[Original] **阅卷系统 (Exam Grading System) V8.1: hunting for the hidden checks (暗桩)
Posted: 2008-8-4 18:24 6177
【Title】: **阅卷系统 V8.1
【Author】: rdsnow[BCG][PYG][D.4s]
【Author's e-mail】: rdsnow@163.com
【Author's homepage】: http://rdsnow.ys168.com
【Author's QQ】: 83757177
【Author's note】: Done purely out of interest, for no other purpose. If I have made mistakes, I welcome corrections from the experts!
--------------------------------------------------------------------------------
Finally on holiday. I hadn't touched a computer for a long time, so I picked a program to work on and found I have really gotten rusty. Some forum friends had messaged me asking me to look at this program, though I am rarely on QQ. The way the registration code is built feels fairly simple; you could call it a segmented plaintext code. The verification does have the following characteristics, though:
1. The parts of the registration code are not verified in one place; the checks are scattered across various parts of the program.
2. Some checks run at random, some run when the program performs a certain operation, and some depend on the machine (it feels like the random doping tests on athletes at the Olympics).
If you do not find all of the verification code, a registration code will register successfully on some machines and fail on others; that is exactly what a hidden check (暗桩) in a program is.
3. As soon as a bad registration code is detected, the machine's registration information is deleted immediately (disqualified from the Olympics), and at the same time your computer is logged off (speechless).
--------------------------------------------------------------------------------
1. Entering a wrong registration code produces a dialog box, so this spot is easy to find:
00455DF0 . 52 push edx
00455DF1 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaLenBs>; get the length of the registration code
00455DF7 . 83F8 0A cmp eax, 0A ; check whether the registration code is 10 characters long
00455DFA . 0F84 C3000000 je 00455EC3
…………(error dialog box)
00455EC3 > \BE 01000000 mov esi, 1 ; loop i from 1 to 8 below
00455EC8 > B8 08000000 mov eax, 8 ; for i = 1 to 8
00455ECD . 66:3BF0 cmp si, ax
00455ED0 . 0F8F B9000000 jg 00455F8F
00455ED6 . 8D45 AC lea eax, dword ptr [ebp-54]
00455ED9 . 50 push eax
00455EDA . 0FBFCE movsx ecx, si
00455EDD . 8D55 D0 lea edx, dword ptr [ebp-30]
00455EE0 . 8995 74FFFFFF mov dword ptr [ebp-8C], edx
00455EE6 . 51 push ecx
00455EE7 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00455EED . 52 push edx
00455EEE . 8D45 9C lea eax, dword ptr [ebp-64]
00455EF1 . 50 push eax
00455EF2 . C745 B4 01000>mov dword ptr [ebp-4C], 1
00455EF9 . C745 AC 02000>mov dword ptr [ebp-54], 2
00455F00 . C785 6CFFFFFF>mov dword ptr [ebp-94], 4008
00455F0A . FF15 14114000 call dword ptr [<&MSVBVM60.#632>] ; get the i-th character of the registration code, zhuce[i]
00455F10 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00455F13 . 51 push ecx
00455F14 . 8D55 CC lea edx, dword ptr [ebp-34]
00455F17 . 52 push edx
00455F18 . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00455F1E . 50 push eax
00455F1F . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; data type conversion (string to number)
00455F25 . DD9D 2CFFFFFF fstp qword ptr [ebp-D4]
00455F2B . 0FBFC7 movsx eax, di
00455F2E . 8985 F8FEFFFF mov dword ptr [ebp-108], eax
00455F34 . DB85 F8FEFFFF fild dword ptr [ebp-108]
00455F3A . DD9D F0FEFFFF fstp qword ptr [ebp-110]
00455F40 . DD85 F0FEFFFF fld qword ptr [ebp-110]
00455F46 . DC85 2CFFFFFF fadd qword ptr [ebp-D4] ; NUM = NUM + zhuce[i]
00455F4C . DFE0 fstsw ax
00455F4E . A8 0D test al, 0D
00455F50 . 0F85 B0060000 jnz 00456606
00455F56 . FF15 A4124000 call dword ptr [<&MSVBVM60.__vbaFpI2>>; MSVBVM60.__vbaFpI2
00455F5C . 8D4D CC lea ecx, dword ptr [ebp-34]
00455F5F . 8BF8 mov edi, eax
