小蜜蜂CrackMe简单算法分析+VB注册机源码

hrbx · 发表于 2007-11-16 21:50:48

【破文标题】小蜜蜂CrackMe简单算法分析+VB注册机源码
【破解作者】hrbx
【使用工具】OllDbg1.10、Peid
【破解日期】2007-11-16
【下载地址】https://www.chinapyg.com/viewthread.php?tid=22178
【软件简介】小蜜蜂CrackMe
-------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享:)
-------------------------------------------------------------------------
【破解过程】
1.脱壳。用PEID扫描，显示为：Microsoft Visual C++ 6.0 [Overlay]，实际上是易语言的程序，因为调试时可以见到易语言的krnln库。
2.追出算法。OD载入CrackMe，F9运行，输入注册信息后点击"注册"按钮，弹出错误提示"加油，注册不成功!"
F12暂停，Alt+K查看调用堆栈，找到：
===================================================================
地址堆栈函数例程 / 参数调用来自
0012F8C0 0041D7E4 小蜜蜂V1.0041DD4E 小蜜蜂V1.0041D7DF
===================================================================
Ctrl+G,输入：0041D7DF，回车，来到：
0041D7DF E8 6A050000 call 小蜜蜂V1.0041DD4E
0041D7E4 83C4 28 add esp,28
0041D7E7 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
向上查找，0041CF51处F2下断，Ctrl+F2重新载入程序，F9运行，输入注册信息：
====================================================
注册名:hrbx
注册码:9876543210
====================================================
点击"注册"按钮，立即中断：
0041CF51 55 push ebp ; F2在此下断，中断后F8往下走
0041CF52 8BEC mov ebp,esp
0041CF54 81EC 44000000 sub esp,44
0041CF5A C745 FC 00000000 mov dword ptr ss:[ebp-4],0
0041CF61 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
0041CF68 C745 F4 00000000 mov dword ptr ss:[ebp-C],0
0041CF6F 6A FF push -1
0041CF71 6A 08 push 8
0041CF73 68 10000116 push 16010010
0041CF78 68 01000152 push 52010001
0041CF7D E8 EA0D0000 call 小蜜蜂V1.0041DD6C ; 获取用户名
0041CF82 83C4 10 add esp,10
0041CF85 8945 F0 mov dword ptr ss:[ebp-10],eax ; 用户名"hrbx"
0041CF88 68 04000080 push 80000004
0041CF8D 6A 00 push 0
0041CF8F 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0041CF92 85C0 test eax,eax
0041CF94 75 05 jnz short 小蜜蜂V1.0041CF9B
0041CF96 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041CF9B 50 push eax
0041CF9C 68 01000000 push 1
0041CFA1 BB 30010000 mov ebx,130
0041CFA6 E8 A30D0000 call 小蜜蜂V1.0041DD4E ; 获取用户名长度
0041CFAB 83C4 10 add esp,10
0041CFAE 8945 EC mov dword ptr ss:[ebp-14],eax ; 用户名长度保存,EAX=0x4
0041CFB1 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0041CFB4 85DB test ebx,ebx
0041CFB6 74 09 je short 小蜜蜂V1.0041CFC1
0041CFB8 53 push ebx
0041CFB9 E8 A20D0000 call 小蜜蜂V1.0041DD60
0041CFBE 83C4 04 add esp,4
0041CFC1 8B45 EC mov eax,dword ptr ss:[ebp-14]
0041CFC4 33C9 xor ecx,ecx
0041CFC6 50 push eax
0041CFC7 8D45 FC lea eax,dword ptr ss:[ebp-4]
0041CFCA 8BD8 mov ebx,eax
0041CFCC 58 pop eax
0041CFCD 41 inc ecx
0041CFCE 51 push ecx
0041CFCF 53 push ebx
0041CFD0 890B mov dword ptr ds:[ebx],ecx
0041CFD2 50 push eax
0041CFD3 3BC8 cmp ecx,eax
0041CFD5 0F8F 17010000 jg 小蜜蜂V1.0041D0F2
0041CFDB 6A FF push -1
0041CFDD 6A 08 push 8
0041CFDF 68 10000116 push 16010010
0041CFE4 68 01000152 push 52010001
0041CFE9 E8 7E0D0000 call 小蜜蜂V1.0041DD6C
0041CFEE 83C4 10 add esp,10
0041CFF1 8945 F0 mov dword ptr ss:[ebp-10],eax
0041CFF4 68 01030080 push 80000301
0041CFF9 6A 00 push 0
0041CFFB FF75 FC push dword ptr ss:[ebp-4]
0041CFFE 68 04000080 push 80000004
0041D003 6A 00 push 0
0041D005 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0041D008 85C0 test eax,eax
0041D00A 75 05 jnz short 小蜜蜂V1.0041D011
0041D00C B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D011 50 push eax ; 用户名"hrbx"
0041D012 68 02000000 push 2
0041D017 BB 44010000 mov ebx,144
0041D01C E8 2D0D0000 call 小蜜蜂V1.0041DD4E ; 依次取用户名每一位字符的ASCII值
0041D021 83C4 1C add esp,1C
0041D024 8945 EC mov dword ptr ss:[ebp-14],eax ; EAX=0x68
0041D027 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0041D02A 85DB test ebx,ebx
