好友
阅读权限35
听众
最后登录1970-1-1
|
solly
发表于 2019-3-23 01:20
本帖最后由 云在天 于 2019-6-7 13:23 编辑
VeryPDF PDF to Any Converter 用来将 PDF 转换为 Word、Excel、Powerpoint、HTML、XML、postscript、eps、纯文本和图像 (关于 TIFF、JPEG、TGA、png、GIF、BMP 和 PPM (PPM、PPM 和 PPM) 。对于不同的目标格式, 此应用程序提供相应的转换选项。用户可以设置颜色深度、页面大小、分辨率、压缩算法等。用户还可以指定要转换的页面范围。对于加密的 PDF, 用户可以提供密码再转换该 PDF。
试用版只有19次使用机会,安装启动该软件后,显示如下要求注册界面:
要求输入 Registration Code,也可以直接点 Try 进入试用。随便输入一个字符,界面立即变成如下这样,显示无效注册码。
看来是是在按键事件中,进行注册码的判断的,接下来退出,重新用OD载入,搜索字符串“the registration code is invalid. please enter again!”,立即就有结果:
双击进入字符串引用代码处,如下图:
汇编代码如下:
[Asm] 纯文本查看 复制代码 ; 字符串位置在 00421275 处访问
00421234 > \C74424 04 FFF>mov dword ptr [esp+4], -1
0042123C . C70424 D0FA43>mov dword ptr [esp], 0043FAD0 ; border:0px solid blue;background:url(':/myimage/image/error.png');background-repeat:no-repeat;
00421243 . FF15 C4084600 call dword ptr [<&QtCore4._ZN7QString16fromAscii_hel>; QtCore4._ZN7QString16fromAscii_helperEPKci
00421249 . 8945 C8 mov dword ptr [ebp-38], eax
0042124C . 8D75 C8 lea esi, dword ptr [ebp-38]
0042124F . 897424 04 mov dword ptr [esp+4], esi
00421253 . 8B43 14 mov eax, dword ptr [ebx+14]
00421256 . 8B40 30 mov eax, dword ptr [eax+30]
00421259 . 890424 mov dword ptr [esp], eax
0042125C . FF15 B80B4600 call dword ptr [<&QtGui4._ZN7QWidget13setStyleSheetE>; QtGui4._ZN7QWidget13setStyleSheetERK7QString
00421262 . 893424 mov dword ptr [esp], esi
00421265 . E8 F60C0100 call 00431F60
0042126A . 8D75 C4 lea esi, dword ptr [ebp-3C]
0042126D . C74424 0C 000>mov dword ptr [esp+C], 0
00421275 . C74424 08 4CF>mov dword ptr [esp+8], 0043FC4C ; the registration code is invalid. please enter again!
0042127D . C74424 04 209>mov dword ptr [esp+4], 00439420
00421285 . 893424 mov dword ptr [esp], esi
00421288 . FF15 50094600 call dword ptr [<&QtCore4._ZNK11QMetaObject2trEPKcS1>; QtCore4._ZNK11QMetaObject2trEPKcS1_
0042128E . 51 push ecx
0042128F . 897424 04 mov dword ptr [esp+4], esi
00421293 . 8B43 14 mov eax, dword ptr [ebx+14]
00421296 . 8B40 18 mov eax, dword ptr [eax+18]
00421299 . 890424 mov dword ptr [esp], eax
0042129C . FF15 A80C4600 call dword ptr [<&QtGui4._ZN9QTextEdit7setTextERK7QS>; QtGui4._ZN9QTextEdit7setTextERK7QString
004212A2 .^ E9 FCFDFFFF jmp 004210A3
往上回溯(在00421234处有跳转过来),当 eax = 5时会跳转去显示 "the registration code is invalid. please enter again!",如下:
[Asm] 纯文本查看 复制代码 0420DFC $ 55 push ebp
00420DFD . 89E5 mov ebp, esp
00420DFF . 57 push edi
00420E00 . 56 push esi
00420E01 . 53 push ebx
00420E02 . 83EC 7C sub esp, 7C
00420E05 . 8B5D 08 mov ebx, dword ptr [ebp+8]
00420E08 . 8B45 0C mov eax, dword ptr [ebp+C]
00420E0B . 83F8 03 cmp eax, 3
00420E0E . 0F84 A0020000 je 004210B4
00420E14 . 85C0 test eax, eax
00420E16 . 0F84 BC000000 je 00420ED8
00420E1C . 83F8 05 cmp eax, 5 ; 是否 eax=5
00420E1F . 0F84 0F040000 je 00421234 ; 是则跳转去显示 "the registration code is invalid. please enter again!"
