冰糖
发表于 2008-10-15 18:49
【破文标题】AutoDWG PDF Converter V3.2.2.3简单分析
【破文作者】冰糖[BST]
【作者邮箱】bthulu#gmail.com
【作者主页】http://bbs.thulu.com
【破解 工具】peid0.94+OD
【破解平台】XPsp3
【软件名称】AutoDWG DWG2PDF Converter
【软件大小】6.66 MB
【原版下载】http://www.skycn.com//soft/22012.html
【保护方式】注册码
【软件简介】AutoDWG DWG to PDF Converter allows you to convert DWG to PDF, DXF to PDF, DWF to PDF directly, NO AutoCAD required, batch conversion supported.
【破解声明】本文仅供研究学习,本人对因这篇文章而导致的一切后果,不承担任何法律责任。本文中的不足之处
------------------------------------------------------------------------
【破解过程】好久没破解,今天想把自己的CAD图纸转换成PDF格式的,就百度到这个软件,15天试用限制
准备好工具,下面开始动工
PEID查找无壳,Microsoft Visual C++ 6.0
OD载入,运行,输入假码确定,弹出窗口提示“register failed!”
查找字符串,双击进入
; Registration-dialog handler at 0041518E (OllyDbg dump, 32-bit x86; the page identifies the
; binary as Microsoft Visual C++ 6.0 and the imports are MFC42 ordinals).
; ecx on entry is stored at [ebp-4] and reloaded into ecx before every call, so it is presumably
; the dialog object's `this` pointer (thiscall) - confirm.
; Fields touched here, going by the author's annotations further down:
;   this+3B0  registration-code string     this+3B4  e-mail string
;   this+3B8  dword written with 1 after a successful check
; Flow: empty-e-mail check -> '@' check -> empty-code check -> call 0044F86A(e-mail, code)
;       -> message box chosen from the low byte of its return value.
; NOTE(review): the '@' check at 004151F4 only shows a message; no jump follows it, so execution
; falls into the code check at 0041520C even when the e-mail is malformed.
; NOTE(review): [this+3B8] is written with 1 at 00415279 and compared with 0 two instructions
; later, so the "registered fail" branch at 004152A5 looks unreachable in this listing.
0041518E/.55pushebp;breakpoint set here by the author (F2)
0041518F|.8BECmov ebp, esp
00415191|.51pushecx
00415192|.894D FC mov dword ptr [ebp-4], ecx
00415195|.6A 01 push1
00415197|.8B4D FC mov ecx, dword ptr [ebp-4]
0041519A|.E8 7DBA4600 call<jmp.&MFC42.#6334>
0041519F|.6A 00 push0
004151A1|.68 384BAB00 push00AB4B38
004151A6|.8B4D FC mov ecx, dword ptr [ebp-4]
004151A9|.81C1 B0030000 add ecx, 3B0
004151AF|.E8 88BB4600 call<jmp.&MFC42.#6877>
; --- e-mail field (this+3B4): a non-zero return from 00401AC0 leads to the "please input your email!" box ---
004151B4|.8B4D FC mov ecx, dword ptr [ebp-4]
004151B7|.81C1 B4030000 add ecx, 3B4
004151BD|.E8 FEC8FEFF call00401AC0
004151C2|.85C0testeax, eax ;check whether an e-mail was entered
004151C4|.74 19 jeshort 004151DF
004151C6|.6A 00 push0
004151C8|.68 3C4BAB00 push00AB4B3C ;autodwgdwg2pdf
004151CD|.68 4C4BAB00 push00AB4B4C ;please input your email!
004151D2|.8B4D FC mov ecx, dword ptr [ebp-4]
004151D5|.E8 D8BD4600 call<jmp.&MFC42.#4224>
004151DA|.E9 F8000000 jmp 004152D7
; --- '@' lookup in the e-mail: jg requires a result > 0, anything else shows the warning box ---
004151DF|>6A 00 push0
004151E1|.68 684BAB00 push00AB4B68 ;@
004151E6|.8B4D FC mov ecx, dword ptr [ebp-4]
004151E9|.81C1 B4030000 add ecx, 3B4
004151EF|.E8 B8BD4600 call<jmp.&MFC42.#6663>
004151F4|.85C0testeax, eax ;e-mail format check
004151F6|.7F 14 jgshort 0041520C
004151F8|.6A 00 push0
004151FA|.68 6C4BAB00 push00AB4B6C ;autodwgdwg2pdf
004151FF|.68 7C4BAB00 push00AB4B7C ;please input correct email address.
