【Title】: Crossing swords with a small program by the "Plugin Prince"
【Author】: KuNgBiM{BCG}{DFCG}{DCM}{DCT}{SLT}
【Author's e-mail】: kungbim@163.com
【Software】: 多国语言互译专家 2006 V3.9 (Multilingual Translation Expert 2006 V3.9)
【Size】: 2634 KB
【Category】: Chinese software / Shareware / Conversion & translation
【Download】: http://www.skycn.com/soft/26044.html
【Updated】: 2006-06-16
【Description】: A fast, convenient, efficient and accurate mini instant-translation tool. It uses fast dynamic online translation technology to help you translate short texts. A quick and efficient multilingual translation program: besides English-Chinese and Traditional-Simplified conversion, it translates between 12 languages including Dutch, French, German, Italian, Japanese, Korean, Portuguese, Russian and Greek, and includes text-to-speech reading. Tiny in size yet powerful, it makes your work more efficient and effortless, beyond your imagination! It is also the best choice for translating short articles.
【Protection】: Trial-count limit + nag box + self-check + anti-debugger
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Compiler】: Microsoft Visual Basic 5.0 / 6.0
【Environment】: Win2K3, PEiD, Ollydbg
【Date】: 2006-06-17
【Purpose】: N/A
【Author's note】: I'm new to cracking and doing this purely out of interest, with no other purpose. Where I've slipped up, I welcome corrections from the experts!
―――――――――――――――――――――――――――――――――
He lives up to his name as China's well-known "Plugin Prince": after extracting the package I found two plugins inside, but no main program? There was only a file named hyfy.idt. Could "hyfy.idt" actually be "hyfy.exe"? Changed the extension, and indeed it is!
Load it and unpack:
0042A001 > 60 pushad ; EP(ASPack)
0042A002 E8 03000000 call hyfy.0042A00A
0042A007 - E9 EB045D45 jmp 459FA4F7
0042A00C 55 push ebp
0042A00D C3 retn
0042A00E E8 01000000 call hyfy.0042A014
0042A013 EB 5D jmp short hyfy.0042A072
0042A015 BB EDFFFFFF mov ebx,-13
0042A01A 03DD add ebx,ebp
-------------------------
ASPack unpacking tip:
Ctrl + S // search for a command sequence
Search for:
push 0
retn // set a breakpoint here (it returns to the OEP)
-------------------------
Using the tip above, we find:
0042A3BA 68 00000000 push 0
0042A3BF C3 retn ; set a breakpoint here; F9 to break, then F8 steps into the OEP
We arrive at the program's OEP:
00402898 68 54454000 push hyfy.00404554 ; OEP, dump the process here~~~
0040289D E8 EEFFFFFF call hyfy.00402890 ; jmp to msvbvm60.ThunRTMain
004028A2 0000 add byte ptr ds:[eax],al
004028A4 0000 add byte ptr ds:[eax],al
004028A6 0000 add byte ptr ds:[eax],al
004028A8 3000 xor byte ptr ds:[eax],al
004028AA 0000 add byte ptr ds:[eax],al
004028AC 3800 cmp byte ptr ds:[eax],al
004028AE 0000 add byte ptr ds:[eax],al
004028B0 0000 add byte ptr ds:[eax],al
Because the program is written in VB, the import table's function pointers only need msvbvm60.dll; the one leftover invalid pointer is simply cut!!
After repairing the dump and running the unpacked program, it flashes and vanishes~~~ Oh? This program has a self-check too? As expected of a "Plugin Prince" production....
For a VB program, exiting is nothing more than sending an End command to the runtime, and this program is no different.
A rough check shows it was compiled to native code rather than P-code, which for us is a silver lining.
Tip: the function VB uses to end a program is "__vbaEnd"
Set a breakpoint from the command line: bpx __vbaEnd
00413181 85C0 test eax,eax
00413183 74 12 je short dumped_.00413197 ; ★ if this jump is taken, the program will not be forcibly terminated ★
00413185 C745 FC 05000000 mov dword ptr ss:[ebp-4],5
0041318C FF15 34104000 call dword ptr ds:[<&msvbvm60.__vbaE>; msvbvm60.__vbaEnd // we break here
00413192 E9 7A5C0000 jmp dumped_.00418E11
00413197 C745 FC 08000000 mov dword ptr ss:[ebp-4],8
0041319E 833D BC684200 00 cmp dword ptr ds:[4268BC],0
004131A5 75 1C jnz short dumped_.004131C3
★ Patch: 00413183 74 12 je short dumped_.00413197 ; change to jmp 00413197 ★
Save and check: good, the program no longer disobediently quits on its own````
Next to deal with is its 30-use trial limit.
Tip: in VB programs, the function most commonly used for comparison checks is "__vbaStrCmp"
Set a breakpoint from the command line: bpx __vbaStrCmp
While running, the breaks showed that the program also has anti-debug functionality; luckily I'm using a modified build of OD, so it couldn't stop me from continuing the analysis.
So everyone can see it clearly, I'll list it out~
00420979 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
0042097F 8BF0 mov esi,eax
00420981 F7DE neg esi
00420983 1BF6 sbb esi,esi
00420985 46 inc esi
00420986 F7DE neg esi
00420988 6A 0A push 0A
0042098A 8B55 C8 mov edx,dword ptr ss:[ebp-38]
0042098D 52 push edx
0042098E FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420994 8BD0 mov edx,eax
00420996 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00420999 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
0042099F 50 push eax
004209A0 68 FC9C4000 push dumped_.00409CFC ; UNICODE "procdump32" // detection string
004209A5 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
004209AB F7D8 neg eax
004209AD 1BC0 sbb eax,eax
004209AF 40 inc eax
004209B0 F7D8 neg eax
004209B2 66:0BF0 or si,ax
004209B5 6A 06 push 6
004209B7 8B45 C0 mov eax,dword ptr ss:[ebp-40]
004209BA 50 push eax
004209BB FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
004209C1 8BD0 mov edx,eax
004209C3 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004209C6 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
004209CC 50 push eax
004209CD 68 189D4000 push dumped_.00409D18
004209D2 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
004209D8 F7D8 neg eax
004209DA 1BC0 sbb eax,eax
004209DC 40 inc eax
004209DD F7D8 neg eax
004209DF 66:0BF0 or si,ax
004209E2 6A 0D push 0D
004209E4 8B4D B8 mov ecx,dword ptr ss:[ebp-48]
004209E7 51 push ecx
004209E8 FF15 0C124000 call dword ptr ds:[<&msvbvm60.rtcRig>; msvbvm60.rtcRightCharBstr
004209EE 8BD0 mov edx,eax
004209F0 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004209F3 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
004209F9 50 push eax
004209FA 68 2C9D4000 push dumped_.00409D2C ; UNICODE "symbol loader" // detection string
004209FF FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420A05 F7D8 neg eax
00420A07 1BC0 sbb eax,eax
00420A09 40 inc eax
00420A0A F7D8 neg eax
00420A0C 66:0BF0 or si,ax
00420A0F 6A 06 push 6
00420A11 8B55 B0 mov edx,dword ptr ss:[ebp-50]
00420A14 52 push edx
00420A15 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420A1B 8BD0 mov edx,eax
00420A1D 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00420A20 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420A26 50 push eax
00420A27 68 4C9D4000 push dumped_.00409D4C ; UNICODE "-=chin" // detection string
00420A2C FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420A32 F7D8 neg eax
00420A34 1BC0 sbb eax,eax
00420A36 40 inc eax
00420A37 F7D8 neg eax
00420A39 66:0BF0 or si,ax
00420A3C 6A 08 push 8
00420A3E 8B45 A8 mov eax,dword ptr ss:[ebp-58]
00420A41 50 push eax
00420A42 FF15 0C124000 call dword ptr ds:[<&msvbvm60.rtcRig>; msvbvm60.rtcRightCharBstr
00420A48 8BD0 mov edx,eax
00420A4A 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00420A4D FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420A53 50 push eax
00420A54 68 609D4000 push dumped_.00409D60 ; UNICODE "vbparser" // detection string
00420A59 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420A5F F7D8 neg eax
00420A61 1BC0 sbb eax,eax
00420A63 40 inc eax
00420A64 F7D8 neg eax
00420A66 66:0BF0 or si,ax
00420A69 6A 06 push 6
00420A6B 8B4D A0 mov ecx,dword ptr ss:[ebp-60]
00420A6E 51 push ecx
00420A6F FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420A75 8BD0 mov edx,eax
00420A77 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00420A7A FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420A80 50 push eax
00420A81 68 789D4000 push dumped_.00409D78
00420A86 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420A8C F7D8 neg eax
00420A8E 1BC0 sbb eax,eax
00420A90 40 inc eax
00420A91 F7D8 neg eax
00420A93 66:0BF0 or si,ax
00420A96 6A 08 push 8
00420A98 8B55 98 mov edx,dword ptr ss:[ebp-68]
00420A9B 52 push edx
00420A9C FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420AA2 8BD0 mov edx,eax
00420AA4 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00420AA7 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420AAD 50 push eax
00420AAE 68 8C9D4000 push dumped_.00409D8C ; UNICODE "p-code l" // detection string
00420AB3 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420AB9 F7D8 neg eax
00420ABB 1BC0 sbb eax,eax
00420ABD 40 inc eax
00420ABE F7D8 neg eax
00420AC0 66:0BF0 or si,ax
00420AC3 6A 06 push 6
00420AC5 8B45 90 mov eax,dword ptr ss:[ebp-70]
00420AC8 50 push eax
00420AC9 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420ACF 8BD0 mov edx,eax
00420AD1 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00420AD4 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420ADA 50 push eax
00420ADB 68 A49D4000 push dumped_.00409DA4 ; UNICODE "resspy" // detection string
00420AE0 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420AE6 F7D8 neg eax
00420AE8 1BC0 sbb eax,eax
00420AEA 40 inc eax
00420AEB F7D8 neg eax
00420AED 66:0BF0 or si,ax
00420AF0 6A 07 push 7
00420AF2 8B4D 88 mov ecx,dword ptr ss:[ebp-78]
00420AF5 51 push ecx
00420AF6 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420AFC 8BD0 mov edx,eax
00420AFE 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00420B01 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420B07 50 push eax
00420B08 68 B89D4000 push dumped_.00409DB8 ; UNICODE "trw2000" // detection string
00420B0D FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420B13 F7D8 neg eax
00420B15 1BC0 sbb eax,eax
00420B17 40 inc eax
00420B18 F7D8 neg eax
00420B1A 66:0BF0 or si,ax
00420B1D 6A 0C push 0C
00420B1F 8B55 80 mov edx,dword ptr ss:[ebp-80]
00420B22 52 push edx
00420B23 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420B29 8BD0 mov edx,eax
00420B2B 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
00420B31 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420B37 50 push eax
00420B38 68 CC9D4000 push dumped_.00409DCC ; UNICODE "ursoft w32da" // detection string
00420B3D FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420B43 F7D8 neg eax
00420B45 1BC0 sbb eax,eax
00420B47 40 inc eax
00420B48 F7D8 neg eax
00420B4A 66:0BF0 or si,ax
00420B4D 6A 07 push 7
00420B4F 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-88]
00420B55 50 push eax
00420B56 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420B5C 8BD0 mov edx,eax
00420B5E 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00420B64 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420B6A 50 push eax
00420B6B 68 EC9D4000 push dumped_.00409DEC ; UNICODE "numega " // detection string
00420B70 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420B76 F7D8 neg eax
00420B78 1BC0 sbb eax,eax
00420B7A 40 inc eax
00420B7B F7D8 neg eax
00420B7D 66:0BF0 or si,ax
00420B80 6A 07 push 7
00420B82 8B8D 70FFFFFF mov ecx,dword ptr ss:[ebp-90]
00420B88 51 push ecx
00420B89 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420B8F 8BD0 mov edx,eax
00420B91 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
00420B97 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420B9D 50 push eax
00420B9E 68 009E4000 push dumped_.00409E00 ; UNICODE "smartch" // detection string
00420BA3 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420BA9 F7D8 neg eax
00420BAB 1BC0 sbb eax,eax
00420BAD 40 inc eax
00420BAE F7D8 neg eax
00420BB0 66:0BF0 or si,ax
00420BB3 6A 06 push 6
00420BB5 8B95 68FFFFFF mov edx,dword ptr ss:[ebp-98]
00420BBB 52 push edx
00420BBC FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420BC2 8BD0 mov edx,eax
00420BC4 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00420BCA FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420BD0 50 push eax
00420BD1 68 149E4000 push dumped_.00409E14 ; UNICODE "winhex" // detection string
00420BD6 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420BDC F7D8 neg eax
00420BDE 1BC0 sbb eax,eax
00420BE0 40 inc eax
00420BE1 F7D8 neg eax
00420BE3 66:0BF0 or si,ax
00420BE6 6A 07 push 7
00420BE8 8B85 60FFFFFF mov eax,dword ptr ss:[ebp-A0]
00420BEE 50 push eax
00420BEF FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420BF5 8BD0 mov edx,eax
00420BF7 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4]
00420BFD FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420C03 50 push eax
00420C04 68 289E4000 push dumped_.00409E28 ; UNICODE "ollydbg" // detection string
00420C09 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420C0F F7D8 neg eax
00420C11 1BC0 sbb eax,eax
00420C13 40 inc eax
00420C14 F7D8 neg eax
00420C16 66:0BF0 or si,ax
00420C19 6A 05 push 5
00420C1B 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-A8]
00420C21 51 push ecx
00420C22 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420C28 8BD0 mov edx,eax
00420C2A 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC]
00420C30 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420C36 50 push eax
00420C37 68 3C9E4000 push dumped_.00409E3C ; UNICODE "wktvb" // detection string
00420C3C FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420C42 F7D8 neg eax
00420C44 1BC0 sbb eax,eax
00420C46 40 inc eax
00420C47 F7D8 neg eax
00420C49 66:0BF0 or si,ax
00420C4C 6A 09 push 9
00420C4E 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-B0]
00420C54 52 push edx
00420C55 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420C5B 8BD0 mov edx,eax
00420C5D 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-B4]
00420C63 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420C69 50 push eax
00420C6A 68 4C9E4000 push dumped_.00409E4C ; UNICODE "vb p-code" // detection string
00420C6F FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420C75 F7D8 neg eax
00420C77 1BC0 sbb eax,eax
00420C79 40 inc eax
00420C7A F7D8 neg eax
00420C7C 66:0BF0 or si,ax
00420C7F 6A 07 push 7
00420C81 8B85 48FFFFFF mov eax,dword ptr ss:[ebp-B8]
00420C87 50 push eax
00420C88 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420C8E 8BD0 mov edx,eax
00420C90 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-BC]
00420C96 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420C9C 50 push eax
00420C9D 68 B89C4000 push dumped_.00409CB8 ; UNICODE "regsnap" // detection string
00420CA2 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420CA8 F7D8 neg eax
00420CAA 1BC0 sbb eax,eax
00420CAC 40 inc eax
00420CAD F7D8 neg eax
00420CAF 66:0BF0 or si,ax
00420CB2 6A 07 push 7
00420CB4 8B8D 40FFFFFF mov ecx,dword ptr ss:[ebp-C0]
00420CBA 51 push ecx
00420CBB FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420CC1 8BD0 mov edx,eax
00420CC3 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4]
00420CC9 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420CCF 50 push eax
00420CD0 68 CC9C4000 push dumped_.00409CCC ; UNICODE "regshot" // detection string
00420CD5 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420CDB F7D8 neg eax
00420CDD 1BC0 sbb eax,eax
00420CDF 40 inc eax
00420CE0 F7D8 neg eax
00420CE2 66:0BF0 or si,ax
00420CE5 6A 0B push 0B
00420CE7 8B95 38FFFFFF mov edx,dword ptr ss:[ebp-C8]
00420CED 52 push edx
00420CEE FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420CF4 8BD0 mov edx,eax
00420CF6 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
00420CFC FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420D02 50 push eax
00420D03 68 649E4000 push dumped_.00409E64 ; UNICODE "registry sh" // detection string
00420D08 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420D0E F7D8 neg eax
00420D10 1BC0 sbb eax,eax
00420D12 40 inc eax
00420D13 F7D8 neg eax
00420D15 66:0BF0 or si,ax
00420D18 6A 06 push 6
00420D1A 8B85 30FFFFFF mov eax,dword ptr ss:[ebp-D0]
00420D20 50 push eax
00420D21 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420D27 8BD0 mov edx,eax
00420D29 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
00420D2F FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420D35 50 push eax
00420D36 68 809E4000 push dumped_.00409E80 ; UNICODE "vbrezq" // detection string
00420D3B FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420D41 F7D8 neg eax
00420D43 1BC0 sbb eax,eax
00420D45 40 inc eax
00420D46 F7D8 neg eax
00420D48 66:0BF0 or si,ax
00420D4B 6A 0A push 0A
00420D4D 8B8D 28FFFFFF mov ecx,dword ptr ss:[ebp-D8]
00420D53 51 push ecx
00420D54 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420D5A 8BD0 mov edx,eax
00420D5C 8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
00420D62 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420D68 50 push eax
00420D69 68 949E4000 push dumped_.00409E94 ; UNICODE "vbexplorer" // detection string
00420D6E FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420D74 F7D8 neg eax
00420D76 1BC0 sbb eax,eax
00420D78 40 inc eax
00420D79 F7D8 neg eax
00420D7B 66:0BF0 or si,ax
00420D7E 6A 04 push 4
00420D80 8B95 20FFFFFF mov edx,dword ptr ss:[ebp-E0]
00420D86 52 push edx
00420D87 FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420D8D 8BD0 mov edx,eax
00420D8F 8D8D 1CFFFFFF lea ecx,dword ptr ss:[ebp-E4]
00420D95 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420D9B 50 push eax
00420D9C 68 B09E4000 push dumped_.00409EB0 ; UNICODE "wpe " // detection string
00420DA1 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00420DA7 F7D8 neg eax
00420DA9 1BC0 sbb eax,eax
00420DAB 40 inc eax
00420DAC F7D8 neg eax
00420DAE 66:0BF0 or si,ax
00420DB1 6A 06 push 6
00420DB3 8B85 18FFFFFF mov eax,dword ptr ss:[ebp-E8]
00420DB9 50 push eax
00420DBA FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
00420DC0 8BD0 mov edx,eax
00420DC2 8D8D 14FFFFFF lea ecx,dword ptr ss:[ebp-EC]
00420DC8 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00420DCE 50 push eax
00420DCF 68 C09E4000 push dumped_.00409EC0
00420DD4 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
All the strings listed above are the program's checks for target tools; once one is detected.... heh heh.... you may as well shut down and go to sleep~~~
Tip:
Because we found earlier that the program's usage-count limit works by checking one value in the registry to decide whether it is registered, I won't keep you in suspense, I'll just tell you: if you're interested, watch how the value "jiv1" under the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\QQPP" changes.
Continuing from above:
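To read the listing above without stepping through every block by hand, here is an added Python example (my own, not code from the write-up) that reconstructs each Left$/Right$ + __vbaStrCmp check from the listing, re-implements the neg/sbb/inc/neg idiom that turns the compare result into a VB Boolean, and evaluates the resulting OR-chain the way the binary does. The embedded excerpt is constructed from lines of the listing; which locals hold the compared strings is not shown there, so the lower-cased-title assumption is mine.

```python
"""Reconstruct the tool-name blacklist from the OllyDbg listing above.

Every comparison compiles to the same shape: push N; call rtcLeft/RightCharBstr;
push <addr> ; UNICODE "name"; call __vbaStrCmp (0 when equal); then
neg eax / sbb eax,eax / inc eax / neg eax (0 -> -1, i.e. VB True); or si,ax.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MASK = 0xFFFFFFFF


@dataclass
class Check:
    side: str              # "Left" or "Right"
    length: int            # immediate pushed before rtcLeft/RightCharBstr
    needle: Optional[str]  # None when OllyDbg showed no UNICODE comment
    addr: str              # address of the string constant that was pushed


PUSH_IMM8 = re.compile(r"^[0-9A-F]{8}\s+6A\s+([0-9A-F]{2})\s+push\b", re.I)
LEFT_RIGHT = re.compile(r"rtc(Left|Right)CharBstr")
PUSH_STR = re.compile(r'push\s+\w+\.([0-9A-F]{8})(?:.*UNICODE "([^"]*)")?', re.I)
STRCMP = re.compile(r"__vbaStrCmp")


def parse_checks(listing: str) -> List[Check]:
    """Collect one Check per Left$/Right$ + __vbaStrCmp pair in the listing."""
    checks: List[Check] = []
    length = side = needle = addr = None
    for line in listing.splitlines():
        if m := PUSH_IMM8.match(line):
            length = int(m.group(1), 16)
        elif m := LEFT_RIGHT.search(line):
            side = m.group(1)
        elif (m := PUSH_STR.search(line)) and side is not None:
            addr, needle = m.group(1), m.group(2)
        elif STRCMP.search(line) and side is not None and length is not None:
            checks.append(Check(side, length, needle, addr))
            length = side = needle = addr = None  # start the next block clean
    return checks


def length_mismatches(checks: List[Check]) -> List[Check]:
    """Checks whose pushed length differs from len(constant); the listing has none."""
    return [c for c in checks if c.needle is not None and len(c.needle) != c.length]


def neg_sbb_inc_neg(eax: int) -> int:
    """The four-instruction idiom after each __vbaStrCmp, on a 32-bit register."""
    eax &= MASK
    cf = 1 if eax else 0           # NEG sets CF when its operand is non-zero
    eax = (-eax) & MASK
    eax = (eax - eax - cf) & MASK  # SBB eax,eax leaves -CF
    eax = (eax + 1) & MASK
    return (-eax) & MASK           # 0xFFFFFFFF (VB True) only if input was 0


def blacklisted(subject: str, checks: List[Check]) -> bool:
    """OR of all prefix/suffix matches, exactly as the listing accumulates them.

    Assumption (not visible in the listing): the compared locals already hold
    lower-cased strings, so the constants are matched case-sensitively.
    """
    si = 0
    for c in checks:
        if c.needle is None:       # constant not shown in the listing; skip
            continue
        if c.side == "Left":
            piece = subject[:c.length]
        else:
            piece = subject[-c.length:] if c.length else ""
        strcmp = 0 if piece == c.needle else 1
        si |= neg_sbb_inc_neg(strcmp) & 0xFFFF  # or si,ax is a 16-bit OR
    return si != 0


# Constructed excerpt: lines copied from the listing above, intermediate ones omitted.
SAMPLE_LISTING = """\
00420988 6A 0A push 0A
0042098E FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
004209A0 68 FC9C4000 push dumped_.00409CFC ; UNICODE "procdump32"
004209A5 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
004209B5 6A 06 push 6
004209BB FF15 EC114000 call dword ptr ds:[<&msvbvm60.rtcLef>; msvbvm60.rtcLeftCharBstr
004209CD 68 189D4000 push dumped_.00409D18
004209D2 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
004209E2 6A 0D push 0D
004209E8 FF15 0C124000 call dword ptr ds:[<&msvbvm60.rtcRig>; msvbvm60.rtcRightCharBstr
004209FA 68 2C9D4000 push dumped_.00409D2C ; UNICODE "symbol loader"
004209FF FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
"""
```

Running `parse_checks` over the full listing from the write-up gives the complete set of 20 named constants plus the three whose text OllyDbg did not print; `length_mismatches` stays empty, which confirms each check is a plain fixed-length prefix or suffix compare.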
00417D15 51 push ecx
00417D16 68 288C4000 push dumped_.00408C28
00417D1B FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCmp
00417D21 85C0 test eax,eax
00417D23 0F85 51010000 jnz dumped_.00417E7A ; ★ this jumps to the check of the registry value mentioned above ★
00417D29 C745 FC 7E000000 mov dword ptr ss:[ebp-4],7E
00417D30 8B55 08 mov edx,dword ptr ss:[ebp+8]
00417D33 8B02 mov eax,dword ptr ds:[edx]
00417D35 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00417D38 51 push ecx
00417D39 FF90 2C030000 call dword ptr ds:[eax+32C]
00417D3F 50 push eax
00417D40 8D55 90 lea edx,dword ptr ss:[ebp-70]
00417D43 52 push edx
00417D44 FF15 90104000 call dword ptr ds:[<&msvbvm60.__vbaO>; msvbvm60.__vbaObjSet
00417D4A 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00417D50 68 187D4000 push dumped_.00407D18 ; UNICODE "89"
00417D55 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-154]
00417D5B 8B08 mov ecx,dword ptr ds:[eax]
00417D5D 8B95 ACFEFFFF mov edx,dword ptr ss:[ebp-154]
00417D63 52 push edx
00417D64 FF51 54 call dword ptr ds:[ecx+54]
00417D67 DBE2 fclex
00417D69 8985 A8FEFFFF mov dword ptr ss:[ebp-158],eax
00417D6F 83BD A8FEFFFF 00 cmp dword ptr ss:[ebp-158],0
00417D76 7D 23 jge short dumped_.00417D9B
00417D78 6A 54 push 54
00417D7A 68 4C7B4000 push dumped_.00407B4C
00417D7F 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-154]
00417D85 50 push eax
00417D86 8B8D A8FEFFFF mov ecx,dword ptr ss:[ebp-158]
00417D8C 51 push ecx
00417D8D FF15 70104000 call dword ptr ds:[<&msvbvm60.__vbaH>; msvbvm60.__vbaHresultCheckObj
00417D93 8985 70FBFFFF mov dword ptr ss:[ebp-490],eax
00417D99 EB 0A jmp short dumped_.00417DA5
00417D9B C785 70FBFFFF 00>mov dword ptr ss:[ebp-490],0
00417DA5 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
00417DA8 FF15 38124000 call dword ptr ds:[<&msvbvm60.__vbaF>; msvbvm60.__vbaFreeObj
00417DAE C745 FC 7F000000 mov dword ptr ss:[ebp-4],7F
00417DB5 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
00417DB8 52 push edx
00417DB9 8B45 08 mov eax,dword ptr ss:[ebp+8]
00417DBC 8B08 mov ecx,dword ptr ds:[eax]
00417DBE 8B55 08 mov edx,dword ptr ss:[ebp+8]
00417DC1 52 push edx
00417DC2 FF51 50 call dword ptr ds:[ecx+50]
00417DC5 DBE2 fclex
00417DC7 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00417DCD 83BD ACFEFFFF 00 cmp dword ptr ss:[ebp-154],0
00417DD4 7D 20 jge short dumped_.00417DF6
00417DD6 6A 50 push 50
00417DD8 68 24714000 push dumped_.00407124
00417DDD 8B45 08 mov eax,dword ptr ss:[ebp+8]
00417DE0 50 push eax
00417DE1 8B8D ACFEFFFF mov ecx,dword ptr ss:[ebp-154]
00417DE7 51 push ecx
00417DE8 FF15 70104000 call dword ptr ds:[<&msvbvm60.__vbaH>; msvbvm60.__vbaHresultCheckObj
00417DEE 8985 6CFBFFFF mov dword ptr ss:[ebp-494],eax
00417DF4 EB 0A jmp short dumped_.00417E00
00417DF6 C785 6CFBFFFF 00>mov dword ptr ss:[ebp-494],0
00417E00 8B55 A4 mov edx,dword ptr ss:[ebp-5C]
00417E03 52 push edx
00417E04 68 588A4000 push dumped_.00408A58
00417E09 FF15 5C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCat
00417E0F 8BD0 mov edx,eax
00417E11 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00417E14 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00417E1A 50 push eax
00417E1B 8B45 08 mov eax,dword ptr ss:[ebp+8]
00417E1E 8B08 mov ecx,dword ptr ds:[eax]
00417E20 8B55 08 mov edx,dword ptr ss:[ebp+8]
00417E23 52 push edx
00417E24 FF51 54 call dword ptr ds:[ecx+54]
00417E27 DBE2 fclex
00417E29 8985 A8FEFFFF mov dword ptr ss:[ebp-158],eax
00417E2F 83BD A8FEFFFF 00 cmp dword ptr ss:[ebp-158],0
00417E36 7D 20 jge short dumped_.00417E58
00417E38 6A 54 push 54
00417E3A 68 24714000 push dumped_.00407124
00417E3F 8B45 08 mov eax,dword ptr ss:[ebp+8]
00417E42 50 push eax
00417E43 8B8D A8FEFFFF mov ecx,dword ptr ss:[ebp-158]
00417E49 51 push ecx
00417E4A FF15 70104000 call dword ptr ds:[<&msvbvm60.__vbaH>; msvbvm60.__vbaHresultCheckObj
00417E50 8985 68FBFFFF mov dword ptr ss:[ebp-498],eax
00417E56 EB 0A jmp short dumped_.00417E62
00417E58 C785 68FBFFFF 00>mov dword ptr ss:[ebp-498],0
00417E62 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00417E65 52 push edx
00417E66 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00417E69 50 push eax
00417E6A 6A 02 push 2
00417E6C FF15 A0114000 call dword ptr ds:[<&msvbvm60.__vbaF>; msvbvm60.__vbaFreeStrList
00417E72 83C4 0C add esp,0C
00417E75 E9 59080000 jmp dumped_.004186D3
00417E7A C745 FC 81000000 mov dword ptr ss:[ebp-4],81
00417E81 BA 50794000 mov edx,dumped_.00407950
00417E86 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00417E89 FF15 94114000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCopy // check whether this value exists in the registry
00417E8F C745 FC 82000000 mov dword ptr ss:[ebp-4],82
00417E96 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00417E99 898D F8FEFFFF mov dword ptr ss:[ebp-108],ecx
00417E9F C785 F0FEFFFF 08>mov dword ptr ss:[ebp-110],4008
00417EA9 BA A0884000 mov edx,dumped_.004088A0 ; UNICODE "jiv1"
00417EAE 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00417EB1 FF15 94114000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCopy
00417EB7 BA A48F4000 mov edx,dumped_.00408FA4 ; UNICODE "Software\Microsoft\QQPP"
00417EBC 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00417EBF FF15 94114000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCopy
00417EC5 C785 B8FEFFFF 02>mov dword ptr ss:[ebp-148],80000002
00417ECF 8D95 F0FEFFFF lea edx,dword ptr ss:[ebp-110]
00417ED5 52 push edx
00417ED6 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00417ED9 50 push eax
00417EDA 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00417EDD 51 push ecx
00417EDE 8D95 B8FEFFFF lea edx,dword ptr ss:[ebp-148]
00417EE4 52 push edx
00417EE5 E8 66BC0000 call dumped_.00423B50
00417EEA 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00417EED 50 push eax
00417EEE 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00417EF1 51 push ecx
00417EF2 6A 02 push 2
00417EF4 FF15 A0114000 call dword ptr ds:[<&msvbvm60.__vbaF>; msvbvm60.__vbaFreeStrList
00417EFA 83C4 0C add esp,0C
00417EFD C745 FC 83000000 mov dword ptr ss:[ebp-4],83
00417F04 8B55 C0 mov edx,dword ptr ss:[ebp-40]
00417F07 52 push edx
00417F08 FF15 40124000 call dword ptr ds:[<&msvbvm60.rtcR8V>; msvbvm60.rtcR8ValFromBstr
00417F0E FF15 F0114000 call dword ptr ds:[<&msvbvm60.__vbaF>; msvbvm60.__vbaFpI4
00417F14 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00417F17 8941 58 mov dword ptr ds:[ecx+58],eax
00417F1A C745 FC 84000000 mov dword ptr ss:[ebp-4],84
00417F21 8B55 C0 mov edx,dword ptr ss:[ebp-40]
00417F24 52 push edx
00417F25 FF15 80114000 call dword ptr ds:[<&msvbvm60.__vbaR>; msvbvm60.__vbaR8Str
00417F2B DC1D F01A4000 fcomp qword ptr ds:[401AF0]
00417F31 DFE0 fstsw ax
00417F33 F6C4 41 test ah,41
00417F36 0F84 36020000 je dumped_.00418172
00417F3C C745 FC 85000000 mov dword ptr ss:[ebp-4],85
00417F43 8B45 08 mov eax,dword ptr ss:[ebp+8]
00417F46 8B48 58 mov ecx,dword ptr ds:[eax+58]
00417F49 83C1 01 add ecx,1 ; the registry value is incremented once per use
00417F4C 0F80 BC0F0000 jo dumped_.00418F0E
00417F52 FF15 E0104000 call dword ptr ds:[<&msvbvm60.__vbaI>; msvbvm60.__vbaI2I4
00417F58 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00417F5B 66:8941 5C mov word ptr ds:[ecx+5C],ax
00417F5F C745 FC 86000000 mov dword ptr ss:[ebp-4],86
00417F66 8B55 08 mov edx,dword ptr ss:[ebp+8]
00417F69 83C2 5C add edx,5C
00417F6C 8995 F8FEFFFF mov dword ptr ss:[ebp-108],edx
00417F72 C785 F0FEFFFF 02>mov dword ptr ss:[ebp-110],4002
00417F7C 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
00417F82 50 push eax
00417F83 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00417F89 51 push ecx
00417F8A FF15 E4114000 call dword ptr ds:[<&msvbvm60.rtcVar>; msvbvm60.rtcVarStrFromVar
00417F90 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-90]
00417F96 52 push edx
00417F97 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
00417F9D 50 push eax
00417F9E FF15 A4104000 call dword ptr ds:[<&msvbvm60.rtcTri>; msvbvm60.rtcTrimVar
00417FA4 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
00417FAA 51 push ecx
00417FAB FF15 24104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrVarMove
00417FB1 8BD0 mov edx,eax
00417FB3 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00417FB6 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00417FBC BA A0884000 mov edx,dumped_.004088A0 ; UNICODE "jiv1"
00417FC1 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00417FC4 FF15 94114000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCopy
00417FCA BA 948D4000 mov edx,dumped_.00408D94 ; UNICODE "HKEY_LOCAL_MACHINE\Software\Microsoft\QQPP"
00417FCF 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00417FD2 FF15 94114000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCopy
00417FD8 8D55 9C lea edx,dword ptr ss:[ebp-64]
00417FDB 52 push edx
00417FDC 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00417FDF 50 push eax
00417FE0 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00417FE3 51 push ecx
00417FE4 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
00417FEA 52 push edx
00417FEB E8 00C70000 call dumped_.004246F0
00417FF0 8D45 9C lea eax,dword ptr ss:[ebp-64]
00417FF3 50 push eax
00417FF4 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00417FF7 51 push ecx
00417FF8 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
00417FFB 52 push edx
00417FFC 6A 03 push 3
00417FFE FF15 A0114000 call dword ptr ds:[<&msvbvm60.__vbaF>; msvbvm60.__vbaFreeStrList
00418004 83C4 10 add esp,10
00418007 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
0041800D 50 push eax
0041800E 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
00418014 51 push ecx
00418015 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-90]
0041801B 52 push edx
0041801C 6A 03 push 3
0041801E FF15 30104000 call dword ptr ds:[<&msvbvm60.__vbaF>; msvbvm60.__vbaFreeVarList
00418024 83C4 10 add esp,10
00418027 C745 FC 87000000 mov dword ptr ss:[ebp-4],87
0041802E C785 48FFFFFF 04>mov dword ptr ss:[ebp-B8],80020004
00418038 C785 40FFFFFF 0A>mov dword ptr ss:[ebp-C0],0A
00418042 C785 58FFFFFF 04>mov dword ptr ss:[ebp-A8],80020004
0041804C C785 50FFFFFF 0A>mov dword ptr ss:[ebp-B0],0A
00418056 C785 68FFFFFF 04>mov dword ptr ss:[ebp-98],80020004
00418060 C785 60FFFFFF 0A>mov dword ptr ss:[ebp-A0],0A
0041806A 68 DC8F4000 push dumped_.00408FDC
0041806F 8B45 08 mov eax,dword ptr ss:[ebp+8]
00418072 66:8B48 5C mov cx,word ptr ds:[eax+5C]
00418076 51 push ecx
00418077 FF15 08104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrI2
0041807D 8BD0 mov edx,eax
0041807F 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00418082 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
00418088 50 push eax
00418089 FF15 5C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCat
0041808F 8BD0 mov edx,eax
00418091 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00418094 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
0041809A 50 push eax
0041809B 68 04904000 push dumped_.00409004
004180A0 FF15 5C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCat
004180A6 8BD0 mov edx,eax
004180A8 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004180AB FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
004180B1 50 push eax
004180B2 8B55 08 mov edx,dword ptr ss:[ebp+8]
004180B5 66:B8 1E00 mov ax,1E ; 30 trial uses
004180B9 66:2B42 5C sub ax,word ptr ds:[edx+5C]
004180BD 0F80 4B0E0000 jo dumped_.00418F0E ; must jump away
004180C3 50 push eax
004180C4 FF15 08104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrI2
004180CA 8BD0 mov edx,eax
004180CC 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004180CF FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
004180D5 50 push eax
004180D6 FF15 5C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCat
004180DC 8BD0 mov edx,eax
004180DE 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
004180E1 FF15 08124000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrMove
004180E7 50 push eax
004180E8 68 14904000 push dumped_.00409014
004180ED FF15 5C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; msvbvm60.__vbaStrCat
004180F3 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
004180F9 C785 70FFFFFF 08>mov dword ptr ss:[ebp-90],8
00418103 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
00418109 51 push ecx
0041810A 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
00418110 52 push edx
00418111 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
00418117 50 push eax
00418118 6A 40 push 40
0041811A 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00418120 51 push ecx
00418121 FF15 94104000 call dword ptr ds:[<&msvbvm60.rtcMsg>; msvbvm60.rtcMsgBox // this is the box telling you how many trial uses remain....
00418127 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0041812A 52 push edx
0041812B 8D45 98 lea eax,dword ptr ss:[ebp-68]
★ Patch: 00417D23 0F85 51010000 jnz dumped_.00417E7A ; simply NOP it out ★
Save again and check: good, the program is now the registered version``` Looks like its 30-use trial limit has been broken.
That's all for this article; those who can follow it, follow along`````
I'm getting sleepy.... no summary this time.... another busy day is about to begin (weekends are no different)...
Insomnia.....
---------------------------------------------------------------
Copyright (C) 2006 KuNgBiM{BCG}{DFCG}{DCM}{DCT}{SLT}
---------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2006-06-17
5:20:21 AM