0041D02C 74 09 je short 小蜜蜂V1.0041D037
0041D02E 53 push ebx
0041D02F E8 2C0D0000 call 小蜜蜂V1.0041DD60
0041D034 83C4 04 add esp,4
0041D037 DB45 EC fild dword ptr ss:[ebp-14] ; ss:[0012F91C]=0x68(104)
0041D03A DD5D E4 fstp qword ptr ss:[ebp-1C] ; ASCII值转为浮点数运算，计为N[i]
0041D03D DD45 E4 fld qword ptr ss:[ebp-1C]
0041D040 DC05 0BC14000 fadd qword ptr ds:[40C10B] ; (N[i]+27.0),ds:[0040C10B]=27.0
0041D046 DD5D DC fstp qword ptr ss:[ebp-24] ; st=131.0
0041D049 DD45 DC fld qword ptr ss:[ebp-24]
0041D04C DC0D 13C14000 fmul qword ptr ds:[40C113] ; (N[i]+27.0)*4,ds:[0040C113]=4.0
0041D052 DD5D D4 fstp qword ptr ss:[ebp-2C] ; st=524.0
0041D055 68 01060080 push 80000601
0041D05A 68 00003B40 push 403B0000
0041D05F 68 00000000 push 0
0041D064 68 01060080 push 80000601
0041D069 FF75 D8 push dword ptr ss:[ebp-28]
0041D06C FF75 D4 push dword ptr ss:[ebp-2C]
0041D06F 68 02000000 push 2
0041D074 BB 48000000 mov ebx,48
0041D079 E8 D00C0000 call 小蜜蜂V1.0041DD4E ; (N[i]+27.0)*4 MOD 27.0
0041D07E 83C4 1C add esp,1C
0041D081 8945 C4 mov dword ptr ss:[ebp-3C],eax
0041D084 8955 C8 mov dword ptr ss:[ebp-38],edx
0041D087 DD45 C4 fld qword ptr ss:[ebp-3C] ; 运算结果，ss:[0012F8F4]=11.00000000000000
0041D08A E8 37FDFFFF call 小蜜蜂V1.0041CDC6 ; 转为16进制数，11.0-->0xB
0041D08F 68 01030080 push 80000301
0041D094 6A 00 push 0
0041D096 50 push eax
0041D097 68 01000000 push 1
0041D09C BB D4010000 mov ebx,1D4
0041D0A1 E8 A80C0000 call 小蜜蜂V1.0041DD4E ; 16进制数转为字符串,0xB-->"B"
0041D0A6 83C4 10 add esp,10
0041D0A9 8945 C0 mov dword ptr ss:[ebp-40],eax ; D EAX "B"
0041D0AC FF75 C0 push dword ptr ss:[ebp-40]
0041D0AF FF75 F8 push dword ptr ss:[ebp-8]
0041D0B2 B9 02000000 mov ecx,2
0041D0B7 E8 9CFDFFFF call 小蜜蜂V1.0041CE58 ; 依次连接每次Mod结果
0041D0BC 83C4 08 add esp,8
0041D0BF 8945 BC mov dword ptr ss:[ebp-44],eax ; 连接后的字符串"B18E15"保存
0041D0C2 8B5D C0 mov ebx,dword ptr ss:[ebp-40]
0041D0C5 85DB test ebx,ebx
0041D0C7 74 09 je short 小蜜蜂V1.0041D0D2
0041D0C9 53 push ebx
0041D0CA E8 910C0000 call 小蜜蜂V1.0041DD60
0041D0CF 83C4 04 add esp,4
0041D0D2 8B45 BC mov eax,dword ptr ss:[ebp-44]
0041D0D5 50 push eax
0041D0D6 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0041D0D9 85DB test ebx,ebx
0041D0DB 74 09 je short 小蜜蜂V1.0041D0E6
0041D0DD 53 push ebx
0041D0DE E8 7D0C0000 call 小蜜蜂V1.0041DD60
0041D0E3 83C4 04 add esp,4
0041D0E6 58 pop eax
0041D0E7 8945 F8 mov dword ptr ss:[ebp-8],eax
0041D0EA 58 pop eax
0041D0EB 5B pop ebx
0041D0EC 59 pop ecx
0041D0ED ^ E9 DBFEFFFF jmp 小蜜蜂V1.0041CFCD
0041D0F2 83C4 0C add esp,0C
0041D0F5 837D FC 02 cmp dword ptr ss:[ebp-4],2
0041D0F9 0F8E D5000000 jle 小蜜蜂V1.0041D1D4
0041D0FF 6A FF push -1
0041D101 6A 08 push 8
0041D103 68 11000116 push 16010011
0041D108 68 01000152 push 52010001
0041D10D E8 5A0C0000 call 小蜜蜂V1.0041DD6C ; 获取假码
0041D112 83C4 10 add esp,10
0041D115 8945 EC mov dword ptr ss:[ebp-14],eax ; 假码"987654321012345678901234567890"
0041D118 68 01030080 push 80000301
0041D11D 6A 00 push 0
0041D11F 68 04000000 push 4 ; 常数,4
0041D124 68 04000080 push 80000004
0041D129 6A 00 push 0
0041D12B 8B45 EC mov eax,dword ptr ss:[ebp-14]
0041D12E 85C0 test eax,eax
0041D130 75 05 jnz short 小蜜蜂V1.0041D137
0041D132 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D137 50 push eax
0041D138 68 02000000 push 2
0041D13D BB 38010000 mov ebx,138
0041D142 E8 070C0000 call 小蜜蜂V1.0041DD4E ; 取假码最后4位
0041D147 83C4 1C add esp,1C
0041D14A 8945 E8 mov dword ptr ss:[ebp-18],eax ; 假码后4位"7890"
0041D14D 8B5D EC mov ebx,dword ptr ss:[ebp-14]
0041D150 85DB test ebx,ebx
0041D152 74 09 je short 小蜜蜂V1.0041D15D
