lhl-crackme简单算法分析＋VB注册机源码

hrbx · 发表于 2006-5-22 00:53:50

【破文标题】lhl-crackme简单算法分析＋VB注册机源码
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email protected]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-05-21
【软件名称】lhl-crackme
【软件大小】28.0KB
【下载地址】见附件
【加壳方式】无
【软件简介】lhl-crackme
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描脱壳后的程序，显示为：Microsoft Visual Basic 5.0 / 6.0，无壳。
2.试运行。输入注册码，当注册码长度大于等于7位时弹出提示"通过第一关"，但"确定"按钮仍为灰色。
3.追出算法。OD载入CrackMe,用OD的ApiBreak插件下 Point H 断点,利用粘贴的方式输入注册信息：
===================
注册码：9876543210
===================
立即中断：
77D29303 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; 断点在这里
77D29305 8BC8 mov ecx,eax
77D29307 83E1 03 and ecx,3
77D2930A F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
77D2930C E8 04F9FFFF call USER32.77D28C15
77D29311 5F pop edi
77D29312 5E pop esi
中断后取消断点，F8直到返回程序领空：
004032AD . FF91 A00000>call dword ptr ds:[ecx+A0]
004032B3 . 3BC6 cmp eax,esi ; 返回来到这里
004032B5 . DBE2 fclex
004032B7 . 7D 12 jge short lhl-crac.004032CB
向上查找，来到004031A0处F2下断，F9运行，重新输入注册信息，中断后来到：
004031A0 > \55 push ebp ; F2在此下断，中断后F8往下走
004031A1 . 8BEC mov ebp,esp
004031A3 . 83EC 0C sub esp,0C
.......................................................
省略部分代码
.......................................................
004032AA . 57 push edi
004032AB . 8B0F mov ecx,dword ptr ds:[edi]
004032AD . FF91 A0000000 call dword ptr ds:[ecx+A0]
004032B3 . 3BC6 cmp eax,esi ; 返回来到这里
004032B5 . DBE2 fclex
004032B7 . 7D 12 jge short lhl-crac.004032CB
004032B9 . 68 A0000000 push 0A0
004032BE . 68 D8254000 push lhl-crac.004025D8
004032C3 . 57 push edi
004032C4 . 50 push eax
004032C5 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>
004032CB > 8B45 A8 mov eax,dword ptr ss:[ebp-58] ; 假码"9876543210"
004032CE . 50 push eax
004032CF . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取注册码长度，EAX＝A
004032D5 . 8B3D 0C104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004032DB . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
004032E1 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004032E4 . 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax ; 注册码长度保存
004032EA . C785 A4FEFFFF >mov dword ptr ss:[ebp-15C],3
004032F4 . FFD7 call edi
004032F6 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004032F9 . FF15 EC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004032FF . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403302 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00403308 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0040330B . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
00403311 . 51 push ecx
00403312 . 52 push edx
00403313 . C785 ACFEFFFF >mov dword ptr ss:[ebp-154],7 ; 常数,7
0040331D . C785 A4FEFFFF >mov dword ptr ss:[ebp-15C],8002
00403327 . FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstGe>] ; 比较注册码长度是否大于7
0040332D . 66:85C0 test ax,ax
00403330 . 8B03 mov eax,dword ptr ds:[ebx]
00403332 . 53 push ebx
00403333 . 0F84 70090000 je lhl-crac.00403CA9 ; 注册码长度不大于则Over,暴破点1,Nop掉
00403339 . FF90 00030000 call dword ptr ds:[eax+300]
0040333F . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403342 . 50 push eax
00403343 . 51 push ecx
00403344 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040334A . 8B10 mov edx,dword ptr ds:[eax]
0040334C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040334F . 51 push ecx
00403350 . 50 push eax
00403351 . 8985 10FEFFFF mov dword ptr ss:[ebp-1F0],eax
00403357 . FF92 A0000000 call dword ptr ds:[edx+A0]
0040335D . 3BC6 cmp eax,esi
0040335F . DBE2 fclex
00403361 . 7D 18 jge short lhl-crac.0040337B
00403363 . 8B95 10FEFFFF mov edx,dword ptr ss:[ebp-1F0]
00403369 . 68 A0000000 push 0A0
0040336E . 68 D8254000 push lhl-crac.004025D8
00403373 . 52 push edx
00403374 . 50 push eax
00403375 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>
0040337B > 8B45 A8 mov eax,dword ptr ss:[ebp-58] ; 假码"9876543210"
0040337E . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00403381 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403384 . 8975 A8 mov dword ptr ss:[ebp-58],esi
00403387 . 8945 8C mov dword ptr ss:[ebp-74],eax
0040338A . C745 84 080000>mov dword ptr ss:[ebp-7C],8
00403391 . FFD7 call edi
00403393 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403396 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040339C . 8B35 94104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>>
004033A2 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
004033A5 . 6A 07 push 7 ; 常数,7
004033A7 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004033AA . 50 push eax
004033AB . 51 push ecx
004033AC . FFD6 call esi ; __vbaStrVarVal,注册码转为字符串
004033AE . 50 push eax ; 假码"9876543210"
