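Make the Program Display Its Own Registration Code
【Title】: Make the Program Display Its Own Registration Code
【Author】: kangroo
【Author email】: [email protected]
【Software size】: 400KB
【Download URL】: http://www.skycn.com/soft/2063.html
【Packer】: ASPack 2.11
【Protection】: Verification on restart
【Language】: VB
【Tools used】: OD, PEID
【Platform】: XP sp2
【Author's statement】: This is purely out of interest, with no other purpose. If I have made mistakes, I would appreciate corrections from the experts here!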
--------------------------------------------------------------------------------
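【Detailed process】
First check the packer with PEID: it is ASPack 2.11, so unpack it with PEID's bundled plugin, PEID Generic unpacker. Checking again shows the program is written in VB. Load the unpacked program in OD, find RegCodeTrue with the Ultra String Reference search, follow it in the disassembly, and look downward from there for the key jump.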
0042D0C1  .  68 C89D4000  PUSH CODE_u.00409DC8  ; UNICODE "RegCodeTrue"
0042D0C6  .  68 BC9D4000  PUSH CODE_u.00409DBC  ; UNICODE "Reg"
0042D0CB  .  8908  MOV DWORD PTR DS:[EAX],ECX
0042D0CD  .  8B8D 1CFFFFFF  MOV ECX,DWORD PTR SS:[EBP-E4]
0042D0D3  .  68 849D4000  PUSH CODE_u.00409D84  ; UNICODE "Stock-Star-Website\Code41"
0042D0D8  .  8950 04  MOV DWORD PTR DS:[EAX+4],EDX
0042D0DB  .  8B95 20FFFFFF  MOV EDX,DWORD PTR SS:[EBP-E0]
0042D0E1  .  8948 08  MOV DWORD PTR DS:[EAX+8],ECX
0042D0E4  .  8950 0C  MOV DWORD PTR DS:[EAX+C],EDX
0042D0E7  .  FF15 CCF34300  CALL DWORD PTR DS:[<&MSVBVM50.#689>]  ; MSVBVM50.rtcGetSetting
0042D0ED  .  8BD0  MOV EDX,EAX
0042D0EF  .  8D8D 38FFFFFF  LEA ECX,DWORD PTR SS:[EBP-C8]
0042D0F5  .  FF15 04F44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>  ; MSVBVM50.__vbaStrMove
0042D0FB  .  50  PUSH EAX
0042D0FC  .  FF15 30F44300  CALL DWORD PTR DS:[<&MSVBVM50.#581>]  ; MSVBVM50.rtcR8ValFromBstr
0042D102  .  DD9D ECFEFFFF  FSTP QWORD PTR SS:[EBP-114]
0042D108  .  8D95 E4FEFFFF  LEA EDX,DWORD PTR SS:[EBP-11C]
0042D10E  .  8D4D CC  LEA ECX,DWORD PTR SS:[EBP-34]
0042D111  .  C785 E4FEFFFF >  MOV DWORD PTR SS:[EBP-11C],5
0042D11B  .  FFD6  CALL ESI
0042D11D  .  8D8D 38FFFFFF  LEA ECX,DWORD PTR SS:[EBP-C8]
0042D123  .  FF15 28F44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>  ; MSVBVM50.__vbaFreeStr
0042D129  .  8D85 14FFFFFF  LEA EAX,DWORD PTR SS:[EBP-EC]
0042D12F  .  8D8D 24FFFFFF  LEA ECX,DWORD PTR SS:[EBP-DC]
0042D135  .  50  PUSH EAX
0042D136  .  51  PUSH ECX
0042D137  .  6A 02  PUSH 2
0042D139  .  FF15 64F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>  ; MSVBVM50.__vbaFreeVarList
0042D13F  .  83C4 0C  ADD ESP,0C
0042D142  .  8D95 3CFFFFFF  LEA EDX,DWORD PTR SS:[EBP-C4]
0042D148  .  8D85 6CFFFFFF  LEA EAX,DWORD PTR SS:[EBP-94]
0042D14E  .  8D8D 24FFFFFF  LEA ECX,DWORD PTR SS:[EBP-DC]
0042D154  .  52  PUSH EDX
0042D155  .  50  PUSH EAX
0042D156  .  51  PUSH ECX
0042D157  .  FF15 D4F34300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>  ; MSVBVM50.__vbaVarAdd
0042D15D  .  50  PUSH EAX
0042D15E  .  8D95 6CFFFFFF  LEA EDX,DWORD PTR SS:[EBP-94]
0042D164  .  8D85 14FFFFFF  LEA EAX,DWORD PTR SS:[EBP-EC]
0042D16A  .  52  PUSH EDX
0042D16B  .  50  PUSH EAX
0042D16C  .  FF15 A4F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarXo>  ; MSVBVM50.__vbaVarXor
0042D172  .  8BD0  MOV EDX,EAX
0042D174  .  8D8D 4CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-B4]
0042D17A  .  FFD6  CALL ESI
0042D17C  .  8D8D 24FFFFFF  LEA ECX,DWORD PTR SS:[EBP-DC]
0042D182  .  FF15 50F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>  ; MSVBVM50.__vbaFreeVar
0042D188  .  8D4D CC  LEA ECX,DWORD PTR SS:[EBP-34]
0042D18B  .  8D95 4CFFFFFF  LEA EDX,DWORD PTR SS:[EBP-B4]
0042D191  .  51  PUSH ECX
0042D192  .  52  PUSH EDX
0042D193  .  FF15 0CF34300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>  ; MSVBVM50.__vbaVarTstEq
0042D199  .  66:85C0  TEST AX,AX
0042D19C  .  0F84 C8000000  JE CODE_u.0042D26A  // NOP this out and save; the registration code will then be displayed in the registration window
0042D1A2  .  8B85 CCFEFFFF  MOV EAX,DWORD PTR SS:[EBP-134]
0042D1A8  .  53  PUSH EBX
0042D1A9  .  FF90 18030000  CALL DWORD PTR DS:[EAX+318]
0042D1AF  .  8D8D 34FFFFFF  LEA ECX,DWORD PTR SS:[EBP-CC]
0042D1B5  .  50  PUSH EAX
0042D1B6  .  51  PUSH ECX
0042D1B7  .  FF15 B4F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>  ; MSVBVM50.__vbaObjSet
0042D1BD  .  8B30  MOV ESI,DWORD PTR DS:[EAX]
0042D1BF  .  8985 DCFEFFFF  MOV DWORD PTR SS:[EBP-124],EAX
0042D1C5  .  8D95 4CFFFFFF  LEA EDX,DWORD PTR SS:[EBP-B4]
0042D1CB  .  8D85 38FFFFFF  LEA EAX,DWORD PTR SS:[EBP-C8]
0042D1D1  .  52  PUSH EDX
0042D1D2  .  50  PUSH EAX
0042D1D3  .  FF15 74F34300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>  ; MSVBVM50.__vbaStrVarVal
0042D1D9  .  89B5 C4FEFFFF  MOV DWORD PTR SS:[EBP-13C],ESI
0042D1DF  .  8BB5 DCFEFFFF  MOV ESI,DWORD PTR SS:[EBP-124]
0042D1E5  .  8B8D C4FEFFFF  MOV ECX,DWORD PTR SS:[EBP-13C]
0042D1EB  .  50  PUSH EAX
0042D1EC  .  56  PUSH ESI
0042D1ED  .  FF91 A4000000  CALL DWORD PTR DS:[ECX+A4]
0042D1F3  .  3BC7  CMP EAX,EDI
0042D1F5  .  7D 12  JGE SHORT CODE_u.0042D209
0042D1F7  .  68 A4000000  PUSH 0A4
0042D1FC  .  68 F4994000  PUSH CODE_u.004099F4
0042D201  .  56  PUSH ESI
0042D202  .  50  PUSH EAX
0042D203  .  FF15 8CF24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>  ; MSVBVM50.__vbaHresultCheckObj
0042D209  >  8D8D 38FFFFFF  LEA ECX,DWORD PTR SS:[EBP-C8]
0042D20F  .  FF15 28F44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>  ; MSVBVM50.__vbaFreeStr
0042D215  .  8D8D 34FFFFFF  LEA ECX,DWORD PTR SS:[EBP-CC]
0042D21B  .  FF15 2CF44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>  ; MSVBVM50.__vbaFreeObj
0042D221  .  8B95 CCFEFFFF  MOV EDX,DWORD PTR SS:[EBP-134]
0042D227  .  53  PUSH EBX
0042D228  .  FF92 24030000  CALL DWORD PTR DS:[EDX+324]
0042D22E  .  50  PUSH EAX
0042D22F  .  8D85 34FFFFFF  LEA EAX,DWORD PTR SS:[EBP-CC]
0042D235  .  50  PUSH EAX
0042D236  .  FF15 B4F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>  ; MSVBVM50.__vbaObjSet
0042D23C  .  8BF0  MOV ESI,EAX
0042D23E  .  57  PUSH EDI
0042D23F  .  56  PUSH ESI
0042D240  .  8B0E  MOV ECX,DWORD PTR DS:[ESI]
0042D242  .  FF91 8C000000  CALL DWORD PTR DS:[ECX+8C]
0042D248  .  3BC7  CMP EAX,EDI
0042D24A  .  7D 12  JGE SHORT CODE_u.0042D25E
0042D24C  .  68 8C000000  PUSH 8C
0042D251  .  68 28A24000  PUSH CODE_u.0040A228
0042D256  .  56  PUSH ESI
0042D257  .  50  PUSH EAX
0042D258  .  FF15 8CF24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>  ; MSVBVM50.__vbaHresultCheckObj
0042D25E  >  8D8D 34FFFFFF  LEA ECX,DWORD PTR SS:[EBP-CC]
0042D264  .  FF15 2CF44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>  ; MSVBVM50.__vbaFreeObj
0042D26A  >  8B95 CCFEFFFF  MOV EDX,DWORD PTR SS:[EBP-134]
0042D270  .  53  PUSH EBX
0042D271  .  FF92 20030000  CALL DWORD PTR DS:[EDX+320]
0042D277  .  50  PUSH EAX
0042D278  .  8D85 34FFFFFF  LEA EAX,DWORD PTR SS:[EBP-CC]
0042D27E  .  50  PUSH EAX
0042D27F  .  FF15 B4F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>  ; MSVBVM50.__vbaObjSet
0042D285  .  8D8D 3CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-C4]
0042D28B  .  8BF0  MOV ESI,EAX
0042D28D  .  8D95 38FFFFFF  LEA EDX,DWORD PTR SS:[EBP-C8]
0042D293  .  51  PUSH ECX
0042D294  .  8B1E  MOV EBX,DWORD PTR DS:[ESI]
0042D296  .  52  PUSH EDX
0042D297  .  FF15 74F34300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>  ; MSVBVM50.__vbaStrVarVal
0042D29D  .  50  PUSH EAX
0042D29E  .  56  PUSH ESI
0042D29F  .  FF93 A4000000  CALL DWORD PTR DS:[EBX+A4]
0042D2A5  .  3BC7  CMP EAX,EDI
0042D2A7  .  7D 12  JGE SHORT CODE_u.0042D2BB
0042D2A9  .  68 A4000000  PUSH 0A4
0042D2AE  .  68 F4994000  PUSH CODE_u.004099F4
0042D2B3  .  56  PUSH ESI
0042D2B4  .  50  PUSH EAX
0042D2B5  .  FF15 8CF24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>  ; MSVBVM50.__vbaHresultCheckObj
0042D2BB  >  8D8D 38FFFFFF  LEA ECX,DWORD PTR SS:[EBP-C8]
0042D2C1  .  FF15 28F44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>  ; MSVBVM50.__vbaFreeStr
0042D2C7  .  8D8D 34FFFFFF  LEA ECX,DWORD PTR SS:[EBP-CC]
0042D2CD  .  FF15 2CF44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>  ; MSVBVM50.__vbaFreeObj
0042D2D3  .  897D FC  MOV DWORD PTR SS:[EBP-4],EDI
0042D2D6  .  9B  WAIT
0042D2D7  .  68 64D34200  PUSH CODE_u.0042D364
0042D2DC  .  EB 39  JMP SHORT CODE_u.0042D317
0042D2DE  .  8D8D 38FFFFFF  LEA ECX,DWORD PTR SS:[EBP-C8]
0042D2E4  .  FF15 28F44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>  ; MSVBVM50.__vbaFreeStr
0042D2EA  .  8D8D 34FFFFFF  LEA ECX,DWORD PTR SS:[EBP-CC]
0042D2F0  .  FF15 2CF44300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>  ; MSVBVM50.__vbaFreeObj
0042D2F6  .  8D85 04FFFFFF  LEA EAX,DWORD PTR SS:[EBP-FC]
0042D2FC  .  8D8D 14FFFFFF  LEA ECX,DWORD PTR SS:[EBP-EC]
0042D302  .  50  PUSH EAX
0042D303  .  8D95 24FFFFFF  LEA EDX,DWORD PTR SS:[EBP-DC]
0042D309  .  51  PUSH ECX
0042D30A  .  52  PUSH EDX
0042D30B  .  6A 03  PUSH 3
0042D30D  .  FF15 64F24300  CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>  ; MSVBVM50.__vbaFreeVarList
0042D313  .  83C4 10  ADD ESP,10
0042D316  .  C3  RETN
0042D317  >  8B35 50F24300  MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>  ; MSVBVM50.__vbaFreeVar
0042D31D  .  8D4D DC  LEA ECX,DWORD PTR SS:[EBP-24]
0042D320  .  FFD6  CALL ESI  ; <&MSVBVM50.__vbaFreeVar>
0042D322  .  8D4D CC  LEA ECX,DWORD PTR SS:[EBP-34]
0042D325  .  FFD6  CALL ESI
0042D327  .  8D4D BC  LEA ECX,DWORD PTR SS:[EBP-44]
0042D32A  .  FFD6  CALL ESI
0042D32C  .  8D4D AC  LEA ECX,DWORD PTR SS:[EBP-54]
0042D32F  .  FFD6  CALL ESI
0042D331  .  8D4D 9C  LEA ECX,DWORD PTR SS:[EBP-64]
0042D334  .  FFD6  CALL ESI
0042D336  .  8D4D 8C  LEA ECX,DWORD PTR SS:[EBP-74]
0042D339  .  FFD6  CALL ESI
0042D33B  .  8D8D 7CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-84]
0042D341  .  FFD6  CALL ESI
0042D343  .  8D8D 6CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-94]
0042D349  .  FFD6  CALL ESI
0042D34B  .  8D8D 5CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-A4]
0042D351  .  FFD6  CALL ESI
0042D353  .  8D8D 4CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-B4]
0042D359  .  FFD6  CALL ESI
0042D35B  .  8D8D 3CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-C4]
0042D361  .  FFE6  JMP ESI
0042D363  .  C3  RETN
--------------------------------------------------------------------------------
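【Lessons learned】
The software uses restart verification and the protection is fairly simple. I was lazy and simply NOPed out the code at address 0042D19C so that it displays the registration code directly, which saved the time of analyzing the algorithm. Run the modified program and click Register, and the registration code appears in the registration window. Then run the original, unmodified program, enter that registration code, and after a restart the program is registered. In effect, the modified program works as a keygen. If any expert has time to work out the algorithm, I would be very grateful.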
--------------------------------------------------------------------------------
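October 16, 2007, 02:46:02 PM
[ Last edited by kangroo on 2007-10-16 19:51 ]

Such an old piece of software /:good /:good

Learning, thanks

Originally posted by lxk836 on 2007-10-16 15:40
Such an old piece of software
It is a bit old. I pulled it out to practice on when I was bored. Experts needn't bother reading; there's no real technique here. I just thought that making the program show the registration code in the registration window was kind of interesting.

This doesn't seem to be a general method, does it??

Learning from this, thanks OP!!!

Originally posted by mazero on 2007-10-17 16:44
This doesn't seem to be a general method, does it??
Of course it won't work on other programs; if it did, there would be no need to write keygens at all. If patching like this always produced the registration code, that would be way too good!
[ Last edited by 悠悠魂 on 2007-10-17 17:10 ]

VB is rarely seen~~

Learning~ thanks OP

Learning~ thanks OP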
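
From the defender's side, the edit described in the first post (a conditional jump overwritten with NOPs) shows up clearly when a deployed binary's code bytes are compared against a known-good copy. The sketch below is an added example, not part of the original thread; the function names are hypothetical, and the sample bytes are constructed from the TEST/JE/MOV bytes shown in the listing.

```python
NOP = 0x90

def jcc_length(code: bytes, off: int) -> int:
    """Length of an x86 conditional jump at off (Jcc rel8 / rel32), else 0."""
    b = code[off]
    if 0x70 <= b <= 0x7F and off + 2 <= len(code):
        return 2
    if b == 0x0F and off + 6 <= len(code) and 0x80 <= code[off + 1] <= 0x8F:
        return 6
    return 0

def changed_runs(good: bytes, suspect: bytes):
    """Yield (offset, length) for each contiguous run of differing bytes."""
    if len(good) != len(suspect):
        raise ValueError("images differ in size; compare matching sections")
    start = None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            yield start, i - start
            start = None
    if start is not None:
        yield start, len(good) - start

def find_nopped_branches(good: bytes, suspect: bytes, base: int = 0):
    """Classify each changed run; flag a Jcc whose bytes are now all NOPs.

    Heuristic: the start of a changed run is assumed to be an instruction
    boundary in the known-good image.
    """
    findings, covered = [], 0
    for off, length in changed_runs(good, suspect):
        if off < covered:            # tail of a branch already reported
            continue
        jlen = jcc_length(good, off)
        if jlen and length <= jlen and set(suspect[off:off + jlen]) == {NOP}:
            kind, span = "branch-nopped", jlen
        else:
            kind, span = "other-change", length
        covered = off + span
        findings.append({"va": base + off, "kind": kind,
                         "original": good[off:off + span].hex()})
    return findings

# Constructed sample: TEST/JE/MOV bytes from the listing, starting at 0042D199.
GOOD = bytes.fromhex("6685c0" "0f84c8000000" "8b85ccfeffff")
TAMPERED = bytes.fromhex("6685c0" "909090909090" "8b85ccfeffff")

if __name__ == "__main__":
    for f in find_nopped_branches(GOOD, TAMPERED, base=0x0042D199):
        print(f"{f['va']:08X} {f['kind']} original={f['original']}")
```

In practice the known-good bytes come from the vendor's signed release, and the comparison is run per code section rather than over the whole file.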