随想桌面变身V3.1.2005.0328算法分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

随想桌面变身V3.1.2005.0328算法分析

2005-4-15 20:17 7206

随想桌面变身V3.1.2005.0328算法分析

落魄浪子

2005-4-15 20:17

7206

【破解作者】落魄浪子
【使用工具】 FlyOD1.1修改版
【破解平台】 Win9x/NT/2000/XP
【软件名称】随想桌面变身V3.1.2005.0328
【下载地址】 http://www.capricciososoft.com
【软件简介】桌面天气、桌面时钟、桌面日历、桌面媒体播放器、桌面按钮、桌面音量调节器等丰富且极具艺术性的桌面组件 + 管理设置方便的桌面墙纸切换功能 + 可分配独立任务、墙纸甚至存储文件的超级虚拟桌面 = 随想桌面变身（CS DESKTOP MAKE-UP）V3.0，她是一款全方位的桌面增强工具，将众多桌面增强功能有机结合为一体。
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------------------------
【破解内容】
软件没有加壳，是VB程序。软件启动时要求你激活，也就是要付费注册。激活码错误时有出错提示。下断点
RtcMsgBox,断下后找到关键点。

00475404 .  E8 87BDFEFF       call CSDeskto.00461190    断在这里，进入。
00475409 .  66:85C0          test ax,ax
0047540C .  0F84 36020000    je CSDeskto.00475648

00461190 $  55                push ebp    来到这里
00461191 .  8BEC             mov ebp,esp
00461193 .  83EC 08          sub esp,8
00461196 .  68 F6284000       push <jmp.&MSVBVM60.__vbaExceptHandle>;  SE handler installation
0046119B .  64:A1 00000000    mov eax,dword ptr fs:[0]
004611A1 .  50                push eax
004611A2 .  64:8925 00000000 mov dword ptr fs:[0],esp
004611A9 .  81EC A0010000    sub esp,1A0
004611AF .  53                push ebx
004611B0 .  56                push esi
004611B1 .  57                push edi
004611B2 .  8965 F8          mov dword ptr ss:[ebp-8],esp
004611B5 .  C745 FC 00204000 mov dword ptr ss:[ebp-4],CSDeskto.004>
004611BC .  33FF             xor edi,edi
004611BE .  A1 38804700       mov eax,dword ptr ds:[478038]    机器码入EAX
004611C3 .  50                push eax
004611C4 .  897D E8          mov dword ptr ss:[ebp-18],edi
004611C7 .  897D E4          mov dword ptr ss:[ebp-1C],edi
004611CA .  897D E0          mov dword ptr ss:[ebp-20],edi
004611CD .  897D DC          mov dword ptr ss:[ebp-24],edi
004611D0 .  897D D8          mov dword ptr ss:[ebp-28],edi
004611D3 .  897D D4          mov dword ptr ss:[ebp-2C],edi
004611D6 .  897D D0          mov dword ptr ss:[ebp-30],edi
004611D9 .  897D CC          mov dword ptr ss:[ebp-34],edi
004611DC .  897D C8          mov dword ptr ss:[ebp-38],edi
004611DF .  897D C4          mov dword ptr ss:[ebp-3C],edi
004611E2 .  897D C0          mov dword ptr ss:[ebp-40],edi
004611E5 .  897D BC          mov dword ptr ss:[ebp-44],edi
004611E8 .  897D B8          mov dword ptr ss:[ebp-48],edi
004611EB .  897D B4          mov dword ptr ss:[ebp-4C],edi
004611EE .  897D B0          mov dword ptr ss:[ebp-50],edi
004611F1 .  897D AC          mov dword ptr ss:[ebp-54],edi
004611F4 .  897D A8          mov dword ptr ss:[ebp-58],edi
004611F7 .  897D A4          mov dword ptr ss:[ebp-5C],edi
004611FA .  897D A0          mov dword ptr ss:[ebp-60],edi
004611FD .  897D 9C          mov dword ptr ss:[ebp-64],edi
00461200 .  897D 98          mov dword ptr ss:[ebp-68],edi
00461203 .  897D 94          mov dword ptr ss:[ebp-6C],edi
00461206 .  897D 90          mov dword ptr ss:[ebp-70],edi
00461209 .  897D 8C          mov dword ptr ss:[ebp-74],edi
0046120C .  897D 88          mov dword ptr ss:[ebp-78],edi
0046120F .  897D 84          mov dword ptr ss:[ebp-7C],edi
00461212 .  897D 80          mov dword ptr ss:[ebp-80],edi
00461215 .  89BD 7CFFFFFF    mov dword ptr ss:[ebp-84],edi
0046121B .  89BD 78FFFFFF    mov dword ptr ss:[ebp-88],edi
00461221 .  89BD 74FFFFFF    mov dword ptr ss:[ebp-8C],edi
00461227 .  89BD 70FFFFFF    mov dword ptr ss:[ebp-90],edi
0046122D .  89BD 6CFFFFFF    mov dword ptr ss:[ebp-94],edi
00461233 .  89BD 68FFFFFF    mov dword ptr ss:[ebp-98],edi
00461239 .  89BD 64FFFFFF    mov dword ptr ss:[ebp-9C],edi
0046123F .  89BD 60FFFFFF    mov dword ptr ss:[ebp-A0],edi
00461245 .  89BD 5CFFFFFF    mov dword ptr ss:[ebp-A4],edi
0046124B .  89BD 58FFFFFF    mov dword ptr ss:[ebp-A8],edi
00461251 .  89BD 54FFFFFF    mov dword ptr ss:[ebp-AC],edi
00461257 .  89BD 50FFFFFF    mov dword ptr ss:[ebp-B0],edi
0046125D .  89BD 4CFFFFFF    mov dword ptr ss:[ebp-B4],edi
00461263 .  89BD 48FFFFFF    mov dword ptr ss:[ebp-B8],edi
