Piao Yun's CrackMe003: simple algorithm analysis + VB keygen source code
【Title】Piao Yun's CrackMe003: simple algorithm analysis + VB keygen source code
【Author】hrbx
【Author homepage】hrbx.ys168.com
【Author e-mail】[email protected]
【Platform】WinXP
【Tools】flyOD1.10, PEiD
【Date】2006-03-27
【Software】Piao Yun's CrackMe003
【Size】56.5KB
【Download】https://www.chinapyg.com/viewthread.php?tid=4214&extra=page%3D1
【Packer】UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【Description】Piao Yun's CrackMe003
-----------------------------------------------------------------------------------------------
【Notes】I am just a newbie; I picked up a little insight and want to share it with everyone :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Unpacking. Scanning with PEiD shows: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo. Unpack it directly with
PEiD's bundled unpacker plugin. Scanning again with PEiD shows: Microsoft Visual Basic 5.0 / 6.0.
2. Test-run the crackme. Enter the registration info:
====================================================================
Hard Code:16856497051497056666666666666653371299410299411333333333333330
Serial:9876543210
====================================================================
Click the Check button: the main window closes and a "Bye!Dear Cracker!" message box pops up.
3. Find where the Hard Code comes from. Load the program in OD, set a breakpoint from the command line: bp __vbaLenBstr, press Enter, F9 to run, and it breaks:
660E5F5F MS>8B4424 04 mov eax,dword ptr ss: ; breaks here
660E5F63 85C0 test eax,eax
660E5F65 74 05 je short MSVBVM60.660E5F6C
660E5F67 8B40 FC mov eax,dword ptr ds:
660E5F6A D1E8 shr eax,1
观察堆栈友好提示:
0012F9A0 660E5FAD 返回到 MSVBVM60.660E5FAD 来自 MSVBVM60.__vbaLenBstr
0012F9A4 0015DE64 UNICODE "D81F31F8"
The "D81F31F8" on the stack is the C: drive's volume serial number D81F-31F8 with the "-" in the middle removed. ALT+F9 to return, arriving at:
0041023B FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; get the length of the string "D81F31F8", EAX=8
00410241 50 push eax ; returns here
00410242 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
00410248 8985 58FFFFFF mov dword ptr ss:,eax ; save the string length EAX=8
0041024E 66:C746 68 0100 mov word ptr ds:,1
00410254 66:8B46 68 mov ax,word ptr ds: ; loop counter into AX
00410258 66:3B85 58FFFFF>cmp ax,word ptr ss: ; compare the loop counter with the string length
0041025F 0F8F 97000000 jg CrackMe0.004102FC ; jump if greater, otherwise continue
00410265 0FBFD0 movsx edx,ax
00410268 8D4D CC lea ecx,dword ptr ss:
0041026B 8D46 6C lea eax,dword ptr ds:
0041026E 51 push ecx
0041026F 52 push edx
00410270 50 push eax
00410271 8D45 BC lea eax,dword ptr ss:
00410274 BF 02000000 mov edi,2
00410279 50 push eax
0041027A C745 D4 0100000>mov dword ptr ss:,1
00410281 897D CC mov dword ptr ss:,edi
00410284 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; take 1 character from "D81F31F8", starting at position 1
0041028A 8D4D BC lea ecx,dword ptr ss:
0041028D 8D55 E8 lea edx,dword ptr ss:
00410290 51 push ecx
00410291 52 push edx
00410292 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
00410298 50 push eax
00410299 FF15 44104000 call dword ptr ds:[<&MSVBVM60.rtcAnsiValueBstr>]; ASCII value of the character, EAX=0x44 ("D")
0041029F 89BD 7CFFFFFF mov dword ptr ss:,edi
004102A5 66:8945 84 mov word ptr ss:,ax ; AX=0x44 ("D"), save the character's ASCII value
004102A9 8D7E 34 lea edi,dword ptr ds:
004102AC 8D85 7CFFFFFF lea eax,dword ptr ss:
004102B2 57 push edi
004102B3 8D4D AC lea ecx,dword ptr ss:
004102B6 50 push eax
004102B7 51 push ecx
004102B8 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; each character's ASCII value, written in decimal, is appended in turn
004102BE 8BD0 mov edx,eax ; finally giving the string "6856497051497056"
004102C0 8BCF mov ecx,edi
004102C2 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004102C8 8D4D E8 lea ecx,dword ptr ss:
004102CB FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004102D1 8D55 AC lea edx,dword ptr ss:
004102D4 8D45 BC lea eax,dword ptr ss:
004102D7 52 push edx
004102D8 8D4D CC lea ecx,dword ptr ss:
004102DB 50 push eax
004102DC 51 push ecx
004102DD 6A 03 push 3
004102DF FFD3 call ebx
004102E1 B8 01000000 mov eax,1
004102E6 83C4 10 add esp,10
004102E9 66:0346 68 add ax,word ptr ds:
004102ED 0F80 77020000 jo CrackMe0.0041056A
004102F3 66:8946 68 mov word ptr ds:,ax
004102F7 ^ E9 58FFFFFF jmp CrackMe0.00410254 ; jump back to take the next character
004102FC 8D7E 34 lea edi,dword ptr ds:
004102FF 8D55 8C lea edx,dword ptr ss:
00410302 57 push edi
00410303 52 push edx
00410304 8D45 CC lea eax,dword ptr ss:
00410307 57 push edi
00410308 50 push eax
00410309 C745 94 1E00000>mov dword ptr ss:,1E ; constant 0x1E (30)
00410310 C745 8C 0200000>mov dword ptr ss:,2
00410317 FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; get the length of "6856497051497056", 0x10
0041031D 8D4D BC lea ecx,dword ptr ss:
00410320 50 push eax
00410321 51 push ecx
00410322 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x1E-0x10=0xE
00410328 50 push eax
00410329 FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
0041032F 8D55 AC lea edx,dword ptr ss: ; EAX=0xE
00410332 50 push eax
00410333 52 push edx
00410334 FF15 38114000 call dword ptr ds:[<&MSVBVM60.rtcStringVar>] ; built-in string "66666666666666"
0041033A 8D45 AC lea eax,dword ptr ss: ; its length is the difference computed above (0xE)
0041033D 57 push edi
0041033E 8D4D 9C lea ecx,dword ptr ss:
00410341 50 push eax
00410342 51 push ecx
00410343 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate "6856497051497056"
; with "66666666666666"
00410349 8BD0 mov edx,eax ; giving "685649705149705666666666666666"
0041034B 8BCF mov ecx,edi
0041034D FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00410353 8D55 9C lea edx,dword ptr ss:
00410356 8D45 AC lea eax,dword ptr ss:
00410359 52 push edx
0041035A 50 push eax
0041035B 6A 02 push 2
0041035D FFD3 call ebx
0041035F 83C4 0C add esp,0C
00410362 8D4D CC lea ecx,dword ptr ss:
00410365 8D55 BC lea edx,dword ptr ss:
00410368 C745 D4 3900000>mov dword ptr ss:,39
0041036F 51 push ecx
00410370 6A 1E push 1E ; 0x1E (30)
00410372 52 push edx
00410373 C745 CC 0200000>mov dword ptr ss:,2
0041037A FF15 38114000 call dword ptr ds:[<&MSVBVM60.rtcStringVar>] ; built-in fixed string, length 0x1E (30)
00410380 8D4E 44 lea ecx,dword ptr ds: ; "999999999999999999999999999999"
00410383 8D55 BC lea edx,dword ptr ss:
00410386 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0041038C 8D45 BC lea eax,dword ptr ss:
0041038F 8D4D CC lea ecx,dword ptr ss:
00410392 50 push eax
00410393 51 push ecx
00410394 6A 02 push 2
00410396 FFD3 call ebx
00410398 8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
0041039E 83C4 0C add esp,0C
004103A1 8D46 44 lea eax,dword ptr ds:
004103A4 50 push eax
004103A5 FFD3 call ebx
004103A7 8BD0 mov edx,eax
004103A9 8D4D E4 lea ecx,dword ptr ss:
004103AC FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004103B2 57 push edi
004103B3 FFD3 call ebx
004103B5 8BD0 mov edx,eax
004103B7 8D4D E8 lea ecx,dword ptr ss:
004103BA FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004103C0 8B16 mov edx,dword ptr ds:
004103C2 8D45 CC lea eax,dword ptr ss:
004103C5 50 push eax
004103C6 8D4D E4 lea ecx,dword ptr ss:
004103C9 8D45 E8 lea eax,dword ptr ss:
004103CC 51 push ecx
004103CD 50 push eax
004103CE 56 push esi
004103CF FF92 00070000 call dword ptr ds: ; key CALL, F7 to step into
004103D5 85C0 test eax,eax
004103D7 7D 12 jge short CrackMe0.004103EB
004103D9 68 00070000 push 700
004103DE 68 C43B4000 push CrackMe0.00403BC4
004103E3 56 push esi
004103E4 50 push eax
004103E5 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>
004103EB 8D7E 54 lea edi,dword ptr ds:
004103EE 8D55 CC lea edx,dword ptr ss:
004103F1 8BCF mov ecx,edi
004103F3 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004103F9 8D4D E4 lea ecx,dword ptr ss:
004103FC 8D55 E8 lea edx,dword ptr ss:
004103FF 51 push ecx
00410400 52 push edx
00410401 6A 02 push 2
00410403 FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]
00410409 83C4 0C add esp,0C
0041040C 8D4D CC lea ecx,dword ptr ss:
0041040F FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00410415 8B06 mov eax,dword ptr ds:
00410417 56 push esi
00410418 FF90 00030000 call dword ptr ds:
0041041E 8D4D DC lea ecx,dword ptr ss:
00410421 50 push eax
00410422 51 push ecx
00410423 FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
00410429 57 push edi
0041042A 8985 74FFFFFF mov dword ptr ss:,eax
00410430 FFD3 call ebx
00410432 57 push edi
00410433 8945 C4 mov dword ptr ss:,eax ; the string "1685649705149705666666666666665"
00410436 C745 BC 0800000>mov dword ptr ss:,8
0041043D FFD3 call ebx
0041043F 8BD0 mov edx,eax
00410441 8D4D E4 lea ecx,dword ptr ss:
00410444 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
0041044A 57 push edi
0041044B FFD3 call ebx
0041044D 8BD0 mov edx,eax ; the string "1685649705149705666666666666665"
0041044F 8D4D E8 lea ecx,dword ptr ss:
00410452 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
00410458 8B16 mov edx,dword ptr ds:
0041045A 8D45 CC lea eax,dword ptr ss:
0041045D 50 push eax
0041045E 8D4D E4 lea ecx,dword ptr ss:
00410461 8D45 E8 lea eax,dword ptr ss:
00410464 51 push ecx
00410465 50 push eax
00410466 56 push esi
00410467 FF92 00070000 call dword ptr ds: ; same key CALL as above; both strings taking part in the
0041046D 85C0 test eax,eax ; computation are now "1685649705149705666666666666665"
0041046F 7D 12 jge short CrackMe0.00410483 ; the computation yields the string
00410471 68 00070000 push 700 ; "3371299410299411333333333333330"
00410476 68 C43B4000 push CrackMe0.00403BC4
0041047B 56 push esi
0041047C 50 push eax
0041047D FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>
00410483 8BB5 74FFFFFF mov esi,dword ptr ss:
00410489 8D4D BC lea ecx,dword ptr ss:
0041048C 8D55 CC lea edx,dword ptr ss:
0041048F 51 push ecx
00410490 8B3E mov edi,dword ptr ds:
00410492 8D45 AC lea eax,dword ptr ss:
00410495 52 push edx
00410496 50 push eax
00410497 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate the results of the two computations
0041049D 8D4D E0 lea ecx,dword ptr ss:
004104A0 50 push eax
004104A1 51 push ecx
004104A2 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004104A8 50 push eax ; giving the Hard Code "168564970514970566666666
004104A9 56 push esi ; 66666653371299410299411333333333333330"
Press F7 to enter the key CALL at 004103D5, arriving at:
00402E9D /E9 CED60000 jmp CrackMe0.00410570
00402EA2 |816C24 04 B7000>sub dword ptr ss:,0B7
00402EAA |E9 11DE0000 jmp CrackMe0.00410CC0
Press F8 once more, arriving at:
00410570 55 push ebp
00410571 8BEC mov ebp,esp
.......................................................
some code omitted
.......................................................
00410617 8B35 2C104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0041061D 50 push eax ; string 1 "649705149705666666666666665337"
0041061E FFD6 call esi ; get the length of string 1, EAX=0x1E (30)
00410620 8B1D 20104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00410626 8D95 10FFFFFF lea edx,dword ptr ss:
0041062C 8D4D CC lea ecx,dword ptr ss:
0041062F 8985 18FFFFFF mov dword ptr ss:,eax ; save the length of string 1, EAX=0x1E (30)
00410635 C785 10FFFFFF 0>mov dword ptr ss:,3
0041063F FFD3 call ebx
00410641 8B4D 10 mov ecx,dword ptr ss:
00410644 8B11 mov edx,dword ptr ds:
00410646 52 push edx ; string 2 "999999999999999999999999999999"
00410647 FFD6 call esi ; get the length of string 2, EAX=0x1E (30)
00410649 8D95 10FFFFFF lea edx,dword ptr ss:
0041064F 8D4D AC lea ecx,dword ptr ss:
00410652 8985 18FFFFFF mov dword ptr ss:,eax ; save the length of string 2, EAX=0x1E (30)
00410658 C785 10FFFFFF 0>mov dword ptr ss:,3
.......................................................
some code omitted
.......................................................
0041084B 52 push edx
0041084C C785 00FFFFFF 0>mov dword ptr ss:,4008
00410856 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; length of string 1 (0x1E) - loop counter
0041085C 50 push eax
0041085D 8D85 10FFFFFF lea eax,dword ptr ss:
00410863 8D8D 40FFFFFF lea ecx,dword ptr ss:
00410869 50 push eax
0041086A 51 push ecx
0041086B FFD6 call esi ; then add 1, ready to take characters from the last position of string 1
0041086D 50 push eax
0041086E FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00410874 50 push eax ; EAX=0x1E
00410875 8D95 00FFFFFF lea edx,dword ptr ss:
0041087B 8D85 20FFFFFF lea eax,dword ptr ss:
00410881 52 push edx
00410882 50 push eax
00410883 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; string 1 "685649705149705666666666666666"
00410889 8D8D 20FFFFFF lea ecx,dword ptr ss: ; take one character at a time from string 1, walking backwards from its last position
0041088F 8D95 60FFFFFF lea edx,dword ptr ss:
00410895 51 push ecx
00410896 52 push edx
00410897 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
0041089D 50 push eax
0041089E FF15 EC114000 call dword ptr ds:[<&MSVBVM60.rtcR8ValFromBstr>]; convert the extracted character to a real number, "6"-->6.0
004108A4 DD9D E8FEFFFF fstp qword ptr ss: ; st=6.0000000000000000000
004108AA 8D95 E0FEFFFF lea edx,dword ptr ss:
004108B0 8D4D 88 lea ecx,dword ptr ss:
004108B3 C785 E0FEFFFF 0>mov dword ptr ss:,5
004108BD FFD3 call ebx
004108BF 8D8D 60FFFFFF lea ecx,dword ptr ss:
004108C5 FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004108CB 8D85 20FFFFFF lea eax,dword ptr ss:
004108D1 8D8D 30FFFFFF lea ecx,dword ptr ss:
004108D7 50 push eax
004108D8 8D95 40FFFFFF lea edx,dword ptr ss:
004108DE 51 push ecx
004108DF 52 push edx
004108E0 6A 03 push 3
004108E2 FFD7 call edi
004108E4 B8 02000000 mov eax,2
004108E9 B9 01000000 mov ecx,1
004108EE 8985 30FFFFFF mov dword ptr ss:,eax
004108F4 8985 10FFFFFF mov dword ptr ss:,eax
004108FA 8B45 10 mov eax,dword ptr ss:
004108FD 83C4 10 add esp,10
00410900 898D 38FFFFFF mov dword ptr ss:,ecx
00410906 898D 18FFFFFF mov dword ptr ss:,ecx
0041090C 8D8D 30FFFFFF lea ecx,dword ptr ss:
00410912 8985 08FFFFFF mov dword ptr ss:,eax
00410918 8D55 BC lea edx,dword ptr ss:
0041091B 51 push ecx
0041091C 8D45 DC lea eax,dword ptr ss:
0041091F 52 push edx
00410920 8D8D 50FFFFFF lea ecx,dword ptr ss:
00410926 50 push eax
00410927 51 push ecx
00410928 C785 00FFFFFF 0>mov dword ptr ss:,4008
00410932 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; length of string 2 (0x1E) - loop counter
00410938 50 push eax
00410939 8D95 10FFFFFF lea edx,dword ptr ss:
0041093F 8D85 40FFFFFF lea eax,dword ptr ss:
00410945 52 push edx
00410946 50 push eax
00410947 FFD6 call esi ; then add 1, ready to take characters from the last position of string 2
00410949 50 push eax
0041094A FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00410950 8D8D 00FFFFFF lea ecx,dword ptr ss:
00410956 50 push eax
00410957 8D95 20FFFFFF lea edx,dword ptr ss:
0041095D 51 push ecx
0041095E 52 push edx
0041095F FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; string 2 "999999999999999999999999999999"
00410965 8D85 20FFFFFF lea eax,dword ptr ss: ; take one character at a time from string 2, walking backwards from its last position
0041096B 8D8D 60FFFFFF lea ecx,dword ptr ss:
00410971 50 push eax
00410972 51 push ecx
00410973 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
00410979 50 push eax
0041097A FF15 EC114000 call dword ptr ds:[<&MSVBVM60.rtcR8ValFromBstr>]; convert the extracted character to a real number, "9"-->9.0
00410980 DD9D E8FEFFFF fstp qword ptr ss: ; st=9.0000000000000000000
00410986 8D95 E0FEFFFF lea edx,dword ptr ss:
0041098C 8D8D 68FFFFFF lea ecx,dword ptr ss:
00410992 C785 E0FEFFFF 0>mov dword ptr ss:,5
0041099C FFD3 call ebx
0041099E 8D8D 60FFFFFF lea ecx,dword ptr ss:
004109A4 FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004109AA 8D95 20FFFFFF lea edx,dword ptr ss:
004109B0 8D85 30FFFFFF lea eax,dword ptr ss:
004109B6 52 push edx
004109B7 8D8D 40FFFFFF lea ecx,dword ptr ss:
004109BD 50 push eax
004109BE 51 push ecx
004109BF 6A 03 push 3
004109C1 FFD7 call edi
004109C3 83C4 10 add esp,10
004109C6 8D55 88 lea edx,dword ptr ss:
004109C9 8D85 68FFFFFF lea eax,dword ptr ss:
004109CF 8D8D 50FFFFFF lea ecx,dword ptr ss:
004109D5 52 push edx
004109D6 50 push eax
004109D7 51 push ecx
004109D8 FFD6 call esi ; MSVBVM60.__vbaVarAdd, add the two extracted real numbers
004109DA 50 push eax ; 9.0+6.0=15.0
004109DB 8D55 98 lea edx,dword ptr ss:
004109DE 8D85 40FFFFFF lea eax,dword ptr ss:
004109E4 52 push edx
004109E5 50 push eax
004109E6 FFD6 call esi ; __vbaVarAdd, adds 1 more if the previous round's sum was greater than 9 (the carry)
004109E8 50 push eax
004109E9 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
004109EF 8D8D 40FFFFFF lea ecx,dword ptr ss:
004109F5 8D95 50FFFFFF lea edx,dword ptr ss:
004109FB 51 push ecx
004109FC 52 push edx
004109FD 6A 02 push 2
004109FF 8985 64FFFFFF mov dword ptr ss:,eax
00410A05 FFD7 call edi
00410A07 8B85 64FFFFFF mov eax,dword ptr ss:
00410A0D 83C4 0C add esp,0C
00410A10 66:3D 0900 cmp ax,9 ; compare the sum with 9, AX=0xF (15)
00410A14 7E 1C jle short CrackMe0.00410A32 ; jump if less than or equal to 9
00410A16 66:2D 0A00 sub ax,0A ; otherwise AX=AX-0xA=5
00410A1A C785 18FFFFFF 0>mov dword ptr ss:,1 ; store the digit 1 at ss:, to be added into the next round
00410A24 0F80 86020000 jo CrackMe0.00410CB0
00410A2A 8985 64FFFFFF mov dword ptr ss:,eax ; save AX
00410A30 EB 0A jmp short CrackMe0.00410A3C
00410A32 C785 18FFFFFF 0>mov dword ptr ss:,0
00410A3C 8D95 10FFFFFF lea edx,dword ptr ss:
00410A42 8D4D 98 lea ecx,dword ptr ss:
00410A45 C785 10FFFFFF 0>mov dword ptr ss:,2
00410A4F FFD3 call ebx
00410A51 8D8D 10FFFFFF lea ecx,dword ptr ss:
00410A57 8D95 50FFFFFF lea edx,dword ptr ss:
00410A5D 8D85 64FFFFFF lea eax,dword ptr ss:
00410A63 51 push ecx
00410A64 52 push edx
00410A65 8985 18FFFFFF mov dword ptr ss:,eax
00410A6B C785 10FFFFFF 0>mov dword ptr ss:,4002
00410A75 FF15 A8114000 call dword ptr ds:[<&MSVBVM60.rtcVarStrFromVar>]; convert the number left after the subtraction to a string, 5-->"5"
00410A7B 8D85 50FFFFFF lea eax,dword ptr ss:
00410A81 6A 01 push 1
00410A83 8D8D 40FFFFFF lea ecx,dword ptr ss:
00410A89 50 push eax
00410A8A 51 push ecx
00410A8B FF15 C8114000 call dword ptr ds:[<&MSVBVM60.rtcRightCharVar>] ; take the rightmost character of the string "5", giving "5"
00410A91 8B55 A8 mov edx,dword ptr ss:
00410A94 8D85 40FFFFFF lea eax,dword ptr ss:
00410A9A 8995 08FFFFFF mov dword ptr ss:,edx
00410AA0 8D8D 00FFFFFF lea ecx,dword ptr ss:
00410AA6 50 push eax
00410AA7 8D95 30FFFFFF lea edx,dword ptr ss:
00410AAD 51 push ecx
00410AAE 52 push edx
00410AAF C785 00FFFFFF 0>mov dword ptr ss:,8
00410AB9 FFD6 call esi ; VarBstrCat, concatenate the character obtained in each round
00410ABB 50 push eax
00410ABC FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>]
00410AC2 8BD0 mov edx,eax
00410AC4 8D4D A8 lea ecx,dword ptr ss:
00410AC7 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
00410ACD 8D85 30FFFFFF lea eax,dword ptr ss:
00410AD3 8D8D 40FFFFFF lea ecx,dword ptr ss:
00410AD9 50 push eax
00410ADA 8D95 50FFFFFF lea edx,dword ptr ss:
00410AE0 51 push ecx
00410AE1 52 push edx
00410AE2 6A 03 push 3
00410AE4 FFD7 call edi
00410AE6 83C4 10 add esp,10
00410AE9 8D85 C0FEFFFF lea eax,dword ptr ss:
00410AEF 8D8D D0FEFFFF lea ecx,dword ptr ss:
00410AF5 8D55 DC lea edx,dword ptr ss:
00410AF8 50 push eax
00410AF9 51 push ecx
00410AFA 52 push edx
00410AFB FF15 DC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>]
00410B01 ^ E9 FDFCFFFF jmp CrackMe0.00410803
00410B06 8D45 98 lea eax,dword ptr ss:
00410B09 8D8D 10FFFFFF lea ecx,dword ptr ss:
00410B0F 50 push eax
00410B10 51 push ecx
00410B11 C785 18FFFFFF 0>mov dword ptr ss:,0
00410B1B C785 10FFFFFF 0>mov dword ptr ss:,8002
00410B25 FF15 90114000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>]
00410B2B 66:85C0 test ax,ax
00410B2E 74 7F je short CrackMe0.00410BAF
00410B30 8D55 98 lea edx,dword ptr ss:
00410B33 8D85 50FFFFFF lea eax,dword ptr ss:
00410B39 52 push edx
00410B3A 50 push eax
00410B3B FF15 A8114000 call dword ptr ds:[<&MSVBVM60.rtcVarStrFromVar>]
00410B41 8D8D 50FFFFFF lea ecx,dword ptr ss:
00410B47 6A 01 push 1
00410B49 8D95 40FFFFFF lea edx,dword ptr ss:
00410B4F 51 push ecx
00410B50 52 push edx
00410B51 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.rtcRightCharVar>]
00410B57 8B45 A8 mov eax,dword ptr ss: ; the string "685649705149705666666666666665" is obtained
00410B5A 8D8D 40FFFFFF lea ecx,dword ptr ss:
00410B60 8985 18FFFFFF mov dword ptr ss:,eax
00410B66 8D95 10FFFFFF lea edx,dword ptr ss:
00410B6C 51 push ecx
00410B6D 8D85 30FFFFFF lea eax,dword ptr ss:
00410B73 52 push edx
00410B74 50 push eax
00410B75 C785 10FFFFFF 0>mov dword ptr ss:,8
00410B7F FFD6 call esi ; VarBstrCat, the last round's sum was greater than 9,
; so the character "1" is prepended to the string
00410B81 50 push eax ; giving the string "1685649705149705666666666666665"
00410B82 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>]
4. Tracing out the algorithm. Load the program in OD, F9 to run it, enter the registration info, then set a breakpoint from the command bar: bp rtcMidCharBstr, press Enter, click the Check button, and it breaks:
660E64A6 MS>55 push ebp ; breaks here
660E64A7 8BEC mov ebp,esp
660E64A9 83EC 10 sub esp,10
660E64AC 8B45 10 mov eax,dword ptr ss:
Type on the command bar: bc rtcMidCharBstr, press Enter to clear the breakpoint, ALT+F9 to return, arriving at:
0040F72C FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
0040F732 8D5E 34 lea ebx,dword ptr ds: ; the return lands here
0040F735 8D55 A8 lea edx,dword ptr ss:
0040F738 8BCB mov ecx,ebx
0040F73A FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
Search upwards to 0040F650 and set a breakpoint there with F2, Ctrl+F2 to reload the program, enter the registration info and click the Check button; it breaks immediately:
0040F650 55 push ebp ; breakpoint set here
0040F651 8BEC mov ebp,esp
.......................................................
some code omitted
.......................................................
0040F706 8945 D0 mov dword ptr ss:,eax ; the disk-derived Hard Code "1685649705149705666666666666665337
0040F709 8D45 B8 lea eax,dword ptr ss: ; 1299410299411333333333333330"
0040F70C 50 push eax
0040F70D 6A 05 push 5 ; constant 5
0040F70F 8D55 A8 lea edx,dword ptr ss:
0040F712 51 push ecx
0040F713 52 push edx
0040F714 C745 C0 1E00000>mov dword ptr ss:,1E ; constant 0x1E (30)
0040F71B C745 B8 0200000>mov dword ptr ss:,2
0040F722 895D E0 mov dword ptr ss:,ebx
0040F725 C745 C8 0800000>mov dword ptr ss:,8
0040F72C FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>]; take 0x1E (30) characters from the string, starting at position 5
0040F732 8D5E 34 lea ebx,dword ptr ds: ; giving the string "649705149705666666666666665337"
0040F735 8D55 A8 lea edx,dword ptr ss:
0040F738 8BCB mov ecx,ebx
0040F73A FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0040F740 8D4D D8 lea ecx,dword ptr ss:
0040F743 FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040F749 8D45 A8 lea eax,dword ptr ss:
0040F74C 8D4D B8 lea ecx,dword ptr ss:
0040F74F 50 push eax
0040F750 8D55 C8 lea edx,dword ptr ss:
0040F753 51 push ecx
0040F754 52 push edx
0040F755 6A 03 push 3
0040F757 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0040F75D 8B06 mov eax,dword ptr ds:
0040F75F 83C4 10 add esp,10
0040F762 56 push esi
0040F763 FF90 00030000 call dword ptr ds:
0040F769 8D4D D8 lea ecx,dword ptr ss:
0040F76C 50 push eax
0040F76D 51 push ecx
0040F76E FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F774 8BF8 mov edi,eax
0040F776 8D45 E0 lea eax,dword ptr ss:
0040F779 50 push eax
0040F77A 57 push edi
0040F77B 8B17 mov edx,dword ptr ds:
0040F77D FF92 A0000000 call dword ptr ds:
0040F783 85C0 test eax,eax
0040F785 DBE2 fclex
0040F787 7D 12 jge short CrackMe0.0040F79B
0040F789 68 A0000000 push 0A0
0040F78E 68 743E4000 push CrackMe0.00403E74
0040F793 57 push edi
0040F794 50 push eax
0040F795 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F79B 8B45 E0 mov eax,dword ptr ss: ; the disk-derived Hard Code "1685649705149705666666666666665337
0040F79E 8D4D C8 lea ecx,dword ptr ss: ; 1299410299411333333333333330"
0040F7A1 6A 1E push 1E ; constant 0x1E (30)
0040F7A3 8D55 B8 lea edx,dword ptr ss:
0040F7A6 51 push ecx
0040F7A7 52 push edx
0040F7A8 C745 E0 0000000>mov dword ptr ss:,0
0040F7AF 8945 D0 mov dword ptr ss:,eax
0040F7B2 C745 C8 0800000>mov dword ptr ss:,8
0040F7B9 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.rtcRightCharVar>>; take the rightmost 30 characters of the string
0040F7BF 8D7E 44 lea edi,dword ptr ds: ; giving the string "371299410299411333333333333330"
0040F7C2 8D55 B8 lea edx,dword ptr ss:
0040F7C5 8BCF mov ecx,edi
0040F7C7 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0040F7CD 8D4D D8 lea ecx,dword ptr ss:
0040F7D0 FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040F7D6 8D45 B8 lea eax,dword ptr ss:
0040F7D9 8D4D C8 lea ecx,dword ptr ss:
0040F7DC 50 push eax
0040F7DD 51 push ecx
0040F7DE 6A 02 push 2
0040F7E0 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>;
0040F7E6 83C4 0C add esp,0C
0040F7E9 57 push edi
0040F7EA FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
0040F7F0 8B3D C4114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
0040F7F6 8BD0 mov edx,eax
0040F7F8 8D4D DC lea ecx,dword ptr ss:
0040F7FB FFD7 call edi
0040F7FD 53 push ebx
0040F7FE FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
0040F804 8BD0 mov edx,eax
0040F806 8D4D E0 lea ecx,dword ptr ss:
0040F809 FFD7 call edi
0040F80B 8B16 mov edx,dword ptr ds:
0040F80D 8D45 C8 lea eax,dword ptr ss:
0040F810 50 push eax
0040F811 8D4D DC lea ecx,dword ptr ss:
0040F814 8D45 E0 lea eax,dword ptr ss:
0040F817 51 push ecx
0040F818 50 push eax
0040F819 56 push esi
0040F81A FF92 00070000 call dword ptr ds: ; the same key CALL, now operating on the two strings above
0040F820 85C0 test eax,eax ; giving the string "1021004560005078000000000000459"
0040F822 7D 12 jge short CrackMe0.0040F836
0040F824 68 00070000 push 700
0040F829 68 C43B4000 push CrackMe0.00403BC4
0040F82E 56 push esi
0040F82F 50 push eax
0040F830 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F836 8D5E 54 lea ebx,dword ptr ds:
0040F839 8D55 C8 lea edx,dword ptr ss:
0040F83C 8BCB mov ecx,ebx
0040F83E FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0040F844 8D4D DC lea ecx,dword ptr ss:
0040F847 8D55 E0 lea edx,dword ptr ss:
0040F84A 51 push ecx
0040F84B 52 push edx
0040F84C 6A 02 push 2
0040F84E FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>;
0040F854 83C4 0C add esp,0C
0040F857 8D4D C8 lea ecx,dword ptr ss:
0040F85A FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
0040F860 66:8B86 8200000>mov ax,word ptr ds: ; ax=0x300 (768), ds:=0x400 (1024)
0040F867 66:0386 8000000>add ax,word ptr ds: ; ax=ax+ds:=0x300+0x400=0x700
0040F86E 0F80 42040000 jo CrackMe0.0040FCB6
0040F874 50 push eax ; eax=0x700 (1792)
0040F875 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; convert the integer to the string "1792", 1792-->"1792"
0040F87B 8BD0 mov edx,eax
0040F87D 8D4D E4 lea ecx,dword ptr ss:
0040F880 FFD7 call edi
0040F882 8B55 E4 mov edx,dword ptr ss:
0040F885 8D4D DC lea ecx,dword ptr ss:
0040F888 FF15 74114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]
0040F88E 53 push ebx
0040F88F FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
0040F895 8BD0 mov edx,eax
0040F897 8D4D E0 lea ecx,dword ptr ss:
0040F89A FFD7 call edi
0040F89C 8B0E mov ecx,dword ptr ds:
0040F89E 8D55 C8 lea edx,dword ptr ss:
0040F8A1 52 push edx
0040F8A2 8D45 DC lea eax,dword ptr ss:
0040F8A5 8D55 E0 lea edx,dword ptr ss:
0040F8A8 50 push eax
0040F8A9 52 push edx
0040F8AA 56 push esi
0040F8AB FF91 00070000 call dword ptr ds: ; the same key CALL, now operating on the two strings above
0040F8B1 85C0 test eax,eax ; giving the string "1021004560005078000000000000459"
0040F8B3 7D 12 jge short CrackMe0.0040F8C7
0040F8B5 68 00070000 push 700
0040F8BA 68 C43B4000 push CrackMe0.00403BC4
0040F8BF 56 push esi
0040F8C0 50 push eax
0040F8C1 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F8C7 8D45 C8 lea eax,dword ptr ss:
0040F8CA 50 push eax
0040F8CB FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
0040F8D1 8BD0 mov edx,eax ; the true code "1021004560005078000000000000459"
0040F8D3 8D4D E4 lea ecx,dword ptr ss:
0040F8D6 FFD7 call edi
0040F8D8 8D4D DC lea ecx,dword ptr ss:
0040F8DB 8D55 E0 lea edx,dword ptr ss:
0040F8DE 51 push ecx
0040F8DF 52 push edx
0040F8E0 6A 02 push 2
0040F8E2 FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
0040F8E8 83C4 0C add esp,0C
0040F8EB 8D4D C8 lea ecx,dword ptr ss:
0040F8EE FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
0040F8F4 8B45 E4 mov eax,dword ptr ss:
0040F8F7 50 push eax
0040F8F8 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; get the length of the true code, EAX=0x1F (31)
0040F8FE 8BC8 mov ecx,eax
0040F900 FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
0040F906 8B1D 90114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>
0040F90C 66:8946 68 mov word ptr ds:,ax
0040F910 B8 01000000 mov eax,1
0040F915 66:3946 68 cmp word ptr ds:,ax
0040F919 0F8C 10010000 jl CrackMe0.0040FA2F
0040F91F 8B0E mov ecx,dword ptr ds:
0040F921 56 push esi
0040F922 FF91 04030000 call dword ptr ds:
0040F928 8D55 D8 lea edx,dword ptr ss:
0040F92B 50 push eax
0040F92C 52 push edx
0040F92D FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F933 8BF8 mov edi,eax
0040F935 8D4D E0 lea ecx,dword ptr ss:
0040F938 51 push ecx
0040F939 57 push edi
0040F93A 8B07 mov eax,dword ptr ds:
0040F93C FF90 A0000000 call dword ptr ds:
0040F942 85C0 test eax,eax
0040F944 DBE2 fclex
0040F946 7D 12 jge short CrackMe0.0040F95A
0040F948 68 A0000000 push 0A0
0040F94D 68 743E4000 push CrackMe0.00403E74
0040F952 57 push edi
0040F953 50 push eax
0040F954 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F95A 8B45 E0 mov eax,dword ptr ss: ; the fake code "9876543210"
0040F95D 8B3D AC104000 mov edi,dword ptr ds:[<&MSVBVM60.rtcMidCharVar>
0040F963 8945 D0 mov dword ptr ss:,eax
0040F966 8D55 B8 lea edx,dword ptr ss:
0040F969 0FBF46 68 movsx eax,word ptr ds:
0040F96D 52 push edx
0040F96E 8D4D C8 lea ecx,dword ptr ss:
0040F971 50 push eax
0040F972 8D55 A8 lea edx,dword ptr ss:
0040F975 51 push ecx
0040F976 52 push edx
0040F977 C745 C0 0100000>mov dword ptr ss:,1
0040F97E C745 B8 0200000>mov dword ptr ss:,2
0040F985 C745 E0 0000000>mov dword ptr ss:,0
0040F98C C745 C8 0800000>mov dword ptr ss:,8
0040F993 FFD7 call edi ; rtcMidCharVar, loop taking each character of the fake code
0040F995 0FBF56 68 movsx edx,word ptr ds:
0040F999 8D45 E4 lea eax,dword ptr ss:
0040F99C 8D4D 98 lea ecx,dword ptr ss:
0040F99F 8985 60FFFFFF mov dword ptr ss:,eax
0040F9A5 51 push ecx
0040F9A6 8D85 58FFFFFF lea eax,dword ptr ss:
0040F9AC 52 push edx
0040F9AD 8D4D 88 lea ecx,dword ptr ss:
0040F9B0 50 push eax
0040F9B1 51 push ecx
0040F9B2 C745 A0 0100000>mov dword ptr ss:,1
0040F9B9 C745 98 0200000>mov dword ptr ss:,2
0040F9C0 C785 58FFFFFF 0>mov dword ptr ss:,4008
0040F9CA FFD7 call edi ; rtcMidCharVar, loop taking each character of the true code
0040F9CC 8D55 A8 lea edx,dword ptr ss:
0040F9CF 8D45 88 lea eax,dword ptr ss:
0040F9D2 52 push edx
0040F9D3 50 push eax
0040F9D4 FFD3 call ebx ; __vbaVarTstNe, compare the true and fake codes character by character
0040F9D6 8D4D D8 lea ecx,dword ptr ss:
0040F9D9 8BF8 mov edi,eax
0040F9DB FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040F9E1 8D4D 88 lea ecx,dword ptr ss:
0040F9E4 8D55 A8 lea edx,dword ptr ss:
0040F9E7 51 push ecx
0040F9E8 8D45 98 lea eax,dword ptr ss:
0040F9EB 52 push edx
0040F9EC 8D4D B8 lea ecx,dword ptr ss:
0040F9EF 50 push eax
0040F9F0 8D55 C8 lea edx,dword ptr ss:
0040F9F3 51 push ecx
0040F9F4 52 push edx
0040F9F5 6A 05 push 5
0040F9F7 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0040F9FD 83C4 18 add esp,18
0040FA00 66:85FF test di,di
0040FA03 75 11 jnz short CrackMe0.0040FA16
0040FA05 66:8B45 E8 mov ax,word ptr ss:
0040FA09 66:05 0100 add ax,1
0040FA0D 0F80 A3020000 jo CrackMe0.0040FCB6
0040FA13 8945 E8 mov dword ptr ss:,eax
0040FA16 66:8B4E 68 mov cx,word ptr ds:
0040FA1A 83C8 FF or eax,FFFFFFFF
0040FA1D 66:03C8 add cx,ax
0040FA20 0F80 90020000 jo CrackMe0.0040FCB6
0040FA26 66:894E 68 mov word ptr ds:,cx
0040FA2A ^ E9 E1FEFFFF jmp CrackMe0.0040F910
0040FA2F 8B55 E4 mov edx,dword ptr ss:
0040FA32 52 push edx
0040FA33 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]
0040FA39 8BC8 mov ecx,eax
0040FA3B FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
0040FA41 8B4D E8 mov ecx,dword ptr ss:
0040FA44 66:3BC8 cmp cx,ax
0040FA47 0F85 21010000 jnz CrackMe0.0040FB6E ; patch point 1, NOP it out
0040FA4D 8B06 mov eax,dword ptr ds:
0040FA4F 56 push esi
0040FA50 FF90 08030000 call dword ptr ds:
0040FA56 8B1D 8C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040FA5C 8D4D D8 lea ecx,dword ptr ss:
0040FA5F 50 push eax
0040FA60 51 push ecx
0040FA61 FFD3 call ebx
0040FA63 8BF8 mov edi,eax
0040FA65 68 883E4000 push CrackMe0.00403E88 ; UNICODE "^OK^"
0040FA6A 57 push edi
0040FA6B 8B17 mov edx,dword ptr ds:
0040FA6D FF52 54 call dword ptr ds:
0040FA70 85C0 test eax,eax
0040FA72 DBE2 fclex
0040FA74 7D 0F jge short CrackMe0.0040FA85
.......................................................
some code omitted
.......................................................
0040FB99 A1 38E04100 mov eax,dword ptr ds:
0040FB9E 85C0 test eax,eax
0040FBA0 75 10 jnz short CrackMe0.0040FBB2 ; patch point 2, NOP it out
5. The screen resolution question. Find where the values at addresses ds: and ds: in the mov ax,word ptr ds: at 0040F860 come from.
Since ds:=0015C06A, Ctrl+F2 to reload the program, F9 to run,
type D 0015C06A on the command bar, then set a memory-write breakpoint at 0015C06A, switch to the program window, and it breaks:
00410EEB 66:8982 8200000>mov word ptr ds:,ax ; breaks here
00410EF2 8D45 E4 lea eax,dword ptr ss:
00410EF5 50 push eax
00410EF6 51 push ecx
Search upwards to 00410CC0 and set a breakpoint there with F2, Ctrl+F2 to reload the program, F9 to run, and it breaks:
00410CC0 55 push ebp
00410CC1 8BEC mov ebp,esp
.......................................................
some code omitted
.......................................................
00410D93 8B35 08E54100 mov esi,dword ptr ds:
00410D99 8D45 E4 lea eax,dword ptr ss:
00410D9C 50 push eax
00410D9D 56 push esi
00410D9E 8B16 mov edx,dword ptr ds:
00410DA0 FF52 18 call dword ptr ds: ; key CALL-1, F7 to step into
00410DA3 3BC3 cmp eax,ebx
00410DA5 DBE2 fclex
00410DA7 7D 0B jge short CrackMe0.00410DB4
00410DA9 6A 18 push 18
00410DAB 68 50404000 push CrackMe0.00404050
00410DB0 56 push esi
00410DB1 50 push eax
00410DB2 FFD7 call edi
00410DB4 8B45 E4 mov eax,dword ptr ss:
00410DB7 8D55 DC lea edx,dword ptr ss:
00410DBA 52 push edx
00410DBB 50 push eax
00410DBC 8B08 mov ecx,dword ptr ds:
00410DBE 8BF0 mov esi,eax
00410DC0 FF91 80000000 call dword ptr ds:
00410DC6 3BC3 cmp eax,ebx
00410DC8 DBE2 fclex
00410DCA 7D 0E jge short CrackMe0.00410DDA
00410DCC 68 80000000 push 80
00410DD1 68 70404000 push CrackMe0.00404070
00410DD6 56 push esi
00410DD7 50 push eax
00410DD8 FFD7 call edi
00410DDA D945 DC fld dword ptr ss: ; load float, ss:=15.00000
00410DDD 8B1D B4114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFpI4>]
00410DE3 FFD3 call ebx ; 15.00000 converted to long integer 0xF
00410DE5 D945 E0 fld dword ptr ss: ; load float, ss:=15360.00
00410DE8 8BF0 mov esi,eax ; ESI=EAX=0xF
00410DEA FFD3 call ebx ; 15360.00 converted to long integer 0x3C00, EAX=0x3C00
00410DEC 99 cdq
00410DED F7FE idiv esi ; EAX/ESI, quotient to EAX, remainder to EDX
00410DEF 8BC8 mov ecx,eax ; EAX=0x400; VB's default unit is the twip, converted here to pixels
00410DF1 FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
00410DF7 8B4D 08 mov ecx,dword ptr ss:
00410DFA 8D55 E4 lea edx,dword ptr ss:
00410DFD 52 push edx
00410DFE 66:8981 8000000>mov word ptr ds:,ax ; AX=0x400 saved at address ds:
00410E05 8D45 E8 lea eax,dword ptr ss:
00410E08 50 push eax
.......................................................
(some code omitted)
.......................................................
00410EC0 68 88000000 push 88
00410EC5 68 70404000 push CrackMe0.00404070
00410ECA 56 push esi
00410ECB 50 push eax
00410ECC FFD7 call edi
00410ECE D945 DC fld dword ptr ss: ; load float, ss:=15.00000
00410ED1 FFD3 call ebx ; 15.00000 converted to long integer 0xF
00410ED3 D945 E0 fld dword ptr ss: ; load float, ss:=11520.00
00410ED6 8BF0 mov esi,eax
00410ED8 FFD3 call ebx ; 11520.00 converted to long integer 0x2D00, EAX=0x2D00
00410EDA 99 cdq
00410EDB F7FE idiv esi ; EAX/ESI, quotient to EAX, remainder to EDX
00410EDD 8BC8 mov ecx,eax ; ECX=EAX=0x300
00410EDF FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00410EE5 8B55 08 mov edx,dword ptr ss:
00410EE8 8D4D E8 lea ecx,dword ptr ss:
00410EEB 66:8982 8200000>mov word ptr ds:,ax ; AX=0x300 saved at address ds:
00410EF2 8D45 E4 lea eax,dword ptr ss:
00410EF5 50 push eax
00410EF6 51 push ecx
Step into key CALL-1 at 00410DA0 and arrive at:
660C8643 8B4C24 04 mov ecx,dword ptr ss:
660C8647 E8 D4FEFFFF call MSVBVM60.660C8520 ; key CALL-2, step into with F7
660C864C 8B4C24 08 mov ecx,dword ptr ss:
660C8650 50 push eax
660C8651 8901 mov dword ptr ds:,eax
660C8653 8B08 mov ecx,dword ptr ds:
Step into key CALL-2 at 660C8647 and arrive at:
660C8520 55 push ebp
660C8521 8BEC mov ebp,esp
660C8523 51 push ecx
660C8524 8379 40 00 cmp dword ptr ds:,0
660C8528 56 push esi
660C8529 8D71 40 lea esi,dword ptr ds:
660C852C 75 2F jnz short MSVBVM60.660C855D
660C852E 6A 01 push 1
660C8530 6A FF push -1
660C8532 6A 02 push 2
660C8534 8D45 FE lea eax,dword ptr ss:
660C8537 6A 00 push 0
660C8539 50 push eax
660C853A 68 201B0166 push MSVBVM60.66011B20 ; ASCII "Screen", the screen resolution
660C853F 8065 FF 00 and byte ptr ss:,0
660C8543 FF71 0C push dword ptr ds:
660C8546 C645 FE 0E mov byte ptr ss:,0E
660C854A 56 push esi
660C854B FF71 34 push dword ptr ds:
660C854E E8 0C1FF9FF call MSVBVM60.6605A45F
660C8553 85C0 test eax,eax
660C8555 74 06 je short MSVBVM60.660C855D
660C8557 50 push eax
660C8558 E8 4198F8FF call MSVBVM60.66051D9E
660C855D 8B06 mov eax,dword ptr ds:
660C855F 5E pop esi
660C8560 C9 leave
660C8561 C3 retn
-----------------------------------------------------------------------------------------------
【Cracking Summary】
1. Take the volume serial of the drive the system is installed on and remove the "-" in the middle, giving string st1.
2. Loop over every character of st1 and take the decimal form of its ASCII value, forming a new string st2.
3. Append 6s to st2 until it is 0x1E (30) digits long, forming a new string st3.
4. A built-in 0x1E (30)-digit string "99999……", recorded as string st4.
5. Add the numeric values of st3 and st4, forming a new string st5, which is the front half of the Hard Code.
6. Multiply the numeric value of st5 by 2, forming a new string st6, which is the back half of the Hard Code.
7. Starting at the 5th character of the Hard Code, take 0x1E (30) characters, recorded as string st7.
8. Take the rightmost 0x1E (30) characters of the Hard Code, recorded as string st8.
9. Add the numeric values of st7 and st8, then add the two screen resolution values (in pixels); the result is the serial.
A working key pair:
Hard Code:16856497051497056666666666666653371299410299411333333333333330
Serial:1021004560005078000000000000459
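The nine summary steps and the twip-to-pixel conversion seen at 00410DE3-00410DEF, written out in Python as an added example (this is not the VB keygen from the post, and the function names are mine). It assumes the volume serial "D81F-31F8" from the write-up and a 1024x768 screen, which is what the twip values 15360.00 and 11520.00 in the listing correspond to; with those inputs it reproduces the key pair quoted above.

```python
from typing import Tuple


def hard_code_from_volume_serial(volume_serial: str) -> str:
    """Summary steps 1-6: build the Hard Code from the system drive's volume serial."""
    st1 = volume_serial.replace("-", "")          # step 1: drop the "-" -> "D81F31F8"
    st2 = "".join(str(ord(ch)) for ch in st1)     # step 2: decimal ASCII code of each char
    st3 = st2.ljust(30, "6")                      # step 3: pad with '6' up to 30 digits
    st4 = "9" * 30                                # step 4: thirty 9s
    st5 = str(int(st3) + int(st4))                # step 5: front half of the Hard Code
    st6 = str(int(st5) * 2)                       # step 6: back half = st5 * 2
    return st5 + st6


def twips_to_pixels(twips: float, twips_per_pixel: float = 15.0) -> int:
    """Mirror the __vbaFpI4 + idiv sequence in the listing: both operands are
    truncated to integers first, then divided (0x3C00 / 0xF = 0x400 = 1024)."""
    return int(twips) // int(twips_per_pixel)


def serial_from_hard_code(hard_code: str, width_px: int, height_px: int) -> str:
    """Summary steps 7-9: st7 + st8 + width + height, all as decimal numbers."""
    st7 = hard_code[4:34]                         # step 7: 30 chars from position 5 (1-based)
    st8 = hard_code[-30:]                         # step 8: rightmost 30 chars
    return str(int(st7) + int(st8) + width_px + height_px)   # step 9


def keygen(volume_serial: str, width_twips: float, height_twips: float) -> Tuple[str, str]:
    """Full chain: volume serial + Screen.Width/Height (in twips) -> (Hard Code, Serial)."""
    hard = hard_code_from_volume_serial(volume_serial)
    width_px = twips_to_pixels(width_twips)
    height_px = twips_to_pixels(height_twips)
    return hard, serial_from_hard_code(hard, width_px, height_px)


if __name__ == "__main__":
    # Constructed inputs: the volume serial from the write-up and 1024x768 expressed in twips
    print(keygen("D81F-31F8", 15360.0, 11520.0))
```

Python's arbitrary-precision integers replace the digit-by-digit addition loops of the VB keygen; the carry handling those loops implement by hand is exactly what int() + int() does here.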
Patch the following locations:
0040FA47 jnz CrackMe0.0040FB6E ; jnz====>NOP
0040FBA0 jnz short CrackMe0.0040FBB2 ; jnz====>NOP
Memory keygen:
Break address: 0040F8D3
Break count: 1
First byte: 8D
Instruction length: 3
Memory mode ---> Register: EDX, and tick "Wide string"
【VB Keygen Source】
Private Sub Generate_Click()
    Dim HardCode As String
    Dim Serial As String
    Dim str1 As String      ' st7: 30 characters of the Hard Code starting at position 5
    Dim str2 As String      ' st8: rightmost 30 characters of the Hard Code
    Dim str3 As String      ' st7 + st8, added digit by digit
    Dim str4 As String      ' width + height in pixels, zero-padded to the length of str3
    Dim i As Integer
    Dim length As Integer
    Dim Number As Integer   ' sum of the current digit pair
    Dim Number1 As Integer
    Dim Number2 As Integer
    Dim Number3 As Integer  ' carry
    Dim ResWidth As Integer
    Dim ResHeight As Integer
    Dim ResPixel As Integer

    HardCode = Text1.Text
    Number3 = 0
    str1 = Mid(HardCode, 5, 30)
    str2 = Right(HardCode, 30)
    ' Add str1 and str2 as decimal strings, least significant digit first
    For i = 1 To 30
        Number1 = Val(Mid(str1, 30 - i + 1, 1))
        Number2 = Val(Mid(str2, 30 - i + 1, 1))
        Number = Number1 + Number2 + Number3
        If (Number > 9) Then
            Number = Number - 10
            Number3 = 1
        Else
            Number3 = 0
        End If
        str3 = Number & str3
    Next i
    If (Number3 = 1) Then str3 = Number3 & str3   ' final carry
    Number3 = 0
    length = Len(str3)
    ' Screen.Width/Height are in twips; dividing by twips-per-pixel (15) gives pixels
    ResWidth = Screen.Width \ Screen.TwipsPerPixelX
    ResHeight = Screen.Height \ Screen.TwipsPerPixelY
    ResPixel = ResWidth + ResHeight
    str4 = CStr(ResPixel)
    ' Left-pad the resolution sum with zeros so both strings have the same length
    For i = 1 To length - Len(str4)
        str4 = "0" & str4
    Next i
    ' Add str3 and the padded resolution sum, again digit by digit
    For i = 1 To length
        Number1 = Val(Mid(str3, length - i + 1, 1))
        Number2 = Val(Mid(str4, length - i + 1, 1))
        Number = Number1 + Number2 + Number3
        If (Number > 9) Then
            Number = Number - 10
            Number3 = 1
        Else
            Number3 = 0
        End If
        Serial = Number & Serial
    Next i
    If (Number3 = 1) Then Serial = Number3 & Serial   ' final carry
    Text2.Text = Serial
End Sub
-----------------------------------------------------------------------------------------------
【Copyright】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by hrbx on 2006-3-29 04:22 ]

Nice analysis, brother; I suggest analysing it more deeply~~
Try setting the resolution to 800*600 and then test the keygen~~

Thanks for the tip, admin!
Two of the parameters used are the screen resolution values; changed!

Originally posted by hrbx on 2006-3-27 08:18
    Thanks for the tip, admin!
    Two of the parameters used are the screen resolution values; changed!
Polish it a bit more and it will be a featured post~~
I presume your system is installed on drive C? Smart as you are, you have surely figured it out.

Thanks again for the pointer!
I'm not sure what "polish it a bit more" refers to:
the program analysis, or a mistake in the keygen?
My system is indeed installed on drive C; is that related?
Take the volume serial of the drive the system is on, rather than necessarily drive C?

Originally posted by hrbx on 2006-3-28 04:41
    Thanks again for the pointer!
    I'm not sure what "polish it a bit more" refers to:
    the program analysis, or a mistake in the keygen?
    My system is indeed installed on drive C; is that related?
    Take the volume serial of the drive the system is on, rather than necessarily drive C?
Exactly!

Got it!
Thanks again for the pointer!