CrackMe By [PYG]Zass//20091108 algorithm analysis + VB keygen source
【Title】CrackMe By Zass//20091108 algorithm analysis + VB keygen source【Author】hrbx
【Date】2010-4-14
【Software】CrackMe By Zass//20091108
【Download】https://www.chinapyg.com/viewthread.php?tid=52514&extra=page%3D1
-----------------------------------------------------------------------------------------------
【Statement】I'm just a newbie who happened to pick up a little insight and would like to share it with everyone :)
-----------------------------------------------------------------------------------------------
【Process】
1.Check for a packer. A PEiD scan shows: Microsoft Visual Basic 5.0 / 6.0, no packer.
2.Find the program's control event addresses. Load it in OD (OllyDbg), press Ctrl+B and enter 816C24 in the Hex field to find the event addresses of the VB controls:
==================================================================
004020DD .816C24 04 8F000000 sub dword ptr , 8F
004020E5 .E9 363C0000 jmp 00405D20 ;OK button
004020EA .816C24 04 87000000 sub dword ptr , 87
004020F2 .E9 09410000 jmp 00406200 ;form initialization (before load)
==================================================================
3.Algorithm analysis. Load in OD, Ctrl+G, enter the form-initialization event address 00406200, click OK, F2 to set a breakpoint, F9 to run; the program breaks:
00406200 > \55 push ebp ;after the break, step down with F8
00406201 .8BEC mov ebp, esp
00406203 .83EC 0C sub esp, 0C
00406206 .68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE handler installation
0040620B .64:A1 00000000 mov eax, dword ptr fs:
00406211 .50 push eax
00406212 .64:8925 00000000 mov dword ptr fs:, esp
00406219 .81EC 10010000 sub esp, 110
0040621F .53 push ebx
00406220 .56 push esi
00406221 .57 push edi
00406222 .8965 F4 mov dword ptr , esp
00406225 .C745 F8 C0124000 mov dword ptr , 004012C0
0040622C .8B75 08 mov esi, dword ptr
0040622F .8BC6 mov eax, esi
00406231 .83E0 01 and eax, 1
00406234 .8945 FC mov dword ptr , eax
00406237 .83E6 FE and esi, FFFFFFFE
0040623A .56 push esi
0040623B .8975 08 mov dword ptr , esi
0040623E .8B0E mov ecx, dword ptr
00406240 .FF51 04 call dword ptr
00406243 .8B16 mov edx, dword ptr
00406245 .33FF xor edi, edi
00406247 .56 push esi
00406248 .897D DC mov dword ptr , edi
0040624B .897D D8 mov dword ptr , edi
0040624E .897D C8 mov dword ptr , edi
00406251 .897D C4 mov dword ptr , edi
00406254 .897D C0 mov dword ptr , edi
00406257 .897D BC mov dword ptr , edi
0040625A .897D B8 mov dword ptr , edi
0040625D .897D B4 mov dword ptr , edi
00406260 .897D B0 mov dword ptr , edi
00406263 .897D AC mov dword ptr , edi
00406266 .897D 9C mov dword ptr , edi
00406269 .897D 8C mov dword ptr , edi
0040626C .89BD 7CFFFFFF mov dword ptr , edi
00406272 .89BD 6CFFFFFF mov dword ptr , edi
00406278 .89BD 5CFFFFFF mov dword ptr , edi
0040627E .89BD 4CFFFFFF mov dword ptr , edi
00406284 .89BD 3CFFFFFF mov dword ptr , edi
0040628A .89BD 2CFFFFFF mov dword ptr , edi
00406290 .89BD 28FFFFFF mov dword ptr , edi
00406296 .89BD 04FFFFFF mov dword ptr , edi
0040629C .89BD F4FEFFFF mov dword ptr , edi
004062A2 .FF92 00030000 call dword ptr
004062A8 .50 push eax
004062A9 .8D45 AC lea eax, dword ptr
004062AC .50 push eax
004062AD .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004062B3 .8BD8 mov ebx, eax
004062B5 .68 C0244000 push 004024C0
004062BA .53 push ebx
004062BB .8B0B mov ecx, dword ptr
004062BD .FF91 A4000000 call dword ptr
004062C3 .3BC7 cmp eax, edi
004062C5 .DBE2 fclex
004062C7 .7D 12 jge short 004062DB
004062C9 .68 A4000000 push 0A4
004062CE .68 20254000 push 00402520
004062D3 .53 push ebx
004062D4 .50 push eax
004062D5 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
004062DB >8D4D AC lea ecx, dword ptr
004062DE .FF15 74114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004062E4 .8B16 mov edx, dword ptr
004062E6 .56 push esi
004062E7 .FF92 04030000 call dword ptr
004062ED .50 push eax
004062EE .8D45 AC lea eax, dword ptr
004062F1 .50 push eax
004062F2 .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004062F8 .8BD8 mov ebx, eax
004062FA .BA 50254000 mov edx, 00402550 ;c:\
004062FF .8D4D C0 lea ecx, dword ptr
00406302 .899D 18FFFFFF mov dword ptr , ebx
00406308 .FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
0040630E .8B0E mov ecx, dword ptr
00406310 .8D95 28FFFFFF lea edx, dword ptr
00406316 .8D45 C0 lea eax, dword ptr
00406319 .52 push edx
0040631A .50 push eax
0040631B .56 push esi
0040631C .FF91 34070000 call dword ptr
00406322 .3BC7 cmp eax, edi
00406324 .7D 12 jge short 00406338
00406326 .68 34070000 push 734
0040632B .68 40224000 push 00402240
00406330 .56 push esi
00406331 .50 push eax
00406332 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406338 >8B8D 28FFFFFF mov ecx, dword ptr
0040633E .8B1B mov ebx, dword ptr
00406340 .FF15 54104000 call dword ptr [<&MSVBVM60.__vbaI4Abs>]
00406346 .50 push eax
00406347 .FF15 08104000 call dword ptr [<&MSVBVM60.__vbaStrI4>]
0040634D .8BD0 mov edx, eax
0040634F .8D4D BC lea ecx, dword ptr
00406352 .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00406358 .8BCB mov ecx, ebx
0040635A .8B9D 18FFFFFF mov ebx, dword ptr
00406360 .50 push eax
00406361 .53 push ebx
00406362 .FF91 A4000000 call dword ptr
00406368 .3BC7 cmp eax, edi
0040636A .DBE2 fclex
0040636C .7D 12 jge short 00406380
0040636E .68 A4000000 push 0A4
00406373 .68 20254000 push 00402520
00406378 .53 push ebx
00406379 .50 push eax
0040637A .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406380 >8D55 BC lea edx, dword ptr
00406383 .8D45 C0 lea eax, dword ptr
00406386 .52 push edx
00406387 .50 push eax
00406388 .6A 02 push 2
0040638A .FF15 30114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>
00406390 .83C4 0C add esp, 0C
00406393 .8D4D AC lea ecx, dword ptr
00406396 .FF15 74114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
0040639C .BA 50254000 mov edx, 00402550 ;c:\
004063A1 .8D4D C0 lea ecx, dword ptr
004063A4 .FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
004063AA .8B0E mov ecx, dword ptr
004063AC .8D95 28FFFFFF lea edx, dword ptr
004063B2 .8D45 C0 lea eax, dword ptr
004063B5 .52 push edx
004063B6 .50 push eax
004063B7 .56 push esi
004063B8 .FF91 34070000 call dword ptr ;Keygenme.004020CB
004063BE .3BC7 cmp eax, edi ;calls GetVolumeInformationA to obtain the C: volume serial number
004063C0 .7D 12 jge short 004063D4 ;C: volume serial number: -1460319485
004063C2 .68 34070000 push 734 ;as a hex dword (-1460319485=0xA8F54B03)
004063C7 .68 40224000 push 00402240
004063CC .56 push esi
004063CD .50 push eax
004063CE .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
004063D4 >8B8D 28FFFFFF mov ecx, dword ptr ;ECX=ss:=A8F54B03
004063DA .FF15 54104000 call dword ptr [<&MSVBVM60.__vbaI4Abs>] ;the Abs function takes the absolute value, neg(A8F54B03)=570AB4FD
004063E0 .8D4D 9C lea ecx, dword ptr
004063E3 .8D55 8C lea edx, dword ptr
004063E6 .51 push ecx
004063E7 .52 push edx
004063E8 .8945 A4 mov dword ptr , eax ;EAX=0x570AB4FD
004063EB .C745 9C 03000000 mov dword ptr , 3
004063F2 .FF15 28114000 call dword ptr [<&MSVBVM60.#573>] ;MSVBVM60.rtcHexVarFromVar
004063F8 .8D45 8C lea eax, dword ptr ;the number converted to the string "570AB4FD"
004063FB .50 push eax
004063FC .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>
00406402 .8B1D 58114000 mov ebx, dword ptr [<&MSVBVM60.__vbaStrMov>
00406408 .8BD0 mov edx, eax ;EAX="570AB4FD"
0040640A .8D4D BC lea ecx, dword ptr
0040640D .FFD3 call ebx
0040640F .8B0E mov ecx, dword ptr
00406411 .8D55 B8 lea edx, dword ptr
00406414 .8D45 BC lea eax, dword ptr
00406417 .52 push edx
00406418 .50 push eax
00406419 .56 push esi
0040641A .FF91 38070000 call dword ptr ;Keygenme.004020D8, reverses the string
00406420 .3BC7 cmp eax, edi ;"570AB4FD"--->"DF4BA075"
00406422 .7D 12 jge short 00406436
00406424 .68 38070000 push 738
00406429 .68 40224000 push 00402240
0040642E .56 push esi
0040642F .50 push eax
00406430 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406436 >8B55 B8 mov edx, dword ptr ;EDX=ss:="DF4BA075"
00406439 .8D4D B4 lea ecx, dword ptr
0040643C .897D B8 mov dword ptr , edi
0040643F .FFD3 call ebx
00406441 .8B0E mov ecx, dword ptr
00406443 .8D55 B0 lea edx, dword ptr
00406446 .8D45 B4 lea eax, dword ptr
00406449 .52 push edx
0040644A .50 push eax
0040644B .56 push esi
0040644C .FF91 18070000 call dword ptr ;F7 into this: MD5-hashes the reversed string
00406452 .3BC7 cmp eax, edi ;MD5("DF4BA075")="DD29C6AFF93CB721D4DE5817CDA9B441"
00406454 .7D 12 jge short 00406468
00406456 .68 18070000 push 718
0040645B .68 40224000 push 00402240
00406460 .56 push esi
00406461 .50 push eax
00406462 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406468 >8B55 B0 mov edx, dword ptr ;ss:="DD29C6AFF93CB721D4DE5817CDA9B441"
0040646B .8D4D C4 lea ecx, dword ptr
0040646E .897D B0 mov dword ptr , edi
00406471 .FFD3 call ebx
00406473 .8D4D B4 lea ecx, dword ptr
00406476 .8D55 BC lea edx, dword ptr
00406479 .51 push ecx
0040647A .8D45 C0 lea eax, dword ptr
0040647D .52 push edx
0040647E .50 push eax
0040647F .6A 03 push 3
00406481 .FF15 30114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>
00406487 .8D4D 8C lea ecx, dword ptr
0040648A .8D55 9C lea edx, dword ptr
0040648D .51 push ecx
0040648E .52 push edx
0040648F .6A 02 push 2
00406491 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00406497 .8B06 mov eax, dword ptr
00406499 .83C4 1C add esp, 1C
0040649C .8D4D C0 lea ecx, dword ptr
0040649F .51 push ecx
004064A0 .56 push esi
004064A1 .FF90 3C070000 call dword ptr ;F7 into this: calls rtcRandomize and produces 8 random numbers in the range 0-0xF
004064A7 .3BC7 cmp eax, edi ;the 8 random numbers are joined into the string "43E53E47"
004064A9 .7D 12 jge short 004064BD
004064AB .68 3C070000 push 73C
004064B0 .68 40224000 push 00402240
004064B5 .56 push esi
004064B6 .50 push eax
004064B7 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
004064BD >8B55 C0 mov edx, dword ptr ;ss:="43E53E47"
004064C0 .8D7E 34 lea edi, dword ptr
004064C3 .8BCF mov ecx, edi
004064C5 .FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
004064CB .8D4D C0 lea ecx, dword ptr
004064CE .FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004064D4 .8B17 mov edx, dword ptr
004064D6 .BB 01000000 mov ebx, 1
004064DB .52 push edx ; /String="43E53E47"
004064DC .899D 64FFFFFF mov dword ptr , ebx ; |
004064E2 .C785 5CFFFFFF 02>mov dword ptr , 2 ; |
004064EC .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr, gets the string length
004064F2 .8985 54FFFFFF mov dword ptr , eax ;EAX=0x8
004064F8 .8D85 5CFFFFFF lea eax, dword ptr
004064FE .8D8D 4CFFFFFF lea ecx, dword ptr
00406504 .50 push eax ; /Step8
00406505 .8D95 3CFFFFFF lea edx, dword ptr ; |
0040650B .51 push ecx ; |End8
0040650C .8D85 F4FEFFFF lea eax, dword ptr ; |
00406512 .52 push edx ; |Start8
00406513 .8D8D 04FFFFFF lea ecx, dword ptr ; |
00406519 .50 push eax ; |TMPend8
0040651A .8D55 DC lea edx, dword ptr ; |
0040651D .51 push ecx ; |TMPstep8
0040651E .52 push edx ; |Counter8
0040651F .C785 4CFFFFFF 03>mov dword ptr , 3 ; |
00406529 .899D 44FFFFFF mov dword ptr , ebx ; |
0040652F .C785 3CFFFFFF 02>mov dword ptr , 2 ; |
00406539 .FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaVarForInit>>; \__vbaVarForInit
0040653F .8B3D 84104000 mov edi, dword ptr [<&MSVBVM60.#632>]
00406545 .8B1D F8104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarCat>
0040654B >85C0 test eax, eax
0040654D .0F84 54010000 je 004066A7
00406553 .8D46 34 lea eax, dword ptr
00406556 .8D4D DC lea ecx, dword ptr
00406559 .8985 64FFFFFF mov dword ptr , eax
0040655F .8D45 9C lea eax, dword ptr
00406562 .50 push eax
00406563 .51 push ecx
00406564 .C745 A4 01000000 mov dword ptr , 1
0040656B .C745 9C 02000000 mov dword ptr , 2
00406572 .C785 5CFFFFFF 08>mov dword ptr , 4008
0040657C .FF15 44114000 call dword ptr [<&MSVBVM60.__vbaI4Var>] ;MSVBVM60.__vbaI4Var
00406582 .50 push eax
00406583 .8D95 5CFFFFFF lea edx, dword ptr
00406589 .8D45 8C lea eax, dword ptr
0040658C .52 push edx
0040658D .50 push eax
0040658E .FFD7 call edi
00406590 .8D55 8C lea edx, dword ptr
00406593 .8D4D C8 lea ecx, dword ptr
00406596 .FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
0040659C .8D4D 9C lea ecx, dword ptr
0040659F .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
004065A5 .8D8D 5CFFFFFF lea ecx, dword ptr
004065AB .8D55 C8 lea edx, dword ptr
004065AE .51 push ecx
004065AF .8D45 9C lea eax, dword ptr
004065B2 .52 push edx
004065B3 .50 push eax
004065B4 .C785 64FFFFFF 34>mov dword ptr , 00402534 ;00402534="&h"
004065BE .C785 5CFFFFFF 08>mov dword ptr ,
004065C8 .FFD3 call ebx ;__vbaVarCat, joins "&h" to the extracted character, i.e. treats it as a hex number
004065CA .8D4D C0 lea ecx, dword ptr
004065CD .50 push eax ; /String8
004065CE .51 push ecx ; |ARG2
004065CF .FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
004065D5 .50 push eax ;EAX="&h4"
004065D6 .FF15 78114000 call dword ptr [<&MSVBVM60.#581>] ;rtcR8ValFromBstr
004065DC .DD9D 20FFFFFF fstp qword ptr ;st=4.0000000000000000000
004065E2 .8B55 D8 mov edx, dword ptr
004065E5 .8D4D 8C lea ecx, dword ptr
004065E8 .DD85 20FFFFFF fld qword ptr
004065EE .8D45 C4 lea eax, dword ptr
004065F1 .51 push ecx
004065F2 .8995 34FFFFFF mov dword ptr , edx
004065F8 .C785 2CFFFFFF 08>mov dword ptr , 8
00406602 .C745 94 01000000 mov dword ptr , 1
00406609 .C745 8C 02000000 mov dword ptr , 2
00406610 .8985 54FFFFFF mov dword ptr , eax
00406616 .C785 4CFFFFFF 08>mov dword ptr , 4008
00406620 .FF15 50114000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ;floating-point value converted to an integer
00406626 .50 push eax ;EAX=0x4
00406627 .8D95 4CFFFFFF lea edx, dword ptr
0040662D .8D85 7CFFFFFF lea eax, dword ptr
00406633 .52 push edx
00406634 .50 push eax
00406635 .FFD7 call edi ;rtcMidCharVar, takes the character at position EAX from "DD29C6AFF93CB721D4DE5817CDA9B441"
00406637 .8D8D 2CFFFFFF lea ecx, dword ptr
0040663D .8D95 7CFFFFFF lea edx, dword ptr
00406643 .51 push ecx
00406644 .8D85 6CFFFFFF lea eax, dword ptr
0040664A .52 push edx
0040664B .50 push eax
0040664C .FFD3 call ebx ;__vbaVarCat, joins the extracted characters in order
0040664E .50 push eax
0040664F .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>;
00406655 .8BD0 mov edx, eax ;EAX="927C279A"
00406657 .8D4D D8 lea ecx, dword ptr
0040665A .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00406660 .8D4D C0 lea ecx, dword ptr
00406663 .FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00406669 .8D8D 6CFFFFFF lea ecx, dword ptr
0040666F .8D95 7CFFFFFF lea edx, dword ptr
00406675 .51 push ecx
00406676 .8D45 8C lea eax, dword ptr
00406679 .52 push edx
0040667A .8D4D 9C lea ecx, dword ptr
0040667D .50 push eax
0040667E .51 push ecx
0040667F .6A 04 push 4
00406681 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00406687 .83C4 14 add esp, 14
0040668A .8D95 F4FEFFFF lea edx, dword ptr
00406690 .8D85 04FFFFFF lea eax, dword ptr
00406696 .52 push edx ; /TMPend8
00406697 .8D4D DC lea ecx, dword ptr ; |
0040669A .50 push eax ; |TMPstep8
0040669B .51 push ecx ; |Counter8
0040669C .FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarForNext>>; \__vbaVarForNext
004066A2 .^ E9 A4FEFFFF jmp 0040654B
004066A7 >8D85 5CFFFFFF lea eax, dword ptr
004066AD .8D4D 9C lea ecx, dword ptr
004066B0 .8D55 D8 lea edx, dword ptr
004066B3 .50 push eax
004066B4 .51 push ecx
004066B5 .8995 64FFFFFF mov dword ptr , edx
004066BB .C785 5CFFFFFF 08>mov dword ptr , 4008
004066C5 .FF15 9C104000 call dword ptr [<&MSVBVM60.#528>] ;rtcUpperCaseVar, converts the characters to upper case
004066CB .8D55 9C lea edx, dword ptr
004066CE .52 push edx
004066CF .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>
004066D5 .8BD0 mov edx, eax ;the string "927C279A"
004066D7 .8D4D C0 lea ecx, dword ptr
004066DA .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
004066E0 .8B06 mov eax, dword ptr
004066E2 .8D4D BC lea ecx, dword ptr
004066E5 .8D55 C0 lea edx, dword ptr
004066E8 .51 push ecx
004066E9 .52 push edx
004066EA .56 push esi
004066EB .FF90 18070000 call dword ptr ;MD5-hashes the string "927C279A"
004066F1 .85C0 test eax, eax
004066F3 .7D 12 jge short 00406707
004066F5 .68 18070000 push 718
004066FA .68 40224000 push 00402240
004066FF .56 push esi
00406700 .50 push eax
00406701 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406707 >8B55 BC mov edx, dword ptr ;MD5("927C279A")="9E7F4ED9D6D89E0FD8A4F75B68809F81"
0040670A .8D4E 38 lea ecx, dword ptr
0040670D .FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
00406713 .8D45 BC lea eax, dword ptr
00406716 .8D4D C0 lea ecx, dword ptr
00406719 .50 push eax
0040671A .51 push ecx
0040671B .6A 02 push 2
Pressing F7 on the call dword ptr at 0040644C lands here:
00402F10 > \55 push ebp
00402F11 .8BEC mov ebp, esp
00402F13 .83EC 0C sub esp, 0C
00402F16 .68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE handler installation
00402F1B .64:A1 00000000 mov eax, dword ptr fs:
00402F21 .50 push eax
00402F22 .64:8925 00000000 mov dword ptr fs:, esp
00402F29 .83EC 54 sub esp, 54
00402F2C .53 push ebx
00402F2D .56 push esi
00402F2E .57 push edi
00402F2F .8965 F4 mov dword ptr , esp
00402F32 .C745 F8 C0114000 mov dword ptr , 004011C0
00402F39 .33FF xor edi, edi
00402F3B .897D FC mov dword ptr , edi
00402F3E .8B75 08 mov esi, dword ptr
00402F41 .56 push esi
00402F42 .8B06 mov eax, dword ptr
00402F44 .FF50 04 call dword ptr
00402F47 .8B4D 10 mov ecx, dword ptr
00402F4A .56 push esi
00402F4B .897D E8 mov dword ptr , edi
00402F4E .897D E4 mov dword ptr , edi
00402F51 .8939 mov dword ptr , edi
00402F53 .8B16 mov edx, dword ptr
00402F55 .897D D4 mov dword ptr , edi
00402F58 .897D C4 mov dword ptr , edi
00402F5B .897D B4 mov dword ptr , edi
00402F5E .897D B0 mov dword ptr , edi
00402F61 .897D A8 mov dword ptr , edi
00402F64 .897D A4 mov dword ptr , edi
00402F67 .FF92 24070000 call dword ptr ;F7 into this: the 4 MD5 constants can be seen
00402F6D .3BC7 cmp eax, edi
00402F6F .7D 16 jge short 00402F87
00402F71 .8B3D 38104000 mov edi, dword ptr [<&MSVBVM60.__vbaHresul>
00402F77 .68 24070000 push 724
00402F7C .68 40224000 push 00402240
00402F81 .56 push esi
00402F82 .50 push eax
00402F83 .FFD7 call edi
00402F85 .EB 06 jmp short 00402F8D
00402F87 >8B3D 38104000 mov edi, dword ptr [<&MSVBVM60.__vbaHresul>
00402F8D >8B5D 0C mov ebx, dword ptr
00402F90 .6A 00 push 0
00402F92 .8D45 B4 lea eax, dword ptr
00402F95 .68 80000000 push 80
00402F9A .8D4D D4 lea ecx, dword ptr
00402F9D .50 push eax
00402F9E .51 push ecx
00402F9F .895D BC mov dword ptr , ebx
00402FA2 .C745 B4 08400000 mov dword ptr , 4008
00402FA9 .FF15 EC104000 call dword ptr [<&MSVBVM60.#717>] ;MSVBVM60.rtcStrConvVar2
00402FAF .8B16 mov edx, dword ptr
00402FB1 .8D45 A8 lea eax, dword ptr
00402FB4 .50 push eax
00402FB5 .53 push ebx
00402FB6 .56 push esi
00402FB7 .FF92 40070000 call dword ptr
00402FBD .8D4D A8 lea ecx, dword ptr
00402FC0 .8D55 A4 lea edx, dword ptr
00402FC3 .51 push ecx
00402FC4 .52 push edx
00402FC5 .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaAryMove>]
00402FCB .8D45 D4 lea eax, dword ptr
00402FCE .8D4D C4 lea ecx, dword ptr
00402FD1 .50 push eax
00402FD2 .51 push ecx
00402FD3 .FF15 60114000 call dword ptr [<&MSVBVM60.__vbaLenVarB>]
00402FD9 .50 push eax
00402FDA .FF15 44114000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00402FE0 .8B16 mov edx, dword ptr
00402FE2 .8945 B0 mov dword ptr , eax
00402FE5 .8D45 A4 lea eax, dword ptr
00402FE8 .8D4D B0 lea ecx, dword ptr
00402FEB .50 push eax
00402FEC .51 push ecx
00402FED .56 push esi
00402FEE .FF92 2C070000 call dword ptr
00402FF4 .85C0 test eax, eax
00402FF6 .7D 0E jge short 00403006
00402FF8 .68 2C070000 push 72C
00402FFD .68 40224000 push 00402240
00403002 .56 push esi
00403003 .50 push eax
00403004 .FFD7 call edi
00403006 >8D4D D4 lea ecx, dword ptr
00403009 .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
0040300F .8D55 A4 lea edx, dword ptr
00403012 .52 push edx
00403013 .6A 00 push 0
00403015 .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaErase>] ;MSVBVM60.__vbaErase
0040301B .8B06 mov eax, dword ptr
0040301D .56 push esi
0040301E .FF90 28070000 call dword ptr
00403024 .85C0 test eax, eax
00403026 .7D 0E jge short 00403036
00403028 .68 28070000 push 728
0040302D .68 40224000 push 00402240
00403032 .56 push esi
00403033 .50 push eax
00403034 .FFD7 call edi
00403036 >8B0E mov ecx, dword ptr
00403038 .8D55 E4 lea edx, dword ptr
0040303B .52 push edx
0040303C .56 push esi
0040303D .FF91 20070000 call dword ptr ;joins the 4 segments of the MD5 hash
00403043 .85C0 test eax, eax
00403045 .7D 0E jge short 00403055
00403047 .68 20070000 push 720
0040304C .68 40224000 push 00402240
00403051 .56 push esi
00403052 .50 push eax
00403053 .FFD7 call edi
00403055 >8B55 E4 mov edx, dword ptr ;"DD29C6AFF93CB721D4DE5817CDA9B441"
00403058 .8D4D E8 lea ecx, dword ptr
0040305B .C745 E4 00000000 mov dword ptr , 0
00403062 .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403068 .68 B2304000 push 004030B2
0040306D .EB 2C jmp short 0040309B
0040306F .F645 FC 04 test byte ptr , 4
00403073 .74 09 je short 0040307E
00403075 .8D4D E8 lea ecx, dword ptr
00403078 .FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
0040307E >8D4D E4 lea ecx, dword ptr
00403081 .FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403087 .8D45 C4 lea eax, dword ptr
0040308A .8D4D D4 lea ecx, dword ptr
0040308D .50 push eax
0040308E .51 push ecx
0040308F .6A 02 push 2
00403091 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00403097 .83C4 0C add esp, 0C
0040309A .C3 retn
0040309B >8B35 44104000 mov esi, dword ptr [<&MSVBVM60.__vbaAryDes>
004030A1 .8D55 A8 lea edx, dword ptr
004030A4 .52 push edx
004030A5 .6A 00 push 0
004030A7 .FFD6 call esi
004030A9 .8D45 A4 lea eax, dword ptr
004030AC .50 push eax
004030AD .6A 00 push 0
004030AF .FFD6 call esi
004030B1 .C3 retn
004030B2 .8B45 08 mov eax, dword ptr
004030B5 .50 push eax
004030B6 .8B08 mov ecx, dword ptr
004030B8 .FF51 08 call dword ptr
004030BB .8B55 10 mov edx, dword ptr
004030BE .8B45 E8 mov eax, dword ptr
004030C1 .8902 mov dword ptr , eax
004030C3 .8B45 FC mov eax, dword ptr
004030C6 .8B4D EC mov ecx, dword ptr
004030C9 .5F pop edi
004030CA .5E pop esi
004030CB .64:890D 00000000 mov dword ptr fs:, ecx
004030D2 .5B pop ebx
004030D3 .8BE5 mov esp, ebp
004030D5 .5D pop ebp
004030D6 .C2 0C00 retn 0C
Pressing F7 on the call dword ptr at 00402F67 lands here:
00403A50/> \55 push ebp
00403A51|.8BEC mov ebp, esp
00403A53|.83EC 0C sub esp, 0C
00403A56|.68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE handler installation
00403A5B|.64:A1 00000000 mov eax, dword ptr fs:
00403A61|.50 push eax
00403A62|.64:8925 00000000 mov dword ptr fs:, esp
00403A69|.83EC 18 sub esp, 18
00403A6C|.53 push ebx
00403A6D|.56 push esi
00403A6E|.57 push edi
00403A6F|.8965 F4 mov dword ptr , esp
00403A72|.C745 F8 28124000 mov dword ptr , 00401228
00403A79|.33FF xor edi, edi
00403A7B|.897D FC mov dword ptr , edi
00403A7E|.8B75 08 mov esi, dword ptr
00403A81|.56 push esi
00403A82|.8B06 mov eax, dword ptr
00403A84|.FF50 04 call dword ptr
00403A87|.8B0E mov ecx, dword ptr
00403A89|.8D55 E8 lea edx, dword ptr
00403A8C|.8D45 E0 lea eax, dword ptr
00403A8F|.52 push edx
00403A90|.50 push eax
00403A91|.897D E0 mov dword ptr , edi
00403A94|.897D E4 mov dword ptr , edi
00403A97|.56 push esi
00403A98|.897D E8 mov dword ptr , edi
00403A9B|.897E 58 mov dword ptr , edi
00403A9E|.C745 E0 000040C0 mov dword ptr , C0400000
00403AA5|.C745 E4 48D1D941 mov dword ptr , 41D9D148
00403AAC|.FF91 68070000 call dword ptr ;the 1st MD5 constant 0x67452301, stored as a floating-point number
00403AB2|.8B4E 4C mov ecx, dword ptr ;0x67452301=1732584193.000000
00403AB5|.8B55 E8 mov edx, dword ptr
00403AB8|.8951 04 mov dword ptr , edx
00403ABB|.8B06 mov eax, dword ptr
00403ABD|.8D4D E8 lea ecx, dword ptr
00403AC0|.8D55 E0 lea edx, dword ptr
00403AC3|.51 push ecx
00403AC4|.52 push edx
00403AC5|.56 push esi
00403AC6|.C745 E0 00002071 mov dword ptr , 71200000
00403ACD|.C745 E4 B5F9ED41 mov dword ptr , 41EDF9B5
00403AD4|.FF90 68070000 call dword ptr ;the 2nd MD5 constant 0xEFCDAB89, stored as a floating-point number
00403ADA|.8B46 4C mov eax, dword ptr ;0xEFCDAB89=4023233417.000000
00403ADD|.8B4D E8 mov ecx, dword ptr
00403AE0|.8948 08 mov dword ptr , ecx
00403AE3|.8B16 mov edx, dword ptr
00403AE5|.8D45 E8 lea eax, dword ptr
00403AE8|.8D4D E0 lea ecx, dword ptr
00403AEB|.50 push eax
00403AEC|.51 push ecx
00403AED|.56 push esi
00403AEE|.C745 E0 0000C09F mov dword ptr , 9FC00000
00403AF5|.C745 E4 5B17E341 mov dword ptr , 41E3175B
00403AFC|.FF92 68070000 call dword ptr ;the 3rd MD5 constant 0x98BADCFE, stored as a floating-point number
00403B02|.8B56 4C mov edx, dword ptr ;0x98BADCFE=2562383102.0000000000
00403B05|.8B45 E8 mov eax, dword ptr
00403B08|.8942 0C mov dword ptr , eax
00403B0B|.8B0E mov ecx, dword ptr
00403B0D|.8D55 E8 lea edx, dword ptr
00403B10|.8D45 E0 lea eax, dword ptr
00403B13|.52 push edx
00403B14|.50 push eax
00403B15|.56 push esi
00403B16|.C745 E0 00000076 mov dword ptr , 76000000
00403B1D|.C745 E4 5432B041 mov dword ptr , 41B03254
00403B24|.FF91 68070000 call dword ptr ;the 4th MD5 constant 0x10325476, stored as a floating-point number
00403B2A|.8B4E 4C mov ecx, dword ptr ;0x10325476=271733878.0000000000
00403B2D|.8B55 E8 mov edx, dword ptr
00403B30|.8951 10 mov dword ptr , edx
00403B33|.8B45 08 mov eax, dword ptr
00403B36|.50 push eax
00403B37|.8B08 mov ecx, dword ptr
00403B39|.FF51 08 call dword ptr
00403B3C|.8B45 FC mov eax, dword ptr
00403B3F|.8B4D EC mov ecx, dword ptr
00403B42|.5F pop edi
00403B43|.5E pop esi
00403B44|.64:890D 00000000 mov dword ptr fs:, ecx
00403B4B|.5B pop ebx
00403B4C|.8BE5 mov esp, ebp
00403B4E|.5D pop ebp
00403B4F\.C2 0400 retn 4
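The four constants above are VB Doubles, and the listing shows only their two 32-bit halves (the low dword stored at the lower address, the high dword just after it). The following Python snippet is an editor's example added here, not code from the original write-up or from the CrackMe: it reassembles each dword pair into an IEEE-754 double and checks that the four results are exactly the MD5 initial state words A, B, C, D from RFC 1321. The dword values are copied from the listing; the function names are my own. This is a quick way to confirm an "MD5" identification from the constants alone, before spending time stepping through the rounds.

```python
import struct

# (low dword, high dword) pairs written at 00403A9E, 00403AC6, 00403AEE and 00403B16
# in the listing above; each pair is one little-endian IEEE-754 double (low dword first)
MD5_INIT_DOUBLES = [
    (0xC0400000, 0x41D9D148),
    (0x71200000, 0x41EDF9B5),
    (0x9FC00000, 0x41E3175B),
    (0x76000000, 0x41B03254),
]

# The standard MD5 initial state A, B, C, D from RFC 1321
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def double_from_dwords(low, high):
    """Reassemble the Double that a pair of 'mov dword ptr' stores leaves in memory."""
    return struct.unpack("<d", struct.pack("<II", low, high))[0]


def decode_constants(pairs=MD5_INIT_DOUBLES):
    """Decode each pair and insist the result is an exact unsigned 32-bit integer."""
    words = []
    for low, high in pairs:
        value = double_from_dwords(low, high)
        if value != int(value) or not 0 <= value < 2 ** 32:
            raise ValueError(f"{low:08X}/{high:08X} does not encode a 32-bit word: {value!r}")
        words.append(int(value))
    return tuple(words)


def matches_md5_iv(pairs=MD5_INIT_DOUBLES):
    """True when the four Doubles are exactly the MD5 initialisation words, in order."""
    return decode_constants(pairs) == MD5_IV


if __name__ == "__main__":
    for word in decode_constants():
        print(f"0x{word:08X} = {float(word)}")
    print("MD5 IV:", matches_md5_iv())
```

If an author had tweaked even one of these words the check would fail, which is exactly the situation where a routine that looks like MD5 no longer produces standard MD5 digests; decoding the constants first saves chasing that surprise later.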
Pressing F7 on the call dword ptr at 004064A1 lands here:
004067F0 > \55 push ebp
004067F1 .8BEC mov ebp, esp
004067F3 .83EC 0C sub esp, 0C
004067F6 .68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE handler installation
004067FB .64:A1 00000000 mov eax, dword ptr fs:
00406801 .50 push eax
00406802 .64:8925 00000000 mov dword ptr fs:, esp
00406809 .81EC B4000000 sub esp, 0B4
0040680F .53 push ebx
00406810 .56 push esi
00406811 .57 push edi
00406812 .8965 F4 mov dword ptr , esp
00406815 .C745 F8 D8124000 mov dword ptr , 004012D8
0040681C .33F6 xor esi, esi
0040681E .8975 FC mov dword ptr , esi
00406821 .8B45 08 mov eax, dword ptr
00406824 .50 push eax
00406825 .8B08 mov ecx, dword ptr
00406827 .FF51 04 call dword ptr
0040682A .8B55 0C mov edx, dword ptr
0040682D .B8 02000000 mov eax, 2
00406832 .8975 88 mov dword ptr , esi
00406835 .89B5 78FFFFFF mov dword ptr , esi
0040683B .89B5 68FFFFFF mov dword ptr , esi
00406841 .B9 01000000 mov ecx, 1
00406846 .8945 88 mov dword ptr , eax
00406849 .8985 78FFFFFF mov dword ptr , eax
0040684F .8985 68FFFFFF mov dword ptr , eax
00406855 .894D 90 mov dword ptr , ecx
00406858 .898D 70FFFFFF mov dword ptr , ecx
0040685E .8D45 88 lea eax, dword ptr
00406861 .8932 mov dword ptr , esi
00406863 .8D8D 78FFFFFF lea ecx, dword ptr
00406869 .50 push eax ; /Step8
0040686A .8D95 68FFFFFF lea edx, dword ptr ; |
00406870 .51 push ecx ; |End8
00406871 .8D85 44FFFFFF lea eax, dword ptr ; |
00406877 .52 push edx ; |Start8
00406878 .8D8D 54FFFFFF lea ecx, dword ptr ; |
0040687E .50 push eax ; |TMPend8
0040687F .8D55 D8 lea edx, dword ptr ; |
00406882 .51 push ecx ; |TMPstep8
00406883 .52 push edx ; |Counter8
00406884 .8975 E8 mov dword ptr , esi ; |
00406887 .8975 D8 mov dword ptr , esi ; |
0040688A .8975 C8 mov dword ptr , esi ; |
0040688D .8975 B8 mov dword ptr , esi ; |
00406890 .8975 A8 mov dword ptr , esi ; |
00406893 .8975 98 mov dword ptr , esi ; |
00406896 .89B5 54FFFFFF mov dword ptr , esi ; |
0040689C .89B5 44FFFFFF mov dword ptr , esi ; |
004068A2 .C745 80 08000000 mov dword ptr , 8 ; |
004068A9 .FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaVarForInit>>; \__vbaVarForInit
004068AF .8B35 58104000 mov esi, dword ptr [<&MSVBVM60.#594>] ;rtcRandomize function, random number generation
004068B5 .8B3D 14104000 mov edi, dword ptr [<&MSVBVM60.__vbaFreeVa>
004068BB .8B1D 58114000 mov ebx, dword ptr [<&MSVBVM60.__vbaStrMov>
004068C1 >85C0 test eax, eax
004068C3 .0F84 D9000000 je 004069A2
004068C9 .8D45 C8 lea eax, dword ptr
004068CC .C745 D0 04000280 mov dword ptr , 80020004
004068D3 .50 push eax
004068D4 .C745 C8 0A000000 mov dword ptr , 0A
004068DB .FFD6 call esi
004068DD .8D4D C8 lea ecx, dword ptr
004068E0 .FFD7 call edi
004068E2 .8D4D C8 lea ecx, dword ptr
004068E5 .C745 D0 04000280 mov dword ptr , 80020004
004068EC .51 push ecx ; /arg
004068ED .C745 C8 0A000000 mov dword ptr , 0A ; |
004068F4 .FF15 50104000 call dword ptr [<&MSVBVM60.#593>] ; \rtcRandomNext, produces a random number
004068FA .D99D 64FFFFFF fstp dword ptr ;the random number obtained, st=0.1904980731010437012
00406900 .D985 64FFFFFF fld dword ptr ;ss:=0.1904981
00406906 .D80D D4124000 fmul dword ptr ;multiplies the random number by the value at ds:, ds:=14.00000, a constant
0040690C .8B55 E8 mov edx, dword ptr
0040690F .8D4D A8 lea ecx, dword ptr
00406912 .8995 70FFFFFF mov dword ptr , edx
00406918 .C785 68FFFFFF 08>mov dword ptr , 8
00406922 .D805 D0124000 fadd dword ptr ;adds the value at ds: to the product, ds:=1.000000, a constant
00406928 .C745 B8 04000000 mov dword ptr , 4
0040692F .D95D C0 fstp dword ptr ;the resulting sum, st=3.6669730234146118168
00406932 .DFE0 fstsw ax
00406934 .A8 0D test al, 0D
00406936 .0F85 E3000000 jnz 00406A1F
0040693C .8D45 B8 lea eax, dword ptr
0040693F .50 push eax
00406940 .51 push ecx
00406941 .FF15 28114000 call dword ptr [<&MSVBVM60.#573>] ;rtcHexVarFromVar, converts the sum to an integer and then to a hex character
00406947 .8D95 68FFFFFF lea edx, dword ptr
0040694D .8D45 A8 lea eax, dword ptr
00406950 .52 push edx
00406951 .8D4D 98 lea ecx, dword ptr
00406954 .50 push eax
00406955 .51 push ecx
00406956 .FF15 F8104000 call dword ptr [<&MSVBVM60.__vbaVarCat>] ;__vbaVarCat, joins the characters obtained in order
0040695C .50 push eax
0040695D .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>;
00406963 .8BD0 mov edx, eax ;the joined string, EAX="43E53E47"
00406965 .8D4D E8 lea ecx, dword ptr
00406968 .FFD3 call ebx
0040696A .8D55 98 lea edx, dword ptr
0040696D .8D45 A8 lea eax, dword ptr
00406970 .52 push edx
00406971 .8D4D B8 lea ecx, dword ptr
00406974 .50 push eax
00406975 .8D55 C8 lea edx, dword ptr
00406978 .51 push ecx
00406979 .52 push edx
0040697A .6A 04 push 4
0040697C .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00406982 .83C4 14 add esp, 14
00406985 .8D85 44FFFFFF lea eax, dword ptr
0040698B .8D8D 54FFFFFF lea ecx, dword ptr
00406991 .8D55 D8 lea edx, dword ptr
00406994 .50 push eax ; /TMPend8
00406995 .51 push ecx ; |TMPstep8
00406996 .52 push edx ; |Counter8
00406997 .FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarForNext>>; \__vbaVarForNext
0040699D .^ E9 1FFFFFFF jmp 004068C1
004069A2 >9B wait
004069A3 .68 F8694000 push 004069F8
004069A8 .EB 2B jmp short 004069D5
004069AA .F645 FC 04 test byte ptr , 4
004069AE .74 09 je short 004069B9
004069B0 .8D4D E8 lea ecx, dword ptr
004069B3 .FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004069B9 >8D45 98 lea eax, dword ptr
004069BC .8D4D A8 lea ecx, dword ptr
004069BF .50 push eax
004069C0 .8D55 B8 lea edx, dword ptr
004069C3 .51 push ecx
004069C4 .8D45 C8 lea eax, dword ptr
004069C7 .52 push edx
004069C8 .50 push eax
004069C9 .6A 04 push 4
004069CB .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
004069D1 .83C4 14 add esp, 14
004069D4 .C3 retn
004069D5 >8D8D 44FFFFFF lea ecx, dword ptr
004069DB .8D95 54FFFFFF lea edx, dword ptr
004069E1 .51 push ecx
004069E2 .52 push edx
004069E3 .6A 02 push 2
004069E5 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
004069EB .83C4 0C add esp, 0C
004069EE .8D4D D8 lea ecx, dword ptr
004069F1 .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
004069F7 .C3 retn
004069F8 .8B45 08 mov eax, dword ptr
004069FB .50 push eax
004069FC .8B08 mov ecx, dword ptr
004069FE .FF51 08 call dword ptr
00406A01 .8B55 0C mov edx, dword ptr
00406A04 .8B45 E8 mov eax, dword ptr
00406A07 .8902 mov dword ptr , eax
00406A09 .8B45 FC mov eax, dword ptr
00406A0C .8B4D EC mov ecx, dword ptr
00406A0F .5F pop edi
00406A10 .5E pop esi
00406A11 .64:890D 00000000 mov dword ptr fs:, ecx
00406A18 .5B pop ebx
00406A19 .8BE5 mov esp, ebp
00406A1B .5D pop ebp
00406A1C .C2 0800 retn 8
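Pulling the traced steps together: Hex(Abs(serial)), reverse, MD5, eight Mid() lookups driven by the random hex digits, UCase, MD5 again. The Python reconstruction below is an editor's example added here; it is neither the author's VB keygen source nor code from the CrackMe. The intermediate values from the trace (0xA8F54B03, "570AB4FD", "DF4BA075", the first digest "DD29C6AFF93CB721D4DE5817CDA9B441" and the index string "43E53E47") are embedded as constructed test inputs so each stage can be compared with the OllyDbg output. Function names are mine, and two assumptions are mine as well: that the VB MD5 routine hashes the ANSI bytes of the string (the rtcStrConvVar2 call with 0x80 = vbFromUnicode at 00402FA9), and that Hex() rounds the Single to the nearest whole number (the trace shows 3.667 becoming "4"). The example also handles the one index value that is not safe, a digit of 0, for which Mid() raises an error in VB.

```python
import hashlib
import random

# Values taken from the OllyDbg trace on the page (constructed test inputs for this example)
TRACE_SERIAL_DWORD = 0xA8F54B03                       # C: volume serial as returned by GetVolumeInformationA
TRACE_FIRST_MD5 = "DD29C6AFF93CB721D4DE5817CDA9B441"  # MD5("DF4BA075") as shown in the trace
TRACE_INDEX_STRING = "43E53E47"                       # the eight random hex digits from that run


def machine_code(volume_serial_dword):
    """VB reads the DWORD serial into a signed Long and takes Abs(): 0xA8F54B03 -> 1460319485."""
    if volume_serial_dword & 0x80000000:
        return abs(volume_serial_dword - (1 << 32))
    return volume_serial_dword


def hex_upper(value):
    """VB Hex() on a Long: upper-case, no padding, no prefix."""
    return format(value, "X")


def md5_upper(text):
    """The CrackMe's MD5 routine hashes the ANSI bytes of the string; ASCII assumed here."""
    return hashlib.md5(text.encode("ascii")).hexdigest().upper()


def random_index_string(length=8, seed=None):
    """Loop at 004068C1: Hex(Rnd * 14 + 1) eight times. Hex() rounds, so digits are 1..F."""
    rng = random.Random(seed)
    return "".join(hex_upper(int(rng.random() * 14 + 1 + 0.5)) for _ in range(length))


def pick_chars(md5_text, index_string):
    """Loop at 0040654B: Mid(md5_text, Val("&h" & digit), 1) for each digit, then UCase."""
    out = []
    for digit in index_string:
        pos = int(digit, 16)           # Val("&h4") = 4
        if pos == 0:
            # Mid() with Start = 0 raises run-time error 5 in VB; refuse instead of wrapping round
            raise ValueError("index digit 0 is not a valid Mid() start position")
        out.append(md5_text[pos - 1])  # Mid() positions are 1-based
    return "".join(out).upper()


def trace_steps(volume_serial_dword, index_string):
    """Return every intermediate value so each can be checked against the OllyDbg trace."""
    code = machine_code(volume_serial_dword)
    hex_code = hex_upper(code)
    reversed_code = hex_code[::-1]
    first_md5 = md5_upper(reversed_code)
    picked = pick_chars(first_md5, index_string)
    return {
        "machine_code": code,        # 1460319485
        "hex": hex_code,             # "570AB4FD"
        "reversed": reversed_code,   # "DF4BA075"
        "first_md5": first_md5,
        "picked": picked,
        "second_md5": md5_upper(picked),
    }


if __name__ == "__main__":
    for name, value in trace_steps(TRACE_SERIAL_DWORD, TRACE_INDEX_STRING).items():
        print(f"{name:13}: {value}")
```

Because the index string is regenerated from Rnd on every form initialization, the second digest differs from run to run even for the same volume serial; any check of the registration code therefore has to involve the per-run index string, which is why the form keeps both it (at offset 0x34) and the digest (at offset 0x38) as members.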
Clear the breakpoint set above, press Ctrl+G, enter the OK button event address 00405D20, click OK, F2 to set a breakpoint, F9 to run, and enter the registration information:
======================================
Machine code: 1460319485
Registration code: 9876543210abcde
======================================
Click the OK button and the program breaks immediately:
00405D20 > \55 push ebp ;F2 breakpoint here
00405D21 .8BEC mov ebp, esp
00405D23 .83EC 0C sub esp, 0C
00405D26 .68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler>;SE handler installation
00405D2B .64:A1 00000000 mov eax, dword ptr fs:
00405D31 .50 push eax
00405D32 .64:8925 00000000 mov dword ptr fs:, esp
00405D39 .81EC F8000000 sub esp, 0F8
00405D3F .53 push ebx
00405D40 .56 push esi
00405D41 .57 push edi
00405D42 .8965 F4 mov dword ptr , esp
00405D45 .C745 F8 B0124000 mov dword ptr , 004012B0
00405D4C .8B7D 08 mov edi, dword ptr
00405D4F .8BC7 mov eax, edi
00405D51 .83E0 01 and eax, 1
00405D54 .8945 FC mov dword ptr , eax
00405D57 .83E7 FE and edi, FFFFFFFE
00405D5A .57 push edi
00405D5B .897D 08 mov dword ptr , edi
00405D5E .8B0F mov ecx, dword ptr
00405D60 .FF51 04 call dword ptr
00405D63 .8B17 mov edx, dword ptr
00405D65 .33F6 xor esi, esi
00405D67 .57 push edi
00405D68 .8975 E8 mov dword ptr , esi
00405D6B .8975 D8 mov dword ptr , esi
00405D6E .8975 D4 mov dword ptr , esi
00405D71 .8975 D0 mov dword ptr , esi
00405D74 .8975 C0 mov dword ptr , esi
00405D77 .8975 BC mov dword ptr , esi
00405D7A .8975 B8 mov dword ptr , esi
00405D7D .8975 A8 mov dword ptr , esi
00405D80 .8975 98 mov dword ptr , esi
00405D83 .8975 88 mov dword ptr , esi
00405D86 .89B5 78FFFFFF mov dword ptr , esi
00405D8C .89B5 68FFFFFF mov dword ptr , esi
00405D92 .89B5 58FFFFFF mov dword ptr , esi
00405D98 .89B5 48FFFFFF mov dword ptr , esi
00405D9E .89B5 38FFFFFF mov dword ptr , esi
00405DA4 .89B5 18FFFFFF mov dword ptr , esi
00405DAA .89B5 08FFFFFF mov dword ptr , esi
00405DB0 .FF92 00030000 call dword ptr
00405DB6 .50 push eax
00405DB7 .8D45 B8 lea eax, dword ptr
00405DBA .50 push eax
00405DBB .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ;MSVBVM60.__vbaObjSet
00405DC1 .8BF8 mov edi, eax
00405DC3 .8D55 BC lea edx, dword ptr
00405DC6 .52 push edx
00405DC7 .57 push edi
00405DC8 .8B0F mov ecx, dword ptr
00405DCA .FF91 A0000000 call dword ptr
00405DD0 .3BC6 cmp eax, esi
00405DD2 .DBE2 fclex
00405DD4 .7D 12 jge short 00405DE8
00405DD6 .68 A0000000 push 0A0
00405DDB .68 20254000 push 00402520
00405DE0 .57 push edi
00405DE1 .50 push eax
00405DE2 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultC>
00405DE8 >8B45 BC mov eax, dword ptr ;registration code "9876543210abcde"
00405DEB .8D4D 98 lea ecx, dword ptr
00405DEE .8945 B0 mov dword ptr , eax
00405DF1 .8D45 A8 lea eax, dword ptr
00405DF4 .50 push eax
00405DF5 .51 push ecx
00405DF6 .8975 BC mov dword ptr , esi
00405DF9 .C745 A8 08000000 mov dword ptr , 8
00405E00 .FF15 70104000 call dword ptr [<&MSVBVM60.#522>] ;rtcLeftTrimVar, strip spaces from the left of the registration code
00405E06 .8B3D 18104000 mov edi, dword ptr [<&MSVBVM60.__vbaStr>
00405E0C .8D55 98 lea edx, dword ptr
00405E0F .52 push edx
00405E10 .FFD7 call edi
00405E12 .8B1D 58114000 mov ebx, dword ptr [<&MSVBVM60.__vbaStr>
00405E18 .8BD0 mov edx, eax
00405E1A .8D4D D0 lea ecx, dword ptr
00405E1D .FFD3 call ebx
00405E1F .8D4D B8 lea ecx, dword ptr
00405E22 .FF15 74114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>>
00405E28 .8D45 98 lea eax, dword ptr
00405E2B .8D4D A8 lea ecx, dword ptr
00405E2E .50 push eax
00405E2F .51 push ecx
00405E30 .6A 02 push 2
00405E32 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarL>
00405E38 .83C4 0C add esp, 0C
00405E3B .8D85 68FFFFFF lea eax, dword ptr
00405E41 .8D4D A8 lea ecx, dword ptr
00405E44 .8D55 D0 lea edx, dword ptr
00405E47 .50 push eax
00405E48 .51 push ecx
00405E49 .8995 70FFFFFF mov dword ptr , edx
00405E4F .C785 68FFFFFF 08400000 mov dword ptr , 4008
00405E59 .FF15 80104000 call dword ptr [<&MSVBVM60.#524>] ;rtcRightTrimVar, strip spaces from the right of the registration code
00405E5F .8D55 A8 lea edx, dword ptr
00405E62 .52 push edx
00405E63 .FFD7 call edi
00405E65 .8BD0 mov edx, eax
00405E67 .8D4D D0 lea ecx, dword ptr
00405E6A .FFD3 call ebx
00405E6C .8D4D A8 lea ecx, dword ptr
00405E6F .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>>
00405E75 .8D8D 68FFFFFF lea ecx, dword ptr
00405E7B .8D55 A8 lea edx, dword ptr
00405E7E .8D45 D0 lea eax, dword ptr
00405E81 .51 push ecx
00405E82 .52 push edx
00405E83 .8985 70FFFFFF mov dword ptr , eax
00405E89 .C785 68FFFFFF 08400000 mov dword ptr , 4008
00405E93 .FF15 9C104000 call dword ptr [<&MSVBVM60.#528>] ;rtcUpperCaseVar, convert the registration code to upper case
00405E99 .8D45 A8 lea eax, dword ptr
00405E9C .50 push eax
00405E9D .FFD7 call edi
00405E9F .8BD0 mov edx, eax
00405EA1 .8D4D D0 lea ecx, dword ptr
00405EA4 .FFD3 call ebx
00405EA6 .8D4D A8 lea ecx, dword ptr
00405EA9 .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>>
00405EAF .8B4D D0 mov ecx, dword ptr ;registration code after conversion to upper case: "9876543210ABCDE"
00405EB2 .8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vbaLen>
00405EB8 .51 push ecx ; /String
00405EB9 .FFD7 call edi ; \__vbaLenBstr, get the length of the registration code
00405EBB .83F8 0F cmp eax, 0F ;compare the registration code length with 0xF
00405EBE .0F85 9D020000 jnz 00406161 ;not equal means failure; patch point 1, change to NOP
00405EC4 .8B55 08 mov edx, dword ptr
00405EC7 .BE 01000000 mov esi, 1
00405ECC .89B5 70FFFFFF mov dword ptr , esi
00405ED2 .C785 68FFFFFF 02000000 mov dword ptr , 2
00405EDC .8D42 34 lea eax, dword ptr
00405EDF .8B42 34 mov eax, dword ptr ;random-number string generated by the program: "43E53E47"
00405EE2 .50 push eax ; /String
00405EE3 .FFD7 call edi ; \__vbaLenBstr, get the length of the string
00405EE5 .8D8D 68FFFFFF lea ecx, dword ptr
00405EEB .8985 60FFFFFF mov dword ptr , eax
00405EF1 .8D95 58FFFFFF lea edx, dword ptr
00405EF7 .51 push ecx ; /Step8
00405EF8 .8D85 48FFFFFF lea eax, dword ptr ; |
00405EFE .52 push edx ; |End8
00405EFF .8D8D 08FFFFFF lea ecx, dword ptr ; |
00405F05 .50 push eax ; |Start8
00405F06 .8D95 18FFFFFF lea edx, dword ptr ; |
00405F0C .51 push ecx ; |TMPend8
00405F0D .8D45 D8 lea eax, dword ptr ; |
00405F10 .52 push edx ; |TMPstep8
00405F11 .50 push eax ; |Counter8
00405F12 .C785 58FFFFFF 03000000 mov dword ptr , 3 ; |
00405F1C .89B5 50FFFFFF mov dword ptr , esi ; |
00405F22 .C785 48FFFFFF 02000000 mov dword ptr , 2 ; |
00405F2C .FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaVarForIn>; \__vbaVarForInit
00405F32 .8B35 84104000 mov esi, dword ptr [<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
00405F38 .8B3D F8104000 mov edi, dword ptr [<&MSVBVM60.__vbaVar>;MSVBVM60.__vbaVarCat
00405F3E >85C0 test eax, eax
00405F40 .0F84 4A010000 je 00406090
00405F46 .8B4D 08 mov ecx, dword ptr
00405F49 .8D55 A8 lea edx, dword ptr
00405F4C .52 push edx
00405F4D .C745 B0 01000000 mov dword ptr , 1
00405F54 .8D41 34 lea eax, dword ptr
00405F57 .C745 A8 02000000 mov dword ptr , 2
00405F5E .8985 70FFFFFF mov dword ptr , eax
00405F64 .8D45 D8 lea eax, dword ptr
00405F67 .50 push eax
00405F68 .C785 68FFFFFF 08400000 mov dword ptr , 4008
00405F72 .FF15 44114000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00405F78 .8D8D 68FFFFFF lea ecx, dword ptr
00405F7E .50 push eax
00405F7F .8D55 98 lea edx, dword ptr
00405F82 .51 push ecx
00405F83 .52 push edx
00405F84 .FFD6 call esi
00405F86 .8D55 98 lea edx, dword ptr
00405F89 .8D4D C0 lea ecx, dword ptr
00405F8C .FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaVarMove>>;
00405F92 .8D4D A8 lea ecx, dword ptr
00405F95 .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>>
00405F9B .8D85 68FFFFFF lea eax, dword ptr
00405FA1 .8D4D C0 lea ecx, dword ptr
00405FA4 .50 push eax
00405FA5 .8D55 A8 lea edx, dword ptr
00405FA8 .51 push ecx
00405FA9 .52 push edx
00405FAA .C785 70FFFFFF 34254000 mov dword ptr , 00402534 ;&h
00405FB4 .C785 68FFFFFF 08000000 mov dword ptr , 8
00405FBE .FFD7 call edi ;__vbaVarCat, prepend "&h" to the extracted character, i.e. interpret it as hexadecimal
00405FC0 .50 push eax ; /String8
00405FC1 .8D45 BC lea eax, dword ptr ; |
00405FC4 .50 push eax ; |ARG2
00405FC5 .FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaStrVarVa>; \__vbaStrVarVal
00405FCB .50 push eax ;EAX="&h4"
00405FCC .FF15 78114000 call dword ptr [<&MSVBVM60.#581>] ;rtcR8ValFromBstr
00405FD2 .DD9D 30FFFFFF fstp qword ptr ;st=4.0000000000000000000
00405FD8 .8B4D D4 mov ecx, dword ptr
00405FDB .8D45 98 lea eax, dword ptr
00405FDE .DD85 30FFFFFF fld qword ptr
00405FE4 .8D55 D0 lea edx, dword ptr
00405FE7 .50 push eax
00405FE8 .898D 40FFFFFF mov dword ptr , ecx
00405FEE .C785 38FFFFFF 08000000 mov dword ptr , 8
00405FF8 .C745 A0 01000000 mov dword ptr , 1
00405FFF .C745 98 02000000 mov dword ptr , 2
00406006 .8995 60FFFFFF mov dword ptr , edx
0040600C .C785 58FFFFFF 08400000 mov dword ptr , 4008
00406016 .FF15 50114000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ;convert the floating-point value to an integer
0040601C .8D8D 58FFFFFF lea ecx, dword ptr
00406022 .50 push eax ;EAX=0x4
00406023 .8D55 88 lea edx, dword ptr
00406026 .51 push ecx
00406027 .52 push edx
00406028 .FFD6 call esi ;rtcMidCharVar, take the character at position EAX from the registration code "9876543210ABCDE"
0040602A .8D85 38FFFFFF lea eax, dword ptr
00406030 .8D4D 88 lea ecx, dword ptr
00406033 .50 push eax
00406034 .8D95 78FFFFFF lea edx, dword ptr
0040603A .51 push ecx
0040603B .52 push edx
0040603C .FFD7 call edi ;__vbaVarCat, concatenate the extracted characters in order
0040603E .50 push eax
0040603F .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMo>;MSVBVM60.__vbaStrVarMove
00406045 .8BD0 mov edx, eax ;EAX="67D57D63"
00406047 .8D4D D4 lea ecx, dword ptr
0040604A .FFD3 call ebx
0040604C .8D4D BC lea ecx, dword ptr
0040604F .FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>>
00406055 .8D85 78FFFFFF lea eax, dword ptr
0040605B .8D4D 88 lea ecx, dword ptr
0040605E .50 push eax
0040605F .8D55 98 lea edx, dword ptr
00406062 .51 push ecx
00406063 .8D45 A8 lea eax, dword ptr
00406066 .52 push edx
00406067 .50 push eax
00406068 .6A 04 push 4
0040606A .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarL>
00406070 .83C4 14 add esp, 14
00406073 .8D8D 08FFFFFF lea ecx, dword ptr
00406079 .8D95 18FFFFFF lea edx, dword ptr
0040607F .51 push ecx ; /TMPend8
00406080 .8D45 D8 lea eax, dword ptr ; |
00406083 .52 push edx ; |TMPstep8
00406084 .50 push eax ; |Counter8
00406085 .FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarForNe>; \__vbaVarForNext
0040608B .^ E9 AEFEFFFF jmp 00405F3E
00406090 >8B75 08 mov esi, dword ptr
00406093 .8D55 BC lea edx, dword ptr
00406096 .8D45 D4 lea eax, dword ptr
00406099 .52 push edx
0040609A .8B0E mov ecx, dword ptr
0040609C .50 push eax
0040609D .56 push esi
0040609E .FF91 18070000 call dword ptr ;same CALL as at 004066EB: MD5-hash the string "67D57D63"
004060A4 .85C0 test eax, eax
004060A6 .7D 12 jge short 004060BA
004060A8 .68 18070000 push 718
004060AD .68 40224000 push 00402240
004060B2 .56 push esi
004060B3 .50 push eax
004060B4 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultC>
004060BA >8B55 BC mov edx, dword ptr
004060BD .8D4D E8 lea ecx, dword ptr
004060C0 .C745 BC 00000000 mov dword ptr , 0
004060C7 .FFD3 call ebx
004060C9 .8B4D E8 mov ecx, dword ptr ;MD5 computed from the registration code
004060CC .8B56 38 mov edx, dword ptr ;MD5 computed from the machine code
004060CF .51 push ecx ;MD5("67D57D63")="06B0BF7EF2CED98E9E803C4D1C596D3D"
004060D0 .52 push edx ;MD5("927C279")="9E7F4ED9D6D89E0FD8A4F75B68809F81"
004060D1 .FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ;compare whether the two MD5 values are equal
004060D7 .85C0 test eax, eax
004060D9 .0F85 80000000 jnz 0040615F ;not equal means failure; patch point 2, change to NOP
004060DF .8B06 mov eax, dword ptr
004060E1 .56 push esi
004060E2 .FF90 00030000 call dword ptr
004060E8 .8B3D 60104000 mov edi, dword ptr [<&MSVBVM60.__vbaObj>
004060EE .8D4D B8 lea ecx, dword ptr
004060F1 .50 push eax
004060F2 .51 push ecx
004060F3 .FFD7 call edi
004060F5 .8BD8 mov ebx, eax
004060F7 .6A 00 push 0
004060F9 .53 push ebx
004060FA .8B13 mov edx, dword ptr
004060FC .FF92 8C000000 call dword ptr
00406102 .85C0 test eax, eax
00406104 .DBE2 fclex
00406106 .7D 12 jge short 0040611A
00406108 .68 8C000000 push 8C
-----------------------------------------------------------------------------------------------
【Cracking summary】
1. The program calls GetVolumeInformationA to obtain the volume serial number of drive C, takes its absolute value and uses the decimal representation as the machine code.
2. The machine code is written as a hexadecimal string, the string is reversed and MD5-hashed; the resulting MD5 string is denoted str1.
3. The program calls rtcRandomize to generate 8 random numbers in the range 0-0xF; the characters of str1 at the corresponding positions are taken and concatenated into a string denoted str2.
4. str2 is MD5-hashed; the resulting string is denoted str3.
5. Leading and trailing spaces are stripped from the registration code, and the stripped code is checked to be 0xF (15) characters long.
6. The registration code is converted to upper case; using the random numbers from step 3, the characters at the corresponding positions of the registration code are taken and concatenated into a string denoted str4.
7. str4 is MD5-hashed; the resulting string is denoted str5.
8. str3 and str5 are compared; if they are equal, registration succeeds.
9. From this analysis: write the machine code as a hexadecimal string, reverse it, MD5-hash it, and the first 15 characters of the MD5 value are the registration code.
A working set of registration information:
==========================================
Machine code: 1460319485
Registration code: DD29C6AFF93CB72
==========================================
To patch, change the following two locations:
00405EBE jnz 00406161 ;jnz====>NOP
004060D9 jnz 0040615F ;jnz====>NOP
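To see why step 9 satisfies the check, here is an added Python model of both the OK-button verifier (steps 2 to 8) and the keygen (step 9); it is my own code, not the CrackMe's or the author's. It assumes the hex string is formatted like VB's Hex$ (upper case, no padding), 1-based Mid$ semantics for the random positions, and an MD5 routine returning the upper-case hex digest; it goes slightly beyond the text by running the verifier against the keygen output with the page's random string "43E53E47".

```python
import hashlib

def md5_hex(s: str) -> str:
    """Upper-case hex MD5 of an ASCII string (the CrackMe's MD5 routine shows upper case)."""
    return hashlib.md5(s.encode("ascii")).hexdigest().upper()

def vb_mid_char(s: str, start: int) -> str:
    """Model VB6 Mid$(s, start, 1): 1-based, "" past the end, runtime error for start < 1."""
    if start < 1:
        raise ValueError("Mid: start must be >= 1 (VB runtime error 5)")
    return s[start - 1] if start <= len(s) else ""

def str1_from_machine_code(machine_code: str) -> str:
    """Step 2: machine code as an upper-case, unpadded hex string (like Hex$), reversed, MD5-hashed."""
    hex_str = format(int(machine_code), "X")
    return md5_hex(hex_str[::-1])

def pick_chars(s: str, random_hex: str) -> str:
    """Steps 3 and 6: each nibble of the random string ("&h" + char in VB) is a Mid position in s."""
    return "".join(vb_mid_char(s, int(nibble, 16)) for nibble in random_hex)

def check_registration(machine_code: str, reg_code: str, random_hex: str) -> bool:
    """The OK-button check: trim, require 15 chars, upper-case, compare MD5(str2) with MD5(str4)."""
    str3 = md5_hex(pick_chars(str1_from_machine_code(machine_code), random_hex))
    code = reg_code.strip().upper()
    if len(code) != 0xF:            # the length check at 00405EBB
        return False
    str5 = md5_hex(pick_chars(code, random_hex))
    return str3 == str5             # the __vbaStrCmp at 004060D1

def keygen(machine_code: str) -> str:
    """Step 9: the first 15 characters of str1 agree with str1 at every position 1..15."""
    return str1_from_machine_code(machine_code)[:15]

if __name__ == "__main__":
    mc = "1460319485"               # the machine code used on the page
    print(keygen(mc), check_registration(mc, keygen(mc), "43E53E47"))
```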
【VB keygen source】
'Define a decimal-to-hexadecimal conversion function so that the conversion does not go wrong
'when the machine code is a large value (the arithmetic is done in Doubles)
Public Function DEC_to_HEX(ByVal x As String) As String
    Dim Dec As Double
    Dim Temp As Double
    Dim Remain As Double
    Dec = Val(x)
    Do
        Remain = Int(Dec / 16)
        Temp = Remain * 16
        DEC_to_HEX = Hex(Dec - Temp) & DEC_to_HEX    'prepend the lowest hex digit
        Dec = Remain
    Loop While Dec
    If Len(DEC_to_HEX) Mod 2 Then
        DEC_to_HEX = "" & DEC_to_HEX                 'even-length padding (the pad string is empty as written, so this is a no-op)
    End If
End Function

'Generate button: Text1 holds the machine code, Text2 receives the registration code.
'MD5() is an external helper (an MD5 module or class returning the upper-case hex digest) that must be added to the project.
Private Sub Generate_Click()
    On Error Resume Next
    Dim MachineCode As String
    Dim RegCode As String
    MachineCode = Trim(Text1.Text)
    MachineCode = DEC_to_HEX(MachineCode)        'machine code as a hex string
    MachineCode = StrReverse(MachineCode)        'reverse the hex string
    RegCode = Left(MD5(MachineCode), 15)         'first 15 characters of the MD5 are the registration code
    Text2.Text = RegCode
End Sub
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!
Here's a screenshot :)

Bumping this, OP is great!

Too far from my level, can't learn from it.

Originally posted by lgjxj on 2010-4-15 19:02:
Too far from my level, can't learn from it.
Same here, same here.

The CM killer hasn't shown up for a long time :good

The master above really hasn't shown up for ages; much admired.

Thanks.

Learning from this.

Reposted from Pediy!
A Brief Discussion of VB6 Reverse Engineering, by MengLong: http://bbs.pediy.com/showthread.php?t=8794
http://bbs.pediy.com/showthread.php?t=8835
http://bbs.pediy.com/showthread.php?t=8914
http://bbs.pediy.com/showthread.php?t=8992
http://bbs.pediy.com/showthread.php?t=8993

Passing by, read it, felt it, good post!