00461269 .  89BD 44FFFFFF    mov dword ptr ss:[ebp-BC],edi
0046126F .  89BD 40FFFFFF    mov dword ptr ss:[ebp-C0],edi
00461275 .  89BD 3CFFFFFF    mov dword ptr ss:[ebp-C4],edi
0046127B .  89BD 38FFFFFF    mov dword ptr ss:[ebp-C8],edi
00461281 .  89BD 34FFFFFF    mov dword ptr ss:[ebp-CC],edi
00461287 .  89BD 30FFFFFF    mov dword ptr ss:[ebp-D0],edi
0046128D .  89BD 2CFFFFFF    mov dword ptr ss:[ebp-D4],edi
00461293 .  89BD 28FFFFFF    mov dword ptr ss:[ebp-D8],edi
00461299 .  89BD 24FFFFFF    mov dword ptr ss:[ebp-DC],edi
0046129F .  89BD 20FFFFFF    mov dword ptr ss:[ebp-E0],edi
004612A5 .  89BD 1CFFFFFF    mov dword ptr ss:[ebp-E4],edi
004612AB .  89BD 18FFFFFF    mov dword ptr ss:[ebp-E8],edi
004612B1 .  89BD 14FFFFFF    mov dword ptr ss:[ebp-EC],edi
004612B7 .  89BD 10FFFFFF    mov dword ptr ss:[ebp-F0],edi
004612BD .  89BD 0CFFFFFF    mov dword ptr ss:[ebp-F4],edi
004612C3 .  89BD 08FFFFFF    mov dword ptr ss:[ebp-F8],edi
004612C9 .  89BD 04FFFFFF    mov dword ptr ss:[ebp-FC],edi
004612CF .  89BD 00FFFFFF    mov dword ptr ss:[ebp-100],edi
004612D5 .  89BD FCFEFFFF    mov dword ptr ss:[ebp-104],edi
004612DB .  89BD F8FEFFFF    mov dword ptr ss:[ebp-108],edi
004612E1 .  89BD E8FEFFFF    mov dword ptr ss:[ebp-118],edi
004612E7 .  89BD D8FEFFFF    mov dword ptr ss:[ebp-128],edi
004612ED .  FF15 30124000    call near dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcR8ValFromBstr 转换为浮点数
004612F3 .  DC35 88154000    fdiv qword ptr ds:[401588] 浮点指令：除法  相当于VB的“/” 401588=3
004612F9 .  FF15 1C124000    call near dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaFPInt 取整
004612FF .  DC05 F81F4000    fadd qword ptr ds:[401FF8] 浮点指令：相加 401FF8=265
00461305 .  8D8D E8FEFFFF    lea ecx,dword ptr ss:[ebp-118]
0046130B .  C785 E8FEFFFF 0500>mov dword ptr ss:[ebp-118],5
00461315 .  DD9D F0FEFFFF    fstp qword ptr ss:[ebp-110] 浮点指令：保存st(0)到变量，并出栈
0046131B .  51                push ecx
0046131C .  8D95 D8FEFFFF    lea edx,dword ptr ss:[ebp-128]
00461322 .  52                push edx
00461323 .  FF15 D4114000    call near dword ptr ds:[<&MSVBVM60.#6>;  MSVBVM60.rtcVarStrFromVar
00461329 .  57                push edi
0046132A .  6A FF             push -1
0046132C .  6A 01             push 1
0046132E .  68 F0ED4000       push CSDeskto.0040EDF0             0040EDF0=41=A
00461333 .  68 4CE74000       push CSDeskto.0040E74C             ;  UNICODE "15"
查找算出的注册码中是否有“15”，有则替换为"A"
00461338 .  8D85 D8FEFFFF    lea eax,dword ptr ss:[ebp-128]
0046133E .  50                push eax
0046133F .  8D4D E8          lea ecx,dword ptr ss:[ebp-18]
00461342 .  51                push ecx
00461343 .  FF15 60114000    call near dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrVarVal
00461349 .  8B1D 34114000    mov ebx,dword ptr ds:[<&MSVBVM60.#712>;  MSVBVM60.rtcReplace 替换
0046134F .  50                push eax
00461350 .  FFD3             call near ebx                      ;  <&MSVBVM60.#712>
00461352 .  8B35 F8114000    mov esi,dword ptr ds:[<&MSVBVM60.__vb>;  MSVBVM60.__vbaStrMove
00461358 .  8BD0             mov edx,eax
0046135A .  8D8D 68FFFFFF    lea ecx,dword ptr ss:[ebp-98]
00461360 .  FFD6             call near esi                      ;  <&MSVBVM60.__vbaStrMove>
00461362 .  8B95 68FFFFFF    mov edx,dword ptr ss:[ebp-98]
00461368 .  57                push edi
00461369 .  6A FF             push -1
0046136B .  6A 01             push 1
0046136D .  68 F8EE4000       push CSDeskto.0040EEF8             0040EEF8=42=B
00461372 .  68 D0E74000       push CSDeskto.0040E7D0             ;  UNICODE "24"
查找算出的注册码中是否有“24”，有则替换为"B"
00461377 .  8D4D E4          lea ecx,dword ptr ss:[ebp-1C]
0046137A .  89BD 68FFFFFF    mov dword ptr ss:[ebp-98],edi
00461380 .  FFD6             call near esi
00461382 .  50                push eax
00461383 .  FFD3             call near ebx
00461385 .  8BD0             mov edx,eax
00461387 .  8D8D 64FFFFFF    lea ecx,dword ptr ss:[ebp-9C]
0046138D .  FFD6             call near esi
0046138F .  8B95 64FFFFFF    mov edx,dword ptr ss:[ebp-9C]
00461395 .  57                push edi