00420E25 . 83F8 01 cmp eax, 1
00420E28 . 0F84 CA010000 je 00420FF8
00420E2E . 83F8 02 cmp eax, 2
00420E31 . 0F84 21030000 je 00421158
在OD中按CTRL+F9执行到返回,退出本函数。来到如下代码调用处,选中0042153C地址那一行,ollyice会显示是从004213B7跳转过来的。
[Asm] 纯文本查看 复制代码 0042153C > \C74424 04 050>mov dword ptr [esp+4], 5 ; 设置标志 FLAG = 5
00421544 . 891C24 mov dword ptr [esp], ebx
00421547 . E8 B0F8FFFF call 00420DFC ; 该函数显示 the registration code is invalid. please enter again!
0042154C .^ E9 CAFEFFFF jmp 0042141B
再次回溯,来到004213B7处,可得到以下函数开始部分。其中004213B0处的call 004229B0返回值即是跳转条件。
[Asm] 纯文本查看 复制代码 00421344 $ 55 push ebp
00421345 . 89E5 mov ebp, esp
00421347 . 57 push edi
00421348 . 56 push esi
00421349 . 53 push ebx
0042134A . 83EC 5C sub esp, 5C
0042134D . 8B5D 08 mov ebx, dword ptr [ebp+8]
00421350 . 8D75 E0 lea esi, dword ptr [ebp-20]
00421353 . 8B43 14 mov eax, dword ptr [ebx+14]
00421356 . 8B40 2C mov eax, dword ptr [eax+2C]
00421359 . 894424 04 mov dword ptr [esp+4], eax
0042135D . 893424 mov dword ptr [esp], esi
00421360 . FF15 480D4600 call dword ptr [<&QtGui4._ZNK9QLineEdit4textEv>] ;从文本编辑控件读取注册码
00421366 . 52 push edx
00421367 . 8B45 E0 mov eax, dword ptr [ebp-20] ;eax指向刚才输入的注册码 unicode编码16bit格式
0042136A . 8378 08 00 cmp dword ptr [eax+8], 0 ;检查注册码的长度>=0
0042136E . 0F84 DC000000 je 00421450
00421374 . 0F8E B5000000 jle 0042142F
0042137A . 8D7D CC lea edi, dword ptr [ebp-34]
0042137D . 897424 04 mov dword ptr [esp+4], esi
00421381 . 893C24 mov dword ptr [esp], edi
00421384 . FF15 64094600 call dword ptr [<&QtCore4._ZNK7QString11toLocal8BitEv>] ;转换成8bit的ascii编码字符串
0042138A . 51 push ecx
0042138B . 8B45 CC mov eax, dword ptr [ebp-34] ;eax转换后的字符串
0042138E . 8B10 mov edx, dword ptr [eax]
00421390 . 4A dec edx
00421391 . 0F84 05020000 je 0042159C ; 检查是否转换成功
00421397 > 8B40 08 mov eax, dword ptr [eax+8]
0042139A . 894424 04 mov dword ptr [esp+4], eax
0042139E . 893C24 mov dword ptr [esp], edi
004213A1 . FF15 5C084600 call dword ptr [<&QtCore4._ZN10QByteArray7reallocEi>]
004213A7 . 8B45 CC mov eax, dword ptr [ebp-34]
004213AA . 8B50 0C mov edx, dword ptr [eax+C]
004213AD > 891424 mov dword ptr [esp], edx ; 检查完成后跳回至此, edx=02B8D858,保存SN的字符串(ASCII "7878787878787878787")
004213B0 . E8 FB150000 call 004229B0 ; 注册码规则检查,如果符合规则就表示是有效的注册码
004213B5 . 84C0 test al, al
004213B7 . 0F84 7F010000 je 0042153C ; 跳转去设置 FLAG=5 并显示 "the registration code is invalid. please enter again!"
