|
|
【破解作者】 鹭影依凌
【使用工具】 OD v1.0 + Peid V0.94
【破解平台】 Win9x/NT/2000/XP
【软件名称】 某出纳管理系统 V5.0[脱壳+去ANTI+算法分析]
游客,本帖隐藏的内容需要积分高于 5000 才可浏览,您当前积分为 0
【软件简介】 适合各种中小企事业单位的出纳管理系统。完善的日常业务处理功能及与手工帐簿一样的打印功能,智能化的查询功能,都将为您企业的蓬勃发展提高工作效率。帐簿分现金日记帐、银行日记帐,并且可对银行对帐单、银行存款余额调节表进行实时查看、核对,报表中心为您总结统计资金日报表,未达帐项等等
【加壳方式】 ASPack v2.12
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
一、脱壳
PEiD:ASPack 2.12 -> Alexey Solodovnikov
ESP定律搞定
试运行程序
提示:严重警告,您是在运行注册机么....请支持正版
=>显然不是因为修复的问题而无法正常运行
看来,程序里面有ANTI代码,进行了自我监测OoO
二、去除ANTI代码
OD载入,超级字符串搜索下
晕,一个中文的字符串都没有,难道字符串又加密了
PEiD查下:Microsoft Visual Basic 5.0 / 6.0
呼,虚惊一场
进行字符串替换吧
GetVBRes搞定
一共三处:
1.ANTI提示 => notice
2.注册成功 => rightreg
3.注册失败 => wrongreg
注:2、3在算法分析的时候会用到
006923CE . 50 push eax
006923CF . 68 68A94300 push 0043A968 ; desktop.ini
006923D4 . F7DB neg ebx
006923D6 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
006923DC . F7D8 neg eax
006923DE . 1BC0 sbb eax, eax
006923E0 . 40 inc eax
006923E1 . 0BD8 or ebx, eax ; 下面不跳就跳出支持正版的对话框
006923E3 0F85 E9000000 jnz 006924D2 ; //这块修改成JMP,跳过提示
006923E9 B9 04000280 mov ecx, 80020004
006923EE . B8 0A000000 mov eax, 0A
006923F3 . 894D 94 mov dword ptr [ebp-6C], ecx
006923F6 . 894D A4 mov dword ptr [ebp-5C], ecx
006923F9 . BB 08000000 mov ebx, 8
006923FE . 8D95 7CFFFFFF lea edx, dword ptr [ebp-84]
00692404 . 8D4D AC lea ecx, dword ptr [ebp-54]
00692407 . 8945 8C mov dword ptr [ebp-74], eax
0069240A . 8945 9C mov dword ptr [ebp-64], eax
0069240D . C745 84 14A84>mov dword ptr [ebp-7C], 0043A814
00692414 . 899D 7CFFFFFF mov dword ptr [ebp-84], ebx
0069241A . FF15 B0124000 call dword ptr [<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00692420 . 68 84A94300 push 0043A984 ; |*|关键字notice
00692425 . 68 38984300 push 00439838 ; \n\n
0069242A . FFD7 call edi
0069242C . 8BD0 mov edx, eax
0069242E . 8D4D E0 lea ecx, dword ptr [ebp-20]
00692431 . FFD6 call esi
00692433 . 50 push eax
00692434 . 68 38984300 push 00439838 ; \n\n
00692439 . FFD7 call edi
0069243B . 8BD0 mov edx, eax
0069243D . 8D4D DC lea ecx, dword ptr [ebp-24]
00692440 . FFD6 call esi
00692442 . 50 push eax
00692443 . 68 DCA94300 push 0043A9DC ; mention
00692448 . FFD7 call edi
0069244A . 8BD0 mov edx, eax
0069244C . 8D4D D8 lea ecx, dword ptr [ebp-28]
0069244F . FFD6 call esi
00692451 . 50 push eax
00692452 . 68 38984300 push 00439838 ; \n\n
00692457 . FFD7 call edi
00692459 . 8BD0 mov edx, eax
0069245B . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0069245E . FFD6 call esi
00692460 . 50 push eax
00692461 . 68 38984300 push 00439838 ; \n\n
00692466 . FFD7 call edi
00692468 . 8BD0 mov edx, eax
0069246A . 8D4D D0 lea ecx, dword ptr [ebp-30]
0069246D . FFD6 call esi
0069246F . 50 push eax
00692470 . 68 34AA4300 push 0043AA34
00692475 . FFD7 call edi
00692477 . 8D4D 8C lea ecx, dword ptr [ebp-74]