00461396 .  6A FF             push -1
00461398 .  6A 01             push 1
0046139A .  68 A8F54000       push CSDeskto.0040F5A8             0040F5A8=43=C
0046139F .  68 D4E64000       push CSDeskto.0040E6D4             ;  UNICODE "34"
查找算出的注册码中是否有“34”，有则替换为"C"
004613A4 .  8D4D E0          lea ecx,dword ptr ss:[ebp-20]
004613A7 .  89BD 64FFFFFF    mov dword ptr ss:[ebp-9C],edi
004613AD .  FFD6             call near esi
004613AF .  50                push eax
004613B0 .  FFD3             call near ebx
004613B2 .  8BD0             mov edx,eax
004613B4 .  8D8D 60FFFFFF    lea ecx,dword ptr ss:[ebp-A0]
004613BA .  FFD6             call near esi
004613BC .  8B95 60FFFFFF    mov edx,dword ptr ss:[ebp-A0]
004613C2 .  57                push edi
004613C3 .  6A FF             push -1
004613C5 .  6A 01             push 1
004613C7 .  68 BCF54000       push CSDeskto.0040F5BC             0040F5BC=44=D
004613CC .  68 B0F54000       push CSDeskto.0040F5B0             ;  UNICODE "41"
查找算出的注册码中是否有“41”，有则替换为"D"
004613D1 .  8D4D DC          lea ecx,dword ptr ss:[ebp-24]
004613D4 .  89BD 60FFFFFF    mov dword ptr ss:[ebp-A0],edi
004613DA .  FFD6             call near esi
004613DC .  50                push eax
004613DD .  FFD3             call near ebx
004613DF .  8BD0             mov edx,eax
004613E1 .  8D8D 5CFFFFFF    lea ecx,dword ptr ss:[ebp-A4]
004613E7 .  FFD6             call near esi
004613E9 .  8B95 5CFFFFFF    mov edx,dword ptr ss:[ebp-A4]
004613EF .  57                push edi
004613F0 .  6A FF             push -1
004613F2 .  6A 01             push 1
004613F4 .  68 C4F54000       push CSDeskto.0040F5C4             0040F5C4=45=E
004613F9 .  68 C4E74000       push CSDeskto.0040E7C4             ;  UNICODE "92"
查找算出的注册码中是否有“92”，有则替换为"E"
004613FE .  8D4D D8          lea ecx,dword ptr ss:[ebp-28]
00461401 .  89BD 5CFFFFFF    mov dword ptr ss:[ebp-A4],edi
00461407 .  FFD6             call near esi
00461409 .  50                push eax
0046140A .  FFD3             call near ebx
0046140C .  8BD0             mov edx,eax
0046140E .  8D8D 58FFFFFF    lea ecx,dword ptr ss:[ebp-A8]
00461414 .  FFD6             call near esi
00461416 .  8B95 58FFFFFF    mov edx,dword ptr ss:[ebp-A8]
0046141C .  57                push edi
0046141D .  6A FF             push -1
0046141F .  89BD 58FFFFFF    mov dword ptr ss:[ebp-A8],edi
00461425 .  6A 01             push 1
00461427 .  68 D8F54000       push CSDeskto.0040F5D8             0040F5D8=46=F
0046142C .  68 CCF54000       push CSDeskto.0040F5CC             ;  UNICODE "83"
查找算出的注册码中是否有“83”，有则替换为"F"
00461431 .  8D4D D4          lea ecx,dword ptr ss:[ebp-2C]
00461434 .  FFD6             call near esi
00461436 .  50                push eax
00461437 .  FFD3             call near ebx
00461439 .  8BD0             mov edx,eax
0046143B .  8D8D 54FFFFFF    lea ecx,dword ptr ss:[ebp-AC]
00461441 .  FFD6             call near esi
00461443 .  8B95 54FFFFFF    mov edx,dword ptr ss:[ebp-AC]
00461449 .  57                push edi
0046144A .  6A FF             push -1
0046144C .  6A 01             push 1
0046144E .  68 E0F54000       push CSDeskto.0040F5E0             0040F5E0=47=G
00461453 .  68 88E74000       push CSDeskto.0040E788             ;  UNICODE "76"
查找算出的注册码中是否有“76”，有则替换为"G"
00461458 .  8D4D D0          lea ecx,dword ptr ss:[ebp-30]
0046145B .  89BD 54FFFFFF    mov dword ptr ss:[ebp-AC],edi
00461461 .  FFD6             call near esi
00461463 .  50                push eax
00461464 .  FFD3             call near ebx
00461466 .  8BD0             mov edx,eax
00461468 .  8D8D 50FFFFFF    lea ecx,dword ptr ss:[ebp-B0]
0046146E .  FFD6             call near esi
00461470 .  8B95 50FFFFFF    mov edx,dword ptr ss:[ebp-B0]
00461476 .  57                push edi
00461477 .  6A FF             push -1
00461479 .  6A 01             push 1
0046147B .  68 E8F54000       push CSDeskto.0040F5E8             0040F5E8=48=H
00461480 .  68 A4E64000       push CSDeskto.0040E6A4             ;  UNICODE "45"
查找算出的注册码中是否有“45”，有则替换为"H"
00461485 .  8D4D CC          lea ecx,dword ptr ss:[ebp-34]
