简单的 墙纸千百变 1.1注册算法
【破文标题】墙纸千百变 1.1注册算法【破文作者】XXNB
【作者邮箱】支持PYG
【作者主页】binbinbin7456.ys168.com
【破解工具】OD
【破解平台】XPsp2
【软件名称】墙纸千百变 1.1
【软件大小】4164KB
【原版下载】http://www.newhua.com/soft/53653.htm
【保护方式】名+码
【软件简介】本软件为电脑桌面墙纸(壁纸)管理程序。
●功能简介:
1、预先选择设定时间间隔,程序可以自动定时变换电脑桌面墙纸。
2、可以添加、删除自定义的墙纸图片(格式包括BMP、JPG、GIF等)。
●操作方法:
1、运行程序后,在墙纸列表中单击图片名可以进行预览,双击图片名或点“应用”按钮即可完成设置。
2、点“重置”按钮可以停止计时器运行。
●注意事项:
墙纸预览时为拉伸方式,在系统设置中最好也选拉伸方式。
【破解声明】向前辈们学习!只为学习交流!
------------------------------------------------------------------------
【破解过程】
1、rtcMsgBox下断可以找到下面关键代码:
0043E10A > \8B45 E8 mov eax, dword ptr ;假码
0043E10D .8D4D 94 lea ecx, dword ptr
0043E110 .8945 AC mov dword ptr , eax
0043E113 .8D45 A4 lea eax, dword ptr
0043E116 .50 push eax
0043E117 .51 push ecx
0043E118 .C745 E8 00000>mov dword ptr , 0
0043E11F .C745 A4 08000>mov dword ptr , 8
0043E126 .FFD7 call edi
0043E128 .8D55 94 lea edx, dword ptr
0043E12B .8D45 84 lea eax, dword ptr
0043E12E .52 push edx
0043E12F .50 push eax
0043E130 .FF15 0C114000 call dword ptr [<&MSVBVM60.#528>] ;MSVBVM60.rtcUpperCaseVar
0043E136 .8D4D 84 lea ecx, dword ptr
0043E139 .51 push ecx
0043E13A .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarMove
0043E140 .8BD0 mov edx, eax
0043E142 .B9 30104400 mov ecx, 00441030
0043E147 .FF15 60124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
0043E14D .8D4D C0 lea ecx, dword ptr
0043E150 .FFD3 call ebx
0043E152 .8D55 84 lea edx, dword ptr
0043E155 .8D45 94 lea eax, dword ptr
0043E158 .52 push edx
0043E159 .8D4D A4 lea ecx, dword ptr
0043E15C .50 push eax
0043E15D .51 push ecx
0043E15E .6A 03 push 3
0043E160 .FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
0043E166 .8B15 2C104400 mov edx, dword ptr
0043E16C .8B35 14114000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrCmp
0043E172 .83C4 10 add esp, 10 ;让esi为比较函数
0043E175 .52 push edx
0043E176 .68 80604000 push 00406080
0043E17B .FFD6 call esi ;<&MSVBVM60.__vbaStrCmp>
0043E17D .85C0 test eax, eax
0043E17F .75 10 jnz short 0043E191
0043E181 .BA A86F4000 mov edx, 00406FA8 ;none
0043E186 .B9 2C104400 mov ecx, 0044102C
0043E18B .FF15 F8114000 call dword ptr [<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
0043E191 >A1 30104400 mov eax, dword ptr
0043E196 .50 push eax
0043E197 .68 80604000 push 00406080
0043E19C .FFD6 call esi
0043E19E .85C0 test eax, eax
0043E1A0 .75 10 jnz short 0043E1B2
0043E1A2 .BA A86F4000 mov edx, 00406FA8 ;none
0043E1A7 .B9 30104400 mov ecx, 00441030
0043E1AC .FF15 F8114000 call dword ptr [<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
0043E1B2 >68 30104400 push 00441030
0043E1B7 .68 2C104400 push 0044102C
0043E1BC .E8 0F8CFEFF call 00426DD0 ;算法call《《《《《《《《《《《《《《《------
0043E1C1 .66:833D 34104>cmp word ptr , 0
0043E1C9 .A1 E0174400 mov eax, dword ptr
0043E1CE .0F85 F0000000 jnz 0043E2C4 ;关键跳
0043E1D4 .85C0 test eax, eax
0043E1D6 .75 10 jnz short 0043E1E8
