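Software: Concise Statistics Processor (简明统计学处理器)
Purpose: A very handy little statistics program.
Note: The unregistered version has a limit on the number of items.
Tools: PeID v0.92, W32dasm (无极版), GetVBRes v0.51, Ollydbg v1.10
Cracker: wit
This is my first work and also my first cracking write-up. Thanks to Kanxue (看雪), thanks to Heiji (黑基), thanks to kcarhc.
After installing, I opened the program and tried to register; a dialog popped up: “注册不成功!” ("Registration failed!")
Checked it with PeID v0.92: fortunately, it is not packed.
Loaded it in W32dasm (无极版) and found that the strings were displayed as garbage. PeID v0.92 reports the language as VB, so I used GetVBRes v0.51 to change “注册不成功” to “111111”.
Loaded it in W32dasm (无极版) again and arrived here: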
:004276A4 FF1590114000 Call dword ptr [00401190]
:004276AA E996000000 jmp 00427745
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004273DA(C)
|
:004276AF B904000280 mov ecx, 80020004
:004276B4 B80A000000 mov eax, 0000000A
:004276B9 898D5CFFFFFF mov dword ptr [ebp+FFFFFF5C], ecx
:004276BF 898D6CFFFFFF mov dword ptr [ebp+FFFFFF6C], ecx
:004276C5 898D7CFFFFFF mov dword ptr [ebp+FFFFFF7C], ecx
:004276CB 8D9544FFFFFF lea edx, dword ptr [ebp+FFFFFF44]
:004276D1 8D4D84 lea ecx, dword ptr [ebp-7C]
:004276D4 898554FFFFFF mov dword ptr [ebp+FFFFFF54], eax
:004276DA 898564FFFFFF mov dword ptr [ebp+FFFFFF64], eax
:004276E0 898574FFFFFF mov dword ptr [ebp+FFFFFF74], eax
* Possible StringData Ref from Code Obj ->"1111111"
|
:004276E6 C7854CFFFFFFC8914000 mov dword ptr [ebp+FFFFFF4C], 004091C8
:004276F0 C78544FFFFFF08000000 mov dword ptr [ebp+FFFFFF44], 00000008
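Following the experience described in the tutorials I studied, I looked upward: not far above there is a jump, and the registration-error dialog is triggered by that jump.
Go to 004273DA: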
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:004273CE FF1528104000 Call dword ptr [00401028]
:004273D4 83C40C add esp, 0000000C
:004273D7 6685F6 test si, si
:004273DA 0F84CF020000 je 004276AF ; key jump: taken if equal
:004273E0 A124944200 mov eax, dword ptr [00429424]
:004273E5 85C0 test eax, eax
Let's look further up:
:00427361 FF92A0000000 call dword ptr [edx+000000A0]
:00427367 DBE2 fclex
:00427369 85C0 test eax, eax
:0042736B 7D12 jge 0042737F
:0042736D 68A0000000 push 000000A0
* Possible StringData Ref from Code Obj ->"嵛????"
|
:00427372 6880874000 push 00408780
:00427377 56 push esi
:00427378 50 push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00427379 FF1554104000 Call dword ptr [00401054]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042736B(C)
|
:0042737F 8B45A8 mov eax, dword ptr [ebp-58] ; another jump
:00427382 8D4D84 lea ecx, dword ptr [ebp-7C]
:00427385 8D9574FFFFFF lea edx, dword ptr [ebp+FFFFFF74]
:0042738B 51 push ecx
:0042738C 52 push edx
The program gets to 0042737F by the jump at 0042736B.
Going further up, we arrive at:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427191(C) ; another jump; I suspect the code below computes the registration code.
|
:00427231 8B4DAC mov ecx, dword ptr [ebp-54] ; set a breakpoint here
:00427234 51 push ecx
* Reference To: MSVBVM60.__vbaR8Str, Ord:0000h
|
:00427235 FF1528114000 Call dword ptr [00401128]
Load the program in Ollydbg v1.10.
Register with username: wit, registration code 12121212, and click Register; the program breaks at 00427231. Press F8.
004272C9 . FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrR8>; MSVBVM60.__vbaStrR8
004272CF . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C] ; here the EAX register shows EAX 00436D78 UNICODE "3889568914"
004272D2 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
004272D5 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX ; here the EAX register shows EAX 00436D78 UNICODE "3889568914", which I guess is the correct registration code.
004272D8 . C745 84 080000>MOV DWORD PTR SS:[EBP-7C],8
004272DF . FFD6 CALL ESI
004272E1 . B8 02000000 MOV EAX,2
From here down, the computed registration code should be compared with the one that was entered:
0042737F > 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00427382 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
00427385 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0042738B . 51 PUSH ECX
0042738C . 52 PUSH EDX
0042738D . C745 A8 000000>MOV DWORD PTR SS:[EBP-58],0
00427394 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00427397 . C745 84 080000>MOV DWORD PTR SS:[EBP-7C],8
0042739E . FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
004273A4 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
004273AA . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
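Registering with "3889568914" still shows “注册不成功” ("Registration failed"). Frustrating...
After repeated attempts, when the fifth digit "5" was changed to a hyphen "-", it showed that registration succeeded.
I could not complete a keygen. Frustrating...
Right now England and Trinidad and Tobago are locked in a fierce match, Rooney has come on, and it is 0:0. I am off to watch the game too. I will review this again tomorrow.
Since this is my very first piece, experts please don't laugh, and please give me plenty of guidance.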