2: Obtain a copy of ollydbg at http://www.ollydbg.de
Start PDF2Word and you will see a screen with title "Please register .."
Type in an email address and a bogus registration key and hit OK.
Write down the error message you get since we will need it later on: "Series number error, please check it and try again."
Now close pdf2word and start Ollydbg. From within ollydbg go to file, open and browse to C:Program FilesPDF2Word v1.6 and select pdf2rtf.exe.
Once the program is loaded right-click somewhere in the code table and select Search for
Then select All referenced text strings".
A new window will open with all text strings in the program. Scroll up and right-click once more.
Now select [i]Search for text and put in the errorstring you had earlier in the program: "Series number error, please check it and try again.".
deselect "Case Sensitive" and press OK.
You will see the following line highlighted:
00429F6F | PUSH pdf2rtf.00468270 | ASCII "Series number error, please check it and try again."
Now press <F2> to put a breakpoint on it. Directly above you will find some other strings
which might be of interest as well so put a breakpoint on them to. These are: "Thank you registered" and "Thank you registered VeryPDF PDF2Word v1.6."
Now double click on one of the lines and press <F9> to start the program.
The registration window will come up again, so now put in an email address, a dummy registration-key
and press OK.
Go back to Olly and you will see the following line highlighted:
00429F6F . 68 70824600 PUSH pdf2rtf.00468270 ; |Text = "Series number error, please check it and try again."
This is our error message again and the program has stopped right before displaying it.
You can see this error message is part of a [color=red]MessageBoxA[/color] call, this is the
API responsible for displaying the Message. If you look a couple of lines earlier you will
see another MessageBoxA call where instead of our errormessage now the
message "Thank you registered VeryPDF PDF2Word v1.6." is located.
This means that if we have the correct serial it will display the registered message, and if
we don't we will get the error.
The program will need to decide if your serial is correct before it can display any of these
messages. The code to do so is usually located close to the messages so scroll up a bit until
you see a piece of code containing a JNE,JE,JNZ or JZ. These are jumps that occur when a specific
event is met.
Usually the event is tested in the code directly in front of it.
In this case you should end up at the following lines:
00429F2E . 85C0 TEST EAX,EAX
00429F30 . 74 39 JE SHORT pdf2rtf.00429F6B
As you can see EAX is tested against itself which in this case will jump to 00429F6B if
EAX has the value 0.
if we trace the jump we will see that it will jump over the registered message and end up
right before the error message. This means that if EAX = 0 we will get the error message and
our serial is wrong.
At this point we could remove the JE SHORT pdf2rtf.00429F6B code and fill it with
NOP so we will always get the correct message since the jump is never made, but that won't help
here cause if you restart the program it will still ask you to register.
So we need to continue our search. We need to figure out where EAX is getting it's value from.
2 lines above TEST EAX,EAX we see
00429F26 . E8 F5F7FFFF CALL pdf2rtf.00429720
This is a call to a function somewhere else in the program and you can bet your life it is this
function that sets the EAX value.
And so we need to figure out what this function does. To do this we will put another breakpoint
at CALL pdf2rtf.00429720 by highlighting the line and press <F2>.
Now we want to restart the program to make it break on the function call. This is done by
pressing <CTRL>+<F2>. Select YES to the question asked (press left arrow and hit enter) and the program is restarted.
Now press <F9> again to let the program run.
You will see the registration box pop-up again, so put in an email address and a bogus serial and press OK.
As you can see the program will break on the CALL pdf2rtf.00429720 line.
Now press <F7> to step into the call.
The first 4 lines are not of interest to us so we will start analyzing the code from 00429725.
The code we have there is
I've copied the entire block until the first check of the serial above to safe space, so refer
to above code in this explanation.
1st line --> move our entered serial to ESI
2nd line --> not important
3rd line --> move the first byte (character) of our serial into AL
4th line --> move the second byte (first+1) of our serial into CL
5th line --> move the 13th byte (first+E) of our serial into DL
6th line --> move content of AL (first character of our serial) into [ESP+18]
7th line --> clear the contents of AL
8th line --> move the content of CL (second character) into [ESP+30]
9th line --> move the 14th byte (first+F) of our serial into CL
10th,11th,12th,13th line --> clear the contents of [ESP+19],[ESP+31],[ESP+25] & [ESP+D] since AL still is empty.
14th line --> move the third byte (first+2) of our serial into AL
15th line --> compare content of AL with 0x24 (hex for the $ sign)
16th line --> move the 13th byte of our serial into [ESP+24]
17th line --> move the 14th byte of our serial into [ESP+C]
18th line --> Jump to 004297B0 if AL is not equal to 24 ($ sign).
If you trace the jump in the 18th line you will see that it jumps to the following code:
004297B0 |> 5F POP EDI
004297B1 |. 5E POP ESI
004297B2 |. 33C0 XOR EAX,EAX
004297B4 |. 5D POP EBP
004297B5 |. 83C4 30 ADD ESP,30
004297B8 . C3 RETN
Which means so much as restore values, set EAX to 0 and return from where we were called.