0043E1D8 .68 E0174400 push 004417E0 ;<算
0043E1DD .68 C8684000 push 004068C8
0043E1E2 .FF15 E4114000 call dword ptr [<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
0043E1E8 >8B35 E0174400 mov esi, dword ptr
0043E1EE .8D55 C0 lea edx, dword ptr
0043E1F1 .52 push edx
0043E1F2 .56 push esi
0043E1F3 .8B0E mov ecx, dword ptr
0043E1F5 .FF51 14 call dword ptr
0043E1F8 .85C0 test eax, eax
0043E1FA .DBE2 fclex
0043E1FC .7D 0F jge short 0043E20D
0043E1FE .6A 14 push 14
0043E200 .68 B8684000 push 004068B8
0043E205 .56 push esi
0043E206 .50 push eax
0043E207 .FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0043E20D >8B45 C0 mov eax, dword ptr
0043E210 .8D55 E8 lea edx, dword ptr
0043E213 .52 push edx
0043E214 .50 push eax
0043E215 .8B08 mov ecx, dword ptr
0043E217 .8BF0 mov esi, eax
0043E219 .FF51 60 call dword ptr
0043E21C .85C0 test eax, eax
0043E21E .DBE2 fclex
0043E220 .7D 0F jge short 0043E231
0043E222 .6A 60 push 60
0043E224 .68 D8684000 push 004068D8
0043E229 .56 push esi
0043E22A .50 push eax
0043E22B .FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0043E231 >B8 04000280 mov eax, 80020004
0043E236 .B9 0A000000 mov ecx, 0A
0043E23B .8985 7CFFFFFF mov dword ptr , eax
0043E241 .8945 8C mov dword ptr , eax ;“QZF6B9”最终注册码
0043E244 .8B45 E8 mov eax, dword ptr
0043E247 .898D 74FFFFFF mov dword ptr , ecx
0043E24D .8945 9C mov dword ptr , eax
0043E250 .894D 84 mov dword ptr , ecx
0043E253 .B8 08000000 mov eax, 8
0043E258 .8D95 64FFFFFF lea edx, dword ptr
0043E25E .8D4D A4 lea ecx, dword ptr
0043E261 .C745 E8 00000>mov dword ptr , 0
0043E268 .8945 94 mov dword ptr , eax
0043E26B .C785 6CFFFFFF>mov dword ptr , 00409968
0043E275 .8985 64FFFFFF mov dword ptr , eax
0043E27B .FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup
0043E281 .8D85 74FFFFFF lea eax, dword ptr
0043E287 .8D4D 84 lea ecx, dword ptr
0043E28A .50 push eax
0043E28B .8D55 94 lea edx, dword ptr
0043E28E .51 push ecx
0043E28F .52 push edx
0043E290 .8D45 A4 lea eax, dword ptr
0043E293 .6A 30 push 30
0043E295 .50 push eax
0043E296 .FF15 B0104000 call dword ptr [<&MSVBVM60.#595>] ;MSVBVM60.rtcMsgBox 断在这里,(返回到这里)。往上
0043E29C .8D4D C0 lea ecx, dword ptr
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2、跟进:0043E1BC .E8 0F8CFEFF call 00426DD0这个算法,我们可以得到:
00426DD0 $55 push ebp
00426DD1 .8BEC mov ebp, esp
00426DD3 .83EC 08 sub esp, 8
00426DD6 .68 96264000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
00426DDB .64:A1 0000000>mov eax, dword ptr fs:
00426DE1 .50 push eax
00426DE2 .64:8925 00000>mov dword ptr fs:, esp
00426DE9 .83EC 54 sub esp, 54
00426DEC .53 push ebx
00426DED .56 push esi
00426DEE .57 push edi
00426DEF .8965 F8 mov dword ptr , esp
00426DF2 .C745 FC A01F4>mov dword ptr , 00401FA0
00426DF9 .33C0 xor eax, eax
00426DFB .8945 E8 mov dword ptr , eax
00426DFE .8945 E4 mov dword ptr , eax
