- UID
- 45500
注册时间2008-2-14
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
最近弄一个软件,VB的,明码比较
求助里面的 msvbvm60.__vbaVarIndexLoadRef 和 msvbvm60.__vbaVarIndexLoad 两个函数的解释。
软件先把 一个固定字符串和机器码及固定字符串连接,然后算出32位MD5值。再通过运算得出一个32位的数字。取数字前8位为注册码。
如MD5值:158bf6da6e6abf470656486d398bcf2f 算出为 24511602536023448531953420525694。
我已经弄出了内存注册机,现在学着分析算法,分析了一部分,被难住了,在下初学,请各位指点:
EDX中为MD5值,压入堆栈后调用 00430540,下面是我截取的关键部分。
00422E93 . E8 A8D60000 call 软件.00430540 ;得出注册码的最后算法,注册码返回在EAX中
00431DC7 . BE 01000000 mov esi,1 ; SI作为计数器,从1到32
00431DCC > 66:3BB5 9CF8F>cmp si,word ptr ss:[ebp-764] ; 比较 SI 是否为32
00431DD3 . 0F8F E7010000 jg 软件.00431FC0 ; 比较 SI 是否为32,是就跳
00431DD9 . 0FBFC6 movsx eax,si ; 当前计数送 EAX
00431DDC . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00431DDF . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00431DE2 . 52 push edx ; /Length8 为0
00431DE3 . 50 push eax ; |Start 为SI的数值
00431DE4 . 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; | 值:00004002 是什么意思?
00431DEA . C745 B8 01000>mov dword ptr ss:[ebp-48],1 ; |
00431DF1 . 50 push eax ; |dString8
00431DF2 . 51 push ecx ; |RetBUFFER 值:0
00431DF3 . 895D B0 mov dword ptr ss:[ebp-50],ebx ; |
00431DF6 . 89BD DCFEFFFF mov dword ptr ss:[ebp-124],edi ; |
00431DFC . C785 D4FEFFFF>mov dword ptr ss:[ebp-12C],4008 ; |
00431E06 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.#632>] ; \rtcMidCharVar
00431E0C . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00431E0F . 52 push edx
00431E10 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; msvbvm60.__vbaStrVarMove
00431E16 . 8BD0 mov edx,eax
00431E18 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00431E1B . FF15 70124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; msvbvm60.__vbaStrMove
00431E21 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00431E24 . 50 push eax 得到ASCLL码,在EAX中内存地址中
00431E25 . E8 C6020000 call 软件.004320F0
00431E2A . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00431E2D . 8945 E0 mov dword ptr ss:[ebp-20],eax
00431E30 . FF15 AC124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
00431E36 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00431E39 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00431E3C . 51 push ecx
00431E3D . 52 push edx
00431E3E . 53 push ebx
00431E3F . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
00431E45 . 8B0F mov ecx,dword ptr ds:[edi]
00431E47 . 83C4 0C add esp,0C
00431E4A . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00431E4D . C745 B8 01000>mov dword ptr ss:[ebp-48],1
00431E54 . 50 push eax ; /Length8
00431E55 . 51 push ecx ; |/String
00431E56 . 895D B0 mov dword ptr ss:[ebp-50],ebx ; ||
00431E59 . 89BD DCFEFFFF mov dword ptr ss:[ebp-124],edi ; ||
00431E5F . C785 D4FEFFFF>mov dword ptr ss:[ebp-12C],4008 ; ||
00431E69 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; |\__vbaLenBstr
00431E6F . 8BD0 mov edx,eax ; |
00431E71 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60] ; |
00431E74 . 0FBFC6 movsx eax,si ; |
00431E77 . 2BD0 sub edx,eax ; |
00431E79 . 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
00431E7F . 0F80 5C020000 jo 软件.004320E1 ; |
00431E85 . 83C2 01 add edx,1 ; |
00431E88 . 0F80 53020000 jo 软件.004320E1 ; |
00431E8E . 52 push edx ; |Start
00431E8F . 50 push eax ; |dString8
00431E90 . 51 push ecx ; |RetBUFFER
00431E91 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.#632>] ; \rtcMidCharVar
00431E97 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00431E9A . 52 push edx
00431E9B . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; msvbvm60.__vbaStrVarMove
00431EA1 . 8BD0 mov edx,eax
00431EA3 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00431EA6 . FF15 70124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; msvbvm60.__vbaStrMove
00431EAC . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00431EAF . 50 push eax
