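Acrobat Reader 5.1 (Chinese edition) + Windows 2000 SP0 + SoftICE
PDF files downloaded from the Internet can often only be read once opened; functions such as printing and copying are disabled. A few days ago I happened to have such a file that urgently needed printing. The cracking process is as follows:
1. Start SoftICE.
2. Start Acrobat Reader and open the file you want to read.
3. Press Ctrl+D to bring up SoftICE and set the breakpoint bpx Enablemenuitem
4. Click the File menu in Reader.
5. Press F12 three times, then look back up through the code to find the following: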
:00414E71 55 push ebp
:00414E72 8BEC mov ebp, esp
:00414E74 A130F17400 mov eax, dword ptr [0074F130]
:00414E79 56 push esi
:00414E7A 8BF1 mov esi, ecx
:00414E7C 8B8818020000 mov ecx, dword ptr [eax+00000218]
:00414E82 85C9 test ecx, ecx
:00414E84 741A je 00414EA0
:00414E86 FF7514 push [ebp+14]
:00414E89 8B01 mov eax, dword ptr [ecx]
:00414E8B FF7510 push [ebp+10]
:00414E8E FF750C push [ebp+0C]
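:00414E91 FF7508 push [ebp+08]
6. Clear all breakpoints, then set a breakpoint here and press F5 to run. You can see the value being pushed, which is the menu ID. Run repeatedly until you reach push 1784 (the ID of Print...).
:00414E94 FF500C call [eax+0C]
7. Step into this call; it leads to the following routine.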
-----------------------------------------------------------------
:00411233 55 push ebp
:00411234 8BEC mov ebp, esp
:00411236 8D4508 lea eax, dword ptr [ebp+08]
:00411239 56 push esi
:0041123A 50 push eax
:0041123B 83C138 add ecx, 00000038
:0041123E FF7508 push [ebp+08]
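:00411241 E853450000 call 00415799
8. This routine fetches the attribute table of each Reader menu item (a provisional name for now).
Careful analysis of the routine at 415799 reveals a very important data structure in Acrobat Reader. Acrobat Reader divides all menu items into 11 groups, i.e.
MenuGroup *MenuGroupArray[11];
Which group a particular menu item belongs to can be computed from its ID: MenuGroupNo=(ID>>4) mod 11;
MenuGroup itself is a linked list:
struct MenuGroup{
MenuGroup * PrevMenuGroup;
DWORD MenuGroupNo;
DWORD MenuID;
MenuAttribute * MenuAttrPtr;
};
Once the ID of a menu item is known, the most important piece of data is MenuAttrPtr. With this value you can find the attributes of each menu item and the routine that the menu item executes.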
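The lookup described above, as an added C example that is not code from Acrobat Reader or from the original post: it models the 11 groups and the chained MenuGroup nodes and returns MenuAttrPtr for a given menu ID. The MenuAttribute contents, menu_insert, menu_lookup and the sample IDs other than 1784 are hypothetical, and 1784 is assumed to be hexadecimal.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define GROUPS 11

typedef struct MenuAttribute { const char *name; } MenuAttribute; /* contents hypothetical */
typedef struct MenuGroup {
    struct MenuGroup *PrevMenuGroup;   /* link to the next node to check in this group */
    uint32_t MenuGroupNo;
    uint32_t MenuID;
    MenuAttribute *MenuAttrPtr;
} MenuGroup;

static MenuGroup *MenuGroupArray[GROUPS];

/* Group index as given in the text: (ID >> 4) mod 11. */
unsigned menu_group_no(uint32_t id) { return (id >> 4) % GROUPS; }

/* Hypothetical registration: link the node at the head of its group's chain. */
void menu_insert(MenuGroup *node, uint32_t id, MenuAttribute *attr) {
    unsigned g = menu_group_no(id);
    node->MenuGroupNo = g;
    node->MenuID = id;
    node->MenuAttrPtr = attr;
    node->PrevMenuGroup = MenuGroupArray[g];
    MenuGroupArray[g] = node;
}

/* Walk the chain of the ID's group; NULL when the ID is not registered. */
MenuAttribute *menu_lookup(uint32_t id) {
    for (MenuGroup *n = MenuGroupArray[menu_group_no(id)]; n; n = n->PrevMenuGroup)
        if (n->MenuID == id) return n->MenuAttrPtr;
    return NULL;
}

/* Constructed sample data: 0x1784 is the Print ID from step 6 read as hex
   (assumption); 0x1834 and 0x18E0 are made up and fall in the same group. */
static MenuAttribute print_attr = { "Print" }, other_attr = { "Other" };
static MenuGroup nodes[2];

/* Registers two colliding IDs once and checks two hits and one miss. */
int demo(void) {
    menu_insert(&nodes[0], 0x1784, &print_attr);
    menu_insert(&nodes[1], 0x1834, &other_attr);
    return menu_lookup(0x1784) == &print_attr && menu_lookup(0x1834) == &other_attr
        && menu_lookup(0x18E0) == NULL;
}

int main(void) { printf("group=%u ok=%d\n", menu_group_no(0x1784), demo()); return 0; }
```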
:00411246 8BF0 mov esi, eax;esi=*MenuAttrPtr
:00411248 F7DE neg esi
:0041124A 1BF6 sbb esi, esi
:0041124C 237508 and esi, dword ptr [ebp+08]
:0041124F 85F6 test esi, esi
:00411251 7440 je 00411293
:00411253 57 push edi
:00411254 8B7D10 mov edi, dword ptr [ebp+10]
:00411257 85FF test edi, edi
:00411259 742B je 00411286
:0041125B 53 push ebx
:0041125C 8B1F mov ebx, dword ptr [edi]
:0041125E 56 push esi;ESI=*MenuAttrPtr
:0041125F E8387A0700 call 00488C9C
9. The return value of this call directly affects the EnableMenuItem call below; step into it.
:00411264 0FB7C0 movzx eax, ax
:00411267 59 pop ecx
:00411268 50 push eax
:00411269 8BCF mov ecx, edi
:0041126B FF13 call dword ptr [ebx]
10. EnableMenuItem is called inside this routine.
:0041126D 8B1F mov ebx, dword ptr [edi]
:0041126F 56 push esi
:00411270 E8C07A0700 call 00488D35
:00411275 66F7D8 neg ax
:00411278 1BC0 sbb eax, eax
:0041127A 59 pop ecx
:0041127B F7D8 neg eax
:0041127D 50 push eax
:0041127E 8BCF mov ecx, edi
:00411280 FF5304 call [ebx+04]
:00411283 5B pop ebx
:00411284 EB07 jmp 0041128D
------------------------------------------------------------------
:00488C9C B890C36900 mov eax, 0069C390
:00488CA1 E8DAFDFDFF call 00468A80;installs the SEH exception handler
:00488CA6 83EC18 sub esp, 00000018
:00488CA9 53 push ebx
:00488CAA 56 push esi
:00488CAB 8B7508 mov esi, dword ptr [ebp+08]
:00488CAE 57 push edi
:00488CAF 33FF xor edi, edi
:00488CB1 8965F0 push 00000001
:00488CC2 5B pop ebx
:00488CC3 895D08 mov dword ptr [ebp+08], ebx
:00488CC6 7450 je 00488D18
:00488CC8 57 push edi
:00488CC9 E8ECE4FFFF call 004871BA
:00488CCE 6685C0 test ax, ax
:00488CD1 59 pop ecx
:00488CD2 7544 jne 00488D18
:00488CD4 53 push ebx
:00488CD5 E830E5FFFF call 0048720A
:00488CDA 59 pop ecx
:00488CDB 897DFC mov dword ptr [ebp-04], edi
:00488CDE E8FF141700 call 005FA1E2
:00488CE3 8945EC mov dword ptr [ebp-14], eax
:00488CE6 8B08 mov ecx, dword ptr [eax]
:00488CE8 894DE4 mov dword ptr [ebp-1C], ecx
:00488CEB 8D4DE4 lea ecx, dword ptr [ebp-1C]
:00488CEE 8908 mov dword ptr [eax], ecx
:00488CF0 C745E8C3A15F00 mov [ebp-18], 005FA1C3
:00488CF7 FF7634 push [esi+34]
:00488CFA 885DFC mov byte ptr [ebp-04], bl
:00488CFD FF5630 call [esi+30]
11. *(*MenuAttrPtr+30) is the routine that belongs to each individual menu item; here it is call 49f7c4.
------------------------------------------------------------------------------
:0049F7C4 56 push esi
:0049F7C5 FF742408 push [esp+08]
:0049F7C9 E8B6F4FFFF call 0049EC84
:0049F7CE 8BF0 mov esi, eax
:0049F7D0 59 pop ecx
:0049F7D1 85F6 test esi, esi
:0049F7D3 7429 je 0049F7FE
:0049F7D5 6A0A push 0000000A
:0049F7D7 6A01 push 00000001
:0049F7D9 56 push esi
:0049F7DA E8BFEEFDFF call 0047E69E
12. Step into it.
:0049F7DF 83C40C add esp, 0000000C
:0049F7E2 6685C0 test ax, ax
:0049F7E5 7512 jne 0049F7F9
:0049F7E7 6A0B push 0000000B
:0049F7E9 6A01 push 00000001
:0049F7EB 56 push esi
:0049F7EC E8ADEEFDFF call 0047E69E
:0049F7F1 83C40C add esp, 0000000C
:0049F7F4 6685C0 test ax, ax
:0049F7F7 7405 je 0049F7FE
--------------------------------------------------------------------
:0047E69E 53 push ebx
:0047E69F 8B5C2410 mov ebx, dword ptr [esp+10];0A
:0047E6A3 56 push esi
:0047E6A4 8B74240C mov esi, dword ptr [esp+0C];*MenuAttrPtr
:0047E6A8 57 push edi
:0047E6A9 8B7C2414 mov edi, dword ptr [esp+14];01
:0047E6AD 83FF01 cmp edi, 00000001
:0047E6B0 7523 jne 0047E6D5
:0047E6B2 83FB13 cmp ebx, 00000013
:0047E6B5 751E jne 0047E6D5
13. The jump is taken.
:0047E6B7 85F6 test esi, esi
:0047E6B9 7504 jne 0047E6BF
:0047E6BB 33C0 xor eax, eax
:0047E6BD EB03 jmp 0047E6C2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047E6B9(C)
|
:0047E6BF 8B4650 mov eax, dword ptr [esi+50]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047E6BD(U)
|
:0047E6C2 50 push eax
:0047E6C3 E884CF0600 call 004EB64C
:0047E6C8 50 push eax
:0047E6C9 E8984E0900 call 00513566
:0047E6CE 59 pop ecx
:0047E6CF 6685C0 test ax, ax
:0047E6D2 59 pop ecx
:0047E6D3 7463 je 0047E738
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047E6B0(C), :0047E6B5(C)
|
:0047E6D5 56 push esi;esi=*MenuAttrPtr
:0047E6D6 E874FFFFFF call 0047E64F
:0047E6DB 6685C0 test ax, ax
:0047E6DE 59 pop ecx
:0047E6DF 7429 je 0047E70A;jump taken
:0047E6E1 83FF01 cmp edi, 00000001
:0047E6E4 7415 je 0047E6FB
:0047E6E6 83FF02 cmp edi, 00000002
:0047E6E9 7409 je 0047E6F4
:0047E6EB 761D jbe 0047E70A
:0047E6ED 83FF08 cmp edi, 00000008
:0047E6F0 7718 ja 0047E70A
:0047E6F2 EB44 jmp 0047E738
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047E6E9(C)
|
:0047E6F4 83FB05 cmp ebx, 00000005
:0047E6F7 7411 je 0047E70A
:0047E6F9 EB3D jmp 0047E738
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047E6E4(C)
|
:0047E6FB 83FB04 cmp ebx, 00000004
:0047E6FE 7438 je 0047E738
:0047E700 83FB14 cmp ebx, 00000014
:0047E703 7433 je 0047E738
:0047E705 83FB09 cmp ebx, 00000009
:0047E708 742E je 0047E738
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047E6DF(C), :0047E6EB(C), :0047E6F0(C), :0047E6F7(C)
|
:0047E70A 8D4610 lea eax, dword ptr [esi+10];MenuAttrPtr+10
:0047E70D 85C0 test eax, eax
:0047E70F 742C je 0047E73D
:0047E711 8B08 mov ecx, dword ptr [eax]
:0047E713 83F938 cmp ecx, 00000038
:0047E716 7625 jbe 0047E73D;jump taken
:0047E718 6683783800 cmp word ptr [eax+38], 0000
:0047E71D 741E je 0047E73D
:0047E71F 83F93C cmp ecx, 0000003C
:0047E722 7619 jbe 0047E73D
:0047E724 8B403C mov eax, dword ptr [eax+3C]
:0047E727 85C0 test eax, eax
:0047E729 7412 je 0047E73D
:0047E72B 53 push ebx
:0047E72C 57 push edi
:0047E72D 56 push esi
:0047E72E FFD0 call eax
:0047E730 83C40C add esp, 0000000C
:0047E733 6685C0 test ax, ax
:0047E736 7405 je 0047E73D
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047E6D3(C), :0047E6F2(U), :0047E6F9(U), :0047E6FE(C), :0047E703(C)
|:0047E708(C)
|
:0047E738 6633C0 xor ax, ax
:0047E73B EB1E jmp 0047E75B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047E70F(C), :0047E716(C), :0047E71D(C), :0047E722(C), :0047E729(C)
|:0047E736(C)
|
:0047E73D 85F6 test esi, esi
:0047E73F 7504 jne 0047E745;jump taken
:0047E741 33C0 xor eax, eax
:0047E743 EB03 jmp 0047E748
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047E73F(C)
|
:0047E745 8B4650 mov eax, dword ptr [esi+50]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047E743(U)
|
:0047E748 6A00 push 00000000
:0047E74A 53 push ebx
:0047E74B 57 push edi
:0047E74C 50 push eax
:0047E74D E842EB0A00 call 0052D294;14. Step into this routine
:0047E752 83C410 add esp, 00000010
:0052D294 55 push ebp
:0052D295 8BEC mov ebp, esp
:0052D297 53 push ebx
:0052D298 56 push esi
:0052D299 57 push edi
:0052D29A 8B7D08 mov edi, dword ptr [ebp+08];*MenuAttrPtr
:0052D29D 85FF test edi, edi
:0052D29F 7508 jne 0052D2A9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052D3DB(C)
|
:0052D2A1 6633C0 xor ax, ax
:0052D2A4 E943010000 jmp 0052D3EC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052D29F(C)
|
:0052D2A9 8B4770 mov eax, dword ptr [edi+70];15. The menu item's attribute; if printing is allowed, this is 0.
:0052D2AC 85C0 test eax, eax
:0052D2AE 7405 je 0052D2B5
:0052D2B0 8B5808 mov ebx, dword ptr [eax+08]
:0052D2B3 EB02 jmp 0052D2B7
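Patch the program: open acro32.exe in UltraEdit, search for 8B477085C074058B5808, and change 8B4770 to 33c090 (xor EAX,EAX; NOP).
Save and exit.
Run the patched ACRO32.EXE.
Open a file that has print restrictions; the Print menu item can now be clicked. Select some text and right-click: "Copy" and "Select All" are both available.
Written briefly for lack of time; make do with it.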