00426E01 .8945 D4 mov dword ptr , eax
00426E04 .8945 C4 mov dword ptr , eax
00426E07 .8945 B4 mov dword ptr , eax
00426E0A .8945 A0 mov dword ptr , eax
00426E0D .66:A3 3410440>mov word ptr , ax
00426E13 .50 push eax
00426E14 .8D45 D4 lea eax, dword ptr
00426E17 .50 push eax
00426E18 .FF15 A4114000 call dword ptr [<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00426E1E .8D4D D4 lea ecx, dword ptr
00426E21 .8D55 C4 lea edx, dword ptr
00426E24 .51 push ecx
00426E25 .68 FF000000 push 0FF
00426E2A .52 push edx
00426E2B .FF15 9C114000 call dword ptr [<&MSVBVM60.#607>] ;MSVBVM60.rtcStringVar
00426E31 .8B3D 34104000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrVarMove
00426E37 .8D45 C4 lea eax, dword ptr
00426E3A .50 push eax
00426E3B .FFD7 call edi ;<&MSVBVM60.__vbaStrVarMove>
00426E3D .8B35 60124000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrMove
00426E43 .8BD0 mov edx, eax
00426E45 .B9 28104400 mov ecx, 00441028
00426E4A .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
00426E4C .8D4D C4 lea ecx, dword ptr
00426E4F .8D55 D4 lea edx, dword ptr
00426E52 .51 push ecx
00426E53 .52 push edx
00426E54 .6A 02 push 2
00426E56 .FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00426E5C .8B0D 28104400 mov ecx, dword ptr
00426E62 .83C4 0C add esp, 0C
00426E65 .8D45 A0 lea eax, dword ptr
00426E68 .8D55 E4 lea edx, dword ptr
00426E6B .50 push eax
00426E6C .51 push ecx
00426E6D .52 push edx
00426E6E .C745 A0 FF000>mov dword ptr , 0FF
00426E75 .FF15 3C124000 call dword ptr [<&MSVBVM60.__vbaStrTo>;MSVBVM60.__vbaStrToAnsi
00426E7B .50 push eax
00426E7C .E8 CBF7FDFF call 0040664C ;计算机名
00426E81 .FF15 80104000 call dword ptr [<&MSVBVM60.__vbaSetSy>;MSVBVM60.__vbaSetSystemError
00426E87 .8B45 E4 mov eax, dword ptr ;计算机名
00426E8A .50 push eax
00426E8B .68 28104400 push 00441028
00426E90 .FF15 78114000 call dword ptr [<&MSVBVM60.__vbaStrTo>;MSVBVM60.__vbaStrToUnicode
00426E96 .8D4D E4 lea ecx, dword ptr ;转成Unicode
00426E99 .FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
00426E9F .8D4D B4 lea ecx, dword ptr
00426EA2 .68 FF000000 push 0FF
00426EA7 .8D55 D4 lea edx, dword ptr
00426EAA .51 push ecx
00426EAB .52 push edx
00426EAC .C745 BC 28104>mov dword ptr , 00441028
00426EB3 .C745 B4 08400>mov dword ptr , 4008
00426EBA .FF15 58124000 call dword ptr [<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
00426EC0 .8D45 D4 lea eax, dword ptr
00426EC3 .50 push eax
00426EC4 .FFD7 call edi
00426EC6 .8BD0 mov edx, eax ;计算机名
00426EC8 .B9 28104400 mov ecx, 00441028
00426ECD .FFD6 call esi
00426ECF .8B1D 24104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVar
00426ED5 .8D4D D4 lea ecx, dword ptr
00426ED8 .FFD3 call ebx ;<&MSVBVM60.__vbaFreeVar>
00426EDA .8D4D D4 lea ecx, dword ptr
00426EDD .6A 00 push 0
00426EDF .51 push ecx
