手机视频压缩专家 (TO 3GP) V1.0.0 — Algorithm Analysis
Author: lchhome
Step 1: PEiD identifies it as a program written in Microsoft Visual Basic 5.0 / 6.0, with no packer. Nice!
Step 2: As usual, load the program in OllyDbg. It looks like this:
004013B0 Z> $ 68 58264000 push ZHUCE.00402658 ; stops here
004013B5 . E8 EEFFFFFF call <jmp.&MSVBVM60.#100>
004013BA . 0000 add byte ptr ds:[eax],al
004013BC . 0000 add byte ptr ds:[eax],al
004013BE . 0000 add byte ptr ds:[eax],al
004013C0 . 3000 xor byte ptr ds:[eax],al
Press F9 to run. The registration dialog appears; fill in the following:
Name: lch
E-Mail: lch@163.com
Registration code: 1234567
Don't click Register yet; let's analyze first.
When setting breakpoints in VB programs, the usual choices are __vbaStrCopy, __vbaStrComp, __vbaStrCmp and similar string-handling functions. Let's use __vbaStrCopy. Press Alt+E to open the Executable modules window:
Executable modules
Base Size Entry Name (syst File version Path
00400000 00009000 004013B0 ZHUCE.<ModuleEntryPoint> ZHUCE 13.00 D:\Program Files\手机视频压缩专家(TO 3GP)\ZHUCE.EXE
62C20000 00009000 62C22EAD LPK.LpkDllInitialize LPK (syst 5.1.2600.218 C:\WINDOWS\system32\LPK.DLL
66000000 00152000 66001AEC MSVBVM60.<ModuleEntryPoint> MSVBVM60 6.00.9782 D:\Program Files\手机视频压缩专家(TO 3GP)\MSVBVM60.DLL ; find this DLL (every VB program calls it) and double-click it
73FA0000 0006B000 73FDAEB6 USP10.<ModuleEntryPoint> USP10 (syst 1.0420.2600. C:\WINDOWS\system32\USP10.dll
After double-clicking, we are back in the CPU window:
66001000 <> 2F das ; stops here; press Ctrl+N
66001001 0881 7CA9CC80 or byte ptr ds:[ecx+80CCA97C],al
66001007 7C 58 jl short MSVBVM60.66001061
66001009 CD 80 int 80
The following window appears; scroll down:
Names in MSVBVM60
Address Section Type Name Comment
66001A4C .text Import OLEAUT32.#10
66001AAC .text Import OLEAUT32.#100
66001AD8 .text Import OLEAUT32.#104
66001AB4 .text Import OLEAUT32.#109
(part omitted)
660DF945 .text Export __vbaStrBool
660E5F3A .text Export __vbaStrCat
660E8A03 .text Export __vbaStrCmp
6601B0C6 .text Export __vbaStrComp
660E7002 .text Export __vbaStrCompVar
660E610E .text Export __vbaStrCopy ; once you find this function, press F2 to set a breakpoint, then click Register
660DFAC5 .text Export __vbaStrCy
The program breaks:
660E610E M> 56 push esi ; breaks here
660E610F 57 push edi
660E6110 85D2 test edx,edx
660E6112 8BF9 mov edi,ecx
660E6114 74 17 je short MSVBVM60.660E612D
Press F8 to step; it returns to 004040F5:
004040F5 . 8D45 80 lea eax,dword ptr ss:[ebp-80] ; arrives here
004040F8 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
004040FB . 50 push eax
004040FC . 51 push ecx
004040FD . 6A 02 push 2
Keep pressing F8 to look for the key point; execution keeps passing through here:
0040428E > /8B85 34FDFFFF mov eax,dword ptr ss:[ebp-2CC]
00404294 . |85C0 test eax,eax
00404296 . |0F84 25010000 je ZHUCE.004043C1
0040429C . |8B06 mov eax,dword ptr ds:[esi]
0040429E . |56 push esi
0040429F . |FF90 1C030000 call dword ptr ds:[eax+31C]
004042A5 . |8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
004042AB . |8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004042B1 . |51 push ecx
004042B2 . |52 push edx
(part omitted)
0040438F . 52 push edx
00404390 . 50 push eax
00404391 . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd ; see this function? It is an addition routine. Step into it with F7:
00404397 . 8BD0 mov edx,eax ; after the addition, execution returns here
00404399 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040439C . FFD7 call edi
0040439E . 8D8D 64FDFFFF lea ecx,dword ptr ss:[ebp-29C]
004043A4 . 8D95 74FDFFFF lea edx,dword ptr ss:[ebp-28C]
004043AA . 51 push ecx
004043AB . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004043AE . 52 push edx
004043AF . 50 push eax
004043B0 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; MSVBVM60.__vbaVarForNext
004043B6 . 8985 34FDFFFF mov dword ptr ss:[ebp-2CC],eax
004043BC .^ E9 CDFEFFFF jmp ZHUCE.0040428E ; jumps back to 0040428E and keeps adding until the whole registration name has been processed
The loop 0040428E to 004043BC accumulates the ASCII codes of the registration name; for my name (lch) the sum is 6C+63+68=137.
Step into 00404391 with F7 to arrive here:
66107801 M> FF7424 04 push dword ptr ss:[esp+4]
66107805 FF7424 0C push dword ptr ss:[esp+C]
66107809 FF7424 14 push dword ptr ss:[esp+14]
6610780D FF15 C0ED1066 call dword ptr ds:[6610EDC0] ; OLEAUT32.VarAdd ; see, the addition is done inside this CALL; step in with F7
66107813 85C0 test eax,eax
66107815 7D 0C jge short MSVBVM60.66107823
Stepping into 6610780D:
771002A9 O> 8BFF mov edi,edi ; MSVBVM60.__vbaVarMove
771002AB 55 push ebp
771002AC 8BEC mov ebp,esp
771002AE 83EC 28 sub esp,28
771002B1 8365 E8 00 and dword ptr ss:[ebp-18],0
771002B5 8365 D8 00 and dword ptr ss:[ebp-28],0
771002B9 53 push ebx
(part omitted)
771002E7 0FB680 AF001077 movzx eax,byte ptr ds:[eax+771000AF]
771002EE FF2485 BBFF0F77 jmp dword ptr ds:[eax*4+770FFFBB]
771002F5 0FBF46 08 movsx eax,word ptr ds:[esi+8] ; on reaching here [esi+8] has its initial value 0, moved into eax
771002F9 0FBF4F 08 movsx ecx,word ptr ds:[edi+8] ; [edi+8]=6C, the ASCII code of the first character of my name, moved into ecx
771002FD 03C1 add eax,ecx ; eax=eax+ecx=0+6C=6C
771002FF 0FBFC8 movsx ecx,ax
77100302 3BC1 cmp eax,ecx
77100304 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
77100307 ^ 0F85 89F8FFFF jnz OLEAUT32.770FFB96 ; after the addition it returns to 00404397
When the loop is done, it jumps to 004043C1:
004043C1 > \8D95 38FEFFFF lea edx,dword ptr ss:[ebp-1C8] ; F8, keep going
004043C7 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
(part omitted)
004044AA > 8B85 30FDFFFF mov eax,dword ptr ss:[ebp-2D0]
004044B0 . 85C0 test eax,eax
004044B2 . 0F84 25010000 je ZHUCE.004045DD
004044B8 . 8B0E mov ecx,dword ptr ds:[esi]
004044BA . 56 push esi
004044BB . FF91 20030000 call dword ptr ds:[ecx+320]
004044C1 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
004044C7 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004044CD . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
004044D3 . 52 push edx
004044D4 . 50 push eax
(part omitted)
0040459B . 83C4 18 add esp,18
0040459E . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004045A1 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
004045A4 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
004045AA . 52 push edx
004045AB . 50 push eax
004045AC . 51 push ecx
004045AD . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd ; another addition; step in with F7
004045B3 . 8BD0 mov edx,eax
004045B5 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004045B8 . FFD7 call edi
004045BA . 8D95 44FDFFFF lea edx,dword ptr ss:[ebp-2BC]
004045C0 . 8D85 54FDFFFF lea eax,dword ptr ss:[ebp-2AC]
004045C6 . 52 push edx
004045C7 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004045CA . 50 push eax
004045CB . 51 push ecx
004045CC . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; MSVBVM60.__vbaVarForNext
004045D2 . 8985 30FDFFFF mov dword ptr ss:[ebp-2D0],eax
004045D8 .^ E9 CDFEFFFF jmp ZHUCE.004044AA
Stepping into 004045AD:
66107801 M> FF7424 04 push dword ptr ss:[esp+4]
66107805 FF7424 0C push dword ptr ss:[esp+C]
66107809 FF7424 14 push dword ptr ss:[esp+14]
6610780D FF15 C0ED1066 call dword ptr ds:[6610EDC0] ; OLEAUT32.VarAdd ; the addition happens here; step in with F7
66107813 85C0 test eax,eax
66107815 7D 0C jge short MSVBVM60.66107823
Stepping into 6610780D as before: this is the same as above, except that it accumulates the ASCII codes of the E-Mail; for mine (lch@163.com) the sum is 6C+63+68+40+31+36+33+2E+63+6F+6D=37E.
When done, it jumps to 004045DD:
004045DD > \DD05 40114000 fld qword ptr ds:[401140]
004045E3 . 833D 00704000 00 cmp dword ptr ds:[407000],0
004045EA . 75 08 jnz short ZHUCE.004045F4
004045EC . DC35 38114000 fdiv qword ptr ds:[401138]
004045F2 . EB 11 jmp short ZHUCE.00404605
(part omitted)
0040466A . 8D85 38FEFFFF lea eax,dword ptr ss:[ebp-1C8]
00404670 . 50 push eax
00404671 . 51 push ecx
00404672 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]; MSVBVM60.__vbaVarMul ; multiplication, step in with F7 (1)
00404678 . 50 push eax ; after computing, continue
00404679 . 8D95 28FEFFFF lea edx,dword ptr ss:[ebp-1D8]
0040467F . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00404685 . 52 push edx
00404686 . 50 push eax
00404687 . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>]; MSVBVM60.__vbaVarSub ; subtraction, step in with F7 (2)
0040468D . 8D8D 18FEFFFF lea ecx,dword ptr ss:[ebp-1E8] ; after computing, continue
00404693 . 50 push eax
00404694 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
0040469A . 51 push ecx
0040469B . 52 push edx
0040469C . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>]; MSVBVM60.__vbaVarDiv ; division, step in with F7 (3)
004046A2 . 50 push eax ; after computing, continue
004046A3 . 8D85 08FEFFFF lea eax,dword ptr ss:[ebp-1F8]
004046A9 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8]
004046AF . 50 push eax
004046B0 . 51 push ecx
004046B1 . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]; MSVBVM60.__vbaVarAdd ; addition, step in with F7 (4)
004046B7 . 50 push eax ; after computing, continue
004046B8 . 8D95 F8FDFFFF lea edx,dword ptr ss:[ebp-208]
004046BE . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-E8]
004046C4 . 52 push edx
004046C5 . 50 push eax
004046C6 . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]; MSVBVM60.__vbaVarAdd ; addition, step in with F7 (5)
004046CC . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8] ; after computing, continue
004046D2 . 50 push eax
004046D3 . 51 push ecx
004046D4 . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>]; MSVBVM60.__vbaVarInt ; this is the integer-truncation operation; the computed value is truncated to an integer (31074)
004046DA . 8BD0 mov edx,eax
004046DC . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-108]
004046E2 . FFD7 call edi
004046E4 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
004046EA . 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004046F0 . 52 push edx
004046F1 . 50 push eax
(part omitted)
0040479E . 8D85 C8FEFFFF lea eax,dword ptr ss:[ebp-138]
004047A4 . 50 push eax
004047A5 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]; MSVBVM60.__vbaVarMul ; multiplication again, step in (6)
004047AB . 8D8D C8FDFFFF lea ecx,dword ptr ss:[ebp-238]
004047B1 . 50 push eax
004047B2 . 8D95 B8FEFFFF lea edx,dword ptr ss:[ebp-148]
004047B8 . 51 push ecx
004047B9 . 52 push edx
004047BA . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>]; MSVBVM60.__vbaVarSub ; subtraction, step in (7)
004047C0 . 50 push eax
004047C1 . 8D85 B8FDFFFF lea eax,dword ptr ss:[ebp-248]
004047C7 . 8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-158]
004047CD . 50 push eax
004047CE . 51 push ecx
004047CF . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>]; MSVBVM60.__vbaVarDiv ; division, step in (8)
004047D5 . 50 push eax
004047D6 . 8D95 A8FDFFFF lea edx,dword ptr ss:[ebp-258]
004047DC . 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-168]
004047E2 . 52 push edx
004047E3 . 50 push eax
004047E4 . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]; MSVBVM60.__vbaVarAdd ; addition, step in (9)
004047EA . 8D8D 98FDFFFF lea ecx,dword ptr ss:[ebp-268]
004047F0 . 50 push eax
004047F1 . 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178]
004047F7 . 51 push ecx
004047F8 . 52 push edx
004047F9 . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]; MSVBVM60.__vbaVarAdd ; addition, step in (10)
004047FF . 50 push eax
00404800 . 8D85 78FEFFFF lea eax,dword ptr ss:[ebp-188]
00404806 . 50 push eax
00404807 . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>]; MSVBVM60.__vbaVarInt ; integer truncation
0040480D . 8BD0 mov edx,eax
0040480F . 8D8D 68FEFFFF lea ecx,dword ptr ss:[ebp-198]
00404815 . FFD7 call edi
00404817 . 8D8D 68FEFFFF lea ecx,dword ptr ss:[ebp-198]
0040481D . 8D95 58FEFFFF lea edx,dword ptr ss:[ebp-1A8]
00404823 . 51 push ecx
00404824 . 52 push edx
00404825 . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
0040482B . 8B3D C4104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
00404831 . 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00404837 . 8D8D E8FDFFFF lea ecx,dword ptr ss:[ebp-218]
0040483D . 50 push eax
0040483E . 8D95 D8FEFFFF lea edx,dword ptr ss:[ebp-128]
00404844 . 51 push ecx
00404845 . 52 push edx
00404846 . FFD7 call edi ; <&MSVBVM60.__vbaVarCat>
00404848 . 50 push eax
00404849 . 8D85 58FEFFFF lea eax,dword ptr ss:[ebp-1A8]
0040484F . 8D8D 48FEFFFF lea ecx,dword ptr ss:[ebp-1B8]
00404855 . 50 push eax
00404856 . 51 push ecx
00404857 . FFD7 call edi
00404859 . 50 push eax
0040485A . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>]; MSVBVM60.__vbaStrVarMove ; on reaching here, step in with F7 (11)
00404860 . 8BD0 mov edx,eax ; eax now holds the real registration code (7962-E8BF); this spot can be used for a memory keygen
00404862 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00404865 . FFD3 call ebx
00404867 . 8D95 48FEFFFF lea edx,dword ptr ss:[ebp-1B8]
Step into (1):
661076A0 M> FF7424 04 push dword ptr ss:[esp+4]
661076A4 FF7424 0C push dword ptr ss:[esp+C]
661076A8 FF7424 14 push dword ptr ss:[esp+14]
661076AC FF15 E0ED1066 call dword ptr ds:[6610EDE0]; OLEAUT32.VarMul ; the multiplication happens here, step in with F7
661076B2 85C0 test eax,eax
661076B4 7D 0C jge short MSVBVM60.661076C2
Stepping into 661076AC:
77169D28 O> 8BFF mov edi,edi
77169D2A 55 push ebp
77169D2B 8BEC mov ebp,esp
77169D2D 83EC 30 sub esp,30
77169D30 8365 E0 00 and dword ptr ss:[ebp-20],0
77169D34 8365 D0 00 and dword ptr ss:[ebp-30],0
(part omitted)
77169E4D E9 AC030000 jmp OLEAUT32.7716A1FE
77169E52 0FB646 08 movzx eax,byte ptr ds:[esi+8]
77169E56 EB 0E jmp short OLEAUT32.77169E66
77169E58 0FBF46 08 movsx eax,word ptr ds:[esi+8]
77169E5C 0FB64F 08 movzx ecx,byte ptr ds:[edi+8]
77169E60 EB 08 jmp short OLEAUT32.77169E6A
77169E62 0FBF46 08 movsx eax,word ptr ds:[esi+8] ; on reaching here [esi+8]=137 (the sum for my registration name), moved into eax
77169E66 0FBF4F 08 movsx ecx,word ptr ds:[edi+8] ; [edi+8]=C8, moved into ecx
77169E6A 0FAFC1 imul eax,ecx ; 137*C8=F2F8
77169E6D 0FBFC8 movsx ecx,ax
77169E70 3BC1 cmp eax,ecx
77169E72 0F85 34030000 jnz OLEAUT32.7716A1AC ; when done, jumps back to 00404678
Step into (2):
6610782A M> FF7424 04 push dword ptr ss:[esp+4]
6610782E FF7424 0C push dword ptr ss:[esp+C]
66107832 FF7424 14 push dword ptr ss:[esp+14]
66107836 FF15 ECED1066 call dword ptr ds:[6610EDEC]; OLEAUT32.VarSub ; the subtraction is done here, step in with F7
6610783C 85C0 test eax,eax
6610783E 7D 0C jge short MSVBVM60.6610784C
Stepping into 66107836:
7710125F O> 8BFF mov edi,edi ; MSVBVM60.__vbaVarMove
77101261 55 push ebp
77101262 8BEC mov ebp,esp
(part omitted)
7710128F 8D04D0 lea eax,dword ptr ds:[eax+edx*8]
77101292 3D F4010000 cmp eax,1F4
77101297 ^ 0F87 A4FCFFFF ja OLEAUT32.77100F41
7710129D 0FB680 65101077 movzx eax,byte ptr ds:[eax+77101065]
771012A4 FF2485 810F1077 jmp dword ptr ds:[eax*4+77100F81]
771012AB 8B76 08 mov esi,dword ptr ds:[esi+8] ; [esi+8]=F2F8 (the product from the multiplication just done), loaded into esi
771012AE 8B7F 08 mov edi,dword ptr ds:[edi+8] ; [edi+8]=3A, loaded into edi
771012B1 8BC6 mov eax,esi
771012B3 2BC7 sub eax,edi ; F2F8-3A=F2BE
771012B5 897D 08 mov dword ptr ss:[ebp+8],edi
771012B8 33FE xor edi,esi
771012BA BB 00000080 mov ebx,80000000
771012BF 85FB test ebx,edi
771012C1 8975 0C mov dword ptr ss:[ebp+C],esi
771012C4 ^ 0F85 A3F9FFFF jnz OLEAUT32.77100C6D
771012CA 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
771012CD 6A 03 push 3
771012CF 8941 08 mov dword ptr ds:[ecx+8],eax
771012D2 5A pop edx
771012D3 8B45 10 mov eax,dword ptr ss:[ebp+10]
771012D6 66:8910 mov word ptr ds:[eax],dx
771012D9 33C0 xor eax,eax
771012DB 5F pop edi
771012DC 5E pop esi
771012DD 5B pop ebx
771012DE C9 leave
771012DF C2 0C00 retn 0C ; after computing, returns to 0040468D
Step into (3):
661076C9 M> FF7424 04 push dword ptr ss:[esp+4]
661076CD FF7424 0C push dword ptr ss:[esp+C]
661076D1 FF7424 14 push dword ptr ss:[esp+14]
661076D5 FF15 CCED1066 call dword ptr ds:[6610EDCC]; OLEAUT32.VarDiv ; the division is done here, step in with F7
661076DB 85C0 test eax,eax
661076DD 7D 0C jge short MSVBVM60.661076EB
Stepping into 661076D5:
77101AAC O> 8BFF mov edi,edi ; MSVBVM60.__vbaVarMove
77101AAE 55 push ebp
77101AAF 8BEC mov ebp,esp
77101AB1 83EC 28 sub esp,28
77101AB4 8365 E8 00 and dword ptr ss:[ebp-18],0
77101AB8 8365 D8 00 and dword ptr ss:[ebp-28],0
77101ABC 53 push ebx
77101ABD 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
77101AC0 56 push esi
77101AC1 8B75 08 mov esi,dword ptr ss:[ebp+8]
77101AC4 57 push edi
77101AC5 BF 00040000 mov edi,400
77101ACA 0FB70B movzx ecx,word ptr ds:[ebx]
77101ACD 83F9 11 cmp ecx,11
77101AD0 0FB706 movzx eax,word ptr ds:[esi]
77101AD3 ^ 0F87 96FAFFFF ja OLEAUT32.7710156F ; jumps
7710176E 8945 0C mov dword ptr ss:[ebp+C],eax ; lands here after the jump
77101771 0F8C A9000000 jl OLEAUT32.77101820
77101777 DD45 F0 fld qword ptr ss:[ebp-10] ; loads F2BE (decimal 62142) onto the FPU stack, st
7710177A DC75 E0 fdiv qword ptr ss:[ebp-20] ; 62142 divided by [ebp-20], which is 2, = 31071
7710177D E9 7D030000 jmp OLEAUT32.77101AFF ; jumps
77101AFF DD55 F8 fst qword ptr ss:[ebp-8]
77101B02 B8 0000F07F mov eax,7FF00000
77101B07 8B4D FC mov ecx,dword ptr ss:[ebp-4]
77101B0A 23C8 and ecx,eax
77101B0C 3BC8 cmp ecx,eax
77101B0E ^ 0F84 6EFCFFFF je OLEAUT32.77101782
77101B14 8B45 10 mov eax,dword ptr ss:[ebp+10]
77101B17 D9C0 fld st
77101B19 DD58 08 fstp qword ptr ds:[eax+8]
77101B1C 66:C700 0500 mov word ptr ds:[eax],5
77101B21 DDD8 fstp st
77101B23 33C0 xor eax,eax
77101B25 5F pop edi
77101B26 5E pop esi
77101B27 5B pop ebx
77101B28 C9 leave
77101B29 C2 0C00 retn 0C ; returns to 004046A2
Stepping into (4) shows its addition is: 31071+2=31073
Stepping into (5) shows its addition is: 31073+1=31074
Stepping into (6) shows the operation is: 37E (the ASCII sum of the E-Mail) * C8 = 2BA70
Stepping into (7) shows the operation is: 2BA70-3A=2BA36
Stepping into (8) shows the operation is: 2BA36 in decimal (178742) / 3 = 59580
Stepping into (9) shows the operation is: 59580+2=59582
Stepping into (10) shows the operation is: 59582+1=59583
Step into (11):
660E0DDB M> 56 push esi
660E0DDC 8B7424 08 mov esi,dword ptr ss:[esp+8]
660E0DE0 66:833E 08 cmp word ptr ds:[esi],8
660E0DE4 74 09 je short MSVBVM60.660E0DEF
660E0DE6 6A 08 push 8
660E0DE8 56 push esi
660E0DE9 56 push esi
660E0DEA E8 B8FBFFFF call MSVBVM60.660E09A7
660E0DEF 66:8326 00 and word ptr ds:[esi],0
660E0DF3 8B46 08 mov eax,dword ptr ds:[esi+8] ; on reaching here, look at the register/data window
Stack ds:[0012F2B8]=00164E6C, (UNICODE "7962-E8BF") ; 7962 in decimal is 31074, E8BF in decimal is 59583
eax=0012F2B0
So the real registration code is the hex value from step (5) followed by the hex value from step (10), joined with a "-".
Step 3: Algorithm summary
1. (sum of the hex ASCII codes of the registration name * C8 - 3A), taken in decimal, / 2 + 2 + 1 = first part of the registration code;
2. (sum of the hex ASCII codes of the E-Mail * C8 - 3A), taken in decimal, / 3 + 2 + 1 = second part of the registration code;
3. first part + "-" + second part = the real registration code
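To check the writeup's arithmetic end to end, here is an added Python re-computation; it is not the author's code nor anything from the program itself. It follows the operation order read from the trace (sum, multiply by C8, subtract 3A, divide, add 2, add 1, then __vbaVarInt, then rtcHexVarFromVar) and keeps every intermediate value so each can be compared with the register contents seen in the debugger. It assumes that __vbaVarInt behaves like VB's Int() (floor, which equals truncation for these positive values) and that Python's unbounded integers match the Variant arithmetic for inputs of this size; the constant names are my own.

```python
"""Re-computation of the registration-code arithmetic derived in the writeup.

Added example; not the author's or the program's code. Constant names and the
helper structure are assumptions, the constants themselves are read from the trace.
"""
import math

MULTIPLIER = 0xC8     # [edi+8] in the VarMul trace (step 1 and step 6)
SUBTRAHEND = 0x3A     # [edi+8] in the VarSub trace (step 2 and step 7)
NAME_DIVISOR = 2.0    # [ebp-20] in the VarDiv trace for the name part (step 3)
MAIL_DIVISOR = 3.0    # divisor observed for the E-Mail part (step 8)


def ascii_sum(text: str) -> int:
    """The 0040428E and 004044AA loops: accumulate the character codes."""
    return sum(ord(ch) for ch in text)


def part(text: str, divisor: float) -> dict:
    """Carry one input through the chain, keeping intermediates for comparison
    with the trace: sum -> *C8 -> -3A -> /divisor -> +2 -> +1 -> Int -> hex."""
    total = ascii_sum(text)
    product = total * MULTIPLIER          # __vbaVarMul
    diff = product - SUBTRAHEND           # __vbaVarSub
    quotient = diff / divisor             # __vbaVarDiv (fdiv, floating point)
    # __vbaVarInt runs after the two __vbaVarAdd calls; assumed to floor like VB Int()
    value = math.floor(quotient + 2 + 1)
    return {
        "sum": total,
        "product": product,
        "diff": diff,
        "quotient": quotient,
        "value": value,
        "hex": format(value, "X"),        # rtcHexVarFromVar: uppercase hex, no padding
    }


def registration_code(name: str, email: str) -> str:
    """__vbaVarCat joins the two hex parts with a "-"."""
    return f"{part(name, NAME_DIVISOR)['hex']}-{part(email, MAIL_DIVISOR)['hex']}"


if __name__ == "__main__":
    # The writeup's own sample input, so each intermediate can be checked
    # against the values annotated in the trace (137, F2F8, F2BE, 31074, ...).
    for label, text, divisor in (("name", "lch", NAME_DIVISOR),
                                 ("email", "lch@163.com", MAIL_DIVISOR)):
        p = part(text, divisor)
        print(f"{label}: sum={p['sum']:X} product={p['product']:X} diff={p['diff']:X} "
              f"quotient={p['quotient']} value={p['value']} hex={p['hex']}")
    print(registration_code("lch", "lch@163.com"))
```

Running it with the writeup's sample input reproduces every intermediate annotated in the trace (137, F2F8, F2BE, 31071, 31074 and 37E, 2BA70, 2BA36, 59580, 59583) and the final string "7962-E8BF", which confirms that the summary above reads the operation order correctly.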
My registration information:
Name: lch
E-Mail: lch@163.com
Registration code: 7962-E8BF
If the registration code is correct, the program writes your registration information into C:\WINDOWS\WIN.INI.
This program's whole algorithm runs inside the runtime library. VB programs are really tiring to read, with far too much junk code. Writing this article took two hours, but it is finally done; it is already 2 AM. Time to call it a night!