00415204|.8B4D FC mov ecx, dword ptr [ebp-4]
00415207|.E8 A6BD4600 call<jmp.&MFC42.#4224>
; --- registration-code field (this+3B0): same 00401AC0 test as for the e-mail ---
0041520C|>8B4D FC mov ecx, dword ptr [ebp-4]
0041520F|.81C1 B0030000 add ecx, 3B0
00415215|.E8 A6C8FEFF call00401AC0
0041521A|.85C0testeax, eax ;check whether a registration code was entered
0041521C|.74 19 jeshort 00415237
0041521E|.6A 00 push0
00415220|.68 A04BAB00 push00AB4BA0 ;autodwgdwg2pdf
00415225|.68 B04BAB00 push00AB4BB0 ;please input the register code!
0041522A|.8B4D FC mov ecx, dword ptr [ebp-4]
0041522D|.E8 80BD4600 call<jmp.&MFC42.#4224>
00415232|.E9 A0000000 jmp 004152D7
; --- both strings are fetched through 00401B70 and pushed: code first, e-mail second,
;     so the callee sees the e-mail at [ebp+8] and the code at [ebp+C]; the caller pops 8 bytes ---
00415237|>8B4D FC mov ecx, dword ptr [ebp-4]
0041523A|.E8 EFB94600 call<jmp.&MFC42.#1669>
0041523F|.8B4D FC mov ecx, dword ptr [ebp-4]
00415242|.81C1 B0030000 add ecx, 3B0
00415248|.E8 23C9FEFF call00401B70
0041524D|.50pusheax;dummy code entered by the author: 98765432101234567890123456
0041524E|.8B4D FC mov ecx, dword ptr [ebp-4]
00415251|.81C1 B4030000 add ecx, 3B4
00415257|.E8 14C9FEFF call00401B70
0041525C|.50pusheax;the author's e-mail: bthulu@gmail.com
0041525D|.E8 08A60300 call0044F86A ;validation routine (the author steps into it with F7)
00415262|.83C4 08 add esp, 8
; only the low byte of the return value is used as the verdict; zero selects the failure box at 004152BB
00415265|.25 FF000000 and eax, 0FF
0041526A|.85C0testeax, eax
0041526C|.74 4D jeshort 004152BB
0041526E|.8B4D FC mov ecx, dword ptr [ebp-4]
00415271|.E8 94B94600 call<jmp.&MFC42.#4853>
00415276|.8B45 FC mov eax, dword ptr [ebp-4]
00415279|.C780 B8030000 0>mov dword ptr [eax+3B8], 1
00415283|.8B4D FC mov ecx, dword ptr [ebp-4]
00415286|.83B9 B8030000 0>cmp dword ptr [ecx+3B8], 0
0041528D|.74 16 jeshort 004152A5
0041528F|.6A 00 push0
00415291|.68 D04BAB00 push00AB4BD0 ;autodwgdwg2pdf
00415296|.68 E04BAB00 push00AB4BE0 ;thank you, registered succeed !
0041529B|.8B4D FC mov ecx, dword ptr [ebp-4]
0041529E|.E8 0FBD4600 call<jmp.&MFC42.#4224>
004152A3|.EB 14 jmp short 004152B9
004152A5|>6A 00 push0
004152A7|.68 004CAB00 push00AB4C00 ;autodwgdwg2pdf
004152AC|.68 104CAB00 push00AB4C10 ;thank you, registered fail !
004152B1|.8B4D FC mov ecx, dword ptr [ebp-4]
004152B4|.E8 F9BC4600 call<jmp.&MFC42.#4224>
004152B9|>EB 1C jmp short 004152D7
004152BB|>6A 00 push0
004152BD|.68 304CAB00 push00AB4C30 ;autodwgdwg2pdf
004152C2|.68 404CAB00 push00AB4C40 ;register failed!
