【文章标题】:一款VB程序的注册分析
【软件名称】: *******信息管理系统
【软件大小】: 37.00MB
【下载地址】: http://www.fjkl.gov.cn/fjrs/
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: vb6.0
【使用工具】: OD
【操作平台】: XPsp2
【软件介绍】: 是一款人事信息和工资管理的软件。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【详细过程】
下载安装后进行系统初始化既建立数据库后登陆,输入用户名:rsgl 密码:7853 后回车,出现试用版信息,点击系统维护的软件注册,输入8888-8888-8888-8888-8888-8888-8888-8888,点
击确认注册后系统重启。
用OD载入,程序停在入口点,按ALT+E,出现可执行模块,双击C:\WINDOWS\SYSTEM32\MSVBVM60.DLL进入MSVBVM60模块,右击搜索-单前模块中的名称,找_vbavartsteq后按F2下断后运行。
程序停在
7349BBE6 > FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BBEA FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BBEE 6A 00 PUSH 0
7349BBF0 E8 2254FFFF CALL MSVBVM60.73491017
7349BBF5 8B0485 E4F83B73 MOV EAX,DWORD PTR DS:[EAX*4+733BF8E4]
7349BBFC C2 0800 RETN 8
7349BBFF > FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC03 FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC07 6A 00 PUSH 0
7349BC09 E8 0954FFFF CALL MSVBVM60.73491017
7349BC0E 8B0485 04F93B73 MOV EAX,DWORD PTR DS:[EAX*4+733BF904]
7349BC15 C2 0800 RETN 8
7349BC18 > FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC1C FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC20 6A 00 PUSH 0
7349BC22 E8 F053FFFF CALL MSVBVM60.73491017
7349BC27 8B0485 F0F83B73 MOV EAX,DWORD PTR DS:[EAX*4+733BF8F0]
7349BC2E C2 0800 RETN 8
7349BC31 > FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC35 FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC39 6A 00 PUSH 0
7349BC3B E8 D753FFFF CALL MSVBVM60.73491017
7349BC40 8B0485 08F93B73 MOV EAX,DWORD PTR DS:[EAX*4+733BF908]
7349BC47 C2 0800 RETN 8
7349BC4A > FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC4E FF7424 08 PUSH DWORD PTR SS:[ESP+8]
7349BC52 6A 00 PUSH 0
7349BC54 E8 BE53FFFF CALL MSVBVM60.73491017
。。。。。。。
按ALT+F9返回程序领空。。。。
006A992E . 8B3D 48104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
006A9934 . 8BF0 MOV ESI,EAX
006A9936 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
006A9939 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
006A993C . 52 PUSH EDX
006A993D . 50 PUSH EAX
006A993E . 6A 02 PUSH 2
006A9940 . FFD7 CALL EDI ; <&MSVBVM60.__vbaFreeVarList>
006A9942 . 83C4 0C ADD ESP,0C
006A9945 . 66:85F6 TEST SI,SI
006A9948 . 74 13 JE SHORT FJmis.006A995D 关键跳转处,相等为标准版,不等则跳(爆破点,改JNE也可成标准版)
006A994A . 66:C705 04F18>MOV WORD PTR DS:[84F104],0
006A9953 . BA 78B44300 MOV EDX,FJmis.0043B478
006A9958 . E9 A2010000 JMP FJmis.006A9AFF
006A995D > A1 E0198500 MOV EAX,DWORD PTR DS:[8519E0]
006A9962 . 85C0 TEST EAX,EAX
006A9964 . 75 10 JNZ SHORT FJmis.006A9976
006A9966 . 68 E0198500 PUSH FJmis.008519E0
006A996B . 68 DC8F4200 PUSH FJmis.00428FDC
006A9970 . FF15 8C124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
006A9976 > 8B35 E0198500 MOV ESI,DWORD PTR DS:[8519E0]
006A997C . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
006A997F . 52 PUSH EDX
006A9980 . 56 PUSH ESI
006A9981 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
006A9983 . FF51 14 CALL DWORD PTR DS:[ECX+14]
006A9986 . 85C0 TEST EAX,EAX
006A9988 . DBE2 FCLEX
006A998A . 7D 0B JGE SHORT FJmis.006A9997
006A998C . 6A 14 PUSH 14
006A998E . 68 CC8F4200 PUSH FJmis.00428FCC
006A9993 . 56 PUSH ESI
006A9994 . 50 PUSH EAX
006A9995 . FFD3 CALL EBX
006A9997 > 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
006A999A . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
006A999D . 52 PUSH EDX
006A999E . 50 PUSH EAX
006A999F . 8B08 MOV ECX,DWORD PTR DS:[EAX]
006A99A1 . 8BF0 MOV ESI,EAX
006A99A3 . FF51 60 CALL DWORD PTR DS:[ECX+60]
006A99A6 . 85C0 TEST EAX,EAX
006A99A8 . DBE2 FCLEX