0069247A . 8945 C4 mov dword ptr [ebp-3C], eax
0069247D . 8D55 9C lea edx, dword ptr [ebp-64]
00692480 . 51 push ecx
00692481 . 8D45 AC lea eax, dword ptr [ebp-54]
00692484 . 52 push edx
00692485 . 50 push eax
00692486 . 8D4D BC lea ecx, dword ptr [ebp-44]
00692489 . 6A 10 push 10
0069248B . 51 push ecx
0069248C . 895D BC mov dword ptr [ebp-44], ebx
0069248F . FF15 CC104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00692495 . 8D55 D0 lea edx, dword ptr [ebp-30]
00692498 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0069249B . 52 push edx
0069249C . 8D4D D8 lea ecx, dword ptr [ebp-28]
0069249F . 50 push eax
006924A0 . 8D55 DC lea edx, dword ptr [ebp-24]
006924A3 . 51 push ecx
006924A4 . 8D45 E0 lea eax, dword ptr [ebp-20]
006924A7 . 52 push edx
006924A8 . 50 push eax
006924A9 . 6A 05 push 5
006924AB . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
006924B1 . 8D4D 8C lea ecx, dword ptr [ebp-74]
006924B4 . 8D55 9C lea edx, dword ptr [ebp-64]
006924B7 . 51 push ecx
006924B8 . 8D45 AC lea eax, dword ptr [ebp-54]
006924BB . 52 push edx
006924BC . 8D4D BC lea ecx, dword ptr [ebp-44]
006924BF . 50 push eax
006924C0 . 51 push ecx
006924C1 . 6A 04 push 4
006924C3 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
006924C9 . 83C4 2C add esp, 2C
006924CC . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaEnd>] ; MSVBVM60.__vbaEnd
006924D2 > 66:8B95 4CFFF>mov dx, word ptr [ebp-B4] ; //跳过提示,来到这
006924D9 . 8B5D 08 mov ebx, dword ptr [ebp+8]
006924DC . 66:0355 EC add dx, word ptr [ebp-14]
006924E0 . 70 72 jo short 00692554
006924E2 . 8955 EC mov dword ptr [ebp-14], edx
006924E5 .^ E9 D0FDFFFF jmp 006922BA
006924EA > 68 3F256900 push 0069253F
OD邮件保存下,再次运行....
哦了,这次就可以正常进入程序界面了
三、代码分析
还是OD载入,超级字符串定位,代码分析如下
;=====================================================================
****************************主注册程序段******************************
;=====================================================================
007C0BD0 > \55 push ebp ; //开始
007C0BD1 . 8BEC mov ebp, esp
007C0BD3 . 83EC 18 sub esp, 18
007C0BD6 . 68 F65D4000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
007C0BDB . 64:A1 0000000>mov eax, dword ptr fs:[0]
007C0BE1 . 50 push eax
007C0BE2 . 64:8925 00000>mov dword ptr fs:[0], esp
007C0BE9 . B8 9C010000 mov eax, 19C
007C0BEE . E8 FD51C4FF call <jmp.&MSVBVM60.__vbaChkstk>
007C0BF3 . 53 push ebx
007C0BF4 . 56 push esi
007C0BF5 . 57 push edi
007C0BF6 . 8965 E8 mov dword ptr [ebp-18], esp
007C0BF9 . C745 EC 204D4>mov dword ptr [ebp-14], 00404D20
007C0C00 . 8B45 08 mov eax, dword ptr [ebp+8]
007C0C03 . 83E0 01 and eax, 1
007C0C06 . 8945 F0 mov dword ptr [ebp-10], eax
007C0C09 . 8B4D 08 mov ecx, dword ptr [ebp+8]
007C0C0C . 83E1 FE and ecx, FFFFFFFE
007C0C0F . 894D 08 mov dword ptr [ebp+8], ecx