;检查转换是否成功
0042159C > \8B50 0C mov edx, dword ptr [eax+C]
0042159F . 8D48 10 lea ecx, dword ptr [eax+10]
004215A2 . 39CA cmp edx, ecx
004215A4 .^ 0F85 EDFDFFFF jnz 00421397
004215AA .^ E9 FEFDFFFF jmp 004213AD ; 检查完成跳回
上面代码中 eax 中的地址指向的数据如下:
02BA8330 03 00 00 00 16 00 00 00 13 00 00 00 42 83 BA 02
02BA8340 00 F0 37 00 38 00 37 00 38 00 37 00 38 00 37 00
02BA8350 38 00 37 00 38 00 37 00 38 00 37 00 38 00 37 00
转换后的数据,edx=02B8D858,转换后的SN
02B8D848 01 00 00 00 14 00 00 00 13 00 00 00 58 D8 B8 02
02B8D858 37 38 37 38 37 38 37 38 37 38 37 38 37 38 37 38
02B8D868 37 38 37 00 00 00 00 00 AB AB AB AB AB AB AB AB
上面代码中几个call是QT4的调用,只有一个 call 004229B0 不是QT4的调用,在此下断,F7进入些调用,来到以下代码处:
[Asm] 纯文本查看 复制代码 004229B0 $ 55 push ebp
004229B1 . 89E5 mov ebp, esp
004229B3 . 57 push edi
004229B4 . 56 push esi
004229B5 . 53 push ebx
004229B6 . 83EC 3C sub esp, 3C
004229B9 . 8B5D 08 mov ebx, dword ptr [ebp+8] ;ebx=02B8D858,保存SN的字符串(ASCII "7878787878787878787")
004229BC . 31C0 xor eax, eax
004229BE . B9 FFFFFFFF mov ecx, -1 ; ecx = 0xFFFFFFFF
004229C3 . 89DF mov edi, ebx ;edi=02B8D858,保存SN的字符串(ASCII "7878787878787878787")
004229C5 . F2:AE repne scas byte ptr es:[edi]
004229C7 . 83F9 EE cmp ecx, -12 ;是否16个字节长度
004229CA . 74 0C je short 004229D8 ;长度等于16字符则跳转到注册码的规则检查
004229CC > 31C0 xor eax, eax ;长度检查错误或后面的规则检查错误则函数将返回0,注册码无效!!!
004229CE > 83C4 3C add esp, 3C
004229D1 . 5B pop ebx
004229D2 . 5E pop esi
004229D3 . 5F pop edi
004229D4 . C9 leave
004229D5 . C3 retn
可以看到,如果注册码的长度不是16个字符,就直接 Game Over了。
退出,重新输入16个字符,再次来到这里,并跳转到 004229D8。
[Asm] 纯文本查看 复制代码 004229D8 > \31F6 xor esi, esi ; i=0, 开始第1轮判断
004229DA . EB 06 jmp short 004229E2 ;
004229DC > 46 inc esi ; i++
004229DD . 83FE 10 cmp esi, 10 ; i<16 (循环16次)
004229E0 . 74 36 je short 00422A18 ; ebx保存SN的基址
004229E2 > 0FBE3C33 movsx edi, byte ptr [ebx+esi] ; edi = SN[i]
004229E6 . 89F8 mov eax, edi
004229E8 . E8 ABFFFFFF call 00422998 ;这个call判断是否大写字母,是返回ascii码,否返回-1
004229ED . 40 inc eax ;不是大写字母,则eax=0了
004229EE .^ 75 EC jnz short 004229DC ;不为0则继续循环判断(continue)
004229F0 . A1 80074600 mov eax, dword ptr [<&msvcrt.__mb_cur_max>]
004229F5 . 8338 01 cmp dword ptr [eax], 1
004229F8 . 0F84 3E030000 je 00422D3C ;去查表检查是否有效的字符
004229FE . C74424 04 04000000 mov dword ptr [esp+4], 4
00422A06 . 893C24 mov dword ptr [esp], edi
00422A09 . E8 666C0000 call <jmp.&msvcrt._isctype> ; _isctype
00422A0E > 85C0 test eax, eax ; 是否为字母或数字
00422A10 .^ 74 BA je short 004229CC ; 无效字符返回无效注册码
00422A12 . 46 inc esi ; i++;
00422A13 . 83FE 10 cmp esi, 10 ; i<16;
00422A16 .^ 75 CA jnz short 004229E2 ; 继续前面的循环
00422A18 > 0FBE03 movsx eax, byte ptr [ebx] ; 开始第2轮判断,第1个大写
00422A1B . E8 78FFFFFF call 00422998
00422A20 . 40 inc eax
