[PYG] Cracking the Member Certification Test and a Detailed Algorithm Analysis (this must be an antique by now! hehe~)
Title: Cracking the Member Certification Test and a Detailed Algorithm Analysis [Original] Author: dewar
Date: 2006-12-26, 19:38
Link: http://bbs.pediy.com/showthread.php?threadid=36977
[Article Title]: Cracking the CrackMe (Member Certification Test) and a Detailed Algorithm Analysis
[Author]: dewar
[Author's QQ]: 18362891
[Software Name]: PYG Member Certification Test
[Packer]: None
[Protection]: Serial number
[Language]: VB
[Tools]: OD
[Platform]: WinXP
[Software Description]: PYG Member Certification Test
[Author's Note]: Just out of interest, no other purpose. Where I've slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed Process]
Not sure whether this test has expired yet; it probably has. I hope the seniors won't hold it against me ^_^
1. First run the program and try to register. On failure it pops up a dialog box reading "还要加油哦!" (roughly "Keep trying!"). That dialog is where we start ^_^
2. Load the program in OD. There is an entry-point warning (no idea why; it is not packed). Choose not to analyze.
3. Since the program pops up a dialog whether registration succeeds or not, press Alt+E to open the modules window, double-click MSVBVM60.DLL, press Ctrl+N to find rtcMsgBox, and set a breakpoint on it with F2 (this is the function VB uses to show a message box).
4. Press F9 to run the program and enter the registration info (fake, of course ^_^)
Username: dewar
Serial: 123456-234567-345678-456789
5. After clicking "确定" (OK) the program breaks. Look at the stack: the top of the stack points to 0040851D. Ctrl+G to that address; this is the return point just after the program has decided the serial is wrong and shown the error dialog. So the place where the program compares the serial must lie above this line. Search upward; after repeated inspection, set an F2 breakpoint at 00407D95.
Below is the program listing with the algorithm analysis:
......
00407D95 FF91 A0000000 CALL DWORD PTR DS: ; get the username
00407D9B 3BC7 CMP EAX, EDI
00407D9D DBE2 FCLEX
00407D9F 7D 18 JGE SHORT Cra.00407DB9
00407DA1 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:
00407DA7 68 A0000000 PUSH 0A0
00407DAC 68 205D4000 PUSH Cra.00405D20
00407DB1 51 PUSH ECX
00407DB2 50 PUSH EAX
00407DB3 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407DB9 8B85 30FFFFFF MOV EAX, DWORD PTR SS:
00407DBF 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
00407DC5 8D4D DC LEA ECX, DWORD PTR SS:
00407DC8 89BD 30FFFFFF MOV DWORD PTR SS:, EDI
00407DCE 8985 1CFFFFFF MOV DWORD PTR SS:, EAX
00407DD4 C785 14FFFFFF 0>MOV DWORD PTR SS:, 8
00407DDE FFD6 CALL ESI
00407DE0 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:
00407DE6 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407DEC 8B13 MOV EDX, DWORD PTR DS:
00407DEE 53 PUSH EBX
00407DEF FF92 0C030000 CALL DWORD PTR DS:
00407DF5 50 PUSH EAX
00407DF6 8D85 24FFFFFF LEA EAX, DWORD PTR SS:
00407DFC 50 PUSH EAX
00407DFD FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407E03 8B08 MOV ECX, DWORD PTR DS:
00407E05 8D95 30FFFFFF LEA EDX, DWORD PTR SS:
00407E0B 52 PUSH EDX
00407E0C 50 PUSH EAX
00407E0D 8985 70FEFFFF MOV DWORD PTR SS:, EAX
00407E13 FF91 A0000000 CALL DWORD PTR DS: ; get the first group of the serial
00407E19 3BC7 CMP EAX, EDI
00407E1B DBE2 FCLEX
00407E1D 7D 18 JGE SHORT Cra.00407E37
00407E1F 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:
00407E25 68 A0000000 PUSH 0A0
00407E2A 68 205D4000 PUSH Cra.00405D20
00407E2F 51 PUSH ECX
00407E30 50 PUSH EAX
00407E31 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407E37 8B85 30FFFFFF MOV EAX, DWORD PTR SS:
00407E3D 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
00407E43 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:
00407E49 89BD 30FFFFFF MOV DWORD PTR SS:, EDI
00407E4F 8985 1CFFFFFF MOV DWORD PTR SS:, EAX
00407E55 C785 14FFFFFF 0>MOV DWORD PTR SS:, 8
00407E5F FFD6 CALL ESI
00407E61 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:
00407E67 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407E6D 8B13 MOV EDX, DWORD PTR DS:
00407E6F 53 PUSH EBX
00407E70 FF92 08030000 CALL DWORD PTR DS:
00407E76 50 PUSH EAX
00407E77 8D85 24FFFFFF LEA EAX, DWORD PTR SS:
00407E7D 50 PUSH EAX
00407E7E FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407E84 8B08 MOV ECX, DWORD PTR DS:
00407E86 8D95 30FFFFFF LEA EDX, DWORD PTR SS:
00407E8C 52 PUSH EDX
00407E8D 50 PUSH EAX
00407E8E 8985 70FEFFFF MOV DWORD PTR SS:, EAX
00407E94 FF91 A0000000 CALL DWORD PTR DS: ; get the second group of the serial
00407E9A 3BC7 CMP EAX, EDI
00407E9C DBE2 FCLEX
00407E9E 7D 18 JGE SHORT Cra.00407EB8
00407EA0 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:
00407EA6 68 A0000000 PUSH 0A0
00407EAB 68 205D4000 PUSH Cra.00405D20
00407EB0 51 PUSH ECX
00407EB1 50 PUSH EAX
00407EB2 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407EB8 8B85 30FFFFFF MOV EAX, DWORD PTR SS:
00407EBE 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
00407EC4 8D8D 5CFFFFFF LEA ECX, DWORD PTR SS:
00407ECA 89BD 30FFFFFF MOV DWORD PTR SS:, EDI
00407ED0 8985 1CFFFFFF MOV DWORD PTR SS:, EAX
00407ED6 C785 14FFFFFF 0>MOV DWORD PTR SS:, 8
00407EE0 FFD6 CALL ESI
00407EE2 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:
00407EE8 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407EEE 8B13 MOV EDX, DWORD PTR DS:
00407EF0 53 PUSH EBX
00407EF1 FF92 04030000 CALL DWORD PTR DS:
00407EF7 50 PUSH EAX
00407EF8 8D85 24FFFFFF LEA EAX, DWORD PTR SS:
00407EFE 50 PUSH EAX
00407EFF FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407F05 8B08 MOV ECX, DWORD PTR DS:
00407F07 8D95 30FFFFFF LEA EDX, DWORD PTR SS:
00407F0D 52 PUSH EDX
00407F0E 50 PUSH EAX
00407F0F 8985 70FEFFFF MOV DWORD PTR SS:, EAX
00407F15 FF91 A0000000 CALL DWORD PTR DS: ; get the third group of the serial
00407F1B 3BC7 CMP EAX, EDI
00407F1D DBE2 FCLEX
00407F1F 7D 18 JGE SHORT Cra.00407F39
00407F21 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:
00407F27 68 A0000000 PUSH 0A0
00407F2C 68 205D4000 PUSH Cra.00405D20
00407F31 51 PUSH ECX
00407F32 50 PUSH EAX
00407F33 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407F39 8B85 30FFFFFF MOV EAX, DWORD PTR SS:
00407F3F 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
00407F45 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:
00407F4B 89BD 30FFFFFF MOV DWORD PTR SS:, EDI
00407F51 8985 1CFFFFFF MOV DWORD PTR SS:, EAX
00407F57 C785 14FFFFFF 0>MOV DWORD PTR SS:, 8
00407F61 FFD6 CALL ESI
00407F63 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:
00407F69 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407F6F 8B13 MOV EDX, DWORD PTR DS:
00407F71 53 PUSH EBX
00407F72 FF92 00030000 CALL DWORD PTR DS:
00407F78 50 PUSH EAX
00407F79 8D85 24FFFFFF LEA EAX, DWORD PTR SS:
00407F7F 50 PUSH EAX
00407F80 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407F86 8BD8 MOV EBX, EAX
00407F88 8D95 30FFFFFF LEA EDX, DWORD PTR SS:
00407F8E 52 PUSH EDX
00407F8F 53 PUSH EBX
00407F90 8B0B MOV ECX, DWORD PTR DS:
00407F92 FF91 A0000000 CALL DWORD PTR DS: ; get the fourth group of the serial
00407F98 3BC7 CMP EAX, EDI
00407F9A DBE2 FCLEX
00407F9C 7D 12 JGE SHORT Cra.00407FB0
00407F9E 68 A0000000 PUSH 0A0
00407FA3 68 205D4000 PUSH Cra.00405D20
00407FA8 53 PUSH EBX
00407FA9 50 PUSH EAX
00407FAA FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407FB0 8B95 30FFFFFF MOV EDX, DWORD PTR SS:
00407FB6 8D8D 34FFFFFF LEA ECX, DWORD PTR SS:
00407FBC 89BD 30FFFFFF MOV DWORD PTR SS:, EDI
00407FC2 FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00407FC8 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:
00407FCE FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407FD4 8D45 DC LEA EAX, DWORD PTR SS:
00407FD7 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:
00407FDD 50 PUSH EAX
00407FDE 51 PUSH ECX
00407FDF 89BD ACFEFFFF MOV DWORD PTR SS:, EDI
00407FE5 C785 A4FEFFFF 0>MOV DWORD PTR SS:, 8002
00407FEF FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; get the username length
00407FF5 8D95 A4FEFFFF LEA EDX, DWORD PTR SS:
00407FFB 50 PUSH EAX
00407FFC 52 PUSH EDX
00407FFD FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstEq>] ; compare the username length with 0 (check whether a username was entered)
00408003 66:85C0 TEST AX, AX
00408006 74 5A JE SHORT Cra.00408062 ; jump if a username was entered
00408008 8B35 B8104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; if nothing was entered, fall through to the error message
0040800E B9 04000280 MOV ECX, 80020004
00408013 898D ECFEFFFF MOV DWORD PTR SS:, ECX
00408019 B8 0A000000 MOV EAX, 0A
0040801E 898D FCFEFFFF MOV DWORD PTR SS:, ECX
00408024 BB 08000000 MOV EBX, 8
00408029 8D95 94FEFFFF LEA EDX, DWORD PTR SS:
0040802F 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:
00408035 8985 E4FEFFFF MOV DWORD PTR SS:, EAX
0040803B 8985 F4FEFFFF MOV DWORD PTR SS:, EAX
00408041 C785 9CFEFFFF 5>MOV DWORD PTR SS:, Cra.00405D50 ; ASCII "衏:y"
0040804B 899D 94FEFFFF MOV DWORD PTR SS:, EBX
00408051 FFD6 CALL ESI
00408053 C785 ACFEFFFF 3>MOV DWORD PTR SS:, Cra.00405D34
0040805D E9 84040000 JMP Cra.004084E6 ; jump to the error message
00408062 8D95 F4FEFFFF LEA EDX, DWORD PTR SS: ;<---- execution lands here once a username is confirmed to be present
00408068 8D45 DC LEA EAX, DWORD PTR SS:
0040806B 52 PUSH EDX
0040806C 6A 01 PUSH 1
0040806E 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:
00408074 50 PUSH EAX
00408075 51 PUSH ECX
00408076 C785 FCFEFFFF 0>MOV DWORD PTR SS:, 1
00408080 C785 F4FEFFFF 0>MOV DWORD PTR SS:, 2
0040808A FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; take the first character of the username
00408090 8B1D 88104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00408096 8D95 E4FEFFFF LEA EDX, DWORD PTR SS:
0040809C 8D85 30FFFFFF LEA EAX, DWORD PTR SS:
004080A2 52 PUSH EDX
004080A3 50 PUSH EAX
004080A4 FFD3 CALL EBX
004080A6 50 PUSH EAX
004080A7 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get that character's ASCII code
004080AD 8D4D DC LEA ECX, DWORD PTR SS:
004080B0 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
004080B6 51 PUSH ECX
004080B7 52 PUSH EDX
004080B8 66:8985 9CFEFFF>MOV WORD PTR SS:, AX ; save the ASCII code on the stack
004080BF C785 94FEFFFF 0>MOV DWORD PTR SS:, 2
004080C9 FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; get the username length
004080CF 50 PUSH EAX
004080D0 8D45 AC LEA EAX, DWORD PTR SS:
004080D3 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:
004080D9 50 PUSH EAX
004080DA 51 PUSH ECX
004080DB FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; username length * 25F5, result x stored in [+8]
004080E1 50 PUSH EAX
004080E2 8D95 94FEFFFF LEA EDX, DWORD PTR SS:
004080E8 8D85 6CFFFFFF LEA EAX, DWORD PTR SS:
004080EE 52 PUSH EDX
004080EF 8D8D D4FEFFFF LEA ECX, DWORD PTR SS:
004080F5 50 PUSH EAX
004080F6 51 PUSH ECX
004080F7 FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; that ASCII code * 29, result y stored in [+8]
004080FD 8D95 C4FEFFFF LEA EDX, DWORD PTR SS:
00408103 50 PUSH EAX
00408104 52 PUSH EDX
00408105 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; add the two (x+y) to get the first number A
0040810B 8BD0 MOV EDX, EAX
0040810D 8D4D CC LEA ECX, DWORD PTR SS:
00408110 FFD6 CALL ESI
00408112 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:
00408118 FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040811E 8D85 E4FEFFFF LEA EAX, DWORD PTR SS:
00408124 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:
0040812A 50 PUSH EAX
0040812B 51 PUSH ECX
0040812C 6A 02 PUSH 2
0040812E FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00408134 83C4 0C ADD ESP, 0C
00408137 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
0040813D 8D45 DC LEA EAX, DWORD PTR SS:
00408140 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:
00408146 52 PUSH EDX
00408147 6A 01 PUSH 1
00408149 50 PUSH EAX
0040814A 51 PUSH ECX
0040814B C785 1CFFFFFF 0>MOV DWORD PTR SS:, 1
00408155 C785 14FFFFFF 0>MOV DWORD PTR SS:, 2
0040815F FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; take the first character of the username
00408165 8D95 04FFFFFF LEA EDX, DWORD PTR SS:
0040816B 8D85 30FFFFFF LEA EAX, DWORD PTR SS:
00408171 52 PUSH EDX
00408172 50 PUSH EAX
00408173 FFD3 CALL EBX
00408175 50 PUSH EAX
00408176 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get the character's ASCII code
0040817C 8D8D 94FEFFFF LEA ECX, DWORD PTR SS:
00408182 66:8985 9CFEFFF>MOV WORD PTR SS:, AX
00408189 8D55 AC LEA EDX, DWORD PTR SS:
0040818C 51 PUSH ECX
0040818D 8D85 F4FEFFFF LEA EAX, DWORD PTR SS:
00408193 52 PUSH EDX
00408194 50 PUSH EAX
00408195 C785 94FEFFFF 0>MOV DWORD PTR SS:, 2
0040819F FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; ASCII code * 25F5, stored in [+8]
004081A5 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:
004081AB 50 PUSH EAX
004081AC 8D95 E4FEFFFF LEA EDX, DWORD PTR SS:
004081B2 51 PUSH ECX
004081B3 52 PUSH EDX
004081B4 FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; then * 7B, stored in [+8], giving the second number B
004081BA 8BD0 MOV EDX, EAX
004081BC 8D4D BC LEA ECX, DWORD PTR SS:
004081BF FFD6 CALL ESI
004081C1 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:
004081C7 FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004081CD 8D85 04FFFFFF LEA EAX, DWORD PTR SS:
004081D3 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:
004081D9 50 PUSH EAX
004081DA 51 PUSH ECX
004081DB 6A 02 PUSH 2
004081DD FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004081E3 83C4 0C ADD ESP, 0C
004081E6 8D95 04FFFFFF LEA EDX, DWORD PTR SS:
004081EC 8D45 DC LEA EAX, DWORD PTR SS:
004081EF 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:
004081F5 52 PUSH EDX
004081F6 6A 01 PUSH 1
004081F8 50 PUSH EAX
004081F9 51 PUSH ECX
004081FA C785 0CFFFFFF 0>MOV DWORD PTR SS:, 1
00408204 C785 04FFFFFF 0>MOV DWORD PTR SS:, 2
0040820E FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; take the first character of the username
00408214 8D95 F4FEFFFF LEA EDX, DWORD PTR SS:
0040821A 8D85 30FFFFFF LEA EAX, DWORD PTR SS:
00408220 52 PUSH EDX
00408221 50 PUSH EAX
00408222 FFD3 CALL EBX
00408224 50 PUSH EAX
00408225 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get the character's ASCII code
0040822B 8D4D DC LEA ECX, DWORD PTR SS:
0040822E 66:8985 9CFEFFF>MOV WORD PTR SS:, AX
00408235 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
0040823B B8 02000000 MOV EAX, 2
00408240 51 PUSH ECX
00408241 52 PUSH EDX
00408242 8985 94FEFFFF MOV DWORD PTR SS:, EAX
00408248 66:C785 8CFEFFF>MOV WORD PTR SS:, 19D5
00408251 8985 84FEFFFF MOV DWORD PTR SS:, EAX
00408257 FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; get the username length
0040825D 50 PUSH EAX
0040825E 8D85 94FEFFFF LEA EAX, DWORD PTR SS:
00408264 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:
0040826A 50 PUSH EAX
0040826B 51 PUSH ECX
0040826C FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; username length * ASCII code
00408272 50 PUSH EAX
00408273 8D95 84FEFFFF LEA EDX, DWORD PTR SS:
00408279 8D85 D4FEFFFF LEA EAX, DWORD PTR SS:
0040827F 52 PUSH EDX
00408280 50 PUSH EAX
00408281 FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; then multiply by 19D5 to get the third number C
00408287 8BD0 MOV EDX, EAX
00408289 8D4D 9C LEA ECX, DWORD PTR SS:
0040828C FFD6 CALL ESI
0040828E 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:
00408294 FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040829A 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:
004082A0 8D95 04FFFFFF LEA EDX, DWORD PTR SS:
004082A6 51 PUSH ECX
004082A7 52 PUSH EDX
004082A8 6A 02 PUSH 2
004082AA FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004082B0 83C4 0C ADD ESP, 0C
004082B3 8D45 9C LEA EAX, DWORD PTR SS:
004082B6 8D4D AC LEA ECX, DWORD PTR SS:
004082B9 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
004082BF 50 PUSH EAX
004082C0 51 PUSH ECX
004082C1 52 PUSH EDX
004082C2 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; the third number C plus 25F5 gives the fourth number D
004082C8 8BD0 MOV EDX, EAX
004082CA 8D4D 8C LEA ECX, DWORD PTR SS:
004082CD FFD6 CALL ESI
004082CF 8D85 7CFFFFFF LEA EAX, DWORD PTR SS:
004082D5 50 PUSH EAX
004082D6 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:
004082DC 51 PUSH ECX
004082DD FFD3 CALL EBX ; get the first group of the serial
004082DF 50 PUSH EAX
004082E0 FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; convert the first serial group string to a floating-point number
004082E6 DD9D ACFEFFFF FSTP QWORD PTR SS:
004082EC 8D95 5CFFFFFF LEA EDX, DWORD PTR SS:
004082F2 8D85 2CFFFFFF LEA EAX, DWORD PTR SS:
004082F8 BE 05800000 MOV ESI, 8005
004082FD 52 PUSH EDX
004082FE 50 PUSH EAX
004082FF 89B5 A4FEFFFF MOV DWORD PTR SS:, ESI
00408305 FFD3 CALL EBX ; get the second group of the serial
00408307 50 PUSH EAX
00408308 FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; convert the second serial group string to a floating-point number
0040830E DD9D 9CFEFFFF FSTP QWORD PTR SS:
00408314 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:
0040831A 8D95 28FFFFFF LEA EDX, DWORD PTR SS:
00408320 51 PUSH ECX
00408321 52 PUSH EDX
00408322 89B5 94FEFFFF MOV DWORD PTR SS:, ESI
00408328 FFD3 CALL EBX ; get the third group of the serial
0040832A 50 PUSH EAX
0040832B FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; convert the third serial group string to a floating-point number
00408331 8B85 34FFFFFF MOV EAX, DWORD PTR SS: ; get the fourth group of the serial
00408337 89B5 84FEFFFF MOV DWORD PTR SS:, ESI
0040833D DD9D 8CFEFFFF FSTP QWORD PTR SS:
00408343 50 PUSH EAX
00408344 FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; convert the fourth serial group string to a floating-point number
0040834A DD9D 7CFEFFFF FSTP QWORD PTR SS:
00408350 8D8D A4FEFFFF LEA ECX, DWORD PTR SS:
00408356 8D55 CC LEA EDX, DWORD PTR SS:
00408359 51 PUSH ECX
0040835A 8D85 14FFFFFF LEA EAX, DWORD PTR SS:
00408360 89B5 74FEFFFF MOV DWORD PTR SS:, ESI
00408366 8B35 AC104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpEq>] ; MSVBVM60.__vbaVarCmpEq
0040836C 52 PUSH EDX
0040836D 50 PUSH EAX
0040836E FFD6 CALL ESI ; compare A with the first serial group (as a float); result stored in
00408370 8D8D 94FEFFFF LEA ECX, DWORD PTR SS:
00408376 50 PUSH EAX
00408377 8D55 BC LEA EDX, DWORD PTR SS:
0040837A 51 PUSH ECX
0040837B 8D85 04FFFFFF LEA EAX, DWORD PTR SS:
00408381 52 PUSH EDX
00408382 50 PUSH EAX
00408383 FFD6 CALL ESI ; compare B with the second serial group (as a float); result stored in
00408385 8B1D 6C104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
0040838B 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:
00408391 50 PUSH EAX
00408392 51 PUSH ECX
00408393 FFD3 CALL EBX ; AND the two results together; result stored in
00408395 50 PUSH EAX
00408396 8D95 84FEFFFF LEA EDX, DWORD PTR SS:
0040839C 8D45 9C LEA EAX, DWORD PTR SS:
0040839F 52 PUSH EDX
004083A0 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:
004083A6 50 PUSH EAX
004083A7 51 PUSH ECX
004083A8 FFD6 CALL ESI ; compare C with the third serial group (as a float); result stored in
004083AA 8D95 D4FEFFFF LEA EDX, DWORD PTR SS:
004083B0 50 PUSH EAX
004083B1 52 PUSH EDX
004083B2 FFD3 CALL EBX ; AND with the previous result; result stored in
004083B4 50 PUSH EAX
004083B5 8D85 74FEFFFF LEA EAX, DWORD PTR SS:
004083BB 8D4D 8C LEA ECX, DWORD PTR SS:
004083BE 50 PUSH EAX
004083BF 8D95 C4FEFFFF LEA EDX, DWORD PTR SS:
004083C5 51 PUSH ECX
004083C6 52 PUSH EDX
004083C7 FFD6 CALL ESI ; compare D with the fourth serial group (as a float); result stored in
004083C9 50 PUSH EAX
004083CA 8D85 B4FEFFFF LEA EAX, DWORD PTR SS:
004083D0 50 PUSH EAX
004083D1 FFD3 CALL EBX ; AND with the previous result; result stored in
004083D3 50 PUSH EAX
004083D4 FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>] ; only if every comparison above is true is the final result true, i.e. the correct serial groups are the integers A, B, C and D
004083DA 8D8D 28FFFFFF LEA ECX, DWORD PTR SS:
004083E0 8BF0 MOV ESI, EAX
004083E2 51 PUSH ECX
004083E3 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:
004083E9 8D85 30FFFFFF LEA EAX, DWORD PTR SS:
004083EF 52 PUSH EDX
004083F0 50 PUSH EAX
004083F1 6A 03 PUSH 3
004083F3 FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004083F9 83C4 10 ADD ESP, 10
004083FC B9 04000280 MOV ECX, 80020004
00408401 B8 0A000000 MOV EAX, 0A
00408406 66:3BF7 CMP SI, DI ; is the final result true?
00408409 898D ECFEFFFF MOV DWORD PTR SS:, ECX
0040840F 8985 E4FEFFFF MOV DWORD PTR SS:, EAX
00408415 898D FCFEFFFF MOV DWORD PTR SS:, ECX
0040841B 8985 F4FEFFFF MOV DWORD PTR SS:, EAX
00408421 0F84 8C000000 JE Cra.004084B3 ; if false, jump to the error message (patch point)
00408427 8B35 B8104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; if true, fall through to the success message
0040842D BB 08000000 MOV EBX, 8
00408432 8D95 94FEFFFF LEA EDX, DWORD PTR SS:
00408438 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:
0040843E C785 9CFEFFFF 7>MOV DWORD PTR SS:, Cra.00405D74
00408448 899D 94FEFFFF MOV DWORD PTR SS:, EBX
0040844E FFD6 CALL ESI
00408450 8D95 A4FEFFFF LEA EDX, DWORD PTR SS:
00408456 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:
0040845C C785 ACFEFFFF 5>MOV DWORD PTR SS:, Cra.00405D5C
00408466 899D A4FEFFFF MOV DWORD PTR SS:, EBX
0040846C FFD6 CALL ESI
0040846E 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:
00408474 8D95 F4FEFFFF LEA EDX, DWORD PTR SS:
0040847A 51 PUSH ECX
0040847B 8D85 04FFFFFF LEA EAX, DWORD PTR SS:
00408481 52 PUSH EDX
00408482 50 PUSH EAX
00408483 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:
00408489 6A 40 PUSH 40
0040848B 51 PUSH ECX ; success
0040848C FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00408492 8D95 E4FEFFFF LEA EDX, DWORD PTR SS:
00408498 8D85 F4FEFFFF LEA EAX, DWORD PTR SS:
0040849E 52 PUSH EDX
0040849F 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:
004084A5 50 PUSH EAX
004084A6 8D95 14FFFFFF LEA EDX, DWORD PTR SS:
004084AC 51 PUSH ECX
004084AD 52 PUSH EDX
004084AE E9 86000000 JMP Cra.00408539
004084B3 8B35 B8104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004084B9 BB 08000000 MOV EBX, 8
004084BE 8D95 94FEFFFF LEA EDX, DWORD PTR SS:
004084C4 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:
004084CA C785 9CFEFFFF 9>MOV DWORD PTR SS:, Cra.00405D94 ; ASCII "1Y%?
004084D4 899D 94FEFFFF MOV DWORD PTR SS:, EBX
004084DA FFD6 CALL ESI
004084DC C785 ACFEFFFF 8>MOV DWORD PTR SS:, Cra.00405D80
004084E6 8D95 A4FEFFFF LEA EDX, DWORD PTR SS:
004084EC 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:
004084F2 899D A4FEFFFF MOV DWORD PTR SS:, EBX
004084F8 FFD6 CALL ESI
004084FA 8D85 E4FEFFFF LEA EAX, DWORD PTR SS:
00408500 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:
00408506 50 PUSH EAX
00408507 8D95 04FFFFFF LEA EDX, DWORD PTR SS:
0040850D 51 PUSH ECX
0040850E 52 PUSH EDX
0040850F 8D85 14FFFFFF LEA EAX, DWORD PTR SS:
00408515 57 PUSH EDI
00408516 50 PUSH EAX ; failure
00408517 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040851D 8D8D E4FEFFFF LEA ECX, DWORD PTR SS: ;<----- the top of the stack points here; search upward from this point
......
6. Algorithm analysis
(1) First part of the serial:
A = username length * 25F5 + ASCII code of the first character of the username * 29
(2) Second part of the serial:
B = ASCII code of the first character of the username * 25F5 * 7B
(3) Third part of the serial:
C = username length * ASCII code of the first character of the username * 19D5
(4) Fourth part of the serial:
D = C + 25F5
So the serial depends only on the first character of the username and the length of the username.
Taking the username dewar as an example, compute the serial (the ASCII code of the first character 'd' is 64, and the username length is 5; all values in hex):
A = 5*25F5 + 64*29 = 0CDCD(H) = 52685(D)
B = 64*25F5*7B = 71FB77C(H) = 119519100(D)
C = 5*64*19D5 = 327404(H) = 3306500(D)
D = 327404(H) + 25F5(H) = 3299F9(H) = 3316217(D)
That concludes the algorithm analysis; we have obtained a valid serial.
Username: dewar
Serial: 52685-119519100-3306500-3316217
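As an added example (written for this edit, not the author's code and not the crackme's own source), the scheme from section 6 re-implemented in Python together with the acceptance check the listing performs: four groups, each converted with a Val()-style parse to a float, all four compared and ANDed. The helper names `serial_parts`, `check_serial`, `vb_val` and `same_serial_names` are mine, and `vb_val` is only an approximation of VB's Val(); the last function makes the weakness explicit, since any two usernames sharing first character and length get the same serial.

```python
from __future__ import annotations
import re

# Constants exactly as they appear (hex) in the disassembly comments above.
K1 = 0x25F5   # multiplies the length in A and the ASCII code in B; added in D
K2 = 0x29     # multiplies the ASCII code in A
K3 = 0x7B     # second multiplier in B
K4 = 0x19D5   # multiplier in C


def serial_parts(name: str) -> tuple[int, int, int, int]:
    """Return the four integers A, B, C, D derived in section 6 of the writeup."""
    if not name:
        # The program tests Len(name) = 0 first and shows the error dialog if so.
        raise ValueError("username must not be empty")
    n = len(name)        # __vbaLenVar on the username
    c = ord(name[0])     # Mid(name, 1, 1) then Asc(); ASCII usernames assumed
    a = n * K1 + c * K2
    b = c * K1 * K3
    c3 = n * c * K4
    d = c3 + K1
    return a, b, c3, d


def make_serial(name: str) -> str:
    """The four groups joined with '-', in the order the program reads them."""
    return "-".join(str(p) for p in serial_parts(name))


_VAL_RE = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)")


def vb_val(s: str) -> float:
    """Approximation of VB's Val(): the leading numeric prefix, or 0 if none.
    (The listing converts each group to a double via MSVBVM60 ordinal #581.)"""
    m = _VAL_RE.match(s)
    return float(m.group(0)) if m else 0.0


def check_serial(name: str, serial: str) -> bool:
    """Mirror the program's decision: all four groups must equal A..D.
    The comparison is on floats because that is what the listing does."""
    if not name:
        return False
    groups = serial.split("-")
    if len(groups) != 4:
        return False
    # Four __vbaVarCmpEq results combined with __vbaVarAnd: all must hold.
    return all(vb_val(g) == float(e) for g, e in zip(groups, serial_parts(name)))


def same_serial_names(name: str, candidates: list[str]) -> list[str]:
    """Names the scheme cannot tell apart from `name`: only the first character
    and the length feed the serial, so anything sharing both gets the same one."""
    return [c for c in candidates if c and c[0] == name[0] and len(c) == len(name)]


if __name__ == "__main__":
    print(make_serial("dewar"))   # 52685-119519100-3306500-3316217
```

Because the program goes through Val(), a group such as " 52685" or "3316217x" is still accepted; the check is on the parsed double, not on the exact string.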
--------------------------------------------------------------------------------
[Copyright Notice]: This article was originally written for the PEDIY (看雪) technical forum. When reposting, please credit the author and keep the article intact. Thanks!