00426EE0 .FF15 A4114000 call dword ptr [<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00426EE6 .6A 00 push 0
00426EE8 .6A FF push -1
00426EEA .6A 01 push 1
00426EEC .68 80604000 push 00406080
00426EF1 .8D55 D4 lea edx, dword ptr
00426EF4 .8D45 E4 lea eax, dword ptr
00426EF7 .52 push edx
00426EF8 .50 push eax
00426EF9 .FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarVal
00426EFF .8B0D 28104400 mov ecx, dword ptr
00426F05 .50 push eax
00426F06 .51 push ecx
00426F07 .FF15 7C114000 call dword ptr [<&MSVBVM60.#712>] ;MSVBVM60.rtcReplace
00426F0D .8BD0 mov edx, eax
00426F0F .B9 28104400 mov ecx, 00441028
00426F14 .FFD6 call esi
00426F16 .8D4D E4 lea ecx, dword ptr
00426F19 .FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
00426F1F .8D4D D4 lea ecx, dword ptr
00426F22 .FFD3 call ebx
00426F24 .8D55 B4 lea edx, dword ptr
00426F27 .8D45 D4 lea eax, dword ptr
00426F2A .52 push edx
00426F2B .50 push eax
00426F2C .C745 BC 28104>mov dword ptr , 00441028
00426F33 .C745 B4 08400>mov dword ptr , 4008
00426F3A .FF15 C4104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00426F40 .8D4D D4 lea ecx, dword ptr
00426F43 .51 push ecx
00426F44 .FFD7 call edi
00426F46 .8BD0 mov edx, eax
00426F48 .B9 28104400 mov ecx, 00441028
00426F4D .FFD6 call esi
00426F4F .8D4D D4 lea ecx, dword ptr
00426F52 .FFD3 call ebx
00426F54 .8D55 B4 lea edx, dword ptr
00426F57 .8D45 D4 lea eax, dword ptr
00426F5A .52 push edx
00426F5B .50 push eax
00426F5C .C745 BC 28104>mov dword ptr , 00441028
00426F63 .C745 B4 08400>mov dword ptr , 4008
00426F6A .FF15 58104000 call dword ptr [<&MSVBVM60.#518>] ;MSVBVM60.rtcLowerCaseVar
00426F70 .8D4D D4 lea ecx, dword ptr ;变成小写的函数
00426F73 .51 push ecx
00426F74 .FFD7 call edi
00426F76 .8BD0 mov edx, eax
00426F78 .B9 28104400 mov ecx, 00441028
00426F7D .FFD6 call esi
00426F7F .8D4D D4 lea ecx, dword ptr
00426F82 .FFD3 call ebx
00426F84 .8B55 08 mov edx, dword ptr
00426F87 .8D45 B4 lea eax, dword ptr ;这里看得到小写的计算机名了
00426F8A .8D4D D4 lea ecx, dword ptr
00426F8D .50 push eax
00426F8E .51 push ecx
00426F8F .8955 BC mov dword ptr , edx
00426F92 .C745 B4 08400>mov dword ptr , 4008
00426F99 .FF15 58104000 call dword ptr [<&MSVBVM60.#518>] ;MSVBVM60.rtcLowerCaseVar
00426F9F .8D55 D4 lea edx, dword ptr
00426FA2 .52 push edx
00426FA3 .FFD7 call edi
00426FA5 .8B4D 08 mov ecx, dword ptr
00426FA8 .8BD0 mov edx, eax ;用户名
00426FAA .FFD6 call esi
00426FAC .8D4D D4 lea ecx, dword ptr
00426FAF .FFD3 call ebx
00426FB1 .8B45 0C mov eax, dword ptr
00426FB4 .8D4D B4 lea ecx, dword ptr
00426FB7 .8D55 D4 lea edx, dword ptr
00426FBA .51 push ecx
00426FBB .52 push edx
00426FBC .8945 BC mov dword ptr , eax
00426FBF .C745 B4 08400>mov dword ptr , 4008
00426FC6 .FF15 0C114000 call dword ptr [<&MSVBVM60.#528>] ;MSVBVM60.rtcUpperCaseVar
00426FCC .8D45 D4 lea eax, dword ptr
00426FCF .50 push eax
00426FD0 .FFD7 call edi