00455F61 . FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00455F67 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00455F6A . 51 push ecx
00455F6B . 8D55 AC lea edx, dword ptr [ebp-54]
00455F6E . 52 push edx
00455F6F . 6A 02 push 2
00455F71 . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00455F77 . B8 01000000 mov eax, 1
00455F7C . 83C4 0C add esp, 0C
00455F7F . 66:03C6 add ax, si
00455F82 . 0F80 83060000 jo 0045660B
00455F88 . 8BF0 mov esi, eax
00455F8A .^ E9 39FFFFFF jmp 00455EC8 ; end for
00455F8F > B8 02000000 mov eax, 2
00455F94 . 8D4D AC lea ecx, dword ptr [ebp-54]
00455F97 . 51 push ecx
00455F98 . 8945 B4 mov dword ptr [ebp-4C], eax
00455F9B . 8945 AC mov dword ptr [ebp-54], eax
00455F9E . 8D45 D0 lea eax, dword ptr [ebp-30]
00455FA1 . 6A 09 push 9
00455FA3 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00455FA9 . 8985 74FFFFFF mov dword ptr [ebp-8C], eax
00455FAF . 52 push edx
00455FB0 . 8D45 9C lea eax, dword ptr [ebp-64]
00455FB3 . 50 push eax
00455FB4 . C785 6CFFFFFF>mov dword ptr [ebp-94], 4008
00455FBE . FF15 14114000 call dword ptr [<&MSVBVM60.#632>] ; get the last two characters of the registration code, "10"
00455FC4 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00455FC7 . 51 push ecx
00455FC8 . 8D55 CC lea edx, dword ptr [ebp-34]
00455FCB . 52 push edx
00455FCC . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00455FD2 . 50 push eax
00455FD3 . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; convert to the number 10
00455FD9 . DD9D 2CFFFFFF fstp qword ptr [ebp-D4]
00455FDF . 0FBFC7 movsx eax, di
00455FE2 . 8985 ECFEFFFF mov dword ptr [ebp-114], eax
00455FE8 . DB85 ECFEFFFF fild dword ptr [ebp-114]
00455FEE . DD9D E4FEFFFF fstp qword ptr [ebp-11C]
00455FF4 . DD85 2CFFFFFF fld qword ptr [ebp-D4]
00455FFA . FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaFpR8>>; MSVBVM60.__vbaFpR8
00456000 . DC9D E4FEFFFF fcomp qword ptr [ebp-11C]
00456006 . DFE0 fstsw ax
00456008 . F6C4 40 test ah, 40
0045600B . 75 07 jnz short 00456014
0045600D . B8 01000000 mov eax, 1
00456012 . EB 02 jmp short 00456016
00456014 > 33C0 xor eax, eax
00456016 > F7D8 neg eax
00456018 . 8D4D CC lea ecx, dword ptr [ebp-34]
0045601B . 66:8BF0 mov si, ax
0045601E . FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00456024 . 8B3D 40104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
0045602A . 8D4D 9C lea ecx, dword ptr [ebp-64]
0045602D . 51 push ecx
0045602E . 8D55 AC lea edx, dword ptr [ebp-54]
00456031 . 52 push edx
00456032 . 6A 02 push 2
00456034 . FFD7 call edi ; <&MSVBVM60.__vbaFreeVarList>
00456036 . 83C4 0C add esp, 0C
00456039 . 66:85F6 test si, si
0045603C . 0F84 C4000000 je 00456106 ; key jump
VB code is very verbose, so some minor code has been omitted.
Having read this code, the conclusion is:
the registration code consists of 10 digits, and as long as the sum of its first 8 digits equals the number formed by its last two digits, registration succeeds.
Since 9 + 8 + 7 + 6 + 5 + 4 + 3 + 2 = 44,
I entered the registration code 9876543244, and sure enough it registered successfully.
--------------------------------------------------------------------------------
I still felt uneasy: could the code really be unrelated to the machine code? Just as I was thinking this, the system logged off. Sweat~~~
After a rough look through the program code, I found that the registration checks are far too scattered throughout the program. I tried many breakpoints and still could not find all of the checks. In the end I concluded that two calls are worth making use of:
call 004A1220 deletes the registration information
call 0040E5E8 logs off the system
These two calls almost always appear as a pair. Interestingly, before logging off the system, the author always added a function that takes a random value (call it giving you one more chance; whether you "die" depends on your luck).
