[原创]简单的 Skip Manager 1.79注册算法
发表于: 2006-11-24 11:53 5938
【破文标题】Skip Manager 1.79注册算法
【破文作者】XXNB
【作者邮箱】支持PYG
【作者主页】binbinbin7456.ys168.com
【破解工具】OD
【破解平台】XPsp2
【软件名称】Skip Manager 1.79
【软件大小】17834KB
【原版下载】http://www.newhua.com/soft/53764.htm
【保护方式】码
【软件简介】一款能让你在系统中设置所要「忽略」项目的软件。项目被设置为忽略后,系统会自动忽略对该项目的存取动作,从而加快系统的运行速度。
【破解声明】菜鸟向高手学习!只为学习!
------------------------------------------------------------------------
【破解过程】
1、老罗的字符串查找Unicode“registered”可以轻松定位。
; Routine at 004FB250 (OllyDbg listing, 32-bit x86, VB6 runtime MSVBVM60).
; Visible part: builds the stack frame and SEH record, normalises the object
; pointer passed at [ebp+8], zeroes its locals and calls a method on that object.
; The author's listing stops before the end of the routine.
004FB250 > \55 push ebp
004FB251 . 8BEC mov ebp, esp
004FB253 . 83EC 0C sub esp, 0C
004FB256 . 68 F62E4000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
004FB25B . 64:A1 0000000>mov eax, dword ptr fs:[0]
004FB261 . 50 push eax
; handler address + previous chain head were just pushed; that record becomes the new head of the fs:[0] chain
004FB262 . 64:8925 00000>mov dword ptr fs:[0], esp
004FB269 . 81EC B8000000 sub esp, 0B8
004FB26F . 53 push ebx
004FB270 . 56 push esi
004FB271 . 57 push edi
004FB272 . 8965 F4 mov dword ptr [ebp-C], esp
004FB275 . C745 F8 88284>mov dword ptr [ebp-8], 00402888
; esi = first argument; its low bit is saved in [ebp-4] and cleared from the pointer
004FB27C . 8B75 08 mov esi, dword ptr [ebp+8]
004FB27F . 8BC6 mov eax, esi
004FB281 . 83E0 01 and eax, 1
004FB284 . 8945 FC mov dword ptr [ebp-4], eax
004FB287 . 83E6 FE and esi, FFFFFFFE
004FB28A . 8B0E mov ecx, dword ptr [esi]
004FB28C . 56 push esi
004FB28D . 8975 08 mov dword ptr [ebp+8], esi
; indirect call through the object's table, slot +4 (presumably AddRef on a COM object; confirm)
004FB290 . FF51 04 call dword ptr [ecx+4]
004FB293 . 8B16 mov edx, dword ptr [esi]
; edi = 0 is used below to clear the locals and later as the zero to compare against
004FB295 . 33FF xor edi, edi
004FB297 . 56 push esi
004FB298 . 897D E8 mov dword ptr [ebp-18], edi
004FB29B . 897D E4 mov dword ptr [ebp-1C], edi
004FB29E . 897D E0 mov dword ptr [ebp-20], edi
004FB2A1 . 897D DC mov dword ptr [ebp-24], edi
004FB2A4 . 897D CC mov dword ptr [ebp-34], edi
004FB2A7 . 897D BC mov dword ptr [ebp-44], edi
004FB2AA . 897D AC mov dword ptr [ebp-54], edi
004FB2AD . 897D 9C mov dword ptr [ebp-64], edi
004FB2B0 . 897D 8C mov dword ptr [ebp-74], edi
004FB2B3 . 89BD 7CFFFFFF mov dword ptr [ebp-84], edi
; method at table offset +308 on the same object; its return value is handed to __vbaObjSet next
004FB2B9 . FF92 08030000 call dword ptr [edx+308]
; Stores the returned object reference in [ebp-20], then calls its method at
; table offset +A0 with [ebp-18] as the output slot. The next instructions treat
; [ebp-18] as a string, so this presumably reads the text the user typed; confirm.
004FB2BF . 8B1D B0104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaObjSet
004FB2C5 . 50 push eax
004FB2C6 . 8D45 E0 lea eax, dword ptr [ebp-20]
004FB2C9 . 50 push eax
004FB2CA . FFD3 call ebx ; <&MSVBVM60.__vbaObjSet>
004FB2CC . 8B08 mov ecx, dword ptr [eax]
004FB2CE . 8D55 E8 lea edx, dword ptr [ebp-18]
004FB2D1 . 52 push edx
004FB2D2 . 50 push eax
004FB2D3 . 8985 58FFFFFF mov dword ptr [ebp-A8], eax
004FB2D9 . FF91 A0000000 call dword ptr [ecx+A0]
004FB2DF . DBE2 fclex
; eax is the call's status; a non-negative value skips the error check below
004FB2E1 . 3BC7 cmp eax, edi
004FB2E3 . 7D 18 jge short 004FB2FD
004FB2E5 . 8B8D 58FFFFFF mov ecx, dword ptr [ebp-A8]
004FB2EB . 68 A0000000 push 0A0 ; /Arg4 = 000000A0
004FB2F0 . 68 48554200 push 00425548 ; |Arg3 = 00425548
004FB2F5 . 51 push ecx ; |Arg2
004FB2F6 . 50 push eax ; |Arg1
004FB2F7 . FF15 78104000 call dword ptr [<&MSVBVM60.__vbaHresu>; \__vbaHresultCheckObj
; Passes the entered string to the validation routine at 00493360, converts the
; returned Variant to a Boolean, frees temporaries and branches on the result.
