[Original] Cracking a VB program with OllyDbg and SmartCheck (with an explanation of the floating-point instructions)
Posted: 2006-11-24 22:04
SmartCheck quickly leads to the key location:
004024A2 . BF 01000000 MOV EDI,1
004024A7 . 8BF7 MOV ESI,EDI
004024A9 . 8B1D 0C104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004024AF > 66:3B75 D0 CMP SI,WORD PTR SS:[EBP-30]
004024B3 . 0F8F 93000000 JG KeyGenMe.0040254C
004024B9 . C745 BC 01000>MOV DWORD PTR SS:[EBP-44],1
004024C0 . C745 B4 02000>MOV DWORD PTR SS:[EBP-4C],2
004024C7 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004024CA . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
004024D0 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],4008
004024DA . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004024DD . 51 PUSH ECX
004024DE . 0FBFD6 MOVSX EDX,SI
004024E1 . 52 PUSH EDX
004024E2 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
004024E8 . 50 PUSH EAX
004024E9 . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
004024EC . 51 PUSH ECX
004024ED . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004024F3 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
004024F6 . 52 PUSH EDX
004024F7 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004024FA . 50 PUSH EAX
004024FB . FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00402501 . 50 PUSH EAX
00402502 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402508 . 66:0FAFC6 IMUL AX,SI ; multiply the ASCII code of each username character by its (1-based) position
0040250C . 0F80 5F010000 JO KeyGenMe.00402671 ; overflow means game over
00402512 . 0FBFC8 MOVSX ECX,AX
00402515 . 03CF ADD ECX,EDI
00402517 . 0F80 54010000 JO KeyGenMe.00402671
0040251D . 8BF9 MOV EDI,ECX
0040251F . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402522 . FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402528 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
0040252B . 52 PUSH EDX
0040252C . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0040252F . 50 PUSH EAX
00402530 . 6A 02 PUSH 2
00402532 . FFD3 CALL EBX
00402534 . 83C4 0C ADD ESP,0C
00402537 . B8 01000000 MOV EAX,1
0040253C . 66:03C6 ADD AX,SI
0040253F . 0F80 2C010000 JO KeyGenMe.00402671
00402545 . 8BF0 MOV ESI,EAX
00402547 .^ E9 63FFFFFF JMP KeyGenMe.004024AF ; loop over every character of the username, accumulating the result in EDI
0040254C > 69FF 96740100 IMUL EDI,EDI,17496 ; multiply EDI by a constant, result stays in EDI
00402552 . 0F80 19010000 JO KeyGenMe.00402671
00402558 . 897D D8 MOV DWORD PTR SS:[EBP-28],EDI
0040255B . DB45 D8 FILD DWORD PTR SS:[EBP-28] ; load the value of EDI into ST(0)
0040255E . DD9D 14FFFFFF FSTP QWORD PTR SS:[EBP-EC] ; then store it to [EBP-EC] as a double; call this value A
00402564 . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; fetch the serial you typed in
00402567 . 51 PUSH ECX
00402568 . FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>] ; convert the serial you typed in to a double; call this value B
0040256E . DC9D 14FFFFFF FCOMP QWORD PTR SS:[EBP-EC] ; compare A and B; the result sets the corresponding condition bits in the FPU status word
00402574 . DFE0 FSTSW AX ; store the status word in AX
00402576 . F6C4 40 TEST AH,40 ; test whether the status word has bit 4000 (C3) set, i.e. whether A equals B
00402579 . 0F84 86000000 JE KeyGenMe.00402605 ; equal means the crack succeeded; not equal jumps away, GAME OVER
Example: for the username xxfire, X = 120*1+120*2+102*3+105*4+114*5+101*6 and Y = X*17496; Y is the serial.
A working registration pair: username: xxfire, serial: 215849466
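As an added example (not from the original post), here is a Python reimplementation of the check routine as reconstructed from the listing above. Two details are taken from the listing rather than from the summary line: EDI is set to 1 before the loop (MOV EDI,1), so the weighted sum starts at 1, and OllyDbg displays immediates in hexadecimal, so the constant is 0x17496 (95382 decimal); with those, xxfire yields exactly the serial given above. The JO exits (VB "Overflow" errors) and the FCOMP double comparison are modelled too; the Type mismatch behaviour for a non-numeric serial is an assumption about __vbaR8Str.

```python
# Reconstruction of the KeyGenMe serial check from the OllyDbg listing.
# OllyDbg prints immediates in hex, so "IMUL EDI,EDI,17496" means 0x17496.
MULTIPLIER = 0x17496   # 95382 decimal
INT16_MAX = 0x7FFF
INT32_MAX = 0x7FFFFFFF


def signed_overflow(value, limit):
    """Mirror the JO checks: VB raises 'Overflow' when a signed result leaves its range."""
    return value > limit or value < -limit - 1


def compute_serial(username):
    """Return the serial the program expects for username, or None where the
    original code would take one of the JO exits to 00402671."""
    acc = 1                                        # MOV EDI,1 before the loop
    for pos, ch in enumerate(username, start=1):   # SI runs from 1 to Len(username)
        term = ord(ch) * pos                       # rtcAnsiValueBstr result * SI
        if signed_overflow(term, INT16_MAX):       # IMUL AX,SI ; JO  (16-bit product)
            return None
        acc += term                                # MOVSX ECX,AX ; ADD ECX,EDI
        if signed_overflow(acc, INT32_MAX):        # JO after the ADD
            return None
    acc *= MULTIPLIER                              # IMUL EDI,EDI,17496 (hex)
    if signed_overflow(acc, INT32_MAX):            # JO after the IMUL
        return None
    return acc


def check_serial(username, serial_text):
    """Emulate FILD/FSTP, __vbaR8Str and FCOMP: both sides become doubles, so
    the typed serial is parsed as a number rather than compared as text."""
    expected = compute_serial(username)
    if expected is None:
        return False
    try:
        typed = float(serial_text.strip())         # __vbaR8Str: CDbl of the textbox
    except ValueError:
        return False                               # assumed: VB raises Type mismatch
    return typed == float(expected)                # TEST AH,40: C3 set only on equality
```

Because the comparison is numeric, "215849466.0" or " 215849466" passes just as the plain digits do, and a long username whose weighted sum overflows 16 or 32 bits has no valid serial at all.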