The log-off call appears 5 times in the program, so I put breakpoints on all of them. Presumably the program has 5 hidden checks, i.e. besides the condition above, the following five conditions must also be satisfied. They are listed one by one below:
--------------------------------------------------------------------------------
Condition one:
…………(first some code that takes a random number and computes on it, then decides from the result whether to run the check; it amounts to drawing lots. If you want to know how the check works, you should patch the jump so that you are "drawn" every time)
0049ECE0 . /0F85 D2030000 jnz 0049F0B8 ; random jump deciding the check (condition one)
0049ECE6 . |8B15 9C104E00 mov edx, dword ptr [4E109C]
0049ECEC . |8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0049ECF2 . |8D4D B8 lea ecx, dword ptr [ebp-48]
0049ECF5 . |FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0049ECF7 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049ECFD . |50 push eax
0049ECFE . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049ED01 . |8D55 B8 lea edx, dword ptr [ebp-48]
0049ED04 . |51 push ecx
0049ED05 . |8995 50FFFFFF mov dword ptr [ebp-B0], edx
0049ED0B . |C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
0049ED15 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049ED1B . |8D55 88 lea edx, dword ptr [ebp-78]
0049ED1E . |52 push edx
0049ED1F . |8D45 AC lea eax, dword ptr [ebp-54]
0049ED22 . |50 push eax
0049ED23 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0049ED29 . |50 push eax
0049ED2A . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; get the registration code as a number: 9876543244
0049ED30 . |833D 00104E00>cmp dword ptr [4E1000], 0 ; registration code is not 0, continue checking
0049ED37 . |75 08 jnz short 0049ED41
0049ED39 . |DC35 38214000 fdiv qword ptr [402138] ; 9876543244 / 10000
0049ED3F . |EB 11 jmp short 0049ED52
0049ED41 > |FF35 3C214000 push dword ptr [40213C]
0049ED47 . |FF35 38214000 push dword ptr [402138]
0049ED4D . |E8 1245F6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049ED52 > |DFE0 fstsw ax
0049ED54 . |A8 0D test al, 0D
0049ED56 . |0F85 F2030000 jnz 0049F14E
0049ED5C . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 10000 truncated to 987654
0049ED62 . |DD5D B0 fstp qword ptr [ebp-50]
0049ED65 . |8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
0049ED6B . |8D4D AC lea ecx, dword ptr [ebp-54]
0049ED6E . |FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
0049ED70 . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049ED73 . |FFD3 call ebx
0049ED75 . |DD45 B0 fld qword ptr [ebp-50]
0049ED78 . |833D 00104E00>cmp dword ptr [4E1000], 0
0049ED7F . |75 08 jnz short 0049ED89
0049ED81 . |DC35 48154000 fdiv qword ptr [401548] ; 987654 / 100
0049ED87 . |EB 11 jmp short 0049ED9A
0049ED89 > |FF35 4C154000 push dword ptr [40154C]
0049ED8F . |FF35 48154000 push dword ptr [401548]
0049ED95 . |E8 CA44F6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049ED9A > |DFE0 fstsw ax
0049ED9C . |A8 0D test al, 0D
0049ED9E . |0F85 AA030000 jnz 0049F14E
0049EDA4 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 987654 / 100 truncated to 9876
0049EDAA . |DC0D 48154000 fmul qword ptr [401548] ; 9876 * 100 = 987600
0049EDB0 . |DC6D B0 fsubr qword ptr [ebp-50] ; 987654 - 987600 = 54
0049EDB3 . |DD5D B0 fstp qword ptr [ebp-50] ; in short, the code above extracts digits 5 and 6 of the registration code
0049EDB6 . |DFE0 fstsw ax
0049EDB8 . |A8 0D test al, 0D
0049EDBA . |0F85 8E030000 jnz 0049F14E
0049EDC0 . |E8 FBA50100 call 004B93C0 ; returns "68"; no need to trace in, it should be part of the machine code
0049EDC5 . |8BD0 mov edx, eax
0049EDC7 . |8D4D AC lea ecx, dword ptr [ebp-54]
0049EDCA . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049EDD0 . |50 push eax
0049EDD1 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049EDD7 . |DC0D F0144000 fmul qword ptr [4014F0] ; 68 * 12 = 816
0049EDDD . |8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049EDE3 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049EDE6 . |DC05 E8214000 fadd qword ptr [4021E8] ; 816 + 121 = 937
0049EDEC . |C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0049EDF6 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049EDFC . |DFE0 fstsw ax
0049EDFE . |A8 0D test al, 0D
0049EE00 . |0F85 48030000 jnz 0049F14E
0049EE06 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049EE0C . |8D4D AC lea ecx, dword ptr [ebp-54]
0049EE0F . |FFD7 call edi
0049EE11 . |E8 AAA50100 call 004B93C0
0049EE16 . |8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarMove
0049EE1C . |8D55 88 lea edx, dword ptr [ebp-78]
0049EE1F . |8D4D CC lea ecx, dword ptr [ebp-34]
0049EE22 . |8945 90 mov dword ptr [ebp-70], eax
0049EE25 . |C745 88 08000>mov dword ptr [ebp-78], 8
0049EE2C . |FFD7 call edi ; <&MSVBVM60.__vbaVarMove>
0049EE2E . |B9 02000000 mov ecx, 2
0049EE33 . |898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0049EE39 . |898D 38FFFFFF mov dword ptr [ebp-C8], ecx
0049EE3F . |B8 64000000 mov eax, 64
0049EE44 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049EE47 . |51 push ecx
0049EE48 . |8D55 DC lea edx, dword ptr [ebp-24]
0049EE4B . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049EE51 . |8985 40FFFFFF mov dword ptr [ebp-C0], eax
0049EE57 . |52 push edx
0049EE58 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049EE5E . |50 push eax
0049EE5F . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049EE62 . |51 push ecx
0049EE63 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 937 / 100
0049EE69 . |50 push eax
0049EE6A . |8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0049EE70 . |52 push edx
0049EE71 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; truncate = 9
0049EE77 . |50 push eax
0049EE78 . |8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
0049EE7E . |50 push eax
0049EE7F . |8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049EE85 . |51 push ecx
0049EE86 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 9 * 100 = 900
0049EE8C . |50 push eax
0049EE8D . |8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0049EE93 . |52 push edx
0049EE94 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 937 - 900 = 37
0049EE9A . |8BD0 mov edx, eax
0049EE9C . |8D4D DC lea ecx, dword ptr [ebp-24]
0049EE9F . |FFD7 call edi ; <&MSVBVM60.__vbaVarMove>
0049EEA1 . |8B45 B0 mov eax, dword ptr [ebp-50]
0049EEA4 . |8B4D B4 mov ecx, dword ptr [ebp-4C]
0049EEA7 . |8D55 DC lea edx, dword ptr [ebp-24]
0049EEAA . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049EEB0 . |52 push edx
0049EEB1 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049EEB7 . |50 push eax
0049EEB8 . |898D 54FFFFFF mov dword ptr [ebp-AC], ecx
0049EEBE . |C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
0049EEC8 . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 37 is not equal to 54, registration fails
0049EECE . |66:85C0 test ax, ax
0049EED1 . |0F84 DF010000 je 0049F0B6 ; key jump of condition one
VB code really is verbose; in short:
take two digits of the machine code, compute * 12 + 121, and use the last two digits of the result as digits 5 and 6 of the registration code.
My machine code is: 39945-68655
Taking 68 from the machine code, 68 * 12 + 121 = 937, so digits 5 and 6 of my registration code are 37.
--------------------------------------------------------------------------------
Condition two:
…………(again, first some code that takes a random number and computes on it)
0049F3B0 . /0F85 B9030000 jnz 0049F76F ; random jump past the check (condition two)
0049F3B6 . |8B15 9C104E00 mov edx, dword ptr [4E109C]
0049F3BC . |8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0049F3C2 . |8D4D B8 lea ecx, dword ptr [ebp-48]
0049F3C5 . |FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0049F3C7 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049F3CD . |50 push eax
0049F3CE . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049F3D1 . |8D55 B8 lea edx, dword ptr [ebp-48]
0049F3D4 . |51 push ecx
0049F3D5 . |8995 50FFFFFF mov dword ptr [ebp-B0], edx
0049F3DB . |C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
0049F3E5 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049F3EB . |8D55 88 lea edx, dword ptr [ebp-78]
0049F3EE . |52 push edx
0049F3EF . |8D45 AC lea eax, dword ptr [ebp-54]
0049F3F2 . |50 push eax
0049F3F3 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0049F3F9 . |50 push eax
0049F3FA . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; get the registration code as a number, 9876543244
0049F400 . |833D 00104E00>cmp dword ptr [4E1000], 0 ; registration code is not empty, continue checking
0049F407 . |75 08 jnz short 0049F411
0049F409 . |DC35 10224000 fdiv qword ptr [402210] ; 9876543244 / 1000000
0049F40F . |EB 11 jmp short 0049F422
0049F411 > |FF35 14224000 push dword ptr [402214]
0049F417 . |FF35 10224000 push dword ptr [402210]
0049F41D . |E8 423EF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049F422 > |DFE0 fstsw ax
0049F424 . |A8 0D test al, 0D
0049F426 . |0F85 D9030000 jnz 0049F805
0049F42C . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 1000000 truncated to 9876
0049F432 . |DD5D B0 fstp qword ptr [ebp-50]
0049F435 . |8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