00461488 .  89BD 50FFFFFF    mov dword ptr ss:[ebp-B0],edi
0046148E .  FFD6             call near esi
00461490 .  50                push eax
00461491 .  FFD3             call near ebx
00461493 .  8BD0             mov edx,eax
00461495 .  8D8D 4CFFFFFF    lea ecx,dword ptr ss:[ebp-B4]
0046149B .  FFD6             call near esi
0046149D .  8B95 4CFFFFFF    mov edx,dword ptr ss:[ebp-B4]
004614A3 .  57                push edi
004614A4 .  6A FF             push -1
004614A6 .  6A 01             push 1
004614A8 .  68 84F44000       push CSDeskto.0040F484             0040F484=49=I
004614AD .  68 F0F54000       push CSDeskto.0040F5F0             ;  UNICODE "28"
查找算出的注册码中是否有“28”，有则替换为"I"
004614B2 .  8D4D C8          lea ecx,dword ptr ss:[ebp-38]
004614B5 .  89BD 4CFFFFFF    mov dword ptr ss:[ebp-B4],edi
004614BB .  FFD6             call near esi
004614BD .  50                push eax
004614BE .  FFD3             call near ebx
004614C0 .  8BD0             mov edx,eax
004614C2 .  8D8D 48FFFFFF    lea ecx,dword ptr ss:[ebp-B8]
004614C8 .  FFD6             call near esi
004614CA .  8B95 48FFFFFF    mov edx,dword ptr ss:[ebp-B8]
004614D0 .  57                push edi
004614D1 .  6A FF             push -1
004614D3 .  6A 01             push 1
004614D5 .  68 8CF44000       push CSDeskto.0040F48C             0040F48C=4A=J
004614DA .  68 E4F44000       push CSDeskto.0040F4E4             ;  UNICODE "29"
查找算出的注册码中是否有“29”，有则替换为"J"
004614DF .  8D4D C4          lea ecx,dword ptr ss:[ebp-3C]
004614E2 .  89BD 48FFFFFF    mov dword ptr ss:[ebp-B8],edi
004614E8 .  FFD6             call near esi
004614EA .  50                push eax
004614EB .  FFD3             call near ebx
004614ED .  8BD0             mov edx,eax
004614EF .  8D8D 44FFFFFF    lea ecx,dword ptr ss:[ebp-BC]
004614F5 .  FFD6             call near esi
004614F7 .  8B95 44FFFFFF    mov edx,dword ptr ss:[ebp-BC]
004614FD .  57                push edi
004614FE .  6A FF             push -1
00461500 .  6A 01             push 1
00461502 .  68 ECF34000       push CSDeskto.0040F3EC             0040F3EC=4B=K
00461507 .  68 7CE44000       push CSDeskto.0040E47C             ;  UNICODE "30"
查找算出的注册码中是否有“30”，有则替换为"K"
0046150C .  8D4D C0          lea ecx,dword ptr ss:[ebp-40]
0046150F .  89BD 44FFFFFF    mov dword ptr ss:[ebp-BC],edi
00461515 .  FFD6             call near esi
00461517 .  50                push eax
00461518 .  FFD3             call near ebx
0046151A .  8BD0             mov edx,eax
0046151C .  8D8D 40FFFFFF    lea ecx,dword ptr ss:[ebp-C0]
00461522 .  FFD6             call near esi
00461524 .  8B95 40FFFFFF    mov edx,dword ptr ss:[ebp-C0]
0046152A .  89BD 40FFFFFF    mov dword ptr ss:[ebp-C0],edi
00461530 .  57                push edi
00461531 .  6A FF             push -1
00461533 .  6A 01             push 1
00461535 .  68 F4F34000       push CSDeskto.0040F3F4             0040F3F4=4C=L
0046153A .  68 7CE74000       push CSDeskto.0040E77C             ;  UNICODE "99"
查找算出的注册码中是否有“99”，有则替换为"L"
0046153F .  8D4D BC          lea ecx,dword ptr ss:[ebp-44]
00461542 .  FFD6             call near esi
00461544 .  50                push eax
00461545 .  FFD3             call near ebx
00461547 .  8BD0             mov edx,eax
00461549 .  8D8D 3CFFFFFF    lea ecx,dword ptr ss:[ebp-C4]
0046154F .  FFD6             call near esi
00461551 .  8B95 3CFFFFFF    mov edx,dword ptr ss:[ebp-C4]
00461557 .  57                push edi
00461558 .  6A FF             push -1
0046155A .  6A 01             push 1
0046155C .  68 9CF34000       push CSDeskto.0040F39C             0040F39C=4D=M
00461561 .  68 FCF34000       push CSDeskto.0040F3FC             ;  UNICODE "40"
查找算出的注册码中是否有“40”，有则替换为"M"
00461566 .  8D4D B8          lea ecx,dword ptr ss:[ebp-48]
00461569 .  89BD 3CFFFFFF    mov dword ptr ss:[ebp-C4],edi
0046156F .  FFD6             call near esi
00461571 .  50                push eax
00461572 .  FFD3             call near ebx
00461574 .  8BD0             mov edx,eax
00461576 .  8D8D 38FFFFFF    lea ecx,dword ptr ss:[ebp-C8]
