[Crack Summary]
1. If the user name is not longer than 4 characters, the whole user name takes part in the calculation; otherwise only the first 4 characters take part. Call this str.
2. The registration code must be 32 characters long.
3. The first 3 characters of the registration code are the sum of the ASCII values of str and the ASCII values of each character of "chin" (the program joins each character of "chin" to the characters of the user name in turn).
4. If the user name is not longer than 17 characters, the 4th character of the registration code is the user name length / 2; otherwise the 4th character is fixed at 9.
5. The last 28 characters of the registration code are the last 28 characters of the fixed string "7A11458A1941DDC97BD7A019F4EE79ED".
A working registration code:
Name:hrbx
Serial:8542458A1941DDC97BD7A019F4EE79ED
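The five rules of the summary above, together with the derivation of the "fixed" 28-character tail that the disassembly reply further down annotates (C: volume serial taken as a decimal number, divided by 2, truncated, plus 123456789, converted to a string and MD5-hashed), reconstructed as an added Python example. This is not code from the thread or from the program being discussed. Assumptions: the MD5 output is upper-case hex (to match the case of the posted string), the length digit uses integer division (the thread only shows an even length), and, because the volume serial that produced the poster's string is not in the thread, the 28-character tail is taken verbatim from the posted pair.

```python
import hashlib

# Constructed from the thread: the posted pair and the 32-character string whose
# last 28 characters form the tail of every serial on the poster's machine.
POSTED_NAME = "hrbx"
POSTED_SERIAL = "8542458A1941DDC97BD7A019F4EE79ED"
POSTED_MACHINE_STRING = "7A11458A1941DDC97BD7A019F4EE79ED"

SALT = "chin"            # rule 3: every character of "chin" is added to the sum
ADDEND = 0x75BCD15       # 123456789, the constant added in the disassembly


def derive_machine_string(volume_serial: int) -> str:
    """Steps annotated in the disassembly reply: the C: volume serial taken as
    a decimal number, divided by 2, truncated (VB Int), plus 123456789, then
    converted to a decimal string and MD5-hashed.  Upper-case hex output is an
    assumption made to match the case of the string in the thread."""
    value = volume_serial // 2 + ADDEND          # Int(serial / 2) + 123456789
    return hashlib.md5(str(value).encode("ascii")).hexdigest().upper()


def name_checksum(name: str) -> int:
    """Rules 1 and 3: at most the first 4 characters of the name, plus 'chin'."""
    part = name[:4]
    return sum(ord(c) for c in part) + sum(ord(c) for c in SALT)


def length_digit(name: str) -> int:
    """Rule 4: length / 2 for names of at most 17 characters, otherwise 9.
    Integer division is an assumption; the thread only shows an even length."""
    return len(name) // 2 if len(name) <= 17 else 9


def expected_serial(name: str, machine_string: str) -> str:
    """Rules 2 and 5: 3 checksum digits, 1 length digit, then the last 28
    characters of the machine-specific string, 32 characters in total."""
    return f"{name_checksum(name):03d}{length_digit(name)}{machine_string[-28:]}"


def verify_serial(name: str, serial: str, machine_string: str) -> bool:
    """Accept a name/serial pair exactly when it matches the reconstruction."""
    return len(serial) == 32 and serial == expected_serial(name, machine_string)


def checksum_range() -> tuple:
    """Smallest and largest checksum reachable with printable ASCII names,
    which shows how few distinct 4-character prefixes the scheme can produce."""
    salt = sum(ord(c) for c in SALT)
    return salt + ord(" "), salt + 4 * ord("~")


if __name__ == "__main__":
    print(expected_serial(POSTED_NAME, POSTED_MACHINE_STRING))  # 8542458A1941DDC97BD7A019F4EE79ED
    print(verify_serial(POSTED_NAME, POSTED_SERIAL, POSTED_MACHINE_STRING))  # True
    print(derive_machine_string(0))  # 25F9E794323B453885F5181F1B624D0B, MD5("123456789")
```

Two properties of the scheme fall out of the reconstruction: the prefix can take only a few hundred distinct checksum values (450 to 922 for printable ASCII), and any two names that share their first four characters and the same length digit (for example "hrbx" and "hrbxy" under the integer-division assumption) produce the same serial; and the 28-character tail is a hash of a value derived from a 32-bit volume serial, so it binds the serial to one machine while offering no more than 32 bits of input space to anyone who knows the formula.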
The "fixed string" "7A11458A1941DDC97BD7A019F4EE79ED" in the OP's crack writeup is not fixed at all; it is computed from the C: drive volume serial number, differs from machine to machine, and is already generated when the program starts.
Look at this code:
0041A6E7 > \53 push ebx
0041A6E8 .6A 02 push 2
0041A6EA .6A 01 push 1
0041A6EC .8D8D 14FFFFFF lea ecx,
0041A6F2 .53 push ebx
0041A6F3 .51 push ecx
0041A6F4 .6A 10 push 10
0041A6F6 .68 80080000 push 880
0041A6FB .FF15 D8104000 call [<&MSVBVM60.__vbaRedim>] ;MSVBVM60.__vbaRedim
0041A701 .8B85 14FFFFFF mov eax,
0041A707 .C785 0CFFFFFF>mov dword ptr , 63
0041A711 .C785 04FFFFFF>mov dword ptr , 2
0041A71B .83C4 1C add esp, 1C
0041A71E .8B48 14 mov ecx,
0041A721 .8D95 04FFFFFF lea edx,
0041A727 .C1E1 04 shl ecx, 4
0041A72A .8BF9 mov edi, ecx
0041A72C .8B48 0C mov ecx,
0041A72F .2BCF sub ecx, edi
0041A731 .8B3D 14104000 mov edi, [<&MSVBVM60.__vbaVarMove>];MSVBVM60.__vbaVarMove
0041A737 .FFD7 call edi ;<&MSVBVM60.__vbaVarMove>
0041A739 .8B85 14FFFFFF mov eax,
0041A73F .C785 FCFEFFFF>mov dword ptr , 3A
0041A749 .C785 F4FEFFFF>mov dword ptr , 2
0041A753 .8D95 F4FEFFFF lea edx,
0041A759 .8B48 14 mov ecx,
0041A75C .C1E1 04 shl ecx, 4
0041A75F .898D A4FEFFFF mov , ecx
0041A765 .8B48 0C mov ecx,
0041A768 .8B85 A4FEFFFF mov eax,
0041A76E .2BC8 sub ecx, eax
0041A770 .83C1 10 add ecx, 10
0041A773 .FFD7 call edi
0041A775 .8B85 14FFFFFF mov eax,
0041A77B .B9 02000000 mov ecx, 2
0041A780 .C785 ECFEFFFF>mov dword ptr , 5C
0041A78A .898D E4FEFFFF mov , ecx
0041A790 .2B48 14 sub ecx,
0041A793 .8D95 E4FEFFFF lea edx,
0041A799 .C1E1 04 shl ecx, 4
0041A79C .0348 0C add ecx,
0041A79F .FFD7 call edi
0041A7A1 .8D8D 14FFFFFF lea ecx,
0041A7A7 .8D95 48FFFFFF lea edx,
0041A7AD .51 push ecx
0041A7AE .52 push edx
0041A7AF .FF15 EC104000 call [<&MSVBVM60.#601>] ;MSVBVM60.rtcArray
0041A7B5 .8D85 14FFFFFF lea eax,
0041A7BB .50 push eax
0041A7BC .53 push ebx
0041A7BD .FF15 9C104000 call [<&MSVBVM60.__vbaErase>] ;MSVBVM60.__vbaErase
0041A7C3 .8D8D 48FFFFFF lea ecx,
0041A7C9 .51 push ecx
0041A7CA .68 0C200000 push 200C
0041A7CF .FF15 68104000 call [<&MSVBVM60.__vbaAryVar>] ;MSVBVM60.__vbaAryVar
0041A7D5 .8985 E0FEFFFF mov , eax
0041A7DB .8D95 E0FEFFFF lea edx,
0041A7E1 .8D45 84 lea eax,
0041A7E4 .52 push edx
0041A7E5 .50 push eax
0041A7E6 .FF15 B8114000 call [<&MSVBVM60.__vbaAryCopy>] ;MSVBVM60.__vbaAryCopy
0041A7EC .8D8D 48FFFFFF lea ecx,
0041A7F2 .FF15 1C104000 call [<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
0041A7F8 .BA 90224100 mov edx, 00412290
0041A7FD .8D4D C4 lea ecx,
0041A800 .FF15 74114000 call [<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
0041A806 .8B3D F0104000 mov edi, [<&MSVBVM60.__vbaUI1I2>] ;MSVBVM60.__vbaUI1I2
0041A80C .B9 02000000 mov ecx, 2
0041A811 .FFD7 call edi ;<&MSVBVM60.__vbaUI1I2>
0041A813 .33C9 xor ecx, ecx
0041A815 .8885 B4FEFFFF mov , al
0041A81B .FFD7 call edi
0041A81D .8B1D 90114000 mov ebx, [<&MSVBVM60.__vbaI4Var>] ;MSVBVM60.__vbaI4Var
0041A823 .8845 E8 mov , al
0041A826 >8A4D E8 mov cl,
0041A829 .8A85 B4FEFFFF mov al,
0041A82F .8B55 C4 mov edx,
0041A832 .3AC8 cmp cl, al
0041A834 .8995 0CFFFFFF mov , edx
0041A83A .C785 04FFFFFF>mov dword ptr , 8
0041A844 .0F87 AC000000 ja 0041A8F6
0041A84A .8B4D 84 mov ecx,
0041A84D .85C9 test ecx, ecx
0041A84F .74 2B je short 0041A87C
0041A851 .66:8339 01 cmp word ptr , 1
0041A855 .75 25 jnz short 0041A87C
0041A857 .8B7D E8 mov edi,
0041A85A .8B51 14 mov edx,
0041A85D .8B41 10 mov eax,
0041A860 .81E7 FF000000 and edi, 0FF
0041A866 .2BFA sub edi, edx
0041A868 .3BF8 cmp edi, eax
0041A86A .72 09 jb short 0041A875
0041A86C .FF15 B4104000 call [<&MSVBVM60.__vbaGenerateBoundsE>;MSVBVM60.__vbaGenerateBoundsError
0041A872 .8B4D 84 mov ecx,
0041A875 >C1E7 04 shl edi, 4
0041A878 .8BC7 mov eax, edi
0041A87A .EB 09 jmp short 0041A885
0041A87C >FF15 B4104000 call [<&MSVBVM60.__vbaGenerateBoundsE>;MSVBVM60.__vbaGenerateBoundsError
0041A882 .8B4D 84 mov ecx,
0041A885 >8B49 0C mov ecx,
0041A888 .03C8 add ecx, eax
0041A88A .51 push ecx
0041A88B .FFD3 call ebx
0041A88D .8D95 48FFFFFF lea edx,
0041A893 .50 push eax
0041A894 .52 push edx
0041A895 .FF15 1C114000 call [<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
0041A89B .8D85 04FFFFFF lea eax,
0041A8A1 .8D8D 48FFFFFF lea ecx,
0041A8A7 .50 push eax
0041A8A8 .8D95 38FFFFFF lea edx,
0041A8AE .51 push ecx
0041A8AF .52 push edx
0041A8B0 .FF15 34114000 call [<&MSVBVM60.__vbaVarCat>] ;MSVBVM60.__vbaVarCat
0041A8B6 .50 push eax
0041A8B7 .FF15 20104000 call [<&MSVBVM60.__vbaStrVarMove>] ;MSVBVM60.__vbaStrVarMove
0041A8BD .8BD0 mov edx, eax
0041A8BF .8D4D C4 lea ecx,
0041A8C2 .FF15 BC114000 call [<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
0041A8C8 .8D85 38FFFFFF lea eax,
0041A8CE .8D8D 48FFFFFF lea ecx,
0041A8D4 .50 push eax
0041A8D5 .51 push ecx
0041A8D6 .6A 02 push 2
0041A8D8 .FF15 28104000 call [<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
0041A8DE .8A4D E8 mov cl,
0041A8E1 .B0 01 mov al, 1
0041A8E3 .83C4 0C add esp, 0C
0041A8E6 .02C1 add al, cl
0041A8E8 .0F82 17030000 jb 0041AC05
0041A8EE .8845 E8 mov , al
0041A8F1 .^ E9 30FFFFFF jmp 0041A826
0041A8F6 >8B3D A4114000 mov edi, [<&MSVBVM60.__vbaVarCopy>];MSVBVM60.__vbaVarCopy
0041A8FC .8D95 04FFFFFF lea edx,
0041A902 .8D4D 8C lea ecx,
0041A905 .FFD7 call edi ;<&MSVBVM60.__vbaVarCopy>
0041A907 .8D45 D8 lea eax,
0041A90A .50 push eax
0041A90B .FFD3 call ebx
0041A90D .8D4D AC lea ecx,
0041A910 .8985 D8FEFFFF mov , eax
0041A916 .51 push ecx
0041A917 .FFD3 call ebx
0041A919 .8D55 C8 lea edx,
0041A91C .8985 DCFEFFFF mov , eax
0041A922 .52 push edx
0041A923 .FFD3 call ebx
0041A925 .8B1D 9C114000 mov ebx, [<&MSVBVM60.__vbaStrToAnsi>>;MSVBVM60.__vbaStrToAnsi
0041A92B .8985 E0FEFFFF mov , eax
0041A931 .8B45 88 mov eax,
0041A934 .6A 7F push 7F
0041A936 .8D8D 60FFFFFF lea ecx,
0041A93C .50 push eax
0041A93D .51 push ecx
0041A93E .FFD3 call ebx ;<&MSVBVM60.__vbaStrToAnsi>
0041A940 .50 push eax
0041A941 .8D95 D8FEFFFF lea edx,
0041A947 .8D85 DCFEFFFF lea eax,
0041A94D .52 push edx
0041A94E .8D8D E0FEFFFF lea ecx,
0041A954 .50 push eax
0041A955 .51 push ecx
0041A956 .8D95 74FFFFFF lea edx,
0041A95C .6A 7F push 7F
0041A95E .8D85 68FFFFFF lea eax,
0041A964 .52 push edx
0041A965 .50 push eax
0041A966 .FF15 30114000 call [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
0041A96C .8D8D 64FFFFFF lea ecx,
0041A972 .50 push eax
0041A973 .51 push ecx
0041A974 .FFD3 call ebx
0041A976 .50 push eax
0041A977 .8D55 8C lea edx,
0041A97A .8D85 70FFFFFF lea eax,
0041A980 .52 push edx
0041A981 .50 push eax
0041A982 .FF15 30114000 call [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
0041A988 .8D8D 6CFFFFFF lea ecx,
0041A98E .50 push eax
0041A98F .51 push ecx
0041A990 .FFD3 call ebx
0041A992 .50 push eax
0041A993 .E8 7075FFFF call 00411F08
0041A998 .FF15 58104000 call [<&MSVBVM60.__vbaSetSystemError>>;MSVBVM60.__vbaSetSystemError
0041A99E .8B95 E0FEFFFF mov edx, ;C: volume serial into EDX
0041A9A4 .BB 03000000 mov ebx, 3
0041A9A9 .8995 0CFFFFFF mov , edx
0041A9AF .8D95 04FFFFFF lea edx,
0041A9B5 .8D4D C8 lea ecx,
0041A9B8 .899D 04FFFFFF mov , ebx
0041A9BE .FFD7 call edi
0041A9C0 .8B85 DCFEFFFF mov eax,
0041A9C6 .8D95 F4FEFFFF lea edx,
0041A9CC .8D4D AC lea ecx,
0041A9CF .8985 FCFEFFFF mov , eax
0041A9D5 .899D F4FEFFFF mov , ebx
0041A9DB .FFD7 call edi
0041A9DD .8B8D D8FEFFFF mov ecx,
0041A9E3 .8D95 E4FEFFFF lea edx,
0041A9E9 .898D ECFEFFFF mov , ecx
0041A9EF .8D4D D8 lea ecx,
0041A9F2 .899D E4FEFFFF mov , ebx
0041A9F8 .FFD7 call edi
0041A9FA .8B95 60FFFFFF mov edx,
0041AA00 .8D45 88 lea eax,
0041AA03 .52 push edx
0041AA04 .50 push eax
0041AA05 .FF15 08114000 call [<&MSVBVM60.__vbaStrToUnicode>];MSVBVM60.__vbaStrToUnicode
0041AA0B .8D8D 60FFFFFF lea ecx,
0041AA11 .8D95 64FFFFFF lea edx,
0041AA17 .51 push ecx
0041AA18 .52 push edx
0041AA19 .8D85 68FFFFFF lea eax,
0041AA1F .8D8D 6CFFFFFF lea ecx,
0041AA25 .50 push eax
0041AA26 .8D95 70FFFFFF lea edx,
0041AA2C .51 push ecx
0041AA2D .52 push edx
0041AA2E .6A 05 push 5
0041AA30 .FF15 78114000 call [<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
0041AA36 .83C4 18 add esp, 18
0041AA39 .8D7E 38 lea edi,
0041AA3C .68 5C0B4100 push 00410B5C
0041AA41 .FF15 E8104000 call [<&MSVBVM60.__vbaNew>] ;MSVBVM60.__vbaNew
0041AA47 .50 push eax
0041AA48 .8D85 5CFFFFFF lea eax,
0041AA4E .50 push eax
0041AA4F .FF15 74104000 call [<&MSVBVM60.__vbaObjSet>] ;MSVBVM60.__vbaObjSet
0041AA55 .50 push eax
0041AA56 .57 push edi
0041AA57 .FF15 B0114000 call [<&MSVBVM60.__vbaVarSetObjAddref>;MSVBVM60.__vbaVarSetObjAddref
0041AA5D .8D8D 5CFFFFFF lea ecx,
0041AA63 .FF15 D8114000 call [<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
0041AA69 .B8 02000000 mov eax, 2
0041AA6E .8D4D C8 lea ecx,
0041AA71 .8985 0CFFFFFF mov , eax
0041AA77 .8985 04FFFFFF mov , eax
0041AA7D .8D95 04FFFFFF lea edx,
0041AA83 .51 push ecx
0041AA84 .8D85 48FFFFFF lea eax,
0041AA8A .52 push edx
0041AA8B .50 push eax
0041AA8C .C785 FCFEFFFF>mov dword ptr , 75BCD15
0041AA96 .899D F4FEFFFF mov , ebx
0041AA9C .FF15 18114000 call [<&MSVBVM60.__vbaVarDiv>] ;C: volume serial converted to decimal, divided by 2
0041AAA2 .8D8D 38FFFFFF lea ecx,
0041AAA8 .50 push eax
0041AAA9 .51 push ecx
0041AAAA .FF15 64114000 call [<&MSVBVM60.__vbaVarInt>] ; truncate the result to an integer
0041AAB0 .50 push eax
0041AAB1 .8D95 F4FEFFFF lea edx,
0041AAB7 .8D85 28FFFFFF lea eax,
0041AABD .52 push edx
0041AABE .50 push eax
0041AABF .FF15 98114000 call [<&MSVBVM60.__vbaVarAdd>] ;truncated result + 123456789
0041AAC5 .8B10 mov edx,
0041AAC7 .83EC 10 sub esp, 10
0041AACA .8BCC mov ecx, esp
0041AACC .6A 01 push 1
0041AACE .68 5C254100 push 0041255C ;y
0041AAD3 .8911 mov , edx
0041AAD5 .8B50 04 mov edx,
0041AAD8 .57 push edi
0041AAD9 .8951 04 mov , edx
0041AADC .8B50 08 mov edx,
0041AADF .8B40 0C mov eax,
0041AAE2 .8951 08 mov , edx
0041AAE5 .8941 0C mov , eax
0041AAE8 .8D8D 18FFFFFF lea ecx,
0041AAEE .51 push ecx
0041AAEF .FF15 AC114000 call [<&MSVBVM60.__vbaVarLateMemCallL>;result converted to a string and MD5-hashed
0041AAF5 .83C4 20 add esp, 20 ;look in the stack window...... and you will see the result!
Set a breakpoint with F2 at 0041A6E7, run with F9 and trace through, and you will see the result.

Truly extraordinary; you are all experts. I could only NOP out the check; I did not trace the algorithm.

Such a great article, why is there no attachment?
Quick, add it, we are waiting to practise!

Originally posted by 野猫III on 2006-4-24 01:35
Such a great article, why is there no attachment?
Quick, add it, we are waiting to practise!
He already wrote the software's name ;P
https://www.chinapyg.com/viewthread.php?tid=2421&extra=page%3D1

Thanks to brother busheler for the pointer, it has been changed!
Using flyOD, changing the ja at 0417849 to JMP can bypass the detection,
but if I switch to another debugger (such as UnKillOD), it is still detected.
So I suspect patching 0417849 is not a foolproof solution; could an expert advise how to completely bypass the debugger detection?
Thanks!
[ This post was last edited by hrbx on 2006-4-26 23:48 ]

Originally posted by 飘云 on 2006-4-24 06:47
He already wrote the software's name ;P
https://www.chinapyg.com/viewthread.php?tid=2421&extra=page%3D1
Yes, very advanced! I can't even handle this one.
Algorithms are my weak point, so I will have to put in much more hard work.
Envious, working hard, sighing at the moon; sigh, when will I be able to reach this level?
Envious, working hard, sighing at the moon; sigh, when will I be able to reach this level? I have only a little foundation, but I am still far behind all of you.