00426FD2 .8B4D 0C mov ecx, dword ptr
00426FD5 .8BD0 mov edx, eax ;假码
00426FD7 .FFD6 call esi
00426FD9 .8D4D D4 lea ecx, dword ptr
00426FDC .FFD3 call ebx
00426FDE .BA D47E4000 mov edx, 00407ED4 ;0
00426FE3 .8D4D E8 lea ecx, dword ptr
00426FE6 .FF15 F8114000 call dword ptr [<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
00426FEC .8B0D 28104400 mov ecx, dword ptr ;小写的计算机名
00426FF2 .51 push ecx
00426FF3 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
00426FF9 .8945 EC mov dword ptr , eax ;计算机名位数
00426FFC >85C0 test eax, eax ;循环开始
00426FFE .0F8E A5000000 jle 004270A9 ;计数器取的值是计算机名字符串长度
00427004 .8D55 D4 lea edx, dword ptr
00427007 .8D4D C4 lea ecx, dword ptr
0042700A .52 push edx
0042700B .50 push eax
0042700C .8D45 B4 lea eax, dword ptr
0042700F .C745 DC 01000>mov dword ptr , 1
00427016 .50 push eax
00427017 .51 push ecx
00427018 .C745 D4 02000>mov dword ptr , 2
0042701F .C745 BC 28104>mov dword ptr , 00441028
00427026 .C745 B4 08400>mov dword ptr , 4008
0042702D .FF15 F0104000 call dword ptr [<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
00427033 .8D55 C4 lea edx, dword ptr
00427036 .8D45 E4 lea eax, dword ptr
00427039 .52 push edx
0042703A .50 push eax
0042703B .FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarVal
00427041 .50 push eax
00427042 .FF15 50104000 call dword ptr [<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
00427048 .8BC8 mov ecx, eax ;从后面开始逐个取小写的用户名的ascii码值
0042704A .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaI2Abs>;MSVBVM60.__vbaI2Abs
00427050 .8B4D E8 mov ecx, dword ptr
00427053 .51 push ecx
00427054 .0FBFD8 movsx ebx, ax
00427057 .FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>;MSVBVM60.__vbaI4Str
0042705D .03D8 add ebx, eax ;加上一次循环的值,就是在这里循环累加了
0042705F .0F80 34020000 jo 00427299 ;结果存放在ebx
00427065 .53 push ebx
00427066 .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrI4>;MSVBVM60.__vbaStrI4
0042706C .8BD0 mov edx, eax ;上面的累加值,转成10进制字符串
0042706E .8D4D E8 lea ecx, dword ptr
00427071 .FFD6 call esi
00427073 .8D4D E4 lea ecx, dword ptr
00427076 .FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0042707C .8D55 C4 lea edx, dword ptr
0042707F .8D45 D4 lea eax, dword ptr
00427082 .52 push edx
00427083 .50 push eax
00427084 .6A 02 push 2
00427086 .FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
0042708C .8B45 EC mov eax, dword ptr
0042708F .8B1D 24104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVar
00427095 .83C4 0C add esp, 0C
00427098 .83E8 01 sub eax, 1 ;计数器-1继续循环
0042709B .0F80 F8010000 jo 00427299
004270A1 .8945 EC mov dword ptr , eax
004270A4 .^ E9 53FFFFFF jmp 00426FFC ;循环结束
004270A9 >8B4D 08 mov ecx, dword ptr
004270AC .8B11 mov edx, dword ptr ;用户名
004270AE .52 push edx
004270AF .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
004270B5 .8945 EC mov dword ptr , eax ;得到用户名位数
