中国法律案例大全 2004
【加密方式】 用户名+注册码
【破解工具】 FlyOD V1.10
【软件限制】 21天限制
【下载地址】 http://www.shareware.cn/
【破解平台】 Microsoft Windows XP SP2
vb编写。
下 __vbaStrCmp 断点
先停一次
00467569 . FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaStrCmp
0046756F . 85C0 test eax,eax
00467571 0F84 E1000000 je law.00467658
00467577 . 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0046757A . 51 push ecx
0046757B . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaLenBstr
00467581 . 8BC8 mov ecx,eax
00467583 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaI2I4
00467589 . 8B3D 00124000 mov edi,dword ptr ds:[<&MSVBVM60._>; MSVBVM60.__vbaStrMove
按f9又停一次
00467569 . FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaStrCmp
0046756F . 85C0 test eax,eax
00467571 0F84 E1000000 je law.00467658
00467577 . 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0046757A . 51 push ecx
0046757B . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaLenBstr
00467581 . 8BC8 mov ecx,eax
00467583 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaI2I4
00467589 . 8B3D 00124000 mov edi,dword ptr ds:[<&MSVBVM60._>; MSVBVM60.__vbaStrMove
0046758F . 8B1D 24104000 mov ebx,dword ptr ds:[<&MSVBVM60._>; MSVBVM60.__vbaStrVarMove
00467595 . 8945 80 mov dword ptr ss:[ebp-80],eax
然后一步一步的用f8往下走,过一个vb6.0的控件后,来到下面.
004648CD . 66:3D FFFF cmp ax,0FFFF
004648D1 . 0F94C1 sete cl
004648D4 . F7D9 neg ecx
004648D6 . 66:8BF1 mov si,cx
004648D9 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004648DC . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVar>
004648DE . 66:85F6 test si,si
004648E1 0F84 00010000 je law.004649E7------------------------改jne这是是否弹出提示界面的跳转
004648E7 . A1 C4984600 mov eax,dword ptr ds:[4698C4]
004648EC . 85C0 test eax,eax
004648EE . 75 14 jnz short law.00464904
004648F0 . 8B3D 78114000 mov edi,dword ptr ds:[<&MSVBVM60._>; MSVBVM60.__vbaNew2
004648F6 . 68 C4984600 push law.004698C4
004648FB . 68 948A4000 push law.00408A94
00464900 . FFD7 call edi ; <&MSVBVM60.__vbaNew2>
00464902 . EB 06 jmp short law.0046490A
00464904 > 8B3D 78114000 mov edi,dword ptr ds:[<&MSVBVM60._>; MSVBVM60.__vbaNew2
0046490A > A1 3C924600 mov eax,dword ptr ds:[46923C]
0046490F . 8B35 C4984600 mov esi,dword ptr ds:[4698C4]
00464915 . 85C0 test eax,eax
00464917 . 75 0C jnz short law.00464925
00464919 . 68 3C924600 push law.0046923C
0046491E . 68 68324000 push law.00403268
00464923 . FFD7 call edi
00464925 > 8B15 3C924600 mov edx,dword ptr ds:[46923C]
0046492B . 8B1E mov ebx,dword ptr ds:[esi]
0046492D . 8D45 EC lea eax,dword ptr ss:[ebp-14]
00464930 . 52 push edx
00464931 . 50 push eax
00464932 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaObjSetAddref
00464938 . 50 push eax
00464939 . 56 push esi
0046493A . FF53 10 call dword ptr ds:[ebx+10]
0046493D . 85C0 test eax,eax
0046493F . DBE2 fclex
00464941 . 7D 0F jge short law.00464952
00464943 . 6A 10 push 10
00464945 . 68 848A4000 push law.00408A84
0046494A . 56 push esi
0046494B . 50 push eax
0046494C . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj
00464952 > 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00464955 . FF15 28124000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaFreeObj
0046495B . A1 28924600 mov eax,dword ptr ds:[469228]
00464960 . 85C0 test eax,eax
00464962 . 75 0C jnz short law.00464970
00464964 . 68 28924600 push law.00469228
00464969 . 68 80284000 push law.00402880
0046496E . FFD7 call edi
00464970 > 83EC 10 sub esp,10
00464973 . B9 0A000000 mov ecx,0A
00464978 . 8BDC mov ebx,esp
0046497A . 894D 8C mov dword ptr ss:[ebp-74],ecx
0046497D . 894D 9C mov dword ptr ss:[ebp-64],ecx
00464980 . B8 04000280 mov eax,80020004
00464985 . 890B mov dword ptr ds:[ebx],ecx
00464987 . 8B4D 90 mov ecx,dword ptr ss:[ebp-70]
0046498A . 8945 94 mov dword ptr ss:[ebp-6C],eax
0046498D . 8BD0 mov edx,eax
0046498F . 894B 04 mov dword ptr ds:[ebx+4],ecx
00464992 . 83EC 10 sub esp,10