004152C7|.8B4D FC mov ecx, dword ptr [ebp-4]
004152CA|.E8 E3BC4600 call<jmp.&MFC42.#4224>
004152CF|.8B4D FC mov ecx, dword ptr [ebp-4]
004152D2|.E8 4BB94600 call<jmp.&MFC42.#2652>
; common exit: every path above ends here
004152D7|>8BE5mov esp, ebp
004152D9|.5Dpop ebp
004152DA\.C3retn
; Validation wrapper at 0044F86A, called from 0041525D with two stack arguments:
; [ebp+8] = e-mail, [ebp+C] = registration code (the caller removes 8 bytes afterwards).
; Excerpt only: the author's listing stops at 0044F949, so the epilogue and the jump target
; 0044F972 are not shown.
; In the listed part only [ebp+C] is ever read; the e-mail argument at [ebp+8] is not used.
; byte [ebp-14] starts at 1 and is cleared on the failure paths - presumably the return value; confirm.
; NOTE(review): a check that depends only on the entered string, with nothing tied to the user
; or the machine, accepts the same code on every installation.
0044F86A/$55pushebp
0044F86B|.8BECmov ebp, esp
0044F86D|.6A FF push-1
0044F86F|.68 2BD49500 push0095D42B ;SE handler installation
0044F874|.64:A1 00000000mov eax, dword ptr fs:[0]
0044F87A|.50pusheax
0044F87B|.64:8925 0000000>mov dword ptr fs:[0], esp
0044F882|.83EC 14 sub esp, 14
0044F885|.C645 EC 01mov byte ptr [ebp-14], 1
0044F889|.8B45 0C mov eax, dword ptr [ebp+C] ;dummy code 98765432101234567890123456
0044F88C|.50pusheax
0044F88D|.8D4D F0 lea ecx, dword ptr [ebp-10]
0044F890|.E8 B1164300 call<jmp.&MFC42.#537>
0044F895|.C745 FC 0000000>mov dword ptr [ebp-4], 0
; first check: 0044FCDB(code); a non-zero low byte goes straight to the save step at 0044F8CA
0044F89C|.8B4D 0C mov ecx, dword ptr [ebp+C]
0044F89F|.51pushecx
0044F8A0|.E8 36040000 call0044FCDB ;key validation call
0044F8A5|.83C4 04 add esp, 4
0044F8A8|.25 FF000000 and eax, 0FF
0044F8AD|.85C0testeax, eax
0044F8AF|.75 19 jnz short 0044F8CA
; second check: 00450C7D(code) is tried only when the first one returned zero; it is not listed on the page
0044F8B1|.8B55 0C mov edx, dword ptr [ebp+C]
0044F8B4|.52pushedx
0044F8B5|.E8 C3130000 call00450C7D
0044F8BA|.83C4 04 add esp, 4
0044F8BD|.85C0testeax, eax
0044F8BF|.75 09 jnz short 0044F8CA ;if not taken, validation fails
0044F8C1|.C645 EC 00mov byte ptr [ebp-14], 0
0044F8C5E9 A8000000 jmp 0044F972
; --- persistence, first location. 80000002 is the value of HKEY_LOCAL_MACHINE and 0F003F the
;     value of KEY_ALL_ACCESS; 004511D0 / 00451240 are presumably registry open and write helpers
;     on the object at [ebp-18] - confirm. The pointer pushed for the write is [ebp+C], i.e. the
;     code as entered, under the value name "key".
;     A non-zero return from 004511D0 skips the write; a non-zero return from 00451240 clears the flag.