004270B8 >85C0 test eax, eax ;又一个循环开始
004270BA .0F8E A4000000 jle 00427164
004270C0 .8B4D 08 mov ecx, dword ptr
004270C3 .8D55 D4 lea edx, dword ptr
004270C6 .52 push edx
004270C7 .50 push eax
004270C8 .894D BC mov dword ptr , ecx
004270CB .8D45 B4 lea eax, dword ptr
004270CE .8D4D C4 lea ecx, dword ptr
004270D1 .50 push eax
004270D2 .51 push ecx
004270D3 .C745 DC 01000>mov dword ptr , 1
004270DA .C745 D4 02000>mov dword ptr , 2
004270E1 .C745 B4 08400>mov dword ptr , 4008
004270E8 .FF15 F0104000 call dword ptr [<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
004270EE .8D55 C4 lea edx, dword ptr
004270F1 .8D45 E4 lea eax, dword ptr
004270F4 .52 push edx
004270F5 .50 push eax
004270F6 .FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarVal
004270FC .50 push eax ;track后,发现是从后面开始取字符的ascii码值16进制
004270FD .FF15 50104000 call dword ptr [<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
00427103 .8BC8 mov ecx, eax
00427105 .FF15 60104000 call dword ptr [<&MSVBVM60.__vbaI2Abs>;MSVBVM60.__vbaI2Abs
0042710B .8B4D E8 mov ecx, dword ptr ;这里的ebp-18是上面对计算机名累加的结果的10进制字符串
0042710E .51 push ecx
0042710F .0FBFD8 movsx ebx, ax
00427112 .FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>;MSVBVM60.__vbaI4Str
00427118 .03D8 add ebx, eax ;这里继续累加。就是计算机名的累加值再累加用户名ascii码
值
0042711A .0F80 79010000 jo 00427299
00427120 .53 push ebx
00427121 .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrI4>;MSVBVM60.__vbaStrI4
00427127 .8BD0 mov edx, eax ;转成10进制字符串
00427129 .8D4D E8 lea ecx, dword ptr
0042712C .FFD6 call esi
0042712E .8D4D E4 lea ecx, dword ptr
00427131 .FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
00427137 .8D55 C4 lea edx, dword ptr
0042713A .8D45 D4 lea eax, dword ptr
0042713D .52 push edx
0042713E .50 push eax
0042713F .6A 02 push 2
00427141 .FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00427147 .8B45 EC mov eax, dword ptr
0042714A .8B1D 24104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVar
00427150 .83C4 0C add esp, 0C
00427153 .83E8 01 sub eax, 1 ;计数器
00427156 .0F80 3D010000 jo 00427299
0042715C .8945 EC mov dword ptr , eax
0042715F .^ E9 54FFFFFF jmp 004270B8 ;循环结束
00427164 >8B4D E8 mov ecx, dword ptr ;“1270”这里就是计算机名和用户名的ascii码值累加值
00427167 .51 push ecx ;装成10进制字符串
00427168 .FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>;MSVBVM60.__vbaI4Str
0042716E .05 C2EE0000 add eax, 0EEC2 ;上面的结果+0EEC2
00427173 .0F80 20010000 jo 00427299
00427179 .50 push eax
0042717A .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrI4>;MSVBVM60.__vbaStrI4
00427180 .8BD0 mov edx, eax ;加的结果转成10进制字符串
00427182 .8D4D E8 lea ecx, dword ptr
00427185 .FFD6 call esi
00427187 .8D45 B4 lea eax, dword ptr
0042718A .6A 06 push 6
0042718C .8D4D D4 lea ecx, dword ptr
0042718F .8D55 E8 lea edx, dword ptr
00427192 .50 push eax
00427193 .51 push ecx
00427194 .8955 BC mov dword ptr , edx
