pptppt
Posted on 2008-9-18 16:02:19
The claim that the username must be 8 characters seems to be a small mistake!!!
hflywolf
Posted on 2008-9-18 17:18:05
A simple analysis of the algorithm
The broad outline of the algorithm has already been explained by the expert at post #9.......
Load the CM in OD, F9 to run, enter
Name: hflywolf
Serial: 1234567890
Set a breakpoint with BP ShowWindow, press the "Chack" button and it breaks; remove the breakpoint and Ctrl+F9 to return to
00406120 > \55 push ebp ;start of the procedure, set a breakpoint here.
00406121 .8BEC mov ebp, esp
00406123 .83EC 0C sub esp, 0C
00406126 .68 86124000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SEH handler installation
0040612B .64:A1 0000000>mov eax, dword ptr fs:
00406131 .50 push eax
00406132 .64:8925 00000>mov dword ptr fs:, esp
00406139 .81EC BC010000 sub esp, 1BC
........N lines omitted
00406AA2 .8B45 08 mov eax, dword ptr ;returns here; scroll up to find the procedure start.
Ctrl+F2 to reload the CM, F9 to run, enter
Name: hflywolf
Serial: 1234567890
Press the "Chack" button and it breaks at 00406120. Single-step with F8 the whole way.
00406120 > \55 push ebp ;breaks here, follow with F8.
........N lines omitted
00406239 > \8B85 4CFFFFFF mov eax, dword ptr ;Name is moved into EAX
0040623F .8D95 B4FEFFFF lea edx, dword ptr
00406245 .8D4D CC lea ecx, dword ptr
00406248 .8985 BCFEFFFF mov dword ptr , eax
0040624E .C785 B4FEFFFF>mov dword ptr , 8
00406258 .FF15 38114000 call dword ptr [<&MSVBVM60.__vbaVarCo>;stores the value 8 at the address held in EAX
0040625E .8B1D 54114000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeStr
00406264 .8D8D 4CFFFFFF lea ecx, dword ptr
0040626A .FFD3 call ebx ;<&MSVBVM60.__vbaFreeStr>
0040626C .8D8D 44FFFFFF lea ecx, dword ptr
00406272 .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
00406278 .8D4D CC lea ecx, dword ptr
0040627B .8D95 34FFFFFF lea edx, dword ptr
00406281 .51 push ecx ; /var18
00406282 .52 push edx ; |retBuffer8
00406283 .FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaLenVa>; \__vbaLenVar
00406289 .8B35 0C104000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarMove
0040628F .8BD0 mov edx, eax
00406291 .8D4D B8 lea ecx, dword ptr
00406294 .FFD6 call esi ;<&MSVBVM60.__vbaVarMove>
00406296 .B8 02800000 mov eax, 8002
0040629B .B9 02000000 mov ecx, 2
004062A0 .8985 B4FEFFFF mov dword ptr , eax
004062A6 .8985 94FEFFFF mov dword ptr , eax
004062AC .8985 84FEFFFF mov dword ptr , eax
004062B2 .8985 74FEFFFF mov dword ptr , eax
004062B8 .898D ACFEFFFF mov dword ptr , ecx
004062BE .898D A4FEFFFF mov dword ptr , ecx
004062C4 .8D45 B8 lea eax, dword ptr
004062C7 .8D8D B4FEFFFF lea ecx, dword ptr
004062CD .50 push eax ; /var18
004062CE .8D95 34FFFFFF lea edx, dword ptr ; |
004062D4 .51 push ecx ; |var28
004062D5 .52 push edx ; |SaveTo8
004062D6 .89BD BCFEFFFF mov dword ptr , edi ; |
004062DC .89BD 9CFEFFFF mov dword ptr , edi ; |
004062E2 .C785 8CFEFFFF>mov dword ptr , 8 ; minimum username length is 8
004062EC .C785 7CFEFFFF>mov dword ptr , 18 ; maximum username length is 24 (hex 18)
004062F6 .FF15 28114000 call dword ptr [<&MSVBVM60.__vbaVarCm>; 0xFFFF if the username is empty, otherwise 0
004062FC .50 push eax
004062FD .8D45 B8 lea eax, dword ptr
00406300 .8D8D A4FEFFFF lea ecx, dword ptr
00406306 .50 push eax ; /var18
00406307 .8D95 24FFFFFF lea edx, dword ptr ; |
0040630D .51 push ecx ; |var28
0040630E .52 push edx ; |SaveTo8
0040630F .FF15 30114000 call dword ptr [<&MSVBVM60.__vbaVarMo>; username length divided by 2, the remainder is returned to
00406315 .50 push eax
00406316 .8D85 94FEFFFF lea eax, dword ptr
0040631C .8D8D 14FFFFFF lea ecx, dword ptr
00406322 .50 push eax
00406323 .51 push ecx
00406324 .FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaVarCm>;0xFFFF if the username length is not even, otherwise 0
0040632A .8D95 04FFFFFF lea edx, dword ptr
00406330 .50 push eax
00406331 .52 push edx
00406332 .FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>;ORs together the results returned by the two CALLs above (4062F6 and 406324).
00406338 .50 push eax ;the result is returned in EAX and pushed
00406339 .8D45 B8 lea eax, dword ptr
0040633C .8D8D 84FEFFFF lea ecx, dword ptr
00406342 .50 push eax
00406343 .8D95 F4FEFFFF lea edx, dword ptr
00406349 .51 push ecx
0040634A .52 push edx
0040634B .FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarCm>;0xFFFF if the username length is less than 8, otherwise 0
00406351 .50 push eax
00406352 .8D85 E4FEFFFF lea eax, dword ptr
00406358 .50 push eax
00406359 .FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>;ORs together the results returned by the two CALLs above (406332 and 40634B); the result is returned in EAX
0040635F .8D4D B8 lea ecx, dword ptr
00406362 .50 push eax
00406363 .8D95 74FEFFFF lea edx, dword ptr
00406369 .51 push ecx
0040636A .8D85 D4FEFFFF lea eax, dword ptr
00406370 .52 push edx
00406371 .50 push eax
00406372 .FF15 78104000 call dword ptr [<&MSVBVM60.__vbaVarCm>;0xFFFF if the username length is greater than 24, otherwise 0
00406378 .8D8D C4FEFFFF lea ecx, dword ptr
0040637E .50 push eax
0040637F .51 push ecx
00406380 .FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>;ORs together the results returned by the two CALLs above (406359 and 406372)
00406386 .50 push eax ;the result is returned in EAX and pushed
00406387 .FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaBoolV>;if the result of the CALL above (406380) is 0xFFFF then EAX=FFFFFFFF, if it is 0 then EAX=0
0040638D .66:85C0 test ax, ax
00406390 .0F84 AE000000 je 00406444 ;jumps if EAX=0, does not jump if EAX=FFFFFFFF. Everything above checks the validity of the username...
The username length must be between 8 and 24 characters and must be even...
00406444 > \B9 02000000 mov ecx, 2 ;jumps to here.
...................
0040646F .51 push ecx ; step
00406470 .8D85 A4FEFFFF lea eax, dword ptr ; |
00406476 .52 push edx ; end value
00406477 .8D8D 48FEFFFF lea ecx, dword ptr ; |
0040647D .50 push eax ; initial value
0040647E .8D95 58FEFFFF lea edx, dword ptr ; |
00406484 .51 push ecx ; temporary end value
00406485 .8D45 DC lea eax, dword ptr ; |
00406488 .52 push edx ; temporary increment
00406489 .50 push eax ; loop variable
0040648A .FF15 58104000 call dword ptr [<&MSVBVM60.__vbaVarFo>;initialise the loop
..................
004064B7 .FF15 24114000 call dword ptr [<&MSVBVM60.__vbaI4Var>;MSVBVM60.__vbaI4Var
004064BD .50 push eax ; |Start
004064BE .8D45 CC lea eax, dword ptr ; |
004064C1 .8D8D 24FFFFFF lea ecx, dword ptr ; |
004064C7 .50 push eax ; |dString8
004064C8 .51 push ecx ; |RetBUFFER
004064C9 .FF15 7C104000 call dword ptr [<&MSVBVM60.#632>] ; Mid(RetBuFFER,dString8,Start) takes the username's characters one at a time
004064CF .8D95 24FFFFFF lea edx, dword ptr
004064D5 .8D85 4CFFFFFF lea eax, dword ptr
004064DB .52 push edx ; /String8
004064DC .50 push eax ; |ARG2
004064DD .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
004064E3 .50 push eax ; /String
004064E4 .FF15 30104000 call dword ptr [<&MSVBVM60.#516>] ; get the character's ASCII value
.....................
004064FA .51 push ecx ; /var18
004064FB .8D85 14FFFFFF lea eax, dword ptr ; |
00406501 .52 push edx ; |var28
00406502 .50 push eax ; |saveto8
00406503 .C785 A4FEFFFF>mov dword ptr , 2 ; |
0040650D .FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaVarAd>; add up the ASCII values of the username's characters
......................
0040654A .50 push eax ; /TMPend8
0040654B .51 push ecx ; |TMPstep8
0040654C .52 push edx ; |Counter8
0040654D .FF15 4C114000 call dword ptr [<&MSVBVM60.__vbaVarFo>; loop
00406553 .^ E9 38FFFFFF jmp 00406490
......................
00406583 .8D45 CC lea eax, dword ptr
00406586 .51 push ecx ; /Length8
00406587 .52 push edx ; |Start
00406588 .8D8D 24FFFFFF lea ecx, dword ptr ; |
0040658E .50 push eax ; |dString8
0040658F .51 push ecx ; |RetBUFFER
00406590 .C785 3CFFFFFF>mov dword ptr , 1 ; |
0040659A .C785 34FFFFFF>mov dword ptr , 2 ; |
004065A4 .FF15 7C104000 call dword ptr [<&MSVBVM60.#632>] ; take the even-position characters of the username
004065AA .8D95 24FFFFFF lea edx, dword ptr
004065B0 .8D85 4CFFFFFF lea eax, dword ptr
004065B6 .52 push edx ; /String8
004065B7 .50 push eax ; |ARG2
004065B8 .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
004065BE .50 push eax ; /String
004065BF .FF15 30104000 call dword ptr [<&MSVBVM60.#516>] ; ASCII value of the even-position character
004065C5 .8D8D 64FFFFFF lea ecx, dword ptr
004065CB .66:8985 ACFEF>mov word ptr , ax
004065D2 .8D95 A4FEFFFF lea edx, dword ptr
004065D8 .51 push ecx ; /var18
004065D9 .8D85 14FFFFFF lea eax, dword ptr ; |
004065DF .52 push edx ; |var28
004065E0 .50 push eax ; |saveto8
004065E1 .C785 A4FEFFFF>mov dword ptr , 2 ; |
004065EB .FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaVarAd>; accumulate the ASCII values of the even-position characters
........................
00406639 .^ E9 2FFFFFFF jmp 0040656D
0040663E >8D45 88 lea eax, dword ptr
00406641 .8D8D 64FFFFFF lea ecx, dword ptr
00406647 .50 push eax ; /var18
00406648 .8D95 34FFFFFF lea edx, dword ptr ; |
0040664E .51 push ecx ; |var28
0040664F .52 push edx ; |SaveTo8
00406650 .FF15 00104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; sum of the ASC values of all characters - sum of the ASC values of the even-position characters
00406656 .8BD0 mov edx, eax ;= the result of the subtraction above. Call it Num1
00406658 .8D8D 54FFFFFF lea ecx, dword ptr
.......................
00406696 .50 push eax ; |var28
00406697 .51 push ecx ; |SaveTo8
00406698 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaVarMu>; Num1*4
0040669E .50 push eax
0040669F .FF15 24114000 call dword ptr [<&MSVBVM60.__vbaI4Var>; EAX=the product. Call it Num2
004066A5 .50 push eax
004066A6 .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaStrI4>; Num2 converted to decimal and then to a string, call it STR1
........................
004066C2 .52 push edx
004066C3 .E8 68050000 call 00406C30 ;compute the MD5 of STR1
........................
004066FC .50 push eax ; /String
004066FD .FF15 C8104000 call dword ptr [<&MSVBVM60.#713>] ; reverse the computed MD5 value, call it STR2
........................
0040672F .52 push edx ; /Length8
00406730 .6A 0B push 0B ; |Start = B
00406732 .8D8D 24FFFFFF lea ecx, dword ptr ; |
00406738 .50 push eax ; |dString8
00406739 .51 push ecx ; |RetBUFFER
0040673A .C785 3CFFFFFF>mov dword ptr , 0A ; |
00406744 .C785 34FFFFFF>mov dword ptr , 2 ; |
0040674E .FF15 7C104000 call dword ptr [<&MSVBVM60.#632>] ;Mid(STR2,11,10): take 10 characters starting at position 11 of the reversed MD5 value
00406754 .8D95 24FFFFFF lea edx, dword ptr
0040675A .52 push edx
0040675B .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarMove
00406761 .8BD0 mov edx, eax ;the extracted result goes to EDX, call it Codestr2
........................
00406788 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaStrEr>;MSVBVM60.__vbaStrErrVarCopy
0040678E .8BD0 mov edx, eax ;Num1 converted to decimal and then to a string, call it Codestr3
00406790 .8D8D 4CFFFFFF lea ecx, dword ptr
00406796 .FFD7 call edi
00406798 .8B1D 40104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrCat
0040679E .50 push eax
0040679F .68 9C334000 push 0040339C ; /-
004067A4 .FFD3 call ebx ; concatenate Codestr3 with "-", call it Codestr1
004067A6 .8BD0 mov edx, eax
004067A8 .8D8D 48FFFFFF lea ecx, dword ptr
004067AE .FFD7 call edi
004067B0 .50 push eax
004067B1 .8B45 84 mov eax, dword ptr
004067B4 .50 push eax
004067B5 .FFD3 call ebx ;concatenate Codestr1 with Codestr2, call it Codestr (the final registration code)
......................
0040684A .52 push edx ; /var18
0040684B .50 push eax ; |var28
0040684C .C785 4CFFFFFF>mov dword ptr , 0 ; |
00406856 .C785 34FFFFFF>mov dword ptr , 8008 ; |
00406860 .FF15 94104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; compare the real code with the entered code; eax=ffffffff if equal, otherwise 0
00406866 .8D8D 44FFFFFF lea ecx, dword ptr
0040686C .8BF0 mov esi, eax ;esi=eax
0040686E .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
00406874 .8D8D 34FFFFFF lea ecx, dword ptr
0040687A .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
00406880 .66:85F6 test si, si
00406883 .0F84 A3000000 je 0040692C ;jumps if esi=0 and registration fails; esi=ffffffff is the opposite.
00406889 .A1 80A04000 mov eax, dword ptr
0040688E .85C0 test eax, eax
......................
00406A42 .C3 retn
Looking forward to the OP releasing the source.
[ This post was last edited by hflywolf on 2008-9-18 17:43 ]
magic659117852
Posted on 2008-9-18 18:21:23
The poster above is too good~~~ it's as if you had read my source~~~ you saw through everything. Much respect~~ learning from this~~
For the source, I'll just post the KeyGen source~~ it's all the same anyway; change a few letters and it becomes the CM~~~~
'Add two text boxes
'Add the MD5 module
Private Sub Text1_Change()
    Dim Name As String, str1 As String, str2 As String, str3 As String, str4 As String
    Dim L As Integer, i As Integer, J As Integer
    Dim sn1 As Long, sn2 As Long, sn3 As Long, sn4 As Long
    Name = CStr(Text1.Text)
    L = Len(Name) 'L = number of characters in the username
    If L = 0 Or L Mod 2 <> 0 Or L < 8 Or L > 24 Then 'preset username conditions
        'message: the username length must be an even number between 8 and 24
        Text2.Text = "用户名位数必须为8-24之间的偶数"
    Else
        For i = 1 To L
            sn1 = sn1 + Asc(Mid(Name, i, 1)) 'sn1 = sum of the ASCII values of the username
        Next i
        For J = 2 To L Step 2
            sn2 = sn2 + Asc(Mid(Name, J, 1)) 'sn2 = sum of the ASCII values of the even-position characters
        Next J
        sn3 = sn1 - sn2 'sn3 = sum of the ASCII values of the odd-position characters
        sn4 = sn2 * (L / 2)
        str1 = MD5(CStr(sn4)) 'MD5 hash (function from the MD5 module)
        str2 = StrReverse(str1) 'reverse
        str3 = Mid(str2, 11, 10) 'take characters 11-20 of the reversed string
        str4 = CStr(sn3) & "-" & str3
        Text2.Text = str4
    End If
End Sub
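The derivation described by the trace annotations above (00406490 onwards) and by the posted VB source, reimplemented in Python as an added example; this is not code from either poster. It follows the posted source, which multiplies sn2 (the even-position sum) by L/2, whereas the trace annotation at 00406698 reads the factor as Num1*4 for the 8-character test name. It assumes the MD5 module returns the 32-character lowercase hex digest and that Asc() of every character equals its ASCII code.

```python
import hashlib
from typing import Optional, Tuple

# Constructed test vector: the name typed into the crackme in the trace above.
SAMPLE_NAME = "hflywolf"


def name_is_valid(name: str) -> bool:
    """The checks at 004062F6..00406380: non-empty, even length, 8 <= L <= 24."""
    n = len(name)
    return n != 0 and n % 2 == 0 and 8 <= n <= 24


def derive_parts(name: str) -> Tuple[int, int, int, int]:
    """Return (sn1, sn2, sn3, sn4) as the posted VB source computes them.

    Assumption: Asc() of every character equals ord(), i.e. an ASCII-only name.
    """
    codes = [ord(c) for c in name]
    sn1 = sum(codes)                  # all positions
    sn2 = sum(codes[1::2])            # 1-based even positions 2, 4, 6, ...
    sn3 = sn1 - sn2                   # odd positions
    sn4 = sn2 * (len(name) // 2)      # L / 2 is exact because L is even
    return sn1, sn2, sn3, sn4


def generate_serial(name: str) -> Optional[str]:
    """Rebuild the expected serial, or None when the name fails validation."""
    if not name_is_valid(name):
        return None
    _, _, sn3, sn4 = derive_parts(name)
    # Assumption: the thread's MD5 module returns the 32-char lowercase hex digest.
    digest = hashlib.md5(str(sn4).encode("ascii")).hexdigest()
    fragment = digest[::-1][10:20]    # StrReverse, then Mid(str2, 11, 10)
    return f"{sn3}-{fragment}"


def serial_is_valid(name: str, serial: str) -> bool:
    """The __vbaVarTstEq at 00406860: plain equality against the derived serial.

    The weakness the thread exposes: nothing secret enters the derivation, so
    anyone able to compute this function can also produce accepted serials.
    """
    expected = generate_serial(name)
    return expected is not None and serial == expected


if __name__ == "__main__":
    print(SAMPLE_NAME, "->", generate_serial(SAMPLE_NAME))
```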
pptppt
Posted on 2008-9-18 19:25:26
hflywolf is really impressive; it's all laid out crystal clear. Learned a lot.
wgz001
Posted on 2008-9-18 19:38:19
"For the source, I'll just post the KeyGen source~~ it's all the same anyway; change a few letters and it becomes the CM~~~~"
Learning from this. The OP is a master.
杨家将
Posted on 2008-9-18 19:56:22
You're all masters.
x80x88
Posted on 2008-9-18 20:03:55
I'm wary of VB stuff; when debugging, entering a 9-character username just took the jump, so I didn't look any further! Bowing to the OP and to post #22!
夜冷风
Posted on 2008-9-18 20:35:58
Didn't you say you'd drop the source tonight!!! I'm here, toss the mosquito coil over!!
小生我怕怕
Posted on 2008-9-18 20:54:29
Learning the algorithm from the brother at post #22!
magic659117852
Posted on 2008-9-18 21:09:39
Originally posted by 夜冷风 on 2008-9-18 20:35
Didn't you say you'd drop the source tonight!!! I'm here, toss the mosquito coil over!!
Isn't post #23 exactly that?