【文章标题】: [入门算法]三维立体图像制作大师v3.15
【文章作者】: KuNgBiM
【作者邮箱】: kungbim@163.com
【作者主页】: http://www.crkcn.com
【软件名称】: 三维立体图像制作大师v3.15
【软件大小】: 2875 KB
【下载地址】: 自己搜索下载
【加壳方式】: tElock 0.98b1
【保护方式】: 序列号+水印
【编写语言】: Microsoft Visual Basic 5.0 / 6.0[Native]
【使用工具】: OD+untElock98(heXer)
【操作平台】: 盗版XPsp2
【软件介绍】: 三维立体画,看似平面却隐藏了奇妙的3D世界。欣赏立体画是一种奇妙的体验, 那么亲手制作这样的三维立体画呢? 事实上, 那也不是一件难事!使用《三维立体图像制作大师》,几分钟之内便可以制作出多层次立体感的精美作品!
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一切从壳开始,我们查壳为tElock 0.98b1,用现成的脱壳机脱壳,感谢heXer大侠的作品。
再查,程序为Microsoft Visual Basic 5.0 / 6.0[Native]编译。
运行程序,注册它,有错误提示,OD载入再说。
载入后下函数断点:bpx rtcMsgBox
运行输入试炼信息,中断:
---------------------
机器码:-2013092884
试炼码:99999999999
---------------------
; Routine in the unpacked VB6 (native) program that validates the entered registration code (OllyDbg listing).
; This part derives the expected code from the machine ID and compares it with what the user typed.
; Review note: the expected code is computed locally from the machine ID and one fixed constant, and it is held
; as a readable string when the comparison runs, so the whole check is observable from a debugger.
004D6EE0 > \55 push ebp ; routine entry; the author sets a breakpoint here and resumes with F9
004D6EE1 . 8BEC mov ebp, esp
004D6EE3 . 83EC 0C sub esp, 0C
004D6EE6 . 68 362E4000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SEH handler installation
004D6EEB . 64:A1 00000000 mov eax, dword ptr fs:[0]
004D6EF1 . 50 push eax
004D6EF2 . 64:8925 00000000 mov dword ptr fs:[0], esp
004D6EF9 . 81EC B8000000 sub esp, 0B8
004D6EFF . 53 push ebx
004D6F00 . 56 push esi
004D6F01 . 57 push edi
004D6F02 . 8965 F4 mov dword ptr [ebp-C], esp
004D6F05 . C745 F8 E01E4000 mov dword ptr [ebp-8], 00401EE0
004D6F0C . 8B75 08 mov esi, dword ptr [ebp+8] ; esi = object pointer passed as the first argument (presumably the form - confirm)
004D6F0F . 8BC6 mov eax, esi
004D6F11 . 83E0 01 and eax, 1
004D6F14 . 8945 FC mov dword ptr [ebp-4], eax
004D6F17 . 83E6 FE and esi, FFFFFFFE
004D6F1A . 56 push esi
004D6F1B . 8975 08 mov dword ptr [ebp+8], esi
004D6F1E . 8B0E mov ecx, dword ptr [esi]
004D6F20 . FF51 04 call dword ptr [ecx+4] ; vtable slot +4 (looks like AddRef - confirm)
004D6F23 . 8B16 mov edx, dword ptr [esi]
004D6F25 . 33DB xor ebx, ebx ; ebx = 0; used below as the zero value for initialisation and compares
004D6F27 . 56 push esi
004D6F28 . 895D DC mov dword ptr [ebp-24], ebx
004D6F2B . 895D D8 mov dword ptr [ebp-28], ebx
004D6F2E . 895D D4 mov dword ptr [ebp-2C], ebx
004D6F31 . 895D D0 mov dword ptr [ebp-30], ebx
004D6F34 . 895D CC mov dword ptr [ebp-34], ebx
004D6F37 . 895D BC mov dword ptr [ebp-44], ebx
004D6F3A . 895D AC mov dword ptr [ebp-54], ebx
004D6F3D . 895D 9C mov dword ptr [ebp-64], ebx
004D6F40 . 895D 8C mov dword ptr [ebp-74], ebx
004D6F43 . 899D 7CFFFFFF mov dword ptr [ebp-84], ebx
004D6F49 . 889D 68FFFFFF mov byte ptr [ebp-98], bl
004D6F4F . FF92 0C030000 call dword ptr [edx+30C] ; vtable call on esi; returns an object (presumably the machine-ID control - confirm)
004D6F55 . 50 push eax
004D6F56 . 8D45 CC lea eax, dword ptr [ebp-34]
004D6F59 . 50 push eax