00422A21 .^ 74 A9 je short 004229CC ; 不是大写返回无效注册码
00422A23 . 0FBE43 03 movsx eax, byte ptr [ebx+3] ; 第4个大写
00422A27 . E8 6CFFFFFF call 00422998
00422A2C . 40 inc eax
00422A2D .^ 74 9D je short 004229CC ; 不是大写返回无效注册码
00422A2F . 0FBE43 04 movsx eax, byte ptr [ebx+4] ; 第5个大写
00422A33 . E8 60FFFFFF call 00422998
00422A38 . 40 inc eax
00422A39 .^ 74 91 je short 004229CC ; 不是大写返回无效注册码
00422A3B . 0FBE43 06 movsx eax, byte ptr [ebx+6] ; 第7个大写
00422A3F . E8 54FFFFFF call 00422998
00422A44 . 40 inc eax
00422A45 .^ 74 85 je short 004229CC ; 不是大写返回无效注册码
00422A47 . 0FBE43 08 movsx eax, byte ptr [ebx+8] ; 第9个大写
00422A4B . E8 48FFFFFF call 00422998
00422A50 . 40 inc eax
00422A51 .^ 0F84 75FFFFFF je 004229CC ; 不是大写返回无效注册码
00422A57 . 0FBE43 09 movsx eax, byte ptr [ebx+9] ; 第10个大写
00422A5B . E8 38FFFFFF call 00422998
00422A60 . 40 inc eax
00422A61 .^ 0F84 65FFFFFF je 004229CC ; 不是大写返回无效注册码
00422A67 . 0FBE43 0C movsx eax, byte ptr [ebx+C] ; 第13个大写
00422A6B . E8 28FFFFFF call 00422998
00422A70 . 40 inc eax
00422A71 .^ 0F84 55FFFFFF je 004229CC ; 不是大写返回无效注册码
00422A77 . 0FBE43 0D movsx eax, byte ptr [ebx+D] ; 第14个大写
00422A7B . E8 18FFFFFF call 00422998
00422A80 . 40 inc eax
00422A81 .^ 0F84 45FFFFFF je 004229CC ; 不是大写返回无效注册码
00422A87 . 8A4B 01 mov cl, byte ptr [ebx+1] ; 取第2个SN
00422A8A . 884D DC mov byte ptr [ebp-24], cl
00422A8D . 0FBEC1 movsx eax, cl
00422A90 . 8945 E0 mov dword ptr [ebp-20], eax
00422A93 . E8 00FFFFFF call 00422998 ;是否大写字母
00422A98 . 8945 D8 mov dword ptr [ebp-28], eax
00422A9B . 40 inc eax
00422A9C . 75 13 jnz short 00422AB1
00422A9E . 8B55 E0 mov edx, dword ptr [ebp-20]
00422AA1 . 891424 mov dword ptr [esp], edx
00422AA4 . E8 131A0100 call 004344BC ; 是否大写或数字
00422AA9 . 85C0 test eax, eax
00422AAB .^ 0F84 1BFFFFFF je 004229CC ; 返回无效注册码
00422AB1 > 8A4B 02 mov cl, byte ptr [ebx+2] ; 取第3个SN
00422AB4 . 884D E4 mov byte ptr [ebp-1C], cl
00422AB7 . 0FBEF1 movsx esi, cl
00422ABA . 89F0 mov eax, esi
00422ABC . E8 D7FEFFFF call 00422998 ;是否大写字母
00422AC1 . 89C7 mov edi, eax
00422AC3 . 83F8 FF cmp eax, -1
00422AC6 . 75 10 jnz short 00422AD8
00422AC8 . 893424 mov dword ptr [esp], esi
00422ACB . E8 EC190100 call 004344BC ; 是否大写或数字
00422AD0 . 85C0 test eax, eax
00422AD2 .^ 0F84 F4FEFFFF je 004229CC
00422AD8 > 0FBE53 05 movsx edx, byte ptr [ebx+5] ; 取第6个SN
00422ADC . 89D0 mov eax, edx
00422ADE . 8955 CC mov dword ptr [ebp-34], edx
00422AE1 . E8 B2FEFFFF call 00422998 ;是否大写字母
00422AE6 . 40 inc eax
00422AE7 . 8B55 CC mov edx, dword ptr [ebp-34]
00422AEA . 75 10 jnz short 00422AFC
00422AEC . 891424 mov dword ptr [esp], edx
00422AEF . E8 C8190100 call 004344BC ; 是否大写或数字
00422AF4 . 85C0 test eax, eax
00422AF6 .^ 0F84 D0FEFFFF je 004229CC