004033AF . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.#616>] ; rtcLeftCharBstr,取假码左边7位字符
004033B5 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
004033B8 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004033BB . 8945 8C mov dword ptr ss:[ebp-74],eax ; 注册码左边7位字符"9876543"
004033BE . C745 84 080000>mov dword ptr ss:[ebp-7C],8
004033C5 . FFD7 call edi
004033C7 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004033CA . FF15 EC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004033D0 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004033D3 . 6A 07 push 7 ; 常数,7
004033D5 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004033D8 . 52 push edx
004033D9 . 50 push eax
004033DA . FFD6 call esi ; __vbaStrVarVal,注册码转为字符串
004033DC . 50 push eax ; 假码"9876543210"
004033DD . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.#618>] ; rtcRightCharBstr,取假码右边7位字符
004033E3 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
004033E6 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004033E9 . 8945 8C mov dword ptr ss:[ebp-74],eax ; 注册码右边7位字符"6543210"
004033EC . C745 84 080000>mov dword ptr ss:[ebp-7C],8
004033F3 . FFD7 call edi
004033F5 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004033F8 . FF15 EC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004033FE . 8B35 C8104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMod>]
00403404 . B8 03000000 mov eax,3
00403409 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040340C . 8985 94FEFFFF mov dword ptr ss:[ebp-16C],eax
00403412 . 8985 34FEFFFF mov dword ptr ss:[ebp-1CC],eax
00403418 . 8985 14FEFFFF mov dword ptr ss:[ebp-1EC],eax
0040341E . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
00403424 . 51 push ecx
00403425 . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
00403428 . BF 02000000 mov edi,2
0040342D . 52 push edx
0040342E . 50 push eax
0040342F . C785 ACFEFFFF >mov dword ptr ss:[ebp-154],42 ; 常数1-0x42
00403439 . 89BD A4FEFFFF mov dword ptr ss:[ebp-15C],edi
0040343F . C785 9CFEFFFF >mov dword ptr ss:[ebp-164],186A0 ; 常数2-0x186A0
00403449 . C785 8CFEFFFF >mov dword ptr ss:[ebp-174],12 ; 常数3-0x12
00403453 . 89BD 84FEFFFF mov dword ptr ss:[ebp-17C],edi
00403459 . C785 7CFEFFFF >mov dword ptr ss:[ebp-184],3E8 ; 常数4-0x3E8
00403463 . 89BD 74FEFFFF mov dword ptr ss:[ebp-18C],edi
00403469 . C785 6CFEFFFF >mov dword ptr ss:[ebp-194],63 ; 常数5-0x63
00403473 . 89BD 64FEFFFF mov dword ptr ss:[ebp-19C],edi
00403479 . 89BD 5CFEFFFF mov dword ptr ss:[ebp-1A4],edi
0040347F . 89BD 54FEFFFF mov dword ptr ss:[ebp-1AC],edi
00403485 . C785 4CFEFFFF >mov dword ptr ss:[ebp-1B4],5 ; 常数6-0x5
0040348F . 89BD 44FEFFFF mov dword ptr ss:[ebp-1BC],edi
00403495 . C785 3CFEFFFF >mov dword ptr ss:[ebp-1C4],80000007 ; 常数7-0x80000007
0040349F . C785 2CFEFFFF >mov dword ptr ss:[ebp-1D4],9 ; 常数8-0x9
004034A9 . 89BD 24FEFFFF mov dword ptr ss:[ebp-1DC],edi
004034AF . C785 1CFEFFFF >mov dword ptr ss:[ebp-1E4],6390F22 ; 常数9-0x6390F22
004034B9 . FFD6 call esi ; 注册码左边七位转为16进制数 Mod 常数1
004034BB . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C] ; 0x96B43F(9876543) Mod 0x42=0x27
004034C1 . 50 push eax
004034C2 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
004034C8 . 51 push ecx
004034C9 . 52 push edx
004034CA . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; Mod 结果乘以常数2
004034D0 . 50 push eax ; 0x27*0x186A0=0x3B8260
004034D1 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004034D4 . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
004034DA . 50 push eax
004034DB . 51 push ecx
004034DC . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
004034E2 . 52 push edx
004034E3 . FFD6 call esi ; 注册码左边七位转为16进制数 Mod 常数3
004034E5 . 50 push eax ; 0x96B43F(9876543) Mod 0x12=0xF
004034E6 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-18C]
004034EC . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC]
004034F2 . 50 push eax
004034F3 . 51 push ecx
004034F4 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 第2次Mod 结果乘以常数4
004034FA . 8B35 C0104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 0xF*0x3E8=0x3A98
00403500 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
00403506 . 50 push eax
00403507 . 52 push edx
00403508 . FFD6 call esi ; 两次Mod结果相加
0040350A . 50 push eax ; 0x3B8260+0x3A98=0x3BBCF8
0040350B . 8D45 BC lea eax,dword ptr ss:[ebp-44]
0040350E . 8D8D 64FEFFFF lea ecx,dword ptr ss:[ebp-19C]
00403514 . 50 push eax
00403515 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
0040351B . 51 push ecx
0040351C . 52 push edx
0040351D . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; 注册码左边七位转为16进制数 Mod 常数5
00403523 . 50 push eax ; 0x96B43F(9876543) Mod 0x63=0x6