004FB2FD > 8B55 E8 mov edx, dword ptr [ebp-18] ; author: as usual, the entered (trial) code shows up here
004FB300 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004FB303 . 897D E8 mov dword ptr [ebp-18], edi
004FB306 . FF15 68124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
004FB30C . 8D55 E4 lea edx, dword ptr [ebp-1C] ; author: moved (result in eax)
004FB30F . 52 push edx
004FB310 . 8D45 CC lea eax, dword ptr [ebp-34]
004FB313 . 50 push eax
; arguments: [ebp-34] receives the result Variant, [ebp-1C] holds the entered string
004FB314 . E8 4780F9FF call 00493360 ; author: evidently the validation routine; examined in part 2
004FB319 . 8D4D CC lea ecx, dword ptr [ebp-34]
004FB31C . 51 push ecx
004FB31D . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
004FB323 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
; the Boolean result is parked in [ebp-B0] while the temporaries are released
004FB326 . 66:8985 50FFF>mov word ptr [ebp-B0], ax
004FB32D . FF15 98124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004FB333 . 8D4D E0 lea ecx, dword ptr [ebp-20]
004FB336 . FF15 94124000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004FB33C . 8D4D CC lea ecx, dword ptr [ebp-34]
004FB33F . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
; flags from this compare survive the mov instructions below and feed the je at 004FB368
004FB345 . 66:39BD 50FFF>cmp word ptr [ebp-B0], di
; three Variants are filled with type 0A and value 80020004, which is VT_ERROR /
; DISP_E_PARAMNOTFOUND, the usual VB6 encoding of an omitted optional argument
004FB34C . B9 04000280 mov ecx, 80020004
004FB351 . B8 0A000000 mov eax, 0A
004FB356 . 894D A4 mov dword ptr [ebp-5C], ecx
004FB359 . 8945 9C mov dword ptr [ebp-64], eax
004FB35C . 894D B4 mov dword ptr [ebp-4C], ecx
004FB35F . 8945 AC mov dword ptr [ebp-54], eax
004FB362 . 894D C4 mov dword ptr [ebp-3C], ecx
004FB365 . 8945 BC mov dword ptr [ebp-44], eax
004FB368 . 0F84 C1010000 je 004FB52F ; author: the key branch (taken when the stored result equals di)
; Fall-through path: builds a string Variant (type 8) that points at the success
; text and duplicates it into [ebp-34]. The author's listing is cut off after this.
004FB36E . 8D55 8C lea edx, dword ptr [ebp-74]
004FB371 . 8D4D CC lea ecx, dword ptr [ebp-34] ; author: success message
004FB374 . C745 94 98F84>mov dword ptr [ebp-6C], 0042F898 ; thank you. your product is now registered.
004FB37B . C745 8C 08000>mov dword ptr [ebp-74], 8
004FB382 . FF15 34124000 call dword ptr [<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
004FB388 . 8D55 9C lea edx, dword ptr [ebp-64]
004FB38B . 52 push edx
004FB38C . 8D45 AC lea eax, dword ptr [ebp-54]
........
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2、
; Validation routine at 00493360, called from 004FB314.
; In:  [ebp+8]  = address of the Variant that receives the result
;      [ebp+C]  = address of the entered string
; This part builds the frame and SEH record, reserves 400h bytes of locals and
; zeroes them with esi = 0. The slots from [ebp-84] down to [ebp-2E4] are 10h
; apart, which matches their later use as 16-byte Variant temporaries.
