How to modify a VB P-code program

Posted by hud, 2007-4-4 15:10
While practising recently I was debugging 飘云阁's CrackMe#1, which has two requirements:
1. Produce one registration code;
2. Remove the Nag on close and the login to the 飘云阁 website.

The first task is already done with WKTVBDE and VBExplorer.

The second task, however, fails no matter what I try. In OD, modifying an N-code VB program or a program written in another language is trivial, but in WKTVBDE every step is a minefield: even simply NOPing out a single byte is hard, any modification makes the program error out at runtime (the old Nag is not gone yet and a new one appears), and after the modification the icon is gone as well. So I am posting for help, hoping that those who know can provide some material and references.

Here is the algorithm I worked out:

Algorithm summary:

1. Constant 7BF (1983);
2. val1 = 2537h (9527);
3. val2 = sum of the characters of Name (hud: 0x141);
4. val1 %= val2;
5. val1 *= len(Name);
6. val1 *= Name[0];
7. val1 += 094D1159;
8. val1 = 094E1B09 (156113673);
9. Take the left 9 characters of the trial code and convert them to a number, val2;
10. val1 / val2 < 2;
11. If val1 % val2 = 7BF, success.

VC keygen:

void CKeygenDlg::OnOK() 
{
  UpdateData(true);                 // pull the Name edit box into m_szName
  int nLen = m_szName.GetLength();
  if (nLen<1)
    return;                         // the CrackMe rejects an empty Name

  DWORD a = 0;
  for (int i=0; i<nLen; ++i)
    a += m_szName[i];               // val2: sum of the characters of Name
  // (2537h Mod val2) * Len(Name) * Asc(Name[0]) + 094D1159h, then + 7BFh
  a = ( 0x2537 % a ) * nLen * m_szName[0] + 0x094D1159 + 0x7BF;
  char s[30];
  sprintf(s, "%lu", a);             // the serial as a decimal string
  m_szSN = s;

  UpdateData(false);                // push m_szSN back to the SN edit box
}


Because debugging in WKTVBDE is inconvenient, the disassembly below is VBExplorer's disassembly with comments added after debugging; some places may not match exactly.

[Command1.Click]
:004039D4  28DCFEBF07          LitVarI2             ;PushVarInteger 07BF  constant 7BFh
:004039D9  FCF6FCFE            FStVar               ;
:004039DD  FEC1DCFE59114D09    LitVarI4             ;
:004039E5  FCF60CFF            FStVar               ;
:004039E9  28DCFE3725          LitVarI2             ;PushVarInteger 2537  constant 2537h
:004039EE  FCF61CFF            FStVar               ;
:004039F2  04D4FE              FLdRfVar             ;Push LOCAL_012C
:004039F5  21                  FLdPrThis            ;[SR]=[stack2]
:004039F6  0F0003              VCallAd              ;Return the control index 02
:004039F9  19D8FE              FStAdFunc            ;
:004039FC  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propget]TextBox.Text  get Name
:004039FF  0DA0000000          VCallHresult         ;Call ptr_004023A4
:00403A04  3ED4FE              FLdZeroAd            ;Push DWORD [LOCAL_012C]; [LOCAL_012C]=0
:00403A07  46C4FE              CVarStr              ;
:00403A0A  04B4FE              FLdRfVar             ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcTrimVar  Trim the user name
:00403A0D  0A01000800          ImpAdCallFPR4        ;Call ptr_00401046; check stack 0008; Push EAX
:00403A12  04B4FE              FLdRfVar             ;Push LOCAL_014C
:00403A15  FCF66CFF            FStVar               ;
:00403A19  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403A1C  35C4FE              FFree1Var            ;Free LOCAL_013C
:00403A1F  04D4FE              FLdRfVar             ;Push LOCAL_012C
:00403A22  21                  FLdPrThis            ;[SR]=[stack2]
:00403A23  0F0403              VCallAd              ;Return the control index 03
:00403A26  19D8FE              FStAdFunc            ;
:00403A29  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propget]TextBox.Text  get the trial code
:00403A2C  0DA0000000          VCallHresult         ;Call ptr_004023A4
:00403A31  3ED4FE              FLdZeroAd            ;Push DWORD [LOCAL_012C]; [LOCAL_012C]=0
:00403A34  46C4FE              CVarStr              ;
:00403A37  04B4FE              FLdRfVar             ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcTrimVar    Trim the trial code
:00403A3A  0A01000800          ImpAdCallFPR4        ;Call ptr_00401046; check stack 0008; Push EAX
:00403A3F  04B4FE              FLdRfVar             ;Push LOCAL_014C
:00403A42  FCF65CFF            FStVar               ;
:00403A46  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403A49  35C4FE              FFree1Var            ;Free LOCAL_013C
:00403A4C  046CFF              FLdRfVar             ;Push LOCAL_0094
******Possible String Ref To->""           Name must not be empty
:00403A4F  3ADCFE0200          LitVarStr            ;PushVarString ptr_004023B8
:00403A54  5D                  HardType             ;
:00403A55  FB2FC4FE            EqVar                ;
:00403A59  045CFF              FLdRfVar             ;Push LOCAL_00A4
******Possible String Ref To->""          trial code must not be empty
:00403A5C  3AA4FE0200          LitVarStr            ;PushVarString ptr_004023B8
:00403A61  5D                  HardType             ;
:00403A62  FB2FB4FE            EqVar                ;
:00403A66  FB1F94FE            OrVar                ;
:00403A6A  FF1B                CBoolVarNull         ;vbaBoolVarNull
:00403A6C  1CC300              BranchF              ;If Pop=0 then ESI=00403A97
:00403A6F  F4FF                LitI2_Byte           ;Push FF
:00403A71  21                  FLdPrThis            ;[SR]=[stack2]
:00403A72  0F2403              VCallAd              ;Return the control index 0b
:00403A75  19D8FE              FStAdFunc            ;
:00403A78  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible  if empty, make the Label visible to show the failure message
:00403A7B  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403A80  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403A83  F400                LitI2_Byte           ;Push 00
:00403A85  21                  FLdPrThis            ;[SR]=[stack2]
:00403A86  0F2003              VCallAd              ;Return the control index 0a
:00403A89  19D8FE              FStAdFunc            ;
:00403A8C  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible   if empty, make the Label visible to show the failure message
:00403A8F  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403A94  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403A97  046CFF              FLdRfVar             ;Push LOCAL_0094
******Possible String Ref To->""
:00403A9A  3ADCFE0200          LitVarStr            ;PushVarString ptr_004023B8
:00403A9F  5D                  HardType             ;
:00403AA0  FB3CC4FE            NeVar                ;
:00403AA4  045CFF              FLdRfVar             ;Push LOCAL_00A4
******Possible String Ref To->""
:00403AA7  3AA4FE0200          LitVarStr            ;PushVarString ptr_004023B8
:00403AAC  5D                  HardType             ;
:00403AAD  FB3CB4FE            NeVar                ;
:00403AB1  FB2794FE            AndVar               ;
:00403AB5  FF1B                CBoolVarNull         ;vbaBoolVarNull
:00403AB7  1C7202              BranchF              ;If Pop=0 then ESI=00403C46
:00403ABA  28DCFE0000          LitVarI2             ;PushVarInteger 0000
:00403ABF  FCF62CFF            FStVar               ;
:00403AC3  28A4FE0100          LitVarI2             ;PushVarInteger 0001  constant 1
:00403AC8  043CFF              FLdRfVar             ;Push LOCAL_00C4
:00403ACB  046CFF              FLdRfVar             ;Push LOCAL_0094
:00403ACE  FBEBC4FE            FnLenVar             ;vbaLenVar
:00403AD2  FE6874FE4601        ForVar               ;equivalent to For i = 1 To Len(Name)
:00403AD8  042CFF              FLdRfVar             ;Push LOCAL_00D4
:00403ADB  28C4FE0100          LitVarI2             ;PushVarInteger 0001
:00403AE0  043CFF              FLdRfVar             ;Push LOCAL_00C4
:00403AE3  FC22                CI4Var               ;vbaI4Var
:00403AE5  046CFF              FLdRfVar             ;Push LOCAL_0094
:00403AE8  04B4FE              FLdRfVar             ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcMidCharVar  equivalent to c = Mid(Name, i, 1)
:00403AEB  0A04001000          ImpAdCallFPR4        ;Call ptr_0040104C; check stack 0010; Push EAX
:00403AF0  04B4FE              FLdRfVar             ;Push LOCAL_014C
:00403AF3  FDFED4FE            CStrVarVal           ;
**********Reference To->msvbvm60.rtcAnsiValueBstr val = Asc(c)
:00403AF7  0B05000400          ImpAdCallI2          ;Call ptr_00401052; check stack 0004; Push EAX
:00403AFC  44A4FE              CVarI2               ;
:00403AFF  FB9494FE            AddVar               ; accumulate val
:00403B03  FCF62CFF            FStVar               ;
:00403B07  2FD4FE              FFree1Str            ;SysFreeString [LOCAL_012C]; [LOCAL_012C]=0
:00403B0A  360400C4FEB4FE      FFreeVar             ;Free 0004/2 variants
:00403B11  043CFF              FLdRfVar             ;Push LOCAL_00C4
:00403B14  FE7E74FE0401        NextStepVar          ; loop back
:00403B1A  041CFF              FLdRfVar             ;Push LOCAL_00E4 val1 = 2537h(9527)
:00403B1D  042CFF              FLdRfVar             ;Push LOCAL_00D4 val2 = sum of the characters of Name
:00403B20  FBA4C4FE            ModVar               ; val3 = val1 Mod val2
:00403B24  046CFF              FLdRfVar             ;Push LOCAL_0094
:00403B27  FBEBB4FE            FnLenVar             ;vbaLenVar Len(Name)
:00403B2B  FBB494FE            MulVar               ; val3 = val3 * Len(Name)
:00403B2F  046CFF              FLdRfVar             ;Push LOCAL_0094 Mid(Name, 1, 1)
:00403B32  FDFED4FE            CStrVarVal           ;
**********Reference To->msvbvm60.rtcAnsiValueBstr Asc( Mid(Name, 1, 1) )
:00403B36  0B05000400          ImpAdCallI2          ;Call ptr_00401052; check stack 0004; Push EAX
:00403B3B  44DCFE              CVarI2               ;
:00403B3E  FBB464FE            MulVar               ; val3 = val3 * Asc( Mid(Name, 1, 1) )
:00403B42  040CFF              FLdRfVar             ;Push LOCAL_00F4
:00403B45  FB9454FE            AddVar               ; val3 = val3 + &H094D1159
:00403B49  FCF6ECFE            FStVar               ;
:00403B4D  2FD4FE              FFree1Str            ;SysFreeString [LOCAL_012C]; [LOCAL_012C]=0
:00403B50  04D4FE              FLdRfVar             ;Push LOCAL_012C
:00403B53  21                  FLdPrThis            ;[SR]=[stack2]
:00403B54  0F0403              VCallAd              ;Return the control index 03
:00403B57  19D8FE              FStAdFunc            ;
:00403B5A  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propget]TextBox.Text get the trial code
:00403B5D  0DA0000000          VCallHresult         ;Call ptr_004023A4
:00403B62  F509000000          LitI4                ;Push 00000009 constant 9
:00403B67  3ED4FE              FLdZeroAd            ;Push DWORD [LOCAL_012C]; [LOCAL_012C]=0
:00403B6A  46C4FE              CVarStr              ;
:00403B6D  04B4FE              FLdRfVar             ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcLeftCharVar str = Left(SN, 9)
:00403B70  0A06000C00          ImpAdCallFPR4        ;Call ptr_00401058; check stack 000C; Push EAX
:00403B75  04B4FE              FLdRfVar             ;Push LOCAL_014C
:00403B78  FDFE50FE            CStrVarVal           ;
**********Reference To->msvbvm60.rtcR8ValFromBstr val4 = CDbl(str)
:00403B7C  0A07000400          ImpAdCallFPR4        ;Call ptr_0040105E; check stack 0004; Push EAX
:00403B81  FD6BDCFE            CVarR8               ;
:00403B85  FCF64CFF            FStVar               ;
:00403B89  2F50FE              FFree1Str            ;SysFreeString [LOCAL_01B0]; [LOCAL_01B0]=0
:00403B8C  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403B8F  360400C4FEB4FE      FFreeVar             ;Free 0004/2 variants
:00403B96  044CFF              FLdRfVar             ;Push LOCAL_00B4 val3
:00403B99  04ECFE              FLdRfVar             ;Push LOCAL_0114 val4
:00403B9C  FB67                LtVarBool            ;Push (Pop1 < Pop2) If val4 < val3 Then Continue
:00403B9E  1CF801              BranchF              ;If Pop=0 then ESI=00403BCC
:00403BA1  F400                LitI2_Byte           ;Push 00
:00403BA3  21                  FLdPrThis            ;[SR]=[stack2]
:00403BA4  0F2003              VCallAd              ;Return the control index 0a
:00403BA7  19D8FE              FStAdFunc            ;
:00403BAA  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible show the failure message
:00403BAD  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403BB2  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403BB5  F4FF                LitI2_Byte           ;Push FF
:00403BB7  21                  FLdPrThis            ;[SR]=[stack2]
:00403BB8  0F2403              VCallAd              ;Return the control index 0b
:00403BBB  19D8FE              FStAdFunc            ;
:00403BBE  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible
:00403BC1  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403BC6  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403BC9  1E7202              Branch               ;ESI=00403C46 if we jump here, continue
:00403BCC  044CFF              FLdRfVar             ;Push LOCAL_00B4 val3
:00403BCF  04ECFE              FLdRfVar             ;Push LOCAL_0114 val4
:00403BD2  FBACC4FE            IDvVar               ; val3 / val4
:00403BD6  28DCFE0200          LitVarI2             ;PushVarInteger 0002
:00403BDB  5D                  HardType             ;
:00403BDC  FB5A                GeVarBool            ; If val3 / val4 >=2 Then GameOver
:00403BDE  1C3802              BranchF              ;If Pop=0 then ESI=00403C0C
:00403BE1  F400                LitI2_Byte           ;Push 00
:00403BE3  21                  FLdPrThis            ;[SR]=[stack2]
:00403BE4  0F2003              VCallAd              ;Return the control index 0a
:00403BE7  19D8FE              FStAdFunc            ;
:00403BEA  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible show the failure message
:00403BED  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403BF2  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403BF5  F4FF                LitI2_Byte           ;Push FF
:00403BF7  21                  FLdPrThis            ;[SR]=[stack2]
:00403BF8  0F2403              VCallAd              ;Return the control index 0b
:00403BFB  19D8FE              FStAdFunc            ;
:00403BFE  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible
:00403C01  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403C06  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403C09  1E7202              Branch               ;ESI=00403C46 jump here and continue
:00403C0C  044CFF              FLdRfVar             ;Push LOCAL_00B4 val3
:00403C0F  04ECFE              FLdRfVar             ;Push LOCAL_0114 val4
:00403C12  FBA4C4FE            ModVar               ; val3 Mod val4
:00403C16  04FCFE              FLdRfVar             ;Push LOCAL_0104 constant 7BF
:00403C19  FB33                EqVarBool            ;
:00403C1B  1C7202              BranchF              ;If Pop=0 then ESI=00403C46 If val3 Mod val4 = 7BF Then NoJump And Success!
:00403C1E  F4FF                LitI2_Byte           ;Push FF
:00403C20  21                  FLdPrThis            ;[SR]=[stack2]
:00403C21  0F2003              VCallAd              ;Return the control index 0a
:00403C24  19D8FE              FStAdFunc            ;
:00403C27  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible show success
:00403C2A  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403C2F  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403C32  F400                LitI2_Byte           ;Push 00
:00403C34  21                  FLdPrThis            ;[SR]=[stack2]
:00403C35  0F2403              VCallAd              ;Return the control index 0b
:00403C38  19D8FE              FStAdFunc            ;
:00403C3B  08D8FE              FLdPr                ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible
:00403C3E  0D9C000300          VCallHresult         ;Call ptr_004023BC
:00403C43  1AD8FE              FFree1Ad             ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0 
:00403C46  13                  ExitProcHresult      ;
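An added example (mine, not code from the post or the CrackMe): the Command1.Click serial check rebuilt in Python from the listing above, beside the post's keygen, so the reason a serial equal to val3 + 7BFh passes can be run and checked. It assumes the operand order read from the FStVar targets (403B49 stores val3 into LOCAL_0114, 403B85 stores the converted serial into LOCAL_00B4, and each test pushes LOCAL_00B4 first) and a digits-only approximation of Val().

```python
# Added example, not code from the post or the CrackMe: the Command1.Click
# check rebuilt from the P-code listing, next to the keygen, for name "hud".

NAME_CONST = 0x2537        # LitVarI2 2537h
ADD_CONST = 0x094D1159     # LitVarI4 094D1159h
MAGIC = 0x7BF              # LitVarI2 07BFh, the expected remainder


def vb_val(s: str) -> float:
    """Approximation of VB Val()/rtcR8ValFromBstr: leading decimal digits,
    0 when there are none (assumption: no sign, exponent or hex prefixes)."""
    digits = ""
    for ch in s.lstrip():
        if not ch.isdigit():
            break
        digits += ch
    return float(digits) if digits else 0.0


def name_value(name: str) -> int:
    """val3 = (2537h Mod Sum(Asc(c))) * Len(Name) * Asc(Name[0]) + 094D1159h.
    The sum is the For i = 1 To Len(Name) loop at 403AD2..403B14 (ASCII names)."""
    total = sum(ord(c) for c in name)             # "hud" -> 0x141
    return (NAME_CONST % total) * len(name) * ord(name[0]) + ADD_CONST


def keygen(name: str) -> str:
    """The VC keygen from the post: val3 + 7BFh as a decimal string."""
    return str(name_value(name) + MAGIC)


def check_serial(name: str, serial: str) -> bool:
    """True when the CrackMe would show the success label for (name, serial)."""
    name, serial = name.strip(), serial.strip()   # rtcTrimVar on both fields
    if not name or not serial:
        return False                              # empty field -> failure label
    val3 = name_value(name)
    val4 = int(vb_val(serial[:9]))                # Left(SN, 9), then Val()
    # Assumed operand order (from the FStVar targets, see the lead-in):
    # val4 < val3, val4 \ val3 >= 2, val4 Mod val3 = 7BFh.
    if val4 < val3:
        return False                              # LtVarBool branch
    if val4 // val3 >= 2:
        return False                              # IDvVar / GeVarBool branch
    return val4 % val3 == MAGIC                   # ModVar / EqVarBool


if __name__ == "__main__":
    sn = keygen("hud")
    print("hud ->", sn, "valid:", check_serial("hud", sn))
```

The two tests after the comparison force val4 to lie in [val3, 2*val3) with remainder 7BFh, so val3 + 7BFh is the only serial the check accepts for a given name.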

Replies (6)

Reply #2:
Forgot to add the attachment:
Uploaded attachment:
2007-4-4 15:24
Reply #3:
It's P-code, eh~
2007-7-31 13:00
Reply #4:
In the Form1.Form_Unload event, changing the entry to 13 removes the nag
403710 proc_403784 size(74):
403710              08 0800                   mov SR,arg_8

In the Form1.Form_QueryUnload event, the entry calls the function below to log in to the website, so you can change it to 13 right there to return
403160 proc_403168 size(8):
403160              10 18070800               ThisVCallHresult  ???
403165              13                        ret
403166              00 00                     LargeBos  ???

4032E4 proc_403308 size(24):
4032E4              F5 00000000               push 00000000
4032E9              3A 6CFF1800               LitVarStr const(24) 'explorer http://luowei.mireene.com/bbs/index.php
4032EE              4E 5CFF                   FStVarCopyObj  ???
4032F1              04 5CFF                   push var_A4
4032F4              0A 19000800               call Shell()(arg_8)
4032F9              74 54FF                   FStFPR8  ???
4032FC              35 5CFF                   FFree1Var  ???
4032FF              08 0800                   mov SR,arg_8
403302              0D A8020B00               VCallHresult  ???=7CB8(unk_402160)
403307              13                        ret

That completes the requirements.
2007-7-31 15:43
Reply #5:
Thank you very much, the patch works great!
2007-8-23 13:22
Reply #6:
I couldn't find how to modify it in WKTVBDebugger :(
2007-8-23 14:00
Reply #7:
I'm not very familiar with WKTVBDebugger; I still used OD to patch it.
2007-8-23 15:51