需要用到一款批量把多张图片变成多个PDF的工具,于是搜索到Image To PDF 3.4,感觉用着还不错,至少达到使用目的了。
发现不注册有水印。
用 OD(OllyDbg)载入程序后按 F9 运行,就弹出了上面这个窗口:
邮箱:killgr@gmail.com
SN:KJJHHGHG-986767-GHGH0990 胡填呗~~
; OllyDbg listing, 32-bit x86, module Image_To. The excerpt starts and ends
; inside one routine (presumably the handler that runs when the registration
; form is submitted -- confirm against the full function).
;
; Control flow visible in this excerpt:
;   call 00414144  -> al  != 0   -> 00413B39
;   call 004D1FDC  -> eax == 0   -> 00413B39
;   otherwise                    -> MessageBoxA(uType 0x10), cleanup, jmp 00413C4E
;   00413B39: call 00413F28, store 0x2710 to [0x4E0150], MessageBoxA(uType 0x40)
;
; NOTE(review): the accepted/rejected outcome ends up as one constant written to
; one global dword; nothing in this excerpt ties that state to a signed or
; otherwise verifiable value, so the whole licence decision is a client-side
; single point of failure.
00413A8B |. 8B55 F8 mov edx,[local.2] ; here we see our e-mail and the fake serial
00413A8E |. EB 03 jmp XImage_To.00413A93
00413A90 |> 8D56 1D lea edx,dword ptr ds:[esi+0x1D] ; jump target from before the excerpt; by analogy with 00413AA4..00413AAF presumably the fallback used when local.2 is 0
00413A93 |> 8BC3 mov eax,ebx ; eax = ebx (presumably the object pointer for a register-based call -- confirm)
00413A95 |. E8 AA060000 call Image_To.00414144 ; first check; result returned in al
00413A9A |. 84C0 test al,al
00413A9C |. 0F85 97000000 jnz Image_To.00413B39 ; JMP (author's note); taken when al != 0
00413AA2 |. 6A 10 push 0x10 ; first of three stack arguments for call 004D1FDC
00413AA4 |. 837D F8 00 cmp [local.2],0x0
00413AA8 |. 74 05 je XImage_To.00413AAF ; local.2 == 0 -> use the constant at esi+0x1E instead
00413AAA |. 8B4D F8 mov ecx,[local.2]
00413AAD |. EB 03 jmp XImage_To.00413AB2
00413AAF |> 8D4E 1E lea ecx,dword ptr ds:[esi+0x1E]
00413AB2 |> 51 push ecx
00413AB3 |. 8D45 B4 lea eax,[local.19]
00413AB6 |. 50 push eax
00413AB7 |. E8 20E50B00 call Image_To.004D1FDC ; second check; result returned in eax
00413ABC |. 83C4 0C add esp,0xC ; caller removes the three pushed arguments
00413ABF |. 85C0 test eax,eax
00413AC1 74 76 je XImage_To.00413B39 ; eax == 0 also reaches 00413B39
00413AC3 |. 66:C747 10 2C>mov word ptr ds:[edi+0x10],0x2C
00413AC9 |. 8D56 1F lea edx,dword ptr ds:[esi+0x1F]
00413ACC |. 8D45 F4 lea eax,[local.3]
00413ACF |. E8 84A40C00 call Image_To.004DDF58
00413AD4 |. FF47 1C inc dword ptr ds:[edi+0x1C]
00413AD7 |. 8B10 mov edx,dword ptr ds:[eax]
00413AD9 |. 8B83 14050000 mov eax,dword ptr ds:[ebx+0x514]
00413ADF |. E8 285C0600 call Image_To.0047970C
00413AE4 |. FF4F 1C dec dword ptr ds:[edi+0x1C]
00413AE7 |. 8D45 F4 lea eax,[local.3]
00413AEA |. BA 02000000 mov edx,0x2
00413AEF |. E8 C4A50C00 call Image_To.004DE0B8
00413AF4 |. 6A 10 push 0x10 ; uType = 0x10 (MB_ICONERROR)
00413AF6 |. 8D4E 60 lea ecx,dword ptr ds:[esi+0x60]
00413AF9 |. 51 push ecx ; lpCaption = esi+0x60
