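【Write-up title】墙纸千百变 1.1 registration algorithm
【Write-up author】XXNB
【Author email】Support PYG
【Author homepage】binbinbin7456.ys168.com
【Tools】OD
【Platform】XPsp2
【Software name】墙纸千百变 1.1
【Software size】4164KB
【Original download】http://www.newhua.com/soft/53653.htm
【Protection】name + code
【Software description】This software is a desktop wallpaper manager.
● Features:
1. With a preset time interval, the program changes the desktop wallpaper automatically on a timer.
2. Custom wallpaper images can be added and removed (formats include BMP, JPG, GIF, etc.).
● Usage:
1. After starting the program, single-click an image name in the wallpaper list to preview it; double-click the image name or click the "Apply" button to set it.
2. Clicking the "Reset" button stops the timer.
● Notes:
Wallpaper preview uses stretch mode; it is best to select stretch mode in the system settings as well.
【Statement】Learning from those who came before! For study and exchange only!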
------------------------------------------------------------------------
【Cracking process】
1. Setting a breakpoint on rtcMsgBox leads to the key code below:
0043E10A > \8B45 E8 mov eax, dword ptr [ebp-18] ; fake code
0043E10D . 8D4D 94 lea ecx, dword ptr [ebp-6C]
0043E110 . 8945 AC mov dword ptr [ebp-54], eax
0043E113 . 8D45 A4 lea eax, dword ptr [ebp-5C]
0043E116 . 50 push eax
0043E117 . 51 push ecx
0043E118 . C745 E8 00000>mov dword ptr [ebp-18], 0
0043E11F . C745 A4 08000>mov dword ptr [ebp-5C], 8
0043E126 . FFD7 call edi
0043E128 . 8D55 94 lea edx, dword ptr [ebp-6C]
0043E12B . 8D45 84 lea eax, dword ptr [ebp-7C]
0043E12E . 52 push edx
0043E12F . 50 push eax
0043E130 . FF15 0C114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
0043E136 . 8D4D 84 lea ecx, dword ptr [ebp-7C]
0043E139 . 51 push ecx
0043E13A . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0043E140 . 8BD0 mov edx, eax
0043E142 . B9 30104400 mov ecx, 00441030
0043E147 . FF15 60124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0043E14D . 8D4D C0 lea ecx, dword ptr [ebp-40]
0043E150 . FFD3 call ebx
0043E152 . 8D55 84 lea edx, dword ptr [ebp-7C]
0043E155 . 8D45 94 lea eax, dword ptr [ebp-6C]
0043E158 . 52 push edx
0043E159 . 8D4D A4 lea ecx, dword ptr [ebp-5C]
0043E15C . 50 push eax
0043E15D . 51 push ecx
0043E15E . 6A 03 push 3
0043E160 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0043E166 . 8B15 2C104400 mov edx, dword ptr [44102C]
0043E16C . 8B35 14114000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCmp
0043E172 . 83C4 10 add esp, 10 ; esi now holds the comparison function
0043E175 . 52 push edx
0043E176 . 68 80604000 push 00406080
0043E17B . FFD6 call esi ; <&MSVBVM60.__vbaStrCmp>
0043E17D . 85C0 test eax, eax
0043E17F . 75 10 jnz short 0043E191
0043E181 . BA A86F4000 mov edx, 00406FA8 ; none
0043E186 . B9 2C104400 mov ecx, 0044102C
0043E18B . FF15 F8114000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0043E191 > A1 30104400 mov eax, dword ptr [441030]
0043E196 . 50 push eax
0043E197 . 68 80604000 push 00406080
0043E19C . FFD6 call esi
0043E19E . 85C0 test eax, eax
0043E1A0 . 75 10 jnz short 0043E1B2
0043E1A2 . BA A86F4000 mov edx, 00406FA8 ; none
0043E1A7 . B9 30104400 mov ecx, 00441030
0043E1AC . FF15 F8114000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0043E1B2 > 68 30104400 push 00441030
0043E1B7 . 68 2C104400 push 0044102C
0043E1BC . E8 0F8CFEFF call 00426DD0 ; algorithm call <<<<<<<<<<<<<<<------
0043E1C1 . 66:833D 34104>cmp word ptr [441034], 0
0043E1C9 . A1 E0174400 mov eax, dword ptr [4417E0]
0043E1CE . 0F85 F0000000 jnz 0043E2C4 ; key jump
0043E1D4 . 85C0 test eax, eax
0043E1D6 . 75 10 jnz short 0043E1E8
0043E1D8 . 68 E0174400 push 004417E0 ; <算
0043E1DD . 68 C8684000 push 004068C8
0043E1E2 . FF15 E4114000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0043E1E8 > 8B35 E0174400 mov esi, dword ptr [4417E0]
0043E1EE . 8D55 C0 lea edx, dword ptr [ebp-40]
0043E1F1 . 52 push edx
0043E1F2 . 56 push esi
0043E1F3 . 8B0E mov ecx, dword ptr [esi]
0043E1F5 . FF51 14 call dword ptr [ecx+14]
0043E1F8 . 85C0 test eax, eax
0043E1FA . DBE2 fclex
0043E1FC . 7D 0F jge short 0043E20D
0043E1FE . 6A 14 push 14
0043E200 . 68 B8684000 push 004068B8
0043E205 . 56 push esi
0043E206 . 50 push eax
0043E207 . FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0043E20D > 8B45 C0 mov eax, dword ptr [ebp-40]
0043E210 . 8D55 E8 lea edx, dword ptr [ebp-18]
0043E213 . 52 push edx
0043E214 . 50 push eax
0043E215 . 8B08 mov ecx, dword ptr [eax]
0043E217 . 8BF0 mov esi, eax
0043E219 . FF51 60 call dword ptr [ecx+60]
0043E21C . 85C0 test eax, eax
0043E21E . DBE2 fclex
0043E220 . 7D 0F jge short 0043E231
0043E222 . 6A 60 push 60
0043E224 . 68 D8684000 push 004068D8
0043E229 . 56 push esi
0043E22A . 50 push eax
0043E22B . FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0043E231 > B8 04000280 mov eax, 80020004
0043E236 . B9 0A000000 mov ecx, 0A
0043E23B . 8985 7CFFFFFF mov dword ptr [ebp-84], eax
0043E241 . 8945 8C mov dword ptr [ebp-74], eax ; “QZF6B9” final registration code
0043E244 . 8B45 E8 mov eax, dword ptr [ebp-18]
0043E247 . 898D 74FFFFFF mov dword ptr [ebp-8C], ecx
0043E24D . 8945 9C mov dword ptr [ebp-64], eax
0043E250 . 894D 84 mov dword ptr [ebp-7C], ecx
0043E253 . B8 08000000 mov eax, 8
0043E258 . 8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
0043E25E . 8D4D A4 lea ecx, dword ptr [ebp-5C]
0043E261 . C745 E8 00000>mov dword ptr [ebp-18], 0
0043E268 . 8945 94 mov dword ptr [ebp-6C], eax
0043E26B . C785 6CFFFFFF>mov dword ptr [ebp-94], 00409968
0043E275 . 8985 64FFFFFF mov dword ptr [ebp-9C], eax
0043E27B . FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0043E281 . 8D85 74FFFFFF lea eax, dword ptr [ebp-8C]
0043E287 . 8D4D 84 lea ecx, dword ptr [ebp-7C]
0043E28A . 50 push eax
0043E28B . 8D55 94 lea edx, dword ptr [ebp-6C]
0043E28E . 51 push ecx
0043E28F . 52 push edx
0043E290 . 8D45 A4 lea eax, dword ptr [ebp-5C]
0043E293 . 6A 30 push 30
0043E295 . 50 push eax
0043E296 . FF15 B0104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox breaks here (returns to here). Look upward
0043E29C . 8D4D C0 lea ecx, dword ptr [ebp-40]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Stepping into the algorithm call at 0043E1BC . E8 0F8CFEFF call 00426DD0, we get:
00426DD0 $ 55 push ebp
00426DD1 . 8BEC mov ebp, esp
00426DD3 . 83EC 08 sub esp, 8
00426DD6 . 68 96264000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
00426DDB . 64:A1 0000000>mov eax, dword ptr fs:[0]
00426DE1 . 50 push eax
00426DE2 . 64:8925 00000>mov dword ptr fs:[0], esp
00426DE9 . 83EC 54 sub esp, 54
00426DEC . 53 push ebx
00426DED . 56 push esi
00426DEE . 57 push edi
00426DEF . 8965 F8 mov dword ptr [ebp-8], esp
00426DF2 . C745 FC A01F4>mov dword ptr [ebp-4], 00401FA0
00426DF9 . 33C0 xor eax, eax
00426DFB . 8945 E8 mov dword ptr [ebp-18], eax
00426DFE . 8945 E4 mov dword ptr [ebp-1C], eax
00426E01 . 8945 D4 mov dword ptr [ebp-2C], eax
00426E04 . 8945 C4 mov dword ptr [ebp-3C], eax
00426E07 . 8945 B4 mov dword ptr [ebp-4C], eax
00426E0A . 8945 A0 mov dword ptr [ebp-60], eax
00426E0D . 66:A3 3410440>mov word ptr [441034], ax
00426E13 . 50 push eax
00426E14 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00426E17 . 50 push eax
00426E18 . FF15 A4114000 call dword ptr [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
00426E1E . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426E21 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00426E24 . 51 push ecx
00426E25 . 68 FF000000 push 0FF
00426E2A . 52 push edx
00426E2B . FF15 9C114000 call dword ptr [<&MSVBVM60.#607>] ; MSVBVM60.rtcStringVar
00426E31 . 8B3D 34104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrVarMove
00426E37 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00426E3A . 50 push eax
00426E3B . FFD7 call edi ; <&MSVBVM60.__vbaStrVarMove>
00426E3D . 8B35 60124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
00426E43 . 8BD0 mov edx, eax
00426E45 . B9 28104400 mov ecx, 00441028
00426E4A . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00426E4C . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00426E4F . 8D55 D4 lea edx, dword ptr [ebp-2C]
00426E52 . 51 push ecx
00426E53 . 52 push edx
00426E54 . 6A 02 push 2
00426E56 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00426E5C . 8B0D 28104400 mov ecx, dword ptr [441028]
00426E62 . 83C4 0C add esp, 0C
00426E65 . 8D45 A0 lea eax, dword ptr [ebp-60]
00426E68 . 8D55 E4 lea edx, dword ptr [ebp-1C]
00426E6B . 50 push eax
00426E6C . 51 push ecx
00426E6D . 52 push edx
00426E6E . C745 A0 FF000>mov dword ptr [ebp-60], 0FF
00426E75 . FF15 3C124000 call dword ptr [<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00426E7B . 50 push eax
00426E7C . E8 CBF7FDFF call 0040664C ; computer name
00426E81 . FF15 80104000 call dword ptr [<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00426E87 . 8B45 E4 mov eax, dword ptr [ebp-1C] ; computer name
00426E8A . 50 push eax
00426E8B . 68 28104400 push 00441028
00426E90 . FF15 78114000 call dword ptr [<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00426E96 . 8D4D E4 lea ecx, dword ptr [ebp-1C] ; convert to Unicode
00426E99 . FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00426E9F . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00426EA2 . 68 FF000000 push 0FF
00426EA7 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00426EAA . 51 push ecx
00426EAB . 52 push edx
00426EAC . C745 BC 28104>mov dword ptr [ebp-44], 00441028
00426EB3 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
00426EBA . FF15 58124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
00426EC0 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00426EC3 . 50 push eax
00426EC4 . FFD7 call edi
00426EC6 . 8BD0 mov edx, eax ; computer name
00426EC8 . B9 28104400 mov ecx, 00441028
00426ECD . FFD6 call esi
00426ECF . 8B1D 24104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVar
00426ED5 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426ED8 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVar>
00426EDA . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426EDD . 6A 00 push 0
00426EDF . 51 push ecx
00426EE0 . FF15 A4114000 call dword ptr [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
00426EE6 . 6A 00 push 0
00426EE8 . 6A FF push -1
00426EEA . 6A 01 push 1
00426EEC . 68 80604000 push 00406080
00426EF1 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00426EF4 . 8D45 E4 lea eax, dword ptr [ebp-1C]
00426EF7 . 52 push edx
00426EF8 . 50 push eax
00426EF9 . FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00426EFF . 8B0D 28104400 mov ecx, dword ptr [441028]
00426F05 . 50 push eax
00426F06 . 51 push ecx
00426F07 . FF15 7C114000 call dword ptr [<&MSVBVM60.#712>] ; MSVBVM60.rtcReplace
00426F0D . 8BD0 mov edx, eax
00426F0F . B9 28104400 mov ecx, 00441028
00426F14 . FFD6 call esi
00426F16 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00426F19 . FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00426F1F . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426F22 . FFD3 call ebx
00426F24 . 8D55 B4 lea edx, dword ptr [ebp-4C]
00426F27 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00426F2A . 52 push edx
00426F2B . 50 push eax
00426F2C . C745 BC 28104>mov dword ptr [ebp-44], 00441028
00426F33 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
00426F3A . FF15 C4104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00426F40 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426F43 . 51 push ecx
00426F44 . FFD7 call edi
00426F46 . 8BD0 mov edx, eax
00426F48 . B9 28104400 mov ecx, 00441028
00426F4D . FFD6 call esi
00426F4F . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426F52 . FFD3 call ebx
00426F54 . 8D55 B4 lea edx, dword ptr [ebp-4C]
00426F57 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00426F5A . 52 push edx
00426F5B . 50 push eax
00426F5C . C745 BC 28104>mov dword ptr [ebp-44], 00441028
00426F63 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
00426F6A . FF15 58104000 call dword ptr [<&MSVBVM60.#518>] ; MSVBVM60.rtcLowerCaseVar
00426F70 . 8D4D D4 lea ecx, dword ptr [ebp-2C] ; lowercase conversion function
00426F73 . 51 push ecx
00426F74 . FFD7 call edi
00426F76 . 8BD0 mov edx, eax
00426F78 . B9 28104400 mov ecx, 00441028
00426F7D . FFD6 call esi
00426F7F . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426F82 . FFD3 call ebx
00426F84 . 8B55 08 mov edx, dword ptr [ebp+8]
00426F87 . 8D45 B4 lea eax, dword ptr [ebp-4C] ; the lowercase computer name is visible here
00426F8A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426F8D . 50 push eax
00426F8E . 51 push ecx
00426F8F . 8955 BC mov dword ptr [ebp-44], edx
00426F92 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
00426F99 . FF15 58104000 call dword ptr [<&MSVBVM60.#518>] ; MSVBVM60.rtcLowerCaseVar
00426F9F . 8D55 D4 lea edx, dword ptr [ebp-2C]
00426FA2 . 52 push edx
00426FA3 . FFD7 call edi
00426FA5 . 8B4D 08 mov ecx, dword ptr [ebp+8]
00426FA8 . 8BD0 mov edx, eax ; user name
00426FAA . FFD6 call esi
00426FAC . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426FAF . FFD3 call ebx
00426FB1 . 8B45 0C mov eax, dword ptr [ebp+C]
00426FB4 . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00426FB7 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00426FBA . 51 push ecx
00426FBB . 52 push edx
00426FBC . 8945 BC mov dword ptr [ebp-44], eax
00426FBF . C745 B4 08400>mov dword ptr [ebp-4C], 4008
00426FC6 . FF15 0C114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00426FCC . 8D45 D4 lea eax, dword ptr [ebp-2C]
00426FCF . 50 push eax
00426FD0 . FFD7 call edi
00426FD2 . 8B4D 0C mov ecx, dword ptr [ebp+C]
00426FD5 . 8BD0 mov edx, eax ; fake code
00426FD7 . FFD6 call esi
00426FD9 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00426FDC . FFD3 call ebx
00426FDE . BA D47E4000 mov edx, 00407ED4 ; 0
00426FE3 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00426FE6 . FF15 F8114000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00426FEC . 8B0D 28104400 mov ecx, dword ptr [441028] ; lowercase computer name
00426FF2 . 51 push ecx
00426FF3 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00426FF9 . 8945 EC mov dword ptr [ebp-14], eax ; length of the computer name
00426FFC > 85C0 test eax, eax ; loop start
00426FFE . 0F8E A5000000 jle 004270A9 ; the counter starts at the length of the computer name string
00427004 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00427007 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0042700A . 52 push edx
0042700B . 50 push eax
0042700C . 8D45 B4 lea eax, dword ptr [ebp-4C]
0042700F . C745 DC 01000>mov dword ptr [ebp-24], 1
00427016 . 50 push eax
00427017 . 51 push ecx
00427018 . C745 D4 02000>mov dword ptr [ebp-2C], 2
0042701F . C745 BC 28104>mov dword ptr [ebp-44], 00441028
00427026 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
0042702D . FF15 F0104000 call dword ptr [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00427033 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00427036 . 8D45 E4 lea eax, dword ptr [ebp-1C]
00427039 . 52 push edx
0042703A . 50 push eax
0042703B . FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00427041 . 50 push eax
00427042 . FF15 50104000 call dword ptr [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00427048 . 8BC8 mov ecx, eax ; take the ASCII value of each character of the lowercase user name, starting from the end
0042704A . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaI2Abs>; MSVBVM60.__vbaI2Abs
00427050 . 8B4D E8 mov ecx, dword ptr [ebp-18]
00427053 . 51 push ecx
00427054 . 0FBFD8 movsx ebx, ax
00427057 . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>; MSVBVM60.__vbaI4Str
0042705D . 03D8 add ebx, eax ; add the value from the previous iteration; this is where the running sum accumulates
0042705F . 0F80 34020000 jo 00427299 ; result is kept in ebx
00427065 . 53 push ebx
00427066 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
0042706C . 8BD0 mov edx, eax ; the running sum above, converted to a decimal string
0042706E . 8D4D E8 lea ecx, dword ptr [ebp-18]
00427071 . FFD6 call esi
00427073 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00427076 . FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042707C . 8D55 C4 lea edx, dword ptr [ebp-3C]
0042707F . 8D45 D4 lea eax, dword ptr [ebp-2C]
00427082 . 52 push edx
00427083 . 50 push eax
00427084 . 6A 02 push 2
00427086 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0042708C . 8B45 EC mov eax, dword ptr [ebp-14]
0042708F . 8B1D 24104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVar
00427095 . 83C4 0C add esp, 0C
00427098 . 83E8 01 sub eax, 1 ; counter - 1, continue looping
0042709B . 0F80 F8010000 jo 00427299
004270A1 . 8945 EC mov dword ptr [ebp-14], eax
004270A4 .^ E9 53FFFFFF jmp 00426FFC ; loop end
004270A9 > 8B4D 08 mov ecx, dword ptr [ebp+8]
004270AC . 8B11 mov edx, dword ptr [ecx] ; user name
004270AE . 52 push edx
004270AF . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
004270B5 . 8945 EC mov dword ptr [ebp-14], eax ; get the length of the user name
004270B8 > 85C0 test eax, eax ; another loop starts
004270BA . 0F8E A4000000 jle 00427164
004270C0 . 8B4D 08 mov ecx, dword ptr [ebp+8]
004270C3 . 8D55 D4 lea edx, dword ptr [ebp-2C]
004270C6 . 52 push edx
004270C7 . 50 push eax
004270C8 . 894D BC mov dword ptr [ebp-44], ecx
004270CB . 8D45 B4 lea eax, dword ptr [ebp-4C]
004270CE . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004270D1 . 50 push eax
004270D2 . 51 push ecx
004270D3 . C745 DC 01000>mov dword ptr [ebp-24], 1
004270DA . C745 D4 02000>mov dword ptr [ebp-2C], 2
004270E1 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
004270E8 . FF15 F0104000 call dword ptr [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004270EE . 8D55 C4 lea edx, dword ptr [ebp-3C]
004270F1 . 8D45 E4 lea eax, dword ptr [ebp-1C]
004270F4 . 52 push edx
004270F5 . 50 push eax
004270F6 . FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
004270FC . 50 push eax ; tracing shows it takes each character's ASCII value (hex), starting from the end
004270FD . FF15 50104000 call dword ptr [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00427103 . 8BC8 mov ecx, eax
00427105 . FF15 60104000 call dword ptr [<&MSVBVM60.__vbaI2Abs>; MSVBVM60.__vbaI2Abs
0042710B . 8B4D E8 mov ecx, dword ptr [ebp-18] ; ebp-18 here is the decimal string of the computer-name sum from above
0042710E . 51 push ecx
0042710F . 0FBFD8 movsx ebx, ax
00427112 . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>; MSVBVM60.__vbaI4Str
00427118 . 03D8 add ebx, eax ; accumulation continues here: the computer-name sum plus the user-name ASCII values
0042711A . 0F80 79010000 jo 00427299
00427120 . 53 push ebx
00427121 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
00427127 . 8BD0 mov edx, eax ; convert to decimal string
00427129 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0042712C . FFD6 call esi
0042712E . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00427131 . FF15 9C124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00427137 . 8D55 C4 lea edx, dword ptr [ebp-3C]
0042713A . 8D45 D4 lea eax, dword ptr [ebp-2C]
0042713D . 52 push edx
0042713E . 50 push eax
0042713F . 6A 02 push 2
00427141 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00427147 . 8B45 EC mov eax, dword ptr [ebp-14]
0042714A . 8B1D 24104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVar
00427150 . 83C4 0C add esp, 0C
00427153 . 83E8 01 sub eax, 1 ; counter
00427156 . 0F80 3D010000 jo 00427299
0042715C . 8945 EC mov dword ptr [ebp-14], eax
0042715F .^ E9 54FFFFFF jmp 004270B8 ; loop end
00427164 > 8B4D E8 mov ecx, dword ptr [ebp-18] ; “1270”: the sum of the ASCII values of the computer name and user name
00427167 . 51 push ecx ; converted to a decimal string
00427168 . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>; MSVBVM60.__vbaI4Str
0042716E . 05 C2EE0000 add eax, 0EEC2 ; the result above + 0EEC2
00427173 . 0F80 20010000 jo 00427299
00427179 . 50 push eax
0042717A . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
00427180 . 8BD0 mov edx, eax ; the sum converted to a decimal string
00427182 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00427185 . FFD6 call esi
00427187 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0042718A . 6A 06 push 6
0042718C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0042718F . 8D55 E8 lea edx, dword ptr [ebp-18]
00427192 . 50 push eax
00427193 . 51 push ecx
00427194 . 8955 BC mov dword ptr [ebp-44], edx
00427197 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
0042719E . FF15 58124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
004271A4 . 8D55 D4 lea edx, dword ptr [ebp-2C]
004271A7 . 52 push edx
004271A8 . FFD7 call edi
004271AA . 8BD0 mov edx, eax ; 62392 (decimal)
004271AC . 8D4D E8 lea ecx, dword ptr [ebp-18]
004271AF . FFD6 call esi
004271B1 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004271B4 . FFD3 call ebx
004271B6 . 8B45 E8 mov eax, dword ptr [ebp-18]
004271B9 . 50 push eax
004271BA . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaI4Str>; MSVBVM60.__vbaI4Str
004271C0 . 8D4D D4 lea ecx, dword ptr [ebp-2C] ; “62392” in hexadecimal = “F3B8”
004271C3 . 8D55 C4 lea edx, dword ptr [ebp-3C]
004271C6 . 51 push ecx
004271C7 . 52 push edx
004271C8 . 8945 DC mov dword ptr [ebp-24], eax
004271CB . C745 D4 03000>mov dword ptr [ebp-2C], 3
004271D2 . FF15 F4114000 call dword ptr [<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
004271D8 . 8D45 C4 lea eax, dword ptr [ebp-3C]
004271DB . 50 push eax
004271DC . FFD7 call edi
004271DE . 8BD0 mov edx, eax ; “F3B8”: the hexadecimal string of “62392”
004271E0 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004271E3 . FFD6 call esi
004271E5 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004271E8 . 8D55 D4 lea edx, dword ptr [ebp-2C]
004271EB . 51 push ecx
004271EC . 52 push edx
004271ED . 6A 02 push 2
004271EF . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004271F5 . 8B45 E8 mov eax, dword ptr [ebp-18]
004271F8 . 83C4 0C add esp, 0C
004271FB . 68 DC7E4000 push 00407EDC ; “QZ” fixed string
00427200 . 50 push eax ; clearly about to be concatenated
00427201 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00427207 . 8BD0 mov edx, eax ; concatenation yields “QZF3B8”, the final registration code
00427209 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0042720C . FFD6 call esi
0042720E . 8D55 B4 lea edx, dword ptr [ebp-4C]
00427211 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00427214 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00427217 . 52 push edx
00427218 . 50 push eax
00427219 . 894D BC mov dword ptr [ebp-44], ecx
0042721C . C745 B4 08400>mov dword ptr [ebp-4C], 4008
00427223 . FF15 0C114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00427229 . 8D4D D4 lea ecx, dword ptr [ebp-2C] ; “89”
0042722C . 51 push ecx
0042722D . FFD7 call edi
0042722F . 8BD0 mov edx, eax
00427231 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00427234 . FFD6 call esi
00427236 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00427239 . FFD3 call ebx
0042723B . 8B55 0C mov edx, dword ptr [ebp+C]
0042723E . 8B4D E8 mov ecx, dword ptr [ebp-18]
00427241 . 8B02 mov eax, dword ptr [edx] ; at this point both the real and the fake code are visible
00427243 . 50 push eax ; fake code
00427244 . 51 push ecx ; real code
00427245 . FF15 14114000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0042724B . 85C0 test eax, eax ; comparison function
0042724D . 75 09 jnz short 00427258 ; key jump; patch point
0042724F . 66:C705 34104>mov word ptr [441034], 0FFFF
00427258 > 68 86724200 push 00427286
0042725D . EB 1D jmp short 0042727C
------------------------------------------------------------------------
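【Summary】
Get the computer name, convert it to lowercase, and sum the ASCII values.
Get the entered user name, also convert it to lowercase, and sum the ASCII values.
Add the two sums together, then add 0EEC2. The resulting hexadecimal string, joined with “QZ”, is the final registration code.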
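Added example, not part of the original post and not the product's code: it reproduces only the character-sum step of the summary (the product's constant and prefix are left out) to show that many different name pairs map to one value, next to a keyed, length-prefixed construction for contrast. The function names, sample names and demo key are constructed for illustration.

```python
import hashlib
import hmac


def additive_tag(machine: str, user: str) -> int:
    """Character-code sum over both lowercased inputs: the structure the
    summary describes, without the product's constant or prefix."""
    return sum(ord(c) for c in machine.lower()) + sum(ord(c) for c in user.lower())


def bound_tag(key: bytes, machine: str, user: str) -> str:
    """HMAC-SHA256 over length-prefixed fields (an assumed alternative), so
    character order and the boundary between the fields change the result."""
    msg = b""
    for field in (machine.lower(), user.lower()):
        raw = field.encode("utf-8")
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def distinct(pairs, fn) -> int:
    """Number of different outputs fn produces over the given input pairs."""
    return len({fn(m, u) for m, u in pairs})


def additive_output_space(max_total_chars: int, max_code: int = 126) -> int:
    """Upper bound on distinct sums for printable-ASCII input of limited length."""
    return max_total_chars * max_code + 1


# Constructed inputs (not from the post): the same characters, rearranged.
SAMPLE_PAIRS = [
    ("desk-01", "alice"),
    ("desk-10", "alice"),   # two characters swapped inside one field
    ("desk-01", "celia"),   # user name permuted
    ("alice", "desk-01"),   # fields swapped
    ("desk-01a", "lice"),   # one character moved across the field boundary
    ("DESK-01", "Alice"),   # case only; both functions lowercase first
]
DEMO_KEY = b"constructed-demo-key"  # placeholder key for the demonstration

if __name__ == "__main__":
    print("additive: distinct values =", distinct(SAMPLE_PAIRS, additive_tag))
    print("hmac:     distinct values =",
          distinct(SAMPLE_PAIRS, lambda m, u: bound_tag(DEMO_KEY, m, u)))
    print("additive output space for 30 chars <=", additive_output_space(30))
```

The HMAC variant only fixes input binding; a check that recomputes the expected code on the client still exposes it at the comparison, as the listing shows at 00427245.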