0041D154 53 push ebx
0041D155 E8 060C0000 call 小蜜蜂V1.0041DD60
0041D15A 83C4 04 add esp,4
0041D15D 68 6A000000 push 6A
0041D162 B8 1BC14000 mov eax,小蜜蜂V1.0040C11B
0041D167 8945 E4 mov dword ptr ss:[ebp-1C],eax
0041D16A 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0041D16D 50 push eax
0041D16E E8 98060000 call 小蜜蜂V1.0041D80B
0041D173 8945 E0 mov dword ptr ss:[ebp-20],eax ; 固定字符串1"-KAN"
0041D176 8B5D E4 mov ebx,dword ptr ss:[ebp-1C]
0041D179 85DB test ebx,ebx
0041D17B 74 09 je short 小蜜蜂V1.0041D186
0041D17D 53 push ebx
0041D17E E8 DD0B0000 call 小蜜蜂V1.0041DD60
0041D183 83C4 04 add esp,4
0041D186 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0041D189 50 push eax ; 固定字符串1"-KAN"
0041D18A FF75 E8 push dword ptr ss:[ebp-18] ; 假码后4位"7890"
0041D18D E8 22FDFFFF call 小蜜蜂V1.0041CEB4 ; 比较两者是否相等
0041D192 83C4 08 add esp,8
0041D195 83F8 00 cmp eax,0
0041D198 B8 00000000 mov eax,0
0041D19D 0F94C0 sete al
0041D1A0 8945 DC mov dword ptr ss:[ebp-24],eax
0041D1A3 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
0041D1A6 85DB test ebx,ebx
0041D1A8 74 09 je short 小蜜蜂V1.0041D1B3
0041D1AA 53 push ebx
0041D1AB E8 B00B0000 call 小蜜蜂V1.0041DD60
0041D1B0 83C4 04 add esp,4
0041D1B3 8B5D E0 mov ebx,dword ptr ss:[ebp-20]
0041D1B6 85DB test ebx,ebx
0041D1B8 74 09 je short 小蜜蜂V1.0041D1C3
0041D1BA 53 push ebx
0041D1BB E8 A00B0000 call 小蜜蜂V1.0041DD60
0041D1C0 83C4 04 add esp,4
0041D1C3 837D DC 00 cmp dword ptr ss:[ebp-24],0
0041D1C7 0F84 07000000 je 小蜜蜂V1.0041D1D4 ; 不等则Over,暴破点1,NOP掉
0041D1CD B8 01000000 mov eax,1
0041D1D2 EB 02 jmp short 小蜜蜂V1.0041D1D6
0041D1D4 33C0 xor eax,eax
0041D1D6 85C0 test eax,eax
0041D1D8 0F84 CD050000 je 小蜜蜂V1.0041D7AB
0041D1DE 68 01030080 push 80000301
0041D1E3 6A 00 push 0
0041D1E5 68 04000000 push 4
0041D1EA 68 01030080 push 80000301
0041D1EF 6A 00 push 0
0041D1F1 68 01000000 push 1
0041D1F6 68 02000000 push 2
0041D1FB BB 94000000 mov ebx,94
0041D200 E8 490B0000 call 小蜜蜂V1.0041DD4E
0041D205 83C4 1C add esp,1C
0041D208 8945 F0 mov dword ptr ss:[ebp-10],eax
0041D20B 68 01030080 push 80000301
0041D210 6A 00 push 0
0041D212 68 F2000000 push 0F2
0041D217 68 01030080 push 80000301
0041D21C 6A 00 push 0
0041D21E FF75 F0 push dword ptr ss:[ebp-10]
0041D221 68 01030080 push 80000301
0041D226 6A 00 push 0
0041D228 68 0A000000 push 0A
0041D22D 68 03000000 push 3
0041D232 BB 10000000 mov ebx,10
0041D237 B8 01000000 mov eax,1
0041D23C E8 190B0000 call 小蜜蜂V1.0041DD5A
0041D241 83C4 28 add esp,28
0041D244 6A FF push -1
0041D246 6A 08 push 8
0041D248 68 11000116 push 16010011
0041D24D 68 01000152 push 52010001
0041D252 E8 150B0000 call 小蜜蜂V1.0041DD6C
0041D257 83C4 10 add esp,10
0041D25A 8945 F0 mov dword ptr ss:[ebp-10],eax ; 假码"98765432101234567890"
0041D25D 68 01030080 push 80000301
0041D262 6A 00 push 0
0041D264 68 13000000 push 13 ; 常数,0x13(19)
0041D269 68 04000080 push 80000004
0041D26E 6A 00 push 0
0041D270 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0041D273 85C0 test eax,eax
0041D275 75 05 jnz short 小蜜蜂V1.0041D27C
0041D277 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D27C 50 push eax
0041D27D 68 02000000 push 2
0041D282 BB 34010000 mov ebx,134
0041D287 E8 C20A0000 call 小蜜蜂V1.0041DD4E ; 取假码前19位
0041D28C 83C4 1C add esp,1C
0041D28F 8945 EC mov dword ptr ss:[ebp-14],eax ; 假码前19位"9876543210123456789"
0041D292 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0041D295 85DB test ebx,ebx
0041D297 74 09 je short 小蜜蜂V1.0041D2A2
0041D299 53 push ebx
0041D29A E8 C10A0000 call 小蜜蜂V1.0041DD60
0041D29F 83C4 04 add esp,4
0041D2A2 68 4F000000 push 4F