00413AFA |. 8D46 2D lea eax,dword ptr ds:[esi+0x2D]
00413AFD |. 50 push eax ; lpText = esi+0x2D
00413AFE |. 8BC3 mov eax,ebx
00413B00 |. E8 EBC20600 call Image_To.0047FDF0 ; returns the value pushed as hOwner
00413B05 |. 50 push eax ; |hOwner
00413B06 |. E8 3BB70C00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00413B0B |. FF4F 1C dec dword ptr ds:[edi+0x1C]
00413B0E |. 8D45 F8 lea eax,[local.2]
00413B11 |. BA 02000000 mov edx,0x2
00413B16 |. E8 9DA50C00 call Image_To.004DE0B8 ; same helper applied to local.2 (presumably releases it -- confirm)
00413B1B |. FF4F 1C dec dword ptr ds:[edi+0x1C]
00413B1E |. 8D45 FC lea eax,[local.1]
00413B21 |. BA 02000000 mov edx,0x2
00413B26 |. E8 8DA50C00 call Image_To.004DE0B8 ; same helper applied to local.1
00413B2B |. 8B0F mov ecx,dword ptr ds:[edi]
00413B2D |. 64:890D 00000>mov dword ptr fs:[0],ecx ; restore fs:[0] (head of the Win32 SEH chain) from [edi]
00413B34 |. E9 15010000 jmp Image_To.00413C4E ; leave through 00413C4E, outside the excerpt
; --- 00413B39: reached when either check above passes ---
00413B39 |> 837D F8 00 cmp [local.2],0x0
00413B3D 74 05 je XImage_To.00413B44 ; jump taken (author's note)
00413B3F |. 8B4D F8 mov ecx,[local.2]
00413B42 |. EB 03 jmp XImage_To.00413B47
00413B44 |> 8D4E 67 lea ecx,dword ptr ds:[esi+0x67]
00413B47 |> 837D FC 00 cmp [local.1],0x0
00413B4B 74 05 je XImage_To.00413B52 ; jump taken (author's note)
00413B4D |. 8B55 FC mov edx,[local.1]
00413B50 |. EB 03 jmp XImage_To.00413B55
00413B52 |> 8D56 66 lea edx,dword ptr ds:[esi+0x66]
00413B55 |> 8BC3 mov eax,ebx
00413B57 |. E8 CC030000 call Image_To.00413F28 ; called with eax = ebx, edx = local.1 or esi+0x66, ecx = local.2 or esi+0x67
00413B5C |. 66:C747 10 38>mov word ptr ds:[edi+0x10],0x38
00413B62 |. 8D56 68 lea edx,dword ptr ds:[esi+0x68]
00413B65 |. 8D45 F0 lea eax,[local.4]
00413B68 |. E8 EBA30C00 call Image_To.004DDF58
00413B6D |. FF47 1C inc dword ptr ds:[edi+0x1C]
00413B70 |. 8B10 mov edx,dword ptr ds:[eax]
00413B72 |. 8B83 14050000 mov eax,dword ptr ds:[ebx+0x514]
00413B78 |. E8 8F5B0600 call Image_To.0047970C
00413B7D |. FF4F 1C dec dword ptr ds:[edi+0x1C]
00413B80 |. 8D45 F0 lea eax,[local.4]
00413B83 |. BA 02000000 mov edx,0x2
00413B88 |. E8 2BA50C00 call Image_To.004DE0B8
00413B8D |. 8D8E CF000000 lea ecx,dword ptr ds:[esi+0xCF]
00413B93 |. 6A 40 push 0x40 ; uType = 0x40 (MB_ICONINFORMATION)
00413B95 |. 51 push ecx ; lpCaption = esi+0xCF
00413B96 |. 8D46 7B lea eax,dword ptr ds:[esi+0x7B]
00413B99 |. 50 push eax ; lpText = esi+0x7B
00413B9A |. 8BC3 mov eax,ebx
00413B9C |. C705 50014E00>mov dword ptr ds:[0x4E0150],0x2710 ; global [0x4E0150] = 0x2710; the page's later listings compare this same dword against 0x2710
00413BA6 |. E8 45C20600 call Image_To.0047FDF0
00413BAB |. 50 push eax ; |hOwner
00413BAC |. E8 95B60C00 call <jmp.&USER32.MessageBoxA> ; \this is the success path
是不是觉得超简单,就搞定了?!让程序走完就进到了界面中,随便弄2张图片,生成,看下生成的有水印不?