007C0C12 . C745 F4 00000>mov dword ptr [ebp-C], 0
007C0C19 . 8B55 08 mov edx, dword ptr [ebp+8]
007C0C1C . 8B02 mov eax, dword ptr [edx]
007C0C1E . 8B4D 08 mov ecx, dword ptr [ebp+8]
007C0C21 . 51 push ecx
007C0C22 . FF50 04 call dword ptr [eax+4]
007C0C25 . C745 FC 01000>mov dword ptr [ebp-4], 1
007C0C2C . C745 FC 02000>mov dword ptr [ebp-4], 2
007C0C33 . 6A FF push -1
007C0C35 . FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError
007C0C3B . C745 FC 03000>mov dword ptr [ebp-4], 3
007C0C42 . 68 D03C4400 push 00443CD0
007C0C47 . 68 38984300 push 00439838 ; \n\n
007C0C4C . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
007C0C52 . 8BD0 mov edx, eax
007C0C54 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
007C0C57 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0C5D . 50 push eax
007C0C5E . 68 103D4400 push 00443D10 ; hr,g:<v 5.4>
007C0C63 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
007C0C69 . 8BD0 mov edx, eax
007C0C6B . 8D4D D0 lea ecx, dword ptr [ebp-30]
007C0C6E . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0C74 . 50 push eax
007C0C75 . 68 38984300 push 00439838 ; \n\n
007C0C7A . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
007C0C80 . 8BD0 mov edx, eax
007C0C82 . 8D4D CC lea ecx, dword ptr [ebp-34]
007C0C85 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0C8B . 50 push eax
007C0C8C . 68 2C3D4400 push 00443D2C
007C0C91 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
007C0C97 . 8BD0 mov edx, eax
007C0C99 . 8D4D DC lea ecx, dword ptr [ebp-24]
007C0C9C . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0CA2 . 8D55 CC lea edx, dword ptr [ebp-34]
007C0CA5 . 52 push edx
007C0CA6 . 8D45 D0 lea eax, dword ptr [ebp-30]
007C0CA9 . 50 push eax
007C0CAA . 8D4D D4 lea ecx, dword ptr [ebp-2C]
007C0CAD . 51 push ecx
007C0CAE . 6A 03 push 3
007C0CB0 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
007C0CB6 . 83C4 10 add esp, 10
007C0CB9 . C745 FC 04000>mov dword ptr [ebp-4], 4
007C0CC0 . E8 5B3FEDFF call 00694C20
007C0CC5 . 8BD0 mov edx, eax
007C0CC7 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
007C0CCA . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0CD0 . 68 983D4400 push 00443D98 ; ASCII "o忲N(u7b",CR,"T:"
007C0CD5 . 8D55 D4 lea edx, dword ptr [ebp-2C]
007C0CD8 . 52 push edx
007C0CD9 . E8 52A7EDFF call 0069B430 ; //计算机器码
007C0CDE . 8BD0 mov edx, eax ; EDX = 机器码[d1a4e3ae478a5b2b]
007C0CE0 . 8D4D D0 lea ecx, dword ptr [ebp-30]
007C0CE3 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0CE9 . 50 push eax
007C0CEA . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
......................................................................
............................一路F8跟下来.............................
......................................................................
