[原创]VB Crackme 2.0 简单分析
2006-11-22 20:56 4376

[原创]VB Crackme 2.0 简单分析

2006-11-22 20:56
4376
【破解日期】 2006年11月22日
【破解作者】 冷血书生
【作者邮箱】 meiyou
【作者主页】 hxxp://www.126sohu.com/
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 VB Crackme 2.0
【下载地址】 本地
【软件大小】 15.5k
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
------------------------------------------------------------------------

--------
【破解内容】

; Excerpt from the check routine of CM2 (OllyDbg listing, 32-bit x86, Visual Basic 5
; runtime MSVBVM50). The routine's prologue is not part of the listing, so what edx
; points to at 00402C2A and what the variant at [ebp-28] holds are inferred:
; presumably the password typed by the user -- confirm against the caller.
;
; Pass 1 (00402C2A..00402D4F): for i = 1 .. Len(input), XOR the character code of the
; i-th input character with 0x34 and append the resulting character to the variant at
; [ebp-38] (the author's "A").
;   [ebp-118] = loop limit (length converted to a 16-bit integer)
;   [ebp-3C]  = loop counter i
;   esi = rtcAnsiValueBstr (VB Asc), edi = __vbaStrVarVal, ebx = rtcMidCharVar (VB Mid)
00402C2A   push edx
00402C2B   call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; MSVBVM50.__vbaLenVar
00402C31   push eax
00402C32   call dword ptr ds:[<&MSVBVM50.__vbaI2Var>]  ; MSVBVM50.__vbaI2Var
00402C38   mov esi,dword ptr ds:[<&MSVBVM50.#516>]     ; MSVBVM50.rtcAnsiValueBstr
00402C3E   mov edi,dword ptr ds:[<&MSVBVM50.__vbaStrVa>; MSVBVM50.__vbaStrVarVal
00402C44   mov dword ptr ss:[ebp-118],eax
00402C4A   mov eax,1
00402C4F   mov dword ptr ss:[ebp-3C],eax
; Loop head (jump target of 00402D4F): exit to 00402D54 once i > limit, signed 16-bit
; compare. The mov between cmp and jg does not touch the flags; it reloads ebx on every
; iteration because ebx is overwritten at 00402CBC.
00402C52   cmp ax,word ptr ss:[ebp-118]
00402C59   mov ebx,dword ptr ds:[<&MSVBVM50.#632>]     ; MSVBVM50.rtcMidCharVar
00402C5F   jg CM2.00402D54
; Mid(variant at [ebp-28], i, 1) -> [ebp-78]. The length is passed as a variant built
; at [ebp-68]: type tag 2 (16-bit integer) with value 1 at [ebp-60]. Argument roles are
; read off the push order -- confirm against the runtime's prototype.
00402C65   movsx edx,ax
00402C68   lea ecx,dword ptr ss:[ebp-68]
00402C6B   lea eax,dword ptr ss:[ebp-28]
00402C6E   push ecx
00402C6F   push edx
00402C70   lea ecx,dword ptr ss:[ebp-78]
00402C73   push eax
00402C74   push ecx
00402C75   mov dword ptr ss:[ebp-60],1
00402C7C   mov dword ptr ss:[ebp-68],2
00402C83   call ebx
; Left(4, 1) -> [ebp-98]: the source is an integer variant at [ebp-88] (type 2, value 4),
; so the result is presumably the one-character string "4".
00402C85   lea edx,dword ptr ss:[ebp-88]
00402C8B   push 1
00402C8D   lea eax,dword ptr ss:[ebp-98]
00402C93   push edx
00402C94   push eax
00402C95   mov dword ptr ss:[ebp-80],4
00402C9C   mov dword ptr ss:[ebp-88],2
00402CA6   call dword ptr ds:[<&MSVBVM50.#617>]        ; MSVBVM50.rtcLeftCharVar
; ebx = Asc(string value of [ebp-98]); with "4" that is 0x34, the constant the author
; names in the comment at 00402CCF.
00402CAC   lea ecx,dword ptr ss:[ebp-98]
00402CB2   lea edx,dword ptr ss:[ebp-54]
00402CB5   push ecx
00402CB6   push edx
00402CB7   call edi
00402CB9   push eax
00402CBA   call esi
00402CBC   movsx ebx,ax
; edx = Asc(string value of [ebp-78]), i.e. the code of the i-th input character.
00402CBF   lea eax,dword ptr ss:[ebp-78]