00493360 $ 55 push ebp
00493361 . 8BEC mov ebp, esp
00493363 . 83EC 0C sub esp, 0C
00493366 . 68 F62E4000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
0049336B . 64:A1 0000000>mov eax, dword ptr fs:[0]
00493371 . 50 push eax
00493372 . 64:8925 00000>mov dword ptr fs:[0], esp
00493379 . 81EC 00040000 sub esp, 400
0049337F . 53 push ebx
00493380 . 56 push esi
00493381 . 57 push edi
00493382 . 8965 F4 mov dword ptr [ebp-C], esp
00493385 . C745 F8 10144>mov dword ptr [ebp-8], 00401410
0049338C . 33F6 xor esi, esi
; edx / ecx are loaded early for the __vbaVarDup call at 004934E3 (source [ebp-2F4], destination [ebp-84])
0049338E . 8D95 0CFDFFFF lea edx, dword ptr [ebp-2F4]
00493394 . 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
0049339A . 8975 DC mov dword ptr [ebp-24], esi
0049339D . 8975 CC mov dword ptr [ebp-34], esi
004933A0 . 8975 BC mov dword ptr [ebp-44], esi
004933A3 . 8975 B8 mov dword ptr [ebp-48], esi
004933A6 . 8975 B4 mov dword ptr [ebp-4C], esi
004933A9 . 8975 B0 mov dword ptr [ebp-50], esi
004933AC . 8975 AC mov dword ptr [ebp-54], esi
004933AF . 8975 A8 mov dword ptr [ebp-58], esi
004933B2 . 8975 A4 mov dword ptr [ebp-5C], esi
004933B5 . 8975 A0 mov dword ptr [ebp-60], esi
004933B8 . 8975 9C mov dword ptr [ebp-64], esi
004933BB . 8975 98 mov dword ptr [ebp-68], esi
004933BE . 8975 94 mov dword ptr [ebp-6C], esi
004933C1 . 8975 90 mov dword ptr [ebp-70], esi
004933C4 . 8975 8C mov dword ptr [ebp-74], esi
004933C7 . 89B5 7CFFFFFF mov dword ptr [ebp-84], esi
004933CD . 89B5 6CFFFFFF mov dword ptr [ebp-94], esi
004933D3 . 89B5 5CFFFFFF mov dword ptr [ebp-A4], esi
004933D9 . 89B5 4CFFFFFF mov dword ptr [ebp-B4], esi
004933DF . 89B5 3CFFFFFF mov dword ptr [ebp-C4], esi
004933E5 . 89B5 2CFFFFFF mov dword ptr [ebp-D4], esi
004933EB . 89B5 1CFFFFFF mov dword ptr [ebp-E4], esi
004933F1 . 89B5 0CFFFFFF mov dword ptr [ebp-F4], esi
004933F7 . 89B5 FCFEFFFF mov dword ptr [ebp-104], esi
004933FD . 89B5 ECFEFFFF mov dword ptr [ebp-114], esi
00493403 . 89B5 DCFEFFFF mov dword ptr [ebp-124], esi
00493409 . 89B5 CCFEFFFF mov dword ptr [ebp-134], esi
0049340F . 89B5 BCFEFFFF mov dword ptr [ebp-144], esi
00493415 . 89B5 ACFEFFFF mov dword ptr [ebp-154], esi
0049341B . 89B5 9CFEFFFF mov dword ptr [ebp-164], esi
00493421 . 89B5 8CFEFFFF mov dword ptr [ebp-174], esi
00493427 . 89B5 7CFEFFFF mov dword ptr [ebp-184], esi
0049342D . 89B5 6CFEFFFF mov dword ptr [ebp-194], esi
00493433 . 89B5 5CFEFFFF mov dword ptr [ebp-1A4], esi
00493439 . 89B5 4CFEFFFF mov dword ptr [ebp-1B4], esi
0049343F . 89B5 3CFEFFFF mov dword ptr [ebp-1C4], esi
00493445 . 89B5 2CFEFFFF mov dword ptr [ebp-1D4], esi
0049344B . 89B5 1CFEFFFF mov dword ptr [ebp-1E4], esi
00493451 . 89B5 0CFEFFFF mov dword ptr [ebp-1F4], esi
00493457 . 89B5 FCFDFFFF mov dword ptr [ebp-204], esi
0049345D . 89B5 ECFDFFFF mov dword ptr [ebp-214], esi
00493463 . 89B5 DCFDFFFF mov dword ptr [ebp-224], esi
00493469 . 89B5 CCFDFFFF mov dword ptr [ebp-234], esi
0049346F . 89B5 BCFDFFFF mov dword ptr [ebp-244], esi
00493475 . 89B5 ACFDFFFF mov dword ptr [ebp-254], esi
0049347B . 89B5 9CFDFFFF mov dword ptr [ebp-264], esi
00493481 . 89B5 8CFDFFFF mov dword ptr [ebp-274], esi
00493487 . 89B5 7CFDFFFF mov dword ptr [ebp-284], esi
0049348D . 89B5 6CFDFFFF mov dword ptr [ebp-294], esi
00493493 . 89B5 5CFDFFFF mov dword ptr [ebp-2A4], esi
00493499 . 89B5 4CFDFFFF mov dword ptr [ebp-2B4], esi
0049349F . 89B5 3CFDFFFF mov dword ptr [ebp-2C4], esi
004934A5 . 89B5 2CFDFFFF mov dword ptr [ebp-2D4], esi
004934AB . 89B5 1CFDFFFF mov dword ptr [ebp-2E4], esi
; Produces the value the author calls the "machine code" and leaves it in [ebp-44]:
; a string variable at 00522084 is formatted with the pattern "ssyynnddmmhh",
; combined with a constant by __vbaVarSub, and the result is moved to [ebp-44].
; NOTE(review): [ebp-304] = 5 is a Variant type tag (8-byte double) and its data
; field starts 8 bytes later at [ebp-2FC], so the two dwords below are the low
; and high halves of one double, 426CBE99:1EE86000 = 987654321987.0, rather than
; two separate integers.
; NOTE(review): "ssyynnddmmhh" reads as a VB date/time pattern, so the value
; looks time-derived rather than bound to hardware; confirm what 00522084 holds.