0041D2A7 B8 20C14000 mov eax,小蜜蜂V1.0040C120
0041D2AC 8945 E8 mov dword ptr ss:[ebp-18],eax
0041D2AF 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0041D2B2 50 push eax
0041D2B3 E8 53050000 call 小蜜蜂V1.0041D80B
0041D2B8 8945 E4 mov dword ptr ss:[ebp-1C],eax ; 固定字符串2"[DCG][OCN][PYG]-No."
0041D2BB 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
0041D2BE 85DB test ebx,ebx
0041D2C0 74 09 je short 小蜜蜂V1.0041D2CB
0041D2C2 53 push ebx
0041D2C3 E8 980A0000 call 小蜜蜂V1.0041DD60
0041D2C8 83C4 04 add esp,4
0041D2CB 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0041D2CE 50 push eax ; 固定字符串"[DCG][OCN][PYG]-No."
0041D2CF FF75 EC push dword ptr ss:[ebp-14] ; 假码前19位"9876543210123456789"
0041D2D2 E8 DDFBFFFF call 小蜜蜂V1.0041CEB4 ; 比较两者是否相等
0041D2D7 83C4 08 add esp,8
0041D2DA 83F8 00 cmp eax,0
0041D2DD B8 00000000 mov eax,0
0041D2E2 0F94C0 sete al
0041D2E5 8945 E0 mov dword ptr ss:[ebp-20],eax
0041D2E8 8B5D EC mov ebx,dword ptr ss:[ebp-14]
0041D2EB 85DB test ebx,ebx
0041D2ED 74 09 je short 小蜜蜂V1.0041D2F8
0041D2EF 53 push ebx
0041D2F0 E8 6B0A0000 call 小蜜蜂V1.0041DD60
0041D2F5 83C4 04 add esp,4
0041D2F8 8B5D E4 mov ebx,dword ptr ss:[ebp-1C]
0041D2FB 85DB test ebx,ebx
0041D2FD 74 09 je short 小蜜蜂V1.0041D308
0041D2FF 53 push ebx
0041D300 E8 5B0A0000 call 小蜜蜂V1.0041DD60
0041D305 83C4 04 add esp,4
0041D308 837D E0 00 cmp dword ptr ss:[ebp-20],0
0041D30C 0F84 58040000 je 小蜜蜂V1.0041D76A ; 不等则Over,暴破点2,NOP掉
0041D312 6A FF push -1
0041D314 6A 08 push 8
0041D316 68 11000116 push 16010011
0041D31B 68 01000152 push 52010001
0041D320 E8 470A0000 call 小蜜蜂V1.0041DD6C
0041D325 83C4 10 add esp,10
0041D328 8945 F0 mov dword ptr ss:[ebp-10],eax
0041D32B 68 04000080 push 80000004
0041D330 6A 00 push 0
0041D332 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0041D335 85C0 test eax,eax
0041D337 75 05 jnz short 小蜜蜂V1.0041D33E
0041D339 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D33E 50 push eax
0041D33F 68 01000000 push 1
0041D344 BB 30010000 mov ebx,130
0041D349 E8 000A0000 call 小蜜蜂V1.0041DD4E
0041D34E 83C4 10 add esp,10
0041D351 8945 EC mov dword ptr ss:[ebp-14],eax
0041D354 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0041D357 85DB test ebx,ebx
0041D359 74 09 je short 小蜜蜂V1.0041D364
0041D35B 53 push ebx
0041D35C E8 FF090000 call 小蜜蜂V1.0041DD60
0041D361 83C4 04 add esp,4
0041D364 8B45 EC mov eax,dword ptr ss:[ebp-14]
0041D367 33C9 xor ecx,ecx
0041D369 50 push eax
0041D36A 8D45 FC lea eax,dword ptr ss:[ebp-4]
0041D36D 8BD8 mov ebx,eax
0041D36F 58 pop eax
0041D370 41 inc ecx
0041D371 51 push ecx
0041D372 53 push ebx
0041D373 890B mov dword ptr ds:[ebx],ecx
0041D375 50 push eax
0041D376 3BC8 cmp ecx,eax
0041D378 0F8F 17010000 jg 小蜜蜂V1.0041D495
0041D37E 6A FF push -1
0041D380 6A 08 push 8
0041D382 68 11000116 push 16010011
0041D387 68 01000152 push 52010001
0041D38C E8 DB090000 call 小蜜蜂V1.0041DD6C ; \从
0041D391 83C4 10 add esp,10 ; |之
0041D394 8945 F0 mov dword ptr ss:[ebp-10],eax ; |里
0041D397 68 01030080 push 80000301 ; |开
0041D39C 6A 00 push 0 ; |始
0041D39E FF75 FC push dword ptr ss:[ebp-4] ; |，
0041D3A1 68 04000080 push 80000004 ; |由
0041D3A6 6A 00 push 0 ; |注
0041D3A8 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; |册
0041D3AB 85C0 test eax,eax ; |码
0041D3AD 75 05 jnz short 小蜜蜂V1.0041D3B4 ; |反
0041D3AF B8 0AC14000 mov eax,小蜜蜂V1.0040C10A ; |算
0041D3B4 50 push eax ; |用
0041D3B5 68 02000000 push 2 ; |户
0041D3BA BB 44010000 mov ebx,144 ; |名
0041D3BF E8 8A090000 call 小蜜蜂V1.0041DD4E ; |，
0041D3C4 83C4 1C add esp,1C ; |若
0041D3C7 8945 EC mov dword ptr ss:[ebp-14],eax ; |反
