12:02 2005-7-6
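I haven't logged in for another month, and I find the same old faces! It's already the holidays, so what's going on? Then I saw the poll thread, and so that's why...
I remember one Kanxue (看雪) user's signature going like this: if everyone only takes, the resources will dry up...
So I quickly searched Baidu and downloaded a few programs...
My skill is limited, so I'll write a few articles to make up the numbers.
Software name: 口令保管王 ("Password Keeper King")
Description: A "password" (口令), also called a passcode, is information used for encryption; "Password Keeper" stores the user's various passwords so they can be looked up when the user forgets one.
Download: http://vnet.softreg.com.cn/product.asp?id=/4E53A292-CE2E-402B-8867-2FB19529BDB6
Cracked by: wofan[OCN]
As the saying goes: Zhangjiajie in the west, Jiubujiang in the east, and I am beside Jiuxian Lake!
First run the program; it creates a file in its directory: PwdDat.vxd
Something felt a little odd. (Later I found that this program's algorithm is extremely simple; it is also the classic comparison type.)
Machine code: 893102327
Registration code: *********
The strings are encrypted. Since the program is written in VB, let's use Colocar BreakPoints.
Load it in OD (OllyDbg), press F9 to run, open the registration form, fill in the registration details, go back to the OD window, and press Alt+F12 to use the VB universal breakpoint plugin, which is Colocar BreakPoints.
It breaks, and a few steps later we arrive here: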
00429A1E > \8B55 D8 mov edx,dword ptr ss:[ebp-28] *******machine code 893102327
00429A21 . 8B1D 88114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00429A27 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00429A2A . 897D D8 mov dword ptr ss:[ebp-28],edi
00429A2D . FFD3 call ebx *******fetch registration code 87654321 ; <&MSVBVM60.__vbaStrMove>
00429A2F . 8B4D DC mov ecx,dword ptr ss:[ebp-24] *******registration code goes into ECX
00429A32 . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00429A35 . 51 push ecx *******push registration code
00429A36 . 52 push edx
00429A37 . E8 D49FFFFF call PdSafe.00423A10 ************see how the registration code is computed from the machine code********
00429A3C . 8BD0 mov edx,eax
00429A3E . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00429A41 . FFD3 call ebx
00429A43 . 50 push eax *******push the real registration code!!!!
00429A44 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00429A4A . 8BF0 mov esi,eax *******return value is in EAX; if it is 0 rather than 1, registration succeeds.
……
00429AD9 . 68 00714000 push PdSafe.00407100 ; UNICODE "Key02"
00429ADE . 68 E8704000 push PdSafe.004070E8 ; UNICODE "Section1"
00429AE3 . 68 985F4000 push PdSafe.00405F98 ; UNICODE "OpjupkrXojhoi{Fmdmfhu"
00429AE8 . FF15 04104000 call dword ptr ds:[<&MSVBVM60.#690>] ; MSVBVM60.rtcSaveSetting
00429AEE . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00429AF1 . 52 push edx
00429AF2 . E8 9995FFFF call PdSafe.00423090
00429AF7 . 8BD0 mov edx,eax
00429AF9 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00429AFC . FFD3 call ebx
00429AFE . 50 push eax
00429AFF . 68 E4D14200 push PdSafe.0042D1E4 ; UNICODE ".(E2kzC-4c" this should be the MsgBox-related text in its encrypted form.
00429B04 . 6A 12 push 12
00429B06 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaLsetFixs>; MSVBVM60.__vbaLsetFixstr
……
00429B8A . FF15 68104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox MsgBox that reports successful registration
************How the registration code is computed from the machine code********
00423A6B . FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str machine code
00423A71 . DC0D C8134000 fmul qword ptr ds:[4013C8] *****qword ptr ds:[4013C8]=7*****fmul---->893102327 * 7=6251716288.9999994880
00423A77 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00423A7A . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00423A7D . 51 push ecx
00423A7E . 52 push edx
00423A7F . DC25 C0134000 fsub qword ptr ds:[4013C0] *****qword ptr ds:[4013C0]=6 *****fsub---->6251716283.0000005120
****************************
st=6251716288.9999994880
ds:[004013C0]=6.000000000000000
**************************
00423A85 . C745 D8 05000000 mov dword ptr ss:[ebp-28],5
00423A8C . DC0D B8134000 fmul qword ptr ds:[4013B8] ****qword ptr ds:[4013B8]=9 ****fmul--->5.6265446547000002560e+10
******************************
st=6251716283.0000005120
ds:[004013B8]=9.000000000000000
******************************
00423A92 . DC05 B0134000 fadd qword ptr ds:[4013B0] *****qword ptr ds:[4013B0]=2****fadd---->st=5.6265446548999997440e+10
*****************************
st=5.6265446547000002560e+10
ds:[004013B0]=2.000000000000000
*****************************
00423A98 . DD5D E0 fstp qword ptr ss:[ebp-20]
00423A9B . DFE0 fstsw ax
00423A9D . A8 0D test al,0D
00423A9F . 0F85 39010000 jnz PdSafe.00423BDE
00423AA5 . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar***number to string
00423AAB . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00423AAE . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00423AB1 . 50 push eax
00423AB2 . 51 push ecx
00423AB3 . FF15 84104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar ****strip leading and trailing spaces
00423AB9 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00423ABC . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00423ABF . 52 push edx
00423AC0 . 6A 01 push 1
00423AC2 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00423AC5 . 50 push eax
00423AC6 . 51 push ecx
00423AC7 . C745 B0 09000000 mov dword ptr ss:[ebp-50],9 **********************9
00423ACE . C745 A8 02000000 mov dword ptr ss:[ebp-58],2 **********************2
00423AD5 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar ****cut the string; the first nine characters are the real registration code
00423ADB . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00423AE1 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00423AE4 . C785 40FFFFFF 706>mov dword ptr ss:[ebp-C0],PdSafe.00406C70
00423AEE . C785 38FFFFFF 080>mov dword ptr ss:[ebp-C8],8
00423AF8 . FF15 68114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup ***copy the string
00423AFE . 8B06 mov eax,dword ptr ds:[esi]
00423B00 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00423B03 . 52 push edx
00423B04 . 50 push eax
00423B05 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00423B0B . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00423B11 . 50 push eax
00423B12 . 51 push ecx
00423B13 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#607>] ; MSVBVM60.rtcStringVar
00423B19 . 6A 01 push 1
00423B1B . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
00423B21 . 6A 01 push 1
00423B23 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00423B26 . 52 push edx
00423B27 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00423B2D . 50 push eax
00423B2E . 51 push ecx
00423B2F . FF15 40104000 call dword ptr ds:[<&MSVBVM60.#660>] ; MSVBVM60.rtcVarFromFormatVar
00423B35 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00423B3B . 52 push edx
00423B3C . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove
00423B42 . 8BD0 mov edx,eax *************************mov ---->edx=562654465****real registration code, returned for the string compare
……
00423BC6 . C3 retn
Summary:
(machine code × 7 - 6) × 9 + 2 = code; its first nine digits are the registration code
(893102327 × 7 - 6) × 9 + 2 = 56265446549; its first nine digits are: 562654465
by wofan[OCN] 13:02 2005-7-6
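
Why the check summarized above holds no secret, as an added example that is not part of the original post: the client rebuilds the valid code from the machine code it displays and compares it in plaintext. The signed-license check beside it is this example's assumption, not anything the program does; `vendor_issue`, `client_verify` and the textbook-RSA toy key built from two public Mersenne primes are hypothetical and constructed for illustration.

```python
import hashlib

# Constructed toy key pair: both primes are well-known Mersenne primes, so
# this "private" key is public knowledge. It only shows the shape of the check.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public values, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, vendor side only


def weak_check(machine_code: int, entered: str) -> bool:
    """Scheme from the summary: the client rebuilds the valid code itself."""
    expected = str((machine_code * 7 - 6) * 9 + 2)[:9]
    # 'expected' is the plaintext a debugger sees at the string compare.
    return entered == expected


def _digest(machine_code: int) -> int:
    data = b"license:%d" % machine_code
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def vendor_issue(machine_code: int) -> str:
    """Hypothetical vendor-side step: sign the machine code with D."""
    return format(pow(_digest(machine_code), D, N), "x")


def client_verify(machine_code: int, license_hex: str) -> bool:
    """Hypothetical client-side step: needs only N and E, never D."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False
    return 0 <= sig < N and pow(sig, E, N) == _digest(machine_code)


if __name__ == "__main__":
    m = 893102327                        # machine code from the write-up
    print(weak_check(m, "562654465"))    # value the write-up derives
    lic = vendor_issue(m)
    print(client_verify(m, lic), client_verify(m + 1, lic))
```

Verifying with a public key keeps the valid code out of the client's memory; it does not protect the branch that follows the comparison, which still needs integrity protection of its own.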