【Title】: AA桌面即时贴 (AA Desktop Sticky Notes) 1.8, simple algorithm: a newbie's first VB algorithm analysis
【Target】: AA桌面即时贴 1.8
【Author】: jney2
【Date】: 31 March 2005
【Author's note】: Cracking: I am a newbie and still have to learn and practise!!! A few notes, shared with everyone. If there are mistakes, I ask the seniors to correct me.
【Platform】: XP + OD
【Software description】: In daily life we often have things that need to be jotted down for the moment, such as a temporary phone number or a reminder about some pending matter. With this software you can stick the information you need to remember temporarily straight onto the screen while you work on the computer. The software lets you manage such information effectively.
The program is easy to use: you can create sticky notes on the desktop at will, and you can also set a particular note to pop up at a particular time as a reminder for important matters. It is a good helper for work and study.
"AA" Desktop Sticky Notes is shareware; you may try it free for 15 days. After 15 days, if you want to keep using it, please buy a serial number for the registered version. Thank you for your support, and we welcome your valuable comments on our product.
【Brief note】: The software was downloaded from 天空软件站 (Skycn). This is jney2's first VB algorithm analysis; I have finally taken the first step into VB algorithm analysis.
【Process】:
1. Checked the packer with PEiD: UPX. Unpacked it with UPX-ripper; PEiD then showed nothing, and loading it in OD showed it is a VB program.
2. F9 to run, open the registration dialog, type any characters, set BP MSVBVM60.__vbaStrCmp in OD, go back to the dialog and click OK. Execution stops at the __vbaStrCmp call at 0043EDFB:
0043EDC7 . 50 PUSH EAX
0043EDC8 . FF15 5C10400>CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
0043EDCE > 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
0043EDD1 . B9 44204400 MOV ECX,StickyNo.00442044
0043EDD6 . 897D D8 MOV DWORD PTR SS:[EBP-28],EDI
0043EDD9 . FFD3 CALL EBX
0043EDDB . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0043EDDE . FF15 E011400>CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0043EDE4 . 68 44204400 PUSH StickyNo.00442044
0043EDE9 . E8 B2030000 CALL StickyNo.0043F1A0 ; key CALL
0043EDEE . 8BD0 MOV EDX,EAX
0043EDF0 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0043EDF3 . FFD3 CALL EBX
0043EDF5 . 50 PUSH EAX
0043EDF6 . 68 CC624000 PUSH StickyNo.004062CC ; UNICODE "success"
0043EDFB . FF15 B410400>CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
; breaks here; at this point EAX and EDX both point to the UNICODE string "fail"
0043EE01 . 8BF0 MOV ESI,EAX
0043EE03 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0043EE06 . F7DE NEG ESI
3. Clearly the program checks the registration code and returns "success" or "fail", and that string decides what the dialog reports. So walk up to the key CALL: StickyNo.0043F1A0.
4. Remove the MSVBVM60.__vbaStrCmp breakpoint, set BP 0043F1A0 (F2) and run again.
5. Analysis:
0043F1A0 $ 55 PUSH EBP
0043F1A1 . 8BEC MOV EBP,ESP
0043F1A3 . 83EC 0C SUB ESP,0C
0043F1A6 . 68 96154000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0043F1AB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0043F1B1 . 50 PUSH EAX
0043F1B2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0043F1B9 . 83EC 64 SUB ESP,64
0043F1BC . 53 PUSH EBX
0043F1BD . 56 PUSH ESI
0043F1BE . 57 PUSH EDI
0043F1BF . 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
0043F1C2 . C745 F8 80144>MOV DWORD PTR SS:[EBP-8],StickyNo.004014>
0043F1C9 . 33C0 XOR EAX,EAX
0043F1CB . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0043F1CE . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0043F1D1 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
0043F1D4 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
0043F1D7 . 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
0043F1DA . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
0043F1DD . 8945 AC MOV DWORD PTR SS:[EBP-54],EAX
0043F1E0 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0043F1E3 . 50 PUSH EAX
0043F1E4 . E8 67150000 CALL StickyNo.00440750 ; fetch the registration code; EAX returns the string
0043F1E9 . 8BD0 MOV EDX,EAX
0043F1EB . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0043F1EE . FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0043F1F4 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0043F1F7 . 51 PUSH ECX
0043F1F8 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
; length of the registration-code string
0043F1FE . 83F8 1C CMP EAX,1C
0043F201 . 7D 18 JGE SHORT StickyNo.0043F21B ; length must be at least 28 (1Ch) characters
0043F203 > BA FC734000 MOV EDX,StickyNo.004073FC ; UNICODE "fail"
0043F208 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0043F20B . FF15 60114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0043F211 . 68 18F34300 PUSH StickyNo.0043F318
0043F216 . E9 F3000000 JMP StickyNo.0043F30E
0043F21B > 8B3D 28104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarMove
0043F221 . 8B1D 9C104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0043F227 . B8 06000000 MOV EAX,6
0043F22C . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0043F22F > B9 10000000 MOV ECX,10
0043F234 . 66:3BC1 CMP AX,CX
0043F237 . 0F8F 90000000 JG StickyNo.0043F2CD ; counter greater than 16 (10h): jump to registration success
0043F23D . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0043F240 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0043F243 . 8955 B4 MOV DWORD PTR SS:[EBP-4C],EDX
0043F246 . 51 PUSH ECX
0043F247 . 0FBFD0 MOVSX EDX,AX
0043F24A . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0043F24D . 52 PUSH EDX
0043F24E . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0043F251 . 50 PUSH EAX
0043F252 . 51 PUSH ECX
0043F253 . C745 D4 01000>MOV DWORD PTR SS:[EBP-2C],1
0043F25A . C745 CC 02000>MOV DWORD PTR SS:[EBP-34],2
0043F261 . C745 AC 08400>MOV DWORD PTR SS:[EBP-54],4008
0043F268 . FFD3 CALL EBX ; MSVBVM60.rtcMidCharVar
0043F26A . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0043F26D . 52 PUSH EDX
0043F26E . FFD7 CALL EDI ; MSVBVM60.__vbaStrVarMove
0043F270 . 8BD0 MOV EDX,EAX
0043F272 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0043F275 . FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0043F27B . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0043F27E . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0043F281 . 50 PUSH EAX ; address of the one-character string just taken from the code (Mid(code, i, 1))
0043F282 . 51 PUSH ECX
0043F283 . E8 B8130000 CALL StickyNo.00440640 ; key CALL, F7 to step in
0043F288 . 66:8BF0 MOV SI,AX
0043F28B . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0043F28E . 66:4E DEC SI
0043F290 . 66:F7DE NEG SI
0043F293 . 1BF6 SBB ESI,ESI
0043F295 . 46 INC ESI
0043F296 . F7DE NEG ESI
0043F298 . FF15 DC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0043F29E . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0043F2A1 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0043F2A4 . 52 PUSH EDX
0043F2A5 . 50 PUSH EAX
0043F2A6 . 6A 02 PUSH 2
0043F2A8 . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0043F2AE . 83C4 0C ADD ESP,0C
0043F2B1 . 66:85F6 TEST SI,SI
0043F2B4 .^ 0F85 49FFFFFF JNZ StickyNo.0043F203 ; SI nonzero: jump to fail, done
0043F2BA . B8 01000000 MOV EAX,1
0043F2BF . 66:0345 E8 ADD AX,WORD PTR SS:[EBP-18] ; counter + 1
0043F2C3 . 70 69 JO SHORT StickyNo.0043F32E
0043F2C5 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; store the counter
0043F2C8 .^ E9 62FFFFFF JMP StickyNo.0043F22F ; loop
0043F2CD > BA CC624000 MOV EDX,StickyNo.004062CC ; UNICODE "success"
0043F2D2 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0043F2D5 . FF15 60114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0043F2DB . 68 18F34300 PUSH StickyNo.0043F318
0043F2E0 . EB 2C JMP SHORT StickyNo.0043F30E
0043F2E2 . F645 FC 04 TEST BYTE PTR SS:[EBP-4],4
0043F2E6 . 74 09 JE SHORT StickyNo.0043F2F1
0043F2E8 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0043F2EB . FF15 DC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0043F2F1 > 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0043F2F4 . FF15 DC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0043F2FA . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0043F2FD . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0043F300 . 51 PUSH ECX
0043F301 . 52 PUSH EDX
0043F302 . 6A 02 PUSH 2
0043F304 . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0043F30A . 83C4 0C ADD ESP,0C
0043F30D . C3 RETN
0043F30E > 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0043F311 . FF15 DC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0043F317 . C3 RETN
0043F318 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0043F31B . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0043F31E . 5F POP EDI
0043F31F . 5E POP ESI
0043F320 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0043F327 . 5B POP EBX
0043F328 . 8BE5 MOV ESP,EBP
0043F32A . 5D POP EBP
0043F32B . C2 0400 RETN 4
0043F32E > FF15 40114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaError>; MSVBVM60.__vbaErrorOverflow
0043F334 . 90 NOP
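The six instructions at 0043F288-0043F296 (MOV SI,AX / DEC SI / NEG SI / SBB ESI,ESI / INC ESI / NEG ESI) are the VB6 compiler's way of turning the return value of the check routine into a VB Boolean, and the TEST SI,SI / JNZ at 0043F2B1-0043F2B4 branches on that Boolean. The following Python model is an added example, not part of the original post: it emulates those instructions with 16/32-bit wraparound and the carry flag, and compares the result with `(AX = 1)` for every 16-bit value of AX, which shows that the branch to "fail" is taken exactly when the check routine returned 1.

```python
"""Emulate the VB6 Boolean idiom at 0043F288-0043F296 and prove what it computes.

Added example; not code from the original program or the original post.
"""

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Interpret a 32-bit pattern as a signed integer (VB Boolean True is -1)."""
    value &= MASK32
    return value - 0x100000000 if value & 0x80000000 else value


def vb_bool_idiom(ax: int) -> int:
    """Run the instruction sequence for a given AX and return ESI as a signed value.

    MOV SI,AX      ; SI = low 16 bits of the return value
    DEC SI         ; SI = AX - 1 (DEC does not touch CF)
    NEG SI         ; CF = 1 unless SI was 0; SI = -SI
    SBB ESI,ESI    ; ESI = ESI - ESI - CF = -CF
    INC ESI        ; ESI = 1 - CF
    NEG ESI        ; ESI = CF - 1  -> -1 when AX == 1, 0 otherwise
    """
    si = ax & MASK16
    si = (si - 1) & MASK16          # DEC SI
    cf = 0 if si == 0 else 1        # NEG SI sets CF=0 only for a zero operand
    si = (-si) & MASK16             # the value is dead afterwards; only CF matters
    esi = (-cf) & MASK32            # SBB ESI,ESI
    esi = (esi + 1) & MASK32        # INC ESI
    esi = (-esi) & MASK32           # NEG ESI
    return to_signed32(esi)


def branch_to_fail(check_result: int) -> bool:
    """TEST SI,SI / JNZ 0043F203: only the low 16 bits decide the branch."""
    return (vb_bool_idiom(check_result) & MASK16) != 0


def idiom_equals_vb_compare() -> bool:
    """Exhaustive check: ESI == (AX = 1) as a VB Boolean (-1 for True, 0 for False)."""
    return all(vb_bool_idiom(ax) == (-1 if ax == 1 else 0) for ax in range(0x10000))


if __name__ == "__main__":
    for ret in (0, 1):
        print(f"check routine returns {ret}: ESI={vb_bool_idiom(ret)}, "
              f"jump to fail={branch_to_fail(ret)}")
    print("idiom == (AX = 1) for every 16-bit AX:", idiom_equals_vb_compare())
```

In VB source terms the loop body is therefore `If Check(i, c) = 1 Then result = "fail"`: the routine at 00440640 returns 1 on a rejected character and 0 on an accepted one, so the loop only survives while every position passes.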
6. Analysis of the key CALL StickyNo.00440640:
00440640 $ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00440644 . 0FBF00 MOVSX EAX,WORD PTR DS:[EAX]
00440647 . 83C0 FA ADD EAX,-6 ; Switch (cases 6..10)
0044064A . 83F8 0A CMP EAX,0A
0044064D . 0F87 C000000>JA StickyNo.00440713
00440653 . FF2485 18074>JMP DWORD PTR DS:[EAX*4+440718]
0044065A > 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] ; Case 7 of switch 00440647
0044065E . 6A 01 PUSH 1
00440660 . 68 90754000 PUSH StickyNo.00407590 ; UNICODE "DKNP"
00440665 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
00440667 . 52 PUSH EDX
00440668 . E9 89000000 JMP StickyNo.004406F6
0044066D > 6A 01 PUSH 1 ; Case 6 of switch 00440647
0044066F . 68 A0754000 PUSH StickyNo.004075A0 ; UNICODE "279"
00440674 . EB 79 JMP SHORT StickyNo.004406EF
00440676 > 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8] ; Case 8 of switch 00440647
0044067A . 6A 01 PUSH 1
0044067C . 68 AC754000 PUSH StickyNo.004075AC ; UNICODE "Gi"
00440681 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
00440683 . 50 PUSH EAX
00440684 . EB 70 JMP SHORT StickyNo.004406F6
00440686 > 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] ; Case C of switch 00440647
0044068A . 6A 01 PUSH 1
0044068C . 68 B8754000 PUSH StickyNo.004075B8 ; UNICODE "WLES"
00440691 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
00440693 . 52 PUSH EDX
00440694 . EB 60 JMP SHORT StickyNo.004406F6
00440696 > 6A 01 PUSH 1 ; Case F of switch 00440647
00440698 . 68 C8754000 PUSH StickyNo.004075C8 ; UNICODE "39"
0044069D . EB 50 JMP SHORT StickyNo.004406EF
0044069F > 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8] ; Case B of switch 00440647
004406A3 . 6A 01 PUSH 1
004406A5 . 68 D4754000 PUSH StickyNo.004075D4 ; UNICODE "2357"
004406AA . 8B02 MOV EAX,DWORD PTR DS:[EDX]
004406AC . 50 PUSH EAX
004406AD . EB 47 JMP SHORT StickyNo.004406F6
004406AF > 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] ; Case 9 of switch 00440647
004406B3 . 6A 01 PUSH 1
004406B5 . 68 E4754000 PUSH StickyNo.004075E4 ; UNICODE "6Th"
004406BA . 8B11 MOV EDX,DWORD PTR DS:[ECX]
004406BC . 52 PUSH EDX
004406BD . EB 37 JMP SHORT StickyNo.004406F6
004406BF > 6A 01 PUSH 1 ; Case D of switch 00440647
004406C1 . 68 F0754000 PUSH StickyNo.004075F0 ; UNICODE "9gu"
004406C6 . EB 27 JMP SHORT StickyNo.004406EF
004406C8 > 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8] ; Case E of switch 00440647
004406CC . 6A 01 PUSH 1
004406CE . 68 FC754000 PUSH StickyNo.004075FC ; UNICODE "5iwNF"
004406D3 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
004406D5 . 50 PUSH EAX
004406D6 . EB 1E JMP SHORT StickyNo.004406F6
004406D8 > 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] ; Case A of switch 00440647
004406DC . 6A 01 PUSH 1
004406DE . 68 0C764000 PUSH StickyNo.0040760C ; UNICODE "PpT24"
004406E3 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
004406E5 . 52 PUSH EDX
004406E6 . EB 0E JMP SHORT StickyNo.004406F6
004406E8 > 6A 01 PUSH 1 ; Case 10 of switch 00440647
004406EA . 68 1C764000 PUSH StickyNo.0040761C ; UNICODE "yzw7"
004406EF > 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
004406F3 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004406F5 . 51 PUSH ECX
004406F6 > 6A 00 PUSH 0
004406F8 . FF15 4C11400>CALL DWORD PTR DS:[<&MSVBVM60.__vbaInStr>] ; MSVBVM60.__vbaInStr
; This is a key function of the program's registration algorithm: on each loop iteration it checks whether the character taken from position 6..16 of the registration code occurs in the string for that position.
004406FE . 8BC8 MOV ECX,EAX
00440700 . FF15 C010400>CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00440706 . 66:85C0 TEST AX,AX
00440709 . 7F 08 JG SHORT StickyNo.00440713 ; AX > 0: the character was found
0044070B . B8 01000000 MOV EAX,1 ; error flag
00440710 . C2 0800 RETN 8
00440713 > 33C0 XOR EAX,EAX ; success flag
00440715 . C2 0800 RETN 8
7. Algorithm summary:
1. The registration code must be at least 28 characters long;
2. Characters 6 to 16 of the registration code (counted from 1, as VB's Mid does) must satisfy:
character 6 is any character of the string "279"
character 7 is any character of the string "DKNP"
character 8 is any character of the string "Gi"
character 9 is any character of the string "6Th"
character 10 is any character of the string "PpT24"
character 11 is any character of the string "2357"
character 12 is any character of the string "WLES"
character 13 is any character of the string "9gu"
character 14 is any character of the string "5iwNF"
character 15 is any character of the string "39"
character 16 is any character of the string "yzw7"
The lookup is done with __vbaInStr and the compare argument pushed last is 0 (vbBinaryCompare), so it is case-sensitive: "d" at position 7 is rejected although "D" passes. Characters 1 to 5 and everything after 16 are never examined.
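The recovered algorithm, rewritten in Python as an added example (this is not the program's code and not part of the original post): `vb_instr` is a small model of VB6 InStr/__vbaInStr, `check_char` mirrors StickyNo.00440640, `validate` mirrors StickyNo.0043F1A0 and `keygen` generates serials the check accepts. The sample input is the serial quoted from the registry in section 8; the lowercase variant and the filler alphabet used by `keygen` are constructed for the example.

```python
"""Re-implementation of the AA桌面即时贴 1.8 serial check recovered above.

Added example; not the program's own code and not part of the original post.
vb_instr models VB6 InStr/__vbaInStr only as far as this check needs it (the
Null and zero-length cases from the help text are not modelled).
"""
import secrets
import string

VB_BINARY_COMPARE = 0
VB_TEXT_COMPARE = 1
MIN_LENGTH = 0x1C  # CMP EAX,1C / JGE at 0043F1FE: at least 28 characters

# Per-position character sets from the switch table in StickyNo.00440640.
# Positions are 1-based, as VB's Mid() counts them (Case 6 .. Case 10h).
POSITION_SETS = {
    6: "279", 7: "DKNP", 8: "Gi", 9: "6Th", 10: "PpT24", 11: "2357",
    12: "WLES", 13: "9gu", 14: "5iwNF", 15: "39", 16: "yzw7",
}

# Serial quoted from the registry in section 8 of the post.
REGISTRY_SERIAL = "123452DG6P2W9537888888888888888888888"


def vb_instr(start: int, string1: str, string2: str,
             compare: int = VB_BINARY_COMPARE) -> int:
    """1-based position of string2 in string1 searching from `start`, 0 if absent.

    vbTextCompare is approximated with casefold(); VB uses the locale's text
    comparison rules, which agree with it for ASCII.
    """
    if start < 1:
        raise ValueError("Invalid procedure call or argument")  # VB run-time error 5
    if compare == VB_TEXT_COMPARE:
        string1, string2 = string1.casefold(), string2.casefold()
    index = string1.find(string2, start - 1)
    return 0 if index < 0 else index + 1


def check_char(position: int, ch: str) -> int:
    """Model of StickyNo.00440640: 0 = character accepted, 1 = rejected.

    Each case does PUSH 1 / PUSH <set> / PUSH <ch> / PUSH 0, i.e.
    InStr(1, set, ch, vbBinaryCompare); the default case (position outside
    6..16) goes straight to XOR EAX,EAX and accepts anything.
    """
    charset = POSITION_SETS.get(position)
    if charset is None:
        return 0
    return 0 if vb_instr(1, charset, ch, VB_BINARY_COMPARE) > 0 else 1


def validate(code: str) -> str:
    """Model of StickyNo.0043F1A0: the "success"/"fail" string the caller compares."""
    if len(code) < MIN_LENGTH:  # __vbaLenBstr / CMP EAX,1C
        return "fail"
    i = 6                        # MOV EAX,6; loop runs while i <= 16
    while i <= 16:
        ch = code[i - 1]         # rtcMidCharVar: Mid(code, i, 1)
        if check_char(i, ch) == 1:
            return "fail"
        i += 1
    return "success"


def keygen(length: int = MIN_LENGTH, rng=None) -> str:
    """Build a serial the check accepts; only positions 6..16 are constrained.

    The filler alphabet is an arbitrary choice for this example.
    """
    rng = rng or secrets.SystemRandom()
    filler = string.ascii_uppercase + string.digits
    chars = [rng.choice(filler) for _ in range(max(length, MIN_LENGTH))]
    for pos, charset in POSITION_SETS.items():
        chars[pos - 1] = rng.choice(charset)
    return "".join(chars)


if __name__ == "__main__":
    print(REGISTRY_SERIAL, "->", validate(REGISTRY_SERIAL))
    lowered = REGISTRY_SERIAL[:6] + "d" + REGISTRY_SERIAL[7:]  # constructed: 'D' -> 'd' at position 7
    print(lowered, "->", validate(lowered), "(binary compare is case-sensitive)")
    print(REGISTRY_SERIAL[:27], "->", validate(REGISTRY_SERIAL[:27]), "(27 chars: too short)")
    for _ in range(3):
        serial = keygen()
        print(serial, "->", validate(serial))
```

Because the check never looks at positions 1 to 5 or past 16, the run of 8s in the registry value is pure filler to reach the 28-character minimum; any characters would do there.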
8. The registration code is stored in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\ZealideaSNote\ssnn]
@="123452DG6P2W9537888888888888888888888"
9. Attached below is a detailed description of MSVBVM60.__vbaInStr so that nobody has to go hunting for it (taken from VBHELP.CHM on the forum; I think it is in the tools download area. Many thanks to the senior who provided that help file.)
InStr / __vbaInStr
InStr:
Returns a Variant (Long) specifying the position of the first occurrence of one string within another (character position).
Syntax
InStr([start, ]string1, string2[, compare])
The InStr function syntax has these parts:
Part  Description
start  Optional. Numeric expression that sets the starting position for each search. If omitted, the search begins at the first character position. If start contains Null, an error occurs. The start argument is required if compare is specified.
string1  Required. String expression being searched.
string2  Required. String expression sought.
compare  Optional. Specifies the type of string comparison. If compare is Null, an error occurs. If compare is omitted, the Option Compare setting determines the type of comparison.
InStr("我的VB函数", "VB") = 3
InStrB("我的VB函数", "VB") = 5  (each of the two leading Chinese characters is two bytes, so the byte position is 5)
Settings
The compare argument settings are:
Constant  Value  Description
vbUseCompareOption  -1  Performs a comparison using the setting of the Option Compare statement.
vbBinaryCompare  0  Performs a binary comparison.
vbTextCompare  1  Performs a textual comparison.
vbDatabaseCompare  2  Microsoft Access only. Performs a comparison based on information in your database.
Return values
If  InStr returns
string1 is zero-length  0
string1 is Null  Null
string2 is zero-length  start
string2 is Null  Null
string2 is not found  0
string2 is found within string1  Position where match is found
start > Len(string1)  0
Remarks
The InStrB function is used with byte data contained in a string. Instead of returning the character position of the first occurrence of one string within another, InStrB returns the byte position.
--------------------------------------------------------------------------------
VB:
Private Sub Command1_Click()
A = InStr(2, "abcdefghijk", "f", 1) ' (with variables as arguments the assembly is the same)
MsgBox (A)
End Sub
ASM:
00401A62 . push 2 ;push 2
00401A64 . push Project1.004016D0 ; *004016D0 "abcdefghijk" (same principle with variables as arguments)
00401A69 . xor esi,esi
00401A6B . push Project1.004016EC ; *004016EC "f" (same principle with variables as arguments)
00401A70 . push 1 ;push 1
00401A72 . mov dword ptr ss:[ebp-24],esi
00401A75 . mov dword ptr ss:[ebp-34],esi
00401A78 . mov dword ptr ss:[ebp-44],esi
00401A7B . mov dword ptr ss:[ebp-54],esi
00401A7E . mov dword ptr ss:[ebp-64],esi
00401A81 . mov dword ptr ss:[ebp-74],esi
00401A84 . call dword ptr ds:[<&MSVBVM60.__vbaInStr>] ;eax=A
--------------------------------------------------------------------------------
VB:
Private Sub Command1_Click()
A = InStr("abcdefghijk", "f") ' (with variables as arguments the assembly is the same)
MsgBox (A)
End Sub
ASM:
00401A62 . push 1 ;push 1
00401A64 . xor esi,esi
00401A66 . push Project1.004016D0 ; *004016D0 "abcdefghijk" (same principle with variables as arguments)
00401A6B . push Project1.004016EC ; *004016EC "f" (same principle with variables as arguments)
00401A70 . push esi ;esi=0
00401A71 . mov dword ptr ss:[ebp-24],esi
00401A74 . mov dword ptr ss:[ebp-34],esi
00401A77 . mov dword ptr ss:[ebp-44],esi
00401A7A . mov dword ptr ss:[ebp-54],esi
00401A7D . mov dword ptr ss:[ebp-64],esi
00401A80 . mov dword ptr ss:[ebp-74],esi
00401A83 . call dword ptr ds:[<&MSVBVM60.__vbaInStr>] ;eax=A
In both listings the pushes come in the order start, string1, string2, compare, so the value pushed last (on top of the stack when __vbaInStr is called) is the compare argument, and an omitted compare is pushed as 0. In StickyNo.00440640 above each case ends with PUSH 0 before the call, i.e. vbBinaryCompare: the position check is case-sensitive.
End of article.