00402CC2   lea ecx,dword ptr ss:[ebp-50]
00402CC5   push eax
00402CC6   push ecx
00402CC7   call edi
00402CC9   push eax
00402CCA   call esi
00402CCC   movsx edx,ax                                ; edx = code of the current password character
00402CCF   xor ebx,edx                                 ; password character XOR 0x34
; Chr(ebx) -> [ebp-A8], concatenate it with the accumulator [ebp-38] into the temporary
; [ebp-B8], then move the result back into [ebp-38]. Operand order of __vbaVarCat is
; assumed (accumulator on the left) -- confirm.
00402CD1   lea eax,dword ptr ss:[ebp-A8]
00402CD7   push ebx
00402CD8   push eax
00402CD9   call dword ptr ds:[<&MSVBVM50.#608>]        ; MSVBVM50.rtcVarBstrFromAnsi
00402CDF   lea ecx,dword ptr ss:[ebp-38]
00402CE2   lea edx,dword ptr ss:[ebp-A8]
00402CE8   push ecx
00402CE9   lea eax,dword ptr ss:[ebp-B8]
00402CEF   push edx
00402CF0   push eax
00402CF1   call dword ptr ds:[<&MSVBVM50.__vbaVarCat>] ; MSVBVM50.__vbaVarCat
00402CF7   mov edx,eax
00402CF9   lea ecx,dword ptr ss:[ebp-38]
00402CFC   call dword ptr ds:[<&MSVBVM50.__vbaVarMove>>; MSVBVM50.__vbaVarMove
; Release the two temporary strings and the five temporary variants of this iteration.
; The caller cleans the stack after both calls (add esp,0C / add esp,18).
00402D02   lea ecx,dword ptr ss:[ebp-54]
00402D05   lea edx,dword ptr ss:[ebp-50]
00402D08   push ecx
00402D09   push edx
00402D0A   push 2
00402D0C   call dword ptr ds:[<&MSVBVM50.__vbaFreeStrL>; MSVBVM50.__vbaFreeStrList
00402D12   add esp,0C
00402D15   lea eax,dword ptr ss:[ebp-A8]
00402D1B   lea ecx,dword ptr ss:[ebp-98]
00402D21   lea edx,dword ptr ss:[ebp-88]
00402D27   push eax
00402D28   push ecx
00402D29   lea eax,dword ptr ss:[ebp-78]
00402D2C   push edx
00402D2D   lea ecx,dword ptr ss:[ebp-68]
00402D30   push eax
00402D31   push ecx
00402D32   push 5
00402D34   call dword ptr ds:[<&MSVBVM50.__vbaFreeVarL>; MSVBVM50.__vbaFreeVarList
; i = i + 1 as a 16-bit add; on signed overflow jump to 004030EC (target not shown in
; the listing, presumably the runtime's overflow error path). Then back to the loop head.
00402D3A   mov eax,1
00402D3F   add esp,18
00402D42   add ax,word ptr ss:[ebp-3C]
00402D46   jo CM2.004030EC
00402D4C   mov dword ptr ss:[ebp-3C],eax
00402D4F   jmp CM2.00402C52
; Pass 2 (00402D54..00402EB5), reached from 00402C5F when the first loop ends.
; For i = 1 .. Len([ebp-38]), XOR the code of the i-th character of the string in
; [ebp-38] with the code of the j-th decimal digit character of 2000, and append the
; resulting character to the variant at [ebp-4C] (the author's "B"). j runs 1..4 and
; wraps back to 1, so the digits "2","0","0","0" are reused cyclically.
;   [ebp-120] = loop limit, [ebp-3C] = i, [ebp-18] = key index j
;   esi = rtcAnsiValueBstr (VB Asc), edi = __vbaStrVarVal, ebx = rtcMidCharVar (VB Mid);
;   esi and edi are loaded earlier in the listing (00402C38 / 00402C3E).
00402D54   lea edx,dword ptr ss:[ebp-38]
00402D57   lea eax,dword ptr ss:[ebp-68]
00402D5A   push edx
00402D5B   push eax
00402D5C   mov dword ptr ss:[ebp-18],1
00402D63   call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; MSVBVM50.__vbaLenVar
00402D69   push eax
00402D6A   call dword ptr ds:[<&MSVBVM50.__vbaI2Var>]  ; MSVBVM50.__vbaI2Var
00402D70   mov ecx,1
00402D75   mov dword ptr ss:[ebp-120],eax
00402D7B   mov eax,ecx
00402D7D   mov dword ptr ss:[ebp-3C],eax
; Loop head (jump target of 00402EB5): exit to 00402EBA once i > limit. On entry