007C0FA8 . 8985 88FEFFFF mov dword ptr [ebp-178], eax
007C0FAE . 83BD 88FEFFFF>cmp dword ptr [ebp-178], 3
007C0FB5 . 0F87 8E0C0000 ja 007C1C49
007C0FBB . 8B8D 88FEFFFF mov ecx, dword ptr [ebp-178]
007C0FC1 . FF248D 571D7C>jmp dword ptr [ecx*4+7C1D57]
007C0FC8 . E9 7C0C0000 jmp 007C1C49
007C0FCD > C745 FC 07000>mov dword ptr [ebp-4], 7
007C0FD4 . E8 473CEDFF call 00694C20
007C0FD9 . 8BD0 mov edx, eax ; //硬件特征码"ST3802110A3LR08A7Z")
007C0FDB . 8D4D D4 lea ecx, dword ptr [ebp-2C]
007C0FDE . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0FE4 . 8D55 D4 lea edx, dword ptr [ebp-2C]
007C0FE7 . 52 push edx
007C0FE8 . E8 43A4EDFF call 0069B430 ; //取机器码"d1a4e3ae478a5b2b"
007C0FED . 8BD0 mov edx, eax
007C0FEF . 8D4D C4 lea ecx, dword ptr [ebp-3C]
007C0FF2 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C0FF8 . 8B45 08 mov eax, dword ptr [ebp+8]
007C0FFB . 8B08 mov ecx, dword ptr [eax]
007C0FFD . 8B55 08 mov edx, dword ptr [ebp+8]
007C1000 . 52 push edx
007C1001 . FF91 00030000 call dword ptr [ecx+300]
007C1007 . 50 push eax
007C1008 . 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
007C100E . 50 push eax
007C100F . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
007C1015 . 8985 DCFEFFFF mov dword ptr [ebp-124], eax
007C101B . 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
007C1021 . 51 push ecx
007C1022 . 6A 01 push 1
007C1024 . 8B95 DCFEFFFF mov edx, dword ptr [ebp-124]
007C102A . 8B02 mov eax, dword ptr [edx]
007C102C . 8B8D DCFEFFFF mov ecx, dword ptr [ebp-124]
007C1032 . 51 push ecx
007C1033 . FF50 40 call dword ptr [eax+40]
007C1036 . DBE2 fclex
007C1038 . 8985 D8FEFFFF mov dword ptr [ebp-128], eax
007C103E . 83BD D8FEFFFF>cmp dword ptr [ebp-128], 0
007C1045 . 7D 23 jge short 007C106A
007C1047 . 6A 40 push 40
007C1049 . 68 20C24300 push 0043C220
007C104E . 8B95 DCFEFFFF mov edx, dword ptr [ebp-124]
007C1054 . 52 push edx
007C1055 . 8B85 D8FEFFFF mov eax, dword ptr [ebp-128]
007C105B . 50 push eax
007C105C . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
007C1062 . 8985 84FEFFFF mov dword ptr [ebp-17C], eax
007C1068 . EB 0A jmp short 007C1074
007C106A > C785 84FEFFFF>mov dword ptr [ebp-17C], 0
007C1074 > 8B8D 6CFFFFFF mov ecx, dword ptr [ebp-94]
007C107A . 898D D4FEFFFF mov dword ptr [ebp-12C], ecx
007C1080 . 8D55 CC lea edx, dword ptr [ebp-34]
007C1083 . 52 push edx
007C1084 . 8B85 D4FEFFFF mov eax, dword ptr [ebp-12C]
007C108A . 8B08 mov ecx, dword ptr [eax]
007C108C . 8B95 D4FEFFFF mov edx, dword ptr [ebp-12C]
007C1092 . 52 push edx
007C1093 . FF91 A0000000 call dword ptr [ecx+A0]
007C1099 . DBE2 fclex
007C109B . 8985 D0FEFFFF mov dword ptr [ebp-130], eax
007C10A1 . 83BD D0FEFFFF>cmp dword ptr [ebp-130], 0
007C10A8 . 7D 26 jge short 007C10D0
007C10AA . 68 A0000000 push 0A0
007C10AF . 68 0C9F4300 push 00439F0C
007C10B4 . 8B85 D4FEFFFF mov eax, dword ptr [ebp-12C]
007C10BA . 50 push eax
007C10BB . 8B8D D0FEFFFF mov ecx, dword ptr [ebp-130]
007C10C1 . 51 push ecx
007C10C2 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
007C10C8 . 8985 80FEFFFF mov dword ptr [ebp-180], eax
007C10CE . EB 0A jmp short 007C10DA
007C10D0 > C785 80FEFFFF>mov dword ptr [ebp-180], 0
007C10DA > 8B55 CC mov edx, dword ptr [ebp-34] ; EDX = 假序列号[9876543210abcdef]
007C10DD . 8995 A0FEFFFF mov dword ptr [ebp-160], edx
007C10E3 . C745 CC 00000>mov dword ptr [ebp-34], 0
007C10EA . 8B95 A0FEFFFF mov edx, dword ptr [ebp-160]
007C10F0 . 8D4D C8 lea ecx, dword ptr [ebp-38]