004D6F5A . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004D6F60 . 8B45 CC mov eax, dword ptr [ebp-34]
004D6F63 . 8D4D BC lea ecx, dword ptr [ebp-44]
004D6F66 . 6A 04 push 4 ; length argument 4: take the first 4 characters (sign included)
004D6F68 . 8D55 AC lea edx, dword ptr [ebp-54]
004D6F6B . 51 push ecx
004D6F6C . 52 push edx
004D6F6D . 895D CC mov dword ptr [ebp-34], ebx
004D6F70 . 8945 C4 mov dword ptr [ebp-3C], eax
004D6F73 . C745 BC 09000000 mov dword ptr [ebp-44], 9 ; type field of the temp Variant at ebp-44 = 9 (VT_DISPATCH); its data field is the object stored above
004D6F7A . FF15 38124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar (VB Left: take characters from the left)
004D6F80 . 8B3D 20104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
004D6F86 . 8D55 AC lea edx, dword ptr [ebp-54]
004D6F89 . 8D4D DC lea ecx, dword ptr [ebp-24]
004D6F8C . FFD7 call edi ; <&MSVBVM60.__vbaVarMove>
004D6F8E . 8D4D CC lea ecx, dword ptr [ebp-34]
004D6F91 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004D6F97 . 8D4D BC lea ecx, dword ptr [ebp-44]
004D6F9A . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004D6FA0 . 8D45 DC lea eax, dword ptr [ebp-24]
004D6FA3 . 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
004D6FA9 . 50 push eax
004D6FAA . 8D55 BC lea edx, dword ptr [ebp-44]
004D6FAD . 51 push ecx
004D6FAE . 52 push edx
004D6FAF . C745 84 674E0000 mov dword ptr [ebp-7C], 4E67 ; fixed multiplier 4E67h (20071 decimal)
004D6FB6 . C785 7CFFFFFF 0200>mov dword ptr [ebp-84], 2 ; type field of the Variant at ebp-84 = 2 (VT_I2); its data is the constant above
004D6FC0 . FF15 6C114000 call dword ptr [<&MSVBVM60.__vbaVarMul>] ; Variant multiply; pointer to the result is returned in eax
004D6FC6 . 8BD0 mov edx, eax
004D6FC8 . 8D4D DC lea ecx, dword ptr [ebp-24]
004D6FCB . FFD7 call edi
004D6FCD . 8D45 DC lea eax, dword ptr [ebp-24]
004D6FD0 . 6A 08 push 8 ; length argument 8: take the first 8 characters of the product (sign included)
004D6FD2 . 8D4D BC lea ecx, dword ptr [ebp-44]
004D6FD5 . 50 push eax
004D6FD6 . 51 push ecx
004D6FD7 . FF15 38124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar (VB Left: take characters from the left)
004D6FDD . 8D55 BC lea edx, dword ptr [ebp-44]
004D6FE0 . 8D4D DC lea ecx, dword ptr [ebp-24]
004D6FE3 . FFD7 call edi
004D6FE5 . 8B16 mov edx, dword ptr [esi]
004D6FE7 . 56 push esi
004D6FE8 . FF92 08030000 call dword ptr [edx+308] ; vtable call on esi; returns an object (presumably the code-entry control - confirm)
004D6FEE . 50 push eax
004D6FEF . 8D45 CC lea eax, dword ptr [ebp-34]
004D6FF2 . 50 push eax
004D6FF3 . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004D6FF9 . 8BF8 mov edi, eax
004D6FFB . 8B0F mov ecx, dword ptr [edi]
004D6FFD . 8D55 D8 lea edx, dword ptr [ebp-28]
004D7000 . 52 push edx
004D7001 . 57 push edi
004D7002 . FF91 A0000000 call dword ptr [ecx+A0] ; property read into [ebp-28] (presumably the control's Text - confirm)
004D7008 . 3BC3 cmp eax, ebx
004D700A . DBE2 fclex
004D700C . 7D 12 jge short 004D7020
004D700E . 68 A0000000 push 0A0
004D7013 . 68 34E54000 push 0040E534
004D7018 . 57 push edi
004D7019 . 50 push eax
