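【Article Title】: Algorithm analysis of *** Renovation Budget V3.0
【Author】: dvchen[OCN][D4s][FCG][YCG][YMON]...
【Home Page】: http://www.^o^.net
【Software Name】: *** Renovation Budget V3.0
【Size】: 6465 KB
【Download】: Find it yourself
【Language】: VB
【Tools】: PEID, OD
【Software Description】: This software is produced by Dalian Jinshouzhi Electronic Technology Co., Ltd. (大连金手指电子技术有限公司). It has gone through three versions, has been used by hundreds of renovation companies, and after more than two years the latest version has finally been released to applause. The software takes full account of the practical needs of renovation companies and provides a great many convenient tools and tricks. The developers' craftsmanship shows everywhere; it is a polished piece of work and could even be called the most practical and convenient software of its kind currently available in China.
【Author's Statement】: Just out of interest, no other purpose. I am definitely not just picking on an easy target; a friend wanted to see how to crack it and compute the code, so I posted it! Please don't flame me; suitable for beginner practice.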
--------------------------------------------------------------------------------
【Detailed Process】
---------------------------------------------------------------------------------------------------
0050BCAC FF15 68124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0050BCB2 A1 40205800 mov eax,dword ptr ds:[582040] ; the machine code appears: 151677774
0050BCB7 50 push eax ; 090A6B4E
0050BCB8 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0050BCBE 8BD0 mov edx,eax
0050BCC0 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0050BCC3 FF15 2C124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0050BCC9 50 push eax
0050BCCA FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0050BCD0 8BC8 mov ecx,eax
0050BCD2 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0050BCD8 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0050BCDB 8985 44FEFFFF mov dword ptr ss:[ebp-1BC],eax
0050BCE1 C745 E8 0100000>mov dword ptr ss:[ebp-18],1
0050BCE8 FF15 64124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0050BCEE 66:8B8D 44FEFFF>mov cx,word ptr ss:[ebp-1BC]
0050BCF5 66:394D E8 cmp word ptr ss:[ebp-18],cx
0050BCF9 0F8F AE000000 jg 金手指装.0050BDAD
0050BCFF 8B15 40205800 mov edx,dword ptr ds:[582040]
0050BD05 C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],1
0050BD0F 52 push edx
0050BD10 C785 70FFFFFF 0>mov dword ptr ss:[ebp-90],2
0050BD1A FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0050BD20 0FBF4D E8 movsx ecx,word ptr ss:[ebp-18]
0050BD24 8945 88 mov dword ptr ss:[ebp-78],eax ; 151677774
0050BD27 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0050BD2D 50 push eax
0050BD2E 8D55 80 lea edx,dword ptr ss:[ebp-80]
0050BD31 51 push ecx
0050BD32 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0050BD38 52 push edx
0050BD39 50 push eax
0050BD3A C745 80 0800000>mov dword ptr ss:[ebp-80],8
0050BD41 FF15 CC104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0050BD47 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
0050BD4D 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0050BD50 51 push ecx
0050BD51 52 push edx
0050BD52 FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0050BD58 50 push eax ; 1
0050BD59 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0050BD5F 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
0050BD62 0FBFC0 movsx eax,ax ; 31 35
0050BD65 03C1 add eax,ecx ; running sum = 1DD
1. Take the ASCII (ANSI) value of each character of the machine code and add them up in turn, giving 1DD (477).
-----------------------------------------------------------------------------------------------------
0050BDB1 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0050BDB7 8BD0 mov edx,eax ; 1DD=477
0050BDB9 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0050BDBC FF15 2C124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0050BDC2 50 push eax
0050BDC3 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0050BDC9 8BC8 mov ecx,eax
0050BDCB FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0050BDD1 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0050BDD4 8985 3CFEFFFF mov dword ptr ss:[ebp-1C4],eax
0050BDDA C745 E8 0100000>mov dword ptr ss:[ebp-18],1
0050BDE1 FF15 64124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0050BDE7 66:8B95 3CFEFFF>mov dx,word ptr ss:[ebp-1C4]
0050BDEE 66:3955 E8 cmp word ptr ss:[ebp-18],dx
0050BDF2 0F8F 14010000 jg 金手指装.0050BF0C
0050BDF8 66:8B45 D4 mov ax,word ptr ss:[ebp-2C]
0050BDFC 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0050BDFF 8B4D C0 mov ecx,dword ptr ss:[ebp-40]
0050BE02 66:05 0A00 add ax,0A ; AX+0A 0A 14 1E
0050BE06 0F80 1DB80000 jo 金手指装.00517629
0050BE0C 52 push edx
0050BE0D 8945 D4 mov dword ptr ss:[ebp-2C],eax
0050BE10 898D E8FEFFFF mov dword ptr ss:[ebp-118],ecx
0050BE16 C785 E0FEFFFF 0>mov dword ptr ss:[ebp-120],8
0050BE20 C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],1
0050BE2A C785 70FFFFFF 0>mov dword ptr ss:[ebp-90],2
0050BE34 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0050BE3A 0FBF4D E8 movsx ecx,word ptr ss:[ebp-18]
0050BE3E 8945 88 mov dword ptr ss:[ebp-78],eax ; 477
0050BE41 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0050BE47 50 push eax
0050BE48 8D55 80 lea edx,dword ptr ss:[ebp-80]
0050BE4B 51 push ecx
0050BE4C 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0050BE52 52 push edx
0050BE53 50 push eax
0050BE54 C745 80 0800000>mov dword ptr ss:[ebp-80],8
0050BE5B FF15 CC104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0050BE61 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
0050BE67 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0050BE6A 51 push ecx
0050BE6B 52 push edx
0050BE6C FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0050BE72 50 push eax ; 4
0050BE73 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0050BE79 66:0345 D4 add ax,word ptr ss:[ebp-2C] ; 34+A 37+14 37+1E
0050BE7D 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
0050BE83 0F80 A0B70000 jo 金手指装.00517629
0050BE89 0FBFC0 movsx eax,ax ; 3E 4B 55
2. 1DD is 477 in decimal. Take the ASCII value of each of its digits and add A, 14 and 1E respectively, giving 3E 4B 55, which as Unicode characters is >KU
-----------------------------------------------------------------------------------------------------
0050BF0C 8B0D 40205800 mov ecx,dword ptr ds:[582040] ; 090A6B4E
0050BF12 C745 D4 0000000>mov dword ptr ss:[ebp-2C],0
0050BF19 51 push ecx
0050BF1A FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0050BF20 8BD0 mov edx,eax
0050BF22 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0050BF25 FF15 2C124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0050BF2B 50 push eax
0050BF2C FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0050BF32 8BC8 mov ecx,eax
0050BF34 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0050BF3A 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0050BF3D 8985 34FEFFFF mov dword ptr ss:[ebp-1CC],eax
0050BF43 C745 E8 0100000>mov dword ptr ss:[ebp-18],1
0050BF4A FF15 64124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0050BF50 66:8B95 34FEFFF>mov dx,word ptr ss:[ebp-1CC]
0050BF57 66:3955 E8 cmp word ptr ss:[ebp-18],dx
0050BF5B 0F8F 17010000 jg 金手指装.0050C078
0050BF61 66:8B45 D4 mov ax,word ptr ss:[ebp-2C]
0050BF65 8B15 40205800 mov edx,dword ptr ds:[582040]
0050BF6B 8B4D C8 mov ecx,dword ptr ss:[ebp-38]
0050BF6E 66:05 0700 add ax,7 ; ax+7 7 E 15
0050BF72 0F80 B1B60000 jo 金手指装.00517629
0050BF78 52 push edx
0050BF79 8945 D4 mov dword ptr ss:[ebp-2C],eax
0050BF7C 898D E8FEFFFF mov dword ptr ss:[ebp-118],ecx
0050BF82 C785 E0FEFFFF 0>mov dword ptr ss:[ebp-120],8
0050BF8C C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],1
0050BF96 C785 70FFFFFF 0>mov dword ptr ss:[ebp-90],2
0050BFA0 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0050BFA6 0FBF4D E8 movsx ecx,word ptr ss:[ebp-18]
0050BFAA 8945 88 mov dword ptr ss:[ebp-78],eax ; 151677774
0050BFAD 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0050BFB3 50 push eax
0050BFB4 8D55 80 lea edx,dword ptr ss:[ebp-80]
0050BFB7 51 push ecx
0050BFB8 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0050BFBE 52 push edx
0050BFBF 50 push eax
0050BFC0 C745 80 0800000>mov dword ptr ss:[ebp-80],8
0050BFC7 FF15 CC104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0050BFCD 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
0050BFD3 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0050BFD6 51 push ecx
0050BFD7 52 push edx
0050BFD8 FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0050BFDE 50 push eax ; 1
0050BFDF FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0050BFE5 66:0345 D4 add ax,word ptr ss:[ebp-2C] ; 31+7 35+E
0050BFE9 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
0050BFEF 0F80 34B60000 jo 金手指装.00517629
0050BFF5 0FBFC0 movsx eax,ax ; 38 43 46 52
0050BFF8 50 push eax
3. Again take the ASCII value of each digit of the machine code and add successive multiples of 7, giving 38 43 46 52..., which as Unicode characters is 8CFRZahos
------------------------------------------------------------------------------------------------
0050C0B5 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0050C0BB 83E8 05 sub eax,5 ; subtract 5 from the length
0050C0BE 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
0050C0C4 0F80 5FB50000 jo 金手指装.00517629
0050C0CA 50 push eax
0050C0CB 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
0050C0D1 50 push eax
0050C0D2 51 push ecx
0050C0D3 FF15 1C124000 call dword ptr ds:[<&MSVBVM60.#617>] ; take four characters starting from the left
0050C0D9 8D55 80 lea edx,dword ptr ss:[ebp-80]
0050C0DC 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0050C0E2 52 push edx
0050C0E3 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
0050C0E9 50 push eax
0050C0EA 51 push ecx
0050C0EB FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0050C0F1 50 push eax
0050C0F2 FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
0050C0F8 8BD0 mov edx,eax ; "Zahos8CFR"
4. Take the leftmost four characters of 8CFRZahos, 8CFR, and join them to Zahos, forming Zahos8CFR
--------------------------------------------------------------------------------------------------
0050C117 FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaFreeVarList
0050C11D 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; >KU appears
0050C120 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0050C123 83C4 10 add esp,10
0050C126 52 push edx
0050C127 50 push eax ;
0050C128 FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vb>; concatenate to form the registration code >KUZahos8CFR
5. Concatenate >KU and Zahos8CFR to form the registration code.
--------------------------------------------------------------------------------
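【Summary】
1. Take the ASCII (ANSI) value of each character of the machine code and add them up in turn, giving 1DD (477).
2. 1DD is 477 in decimal. Take the ASCII value of each of its digits and add A, 14 and 1E respectively, giving 3E 4B 55, which as Unicode characters is >KU
3. Again take the ASCII value of each digit of the machine code and add successive multiples of 7, giving 38 43 46 52..., which as Unicode characters is 8CFRZahos
4. Take the leftmost four characters of 8CFRZahos, 8CFR, and join them to Zahos, forming Zahos8CFR
5. Concatenate >KU and Zahos8CFR to form the registration code.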
--------------------------------------------------------------------------------
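【Copyright Notice】: This article was originally published on the OCN forum. When reposting, please credit the author and keep the article intact. Thanks!
February 10, 2006 22:46:40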