00422AFC > 0FBE53 07 movsx edx, byte ptr [ebx+7] ; 取第8个SN
00422B00 . 89D0 mov eax, edx
00422B02 . 8955 CC mov dword ptr [ebp-34], edx
00422B05 . E8 8EFEFFFF call 00422998
00422B0A . 40 inc eax
00422B0B . 8B55 CC mov edx, dword ptr [ebp-34]
00422B0E . 75 10 jnz short 00422B20
00422B10 . 891424 mov dword ptr [esp], edx
00422B13 . E8 A4190100 call 004344BC
00422B18 . 85C0 test eax, eax
00422B1A .^ 0F84 ACFEFFFF je 004229CC
00422B20 > 0FBE53 0A movsx edx, byte ptr [ebx+A] ; 取第11个SN
00422B24 . 89D0 mov eax, edx
00422B26 . 8955 CC mov dword ptr [ebp-34], edx
00422B29 . E8 6AFEFFFF call 00422998
00422B2E . 40 inc eax
00422B2F . 8B55 CC mov edx, dword ptr [ebp-34]
00422B32 . 75 10 jnz short 00422B44
00422B34 . 891424 mov dword ptr [esp], edx
00422B37 . E8 80190100 call 004344BC
00422B3C . 85C0 test eax, eax
00422B3E .^ 0F84 88FEFFFF je 004229CC
00422B44 > 0FBE53 0B movsx edx, byte ptr [ebx+B] ; 取第12个SN
00422B48 . 89D0 mov eax, edx
00422B4A . 8955 CC mov dword ptr [ebp-34], edx
00422B4D . E8 46FEFFFF call 00422998
00422B52 . 40 inc eax
00422B53 . 8B55 CC mov edx, dword ptr [ebp-34]
00422B56 . 75 10 jnz short 00422B68
00422B58 . 891424 mov dword ptr [esp], edx
00422B5B . E8 5C190100 call 004344BC
00422B60 . 85C0 test eax, eax
00422B62 .^ 0F84 64FEFFFF je 004229CC
00422B68 > 0FBE53 0E movsx edx, byte ptr [ebx+E] ; 取第15个SN
00422B6C . 89D0 mov eax, edx
00422B6E . 8955 CC mov dword ptr [ebp-34], edx
00422B71 . E8 22FEFFFF call 00422998
00422B76 . 40 inc eax
00422B77 . 8B55 CC mov edx, dword ptr [ebp-34]
00422B7A . 75 10 jnz short 00422B8C
00422B7C . 891424 mov dword ptr [esp], edx
00422B7F . E8 38190100 call 004344BC
00422B84 . 85C0 test eax, eax
00422B86 .^ 0F84 40FEFFFF je 004229CC
00422B8C > 0FBE53 0F movsx edx, byte ptr [ebx+F] ; 取第16个SN
00422B90 . 89D0 mov eax, edx
00422B92 . 8955 CC mov dword ptr [ebp-34], edx
00422B95 . E8 FEFDFFFF call 00422998
00422B9A . 40 inc eax
00422B9B . 8B55 CC mov edx, dword ptr [ebp-34]
00422B9E . 0F84 68020000 je 00422E0C ;第16位SN为数字跳转
00422BA4 > 837D D8 FF cmp dword ptr [ebp-28], -1 ;上面跳转后,如果第16位为数字,会回跳到这里。
00422BA8 . 0F84 A2010000 je 00422D50 ;为字母时直接跳转去取第2位SN
00422BAE . 8B45 E0 mov eax, dword ptr [ebp-20]
00422BB1 . 894424 08 mov dword ptr [esp+8], eax
00422BB5 . C74424 04 01000000 mov dword ptr [esp+4], 1
00422BBD . C70424 41000000 mov dword ptr [esp], 41
00422BC4 . E8 23F8FFFF call 004223EC
00422BC9 . 8945 E0 mov dword ptr [ebp-20], eax
00422BCC . 8A53 02 mov dl, byte ptr [ebx+2] ;取第3个SN
00422BCF . 8855 E4 mov byte ptr [ebp-1C], dl
00422BD2 . 0FBEF2 movsx esi, dl
00422BD5 . 89F0 mov eax, esi
00422BD7 . E8 BCFDFFFF call 00422998
00422BDC . 89C7 mov edi, eax
00422BDE > 47 inc edi