004D701A . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D7020 > 8B45 D8 mov eax, dword ptr [ebp-28] ; entered (trial) code, UNICODE "99999999999"
004D7023 . 8D4D DC lea ecx, dword ptr [ebp-24]
004D7026 . 8945 C4 mov dword ptr [ebp-3C], eax ; entered string stored as the temp Variant's data; author notes the expected code, UNICODE "-4034271", is readable at this point (presumably via the computed Variant at ebp-24)
004D7029 . 8D45 BC lea eax, dword ptr [ebp-44]
004D702C . 50 push eax
004D702D . 51 push ecx
004D702E . 895D D8 mov dword ptr [ebp-28], ebx
004D7031 . C745 BC 08800000 mov dword ptr [ebp-44], 8008 ; 8008h (32776 decimal) written to the type field of the temp Variant that holds the entered string
004D7038 . FF15 F0114000 call dword ptr [<&MSVBVM60.__vbaVarTstNe>] ; Variant "not equal" test. NOTE(review): the original note said this compare could be ignored, but its result in ax decides the je below
004D703E . 8D4D CC lea ecx, dword ptr [ebp-34]
004D7041 . 66:8BF8 mov di, ax ; di = compare result; author's register view here: ax=FFFF, di=7FDC; ax must be 0 to pass
004D7044 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004D704A . 8D4D BC lea ecx, dword ptr [ebp-44]
004D704D . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004D7053 . 66:3BFB cmp di, bx ; di == 0 means the two values were equal
004D7056 . 0F84 29010000 je 004D7185 ; equal: jump to the registration-succeeded path
; Mismatch path (fall-through of the je at 004D7056): stores 0 in the word at 4FE034, builds the message
; strings, shows the failure message box, frees the temporaries and jumps to the common exit.
004D705C . B9 19000000 mov ecx, 19
004D7061 . 66:891D 34E04F00 mov word ptr [4FE034], bx ; bx is 0 here; the match path stores 0FFFF at the same address (presumably the "registered" flag - confirm)
004D7068 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaUI1I2>] ; MSVBVM60.__vbaUI1I2
004D706E . BA B0BE4000 mov edx, 0040BEB0
004D7073 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004D7076 . 8885 68FFFFFF mov byte ptr [ebp-98], al
004D707C . FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
004D7082 . 8D95 68FFFFFF lea edx, dword ptr [ebp-98]
004D7088 . 8D45 D8 lea eax, dword ptr [ebp-28]
004D708B . 52 push edx
004D708C . 50 push eax
004D708D . E8 3EBEFEFF call 004C2ED0 ; program helper taking the copied string and the byte at ebp-98; its result is moved into [ebp-30] as a string (purpose not shown here)
004D7092 . 8BD0 mov edx, eax
004D7094 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004D7097 . FF15 48124000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004D709D . 391D 88EA4F00 cmp dword ptr [4FEA88], ebx
004D70A3 . 75 10 jnz short 004D70B5
004D70A5 . 68 88EA4F00 push 004FEA88
004D70AA . 68 18C64000 push 0040C618
004D70AF . FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004D70B5 > 8B35 88EA4F00 mov esi, dword ptr [4FEA88]
004D70BB . 8D55 CC lea edx, dword ptr [ebp-34]
004D70BE . 52 push edx
004D70BF . 56 push esi
004D70C0 . 8B0E mov ecx, dword ptr [esi]
004D70C2 . FF51 14 call dword ptr [ecx+14]
004D70C5 . 3BC3 cmp eax, ebx
004D70C7 . DBE2 fclex
