1. 序言 之前因同事需要,破解过Asprise OCR 4.0试用版本,对这个库比较有印象。目前最新版本为15.3,网上已经能下载到它的试用破解版本,但似乎没有看到此版本的破解文章。AspriseOCR 15.3与4.0比较,基本上没有加强保护强度,因此破解方法也可以参考网上公布的4.0版本的破解方法,只有一点点不同。AspriseOCR 15.3破解方法相当简单,甚至都用不到OllyDbg,用IDA 分析一下,找到关键修改一下就OK了。当然,这毕竟是免费试用版本,如果有经济条件的话,还是建议去购买官方正式版本。 2. 介绍 Asprise OCR是一个强大的商业的OCR(光学字符识别)库,支持文字识别和二维码识别。AspriseOCR SDK有Java、C# .net、VB .net、Python、C/C++、Pascal等众多语言版本,并支持Windows、Linux、Mac OSX等操作系统平台。本篇对AspriseOCR SDK 15.3 C/C++ Windows免费试用版本进行破解,其他语言和平台版本相差不大,可依葫芦画瓢。官方下载链接:http://asprise.com/royalty-free-library/c-c++-ocr-for-windows-mac-linux-download.html 3. 编写demo 官方提供的C++ Windows免费试用版本,包含了一个头文件(asprise_ocr_api.h)和一个DLL文件(aocr.dll)。官方页面中也提供了C/C++ demo代码,但没提供相应的C/C++demo程序,因此需要自己编写demo程序,主要代码如下,不多说 void testOcr() { const char * libFolder = "libaocr"; LIBRARY_HANDLE libHandle = dynamic_load_aocr_library(libFolder); // one time setup int setup = c_com_asprise_ocr_setup(false); // starts the ocr engine; the pointer must be of long long type long long ptrToApi = c_com_asprise_ocr_start("eng", OCR_SPEED_FAST, NULL, NULL, NULL); char * s = c_com_asprise_ocr_recognize(ptrToApi, "image.png", -1, -1, -1, -1, -1, OCR_RECOGNIZE_TYPE_ALL, OCR_OUTPUT_FORMAT_PDF, "PROP_PDF_OUTPUT_FILE=result.pdf|PROP_PDF_OUTPUT_TEXT_VISIBLE=true|\ PROP_PDF_OUTPUT_RETURN_TEXT=text", "|", "="); std::cout << "Returned: " << s << std::endl; // do more recognition here ... // finally, stops the OCR engine. c_com_asprise_ocr_stop(ptrToApi); dynamic_unload_aocr_library(libHandle); } 运行效果: 1) 每次运行时,有一定概率会弹出如下提示: 2) 过期后提示 4. 分析DLL1) 用IDA加载aocr.dll。 2) 打开字符串列表窗口,搜索“evaluating Asprise”,找到其引用位置,F5反编译,得到如下代码: BOOL sub_1005B820() { signed int v0; // edi@1 signed __int64 v1; // rax@12 void *v2; // esi@13 char *v3; // eax@16 char *v4; // ebx@16 DWORD dwDisposition; // [sp+Ch] [bp-128h]@1 __int64 v7; // [sp+10h] [bp-124h]@1 BYTE v8[4]; // [sp+1Ch] [bp-118h]@6 HKEY phkResult; // [sp+20h] [bp-114h]@1 BYTE Data[4]; // [sp+24h] [bp-110h]@3 CHAR SubKey; // [sp+28h] [bp-10Ch]@1 sub_1025AF9F(&v7); sprintf_s(&SubKey, 0x100u, "Software\\Lab Asprise!\\%s\\%s\\Settings", "Asprise OCR", "15.3"); v0 = 0; if ( RegCreateKeyExA(HKEY_CURRENT_USER, &SubKey, 0, 0, 0, 0xF003Fu, 0, &phkResult, &dwDisposition) ) { v0 = 5; LABEL_16: v3 = (char *)sub_10257E26(256); v4 = v3; if ( v0 == 1 ) sprintf_s( v3, 0x100u, "Evaluation license expired (%s %s). Please remove the evaluation kit from your computer.", "Asprise OCR", "15.3"); else sprintf_s( v3, 0x100u, "Evaluation license control error #%d (%s %s). Please contact us at [email protected].", v0, "Asprise