Cracking Tutorial : PDF Password Cracker Pro v3.0
Target : PDF Password Cracker Pro v3.0
Tool : OllyDebug DeFixeD
PEiD v0.95
Quick Unpack v2.1
PDF Password Cracker Professional edition allows you to search for "owner" and "user" passwords with brute-force and dictionary attacks, effectively optimized for speed (however, don't expect to recover long passwords in a reasonable time with these attacks).
Comment..!
This time we will bypass the registration of software that asks for a serial to register.
Time to Start
Open PDF Password Cracker Pro and see what appears...!
We are greeted by the registration dialog!
Trial: 50 times.
In the registration key field, enter "1234567890".
Click OK.
The message "Your registration key is wrong, please check it and try again." appears.
Step one:
Scan crackpdf.exe with PEiD to see what the program is packed with.
It is protected with "UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo".
Run Quick Unpack.
Open the file crackpdf.exe.
In OEP Finders, select ForceOEP by Feuerrader & Archer.
Click Full Unpack.
The Import Table appears; choose save.
Click exit.
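The packer identification that PEiD performs in this step can be reproduced by reading the PE section table directly, which is how an analyst triages a packed sample. This is an added example, not part of the original tutorial; `pe_sections`, `upx_indicators`, `build_sample` and the two sample images are constructed for illustration.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i                      # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw_size))
    return sections

def upx_indicators(data: bytes):
    """List the UPX signs present; an empty list means none were found."""
    secs = pe_sections(data)
    found = []
    if {"UPX0", "UPX1"} <= {name for name, _, _ in secs}:
        found.append("UPX0/UPX1 section names")
    if secs and secs[0][2] == 0 and secs[0][1] > 0:
        found.append("first section has no raw data (filled at run time)")
    if b"UPX!" in data:
        found.append("UPX! marker")
    return found

def build_sample(names, first_raw, tail=b""):
    """Constructed header-only PE image for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    table = b""
    for i, name in enumerate(names):
        raw = first_raw if i == 0 else 0x200
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), raw, 0x400) + b"\0" * 16
    return dos + coff + b"\0" * 0xE0 + table + tail

PACKED = build_sample(["UPX0", "UPX1", ".rsrc"], first_raw=0, tail=b"UPX!")
PLAIN = build_sample([".text", ".data", ".rsrc"], first_raw=0x200)

if __name__ == "__main__":
    print(upx_indicators(PACKED), upx_indicators(PLAIN))
```

Renamed sections defeat the name check, so the other two signals matter; none of the three is proof of packing by itself.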
Step two:
Open crackpdf__.exe (the unpacked file) with OllyDebug DeFixeD.
In "CPU - main thread, module crackpdf", right-click and choose "Search for", then "All Referenced Text Strings".
Scroll up, then right-click and choose "Search For Text".
In "Enter Text to Search For" enter "Your registration", uncheck case sensitive and check entire scope.
We land at
00407968 PUSH 004D2680 ASCII "Your registration key is wrong, please check it and try again."
Double-click the address above.
0040785A . |0F84 84000000 JE 004078E4
00407860 . |48 DEC EAX
00407861 . |0F85 79030000 JNZ 00407BE0
00407867 . |8BB424 E80000>MOV ESI,DWORD PTR SS:[ESP+E8] ; Case 2 of switch 00407848
0040786E . |68 C8000000 PUSH 0C8 ; /Count = C8 (200.)
00407873 . |B9 32000000 MOV ECX,32 ; |
00407878 . |33C0 XOR EAX,EAX ; |
0040787A . |BF 24764F00 MOV EDI,004F7624 ; |
0040787F . |68 24764F00 PUSH 004F7624 ; |Buffer = crackpdf.004F7624
00407884 . |68 14040000 PUSH 414 ; |ControlID = 414 (1044.)
00407889 . |56 PUSH ESI ; |hWnd
0040788A . |F3:AB REP STOS DWORD PTR ES:[EDI] ; |
0040788C . |FF15 E49A5000 CALL DWORD PTR DS:[<&user32.GetDlgItemTe>; \GetDlgItemTextA
00407892 . |68 24764F00 PUSH 004F7624
00407897 . |E8 04FAFFFF CALL 004072A0
0040789C . |83C4 04 ADD ESP,4
0040789F . |85C0 TEST EAX,EAX
004078A1 . |74 18 JE SHORT 004078BB
004078A3 . |6A 02 PUSH 2 ; /Result = 2
004078A5 . |56 PUSH ESI ; |hWnd
004078A6 . |C705 EC764F00>MOV DWORD PTR DS:[4F76EC],1 ; |
004078B0 . |FF15 E89A5000 CALL DWORD PTR DS:[<&user32.EndDialog>] ; \EndDialog
004078B6 . |E9 25030000 JMP 00407BE0
004078BB > |6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004078BD . |68 34274D00 PUSH 004D2734 ; |Title = "Software Registration"
004078C2 . |68 04274D00 PUSH 004D2704 ; |Text = "Please register PDF Password Cracker Pro 3.0!"
004078C7 . |56 PUSH ESI ; |hOwner
004078C8 . |FF15 EC9A5000 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA
004078CE . |6A 00 PUSH 0 ; /ExitCode = 0
004078D0 . |FF15 8C965000 CALL DWORD PTR DS:[<&kernel32.ExitProces>; \ExitProcess
004078D6 . |6A 02 PUSH 2 ; /Result = 2
004078D8 . |56 PUSH ESI ; |hWnd
004078D9 . |FF15 E89A5000 CALL DWORD PTR DS:[<&user32.EndDialog>] ; \EndDialog
004078DF . |E9 FC020000 JMP 00407BE0
004078E4 > |8BB424 E80000>MOV ESI,DWORD PTR SS:[ESP+E8] ; Case 1 of switch 00407848
004078EB . |68 C8000000 PUSH 0C8 ; /Count = C8 (200.)
004078F0 . |B9 32000000 MOV ECX,32 ; |
004078F5 . |33C0 XOR EAX,EAX ; |
004078F7 . |BF 24764F00 MOV EDI,004F7624 ; |
004078FC . |68 24764F00 PUSH 004F7624 ; |Buffer = crackpdf.004F7624
00407901 . |68 14040000 PUSH 414 ; |ControlID = 414 (1044.)
00407906 . |56 PUSH ESI ; |hWnd
00407907 . |F3:AB REP STOS DWORD PTR ES:[EDI] ; |
00407909 . |FF15 E49A5000 CALL DWORD PTR DS:[<&user32.GetDlgItemTe>; \GetDlgItemTextA
0040790F . |68 24764F00 PUSH 004F7624
00407914 . |E8 87F9FFFF CALL 004072A0
00407919 . |83C4 04 ADD ESP,4
0040791C . |85C0 TEST EAX,EAX
0040791E . |74 44 JE SHORT 00407964
00407920 . |6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00407922 . |68 F8264D00 PUSH 004D26F8 ; |Title = "Thank you."
00407927 . |68 C0264D00 PUSH 004D26C0 ; |Text = "Thank you purchased the PDF Password Cracker Pro v3.0."
0040792C . |56 PUSH ESI ; |hOwner
0040792D . |FF15 EC9A5000 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA
00407933 . |51 PUSH ECX
00407934 . |8BCC MOV ECX,ESP
00407936 . |896424 0C MOV DWORD PTR SS:[ESP+C],ESP
0040793A . |68 24764F00 PUSH 004F7624
0040793F . |E8 5D750700 CALL 0047EEA1
00407944 . |E8 07FCFFFF CALL 00407550
00407949 . |83C4 04 ADD ESP,4
0040794C . |C705 EC764F00>MOV DWORD PTR DS:[4F76EC],1
00407956 . |6A 01 PUSH 1 ; /Result = 1
00407958 . |56 PUSH ESI ; |hWnd
00407959 . |FF15 E89A5000 CALL DWORD PTR DS:[<&user32.EndDialog>] ; \EndDialog
0040795F . |E9 7C020000 JMP 00407BE0
00407964 > |6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00407966 . |6A 00 PUSH 0 ; |Title = NULL
00407968 . |68 80264D00 PUSH 004D2680 ; |Text = "Your registration key is wrong, please check it and try again."
We analyze them one by one because there are a lot of jumps.
We simply bypass addresses "00407861" and "004078A1" so that we can get straight in without registering.
Just replace the instructions at both addresses above with "NOP".
Double-click the address above, enter "NOP", then assemble, then cancel.
Right-click "Copy to Executable", then click "All Modification", then "Copy All".
Right-click again, choose "Save File" and overwrite with the same name.
Exit OllyDebug.
Run PDF Password Cracker Pro.
It goes straight into the program without registration....
15/06/09