mucki's crackme#3 registration algorithm - VB program
Posted on: 2006-11-19 01:07
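[Write-up title] mucki's crackme#3 registration algorithm
[Write-up author] XXNB
[Author e-mail] Support PYG
[Author homepage] http://free.ys168.com/?binbinbin7456
[Tools] OD
[Platform] XP SP2
[Software name] mucki's crackme#3
[Software size]
[Original download]
[Protection]
[Software description]
[Statement] Learning from the experts!!! For learning purposes only!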
------------------------------------------------------------------------
[Analysis process]
------------------------------------------------------------------------
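Finally got it done.
First, for the register button to work, use VBExplorer to change that timer2 property to 0 (it was originally 1). Of course, the checkbutton's False has to be changed to True first.
This crackme has anti-OD (OllyDbg) and anti-SmartCheck measures. It uses a plaintext comparison and its strings are not encrypted, so we can search for the Unicode strings and set breakpoints on them. A PEiD plugin detects the MD5 algorithm, but it is only used for verification after a successful registration.
The key code follows: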
00406511 > \55 push ebp
00406512 . 8BEC mov ebp, esp
00406514 . 83EC 0C sub esp, 0C
00406517 . 68 86134000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
0040651C . 64:A1 0000000>mov eax, dword ptr fs:[0]
00406522 . 50 push eax
00406523 . 64:8925 00000>mov dword ptr fs:[0], esp
0040652A . 81EC D8000000 sub esp, 0D8
00406530 . 53 push ebx
00406531 . 56 push esi
00406532 . 57 push edi
00406533 . 8965 F4 mov dword ptr [ebp-C], esp
00406536 . C745 F8 90114>mov dword ptr [ebp-8], 00401190 ; oh, so the value of esi is already fixed here. Look at that address
0040653D . 8B75 08 mov esi, dword ptr [ebp+8]
00406540 . 8BC6 mov eax, esi
00406542 . 83E0 01 and eax, 1
00406545 . 8945 FC mov dword ptr [ebp-4], eax
00406548 . 83E6 FE and esi, FFFFFFFE ; obtained here
0040654B . 56 push esi ; pushed on the stack, kept until the very end
0040654C . 8975 08 mov dword ptr [ebp+8], esi
0040654F . 8B06 mov eax, dword ptr [esi]
00406551 . FF50 04 call dword ptr [eax+4]
00406554 . 8B06 mov eax, dword ptr [esi]
00406556 . 33DB xor ebx, ebx ; clear the registration flag. It was 1 before
00406558 . 56 push esi
00406559 . 895D E8 mov dword ptr [ebp-18], ebx
0040655C . 895D E4 mov dword ptr [ebp-1C], ebx
0040655F . 895D DC mov dword ptr [ebp-24], ebx
00406562 . 895D D0 mov dword ptr [ebp-30], ebx
00406565 . 895D CC mov dword ptr [ebp-34], ebx
00406568 . 895D C4 mov dword ptr [ebp-3C], ebx
0040656B . 895D C0 mov dword ptr [ebp-40], ebx
0040656E . 895D B0 mov dword ptr [ebp-50], ebx
00406571 . 895D A0 mov dword ptr [ebp-60], ebx
00406574 . 895D 90 mov dword ptr [ebp-70], ebx
00406577 . 895D 80 mov dword ptr [ebp-80], ebx
0040657A . 899D 70FFFFFF mov dword ptr [ebp-90], ebx
00406580 . 899D 60FFFFFF mov dword ptr [ebp-A0], ebx
00406586 . FF90 14030000 call dword ptr [eax+314]
0040658C . 50 push eax
0040658D . 8D45 C0 lea eax, dword ptr [ebp-40]
00406590 . 50 push eax
00406591 . E8 40AFFFFF call <jmp.&MSVBVM60.__vbaObjSet>
00406596 . 8BF8 mov edi, eax
00406598 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0040659B . 51 push ecx
0040659C . 57 push edi
0040659D . 8B07 mov eax, dword ptr [edi]
0040659F . FF90 A0000000 call dword ptr [eax+A0]
004065A5 . 3BC3 cmp eax, ebx
004065A7 . DBE2 fclex
004065A9 . 7D 14 jge short 004065BF
004065AB . BB 24454000 mov ebx, 00404524
004065B0 . 68 A0000000 push 0A0
004065B5 . 53 push ebx
004065B6 . 57 push edi
004065B7 . 50 push eax
004065B8 . E8 F5AEFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
004065BD . EB 05 jmp short 004065C4
004065BF > BB 24454000 mov ebx, 00404524
004065C4 > FF75 C4 push dword ptr [ebp-3C] ; the username appears here
004065C7 . 68 38454000 push 00404538
004065CC . E8 D5AEFFFF call <jmp.&MSVBVM60.__vbaStrCmp>
004065D1 . 8BF8 mov edi, eax
004065D3 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004065D6 . F7DF neg edi
004065D8 . 1BFF sbb edi, edi
004065DA . 47 inc edi
004065DB . F7DF neg edi
004065DD . E8 BEAEFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
004065E2 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004065E5 . E8 E0AEFFFF call <jmp.&MSVBVM60.__vbaFreeObj>
004065EA . 66:85FF test di, di
004065ED . 74 66 je short 00406655
004065EF . 8B06 mov eax, dword ptr [esi]
004065F1 . 56 push esi
004065F2 . FF90 14030000 call dword ptr [eax+314]
004065F8 . 50 push eax
004065F9 . 8D45 C0 lea eax, dword ptr [ebp-40]
004065FC . 50 push eax
004065FD . E8 D4AEFFFF call <jmp.&MSVBVM60.__vbaObjSet>
00406602 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00406605 . 8BF8 mov edi, eax
00406607 . 8B06 mov eax, dword ptr [esi]
00406609 . 51 push ecx
0040660A . 56 push esi
0040660B . FF90 F8060000 call dword ptr [eax+6F8]
00406611 . 85C0 test eax, eax
00406613 . 7D 11 jge short 00406626
00406615 . 68 F8060000 push 6F8
0040661A . 68 343E4000 push 00403E34
0040661F . 56 push esi
00406620 . 50 push eax
00406621 . E8 8CAEFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
00406626 > FF75 C4 push dword ptr [ebp-3C]
00406629 . 8B07 mov eax, dword ptr [edi]
0040662B . 57 push edi
0040662C . FF90 A4000000 call dword ptr [eax+A4]
00406632 . 85C0 test eax, eax
00406634 . DBE2 fclex
00406636 . 7D 0D jge short 00406645
00406638 . 68 A4000000 push 0A4
0040663D . 53 push ebx
0040663E . 57 push edi
0040663F . 50 push eax
00406640 . E8 6DAEFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
00406645 > 8D4D C4 lea ecx, dword ptr [ebp-3C]
00406648 . E8 53AEFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
0040664D . 8D4D C0 lea ecx, dword ptr [ebp-40]
00406650 . E8 75AEFFFF call <jmp.&MSVBVM60.__vbaFreeObj>
00406655 > 8B06 mov eax, dword ptr [esi] ; ++++++
00406657 . 56 push esi
00406658 . FF90 14030000 call dword ptr [eax+314]
0040665E . 50 push eax
0040665F . 8D45 C0 lea eax, dword ptr [ebp-40]
00406662 . 50 push eax
00406663 . E8 6EAEFFFF call <jmp.&MSVBVM60.__vbaObjSet>
00406668 . 8BF8 mov edi, eax
0040666A . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0040666D . 51 push ecx
0040666E . 57 push edi
0040666F . 8B07 mov eax, dword ptr [edi]
00406671 . FF90 A0000000 call dword ptr [eax+A0]
00406677 . 85C0 test eax, eax
00406679 . DBE2 fclex
0040667B . 7D 0D jge short 0040668A
0040667D . 68 A0000000 push 0A0
00406682 . 53 push ebx
00406683 . 57 push edi
00406684 . 50 push eax
00406685 . E8 28AEFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
0040668A > FF75 C4 push dword ptr [ebp-3C] ; the username appears again
0040668D . E8 02AEFFFF call <jmp.&MSVBVM60.#527>
00406692 . 8BD0 mov edx, eax ; now converted to uppercase
00406694 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00406697 . E8 FEADFFFF call <jmp.&MSVBVM60.__vbaStrMove>
0040669C . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0040669F . E8 FCADFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
004066A4 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004066A7 . E8 1EAEFFFF call <jmp.&MSVBVM60.__vbaFreeObj>
004066AC . 8B06 mov eax, dword ptr [esi]
004066AE . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004066B1 . 51 push ecx
004066B2 . 56 push esi ; +++++++++++++++
004066B3 . FF90 FC060000 call dword ptr [eax+6FC]
004066B9 . 85C0 test eax, eax
004066BB . 7D 11 jge short 004066CE
004066BD . 68 FC060000 push 6FC
004066C2 . 68 343E4000 push 00403E34
004066C7 . 56 push esi
004066C8 . 50 push eax
004066C9 . E8 E4ADFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
004066CE > 8B55 C4 mov edx, dword ptr [ebp-3C] ; "WWW-89B6817EDA1" .. it actually reads my computer name
004066D1 . 8365 C4 00 and dword ptr [ebp-3C], 0
004066D5 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004066D8 . E8 BDADFFFF call <jmp.&MSVBVM60.__vbaStrMove>
004066DD . 8B06 mov eax, dword ptr [esi]
004066DF . 56 push esi
004066E0 . FF90 10030000 call dword ptr [eax+310]
004066E6 . 50 push eax
004066E7 . 8D45 C0 lea eax, dword ptr [ebp-40]
004066EA . 50 push eax
004066EB . E8 E6ADFFFF call <jmp.&MSVBVM60.__vbaObjSet>
004066F0 . 8BF8 mov edi, eax
004066F2 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004066F5 . 51 push ecx
004066F6 . 57 push edi
004066F7 . 8B07 mov eax, dword ptr [edi]
004066F9 . FF90 A0000000 call dword ptr [eax+A0]
004066FF . 85C0 test eax, eax
00406701 . DBE2 fclex
00406703 . 7D 0D jge short 00406712
00406705 . 68 A0000000 push 0A0
0040670A . 53 push ebx
0040670B . 57 push edi
0040670C . 50 push eax
0040670D . E8 A0ADFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
00406712 > FF75 C4 push dword ptr [ebp-3C] ; the fake (entered) serial appears
00406715 . E8 7AADFFFF call <jmp.&MSVBVM60.#527>
0040671A . 8BD0 mov edx, eax
0040671C . 8D4D E8 lea ecx, dword ptr [ebp-18]
0040671F . E8 76ADFFFF call <jmp.&MSVBVM60.__vbaStrMove>
00406724 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00406727 . E8 74ADFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
0040672C . 8D4D C0 lea ecx, dword ptr [ebp-40]
0040672F . E8 96ADFFFF call <jmp.&MSVBVM60.__vbaFreeObj>
00406734 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00406737 . 68 40454000 push 00404540 ; algo starts here
0040673C . 50 push eax
0040673D . E8 4CADFFFF call <jmp.&MSVBVM60.__vbaStrToAnsi>
00406742 . 50 push eax
00406743 . E8 14D9FFFF call 0040405C
00406748 . E8 71ADFFFF call <jmp.&MSVBVM60.__vbaSetSystemErr>
0040674D . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00406750 . E8 4BADFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
00406755 . FF75 E4 push dword ptr [ebp-1C] ; uppercase username
00406758 . E8 25ADFFFF call <jmp.&MSVBVM60.__vbaLenBstr>
0040675D . 8BC8 mov ecx, eax ; length obtained
0040675F . E8 24ADFFFF call <jmp.&MSVBVM60.__vbaI2I4>
00406764 . 0FBFC0 movsx eax, ax
00406767 . 6A 01 push 1 ; this is the 1
00406769 . 8985 2CFFFFFF mov dword ptr [ebp-D4], eax
0040676F . 5B pop ebx ; here the registration flag = 1. Take note
00406770 . 8BFB mov edi, ebx ; counter
00406772 > 3BBD 2CFFFFFF cmp edi, dword ptr [ebp-D4] ; loop starts
00406778 . 7F 55 jg short 004067CF
0040677A . 8D45 B0 lea eax, dword ptr [ebp-50]
0040677D . 895D B8 mov dword ptr [ebp-48], ebx
00406780 . 50 push eax
00406781 . 57 push edi
00406782 . FF75 E4 push dword ptr [ebp-1C] ; uppercase username
00406785 . C745 B0 02000>mov dword ptr [ebp-50], 2
0040678C . E8 E5ACFFFF call <jmp.&MSVBVM60.#631>
00406791 . 8BD0 mov edx, eax
00406793 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00406796 . E8 FFACFFFF call <jmp.&MSVBVM60.__vbaStrMove>
0040679B . 50 push eax
0040679C . E8 DBACFFFF call <jmp.&MSVBVM60.#516>
004067A1 . 0FBFC0 movsx eax, ax ; get the ASCII code of the uppercase username, one character at a time
004067A4 . 0345 DC add eax, dword ptr [ebp-24] ; accumulate
004067A7 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004067AA . 0F80 AC020000 jo 00406A5C
004067B0 . 8945 DC mov dword ptr [ebp-24], eax ; store the result of this iteration
004067B3 . E8 E8ACFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
004067B8 . 8D4D B0 lea ecx, dword ptr [ebp-50]
004067BB . E8 04ADFFFF call <jmp.&MSVBVM60.__vbaFreeVar>
004067C0 . 6A 01 push 1
004067C2 . 58 pop eax
004067C3 . 03C7 add eax, edi ; counter + 1
004067C5 . 0F80 91020000 jo 00406A5C
004067CB . 8BF8 mov edi, eax
004067CD .^ EB A3 jmp short 00406772 ; loop back
004067CF > FF75 D0 push dword ptr [ebp-30] ; "WWW-89B6817EDA1", the computer name again
004067D2 . E8 ABACFFFF call <jmp.&MSVBVM60.__vbaLenBstr>
004067D7 . 8BC8 mov ecx, eax ; length of the computer name obtained
004067D9 . E8 AAACFFFF call <jmp.&MSVBVM60.__vbaI2I4>
004067DE . 0FBFC0 movsx eax, ax
004067E1 . 8985 24FFFFFF mov dword ptr [ebp-DC], eax
004067E7 . 8BFB mov edi, ebx ; counter
004067E9 > 3BBD 24FFFFFF cmp edi, dword ptr [ebp-DC] ; loop starts
004067EF . 7F 57 jg short 00406848
004067F1 . 8D45 B0 lea eax, dword ptr [ebp-50]
004067F4 . 895D B8 mov dword ptr [ebp-48], ebx
004067F7 . 50 push eax
004067F8 . 57 push edi
004067F9 . FF75 D0 push dword ptr [ebp-30] ; computer name "WWW-89B6817EDA1"
004067FC . C745 B0 02000>mov dword ptr [ebp-50], 2
00406803 . E8 6EACFFFF call <jmp.&MSVBVM60.#631>
00406808 . 8BD0 mov edx, eax
0040680A . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0040680D . E8 88ACFFFF call <jmp.&MSVBVM60.__vbaStrMove>
00406812 . 50 push eax
00406813 . E8 64ACFFFF call <jmp.&MSVBVM60.#516>
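00406818 . 8B4D DC mov ecx, dword ptr [ebp-24] ; the accumulated username sum from above appears here
0040681B . 0FBFC0 movsx eax, ax ; ASCII code of the computer name, one character at a time
0040681E . 2BC8 sub ecx, eax ; username sum - computer name character value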
00406820 . 0F80 36020000 jo 00406A5C
00406826 . 894D DC mov dword ptr [ebp-24], ecx ; store the subtraction result
00406829 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0040682C . E8 6FACFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
00406831 . 8D4D B0 lea ecx, dword ptr [ebp-50]
00406834 . E8 8BACFFFF call <jmp.&MSVBVM60.__vbaFreeVar>
00406839 . 6A 01 push 1
0040683B . 58 pop eax
0040683C . 03C7 add eax, edi ; counter + 1
0040683E . 0F80 18020000 jo 00406A5C
00406844 . 8BF8 mov edi, eax
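00406846 .^ EB A1 jmp short 004067E9 ; loop back
00406848 > 8B45 DC mov eax, dword ptr [ebp-24] ; oh, the username is not long enough, so the result went negative
0040684B . C785 70FFFFFF>mov dword ptr [ebp-90], 4003 ; constant, used below to fetch the value at the corresponding address
00406855 . 0FAFC0 imul eax, eax ; multiplied by itself; now it is positive
00406858 . 0FBF4E 34 movsx ecx, word ptr [esi+34] ; this is the registration flag, initially 0; loaded into ecx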
0040685C . 0F80 FA010000 jo 00406A5C
00406862 . 8945 DC mov dword ptr [ebp-24], eax
00406865 . 35 DEC00000 xor eax, 0C0DE ; then XOR with the constant 0C0DE. The hex value after this XOR is the serial
0040686A . 0FAFC1 imul eax, ecx ; multiply by ecx. Here ecx=0; this ecx is fixed at 0
0040686D . 0F80 E9010000 jo 00406A5C
00406873 . 8945 DC mov dword ptr [ebp-24], eax
00406876 . 8D45 DC lea eax, dword ptr [ebp-24] ;
00406879 . 8985 78FFFFFF mov dword ptr [ebp-88], eax
0040687F . 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
00406885 . 50 push eax
00406886 . E8 E5ABFFFF call <jmp.&MSVBVM60.#572>
0040688B . 8BD0 mov edx, eax
0040688D . 8D4D CC lea ecx, dword ptr [ebp-34]
00406890 . E8 05ACFFFF call <jmp.&MSVBVM60.__vbaStrMove>
00406895 . 66:395E 34 cmp word ptr [esi+34], bx ;
00406899 74 6B je short 00406906
0040689B . 8B46 38 mov eax, dword ptr [esi+38]
0040689E . 8D55 C4 lea edx, dword ptr [ebp-3C]
004068A1 . 52 push edx
004068A2 . 8D55 CC lea edx, dword ptr [ebp-34]
004068A5 . 8B08 mov ecx, dword ptr [eax]
004068A7 . 52 push edx
004068A8 . 50 push eax
004068A9 . FF51 30 call dword ptr [ecx+30] ;
004068AC . 85C0 test eax, eax
004068AE . DBE2 fclex
004068B0 . 7D 10 jge short 004068C2
004068B2 . 6A 30 push 30
004068B4 . 68 DC414000 push 004041DC
004068B9 . FF76 38 push dword ptr [esi+38]
004068BC . 50 push eax
004068BD . E8 F0ABFFFF call <jmp.&MSVBVM60.__vbaHresultCheck>
004068C2 > 8B45 C4 mov eax, dword ptr [ebp-3C] ;
004068C5 . 8365 C4 00 and dword ptr [ebp-3C], 0
004068C9 . 6A 08 push 8
004068CB . 8945 B8 mov dword ptr [ebp-48], eax
004068CE . 5E pop esi
004068CF . 8D45 B0 lea eax, dword ptr [ebp-50]
004068D2 . 50 push eax
004068D3 . 8D45 A0 lea eax, dword ptr [ebp-60]
004068D6 . 50 push eax
004068D7 . 8975 B0 mov dword ptr [ebp-50], esi
004068DA . E8 85ABFFFF call <jmp.&MSVBVM60.#518>
004068DF . 8D45 A0 lea eax, dword ptr [ebp-60]
004068E2 . 50 push eax
004068E3 E8 82ABFFFF call <jmp.&MSVBVM60.__vbaStrVarMove>
004068E8 . 8BD0 mov edx, eax
004068EA . 8D4D CC lea ecx, dword ptr [ebp-34]
004068ED . E8 A8ABFFFF call <jmp.&MSVBVM60.__vbaStrMove>
004068F2 . 8D45 A0 lea eax, dword ptr [ebp-60]
004068F5 . 50 push eax
004068F6 . 8D45 B0 lea eax, dword ptr [ebp-50]
004068F9 . 50 push eax
004068FA . 6A 02 push 2
004068FC . E8 5DABFFFF call <jmp.&MSVBVM60.__vbaFreeVarList>
00406901 . 83C4 0C add esp, 0C
00406904 . EB 03 jmp short 00406909
00406906 > 6A 08 push 8
00406908 . 5E pop esi
00406909 FF75 E8 push dword ptr [ebp-18] ;
0040690C . FF75 CC push dword ptr [ebp-34] ;
0040690F . E8 92ABFFFF call <jmp.&MSVBVM60.__vbaStrCmp>
00406914 . 6A 0A push 0A
00406916 . B9 04000280 mov ecx, 80020004
0040691B . 85C0 test eax, eax
0040691D 58 pop eax
0040691E . 894D 88 mov dword ptr [ebp-78], ecx
00406921 . 8945 80 mov dword ptr [ebp-80], eax
00406924 . 894D 98 mov dword ptr [ebp-68], ecx
00406927 . 8945 90 mov dword ptr [ebp-70], eax
0040692A 75 4C jnz short 00406978 ;
0040692C . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
00406932 . 8D4D A0 lea ecx, dword ptr [ebp-60]
00406935 . C785 68FFFFFF>mov dword ptr [ebp-98], 00404584 ; good cracker
0040693F . 89B5 60FFFFFF mov dword ptr [ebp-A0], esi
00406945 . E8 08ABFFFF call <jmp.&MSVBVM60.__vbaVarDup>
0040694A . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00406950 . 8D4D B0 lea ecx, dword ptr [ebp-50]
00406953 . C785 78FFFFFF>mov dword ptr [ebp-88], 00404568 ; you did it!
0040695D . 89B5 70FFFFFF mov dword ptr [ebp-90], esi
00406963 . E8 EAAAFFFF call <jmp.&MSVBVM60.__vbaVarDup>
00406968 . 8D45 80 lea eax, dword ptr [ebp-80]
0040696B . 50 push eax
0040696C . 8D45 90 lea eax, dword ptr [ebp-70]
0040696F . 50 push eax
00406970 . 8D45 A0 lea eax, dword ptr [ebp-60]
00406973 . 50 push eax
00406974 . 6A 40 push 40
00406976 . EB 4A jmp short 004069C2
00406978 > 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
0040697E . 8D4D A0 lea ecx, dword ptr [ebp-60]
00406981 . C785 68FFFFFF>mov dword ptr [ebp-98], 004045D8 ; bad cracker!
0040698B . 89B5 60FFFFFF mov dword ptr [ebp-A0], esi
00406991 . E8 BCAAFFFF call <jmp.&MSVBVM60.__vbaVarDup>
00406996 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0040699C . 8D4D B0 lea ecx, dword ptr [ebp-50]
0040699F . C785 78FFFFFF>mov dword ptr [ebp-88], 004045A4 ; try harder!
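First, the username is converted to uppercase, and a loop accumulates the sum of the ASCII codes of its characters. Then a second loop subtracts the ASCII code of each character of the computer name from that sum, one at a time. That is, if the username you enter is the uppercase form of the computer name, the result after the two loops is 0.
Next, the result of the subtraction is multiplied by itself.
Finally, it is XORed with the constant 0C0DE. The hexadecimal form of the result is the serial.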
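The three steps summarized above, re-implemented as an added example (not code from the original post). It follows the author's summary only: the multiplication by the flag at 0040686A and the branch taken when that flag is non-zero are not modelled, inputs are assumed to be ASCII, and the function names are made up for illustration.

```python
# Added example: the serial derivation as summarized in the write-up.
# Function names are hypothetical; inputs are assumed to be ASCII.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
XOR_CONST = 0xC0DE  # constant XORed at 00406865


def _checked(value: int) -> int:
    """Mirror the `jo 00406A5C` checks after each add/sub/imul."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError("32-bit signed overflow (jo 00406A5C path)")
    return value


def _codes(text: str):
    """Yield character codes, rejecting input outside the ASCII assumption."""
    for ch in text:
        if ord(ch) > 0x7F:
            raise ValueError("non-ASCII input is outside this example's scope")
        yield ord(ch)


def derive_serial(username: str, computer_name: str) -> str:
    acc = 0
    for code in _codes(username.upper()):   # loop at 00406772: accumulate
        acc = _checked(acc + code)
    for code in _codes(computer_name):      # loop at 004067E9: subtract
        acc = _checked(acc - code)
    acc = _checked(acc * acc)               # imul eax, eax at 00406855
    return format(acc ^ XOR_CONST, "X")     # hex string of the XOR result


def check(username: str, computer_name: str, entered_serial: str) -> bool:
    # The entered serial goes through the same uppercase call as the
    # username (00406715), so the comparison is case-insensitive.
    return entered_serial.upper() == derive_serial(username, computer_name)


if __name__ == "__main__":
    host = "WWW-89B6817EDA1"  # computer name shown in the listing
    print(derive_serial("abc", host))
    # A plain sum ignores character order, so permuted names collide.
    print(derive_serial("CBA", host) == derive_serial("abc", host))
```

Because both inputs are non-secret and the sum discards character order, any two usernames with the same character-code total on the same machine share one serial.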