【Title】: Cracking the [PYG] CrackMe (member certification test) with a detailed algorithm analysis
【Author】: dewar
【Software】: PYG member certification test
【Packer】: none
【Protection】: serial number
【Language】: VB
【Tools】: OD
【Platform】: WINXP
【Description】: PYG member certification test
【Author's note】: Just out of interest, no other purpose. Where I slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
Not sure whether this one has expired yet; it probably has. I hope the [PYG] folks won't mind ^_^
1. First run the program and try to register. On failure it pops up a dialog saying "还要加油哦!" ("keep at it!"). That dialog is our way in ^_^
2. Load it in OD. There is an entry-point warning (no idea why, the file is not packed); choose not to analyse.
3. Since the program pops up a dialog whether registration succeeds or not, press Alt+E to open the modules window, double-click MSVBVM60.DLL, press Ctrl+N, find rtcMsgBox and set a breakpoint on it with F2 (this is the function VB uses to show a message box).
4. Press F9 to run the program and enter the registration details (fake ones, of course ^_^):
Name: dewar
Serial: 123456-234567-345678-456789
5. After clicking "OK" the program breaks. Look at the stack: the top of the stack holds the return address 0040851D. Press Ctrl+G to go there; this is where execution lands right after the "wrong serial" message box has been shown. So the serial comparison must lie somewhere above this line. Walking upward and watching the code carefully, I set an F2 breakpoint at 00407D95.
Below is the code with the algorithm analysis:
......
00407D95 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; read the registration name
00407D9B 3BC7 CMP EAX, EDI
00407D9D DBE2 FCLEX
00407D9F 7D 18 JGE SHORT [PYG]Cra.00407DB9
00407DA1 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:[EBP-190]
00407DA7 68 A0000000 PUSH 0A0
00407DAC 68 205D4000 PUSH [PYG]Cra.00405D20
00407DB1 51 PUSH ECX
00407DB2 50 PUSH EAX
00407DB3 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407DB9 8B85 30FFFFFF MOV EAX, DWORD PTR SS:[EBP-D0]
00407DBF 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
00407DC5 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24]
00407DC8 89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EDI
00407DCE 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4], EAX
00407DD4 C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC], 8
00407DDE FFD6 CALL ESI
00407DE0 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:[EBP-DC]
00407DE6 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407DEC 8B13 MOV EDX, DWORD PTR DS:[EBX]
00407DEE 53 PUSH EBX
00407DEF FF92 0C030000 CALL DWORD PTR DS:[EDX+30C]
00407DF5 50 PUSH EAX
00407DF6 8D85 24FFFFFF LEA EAX, DWORD PTR SS:[EBP-DC]
00407DFC 50 PUSH EAX
00407DFD FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407E03 8B08 MOV ECX, DWORD PTR DS:[EAX]
00407E05 8D95 30FFFFFF LEA EDX, DWORD PTR SS:[EBP-D0]
00407E0B 52 PUSH EDX
00407E0C 50 PUSH EAX
00407E0D 8985 70FEFFFF MOV DWORD PTR SS:[EBP-190], EAX
00407E13 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; read the first serial group
00407E19 3BC7 CMP EAX, EDI
00407E1B DBE2 FCLEX
00407E1D 7D 18 JGE SHORT [PYG]Cra.00407E37
00407E1F 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:[EBP-190]
00407E25 68 A0000000 PUSH 0A0
00407E2A 68 205D4000 PUSH [PYG]Cra.00405D20
00407E2F 51 PUSH ECX
00407E30 50 PUSH EAX
00407E31 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407E37 8B85 30FFFFFF MOV EAX, DWORD PTR SS:[EBP-D0]
00407E3D 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
00407E43 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:[EBP-84]
00407E49 89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EDI
00407E4F 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4], EAX
00407E55 C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC], 8
00407E5F FFD6 CALL ESI
00407E61 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:[EBP-DC]
00407E67 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407E6D 8B13 MOV EDX, DWORD PTR DS:[EBX]
00407E6F 53 PUSH EBX
00407E70 FF92 08030000 CALL DWORD PTR DS:[EDX+308]
00407E76 50 PUSH EAX
00407E77 8D85 24FFFFFF LEA EAX, DWORD PTR SS:[EBP-DC]
00407E7D 50 PUSH EAX
00407E7E FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407E84 8B08 MOV ECX, DWORD PTR DS:[EAX]
00407E86 8D95 30FFFFFF LEA EDX, DWORD PTR SS:[EBP-D0]
00407E8C 52 PUSH EDX
00407E8D 50 PUSH EAX
00407E8E 8985 70FEFFFF MOV DWORD PTR SS:[EBP-190], EAX
00407E94 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; read the second serial group
00407E9A 3BC7 CMP EAX, EDI
00407E9C DBE2 FCLEX
00407E9E 7D 18 JGE SHORT [PYG]Cra.00407EB8
00407EA0 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:[EBP-190]
00407EA6 68 A0000000 PUSH 0A0
00407EAB 68 205D4000 PUSH [PYG]Cra.00405D20
00407EB0 51 PUSH ECX
00407EB1 50 PUSH EAX
00407EB2 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407EB8 8B85 30FFFFFF MOV EAX, DWORD PTR SS:[EBP-D0]
00407EBE 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
00407EC4 8D8D 5CFFFFFF LEA ECX, DWORD PTR SS:[EBP-A4]
00407ECA 89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EDI
00407ED0 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4], EAX
00407ED6 C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC], 8
00407EE0 FFD6 CALL ESI
00407EE2 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:[EBP-DC]
00407EE8 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407EEE 8B13 MOV EDX, DWORD PTR DS:[EBX]
00407EF0 53 PUSH EBX
00407EF1 FF92 04030000 CALL DWORD PTR DS:[EDX+304]
00407EF7 50 PUSH EAX
00407EF8 8D85 24FFFFFF LEA EAX, DWORD PTR SS:[EBP-DC]
00407EFE 50 PUSH EAX
00407EFF FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407F05 8B08 MOV ECX, DWORD PTR DS:[EAX]
00407F07 8D95 30FFFFFF LEA EDX, DWORD PTR SS:[EBP-D0]
00407F0D 52 PUSH EDX
00407F0E 50 PUSH EAX
00407F0F 8985 70FEFFFF MOV DWORD PTR SS:[EBP-190], EAX
00407F15 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; read the third serial group
00407F1B 3BC7 CMP EAX, EDI
00407F1D DBE2 FCLEX
00407F1F 7D 18 JGE SHORT [PYG]Cra.00407F39
00407F21 8B8D 70FEFFFF MOV ECX, DWORD PTR SS:[EBP-190]
00407F27 68 A0000000 PUSH 0A0
00407F2C 68 205D4000 PUSH [PYG]Cra.00405D20
00407F31 51 PUSH ECX
00407F32 50 PUSH EAX
00407F33 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407F39 8B85 30FFFFFF MOV EAX, DWORD PTR SS:[EBP-D0]
00407F3F 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
00407F45 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
00407F4B 89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EDI
00407F51 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4], EAX
00407F57 C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC], 8
00407F61 FFD6 CALL ESI
00407F63 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:[EBP-DC]
00407F69 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407F6F 8B13 MOV EDX, DWORD PTR DS:[EBX]
00407F71 53 PUSH EBX
00407F72 FF92 00030000 CALL DWORD PTR DS:[EDX+300]
00407F78 50 PUSH EAX
00407F79 8D85 24FFFFFF LEA EAX, DWORD PTR SS:[EBP-DC]
00407F7F 50 PUSH EAX
00407F80 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00407F86 8BD8 MOV EBX, EAX
00407F88 8D95 30FFFFFF LEA EDX, DWORD PTR SS:[EBP-D0]
00407F8E 52 PUSH EDX
00407F8F 53 PUSH EBX
00407F90 8B0B MOV ECX, DWORD PTR DS:[EBX]
00407F92 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; read the fourth serial group
00407F98 3BC7 CMP EAX, EDI
00407F9A DBE2 FCLEX
00407F9C 7D 12 JGE SHORT [PYG]Cra.00407FB0
00407F9E 68 A0000000 PUSH 0A0
00407FA3 68 205D4000 PUSH [PYG]Cra.00405D20
00407FA8 53 PUSH EBX
00407FA9 50 PUSH EAX
00407FAA FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
00407FB0 8B95 30FFFFFF MOV EDX, DWORD PTR SS:[EBP-D0]
00407FB6 8D8D 34FFFFFF LEA ECX, DWORD PTR SS:[EBP-CC]
00407FBC 89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EDI
00407FC2 FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00407FC8 8D8D 24FFFFFF LEA ECX, DWORD PTR SS:[EBP-DC]
00407FCE FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00407FD4 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24]
00407FD7 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:[EBP-EC]
00407FDD 50 PUSH EAX
00407FDE 51 PUSH ECX
00407FDF 89BD ACFEFFFF MOV DWORD PTR SS:[EBP-154], EDI
00407FE5 C785 A4FEFFFF 0>MOV DWORD PTR SS:[EBP-15C], 8002
00407FEF FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; length of the name
00407FF5 8D95 A4FEFFFF LEA EDX, DWORD PTR SS:[EBP-15C]
00407FFB 50 PUSH EAX
00407FFC 52 PUSH EDX
00407FFD FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstEq>] ; compare the name length with 0 (was a name entered at all?)
00408003 66:85C0 TEST AX, AX
00408006 74 5A JE SHORT [PYG]Cra.00408062 ; a name was entered: jump
00408008 8B35 B8104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; no name: fall through to the error message
0040800E B9 04000280 MOV ECX, 80020004
00408013 898D ECFEFFFF MOV DWORD PTR SS:[EBP-114], ECX
00408019 B8 0A000000 MOV EAX, 0A
0040801E 898D FCFEFFFF MOV DWORD PTR SS:[EBP-104], ECX
00408024 BB 08000000 MOV EBX, 8
00408029 8D95 94FEFFFF LEA EDX, DWORD PTR SS:[EBP-16C]
0040802F 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:[EBP-FC]
00408035 8985 E4FEFFFF MOV DWORD PTR SS:[EBP-11C], EAX
0040803B 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C], EAX
00408041 C785 9CFEFFFF 5>MOV DWORD PTR SS:[EBP-164], [PYG]Cra.00405D50 ; ASCII "秀:y"
0040804B 899D 94FEFFFF MOV DWORD PTR SS:[EBP-16C], EBX
00408051 FFD6 CALL ESI
00408053 C785 ACFEFFFF 3>MOV DWORD PTR SS:[EBP-154], [PYG]Cra.00405D34
0040805D E9 84040000 JMP [PYG]Cra.004084E6 ; jump to the error message
00408062 8D95 F4FEFFFF LEA EDX, DWORD PTR SS:[EBP-10C] ;<---- execution arrives here once a name has been entered
00408068 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24]
0040806B 52 PUSH EDX
0040806C 6A 01 PUSH 1
0040806E 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:[EBP-11C]
00408074 50 PUSH EAX
00408075 51 PUSH ECX
00408076 C785 FCFEFFFF 0>MOV DWORD PTR SS:[EBP-104], 1
00408080 C785 F4FEFFFF 0>MOV DWORD PTR SS:[EBP-10C], 2
0040808A FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; Mid(name, 1, 1): first character of the name
00408090 8B1D 88104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00408096 8D95 E4FEFFFF LEA EDX, DWORD PTR SS:[EBP-11C]
0040809C 8D85 30FFFFFF LEA EAX, DWORD PTR SS:[EBP-D0]
004080A2 52 PUSH EDX
004080A3 50 PUSH EAX
004080A4 FFD3 CALL EBX
004080A6 50 PUSH EAX
004080A7 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; Asc(): character code of that character
004080AD 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24]
004080B0 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
004080B6 51 PUSH ECX
004080B7 52 PUSH EDX
004080B8 66:8985 9CFEFFF>MOV WORD PTR SS:[EBP-164], AX ; store the code in a Variant on the stack
004080BF C785 94FEFFFF 0>MOV DWORD PTR SS:[EBP-16C], 2
004080C9 FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; length of the name
004080CF 50 PUSH EAX
004080D0 8D45 AC LEA EAX, DWORD PTR SS:[EBP-54]
004080D3 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:[EBP-FC]
004080D9 50 PUSH EAX
004080DA 51 PUSH ECX
004080DB FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; x = name length * 25F5, stored in the Variant at [EBP-FC] (value at +8)
004080E1 50 PUSH EAX
004080E2 8D95 94FEFFFF LEA EDX, DWORD PTR SS:[EBP-16C]
004080E8 8D85 6CFFFFFF LEA EAX, DWORD PTR SS:[EBP-94]
004080EE 52 PUSH EDX
004080EF 8D8D D4FEFFFF LEA ECX, DWORD PTR SS:[EBP-12C]
004080F5 50 PUSH EAX
004080F6 51 PUSH ECX
004080F7 FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; y = character code * 29, stored in the Variant at [EBP-12C] (value at +8)
004080FD 8D95 C4FEFFFF LEA EDX, DWORD PTR SS:[EBP-13C]
00408103 50 PUSH EAX
00408104 52 PUSH EDX
00408105 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; x + y gives the first number A
0040810B 8BD0 MOV EDX, EAX
0040810D 8D4D CC LEA ECX, DWORD PTR SS:[EBP-34]
00408110 FFD6 CALL ESI
00408112 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:[EBP-D0]
00408118 FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040811E 8D85 E4FEFFFF LEA EAX, DWORD PTR SS:[EBP-11C]
00408124 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:[EBP-10C]
0040812A 50 PUSH EAX
0040812B 51 PUSH ECX
0040812C 6A 02 PUSH 2
0040812E FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00408134 83C4 0C ADD ESP, 0C
00408137 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
0040813D 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24]
00408140 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:[EBP-FC]
00408146 52 PUSH EDX
00408147 6A 01 PUSH 1
00408149 50 PUSH EAX
0040814A 51 PUSH ECX
0040814B C785 1CFFFFFF 0>MOV DWORD PTR SS:[EBP-E4], 1
00408155 C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC], 2
0040815F FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; Mid(name, 1, 1): first character of the name again
00408165 8D95 04FFFFFF LEA EDX, DWORD PTR SS:[EBP-FC]
0040816B 8D85 30FFFFFF LEA EAX, DWORD PTR SS:[EBP-D0]
00408171 52 PUSH EDX
00408172 50 PUSH EAX
00408173 FFD3 CALL EBX
00408175 50 PUSH EAX
00408176 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; Asc(): character code
0040817C 8D8D 94FEFFFF LEA ECX, DWORD PTR SS:[EBP-16C]
00408182 66:8985 9CFEFFF>MOV WORD PTR SS:[EBP-164], AX
00408189 8D55 AC LEA EDX, DWORD PTR SS:[EBP-54]
0040818C 51 PUSH ECX
0040818D 8D85 F4FEFFFF LEA EAX, DWORD PTR SS:[EBP-10C]
00408193 52 PUSH EDX
00408194 50 PUSH EAX
00408195 C785 94FEFFFF 0>MOV DWORD PTR SS:[EBP-16C], 2
0040819F FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; character code * 25F5, stored in the Variant at [EBP-10C] (value at +8)
004081A5 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
004081AB 50 PUSH EAX
004081AC 8D95 E4FEFFFF LEA EDX, DWORD PTR SS:[EBP-11C]
004081B2 51 PUSH ECX
004081B3 52 PUSH EDX
004081B4 FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; then * 7B, stored in the Variant at [EBP-11C] (value at +8): the second number B
004081BA 8BD0 MOV EDX, EAX
004081BC 8D4D BC LEA ECX, DWORD PTR SS:[EBP-44]
004081BF FFD6 CALL ESI
004081C1 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:[EBP-D0]
004081C7 FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004081CD 8D85 04FFFFFF LEA EAX, DWORD PTR SS:[EBP-FC]
004081D3 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:[EBP-EC]
004081D9 50 PUSH EAX
004081DA 51 PUSH ECX
004081DB 6A 02 PUSH 2
004081DD FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004081E3 83C4 0C ADD ESP, 0C
004081E6 8D95 04FFFFFF LEA EDX, DWORD PTR SS:[EBP-FC]
004081EC 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24]
004081EF 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:[EBP-10C]
004081F5 52 PUSH EDX
004081F6 6A 01 PUSH 1
004081F8 50 PUSH EAX
004081F9 51 PUSH ECX
004081FA C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 1
00408204 C785 04FFFFFF 0>MOV DWORD PTR SS:[EBP-FC], 2
0040820E FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; Mid(name, 1, 1): first character of the name once more
00408214 8D95 F4FEFFFF LEA EDX, DWORD PTR SS:[EBP-10C]
0040821A 8D85 30FFFFFF LEA EAX, DWORD PTR SS:[EBP-D0]
00408220 52 PUSH EDX
00408221 50 PUSH EAX
00408222 FFD3 CALL EBX
00408224 50 PUSH EAX
00408225 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; Asc(): character code
0040822B 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24]
0040822E 66:8985 9CFEFFF>MOV WORD PTR SS:[EBP-164], AX
00408235 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
0040823B B8 02000000 MOV EAX, 2
00408240 51 PUSH ECX
00408241 52 PUSH EDX
00408242 8985 94FEFFFF MOV DWORD PTR SS:[EBP-16C], EAX
00408248 66:C785 8CFEFFF>MOV WORD PTR SS:[EBP-174], 19D5
00408251 8985 84FEFFFF MOV DWORD PTR SS:[EBP-17C], EAX
00408257 FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; length of the name
0040825D 50 PUSH EAX
0040825E 8D85 94FEFFFF LEA EAX, DWORD PTR SS:[EBP-16C]
00408264 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:[EBP-11C]
0040826A 50 PUSH EAX
0040826B 51 PUSH ECX
0040826C FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; name length * character code
00408272 50 PUSH EAX
00408273 8D95 84FEFFFF LEA EDX, DWORD PTR SS:[EBP-17C]
00408279 8D85 D4FEFFFF LEA EAX, DWORD PTR SS:[EBP-12C]
0040827F 52 PUSH EDX
00408280 50 PUSH EAX
00408281 FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>] ; then * 19D5: the third number C
00408287 8BD0 MOV EDX, EAX
00408289 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
0040828C FFD6 CALL ESI
0040828E 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:[EBP-D0]
00408294 FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040829A 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:[EBP-10C]
004082A0 8D95 04FFFFFF LEA EDX, DWORD PTR SS:[EBP-FC]
004082A6 51 PUSH ECX
004082A7 52 PUSH EDX
004082A8 6A 02 PUSH 2
004082AA FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004082B0 83C4 0C ADD ESP, 0C
004082B3 8D45 9C LEA EAX, DWORD PTR SS:[EBP-64]
004082B6 8D4D AC LEA ECX, DWORD PTR SS:[EBP-54]
004082B9 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
004082BF 50 PUSH EAX
004082C0 51 PUSH ECX
004082C1 52 PUSH EDX
004082C2 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; C + 25F5: the fourth number D
004082C8 8BD0 MOV EDX, EAX
004082CA 8D4D 8C LEA ECX, DWORD PTR SS:[EBP-74]
004082CD FFD6 CALL ESI
004082CF 8D85 7CFFFFFF LEA EAX, DWORD PTR SS:[EBP-84]
004082D5 50 PUSH EAX
004082D6 8D8D 30FFFFFF LEA ECX, DWORD PTR SS:[EBP-D0]
004082DC 51 PUSH ECX
004082DD FFD3 CALL EBX ; fetch the first serial group
004082DF 50 PUSH EAX
004082E0 FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; Val(): first serial group string to Double
004082E6 DD9D ACFEFFFF FSTP QWORD PTR SS:[EBP-154]
004082EC 8D95 5CFFFFFF LEA EDX, DWORD PTR SS:[EBP-A4]
004082F2 8D85 2CFFFFFF LEA EAX, DWORD PTR SS:[EBP-D4]
004082F8 BE 05800000 MOV ESI, 8005
004082FD 52 PUSH EDX
004082FE 50 PUSH EAX
004082FF 89B5 A4FEFFFF MOV DWORD PTR SS:[EBP-15C], ESI
00408305 FFD3 CALL EBX ; fetch the second serial group
00408307 50 PUSH EAX
00408308 FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; Val(): second serial group string to Double
0040830E DD9D 9CFEFFFF FSTP QWORD PTR SS:[EBP-164]
00408314 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
0040831A 8D95 28FFFFFF LEA EDX, DWORD PTR SS:[EBP-D8]
00408320 51 PUSH ECX
00408321 52 PUSH EDX
00408322 89B5 94FEFFFF MOV DWORD PTR SS:[EBP-16C], ESI
00408328 FFD3 CALL EBX ; fetch the third serial group
0040832A 50 PUSH EAX
0040832B FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; Val(): third serial group string to Double
00408331 8B85 34FFFFFF MOV EAX, DWORD PTR SS:[EBP-CC] ; fetch the fourth serial group
00408337 89B5 84FEFFFF MOV DWORD PTR SS:[EBP-17C], ESI
0040833D DD9D 8CFEFFFF FSTP QWORD PTR SS:[EBP-174]
00408343 50 PUSH EAX
00408344 FF15 D8104000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; Val(): fourth serial group string to Double
0040834A DD9D 7CFEFFFF FSTP QWORD PTR SS:[EBP-184]
00408350 8D8D A4FEFFFF LEA ECX, DWORD PTR SS:[EBP-15C]
00408356 8D55 CC LEA EDX, DWORD PTR SS:[EBP-34]
00408359 51 PUSH ECX
0040835A 8D85 14FFFFFF LEA EAX, DWORD PTR SS:[EBP-EC]
00408360 89B5 74FEFFFF MOV DWORD PTR SS:[EBP-18C], ESI
00408366 8B35 AC104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpEq>] ; MSVBVM60.__vbaVarCmpEq
0040836C 52 PUSH EDX
0040836D 50 PUSH EAX
0040836E FFD6 CALL ESI ; compare A with the first group (as Double); result in [EBP-EC]
00408370 8D8D 94FEFFFF LEA ECX, DWORD PTR SS:[EBP-16C]
00408376 50 PUSH EAX
00408377 8D55 BC LEA EDX, DWORD PTR SS:[EBP-44]
0040837A 51 PUSH ECX
0040837B 8D85 04FFFFFF LEA EAX, DWORD PTR SS:[EBP-FC]
00408381 52 PUSH EDX
00408382 50 PUSH EAX
00408383 FFD6 CALL ESI ; compare B with the second group (as Double); result in [EBP-FC]
00408385 8B1D 6C104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
0040838B 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:[EBP-10C]
00408391 50 PUSH EAX
00408392 51 PUSH ECX
00408393 FFD3 CALL EBX ; [EBP-EC] And [EBP-FC]; result in [EBP-10C]
00408395 50 PUSH EAX
00408396 8D95 84FEFFFF LEA EDX, DWORD PTR SS:[EBP-17C]
0040839C 8D45 9C LEA EAX, DWORD PTR SS:[EBP-64]
0040839F 52 PUSH EDX
004083A0 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:[EBP-11C]
004083A6 50 PUSH EAX
004083A7 51 PUSH ECX
004083A8 FFD6 CALL ESI ; compare C with the third group (as Double); result in [EBP-11C]
004083AA 8D95 D4FEFFFF LEA EDX, DWORD PTR SS:[EBP-12C]
004083B0 50 PUSH EAX
004083B1 52 PUSH EDX
004083B2 FFD3 CALL EBX ; [EBP-10C] And [EBP-11C]; result in [EBP-12C]
004083B4 50 PUSH EAX
004083B5 8D85 74FEFFFF LEA EAX, DWORD PTR SS:[EBP-18C]
004083BB 8D4D 8C LEA ECX, DWORD PTR SS:[EBP-74]
004083BE 50 PUSH EAX
004083BF 8D95 C4FEFFFF LEA EDX, DWORD PTR SS:[EBP-13C]
004083C5 51 PUSH ECX
004083C6 52 PUSH EDX
004083C7 FFD6 CALL ESI ; compare D with the fourth group (as Double); result in [EBP-13C]
004083C9 50 PUSH EAX
004083CA 8D85 B4FEFFFF LEA EAX, DWORD PTR SS:[EBP-14C]
004083D0 50 PUSH EAX
004083D1 FFD3 CALL EBX ; [EBP-12C] And [EBP-13C]; result in [EBP-14C]
004083D3 50 PUSH EAX
004083D4 FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>] ; the serial is accepted only if every comparison above was true, i.e. the correct groups are the integers A, B, C and D
004083DA 8D8D 28FFFFFF LEA ECX, DWORD PTR SS:[EBP-D8]
004083E0 8BF0 MOV ESI, EAX
004083E2 51 PUSH ECX
004083E3 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:[EBP-D4]
004083E9 8D85 30FFFFFF LEA EAX, DWORD PTR SS:[EBP-D0]
004083EF 52 PUSH EDX
004083F0 50 PUSH EAX
004083F1 6A 03 PUSH 3
004083F3 FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004083F9 83C4 10 ADD ESP, 10
004083FC B9 04000280 MOV ECX, 80020004
00408401 B8 0A000000 MOV EAX, 0A
00408406 66:3BF7 CMP SI, DI ; is the final result true?
00408409 898D ECFEFFFF MOV DWORD PTR SS:[EBP-114], ECX
0040840F 8985 E4FEFFFF MOV DWORD PTR SS:[EBP-11C], EAX
00408415 898D FCFEFFFF MOV DWORD PTR SS:[EBP-104], ECX
0040841B 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C], EAX
00408421 0F84 8C000000 JE [PYG]Cra.004084B3 ; false: jump to the error message (patch point)
00408427 8B35 B8104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; true: fall through to the success message
0040842D BB 08000000 MOV EBX, 8
00408432 8D95 94FEFFFF LEA EDX, DWORD PTR SS:[EBP-16C]
00408438 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:[EBP-FC]
0040843E C785 9CFEFFFF 7>MOV DWORD PTR SS:[EBP-164], [PYG]Cra.00405D74
00408448 899D 94FEFFFF MOV DWORD PTR SS:[EBP-16C], EBX
0040844E FFD6 CALL ESI
00408450 8D95 A4FEFFFF LEA EDX, DWORD PTR SS:[EBP-15C]
00408456 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:[EBP-EC]
0040845C C785 ACFEFFFF 5>MOV DWORD PTR SS:[EBP-154], [PYG]Cra.00405D5C
00408466 899D A4FEFFFF MOV DWORD PTR SS:[EBP-15C], EBX
0040846C FFD6 CALL ESI
0040846E 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:[EBP-11C]
00408474 8D95 F4FEFFFF LEA EDX, DWORD PTR SS:[EBP-10C]
0040847A 51 PUSH ECX
0040847B 8D85 04FFFFFF LEA EAX, DWORD PTR SS:[EBP-FC]
00408481 52 PUSH EDX
00408482 50 PUSH EAX
00408483 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:[EBP-EC]
00408489 6A 40 PUSH 40
0040848B 51 PUSH ECX ; success
0040848C FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00408492 8D95 E4FEFFFF LEA EDX, DWORD PTR SS:[EBP-11C]
00408498 8D85 F4FEFFFF LEA EAX, DWORD PTR SS:[EBP-10C]
0040849E 52 PUSH EDX
0040849F 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:[EBP-FC]
004084A5 50 PUSH EAX
004084A6 8D95 14FFFFFF LEA EDX, DWORD PTR SS:[EBP-EC]
004084AC 51 PUSH ECX
004084AD 52 PUSH EDX
004084AE E9 86000000 JMP [PYG]Cra.00408539
004084B3 8B35 B8104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004084B9 BB 08000000 MOV EBX, 8
004084BE 8D95 94FEFFFF LEA EDX, DWORD PTR SS:[EBP-16C]
004084C4 8D8D 04FFFFFF LEA ECX, DWORD PTR SS:[EBP-FC]
004084CA C785 9CFEFFFF 9>MOV DWORD PTR SS:[EBP-164], [PYG]Cra.00405D94 ; ASCII "1Y%?
004084D4 899D 94FEFFFF MOV DWORD PTR SS:[EBP-16C], EBX
004084DA FFD6 CALL ESI
004084DC C785 ACFEFFFF 8>MOV DWORD PTR SS:[EBP-154], [PYG]Cra.00405D80
004084E6 8D95 A4FEFFFF LEA EDX, DWORD PTR SS:[EBP-15C]
004084EC 8D8D 14FFFFFF LEA ECX, DWORD PTR SS:[EBP-EC]
004084F2 899D A4FEFFFF MOV DWORD PTR SS:[EBP-15C], EBX
004084F8 FFD6 CALL ESI
004084FA 8D85 E4FEFFFF LEA EAX, DWORD PTR SS:[EBP-11C]
00408500 8D8D F4FEFFFF LEA ECX, DWORD PTR SS:[EBP-10C]
00408506 50 PUSH EAX
00408507 8D95 04FFFFFF LEA EDX, DWORD PTR SS:[EBP-FC]
0040850D 51 PUSH ECX
0040850E 52 PUSH EDX
0040850F 8D85 14FFFFFF LEA EAX, DWORD PTR SS:[EBP-EC]
00408515 57 PUSH EDI
00408516 50 PUSH EAX ; failure
00408517 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040851D 8D8D E4FEFFFF LEA ECX, DWORD PTR SS:[EBP-11C] ;<----- the top of the stack points here; search upward from this line
......
6. Algorithm analysis
(1) First part of the serial:
A = length of the name * 25F5 + Asc(first character of the name) * 29
(2) Second part of the serial:
B = Asc(first character of the name) * 25F5 * 7B
(3) Third part of the serial:
C = length of the name * Asc(first character of the name) * 19D5
(4) Fourth part of the serial:
D = C + 25F5
(All constants are hexadecimal.) So the serial depends only on the first character of the name and the length of the name: any two names that agree on those, e.g. dewar and dxxxx, get the same serial. Note also that each entered group is converted to a Double by #581 (VB's Val) and compared as a number, so the check accepts any spelling that Val turns into the same value (e.g. "52685.0"), not only the exact decimal string.
Taking the name dewar as an example (the first character d has code 0x64 = 100, and the name is 5 characters long):
A = 5*25F5 + 64*29 = 0CDCD(H) = 52685(D)
B = 64*25F5*7B = 71FB77C(H) = 119519100(D)
C = 5*64*19D5 = 327404(H) = 3306500(D)
D = 327404(H) + 25F5(H) = 3299F9(H) = 3316217(D)
That ends the algorithm analysis; we have a valid serial:
Name: dewar
Serial: 52685-119519100-3306500-3316217
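The keygen and checker below are added to this write-up and are not the author's code. They implement the four formulas above with the constants taken from the listing, and check() mirrors the target's comparison path (0040836E to 004083D4): each group goes through a simplified model of VB6's Val() (#581) and is compared as a Double, with the four results And-ed together. Assumptions: the name is ASCII (Asc() of a wider character would give a different code); the dash-joined serial is this post's notation, since the listing reads four separate controls; and Val's &H/&O prefixes are deliberately not modelled.

```python
"""Keygen and checker for the PYG crackme serial scheme (added example,
not the original post's code). Assumes ASCII names and a simplified Val()."""
import re
from typing import Tuple

# Constants recovered from the listing (hexadecimal in the write-up).
K_25F5 = 0x25F5   # 9717: multiplies the name length in A, final addend in D
K_29 = 0x29       # 41: multiplies the first character's code in A
K_7B = 0x7B       # 123: second multiplier in B
K_19D5 = 0x19D5   # 6613: multiplier in C (the immediate visible at 00408248)


def serial_parts(name: str) -> Tuple[int, int, int, int]:
    """Compute A, B, C, D exactly as the target does, in integer arithmetic."""
    if not name:
        # The target tests __vbaLenVar(name) == 0 and shows the error box.
        raise ValueError("empty name is rejected by the target")
    n = len(name)
    c = ord(name[0])   # Asc(Mid(name, 1, 1)); assumption: ASCII name
    a = n * K_25F5 + c * K_29
    b = c * K_25F5 * K_7B
    cc = n * c * K_19D5
    d = cc + K_25F5
    return a, b, cc, d


def keygen(name: str) -> str:
    """Serial in the dash-separated form used in this write-up (the target's
    form reads four separate controls, one per group)."""
    return "-".join(str(p) for p in serial_parts(name))


# Longest leading numeric prefix: optional sign, digits with optional point,
# optional exponent (VB accepts both E and D as the exponent marker).
_NUM_PREFIX = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eEdD][+-]?\d+)?")


def vb_val(s: str) -> float:
    """Approximation of VB6 Val(): blanks are dropped anywhere in the string,
    the leading numeric prefix is converted, anything else yields 0.
    VB's &H/&O prefixes are intentionally not modelled."""
    compact = "".join(s.split())
    m = _NUM_PREFIX.match(compact)
    if not m:
        return 0.0
    return float(m.group(0).replace("d", "e").replace("D", "e"))


def check(name: str, serial: str) -> bool:
    """Mirror of the target's check: every entered group is Val()'d and
    compared as a Double with A, B, C, D; the four results are And-ed,
    so all four must match (there is no short-circuit in the target)."""
    if not name:
        return False
    groups = serial.split("-")
    if len(groups) != 4:
        return False
    expected = serial_parts(name)
    results = [vb_val(g) == float(w) for g, w in zip(groups, expected)]
    return all(results)


if __name__ == "__main__":
    # "dxxxx" shares first character and length with "dewar" and so collides.
    for n in ("dewar", "dxxxx", "PYG"):
        print(f"{n:>6}: {keygen(n)}")
```

Running the block prints the serial for dewar given above and the identical serial for dxxxx, which makes the collision concrete; check() also accepts numerically equivalent spellings of the groups, something a byte-for-byte view of the serial would miss.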
--------------------------------------------------------------------------------
【Copyright】: Originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
26 December 2006, 19:16:48