004934B1 . C785 04FDFFFF>mov dword ptr [ebp-2FC], 1EE86000 ; author: constant 518545408
004934BB . C785 08FDFFFF>mov dword ptr [ebp-2F8], 426CBE99 ; author: constant 1114422937
004934C5 . C785 FCFCFFFF>mov dword ptr [ebp-304], 5 ; author: constant
004934CF . C785 14FDFFFF>mov dword ptr [ebp-2EC], 00424C78 ; ssyynnddmmhh
004934D9 . C785 0CFDFFFF>mov dword ptr [ebp-2F4], 8 ; author: constant (Variant type 8 = string, data at [ebp-2EC])
004934E3 . FF15 34124000 call dword ptr [<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
004934E9 . 6A 01 push 1
004934EB . 6A 01 push 1
004934ED . 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
004934F3 . 50 push eax
004934F4 . 8D8D 1CFDFFFF lea ecx, dword ptr [ebp-2E4]
004934FA . 51 push ecx
004934FB . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00493501 . 52 push edx
; type 4008 = by-reference string; the value being formatted lives at 00522084
00493502 . C785 24FDFFFF>mov dword ptr [ebp-2DC], 00522084
0049350C . C785 1CFDFFFF>mov dword ptr [ebp-2E4], 4008
00493516 . FF15 60104000 call dword ptr [<&MSVBVM60.#660>] ; MSVBVM60.rtcVarFromFormatVar
0049351C . 8D85 FCFCFFFF lea eax, dword ptr [ebp-304]
00493522 . 50 push eax
00493523 . 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
00493529 . 51 push ecx
0049352A . 8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00493530 . 52 push edx
; subtraction between the formatted value and the double constant (operand order not verified here)
00493531 . FF15 00104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; MSVBVM60.__vbaVarSub
00493537 . 8BD0 mov edx, eax
00493539 . 8D4D BC lea ecx, dword ptr [ebp-44]
0049353C . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00493542 . 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00493548 . 50 push eax
00493549 . 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
0049354F . 51 push ecx
00493550 . 6A 02 push 2
00493552 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
; First group of three extractions from the value in [ebp-44].
; Pattern repeated below: rtcMidCharVar (Mid) takes a start position and a
; length Variant (type 2 = 16-bit integer, value 8 bytes after the tag),
; __vbaStrVarVal turns the result into a string, rtcR8ValFromBstr (Val) converts
; it to a double, and fstp stores that double in a local for later arithmetic.
;   Mid(8,1)  -> [ebp-3CC]   Mid(10,2) -> [ebp-3D4]   Mid(11,1) -> [ebp-3DC]
00493558 . 8B3D E8104000 mov edi, dword ptr [<&MSVBVM60.#632>>; MSVBVM60.rtcMidCharVar
0049355E . 83C4 0C add esp, 0C ; author: rtcMidCharVar was just loaded into edi, (this add cleans up the 3 args of __vbaFreeVarList)
00493561 . 8D95 5CFFFFFF lea edx, dword ptr [ebp-A4] ; author: so every later `call edi` extracts characters
00493567 . 52 push edx
00493568 . 6A 08 push 8 ; author: take the 8th character
0049356A . 8D45 BC lea eax, dword ptr [ebp-44] ; author: of the machine code, of course; not repeated below
0049356D . 50 push eax
0049356E . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
00493574 . 51 push ecx
00493575 . C785 64FFFFFF>mov dword ptr [ebp-9C], 1
0049357F . C785 5CFFFFFF>mov dword ptr [ebp-A4], 2 ; author: the call below extracts the character
00493589 . FFD7 call edi ; <&MSVBVM60.#632>
0049358B . 8B1D A8114000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrVarVal
00493591 . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
00493597 . 52 push edx
00493598 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0049359B . 50 push eax
0049359C . FFD3 call ebx ; <&MSVBVM60.__vbaStrVarVal>
0049359E . 50 push eax
0049359F . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004935A5 . DD9D 34FCFFFF fstp qword ptr [ebp-3CC] ; author: "8", the extracted character converted to a real number for the arithmetic
004935AB . 8D8D 3CFFFFFF lea ecx, dword ptr [ebp-C4]
004935B1 . 51 push ecx
004935B2 . B8 02000000 mov eax, 2 ; author: here the length is two characters (eax = 2 serves as both type tag and value)
004935B7 . 6A 0A push 0A ; author: likewise, starting at the 10th character
004935B9 . 8D55 BC lea edx, dword ptr [ebp-44]
004935BC . 8985 44FFFFFF mov dword ptr [ebp-BC], eax
004935C2 . 8985 3CFFFFFF mov dword ptr [ebp-C4], eax
004935C8 . 52 push edx
004935C9 . 8D85 2CFFFFFF lea eax, dword ptr [ebp-D4]
004935CF . 50 push eax
004935D0 . FFD7 call edi ; author: this is Mid()
004935D2 . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4]
004935D8 . 51 push ecx
004935D9 . 8D55 B0 lea edx, dword ptr [ebp-50]
004935DC . 52 push edx
004935DD . FFD3 call ebx
004935DF . 50 push eax ; author: result here is "87"
004935E0 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004935E6 . DD9D 2CFCFFFF fstp qword ptr [ebp-3D4] ; 87
004935EC . 8D85 1CFFFFFF lea eax, dword ptr [ebp-E4]
004935F2 . 50 push eax
004935F3 . 6A 0B push 0B ; author: take the 11th character
004935F5 . 8D4D BC lea ecx, dword ptr [ebp-44]
004935F8 . 51 push ecx
004935F9 . 8D95 0CFFFFFF lea edx, dword ptr [ebp-F4]
004935FF . 52 push edx
00493600 . C785 24FFFFFF>mov dword ptr [ebp-DC], 1
0049360A . C785 1CFFFFFF>mov dword ptr [ebp-E4], 2
00493614 . FFD7 call edi
00493616 . 8D85 0CFFFFFF lea eax, dword ptr [ebp-F4]
0049361C . 50 push eax
0049361D . 8D4D AC lea ecx, dword ptr [ebp-54]
00493620 . 51 push ecx
00493621 . FFD3 call ebx
00493623 . 50 push eax
00493624 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049362A . DD9D 24FCFFFF fstp qword ptr [ebp-3DC] ; "7"
; Second group of three extractions from [ebp-44], same Mid / Val / fstp pattern
; (edi = rtcMidCharVar, ebx = __vbaStrVarVal, both loaded earlier in the routine).