0046157C .  FFD6             call near esi
0046157E .  8B95 38FFFFFF    mov edx,dword ptr ss:[ebp-C8]
00461584 .  57                push edi
00461585 .  6A FF             push -1
00461587 .  6A 01             push 1
00461589 .  68 3CF34000       push CSDeskto.0040F33C             0040F33C=4E=N
0046158E .  68 30F34000       push CSDeskto.0040F330             ;  UNICODE "88"
查找算出的注册码中是否有“88”，有则替换为"N"
00461593 .  8D4D B4          lea ecx,dword ptr ss:[ebp-4C]
00461596 .  89BD 38FFFFFF    mov dword ptr ss:[ebp-C8],edi
0046159C .  FFD6             call near esi
0046159E .  50                push eax
0046159F .  FFD3             call near ebx
004615A1 .  8BD0             mov edx,eax
004615A3 .  8D8D 34FFFFFF    lea ecx,dword ptr ss:[ebp-CC]
004615A9 .  FFD6             call near esi
004615AB .  8B95 34FFFFFF    mov edx,dword ptr ss:[ebp-CC]
004615B1 .  57                push edi
004615B2 .  6A FF             push -1
004615B4 .  6A 01             push 1
004615B6 .  68 A4F34000       push CSDeskto.0040F3A4             0040F3A4=4F=O
004615BB .  68 44F34000       push CSDeskto.0040F344             ;  UNICODE "78"
查找算出的注册码中是否有“78”，有则替换为"O"
004615C0 .  8D4D B0          lea ecx,dword ptr ss:[ebp-50]
004615C3 .  89BD 34FFFFFF    mov dword ptr ss:[ebp-CC],edi
004615C9 .  FFD6             call near esi
004615CB .  50                push eax
004615CC .  FFD3             call near ebx
004615CE .  8BD0             mov edx,eax
004615D0 .  8D8D 30FFFFFF    lea ecx,dword ptr ss:[ebp-D0]
004615D6 .  FFD6             call near esi
004615D8 .  8B95 30FFFFFF    mov edx,dword ptr ss:[ebp-D0]
004615DE .  57                push edi
004615DF .  6A FF             push -1
004615E1 .  6A 01             push 1
004615E3 .  68 BCF24000       push CSDeskto.0040F2BC             0040F2BC=50=P
004615E8 .  68 B0F24000       push CSDeskto.0040F2B0             ;  UNICODE "87"
查找算出的注册码中是否有“87”，有则替换为"P"
004615ED .  8D4D AC          lea ecx,dword ptr ss:[ebp-54]
004615F0 .  89BD 30FFFFFF    mov dword ptr ss:[ebp-D0],edi
004615F6 .  FFD6             call near esi
004615F8 .  50                push eax
004615F9 .  FFD3             call near ebx
004615FB .  8BD0             mov edx,eax
004615FD .  8D8D 2CFFFFFF    lea ecx,dword ptr ss:[ebp-D4]
00461603 .  FFD6             call near esi
00461605 .  8B95 2CFFFFFF    mov edx,dword ptr ss:[ebp-D4]
0046160B .  57                push edi
0046160C .  6A FF             push -1
0046160E .  6A 01             push 1
00461610 .  68 C4F24000       push CSDeskto.0040F2C4                0040F2C4=51=Q
00461615 .  68 10E74000       push CSDeskto.0040E710             ;  UNICODE "66"
查找算出的注册码中是否有“66”，有则替换为"Q"
0046161A .  8D4D A8          lea ecx,dword ptr ss:[ebp-58]
0046161D .  89BD 2CFFFFFF    mov dword ptr ss:[ebp-D4],edi
00461623 .  FFD6             call near esi
00461625 .  50                push eax
00461626 .  FFD3             call near ebx
00461628 .  8BD0             mov edx,eax
0046162A .  8D8D 28FFFFFF    lea ecx,dword ptr ss:[ebp-D8]
00461630 .  FFD6             call near esi
00461632 .  8B95 28FFFFFF    mov edx,dword ptr ss:[ebp-D8]
00461638 .  57                push edi
00461639 .  6A FF             push -1
0046163B .  6A 01             push 1
0046163D .  68 C4F14000       push CSDeskto.0040F1C4             0040F1C4=52=R
00461642 .  68 08F24000       push CSDeskto.0040F208             ;  UNICODE "50"
查找算出的注册码中是否有“50”，有则替换为"R"
00461647 .  8D4D A4          lea ecx,dword ptr ss:[ebp-5C]
0046164A .  89BD 28FFFFFF    mov dword ptr ss:[ebp-D8],edi
00461650 .  FFD6             call near esi
00461652 .  50                push eax
00461653 .  FFD3             call near ebx
00461655 .  8BD0             mov edx,eax
00461657 .  8D8D 24FFFFFF    lea ecx,dword ptr ss:[ebp-DC]
0046165D .  FFD6             call near esi
0046165F .  8B95 24FFFFFF    mov edx,dword ptr ss:[ebp-DC]
00461665 .  57                push edi
00461666 .  6A FF             push -1
00461668 .  6A 01             push 1
0046166A .  68 CCF14000       push CSDeskto.0040F1CC             0040F1CC=53=S
