Foreword: A few days ago I came across a request for help on the school forum about cracking a PDF that had been wrapped in an encrypting EXE, and a search of this forum turned up the same request. After reading up on the relevant methods, I contacted the requester, obtained a machine code and password pair that had been verified to work, and set about cracking it by machine-code replacement and extracting the PDF file. (Semi-original.) I have not managed to brute-force it without a password; if you have, feel free to reply to the post and discuss. For copyright reasons all identifying software information has been redacted and the file is not uploaded as a sample; only the method is provided for discussion and reference. This article is for study and research purposes only; the content must not be used for commercial or illegal purposes, otherwise the user bears all consequences and I accept no responsibility.
Reference write-ups:
1. (hyperlink visible after login)
2. (hyperlink visible after login)
Tools: ExeinfoPE (packer detection and basic PE information), OD (needs no introduction), Process Monitor + Process Explorer (process and file-operation monitoring), PCHunter (for the final file extraction), Adobe Acrobat DC Pro (Adobe's PDF viewer, for editing and export).
Main text: As usual, first check the file for a packer with ExeinfoPE.
Written in Delphi, apparently not packed. I tried opening it directly in a virtual machine.
Sure enough, it is not that simple: there is virtual-machine detection, and the program exits as soon as you click. I did not defeat this VM detection; I did everything directly on Windows 10 (not recommended: if the program contains a hidden trap that formats the disk, shuts the machine down, etc., this is very dangerous). First, defeating the detection is a hassle, and second, my skills may not be up to it. If you are good at this, give it a try. Everything that follows was done on Windows 10; it is best to turn Defender off while working, because it may block or flag the My Love toolkit.
After launching the EXE, the interface looks like the picture, and a folder named drmsoft is created in the root of the C: drive. A Baidu search for that name turns up the vendor's business information.
Drag the file into OD and open Process Explorer, Process Monitor and PCHunter. Following reference write-up 2, press Ctrl+G in OD and jump to address 00401000 (this address should be familiar; it is the usual program entry point), then use the Chinese search plugin's intelligent search to find the string shown in the figure (the last string, the one of 00000).
Double-click to jump there, set a breakpoint with F2 at the place shown in figure 2 (at the second of the two movs between the three calls), and then press F9 to run the program.
Once the breakpoint hits, this machine's machine code appears in the window, as shown in the figure.
Right-click the machine code, choose "Follow in Data Window", select the machine code bytes below, right-click Binary > Edit, and replace them with the machine code that has been verified to work.
After the replacement press F9 to continue running; you can see that the machine code shown in the software's interface has changed to the one above.
In Process Explorer, find the process (a child process under OD) and note its PID. In Process Monitor, clear the events, stop the capture, set a filter on that PID, and turn the capture back on.
Then paste in the password that goes with the machine code, and the file opens successfully. Click Print in the upper right, and a window pops up saying printing is prohibited. Once the software is open, screenshots are prohibited (the clipboard is disabled) and certain programs and windows are blocked from opening (copyright / anti-theft); the only way to capture the content is to photograph the screen with a phone (image quality will be poor).
Alternatively, use OD to search for the "printing prohibited" string, find the key instruction, and simply NOP the jnz that decides whether printing starts.
Note: the system's Print Spooler service must also be enabled for printing to work.
At this point I thought I would be able to print to PDF and that the job was done, but when I printed I got the error shown and the program crashed. (PS: if you do not get this error, just carry on as in reference write-up 1.)
None of the fixes Baidu turned up solved this Access Violation, which was frustrating. That is where the Process Explorer, Process Monitor and PCHunter mentioned above come in.
By now Process Monitor should have captured a great many events. Guessing that the software works by dropping temporary (.tmp) files, I looked only at the file operations in Process Monitor.
I noticed that while running, the software dropped a temporary file named 6b5df in C:\Users\<username>\AppData\Local\Temp and guessed that this was the PDF (note that Process Monitor shows many other operations on this file, and many more temporary files appear later, but here you only need the temporary file that appears first).
Next, in PCHunter's file view, expand C:\Users\<username>\AppData\Local\Temp, find the file named 6b5df.tmp and double-click it. In the "open with" dialog that pops up, choose Adobe Acrobat DC.
Finally, the PDF opened successfully; on checking, it was still 126 pages and the file was complete.
Finally, use Save As to export it as a PDF file, and the extraction is done.
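A structural check of the extracted file, as an added example that is not part of the original post: it confirms the %PDF- header and %%EOF trailer are present and that the number of /Page objects matches the /Count declared by the page tree (the "still 126 pages" check above), without opening the file in a viewer. build_sample_pdf is a constructed stand-in for the extracted .tmp, not a real sample.

```python
import re

# Regexes over raw PDF bytes. The \b after "Page" rejects "/Pages".
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
PAGES_RE = re.compile(rb"/Type\s*/Pages\b")
PAGE_RE = re.compile(rb"/Type\s*/Page\b")
COUNT_RE = re.compile(rb"/Count\s+(\d+)")


def check_pdf(data: bytes) -> dict:
    """Structural sanity check of a PDF held in memory. Only uncompressed
    object dictionaries are inspected; a page tree stored in object streams
    (PDF 1.5+) shows pages_found == 0 and needs a real parser instead."""
    header_ok = data.startswith(b"%PDF-")
    trailer_ok = data.rstrip().endswith(b"%%EOF")   # truncated dumps fail here
    declared, found = [], 0
    for body in OBJ_RE.findall(data):
        if PAGES_RE.search(body):
            m = COUNT_RE.search(body)
            if m:
                declared.append(int(m.group(1)))
        elif PAGE_RE.search(body):
            found += 1
    # The root /Pages node carries the document total; intermediate nodes
    # carry partial counts, so the maximum is the real page count.
    declared_pages = max(declared, default=0)
    return {
        "header_ok": header_ok,
        "trailer_ok": trailer_ok,
        "declared_pages": declared_pages,
        "pages_found": found,
        "complete": header_ok and trailer_ok and found > 0 and found == declared_pages,
    }


def build_sample_pdf(n_pages: int) -> bytes:
    """Constructed test input: a minimal uncompressed n-page PDF (no xref
    table, so it exercises check_pdf but is not meant for a viewer)."""
    kids = " ".join(f"{3 + i} 0 R" for i in range(n_pages))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            f"<< /Type /Pages /Kids [{kids}] /Count {n_pages} >>".encode()]
    objs += [b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"] * n_pages
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        out += f"{num} 0 obj\n".encode() + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Run check_pdf on the bytes of the recovered file; a mismatch between declared_pages and pages_found, or a missing %%EOF, means the dump was partial rather than the complete document.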