007C10F3 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C10F9 . 8B45 C4 mov eax, dword ptr [ebp-3C] ; EAX = 机器码[d1a4e3ae478a5b2b]
007C10FC . 8985 9CFEFFFF mov dword ptr [ebp-164], eax
007C1102 . C745 C4 00000>mov dword ptr [ebp-3C], 0
007C1109 . 8B95 9CFEFFFF mov edx, dword ptr [ebp-164]
007C110F . 8D4D D0 lea ecx, dword ptr [ebp-30]
007C1112 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
007C1118 . 8D4D C8 lea ecx, dword ptr [ebp-38]
007C111B . 51 push ecx
007C111C . 8D55 D0 lea edx, dword ptr [ebp-30]
007C111F . 52 push edx
007C1120 . E8 7B3BEDFF call 00694CA0 ; |*|关键CALL
007C1125 . 33C9 xor ecx, ecx ; ECX置零
007C1127 . 66:3D FFFF cmp ax, 0FFFF
007C112B . 0F94C1 sete cl ; 设置标志位
007C112E . F7D9 neg ecx ; ECX取反
007C1130 . 66:898D CCFEF>mov word ptr [ebp-134], cx ; [ebp-134] = cx
007C1137 . 8D55 C4 lea edx, dword ptr [ebp-3C]
007C113A . 52 push edx
007C113B . 8D45 C8 lea eax, dword ptr [ebp-38]
007C113E . 50 push eax
007C113F . 8D4D D0 lea ecx, dword ptr [ebp-30]
007C1142 . 51 push ecx
007C1143 . 8D55 D4 lea edx, dword ptr [ebp-2C]
007C1146 . 52 push edx
007C1147 . 6A 04 push 4
007C1149 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
007C114F . 83C4 14 add esp, 14
007C1152 . 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
007C1158 . 50 push eax
007C1159 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
007C115F . 51 push ecx
007C1160 . 6A 02 push 2
007C1162 . FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
007C1168 . 83C4 0C add esp, 0C
007C116B . 0FBF95 CCFEFF>movsx edx, word ptr [ebp-134] ; edx = [ebp-134]
007C1172 . 85D2 test edx, edx ; 测试标志位
007C1174 . 0F84 FF040000 je 007C1679 ; //跳向死亡
007C117A . C745 FC 08000>mov dword ptr [ebp-4], 8
007C1181 . 8B45 08 mov eax, dword ptr [ebp+8]
007C1184 . 8B08 mov ecx, dword ptr [eax]
007C1186 . 8B55 08 mov edx, dword ptr [ebp+8]
......................................................................
;...........................省略若干代码..............................
......................................................................
007C1D51 . 8BE5 mov esp, ebp
007C1D53 . 5D pop ebp
007C1D54 . C2 0800 retn 8 ; //结束
;=====================================================================
;***************************机器码产生的算法**************************
;=====================================================================
;在地址007C0CD9处F7跟进关键CALL->0069B430
;---------------------------------------------------------------------
0069B430 $ 55 push ebp ; //调用
0069B431 . 8BEC mov ebp, esp
0069B433 . 83EC 0C sub esp, 0C
0069B436 . 68 F65D4000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
0069B43B . 64:A1 0000000>mov eax, dword ptr fs:[0]
0069B441 . 50 push eax
0069B442 . 64:8925 00000>mov dword ptr fs:[0], esp
0069B449 . 83EC 54 sub esp, 54
0069B44C . 53 push ebx
0069B44D . 56 push esi
0069B44E . 57 push edi
0069B44F . 8965 F4 mov dword ptr [ebp-C], esp
0069B452 . C745 F8 F8154>mov dword ptr [ebp-8], 004015F8
0069B459 . 8B45 08 mov eax, dword ptr [ebp+8]
0069B45C . 33F6 xor esi, esi
0069B45E . 50 push eax
0069B45F . 8975 E8 mov dword ptr [ebp-18], esi
0069B462 . 8975 E4 mov dword ptr [ebp-1C], esi
0069B465 . 8975 D4 mov dword ptr [ebp-2C], esi
0069B468 . 8975 C4 mov dword ptr [ebp-3C], esi
0069B46B . 8975 B4 mov dword ptr [ebp-4C], esi
0069B46E . E8 BD000000 call 0069B530 ; |*|select函数"T302103L08"
0069B473 . 8B3D E4124000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
0069B479 . 8BD0 mov edx, eax
