【Title】Zass CrackMe #3 algorithm analysis
【Author】hrbx
【Date】2010-04-15
【Software description】Zass CrackMe #3 algorithm analysis
【Download】https://www.chinapyg.com/viewthr ... &extra=page%3D1
-----------------------------------------------------------------------------------------------
【Cracker's note】I'm just a little rookie; I gained a bit of insight and would like to share it with everyone :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Packer check. Scanning with PEiD shows: Microsoft Visual Basic 5.0 / 6.0, not packed.
2. Find the control event handler addresses. Load the program in OD (OllyDbg), press Ctrl+B and enter 816C24 in the Hex field. Every VB event procedure starts with the thunk sub dword ptr [esp+4], imm8 (opcode bytes 81 6C 24 04), so searching for those bytes lists the event handlers of all VB controls:
==================================================================
004029A0 . 816C24 04 43000> sub dword ptr [esp+4], 43 ; OK button _Click
004029A8 . E9 53010000 jmp 00402B00
==================================================================
3. Algorithm analysis. Load the program in OD, press Ctrl+G, enter the OK button _Click event address 00402B00, press OK, set a breakpoint with F2, run with F9 and enter the registration info:
======================================
ID:hrbx
RegCode:98765432
======================================
After clicking the OK button the program breaks immediately:
00402B00 > \55 push ebp ; F2 breakpoint here
00402B01 . 8BEC mov ebp, esp
00402B03 . 83EC 0C sub esp, 0C
00402B06 . 68 16114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SEH handler installation
00402B0B . 64:A1 00000000 mov eax, dword ptr fs:[0]
00402B11 . 50 push eax
00402B12 . 64:8925 00000000 mov dword ptr fs:[0], esp
00402B19 . 81EC F8000000 sub esp, 0F8
00402B1F . 53 push ebx
00402B20 . 56 push esi
00402B21 . 57 push edi
00402B22 . 8965 F4 mov dword ptr [ebp-C], esp
00402B25 . C745 F8 E0104000 mov dword ptr [ebp-8], 004010E0
00402B2C . 8B75 08 mov esi, dword ptr [ebp+8]
00402B2F . 8BC6 mov eax, esi
00402B31 . 83E0 01 and eax, 1
00402B34 . 8945 FC mov dword ptr [ebp-4], eax
00402B37 . 83E6 FE and esi, FFFFFFFE
00402B3A . 56 push esi
00402B3B . 8975 08 mov dword ptr [ebp+8], esi
00402B3E . 8B0E mov ecx, dword ptr [esi]
00402B40 . FF51 04 call dword ptr [ecx+4]
00402B43 . 8B16 mov edx, dword ptr [esi]
00402B45 . 33DB xor ebx, ebx
00402B47 . 56 push esi
00402B48 . 895D E4 mov dword ptr [ebp-1C], ebx
00402B4B . 895D D0 mov dword ptr [ebp-30], ebx
00402B4E . 895D C8 mov dword ptr [ebp-38], ebx
00402B51 . 895D C4 mov dword ptr [ebp-3C], ebx
00402B54 . 895D C0 mov dword ptr [ebp-40], ebx
00402B57 . 895D BC mov dword ptr [ebp-44], ebx
00402B5A . 895D B8 mov dword ptr [ebp-48], ebx
00402B5D . 895D B4 mov dword ptr [ebp-4C], ebx
00402B60 . 895D A4 mov dword ptr [ebp-5C], ebx
00402B63 . 895D 94 mov dword ptr [ebp-6C], ebx
00402B66 . 895D 84 mov dword ptr [ebp-7C], ebx
00402B69 . 899D 74FFFFFF mov dword ptr [ebp-8C], ebx
00402B6F . 899D 64FFFFFF mov dword ptr [ebp-9C], ebx
00402B75 . 899D 54FFFFFF mov dword ptr [ebp-AC], ebx
00402B7B . 899D 44FFFFFF mov dword ptr [ebp-BC], ebx
00402B81 . 899D 34FFFFFF mov dword ptr [ebp-CC], ebx
00402B87 . 899D 20FFFFFF mov dword ptr [ebp-E0], ebx
00402B8D . FF92 14030000 call dword ptr [edx+314]
00402B93 . 50 push eax
00402B94 . 8D45 B8 lea eax, dword ptr [ebp-48]
00402B97 . 50 push eax
00402B98 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402B9E . 8BF8 mov edi, eax
00402BA0 . 53 push ebx
00402BA1 . 57 push edi
00402BA2 . 8B0F mov ecx, dword ptr [edi]
00402BA4 . FF91 9C000000 call dword ptr [ecx+9C]
00402BAA . 3BC3 cmp eax, ebx
00402BAC . DBE2 fclex
00402BAE . 7D 12 jge short 00402BC2
00402BB0 . 68 9C000000 push 9C
00402BB5 . 68 F4224000 push 004022F4
00402BBA . 57 push edi
00402BBB . 50 push eax
00402BBC . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402BC2 > 8D4D B8 lea ecx, dword ptr [ebp-48]
00402BC5 . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402BCB . 8B16 mov edx, dword ptr [esi]
00402BCD . 56 push esi
00402BCE . FF92 08030000 call dword ptr [edx+308]
00402BD4 . 50 push eax
00402BD5 . 8D45 B8 lea eax, dword ptr [ebp-48]
00402BD8 . 50 push eax
00402BD9 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402BDF . 8BF8 mov edi, eax
00402BE1 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00402BE4 . 52 push edx
00402BE5 . 57 push edi
00402BE6 . 8B0F mov ecx, dword ptr [edi]
00402BE8 . FF91 A0000000 call dword ptr [ecx+A0]
00402BEE . 3BC3 cmp eax, ebx
00402BF0 . DBE2 fclex
00402BF2 . 7D 12 jge short 00402C06
00402BF4 . 68 A0000000 push 0A0
00402BF9 . 68 04234000 push 00402304
00402BFE . 57 push edi
00402BFF . 50 push eax
00402C00 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402C06 > 8B06 mov eax, dword ptr [esi]
00402C08 . 56 push esi
00402C09 . FF90 04030000 call dword ptr [eax+304]
00402C0F . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00402C12 . 50 push eax
00402C13 . 51 push ecx
00402C14 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402C1A . 8BF8 mov edi, eax
00402C1C . 8D45 C0 lea eax, dword ptr [ebp-40]
00402C1F . 50 push eax
00402C20 . 57 push edi
00402C21 . 8B17 mov edx, dword ptr [edi]
00402C23 . FF92 A0000000 call dword ptr [edx+A0]
00402C29 . 3BC3 cmp eax, ebx
00402C2B . DBE2 fclex
00402C2D . 7D 12 jge short 00402C41
00402C2F . 68 A0000000 push 0A0
00402C34 . 68 04234000 push 00402304
00402C39 . 57 push edi
00402C3A . 50 push eax
00402C3B . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402C41 > 8B4D C0 mov ecx, dword ptr [ebp-40] ; RegCode "98765432"
00402C44 . 51 push ecx
00402C45 . 68 18234000 push 00402318
00402C4A . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; check whether the RegCode is empty
00402C50 . 8B55 C4 mov edx, dword ptr [ebp-3C] ; user name "hrbx"
00402C53 . 8BF8 mov edi, eax
00402C55 . F7DF neg edi
00402C57 . 1BFF sbb edi, edi
00402C59 . 52 push edx
00402C5A . F7DF neg edi
00402C5C . 68 18234000 push 00402318
00402C61 . F7DF neg edi
00402C63 . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; check whether the user name is empty
00402C69 . F7D8 neg eax
00402C6B . 1BC0 sbb eax, eax
00402C6D . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402C70 . F7D8 neg eax
00402C72 . F7D8 neg eax
00402C74 . 23F8 and edi, eax
00402C76 . 8D45 C0 lea eax, dword ptr [ebp-40]
00402C79 . 50 push eax
00402C7A . 51 push ecx
00402C7B . 6A 02 push 2
00402C7D . FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>>
00402C83 . 8D55 B4 lea edx, dword ptr [ebp-4C]
00402C86 . 8D45 B8 lea eax, dword ptr [ebp-48]
00402C89 . 52 push edx
00402C8A . 50 push eax
00402C8B . 6A 02 push 2
00402C8D . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeObjList>>
00402C93 . 83C4 18 add esp, 18
00402C96 . 66:3BFB cmp di, bx
00402C99 . 0F84 97030000 je 00403036 ; RegCode or user name empty: it's over
00402C9F . 8B0E mov ecx, dword ptr [esi]
00402CA1 . 56 push esi
00402CA2 . FF91 08030000 call dword ptr [ecx+308]
00402CA8 . 8D55 B8 lea edx, dword ptr [ebp-48]
00402CAB . 50 push eax
00402CAC . 52 push edx
00402CAD . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402CB3 . 8BF8 mov edi, eax
00402CB5 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402CB8 . 51 push ecx
00402CB9 . 57 push edi
00402CBA . 8B07 mov eax, dword ptr [edi]
00402CBC . FF90 A0000000 call dword ptr [eax+A0]
00402CC2 . 3BC3 cmp eax, ebx
00402CC4 . DBE2 fclex
00402CC6 . 7D 12 jge short 00402CDA
00402CC8 . 68 A0000000 push 0A0
00402CCD . 68 04234000 push 00402304
00402CD2 . 57 push edi
00402CD3 . 50 push eax
00402CD4 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402CDA > 8B55 C4 mov edx, dword ptr [ebp-3C] ; user name "hrbx"
00402CDD . 8B3D C0104000 mov edi, dword ptr [<&MSVBVM60.__vbaStrMove>
00402CE3 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00402CE6 . 895D C4 mov dword ptr [ebp-3C], ebx
00402CE9 . FFD7 call edi
00402CEB . 8B16 mov edx, dword ptr [esi]
00402CED . 8D45 BC lea eax, dword ptr [ebp-44]
00402CF0 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00402CF3 . 50 push eax
00402CF4 . 51 push ecx
00402CF5 . 56 push esi
00402CF6 . FF92 F8060000 call dword ptr [edx+6F8] ; trim spaces from both ends of the user name and convert it to upper case
00402CFC . 3BC3 cmp eax, ebx
00402CFE . 7D 12 jge short 00402D12
00402D00 . 68 F8060000 push 6F8
00402D05 . 68 D0214000 push 004021D0
00402D0A . 56 push esi
00402D0B . 50 push eax
00402D0C . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402D12 > 8B55 BC mov edx, dword ptr [ebp-44] ; user name after upper-casing: "HRBX"
00402D15 . 8D4D C8 lea ecx, dword ptr [ebp-38]
00402D18 . 895D BC mov dword ptr [ebp-44], ebx
00402D1B . FFD7 call edi
00402D1D . 8D4D C0 lea ecx, dword ptr [ebp-40]
00402D20 . FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00402D26 . 8D4D B8 lea ecx, dword ptr [ebp-48]
00402D29 . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402D2F . 8B16 mov edx, dword ptr [esi]
00402D31 . 8D85 20FFFFFF lea eax, dword ptr [ebp-E0]
00402D37 . 8D4D C8 lea ecx, dword ptr [ebp-38]
00402D3A . 50 push eax
00402D3B . 51 push ecx
00402D3C . 56 push esi
00402D3D . FF92 FC060000 call dword ptr [edx+6FC] ; sum of the ASCII values of the characters of the transformed user name "HRBX"
00402D43 . 3BC3 cmp eax, ebx ; Sum("HRBX")=0x134
00402D45 . 7D 12 jge short 00402D59
00402D47 . 68 FC060000 push 6FC
00402D4C . 68 D0214000 push 004021D0
00402D51 . 56 push esi
00402D52 . 50 push eax
00402D53 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402D59 > 8B95 20FFFFFF mov edx, dword ptr [ebp-E0]
00402D5F . 8B06 mov eax, dword ptr [esi]
00402D61 . 56 push esi
00402D62 . 8955 E8 mov dword ptr [ebp-18], edx
00402D65 . FF90 04030000 call dword ptr [eax+304]
00402D6B . 8D4D B8 lea ecx, dword ptr [ebp-48]
00402D6E . 50 push eax
00402D6F . 51 push ecx
00402D70 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402D76 . 8BF8 mov edi, eax
00402D78 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00402D7B . 50 push eax
00402D7C . 57 push edi
00402D7D . 8B17 mov edx, dword ptr [edi]
00402D7F . FF92 A0000000 call dword ptr [edx+A0]
00402D85 . 3BC3 cmp eax, ebx
00402D87 . DBE2 fclex
00402D89 . 7D 12 jge short 00402D9D
00402D8B . 68 A0000000 push 0A0
00402D90 . 68 04234000 push 00402304
00402D95 . 57 push edi
00402D96 . 50 push eax
00402D97 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402D9D > 8B55 C4 mov edx, dword ptr [ebp-3C] ; RegCode "98765432"
00402DA0 . 8B3D C0104000 mov edi, dword ptr [<&MSVBVM60.__vbaStrMove>
00402DA6 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00402DA9 . 895D C4 mov dword ptr [ebp-3C], ebx
00402DAC . FFD7 call edi
00402DAE . 8B0E mov ecx, dword ptr [esi]
00402DB0 . 8D55 BC lea edx, dword ptr [ebp-44]
00402DB3 . 8D45 C0 lea eax, dword ptr [ebp-40]
00402DB6 . 52 push edx
00402DB7 . 50 push eax
00402DB8 . 56 push esi
00402DB9 . FF91 F8060000 call dword ptr [ecx+6F8] ; trim spaces from both ends of the RegCode and convert it to upper case
00402DBF . 3BC3 cmp eax, ebx
00402DC1 . 7D 12 jge short 00402DD5
00402DC3 . 68 F8060000 push 6F8
00402DC8 . 68 D0214000 push 004021D0
00402DCD . 56 push esi
00402DCE . 50 push eax
00402DCF . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402DD5 > 8B55 BC mov edx, dword ptr [ebp-44]
00402DD8 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402DDB . 895D BC mov dword ptr [ebp-44], ebx
00402DDE . FFD7 call edi
00402DE0 . 8D4D C0 lea ecx, dword ptr [ebp-40]
00402DE3 . FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00402DE9 . 8D4D B8 lea ecx, dword ptr [ebp-48]
00402DEC . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402DF2 . 8B0E mov ecx, dword ptr [esi]
00402DF4 . 8D95 20FFFFFF lea edx, dword ptr [ebp-E0]
00402DFA . 8D45 E4 lea eax, dword ptr [ebp-1C]
00402DFD . 52 push edx
00402DFE . 50 push eax
00402DFF . 56 push esi
00402E00 . FF91 FC060000 call dword ptr [ecx+6FC] ; sum of the ASCII values of the characters of the transformed RegCode "98765432"
00402E06 . 3BC3 cmp eax, ebx ; Sum("98765432")=0x1AC
00402E08 . 7D 12 jge short 00402E1C
00402E0A . 68 FC060000 push 6FC
00402E0F . 68 D0214000 push 004021D0
00402E14 . 56 push esi
00402E15 . 50 push eax
00402E16 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402E1C > 8B4D E4 mov ecx, dword ptr [ebp-1C] ; RegCode "98765432"
00402E1F . 8BBD 20FFFFFF mov edi, dword ptr [ebp-E0] ; EDI=Sum("98765432")=0x1AC
00402E25 . 51 push ecx ; /String
00402E26 . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00402E2C . 83F8 08 cmp eax, 8 ; compare the RegCode length with 8
00402E2F . 0F85 01020000 jnz 00403036 ; not equal: it's over
00402E35 . 8B4D E8 mov ecx, dword ptr [ebp-18] ; ECX=ss:[0012F4F0]=Sum("HRBX")=0x134
00402E38 . B8 1F85EB51 mov eax, 51EB851F ; EAX=0x51EB851F
00402E3D . 33F9 xor edi, ecx ; EDI=EDI xor ECX
00402E3F . C785 54FFFFFF 0200>mov dword ptr [ebp-AC], 2
00402E49 . 0FBFCF movsx ecx, di ; ECX=DI=0x98
00402E4C . F7E9 imul ecx ; EAX=EAX*ECX,EAX=A3D70A68,EDX=30
00402E4E . C1FA 05 sar edx, 5 ; EDX=EDX sar 5=1, i.e. divide by 2^5 (with the 0x51EB851F multiply this is signed division by 100)
00402E51 . 8BC2 mov eax, edx ; EAX=EDX
00402E53 . 8D4D D0 lea ecx, dword ptr [ebp-30]
00402E56 . C1E8 1F shr eax, 1F ; EAX=EAX shr 0x1F=0
00402E59 . 03D0 add edx, eax ; EDX=EDX+EAX=1
00402E5B . 66:8995 5CFFFFFF mov word ptr [ebp-A4], dx ; save DX into the value field of the I2 Variant at [ebp-AC]
00402E62 . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00402E68 . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00402E6E . 66:8BC7 mov ax, di ; AX=DI=0x98
00402E71 . 66:B9 1F00 mov cx, 1F ; CX=0x1F
00402E75 . 66:99 cwd
00402E77 . 66:F7F9 idiv cx ; AX/CX
00402E7A . 8D45 D0 lea eax, dword ptr [ebp-30]
00402E7D . C785 54FFFFFF 0280>mov dword ptr [ebp-AC], 8002
00402E87 . 66:8995 5CFFFFFF mov word ptr [ebp-A4], dx ; save the remainder, DX=0x1C
00402E8E . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00402E94 . 52 push edx ; /var18=EDX=0x1C
00402E95 . 50 push eax ; |var28=1
00402E96 . FF15 64104000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq, test whether they are equal
00402E9C . 66:85C0 test ax, ax
00402E9F . 74 41 je short 00402EE2 ; jump if not equal
00402EA1 . 0FBFCF movsx ecx, di ; if equal, the following runs (true for instance when the user name and RegCode are identical, so the XOR is 0); ECX=DI
00402EA4 . B8 43082184 mov eax, 84210843 ; EAX=0x84210843
00402EA9 . C785 54FFFFFF 0200>mov dword ptr [ebp-AC], 2
00402EB3 . F7E9 imul ecx ; EAX=EAX*ECX
00402EB5 . 8BC2 mov eax, edx ; EAX=EDX
00402EB7 . 03C1 add eax, ecx ; EAX=EAX+ECX
00402EB9 . C1F8 04 sar eax, 4 ; EAX=EAX sar 4, i.e. divide by 2^4 (with the 0x84210843 multiply this is signed division by 31)
00402EBC . 8BC8 mov ecx, eax ; ECX=EAX
00402EBE . C1E9 1F shr ecx, 1F ; EAX=EAX shr 0x1F
00402EC1 . 03C1 add eax, ecx ; EAX=EAX+ECX
00402EC3 . 66:B9 0600 mov cx, 6 ; CX=6
00402EC7 . 66:99 cwd
00402EC9 . 66:F7F9 idiv cx ; AX/CX
00402ECC . 8D4D D0 lea ecx, dword ptr [ebp-30]
00402ECF . 66:8995 5CFFFFFF mov word ptr [ebp-A4], dx ; save the division remainder, call it TmpNum
00402ED6 . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00402EDC . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00402EE2 > 8B16 mov edx, dword ptr [esi]
00402EE4 . 56 push esi
00402EE5 . FF92 14030000 call dword ptr [edx+314]
00402EEB . 50 push eax
00402EEC . 8D45 B8 lea eax, dword ptr [ebp-48]
00402EEF . 50 push eax
00402EF0 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402EF6 . 8BF8 mov edi, eax
00402EF8 . 6A FF push -1
00402EFA . 57 push edi
00402EFB . 8B0F mov ecx, dword ptr [edi]
00402EFD . FF91 9C000000 call dword ptr [ecx+9C]
00402F03 . 3BC3 cmp eax, ebx
00402F05 . DBE2 fclex
00402F07 . 7D 12 jge short 00402F1B
00402F09 . 68 9C000000 push 9C
00402F0E . 68 F4224000 push 004022F4
00402F13 . 57 push edi
00402F14 . 50 push eax
00402F15 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheck>
00402F1B > 8D4D B8 lea ecx, dword ptr [ebp-48]
00402F1E . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00402F24 . 8B16 mov edx, dword ptr [esi]
00402F26 . 56 push esi
00402F27 . FF92 14030000 call dword ptr [edx+314]
00402F2D . 50 push eax
00402F2E . 8D45 B8 lea eax, dword ptr [ebp-48]
00402F31 . 50 push eax
00402F32 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00402F38 . B9 06000000 mov ecx, 6 ; ECX=6, constant
00402F3D . 8BF0 mov esi, eax
00402F3F . 898D 7CFFFFFF mov dword ptr [ebp-84], ecx
00402F45 . B8 02000000 mov eax, 2
00402F4A . 898D 5CFFFFFF mov dword ptr [ebp-A4], ecx
00402F50 . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
00402F56 . 8D4D 84 lea ecx, dword ptr [ebp-7C]
00402F59 . 8985 74FFFFFF mov dword ptr [ebp-8C], eax
00402F5F . 8985 54FFFFFF mov dword ptr [ebp-AC], eax
00402F65 . C785 4CFFFFFF 0100>mov dword ptr [ebp-B4], 1
00402F6F . 8985 44FFFFFF mov dword ptr [ebp-BC], eax
00402F75 . C785 3CFFFFFF 2421>mov dword ptr [ebp-C4], 00402124 ; built-in string "Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!"
00402F7F . C785 34FFFFFF 0800>mov dword ptr [ebp-CC], 8 ; call it str
00402F89 . FF15 B8104000 call dword ptr [<&MSVBVM60.__vbaVarDup>]
00402F8F . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00402F95 . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00402F9B . 51 push ecx
00402F9C . 8D45 D0 lea eax, dword ptr [ebp-30]
00402F9F . 52 push edx ; /EDX=6, EDX is the constant 6; "D EDX+8" in the command bar shows the value
00402FA0 . 8D4D A4 lea ecx, dword ptr [ebp-5C] ; |
00402FA3 . 50 push eax ; |EAX=&[ebp-30]=1, the Variant saved above (in this run it is the quotient 1, since the je was taken and TmpNum was never computed)
00402FA4 . 51 push ecx ; |
00402FA5 . FF15 78104000 call dword ptr [<&MSVBVM60.__vbaVarMul>] ; \EDX times EAX, result stored at the address in ECX, call it Num1
00402FAB . 50 push eax ; /EAX=the product, EAX=Num1=6
00402FAC . 8D95 44FFFFFF lea edx, dword ptr [ebp-BC] ; |
00402FB2 . 8D45 94 lea eax, dword ptr [ebp-6C] ; |
00402FB5 . 52 push edx ; |EDX=1, constant 1
00402FB6 . 50 push eax ; |
00402FB7 . FF15 B4104000 call dword ptr [<&MSVBVM60.__vbaVarAdd>] ; \EDX plus EAX, result stored in EAX, call it Num2
00402FBD . 50 push eax ; EAX=7
00402FBE . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00402FC4 . 8D4D 84 lea ecx, dword ptr [ebp-7C] ; |
00402FC7 . 50 push eax ; |Start=EAX=7
00402FC8 . 8D95 64FFFFFF lea edx, dword ptr [ebp-9C] ; |
00402FCE . 51 push ecx ; |dString="Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!"
00402FCF . 52 push edx ; |RetBUFFER=EDX=6
00402FD0 . FF15 50104000 call dword ptr [<&MSVBVM60.#632>] ; \rtcMidCharVar, take the substring Mid(str,Num2,6)=Mid(str,7,6)="Oh!No!"
00402FD6 . 8B3E mov edi, dword ptr [esi]
00402FD8 . 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00402FDE . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402FE1 . 50 push eax ; /String8="Oh!No!", the substring just extracted
00402FE2 . 51 push ecx ; |ARG2
00402FE3 . FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00402FE9 . 50 push eax
00402FEA . 56 push esi
00402FEB . FF57 54 call dword ptr [edi+54]
00402FEE . 3BC3 cmp eax, ebx
-----------------------------------------------------------------------------------------------
【Summary】
1. The user name is trimmed of leading and trailing spaces and converted to upper case; the sum of the ASCII values of the characters of the transformed user name is Sum1.
2. The RegCode is trimmed of leading and trailing spaces and converted to upper case; the transformed RegCode must be exactly 8 characters long; the sum of the ASCII values of its characters is Sum2.
3. Sum1 is XORed with Sum2 and only the low 16 bits of the result are kept, sign-extended (movsx ecx, di): TmpNum1 = Sum1 xor Sum2.
4. TmpNum1 is multiplied by 0x51EB851F (64-bit imul) and the high dword of the product (EDX, not 8 bits) is shifted right by 5 (sar 5); the sign bit (shr 1F) is added back. This is the compiler's idiom for signed division by 100, so TmpNum2 = TmpNum1 \ 100. It is stored as an Integer Variant in [ebp-30].
5. TmpNum1 is divided by 0x1F (cwd; idiv cx) and the remainder is kept: TmpNum3 = TmpNum1 Mod 31.
6. TmpNum2 is compared with TmpNum3 (__vbaVarTstEq). Only when they are equal does the second block run: TmpNum1 multiplied by 0x84210843, plus TmpNum1, sar 4, plus the sign bit is the same idiom for signed division by 31; that quotient is divided by 6 and the remainder TmpNum5 = (TmpNum1 \ 31) Mod 6 overwrites [ebp-30]. When they are not equal (as in the trace above, where 1 <> 0x1C), [ebp-30] keeps TmpNum2.
7. The program has the built-in fixed string "Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!", called str.
8. The label caption is Mid(str, [ebp-30]*6+1, 6). Slice 0 is "Bingo!" and slice 1 is "Oh!No!", so registration succeeds exactly when the final value in [ebp-30] is 0: either TmpNum2 = 0 and TmpNum1 Mod 31 <> 0 (0 <= TmpNum1 <= 99, TmpNum1 not a multiple of 31), or TmpNum2 = TmpNum3 and (TmpNum1 \ 31) Mod 6 = 0 (TmpNum1 = 0, 187, 375, ...). In the trace above TmpNum1 = 0x98, TmpNum2 = 1 and the caption is "Oh!No!".
9. In particular, if the user name and the RegCode are identical (and therefore both 8 characters), Sum1 = Sum2, TmpNum1 = 0 and the caption is "Bingo!", so any such user name registers successfully.
A working registration pair:
==========================================
ID:hrbxO
RegCode:I&V&Q&Q&
==========================================
(Sum1("HRBXO") = 0x183, Sum2("I&V&Q&Q&") = 0x1D9, TmpNum1 = 0x5A = 90, TmpNum2 = 0, TmpNum3 = 28, so the caption is Mid(str,1,6) = "Bingo!".)
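Added example: a Python re-implementation of the check reconstructed from the disassembly above, plus a key generator built on it. This is not code from hrbx's post and not the crackme's own code. It assumes, as the post's annotations state, that the form methods at vtable+6F8 and vtable+6FC do Trim+UCase and an ASCII sum; the label string is copied from the listing at 00402124. The x86 magic-multiply sequences are replaced by the signed divisions by 100 and 31 they implement, and the 16-bit idiv by a remainder that keeps the dividend's sign. The negative-start case of Mid() is modelled as a raised error (VB run-time error 5), which the listing does not show.

```python
from functools import lru_cache

# Built-in string at 00402124 (copied from the listing); each 6-character slice is one caption.
LABELS = "Bingo!Oh!No!ReTry!Oh!No!Oh............................Oh!No!"

# Key alphabet: printable ASCII without space (Trim would remove it) and without
# lower-case letters (UCase would change the character sum).
ALPHABET = [c for c in range(0x21, 0x7F) if not 0x61 <= c <= 0x7A]


def to_i16(v):
    """movsx ecx, di: keep the low 16 bits of the XOR and sign-extend them."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def tdiv(a, b):
    """Division truncating toward zero, as idiv and the magic-multiply idioms do."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def tmod(a, b):
    """Remainder with the sign of the dividend, as idiv leaves it in DX."""
    return a - b * tdiv(a, b)


def normalize(s):
    """Method at vtable+6F8 as annotated in the post: Trim (spaces only, like VB) then UCase."""
    return s.strip(" ").upper()


def char_sum(s):
    """Method at vtable+6FC as annotated in the post: sum of the characters' ASCII codes."""
    return sum(ord(c) for c in s)


def label_index(x):
    """Value left in the Variant at [ebp-30] for TmpNum1 = x (signed 16-bit)."""
    q = tdiv(x, 100)              # imul 0x51EB851F; sar edx,5; add sign bit  -> x \ 100
    r = tmod(x, 31)               # cwd; idiv cx with cx = 0x1F                 -> x Mod 31
    if q == r:                    # __vbaVarTstEq; the je at 00402E9F skips this block otherwise
        q = tmod(tdiv(x, 31), 6)  # imul 0x84210843; add; sar 4; sign bit -> x \ 31, then idiv 6
    return q


def check(user, code):
    """Return the caption the crackme would set, or None when it returns without one."""
    if user == "" or code == "":        # __vbaStrCmp against the empty string -> 00403036
        return None
    user_n, code_n = normalize(user), normalize(code)
    if len(code_n) != 8:                # __vbaLenBstr; cmp eax, 8; jnz 00403036
        return None
    x = to_i16(char_sum(user_n) ^ char_sum(code_n))
    start = 6 * label_index(x) + 1      # __vbaVarMul by 6, then __vbaVarAdd 1
    if start < 1:                       # negative x: VB Mid() raises run-time error 5 (assumed)
        raise ValueError("Mid() start < 1 (VB run-time error 5)")
    return LABELS[start - 1:start - 1 + 6]   # rtcMidCharVar: Mid(str, start, 6)


def code_with_sum(target, length=8):
    """Build a string of `length` ALPHABET characters whose ASCII sum is `target`, or None."""
    lo, hi = min(ALPHABET), max(ALPHABET)

    @lru_cache(maxsize=None)
    def solve(pos, remaining):
        left = length - pos
        if not lo * left <= remaining <= hi * left:
            return None
        if left == 0:
            return ""
        for c in reversed(ALPHABET):    # largest code first, so the result is deterministic
            rest = solve(pos + 1, remaining - c)
            if rest is not None:
                return chr(c) + rest
        return None

    return solve(0, target)


def keygen(user):
    """Find an 8-character RegCode that makes check(user, code) return "Bingo!", or None."""
    s1 = char_sum(normalize(user))
    # raw = 0 first (Sum2 = Sum1, the shortcut the post points out), then every other XOR value.
    for raw in range(0x10000):
        if label_index(to_i16(raw)) != 0:
            continue
        code = code_with_sum((s1 ^ raw) & 0xFFFF)   # Sum2 must hit this value exactly
        if code is not None:
            return code
    return None


if __name__ == "__main__":
    print(check("hrbx", "98765432"))      # the trace in the post
    print(check("hrbxO", "I&V&Q&Q&"))     # the working pair from the post
    for name in ("hrbx", "Zass", "A"):
        key = keygen(name)
        print(name, key, check(name, key))
```

keygen() walks the XOR values that leave 0 in [ebp-30] and takes the first one whose required Sum2 can be reached with 8 printable characters; for a one-letter name such as "A" the Sum1 = Sum2 shortcut is out of reach (8 characters sum to at least 264), and the generator falls through to TmpNum1 = 375, the second branch of the check.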
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!
[ This post was last edited by hrbx on 2010-4-15 16:42 ]