00422BDF . 0F84 BF010000 je 00422DA4
00422BE5 . 897424 08 mov dword ptr [esp+8], esi
00422BE9 . C74424 04 01000000 mov dword ptr [esp+4], 1
00422BF1 . C70424 41000000 mov dword ptr [esp], 41
00422BF8 . E8 EFF7FFFF call 004223EC ;检索字母的索引值
00422BFD . 89C6 mov esi, eax ;检查和的第1个数(第3个SN)
00422BFF > 8A4B 05 mov cl, byte ptr [ebx+5] ;取第6个SN
00422C02 . 884D E4 mov byte ptr [ebp-1C], cl
00422C05 . 0FBEF9 movsx edi, cl
00422C08 . 89F8 mov eax, edi
00422C0A . E8 89FDFFFF call 00422998
00422C0F . 40 inc eax
00422C10 . 0F84 62010000 je 00422D78
00422C16 . 897C24 08 mov dword ptr [esp+8], edi
00422C1A . C74424 04 01000000 mov dword ptr [esp+4], 1
00422C22 . C70424 41000000 mov dword ptr [esp], 41
00422C29 . E8 BEF7FFFF call 004223EC
00422C2E . 8945 D8 mov dword ptr [ebp-28], eax
00422C31 > 0FBE43 06 movsx eax, byte ptr [ebx+6] ;取第7个SN
00422C35 . 894424 08 mov dword ptr [esp+8], eax
00422C39 . C74424 04 01000000 mov dword ptr [esp+4], 1
00422C41 . C70424 41000000 mov dword ptr [esp], 41
00422C48 . E8 9FF7FFFF call 004223EC ;返回index of ('A'..'Z')
00422C4D . 8945 DC mov dword ptr [ebp-24], eax
00422C50 . 0FBE43 09 movsx eax, byte ptr [ebx+9] ;取第10个SN
00422C54 . 894424 08 mov dword ptr [esp+8], eax
00422C58 . C74424 04 01000000 mov dword ptr [esp+4], 1
00422C60 . C70424 41000000 mov dword ptr [esp], 41
00422C67 . E8 80F7FFFF call 004223EC ;返回index of ('A'..'Z')
00422C6C . 8945 D4 mov dword ptr [ebp-2C], eax
00422C6F . 8A43 0A mov al, byte ptr [ebx+A] ;取第11个SN
00422C72 . 8845 E4 mov byte ptr [ebp-1C], al
00422C75 . 0FBEF8 movsx edi, al
00422C78 . 89F8 mov eax, edi
00422C7A . E8 19FDFFFF call 00422998
00422C7F . 40 inc eax
00422C80 . 0F84 08010000 je 00422D8E
00422C86 . 897C24 08 mov dword ptr [esp+8], edi
00422C8A . C74424 04 01000000 mov dword ptr [esp+4], 1
00422C92 . C70424 41000000 mov dword ptr [esp], 41
00422C99 . E8 4EF7FFFF call 004223EC
00422C9E . 8945 D0 mov dword ptr [ebp-30], eax
00422CA1 > 0FBE43 0D movsx eax, byte ptr [ebx+D] ;取第14个SN
00422CA5 . 894424 08 mov dword ptr [esp+8], eax
00422CA9 . C74424 04 01000000 mov dword ptr [esp+4], 1
00422CB1 . C70424 41000000 mov dword ptr [esp], 41
00422CB8 . E8 2FF7FFFF call 004223EC ;返回index of ('A'..'Z')
00422CBD . 8945 E4 mov dword ptr [ebp-1C], eax
00422CC0 . 8A5B 0E mov bl, byte ptr [ebx+E] ;取第15个SN
00422CC3 . 0FBEFB movsx edi, bl
00422CC6 . 89F8 mov eax, edi
00422CC8 . E8 CBFCFFFF call 00422998
00422CCD . 40 inc eax
00422CCE . 0F84 92000000 je 00422D66
00422CD4 . 897C24 08 mov dword ptr [esp+8], edi
00422CD8 . C74424 04 01000000 mov dword ptr [esp+4], 1
00422CE0 . C70424 41000000 mov dword ptr [esp], 41
00422CE7 . E8 00F7FFFF call 004223EC ;返回index of ('A'..'Z')
00422CEC . 89C1 mov ecx, eax