00403524 . 8D85 54FEFFFF lea eax,dword ptr ss:[ebp-1AC]
0040352A . 8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
00403530 . 50 push eax
00403531 . 51 push ecx
00403532 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 第3次Mod 结果乘以2
00403538 . 50 push eax ; 0x6*2=0xC
00403539 . 8D95 44FEFFFF lea edx,dword ptr ss:[ebp-1BC]
0040353F . 8D85 14FFFFFF lea eax,dword ptr ss:[ebp-EC]
00403545 . 52 push edx
00403546 . 50 push eax
00403547 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 乘以2后再乘以常数6
0040354D . 8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-FC] ; 0xC*5=0x3C
00403553 . 50 push eax
00403554 . 51 push ecx
00403555 . FFD6 call esi ; 3次Mod结果相加
00403557 . 50 push eax ; 0x3BBCF8+0x3C=0x03BBD34
00403558 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
0040355B . 8D85 34FEFFFF lea eax,dword ptr ss:[ebp-1CC]
00403561 . 52 push edx
00403562 . 8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-10C]
00403568 . 50 push eax
00403569 . 51 push ecx
0040356A . FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 注册码左边七位转为16进制数 And 常数7
00403570 . 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C] ; 0x96B43F(9876543) And 0x80000007=0x7
00403576 . 50 push eax
00403577 . 52 push edx
00403578 . FFD6 call esi ; And 结果加上前面3次Mod结果
0040357A . 50 push eax ; 0x03BBD34+0x7=0x3BBD3B
0040357B . 8D85 24FEFFFF lea eax,dword ptr ss:[ebp-1DC]
00403581 . 8D8D D4FEFFFF lea ecx,dword ptr ss:[ebp-12C]
00403587 . 50 push eax
00403588 . 51 push ecx
00403589 . FFD6 call esi ; 上面加法结果再加上常数8
0040358B . 50 push eax ; 0x03BBD3B+0x9=0x3BBD44
0040358C . 8D95 14FEFFFF lea edx,dword ptr ss:[ebp-1EC]
00403592 . 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-13C]
00403598 . 52 push edx
00403599 . 50 push eax
0040359A . FFD6 call esi ; 加法结果继续加上常数9
0040359C . 8BD0 mov edx,eax ; 0x03BBD44+0x6390F22=0x674CC66
0040359E . 8D4B 44 lea ecx,dword ptr ds:[ebx+44] ; 将加法结果用10进制表示转为字符串，记为str1
004035A1 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; 0x674CC66(108317798)-->"108317798"
004035A7 . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C]
004035AD . 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-12C]
004035B3 . 51 push ecx
004035B4 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004035BA . 52 push edx
004035BB . 8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-FC]
004035C1 . 50 push eax
004035C2 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
004035C8 . 51 push ecx
004035C9 . 52 push edx
004035CA . 6A 05 push 5
004035CC . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]
004035D2 . 83C4 18 add esp,18
004035D5 . C785 ACFEFFFF >mov dword ptr ss:[ebp-154],42 ; 常数1-0x42
004035DF . 89BD A4FEFFFF mov dword ptr ss:[ebp-15C],edi
004035E5 . C785 9CFEFFFF >mov dword ptr ss:[ebp-164],186A0 ; 常数2-0x186A0
004035EF . B8 03000000 mov eax,3
004035F4 . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-15C]
004035FA . 8985 94FEFFFF mov dword ptr ss:[ebp-16C],eax
00403600 . 8985 34FEFFFF mov dword ptr ss:[ebp-1CC],eax
00403606 . 8985 14FEFFFF mov dword ptr ss:[ebp-1EC],eax
0040360C . 8D45 BC lea eax,dword ptr ss:[ebp-44]
0040360F . 50 push eax
00403610 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00403613 . 51 push ecx
00403614 . 52 push edx
00403615 . C785 8CFEFFFF >mov dword ptr ss:[ebp-174],12 ; 常数3-0x12
0040361F . 89BD 84FEFFFF mov dword ptr ss:[ebp-17C],edi
00403625 . C785 7CFEFFFF >mov dword ptr ss:[ebp-184],3E8 ; 常数4-0x3E8
0040362F . 89BD 74FEFFFF mov dword ptr ss:[ebp-18C],edi
00403635 . C785 6CFEFFFF >mov dword ptr ss:[ebp-194],63 ; 常数5-0x63
0040363F . 89BD 64FEFFFF mov dword ptr ss:[ebp-19C],edi
00403645 . 89BD 5CFEFFFF mov dword ptr ss:[ebp-1A4],edi
0040364B . 89BD 54FEFFFF mov dword ptr ss:[ebp-1AC],edi
00403651 . C785 4CFEFFFF >mov dword ptr ss:[ebp-1B4],5 ; 常数6-0x5
0040365B . 89BD 44FEFFFF mov dword ptr ss:[ebp-1BC],edi
00403661 . C785 3CFEFFFF >mov dword ptr ss:[ebp-1C4],80000007 ; 常数7-0x80000007
0040366B . C785 2CFEFFFF >mov dword ptr ss:[ebp-1D4],9 ; 常数8-0x9
00403675 . 89BD 24FEFFFF mov dword ptr ss:[ebp-1DC],edi
0040367B . C785 1CFEFFFF >mov dword ptr ss:[ebp-1E4],37FEDD ; 常数10-0x37FEDD
00403685 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; 以下运算部分，除常数10不同外，与上面相同，
分析略
0040368B . 50 push eax
0040368C . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00403692 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00403698 . 50 push eax
00403699 . 51 push ecx
0040369A . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
004036A0 . 50 push eax
004036A1 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
004036A4 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
004036AA . 52 push edx
004036AB . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