0044F8CA|>8D4D E8 lea ecx, dword ptr [ebp-18]
0044F8CD|.E8 8E15FDFF call00420E60
0044F8D2|.C645 FC 01mov byte ptr [ebp-4], 1
0044F8D6|.6A 00 push0
0044F8D8|.6A 00 push0
0044F8DA|.68 3F000F00 push0F003F
0044F8DF|.6A 00 push0;the registration data is saved to the registry below
0044F8E1|.6A 00 push0
0044F8E3|.68 88A1AB00 push00ABA188 ;software\autodwg\dwg_pdf_conver
0044F8E8|.68 02000080 push80000002
0044F8ED|.8D4D E8 lea ecx, dword ptr [ebp-18]
0044F8F0|.E8 DB180000 call004511D0
0044F8F5|.85C0testeax, eax
0044F8F7|.75 19 jnz short 0044F912
0044F8F9|.68 A8A1AB00 push00ABA1A8 ;key
0044F8FE|.8B45 0C mov eax, dword ptr [ebp+C]
0044F901|.50pusheax
0044F902|.8D4D E8 lea ecx, dword ptr [ebp-18]
0044F905|.E8 36190000 call00451240
0044F90A|.85C0testeax, eax
0044F90C|.74 04 jeshort 0044F912
0044F90E|.C645 EC 00mov byte ptr [ebp-14], 0
; --- persistence, second location: same sequence with 80000001 (the value of HKEY_CURRENT_USER)
;     and a second helper object at [ebp-1C]
0044F912|>8D4D E4 lea ecx, dword ptr [ebp-1C]
0044F915|.E8 4615FDFF call00420E60
0044F91A|.C645 FC 02mov byte ptr [ebp-4], 2
0044F91E|.6A 00 push0
0044F920|.6A 00 push0
0044F922|.68 3F000F00 push0F003F
0044F927|.6A 00 push0
0044F929|.6A 00 push0
0044F92B|.68 ACA1AB00 push00ABA1AC ;software\autodwg\dwg_pdf_conver
0044F930|.68 01000080 push80000001
0044F935|.8D4D E4 lea ecx, dword ptr [ebp-1C]
0044F938|.E8 93180000 call004511D0
0044F93D|.85C0testeax, eax
0044F93F|.75 19 jnz short 0044F95A
0044F941|.68 CCA1AB00 push00ABA1CC ;key
0044F946|.8B4D 0C mov ecx, dword ptr [ebp+C]
0044F949|.51pushecx
; Code check at 0044FCDB, called from 0044F8A0 with one stack argument: [ebp+8] = entered code.
; Excerpt only: the listing stops at 0044FD87; the targets 0044FDAB and 0044FDCD are not shown.
; Steps visible here: strlen(code) must equal 1A (26); the code is then passed to 0045090C and
; the returned string is compared by 004162A0 with the constant at 00ABA24C ("&d#2*P").
; NOTE(review): the expected value is a constant stored in the binary and the only input is the
; entered string, so the accepted code does not vary per user or per machine.
0044FCDB/$55pushebp
0044FCDC|.8BECmov ebp, esp
0044FCDE|.6A FF push-1
0044FCE0|.68 85D49500 push0095D485 ;SE handler installation
0044FCE5|.64:A1 00000000mov eax, dword ptr fs:[0]
0044FCEB|.50pusheax
0044FCEC|.64:8925 0000000>mov dword ptr fs:[0], esp
0044FCF3|.83EC 24 sub esp, 24
0044FCF6|.8B45 08 mov eax, dword ptr [ebp+8]
0044FCF9|.50pusheax; /s
0044FCFA|.E8 F7174300 call<jmp.&MSVCRT.strlen> ; \strlen
0044FCFF|.83C4 04 add esp, 4
0044FD02|.83F8 1A cmp eax, 1A;is the registration code 26 characters long?