004D70C9 . 7D 0F jge short 004D70DA
004D70CB . 6A 14 push 14
004D70CD . 68 08C64000 push 0040C608
004D70D2 . 56 push esi
004D70D3 . 50 push eax
004D70D4 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D70DA > 8B45 CC mov eax, dword ptr [ebp-34]
004D70DD . 8D55 D4 lea edx, dword ptr [ebp-2C]
004D70E0 . 52 push edx
004D70E1 . 50 push eax
004D70E2 . 8B08 mov ecx, dword ptr [eax]
004D70E4 . 8BF0 mov esi, eax
004D70E6 . FF51 60 call dword ptr [ecx+60] ; property read into [ebp-2C]; that string is passed to the message box below
004D70E9 . 3BC3 cmp eax, ebx
004D70EB . DBE2 fclex
004D70ED . 7D 0F jge short 004D70FE
004D70EF . 6A 60 push 60
004D70F1 . 68 28C64000 push 0040C628
004D70F6 . 56 push esi
004D70F7 . 50 push eax
004D70F8 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D70FE > B8 0A000000 mov eax, 0A
004D7103 . B9 04000280 mov ecx, 80020004
004D7108 . 8945 8C mov dword ptr [ebp-74], eax
004D710B . 8945 9C mov dword ptr [ebp-64], eax
004D710E . 8B45 D4 mov eax, dword ptr [ebp-2C]
004D7111 . 894D 94 mov dword ptr [ebp-6C], ecx
004D7114 . 8945 B4 mov dword ptr [ebp-4C], eax
004D7117 . 8B45 D0 mov eax, dword ptr [ebp-30]
004D711A . 894D A4 mov dword ptr [ebp-5C], ecx
004D711D . B9 08000000 mov ecx, 8
004D7122 . 8945 C4 mov dword ptr [ebp-3C], eax
004D7125 . 894D AC mov dword ptr [ebp-54], ecx
004D7128 . 894D BC mov dword ptr [ebp-44], ecx
004D712B . 8D45 8C lea eax, dword ptr [ebp-74]
004D712E . 8D4D 9C lea ecx, dword ptr [ebp-64]
004D7131 . 50 push eax
004D7132 . 8D55 AC lea edx, dword ptr [ebp-54]
004D7135 . 51 push ecx
004D7136 . 52 push edx
004D7137 . 8D45 BC lea eax, dword ptr [ebp-44]
004D713A . 6A 30 push 30 ; message-box buttons argument 30h
004D713C . 50 push eax
004D713D . 895D D4 mov dword ptr [ebp-2C], ebx
004D7140 . 895D D0 mov dword ptr [ebp-30], ebx
004D7143 . FF15 B0104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox (registration-failed message; this is the call the rtcMsgBox breakpoint catches)
004D7149 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004D714C . 8D55 D8 lea edx, dword ptr [ebp-28]
004D714F . 51 push ecx
004D7150 . 52 push edx
004D7151 . 6A 02 push 2
004D7153 . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004D7159 . 83C4 0C add esp, 0C
004D715C . 8D4D CC lea ecx, dword ptr [ebp-34]
004D715F . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004D7165 . 8D45 8C lea eax, dword ptr [ebp-74]
004D7168 . 8D4D 9C lea ecx, dword ptr [ebp-64]
004D716B . 50 push eax
004D716C . 8D55 AC lea edx, dword ptr [ebp-54]
004D716F . 51 push ecx
004D7170 . 8D45 BC lea eax, dword ptr [ebp-44]
004D7173 . 52 push edx
004D7174 . 50 push eax
004D7175 . 6A 04 push 4
004D7177 . FF15 48104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004D717D . 83C4 14 add esp, 14
004D7180 . E9 E6010000 jmp 004D736B ; skip the match path and go to the common exit
; Match path (target of the je at 004D7056): stores 0FFFF in the word at 4FE034, saves the entered code with
; SaveSetting, shows the success message box, then makes one more call on the global object at 4FEA88.
; Review note: the accepted code is persisted exactly as typed, as a plain string value.