004036B1 . 50 push eax
004036B2 . 51 push ecx
004036B3 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; MSVBVM60.__vbaVarMod
004036B9 . 50 push eax
004036BA . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-18C]
004036C0 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004036C6 . 52 push edx
004036C7 . 50 push eax
004036C8 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
004036CE . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-BC]
004036D4 . 50 push eax
004036D5 . 51 push ecx
004036D6 . FFD6 call esi ; <&MSVBVM60.__vbaVarAdd>
004036D8 . 50 push eax
004036D9 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
004036DC . 8D85 64FEFFFF lea eax,dword ptr ss:[ebp-19C]
004036E2 . 52 push edx
004036E3 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
004036E9 . 50 push eax
004036EA . 51 push ecx
004036EB . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; MSVBVM60.__vbaVarMod
004036F1 . 50 push eax
004036F2 . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-1AC]
004036F8 . 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC]
004036FE . 52 push edx
004036FF . 50 push eax
00403700 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
00403706 . 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-1BC]
0040370C . 50 push eax
0040370D . 8D95 14FFFFFF lea edx,dword ptr ss:[ebp-EC]
00403713 . 51 push ecx
00403714 . 52 push edx
00403715 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
0040371B . 50 push eax
0040371C . 8D85 04FFFFFF lea eax,dword ptr ss:[ebp-FC]
00403722 . 50 push eax
00403723 . FFD6 call esi ; <&MSVBVM60.__vbaVarAdd>
00403725 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403728 . 50 push eax
00403729 . 8D95 34FEFFFF lea edx,dword ptr ss:[ebp-1CC]
0040372F . 51 push ecx
00403730 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
00403736 . 52 push edx
00403737 . 50 push eax
00403738 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
0040373E . 8D8D E4FEFFFF lea ecx,dword ptr ss:[ebp-11C]
00403744 . 50 push eax
00403745 . 51 push ecx
00403746 . FFD6 call esi ; <&MSVBVM60.__vbaVarAdd>
00403748 . 50 push eax
00403749 . 8D95 24FEFFFF lea edx,dword ptr ss:[ebp-1DC]
0040374F . 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C]
00403755 . 52 push edx
00403756 . 50 push eax
00403757 . FFD6 call esi ; <&MSVBVM60.__vbaVarAdd>
00403759 . 8D8D 14FEFFFF lea ecx,dword ptr ss:[ebp-1EC]
0040375F . 50 push eax
00403760 . 8D95 C4FEFFFF lea edx,dword ptr ss:[ebp-13C]
00403766 . 51 push ecx
00403767 . 52 push edx
00403768 . FFD6 call esi ; 加法结果继续加上常数10
0040376A . 50 push eax ; 0x03BBD44+0x37FEDD=0x73BC21
0040376B . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00403771 . 50 push eax
00403772 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#573>] ; 加法结果以16进制表示转为字符串,记为str2
00403778 . 8D4B 34 lea ecx,dword ptr ds:[ebx+34] ; 0x73BC21-->"73BC21"
0040377B . 8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-14C]
00403781 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00403787 . 8D8D B4FEFFFF lea ecx,dword ptr ss:[ebp-14C]
0040378D . 8B35 1C104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeVarLis>
00403793 . 8D95 C4FEFFFF lea edx,dword ptr ss:[ebp-13C]
00403799 . 51 push ecx
0040379A . 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C]
004037A0 . 52 push edx
004037A1 . 8D8D E4FEFFFF lea ecx,dword ptr ss:[ebp-11C]
004037A7 . 50 push eax
004037A8 . 8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC]
004037AE . 51 push ecx
004037AF . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004037B5 . 52 push edx
004037B6 . 50 push eax
004037B7 . 6A 06 push 6
004037B9 . FFD6 call esi
004037BB . 83C4 1C add esp,1C
004037BE . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
004037C4 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
004037C7 C785 ACFEFFFF >mov dword ptr ss:[ebp-154],lhl-crac.004025EC ; 固定字符串1－"pyg"
004037D1 . C785 A4FEFFFF >mov dword ptr ss:[ebp-15C],8
004037DB . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
004037E1 . 8B0B mov ecx,dword ptr ds:[ebx]
004037E3 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
004037E9 . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
004037EC . 52 push edx
004037ED . 50 push eax
004037EE . 53 push ebx
004037EF . FF91 FC060000 call dword ptr ds:[ecx+6FC] ; 此CALL将"pyg"每位字符的ASCII值的16进制形式
连接成字符串
004037F5 . 8D4B 54 lea ecx,dword ptr ds:[ebx+54] ; 'p'->0x70,'y'->79,'g'->67 ==>"707967",记为
str3
004037F8 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
004037FE . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00403804 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
0040380A . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