0069B47B . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0069B47E . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
0069B480 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0069B483 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0069B486 . 8945 DC mov dword ptr [ebp-24], eax
0069B489 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0069B48C . 51 push ecx
0069B48D . 8D45 B4 lea eax, dword ptr [ebp-4C]
0069B490 . 52 push edx
0069B491 . 50 push eax
0069B492 . C745 CC 10000>mov dword ptr [ebp-34], 10
0069B499 . C745 C4 02000>mov dword ptr [ebp-3C], 2
0069B4A0 . 8975 E4 mov dword ptr [ebp-1C], esi
0069B4A3 . C745 D4 08000>mov dword ptr [ebp-2C], 8
0069B4AA . E8 A1BAFFFF call 00696F50
0069B4AF . 8D4D B4 lea ecx, dword ptr [ebp-4C]
0069B4B2 . 51 push ecx ; "T302103L08"
0069B4B3 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; |*|算法MD5[16]
0069B4B9 . 8BD0 mov edx, eax ; //EDX = 机器码[d1a4e3ae478a5b2b]
0069B4BB . 8D4D E8 lea ecx, dword ptr [ebp-18]
0069B4BE . FFD7 call edi
0069B4C0 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0069B4C3 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0069B4C9 . 8D55 B4 lea edx, dword ptr [ebp-4C]
0069B4CC . 8D45 C4 lea eax, dword ptr [ebp-3C]
0069B4CF . 52 push edx
0069B4D0 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0069B4D3 . 50 push eax
0069B4D4 . 51 push ecx
0069B4D5 . 6A 03 push 3
0069B4D7 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0069B4DD . 83C4 10 add esp, 10
0069B4E0 . 68 18B56900 push 0069B518
0069B4E5 . EB 30 jmp short 0069B517
0069B4E7 . F645 FC 04 test byte ptr [ebp-4], 4
0069B4EB . 74 09 je short 0069B4F6
0069B4ED . 8D4D E8 lea ecx, dword ptr [ebp-18]
0069B4F0 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0069B4F6 > 8D4D E4 lea ecx, dword ptr [ebp-1C]
0069B4F9 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0069B4FF . 8D55 B4 lea edx, dword ptr [ebp-4C]
0069B502 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0069B505 . 52 push edx
0069B506 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0069B509 . 50 push eax
0069B50A . 51 push ecx
0069B50B . 6A 03 push 3
0069B50D . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0069B513 . 83C4 10 add esp, 10
0069B516 . C3 retn
0069B517 > C3 retn ; RET 用作跳转到 0069B518
0069B518 > 8B4D EC mov ecx, dword ptr [ebp-14]
0069B51B . 8B45 E8 mov eax, dword ptr [ebp-18]
0069B51E . 5F pop edi
0069B51F . 5E pop esi
0069B520 . 64:890D 00000>mov dword ptr fs:[0], ecx
0069B527 . 5B pop ebx
0069B528 . 8BE5 mov esp, ebp
0069B52A . 5D pop ebp
0069B52B . C2 0400 retn 4 ; //返回
;=====================================================================
;***************************序列号产生的算法**************************
;=====================================================================
;在地址007C1120处跟进关键CALL->00694CA0
;---------------------------------------------------------------------
00694CA0 $ 55 push ebp ; //本地调用来自 00694DFB, 00694E54, 007C1120, 007C188A
00694CA1 . 8BEC mov ebp, esp
00694CA3 . 83EC 08 sub esp, 8
00694CA6 . 68 F65D4000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
00694CAB . 64:A1 0000000>mov eax, dword ptr fs:[0]
00694CB1 . 50 push eax
00694CB2 . 64:8925 00000>mov dword ptr fs:[0], esp
00694CB9 . 83EC 10 sub esp, 10
00694CBC . 53 push ebx
00694CBD . 56 push esi
00694CBE . 57 push edi
00694CBF . 8965 F8 mov dword ptr [ebp-8], esp
00694CC2 . C745 FC E8144>mov dword ptr [ebp-4], 004014E8