004D7185 > 66:C705 34E04F00 F>mov word ptr [4FE034], 0FFFF ; the mismatch path stores 0 at this address (presumably the "registered" flag - confirm)
004D718E . 8B0E mov ecx, dword ptr [esi]
004D7190 . 56 push esi
004D7191 . FF91 08030000 call dword ptr [ecx+308] ; same vtable slot as at 004D6FE8 (presumably the code-entry control - confirm)
004D7197 . 8D55 CC lea edx, dword ptr [ebp-34]
004D719A . 50 push eax
004D719B . 52 push edx
004D719C . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004D71A2 . 8BF8 mov edi, eax
004D71A4 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004D71A7 . 51 push ecx
004D71A8 . 57 push edi
004D71A9 . 8B07 mov eax, dword ptr [edi]
004D71AB . FF90 A0000000 call dword ptr [eax+A0] ; property read into [ebp-28], same slot as at 004D7002
004D71B1 . 3BC3 cmp eax, ebx
004D71B3 . DBE2 fclex
004D71B5 . 7D 12 jge short 004D71C9
004D71B7 . 68 A0000000 push 0A0
004D71BC . 68 34E54000 push 0040E534
004D71C1 . 57 push edi
004D71C2 . 50 push eax
004D71C3 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D71C9 > 8B55 D8 mov edx, dword ptr [ebp-28] ; entered code, pushed next as the value to save
004D71CC . 52 push edx
004D71CD . 68 ECCD4000 push 0040CDEC ; key name: UNICODE "PCode"
004D71D2 . 68 CCCD4000 push 0040CDCC ; section: UNICODE "Registration"
004D71D7 . 68 B8CD4000 push 0040CDB8 ; application name: UNICODE "3DMaker"
004D71DC . FF15 0C104000 call dword ptr [<&MSVBVM60.#690>] ; MSVBVM60.rtcSaveSetting (VB SaveSetting: stores the registration data)
004D71E2 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004D71E5 . FF15 78124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004D71EB . 8D4D CC lea ecx, dword ptr [ebp-34]
004D71EE . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004D71F4 . B9 19000000 mov ecx, 19
004D71F9 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaUI1I2>] ; MSVBVM60.__vbaUI1I2
004D71FF . BA 98BD4000 mov edx, 0040BD98
004D7204 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004D7207 . 8885 68FFFFFF mov byte ptr [ebp-98], al
004D720D . FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
004D7213 . 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
004D7219 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004D721C . 50 push eax
004D721D . 51 push ecx
004D721E . E8 ADBCFEFF call 004C2ED0 ; same program helper as on the mismatch path, here fed the string at 0040BD98 (purpose not shown here)
004D7223 . 8BD0 mov edx, eax
004D7225 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004D7228 . FF15 48124000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004D722E . 391D 88EA4F00 cmp dword ptr [4FEA88], ebx
004D7234 . 75 10 jnz short 004D7246
004D7236 . 68 88EA4F00 push 004FEA88
004D723B . 68 18C64000 push 0040C618
004D7240 . FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004D7246 > 8B3D 88EA4F00 mov edi, dword ptr [4FEA88]
004D724C . 8D45 CC lea eax, dword ptr [ebp-34]
004D724F . 50 push eax
004D7250 . 57 push edi
004D7251 . 8B17 mov edx, dword ptr [edi]
004D7253 . FF52 14 call dword ptr [edx+14]
004D7256 . 3BC3 cmp eax, ebx
004D7258 . DBE2 fclex
004D725A . 7D 0F jge short 004D726B
004D725C . 6A 14 push 14
004D725E . 68 08C64000 push 0040C608
004D7263 . 57 push edi
004D7264 . 50 push eax
004D7265 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D726B > 8B45 CC mov eax, dword ptr [ebp-34]
004D726E . 8D55 D4 lea edx, dword ptr [ebp-2C]
004D7271 . 52 push edx
004D7272 . 50 push eax
004D7273 . 8B08 mov ecx, dword ptr [eax]
004D7275 . 8BF8 mov edi, eax
004D7277 . FF51 60 call dword ptr [ecx+60]
004D727A . 3BC3 cmp eax, ebx
004D727C . DBE2 fclex
004D727E . 7D 0F jge short 004D728F
004D7280 . 6A 60 push 60
004D7282 . 68 28C64000 push 0040C628