0040380D . 51 push ecx
0040380E . 52 push edx
0040380F . 57 push edi
00403810 . FFD6 call esi
00403812 . 83C4 0C add esp,0C
00403815 . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
0040381B . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
0040381E . C785 ACFEFFFF >mov dword ptr ss:[ebp-154],lhl-crac.004025F8 ; 固定字符串2－"lhl"
00403828 . C785 A4FEFFFF >mov dword ptr ss:[ebp-15C],8
00403832 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
00403838 . 8B03 mov eax,dword ptr ds:[ebx]
0040383A . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00403840 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00403843 . 51 push ecx
00403844 . 52 push edx
00403845 . 53 push ebx
00403846 . FF90 F8060000 call dword ptr ds:[eax+6F8] ; 同上面CALL,"lhl"--->"108104108",记为str4
0040384C . 8D4B 64 lea ecx,dword ptr ds:[ebx+64]
0040384F . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
00403855 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0040385B . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00403861 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00403864 . 50 push eax
00403865 . 51 push ecx
00403866 . 57 push edi
00403867 . FFD6 call esi
00403869 . 83C4 0C add esp,0C
0040386C . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
00403872 . 8D43 64 lea eax,dword ptr ds:[ebx+64]
00403875 . C785 7CFFFFFF >mov dword ptr ss:[ebp-84],1
0040387F . 52 push edx
00403880 . 6A 05 push 5 ; 常数，5
00403882 . 50 push eax
00403883 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00403886 . 50 push eax
00403887 . 89BD 74FFFFFF mov dword ptr ss:[ebp-8C],edi
0040388D . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
00403893 . 50 push eax ; 字符串str4--"108104108"
00403894 . FF15 50104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取字符串str4第5位字符
0040389A . 8BD0 mov edx,eax ; d EAX=0x30('0')
0040389C . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0040389F . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004038A5 . 8B4D 98 mov ecx,dword ptr ss:[ebp-68]
004038A8 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
004038AB . 52 push edx
004038AC . 8D43 44 lea eax,dword ptr ds:[ebx+44]
004038AF . 6A 05 push 5
004038B1 . 50 push eax
004038B2 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004038B5 . C745 8C 010000>mov dword ptr ss:[ebp-74],1
004038BC . 50 push eax
004038BD . 897D 84 mov dword ptr ss:[ebp-7C],edi
004038C0 . 898D FCFDFFFF mov dword ptr ss:[ebp-204],ecx
004038C6 . C745 98 000000>mov dword ptr ss:[ebp-68],0
004038CD . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004038D3 . 50 push eax ; 字符串str1--"108317798"
004038D4 . FF15 50104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取字符串str1第5位字符
004038DA . 8BD0 mov edx,eax ; d EAX=0x31('1')
004038DC . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
004038DF . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004038E5 . 50 push eax
004038E6 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; 字符串转为浮点数，'1'-->1.0
004038EC . 8B95 FCFDFFFF mov edx,dword ptr ss:[ebp-204]
004038F2 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004038F5 . DD9D F4FDFFFF fstp qword ptr ss:[ebp-20C]
004038FB . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
00403901 . 50 push eax
00403902 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; 字符串转为浮点数,'0'-->0.0
00403908 . DC9D F4FDFFFF fcomp qword ptr ss:[ebp-20C] ; 比较两个值是否相等
0040390E . C785 F0FDFFFF >mov dword ptr ss:[ebp-210],1
00403918 . DFE0 fstsw ax
0040391A . F6C4 40 test ah,40
0040391D . 75 0A jnz short lhl-crac.00403929
0040391F . C785 F0FDFFFF >mov dword ptr ss:[ebp-210],0
00403929 > 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0040392C . 8D55 9C lea edx,dword ptr ss:[ebp-64]
0040392F . 51 push ecx
00403930 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00403933 . 52 push edx
00403934 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00403937 . 50 push eax
00403938 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040393B . 51 push ecx
0040393C . 52 push edx
0040393D . 6A 05 push 5
0040393F . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]
00403945 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
0040394B . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
0040394E . 50 push eax
0040394F . 51 push ecx
00403950 . 57 push edi
00403951 . FFD6 call esi
00403953 . 8B85 F0FDFFFF mov eax,dword ptr ss:[ebp-210]
00403959 . 83C4 24 add esp,24
0040395C . F7D8 neg eax
0040395E . 66:85C0 test ax,ax
00403961 0F84 6A020000 je lhl-crac.00403BD1 ; 不等则Over,暴破点2,Nop掉
00403967 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
0040396A . 8D43 34 lea eax,dword ptr ds:[ebx+34]
0040396D . 52 push edx
