lhl-crackme: simple algorithm analysis + VB keygen source
[Title] lhl-crackme: simple algorithm analysis + VB keygen source
[Author] hrbx
[Homepage] hrbx.ys168.com
[E-mail] [email protected]
[Platform] WinXP
[Tools] flyOD1.10, PEiD
[Date] 2006-05-21
[Target] lhl-crackme
[Size] 28.0KB
[Download] see attachment
[Packer] none
[Description] lhl-crackme
-----------------------------------------------------------------------------------------------
[Note] I'm just a newbie; I picked up a few things along the way and want to share them :)
-----------------------------------------------------------------------------------------------
[Procedure]
1. Check for a packer. Scanning the program with PEiD reports "Microsoft Visual Basic 5.0 / 6.0": not packed.
2. Trial run. Enter a registration code; once it is 7 or more characters long a "通过第一关" (passed stage 1) message box appears, but the "确定" (OK) button stays greyed out.
3. Trace the algorithm. Load the CrackMe in OD, set a "Point H" breakpoint with OD's ApiBreak plugin, and paste the registration data in:
===================
Registration code: 9876543210
===================
It breaks immediately:
77D29303     F3:A5           rep movs dword ptr es:[edi],dword ptr ds:[esi]   ; breaks here
77D29305     8BC8            mov ecx,eax
77D29307     83E1 03         and ecx,3
77D2930A     F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi]
77D2930C     E8 04F9FFFF     call USER32.77D28C15
77D29311     5F              pop edi
77D29312     5E              pop esi
After the break, remove the breakpoint and step with F8 until you return to the program's own code:
004032AD  .  FF91 A0000000   call dword ptr ds:[ecx+A0]
004032B3  .  3BC6            cmp eax,esi                                  ; returns here
004032B5  .  DBE2            fclex
004032B7  .  7D 12           jge short lhl-crac.004032CB
Scroll up to 004031A0, set a breakpoint there with F2, run with F9 and enter the registration data again; on the break we land at:
004031A0  >  55              push ebp                                     ; F2 breakpoint here; after the break, step down with F8
004031A1  .  8BEC            mov ebp,esp
004031A3  .  83EC 0C         sub esp,0C
.......................................................
(code omitted)
.......................................................
004032AA  .  57              push edi
004032AB  .  8B0F            mov ecx,dword ptr ds:[edi]
004032AD  .  FF91 A0000000   call dword ptr ds:[ecx+A0]
004032B3  .  3BC6            cmp eax,esi                                  ; returns here
004032B5  .  DBE2            fclex
004032B7  .  7D 12           jge short lhl-crac.004032CB
004032B9  .  68 A0000000     push 0A0
004032BE  .  68 D8254000     push lhl-crac.004025D8
004032C3  .  57              push edi
004032C4  .  50              push eax
004032C5  .  FF15 34104000   call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>]
004032CB  >  8B45 A8         mov eax,dword ptr ss:[ebp-58]                ; fake code "9876543210"
004032CE  .  50              push eax
004032CF  .  FF15 18104000   call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; length of the code, EAX=A
004032D5  .  8B3D 0C104000   mov edi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004032DB  .  8D95 A4FEFFFF   lea edx,dword ptr ss:[ebp-15C]
004032E1  .  8D4D DC         lea ecx,dword ptr ss:[ebp-24]
004032E4  .  8985 ACFEFFFF   mov dword ptr ss:[ebp-154],eax                ; save the code length
004032EA  .  C785 A4FEFFFF 03000000  mov dword ptr ss:[ebp-15C],3
004032F4  .  FFD7            call edi
004032F6  .  8D4D A8         lea ecx,dword ptr ss:[ebp-58]
004032F9  .  FF15 EC104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004032FF  .  8D4D 94         lea ecx,dword ptr ss:[ebp-6C]
00403302  .  FF15 F0104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00403308  .  8D4D DC         lea ecx,dword ptr ss:[ebp-24]
0040330B  .  8D95 A4FEFFFF   lea edx,dword ptr ss:[ebp-15C]
00403311  .  51              push ecx
00403312  .  52              push edx
00403313  .  C785 ACFEFFFF 07000000  mov dword ptr ss:[ebp-154],7         ; constant 7
0040331D  .  C785 A4FEFFFF 02800000  mov dword ptr ss:[ebp-15C],8002
00403327  .  FF15 CC104000   call dword ptr ds:[<&MSVBVM60.__vbaVarTstGe>] ; is the code length >= 7?
0040332D  .  66:85C0         test ax,ax
00403330  .  8B03            mov eax,dword ptr ds:[ebx]
00403332  .  53              push ebx
00403333  .  0F84 70090000   je lhl-crac.00403CA9                         ; code too short -> game over; patch point 1, NOP it
00403339  .  FF90 00030000   call dword ptr ds:[eax+300]
0040333F  .  8D4D 94         lea ecx,dword ptr ss:[ebp-6C]
00403342  .  50              push eax
00403343  .  51              push ecx
00403344  .  FF15 40104000   call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040334A  .  8B10            mov edx,dword ptr ds:[eax]
0040334C  .  8D4D A8         lea ecx,dword ptr ss:[ebp-58]
0040334F  .  51              push ecx
00403350  .  50              push eax
00403351  .  8985 10FEFFFF   mov dword ptr ss:[ebp-1F0],eax
00403357  .  FF92 A0000000   call dword ptr ds:[edx+A0]
0040335D  .  3BC6            cmp eax,esi
0040335F  .  DBE2            fclex
00403361  .  7D 18           jge short lhl-crac.0040337B
00403363  .  8B95 10FEFFFF   mov edx,dword ptr ss:[ebp-1F0]
00403369  .  68 A0000000     push 0A0
0040336E  .  68 D8254000     push lhl-crac.004025D8
00403373  .  52              push edx
00403374  .  50              push eax
00403375  .  FF15 34104000   call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>]
0040337B  >  8B45 A8         mov eax,dword ptr ss:[ebp-58]                ; fake code "9876543210"
0040337E  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
00403381  .  8D4D CC         lea ecx,dword ptr ss:[ebp-34]
00403384  .  8975 A8         mov dword ptr ss:[ebp-58],esi
00403387  .  8945 8C         mov dword ptr ss:[ebp-74],eax
0040338A  .  C745 84 08000000  mov dword ptr ss:[ebp-7C],8
00403391  .  FFD7            call edi
00403393  .  8D4D 94         lea ecx,dword ptr ss:[ebp-6C]
00403396  .  FF15 F0104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040339C  .  8B35 94104000   mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004033A2  .  8D45 CC         lea eax,dword ptr ss:[ebp-34]
004033A5  .  6A 07           push 7                                       ; constant 7
004033A7  .  8D4D A8         lea ecx,dword ptr ss:[ebp-58]
004033AA  .  50              push eax
004033AB  .  51              push ecx
004033AC  .  FFD6            call esi                                     ; __vbaStrVarVal, code variant -> string
004033AE  .  50              push eax                                     ; fake code "9876543210"
004033AF  .  FF15 D0104000   call dword ptr ds:[<&MSVBVM60.#616>]         ; rtcLeftCharBstr, leftmost 7 characters of the fake code
004033B5  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
004033B8  .  8D4D BC         lea ecx,dword ptr ss:[ebp-44]
004033BB  .  8945 8C         mov dword ptr ss:[ebp-74],eax                ; left 7 characters "9876543"
004033BE  .  C745 84 08000000  mov dword ptr ss:[ebp-7C],8
004033C5  .  FFD7            call edi
004033C7  .  8D4D A8         lea ecx,dword ptr ss:[ebp-58]
004033CA  .  FF15 EC104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004033D0  .  8D55 CC         lea edx,dword ptr ss:[ebp-34]
004033D3  .  6A 07           push 7                                       ; constant 7
004033D5  .  8D45 A8         lea eax,dword ptr ss:[ebp-58]
004033D8  .  52              push edx
004033D9  .  50              push eax
004033DA  .  FFD6            call esi                                     ; __vbaStrVarVal, code variant -> string
004033DC  .  50              push eax                                     ; fake code "9876543210"
004033DD  .  FF15 DC104000   call dword ptr ds:[<&MSVBVM60.#618>]         ; rtcRightCharBstr, rightmost 7 characters of the fake code
004033E3  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
004033E6  .  8D4D AC         lea ecx,dword ptr ss:[ebp-54]
004033E9  .  8945 8C         mov dword ptr ss:[ebp-74],eax                ; right 7 characters "6543210"
004033EC  .  C745 84 08000000  mov dword ptr ss:[ebp-7C],8
004033F3  .  FFD7            call edi
004033F5  .  8D4D A8         lea ecx,dword ptr ss:[ebp-58]
004033F8  .  FF15 EC104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004033FE  .  8B35 C8104000   mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMod>]
00403404  .  B8 03000000     mov eax,3
00403409  .  8D4D BC         lea ecx,dword ptr ss:[ebp-44]
0040340C  .  8985 94FEFFFF   mov dword ptr ss:[ebp-16C],eax
00403412  .  8985 34FEFFFF   mov dword ptr ss:[ebp-1CC],eax
00403418  .  8985 14FEFFFF   mov dword ptr ss:[ebp-1EC],eax
0040341E  .  8D95 A4FEFFFF   lea edx,dword ptr ss:[ebp-15C]
00403424  .  51              push ecx
00403425  .  8D45 84         lea eax,dword ptr ss:[ebp-7C]
00403428  .  BF 02000000     mov edi,2
0040342D  .  52              push edx
0040342E  .  50              push eax
0040342F  .  C785 ACFEFFFF 42000000  mov dword ptr ss:[ebp-154],42        ; constant 1: 0x42
00403439  .  89BD A4FEFFFF   mov dword ptr ss:[ebp-15C],edi
0040343F  .  C785 9CFEFFFF A0860100  mov dword ptr ss:[ebp-164],186A0     ; constant 2: 0x186A0
00403449  .  C785 8CFEFFFF 12000000  mov dword ptr ss:[ebp-174],12        ; constant 3: 0x12
00403453  .  89BD 84FEFFFF   mov dword ptr ss:[ebp-17C],edi
00403459  .  C785 7CFEFFFF E8030000  mov dword ptr ss:[ebp-184],3E8       ; constant 4: 0x3E8
00403463  .  89BD 74FEFFFF   mov dword ptr ss:[ebp-18C],edi
00403469  .  C785 6CFEFFFF 63000000  mov dword ptr ss:[ebp-194],63        ; constant 5: 0x63
00403473  .  89BD 64FEFFFF   mov dword ptr ss:[ebp-19C],edi
00403479  .  89BD 5CFEFFFF   mov dword ptr ss:[ebp-1A4],edi
0040347F  .  89BD 54FEFFFF   mov dword ptr ss:[ebp-1AC],edi
00403485  .  C785 4CFEFFFF 05000000  mov dword ptr ss:[ebp-1B4],5         ; constant 6: 0x5
0040348F  .  89BD 44FEFFFF   mov dword ptr ss:[ebp-1BC],edi
00403495  .  C785 3CFEFFFF 07000080  mov dword ptr ss:[ebp-1C4],80000007  ; constant 7: 0x80000007
0040349F  .  C785 2CFEFFFF 09000000  mov dword ptr ss:[ebp-1D4],9         ; constant 8: 0x9
004034A9  .  89BD 24FEFFFF   mov dword ptr ss:[ebp-1DC],edi
004034AF  .  C785 1CFEFFFF 220F3906  mov dword ptr ss:[ebp-1E4],6390F22   ; constant 9: 0x6390F22
004034B9  .  FFD6            call esi                                     ; left 7 characters of the code, as a number, Mod constant 1
004034BB  .  8D8D 94FEFFFF   lea ecx,dword ptr ss:[ebp-16C]               ; 0x96B43F (9876543) Mod 0x42 = 0x27
004034C1  .  50              push eax
004034C2  .  8D95 74FFFFFF   lea edx,dword ptr ss:[ebp-8C]
004034C8  .  51              push ecx
004034C9  .  52              push edx
004034CA  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]  ; Mod result times constant 2
004034D0  .  50              push eax                                     ; 0x27*0x186A0=0x3B8260
004034D1  .  8D45 BC         lea eax,dword ptr ss:[ebp-44]
004034D4  .  8D8D 84FEFFFF   lea ecx,dword ptr ss:[ebp-17C]
004034DA  .  50              push eax
004034DB  .  51              push ecx
004034DC  .  8D95 64FFFFFF   lea edx,dword ptr ss:[ebp-9C]
004034E2  .  52              push edx
004034E3  .  FFD6            call esi                                     ; left 7 characters, as a number, Mod constant 3
004034E5  .  50              push eax                                     ; 0x96B43F (9876543) Mod 0x12 = 0xF
004034E6  .  8D85 74FEFFFF   lea eax,dword ptr ss:[ebp-18C]
004034EC  .  8D8D 54FFFFFF   lea ecx,dword ptr ss:[ebp-AC]
004034F2  .  50              push eax
004034F3  .  51              push ecx
004034F4  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]  ; 2nd Mod result times constant 4
004034FA  .  8B35 C0104000   mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 0xF*0x3E8=0x3A98
00403500  .  8D95 44FFFFFF   lea edx,dword ptr ss:[ebp-BC]
00403506  .  50              push eax
00403507  .  52              push edx
00403508  .  FFD6            call esi                                     ; add the two Mod results
0040350A  .  50              push eax                                     ; 0x3B8260+0x3A98=0x3BBCF8
0040350B  .  8D45 BC         lea eax,dword ptr ss:[ebp-44]
0040350E  .  8D8D 64FEFFFF   lea ecx,dword ptr ss:[ebp-19C]
00403514  .  50              push eax
00403515  .  8D95 34FFFFFF   lea edx,dword ptr ss:[ebp-CC]
0040351B  .  51              push ecx
0040351C  .  52              push edx
0040351D  .  FF15 C8104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMod>]  ; left 7 characters, as a number, Mod constant 5
00403523  .  50              push eax                                     ; 0x96B43F (9876543) Mod 0x63 = 0x6
00403524  .  8D85 54FEFFFF   lea eax,dword ptr ss:[ebp-1AC]
0040352A  .  8D8D 24FFFFFF   lea ecx,dword ptr ss:[ebp-DC]
00403530  .  50              push eax
00403531  .  51              push ecx
00403532  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]  ; 3rd Mod result times 2
00403538  .  50              push eax                                     ; 0x6*2=0xC
00403539  .  8D95 44FEFFFF   lea edx,dword ptr ss:[ebp-1BC]
0040353F  .  8D85 14FFFFFF   lea eax,dword ptr ss:[ebp-EC]
00403545  .  52              push edx
00403546  .  50              push eax
00403547  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]  ; then times constant 6
0040354D  .  8D8D 04FFFFFF   lea ecx,dword ptr ss:[ebp-FC]                ; 0xC*5=0x3C
00403553  .  50              push eax
00403554  .  51              push ecx
00403555  .  FFD6            call esi                                     ; add the three Mod results
00403557  .  50              push eax                                     ; 0x3BBCF8+0x3C=0x3BBD34
00403558  .  8D55 BC         lea edx,dword ptr ss:[ebp-44]
0040355B  .  8D85 34FEFFFF   lea eax,dword ptr ss:[ebp-1CC]
00403561  .  52              push edx
00403562  .  8D8D F4FEFFFF   lea ecx,dword ptr ss:[ebp-10C]
00403568  .  50              push eax
00403569  .  51              push ecx
0040356A  .  FF15 74104000   call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>]  ; left 7 characters, as a number, And constant 7
00403570  .  8D95 E4FEFFFF   lea edx,dword ptr ss:[ebp-11C]               ; 0x96B43F (9876543) And 0x80000007 = 0x7
00403576  .  50              push eax
00403577  .  52              push edx
00403578  .  FFD6            call esi                                     ; And result plus the sum of the three Mod results
0040357A  .  50              push eax                                     ; 0x3BBD34+0x7=0x3BBD3B
0040357B  .  8D85 24FEFFFF   lea eax,dword ptr ss:[ebp-1DC]
00403581  .  8D8D D4FEFFFF   lea ecx,dword ptr ss:[ebp-12C]
00403587  .  50              push eax
00403588  .  51              push ecx
00403589  .  FFD6            call esi                                     ; plus constant 8
0040358B  .  50              push eax                                     ; 0x3BBD3B+0x9=0x3BBD44
0040358C  .  8D95 14FEFFFF   lea edx,dword ptr ss:[ebp-1EC]
00403592  .  8D85 C4FEFFFF   lea eax,dword ptr ss:[ebp-13C]
00403598  .  52              push edx
00403599  .  50              push eax
0040359A  .  FFD6            call esi                                     ; plus constant 9
0040359C  .  8BD0            mov edx,eax                                  ; 0x3BBD44+0x6390F22=0x674CC66
0040359E  .  8D4B 44         lea ecx,dword ptr ds:[ebx+44]                ; the sum, written in decimal, becomes a string: str1
004035A1  .  FF15 0C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; 0x674CC66 (108317798) --> "108317798"
004035A7  .  8D8D C4FEFFFF   lea ecx,dword ptr ss:[ebp-13C]
004035AD  .  8D95 D4FEFFFF   lea edx,dword ptr ss:[ebp-12C]
004035B3  .  51              push ecx
004035B4  .  8D85 E4FEFFFF   lea eax,dword ptr ss:[ebp-11C]
004035BA  .  52              push edx
004035BB  .  8D8D 04FFFFFF   lea ecx,dword ptr ss:[ebp-FC]
004035C1  .  50              push eax
004035C2  .  8D95 44FFFFFF   lea edx,dword ptr ss:[ebp-BC]
004035C8  .  51              push ecx
004035C9  .  52              push edx
004035CA  .  6A 05           push 5
004035CC  .  FF15 1C104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]
004035D2  .  83C4 18         add esp,18
004035D5  .  C785 ACFEFFFF 42000000  mov dword ptr ss:[ebp-154],42        ; constant 1: 0x42
004035DF  .  89BD A4FEFFFF   mov dword ptr ss:[ebp-15C],edi
004035E5  .  C785 9CFEFFFF A0860100  mov dword ptr ss:[ebp-164],186A0     ; constant 2: 0x186A0
004035EF  .  B8 03000000     mov eax,3
004035F4  .  8D8D A4FEFFFF   lea ecx,dword ptr ss:[ebp-15C]
004035FA  .  8985 94FEFFFF   mov dword ptr ss:[ebp-16C],eax
00403600  .  8985 34FEFFFF   mov dword ptr ss:[ebp-1CC],eax
00403606  .  8985 14FEFFFF   mov dword ptr ss:[ebp-1EC],eax
0040360C  .  8D45 BC         lea eax,dword ptr ss:[ebp-44]
0040360F  .  50              push eax
00403610  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
00403613  .  51              push ecx
00403614  .  52              push edx
00403615  .  C785 8CFEFFFF 12000000  mov dword ptr ss:[ebp-174],12        ; constant 3: 0x12
0040361F  .  89BD 84FEFFFF   mov dword ptr ss:[ebp-17C],edi
00403625  .  C785 7CFEFFFF E8030000  mov dword ptr ss:[ebp-184],3E8       ; constant 4: 0x3E8
0040362F  .  89BD 74FEFFFF   mov dword ptr ss:[ebp-18C],edi
00403635  .  C785 6CFEFFFF 63000000  mov dword ptr ss:[ebp-194],63        ; constant 5: 0x63
0040363F  .  89BD 64FEFFFF   mov dword ptr ss:[ebp-19C],edi
00403645  .  89BD 5CFEFFFF   mov dword ptr ss:[ebp-1A4],edi
0040364B  .  89BD 54FEFFFF   mov dword ptr ss:[ebp-1AC],edi
00403651  .  C785 4CFEFFFF 05000000  mov dword ptr ss:[ebp-1B4],5         ; constant 6: 0x5
0040365B  .  89BD 44FEFFFF   mov dword ptr ss:[ebp-1BC],edi
00403661  .  C785 3CFEFFFF 07000080  mov dword ptr ss:[ebp-1C4],80000007  ; constant 7: 0x80000007
0040366B  .  C785 2CFEFFFF 09000000  mov dword ptr ss:[ebp-1D4],9         ; constant 8: 0x9
00403675  .  89BD 24FEFFFF   mov dword ptr ss:[ebp-1DC],edi
0040367B  .  C785 1CFEFFFF DDFE3700  mov dword ptr ss:[ebp-1E4],37FEDD    ; constant 10: 0x37FEDD
00403685  .  FF15 C8104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMod>]  ; the computation from here on is identical to the one above except that constant 10 replaces constant 9; analysis omitted
0040368B  .  50              push eax
0040368C  .  8D85 94FEFFFF   lea eax,dword ptr ss:[ebp-16C]
00403692  .  8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-8C]
00403698  .  50              push eax
00403699  .  51              push ecx
0040369A  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]
004036A0  .  50              push eax
004036A1  .  8D55 BC         lea edx,dword ptr ss:[ebp-44]
004036A4  .  8D85 84FEFFFF   lea eax,dword ptr ss:[ebp-17C]
004036AA  .  52              push edx
004036AB  .  8D8D 64FFFFFF   lea ecx,dword ptr ss:[ebp-9C]
004036B1  .  50              push eax
004036B2  .  51              push ecx
004036B3  .  FF15 C8104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMod>]
004036B9  .  50              push eax
004036BA  .  8D95 74FEFFFF   lea edx,dword 

ptr ss:[ebp-18C]
004036C0  .  8D85 54FFFFFF   lea eax,dword ptr ss:[ebp-AC]
004036C6  .  52              push edx
004036C7  .  50              push eax
004036C8  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]
004036CE  .  8D8D 44FFFFFF   lea ecx,dword ptr ss:[ebp-BC]
004036D4  .  50              push eax
004036D5  .  51              push ecx
004036D6  .  FFD6            call esi                                     ; <&MSVBVM60.__vbaVarAdd>
004036D8  .  50              push eax
004036D9  .  8D55 BC         lea edx,dword ptr ss:[ebp-44]
004036DC  .  8D85 64FEFFFF   lea eax,dword ptr ss:[ebp-19C]
004036E2  .  52              push edx
004036E3  .  8D8D 34FFFFFF   lea ecx,dword ptr ss:[ebp-CC]
004036E9  .  50              push eax
004036EA  .  51              push ecx
004036EB  .  FF15 C8104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMod>]
004036F1  .  50              push eax
004036F2  .  8D95 54FEFFFF   lea edx,dword ptr ss:[ebp-1AC]
004036F8  .  8D85 24FFFFFF   lea eax,dword ptr ss:[ebp-DC]
004036FE  .  52              push edx
004036FF  .  50              push eax
00403700  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]
00403706  .  8D8D 44FEFFFF   lea ecx,dword ptr ss:[ebp-1BC]
0040370C  .  50              push eax
0040370D  .  8D95 14FFFFFF   lea edx,dword ptr ss:[ebp-EC]
00403713  .  51              push ecx
00403714  .  52              push edx
00403715  .  FF15 7C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]
0040371B  .  50              push eax
0040371C  .  8D85 04FFFFFF   lea eax,dword ptr ss:[ebp-FC]
00403722  .  50              push eax
00403723  .  FFD6            call esi                                     ; <&MSVBVM60.__vbaVarAdd>
00403725  .  8D4D BC         lea ecx,dword ptr ss:[ebp-44]
00403728  .  50              push eax
00403729  .  8D95 34FEFFFF   lea edx,dword ptr ss:[ebp-1CC]
0040372F  .  51              push ecx
00403730  .  8D85 F4FEFFFF   lea eax,dword ptr ss:[ebp-10C]
00403736  .  52              push edx
00403737  .  50              push eax
00403738  .  FF15 74104000   call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>]
0040373E  .  8D8D E4FEFFFF   lea ecx,dword ptr ss:[ebp-11C]
00403744  .  50              push eax
00403745  .  51              push ecx
00403746  .  FFD6            call esi                                     ; <&MSVBVM60.__vbaVarAdd>
00403748  .  50              push eax
00403749  .  8D95 24FEFFFF   lea edx,dword ptr ss:[ebp-1DC]
0040374F  .  8D85 D4FEFFFF   lea eax,dword ptr ss:[ebp-12C]
00403755  .  52              push edx
00403756  .  50              push eax
00403757  .  FFD6            call esi                                     ; <&MSVBVM60.__vbaVarAdd>
00403759  .  8D8D 14FEFFFF   lea ecx,dword ptr ss:[ebp-1EC]
0040375F  .  50              push eax
00403760  .  8D95 C4FEFFFF   lea edx,dword ptr ss:[ebp-13C]
00403766  .  51              push ecx
00403767  .  52              push edx
00403768  .  FFD6            call esi                                     ; plus constant 10
0040376A  .  50              push eax                                     ; 0x3BBD44+0x37FEDD=0x73BC21
0040376B  .  8D85 B4FEFFFF   lea eax,dword ptr ss:[ebp-14C]
00403771  .  50              push eax
00403772  .  FF15 AC104000   call dword ptr ds:[<&MSVBVM60.#573>]         ; the sum, written in hex, becomes a string: str2
00403778  .  8D4B 34         lea ecx,dword ptr ds:[ebx+34]                ; 0x73BC21 --> "73BC21"
0040377B  .  8D95 B4FEFFFF   lea edx,dword ptr ss:[ebp-14C]
00403781  .  FF15 0C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00403787  .  8D8D B4FEFFFF   lea ecx,dword ptr ss:[ebp-14C]
0040378D  .  8B35 1C104000   mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]
00403793  .  8D95 C4FEFFFF   lea edx,dword ptr ss:[ebp-13C]
00403799  .  51              push ecx
0040379A  .  8D85 D4FEFFFF   lea eax,dword ptr ss:[ebp-12C]
004037A0  .  52              push edx
004037A1  .  8D8D E4FEFFFF   lea ecx,dword ptr ss:[ebp-11C]
004037A7  .  50              push eax
004037A8  .  8D95 04FFFFFF   lea edx,dword ptr ss:[ebp-FC]
004037AE  .  51              push ecx
004037AF  .  8D85 44FFFFFF   lea eax,dword ptr ss:[ebp-BC]
004037B5  .  52              push edx
004037B6  .  50              push eax
004037B7  .  6A 06           push 6
004037B9  .  FFD6            call esi
004037BB  .  83C4 1C         add esp,1C
004037BE  .  8D95 A4FEFFFF   lea edx,dword ptr ss:[ebp-15C]
004037C4  .  8D4D 84         lea ecx,dword ptr ss:[ebp-7C]
004037C7  .  C785 ACFEFFFF EC254000  mov dword ptr ss:[ebp-154],lhl-crac.004025EC ; fixed string 1: "pyg"
004037D1  .  C785 A4FEFFFF 08000000  mov dword ptr ss:[ebp-15C],8
004037DB  .  FF15 C4104000   call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
004037E1  .  8B0B            mov ecx,dword ptr ds:[ebx]
004037E3  .  8D95 74FFFFFF   lea edx,dword ptr ss:[ebp-8C]
004037E9  .  8D45 84         lea eax,dword ptr ss:[ebp-7C]
004037EC  .  52              push edx
004037ED  .  50              push eax
004037EE  .  53              push ebx
004037EF  .  FF91 FC060000   call dword ptr ds:[ecx+6FC]                  ; this CALL joins the hex ASCII value of each character of "pyg" into one string
004037F5  .  8D4B 54         lea ecx,dword ptr ds:[ebx+54]                ; 'p'->0x70, 'y'->0x79, 'g'->0x67 ==> "707967": str3
004037F8  .  8D95 74FFFFFF   lea edx,dword ptr ss:[ebp-8C]
004037FE  .  FF15 0C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00403804  .  8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-8C]
0040380A  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
0040380D  .  51              push ecx
0040380E  .  52              push edx
0040380F  .  57              push edi
00403810  .  FFD6            call esi
00403812  .  83C4 0C         add esp,0C
00403815  .  8D95 A4FEFFFF   lea edx,dword ptr ss:[ebp-15C]
0040381B  .  8D4D 84         lea ecx,dword ptr ss:[ebp-7C]
0040381E  .  C785 ACFEFFFF F8254000  mov dword ptr ss:[ebp-154],lhl-crac.004025F8 ; fixed string 2: "lhl"
00403828  .  C785 A4FEFFFF 08000000  mov dword ptr ss:[ebp-15C],8
00403832  .  FF15 C4104000   call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
00403838  .  8B03            mov eax,dword ptr ds:[ebx]
0040383A  .  8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-8C]
00403840  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
00403843  .  51              push ecx
00403844  .  52              push edx
00403845  .  53              push ebx
00403846  .  FF90 F8060000   call dword ptr ds:[eax+6F8]                  ; same as the CALL above: "lhl" ---> "108104108": str4
0040384C  .  8D4B 64         lea ecx,dword ptr ds:[ebx+64]
0040384F  .  8D95 74FFFFFF   lea edx,dword ptr ss:[ebp-8C]
00403855  .  FF15 0C104000   call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0040385B  .  8D85 74FFFFFF   lea eax,dword ptr ss:[ebp-8C]
00403861  .  8D4D 84         lea ecx,dword ptr ss:[ebp-7C]
00403864  .  50              push eax
00403865  .  51              push ecx
00403866  .  57              push edi
00403867  .  FFD6            call esi
00403869  .  83C4 0C         add esp,0C
0040386C  .  8D95 74FFFFFF   lea edx,dword ptr ss:[ebp-8C]
00403872  .  8D43 64         lea eax,dword ptr ds:[ebx+64]
00403875  .  C785 7CFFFFFF 01000000  mov dword ptr ss:[ebp-84],1
0040387F  .  52              push edx
00403880  .  6A 05           push 5                                       ; constant 5
00403882  .  50              push eax
00403883  .  8D45 A0         lea eax,dword ptr ss:[ebp-60]
00403886  .  50              push eax
00403887  .  89BD 74FFFFFF   mov dword ptr ss:[ebp-8C],edi
0040388D  .  FF15 94104000   call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
00403893  .  50              push eax                                     ; string str4 "108104108"
00403894  .  FF15 50104000   call dword ptr ds:[<&MSVBVM60.#631>]         ; rtcMidCharBstr, 5th character of str4
0040389A  .  8BD0            mov edx,eax                                  ; EAX=0x30 ('0')
0040389C  .  8D4D 98         lea ecx,dword ptr ss:[ebp-68]
0040389F  .  FF15 D8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004038A5  .  8B4D 98         mov ecx,dword ptr ss:[ebp-68]
004038A8  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
004038AB  .  52              push edx
004038AC  .  8D43 44         lea eax,dword ptr ds:[ebx+44]
004038AF  .  6A 05           push 5
004038B1  .  50              push eax
004038B2  .  8D45 A8         lea eax,dword ptr ss:[ebp-58]
004038B5  .  C745 8C 01000000  mov dword ptr ss:[ebp-74],1
004038BC  .  50              push eax
004038BD  .  897D 84         mov dword ptr ss:[ebp-7C],edi
004038C0  .  898D FCFDFFFF   mov dword ptr ss:[ebp-204],ecx
004038C6  .  C745 98 00000000  mov dword ptr ss:[ebp-68],0
004038CD  .  FF15 94104000   call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004038D3  .  50              push eax                                     ; string str1 "108317798"
004038D4  .  FF15 50104000   call dword ptr ds:[<&MSVBVM60.#631>]         ; rtcMidCharBstr, 5th character of str1
004038DA  .  8BD0            mov edx,eax                                  ; EAX=0x31 ('1')
004038DC  .  8D4D A4         lea ecx,dword ptr ss:[ebp-5C]
004038DF  .  FF15 D8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004038E5  .  50              push eax
004038E6  .  FF15 9C104000   call dword ptr ds:[<&MSVBVM60.__vbaR8Str>]   ; string to double, '1' --> 1.0
004038EC  .  8B95 FCFDFFFF   mov edx,dword ptr ss:[ebp-204]
004038F2  .  8D4D 9C         lea ecx,dword ptr ss:[ebp-64]
004038F5  .  DD9D F4FDFFFF   fstp qword ptr ss:[ebp-20C]
004038FB  .  FF15 D8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
00403901  .  50              push eax
00403902  .  FF15 9C104000   call dword ptr ds:[<&MSVBVM60.__vbaR8Str>]   ; string to double, '0' --> 0.0
00403908  .  DC9D F4FDFFFF   fcomp qword ptr ss:[ebp-20C]                 ; are the two values equal?
0040390E  .  C785 F0FDFFFF 01000000  mov dword ptr ss:[ebp-210],1
00403918  .  DFE0            fstsw ax
0040391A  .  F6C4 40         test ah,40
0040391D  .  75 0A           jnz short lhl-crac.00403929
0040391F  .  C785 F0FDFFFF 00000000  mov dword ptr ss:[ebp-210],0
00403929  >  8D4D 98         lea ecx,dword ptr ss:[ebp-68]
0040392C  .  8D55 9C         lea edx,dword ptr ss:[ebp-64]
0040392F  .  51              push ecx
00403930  .  8D45 A0         lea eax,dword ptr ss:[ebp-60]
00403933  .  52              push edx
00403934  .  8D4D A4         lea ecx,dword ptr ss:[ebp-5C]
00403937  .  50              push eax
00403938  .  8D55 A8         lea edx,dword ptr ss:[ebp-58]
0040393B  .  51              push ecx
0040393C  .  52              push edx
0040393D  .  6A 05           push 5
0040393F  .  FF15 B0104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]
00403945  .  8D85 74FFFFFF   lea eax,dword ptr ss:[ebp-8C]
0040394B  .  8D4D 84         lea ecx,dword ptr ss:[ebp-7C]
0040394E  .  50              push eax
0040394F  .  51              push ecx
00403950  .  57              push edi
00403951  .  FFD6            call esi
00403953  .  8B85 F0FDFFFF   mov eax,dword ptr ss:[ebp-210]
00403959  .  83C4 24         add esp,24
0040395C  .  F7D8            neg eax
0040395E  .  66:85C0         test ax,ax
00403961  .  0F84 6A020000   je lhl-crac.00403BD1                         ; not equal -> game over; patch point 2, NOP it
00403967  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
0040396A  .  8D43 34         lea eax,dword ptr ds:[ebx+34]
0040396D  .  52              push edx
0040396E  .  6A 05           push 5
00403970  .  50              push eax
00403971  .  8D45 A8         lea eax,dword ptr ss:[ebp-58]
00403974  .  50              push eax
00403975  .  897D 8C         mov dword ptr ss:[ebp-74],edi
00403978  .  897D 84         mov dword ptr ss:[ebp-7C],edi
0040397B  .  89BD 7CFFFFFF   mov dword ptr ss:[ebp-84],edi
00403981  .  89BD 74FFFFFF   mov dword ptr ss:[ebp-8C],edi
00403987  .  FF15 94104000   call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
0040398D  .  50              push eax                                     ; string str2 "73BC21"
0040398E  .  FF15 50104000   call dword ptr ds:[<&MSVBVM60.#631>]         ; rtcMidCharBstr, str2 from the 5th character to the end
00403994  .  8BD0            mov edx,eax                                  ; gives "21"
00403996  .  8D4D A0         lea ecx,dword ptr ss:[ebp-60]
00403999  .  FF15 D8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
0040399F  .  8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-8C]
004039A5  .  50              push eax
004039A6  .  51              push ecx
004039A7  .  8D43 54         lea eax,dword ptr ds:[ebx+54]
004039AA  .  6A 05           push 5
004039AC  .  8D55 A4         lea edx,dword ptr ss:[ebp-5C]
004039AF  .  50              push eax
004039B0  .  52              push edx
004039B1  .  FF15 94104000   call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004039B7  .  50              push eax                                     ; string str3 "707967"
004039B8  .  FF15 50104000   call dword ptr ds:[<&MSVBVM60.#631>]         ; rtcMidCharBstr, str3 from the 5th character to the end
004039BE  .  8BD0            mov edx,eax                                  ; gives "67"
004039C0  .  8D4D 9C         lea ecx,dword ptr ss:[ebp-64]
004039C3  .  FF15 D8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004039C9  .  50              push eax
004039CA  .  FF15 5C104000   call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>]  ; are the two extracted strings equal?
004039D0  .  F7D8            neg eax
004039D2  .  1BC0            sbb eax,eax
004039D4  .  8D4D A0         lea ecx,dword ptr ss:[ebp-60]
004039D7  .  40              inc eax
004039D8  .  8D55 A4         lea edx,dword ptr ss:[ebp-5C]
004039DB  .  F7D8            neg eax
004039DD  .  66:8985 10FEFFFF  mov word ptr ss:[ebp-1F0],ax
004039E4  .  8D45 9C         lea eax,dword ptr ss:[ebp-64]
004039E7  .  50              push eax
004039E8  .  51              push ecx
004039E9  .  8D45 A8         lea eax,dword ptr ss:[ebp-58]
004039EC  .  52              push edx
004039ED  .  50              push eax
004039EE  .  6A 04           push 4
004039F0  .  FF15 B0104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]
004039F6  .  8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-8C]
004039FC  .  8D55 84         lea edx,dword ptr ss:[ebp-7C]
004039FF  .  51              push ecx
00403A00  .  52              push edx
00403A01  .  57              push edi
00403A02  .  FFD6            call esi
00403A04  .  83C4 20         add esp,20
00403A07  .  66:83BD 10FEFFFF 00  cmp word ptr ss:[ebp-1F0],0
00403A0F  .  0F84 DB000000   je lhl-crac.00403AF0                         ; not equal -> game over; patch point 3, NOP it
00403A15  .  8B03            mov eax,dword ptr ds:[ebx]
00403A17  .  53              push ebx
00403A18  .  FF90 FC020000   call dword ptr ds:[eax+2FC]
00403A1E  .  8D4D 94         lea ecx,dword ptr ss:[ebp-6C]
00403A21  .  50              push eax
00403A22  .  51              push ecx
00403A23  .  FF15 40104000   call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
00403A29  .  8BF8            mov edi,eax
00403A2B  .  6A FF           push -1
00403A2D  .  57              push edi
00403A2E  .  8B17            mov edx,dword ptr ds:[edi]
00403A30  .  FF92 8C000000   call dword ptr ds:[edx+8C]
00403A36  .  85C0            test eax,eax
00403A38  .  DBE2            fclex
00403A3A  .  7D 12           jge short lhl-crac.00403A4E
00403A3C  .  68 8C000000     push 8C
00403A41  .  68 00264000     push lhl-crac.00402600
00403A46  .  57              push edi
00403A47  .  50              push eax
00403A48  .  FF15 34104000   call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>]
00403A4E  >  8D4D 94         lea ecx,dword ptr ss:[ebp-6C]
00403A51  .  FF15 F0104000   call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00403A57  .  B9 04000280     mov ecx,80020004
00403A5C  .  B8 0A000000     mov eax,0A
00403A61  .  898D 5CFFFFFF   mov dword ptr ss:[ebp-A4],ecx
00403A67  .  898D 6CFFFFFF   mov dword ptr ss:[ebp-94],ecx
00403A6D  .  898D 7CFFFFFF   mov dword ptr ss:[ebp-84],ecx
00403A73  .  8D95 A4FEFFFF   lea edx,dword ptr ss:[ebp-15C]
00403A79  .  8D4D 84         lea ecx,dword ptr ss:[ebp-7C]
00403A7C  .  8985 54FFFFFF   mov dword ptr ss:[ebp-AC],eax
00403A82  .  8985 64FFFFFF   mov dword ptr ss:[ebp-9C],eax
00403A88  .  8985 74FFFFFF   mov dword ptr ss:[ebp-8C],eax
00403A8E  .  C785 ACFEFFFF 14264000  mov dword ptr ss:[ebp-154],lhl-crac.00402614
00403A98  .  C785 A4FEFFFF 08000000  mov dword ptr ss:[ebp-15C],8
00403AA2  .  FF15 C4104000   call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
00403AA8  .  8D85 54FFFFFF   lea eax,dword ptr ss:[ebp-AC]
00403AAE  .  8D8D 64FFFFFF   lea ecx,dword ptr ss:[ebp-9C]
00403AB4  .  50              push eax
00403AB5  .  8D95 74FFFFFF   lea edx,dword ptr ss:[ebp-8C]
00403ABB  .  51              push ecx
00403ABC  .  52              push edx
00403ABD  .  8D45 84         lea eax,dword ptr ss:[ebp-7C]
00403AC0  .  6A 00           push 0
00403AC2  .  50              push eax
00403AC3  .  FF15 3C104000   call dword ptr ds:[<&MSVBVM60.#595>]         ; rtcMsgBox, shows the "通过第3关" (passed stage 3) box
00403AC9  .  8D8D 54FFFFFF   lea ecx,dword ptr ss:[ebp-AC]
00403ACF  .  8D95 64FFFFFF   lea edx,dword ptr ss:[ebp-9C]
00403AD5  .  51              push ecx
00403AD6  .  8D85 74FFFFFF   lea eax,dword ptr ss:[ebp-8C]
00403ADC  .  52              push edx
After the "通过第3关" (passed stage 3) box, the "确定" (OK) button becomes clickable; clicking it pops up "你比我菜!" (roughly "you're a bigger noob than me!").
Type bp rtcMsgBox in the command bar, press Enter, and click "OK"; it breaks:
660DC5F3  M> 55              push ebp
660DC5F4     8BEC            mov ebp,esp
660DC5F6     83EC 4C         sub esp,4C
660DC5F9     8B4D 14         mov ecx,dword ptr ss:[ebp+14]
The stack window gives the friendly hint:
0012F3C8 00403023 返回到 lhl-crac.00403023 来自 MSVBVM60.rtcMsgBox
0012F3CC 0012F464
Press Alt+F9 to return, click "OK" in the message box, and we arrive at:
00403023  .  8D45 AC         lea eax,dword ptr ss:[ebp-54]                ; Alt+F9 returns here
00403026  .  8D4D BC         lea ecx,dword ptr ss:[ebp-44]
00403029  .  50              push eax
0040302A  .  8D55 CC         lea edx,dword ptr ss:[ebp-34]
0040302D  .  51              push ecx
Scroll up to 00402F20, set a breakpoint there with F2, and click "OK" again; it breaks immediately:
00402F20  >  55              push ebp                                     ; F2 breakpoint here; after the break, step down with F8
00402F21  .  8BEC            mov ebp,esp
00402F23  .  83EC 0C         sub esp,0C
00402F26  .  68 56114000     push <jmp.&MSVBVM60.__vbaExceptHandler>
00402F2B  .  64:A1 00000000  mov eax,dword ptr fs:[0]
00402F31  .  50              push eax
00402F32  .  64:8925 00000000  mov dword ptr fs:[0],esp
00402F39  .  81EC 88000000   sub esp,88
00402F3F  .  53              push ebx
00402F40  .  56              push esi
00402F41  .  57              push edi
00402F42  .  8965 F4         mov dword ptr ss:[ebp-C],esp
00402F45  .  C745 F8 18114000  mov dword ptr ss:[ebp-8],lhl-crac.00401118
00402F4C  .  8B75 08         mov esi,dword ptr ss:[ebp+8]
00402F4F  .  8BC6            mov eax,esi
00402F51  .  83E0 01         and eax,1
00402F54  .  8945 FC         mov dword ptr ss:[ebp-4],eax
00402F57  .  83E6 FE         and esi,FFFFFFFE
00402F5A  .  56              push esi
00402F5B  .  8975 08         mov dword ptr ss:[ebp+8],esi
00402F5E  .  8B0E            mov ecx,dword ptr ds:[esi]
00402F60  .  FF51 04         call dword ptr ds:[ecx+4]
00402F63  .  8D56 64         lea edx,dword ptr ds:[esi+64]
00402F66  .  33FF            xor edi,edi
00402F68  .  52              push edx
00402F69  .  897D DC         mov dword ptr ss:[ebp-24],edi
00402F6C  .  897D CC         mov dword ptr ss:[ebp-34],edi
00402F6F  .  897D BC         mov dword ptr ss:[ebp-44],edi
00402F72  .  897D AC         mov dword ptr ss:[ebp-54],edi
00402F75  .  897D 9C         mov dword ptr ss:[ebp-64],edi
00402F78  .  FF15 8C104000   call dword ptr ds:[<&MSVBVM60.__vbaR8ErrVar>]
00402F7E  .  8B1D 60104000   mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]
00402F84  .  8D46 44         lea eax,dword ptr ds:[esi+44]                ; string str4 "108104108" converted to a double
00402F87  .  DD5D A4         fstp qword ptr ss:[ebp-5C]                   ; st=108104108.00000000000
00402F8A  .  8D4D 9C         lea ecx,dword ptr ss:[ebp-64]
00402F8D  .  50              push eax
00402F8E  .  51              push ecx
00402F8F  .  C745 9C 05800000  mov dword ptr ss:[ebp-64],8005             ; string str1 "108317798" --> 108317798.0
00402F96  .  FFD3            call ebx                                     ; __vbaVarTstEq, compare with the double represented by str1
00402F98  .  66:85C0         test ax,ax
00402F9B  .  74 39           je short lhl-crac.00402FD6                   ; not equal -> game over; patch point 4, NOP it
00402F9D  .  8D56 54         lea edx,dword ptr ds:[esi+54]
00402FA0  .  52              push edx
00402FA1  .  FF15 8C104000   call dword ptr ds:[<&MSVBVM60.__vbaR8ErrVar>]
00402FA7  .  DD5D A4         fstp qword ptr ss:[ebp-5C]                   ; string str3 "707967" converted to a double
00402FAA  .  8D46 34         lea eax,dword ptr ds:[esi+34]                ; st=707967.0
00402FAD  .  8D4D 9C         lea ecx,dword ptr ss:[ebp-64]
00402FB0  .  50              push eax
00402FB1  .  51              push ecx
00402FB2  .  C745 9C 05800000  mov dword ptr ss:[ebp-64],8005             ; string str2 "73BC21" --> 7584801.0
00402FB9  .  FFD3            call ebx                                     ; __vbaVarTstEq, compare with the double represented by str2
00402FBB  .  66:85C0         test ax,ax
00402FBE  .  74 7E           je short lhl-crac.0040303E                   ; not equal -> game over; patch point 5, NOP it
00402FC0  .  68 68254000     push lhl-crac.00402568
00402FC5  .  56              push esi
00402FC6  .  68 7C254000     push lhl-crac.0040257C
-----------------------------------------------------------------------------------------------
[Summary]
1. The registration code must be at least 7 characters long; that passes stage 1.
2. The first 7 characters of the code go through two computations, each using 9 constants. The two computations are identical apart from the last constant. The first result, written as a decimal integer, becomes string str1; the second, written as a hexadecimal integer, becomes string str2.
3. Two fixed strings are built in, "pyg" and "lhl". For each one, the ASCII value of every character is taken in turn, written in hexadecimal and joined into a string: str3 and str4 respectively.
4. The 5th character of str1 is compared with the 5th character of str4; if they are equal, stage 2 is passed.
5. str2 and str3 are compared from the 5th character to the end; if they are equal, stage 3 is passed.
6. str1 and str4, and then str2 and str3, are converted to floating-point numbers and compared; if both pairs are equal, stage 4 is passed.
One working registration code:
===================
Registration code: 1000135
===================
For a patch, change the following locations:
00403333  je lhl-crac.00403CA9        ; je ===> NOP
00403961  je lhl-crac.00403BD1        ; je ===> NOP
00403A0F  je lhl-crac.00403AF0        ; je ===> NOP
00402F9B  je short lhl-crac.00402FD6  ; je ===> NOP
00402FBE  je short lhl-crac.0040303E  ; je ===> NOP
[VB keygen source]
Private Sub Generate_Click()
    On Error Resume Next
    Dim i As Long
    Dim n1 As Long
    Dim n2 As Long
    Dim num1 As Long
    Dim num2 As Long
    Dim num3 As Long
    Dim num4 As Long
    Dim temp As Long
    ' Start from a random 7-digit number and search upward for the first code that passes every stage
    Randomize
    temp = (9999999 - 1000000) * Rnd() + 1000000
    For i = temp To 9999999
        num1 = (i Mod &H42) * &H186A0         ' (i Mod 66) * 100000
        num2 = (i Mod &H12) * &H3E8           ' (i Mod 18) * 1000
        num3 = (i Mod &H63) * 5 * 2           ' (i Mod 99) * 2 * 5
        num4 = i And &H80000007
        n1 = num1 + num2 + num3 + num4 + 9 + &H6390F22   ' str1 as a number; must equal str4 = "108104108"
        n2 = num1 + num2 + num3 + num4 + 9 + &H37FEDD    ' Hex(n2) is str2; must equal str3 = "707967"
        If (n1 = 108104108) And (n2 = 7371111) Then GoTo done   ' &H707967 = 7371111
    Next i
done:
    Text1 = i
End Sub
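The checks summarised above and the keygen's search, reimplemented in Python as an added example (this is not the crackme's code and not the author's VB keygen). It reproduces the intermediate strings the writeup records for the fake code 9876543210, runs the four gates on any serial, and cross-checks the working code 1000135. The constants and the fixed strings are taken from the listing above. Two things are this example's own: a VB type-mismatch (a non-numeric string fed to the string-to-double conversions) is treated as a failed gate, and valid_serials() uses a modular-period shortcut that goes beyond the page's random-start search.

```python
"""Re-implementation of the lhl-crackme serial check recovered in the writeup.

Added example: not the crackme's code and not the author's VB keygen.  All
constants, fixed strings and the four gates come from the disassembly above;
the modular-period shortcut in valid_serials() is this example's own observation.
"""
from dataclasses import dataclass, field

# Constants read from the listing (0040342F..004034AF and 0040367B).
K_MOD1, K_MUL1 = 0x42, 0x186A0   # (i Mod 66) * 100000
K_MOD2, K_MUL2 = 0x12, 0x3E8     # (i Mod 18) * 1000
K_MOD3, K_MUL3 = 0x63, 2 * 5     # (i Mod 99) * 2 * 5
K_AND, K_ADD = 0x80000007, 9
K_FINAL1 = 0x6390F22             # added before the decimal string str1
K_FINAL2 = 0x37FEDD              # added before the hex string str2

# Fixed strings as the writeup observes them: "pyg" -> hex ASCII codes,
# "lhl" -> decimal ASCII codes.
STR3 = "".join(f"{ord(c):X}" for c in "pyg")   # "707967"
STR4 = "".join(str(ord(c)) for c in "lhl")    # "108104108"


def mix(i: int) -> int:
    """num1 + num2 + num3 + num4 + 9, the part shared by both branches."""
    num1 = (i % K_MOD1) * K_MUL1
    num2 = (i % K_MOD2) * K_MUL2
    num3 = (i % K_MOD3) * K_MUL3
    num4 = i & K_AND
    return num1 + num2 + num3 + num4 + K_ADD


def vb_cdbl(s: str):
    """String -> Double like __vbaR8Str/__vbaR8ErrVar.  Returns None where VB
    would raise a type mismatch (assumption: e.g. hex text such as "73BC21")."""
    try:
        return float(s)
    except ValueError:
        return None


@dataclass
class Result:
    str1: str = ""
    str2: str = ""
    gates: dict = field(default_factory=lambda: {
        "len_ge_7": False, "mid5_char": False, "mid5_tail": False, "as_double": False})

    @property
    def ok(self) -> bool:
        return all(self.gates.values())


def check_serial(serial: str) -> Result:
    """Run the four gates in the order the binary does and keep the intermediates."""
    r = Result()
    r.gates["len_ge_7"] = len(serial) >= 7          # __vbaVarTstGe(Len, 7) at 00403327
    if not r.gates["len_ge_7"]:
        return r
    left7 = serial[:7]                              # rtcLeftCharBstr(serial, 7)
    if not left7.isdigit():                         # __vbaVarMod on non-numeric text errors out in VB
        return r
    base = mix(int(left7))
    r.str1 = str(base + K_FINAL1)                   # decimal text, e.g. "108317798"
    r.str2 = format(base + K_FINAL2, "X")           # Hex$(), upper case like VB, e.g. "73BC21"
    # Stage 2 (00403894..00403961): 5th character of str1 vs str4, compared as doubles.
    r.gates["mid5_char"] = vb_cdbl(r.str1[4:5]) == vb_cdbl(STR4[4:5])
    # Stage 3 (0040398E..00403A0F): Mid(str2, 5) vs Mid(str3, 5), string comparison.
    r.gates["mid5_tail"] = r.str2[4:] == STR3[4:]
    # Stage 4 (button handler at 00402F20): str1 vs str4 and str2 vs str3 as doubles.
    r.gates["as_double"] = (vb_cdbl(r.str1) == vb_cdbl(STR4)
                            and vb_cdbl(r.str2) == vb_cdbl(STR3))
    return r


def find_serials(start: int, stop: int) -> list:
    """Brute force a range of 7-digit candidates, as the VB keygen does."""
    return [i for i in range(start, stop + 1) if check_serial(str(i)).ok]


def valid_serials() -> range:
    """All valid 7-digit codes without brute force.  Passing requires
    mix(i) == 108104108 - 0x6390F22 == 3701386.  Because 100000 > 17000+980+7,
    1000 > 980+7 and 10 > 7, that sum splits uniquely as 3700000+1000+370+7+9,
    i.e. i%66 == 37, i%18 == 1, i%99 == 37 and i&7 == 7, which together mean
    i == 631 (mod 792).  The first 7-digit solution is 1000135."""
    return range(1000135, 10_000_000, 792)
```

check_serial("9876543210") yields str1 "108317798" and str2 "73BC21", failing from stage 2 on exactly as the trace above shows; check_serial("1000135") passes all four gates, and find_serials() over a small window returns the same codes as valid_serials() does for that window.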
-----------------------------------------------------------------------------------------------
[Copyright] This article is purely for technical exchange; if you repost it, please credit the author and keep the article intact. Thanks!
[ This post was last edited by hrbx on 2006-5-22 12:59 ]

Reply: Heh, that was really well explained.

Reply: Brother hrbx, impressive. Respect!!!!

Reply:
Originally posted by lhl8730 on 2006-5-22 09:17:
    Brother hrbx, impressive. Respect!!!!
:victory::victory:

Reply: Brother hrbx, how about making a video demo so everyone can learn from it.

Reply:
Originally posted by lhl8730 on 2006-5-23 12:00:
    Brother hrbx, how about making a video demo so everyone can learn from it.
Then us newbies would be in luck...
Craning my neck and waiting... :L :L
++++++++++++++++++++++
I suggest recording it with 录像专家 V6.0.
Go slowly while recording. A voice-over would be best... otherwise this cat will fall asleep watching...
The recording will be large; upload it to the FTP server.

Reply: Heh, I can just about manage writing a tutorial; I'll leave the videos to the other brothers on the forum... :P

Reply: A question about "After the break, remove the breakpoint and step with F8 until you return to the program's own code":
I pressed F8 dozens of times and still could not get back to the line you mention,
004032B3  .  3BC6            cmp eax,esi                                  ; returns here
What is the correct way to get back there?
004032AD  .  FF91 A0000000   call dword ptr ds:[ecx+A0]
004032B3  .  3BC6            cmp eax,esi                                  ; returns here
004032B5  .  DBE2            fclex
004032B7  .  7D 12           jge short lhl-crac.004032CB