0044FD0574 07 jeshort 0044FD0E ;if not taken, validation fails
; wrong length: al = 0 and jump to 0044FDCD (outside this excerpt)
0044FD07|.32C0xor al, al
0044FD09|.E9 BF000000 jmp 0044FDCD
; [ebp-10] is built from the code through MFC42 #537; [ebp-14] is a second object created by #540
; that later receives the transform result through #858 (presumably CString objects - confirm)
0044FD0E|>8B4D 08 mov ecx, dword ptr [ebp+8]
0044FD11|.51pushecx
0044FD12|.8D4D F0 lea ecx, dword ptr [ebp-10]
0044FD15|.E8 2C124300 call<jmp.&MFC42.#537>
0044FD1A|.C745 FC 0000000>mov dword ptr [ebp-4], 0
0044FD21|.8D4D EC lea ecx, dword ptr [ebp-14]
0044FD24|.E8 870E4300 call<jmp.&MFC42.#540>
0044FD29|.C645 FC 01mov byte ptr [ebp-4], 1
; the `push ecx` below reserves a stack slot that #535 fills from [ebp-10]; together with the
; address of [ebp-1C] it forms the two arguments of 0045090C (8 bytes popped after the call)
0044FD2D|.51pushecx
0044FD2E|.8BCCmov ecx, esp
0044FD30|.8965 E8 mov dword ptr [ebp-18], esp
0044FD33|.8D55 F0 lea edx, dword ptr [ebp-10]
0044FD36|.52pushedx
0044FD37|.E8 EC0E4300 call<jmp.&MFC42.#535>
0044FD3C|.8945 D8 mov dword ptr [ebp-28], eax
0044FD3F|.8D45 E4 lea eax, dword ptr [ebp-1C]
0044FD42|.50pusheax
0044FD43|.E8 C40B0000 call0045090C ;call that transforms the entered registration code
0044FD48|.83C4 08 add esp, 8
0044FD4B|.8945 D4 mov dword ptr [ebp-2C], eax
0044FD4E|.8B4D D4 mov ecx, dword ptr [ebp-2C]
0044FD51|.894D D0 mov dword ptr [ebp-30], ecx
0044FD54|.C645 FC 02mov byte ptr [ebp-4], 2
0044FD58|.8B55 D0 mov edx, dword ptr [ebp-30]
0044FD5B|.52pushedx
0044FD5C|.8D4D EC lea ecx, dword ptr [ebp-14]
0044FD5F|.E8 D00E4300 call<jmp.&MFC42.#858>
0044FD64|.C645 FC 01mov byte ptr [ebp-4], 1
0044FD68|.8D4D E4 lea ecx, dword ptr [ebp-1C]
0044FD6B|.E8 280E4300 call<jmp.&MFC42.#800>
0044FD70|.68 4CA2AB00 push00ABA24C ;string the result is compared with: "&d#2*P"
0044FD75|.8D45 EC lea eax, dword ptr [ebp-14]
0044FD78|.50pusheax
0044FD79|.E8 2265FCFF call004162A0 ;key comparison: is the transformed code, converted to a string, equal to "&d#2*P"?
0044FD7E|.25 FF000000 and eax, 0FF
0044FD83|.85C0testeax, eax
0044FD85|.74 24 jeshort 0044FDAB ;if taken, validation fails
0044FD87|.C645 E0 01mov byte ptr [ebp-20], 1
; Transform routine at 0045090C, called from 0044FD43. [ebp+8] is the address of the caller's
; result object and [ebp+C] is the by-value copy of the entered code.
; Excerpt only: the listing stops at 004509CB, before the epilogue.
; Steps visible here: the code and the constant at 00ABA314 ("*2%^W#g@") are handed to 0041D8F7,
; which per the author's annotation leaves a hex string in [ebp+C]; a loop then builds a shorter
; string in [ebp-10], which is copied into the caller's object.
; The role of "*2%^W#g@" inside 0041D8F7 is not visible here (presumably a key for the transform - confirm).