0046166F .  68 40E74000       push CSDeskto.0040E740             ;  UNICODE "52"
查找算出的注册码中是否有“52”，有则替换为"S"
00461674 .  8D4D A0          lea ecx,dword ptr ss:[ebp-60]
00461677 .  89BD 24FFFFFF    mov dword ptr ss:[ebp-DC],edi
0046167D .  FFD6             call near esi
0046167F .  50                push eax
00461680 .  FFD3             call near ebx
00461682 .  8BD0             mov edx,eax
00461684 .  8D8D 20FFFFFF    lea ecx,dword ptr ss:[ebp-E0]
0046168A .  FFD6             call near esi
0046168C .  8B95 20FFFFFF    mov edx,dword ptr ss:[ebp-E0]
00461692 .  57                push edi
00461693 .  6A FF             push -1
00461695 .  6A 01             push 1
00461697 .  68 D4F14000       push CSDeskto.0040F1D4                0040F1D4=54=T
0046169C .  68 F8E74000       push CSDeskto.0040E7F8             ;  UNICODE "71"
查找算出的注册码中是否有“71”，有则替换为"T"
004616A1 .  8D4D 9C          lea ecx,dword ptr ss:[ebp-64]
004616A4 .  89BD 20FFFFFF    mov dword ptr ss:[ebp-E0],edi
004616AA .  FFD6             call near esi
004616AC .  50                push eax
004616AD .  FFD3             call near ebx
004616AF .  8BD0             mov edx,eax
004616B1 .  8D8D 1CFFFFFF    lea ecx,dword ptr ss:[ebp-E4]
004616B7 .  FFD6             call near esi
004616B9 .  8B95 1CFFFFFF    mov edx,dword ptr ss:[ebp-E4]
004616BF .  57                push edi
004616C0 .  6A FF             push -1
004616C2 .  6A 01             push 1
004616C4 .  68 DCF14000       push CSDeskto.0040F1DC             0040F1DC=55=U
004616C9 .  68 10E74000       push CSDeskto.0040E710             ;  UNICODE "66"
查找算出的注册码中是否有“66”，有则替换为"U"
004616CE .  8D4D 98          lea ecx,dword ptr ss:[ebp-68]
004616D1 .  89BD 1CFFFFFF    mov dword ptr ss:[ebp-E4],edi
004616D7 .  FFD6             call near esi
004616D9 .  50                push eax
004616DA .  FFD3             call near ebx
004616DC .  8BD0             mov edx,eax
004616DE .  8D8D 18FFFFFF    lea ecx,dword ptr ss:[ebp-E8]
004616E4 .  FFD6             call near esi
004616E6 .  8B95 18FFFFFF    mov edx,dword ptr ss:[ebp-E8]
004616EC .  57                push edi
004616ED .  6A FF             push -1
004616EF .  6A 01             push 1
004616F1 .  68 50F14000       push CSDeskto.0040F150             0040F150=56=V
004616F6 .  68 B0E64000       push CSDeskto.0040E6B0             ;  UNICODE "33"
查找算出的注册码中是否有“33”，有则替换为"V"
004616FB .  8D4D 94          lea ecx,dword ptr ss:[ebp-6C]
004616FE .  89BD 18FFFFFF    mov dword ptr ss:[ebp-E8],edi
00461704 .  FFD6             call near esi
00461706 .  50                push eax
00461707 .  FFD3             call near ebx
00461709 .  8BD0             mov edx,eax
0046170B .  8D8D 14FFFFFF    lea ecx,dword ptr ss:[ebp-EC]
00461711 .  FFD6             call near esi
00461713 .  8B95 14FFFFFF    mov edx,dword ptr ss:[ebp-EC]
00461719 .  57                push edi
0046171A .  6A FF             push -1
0046171C .  6A 01             push 1
0046171E .  68 58F14000       push CSDeskto.0040F158                0040F158=57=W
00461723 .  68 C8E64000       push CSDeskto.0040E6C8             ;  UNICODE "22"
查找算出的注册码中是否有“22”，有则替换为"W"
00461728 .  8D4D 90          lea ecx,dword ptr ss:[ebp-70]
0046172B .  89BD 14FFFFFF    mov dword ptr ss:[ebp-EC],edi
00461731 .  FFD6             call near esi
00461733 .  50                push eax
00461734 .  FFD3             call near ebx
00461736 .  8BD0             mov edx,eax
00461738 .  8D8D 10FFFFFF    lea ecx,dword ptr ss:[ebp-F0]
0046173E .  FFD6             call near esi
00461740 .  8B95 10FFFFFF    mov edx,dword ptr ss:[ebp-F0]
00461746 .  57                push edi
00461747 .  6A FF             push -1
00461749 .  6A 01             push 1
0046174B .  68 84EE4000       push CSDeskto.0040EE84                0040EE84=58=X
00461750 .  68 ACE74000       push CSDeskto.0040E7AC             ;  UNICODE "95"
查找算出的注册码中是否有“95”，有则替换为"X"
00461755 .  8D4D 8C          lea ecx,dword ptr ss:[ebp-74]
00461758 .  89BD 10FFFFFF    mov dword ptr ss:[ebp-F0],edi
0046175E .  FFD6             call near esi
00461760 .  50                push eax