;   Mid(1,1)  -> [ebp-3E4]   Mid(7,2)  -> [ebp-3EC]   Mid(12,1) -> [ebp-3F4]
00493630 . 8D95 9CFEFFFF lea edx, dword ptr [ebp-164]
00493636 . 52 push edx
00493637 . 6A 01 push 1 ; author: take the 1st character
00493639 . 8D45 BC lea eax, dword ptr [ebp-44]
0049363C . 50 push eax
0049363D . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
00493643 . C785 A4FEFFFF>mov dword ptr [ebp-15C], 1
0049364D . C785 9CFEFFFF>mov dword ptr [ebp-164], 2
00493657 . 51 push ecx
00493658 . FFD7 call edi
0049365A . 8D95 8CFEFFFF lea edx, dword ptr [ebp-174]
00493660 . 52 push edx
00493661 . 8D45 A4 lea eax, dword ptr [ebp-5C]
00493664 . 50 push eax
00493665 . FFD3 call ebx
00493667 . 50 push eax
00493668 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049366E . DD9D 1CFCFFFF fstp qword ptr [ebp-3E4] ; "5"
00493674 . 8D8D 7CFEFFFF lea ecx, dword ptr [ebp-184]
0049367A . 51 push ecx
0049367B . B8 02000000 mov eax, 2 ; author: two characters again here
00493680 . 6A 07 push 7 ; author: starting at the 7th character
00493682 . 8D55 BC lea edx, dword ptr [ebp-44]
00493685 . 8985 84FEFFFF mov dword ptr [ebp-17C], eax
0049368B . 8985 7CFEFFFF mov dword ptr [ebp-184], eax
00493691 . 52 push edx
00493692 . 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
00493698 . 50 push eax
00493699 . FFD7 call edi
0049369B . 8D8D 6CFEFFFF lea ecx, dword ptr [ebp-194]
004936A1 . 51 push ecx
004936A2 . 8D55 A0 lea edx, dword ptr [ebp-60]
004936A5 . 52 push edx
004936A6 . FFD3 call ebx
004936A8 . 50 push eax ; author: gets "08"
004936A9 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004936AF . DD9D 14FCFFFF fstp qword ptr [ebp-3EC] ; author: "8", since conversion to a real drops the leading 0
004936B5 . 8D85 5CFEFFFF lea eax, dword ptr [ebp-1A4]
004936BB . 50 push eax
004936BC . 6A 0C push 0C ; author: take the 12th character
004936BE . 8D4D BC lea ecx, dword ptr [ebp-44]
004936C1 . 51 push ecx
004936C2 . 8D95 4CFEFFFF lea edx, dword ptr [ebp-1B4]
004936C8 . 52 push edx
004936C9 . C785 64FEFFFF>mov dword ptr [ebp-19C], 1
004936D3 . C785 5CFEFFFF>mov dword ptr [ebp-1A4], 2
004936DD . FFD7 call edi
004936DF . 8D85 4CFEFFFF lea eax, dword ptr [ebp-1B4]
004936E5 . 50 push eax
004936E6 . 8D4D 9C lea ecx, dword ptr [ebp-64]
004936E9 . 51 push ecx
004936EA . FFD3 call ebx
004936EC . 50 push eax
004936ED . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004936F3 . DD9D 0CFCFFFF fstp qword ptr [ebp-3F4] ; 7
; Third group of three extractions from [ebp-44], same Mid / Val / fstp pattern
; (edi = rtcMidCharVar, ebx = __vbaStrVarVal, both loaded earlier in the routine).