0041D3CA 8B5D F0 mov ebx,dword ptr ss:[ebp-10] ; |算
0041D3CD 85DB test ebx,ebx ; |出
0041D3CF 74 09 je short 小蜜蜂V1.0041D3DA ; |的
0041D3D1 53 push ebx ; |结
0041D3D2 E8 89090000 call 小蜜蜂V1.0041DD60 ; |果
0041D3D7 83C4 04 add esp,4 ; |与
0041D3DA DB45 EC fild dword ptr ss:[ebp-14] ; |用
0041D3DD DD5D E4 fstp qword ptr ss:[ebp-1C] ; |户
0041D3E0 DD45 E4 fld qword ptr ss:[ebp-1C] ; |名
0041D3E3 DC05 34C14000 fadd qword ptr ds:[40C134] ; |相
0041D3E9 DD5D DC fstp qword ptr ss:[ebp-24] ; |等
0041D3EC DD45 DC fld qword ptr ss:[ebp-24] ; |，
0041D3EF DC0D 13C14000 fmul qword ptr ds:[40C113] ; |则
0041D3F5 DD5D D4 fstp qword ptr ss:[ebp-2C] ; |不
0041D3F8 68 01060080 push 80000601 ; |提
0041D3FD 68 00003B40 push 403B0000 ; |示
0041D402 68 00000000 push 0 ; |注
0041D407 68 01060080 push 80000601 ; |册
0041D40C FF75 D8 push dword ptr ss:[ebp-28] ; |成
0041D40F FF75 D4 push dword ptr ss:[ebp-2C] ; |功
0041D412 68 02000000 push 2 ; |或
0041D417 BB 48000000 mov ebx,48 ; |失
0041D41C E8 2D090000 call 小蜜蜂V1.0041DD4E ; |败
0041D421 83C4 1C add esp,1C ; |。
0041D424 8945 C4 mov dword ptr ss:[ebp-3C],eax
0041D427 8955 C8 mov dword ptr ss:[ebp-38],edx
0041D42A DD45 C4 fld qword ptr ss:[ebp-3C]
0041D42D E8 94F9FFFF call 小蜜蜂V1.0041CDC6
0041D432 68 01030080 push 80000301
0041D437 6A 00 push 0
0041D439 50 push eax
0041D43A 68 01000000 push 1
0041D43F BB D4010000 mov ebx,1D4
0041D444 E8 05090000 call 小蜜蜂V1.0041DD4E
0041D449 83C4 10 add esp,10
0041D44C 8945 C0 mov dword ptr ss:[ebp-40],eax
0041D44F FF75 C0 push dword ptr ss:[ebp-40]
0041D452 FF75 F4 push dword ptr ss:[ebp-C]
0041D455 B9 02000000 mov ecx,2
0041D45A E8 F9F9FFFF call 小蜜蜂V1.0041CE58
0041D45F 83C4 08 add esp,8
0041D462 8945 BC mov dword ptr ss:[ebp-44],eax
0041D465 8B5D C0 mov ebx,dword ptr ss:[ebp-40]
0041D468 85DB test ebx,ebx
0041D46A 74 09 je short 小蜜蜂V1.0041D475
0041D46C 53 push ebx
0041D46D E8 EE080000 call 小蜜蜂V1.0041DD60
0041D472 83C4 04 add esp,4
0041D475 8B45 BC mov eax,dword ptr ss:[ebp-44]
0041D478 50 push eax
0041D479 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0041D47C 85DB test ebx,ebx
0041D47E 74 09 je short 小蜜蜂V1.0041D489
0041D480 53 push ebx
0041D481 E8 DA080000 call 小蜜蜂V1.0041DD60
0041D486 83C4 04 add esp,4
0041D489 58 pop eax
0041D48A 8945 F4 mov dword ptr ss:[ebp-C],eax
0041D48D 58 pop eax
0041D48E 5B pop ebx
0041D48F 59 pop ecx
0041D490 ^ E9 DBFEFFFF jmp 小蜜蜂V1.0041D370
0041D495 83C4 0C add esp,0C
0041D498 68 4F000000 push 4F
0041D49D B8 3CC14000 mov eax,小蜜蜂V1.0040C13C
0041D4A2 8945 F0 mov dword ptr ss:[ebp-10],eax
0041D4A5 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0041D4A8 50 push eax
0041D4A9 E8 5D030000 call 小蜜蜂V1.0041D80B
0041D4AE 8945 EC mov dword ptr ss:[ebp-14],eax
0041D4B1 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0041D4B4 85DB test ebx,ebx
0041D4B6 74 09 je short 小蜜蜂V1.0041D4C1
0041D4B8 53 push ebx
0041D4B9 E8 A2080000 call 小蜜蜂V1.0041DD60
0041D4BE 83C4 04 add esp,4
0041D4C1 68 1B000000 push 1B
0041D4C6 B8 41C14000 mov eax,小蜜蜂V1.0040C141
0041D4CB 8945 E8 mov dword ptr ss:[ebp-18],eax
0041D4CE 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0041D4D1 50 push eax
0041D4D2 E8 34030000 call 小蜜蜂V1.0041D80B
0041D4D7 8945 E4 mov dword ptr ss:[ebp-1C],eax
0041D4DA 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
0041D4DD 85DB test ebx,ebx
0041D4DF 74 09 je short 小蜜蜂V1.0041D4EA
0041D4E1 53 push ebx
0041D4E2 E8 79080000 call 小蜜蜂V1.0041DD60
0041D4E7 83C4 04 add esp,4
0041D4EA FF75 E4 push dword ptr ss:[ebp-1C]
0041D4ED FF75 F4 push dword ptr ss:[ebp-C]