0040396E . 6A 05 push 5
00403970 . 50 push eax
00403971 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403974 . 50 push eax
00403975 . 897D 8C mov dword ptr ss:[ebp-74],edi
00403978 . 897D 84 mov dword ptr ss:[ebp-7C],edi
0040397B . 89BD 7CFFFFFF mov dword ptr ss:[ebp-84],edi
00403981 . 89BD 74FFFFFF mov dword ptr ss:[ebp-8C],edi
00403987 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
0040398D . 50 push eax ; 字符串str2--"73BC21"
0040398E . FF15 50104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,从字符串str2第5位开始取字符
至结束
00403994 . 8BD0 mov edx,eax ; 得到字符串"21"
00403996 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00403999 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
0040399F . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
004039A5 . 50 push eax
004039A6 . 51 push ecx
004039A7 . 8D43 54 lea eax,dword ptr ds:[ebx+54]
004039AA . 6A 05 push 5
004039AC . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
004039AF . 50 push eax
004039B0 . 52 push edx
004039B1 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004039B7 . 50 push eax ; 字符串str3--"707967"
004039B8 . FF15 50104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,从字符串str3第5位开始取字符
至结束
004039BE . 8BD0 mov edx,eax ; 得到字符串"67"
004039C0 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004039C3 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
004039C9 . 50 push eax
004039CA . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; 比较取出的两个字符串是否相等
004039D0 . F7D8 neg eax
004039D2 . 1BC0 sbb eax,eax
004039D4 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004039D7 . 40 inc eax
004039D8 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
004039DB . F7D8 neg eax
004039DD . 66:8985 10FEFF>mov word ptr ss:[ebp-1F0],ax
004039E4 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
004039E7 . 50 push eax
004039E8 . 51 push ecx
004039E9 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004039EC . 52 push edx
004039ED . 50 push eax
004039EE . 6A 04 push 4
004039F0 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]
004039F6 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
004039FC . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
004039FF . 51 push ecx
00403A00 . 52 push edx
00403A01 . 57 push edi
00403A02 . FFD6 call esi
00403A04 . 83C4 20 add esp,20
00403A07 . 66:83BD 10FEFF>cmp word ptr ss:[ebp-1F0],0
00403A0F /0F84 DB000000 je lhl-crac.00403AF0 ; 不等则Over,暴破点3,Nop掉
00403A15 . |8B03 mov eax,dword ptr ds:[ebx]
00403A17 . |53 push ebx
00403A18 . |FF90 FC020000 call dword ptr ds:[eax+2FC]
00403A1E . |8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403A21 . |50 push eax
00403A22 . |51 push ecx
00403A23 . |FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
00403A29 . |8BF8 mov edi,eax
00403A2B . |6A FF push -1
00403A2D . |57 push edi
00403A2E . |8B17 mov edx,dword ptr ds:[edi]
00403A30 . |FF92 8C000000 call dword ptr ds:[edx+8C]
00403A36 . |85C0 test eax,eax
00403A38 . |DBE2 fclex
00403A3A . |7D 12 jge short lhl-crac.00403A4E
00403A3C . |68 8C000000 push 8C
00403A41 . |68 00264000 push lhl-crac.00402600
00403A46 . |57 push edi
00403A47 . |50 push eax
00403A48 . |FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>
00403A4E > |8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403A51 . |FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00403A57 . |B9 04000280 mov ecx,80020004
00403A5C . |B8 0A000000 mov eax,0A
00403A61 . |898D 5CFFFFFF mov dword ptr ss:[ebp-A4],ecx
00403A67 . |898D 6CFFFFFF mov dword ptr ss:[ebp-94],ecx
00403A6D . |898D 7CFFFFFF mov dword ptr ss:[ebp-84],ecx
00403A73 . |8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
00403A79 . |8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00403A7C . |8985 54FFFFFF mov dword ptr ss:[ebp-AC],eax
00403A82 . |8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax
00403A88 . |8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
00403A8E . |C785 ACFEFFFF >mov dword ptr ss:[ebp-154],lhl-crac.00402614
00403A98 . |C785 A4FEFFFF >mov dword ptr ss:[ebp-15C],8
00403AA2 . |FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
00403AA8 . |8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
00403AAE . |8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00403AB4 . |50 push eax
00403AB5 . |8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
00403ABB . |51 push ecx
00403ABC . |52 push edx
00403ABD . |8D45 84 lea eax,dword ptr ss:[ebp-7C]
00403AC0 . |6A 00 push 0
00403AC2 . |50 push eax
00403AC3 . |FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; rtcMsgBox，弹出"通过第3关"提示
00403AC9 . |8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC]
00403ACF . |8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00403AD5 . |51 push ecx