结果真的就没有了~~
=====================
再打开运行,发现又得重新输入
========================
regworkshop注册表看下,没有发现可疑的地方
===========
程序目录中有
setup.ini
里有
[Public]
DeleteFile=0
SrcPath=C:\Users\Administrator\Desktop\9787121221576.jpg
AddFileIndex=1
[Register]
Mail=killgr@gmail.com
Serial=KJJHHGHG-986767-GHGH0990
你会发现,这就是传说中的“重启验证”类型吧~~(注册邮箱和序列号以明文保存在 setup.ini 里,程序每次启动时重新读取并校验。)
=====================
当注册码不对时,上面 [Register] 里的项就会被清空;无论对读文件还是写文件的函数下断点,都断不下来~~~~
因为程序用的是下面这种 INI 专用的 API:
; OllyDbg listing, module shown as "1". The first three lines are the tail of
; the preceding routine; 004019C0 starts a new routine that reads an integer
; from the INI file with GetPrivateProfileIntA. The excerpt ends at that call.
; NOTE(review): per the setup.ini dump on this page, the same file also holds
; the [Register] Mail/Serial values in plain text.
004019BD |. 5D pop ebp
004019BE \. C3 retn
004019BF 90 nop
004019C0 /$ 81C4 00FEFFFF add esp,-0x200 ; reserve 0x200 bytes of stack, used below as the INI file name buffer
004019C6 |. 68 B8014E00 push 1.004E01B8 ; setup.ini -- the breakpoint hits here again on generation
004019CB |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4] ; eax = start of the reserved buffer (esp moved by the push above)
004019CF |. 50 push eax
004019D0 |. E8 B7FFFFFF call 1.0040198C ; helper(buffer, "setup.ini"); presumably builds the full path -- confirm
004019D5 |. 83C4 08 add esp,0x8 ; drop the two arguments
004019D8 |. 54 push esp ; /IniFileName
004019D9 |. 6A 00 push 0x0 ; |Default = 0
004019DB |. 68 C9014E00 push 1.004E01C9 ; |Log
004019E0 |. 68 C2014E00 push 1.004E01C2 ; |Public
004019E5 |. E8 A4D00D00 call <jmp.&KERNEL32.GetPrivateProfileInt>; \GetPrivateProfileIntA
好吧,我们再回顾下
; OllyDbg listing, module shown as "1": excerpt from a startup path. The value
; returned by call 0041395C is stored through the pointer at [0x4EF07C]
; (labelled _DlgReg by the debugger); the indirect call at 00402434 is made
; only when [0x4E0150] differs from 0x2710.
; NOTE(review): whether the registration dialog appears depends solely on this
; one dword compare against a constant.
0040240B |. /74 7A je X1.00402487
0040240D |. |33C9 xor ecx,ecx
0040240F |. |B2 01 mov dl,0x1
00402411 |. |A1 906F4E00 mov eax,dword ptr ds:[0x4E6F90]
00402416 |. |E8 41150100 call 1.0041395C ; returns a pointer in eax, kept in edi
0040241B |. |8BF8 mov edi,eax
0040241D |. |A1 7CF04E00 mov eax,dword ptr ds:[0x4EF07C]
00402422 |. |8938 mov dword ptr ds:[eax],edi ; *[0x4EF07C] = returned pointer
00402424 |. |813D 50014E00>cmp dword ptr ds:[0x4E0150],0x2710 [0x4E0150] ; compare the registration-state global with 0x2710
0040242E |74 0A je X1.0040243A ; author's note: evidently this can be jumped past
00402430 |. |8BC7 mov eax,edi
00402432 |. |8B10 mov edx,dword ptr ds:[eax] ; edx = first dword of the object (presumably its method table -- confirm)
00402434 |. |FF92 E8000000 call dword ptr ds:[edx+0xE8] ; brings up the registration dialog at startup
0040243A |> |8B0D 7CF04E00 mov ecx,dword ptr ds:[0x4EF07C] ; 1._DlgReg
; OllyDbg listing, module Image_To: another place that tests the same global,
; shown in the copy the author has already modified. The untranslated trailing
; annotations on the last three lines are the author's: "clearly this value is
; the key point", "modified!", "modified!".
; NOTE(review): a start-up integrity check of the code (for example validating
; the image's signature or a hash of this section) is the kind of control that
; would notice a byte change like this one; no such check is visible on the page.
0040A52B |. E8 883B0D00 call Image_To.004DE0B8
0040A530 |. 813D 50014E00>cmp dword ptr ds:[0x4E0150],0x2710 可见这玩意是重点 ; same global and constant as at 00402424
0040A53A E9 2C010000 jmp Image_To.0040A66B 修改! ; unconditional jmp: the flags set by the cmp above are no longer consulted
0040A53F 90 nop 修改! ; single-byte nop after the jmp
修改之后,彻底OK~~