006A99AA . 7D 0B JGE SHORT FJmis.006A99B7
006A99AC . 6A 60 PUSH 60
006A99AE . 68 EC8F4200 PUSH FJmis.00428FEC
006A99B3 . 56 PUSH ESI
006A99B4 . 50 PUSH EAX
006A99B5 . FFD3 CALL EBX
006A99B7 > 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
006A99BA . 50 PUSH EAX
006A99BB . FF15 F4124000 CALL DWORD PTR DS:[<&MSVBVM60.#610>] ; MSVBVM60.rtcGetDateVar
006A99C1 . 8D55 98 LEA EDX,DWORD PTR SS:[EBP-68]
006A99C4 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
006A99C7 . C745 A0 94C34>MOV DWORD PTR SS:[EBP-60],FJmis.0042C394 ; UNICODE "yyyymm"
006A99CE . C745 98 08000>MOV DWORD PTR SS:[EBP-68],8
006A99D5 . FF15 08134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
006A99DB . 6A 01 PUSH 1
006A99DD . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
006A99E0 . 6A 01 PUSH 1
006A99E2 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
006A99E5 . 51 PUSH ECX
006A99E6 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
006A99E9 . 52 PUSH EDX
006A99EA . 50 PUSH EAX
006A99EB . FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.#660>] ; MSVBVM60.rtcVarFromFormatVar
006A99F1 . 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
006A99F4 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
006A99F7 . 52 PUSH EDX
006A99F8 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
006A99FB . 8B31 MOV ESI,DWORD PTR DS:[ECX]
006A99FD . 6A 14 PUSH 14
006A99FF . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
006A9A02 . 50 PUSH EAX
006A9A03 . 51 PUSH ECX
006A9A04 . FF15 54124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
006A9A0A . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
006A9A0D . 50 PUSH EAX
006A9A0E . 8B45 80 MOV EAX,DWORD PTR SS:[EBP-80]
006A9A11 . 52 PUSH EDX
006A9A12 . 50 PUSH EAX
006A9A13 . FF56 4C CALL DWORD PTR DS:[ESI+4C]
006A9A16 . 33F6 XOR ESI,ESI
006A9A18 . 3BC6 CMP EAX,ESI
006A9A1A . DBE2 FCLEX
006A9A1C . 7D 0E JGE SHORT FJmis.006A9A2C
006A9A1E . 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
006A9A21 . 6A 4C PUSH 4C
006A9A23 . 68 24C64200 PUSH FJmis.0042C624
006A9A28 . 51 PUSH ECX
006A9A29 . 50 PUSH EAX
006A9A2A . FFD3 CALL EBX
006A9A2C > 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
006A9A2F . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
006A9A32 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
006A9A35 . FF15 4C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
006A9A3B . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
006A9A3E . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
006A9A41 . 52 PUSH EDX
006A9A42 . 50 PUSH EAX
006A9A43 . 6A 02 PUSH 2
006A9A45 . FF15 B8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
006A9A4B . 83C4 0C ADD ESP,0C
006A9A4E . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
006A9A51 . FF15 9C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
006A9A57 . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58]
006A9A5A . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
006A9A5D . 51 PUSH ECX
006A9A5E . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
006A9A61 . 52 PUSH EDX
006A9A62 . 50 PUSH EAX
006A9A63 . 6A 03 PUSH 3
006A9A65 . FFD7 CALL EDI
006A9A67 . 8B45 80 MOV EAX,DWORD PTR SS:[EBP-80]
006A9A6A . 83C4 10 ADD ESP,10
006A9A6D . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
006A9A70 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
006A9A72 . 52 PUSH EDX
006A9A73 . 68 D88E4300 PUSH FJmis.00438ED8 ; UNICODE "ZC0"
006A9A78 . 50 PUSH EAX
006A9A79 . FF51 40 CALL DWORD PTR DS:[ECX+40]
006A9A7C . 3BC6 CMP EAX,ESI
006A9A7E . DBE2 FCLEX
006A9A80 . 7D 0E JGE SHORT FJmis.006A9A90