00403AD6 . |8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00403ADC . |52 push edx
弹出"通过第3关"提示后，"确定"按钮也变为可点击,点击按钮弹出"你比我菜!"提示。
命令栏输入：bp rtcMsgBox,回车，点击"确定"按钮，中断：
660DC5F3 M> 55 push ebp
660DC5F4 8BEC mov ebp,esp
660DC5F6 83EC 4C sub esp,4C
660DC5F9 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
观察堆栈友好提示：
0012F3C8 00403023 返回到 lhl-crac.00403023 来自 MSVBVM60.rtcMsgBox
0012F3CC 0012F464
Alt+F9返回，点击提示窗口中的"确定"按钮，来到：
00403023 . 8D45 AC lea eax,dword ptr ss:[ebp-54] ; Alt+F9返回来到这里
00403026 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403029 . 50 push eax
0040302A . 8D55 CC lea edx,dword ptr ss:[ebp-34]
0040302D . 51 push ecx
向上查找，来到00402F20处F2下断，再次点击"确定"按钮，立即中断：
00402F20 > \55 push ebp ; F2在此下断，中断后F8往下走
00402F21 . 8BEC mov ebp,esp
00402F23 . 83EC 0C sub esp,0C
00402F26 . 68 56114000 push <jmp.&MSVBVM60.__vbaExceptHandler>
00402F2B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00402F31 . 50 push eax
00402F32 . 64:8925 000000>mov dword ptr fs:[0],esp
00402F39 . 81EC 88000000 sub esp,88
00402F3F . 53 push ebx
00402F40 . 56 push esi
00402F41 . 57 push edi
00402F42 . 8965 F4 mov dword ptr ss:[ebp-C],esp
00402F45 . C745 F8 181140>mov dword ptr ss:[ebp-8],lhl-crac.00401118
00402F4C . 8B75 08 mov esi,dword ptr ss:[ebp+8]
00402F4F . 8BC6 mov eax,esi
00402F51 . 83E0 01 and eax,1
00402F54 . 8945 FC mov dword ptr ss:[ebp-4],eax
00402F57 . 83E6 FE and esi,FFFFFFFE
00402F5A . 56 push esi
00402F5B . 8975 08 mov dword ptr ss:[ebp+8],esi
00402F5E . 8B0E mov ecx,dword ptr ds:[esi]
00402F60 . FF51 04 call dword ptr ds:[ecx+4]
00402F63 . 8D56 64 lea edx,dword ptr ds:[esi+64]
00402F66 . 33FF xor edi,edi
00402F68 . 52 push edx
00402F69 . 897D DC mov dword ptr ss:[ebp-24],edi
00402F6C . 897D CC mov dword ptr ss:[ebp-34],edi
00402F6F . 897D BC mov dword ptr ss:[ebp-44],edi
00402F72 . 897D AC mov dword ptr ss:[ebp-54],edi
00402F75 . 897D 9C mov dword ptr ss:[ebp-64],edi
00402F78 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8ErrVar>]
00402F7E . 8B1D 60104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]
00402F84 . 8D46 44 lea eax,dword ptr ds:[esi+44] ; 字符串str4"108104108"转为浮点数
00402F87 . DD5D A4 fstp qword ptr ss:[ebp-5C] ; st=108104108.00000000000
00402F8A . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402F8D . 50 push eax
00402F8E . 51 push ecx
00402F8F . C745 9C 058000>mov dword ptr ss:[ebp-64],8005 ; 字符串str1"108317798"-->108317798.0
00402F96 . FFD3 call ebx ; __vbaVarTstEq,与字符串str1表示的浮点数比较
00402F98 . 66:85C0 test ax,ax
00402F9B . 74 39 je short lhl-crac.00402FD6 ; 不等则Over,暴破点4，Nop掉
00402F9D . 8D56 54 lea edx,dword ptr ds:[esi+54]
00402FA0 . 52 push edx
00402FA1 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8ErrVar>]
00402FA7 . DD5D A4 fstp qword ptr ss:[ebp-5C] ; 字符串str3"707967"转为浮点数
00402FAA . 8D46 34 lea eax,dword ptr ds:[esi+34] ; st=707967.0
00402FAD . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402FB0 . 50 push eax
00402FB1 . 51 push ecx
00402FB2 . C745 9C 058000>mov dword ptr ss:[ebp-64],8005 ; 字符串str2"73BC21"-->7584801.0
00402FB9 . FFD3 call ebx ; __vbaVarTstEq,与字符串str2表示的浮点数比较
00402FBB . 66:85C0 test ax,ax
00402FBE . 74 7E je short lhl-crac.0040303E ; 不等则Over,暴破点5，Nop掉
00402FC0 . 68 68254000 push lhl-crac.00402568
00402FC5 . 56 push esi
00402FC6 . 68 7C254000 push lhl-crac.0040257C
-----------------------------------------------------------------------------------------------
【破解总结】
1.注册码长度应大于等于7位, 则通过第一关。
2.取注册码前7位进行2次运算，每次运算用到9个常数。2次运算过程中除最后一个常数不同外，其它常数
及运算过程相同，第一次运算结果用10进制整数表示转为字符串，记为str1;第二次运算结果用16进制整数表示转为字符串，记为str2.
3.内置两个固定字符串，"pyg","lhl",分别依次取两个固定字符串每位字符的ASCII值用16进制数表示转为字符串，记为str3,str4.
4.取字符串str1和str4的第5位字符，相等则通过第二关。
5.从取字符串str2和str3第5位字符开始取直到字符串结束，相等则通过第三关。
6.将字符串str1和str4,str2和str3转为浮点数分别比较，相等则通过第四关。
一组可用注册码：
===================
注册码：1000135
===================
暴破更改以下位置：
00403333 je lhl-crac.00403CA9 ; je===>Nop
00403961 je lhl-crac.00403BD1 ; je===>Nop
00403A0F je lhl-crac.00403AF0 ; je===>Nop
00402F9B je short lhl-crac.00402FD6 ; je===>Nop
00402FBE je short lhl-crac.0040303E ; je===>Nop
【VB注册机源码】
Private Sub Generate_Click()
On Error Resume Next
Dim i As Long
Dim n1 As Long
Dim n2 As Long
Dim num1 As Long
Dim num2 As Long
Dim num3 As Long
Dim num4 As Long
Dim temp As Long
temp = (9999999 - 1000000) * Rnd() + 1000000
For i = temp To 9999999
num1 = (i Mod &H42) * &H186A0
num2 = (i Mod &H12) * &H3E8
num3 = (i Mod &H63) * 5 * 2
num4 = i And &H80000007
n1 = num1 + num2 + num3 + num4 + 9 + &H6390F22
n2 = num1 + num2 + num3 + num4 + 9 + &H37FEDD
If (n1 = 108104108) And (n2 = 7371111) Then GoTo done '0x707969= 7371111
Next i
done:
Text1 = i
End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

