Posted on 2007-6-16 13:31:14
Simple static analysis
Button event:
0040276C: F5 00 00 00 00 LitI4: Push 00000000
00402771: 71 68 FF FStR4 Pop#4 [local_98]
00402774: F5 00 00 00 00 LitI4: Push 00000000
00402779: 71 64 FF FStR4 Pop#4 [local_9C]
0040277C: 04 5C FF FLdRfVar Push local_A4
0040277F: 21 FLdPrThis [SR]=[stack2]
00402780: 0F 0C 03 VCallAd
00402783: 19 60 FF FStAdFunc
00402786: 08 60 FF FLdPr [SR]=[local_A0]
00402789: 0D A0 00 02 00 VCallHresult
0040278E: 3E 5C FF FLdZeroAd Push#4 [local_A4]; [local_A4]=0
00402791: 31 70 FF FStStr SysFreeString [local_90]; [local_90]=Pop
00402794: 1A 60 FF FFree1Ad Push [local_A0]; Call [[[local_A0]]+8]; [[local_A0]]=0
00402797: 04 5C FF FLdRfVar Push local_A4
0040279A: 21 FLdPrThis [SR]=[stack2]
0040279B: 0F 08 03 VCallAd
0040279E: 19 60 FF FStAdFunc
004027A1: 08 60 FF FLdPr [SR]=[local_A0]
004027A4: 0D A0 00 02 00 VCallHresult
004027A9: 3E 5C FF FLdZeroAd Push#4 [local_A4]; [local_A4]=0
004027AC: 31 6C FF FStStr SysFreeString [local_94]; [local_94]=Pop
004027AF: 1A 60 FF FFree1Ad Push [local_A0]; Call [[[local_A0]]+8]; [[local_A0]]=0
004027B2: 6C 70 FF ILdRf Push#4 [local_90] //★Name pushed onto the stack!
004027B5: 4A FnLenStr vbaLenBstr //★Length of the user name
004027B6: F5 09 00 00 00 LitI4: Push 00000009 //★Argument: 9
004027BB: D1 LtI4
004027BC: 6C 70 FF ILdRf Push#4 [local_90]
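004027BF: 4A FnLenStr vbaLenBstr //★Take the length again
004027C0: F5 0B 00 00 00 LitI4: Push 0000000B //★Argument: 11 (0x0B in decimal)
004027C5: DB GtI4 Push (Pop1 > Pop2) //★The author's intent was probably to restrict the user name to 9-11 characters, but in practice it has no effect; I guess the logical operators got mixed up~~ Never mind~~~ I'll analyze it according to the original intent, and the keygen below does the same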
0=False, -1=True (#4 comparison)
004027C6: C4 AndI4
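004027C7: 6C 6C FF ILdRf Push#4 [local_94] //★Registration code pushed onto the stack!
004027CA: 4A FnLenStr vbaLenBstr //★Take the length of the registration code
004027CB: F5 09 00 00 00 LitI4: Push 00000009 //★Argument: 9
004027D0: D1 LtI4 //★By the same reasoning, the registration code is at least 9 characters long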
004027D1: C5 OrI4
004027D2: 1C 6E 00 BranchF If Pop=0 then ESI=ProcPC+006E
004027D5: 10 F8 06 03 00 ThisVCallHresult
004027DA: F4 01 LitI2_Byte: Push 01 //★Push argument: 1 // the loop step value
004027DC: 04 76 FF FLdRfVar Push local_8A
004027DF: 6C 70 FF ILdRf Push#4 [local_90] //★Name pushed onto the stack!
004027E2: 4A FnLenStr vbaLenBstr //★Take the length // the loop bound
004027E3: E4 CI2I4 Verify [stack] high word is 0000, ECX=[ECX]
004027E4: FE 63 58 FF BD 00 ForI2:
004027EA: 27 38 FF LitVar_Missing PushVarError 80020004 (missing) //★For loop; the iteration count is determined by the user name length
VT_ERROR signifies an optional argument that is missing
004027ED: 6B 76 FF FLdI2 Push#2 [local_8A] //★Below, the ASCII value of the user name is taken one character at a time
004027F0: E7 CI4UI1
004027F1: 6C 70 FF ILdRf Push#4 [local_90]
004027F4: 0B 04 00 0C 00 ImpAdCallI2 Call Ptr_00401036; check stack 000C; Push EAX
004027F9: 23 5C FF FStStrNoPop SysFreeString [local_A4]; [local_A4]=[stack]
004027FC: 0B 05 00 04 00 ImpAdCallI2 Call Ptr_0040103C; check stack 0004; Push EAX
00402801: E7 CI4UI1
00402802: 71 78 FF FStR4 Pop#4 [local_88]
00402805: 2F 5C FF FFree1Str SysFreeString [local_A4]; [local_A4]=0
00402808: 35 38 FF FFree1Var
0040280B: 6C 68 FF ILdRf Push#4 [local_98]
0040280E: 6C 78 FF ILdRf Push#4 [local_88]
00402811: F5 04 00 00 00 LitI4: Push 00000004 //★Argument: 4
00402816: B2 MulI4 //★User name ASCII value * 4
00402817: AA AddI4
00402818: F5 12 00 00 00 LitI4: Push 00000012 //★Argument: 18 (0x12 in decimal)
0040281D: AA AddI4 //★The result above + 18
0040281E: 71 68 FF FStR4 Pop#4 [local_98]
00402821: 04 76 FF FLdRfVar Push local_8A
00402824: 64 58 FF 7E 00 NextI2: //★(For ...) Next // when the loop finishes we have the running sum
00402829: 6C 68 FF ILdRf Push#4 [local_98]
0040282C: F5 B0 FD 17 08 LitI4: Push 0817FDB0 //★Argument: 135790000 (0x0817FDB0 in decimal)
00402831: AA AddI4 //★Added to the sum accumulated above
00402832: 71 68 FF FStR4 Pop#4 [local_98]
00402835: 6C 6C FF ILdRf Push#4 [local_94] //★Registration code pushed onto the stack!
00402838: 0A 06 00 04 00 ImpAdCallFPR4 Call Ptr_00401042; check stack 0004 (no return value)
0040283D: F4 18 LitI2_Byte: Push 18 //★Argument: 24 (0x18 in decimal)
0040283F: EB CR8I2
00402840: AB AddR8 //★Registration code + 24
00402841: E8 CI4R8
00402842: 71 64 FF FStR4 Pop#4 [local_9C]
00402845: 6C 68 FF ILdRf Push#4 [local_98]
00402848: 6C 64 FF ILdRf Push#4 [local_9C]
0040284B: C7 EqI4 //★The key comparison~~
0040284C: 1C FB 00 BranchF If Pop=0 then ESI=ProcPC+00FB //★The key jump; to patch it, change to 1D FB 00
0040284F: 1B 07 00 LitStr: Push Ptr_00402080
00402852: 21 FLdPrThis [SR]=[stack2]
00402853: 0F 00 03 VCallAd
00402856: 19 60 FF FStAdFunc
00402859: 08 60 FF FLdPr [SR]=[local_A0]
0040285C: 0D 54 00 08 00 VCallHresult
00402861: 1A 60 FF FFree1Ad Push [local_A0]; Call [[[local_A0]]+8]; [[local_A0]]=0
00402864: 1E 00 01 Branch ESI=ProcPC+0100
00402867: 10 F8 06 03 00 ThisVCallHresult
0040286C: 13 ExitProcHresult
0040286D: 00 00 LargeBos IDE beginning of line with 00 byte codes
0040286F: 00 C4 LargeBos IDE beginning of line with C4 byte codes
And that gives us the algorithm~~
*******************VB keygen*************************
```vb
Private Sub Command1_Click()
    Dim Name As String
    Dim LenName As Integer
    Dim Sum As Long
    Dim i As Integer
    Name = Text1.Text
    LenName = Len(Name)
    ' If LenName >= 9 And LenName <= 11 Then
    For i = 1 To LenName Step 1
        ' Same accumulation as the loop at 004027EA..00402824
        Sum = Sum + (Asc(Mid(Name, i, 1)) * 4) + 18
    Next

    Sum = Sum + 135790000
    Text2.Text = Sum - 24 ' Invert the registration code check
    ' Else
    '     Text2.Text = "User name must be 9-11 characters long"
    ' End If
End Sub
```
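As an added illustration (not part of the original post), the length gate at 004027B2 to 004027D1 can be evaluated with a small stack machine. It assumes each binary opcode computes (first pushed) OP (last pushed) and that comparisons yield -1 or 0 as the listing notes; the 9-character code used as a default is a constructed sample.

```python
# Added illustration, not from the original post: evaluate the P-code length gate.
# Assumptions: a binary opcode computes (first pushed) OP (last pushed);
# comparisons yield -1 (True) or 0 (False), as the listing notes for GtI4.
TRUE, FALSE = -1, 0

# Opcodes at 004027B2..004027D1, transcribed from the listing.
# "name" stands for [local_90], "code" for [local_94].
GATE = [
    ("ILdRf", "name"), ("FnLenStr",), ("LitI4", 0x09), ("LtI4",),
    ("ILdRf", "name"), ("FnLenStr",), ("LitI4", 0x0B), ("GtI4",),
    ("AndI4",),
    ("ILdRf", "code"), ("FnLenStr",), ("LitI4", 0x09), ("LtI4",),
    ("OrI4",),
]

BINARY = {
    "LtI4": lambda a, b: TRUE if a < b else FALSE,
    "GtI4": lambda a, b: TRUE if a > b else FALSE,
    "AndI4": lambda a, b: a & b,  # bitwise, like VB's And on Long values
    "OrI4": lambda a, b: a | b,
}

def run_gate(name, code, program=GATE):
    """Return the I4 left on the stack; BranchF at 004027D2 jumps when it is 0."""
    local = {"name": name, "code": code}
    stack = []
    for op, *args in program:
        if op == "ILdRf":
            stack.append(local[args[0]])
        elif op == "LitI4":
            stack.append(args[0])
        elif op == "FnLenStr":
            stack.append(len(stack.pop()))
        elif op in BINARY:
            b = stack.pop()  # last pushed
            a = stack.pop()  # first pushed
            stack.append(BINARY[op](a, b))
        else:
            raise ValueError("unhandled opcode: " + op)
    if len(stack) != 1:
        raise RuntimeError("unbalanced stack")
    return stack.pop()

def name_lengths_that_trip_gate(code="123456789", max_len=32):
    """Name lengths for which the gate is non-zero, given a constructed 9-char code."""
    return [n for n in range(max_len + 1) if run_gate("a" * n, code) != 0]

if __name__ == "__main__":
    print(name_lengths_that_trip_gate())
    print(run_gate("abc", "12345678"))
```

Under this reading `(Len(name) < 9) And (Len(name) > 11)` can never be true, so only a registration code shorter than 9 characters makes the gate non-zero, which matches the post's remark that the name length restriction has no effect.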