00461761 .  FFD3             call near ebx
00461763 .  8BD0             mov edx,eax
00461765 .  8D8D 0CFFFFFF    lea ecx,dword ptr ss:[ebp-F4]
0046176B .  FFD6             call near esi
0046176D .  8B95 0CFFFFFF    mov edx,dword ptr ss:[ebp-F4]
00461773 .  57                push edi
00461774 .  6A FF             push -1
00461776 .  6A 01             push 1
00461778 .  68 0CF64000       push CSDeskto.0040F60C             0040F60C=59=Y
0046177D .  68 00F64000       push CSDeskto.0040F600             ;  UNICODE "11"
查找算出的注册码中是否有“11”，有则替换为"Y"
00461782 .  8D4D 88          lea ecx,dword ptr ss:[ebp-78]
00461785 .  89BD 0CFFFFFF    mov dword ptr ss:[ebp-F4],edi
0046178B .  FFD6             call near esi
0046178D .  50                push eax
0046178E .  FFD3             call near ebx
00461790 .  8BD0             mov edx,eax
00461792 .  8D8D 08FFFFFF    lea ecx,dword ptr ss:[ebp-F8]
00461798 .  FFD6             call near esi
0046179A .  8B95 08FFFFFF    mov edx,dword ptr ss:[ebp-F8]
004617A0 .  57                push edi
004617A1 .  6A FF             push -1
004617A3 .  6A 01             push 1
004617A5 .  68 14F64000       push CSDeskto.0040F614             0040F614=5A=Z
004617AA .  68 3CE64000       push CSDeskto.0040E63C             ;  UNICODE "13"
查找算出的注册码中是否有“13”，有则替换为"Z"
004617AF .  8D4D 84          lea ecx,dword ptr ss:[ebp-7C]
004617B2 .  89BD 08FFFFFF    mov dword ptr ss:[ebp-F8],edi
004617B8 .  FFD6             call near esi
004617BA .  50                push eax
004617BB .  FFD3             call near ebx
004617BD .  8BD0             mov edx,eax
004617BF .  8D8D 04FFFFFF    lea ecx,dword ptr ss:[ebp-FC]
004617C5 .  FFD6             call near esi
004617C7 .  8B95 04FFFFFF    mov edx,dword ptr ss:[ebp-FC]
004617CD .  57                push edi
004617CE .  6A FF             push -1
004617D0 .  6A 01             push 1
004617D2 .  68 58F14000       push CSDeskto.0040F158
004617D7 .  68 90D84000       push CSDeskto.0040D890
004617DC .  8D4D 80          lea ecx,dword ptr ss:[ebp-80]
004617DF .  89BD 04FFFFFF    mov dword ptr ss:[ebp-FC],edi
004617E5 .  FFD6             call near esi
004617E7 .  50                push eax
004617E8 .  FFD3             call near ebx
004617EA .  8BD0             mov edx,eax
004617EC .  8D8D 00FFFFFF    lea ecx,dword ptr ss:[ebp-100]
004617F2 .  FFD6             call near esi
004617F4 .  8B95 00FFFFFF    mov edx,dword ptr ss:[ebp-100]
004617FA .  57                push edi
004617FB .  6A FF             push -1
004617FD .  6A 01             push 1
004617FF .  68 1CF64000       push CSDeskto.0040F61C
00461804 .  68 E8E74000       push CSDeskto.0040E7E8
00461809 .  8D8D 7CFFFFFF    lea ecx,dword ptr ss:[ebp-84]
0046180F .  89BD 00FFFFFF    mov dword ptr ss:[ebp-100],edi
00461815 .  FFD6             call near esi
00461817 .  50                push eax
00461818 .  FFD3             call near ebx
0046181A .  8BD0             mov edx,eax
0046181C .  8D8D FCFEFFFF    lea ecx,dword ptr ss:[ebp-104]
00461822 .  FFD6             call near esi
00461824 .  8B95 FCFEFFFF    mov edx,dword ptr ss:[ebp-104]
0046182A .  57                push edi
0046182B .  6A FF             push -1
0046182D .  6A 01             push 1
0046182F .  68 C4F24000       push CSDeskto.0040F2C4       0040F2C4=51=Q  注册码前面加上Q
00461834 .  89BD FCFEFFFF    mov dword ptr ss:[ebp-104],edi
0046183A .  68 18DB4000       push CSDeskto.0040DB18
0046183F .  8D8D 78FFFFFF    lea ecx,dword ptr ss:[ebp-88]
00461845 .  FFD6             call near esi
00461847 .  50                push eax
00461848 .  FFD3             call near ebx
0046184A .  8BD0             mov edx,eax
0046184C .  8D8D F8FEFFFF    lea ecx,dword ptr ss:[ebp-108]
00461852 .  FFD6             call near esi
00461854 .  A1 3C804700       mov eax,dword ptr ds:[47803C]
00461859 .  8B95 F8FEFFFF    mov edx,dword ptr ss:[ebp-108]
0046185F .  50                push eax
00461860 .  68 9CF54000       push CSDeskto.0040F59C             ;  UNICODE "CS"
00461865 .  57                push edi
00461866 .  6A FF             push -1