00431EB0 . E8 3B020000 call 软件.004320F0
00431EB5 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00431EB8 . 8945 E4 mov dword ptr ss:[ebp-1C],eax
00431EBB . FF15 AC124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
00431EC1 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00431EC4 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00431EC7 . 51 push ecx
00431EC8 . 52 push edx
00431EC9 . 53 push ebx
00431ECA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
00431ED0 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00431ED3 . B9 02400000 mov ecx,4002
00431ED8 . 8985 BCFEFFFF mov dword ptr ss:[ebp-144],eax
00431EDE . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00431EE1 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00431EE4 . 83C4 0C add esp,0C
00431EE7 . C785 B4FEFFFF>mov dword ptr ss:[ebp-14C],8
00431EF1 . 8985 CCFEFFFF mov dword ptr ss:[ebp-134],eax
00431EF7 . 898D C4FEFFFF mov dword ptr ss:[ebp-13C],ecx
00431EFD . 8995 DCFEFFFF mov dword ptr ss:[ebp-124],edx
00431F03 . 8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-14C]
00431F09 . 898D D4FEFFFF mov dword ptr ss:[ebp-12C],ecx
00431F0F . 52 push edx
00431F10 . 83EC 10 sub esp,10
00431F13 . 8BD4 mov edx,esp
00431F15 . 6A 01 push 1
00431F17 . 890A mov dword ptr ds:[edx],ecx
00431F19 . 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138]
00431F1F . 83EC 10 sub esp,10
00431F22 . 894A 04 mov dword ptr ds:[edx+4],ecx
00431F25 . 8BCC mov ecx,esp
00431F27 . 6A 01 push 1
00431F29 . 8942 08 mov dword ptr ds:[edx+8],eax
00431F2C . 8B85 D0FEFFFF mov eax,dword ptr ss:[ebp-130]
00431F32 . 8942 0C mov dword ptr ds:[edx+C],eax
00431F35 . 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-12C]
00431F3B . 8B85 D8FEFFFF mov eax,dword ptr ss:[ebp-128]
00431F41 . 8911 mov dword ptr ds:[ecx],edx
00431F43 . 8B95 DCFEFFFF mov edx,dword ptr ss:[ebp-124]
00431F49 . 8941 04 mov dword ptr ds:[ecx+4],eax
00431F4C . 8B85 E0FEFFFF mov eax,dword ptr ss:[ebp-120]
00431F52 . 8951 08 mov dword ptr ds:[ecx+8],edx
00431F55 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00431F58 . 8941 0C mov dword ptr ds:[ecx+C],eax
00431F5B . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00431F5E . 51 push ecx
00431F5F . 52 push edx
00431F60 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarIn>; msvbvm60.__vbaVarIndexLoadRef
00431F66 . 83C4 1C add esp,1C
00431F69 . 50 push eax
00431F6A . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00431F6D . 50 push eax
00431F6E . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarIn>; msvbvm60.__vbaVarIndexLoad
00431F74 . 83C4 1C add esp,1C
00431F77 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
00431F7A . 50 push eax
00431F7B . 51 push ecx
00431F7C . FF15 BC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; msvbvm60.__vbaVarCat
00431F82 . 50 push eax
00431F83 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; msvbvm60.__vbaStrVarMove
00431F89 . 8BD0 mov edx,eax
00431F8B . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00431F8E . FF15 70124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; msvbvm60.__vbaStrMove
00431F94 . 8D55 90 lea edx,dword ptr ss:[ebp-70]
00431F97 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00431F9A . 52 push edx
00431F9B . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00431F9E . 50 push eax
00431F9F . 51 push ecx
00431FA0 . 6A 03 push 3
00431FA2 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
00431FA8 . B8 01000000 mov eax,1
00431FAD . 83C4 10 add esp,10
00431FB0 . 66:03C6 add ax,si
00431FB3 . 0F80 28010000 jo 软件.004320E1
00431FB9 . 8BF0 mov esi,eax
00431FBB .^ E9 0CFEFFFF jmp 软件.00431DCC
00431FC0 > 8B55 D4 mov edx,dword ptr ss:[ebp-2C] ; 得出注册码 |
|
IP卡
发表于 2009-3-17 12:50:57
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-3-20 07:39:15