0045090C/$55pushebp
0045090D|.8BECmov ebp, esp
0045090F|.6A FF push-1
00450911|.68 47D59500 push0095D547 ;SE handler installation
00450916|.64:A1 00000000mov eax, dword ptr fs:[0]
0045091C|.50pusheax
0045091D|.64:8925 0000000>mov dword ptr fs:[0], esp
00450924|.83EC 14 sub esp, 14
00450927|.C745 E4 0000000>mov dword ptr [ebp-1C], 0
0045092E|.C745 FC 0100000>mov dword ptr [ebp-4], 1
00450935|.8D4D F0 lea ecx, dword ptr [ebp-10]
00450938|.E8 73024300 call<jmp.&MFC42.#540>
0045093D|.C645 FC 02mov byte ptr [ebp-4], 2
00450941|.6A 00 push0
00450943|.68 10A3AB00 push00ABA310
00450948|.8D4D 0C lea ecx, dword ptr [ebp+C]
0045094B|.E8 EC034300 call<jmp.&MFC42.#6877>
00450950|.51pushecx
00450951|.8BCCmov ecx, esp
00450953|.8965 E8 mov dword ptr [ebp-18], esp
00450956|.68 14A3AB00 push00ABA314 ;ASCII "*2%^W#g@"
0045095B|.E8 E6054300 call<jmp.&MFC42.#537>
00450960|.8945 E0 mov dword ptr [ebp-20], eax
00450963|.8D45 0C lea eax, dword ptr [ebp+C]
00450966|.50pusheax;dummy code 98765432101234567890123456
00450967|.E8 8BCFFCFF call0041D8F7 ;transform call; for the dummy code the result is ASCII "b05281811c1ae5211d96c6a7"
0045096C|.83C4 08 add esp, 8
; loop: the counter at [ebp-14] runs 0, 2, 4, ... while it is below 0C (six passes); each pass calls
; 0041EC70(counter) on the object at [ebp+C] and appends the returned value to [ebp-10] via #940
0045096F|.C745 EC 0000000>mov dword ptr [ebp-14], 0
00450976|.EB 09 jmp short 00450981
00450978|>8B4D EC /mov ecx, dword ptr [ebp-14] ;from the transform result, take two characters, then skip two
0045097B|.83C1 02 |add ecx, 2
0045097E|.894D EC |mov dword ptr [ebp-14], ecx
00450981|>837D EC 0C cmp dword ptr [ebp-14], 0C
00450985|.7D 17 |jge short 0045099E
00450987|.8B55 EC |mov edx, dword ptr [ebp-14]
0045098A|.52|pushedx
0045098B|.8D4D 0C |lea ecx, dword ptr [ebp+C]
0045098E|.E8 DDE2FCFF |call0041EC70
00450993|.50|pusheax
00450994|.8D4D F0 |lea ecx, dword ptr [ebp-10]
00450997|.E8 E8064300 |call<jmp.&MFC42.#940>
0045099C|.^ EB DA \jmp short 00450978
; copy [ebp-10] into the caller's object at [ebp+8], then release the two local string objects with #800
0045099E|>8D45 F0 lea eax, dword ptr [ebp-10];result of the loop above: B0 81 1C E5 1D C6
004509A1|.50pusheax
004509A2|.8B4D 08 mov ecx, dword ptr [ebp+8]
004509A5|.E8 7E024300 call<jmp.&MFC42.#535>
004509AA|.8B4D E4 mov ecx, dword ptr [ebp-1C]
004509AD|.83C9 01 orecx, 1
004509B0|.894D E4 mov dword ptr [ebp-1C], ecx
004509B3|.C645 FC 01mov byte ptr [ebp-4], 1
004509B7|.8D4D F0 lea ecx, dword ptr [ebp-10]
004509BA|.E8 D9014300 call<jmp.&MFC42.#800>
004509BF|.C645 FC 00mov byte ptr [ebp-4], 0
004509C3|.8D4D 0C lea ecx, dword ptr [ebp+C]
004509C6|.E8 CD014300 call<jmp.&MFC42.#800>
004509CB|.8B45 08 mov eax, dword ptr [ebp+8]
------------------------------------------------------------------------
【破解总结】本软件使用固定注册码,与用户EMAIL无关。
程序把输入的注册码经过一个算法变换后,与一个固定的字符串比较,爆破起来简单;既然是固定注册码,算法分析太麻烦,说不定还是不可逆算法,得不偿失。
验证部分,
tt=固定算法(输入注册码)
' Pseudocode for the reduction step: tt is the hex string produced from the entered code.
' Walks tt in groups of four characters (1-based) and turns the first two hex digits of each
' group into one character, appending it to TT2.
For i = 1 To Len(tt) Step 4
a = Mid(tt, i, 2)      ' two hex digits starting at position i
b = Val("&h" & a)      ' parse them as a hexadecimal number
c = Chr(b)             ' character with that code
TT2 = TT2 & c
Next i
如果TT2 和 “&d#2*P”相等,那么就注册成功了
------------------------------------------------------------------------
【版权声明】来自于BBS.THULU.COM 转载请注明作者并保持文章的完整, 谢谢!