00461868 .  6A 01             push 1
0046186A .  68 9CF34000       push CSDeskto.0040F39C
0046186F .  68 04E84000       push CSDeskto.0040E804
00461874 .  8D8D 74FFFFFF    lea ecx,dword ptr ss:[ebp-8C]
0046187A .  89BD F8FEFFFF    mov dword ptr ss:[ebp-108],edi
00461880 .  FFD6             call near esi
00461882 .  50                push eax
00461883 .  FFD3             call near ebx
00461885 .  8BD0             mov edx,eax
00461887 .  8D8D 70FFFFFF    lea ecx,dword ptr ss:[ebp-90]
0046188D .  FFD6             call near esi
0046188F .  50                push eax
00461890 .  FF15 48104000    call near dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrCat
注册码前面加上CS
00461896 .  8BD0             mov edx,eax
00461898 .  8D8D 6CFFFFFF    lea ecx,dword ptr ss:[ebp-94]
0046189E .  FFD6             call near esi
004618A0 .  50                push eax
004618A1 .  FF15 D8104000    call near dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrCmp

--------------------------------------------------------------------------------
【破解总结】
注册算法很简单，下面是VB注册机：
Dim A1, A2, A3
A1 = Format((Format(Text1.Text, 0)) / 3, 0) + 265
If Len(A1) / 2 > 0 Then A1 = Space(1) & A1
For A2 = 1 To Len(A1)
A3 = Mid(A1, A2, 2)
If A3 = 15 Then
A1 = Replace(A1, Mid(A1, A2, 2), "A")
ElseIf A3 = 24 Then
A1 = Replace(A1, Mid(A1, A2, 2), "B")
ElseIf A3 = 34 Then
A1 = Replace(A1, Mid(A1, A2, 2), "C")
ElseIf A3 = 41 Then
A1 = Replace(A1, Mid(A1, A2, 2), "D")
ElseIf A3 = 92 Then
A1 = Replace(A1, Mid(A1, A2, 2), "E")
ElseIf A3 = 83 Then
A1 = Replace(A1, Mid(A1, A2, 2), "F")
ElseIf A3 = 76 Then
A1 = Replace(A1, Mid(A1, A2, 2), "G")
ElseIf A3 = 45 Then
A1 = Replace(A1, Mid(A1, A2, 2), "H")
ElseIf A3 = 28 Then
A1 = Replace(A1, Mid(A1, A2, 2), "I")
ElseIf A3 = 29 Then
A1 = Replace(A1, Mid(A1, A2, 2), "J")
ElseIf A3 = 30 Then
A1 = Replace(A1, Mid(A1, A2, 2), "K")
ElseIf A3 = 99 Then
A1 = Replace(A1, Mid(A1, A2, 2), "L")
ElseIf A3 = 40 Then
A1 = Replace(A1, Mid(A1, A2, 2), "M")
ElseIf A3 = 88 Then
A1 = Replace(A1, Mid(A1, A2, 2), "N")
ElseIf A3 = 78 Then
A1 = Replace(A1, Mid(A1, A2, 2), "O")
ElseIf A3 = 87 Then
A1 = Replace(A1, Mid(A1, A2, 2), "P")
ElseIf A3 = 66 Then
A1 = Replace(A1, Mid(A1, A2, 2), "Q")
ElseIf A3 = 50 Then
A1 = Replace(A1, Mid(A1, A2, 2), "R")
ElseIf A3 = 52 Then
A1 = Replace(A1, Mid(A1, A2, 2), "S")
ElseIf A3 = 71 Then
A1 = Replace(A1, Mid(A1, A2, 2), "T")
ElseIf A3 = 66 Then
A1 = Replace(A1, Mid(A1, A2, 2), "U")
ElseIf A3 = 33 Then
A1 = Replace(A1, Mid(A1, A2, 2), "V")
ElseIf A3 = 22 Then
A1 = Replace(A1, Mid(A1, A2, 2), "W")
ElseIf A3 = 95 Then
A1 = Replace(A1, Mid(A1, A2, 2), "X")
ElseIf A3 = 11 Then
A1 = Replace(A1, Mid(A1, A2, 2), "Y")
ElseIf A3 = 13 Then
A1 = Replace(A1, Mid(A1, A2, 2), "Z")
End If
Next A2
Text2.Text = "CSQ" & Trim(A1)
本注册机在WIN SP2 VB6下编译通过。
--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・0

点赞・7

打赏

最新回复 (8)
baby2008 雪币： 442 活跃值： (1211) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 2005-4-15 20:25 2 楼 0 支持！
MrOwl 雪币： 241 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	MrOwl 2005-4-15 20:28 3 楼 0 好贴，学习
东方青石雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 129 粉丝 0 关注私信	东方青石 2005-4-16 00:55 4 楼 0 RtcMsgBox 是VB专有的吗？
东方青石雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 129 粉丝 0 关注私信	东方青石 2005-4-16 01:02 5 楼 0 看了帖，是要顶的，无论我是不是会！这是我看帖的宗旨！
ww990 雪币： 217 活跃值： (81) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 282 粉丝 0 关注私信	ww990 1 2005-4-16 14:07 6 楼 0 你的VB代码根本算不到注册码，不如在寄存器窗口找注册码
落魄浪子雪币： 298 活跃值： (566) 能力值： ( LV9，RANK：530 ) 在线值：发帖 18 回帖 85 粉丝 1 关注私信	落魄浪子 13 2005-4-17 22:39 7 楼 0 最初由 ww990 发布你的VB代码根本算不到注册码，不如在寄存器窗口找注册码你试过吗？真的算不出来码？我有三台机都没有问题啊！（Win98 Win2000 sp4 WinXP sp2）。我对编程一点都不懂，只是ＶＢ入门快点，学写点注册机是没问题。望指点哪里错了。谢谢！
wenglingok 雪币： 671 活跃值： (723) 能力值： ( LV9，RANK：1060 ) 在线值：发帖 52 回帖 678 粉丝 1 关注私信	wenglingok 26 2005-4-18 07:03 8 楼 0 支持楼主,跟VB的程序，辛苦了！
shuair 雪币： 151 活跃值： (66) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 218 粉丝 0 关注私信	shuair 2 2005-4-18 09:20 9 楼 0 呵呵,看的懂,,学习~~,支持
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复