004D7287 . 57 push edi
004D7288 . 50 push eax
004D7289 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D728F > B8 0A000000 mov eax, 0A
004D7294 . B9 04000280 mov ecx, 80020004
004D7299 . 8945 8C mov dword ptr [ebp-74], eax
004D729C . 8945 9C mov dword ptr [ebp-64], eax
004D729F . 8B45 D4 mov eax, dword ptr [ebp-2C]
004D72A2 . 894D 94 mov dword ptr [ebp-6C], ecx
004D72A5 . 8945 B4 mov dword ptr [ebp-4C], eax
004D72A8 . 8B45 D0 mov eax, dword ptr [ebp-30]
004D72AB . 894D A4 mov dword ptr [ebp-5C], ecx
004D72AE . B9 08000000 mov ecx, 8
004D72B3 . 8945 C4 mov dword ptr [ebp-3C], eax
004D72B6 . 894D AC mov dword ptr [ebp-54], ecx
004D72B9 . 894D BC mov dword ptr [ebp-44], ecx
004D72BC . 8D45 8C lea eax, dword ptr [ebp-74]
004D72BF . 8D4D 9C lea ecx, dword ptr [ebp-64]
004D72C2 . 50 push eax
004D72C3 . 8D55 AC lea edx, dword ptr [ebp-54]
004D72C6 . 51 push ecx
004D72C7 . 52 push edx
004D72C8 . 8D45 BC lea eax, dword ptr [ebp-44]
004D72CB . 53 push ebx ; message-box buttons argument 0 (ebx is 0)
004D72CC . 50 push eax
004D72CD . 895D D4 mov dword ptr [ebp-2C], ebx
004D72D0 . 895D D0 mov dword ptr [ebp-30], ebx
004D72D3 . FF15 B0104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox (registration-succeeded message)
004D72D9 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004D72DC . 8D55 D8 lea edx, dword ptr [ebp-28]
004D72DF . 51 push ecx
004D72E0 . 52 push edx
004D72E1 . 6A 02 push 2
004D72E3 . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004D72E9 . 83C4 0C add esp, 0C
004D72EC . 8D4D CC lea ecx, dword ptr [ebp-34]
004D72EF . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004D72F5 . 8D45 8C lea eax, dword ptr [ebp-74]
004D72F8 . 8D4D 9C lea ecx, dword ptr [ebp-64]
004D72FB . 50 push eax
004D72FC . 8D55 AC lea edx, dword ptr [ebp-54]
004D72FF . 51 push ecx
004D7300 . 8D45 BC lea eax, dword ptr [ebp-44]
004D7303 . 52 push edx
004D7304 . 50 push eax
004D7305 . 6A 04 push 4
004D7307 . FF15 48104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004D730D . A1 88EA4F00 mov eax, dword ptr [4FEA88]
004D7312 . 83C4 14 add esp, 14
004D7315 . 3BC3 cmp eax, ebx
004D7317 . 75 10 jnz short 004D7329
004D7319 . 68 88EA4F00 push 004FEA88
004D731E . 68 18C64000 push 0040C618
004D7323 . FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004D7329 > 8B3D 88EA4F00 mov edi, dword ptr [4FEA88]
004D732F . 8D4D CC lea ecx, dword ptr [ebp-34]
004D7332 . 56 push esi
004D7333 . 51 push ecx
004D7334 . 8B17 mov edx, dword ptr [edi]
004D7336 . 8995 34FFFFFF mov dword ptr [ebp-CC], edx
004D733C . FF15 BC104000 call dword ptr [<&MSVBVM60.__vbaObjSetAddref>] ; MSVBVM60.__vbaObjSetAddref
004D7342 . 8B95 34FFFFFF mov edx, dword ptr [ebp-CC]
004D7348 . 50 push eax
004D7349 . 57 push edi
004D734A . FF52 10 call dword ptr [edx+10] ; method on the global object at 4FEA88, given the object from esi (purpose not shown here)
004D734D . 3BC3 cmp eax, ebx
004D734F . DBE2 fclex
004D7351 . 7D 0F jge short 004D7362
004D7353 . 6A 10 push 10
004D7355 . 68 08C64000 push 0040C608
004D735A . 57 push edi
004D735B . 50 push eax
004D735C . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004D7362 > 8D4D CC lea ecx, dword ptr [ebp-34]
004D7365 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
; Common exit for both paths: frees the Variant at ebp-24 (the computed code), calls vtable slot +8 on the
; object from [ebp+8], restores the SEH chain and returns.
004D736B > 895D FC mov dword ptr [ebp-4], ebx
004D736E . 68 BB734D00 push 004D73BB ; address the cleanup stub at 004D73B1 returns to
004D7373 . EB 3C jmp short 004D73B1
; The stub below (004D7375-004D73B0) is skipped by the jmp above; presumably it is the cleanup used on an error unwind - confirm.