00422CEE > 0375 E0 add esi, dword ptr [ebp-20] ;校验:第3位和第16位的数字和为偶数
00422CF1 . 83E6 01 and esi, 1 ;是否2的倍数
00422CF4 .^ 0F85 D2FCFFFF jnz 004229CC ;非偶数则失败
00422CFA . 8B45 DC mov eax, dword ptr [ebp-24] ;第7位SN的索引值
00422CFD . 0345 D8 add eax, dword ptr [ebp-28] ;加上第6位索引值
00422D00 . BA 03000000 mov edx, 3
00422D05 . 89D3 mov ebx, edx
00422D07 . 99 cdq
00422D08 . F7FB idiv ebx
00422D0A . 85D2 test edx, edx ;是否3的倍数。
00422D0C .^ 0F85 BAFCFFFF jnz 004229CC
00422D12 . 8B45 D0 mov eax, dword ptr [ebp-30] ;第11位SN的索引值
00422D15 . 0345 D4 add eax, dword ptr [ebp-2C] ;加上第10位索引值
00422D18 . A8 03 test al, 3 ;是否4的倍数
00422D1A .^ 0F85 ACFCFFFF jnz 004229CC
00422D20 . 8B55 E4 mov edx, dword ptr [ebp-1C] ;第14位SN的索引值
00422D23 . 8D0411 lea eax, dword ptr [ecx+edx] ;加上第15位SN的索引值
00422D26 . BA 05000000 mov edx, 5
00422D2B . 89D1 mov ecx, edx
00422D2D . 99 cdq
00422D2E . F7F9 idiv ecx
00422D30 . 85D2 test edx, edx ;是否为5的倍数
00422D32 . 0F94C0 sete al
00422D35 .^ E9 94FCFFFF jmp 004229CE
00422D3A . 66:90 nop
00422D3C > 8B15 A0074600 mov edx, dword ptr [<&msvcrt._pctype>] ; 查表检查是否有效的字符
00422D42 . 8B02 mov eax, dword ptr [edx]
00422D44 . 0FB70478 movzx eax, word ptr [eax+edi*2]
00422D48 . 83E0 04 and eax, 4
00422D4B .^ E9 BEFCFFFF jmp 00422A0E
00422D50 > 8A45 DC mov al, byte ptr [ebp-24] ;保存的第2位sn(当第16位为数字时)
00422D53 . 83E8 30 sub eax, 30
00422D56 . 3C 09 cmp al, 9
00422D58 . 76 5E jbe short 00422DB8 ;<='9'
00422D5A . C745 E0 FFFFFFFF mov dword ptr [ebp-20], -1
00422D61 .^ E9 78FEFFFF jmp 00422BDE
00422D66 > 83EB 30 sub ebx, 30
00422D69 . 80FB 09 cmp bl, 9
00422D6C . 76 5C jbe short 00422DCA ;<='9'
00422D6E . B9 FFFFFFFF mov ecx, -1
00422D73 .^ E9 76FFFFFF jmp 00422CEE
00422D78 > 8A45 E4 mov al, byte ptr [ebp-1C]
00422D7B . 83E8 30 sub eax, 30
00422D7E . 3C 09 cmp al, 9
00422D80 . 76 69 jbe short 00422DEB ;<='9'
00422D82 . C745 D8 FFFFFFFF mov dword ptr [ebp-28], -1
00422D89 .^ E9 A3FEFFFF jmp 00422C31
00422D8E > 8A45 E4 mov al, byte ptr [ebp-1C] ;第11个SN
00422D91 . 83E8 30 sub eax, 30
00422D94 . 3C 09 cmp al, 9
00422D96 . 76 41 jbe short 00422DD9
00422D98 . C745 D0 FFFFFFFF mov dword ptr [ebp-30], -1
00422D9F .^ E9 FDFEFFFF jmp 00422CA1
00422DA4 > 8A45 E4 mov al, byte ptr [ebp-1C] ;保存的第3个SN
00422DA7 . 83E8 30 sub eax, 30
00422DAA . 3C 09 cmp al, 9
00422DAC . 76 4F jbe short 00422DFD
00422DAE . BE FFFFFFFF mov esi, -1
00422DB3 .^ E9 47FEFFFF jmp 00422BFF
00422DB8 > 0FBEC0 movsx eax, al
00422DBB . 8B0485 A0FF4300 mov eax, dword ptr [eax*4+43FFA0] ;查表(0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0)得到数字的对应值(atoi)
00422DC2 . 8945 E0 mov dword ptr [ebp-20], eax
00422DC5 .^ E9 14FEFFFF jmp 00422BDE
00422DCA > 0FBEDB movsx ebx, bl