006A9A82 . 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
006A9A85 . 6A 40 PUSH 40
006A9A87 . 68 24C64200 PUSH FJmis.0042C624
006A9A8C . 51 PUSH ECX
006A9A8D . 50 PUSH EAX
006A9A8E . FFD3 CALL EBX
006A9A90 > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
006A9A93 . 6A 20 PUSH 20
006A9A95 . 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
006A9A98 . 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
006A9A9B . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
006A9A9E . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
006A9AA1 . 50 PUSH EAX
006A9AA2 . 51 PUSH ECX
006A9AA3 . 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
006A9AA6 . C745 B8 08800>MOV DWORD PTR SS:[EBP-48],8008
006A9AAD . 8955 A0 MOV DWORD PTR SS:[EBP-60],EDX
006A9AB0 . C745 98 08400>MOV DWORD PTR SS:[EBP-68],4008
006A9AB7 . FF15 38134000 CALL DWORD PTR DS:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
006A9ABD . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
006A9AC0 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
006A9AC3 . 52 PUSH EDX
006A9AC4 . 50 PUSH EAX
006A9AC5 . FF15 78114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
006A9ACB . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
006A9ACE . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
006A9AD1 . 51 PUSH ECX
006A9AD2 . 52 PUSH EDX
006A9AD3 . 6A 02 PUSH 2
006A9AD5 . 8BF0 MOV ESI,EAX
006A9AD7 . FFD7 CALL EDI
006A9AD9 . 83C4 0C ADD ESP,0C
006A9ADC . 66:85F6 TEST SI,SI
006A9ADF . 74 10 JE SHORT FJmis.006A9AF1
006A9AE1 . 66:C705 04F18>MOV WORD PTR DS:[84F104],1
006A9AEA . BA 84B44300 MOV EDX,FJmis.0043B484
006A9AEF . EB 0E JMP SHORT FJmis.006A9AFF
006A9AF1 > 66:C705 04F18>MOV WORD PTR DS:[84F104],2
006A9AFA . BA 90B44300 MOV EDX,FJmis.0043B490
006A9AFF > B9 08F18400 MOV ECX,FJmis.0084F108
006A9B04 . FF15 AC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
006A9B0A . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
006A9B0D . 6A 00 PUSH 0
006A9B0F . 50 PUSH EAX
006A9B10 . FF15 EC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSetAddref
006A9B16 . 68 689B6A00 PUSH FJmis.006A9B68
006A9B1B . EB 38 JMP SHORT FJmis.006A9B55
006A9B1D . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
006A9B20 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
006A9B23 . 51 PUSH ECX
006A9B24 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
006A9B27 . 52 PUSH EDX
006A9B28 . 50 PUSH EAX
006A9B29 . 6A 03 PUSH 3
006A9B2B . FF15 B8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
006A9B31 . 83C4 10 ADD ESP,10
006A9B34 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
006A9B37 . FF15 9C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
006A9B3D . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58]
006A9B40 . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
006A9B43 . 51 PUSH ECX
006A9B44 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
006A9B47 . 52 PUSH EDX
006A9B48 . 50 PUSH EAX
006A9B49 . 6A 03 PUSH 3
006A9B4B . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
006A9B51 . 83C4 10 ADD ESP,10
006A9B54 . C3 RETN
006A9B55 > 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
006A9B58 . FF15 9C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
006A9B5E . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
006A9B61 . FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
在内存堆贱处可见0012F964 假码和 0012F974 注册码。
因此可写内存注册机
中断地址:6A992E
中断次数:1
第一字节:8B
指令长度:6
保存信息选内存方式。
内存地址填:12F974
勾选宽字符串,地址指针为1层。
初次练习找注册码,但无法找到真正的注册算法,哪位高手帮忙分析一下具体的注册算法,并如何编写算法注册机源码,
小弟不胜感激!!
[课程]Android-CTF解题方法汇总!