0041D4F0 FF75 EC push dword ptr ss:[ebp-14]
0041D4F3 B9 03000000 mov ecx,3
0041D4F8 E8 5BF9FFFF call 小蜜蜂V1.0041CE58
0041D4FD 83C4 0C add esp,0C
0041D500 8945 E0 mov dword ptr ss:[ebp-20],eax
0041D503 8B5D EC mov ebx,dword ptr ss:[ebp-14]
0041D506 85DB test ebx,ebx
0041D508 74 09 je short 小蜜蜂V1.0041D513
0041D50A 53 push ebx
0041D50B E8 50080000 call 小蜜蜂V1.0041DD60
0041D510 83C4 04 add esp,4
0041D513 8B5D E4 mov ebx,dword ptr ss:[ebp-1C]
0041D516 85DB test ebx,ebx
0041D518 74 09 je short 小蜜蜂V1.0041D523
0041D51A 53 push ebx
0041D51B E8 40080000 call 小蜜蜂V1.0041DD60
0041D520 83C4 04 add esp,4
0041D523 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0041D526 50 push eax
0041D527 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0041D52A 85DB test ebx,ebx
0041D52C 74 09 je short 小蜜蜂V1.0041D537
0041D52E 53 push ebx
0041D52F E8 2C080000 call 小蜜蜂V1.0041DD60
0041D534 83C4 04 add esp,4
0041D537 58 pop eax
0041D538 8945 F4 mov dword ptr ss:[ebp-C],eax
0041D53B 68 04000080 push 80000004
0041D540 6A 00 push 0
0041D542 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0041D545 85C0 test eax,eax
0041D547 75 05 jnz short 小蜜蜂V1.0041D54E
0041D549 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D54E 50 push eax
0041D54F 68 01000000 push 1
0041D554 BB 30010000 mov ebx,130
0041D559 E8 F0070000 call 小蜜蜂V1.0041DD4E
0041D55E 83C4 10 add esp,10
0041D561 8945 F0 mov dword ptr ss:[ebp-10],eax
0041D564 6A FF push -1
0041D566 6A 08 push 8
0041D568 68 10000116 push 16010010
0041D56D 68 01000152 push 52010001
0041D572 E8 F5070000 call 小蜜蜂V1.0041DD6C
0041D577 83C4 10 add esp,10
0041D57A 8945 EC mov dword ptr ss:[ebp-14],eax
0041D57D 68 01030080 push 80000301
0041D582 6A 00 push 0
0041D584 FF75 F0 push dword ptr ss:[ebp-10]
0041D587 68 01030080 push 80000301
0041D58C 6A 00 push 0
0041D58E 68 01000000 push 1
0041D593 68 04000080 push 80000004
0041D598 6A 00 push 0
0041D59A 8B45 EC mov eax,dword ptr ss:[ebp-14]
0041D59D 85C0 test eax,eax
0041D59F 75 05 jnz short 小蜜蜂V1.0041D5A6
0041D5A1 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D5A6 50 push eax
0041D5A7 68 03000000 push 3
0041D5AC BB 3C010000 mov ebx,13C
0041D5B1 E8 98070000 call 小蜜蜂V1.0041DD4E
0041D5B6 83C4 28 add esp,28
0041D5B9 8945 E8 mov dword ptr ss:[ebp-18],eax
0041D5BC 8B5D EC mov ebx,dword ptr ss:[ebp-14]
0041D5BF 85DB test ebx,ebx
0041D5C1 74 09 je short 小蜜蜂V1.0041D5CC
0041D5C3 53 push ebx
0041D5C4 E8 97070000 call 小蜜蜂V1.0041DD60
0041D5C9 83C4 04 add esp,4
0041D5CC 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0041D5CF 50 push eax
0041D5D0 FF75 E8 push dword ptr ss:[ebp-18]
0041D5D3 E8 DCF8FFFF call 小蜜蜂V1.0041CEB4
0041D5D8 83C4 08 add esp,8
0041D5DB 83F8 00 cmp eax,0
0041D5DE B8 00000000 mov eax,0
0041D5E3 0F95C0 setne al
0041D5E6 8945 E4 mov dword ptr ss:[ebp-1C],eax
0041D5E9 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
0041D5EC 85DB test ebx,ebx
0041D5EE 74 09 je short 小蜜蜂V1.0041D5F9 ; |到
0041D5F0 53 push ebx ; |这
0041D5F1 E8 6A070000 call 小蜜蜂V1.0041DD60 ; |里
0041D5F6 83C4 04 add esp,4 ; |结
0041D5F9 837D E4 00 cmp dword ptr ss:[ebp-1C],0 ; |束
0041D5FD 0F84 62010000 je 小蜜蜂V1.0041D765 ; /。
0041D603 68 04000080 push 80000004
0041D608 6A 00 push 0
0041D60A 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0041D60D 85C0 test eax,eax
0041D60F 75 05 jnz short 小蜜蜂V1.0041D616
0041D611 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D616 50 push eax
0041D617 68 01000000 push 1
0041D61C BB 30010000 mov ebx,130
0041D621 E8 28070000 call 小蜜蜂V1.0041DD4E
0041D626 83C4 10 add esp,10
0041D629 8945 F0 mov dword ptr ss:[ebp-10],eax