If we let this happen then EAX will be 0 which will give us the error message.
So what do we know now from this code?
- AL should be equal to 0x24 or we will get the error message
- the program moves the third character of our serial into AL before comparing it to 0x24
- the program moves the 14th byte of our serial into CL
from above we can conclude that the third character of our serial should be a $ sign and
that our serial should be at least 14 characters long since the 14th character is moved.
So our serial will be something like: ..$...........
Let's analyze it:
1st line --> move the address of the function MSVCRT.atoi to EDI atoi is a function which converts ASCII characters to integers (numbers).
2nd line --> put the 16th byte of our serial into EDI
3rd line --> push our byte to the stack as an argument to atoi
4th line --> call atoi. the result will be in EAX
5th line --> move content of EAX into EBP
6th line --> move the first byte of our serial into EAX
7th line --> push our byte to the stack as an argument to atoi
8th line --> call atoi. the result will be in EAX
9th line --> add EAX to EBP and store the result in EBP
10th line --> not important to us
11th line --> compare EBX with the value 0x0A (10)
12th line --> if EBX is not 0x0A then jump to 004297B0 (put 0 into EAX and return).
[/quote] NOTE:You probably wonder how i figured out which byte is used to put into atoi, well here
it is: I've put in serials multiple times with different digits as values and compared them to
the output of atoi in EAX. This resulted in the corresponding bytes.
What do we know from this code?
- our 16th byte is put into EDI, this means that our serial must be at least 16 characters long
- the 16th byte is put into atoi, which means it much have a value between 0-9
- the 1st byte is put into atoi as well, which also means it must have a value between 0-9
- the value of our first byte is added to the value of our 16th byte and together they must be
equal to 0xA (10).
So now we have the following serial: 1.$............9
as you can imagine the values of our 1st and 16th byte can be anything as long as they both
are digits and when added to each other are equal to 10 decimal.
Let's analyze it:
1st line --> our 15th byte is put into ECX
2nd line --> push our byte to the stack as an argument to atoi
3rd line --> call atoi. the result will be in EAX
4th line --> our 2nd byte is put into EDX
5th line --> move the result of atoi into EBP
6th line --> push our 2nd byte to the stack as an argument to atoi
7th line --> call atoi. the result will be in EAX
8th line --> add the result of our 15th and 2nd byte together and store in EBP
9th line --> not important to us.
10th line --> check if our 15th byte + our 2nd byte added together is equal to 0x0A (10).
11th line --> if not, then another jump to 004297B0
As you can see this code is very similar to the codeblock before, so i won't explain it any
Now we have the following serial: 12$...........89
We still need to analyze some code, but we're getting somewhere ;-)
Lets take a look at the final piece of code from this call:
00429798 |. 807E 03 24 CMP BYTE PTR DS:[ESI+3],24
0042979C |. 75 12 JNZ SHORT pdf2rtf.004297B0
0042979E |. 8A4E 05 MOV CL,BYTE PTR DS:[ESI+5]
004297A1 |. 33C0 XOR EAX,EAX
004297A3 |. 80F9 23 CMP CL,23
004297A6 |. 5F POP EDI
004297A7 |. 5E POP ESI
004297A8 |. 5D POP EBP
004297A9 |. 0F94C0 SETE AL
004297AC |. 83C4 30 ADD ESP,30
004297AF |. C3 RETN
1st line --> since ESI still contains our serial, the 4th byte is now checked against value 0x24
2nd line --> if not equal, then goto the famous 004297B0
3rd line --> move our 6th byte to CL
4th line --> check if our 6th byte is equal to 0x23 (# sign)
5th,6th,7th line --> not important
8th line --> sets the byte in AL to 1 if our check above is equal
9th line --> not important
10th line --> return to where this call was called from.
What we see here is that our 4th byte is compared to 0x24 ($ sign remember?) as well and that
the 6th byte is compared to 0x23 (the # sign).
If that is correct then AL is set to 1 meaning EAX won't be 0 and so causing the program to
give the registered message.
-check if 3th == $
-check if 1st + 16th == 10
-check if 15th + 2nd == 10
-check if 4th == $
-check if 6th == #
All other characters are of no importance to create a valid serial so our result will be:
You can fill in the remaining dots with anything you like and as long as the rules above are
correct you can change the 1th,2nd,15th and 16th byte as well.
Now close OllyDbg and start PDF2Word.
Enter your email-address and enter one of your newly created serials.
When you press ok you will be thanked for registering. You're welcome ;-)
The result of your entered information is put in a string and written to %WINDIR%system32pdf2word.dat
In case you want another serial just delete the dat file and put in a new one.
Of course this is a very simple protection, but it is a nice example to cover the basics of
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 29 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.