Reversing PDF Password Remover

Tools used – IDA Pro and Blizz XOR.

The main screen :


On pressing the buy license button :


Or drag and drop a pdf file or any file for that matter and you get :


If you click OK you get redirected to :

They want your money!!!!

Fine lets crack it !!!!

Default directory :


datadirectory :


VBProject and visible strings (Unicode) :


It uses components qpdf.exe and pdftk.exe in the data directory . The rest is just a UI wrapper over command line functionality.

This shareware can be cracked in 3 ways – keygen, patch or loader.This is simple user mode stuff. Let’s investigate further.

First we investigate the other files in the folders for clues. Setup.ini contains settings for the default directory, a skin file and a corresponding SkinH6.dll UI code.

HMM!! Notice codec.dll is not a dll or a PE file.


Just lots of junk(?) data.

Study the following function in IDA :


.text:004FA0FB loc_4FA0FB: ; CODE XREF: sub_4F9C26+4CCj

.text:004FA0FB push [ebp+var_3C]

.text:004FA0FE push offset aAsdfasdfasdfas ; "asdfasdfasdfasw"

.text:004FA103 call __vbaStrCat

.text:004FA108 movedx, eax

.text:004FA10A lea ecx, [ebp+var_40]

.text:004FA10D call __vbaStrMove

.text:004FA112 push eax

.text:004FA113 push offset aKk ; "kk"

.text:004FA118 call __vbaStrCat

.text:004FA11D movedx, eax

.text:004FA11F lea ecx, [ebp+var_38]

.text:004FA122 call __vbaStrMove

.text:004FA127 lea eax, [ebp+var_40]

.text:004FA12A push eax

.text:004FA12B lea eax, [ebp+var_3C]

.text:004FA12E push eax

.text:004FA12F push 2

.text:004FA131 call __vbaFreeStrList

.text:004FA136 add esp, 0Ch

.text:004FA139 lea ecx, [ebp+var_4C]

.text:004FA13C call __vbaFreeObj

.text:004FA141 mov [ebp+var_4], 0Dh

.text:004FA148 push [ebp+var_38]

.text:004FA14B push 1

.text:004FA14D push offset dword_4EAE58

.text:004FA152 call __vbaPrintFile

.text:004FA157 add esp, 0Ch

.text:004FA15A mov [ebp+var_4], 0Eh

.text:004FA161 push 1

.text:004FA163 call __vbaFileClose

.text:004FA168 mov [ebp+var_4], 0Fh

.text:004FA16F mov [ebp+var_88], 80020004h

.text:004FA179 mov [ebp+var_90], 0Ah

.text:004FA183 mov [ebp+var_78], 80020004h

.text:004FA18A mov [ebp+var_80], 0Ah

.text:004FA191 mov [ebp+var_A8], offset aSuccessful ; "Successful"

.text:004FA19B mov [ebp+var_B0], 8

.text:004FA1A5 lea edx, [ebp+var_B0]

.text:004FA1AB lea ecx, [ebp+var_70]

.text:004FA1AE call __vbaVarDup

.text:004FA1B3 mov [ebp+var_98], offset aRegisterSucces ; "Register Successfully! Please restart p"…

.text:004FA1BD mov [ebp+var_A0], 8

.text:004FA1C7 lea edx, [ebp+var_A0]

.text:004FA1CD lea ecx, [ebp+var_60]


The above is the GoodBoy function. On a debugging session, without wasting too much time, we can see that the VB functions it calls concatenate the strings referenced at the top of the call and adds “kk” further, then prints the strings to a file in the filesytem. Great so we just have to find out what are the parameter passed prior to this function. It turns out that the only file that has changed after the debugging session is the codec.dll file.

So for this shareware, the keyfile approach works the best. Codec.dll is the keyfile.

Diffing the original and the changed file.


32h and 31h have been replaced by 6B and 6B or “kk”. The 0D 0A is just file type strings that are platform specific especially on creation, here its windows.

Basically whatever the serial code you type after the purchase code, the keyfile in the end has to be the one ending with “kk”.

So don’t waste your time with keygens where the real crack is a 2 byte addition to the simple text file named codec.dll.

Further the tools qpdf and pdftk seem to be open source or GPL. I don’t see the need to pay for a GUI which refuses to decrypt more than one page after using the same tools.

After replacing the old codec.dll with the new codec.dll :


Now some more fun :

The final codec.dll fun can actually contain only the strings “kk”, delete rest of the junk.

That was an easy one though !


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s