0041D62C 6A FF push -1
0041D62E 6A 08 push 8
0041D630 68 11000116 push 16010011
0041D635 68 01000152 push 52010001
0041D63A E8 2D070000 call 小蜜蜂V1.0041DD6C
0041D63F 83C4 10 add esp,10
0041D642 8945 EC mov dword ptr ss:[ebp-14],eax ; 假码"987654321012345678901234567890"
0041D645 68 01030080 push 80000301
0041D64A 6A 00 push 0
0041D64C FF75 F0 push dword ptr ss:[ebp-10]
0041D64F 68 01030080 push 80000301
0041D654 6A 00 push 0
0041D656 68 14000000 push 14 ; 常数,0x14(20)
0041D65B 68 04000080 push 80000004
0041D660 6A 00 push 0
0041D662 8B45 EC mov eax,dword ptr ss:[ebp-14]
0041D665 85C0 test eax,eax
0041D667 75 05 jnz short 小蜜蜂V1.0041D66E
0041D669 B8 0AC14000 mov eax,小蜜蜂V1.0040C10A
0041D66E 50 push eax
0041D66F 68 03000000 push 3
0041D674 BB 3C010000 mov ebx,13C
0041D679 E8 D0060000 call 小蜜蜂V1.0041DD4E ; 从假码第20位开始取
0041D67E 83C4 28 add esp,28
0041D681 8945 E8 mov dword ptr ss:[ebp-18],eax ; 取出的字符串"012345"
0041D684 8B5D EC mov ebx,dword ptr ss:[ebp-14]
0041D687 85DB test ebx,ebx
0041D689 74 09 je short 小蜜蜂V1.0041D694
0041D68B 53 push ebx
0041D68C E8 CF060000 call 小蜜蜂V1.0041DD60 ; 取用户名运算得到的字符串"B18E15"
0041D691 83C4 04 add esp,4
0041D694 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0041D697 50 push eax ; 用户名运算得到的字符串"B18E15"
0041D698 FF75 E8 push dword ptr ss:[ebp-18] ; 从假码取出的字符串"012345"
0041D69B E8 14F8FFFF call 小蜜蜂V1.0041CEB4 ; 比较两者是否相等
0041D6A0 83C4 08 add esp,8
0041D6A3 83F8 00 cmp eax,0
0041D6A6 B8 00000000 mov eax,0
0041D6AB 0F95C0 setne al
0041D6AE 8945 E4 mov dword ptr ss:[ebp-1C],eax
0041D6B1 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
0041D6B4 85DB test ebx,ebx
0041D6B6 74 09 je short 小蜜蜂V1.0041D6C1
0041D6B8 53 push ebx
0041D6B9 E8 A2060000 call 小蜜蜂V1.0041DD60
0041D6BE 83C4 04 add esp,4
0041D6C1 837D E4 00 cmp dword ptr ss:[ebp-1C],0
0041D6C5 0F84 41000000 je 小蜜蜂V1.0041D70C ; 不等则Over,暴破点3,改为Jmp
0041D6CB 68 02000080 push 80000002
0041D6D0 6A 00 push 0
0041D6D2 68 01000000 push 1
0041D6D7 68 01000100 push 10001
0041D6DC 68 00000106 push 6010000
0041D6E1 68 01000152 push 52010001
0041D6E6 68 01000100 push 10001
0041D6EB 68 23000106 push 6010023
0041D6F0 68 24000152 push 52010024
0041D6F5 68 03000000 push 3
0041D6FA BB 20030000 mov ebx,320
0041D6FF E8 4A060000 call 小蜜蜂V1.0041DD4E
0041D704 83C4 28 add esp,28
0041D707 E9 59000000 jmp 小蜜蜂V1.0041D765
0041D70C 6A 00 push 0
-----------------------------------------------------------------------------
【破解总结】
1.依次取用户名每一位字符的ASCII值，记为N[i],进行运算(N[i]+27.0)*4 MOD 27.0，运算结果转为16进制数后再转为字符串依次连接，记为str2。
2.程序内置2个固定字符串，分别记为str1"[DCG][OCN][PYG]-No."和str3"-KAN"。
3.依次连接字符串str1,str2,str3即为注册码。
一组可用注册信息：
====================================================
注册名:hrbx
注册码:[DCG][OCN][PYG]-No.B18E15-KAN
====================================================
暴破更改以下位置：
0041D1C7 je 小蜜蜂V1.0041D1D4 ; je====>Nop
0041D30C je 小蜜蜂V1.0041D76A ; je====>Nop
0041D6C5 je 小蜜蜂V1.0041D70C ; je====>Jmp
--------------------------------------------------------------------------
【VB注册机源码】
Private Sub btnGenerate_Click(ByVal ClickReason As b2kClickReason)
Dim UserName As String
Dim Serial As String
Dim TmpStr As String
Dim Num As Integer
Dim Length As Integer
Dim i As Integer
On Error Resume Next
If Text1.Text = "" Then
Text2.Text = "请输入用户名！"
Else
UserName = Trim(Text1.Text)
Length = Len(UserName)
For i = 1 To Length
Num = ((Asc(Mid$(UserName, i, 1)) + 27) * 4) Mod 27
TmpStr = TmpStr & Hex(Num)
Next i
Serial = "[DCG][OCN][PYG]-No." & TmpStr & "-KAN"
Text2.Text = Serial
End If
-------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