004D7375 . 8D45 D0 lea eax, dword ptr [ebp-30]
004D7378 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004D737B . 50 push eax
004D737C . 8D55 D8 lea edx, dword ptr [ebp-28]
004D737F . 51 push ecx
004D7380 . 52 push edx
004D7381 . 6A 03 push 3
004D7383 . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
004D7389 . 83C4 10 add esp, 10
004D738C . 8D4D CC lea ecx, dword ptr [ebp-34]
004D738F . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004D7395 . 8D45 8C lea eax, dword ptr [ebp-74]
004D7398 . 8D4D 9C lea ecx, dword ptr [ebp-64]
004D739B . 50 push eax
004D739C . 8D55 AC lea edx, dword ptr [ebp-54]
004D739F . 51 push ecx
004D73A0 . 8D45 BC lea eax, dword ptr [ebp-44]
004D73A3 . 52 push edx
004D73A4 . 50 push eax
004D73A5 . 6A 04 push 4
004D73A7 . FF15 48104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004D73AD . 83C4 14 add esp, 14
004D73B0 . C3 retn
004D73B1 > 8D4D DC lea ecx, dword ptr [ebp-24] ; Variant that received the computed code
004D73B4 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004D73BA . C3 retn ; returns to 004D73BB, pushed at 004D736E
004D73BB . 8B45 08 mov eax, dword ptr [ebp+8]
004D73BE . 50 push eax
004D73BF . 8B08 mov ecx, dword ptr [eax]
004D73C1 . FF51 08 call dword ptr [ecx+8] ; vtable slot +8 (looks like Release, pairing with the slot +4 call at entry - confirm)
004D73C4 . 8B45 FC mov eax, dword ptr [ebp-4]
004D73C7 . 8B4D EC mov ecx, dword ptr [ebp-14]
004D73CA . 5F pop edi
004D73CB . 5E pop esi
004D73CC . 64:890D 00000000 mov dword ptr fs:[0], ecx ; restore the previous SEH frame
004D73D3 . 5B pop ebx
004D73D4 . 8BE5 mov esp, ebp
004D73D6 . 5D pop ebp
004D73D7 . C2 0400 retn 4 ; return to the caller
注册机代码:
============ 以下程序在盗版XPsp2、VB6.0下编译测试通过 ============
' Text1 change handler: recomputes the value shown in Text2 from the machine ID typed into Text1,
' following the steps traced in the disassembly: Left(Left(id, 4) * 20071, 8).
' The result depends only on the first four characters of the machine ID and one fixed constant.
Private Sub Text1_Change()
Dim MacID, SN As Long ' only SN is declared As Long; MacID has no As clause, so it is a Variant
Const X = 20071 ' 4E67h, the multiplier loaded at 004D6FAF
MacID = Text1.Text
If Len(MacID) <= 0 Then
' empty input: nothing is computed and SN keeps its initial value
Else
SN = Left(Left(MacID, 4) * X, 8) ' relies on implicit string/number conversions
End If
Text2.Text = SN
End Sub
============ 以下程序在盗版XPsp2、Delphi 6.0下编译测试通过 ============
// Edit1 change handler: Delphi version of the same calculation; the result is written to Edit2.
// The value is Left(Left(id, 4) * 20071, 8), so it depends only on the first four characters
// of the machine ID and one fixed constant.
procedure TForm1.Edit1Change(Sender: TObject);
const
X = 20071; // 4E67h, the multiplier loaded at 004D6FAF
var
MacID : Variant; // Variant, so the string/number conversions below are implicit
SN : Longint;
begin
MacID := Edit1.Text;
// NOTE(review): SizeOf gives the storage size of the variable, not the length of the text,
// so this guard does not distinguish empty input - confirm the intent.
if sizeof(MacID)<=0 then begin
end else begin
SN := LeftStr( LeftStr(MacID, 4)*X, 8);
end;
Edit2.Text := SN;
end;
end.
--------------------------------------------------------------------------------
【经验总结】
1.取机器码左起前4位(含符号)作为运算码
2.运算码乘以固定常量4E67[十进制:20071]
3.计算结果取左起8位(含符号)作为注册码
例:机器码 -2013092884 的运算码为 -201,-201 × 20071 = -4034271,与跟踪时看到的真码一致。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年02月23日 16:44:13