00422DCD . 8B0C9D A0FF4300 mov ecx, dword ptr [ebx*4+43FFA0] ;查表(0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0)得到数字的对应值(atoi)
00422DD4 .^ E9 15FFFFFF jmp 00422CEE
00422DD9 > 0FBEC0 movsx eax, al
00422DDC . 8B0485 A0FF4300 mov eax, dword ptr [eax*4+43FFA0] ;查表(0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0)得到数字的对应值(atoi)
00422DE3 . 8945 D0 mov dword ptr [ebp-30], eax
00422DE6 .^ E9 B6FEFFFF jmp 00422CA1
00422DEB > 0FBEC0 movsx eax, al
00422DEE . 8B0485 A0FF4300 mov eax, dword ptr [eax*4+43FFA0] ;查表(0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0)得到数字的对应值(atoi)
00422DF5 . 8945 D8 mov dword ptr [ebp-28], eax
00422DF8 .^ E9 34FEFFFF jmp 00422C31
00422DFD > 0FBEC0 movsx eax, al
00422E00 . 8B3485 A0FF4300 mov esi, dword ptr [eax*4+43FFA0] ;查表(0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0)得到数字的对应值(atoi)
00422E07 .^ E9 F3FDFFFF jmp 00422BFF
00422E0C > 891424 mov dword ptr [esp], edx
00422E0F . E8 A8160100 call 004344BC
00422E14 . 85C0 test eax, eax
00422E16 .^ 0F84 B0FBFFFF je 004229CC
00422E1C .^ E9 83FDFFFF jmp 00422BA4
00422E21 90 nop
00422E22 90 nop
00422E23 90 nop
;检查是否大写字母
00422998 /$ 55 push ebp
00422999 |. 89E5 mov ebp, esp
0042299B |. 8D50 BF lea edx, dword ptr [eax-41]
0042299E |. 80FA 19 cmp dl, 19
004229A1 |. 77 05 ja short 004229A8
004229A3 |. 0FBEC0 movsx eax, al
004229A6 |. C9 leave
004229A7 |. C3 retn
004229A8 |> B8 FFFFFFFF mov eax, -1
004229AD |. C9 leave
004229AE \. C3 retn
;检查是否数字或字母
004344BC /$ 55 push ebp
004344BD |. 89E5 mov ebp, esp
004344BF |. 83EC 18 sub esp, 18
004344C2 |. 8B55 08 mov edx, dword ptr [ebp+8] ; |
004344C5 |. A1 80074600 mov eax, dword ptr [<&msvcrt.__mb_cur_max>] ; |
004344CA |. 8338 01 cmp dword ptr [eax], 1 ; |
004344CD |. 74 15 je short 004344E4 ; |
004344CF |. C74424 04 04000000 mov dword ptr [esp+4], 4 ; |
004344D7 |. 891424 mov dword ptr [esp], edx ; |
004344DA |. E8 9551FFFF call <jmp.&msvcrt._isctype> ; \_isctype
004344DF |. C9 leave
004344E0 |. C3 retn
004344E1 | 8D76 00 lea esi, dword ptr [esi]
004344E4 |> A1 A0074600 mov eax, dword ptr [<&msvcrt._pctype>]
004344E9 |. 8B00 mov eax, dword ptr [eax]
004344EB |. 0FB70450 movzx eax, word ptr [eax+edx*2]
004344EF |. 83E0 04 and eax, 4
004344F2 |. C9 leave
004344F3 \. C3 retn
上面就是注册码的验证算法,从分析可以看出其验证规则如下:
1、注册码长度为16个字符,由大写字母或数字组成;
2、第1、4、5、7、9、10、13、14位置为大写的字母,其它位置为大写字母或数字;
3、字符转换规则:数字类字符直接为'0'~'9'对应的数字0~9;字母类字符则A~Z对应数字1~26,后面所有计算值都是转换后的值;
4、第2位和第3位的和为2的倍数;
5、第6位和第7位的和为3的倍数;
6、第10位和第11位的和为4的倍数;
7、第14位和第15位的和为5的倍数;
另外,软件注册后,会生成一个注册文件保存在如下位置:
c:\users\xfq\appdata\local/pdftoanyconvertertinforeg.txt
删除该文件后,会要求你重新注册。
注册成功后,显示界面如下:
两次发布被拒绝,是不是太长了,注册机放下一楼算了。。。。。。 |
免费评分
-
查看全部评分
|
[复制链接]
|
发表于 2019-3-23 01:56