00427197 .C745 B4 08400>mov dword ptr , 4008
0042719E .FF15 58124000 call dword ptr [<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
004271A4 .8D55 D4 lea edx, dword ptr
004271A7 .52 push edx
004271A8 .FFD7 call edi
004271AA .8BD0 mov edx, eax ;62392(10进制)
004271AC .8D4D E8 lea ecx, dword ptr
004271AF .FFD6 call esi
004271B1 .8D4D D4 lea ecx, dword ptr
004271B4 .FFD3 call ebx
004271B6 .8B45 E8 mov eax, dword ptr
004271B9 .50 push eax
004271BA .FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>;MSVBVM60.__vbaI4Str
004271C0 .8D4D D4 lea ecx, dword ptr ;“62392”的16进制表示=“F3B8”
004271C3 .8D55 C4 lea edx, dword ptr
004271C6 .51 push ecx
004271C7 .52 push edx
004271C8 .8945 DC mov dword ptr , eax
004271CB .C745 D4 03000>mov dword ptr , 3
004271D2 .FF15 F4114000 call dword ptr [<&MSVBVM60.#573>] ;MSVBVM60.rtcHexVarFromVar
004271D8 .8D45 C4 lea eax, dword ptr
004271DB .50 push eax
004271DC .FFD7 call edi
004271DE .8BD0 mov edx, eax ;“F3B8”。。“62392”的16进制字符串
004271E0 .8D4D E8 lea ecx, dword ptr
004271E3 .FFD6 call esi
004271E5 .8D4D C4 lea ecx, dword ptr
004271E8 .8D55 D4 lea edx, dword ptr
004271EB .51 push ecx
004271EC .52 push edx
004271ED .6A 02 push 2
004271EF .FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
004271F5 .8B45 E8 mov eax, dword ptr
004271F8 .83C4 0C add esp, 0C
004271FB .68 DC7E4000 push 00407EDC ;“QZ”固定字符串
00427200 .50 push eax ;一看就知道要连接了。
00427201 .FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
00427207 .8BD0 mov edx, eax ;连接得到“QZF3B8”就是最终注册码了。
00427209 .8D4D E8 lea ecx, dword ptr
0042720C .FFD6 call esi
0042720E .8D55 B4 lea edx, dword ptr
00427211 .8D45 D4 lea eax, dword ptr
00427214 .8D4D E8 lea ecx, dword ptr
00427217 .52 push edx
00427218 .50 push eax
00427219 .894D BC mov dword ptr , ecx
0042721C .C745 B4 08400>mov dword ptr , 4008
00427223 .FF15 0C114000 call dword ptr [<&MSVBVM60.#528>] ;MSVBVM60.rtcUpperCaseVar
00427229 .8D4D D4 lea ecx, dword ptr ;“89”
0042722C .51 push ecx
0042722D .FFD7 call edi
0042722F .8BD0 mov edx, eax
00427231 .8D4D E8 lea ecx, dword ptr
00427234 .FFD6 call esi
00427236 .8D4D D4 lea ecx, dword ptr
00427239 .FFD3 call ebx
0042723B .8B55 0C mov edx, dword ptr
0042723E .8B4D E8 mov ecx, dword ptr
00427241 .8B02 mov eax, dword ptr ;执行到这个地方真假码都出现了
00427243 .50 push eax ;假码
00427244 .51 push ecx ;真码。
00427245 .FF15 14114000 call dword ptr [<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp
0042724B .85C0 test eax, eax ;比较函数
0042724D .75 09 jnz short 00427258 ;关键跳。爆破点
0042724F .66:C705 34104>mov word ptr , 0FFFF
00427258 >68 86724200 push 00427286
0042725D .EB 1D jmp short 0042727C
------------------------------------------------------------------------
【破解总结】
取得计算机名,转成小写,ascii码值累加。
取得输入的用户名,也转成小写,ascii码值累加。
上面得到的两个累加值相加,再加上0EEC2。得到的16进制字符串和“QZ”相连就是最终注册码了。 不错 学习~~ 学习一下,不错 顶》》》》》》》》》》》》》》》》》》》》》》》》》》》》
页:
[1]