OCR", "15.3"); j_j__free(v4); v2 = (void *)sub_10257E26(512); sub_1025845D(v2, "%s?m=eval_error&p=%s&v=%s&e=%d", (unsigned int)"http://asprise.com/license-mesg.html"); MessageBoxA(0, v4, "Sorry, an error occurred", 0x40010u); goto LABEL_20; } if ( dwDisposition == 1 ) { *(_DWORD *)Data = v7; if ( RegSetValueExA(phkResult, "sys-DO-NOT-MODIFY", 0, 4u, Data, 4u) ) v0 = 2; } else if ( dwDisposition == 2 ) { *(_DWORD *)Data = 4; if ( RegQueryValueExA(phkResult, "sys-DO-NOT-MODIFY", 0, 0, v8, (LPDWORD)Data) ) { v0 = 3; } else if ( v7 >= (unsigned int)(*(_DWORD *)v8 + 2592000) ) { v0 = 1; } } else { v0 = 4; } RegCloseKey(phkResult); if ( v0 ) goto LABEL_16; sub_1025A11E(); ++dword_10635F4C; LODWORD(v1) = sub_1025AF9F(0); if ( !(v1 % 4) ) { v2 = (void *)sub_10257E26(512); sub_1025845D(v2, "%s?m=ok&p=%s&v=%s&e=%d", (unsigned int)"http://asprise.com/license-mesg.html"); if ( MessageBoxA( 0, "Thank you for evaluating Asprise products. \n" "Click the 'Yes' button below to visit our website or 'No' to continue: ", "Asprise Software - asprise.com", 0x1124u) != 6 ) { LABEL_21: j_j__free(v2); return v0 == 0; } LABEL_20: ShellExecuteA(0, "open", (LPCSTR)v2, 0, 0, 1); goto LABEL_21; } return v0 == 0; } 以上就是试用检测的关键代码,流程简要分析如下: 1) 第一个调用函数sub_1025AF9F的反编译代码如下: signed __int64 __cdecl sub_1025AF9F(signed __int64 *a1) { signed __int64 result; // rax@1 struct _FILETIME SystemTimeAsFileTime; // [sp+0h] [bp-8h]@1 GetSystemTimeAsFileTime(&SystemTimeAsFileTime); result = (*(_QWORD *)&SystemTimeAsFileTime - 116444736000000000i64) / 0x989680ui64; if ( result > 32535244799i64 ) result = -1i64; if ( a1 ) *a1 = result; return result; } 这实际上就是C运行库的time函数 2) 写注册表 *(_DWORD *)Data = v7; if ( RegSetValueExA(phkResult, "sys-DO-NOT-MODIFY", 0, 4u, Data, 4u) ) 写注册表的数据参数Data,源自v7,而v7是time函数调用的结果。以上是将初始时间写入到注册表中 3) 查询注册表 *(_DWORD *)Data = 4; if ( RegQueryValueExA(phkResult, "sys-DO-NOT-MODIFY", 0, 0, v8, (LPDWORD)Data) ) 读取第一次运行时存储的初始时间 4) 随机提示 LODWORD(v1) = sub_1025AF9F(0); if ( !(v1 % 4) ) { v2 = (void *)sub_10257E26(512); sub_1025845D(v2, "%s?m=ok&p=%s&v=%s&e=%d", (unsigned int)"http://asprise.com/license-mesg.html"); if ( MessageBoxA( 将time(0)的返回值模4,当结果为0时,则弹出试用提示 5. 破解过程1) 去掉随机提示 在IDA中找到下面一行 .text:1005B96D jnz loc_1005BA6D 点击菜单“Edit”->“Patch Program”->“Assemble”,修改为 .text:1005B96D jmp loc_1005BA6D 2) 修改过期检测 在IDA中找到下面一行 .text:1005B92F jb short loc_1005B93D 点击菜单“Edit”->“Patch Program” ->“Assemble”,修改为 .text:1005B92F jmp short loc_1005B93D 3) 生成破解DLL 点击菜单“Edit”->“Patch Program” ->“Applypatches to input file”,在弹出的对话框中点击“OK”,生成破解的DLL文件 (完)