;   Mid(1,1)  -> [ebp-3FC]   Mid(4,2)  -> [ebp-404]   Mid(10,1) -> [ebp-40C]
004936F9 . 8D95 CCFDFFFF lea edx, dword ptr [ebp-234]
004936FF . 52 push edx
00493700 . 6A 01 push 1 ; author: take the 1st character
00493702 . 8D45 BC lea eax, dword ptr [ebp-44]
00493705 . 50 push eax
00493706 . 8D8D BCFDFFFF lea ecx, dword ptr [ebp-244]
0049370C . 51 push ecx
0049370D . C785 D4FDFFFF>mov dword ptr [ebp-22C], 1
00493717 . C785 CCFDFFFF>mov dword ptr [ebp-234], 2
00493721 . FFD7 call edi
00493723 . 8D95 BCFDFFFF lea edx, dword ptr [ebp-244]
00493729 . 52 push edx
0049372A . 8D45 94 lea eax, dword ptr [ebp-6C]
0049372D . 50 push eax
0049372E . FFD3 call ebx
00493730 . 50 push eax
00493731 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00493737 . DD9D 04FCFFFF fstp qword ptr [ebp-3FC] ; 5
0049373D . 8D8D ACFDFFFF lea ecx, dword ptr [ebp-254]
00493743 . 51 push ecx
00493744 . B8 02000000 mov eax, 2 ; author: two characters again
00493749 . 6A 04 push 4 ; author: starting at the 4th character
0049374B . 8D55 BC lea edx, dword ptr [ebp-44]
0049374E . 8985 B4FDFFFF mov dword ptr [ebp-24C], eax
00493754 . 8985 ACFDFFFF mov dword ptr [ebp-254], eax
0049375A . 52 push edx
0049375B . 8D85 9CFDFFFF lea eax, dword ptr [ebp-264]
00493761 . 50 push eax
00493762 . FFD7 call edi
00493764 . 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
0049376A . 51 push ecx
0049376B . 8D55 90 lea edx, dword ptr [ebp-70]
0049376E . 52 push edx
0049376F . FFD3 call ebx
00493771 . 50 push eax ; author: gets "02"
00493772 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00493778 . DD9D FCFBFFFF fstp qword ptr [ebp-404] ; author: "2", since "02" as a real is 2
0049377E . 8D85 8CFDFFFF lea eax, dword ptr [ebp-274]
00493784 . 50 push eax
00493785 . 6A 0A push 0A ; author: the 10th character again
00493787 . 8D4D BC lea ecx, dword ptr [ebp-44]
0049378A . 51 push ecx
0049378B . 8D95 7CFDFFFF lea edx, dword ptr [ebp-284]
00493791 . 52 push edx
00493792 . C785 94FDFFFF>mov dword ptr [ebp-26C], 1
0049379C . C785 8CFDFFFF>mov dword ptr [ebp-274], 2
004937A6 . FFD7 call edi
004937A8 . 8D85 7CFDFFFF lea eax, dword ptr [ebp-284]
004937AE . 50 push eax
004937AF . 8D4D 8C lea ecx, dword ptr [ebp-74]
004937B2 . 51 push ecx
004937B3 . FFD3 call ebx
004937B5 . 50 push eax
004937B6 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004937BC . DD9D F4FBFFFF fstp qword ptr [ebp-40C] ; "8"
; First result: Val(Mid(5,1)) stays on the FPU stack and is multiplied by
; [ebp-3CC] and [ebp-3D4], then [ebp-3DC] is subtracted. __vbaFPInt is applied,
; the double is stored as the data of a type-5 Variant at [ebp-104], converted
; with rtcVarStrFromVar and trimmed by rtcTrimVar into [ebp-124].
; The numeric comments are the author's worked example for 577020080877.
004937C2 . 8D95 7CFFFFFF lea edx, dword ptr [ebp-84] ; author: extraction finally done
004937C8 . 52 push edx ; author: next comes the arithmetic on the extracted numbers
004937C9 . 6A 05 push 5 ; author: note that the 5th character is still fetched here
004937CB . 8D45 BC lea eax, dword ptr [ebp-44]
004937CE . 50 push eax
004937CF . 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
004937D5 . 51 push ecx
004937D6 . C745 84 01000>mov dword ptr [ebp-7C], 1
004937DD . C785 7CFFFFFF>mov dword ptr [ebp-84], 2
004937E7 . FFD7 call edi
004937E9 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
004937EF . 52 push edx
004937F0 . 8D45 B8 lea eax, dword ptr [ebp-48]
004937F3 . 50 push eax
004937F4 . FFD3 call ebx ; author: my machine code is 577020080877
004937F6 . 50 push eax ; author: the 5th character fetched here goes straight into the calculation
004937F7 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004937FD . DC8D 34FCFFFF fmul qword ptr [ebp-3CC] ; 2*8
00493803 . DC8D 2CFCFFFF fmul qword ptr [ebp-3D4] ; 16*87
00493809 . DCA5 24FCFFFF fsub qword ptr [ebp-3DC] ; 1392-7
; mask 0D tests FPU status bits 0, 2 and 3 (invalid operation, divide-by-zero,
; overflow); any of them set diverts to 00493D15, which is not shown in the listing
0049380F . DFE0 fstsw ax
00493811 . A8 0D test al, 0D
00493813 . 0F85 FC040000 jnz 00493D15
00493819 . FF15 88124000 call dword ptr [<&MSVBVM60.__vbaFPInt>; MSVBVM60.__vbaFPInt
0049381F . DD9D 04FFFFFF fstp qword ptr [ebp-FC] ; author: 1385, the result
00493825 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
0049382B . 51 push ecx
0049382C . 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
00493832 . 52 push edx
00493833 . C785 FCFEFFFF>mov dword ptr [ebp-104], 5
0049383D . FF15 3C124000 call dword ptr [<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00493843 . 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
00493849 . 50 push eax
0049384A . 8D8D DCFEFFFF lea ecx, dword ptr [ebp-124]
00493850 . 51 push ecx
00493851 . FF15 D4104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
; Second result, same shape as the first: Val(Mid(3,1)) is multiplied by
; [ebp-3E4] and [ebp-3EC], then [ebp-3F4] is subtracted. The value goes through
; __vbaFPInt, is stored as the data of a type-5 Variant at [ebp-1C4], converted
; with rtcVarStrFromVar and trimmed by rtcTrimVar into [ebp-1E4].