; eax = i and ecx = 1.
00402D80   cmp ax,word ptr ss:[ebp-120]
00402D87   jg CM2.00402EBA
; Wrap the key index: if j > 4 then j = 1.
00402D8D   cmp word ptr ss:[ebp-18],4
00402D92   jle short CM2.00402D97
00402D94   mov dword ptr ss:[ebp-18],ecx
; Mid(variant at [ebp-38], i, 1) -> [ebp-78]; the length variant at [ebp-68] is
; type 2 (16-bit integer) with value 1 stored at [ebp-60]. Argument roles are read off
; the push order -- confirm against the runtime's prototype.
00402D97   mov dword ptr ss:[ebp-60],ecx
00402D9A   lea ecx,dword ptr ss:[ebp-68]
00402D9D   movsx edx,ax
00402DA0   push ecx
00402DA1   lea eax,dword ptr ss:[ebp-38]
00402DA4   push edx
00402DA5   lea ecx,dword ptr ss:[ebp-78]
00402DA8   push eax
00402DA9   push ecx
00402DAA   mov dword ptr ss:[ebp-68],2
00402DB1   call ebx
; Mid(2000, j, 1) -> [ebp-A8]: the source is an integer variant at [ebp-88] (type 2,
; value 0x7D0), the length is an integer variant at [ebp-98] (type 2, value 1).
; Mid on the integer presumably works on its decimal text "2000" -- confirm.
00402DB3   mov eax,2
00402DB8   lea edx,dword ptr ss:[ebp-98]
00402DBE   mov dword ptr ss:[ebp-98],eax
00402DC4   mov dword ptr ss:[ebp-88],eax
00402DCA   movsx eax,word ptr ss:[ebp-18]
00402DCE   push edx
00402DCF   lea ecx,dword ptr ss:[ebp-88]
00402DD5   push eax
00402DD6   lea edx,dword ptr ss:[ebp-A8]
00402DDC   push ecx
00402DDD   push edx
00402DDE   mov dword ptr ss:[ebp-90],1
00402DE8   mov dword ptr ss:[ebp-80],7D0               ; 0x7D0 = 2000 decimal
00402DEF   call ebx
; ebx = Asc(string value of [ebp-A8]), the code of the current key digit character.
00402DF1   lea eax,dword ptr ss:[ebp-A8]
00402DF7   lea ecx,dword ptr ss:[ebp-54]
00402DFA   push eax
00402DFB   push ecx
00402DFC   call edi
00402DFE   push eax
00402DFF   call esi
00402E01   movsx ebx,ax
; ecx = Asc(string value of [ebp-78]), the code of the i-th character of [ebp-38].
00402E04   lea edx,dword ptr ss:[ebp-78]
00402E07   lea eax,dword ptr ss:[ebp-50]
00402E0A   push edx
00402E0B   push eax
00402E0C   call edi
00402E0E   push eax
00402E0F   call esi
00402E11   movsx ecx,ax
00402E14   xor ebx,ecx                                ; key digit code XOR pass-1 character code
; Chr(ebx) -> [ebp-B8], concatenate it with the accumulator [ebp-4C] into the temporary
; [ebp-C8], then move the result back into [ebp-4C]. Operand order of __vbaVarCat is
; assumed (accumulator on the left) -- confirm.
00402E16   lea edx,dword ptr ss:[ebp-B8]
00402E1C   push ebx
00402E1D   push edx
00402E1E   call dword ptr ds:[<&MSVBVM50.#608>]        ; MSVBVM50.rtcVarBstrFromAnsi
00402E24   lea eax,dword ptr ss:[ebp-4C]
00402E27   lea ecx,dword ptr ss:[ebp-B8]
00402E2D   push eax
00402E2E   lea edx,dword ptr ss:[ebp-C8]
00402E34   push ecx
00402E35   push edx
00402E36   call dword ptr ds:[<&MSVBVM50.__vbaVarCat>] ; MSVBVM50.__vbaVarCat
00402E3C   mov edx,eax
00402E3E   lea ecx,dword ptr ss:[ebp-4C]
00402E41   call dword ptr ds:[<&MSVBVM50.__vbaVarMove>>; MSVBVM50.__vbaVarMove
; Release the two temporary strings and the six temporary variants of this iteration.
; The caller cleans the stack after both calls (add esp,0C / add esp,1C).
00402E47   lea eax,dword ptr ss:[ebp-54]
00402E4A   lea ecx,dword ptr ss:[ebp-50]
00402E4D   push eax
00402E4E   push ecx
00402E4F   push 2
00402E51   call dword ptr ds:[<&MSVBVM50.__vbaFreeStrL>; MSVBVM50.__vbaFreeStrList
00402E57   add esp,0C
00402E5A   lea edx,dword ptr ss:[ebp-B8]