复制代码

[ 本帖最后由 hrbx 于 2006-5-22 12:59 编辑 ]

xingbing · 发表于 2006-5-22 08:58:26

呵呵，讲的真是不错。

lhl8730 · 发表于 2006-5-22 09:17:33

hrbx兄厉害。佩服！！！！

野猫III · 发表于 2006-5-22 21:57:27

原帖由 lhl8730 于 2006-5-22 09:17 发表
hrbx兄厉害。佩服！！！！

:victory::victory:

lhl8730 · 发表于 2006-5-23 12:00:31

hrbx兄做个动画演示出来让大家学习一下。

野猫III · 发表于 2006-5-23 12:19:00

原帖由 lhl8730 于 2006-5-23 12:00 发表
hrbx兄做个动画演示出来让大家学习一下。

那我们菜鸟们就有福啦。。。

伸长着脖子等待ing... :L :L

++++++++++++++++++++++

建议使用录像专家 V6.0 来录制。

录制的时候动作慢点。语音讲解最爽。。。不然猫会看睡觉去的。。。

录的文件大，上传到FTP服务器吧。

hrbx · 发表于 2006-5-23 14:19:04

呵呵，写破文勉强可以，做动画就留给论坛上的其他兄弟吧。。。:P

chuan0326 · 发表于 2006-5-26 07:17:48

請問大大中断后取消断点，F8直到返回程序领空：
我一直按f8 數十次還是無法返回到你所講的
004032B3 .  3BC6       cmp eax,esi                                        ;  返回来到这里
正確的作法應該是怎樣做才有辦法返回

004032AD .  FF91 A00000>call dword ptr ds:[ecx+A0]
004032B3 .  3BC6       cmp eax,esi                                        ;  返回来到这里
004032B5 .  DBE2       fclex
004032B7 .  7D 12    jge short lhl-crac.004032CB

		自动登录	找回密码
密码			加入我们

lhl-crackme简单算法分析＋VB注册机源码

本帖子中包含更多资源

相关帖子