00493857 . 8D95 BCFEFFFF lea edx, dword ptr [ebp-144]
0049385D . 52 push edx
0049385E . 6A 03 push 3 ; author: take the 3rd character and use it directly
00493860 . 8D45 BC lea eax, dword ptr [ebp-44]
00493863 . 50 push eax
00493864 . 8D8D ACFEFFFF lea ecx, dword ptr [ebp-154]
0049386A . 51 push ecx
0049386B . C785 C4FEFFFF>mov dword ptr [ebp-13C], 1
00493875 . C785 BCFEFFFF>mov dword ptr [ebp-144], 2
0049387F . FFD7 call edi
00493881 . 8D95 ACFEFFFF lea edx, dword ptr [ebp-154]
00493887 . 52 push edx
00493888 . 8D45 A8 lea eax, dword ptr [ebp-58]
0049388B . 50 push eax
0049388C . FFD3 call ebx
0049388E . 50 push eax ; author: my 3rd character is 7, so...
0049388F . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00493895 . DC8D 1CFCFFFF fmul qword ptr [ebp-3E4] ; 7*5
0049389B . DC8D 14FCFFFF fmul qword ptr [ebp-3EC] ; 35*8
004938A1 . DCA5 0CFCFFFF fsub qword ptr [ebp-3F4] ; 280-7
; same FPU status test as in the first calculation (mask 0D, target 00493D15)
004938A7 . DFE0 fstsw ax
004938A9 . A8 0D test al, 0D
004938AB . 0F85 64040000 jnz 00493D15
004938B1 . FF15 88124000 call dword ptr [<&MSVBVM60.__vbaFPInt>; MSVBVM60.__vbaFPInt
004938B7 . DD9D 44FEFFFF fstp qword ptr [ebp-1BC] ; author: 273, the result
004938BD . 8D8D 3CFEFFFF lea ecx, dword ptr [ebp-1C4]
004938C3 . 51 push ecx
004938C4 . 8D95 2CFEFFFF lea edx, dword ptr [ebp-1D4]
004938CA . 52 push edx
004938CB . C785 3CFEFFFF>mov dword ptr [ebp-1C4], 5
004938D5 . FF15 3C124000 call dword ptr [<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
004938DB . 8D85 2CFEFFFF lea eax, dword ptr [ebp-1D4]
004938E1 . 50 push eax
004938E2 . 8D8D 1CFEFFFF lea ecx, dword ptr [ebp-1E4]
004938E8 . 51 push ecx
004938E9 . FF15 D4104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
; Third result, same shape again: Val(Mid(1,1)) is multiplied by [ebp-3FC] and
; [ebp-404], then [ebp-40C] is subtracted. The value goes through __vbaFPInt,
; is stored as the data of a type-5 Variant at [ebp-294], converted with
; rtcVarStrFromVar and trimmed by rtcTrimVar into [ebp-2B4].
004938EF . 8D95 ECFDFFFF lea edx, dword ptr [ebp-214]
004938F5 . 52 push edx
004938F6 . 6A 01 push 1 ; author: take the 1st character and use it directly
004938F8 . 8D45 BC lea eax, dword ptr [ebp-44]
004938FB . 50 push eax
004938FC . 8D8D DCFDFFFF lea ecx, dword ptr [ebp-224]
00493902 . 51 push ecx
00493903 . C785 F4FDFFFF>mov dword ptr [ebp-20C], 1
0049390D . C785 ECFDFFFF>mov dword ptr [ebp-214], 2
00493917 . FFD7 call edi
00493919 . 8D95 DCFDFFFF lea edx, dword ptr [ebp-224]
0049391F . 52 push edx
00493920 . 8D45 98 lea eax, dword ptr [ebp-68]
00493923 . 50 push eax
00493924 . FFD3 call ebx
00493926 . 50 push eax ; author: my 1st character is 5
00493927 . FF15 9C124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049392D . DC8D 04FCFFFF fmul qword ptr [ebp-3FC] ; 5*5
00493933 . DC8D FCFBFFFF fmul qword ptr [ebp-404] ; 25*2
00493939 . DCA5 F4FBFFFF fsub qword ptr [ebp-40C] ; 50-8
; same FPU status test as in the first calculation (mask 0D, target 00493D15)
0049393F . DFE0 fstsw ax
00493941 . A8 0D test al, 0D
00493943 . 0F85 CC030000 jnz 00493D15
00493949 . FF15 88124000 call dword ptr [<&MSVBVM60.__vbaFPInt>; MSVBVM60.__vbaFPInt
0049394F . DD9D 74FDFFFF fstp qword ptr [ebp-28C] ; author: 42, the result
00493955 . 8D8D 6CFDFFFF lea ecx, dword ptr [ebp-294]
0049395B . 51 push ecx
0049395C . 8D95 5CFDFFFF lea edx, dword ptr [ebp-2A4]
00493962 . 52 push edx
00493963 . C785 6CFDFFFF>mov dword ptr [ebp-294], 5
0049396D . FF15 3C124000 call dword ptr [<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00493973 . 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
00493979 . 50 push eax
0049397A . 8D8D 4CFDFFFF lea ecx, dword ptr [ebp-2B4]
00493980 . 51 push ecx
00493981 . FF15 D4104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
; Joins the three trimmed results ([ebp-124], [ebp-1E4], [ebp-2B4]).