00402E60   lea eax,dword ptr ss:[ebp-A8]
00402E66   lea ecx,dword ptr ss:[ebp-98]
00402E6C   push edx
00402E6D   push eax
00402E6E   lea edx,dword ptr ss:[ebp-88]
00402E74   push ecx
00402E75   lea eax,dword ptr ss:[ebp-78]
00402E78   push edx
00402E79   lea ecx,dword ptr ss:[ebp-68]
00402E7C   push eax
00402E7D   push ecx
00402E7E   push 6
00402E80   call dword ptr ds:[<&MSVBVM50.__vbaFreeVarL>; MSVBVM50.__vbaFreeVarList
; j = j + 1 and i = i + 1, both as 16-bit operations with a jump to 004030EC on signed
; overflow (target not shown in the listing, presumably the runtime's overflow error
; path). ebx is reloaded with rtcMidCharVar because it was overwritten at 00402E01, and
; ecx is reset to 1 for the wrap at 00402D94 and the length value at 00402D97. The movs
; between "add ax" and the second jo leave the flags untouched.
00402E86   mov dx,word ptr ss:[ebp-18]
00402E8A   add esp,1C
00402E8D   inc dx
00402E8F   jo CM2.004030EC
00402E95   mov ebx,dword ptr ds:[<&MSVBVM50.#632>]     ; MSVBVM50.rtcMidCharVar
00402E9B   mov eax,1
00402EA0   add ax,word ptr ss:[ebp-3C]
00402EA4   mov dword ptr ss:[ebp-18],edx
00402EA7   mov ecx,1
00402EAC   jo CM2.004030EC
00402EB2   mov dword ptr ss:[ebp-3C],eax
00402EB5   jmp CM2.00402D80
; Final comparison (00402EBA), reached from 00402D87 when the second loop ends.
; A temporary variant is built at [ebp-D8]: type tag 0x8008 (a string-type variant; the
; exact meaning of the 0x8000 bit is not shown here) whose value at [ebp-D0] points to
; the constant UNICODE string at 0040259C. It is compared with the transformed input in
; [ebp-4C] through __vbaVarTstNe, a "test not equal" helper by its name.
00402EBA   lea eax,dword ptr ss:[ebp-4C]
00402EBD   lea ecx,dword ptr ss:[ebp-D8]
00402EC3   push eax
00402EC4   push ecx
00402EC5   mov dword ptr ss:[ebp-D0],CM2.0040259C      ; UNICODE "VeiajeEjbavwij"
00402ECF   mov dword ptr ss:[ebp-D8],8008
00402ED9   call dword ptr ds:[<&MSVBVM50.__vbaVarTstNe>; MSVBVM50.__vbaVarTstNe
; ax == 0 means the "not equal" test was false, i.e. the two strings matched; that case
; jumps to 00402F89 (not shown in the listing; per the author's summary, the
; registration-success path). Falling through is the mismatch path.
; NOTE(review): the reference string is stored in clear text and both passes are
; fixed-key XOR, which is its own inverse, so the scheme gives no protection against
; static analysis; the outcome also depends on this single conditional jump.
00402EDF   test ax,ax
00402EE2   je CM2.00402F89                             ; the author's marked patch point
; Mismatch path: caches __vbaVarDup in esi and loads 0x80020004 (the COM code
; DISP_E_PARAMNOTFOUND, commonly used for an omitted optional argument). The code that
; consumes these values lies beyond the end of the listing.
00402EE8   mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarDu>; MSVBVM50.__vbaVarDup
00402EEE   mov eax,80020004

/////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////

1, 密码的每个字符(ASCII 码)与 0x34(即字符"4"的 ASCII 码)异或,得到字符串 A
2, A 的每个字符再依次与 2000 各位数字字符的 ASCII 码(16进制 32、30、30、30)异或;A 比 4 位长时,这 4 位从头循环使用,得到字符串 B
3, B 与固定字符串"VeiajeEjbavwij"比较,相等就注册成功


/////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////
------------------------------------------------------------------------

--------

【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!


最新回复 (1)
pengym 2006-11-24 15:03
谢谢楼主,我下来试一试看看,不懂可以向你请教吗?