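【Write-up title】Family Finance (家庭理财) V2.2.0: cracking the main program and its algorithm
【Write-up author】lzq1973[PYG][CZG]
【Author email】[email protected]
【Author homepage】
【Tools】OD, PEiD, C32Asm
【Platform】WIN98, WIN2000
【Software name】Family Finance (家庭理财) V2.2.0
【Software size】6175 KB
【Original download】http://www4.skycn.com/soft/22911.html
【Protection】No packer (VB6)
【Software description】 Family Finance is a program developed for one's own household, with a friendly interface and convenient, intuitive operation. It supports a customizable user interface: you can set your own layout and background colors. The new version V1.2.0 supports exporting data to Excel files, printing, backup and restore.
The current version of Family Finance contains the following modules:
★ Income and expense management: records everyday household (personal) income and expenses; the two functions operate as separate modules. Each income and expense item has system defaults and can also be customized by the household. In the expense module, if an annual budget is set, the program continuously shows, during actual spending, the amount still available to spend and the amount already spent for the current year and month.
★ Beginning-of-year household budget management: sets the annual expense budget, either by month or by year.
★ Annual accounting management: provides annual statistics and accounting; this can be done automatically by the system, or selectively by income, expense and item according to the user's needs.
★ Annual statistics and summary: by year or by a user-specified date range, with statistics and summaries by different category combinations (up to 10 categories).
★ Bank account and password management: records bank deposit account numbers and passwords and provides an account-closing function; the system can automatically record the interest after closing as a household income item. It also manages bank account passwords. Passwords entered by the user are automatically encrypted by the system before being saved; to retrieve them, the login password must be verified before they are displayed, which improves the security of management.
★ Bank deposit and withdrawal journal management: keeps a running journal of bank account amounts, so that deposit and withdrawal dates and related records can be looked up at any time later or after an account is closed.
★ Stock trading management: provides a transaction journal for stock traders; the user can choose whether to save trading profits to the income database.
★ Area code and postal code lookup.
★ Household address book management: records and looks up contact information for your friends.
0. "Family Finance" (家庭理财) was originally named "Household Funds Management System" (家庭经费管理系统) v1.1.0; at friends' suggestion it was renamed "Family Finance" after version v1.1.1. Users of the original "Household Funds Management System" v1.1.0 can continue to use their previous data; the system upgrades the old database automatically. For details see the file 《使用说明.txt》 in the download archive.
1. "Family Finance" is released as shareware. Registered users can upgrade to later versions free of charge and will be notified promptly of new versions; new versions will support the database format of older versions and upgrade old databases automatically.
2. The software supports multiple households and multiple users; data cannot be shared between households. Within one household, different users' data can be shared for statistics or queries, but this requires that user's authorization, and the data cannot be modified.
3. The software is simple to operate and has a friendly interface. The unregistered version has no functional restrictions but can be used 30 times. After registering, users can upgrade to new versions free of charge, and the database from the trial period can continue to be used (if the trial-period database version is older, the system upgrades it automatically to the latest version). For how to register, see the help file.
4. "Family Finance" is still being improved and corrected; users are welcome to suggest features to be added.
5. Please read the file 《使用说明.txt》 before use.
Also: planned for new versions are a household notebook and memo, messages between household users, various reminders, holiday lookup, everyday-knowledge reference and similar functions.
【Statement】I'm just a little newbie; this is purely for learning, and I'm happy to share it with everyone!
------------------------------------------------------------------------
【Process】
First run the program. At startup it shows a prompt along the lines of “未注册版本,还有XX次可有试用!请及时注册!!” ("Unregistered version, XX trial uses remaining! Please register soon!"). In the main interface I went to the registration window, entered a random registration code and clicked Register; it said to restart the program, so the check is performed at startup.
My hardware ID (the program calls it the "information code") is 12370, and the registration name I entered is lzq1973.
[1. Finding the registration code]
After loading the program in C32Asm and searching for the relevant strings, load it in OD and break here.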
005D81EA . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
005D81F0 . 83C4 0C add esp,0C
005D81F3 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
005D81F6 . FF15 20134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeObj
005D81FC . E9 0A040000 jmp PFIN.005D860B
005D8201 > E8 8A670B00 call PFIN.0068E990 ; compute the hardware ID (reads the C: drive serial number)
005D8206 . 8BD0 mov edx,eax ; (UNICODE "12370")
005D8208 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
005D820B . FFD6 call esi
005D820D . 68 343C4500 push PFIN.00453C34 ; UNICODE "Txt='"
005D8212 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
005D8215 . 50 push eax
005D8216 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
005D8219 . 51 push ecx
005D821A . E8 A16B0B00 call PFIN.0068EDC0 ; compute the registration code
005D821F . 8BD0 mov edx,eax ; (UNICODE "RRVPP1RQZPQP1RRV") a memory keygen can be made here
005D8221 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
005D8224 . FFD6 call esi
005D8226 . 50 push eax
005D8227 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCat
005D822D . 8BD0 mov edx,eax
005D822F . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
005D8232 . FFD6 call esi
005D8234 . 50 push eax
005D8235 . 68 A83C4500 push PFIN.00453CA8
005D823A . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCat
005D8240 . 8BD0 mov edx,eax
005D8242 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
005D8245 . FFD6 call esi
005D8247 . BA 203C4500 mov edx,PFIN.00453C20 ; UNICODE "Memory"
005D824C . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
005D824F . FFD7 call edi
005D8251 . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
005D8254 . 52 push edx
005D8255 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
005D8258 . 50 push eax
005D8259 . E8 B2B10000 call PFIN.005E3410
005D825E . 66:8945 B4 mov word ptr ss:[ebp-4C],ax
005D8262 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
005D8265 . 51 push ecx
005D8266 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
005D8269 . 52 push edx
005D826A . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
005D826D . 50 push eax
005D826E . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
005D8271 . 51 push ecx
005D8272 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
005D8275 . 52 push edx
005D8276 . 6A 05 push 5
005D8278 . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
005D827E . 83C4 18 add esp,18
005D8281 . 66:837D B4 00 cmp word ptr ss:[ebp-4C],0 ; compare for equality
005D8286 . 0F84 A6000000 je PFIN.005D8332 ; jump if not equal (can be patched here)
005D828C . 66:C705 5C2088>mov word ptr ds:[88205C],0FFFF
005D8295 . 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
005D8298 . 8B08 mov ecx,dword ptr ds:[eax]
005D829A . 50 push eax
005D829B . FF91 00030000 call dword ptr ds:[ecx+300]
005D82A1 . 50 push eax
005D82A2 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
005D82A5 . 52 push edx
005D82A6 . FFD3 call ebx
005D82A8 . 8BF8 mov edi,eax
005D82AA . 8B07 mov eax,dword ptr ds:[edi]
005D82AC . 6A 00 push 0
005D82AE . 57 push edi
005D82AF . FF90 9C000000 call dword ptr ds:[eax+9C]
005D82B5 . DBE2 fclex
005D82B7 . 85C0 test eax,eax
005D82B9 . 7D 12 jge short PFIN.005D82CD
005D82BB . 68 9C000000 push 9C
005D82C0 . 68 D8484500 push PFIN.004548D8
005D82C5 . 57 push edi
005D82C6 . 50 push eax
005D82C7 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaH>; MSVBVM60.__vbaHresultCheckObj
005D82CD > 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
005D82D0 . FF15 20134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeObj
005D82D6 . 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
005D82D9 . 8B08 mov ecx,dword ptr ds:[eax]
005D82DB . 50 push eax
005D82DC . FF91 04030000 call dword ptr ds:[ecx+304]
005D82E2 . 50 push eax
005D82E3 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
005D82E6 . 52 push edx
005D82E7 . FFD3 call ebx
005D82E9 . 8BF8 mov edi,eax
005D82EB . 8B1F mov ebx,dword ptr ds:[edi]
005D82ED . 68 BCF24500 push PFIN.0045F2BC ; \->: 注册信息:本软件已由【
005D82F2 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
005D82F5 . 50 push eax
005D82F6 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCat
005D82FC . 8BD0 mov edx,eax
005D82FE . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
005D8301 . FFD6 call esi
005D8303 . 50 push eax
005D8304 . 68 D8F24500 push PFIN.0045F2D8 ; \->: 】注册使用!
005D8309 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCat
005D830F . 8BD0 mov edx,eax
005D8311 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
005D8314 . FFD6 call esi
005D8316 . 50 push eax
005D8317 . 57 push edi
005D8318 . FF53 54 call dword ptr ds:[ebx+54]
005D831B . DBE2 fclex
005D831D . 85C0 test eax,eax
005D831F . 0F8D FE010000 jge PFIN.005D8523
005D8325 . 6A 54 push 54
005D8327 . 68 D8484500 push PFIN.004548D8
005D832C . 57 push edi
005D832D . E9 EA010000 jmp PFIN.005D851C
005D8332 > 66:C705 5C2088>mov word ptr ds:[88205C],0
005D833B . 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
005D833E . 8B08 mov ecx,dword ptr ds:[eax]
005D8340 . 50 push eax
005D8341 . FF91 04030000 call dword ptr ds:[ecx+304]
005D8347 . 50 push eax
005D8348 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
005D834B . 52 push edx
005D834C . FFD3 call ebx
005D834E . 8BD8 mov ebx,eax
005D8350 . 8B03 mov eax,dword ptr ds:[ebx]
005D8352 . 68 50F24500 push PFIN.0045F250 ; \->: 未注册版本,还有 次可有试用!请及时注册!!
005D8357 . 53 push ebx
005D8358 . FF50 54 call dword ptr ds:[eax+54]
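Because it is a plaintext comparison, the job is basically done at this point.
[2. Finding the algorithm]
Step into (F7) the call at 005D821A E8 A16B0B00 call PFIN.0068EDC0, which leads here: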
0068EDC0 $ 55 push ebp
0068EDC1 . 8BEC mov ebp,esp
0068EDC3 . 83EC 0C sub esp,0C
0068EDC6 . 68 76FC4000 push <jmp.&MSVBVM60.__vbaExceptHandl>; SE handler installation
0068EDCB . 64:A1 00000000 mov eax,dword ptr fs:[0]
0068EDD1 . 50 push eax
0068EDD2 . 64:8925 000000>mov dword ptr fs:[0],esp
0068EDD9 . 81EC 88000000 sub esp,88
0068EDDF . 53 push ebx
0068EDE0 . 56 push esi
0068EDE1 . 57 push edi
0068EDE2 . 8965 F4 mov dword ptr ss:[ebp-C],esp
0068EDE5 . C745 F8 506E40>mov dword ptr ss:[ebp-8],PFIN.00406E>
0068EDEC . 33C0 xor eax,eax
0068EDEE . BA 203B4500 mov edx,PFIN.00453B20
0068EDF3 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0068EDF6 . 8945 E4 mov dword ptr ss:[ebp-1C],eax
0068EDF9 . 8945 E0 mov dword ptr ss:[ebp-20],eax
0068EDFC . 8945 DC mov dword ptr ss:[ebp-24],eax
0068EDFF . 8945 D8 mov dword ptr ss:[ebp-28],eax
0068EE02 . 8945 D4 mov dword ptr ss:[ebp-2C],eax
0068EE05 . 8945 D0 mov dword ptr ss:[ebp-30],eax
0068EE08 . 8945 CC mov dword ptr ss:[ebp-34],eax
0068EE0B . 8945 C8 mov dword ptr ss:[ebp-38],eax
0068EE0E . 8945 C4 mov dword ptr ss:[ebp-3C],eax
0068EE11 . 8945 C0 mov dword ptr ss:[ebp-40],eax
0068EE14 . 8945 B0 mov dword ptr ss:[ebp-50],eax
0068EE17 . 8945 A0 mov dword ptr ss:[ebp-60],eax
0068EE1A . FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCopy
0068EE20 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
0068EE23 . 8B08 mov ecx,dword ptr ds:[eax]
0068EE25 . 51 push ecx ; push the user name (UNICODE "lzq1973")
0068EE26 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaL>; MSVBVM60.__vbaLenBstr
0068EE2C . 8BC8 mov ecx,eax
0068EE2E . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2I4
0068EE34 . 8B35 D8124000 mov esi,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaStrMove
0068EE3A . 8B1D 70104000 mov ebx,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaStrCat
0068EE40 . 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
0068EE46 . BF 01000000 mov edi,1
0068EE4B > 66:3BBD 78FFFF>cmp di,word ptr ss:[ebp-88] ; /convert the user name to ASCII
0068EE52 . 0F8F D1000000 jg PFIN.0068EF29
0068EE58 . 8B55 08 mov edx,dword ptr ss:[ebp+8]
0068EE5B . 8B02 mov eax,dword ptr ds:[edx]
0068EE5D . 50 push eax
0068EE5E . FF15 60104000 call dword ptr ds:[<&MSVBVM60.#519>] ; MSVBVM60.rtcTrimBstr
0068EE64 . 8BD0 mov edx,eax
0068EE66 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0068EE69 . FFD6 call esi
0068EE6B . 8B55 C0 mov edx,dword ptr ss:[ebp-40]
0068EE6E . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0068EE71 . 0FBFC7 movsx eax,di
0068EE74 . 51 push ecx
0068EE75 . 50 push eax
0068EE76 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068EE79 . C745 B8 010000>mov dword ptr ss:[ebp-48],1
0068EE80 . C745 B0 020000>mov dword ptr ss:[ebp-50],2
0068EE87 . C745 C0 000000>mov dword ptr ss:[ebp-40],0 ; user name
0068EE8E . FFD6 call esi
0068EE90 . 50 push eax
0068EE91 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0068EE97 . 8BD0 mov edx,eax
0068EE99 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0068EE9C . FFD6 call esi
0068EE9E . 50 push eax
0068EE9F . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0068EEA5 . 8BC8 mov ecx,eax
0068EEA7 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2Abs
0068EEAD . 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0068EEB0 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
0068EEB3 . 51 push ecx
0068EEB4 . 52 push edx
0068EEB5 . 66:8945 A8 mov word ptr ss:[ebp-58],ax
0068EEB9 . C745 A0 020000>mov dword ptr ss:[ebp-60],2
0068EEC0 . FF15 08124000 call dword ptr ds:[<&MSVBVM60.#536>] ; MSVBVM60.rtcStrFromVar
0068EEC6 . 8BD0 mov edx,eax ; convert character by character
0068EEC8 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0068EECB . FFD6 call esi
0068EECD . 50 push eax
0068EECE . FF15 60104000 call dword ptr ds:[<&MSVBVM60.#519>] ; MSVBVM60.rtcTrimBstr
0068EED4 . 8BD0 mov edx,eax
0068EED6 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068EED9 . FFD6 call esi
0068EEDB . 50 push eax
0068EEDC . FFD3 call ebx
0068EEDE . 8BD0 mov edx,eax ; concatenate character by character
0068EEE0 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0068EEE3 . FFD6 call esi
0068EEE5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0068EEE8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068EEEB . 50 push eax
0068EEEC . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0068EEEF . 51 push ecx
0068EEF0 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0068EEF3 . 52 push edx
0068EEF4 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068EEF7 . 50 push eax
0068EEF8 . 51 push ecx
0068EEF9 . 6A 05 push 5
0068EEFB . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
0068EF01 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
0068EF04 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
0068EF07 . 52 push edx
0068EF08 . 50 push eax
0068EF09 . 6A 02 push 2
0068EF0B . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
0068EF11 . B8 01000000 mov eax,1
0068EF16 . 83C4 24 add esp,24
0068EF19 . 66:03C7 add ax,di
0068EF1C . 0F80 E9010000 jo PFIN.0068F10B
0068EF22 . 8BF8 mov edi,eax
0068EF24 .^ E9 22FFFFFF jmp PFIN.0068EE4B ; \loop
0068EF29 > BA 203B4500 mov edx,PFIN.00453B20
0068EF2E . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0068EF31 . FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCopy
0068EF37 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
0068EF3A . 8B11 mov edx,dword ptr ds:[ecx]
0068EF3C . 52 push edx
0068EF3D . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaL>; MSVBVM60.__vbaLenBstr
0068EF43 . 8BC8 mov ecx,eax
0068EF45 . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2I4
0068EF4B > 8BF8 mov edi,eax ; /reverse the hardware ID
0068EF4D . B8 01000000 mov eax,1
0068EF52 . 66:3BF8 cmp di,ax
0068EF55 . 8945 B8 mov dword ptr ss:[ebp-48],eax
0068EF58 . C745 B0 020000>mov dword ptr ss:[ebp-50],2
0068EF5F . 7C 49 jl short PFIN.0068EFAA
0068EF61 . 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0068EF64 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0068EF67 . 50 push eax
0068EF68 . 8B45 0C mov eax,dword ptr ss:[ebp+C]
0068EF6B . 0FBFD7 movsx edx,di
0068EF6E . 51 push ecx
0068EF6F . 8B08 mov ecx,dword ptr ds:[eax]
0068EF71 . 52 push edx
0068EF72 . 51 push ecx
0068EF73 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0068EF79 . 8BD0 mov edx,eax
0068EF7B . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068EF7E . FFD6 call esi
0068EF80 . 50 push eax
0068EF81 . FFD3 call ebx
0068EF83 . 8BD0 mov edx,eax
0068EF85 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0068EF88 . FFD6 call esi
0068EF8A . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068EF8D . FF15 1C134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
0068EF93 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0068EF96 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVar
0068EF9C . 83C8 FF or eax,FFFFFFFF
0068EF9F . 66:03C7 add ax,di
0068EFA2 . 0F80 63010000 jo PFIN.0068F10B
0068EFA8 .^ EB A1 jmp short PFIN.0068EF4B ; \loop
0068EFAA > 8B7D 0C mov edi,dword ptr ss:[ebp+C]
0068EFAD . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0068EFB0 . 52 push edx
0068EFB1 . 6A 03 push 3
0068EFB3 . 8B07 mov eax,dword ptr ds:[edi]
0068EFB5 . 50 push eax
0068EFB6 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0068EFBC . 8BD0 mov edx,eax
0068EFBE . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0068EFC1 . FFD6 call esi
0068EFC3 . 8B4D D8 mov ecx,dword ptr ss:[ebp-28] ; (UNICODE "07321")
0068EFC6 . 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; (UNICODE "10812211349575551")
0068EFC9 . 50 push eax
0068EFCA . 51 push ecx
0068EFCB . 52 push edx
0068EFCC . FFD3 call ebx
0068EFCE . 8BD0 mov edx,eax ; (UNICODE "0732110812211349575551")
0068EFD0 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068EFD3 . FFD6 call esi
0068EFD5 . 50 push eax
0068EFD6 . 8B07 mov eax,dword ptr ds:[edi] ; (UNICODE "12370")
0068EFD8 . 50 push eax
0068EFD9 . FFD3 call ebx
0068EFDB . 8BD0 mov edx,eax ; (UNICODE "073211081221134957555112370")
0068EFDD . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0068EFE0 . FFD6 call esi
0068EFE2 . 50 push eax
0068EFE3 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.#519>] ; MSVBVM60.rtcTrimBstr
0068EFE9 . 8BD0 mov edx,eax
0068EFEB . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068EFEE . FFD6 call esi
0068EFF0 . 50 push eax ; (UNICODE "073211081221134957555112370")
0068EFF1 . FFD3 call ebx ; prepend 3 to it
0068EFF3 . 8BD0 mov edx,eax ; (UNICODE "3073211081221134957555112370")
0068EFF5 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0068EFF8 . FFD6 call esi
0068EFFA . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068EFFD . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0068F000 . 51 push ecx
0068F001 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0068F004 . 52 push edx
0068F005 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068F008 . 50 push eax
0068F009 . 51 push ecx
0068F00A . 6A 04 push 4
0068F00C . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
0068F012 . 83C4 14 add esp,14
0068F015 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0068F018 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVar
0068F01E . 8B55 DC mov edx,dword ptr ss:[ebp-24]
0068F021 . 52 push edx
0068F022 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaL>; MSVBVM60.__vbaLenBstr
0068F028 . 83F8 10 cmp eax,10
0068F02B . 6A 10 push 10
0068F02D . 7D 29 jge short PFIN.0068F058
0068F02F . 8B45 DC mov eax,dword ptr ss:[ebp-24]
0068F032 . 8B0F mov ecx,dword ptr ds:[edi]
0068F034 . 50 push eax
0068F035 . 51 push ecx
0068F036 . FFD3 call ebx
0068F038 . 8BD0 mov edx,eax
0068F03A . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068F03D . FFD6 call esi
0068F03F . 50 push eax
0068F040 . FF15 C0124000 call dword ptr ds:[<&MSVBVM60.#616>] ; MSVBVM60.rtcLeftCharBstr
0068F046 . 8BD0 mov edx,eax
0068F048 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0068F04B . FFD6 call esi
0068F04D . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068F050 . FF15 1C134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
0068F056 . EB 11 jmp short PFIN.0068F069
0068F058 > 8B55 DC mov edx,dword ptr ss:[ebp-24]
0068F05B . 52 push edx
0068F05C . FF15 C0124000 call dword ptr ds:[<&MSVBVM60.#616>] ; MSVBVM60.rtcLeftCharBstr
0068F062 . 8BD0 mov edx,eax ; take the first 16 characters (UNICODE "3073211081221134")
0068F064 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0068F067 . FFD6 call esi
0068F069 > BA 04994600 mov edx,PFIN.00469904 ; (UNICODE "cabacb")
0068F06E . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068F071 . FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCopy
0068F077 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0068F07A . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0068F07D . 50 push eax
0068F07E . 51 push ecx
0068F07F . E8 8C68F5FF call PFIN.005E5910 ; registration algorithm
0068F084 . 8BD0 mov edx,eax ; (UNICODE "RRVPP1RQZPQP1RRV") a memory keygen can also be made here
0068F086 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0068F089 . FFD6 call esi
0068F08B . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0068F08E . FF15 1C134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
0068F094 . 68 F5F06800 push PFIN.0068F0F5
0068F099 . EB 3F jmp short PFIN.0068F0DA
0068F09B . F645 FC 04 test byte ptr ss:[ebp-4],4
0068F09F . 74 09 je short PFIN.0068F0AA
0068F0A1 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0068F0A4 . FF15 1C134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
0068F0AA > 8D55 C0 lea edx,dword ptr ss:[ebp-40]
0068F0AD . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0068F0B0 . 52 push edx
0068F0B1 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0068F0B4 . 50 push eax
0068F0B5 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
0068F0B8 . 51 push ecx
0068F0B9 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0068F0BC . 52 push edx
0068F0BD . 50 push eax
0068F0BE . 6A 05 push 5
0068F0C0 . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
0068F0C6 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
0068F0C9 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0068F0CC . 51 push ecx
0068F0CD . 52 push edx
0068F0CE . 6A 02 push 2
0068F0D0 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
0068F0D6 . 83C4 24 add esp,24
0068F0D9 . C3 retn
0068F0DA > 8B35 1C134000 mov esi,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaFreeStr
0068F0E0 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0068F0E3 . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
0068F0E5 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0068F0E8 . FFD6 call esi
0068F0EA . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0068F0ED . FFD6 call esi
0068F0EF . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0068F0F2 . FFD6 call esi
0068F0F4 . C3 retn
0068F0F5 . 8B4D EC mov ecx,dword ptr ss:[ebp-14]
0068F0F8 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0068F0FB . 5F pop edi
0068F0FC . 5E pop esi
0068F0FD . 64:890D 000000>mov dword ptr fs:[0],ecx
0068F104 . 5B pop ebx
0068F105 . 8BE5 mov esp,ebp
0068F107 . 5D pop ebp
0068F108 . C2 0800 retn 8
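The gist of the code above is:
A. First convert the user name to ASCII;
B. Then reverse the hardware ID;
C. Concatenate (the reversed ID goes first, i.e. on the left; the ASCII form of the user name goes in the middle; the hardware ID goes last);
D. Prepend 3 to the concatenated string;
E. Take the first 16 characters of the whole string, i.e. 3073211081221134;
F. Convert the constant "cabacb" to ASCII;
G. Finally, operate on "F" and "E" to obtain the registration code.
[3. The actual algorithm]
Step into (F7) the call at 0068F07F E8 8C68F5FF call PFIN.005E5910, which leads here: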
005E5910 $ 55 push ebp
005E5911 . 8BEC mov ebp,esp
005E5913 . 83EC 0C sub esp,0C
005E5916 . 68 76FC4000 push <jmp.&MSVBVM60.__vbaExceptHandl>; SE handler installation
005E591B . 64:A1 00000000 mov eax,dword ptr fs:[0]
005E5921 . 50 push eax
005E5922 . 64:8925 000000>mov dword ptr fs:[0],esp
005E5929 . 81EC 98000000 sub esp,98
005E592F . 53 push ebx
005E5930 . 56 push esi
005E5931 . 57 push edi
005E5932 . 8965 F4 mov dword ptr ss:[ebp-C],esp
005E5935 . C745 F8 183A40>mov dword ptr ss:[ebp-8],PFIN.00403A>
005E593C . 8B45 0C mov eax,dword ptr ss:[ebp+C]
005E593F . 33FF xor edi,edi
005E5941 . 897D E0 mov dword ptr ss:[ebp-20],edi
005E5944 . 897D D8 mov dword ptr ss:[ebp-28],edi
005E5947 . 8B08 mov ecx,dword ptr ds:[eax] ; (UNICODE "cabacb")
005E5949 . 897D D4 mov dword ptr ss:[ebp-2C],edi
005E594C . 51 push ecx ; (UNICODE "cabacb")
005E594D . 897D D0 mov dword ptr ss:[ebp-30],edi
005E5950 . 897D C0 mov dword ptr ss:[ebp-40],edi
005E5953 . 897D B0 mov dword ptr ss:[ebp-50],edi
005E5956 . 897D A0 mov dword ptr ss:[ebp-60],edi
005E5959 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaL>; MSVBVM60.__vbaLenBstr
005E595F . 8BC8 mov ecx,eax
005E5961 . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2I4
005E5967 . 8BF0 mov esi,eax
005E5969 . 57 push edi
005E596A . 0FBFD6 movsx edx,si
005E596D . 52 push edx
005E596E . 6A 01 push 1
005E5970 . 6A 02 push 2
005E5972 . 68 24258800 push PFIN.00882524
005E5977 . 6A 02 push 2
005E5979 . 68 80000000 push 80
005E597E . 8975 DC mov dword ptr ss:[ebp-24],esi
005E5981 . FF15 70114000 call dword ptr ds:[<&MSVBVM60.__vbaR>; MSVBVM60.__vbaRedim
005E5987 . 83C4 1C add esp,1C
005E598A . 66:83EE 01 sub si,1
005E598E . 0F80 CA040000 jo PFIN.005E5E5E
005E5994 . 0FBFC6 movsx eax,si
005E5997 . 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
005E599D . 33C0 xor eax,eax
005E599F . BB 01000000 mov ebx,1
005E59A4 . A3 1C258800 mov dword ptr ds:[88251C],eax
005E59A9 > 3B85 78FFFFFF cmp eax,dword ptr ss:[ebp-88] ; /convert cabac to ASCII
005E59AF . 0F8F 07010000 jg PFIN.005E5ABC
005E59B5 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
005E59B8 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
005E59BB . 83C0 01 add eax,1
005E59BE . 52 push edx
005E59BF . 0F80 99040000 jo PFIN.005E5E5E
005E59C5 . 50 push eax
005E59C6 . 894D A8 mov dword ptr ss:[ebp-58],ecx
005E59C9 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
005E59CC . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
005E59CF . 50 push eax
005E59D0 . 51 push ecx
005E59D1 . C745 C8 010000>mov dword ptr ss:[ebp-38],1
005E59D8 . C745 C0 020000>mov dword ptr ss:[ebp-40],2
005E59DF . C745 A0 084000>mov dword ptr ss:[ebp-60],4008
005E59E6 . FF15 04114000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
005E59EC . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
005E59EF . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
005E59F2 . 52 push edx
005E59F3 . 50 push eax
005E59F4 . FF15 FC114000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrVarVal
005E59FA . 50 push eax
005E59FB . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
005E5A01 . 8BF0 mov esi,eax
005E5A03 . A1 24258800 mov eax,dword ptr ds:[882524]
005E5A08 . 3BC7 cmp eax,edi
005E5A0A . 74 22 je short PFIN.005E5A2E
005E5A0C . 66:8338 01 cmp word ptr ds:[eax],1
005E5A10 . 75 1C jnz short PFIN.005E5A2E
005E5A12 . 8B3D 1C258800 mov edi,dword ptr ds:[88251C]
005E5A18 . 8B50 14 mov edx,dword ptr ds:[eax+14]
005E5A1B . 8B48 10 mov ecx,dword ptr ds:[eax+10]
005E5A1E . 2BFA sub edi,edx
005E5A20 . 3BF9 cmp edi,ecx
005E5A22 . 72 06 jb short PFIN.005E5A2A
005E5A24 . FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5A2A > 03FF add edi,edi
005E5A2C . EB 08 jmp short PFIN.005E5A36
005E5A2E > FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5A34 . 8BF8 mov edi,eax
005E5A36 > 6A 02 push 2
005E5A38 . 8BCE mov ecx,esi
005E5A3A . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2Abs
005E5A40 . 50 push eax
005E5A41 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrI2
005E5A47 . 8B35 D8124000 mov esi,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaStrMove
005E5A4D . 8BD0 mov edx,eax
005E5A4F . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
005E5A52 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
005E5A54 . 50 push eax
005E5A55 . FF15 C0124000 call dword ptr ds:[<&MSVBVM60.#616>] ; MSVBVM60.rtcLeftCharBstr
005E5A5B . 8BD0 mov edx,eax
005E5A5D . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
005E5A60 . FFD6 call esi
005E5A62 . 50 push eax
005E5A63 . FF15 24134000 call dword ptr ds:[<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
005E5A69 . FF15 B0124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFpI2
005E5A6F . 8B0D 24258800 mov ecx,dword ptr ds:[882524]
005E5A75 . 8B51 0C mov edx,dword ptr ds:[ecx+C]
005E5A78 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
005E5A7B . 66:89043A mov word ptr ds:[edx+edi],ax
005E5A7F . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
005E5A82 . 50 push eax
005E5A83 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
005E5A86 . 51 push ecx
005E5A87 . 52 push edx
005E5A88 . 6A 03 push 3
005E5A8A . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
005E5A90 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
005E5A93 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
005E5A96 . 50 push eax
005E5A97 . 51 push ecx
005E5A98 . 6A 02 push 2
005E5A9A . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
005E5AA0 . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5AA5 . 83C4 1C add esp,1C
005E5AA8 . 03C3 add eax,ebx
005E5AAA . 0F80 AE030000 jo PFIN.005E5E5E
005E5AB0 . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5AB5 . 33FF xor edi,edi
005E5AB7 .^ E9 EDFEFFFF jmp PFIN.005E59A9 ; \loop (convert cabac to ASCII)
005E5ABC > 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
005E5ABF . 8B13 mov edx,dword ptr ds:[ebx] ; (UNICODE "3073211081221134")
005E5AC1 . 52 push edx
005E5AC2 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaL>; MSVBVM60.__vbaLenBstr
005E5AC8 . 8BC8 mov ecx,eax
005E5ACA . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2I4
005E5AD0 . 8BF0 mov esi,eax
005E5AD2 . 57 push edi
005E5AD3 . 0FBFC6 movsx eax,si
005E5AD6 . 50 push eax
005E5AD7 . 6A 01 push 1
005E5AD9 . 6A 02 push 2
005E5ADB . 68 20258800 push PFIN.00882520
005E5AE0 . 6A 02 push 2
005E5AE2 . 68 80000000 push 80
005E5AE7 . 8975 E8 mov dword ptr ss:[ebp-18],esi
005E5AEA . FF15 70114000 call dword ptr ds:[<&MSVBVM60.__vbaR>; MSVBVM60.__vbaRedim
005E5AF0 . 66:8BCE mov cx,si
005E5AF3 . 83C4 1C add esp,1C
005E5AF6 . 66:83E9 01 sub cx,1
005E5AFA . BF 01000000 mov edi,1
005E5AFF . 0F80 59030000 jo PFIN.005E5E5E
005E5B05 . 0FBFD1 movsx edx,cx
005E5B08 . 33C0 xor eax,eax
005E5B0A . 8995 70FFFFFF mov dword ptr ss:[ebp-90],edx
005E5B10 . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5B15 > 3B85 70FFFFFF cmp eax,dword ptr ss:[ebp-90]
005E5B1B . 0F8F BF000000 jg PFIN.005E5BE0
005E5B21 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
005E5B24 . 83C0 01 add eax,1
005E5B27 . 51 push ecx
005E5B28 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
005E5B2B . 0F80 2D030000 jo PFIN.005E5E5E
005E5B31 . 50 push eax
005E5B32 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
005E5B35 . 52 push edx
005E5B36 . 50 push eax
005E5B37 . C745 C8 010000>mov dword ptr ss:[ebp-38],1
005E5B3E . C745 C0 020000>mov dword ptr ss:[ebp-40],2
005E5B45 . 895D A8 mov dword ptr ss:[ebp-58],ebx
005E5B48 . C745 A0 084000>mov dword ptr ss:[ebp-60],4008
005E5B4F . FF15 04114000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
005E5B55 . A1 20258800 mov eax,dword ptr ds:[882520]
005E5B5A . 85C0 test eax,eax
005E5B5C . 74 22 je short PFIN.005E5B80
005E5B5E . 66:8338 01 cmp word ptr ds:[eax],1
005E5B62 . 75 1C jnz short PFIN.005E5B80
005E5B64 . 8B35 1C258800 mov esi,dword ptr ds:[88251C]
005E5B6A . 8B50 14 mov edx,dword ptr ds:[eax+14]
005E5B6D . 8B48 10 mov ecx,dword ptr ds:[eax+10]
005E5B70 . 2BF2 sub esi,edx
005E5B72 . 3BF1 cmp esi,ecx
005E5B74 . 72 06 jb short PFIN.005E5B7C
005E5B76 . FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5B7C > 03F6 add esi,esi
005E5B7E . EB 08 jmp short PFIN.005E5B88
005E5B80 > FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5B86 . 8BF0 mov esi,eax
005E5B88 > 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
005E5B8B . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
005E5B8E . 51 push ecx
005E5B8F . 52 push edx
005E5B90 . FF15 FC114000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrVarVal
005E5B96 . 50 push eax
005E5B97 . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
005E5B9D . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5BA3 . 8B51 0C mov edx,dword ptr ds:[ecx+C]
005E5BA6 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
005E5BA9 . 66:890432 mov word ptr ds:[edx+esi],ax
005E5BAD . FF15 1C134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
005E5BB3 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
005E5BB6 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
005E5BB9 . 50 push eax
005E5BBA . 51 push ecx
005E5BBB . 6A 02 push 2
005E5BBD . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
005E5BC3 . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5BC8 . 8B75 E8 mov esi,dword ptr ss:[ebp-18]
005E5BCB . 83C4 0C add esp,0C
005E5BCE . 03C7 add eax,edi
005E5BD0 . 0F80 88020000 jo PFIN.005E5E5E
005E5BD6 . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5BDB .^ E9 35FFFFFF jmp PFIN.005E5B15
005E5BE0 > 66:8BD6 mov dx,si
005E5BE3 . 33C9 xor ecx,ecx
005E5BE5 . 66:83EA 01 sub dx,1
005E5BE9 . 0F80 6F020000 jo PFIN.005E5E5E
005E5BEF . 0FBFC2 movsx eax,dx
005E5BF2 . 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax
005E5BF8 . 33C0 xor eax,eax
005E5BFA . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5BFF > 3B85 68FFFFFF cmp eax,dword ptr ss:[ebp-98] ; /convert ASCII to a string
005E5C05 . 0F8F 20010000 jg PFIN.005E5D2B
005E5C0B . 66:3B4D DC cmp cx,word ptr ss:[ebp-24]
005E5C0F . 7C 09 jl short PFIN.005E5C1A
005E5C11 . C745 E4 000000>mov dword ptr ss:[ebp-1C],0
005E5C18 . EB 0D jmp short PFIN.005E5C27
005E5C1A > 66:83C1 01 add cx,1
005E5C1E . 0F80 3A020000 jo PFIN.005E5E5E
005E5C24 . 894D E4 mov dword ptr ss:[ebp-1C],ecx
005E5C27 > 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5C2D . 85C9 test ecx,ecx
005E5C2F . 74 32 je short PFIN.005E5C63
005E5C31 . 66:8339 01 cmp word ptr ds:[ecx],1
005E5C35 . 75 2C jnz short PFIN.005E5C63
005E5C37 . 8B79 14 mov edi,dword ptr ds:[ecx+14]
005E5C3A . 8B51 10 mov edx,dword ptr ds:[ecx+10]
005E5C3D . 8B1D 18114000 mov ebx,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaGenerateBoundsError
005E5C43 . 8BF0 mov esi,eax
005E5C45 . 2BF7 sub esi,edi
005E5C47 . 3BF2 cmp esi,edx
005E5C49 . 72 0D jb short PFIN.005E5C58
005E5C4B . FFD3 call ebx ; <&MSVBVM60.__vbaGenerateBoundsError>
005E5C4D . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5C53 . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5C58 > 8D1436 lea edx,dword ptr ds:[esi+esi]
005E5C5B . 8995 54FFFFFF mov dword ptr ss:[ebp-AC],edx
005E5C61 . EB 1D jmp short PFIN.005E5C80
005E5C63 > FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5C69 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5C6F . 8B1D 18114000 mov ebx,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaGenerateBoundsError
005E5C75 . 8985 54FFFFFF mov dword ptr ss:[ebp-AC],eax
005E5C7B . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5C80 > 8B15 24258800 mov edx,dword ptr ds:[882524]
005E5C86 . 85D2 test edx,edx
005E5C88 . 74 27 je short PFIN.005E5CB1
005E5C8A . 66:833A 01 cmp word ptr ds:[edx],1
005E5C8E . 75 21 jnz short PFIN.005E5CB1
005E5C90 . 0FBF75 E4 movsx esi,word ptr ss:[ebp-1C]
005E5C94 . 8B7A 14 mov edi,dword ptr ds:[edx+14]
005E5C97 . 2BF7 sub esi,edi
005E5C99 . 8B7A 10 mov edi,dword ptr ds:[edx+10]
005E5C9C . 3BF7 cmp esi,edi
005E5C9E . 72 0D jb short PFIN.005E5CAD
005E5CA0 . FFD3 call ebx
005E5CA2 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5CA8 . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5CAD > 03F6 add esi,esi
005E5CAF . EB 0F jmp short PFIN.005E5CC0
005E5CB1 > FFD3 call ebx
005E5CB3 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5CB9 . 8BF0 mov esi,eax
005E5CBB . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5CC0 > 85C9 test ecx,ecx
005E5CC2 . 74 1F je short PFIN.005E5CE3
005E5CC4 . 66:8339 01 cmp word ptr ds:[ecx],1
005E5CC8 . 75 19 jnz short PFIN.005E5CE3
005E5CCA . 2B41 14 sub eax,dword ptr ds:[ecx+14]
005E5CCD . 8BF8 mov edi,eax
005E5CCF . 8B41 10 mov eax,dword ptr ds:[ecx+10]
005E5CD2 . 3BF8 cmp edi,eax
005E5CD4 . 72 08 jb short PFIN.005E5CDE
005E5CD6 . FFD3 call ebx
005E5CD8 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5CDE > 8D043F lea eax,dword ptr ds:[edi+edi]
005E5CE1 . EB 08 jmp short PFIN.005E5CEB
005E5CE3 > FFD3 call ebx
005E5CE5 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5CEB > 8B15 24258800 mov edx,dword ptr ds:[882524]
005E5CF1 . 8B49 0C mov ecx,dword ptr ds:[ecx+C] ; (UNICODE "3073211081221134")
005E5CF4 . 8B52 0C mov edx,dword ptr ds:[edx+C] ; (UNICODE "cabacb")
005E5CF7 . 66:8B1432 mov dx,word ptr ds:[edx+esi]
005E5CFB . 8BB5 54FFFFFF mov esi,dword ptr ss:[ebp-AC]
005E5D01 . 66:331431 xor dx,word ptr ds:[ecx+esi]
005E5D05 . 8B75 E8 mov esi,dword ptr ss:[ebp-18] ; the conversion happens here (how it converts is unclear)
005E5D08 . 66:891401 mov word ptr ds:[ecx+eax],dx
005E5D0C . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5D11 . B9 01000000 mov ecx,1
005E5D16 . 03C1 add eax,ecx
005E5D18 . 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
005E5D1B . 0F80 3D010000 jo PFIN.005E5E5E
005E5D21 . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5D26 .^ E9 D4FEFFFF jmp PFIN.005E5BFF ; \loop (converts ASCII to a string)
005E5D2B > BA 203B4500 mov edx,PFIN.00453B20
005E5D30 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
005E5D33 . FF15 44124000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCopy
005E5D39 . 66:83EE 01 sub si,1
005E5D3D . 8B1D 38104000 mov ebx,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaStrVarMove
005E5D43 . 0F80 15010000 jo PFIN.005E5E5E
005E5D49 . 0FBFC6 movsx eax,si
005E5D4C . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
005E5D52 . 33C0 xor eax,eax
005E5D54 . BF 01000000 mov edi,1
005E5D59 . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5D5E > 3B85 60FFFFFF cmp eax,dword ptr ss:[ebp-A0]
005E5D64 . 0F8F 9E000000 jg PFIN.005E5E08
005E5D6A . 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
005E5D6D . C745 A0 080000>mov dword ptr ss:[ebp-60],8
005E5D74 . 894D A8 mov dword ptr ss:[ebp-58],ecx
005E5D77 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5D7D . 85C9 test ecx,ecx
005E5D7F . 74 23 je short PFIN.005E5DA4
005E5D81 . 66:8339 01 cmp word ptr ds:[ecx],1
005E5D85 . 75 1D jnz short PFIN.005E5DA4
005E5D87 . 2B41 14 sub eax,dword ptr ds:[ecx+14]
005E5D8A . 8BF0 mov esi,eax
005E5D8C . 8B41 10 mov eax,dword ptr ds:[ecx+10]
005E5D8F . 3BF0 cmp esi,eax
005E5D91 . 72 0C jb short PFIN.005E5D9F
005E5D93 . FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5D99 . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5D9F > 8D0436 lea eax,dword ptr ds:[esi+esi]
005E5DA2 . EB 0C jmp short PFIN.005E5DB0
005E5DA4 > FF15 18114000 call dword ptr ds:[<&MSVBVM60.__vbaG>; MSVBVM60.__vbaGenerateBoundsError
005E5DAA . 8B0D 20258800 mov ecx,dword ptr ds:[882520]
005E5DB0 > 8B51 0C mov edx,dword ptr ds:[ecx+C]
005E5DB3 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
005E5DB6 . 0FBF0402 movsx eax,word ptr ds:[edx+eax]
005E5DBA . 50 push eax
005E5DBB . 51 push ecx
005E5DBC . FF15 E0114000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
005E5DC2 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
005E5DC5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
005E5DC8 . 52 push edx
005E5DC9 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
005E5DCC . 50 push eax
005E5DCD . 51 push ecx
005E5DCE . FF15 00124000 call dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarCat
005E5DD4 . 50 push eax
005E5DD5 . FFD3 call ebx
005E5DD7 . 8BD0 mov edx,eax
005E5DD9 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
005E5DDC . FF15 D8124000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrMove
005E5DE2 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
005E5DE5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
005E5DE8 . 52 push edx
005E5DE9 . 50 push eax
005E5DEA . 6A 02 push 2
005E5DEC . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
005E5DF2 . A1 1C258800 mov eax,dword ptr ds:[88251C]
005E5DF7 . 83C4 0C add esp,0C
005E5DFA . 03C7 add eax,edi
005E5DFC . 70 60 jo short PFIN.005E5E5E
005E5DFE . A3 1C258800 mov dword ptr ds:[88251C],eax
005E5E03 .^ E9 56FFFFFF jmp PFIN.005E5D5E
005E5E08 > 9B wait
005E5E09 . 68 485E5E00 push PFIN.005E5E48
005E5E0E . EB 37 jmp short PFIN.005E5E47
005E5E10 . F645 FC 04 test byte ptr ss:[ebp-4],4
005E5E14 . 74 09 je short PFIN.005E5E1F
005E5E16 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
005E5E19 . FF15 1C134000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
005E5E1F > 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
005E5E22 . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
005E5E25 . 51 push ecx
005E5E26 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
005E5E29 . 52 push edx
005E5E2A . 50 push eax
005E5E2B . 6A 03 push 3
005E5E2D . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
005E5E33 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
005E5E36 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
005E5E39 . 51 push ecx
005E5E3A . 52 push edx
005E5E3B . 6A 02 push 2
005E5E3D . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
005E5E43 . 83C4 1C add esp,1C
005E5E46 . C3 retn
005E5E47 > C3 retn ; RET used as a jump to 005E5E48
005E5E48 > 8B4D EC mov ecx,dword ptr ss:[ebp-14]
005E5E4B . 8B45 E0 mov eax,dword ptr ss:[ebp-20]
005E5E4E . 5F pop edi
005E5E4F . 5E pop esi
005E5E50 . 64:890D 000000>mov dword ptr fs:[0],ecx
005E5E57 . 5B pop ebx
005E5E58 . 8BE5 mov esp,ebp
005E5E5A . 5D pop ebp
005E5E5B . C2 0800 retn 8
I can't quite follow this part~~~~
------------------------------------------------------------------------
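【Crack Summary】
This crack did not go very smoothly, and I do not understand that last algorithm. I wrote it up anyway in the hope of discussing it with everyone!
Please forgive my clumsy attempt!
Memory keygen
Breakpoint address: 68F084
Break count: 1
First byte: 8B
Instruction length: 2
Registration code: memory mode -- register -- EDX -- wide string
Actually there are several places where this can be done; look for them in the text!
A couple of final remarks:
The registration information is in the Memory table of the database PFin.mdb; clearing the registration code in the RegPwd field turns the program back into the unregistered version!
Database password: yw@131#$4.10&_*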
------------------------------------------------------------------------
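【Copyright Notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
[ This post was last edited by lzq1973 on 2006-4-12 04:30 ]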