00694CC9 . 8B7D 08 mov edi, dword ptr [ebp+8]
00694CCC . 33C0 xor eax, eax
00694CCE . 57 push edi
00694CCF . 8945 EC mov dword ptr [ebp-14], eax
00694CD2 . 8945 E8 mov dword ptr [ebp-18], eax
00694CD5 . E8 56670000 call 0069B430 ; //算法CALL
00694CDA . 8B1D E4124000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
00694CE0 . 8BD0 mov edx, eax ; EDX = 真注册码[29c5215069e13f83]
00694CE2 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00694CE5 . FFD3 call ebx ; <&MSVBVM60.__vbaStrMove>
00694CE7 . 50 push eax
00694CE8 . 8B45 0C mov eax, dword ptr [ebp+C]
00694CEB . 8B08 mov ecx, dword ptr [eax]
00694CED . 51 push ecx
00694CEE . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00694CF4 . 8BF0 mov esi, eax
00694CF6 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00694CF9 . F7DE neg esi
00694CFB . 1BF6 sbb esi, esi
00694CFD . 46 inc esi
00694CFE . F7DE neg esi
00694D00 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00694D06 . 66:85F6 test si, si
00694D09 . 74 0E je short 00694D19
00694D0B . C745 EC FFFFF>mov dword ptr [ebp-14], -1
00694D12 . 68 644D6900 push 00694D64
00694D17 . EB 4A jmp short 00694D63
00694D19 > 57 push edi
00694D1A . E8 11670000 call 0069B430
00694D1F . 8BD0 mov edx, eax
00694D21 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00694D24 . FFD3 call ebx
00694D26 . 8B55 0C mov edx, dword ptr [ebp+C]
00694D29 . 50 push eax
00694D2A . 8B02 mov eax, dword ptr [edx]
00694D2C . 50 push eax
00694D2D . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00694D33 . 8BF0 mov esi, eax
00694D35 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00694D38 . F7DE neg esi
00694D3A . 1BF6 sbb esi, esi
00694D3C . F7DE neg esi
00694D3E . F7DE neg esi
00694D40 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00694D46 . 66:85F6 test si, si
00694D49 . 74 07 je short 00694D52
00694D4B . C745 EC 00000>mov dword ptr [ebp-14], 0
00694D52 > 68 644D6900 push 00694D64
00694D57 . EB 0A jmp short 00694D63
00694D59 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00694D5C . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00694D62 . C3 retn
00694D63 > C3 retn ; RET 用作跳转到 00694D64
00694D64 > 8B4D F0 mov ecx, dword ptr [ebp-10]
00694D67 . 66:8B45 EC mov ax, word ptr [ebp-14]
00694D6B . 5F pop edi
00694D6C . 5E pop esi
00694D6D . 64:890D 00000>mov dword ptr fs:[0], ecx
00694D74 . 5B pop ebx
00694D75 . 8BE5 mov esp, ebp
00694D77 . 5D pop ebp
00694D78 . C2 0800 retn 8 ; //返回
;=====================================================================
;在地址00694CD5处F7跟进关键CALL->0069B430
;---------------------------------------------------------------------
0069B430 $ 55 push ebp ; //调用
0069B431 . 8BEC mov ebp, esp
0069B433 . 83EC 0C sub esp, 0C
0069B436 . 68 F65D4000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
0069B43B . 64:A1 0000000>mov eax, dword ptr fs:[0]
0069B441 . 50 push eax
0069B442 . 64:8925 00000>mov dword ptr fs:[0], esp
0069B449 . 83EC 54 sub esp, 54
0069B44C . 53 push ebx
0069B44D . 56 push esi
0069B44E . 57 push edi
0069B44F . 8965 F4 mov dword ptr [ebp-C], esp
0069B452 . C745 F8 F8154>mov dword ptr [ebp-8], 004015F8
0069B459 . 8B45 08 mov eax, dword ptr [ebp+8]
0069B45C . 33F6 xor esi, esi
0069B45E . 50 push eax
0069B45F . 8975 E8 mov dword ptr [ebp-18], esi
0069B462 . 8975 E4 mov dword ptr [ebp-1C], esi
0069B465 . 8975 D4 mov dword ptr [ebp-2C], esi
0069B468 . 8975 C4 mov dword ptr [ebp-3C], esi
0069B46B . 8975 B4 mov dword ptr [ebp-4C], esi