; Each one is passed through __vbaVarAbs first and the outputs are concatenated
; with __vbaVarCat, leaving the final Variant in [ebp-2D4]. edi is reused here:
; it holds __vbaVarAbs in this stretch and is reloaded with __vbaVarMove at the end.
00493987 . 8B3D 04114000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarAbs
0049398D . 8D95 DCFEFFFF lea edx, dword ptr [ebp-124]
00493993 . 52 push edx
00493994 . 8D85 CCFEFFFF lea eax, dword ptr [ebp-134]
0049399A . 50 push eax
0049399B . FFD7 call edi ; <&MSVBVM60.__vbaVarAbs>
0049399D . 50 push eax
0049399E . 8D8D 1CFEFFFF lea ecx, dword ptr [ebp-1E4]
004939A4 . 51 push ecx
004939A5 . 8D95 0CFEFFFF lea edx, dword ptr [ebp-1F4]
004939AB . 52 push edx
004939AC . FFD7 call edi ; author: the run of __vbaVarCat calls below is clearly string concatenation
004939AE . 8B1D AC114000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarCat
004939B4 . 50 push eax ; author: tracing shows it joins the three results above
004939B5 . 8D85 FCFDFFFF lea eax, dword ptr [ebp-204]
004939BB . 50 push eax ; author: the joined string is the expected registration code
004939BC . FFD3 call ebx ; <&MSVBVM60.__vbaVarCat>
004939BE . 50 push eax
004939BF . 8D8D 4CFDFFFF lea ecx, dword ptr [ebp-2B4]
004939C5 . 51 push ecx
004939C6 . 8D95 3CFDFFFF lea edx, dword ptr [ebp-2C4]
004939CC . 52 push edx
004939CD . FFD7 call edi
004939CF . 50 push eax
004939D0 . 8D85 2CFDFFFF lea eax, dword ptr [ebp-2D4]
004939D6 . 50 push eax
004939D7 . FFD3 call ebx
004939D9 . 8B3D 18104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarMove
...........省略一点代码.....
; Tail of the validation routine; the author elided the code just before it.
; The entered string ([ebp+C], wrapped as a type-8008 Variant at [ebp-2E4]) is
; compared with the Variant at [ebp-24] by __vbaVarTstEq, and a Boolean Variant
; (type 0B) holding -1 or esi is then moved to [ebp-34].
; NOTE(review): the expected value is derived in-process from data the client
; already holds and is checked by one local comparison; nothing visible here
; involves a secret key or a server-side check, so the scheme offers no
; protection once the binary can be inspected.
00493B0C . 6A 22 push 22
00493B0E . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00493B14 . 8B55 0C mov edx, dword ptr [ebp+C]
00493B17 . 8B02 mov eax, dword ptr [edx] ; author: the entered code appears here
00493B19 . 81C4 C0000000 add esp, 0C0
00493B1F . 8D8D 1CFDFFFF lea ecx, dword ptr [ebp-2E4]
00493B25 . 51 push ecx ; /Arg2
00493B26 . 8D55 DC lea edx, dword ptr [ebp-24] ; |
00493B29 . 52 push edx ; |Arg1
00493B2A . 8985 24FDFFFF mov dword ptr [ebp-2DC], eax ; |
00493B30 . C785 1CFDFFFF>mov dword ptr [ebp-2E4], 8008 ; |author: compared with the computed result (Variant comparison)
00493B3A . FF15 18114000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
00493B40 . 66:85C0 test ax, ax ; author: flag; non-zero means registration succeeds
; the data field is preset to -1 and replaced with esi only when the branch below is not taken
00493B43 . C785 24FDFFFF>mov dword ptr [ebp-2DC], -1
00493B4D 75 06 jnz short 00493B55 爆破点这里。
00493B4F . 89B5 24FDFFFF mov dword ptr [ebp-2DC], esi
00493B55 > 8D95 1CFDFFFF lea edx, dword ptr [ebp-2E4]
00493B5B . 8D4D CC lea ecx, dword ptr [ebp-34]
00493B5E . C785 1CFDFFFF>mov dword ptr [ebp-2E4], 0B
; edi was loaded with __vbaVarMove at 004939D9 (assuming the elided code did not change it)
00493B68 . FFD7 call edi
00493B6A . 9B wait
------------------------------------------------------------------------
【破解总结】
比如我的机器码为:577020080877
1、整个算法就是对机器码的运算,而得到真注册码。
2、首先分别取出机器码的第8位、第10位、第11位、第1位、第7位、第12位、第1位、第4位、第10位(其中有些取两位,具体看注释),得到下面三组数:
第一组 8 87 7
第二组 5 08 7
第三组 5 02 8
3、对应第一组,取第五位和它们运算,得到1385;
对应第二组,取第三位和它们运算,得到273;
对应第三组,取第一位和它们运算,得到42。
4、连接结果得到138527342就是最终注册码了。