00464995 . 8B35 28924600 mov esi,dword ptr ds:[469228]
0046499B . 8BCC mov ecx,esp
0046499D . 8943 08 mov dword ptr ds:[ebx+8],eax
004649A0 . 8B45 98 mov eax,dword ptr ss:[ebp-68]
004649A3 . 8955 A4 mov dword ptr ss:[ebp-5C],edx
004649A6 . 8B3E mov edi,dword ptr ds:[esi]
004649A8 . 8943 0C mov dword ptr ds:[ebx+C],eax
004649AB . 8B45 9C mov eax,dword ptr ss:[ebp-64]
004649AE . 8901 mov dword ptr ds:[ecx],eax
004649B0 . 8B45 A0 mov eax,dword ptr ss:[ebp-60]
004649B3 . 56 push esi
004649B4 . 8941 04 mov dword ptr ds:[ecx+4],eax
004649B7 . 8951 08 mov dword ptr ds:[ecx+8],edx
004649BA . 8B55 A8 mov edx,dword ptr ss:[ebp-58]
004649BD . 8951 0C mov dword ptr ds:[ecx+C],edx
004649C0 . FF97 B0020000 call dword ptr ds:[edi+2B0]
004649C6 . 85C0 test eax,eax
004649C8 . DBE2 fclex
004649CA . 0F8D 66010000 jge law.00464B36
004649D0 . 68 B0020000 push 2B0
004649D5 . 68 24A14000 push law.0040A124
004649DA . 56 push esi
004649DB . 50 push eax
004649DC . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj
004649E2 . E9 4F010000 jmp law.00464B36
004649E7 > 8B85 60FFFFFF mov eax,dword ptr ss:[ebp-A0]--------下面是试用的范围
004649ED . 6A 00 push 0
004649EF . 68 02000360 push 60030002
004649F4 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004649F7 . 50 push eax
004649F8 . 51 push ecx
004649F9 . FFD7 call edi
004649FB . 83C4 10 add esp,10
004649FE . 50 push eax
004649FF . FF15 60114000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaI2Var
00464A05 . 33D2 xor edx,edx
00464A07 . 66:3D 1500 cmp ax,15
00464A0B . 0F9CC2 setl dl
00464A0E . F7DA neg edx
00464A10 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00464A13 . 66:8BF2 mov si,dx
00464A16 . FFD3 call ebx
00464A18 . 66:85F6 test si,si
00464A1B 0F84 90000000 je law.00464AB1--------------------------试用期是否过期的跳转
00464A21 . A1 3C924600 mov eax,dword ptr ds:[46923C]
00464A26 . 85C0 test eax,eax
00464A28 75 10 jnz short law.00464A3A
00464A2A . 68 3C924600 push law.0046923C
00464A2F . 68 68324000 push law.00403268
00464A34 . FF15 78114000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaNew2
00464A3A > 83EC 10 sub esp,10
00464A3D . B9 0A000000 mov ecx,0A
00464A42 . 8BDC mov ebx,esp
00464A44 . 894D 8C mov dword ptr ss:[ebp-74],ecx
00464A47 . 894D 9C mov dword ptr ss:[ebp-64],ecx
00464A4A . B8 04000280 mov eax,80020004
00464A4F . 890B mov dword ptr ds:[ebx],ecx
00464A51 . 8B4D 90 mov ecx,dword ptr ss:[ebp-70]
00464A54 . 8945 94 mov dword ptr ss:[ebp-6C],eax
00464A57 . 8BD0 mov edx,eax
00464A59 . 894B 04 mov dword ptr ds:[ebx+4],ecx
00464A5C . 83EC 10 sub esp,10
00464A5F . 8B35 3C924600 mov esi,dword ptr ds:[46923C]
00464A65 . 8BCC mov ecx,esp
00464A67 . 8943 08 mov dword ptr ds:[ebx+8],eax
00464A6A . 8B45 98 mov eax,dword ptr ss:[ebp-68]
00464A6D . 8955 A4 mov dword ptr ss:[ebp-5C],edx
00464A70 . 8B3E mov edi,dword ptr ds:[esi]
00464A72 . 8943 0C mov dword ptr ds:[ebx+C],eax
00464A75 . 8B45 9C mov eax,dword ptr ss:[ebp-64]
00464A78 . 8901 mov dword ptr ds:[ecx],eax
00464A7A . 8B45 A0 mov eax,dword ptr ss:[ebp-60]
00464A7D . 56 push esi
00464A7E . 8941 04 mov dword ptr ds:[ecx+4],eax
00464A81 . 8951 08 mov dword ptr ds:[ecx+8],edx
00464A84 . 8B55 A8 mov edx,dword ptr ss:[ebp-58]
00464A87 . 8951 0C mov dword ptr ds:[ecx+C],edx
00464A8A . FF97 B0020000 call dword ptr ds:[edi+2B0]
00464A90 . 85C0 test eax,eax
00464A92 . DBE2 fclex
00464A94 . 0F8D 9C000000 jge law.00464B36
00464A9A . 68 B0020000 push 2B0
00464A9F . 68 A4A74000 push law.0040A7A4
00464AA4 . 56 push esi
00464AA5 . 50 push eax
00464AA6 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj
00464AAC . E9 85000000 jmp law.00464B36
如果跳到这里---------会出现过期提示
00464AB1 > 8B35 CC114000 mov esi,dword ptr ds:[<&MSVBVM60._>; MSVBVM60.__vbaVarDup
00464AB7 . B9 0A000000 mov ecx,0A
00464ABC . 894D AC mov dword ptr ss:[ebp-54],ecx
完全是靠运气碰出来的,因为提示注册的界面在主界面之前出现,可以断定是先判断再选择进入哪个界面.因此慢慢地在启动的过程里发掘就会找到判断点.
另外,关键跳是4659fd je 465af5,因为前面没有任何伪码的信息,只好爆破.从启动过程入手.