简单的 Skip Manager 1.79注册算法
【破文标题】Skip Manager 1.79注册算法【破文作者】XXNB
【作者邮箱】支持PYG
【作者主页】binbinbin7456.ys168.com
【破解工具】OD
【破解平台】XPsp2
【软件名称】Skip Manager 1.79
【软件大小】17834KB
【原版下载】http://www.newhua.com/soft/53764.htm
【保护方式】码
【软件简介】一款能让你在系统中设置所要“忽略”项目的软件。项目被设置为忽略后,系统便会自动忽略对该项目的存取动作,从而加快系统的运行速度。
【破解声明】菜鸟向高手学习!只为学习!
------------------------------------------------------------------------
【破解过程】
1、老罗的字符串查找Unicode“registered”可以轻松定位。
004FB250 > \55 push ebp
004FB251 .8BEC mov ebp, esp
004FB253 .83EC 0C sub esp, 0C
004FB256 .68 F62E4000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
004FB25B .64:A1 0000000>mov eax, dword ptr fs:
004FB261 .50 push eax
004FB262 .64:8925 00000>mov dword ptr fs:, esp
004FB269 .81EC B8000000 sub esp, 0B8
004FB26F .53 push ebx
004FB270 .56 push esi
004FB271 .57 push edi
004FB272 .8965 F4 mov dword ptr , esp
004FB275 .C745 F8 88284>mov dword ptr , 00402888
004FB27C .8B75 08 mov esi, dword ptr
004FB27F .8BC6 mov eax, esi
004FB281 .83E0 01 and eax, 1
004FB284 .8945 FC mov dword ptr , eax
004FB287 .83E6 FE and esi, FFFFFFFE
004FB28A .8B0E mov ecx, dword ptr
004FB28C .56 push esi
004FB28D .8975 08 mov dword ptr , esi
004FB290 .FF51 04 call dword ptr
004FB293 .8B16 mov edx, dword ptr
004FB295 .33FF xor edi, edi
004FB297 .56 push esi
004FB298 .897D E8 mov dword ptr , edi
004FB29B .897D E4 mov dword ptr , edi
004FB29E .897D E0 mov dword ptr , edi
004FB2A1 .897D DC mov dword ptr , edi
004FB2A4 .897D CC mov dword ptr , edi
004FB2A7 .897D BC mov dword ptr , edi
004FB2AA .897D AC mov dword ptr , edi
004FB2AD .897D 9C mov dword ptr , edi
004FB2B0 .897D 8C mov dword ptr , edi
004FB2B3 .89BD 7CFFFFFF mov dword ptr , edi
004FB2B9 .FF92 08030000 call dword ptr
004FB2BF .8B1D B0104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaObjSet
004FB2C5 .50 push eax
004FB2C6 .8D45 E0 lea eax, dword ptr
004FB2C9 .50 push eax
004FB2CA .FFD3 call ebx ;<&MSVBVM60.__vbaObjSet>
004FB2CC .8B08 mov ecx, dword ptr
004FB2CE .8D55 E8 lea edx, dword ptr
004FB2D1 .52 push edx
004FB2D2 .50 push eax
004FB2D3 .8985 58FFFFFF mov dword ptr , eax
004FB2D9 .FF91 A0000000 call dword ptr
004FB2DF .DBE2 fclex
004FB2E1 .3BC7 cmp eax, edi
004FB2E3 .7D 18 jge short 004FB2FD
004FB2E5 .8B8D 58FFFFFF mov ecx, dword ptr
004FB2EB .68 A0000000 push 0A0 ; /Arg4 = 000000A0
004FB2F0 .68 48554200 push 00425548 ; |Arg3 = 00425548
004FB2F5 .51 push ecx ; |Arg2
004FB2F6 .50 push eax ; |Arg1
004FB2F7 .FF15 78104000 call dword ptr [<&MSVBVM60.__vbaHresu>; \__vbaHresultCheckObj
004FB2FD >8B55 E8 mov edx, dword ptr ;照例,假码出现了
004FB300 .8D4D E4 lea ecx, dword ptr
004FB303 .897D E8 mov dword ptr , edi
004FB306 .FF15 68124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
004FB30C .8D55 E4 lea edx, dword ptr ;移动到eax
004FB30F .52 push edx
004FB310 .8D45 CC lea eax, dword ptr
004FB313 .50 push eax
004FB314 .E8 4780F9FF call 00493360 ;这个放眼都猜到是算法call。跟进看看《《《《《----
004FB319 .8D4D CC lea ecx, dword ptr
004FB31C .51 push ecx
004FB31D .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaBoolV>;MSVBVM60.__vbaBoolVarNull
004FB323 .8D4D E4 lea ecx, dword ptr
004FB326 .66:8985 50FFF>mov word ptr , ax
004FB32D .FF15 98124000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
004FB333 .8D4D E0 lea ecx, dword ptr
004FB336 .FF15 94124000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
004FB33C .8D4D CC lea ecx, dword ptr
004FB33F .FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
004FB345 .66:39BD 50FFF>cmp word ptr , di
004FB34C .B9 04000280 mov ecx, 80020004
004FB351 .B8 0A000000 mov eax, 0A
004FB356 .894D A4 mov dword ptr , ecx
004FB359 .8945 9C mov dword ptr , eax
004FB35C .894D B4 mov dword ptr , ecx
004FB35F .8945 AC mov dword ptr , eax
004FB362 .894D C4 mov dword ptr , ecx
004FB365 .8945 BC mov dword ptr , eax
004FB368 .0F84 C1010000 je 004FB52F ;关键跳转
004FB36E .8D55 8C lea edx, dword ptr
004FB371 .8D4D CC lea ecx, dword ptr ;成功信息
004FB374 .C745 94 98F84>mov dword ptr , 0042F898 ;thank you.your product is now registered.
004FB37B .C745 8C 08000>mov dword ptr , 8
004FB382 .FF15 34124000 call dword ptr [<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup
004FB388 .8D55 9C lea edx, dword ptr
004FB38B .52 push edx
004FB38C .8D45 AC lea eax, dword ptr
........
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2、
00493360 $55 push ebp
00493361 .8BEC mov ebp, esp
00493363 .83EC 0C sub esp, 0C
00493366 .68 F62E4000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
0049336B .64:A1 0000000>mov eax, dword ptr fs:
00493371 .50 push eax
00493372 .64:8925 00000>mov dword ptr fs:, esp
00493379 .81EC 00040000 sub esp, 400
0049337F .53 push ebx
00493380 .56 push esi
00493381 .57 push edi
00493382 .8965 F4 mov dword ptr , esp
00493385 .C745 F8 10144>mov dword ptr , 00401410
0049338C .33F6 xor esi, esi
0049338E .8D95 0CFDFFFF lea edx, dword ptr
00493394 .8D8D 7CFFFFFF lea ecx, dword ptr
0049339A .8975 DC mov dword ptr , esi
0049339D .8975 CC mov dword ptr , esi
004933A0 .8975 BC mov dword ptr , esi
004933A3 .8975 B8 mov dword ptr , esi
004933A6 .8975 B4 mov dword ptr , esi
004933A9 .8975 B0 mov dword ptr , esi
004933AC .8975 AC mov dword ptr , esi
004933AF .8975 A8 mov dword ptr , esi
004933B2 .8975 A4 mov dword ptr , esi
004933B5 .8975 A0 mov dword ptr , esi
004933B8 .8975 9C mov dword ptr , esi
004933BB .8975 98 mov dword ptr , esi
004933BE .8975 94 mov dword ptr , esi
004933C1 .8975 90 mov dword ptr , esi
004933C4 .8975 8C mov dword ptr , esi
004933C7 .89B5 7CFFFFFF mov dword ptr , esi
004933CD .89B5 6CFFFFFF mov dword ptr , esi
004933D3 .89B5 5CFFFFFF mov dword ptr , esi
004933D9 .89B5 4CFFFFFF mov dword ptr , esi
004933DF .89B5 3CFFFFFF mov dword ptr , esi
004933E5 .89B5 2CFFFFFF mov dword ptr , esi
004933EB .89B5 1CFFFFFF mov dword ptr , esi
004933F1 .89B5 0CFFFFFF mov dword ptr , esi
004933F7 .89B5 FCFEFFFF mov dword ptr , esi
004933FD .89B5 ECFEFFFF mov dword ptr , esi
00493403 .89B5 DCFEFFFF mov dword ptr , esi
00493409 .89B5 CCFEFFFF mov dword ptr , esi
0049340F .89B5 BCFEFFFF mov dword ptr , esi
00493415 .89B5 ACFEFFFF mov dword ptr , esi
0049341B .89B5 9CFEFFFF mov dword ptr , esi
00493421 .89B5 8CFEFFFF mov dword ptr , esi
00493427 .89B5 7CFEFFFF mov dword ptr , esi
0049342D .89B5 6CFEFFFF mov dword ptr , esi
00493433 .89B5 5CFEFFFF mov dword ptr , esi
00493439 .89B5 4CFEFFFF mov dword ptr , esi
0049343F .89B5 3CFEFFFF mov dword ptr , esi
00493445 .89B5 2CFEFFFF mov dword ptr , esi
0049344B .89B5 1CFEFFFF mov dword ptr , esi
00493451 .89B5 0CFEFFFF mov dword ptr , esi
00493457 .89B5 FCFDFFFF mov dword ptr , esi
0049345D .89B5 ECFDFFFF mov dword ptr , esi
00493463 .89B5 DCFDFFFF mov dword ptr , esi
00493469 .89B5 CCFDFFFF mov dword ptr , esi
0049346F .89B5 BCFDFFFF mov dword ptr , esi
00493475 .89B5 ACFDFFFF mov dword ptr , esi
0049347B .89B5 9CFDFFFF mov dword ptr , esi
00493481 .89B5 8CFDFFFF mov dword ptr , esi
00493487 .89B5 7CFDFFFF mov dword ptr , esi
0049348D .89B5 6CFDFFFF mov dword ptr , esi
00493493 .89B5 5CFDFFFF mov dword ptr , esi
00493499 .89B5 4CFDFFFF mov dword ptr , esi
0049349F .89B5 3CFDFFFF mov dword ptr , esi
004934A5 .89B5 2CFDFFFF mov dword ptr , esi
004934AB .89B5 1CFDFFFF mov dword ptr , esi
004934B1 .C785 04FDFFFF>mov dword ptr , 1EE86000 ;常数518545408
004934BB .C785 08FDFFFF>mov dword ptr , 426CBE99 ;常数1114422937
004934C5 .C785 FCFCFFFF>mov dword ptr , 5 ;常数
004934CF .C785 14FDFFFF>mov dword ptr , 00424C78 ;ssyynnddmmhh
004934D9 .C785 0CFDFFFF>mov dword ptr , 8 ;常数
004934E3 .FF15 34124000 call dword ptr [<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup
004934E9 .6A 01 push 1
004934EB .6A 01 push 1
004934ED .8D85 7CFFFFFF lea eax, dword ptr
004934F3 .50 push eax
004934F4 .8D8D 1CFDFFFF lea ecx, dword ptr
004934FA .51 push ecx
004934FB .8D95 6CFFFFFF lea edx, dword ptr
00493501 .52 push edx
00493502 .C785 24FDFFFF>mov dword ptr , 00522084
0049350C .C785 1CFDFFFF>mov dword ptr , 4008
00493516 .FF15 60104000 call dword ptr [<&MSVBVM60.#660>] ;MSVBVM60.rtcVarFromFormatVar
0049351C .8D85 FCFCFFFF lea eax, dword ptr
00493522 .50 push eax
00493523 .8D8D 6CFFFFFF lea ecx, dword ptr
00493529 .51 push ecx
0049352A .8D95 5CFFFFFF lea edx, dword ptr
00493530 .52 push edx
00493531 .FF15 00104000 call dword ptr [<&MSVBVM60.__vbaVarSu>;MSVBVM60.__vbaVarSub
00493537 .8BD0 mov edx, eax
00493539 .8D4D BC lea ecx, dword ptr
0049353C .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;MSVBVM60.__vbaVarMove
00493542 .8D85 6CFFFFFF lea eax, dword ptr
00493548 .50 push eax
00493549 .8D8D 7CFFFFFF lea ecx, dword ptr
0049354F .51 push ecx
00493550 .6A 02 push 2
00493552 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00493558 .8B3D E8104000 mov edi, dword ptr [<&MSVBVM60.#632>>;MSVBVM60.rtcMidCharVar
0049355E .83C4 0C add esp, 0C ;上面把 rtcMidChar函数赋给了edi,
00493561 .8D95 5CFFFFFF lea edx, dword ptr ;以后的call edi就是取字符了
00493567 .52 push edx
00493568 .6A 08 push 8 ;取第八位
0049356A .8D45 BC lea eax, dword ptr ;当然是取机器码的第八位了。下面就省略了
0049356D .50 push eax
0049356E .8D8D 4CFFFFFF lea ecx, dword ptr
00493574 .51 push ecx
00493575 .C785 64FFFFFF>mov dword ptr , 1
0049357F .C785 5CFFFFFF>mov dword ptr , 2 ;哪,下面这个call是取字符了,
00493589 .FFD7 call edi ;<&MSVBVM60.#632>
0049358B .8B1D A8114000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrVarVal
00493591 .8D95 4CFFFFFF lea edx, dword ptr
00493597 .52 push edx
00493598 .8D45 B4 lea eax, dword ptr
0049359B .50 push eax
0049359C .FFD3 call ebx ;<&MSVBVM60.__vbaStrVarVal>
0049359E .50 push eax
0049359F .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004935A5 .DD9D 34FCFFFF fstp qword ptr ;“8”。这个是上面取得的字符转成实数,准备计算好用
004935AB .8D8D 3CFFFFFF lea ecx, dword ptr
004935B1 .51 push ecx
004935B2 .B8 02000000 mov eax, 2 ;不过这里显示要取两个字符.
004935B7 .6A 0A push 0A ;同理,取第10位
004935B9 .8D55 BC lea edx, dword ptr
004935BC .8985 44FFFFFF mov dword ptr , eax
004935C2 .8985 3CFFFFFF mov dword ptr , eax
004935C8 .52 push edx
004935C9 .8D85 2CFFFFFF lea eax, dword ptr
004935CF .50 push eax
004935D0 .FFD7 call edi ;这里是Mid()
004935D2 .8D8D 2CFFFFFF lea ecx, dword ptr
004935D8 .51 push ecx
004935D9 .8D55 B0 lea edx, dword ptr
004935DC .52 push edx
004935DD .FFD3 call ebx
004935DF .50 push eax ;这里就得到了。“87”
004935E0 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004935E6 .DD9D 2CFCFFFF fstp qword ptr ;87
004935EC .8D85 1CFFFFFF lea eax, dword ptr
004935F2 .50 push eax
004935F3 .6A 0B push 0B ;取第11位数
004935F5 .8D4D BC lea ecx, dword ptr
004935F8 .51 push ecx
004935F9 .8D95 0CFFFFFF lea edx, dword ptr
004935FF .52 push edx
00493600 .C785 24FFFFFF>mov dword ptr , 1
0049360A .C785 1CFFFFFF>mov dword ptr , 2
00493614 .FFD7 call edi
00493616 .8D85 0CFFFFFF lea eax, dword ptr
0049361C .50 push eax
0049361D .8D4D AC lea ecx, dword ptr
00493620 .51 push ecx
00493621 .FFD3 call ebx
00493623 .50 push eax
00493624 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
0049362A .DD9D 24FCFFFF fstp qword ptr ;“7”
00493630 .8D95 9CFEFFFF lea edx, dword ptr
00493636 .52 push edx
00493637 .6A 01 push 1 ;取第一位
00493639 .8D45 BC lea eax, dword ptr
0049363C .50 push eax
0049363D .8D8D 8CFEFFFF lea ecx, dword ptr
00493643 .C785 A4FEFFFF>mov dword ptr , 1
0049364D .C785 9CFEFFFF>mov dword ptr , 2
00493657 .51 push ecx
00493658 .FFD7 call edi
0049365A .8D95 8CFEFFFF lea edx, dword ptr
00493660 .52 push edx
00493661 .8D45 A4 lea eax, dword ptr
00493664 .50 push eax
00493665 .FFD3 call ebx
00493667 .50 push eax
00493668 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
0049366E .DD9D 1CFCFFFF fstp qword ptr ;“5”
00493674 .8D8D 7CFEFFFF lea ecx, dword ptr
0049367A .51 push ecx
0049367B .B8 02000000 mov eax, 2 ;这里又显示要取两位了。
00493680 .6A 07 push 7 ;从第7位开始取
00493682 .8D55 BC lea edx, dword ptr
00493685 .8985 84FEFFFF mov dword ptr , eax
0049368B .8985 7CFEFFFF mov dword ptr , eax
00493691 .52 push edx
00493692 .8D85 6CFEFFFF lea eax, dword ptr
00493698 .50 push eax
00493699 .FFD7 call edi
0049369B .8D8D 6CFEFFFF lea ecx, dword ptr
004936A1 .51 push ecx
004936A2 .8D55 A0 lea edx, dword ptr
004936A5 .52 push edx
004936A6 .FFD3 call ebx
004936A8 .50 push eax ;取得“08”
004936A9 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004936AF .DD9D 14FCFFFF fstp qword ptr ;“8”转成实数当然去掉0
004936B5 .8D85 5CFEFFFF lea eax, dword ptr
004936BB .50 push eax
004936BC .6A 0C push 0C ;取第12位
004936BE .8D4D BC lea ecx, dword ptr
004936C1 .51 push ecx
004936C2 .8D95 4CFEFFFF lea edx, dword ptr
004936C8 .52 push edx
004936C9 .C785 64FEFFFF>mov dword ptr , 1
004936D3 .C785 5CFEFFFF>mov dword ptr , 2
004936DD .FFD7 call edi
004936DF .8D85 4CFEFFFF lea eax, dword ptr
004936E5 .50 push eax
004936E6 .8D4D 9C lea ecx, dword ptr
004936E9 .51 push ecx
004936EA .FFD3 call ebx
004936EC .50 push eax
004936ED .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004936F3 .DD9D 0CFCFFFF fstp qword ptr ;7
004936F9 .8D95 CCFDFFFF lea edx, dword ptr
004936FF .52 push edx
00493700 .6A 01 push 1 ;取第一位
00493702 .8D45 BC lea eax, dword ptr
00493705 .50 push eax
00493706 .8D8D BCFDFFFF lea ecx, dword ptr
0049370C .51 push ecx
0049370D .C785 D4FDFFFF>mov dword ptr , 1
00493717 .C785 CCFDFFFF>mov dword ptr , 2
00493721 .FFD7 call edi
00493723 .8D95 BCFDFFFF lea edx, dword ptr
00493729 .52 push edx
0049372A .8D45 94 lea eax, dword ptr
0049372D .50 push eax
0049372E .FFD3 call ebx
00493730 .50 push eax
00493731 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
00493737 .DD9D 04FCFFFF fstp qword ptr ;5
0049373D .8D8D ACFDFFFF lea ecx, dword ptr
00493743 .51 push ecx
00493744 .B8 02000000 mov eax, 2 ;又取两位
00493749 .6A 04 push 4 ;从第四位开始
0049374B .8D55 BC lea edx, dword ptr
0049374E .8985 B4FDFFFF mov dword ptr , eax
00493754 .8985 ACFDFFFF mov dword ptr , eax
0049375A .52 push edx
0049375B .8D85 9CFDFFFF lea eax, dword ptr
00493761 .50 push eax
00493762 .FFD7 call edi
00493764 .8D8D 9CFDFFFF lea ecx, dword ptr
0049376A .51 push ecx
0049376B .8D55 90 lea edx, dword ptr
0049376E .52 push edx
0049376F .FFD3 call ebx
00493771 .50 push eax ;得到“02”
00493772 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
00493778 .DD9D FCFBFFFF fstp qword ptr ;"2"转成实数,02就是2
0049377E .8D85 8CFDFFFF lea eax, dword ptr
00493784 .50 push eax
00493785 .6A 0A push 0A ;又取第十位
00493787 .8D4D BC lea ecx, dword ptr
0049378A .51 push ecx
0049378B .8D95 7CFDFFFF lea edx, dword ptr
00493791 .52 push edx
00493792 .C785 94FDFFFF>mov dword ptr , 1
0049379C .C785 8CFDFFFF>mov dword ptr , 2
004937A6 .FFD7 call edi
004937A8 .8D85 7CFDFFFF lea eax, dword ptr
004937AE .50 push eax
004937AF .8D4D 8C lea ecx, dword ptr
004937B2 .51 push ecx
004937B3 .FFD3 call ebx
004937B5 .50 push eax
004937B6 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004937BC .DD9D F4FBFFFF fstp qword ptr ;“8”
004937C2 .8D95 7CFFFFFF lea edx, dword ptr ;终于取完了。
004937C8 .52 push edx ;下面开始对取出来的数进行运算
004937C9 .6A 05 push 5 ;注意啊,这里还要取第五位。
004937CB .8D45 BC lea eax, dword ptr
004937CE .50 push eax
004937CF .8D8D 6CFFFFFF lea ecx, dword ptr
004937D5 .51 push ecx
004937D6 .C745 84 01000>mov dword ptr , 1
004937DD .C785 7CFFFFFF>mov dword ptr , 2
004937E7 .FFD7 call edi
004937E9 .8D95 6CFFFFFF lea edx, dword ptr
004937EF .52 push edx
004937F0 .8D45 B8 lea eax, dword ptr
004937F3 .50 push eax
004937F4 .FFD3 call ebx ;我的机器码:577020080877
004937F6 .50 push eax ;下面是取得的第五位直接参与运算。
004937F7 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004937FD .DC8D 34FCFFFF fmul qword ptr ;2*8
00493803 .DC8D 2CFCFFFF fmul qword ptr ;16*87
00493809 .DCA5 24FCFFFF fsub qword ptr ;1392-7
0049380F .DFE0 fstsw ax
00493811 .A8 0D test al, 0D
00493813 .0F85 FC040000 jnz 00493D15
00493819 .FF15 88124000 call dword ptr [<&MSVBVM60.__vbaFPInt>;MSVBVM60.__vbaFPInt
0049381F .DD9D 04FFFFFF fstp qword ptr ;1385。运算结果
00493825 .8D8D FCFEFFFF lea ecx, dword ptr
0049382B .51 push ecx
0049382C .8D95 ECFEFFFF lea edx, dword ptr
00493832 .52 push edx
00493833 .C785 FCFEFFFF>mov dword ptr , 5
0049383D .FF15 3C124000 call dword ptr [<&MSVBVM60.#613>] ;MSVBVM60.rtcVarStrFromVar
00493843 .8D85 ECFEFFFF lea eax, dword ptr
00493849 .50 push eax
0049384A .8D8D DCFEFFFF lea ecx, dword ptr
00493850 .51 push ecx
00493851 .FF15 D4104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00493857 .8D95 BCFEFFFF lea edx, dword ptr
0049385D .52 push edx
0049385E .6A 03 push 3 ;取第三位,然后直接运算
00493860 .8D45 BC lea eax, dword ptr
00493863 .50 push eax
00493864 .8D8D ACFEFFFF lea ecx, dword ptr
0049386A .51 push ecx
0049386B .C785 C4FEFFFF>mov dword ptr , 1
00493875 .C785 BCFEFFFF>mov dword ptr , 2
0049387F .FFD7 call edi
00493881 .8D95 ACFEFFFF lea edx, dword ptr
00493887 .52 push edx
00493888 .8D45 A8 lea eax, dword ptr
0049388B .50 push eax
0049388C .FFD3 call ebx
0049388E .50 push eax ;我的第三位是7。所以..
0049388F .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
00493895 .DC8D 1CFCFFFF fmul qword ptr ;7*5
0049389B .DC8D 14FCFFFF fmul qword ptr ;35*8
004938A1 .DCA5 0CFCFFFF fsub qword ptr ;280-7
004938A7 .DFE0 fstsw ax
004938A9 .A8 0D test al, 0D
004938AB .0F85 64040000 jnz 00493D15
004938B1 .FF15 88124000 call dword ptr [<&MSVBVM60.__vbaFPInt>;MSVBVM60.__vbaFPInt
004938B7 .DD9D 44FEFFFF fstp qword ptr ;273 运算结果
004938BD .8D8D 3CFEFFFF lea ecx, dword ptr
004938C3 .51 push ecx
004938C4 .8D95 2CFEFFFF lea edx, dword ptr
004938CA .52 push edx
004938CB .C785 3CFEFFFF>mov dword ptr , 5
004938D5 .FF15 3C124000 call dword ptr [<&MSVBVM60.#613>] ;MSVBVM60.rtcVarStrFromVar
004938DB .8D85 2CFEFFFF lea eax, dword ptr
004938E1 .50 push eax
004938E2 .8D8D 1CFEFFFF lea ecx, dword ptr
004938E8 .51 push ecx
004938E9 .FF15 D4104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
004938EF .8D95 ECFDFFFF lea edx, dword ptr
004938F5 .52 push edx
004938F6 .6A 01 push 1 ;取第一位直接运算
004938F8 .8D45 BC lea eax, dword ptr
004938FB .50 push eax
004938FC .8D8D DCFDFFFF lea ecx, dword ptr
00493902 .51 push ecx
00493903 .C785 F4FDFFFF>mov dword ptr , 1
0049390D .C785 ECFDFFFF>mov dword ptr , 2
00493917 .FFD7 call edi
00493919 .8D95 DCFDFFFF lea edx, dword ptr
0049391F .52 push edx
00493920 .8D45 98 lea eax, dword ptr
00493923 .50 push eax
00493924 .FFD3 call ebx
00493926 .50 push eax ;我的第一位是5
00493927 .FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
0049392D .DC8D 04FCFFFF fmul qword ptr ;5*5
00493933 .DC8D FCFBFFFF fmul qword ptr ;25*2
00493939 .DCA5 F4FBFFFF fsub qword ptr ;50-8
0049393F .DFE0 fstsw ax
00493941 .A8 0D test al, 0D
00493943 .0F85 CC030000 jnz 00493D15
00493949 .FF15 88124000 call dword ptr [<&MSVBVM60.__vbaFPInt>;MSVBVM60.__vbaFPInt
0049394F .DD9D 74FDFFFF fstp qword ptr ;42运算结果
00493955 .8D8D 6CFDFFFF lea ecx, dword ptr
0049395B .51 push ecx
0049395C .8D95 5CFDFFFF lea edx, dword ptr
00493962 .52 push edx
00493963 .C785 6CFDFFFF>mov dword ptr , 5
0049396D .FF15 3C124000 call dword ptr [<&MSVBVM60.#613>] ;MSVBVM60.rtcVarStrFromVar
00493973 .8D85 5CFDFFFF lea eax, dword ptr
00493979 .50 push eax
0049397A .8D8D 4CFDFFFF lea ecx, dword ptr
00493980 .51 push ecx
00493981 .FF15 D4104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00493987 .8B3D 04114000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarAbs
0049398D .8D95 DCFEFFFF lea edx, dword ptr
00493993 .52 push edx
00493994 .8D85 CCFEFFFF lea eax, dword ptr
0049399A .50 push eax
0049399B .FFD7 call edi ;<&MSVBVM60.__vbaVarAbs>
0049399D .50 push eax
0049399E .8D8D 1CFEFFFF lea ecx, dword ptr
004939A4 .51 push ecx
004939A5 .8D95 0CFEFFFF lea edx, dword ptr
004939AB .52 push edx
004939AC .FFD7 call edi ;下面那堆vbaVarCat一看就知道要连接字符串
004939AE .8B1D AC114000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarCat
004939B4 .50 push eax ;结果,track后发现是连接上面的那三个结果。
004939B5 .8D85 FCFDFFFF lea eax, dword ptr
004939BB .50 push eax ;连接后就是真注册码了。
004939BC .FFD3 call ebx ;<&MSVBVM60.__vbaVarCat>
004939BE .50 push eax
004939BF .8D8D 4CFDFFFF lea ecx, dword ptr
004939C5 .51 push ecx
004939C6 .8D95 3CFDFFFF lea edx, dword ptr
004939CC .52 push edx
004939CD .FFD7 call edi
004939CF .50 push eax
004939D0 .8D85 2CFDFFFF lea eax, dword ptr
004939D6 .50 push eax
004939D7 .FFD3 call ebx
004939D9 .8B3D 18104000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarMove
...........省略一点代码.....
00493B0C .6A 22 push 22
00493B0E .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00493B14 .8B55 0C mov edx, dword ptr
00493B17 .8B02 mov eax, dword ptr ;假码出现了
00493B19 .81C4 C0000000 add esp, 0C0
00493B1F .8D8D 1CFDFFFF lea ecx, dword ptr
00493B25 .51 push ecx ; /Arg2
00493B26 .8D55 DC lea edx, dword ptr ; |
00493B29 .52 push edx ; |Arg1
00493B2A .8985 24FDFFFF mov dword ptr , eax ; |
00493B30 .C785 1CFDFFFF>mov dword ptr , 8008 ; |和上面计算的结果比较。变量比较
00493B3A .FF15 18114000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
00493B40 .66:85C0 test ax, ax ;标志位,不为0就注册成功
00493B43 .C785 24FDFFFF>mov dword ptr , -1
00493B4D 75 06 jnz short 00493B55 爆破点这里。
00493B4F .89B5 24FDFFFF mov dword ptr , esi
00493B55 >8D95 1CFDFFFF lea edx, dword ptr
00493B5B .8D4D CC lea ecx, dword ptr
00493B5E .C785 1CFDFFFF>mov dword ptr , 0B
00493B68 .FFD7 call edi
00493B6A .9B wait
------------------------------------------------------------------------
【破解总结】
比如我的机器码为:577020080877
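1、整个算法就是对机器码的运算,从而得到真注册码。从上面的代码看,程序在本地算出正确的注册码,再用 __vbaVarTstEq 与输入的假码直接比较,这段例程里看不到任何密钥或服务器端校验,所以只要读懂这段例程就能重现结果。从防护角度看,注册校验应改为验证带非对称签名的授权数据,客户端只保存公钥,而不是在本地生成正确的注册码。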
2、首先依次取出机器码的第8位、第10位、第11位、第1位、第7位、第12位、第1位、第4位、第10位(其中有些是取两位,具体看注释),得到下面三组:
第一组 8 87 7
第二组 5 08 7
第三组 5 02 8
3、第一组:取机器码第五位与这一组运算(2*8*87-7),得到1385。
第二组:取机器码第三位与这一组运算(7*5*8-7),得到273。
第三组:取机器码第一位与这一组运算(5*5*2-8),得到42。
4、连接结果得到138527342就是最终注册码了。 高产!学习!