0069B46E . E8 BD000000 call 0069B530 ; |*|select函数"1ae3a48ab2"
0069B473 . 8B3D E4124000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
0069B479 . 8BD0 mov edx, eax
0069B47B . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0069B47E . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
0069B480 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0069B483 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0069B486 . 8945 DC mov dword ptr [ebp-24], eax
0069B489 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0069B48C . 51 push ecx
0069B48D . 8D45 B4 lea eax, dword ptr [ebp-4C]
0069B490 . 52 push edx
0069B491 . 50 push eax
0069B492 . C745 CC 10000>mov dword ptr [ebp-34], 10
0069B499 . C745 C4 02000>mov dword ptr [ebp-3C], 2
0069B4A0 . 8975 E4 mov dword ptr [ebp-1C], esi
0069B4A3 . C745 D4 08000>mov dword ptr [ebp-2C], 8
0069B4AA . E8 A1BAFFFF call 00696F50
0069B4AF . 8D4D B4 lea ecx, dword ptr [ebp-4C]
0069B4B2 . 51 push ecx ; "1ae3a48ab2"
0069B4B3 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; |*|算法MD5[16]
0069B4B9 . 8BD0 mov edx, eax ; (UNICODE "29c5215069e13f83")
0069B4BB . 8D4D E8 lea ecx, dword ptr [ebp-18]
0069B4BE . FFD7 call edi
0069B4C0 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0069B4C3 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0069B4C9 . 8D55 B4 lea edx, dword ptr [ebp-4C]
0069B4CC . 8D45 C4 lea eax, dword ptr [ebp-3C]
0069B4CF . 52 push edx
0069B4D0 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0069B4D3 . 50 push eax
0069B4D4 . 51 push ecx
0069B4D5 . 6A 03 push 3
0069B4D7 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0069B4DD . 83C4 10 add esp, 10
0069B4E0 . 68 18B56900 push 0069B518
0069B4E5 . EB 30 jmp short 0069B517
0069B4E7 . F645 FC 04 test byte ptr [ebp-4], 4
0069B4EB . 74 09 je short 0069B4F6
0069B4ED . 8D4D E8 lea ecx, dword ptr [ebp-18]
0069B4F0 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0069B4F6 > 8D4D E4 lea ecx, dword ptr [ebp-1C]
0069B4F9 . FF15 20134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0069B4FF . 8D55 B4 lea edx, dword ptr [ebp-4C]
0069B502 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0069B505 . 52 push edx
0069B506 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0069B509 . 50 push eax
0069B50A . 51 push ecx
0069B50B . 6A 03 push 3
0069B50D . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0069B513 . 83C4 10 add esp, 10
0069B516 . C3 retn
0069B517 > C3 retn ; RET 用作跳转到 0069B518
0069B518 > 8B4D EC mov ecx, dword ptr [ebp-14]
0069B51B . 8B45 E8 mov eax, dword ptr [ebp-18]
0069B51E . 5F pop edi
0069B51F . 5E pop esi
0069B520 . 64:890D 00000>mov dword ptr fs:[0], ecx
0069B527 . 5B pop ebx
0069B528 . 8BE5 mov esp, ebp
0069B52A . 5D pop ebp
0069B52B . C2 0400 retn 4 ; //返回
;=====================================================================
--------------------------------------------------------------------------------
【破解总结】
算法总结:
声明:自定义函数select()
描述下select函数的功能:
取一个字符串的第2、3、5、6、7、9、11、12、14、15位组成一个新的字符串
硬盘型号+序列号:"ST3802110A3LR08A7Z"
select("ST3802110A3LR08A7Z") = "T302103L08"
MD5[16]("T302103L08") = "d1a4e3ae478a5b2b"
select("d1a4e3ae478a5b2b") = "1ae3a48ab2"
MD5[16]("1ae3a48ab2") = "29c5215069e13f83"
序列号计算公式
1.参数:机器码
Serial Number = MD5[16](select(机器码))
2.参数:硬盘型号+序列号
Serial Number = MD5[16](select(MD5[16](select(硬盘型号+序列号))))
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 鹭影依凌 于 2008-5-21 19:07 编辑 ] |
|
IP卡
发表于 2007-11-12 03:34:17
提升卡
置顶卡
变色卡
千斤顶
显身卡