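【Title】CrackMe By [PYG]Zass//20091108: algorithm analysis + VB keygen source
【Author】hrbx
【Date】2010-4-14
【Software】CrackMe By [PYG]Zass//20091108
【Download】https://www.chinapyg.com/viewthr ... &extra=page%3D1
-----------------------------------------------------------------------------------------------
【Statement】I'm just a beginner; I picked up a few insights and would like to share them :)
-----------------------------------------------------------------------------------------------
【Process】
1. Check for a packer. Scanning with PEiD reports: Microsoft Visual Basic 5.0 / 6.0, not packed.
2. Locate the control event handler addresses. Load the program in OllyDbg, press Ctrl+B, and enter 816C24 in the Hex field to find the event handler addresses of the VB controls: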
==================================================================
004020DD . 816C24 04 8F000000 sub dword ptr [esp+4], 8F
004020E5 . E9 363C0000 jmp 00405D20 ; OK button
004020EA . 816C24 04 87000000 sub dword ptr [esp+4], 87
004020F2 . E9 09410000 jmp 00406200 ; initialization before the form loads
==================================================================
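3. Algorithm analysis. Load the program in OllyDbg, press Ctrl+G and enter the address of the pre-load form initialization event, 00406200; confirm, set a breakpoint with F2, and run with F9 until it breaks:
00406200 > \55 push ebp ; after the break, step over with F8
00406201 . 8BEC mov ebp, esp
00406203 . 83EC 0C sub esp, 0C
00406206 . 68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation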
0040620B . 64:A1 00000000 mov eax, dword ptr fs:[0]
00406211 . 50 push eax
00406212 . 64:8925 00000000 mov dword ptr fs:[0], esp
00406219 . 81EC 10010000 sub esp, 110
0040621F . 53 push ebx
00406220 . 56 push esi
00406221 . 57 push edi
00406222 . 8965 F4 mov dword ptr [ebp-C], esp
00406225 . C745 F8 C0124000 mov dword ptr [ebp-8], 004012C0
0040622C . 8B75 08 mov esi, dword ptr [ebp+8]
0040622F . 8BC6 mov eax, esi
00406231 . 83E0 01 and eax, 1
00406234 . 8945 FC mov dword ptr [ebp-4], eax
00406237 . 83E6 FE and esi, FFFFFFFE
0040623A . 56 push esi
0040623B . 8975 08 mov dword ptr [ebp+8], esi
0040623E . 8B0E mov ecx, dword ptr [esi]
00406240 . FF51 04 call dword ptr [ecx+4]
00406243 . 8B16 mov edx, dword ptr [esi]
00406245 . 33FF xor edi, edi
00406247 . 56 push esi
00406248 . 897D DC mov dword ptr [ebp-24], edi
0040624B . 897D D8 mov dword ptr [ebp-28], edi
0040624E . 897D C8 mov dword ptr [ebp-38], edi
00406251 . 897D C4 mov dword ptr [ebp-3C], edi
00406254 . 897D C0 mov dword ptr [ebp-40], edi
00406257 . 897D BC mov dword ptr [ebp-44], edi
0040625A . 897D B8 mov dword ptr [ebp-48], edi
0040625D . 897D B4 mov dword ptr [ebp-4C], edi
00406260 . 897D B0 mov dword ptr [ebp-50], edi
00406263 . 897D AC mov dword ptr [ebp-54], edi
00406266 . 897D 9C mov dword ptr [ebp-64], edi
00406269 . 897D 8C mov dword ptr [ebp-74], edi
0040626C . 89BD 7CFFFFFF mov dword ptr [ebp-84], edi
00406272 . 89BD 6CFFFFFF mov dword ptr [ebp-94], edi
00406278 . 89BD 5CFFFFFF mov dword ptr [ebp-A4], edi
0040627E . 89BD 4CFFFFFF mov dword ptr [ebp-B4], edi
00406284 . 89BD 3CFFFFFF mov dword ptr [ebp-C4], edi
0040628A . 89BD 2CFFFFFF mov dword ptr [ebp-D4], edi
00406290 . 89BD 28FFFFFF mov dword ptr [ebp-D8], edi
00406296 . 89BD 04FFFFFF mov dword ptr [ebp-FC], edi
0040629C . 89BD F4FEFFFF mov dword ptr [ebp-10C], edi
004062A2 . FF92 00030000 call dword ptr [edx+300]
004062A8 . 50 push eax
004062A9 . 8D45 AC lea eax, dword ptr [ebp-54]
004062AC . 50 push eax
004062AD . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004062B3 . 8BD8 mov ebx, eax
004062B5 . 68 C0244000 push 004024C0
004062BA . 53 push ebx
004062BB . 8B0B mov ecx, dword ptr [ebx]
004062BD . FF91 A4000000 call dword ptr [ecx+A4]
004062C3 . 3BC7 cmp eax, edi
004062C5 . DBE2 fclex
004062C7 . 7D 12 jge short 004062DB
004062C9 . 68 A4000000 push 0A4
004062CE . 68 20254000 push 00402520
004062D3 . 53 push ebx
004062D4 . 50 push eax
004062D5 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
004062DB > 8D4D AC lea ecx, dword ptr [ebp-54]
004062DE . FF15 74114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004062E4 . 8B16 mov edx, dword ptr [esi]
004062E6 . 56 push esi
004062E7 . FF92 04030000 call dword ptr [edx+304]
004062ED . 50 push eax
004062EE . 8D45 AC lea eax, dword ptr [ebp-54]
004062F1 . 50 push eax
004062F2 . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004062F8 . 8BD8 mov ebx, eax
004062FA . BA 50254000 mov edx, 00402550 ; c:\
004062FF . 8D4D C0 lea ecx, dword ptr [ebp-40]
00406302 . 899D 18FFFFFF mov dword ptr [ebp-E8], ebx
00406308 . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
0040630E . 8B0E mov ecx, dword ptr [esi]
00406310 . 8D95 28FFFFFF lea edx, dword ptr [ebp-D8]
00406316 . 8D45 C0 lea eax, dword ptr [ebp-40]
00406319 . 52 push edx
0040631A . 50 push eax
0040631B . 56 push esi
0040631C . FF91 34070000 call dword ptr [ecx+734]
00406322 . 3BC7 cmp eax, edi
00406324 . 7D 12 jge short 00406338
00406326 . 68 34070000 push 734
0040632B . 68 40224000 push 00402240
00406330 . 56 push esi
00406331 . 50 push eax
00406332 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406338 > 8B8D 28FFFFFF mov ecx, dword ptr [ebp-D8]
0040633E . 8B1B mov ebx, dword ptr [ebx]
00406340 . FF15 54104000 call dword ptr [<&MSVBVM60.__vbaI4Abs>]
00406346 . 50 push eax
00406347 . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaStrI4>]
0040634D . 8BD0 mov edx, eax
0040634F . 8D4D BC lea ecx, dword ptr [ebp-44]
00406352 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00406358 . 8BCB mov ecx, ebx
0040635A . 8B9D 18FFFFFF mov ebx, dword ptr [ebp-E8]
00406360 . 50 push eax
00406361 . 53 push ebx
00406362 . FF91 A4000000 call dword ptr [ecx+A4]
00406368 . 3BC7 cmp eax, edi
0040636A . DBE2 fclex
0040636C . 7D 12 jge short 00406380
0040636E . 68 A4000000 push 0A4
00406373 . 68 20254000 push 00402520
00406378 . 53 push ebx
00406379 . 50 push eax
0040637A . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406380 > 8D55 BC lea edx, dword ptr [ebp-44]
00406383 . 8D45 C0 lea eax, dword ptr [ebp-40]
00406386 . 52 push edx
00406387 . 50 push eax
00406388 . 6A 02 push 2
0040638A . FF15 30114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>
00406390 . 83C4 0C add esp, 0C
00406393 . 8D4D AC lea ecx, dword ptr [ebp-54]
00406396 . FF15 74114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
0040639C . BA 50254000 mov edx, 00402550 ; c:\
004063A1 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004063A4 . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
004063AA . 8B0E mov ecx, dword ptr [esi]
004063AC . 8D95 28FFFFFF lea edx, dword ptr [ebp-D8]
004063B2 . 8D45 C0 lea eax, dword ptr [ebp-40]
004063B5 . 52 push edx
004063B6 . 50 push eax
004063B7 . 56 push esi
004063B8 . FF91 34070000 call dword ptr [ecx+734] ; KeyGenme.004020CB
004063BE . 3BC7 cmp eax, edi ; calls GetVolumeInformationA to get the volume serial number of drive C
004063C0 . 7D 12 jge short 004063D4 ; volume serial number of drive C: -1460319485
004063C2 . 68 34070000 push 734 ; as a hexadecimal DWORD (-1460319485=0xA8F54B03)
004063C7 . 68 40224000 push 00402240
004063CC . 56 push esi
004063CD . 50 push eax
004063CE . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
004063D4 > 8B8D 28FFFFFF mov ecx, dword ptr [ebp-D8] ; ECX=ss:[0012FA3C]=A8F54B03
004063DA . FF15 54104000 call dword ptr [<&MSVBVM60.__vbaI4Abs>] ; Abs takes the absolute value, neg(A8F54B03)=570AB4FD
004063E0 . 8D4D 9C lea ecx, dword ptr [ebp-64]
004063E3 . 8D55 8C lea edx, dword ptr [ebp-74]
004063E6 . 51 push ecx
004063E7 . 52 push edx
004063E8 . 8945 A4 mov dword ptr [ebp-5C], eax ; EAX=0x570AB4FD
004063EB . C745 9C 03000000 mov dword ptr [ebp-64], 3
004063F2 . FF15 28114000 call dword ptr [<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
004063F8 . 8D45 8C lea eax, dword ptr [ebp-74] ; value converted to the string "570AB4FD"
004063FB . 50 push eax
004063FC . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>
00406402 . 8B1D 58114000 mov ebx, dword ptr [<&MSVBVM60.__vbaStrMov>
00406408 . 8BD0 mov edx, eax ; EAX="570AB4FD"
0040640A . 8D4D BC lea ecx, dword ptr [ebp-44]
0040640D . FFD3 call ebx
0040640F . 8B0E mov ecx, dword ptr [esi]
00406411 . 8D55 B8 lea edx, dword ptr [ebp-48]
00406414 . 8D45 BC lea eax, dword ptr [ebp-44]
00406417 . 52 push edx
00406418 . 50 push eax
00406419 . 56 push esi
0040641A . FF91 38070000 call dword ptr [ecx+738] ; Keygenme.004020D8, reverses the string
00406420 . 3BC7 cmp eax, edi ; "570AB4FD"--->"DF4BA075"
00406422 . 7D 12 jge short 00406436
00406424 . 68 38070000 push 738
00406429 . 68 40224000 push 00402240
0040642E . 56 push esi
0040642F . 50 push eax
00406430 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406436 > 8B55 B8 mov edx, dword ptr [ebp-48] ; EDX=ss:[0012FACC]="DF4BA075"
00406439 . 8D4D B4 lea ecx, dword ptr [ebp-4C]
0040643C . 897D B8 mov dword ptr [ebp-48], edi
0040643F . FFD3 call ebx
00406441 . 8B0E mov ecx, dword ptr [esi]
00406443 . 8D55 B0 lea edx, dword ptr [ebp-50]
00406446 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00406449 . 52 push edx
0040644A . 50 push eax
0040644B . 56 push esi
0040644C . FF91 18070000 call dword ptr [ecx+718] ; step in with F7; MD5-hashes the reversed string
00406452 . 3BC7 cmp eax, edi ; MD5("DF4BA075")="DD29C6AFF93CB721D4DE5817CDA9B441"
00406454 . 7D 12 jge short 00406468
00406456 . 68 18070000 push 718
0040645B . 68 40224000 push 00402240
00406460 . 56 push esi
00406461 . 50 push eax
00406462 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406468 > 8B55 B0 mov edx, dword ptr [ebp-50] ; ss:[0012FAC4]="DD29C6AFF93CB721D4DE5817CDA9B441"
0040646B . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0040646E . 897D B0 mov dword ptr [ebp-50], edi
00406471 . FFD3 call ebx
00406473 . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00406476 . 8D55 BC lea edx, dword ptr [ebp-44]
00406479 . 51 push ecx
0040647A . 8D45 C0 lea eax, dword ptr [ebp-40]
0040647D . 52 push edx
0040647E . 50 push eax
0040647F . 6A 03 push 3
00406481 . FF15 30114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>
00406487 . 8D4D 8C lea ecx, dword ptr [ebp-74]
0040648A . 8D55 9C lea edx, dword ptr [ebp-64]
0040648D . 51 push ecx
0040648E . 52 push edx
0040648F . 6A 02 push 2
00406491 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00406497 . 8B06 mov eax, dword ptr [esi]
00406499 . 83C4 1C add esp, 1C
0040649C . 8D4D C0 lea ecx, dword ptr [ebp-40]
0040649F . 51 push ecx
004064A0 . 56 push esi
004064A1 . FF90 3C070000 call dword ptr [eax+73C] ; step in with F7; calls rtcRandomize to generate 8 random numbers in 0-0xF
004064A7 . 3BC7 cmp eax, edi ; the 8 random numbers are joined into the string "43E53E47"
004064A9 . 7D 12 jge short 004064BD
004064AB . 68 3C070000 push 73C
004064B0 . 68 40224000 push 00402240
004064B5 . 56 push esi
004064B6 . 50 push eax
004064B7 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
004064BD > 8B55 C0 mov edx, dword ptr [ebp-40] ; ss:[0012FAD4]="43E53E47"
004064C0 . 8D7E 34 lea edi, dword ptr [esi+34]
004064C3 . 8BCF mov ecx, edi
004064C5 . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
004064CB . 8D4D C0 lea ecx, dword ptr [ebp-40]
004064CE . FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004064D4 . 8B17 mov edx, dword ptr [edi]
004064D6 . BB 01000000 mov ebx, 1
004064DB . 52 push edx ; /String="43E53E47"
004064DC . 899D 64FFFFFF mov dword ptr [ebp-9C], ebx ; |
004064E2 . C785 5CFFFFFF 02>mov dword ptr [ebp-A4], 2 ; |
004064EC . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr, gets the string length
004064F2 . 8985 54FFFFFF mov dword ptr [ebp-AC], eax ; EAX=0x8
004064F8 . 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
004064FE . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
00406504 . 50 push eax ; /Step8
00406505 . 8D95 3CFFFFFF lea edx, dword ptr [ebp-C4] ; |
0040650B . 51 push ecx ; |End8
0040650C . 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C] ; |
00406512 . 52 push edx ; |Start8
00406513 . 8D8D 04FFFFFF lea ecx, dword ptr [ebp-FC] ; |
00406519 . 50 push eax ; |TMPend8
0040651A . 8D55 DC lea edx, dword ptr [ebp-24] ; |
0040651D . 51 push ecx ; |TMPstep8
0040651E . 52 push edx ; |Counter8
0040651F . C785 4CFFFFFF 03>mov dword ptr [ebp-B4], 3 ; |
00406529 . 899D 44FFFFFF mov dword ptr [ebp-BC], ebx ; |
0040652F . C785 3CFFFFFF 02>mov dword ptr [ebp-C4], 2 ; |
00406539 . FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaVarForInit>>; \__vbaVarForInit
0040653F . 8B3D 84104000 mov edi, dword ptr [<&MSVBVM60.#632>]
00406545 . 8B1D F8104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarCat>
0040654B > 85C0 test eax, eax
0040654D . 0F84 54010000 je 004066A7
00406553 . 8D46 34 lea eax, dword ptr [esi+34]
00406556 . 8D4D DC lea ecx, dword ptr [ebp-24]
00406559 . 8985 64FFFFFF mov dword ptr [ebp-9C], eax
0040655F . 8D45 9C lea eax, dword ptr [ebp-64]
00406562 . 50 push eax
00406563 . 51 push ecx
00406564 . C745 A4 01000000 mov dword ptr [ebp-5C], 1
0040656B . C745 9C 02000000 mov dword ptr [ebp-64], 2
00406572 . C785 5CFFFFFF 08>mov dword ptr [ebp-A4], 4008
0040657C . FF15 44114000 call dword ptr [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00406582 . 50 push eax
00406583 . 8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00406589 . 8D45 8C lea eax, dword ptr [ebp-74]
0040658C . 52 push edx
0040658D . 50 push eax
0040658E . FFD7 call edi
00406590 . 8D55 8C lea edx, dword ptr [ebp-74]
00406593 . 8D4D C8 lea ecx, dword ptr [ebp-38]
00406596 . FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
0040659C . 8D4D 9C lea ecx, dword ptr [ebp-64]
0040659F . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
004065A5 . 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
004065AB . 8D55 C8 lea edx, dword ptr [ebp-38]
004065AE . 51 push ecx
004065AF . 8D45 9C lea eax, dword ptr [ebp-64]
004065B2 . 52 push edx
004065B3 . 50 push eax
004065B4 . C785 64FFFFFF 34>mov dword ptr [ebp-9C], 00402534 ; 00402534="&h"
004065BE . C785 5CFFFFFF 08>mov dword ptr [ebp-A4],
004065C8 . FFD3 call ebx ; __vbaVarCat, concatenates the extracted string with "&h", i.e. converts it to hexadecimal
004065CA . 8D4D C0 lea ecx, dword ptr [ebp-40]
004065CD . 50 push eax ; /String8
004065CE . 51 push ecx ; |ARG2
004065CF . FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
004065D5 . 50 push eax ; EAX="&h4"
004065D6 . FF15 78114000 call dword ptr [<&MSVBVM60.#581>] ; rtcR8ValFromBstr
004065DC . DD9D 20FFFFFF fstp qword ptr [ebp-E0] ; st=4.0000000000000000000
004065E2 . 8B55 D8 mov edx, dword ptr [ebp-28]
004065E5 . 8D4D 8C lea ecx, dword ptr [ebp-74]
004065E8 . DD85 20FFFFFF fld qword ptr [ebp-E0]
004065EE . 8D45 C4 lea eax, dword ptr [ebp-3C]
004065F1 . 51 push ecx
004065F2 . 8995 34FFFFFF mov dword ptr [ebp-CC], edx
004065F8 . C785 2CFFFFFF 08>mov dword ptr [ebp-D4], 8
00406602 . C745 94 01000000 mov dword ptr [ebp-6C], 1
00406609 . C745 8C 02000000 mov dword ptr [ebp-74], 2
00406610 . 8985 54FFFFFF mov dword ptr [ebp-AC], eax
00406616 . C785 4CFFFFFF 08>mov dword ptr [ebp-B4], 4008
00406620 . FF15 50114000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ; floating-point value converted to an integer
00406626 . 50 push eax ; EAX=0x4
00406627 . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
0040662D . 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00406633 . 52 push edx
00406634 . 50 push eax
00406635 . FFD7 call edi ; rtcMidCharVar, takes the character from "DD29C6AFF93CB721D4DE5817CDA9B441" at the position given by EAX
00406637 . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4]
0040663D . 8D95 7CFFFFFF lea edx, dword ptr [ebp-84]
00406643 . 51 push ecx
00406644 . 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
0040664A . 52 push edx
0040664B . 50 push eax
0040664C . FFD3 call ebx ; __vbaVarCat, appends the extracted characters one after another
0040664E . 50 push eax
0040664F . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>;
00406655 . 8BD0 mov edx, eax ; EAX="927C279A"
00406657 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0040665A . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00406660 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00406663 . FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00406669 . 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
0040666F . 8D95 7CFFFFFF lea edx, dword ptr [ebp-84]
00406675 . 51 push ecx
00406676 . 8D45 8C lea eax, dword ptr [ebp-74]
00406679 . 52 push edx
0040667A . 8D4D 9C lea ecx, dword ptr [ebp-64]
0040667D . 50 push eax
0040667E . 51 push ecx
0040667F . 6A 04 push 4
00406681 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00406687 . 83C4 14 add esp, 14
0040668A . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
00406690 . 8D85 04FFFFFF lea eax, dword ptr [ebp-FC]
00406696 . 52 push edx ; /TMPend8
00406697 . 8D4D DC lea ecx, dword ptr [ebp-24] ; |
0040669A . 50 push eax ; |TMPstep8
0040669B . 51 push ecx ; |Counter8
0040669C . FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarForNext>>; \__vbaVarForNext
004066A2 .^ E9 A4FEFFFF jmp 0040654B
004066A7 > 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
004066AD . 8D4D 9C lea ecx, dword ptr [ebp-64]
004066B0 . 8D55 D8 lea edx, dword ptr [ebp-28]
004066B3 . 50 push eax
004066B4 . 51 push ecx
004066B5 . 8995 64FFFFFF mov dword ptr [ebp-9C], edx
004066BB . C785 5CFFFFFF 08>mov dword ptr [ebp-A4], 4008
004066C5 . FF15 9C104000 call dword ptr [<&MSVBVM60.#528>] ; rtcUpperCaseVar, converts the characters to upper case
004066CB . 8D55 9C lea edx, dword ptr [ebp-64]
004066CE . 52 push edx
004066CF . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>
004066D5 . 8BD0 mov edx, eax ; the string "927C279A"
004066D7 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004066DA . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
004066E0 . 8B06 mov eax, dword ptr [esi]
004066E2 . 8D4D BC lea ecx, dword ptr [ebp-44]
004066E5 . 8D55 C0 lea edx, dword ptr [ebp-40]
004066E8 . 51 push ecx
004066E9 . 52 push edx
004066EA . 56 push esi
004066EB . FF90 18070000 call dword ptr [eax+718] ; MD5-hashes the string "927C279A"
004066F1 . 85C0 test eax, eax
004066F3 . 7D 12 jge short 00406707
004066F5 . 68 18070000 push 718
004066FA . 68 40224000 push 00402240
004066FF . 56 push esi
00406700 . 50 push eax
00406701 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>
00406707 > 8B55 BC mov edx, dword ptr [ebp-44] ; MD5("927C279")="9E7F4ED9D6D89E0FD8A4F75B68809F81"
0040670A . 8D4E 38 lea ecx, dword ptr [esi+38]
0040670D . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
00406713 . 8D45 BC lea eax, dword ptr [ebp-44]
00406716 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00406719 . 50 push eax
0040671A . 51 push ecx
0040671B . 6A 02 push 2
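The derivation annotated in the listing above, rebuilt in Python so the traced intermediate values can be checked (an added example, not the author's VB source). It assumes the crackme's VB MD5 routine is standard MD5 over ANSI bytes; the function names are illustrative, and the 14.0 and 1.0 constants are the ones the author's trace of the random-digit routine at 004067F0 reports.

```python
import hashlib

# Values copied from the page's trace annotations.
TRACED_VOLUME_SERIAL = -1460319485
TRACED_DIGEST = "DD29C6AFF93CB721D4DE5817CDA9B441"
TRACED_RANDOM = "43E53E47"


def seed_from_serial(volume_serial: int) -> str:
    """Abs -> Hex -> reverse, as annotated at 004063DA..0040641A."""
    hex_text = format(abs(volume_serial), "X")  # VB Hex(): upper case, no padding
    return hex_text[::-1]


def md5_upper(text: str) -> str:
    """Assumption: standard MD5 over the ANSI bytes, returned as upper-case hex."""
    return hashlib.md5(text.encode("latin-1")).hexdigest().upper()


def rnd_to_hex_digit(rnd: float) -> str:
    """Rnd * 14.0 + 1.0, converted to a whole number, then Hex().

    VB's Hex() rounds a fractional argument to the nearest whole number;
    Python's round() uses the same round-half-to-even rule.
    """
    if not 0.0 <= rnd < 1.0:
        raise ValueError("Rnd returns a value in [0, 1)")
    return format(round(rnd * 14.0 + 1.0), "X")


def pick_chars(digest: str, hex_digits: str) -> str:
    """For each hex digit d, take Mid(digest, d, 1) (1-based) and join the results."""
    picked = []
    for ch in hex_digits:
        pos = int(ch, 16)  # mirrors the "&h" + digit conversion at 004065C8
        if not 1 <= pos <= len(digest):
            # VB's Mid() raises a run-time error for a start position of 0
            raise ValueError(f"position {pos} is outside the digest")
        picked.append(digest[pos - 1])
    return "".join(picked).upper()


def derive(volume_serial: int, hex_digits: str) -> dict:
    """Run every step of the initialization routine and keep the intermediates."""
    seed = seed_from_serial(volume_serial)
    first_digest = md5_upper(seed)
    picked = pick_chars(first_digest, hex_digits)
    return {
        "seed": seed,
        "first_digest": first_digest,
        "picked": picked,
        "second_digest": md5_upper(picked),
    }


if __name__ == "__main__":
    # Check the string steps against the values the debugger showed.
    print(seed_from_serial(TRACED_VOLUME_SERIAL))
    print(pick_chars(TRACED_DIGEST, TRACED_RANDOM))
    for name, value in derive(TRACED_VOLUME_SERIAL, TRACED_RANDOM).items():
        print(f"{name}: {value}")
```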
Stepping with F7 into the call dword ptr [ecx+718] at 0040644C leads to:
00402F10 > \55 push ebp
00402F11 . 8BEC mov ebp, esp
00402F13 . 83EC 0C sub esp, 0C
00402F16 . 68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00402F1B . 64:A1 00000000 mov eax, dword ptr fs:[0]
00402F21 . 50 push eax
00402F22 . 64:8925 00000000 mov dword ptr fs:[0], esp
00402F29 . 83EC 54 sub esp, 54
00402F2C . 53 push ebx
00402F2D . 56 push esi
00402F2E . 57 push edi
00402F2F . 8965 F4 mov dword ptr [ebp-C], esp
00402F32 . C745 F8 C0114000 mov dword ptr [ebp-8], 004011C0
00402F39 . 33FF xor edi, edi
00402F3B . 897D FC mov dword ptr [ebp-4], edi
00402F3E . 8B75 08 mov esi, dword ptr [ebp+8]
00402F41 . 56 push esi
00402F42 . 8B06 mov eax, dword ptr [esi]
00402F44 . FF50 04 call dword ptr [eax+4]
00402F47 . 8B4D 10 mov ecx, dword ptr [ebp+10]
00402F4A . 56 push esi
00402F4B . 897D E8 mov dword ptr [ebp-18], edi
00402F4E . 897D E4 mov dword ptr [ebp-1C], edi
00402F51 . 8939 mov dword ptr [ecx], edi
00402F53 . 8B16 mov edx, dword ptr [esi]
00402F55 . 897D D4 mov dword ptr [ebp-2C], edi
00402F58 . 897D C4 mov dword ptr [ebp-3C], edi
00402F5B . 897D B4 mov dword ptr [ebp-4C], edi
00402F5E . 897D B0 mov dword ptr [ebp-50], edi
00402F61 . 897D A8 mov dword ptr [ebp-58], edi
00402F64 . 897D A4 mov dword ptr [ebp-5C], edi
00402F67 . FF92 24070000 call dword ptr [edx+724] ; step in with F7; the 4 MD5 constants are visible
00402F6D . 3BC7 cmp eax, edi
00402F6F . 7D 16 jge short 00402F87
00402F71 . 8B3D 38104000 mov edi, dword ptr [<&MSVBVM60.__vbaHresul>
00402F77 . 68 24070000 push 724
00402F7C . 68 40224000 push 00402240
00402F81 . 56 push esi
00402F82 . 50 push eax
00402F83 . FFD7 call edi
00402F85 . EB 06 jmp short 00402F8D
00402F87 > 8B3D 38104000 mov edi, dword ptr [<&MSVBVM60.__vbaHresul>
00402F8D > 8B5D 0C mov ebx, dword ptr [ebp+C]
00402F90 . 6A 00 push 0
00402F92 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00402F95 . 68 80000000 push 80
00402F9A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402F9D . 50 push eax
00402F9E . 51 push ecx
00402F9F . 895D BC mov dword ptr [ebp-44], ebx
00402FA2 . C745 B4 08400000 mov dword ptr [ebp-4C], 4008
00402FA9 . FF15 EC104000 call dword ptr [<&MSVBVM60.#717>] ; MSVBVM60.rtcStrConvVar2
00402FAF . 8B16 mov edx, dword ptr [esi]
00402FB1 . 8D45 A8 lea eax, dword ptr [ebp-58]
00402FB4 . 50 push eax
00402FB5 . 53 push ebx
00402FB6 . 56 push esi
00402FB7 . FF92 40070000 call dword ptr [edx+740]
00402FBD . 8D4D A8 lea ecx, dword ptr [ebp-58]
00402FC0 . 8D55 A4 lea edx, dword ptr [ebp-5C]
00402FC3 . 51 push ecx
00402FC4 . 52 push edx
00402FC5 . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaAryMove>]
00402FCB . 8D45 D4 lea eax, dword ptr [ebp-2C]
00402FCE . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402FD1 . 50 push eax
00402FD2 . 51 push ecx
00402FD3 . FF15 60114000 call dword ptr [<&MSVBVM60.__vbaLenVarB>]
00402FD9 . 50 push eax
00402FDA . FF15 44114000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00402FE0 . 8B16 mov edx, dword ptr [esi]
00402FE2 . 8945 B0 mov dword ptr [ebp-50], eax
00402FE5 . 8D45 A4 lea eax, dword ptr [ebp-5C]
00402FE8 . 8D4D B0 lea ecx, dword ptr [ebp-50]
00402FEB . 50 push eax
00402FEC . 51 push ecx
00402FED . 56 push esi
00402FEE . FF92 2C070000 call dword ptr [edx+72C]
00402FF4 . 85C0 test eax, eax
00402FF6 . 7D 0E jge short 00403006
00402FF8 . 68 2C070000 push 72C
00402FFD . 68 40224000 push 00402240
00403002 . 56 push esi
00403003 . 50 push eax
00403004 . FFD7 call edi
00403006 > 8D4D D4 lea ecx, dword ptr [ebp-2C]
00403009 . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
0040300F . 8D55 A4 lea edx, dword ptr [ebp-5C]
00403012 . 52 push edx
00403013 . 6A 00 push 0
00403015 . FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaErase>] ; MSVBVM60.__vbaErase
0040301B . 8B06 mov eax, dword ptr [esi]
0040301D . 56 push esi
0040301E . FF90 28070000 call dword ptr [eax+728]
00403024 . 85C0 test eax, eax
00403026 . 7D 0E jge short 00403036
00403028 . 68 28070000 push 728
0040302D . 68 40224000 push 00402240
00403032 . 56 push esi
00403033 . 50 push eax
00403034 . FFD7 call edi
00403036 > 8B0E mov ecx, dword ptr [esi]
00403038 . 8D55 E4 lea edx, dword ptr [ebp-1C]
0040303B . 52 push edx
0040303C . 56 push esi
0040303D . FF91 20070000 call dword ptr [ecx+720] ; joins the 4 segments of the MD5 result
00403043 . 85C0 test eax, eax
00403045 . 7D 0E jge short 00403055
00403047 . 68 20070000 push 720
0040304C . 68 40224000 push 00402240
00403051 . 56 push esi
00403052 . 50 push eax
00403053 . FFD7 call edi
00403055 > 8B55 E4 mov edx, dword ptr [ebp-1C] ; "DD29C6AFF93CB721D4DE5817CDA9B441"
00403058 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0040305B . C745 E4 00000000 mov dword ptr [ebp-1C], 0
00403062 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403068 . 68 B2304000 push 004030B2
0040306D . EB 2C jmp short 0040309B
0040306F . F645 FC 04 test byte ptr [ebp-4], 4
00403073 . 74 09 je short 0040307E
00403075 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00403078 . FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
0040307E > 8D4D E4 lea ecx, dword ptr [ebp-1C]
00403081 . FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403087 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0040308A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040308D . 50 push eax
0040308E . 51 push ecx
0040308F . 6A 02 push 2
00403091 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00403097 . 83C4 0C add esp, 0C
0040309A . C3 retn
0040309B > 8B35 44104000 mov esi, dword ptr [<&MSVBVM60.__vbaAryDes>
004030A1 . 8D55 A8 lea edx, dword ptr [ebp-58]
004030A4 . 52 push edx
004030A5 . 6A 00 push 0
004030A7 . FFD6 call esi
004030A9 . 8D45 A4 lea eax, dword ptr [ebp-5C]
004030AC . 50 push eax
004030AD . 6A 00 push 0
004030AF . FFD6 call esi
004030B1 . C3 retn
004030B2 . 8B45 08 mov eax, dword ptr [ebp+8]
004030B5 . 50 push eax
004030B6 . 8B08 mov ecx, dword ptr [eax]
004030B8 . FF51 08 call dword ptr [ecx+8]
004030BB . 8B55 10 mov edx, dword ptr [ebp+10]
004030BE . 8B45 E8 mov eax, dword ptr [ebp-18]
004030C1 . 8902 mov dword ptr [edx], eax
004030C3 . 8B45 FC mov eax, dword ptr [ebp-4]
004030C6 . 8B4D EC mov ecx, dword ptr [ebp-14]
004030C9 . 5F pop edi
004030CA . 5E pop esi
004030CB . 64:890D 00000000 mov dword ptr fs:[0], ecx
004030D2 . 5B pop ebx
004030D3 . 8BE5 mov esp, ebp
004030D5 . 5D pop ebp
004030D6 . C2 0C00 retn 0C
Stepping with F7 into the call dword ptr [edx+724] at 00402F67 leads to:
00403A50 /> \55 push ebp
00403A51 |. 8BEC mov ebp, esp
00403A53 |. 83EC 0C sub esp, 0C
00403A56 |. 68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00403A5B |. 64:A1 00000000 mov eax, dword ptr fs:[0]
00403A61 |. 50 push eax
00403A62 |. 64:8925 00000000 mov dword ptr fs:[0], esp
00403A69 |. 83EC 18 sub esp, 18
00403A6C |. 53 push ebx
00403A6D |. 56 push esi
00403A6E |. 57 push edi
00403A6F |. 8965 F4 mov dword ptr [ebp-C], esp
00403A72 |. C745 F8 28124000 mov dword ptr [ebp-8], 00401228
00403A79 |. 33FF xor edi, edi
00403A7B |. 897D FC mov dword ptr [ebp-4], edi
00403A7E |. 8B75 08 mov esi, dword ptr [ebp+8]
00403A81 |. 56 push esi
00403A82 |. 8B06 mov eax, dword ptr [esi]
00403A84 |. FF50 04 call dword ptr [eax+4]
00403A87 |. 8B0E mov ecx, dword ptr [esi]
00403A89 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00403A8C |. 8D45 E0 lea eax, dword ptr [ebp-20]
00403A8F |. 52 push edx
00403A90 |. 50 push eax
00403A91 |. 897D E0 mov dword ptr [ebp-20], edi
00403A94 |. 897D E4 mov dword ptr [ebp-1C], edi
00403A97 |. 56 push esi
00403A98 |. 897D E8 mov dword ptr [ebp-18], edi
00403A9B |. 897E 58 mov dword ptr [esi+58], edi
00403A9E |. C745 E0 000040C0 mov dword ptr [ebp-20], C0400000
00403AA5 |. C745 E4 48D1D941 mov dword ptr [ebp-1C], 41D9D148
00403AAC |. FF91 68070000 call dword ptr [ecx+768] ; 1st MD5 constant 0x67452301, stored as a floating-point number
00403AB2 |. 8B4E 4C mov ecx, dword ptr [esi+4C] ; 0x67452301=1732584193.000000
00403AB5 |. 8B55 E8 mov edx, dword ptr [ebp-18]
00403AB8 |. 8951 04 mov dword ptr [ecx+4], edx
00403ABB |. 8B06 mov eax, dword ptr [esi]
00403ABD |. 8D4D E8 lea ecx, dword ptr [ebp-18]
00403AC0 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00403AC3 |. 51 push ecx
00403AC4 |. 52 push edx
00403AC5 |. 56 push esi
00403AC6 |. C745 E0 00002071 mov dword ptr [ebp-20], 71200000
00403ACD |. C745 E4 B5F9ED41 mov dword ptr [ebp-1C], 41EDF9B5
00403AD4 |. FF90 68070000 call dword ptr [eax+768] ; 2nd MD5 constant 0xEFCDAB89, stored as a floating-point number
00403ADA |. 8B46 4C mov eax, dword ptr [esi+4C] ; 0xEFCDAB89=4023233417.000000
00403ADD |. 8B4D E8 mov ecx, dword ptr [ebp-18]
00403AE0 |. 8948 08 mov dword ptr [eax+8], ecx
00403AE3 |. 8B16 mov edx, dword ptr [esi]
00403AE5 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00403AE8 |. 8D4D E0 lea ecx, dword ptr [ebp-20]
00403AEB |. 50 push eax
00403AEC |. 51 push ecx
00403AED |. 56 push esi
00403AEE |. C745 E0 0000C09F mov dword ptr [ebp-20], 9FC00000
00403AF5 |. C745 E4 5B17E341 mov dword ptr [ebp-1C], 41E3175B
00403AFC |. FF92 68070000 call dword ptr [edx+768] ; 3rd MD5 constant 0x98BADCFE, stored as a floating-point number
00403B02 |. 8B56 4C mov edx, dword ptr [esi+4C] ; 0x98BADCFE=2562383102.0000000000
00403B05 |. 8B45 E8 mov eax, dword ptr [ebp-18]
00403B08 |. 8942 0C mov dword ptr [edx+C], eax
00403B0B |. 8B0E mov ecx, dword ptr [esi]
00403B0D |. 8D55 E8 lea edx, dword ptr [ebp-18]
00403B10 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00403B13 |. 52 push edx
00403B14 |. 50 push eax
00403B15 |. 56 push esi
00403B16 |. C745 E0 00000076 mov dword ptr [ebp-20], 76000000
00403B1D |. C745 E4 5432B041 mov dword ptr [ebp-1C], 41B03254
00403B24 |. FF91 68070000 call dword ptr [ecx+768] ; 4th MD5 constant 0x10325476, stored as a floating-point number
00403B2A |. 8B4E 4C mov ecx, dword ptr [esi+4C] ; 0x10325476=271733878.0000000000
00403B2D |. 8B55 E8 mov edx, dword ptr [ebp-18]
00403B30 |. 8951 10 mov dword ptr [ecx+10], edx
00403B33 |. 8B45 08 mov eax, dword ptr [ebp+8]
00403B36 |. 50 push eax
00403B37 |. 8B08 mov ecx, dword ptr [eax]
00403B39 |. FF51 08 call dword ptr [ecx+8]
00403B3C |. 8B45 FC mov eax, dword ptr [ebp-4]
00403B3F |. 8B4D EC mov ecx, dword ptr [ebp-14]
00403B42 |. 5F pop edi
00403B43 |. 5E pop esi
00403B44 |. 64:890D 00000000 mov dword ptr fs:[0], ecx
00403B4B |. 5B pop ebx
00403B4C |. 8BE5 mov esp, ebp
00403B4E |. 5D pop ebp
00403B4F \. C2 0400 retn 4
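The routine above stores each MD5 initial word as an 8-byte double split across two dword immediates, so a search for the bytes of 0x67452301 would miss them. The following added example (not code from the original post) decodes the pairs from the listing and matches them against the RFC 1321 initial values; the function names are illustrative.

```python
import math
import struct

# (low dword written to [ebp-20], high dword written to [ebp-1C]),
# copied from the listing of 00403A50.
TRACED_PAIRS = [
    (0xC0400000, 0x41D9D148),
    (0x71200000, 0x41EDF9B5),
    (0x9FC00000, 0x41E3175B),
    (0x76000000, 0x41B03254),
]

# RFC 1321 initial chaining values A, B, C, D (SHA-1 starts with the same four).
MD5_INIT = {
    0x67452301: "MD5 init A",
    0xEFCDAB89: "MD5 init B",
    0x98BADCFE: "MD5 init C",
    0x10325476: "MD5 init D",
}


def dwords_to_double(low: int, high: int) -> float:
    """Reassemble a little-endian IEEE-754 double from its two 32-bit halves."""
    return struct.unpack("<d", struct.pack("<II", low, high))[0]


def double_to_dwords(value: float) -> tuple:
    """Inverse direction: the dword pair to look for when hunting a known constant."""
    low, high = struct.unpack("<II", struct.pack("<d", float(value)))
    return low, high


def as_uint32(value: float):
    """Return the 32-bit word a double encodes, or None if it is not one."""
    if not math.isfinite(value) or value != math.floor(value):
        return None
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return int(value)


def identify(pairs):
    """Decode each (low, high) pair and label the ones that are MD5 initial words."""
    results = []
    for low, high in pairs:
        word = as_uint32(dwords_to_double(low, high))
        results.append((word, MD5_INIT.get(word)))
    return results


if __name__ == "__main__":
    for (low, high), (word, label) in zip(TRACED_PAIRS, identify(TRACED_PAIRS)):
        shown = "not a 32-bit integer" if word is None else f"0x{word:08X}"
        print(f"{high:08X}:{low:08X} -> {shown} ({label or 'unknown'})")
```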
Stepping with F7 into the call dword ptr [eax+73C] at 004064A1 leads to:
004067F0 > \55 push ebp
004067F1 . 8BEC mov ebp, esp
004067F3 . 83EC 0C sub esp, 0C
004067F6 . 68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
004067FB . 64:A1 00000000 mov eax, dword ptr fs:[0]
00406801 . 50 push eax
00406802 . 64:8925 00000000 mov dword ptr fs:[0], esp
00406809 . 81EC B4000000 sub esp, 0B4
0040680F . 53 push ebx
00406810 . 56 push esi
00406811 . 57 push edi
00406812 . 8965 F4 mov dword ptr [ebp-C], esp
00406815 . C745 F8 D8124000 mov dword ptr [ebp-8], 004012D8
0040681C . 33F6 xor esi, esi
0040681E . 8975 FC mov dword ptr [ebp-4], esi
00406821 . 8B45 08 mov eax, dword ptr [ebp+8]
00406824 . 50 push eax
00406825 . 8B08 mov ecx, dword ptr [eax]
00406827 . FF51 04 call dword ptr [ecx+4]
0040682A . 8B55 0C mov edx, dword ptr [ebp+C]
0040682D . B8 02000000 mov eax, 2
00406832 . 8975 88 mov dword ptr [ebp-78], esi
00406835 . 89B5 78FFFFFF mov dword ptr [ebp-88], esi
0040683B . 89B5 68FFFFFF mov dword ptr [ebp-98], esi
00406841 . B9 01000000 mov ecx, 1
00406846 . 8945 88 mov dword ptr [ebp-78], eax
00406849 . 8985 78FFFFFF mov dword ptr [ebp-88], eax
0040684F . 8985 68FFFFFF mov dword ptr [ebp-98], eax
00406855 . 894D 90 mov dword ptr [ebp-70], ecx
00406858 . 898D 70FFFFFF mov dword ptr [ebp-90], ecx
0040685E . 8D45 88 lea eax, dword ptr [ebp-78]
00406861 . 8932 mov dword ptr [edx], esi
00406863 . 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
00406869 . 50 push eax ; /Step8
0040686A . 8D95 68FFFFFF lea edx, dword ptr [ebp-98] ; |
00406870 . 51 push ecx ; |End8
00406871 . 8D85 44FFFFFF lea eax, dword ptr [ebp-BC] ; |
00406877 . 52 push edx ; |Start8
00406878 . 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC] ; |
0040687E . 50 push eax ; |TMPend8
0040687F . 8D55 D8 lea edx, dword ptr [ebp-28] ; |
00406882 . 51 push ecx ; |TMPstep8
00406883 . 52 push edx ; |Counter8
00406884 . 8975 E8 mov dword ptr [ebp-18], esi ; |
00406887 . 8975 D8 mov dword ptr [ebp-28], esi ; |
0040688A . 8975 C8 mov dword ptr [ebp-38], esi ; |
0040688D . 8975 B8 mov dword ptr [ebp-48], esi ; |
00406890 . 8975 A8 mov dword ptr [ebp-58], esi ; |
00406893 . 8975 98 mov dword ptr [ebp-68], esi ; |
00406896 . 89B5 54FFFFFF mov dword ptr [ebp-AC], esi ; |
0040689C . 89B5 44FFFFFF mov dword ptr [ebp-BC], esi ; |
004068A2 . C745 80 08000000 mov dword ptr [ebp-80], 8 ; |
004068A9 . FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaVarForInit>>; \__vbaVarForInit
004068AF . 8B35 58104000 mov esi, dword ptr [<&MSVBVM60.#594>] ; rtcRandomize function, generates random numbers
004068B5 . 8B3D 14104000 mov edi, dword ptr [<&MSVBVM60.__vbaFreeVa>
004068BB . 8B1D 58114000 mov ebx, dword ptr [<&MSVBVM60.__vbaStrMov>
004068C1 > 85C0 test eax, eax
004068C3 . 0F84 D9000000 je 004069A2
004068C9 . 8D45 C8 lea eax, dword ptr [ebp-38]
004068CC . C745 D0 04000280 mov dword ptr [ebp-30], 80020004
004068D3 . 50 push eax
004068D4 . C745 C8 0A000000 mov dword ptr [ebp-38], 0A
004068DB . FFD6 call esi
004068DD . 8D4D C8 lea ecx, dword ptr [ebp-38]
004068E0 . FFD7 call edi
004068E2 . 8D4D C8 lea ecx, dword ptr [ebp-38]
004068E5 . C745 D0 04000280 mov dword ptr [ebp-30], 80020004
004068EC . 51 push ecx ; /arg
004068ED . C745 C8 0A000000 mov dword ptr [ebp-38], 0A ; |
004068F4 . FF15 50104000 call dword ptr [<&MSVBVM60.#593>] ; \rtcRandomNext, generates a random number
004068FA . D99D 64FFFFFF fstp dword ptr [ebp-9C] ; the random number obtained, st=0.1904980731010437012
00406900 . D985 64FFFFFF fld dword ptr [ebp-9C] ; ss:[0012F938]=0.1904981
00406906 . D80D D4124000 fmul dword ptr [4012D4] ; multiplies the random number by the value at ds:[004012D4]; ds:[004012D4]=14.00000, a constant
0040690C . 8B55 E8 mov edx, dword ptr [ebp-18]
0040690F . 8D4D A8 lea ecx, dword ptr [ebp-58]
00406912 . 8995 70FFFFFF mov dword ptr [ebp-90], edx
00406918 . C785 68FFFFFF 08>mov dword ptr [ebp-98], 8
00406922 . D805 D0124000 fadd dword ptr [4012D0] ; adds the value at ds:[004012D0] to the product; ds:[004012D0]=1.000000, a constant
00406928 . C745 B8 04000000 mov dword ptr [ebp-48], 4
0040692F . D95D C0 fstp dword ptr [ebp-40] ; the resulting sum, st=3.6669730234146118168
00406932 . DFE0 fstsw ax
00406934 . A8 0D test al, 0D
00406936 . 0F85 E3000000 jnz 00406A1F
0040693C . 8D45 B8 lea eax, dword ptr [ebp-48]
0040693F . 50 push eax
00406940 . 51 push ecx
00406941 . FF15 28114000 call dword ptr [<&MSVBVM60.#573>] ; rtcHexVarFromVar, converts the sum, taken as an integer, to a hex character
00406947 . 8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0040694D . 8D45 A8 lea eax, dword ptr [ebp-58]
00406950 . 52 push edx
00406951 . 8D4D 98 lea ecx, dword ptr [ebp-68]
00406954 . 50 push eax
00406955 . 51 push ecx
00406956 . FF15 F8104000 call dword ptr [<&MSVBVM60.__vbaVarCat>] ; __vbaVarCat, concatenates the resulting characters in order
0040695C . 50 push eax
0040695D . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>;
00406963 . 8BD0 mov edx, eax ; the concatenated string, EAX="43E53E47"
00406965 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00406968 . FFD3 call ebx
0040696A . 8D55 98 lea edx, dword ptr [ebp-68]
0040696D . 8D45 A8 lea eax, dword ptr [ebp-58]
00406970 . 52 push edx
00406971 . 8D4D B8 lea ecx, dword ptr [ebp-48]
00406974 . 50 push eax
00406975 . 8D55 C8 lea edx, dword ptr [ebp-38]
00406978 . 51 push ecx
00406979 . 52 push edx
0040697A . 6A 04 push 4
0040697C . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
00406982 . 83C4 14 add esp, 14
00406985 . 8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
0040698B . 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
00406991 . 8D55 D8 lea edx, dword ptr [ebp-28]
00406994 . 50 push eax ; /TMPend8
00406995 . 51 push ecx ; |TMPstep8
00406996 . 52 push edx ; |Counter8
00406997 . FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarForNext>>; \__vbaVarForNext
0040699D .^ E9 1FFFFFFF jmp 004068C1
004069A2 > 9B wait
004069A3 . 68 F8694000 push 004069F8
004069A8 . EB 2B jmp short 004069D5
004069AA . F645 FC 04 test byte ptr [ebp-4], 4
004069AE . 74 09 je short 004069B9
004069B0 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004069B3 . FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004069B9 > 8D45 98 lea eax, dword ptr [ebp-68]
004069BC . 8D4D A8 lea ecx, dword ptr [ebp-58]
004069BF . 50 push eax
004069C0 . 8D55 B8 lea edx, dword ptr [ebp-48]
004069C3 . 51 push ecx
004069C4 . 8D45 C8 lea eax, dword ptr [ebp-38]
004069C7 . 52 push edx
004069C8 . 50 push eax
004069C9 . 6A 04 push 4
004069CB . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
004069D1 . 83C4 14 add esp, 14
004069D4 . C3 retn
004069D5 > 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
004069DB . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
004069E1 . 51 push ecx
004069E2 . 52 push edx
004069E3 . 6A 02 push 2
004069E5 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>
004069EB . 83C4 0C add esp, 0C
004069EE . 8D4D D8 lea ecx, dword ptr [ebp-28]
004069F1 . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
004069F7 . C3 retn
004069F8 . 8B45 08 mov eax, dword ptr [ebp+8]
004069FB . 50 push eax
004069FC . 8B08 mov ecx, dword ptr [eax]
004069FE . FF51 08 call dword ptr [ecx+8]
00406A01 . 8B55 0C mov edx, dword ptr [ebp+C]
00406A04 . 8B45 E8 mov eax, dword ptr [ebp-18]
00406A07 . 8902 mov dword ptr [edx], eax
00406A09 . 8B45 FC mov eax, dword ptr [ebp-4]
00406A0C . 8B4D EC mov ecx, dword ptr [ebp-14]
00406A0F . 5F pop edi
00406A10 . 5E pop esi
00406A11 . 64:890D 00000000 mov dword ptr fs:[0], ecx
00406A18 . 5B pop ebx
00406A19 . 8BE5 mov esp, ebp
00406A1B . 5D pop ebp
00406A1C . C2 0800 retn 8
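Clear the breakpoint set above. Press Ctrl+G, enter the OK button event address 00405D20, confirm, set a breakpoint with F2, press F9 to run, and enter the registration details:
======================================
Machine code: 1460319485
Registration code: 9876543210abcde
======================================
After clicking the OK button, the program breaks immediately:
00405D20 > \55 push ebp ; breakpoint set with F2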
00405D21 . 8BEC mov ebp, esp
00405D23 . 83EC 0C sub esp, 0C
00405D26 . 68 F6124000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00405D2B . 64:A1 00000000 mov eax, dword ptr fs:[0]
00405D31 . 50 push eax
00405D32 . 64:8925 00000000 mov dword ptr fs:[0], esp
00405D39 . 81EC F8000000 sub esp, 0F8
00405D3F . 53 push ebx
00405D40 . 56 push esi
00405D41 . 57 push edi
00405D42 . 8965 F4 mov dword ptr [ebp-C], esp
00405D45 . C745 F8 B0124000 mov dword ptr [ebp-8], 004012B0
00405D4C . 8B7D 08 mov edi, dword ptr [ebp+8]
00405D4F . 8BC7 mov eax, edi
00405D51 . 83E0 01 and eax, 1
00405D54 . 8945 FC mov dword ptr [ebp-4], eax
00405D57 . 83E7 FE and edi, FFFFFFFE
00405D5A . 57 push edi
00405D5B . 897D 08 mov dword ptr [ebp+8], edi
00405D5E . 8B0F mov ecx, dword ptr [edi]
00405D60 . FF51 04 call dword ptr [ecx+4]
00405D63 . 8B17 mov edx, dword ptr [edi]
00405D65 . 33F6 xor esi, esi
00405D67 . 57 push edi
00405D68 . 8975 E8 mov dword ptr [ebp-18], esi
00405D6B . 8975 D8 mov dword ptr [ebp-28], esi
00405D6E . 8975 D4 mov dword ptr [ebp-2C], esi
00405D71 . 8975 D0 mov dword ptr [ebp-30], esi
00405D74 . 8975 C0 mov dword ptr [ebp-40], esi
00405D77 . 8975 BC mov dword ptr [ebp-44], esi
00405D7A . 8975 B8 mov dword ptr [ebp-48], esi
00405D7D . 8975 A8 mov dword ptr [ebp-58], esi
00405D80 . 8975 98 mov dword ptr [ebp-68], esi
00405D83 . 8975 88 mov dword ptr [ebp-78], esi
00405D86 . 89B5 78FFFFFF mov dword ptr [ebp-88], esi
00405D8C . 89B5 68FFFFFF mov dword ptr [ebp-98], esi
00405D92 . 89B5 58FFFFFF mov dword ptr [ebp-A8], esi
00405D98 . 89B5 48FFFFFF mov dword ptr [ebp-B8], esi
00405D9E . 89B5 38FFFFFF mov dword ptr [ebp-C8], esi
00405DA4 . 89B5 18FFFFFF mov dword ptr [ebp-E8], esi
00405DAA . 89B5 08FFFFFF mov dword ptr [ebp-F8], esi
00405DB0 . FF92 00030000 call dword ptr [edx+300]
00405DB6 . 50 push eax
00405DB7 . 8D45 B8 lea eax, dword ptr [ebp-48]
00405DBA . 50 push eax
00405DBB . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00405DC1 . 8BF8 mov edi, eax
00405DC3 . 8D55 BC lea edx, dword ptr [ebp-44]
00405DC6 . 52 push edx
00405DC7 . 57 push edi
00405DC8 . 8B0F mov ecx, dword ptr [edi]
00405DCA . FF91 A0000000 call dword ptr [ecx+A0]
00405DD0 . 3BC6 cmp eax, esi
00405DD2 . DBE2 fclex
00405DD4 . 7D 12 jge short 00405DE8
00405DD6 . 68 A0000000 push 0A0
00405DDB . 68 20254000 push 00402520
00405DE0 . 57 push edi
00405DE1 . 50 push eax
00405DE2 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultC>
00405DE8 > 8B45 BC mov eax, dword ptr [ebp-44] ; registration code "9876543210abcde"
00405DEB . 8D4D 98 lea ecx, dword ptr [ebp-68]
00405DEE . 8945 B0 mov dword ptr [ebp-50], eax
00405DF1 . 8D45 A8 lea eax, dword ptr [ebp-58]
00405DF4 . 50 push eax
00405DF5 . 51 push ecx
00405DF6 . 8975 BC mov dword ptr [ebp-44], esi
00405DF9 . C745 A8 08000000 mov dword ptr [ebp-58], 8
00405E00 . FF15 70104000 call dword ptr [<&MSVBVM60.#522>] ; rtcLeftTrimVar, strips spaces from the left of the registration code
00405E06 . 8B3D 18104000 mov edi, dword ptr [<&MSVBVM60.__vbaStr>
00405E0C . 8D55 98 lea edx, dword ptr [ebp-68]
00405E0F . 52 push edx
00405E10 . FFD7 call edi
00405E12 . 8B1D 58114000 mov ebx, dword ptr [<&MSVBVM60.__vbaStr>
00405E18 . 8BD0 mov edx, eax
00405E1A . 8D4D D0 lea ecx, dword ptr [ebp-30]
00405E1D . FFD3 call ebx
00405E1F . 8D4D B8 lea ecx, dword ptr [ebp-48]
00405E22 . FF15 74114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>>
00405E28 . 8D45 98 lea eax, dword ptr [ebp-68]
00405E2B . 8D4D A8 lea ecx, dword ptr [ebp-58]
00405E2E . 50 push eax
00405E2F . 51 push ecx
00405E30 . 6A 02 push 2
00405E32 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarL>
00405E38 . 83C4 0C add esp, 0C
00405E3B . 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00405E41 . 8D4D A8 lea ecx, dword ptr [ebp-58]
00405E44 . 8D55 D0 lea edx, dword ptr [ebp-30]
00405E47 . 50 push eax
00405E48 . 51 push ecx
00405E49 . 8995 70FFFFFF mov dword ptr [ebp-90], edx
00405E4F . C785 68FFFFFF 08400000 mov dword ptr [ebp-98], 4008
00405E59 . FF15 80104000 call dword ptr [<&MSVBVM60.#524>] ; rtcRightTrimVar, strips spaces from the right of the registration code
00405E5F . 8D55 A8 lea edx, dword ptr [ebp-58]
00405E62 . 52 push edx
00405E63 . FFD7 call edi
00405E65 . 8BD0 mov edx, eax
00405E67 . 8D4D D0 lea ecx, dword ptr [ebp-30]
00405E6A . FFD3 call ebx
00405E6C . 8D4D A8 lea ecx, dword ptr [ebp-58]
00405E6F . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>>
00405E75 . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00405E7B . 8D55 A8 lea edx, dword ptr [ebp-58]
00405E7E . 8D45 D0 lea eax, dword ptr [ebp-30]
00405E81 . 51 push ecx
00405E82 . 52 push edx
00405E83 . 8985 70FFFFFF mov dword ptr [ebp-90], eax
00405E89 . C785 68FFFFFF 08400000 mov dword ptr [ebp-98], 4008
00405E93 . FF15 9C104000 call dword ptr [<&MSVBVM60.#528>] ; rtcUpperCaseVar, converts the registration code to uppercase
00405E99 . 8D45 A8 lea eax, dword ptr [ebp-58]
00405E9C . 50 push eax
00405E9D . FFD7 call edi
00405E9F . 8BD0 mov edx, eax
00405EA1 . 8D4D D0 lea ecx, dword ptr [ebp-30]
00405EA4 . FFD3 call ebx
00405EA6 . 8D4D A8 lea ecx, dword ptr [ebp-58]
00405EA9 . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>>
00405EAF . 8B4D D0 mov ecx, dword ptr [ebp-30] ; registration code after conversion to uppercase, "9876543210ABCDE"
00405EB2 . 8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vbaLen>
00405EB8 . 51 push ecx ; /String
00405EB9 . FFD7 call edi ; \__vbaLenBstr, gets the length of the registration code
00405EBB . 83F8 0F cmp eax, 0F ; compare the registration code length with 0xF
00405EBE . 0F85 9D020000 jnz 00406161 ; fail if not equal; patch point 1, change to NOP
00405EC4 . 8B55 08 mov edx, dword ptr [ebp+8]
00405EC7 . BE 01000000 mov esi, 1
00405ECC . 89B5 70FFFFFF mov dword ptr [ebp-90], esi
00405ED2 . C785 68FFFFFF 02000000 mov dword ptr [ebp-98], 2
00405EDC . 8D42 34 lea eax, dword ptr [edx+34]
00405EDF . 8B42 34 mov eax, dword ptr [edx+34] ; the random-number string generated by the program, "43E53E47"
00405EE2 . 50 push eax ; /String
00405EE3 . FFD7 call edi ; \__vbaLenBstr, gets the length of the string
00405EE5 . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00405EEB . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
00405EF1 . 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
00405EF7 . 51 push ecx ; /Step8
00405EF8 . 8D85 48FFFFFF lea eax, dword ptr [ebp-B8] ; |
00405EFE . 52 push edx ; |End8
00405EFF . 8D8D 08FFFFFF lea ecx, dword ptr [ebp-F8] ; |
00405F05 . 50 push eax ; |Start8
00405F06 . 8D95 18FFFFFF lea edx, dword ptr [ebp-E8] ; |
00405F0C . 51 push ecx ; |TMPend8
00405F0D . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
00405F10 . 52 push edx ; |TMPstep8
00405F11 . 50 push eax ; |Counter8
00405F12 . C785 58FFFFFF 03000000 mov dword ptr [ebp-A8], 3 ; |
00405F1C . 89B5 50FFFFFF mov dword ptr [ebp-B0], esi ; |
00405F22 . C785 48FFFFFF 02000000 mov dword ptr [ebp-B8], 2 ; |
00405F2C . FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaVarForIn>; \__vbaVarForInit
00405F32 . 8B35 84104000 mov esi, dword ptr [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00405F38 . 8B3D F8104000 mov edi, dword ptr [<&MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarCat
00405F3E > 85C0 test eax, eax
00405F40 . 0F84 4A010000 je 00406090
00405F46 . 8B4D 08 mov ecx, dword ptr [ebp+8]
00405F49 . 8D55 A8 lea edx, dword ptr [ebp-58]
00405F4C . 52 push edx
00405F4D . C745 B0 01000000 mov dword ptr [ebp-50], 1
00405F54 . 8D41 34 lea eax, dword ptr [ecx+34]
00405F57 . C745 A8 02000000 mov dword ptr [ebp-58], 2
00405F5E . 8985 70FFFFFF mov dword ptr [ebp-90], eax
00405F64 . 8D45 D8 lea eax, dword ptr [ebp-28]
00405F67 . 50 push eax
00405F68 . C785 68FFFFFF 08400000 mov dword ptr [ebp-98], 4008
00405F72 . FF15 44114000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00405F78 . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00405F7E . 50 push eax
00405F7F . 8D55 98 lea edx, dword ptr [ebp-68]
00405F82 . 51 push ecx
00405F83 . 52 push edx
00405F84 . FFD6 call esi
00405F86 . 8D55 98 lea edx, dword ptr [ebp-68]
00405F89 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00405F8C . FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaVarMove>>;
00405F92 . 8D4D A8 lea ecx, dword ptr [ebp-58]
00405F95 . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>>
00405F9B . 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
00405FA1 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00405FA4 . 50 push eax
00405FA5 . 8D55 A8 lea edx, dword ptr [ebp-58]
00405FA8 . 51 push ecx
00405FA9 . 52 push edx
00405FAA . C785 70FFFFFF 34254000 mov dword ptr [ebp-90], 00402534 ; &h
00405FB4 . C785 68FFFFFF 08000000 mov dword ptr [ebp-98], 8
00405FBE . FFD7 call edi ; __vbaVarCat, concatenates the extracted string with "&h", i.e. treats it as hexadecimal
00405FC0 . 50 push eax ; /String8
00405FC1 . 8D45 BC lea eax, dword ptr [ebp-44] ; |
00405FC4 . 50 push eax ; |ARG2
00405FC5 . FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaStrVarVa>; \__vbaStrVarVal
00405FCB . 50 push eax ; EAX="&h4"
00405FCC . FF15 78114000 call dword ptr [<&MSVBVM60.#581>] ; rtcR8ValFromBstr
00405FD2 . DD9D 30FFFFFF fstp qword ptr [ebp-D0] ; st=4.0000000000000000000
00405FD8 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
00405FDB . 8D45 98 lea eax, dword ptr [ebp-68]
00405FDE . DD85 30FFFFFF fld qword ptr [ebp-D0]
00405FE4 . 8D55 D0 lea edx, dword ptr [ebp-30]
00405FE7 . 50 push eax
00405FE8 . 898D 40FFFFFF mov dword ptr [ebp-C0], ecx
00405FEE . C785 38FFFFFF 08000000 mov dword ptr [ebp-C8], 8
00405FF8 . C745 A0 01000000 mov dword ptr [ebp-60], 1
00405FFF . C745 98 02000000 mov dword ptr [ebp-68], 2
00406006 . 8995 60FFFFFF mov dword ptr [ebp-A0], edx
0040600C . C785 58FFFFFF 08400000 mov dword ptr [ebp-A8], 4008
00406016 . FF15 50114000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ; converts the floating-point number to an integer
0040601C . 8D8D 58FFFFFF lea ecx, dword ptr [ebp-A8]
00406022 . 50 push eax ; EAX=0x4
00406023 . 8D55 88 lea edx, dword ptr [ebp-78]
00406026 . 51 push ecx
00406027 . 52 push edx
00406028 . FFD6 call esi ; rtcMidCharVar, picks a character from the registration code "9876543210ABCDE" at the position given by EAX
0040602A . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00406030 . 8D4D 88 lea ecx, dword ptr [ebp-78]
00406033 . 50 push eax
00406034 . 8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0040603A . 51 push ecx
0040603B . 52 push edx
0040603C . FFD7 call edi ; __vbaVarCat, concatenates the picked characters in order
0040603E . 50 push eax
0040603F . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrVarMo>; MSVBVM60.__vbaStrVarMove
00406045 . 8BD0 mov edx, eax ; EAX="67D57D63"
00406047 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040604A . FFD3 call ebx
0040604C . 8D4D BC lea ecx, dword ptr [ebp-44]
0040604F . FF15 70114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>>
00406055 . 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
0040605B . 8D4D 88 lea ecx, dword ptr [ebp-78]
0040605E . 50 push eax
0040605F . 8D55 98 lea edx, dword ptr [ebp-68]
00406062 . 51 push ecx
00406063 . 8D45 A8 lea eax, dword ptr [ebp-58]
00406066 . 52 push edx
00406067 . 50 push eax
00406068 . 6A 04 push 4
0040606A . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarL>
00406070 . 83C4 14 add esp, 14
00406073 . 8D8D 08FFFFFF lea ecx, dword ptr [ebp-F8]
00406079 . 8D95 18FFFFFF lea edx, dword ptr [ebp-E8]
0040607F . 51 push ecx ; /TMPend8
00406080 . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
00406083 . 52 push edx ; |TMPstep8
00406084 . 50 push eax ; |Counter8
00406085 . FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarForNe>; \__vbaVarForNext
0040608B .^ E9 AEFEFFFF jmp 00405F3E
00406090 > 8B75 08 mov esi, dword ptr [ebp+8]
00406093 . 8D55 BC lea edx, dword ptr [ebp-44]
00406096 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00406099 . 52 push edx
0040609A . 8B0E mov ecx, dword ptr [esi]
0040609C . 50 push eax
0040609D . 56 push esi
0040609E . FF91 18070000 call dword ptr [ecx+718] ; same CALL as at 004066EB, computes the MD5 of the string "67D57D63"
004060A4 . 85C0 test eax, eax
004060A6 . 7D 12 jge short 004060BA
004060A8 . 68 18070000 push 718
004060AD . 68 40224000 push 00402240
004060B2 . 56 push esi
004060B3 . 50 push eax
004060B4 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaHresultC>
004060BA > 8B55 BC mov edx, dword ptr [ebp-44]
004060BD . 8D4D E8 lea ecx, dword ptr [ebp-18]
004060C0 . C745 BC 00000000 mov dword ptr [ebp-44], 0
004060C7 . FFD3 call ebx
004060C9 . 8B4D E8 mov ecx, dword ptr [ebp-18] ; MD5 value computed from the registration code
004060CC . 8B56 38 mov edx, dword ptr [esi+38] ; MD5 value computed from the machine code
004060CF . 51 push ecx ; MD5("67D57D63")="06B0BF7EF2CED98E9E803C4D1C596D3D"
004060D0 . 52 push edx ; MD5("927C279")="9E7F4ED9D6D89E0FD8A4F75B68809F81"
004060D1 . FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; compares whether the two MD5 values are equal
004060D7 . 85C0 test eax, eax
004060D9 . 0F85 80000000 jnz 0040615F ; fail if not equal; patch point 2, change to NOP
004060DF . 8B06 mov eax, dword ptr [esi]
004060E1 . 56 push esi
004060E2 . FF90 00030000 call dword ptr [eax+300]
004060E8 . 8B3D 60104000 mov edi, dword ptr [<&MSVBVM60.__vbaObj>
004060EE . 8D4D B8 lea ecx, dword ptr [ebp-48]
004060F1 . 50 push eax
004060F2 . 51 push ecx
004060F3 . FFD7 call edi
004060F5 . 8BD8 mov ebx, eax
004060F7 . 6A 00 push 0
004060F9 . 53 push ebx
004060FA . 8B13 mov edx, dword ptr [ebx]
004060FC . FF92 8C000000 call dword ptr [edx+8C]
00406102 . 85C0 test eax, eax
00406104 . DBE2 fclex
00406106 . 7D 12 jge short 0040611A
00406108 . 68 8C000000 push 8C
-----------------------------------------------------------------------------------------------
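【Crack summary】
1. The program calls GetVolumeInformationA to obtain the volume serial number of drive C, takes its absolute value, and uses the decimal representation as the machine code.
2. The machine code is written in hexadecimal as a string; the string is reversed and then hashed with MD5. The resulting MD5 string is denoted str1.
3. The program calls rtcRandomize to generate 8 random numbers in the range 0-0xF, picks the characters at the corresponding positions of str1, and concatenates them into the string str2.
4. str2 is hashed with MD5; the resulting MD5 string is denoted str3.
5. Leading and trailing spaces are removed from the registration code, and the program checks whether the trimmed registration code is 0xF (15) characters long.
6. After the registration code is converted to uppercase, the characters at the positions given by the random numbers from step 3 are picked from it and concatenated into the string str4.
7. str4 is hashed with MD5; the resulting MD5 string is denoted str5.
8. str3 and str5 are compared; if they are equal, registration succeeds.
9. From this analysis: write the machine code in hexadecimal as a string, reverse the string, hash it with MD5, and take the first 15 characters of the MD5 value as the registration code.
A working set of registration details:
==========================================
Machine code: 1460319485
Registration code: DD29C6AFF93CB72
==========================================
For a patch, change the following two locations:
00405EBE jnz 00406161 ; jnz====>NOP
004060D9 jnz 0040615F ; jnz====>NOP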
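【VB keygen source code】
' Decimal-to-hexadecimal conversion function, so that the conversion does not fail when the machine code is a large value
Public Function DEC_to_HEX(ByVal x As String) As String
    Dim Dec As Double
    Dim Temp As Double
    Dim Remain As Double
    Dec = Val(x)
    ' Repeated division by 16; each remainder becomes one hex digit, most significant first
    Do
        Remain = Int(Dec / 16)
        Temp = Remain * 16
        DEC_to_HEX = Hex(Dec - Temp) & DEC_to_HEX
        Dec = Remain
    Loop While Dec
    If Len(DEC_to_HEX) Mod 2 Then
        DEC_to_HEX = "" & DEC_to_HEX
    End If
End Function

Private Sub Generate_Click()
    On Error Resume Next
    Dim MachineCode As String
    Dim RegCode As String
    ' Text1 holds the decimal machine code, Text2 receives the result
    MachineCode = Trim(Text1.Text)
    MachineCode = DEC_to_HEX(MachineCode)
    MachineCode = StrReverse(MachineCode)
    ' MD5() is not defined in this listing; it has to be supplied by a separate MD5 module
    RegCode = Left(MD5(MachineCode), 15)
    Text2.Text = RegCode
End Sub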
-----------------------------------------------------------------------------------------------
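【Copyright notice】This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thank you!
[ This post was last edited by hrbx on 2010-4-19 09:32 ]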
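
The check summarized in steps 1-8 of the post, modeled in Python as an added example (not part of the original post and not the CrackMe's own code). It shows that one run only compares the serial positions named by the random index string, and that the expected value is derived entirely from the machine code with no secret involved. All function names are hypothetical, and VB's rounding inside Hex(Rnd * 14 + 1) is modeled with Python's round() as an assumption.

```python
import hashlib
import random


def md5_upper(text):
    """MD5 of an ASCII string as uppercase hex, the form shown in the listing."""
    return hashlib.md5(text.encode("ascii")).hexdigest().upper()


def reversed_hex(machine_code):
    """Step 2 input: decimal machine code -> hexadecimal string -> reversed."""
    return format(int(machine_code), "X")[::-1]


def index_string(rng, count=8):
    """Step 3: one hex digit per Rnd * 14 + 1 (rounding via round() is an assumption)."""
    return "".join(format(round(rng.random() * 14 + 1), "X") for _ in range(count))


def pick(source, indices):
    """Mid(source, n, 1) for every hex digit n of `indices` (VB positions are 1-based)."""
    return "".join(source[int(ch, 16) - 1] for ch in indices)


def check(machine_code, serial, indices):
    """Steps 4-8: compare MD5 of the characters picked from str1 and from the serial."""
    serial = serial.strip(" ").upper()
    if len(serial) != 15:
        return False
    str1 = md5_upper(reversed_hex(machine_code))
    return md5_upper(pick(str1, indices)) == md5_upper(pick(serial, indices))


def positions_compared(indices):
    """Serial positions that a run with this index string actually reads."""
    return sorted({int(ch, 16) for ch in indices})


def replace_at(serial, position, new_char):
    """Return `serial` with the character at 1-based `position` replaced."""
    return serial[:position - 1] + new_char + serial[position:]


if __name__ == "__main__":
    machine_code = "1460319485"   # sample machine code from the post
    indices = "43E53E47"          # index string observed in the post's run
    prefix = md5_upper(reversed_hex(machine_code))[:15]
    print("positions compared:", positions_compared(indices))
    # A change at a position the run never reads goes unnoticed;
    # a change at a position it does read is rejected.
    print("position 1 altered:", check(machine_code, replace_at(prefix, 1, "#"), indices))
    print("position 4 altered:", check(machine_code, replace_at(prefix, 4, "#"), indices))
    rng = random.Random(0)        # constructed seed so the run is repeatable
    print("prefix passes 100 random index strings:",
          all(check(machine_code, prefix, index_string(rng)) for _ in range(100)))
```
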