复制代码

[ 本帖最后由 hrbx 于 2007-11-18 12:59 编辑 ]

hrbx · 发表于 2007-11-16 21:57:00

截个图，：）

[ 本帖最后由 hrbx 于 2007-11-16 22:03 编辑 ]

dewar · 发表于 2007-11-17 09:11:40

原帖由奈落于 2007-11-16 22:05 发表
不知道有谁能介绍下浮点运算~这个有点不太懂`

google一下吧,很好找的

秋之夜 · 发表于 2007-11-18 01:08:25

好厉害，我也去试试。。

tianxj · 发表于 2007-11-18 11:55:13

好文，学习了

acafeel · 发表于 2007-11-19 10:27:58

牛人，厉害的说，用尽全力的顶！/:good /:good /:good

郑宇鸣 · 发表于 2007-11-19 13:25:59

我对注册机的皮肤也很感兴趣/:013

lgjxj · 发表于 2007-11-19 15:41:22

原帖由 acafeel 于 2007-11-19 10:27 发表
牛人，厉害的说，用尽全力的顶！/:good /:good /:good

太过分了，没点正经 /:017

sdprtf · 发表于 2007-11-21 21:14:31

好东西,下来看看!!!!

wulijin · 发表于 2007-12-31 10:39:40

OVERLAY是什么意思啊

		自动登录	找回密码
密码			加入我们

[原创] 小蜜蜂CrackMe简单算法分析+VB注册机源码

相关帖子

本帖子中包含更多资源