0049F43B . |8D4D AC lea ecx, dword ptr [ebp-54]
0049F43E . |FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
0049F440 . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049F443 . |FFD3 call ebx
0049F445 . |DD45 B0 fld qword ptr [ebp-50]
0049F448 . |833D 00104E00>cmp dword ptr [4E1000], 0
0049F44F . |75 08 jnz short 0049F459
0049F451 . |DC35 48154000 fdiv qword ptr [401548] ; 9876 / 100
0049F457 . |EB 11 jmp short 0049F46A
0049F459 > |FF35 4C154000 push dword ptr [40154C]
0049F45F . |FF35 48154000 push dword ptr [401548]
0049F465 . |E8 FA3DF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049F46A > |DFE0 fstsw ax
0049F46C . |A8 0D test al, 0D
0049F46E . |0F85 91030000 jnz 0049F805
0049F474 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876 / 100 truncated to 98
0049F47A . |DC0D 48154000 fmul qword ptr [401548] ; 98 * 100 = 9800
0049F480 . |DC6D B0 fsubr qword ptr [ebp-50] ; 9876 - 9800 = 76
0049F483 . |DD5D B0 fstp qword ptr [ebp-50] ; the above yields digits 3 and 4 of the registration code, 76
0049F486 . |DFE0 fstsw ax
0049F488 . |A8 0D test al, 0D
0049F48A . |0F85 75030000 jnz 0049F805
0049F490 . |E8 1B930100 call 004B87B0 ; returns "45"; no need to trace in, a glance at the machine code shows it is two of its digits
0049F495 . |8BD0 mov edx, eax
0049F497 . |8D4D AC lea ecx, dword ptr [ebp-54]
0049F49A . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049F4A0 . |50 push eax
0049F4A1 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049F4A7 . |DC0D 18154000 fmul qword ptr [401518] ; 45 * 9 = 405
0049F4AD . |8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049F4B3 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049F4B6 . |DC05 08224000 fadd qword ptr [402208] ; 405 + 535 = 940
0049F4BC . |C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0049F4C6 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049F4CC . |DFE0 fstsw ax
0049F4CE . |A8 0D test al, 0D
0049F4D0 . |0F85 2F030000 jnz 0049F805
0049F4D6 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049F4DC . |8D4D AC lea ecx, dword ptr [ebp-54]
0049F4DF . |FFD7 call edi
0049F4E1 . |B9 02000000 mov ecx, 2
0049F4E6 . |898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0049F4EC . |898D 38FFFFFF mov dword ptr [ebp-C8], ecx
0049F4F2 . |B8 64000000 mov eax, 64
0049F4F7 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049F4FA . |51 push ecx
0049F4FB . |8D55 DC lea edx, dword ptr [ebp-24]
0049F4FE . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049F504 . |8985 40FFFFFF mov dword ptr [ebp-C0], eax
0049F50A . |52 push edx
0049F50B . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049F511 . |50 push eax
0049F512 . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049F515 . |51 push ecx
0049F516 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 940 / 100 = 9.4
0049F51C . |50 push eax
0049F51D . |8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0049F523 . |52 push edx
0049F524 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 9.4 truncated to the integer 9
0049F52A . |50 push eax
0049F52B . |8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
0049F531 . |50 push eax
0049F532 . |8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049F538 . |51 push ecx
0049F539 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 9 * 100 = 900
0049F53F . |50 push eax
0049F540 . |8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0049F546 . |52 push edx
0049F547 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 940 - 900 = 40
0049F54D . |8BD0 mov edx, eax
0049F54F . |8D4D DC lea ecx, dword ptr [ebp-24]
0049F552 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049F558 . |8B45 B0 mov eax, dword ptr [ebp-50]
0049F55B . |8B4D B4 mov ecx, dword ptr [ebp-4C]
0049F55E . |8D55 DC lea edx, dword ptr [ebp-24]
0049F561 . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049F567 . |52 push edx
0049F568 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049F56E . |50 push eax
0049F56F . |898D 54FFFFFF mov dword ptr [ebp-AC], ecx
0049F575 . |C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
0049F57F . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 76 is not equal to 40, so registration fails
0049F585 . |66:85C0 test ax, ax
0049F588 . |0F84 DF010000 je 0049F76D ; key jump of condition two
Conclusion:
take two digits of the machine code, compute * 9 + 535, and use the last two digits of the result as digits 3 and 4 of the registration code.
My machine code is: 39945-68655
Taking 45 from the machine code, 45 * 9 + 535 = 940, so digits 3 and 4 of my registration code are 40.
--------------------------------------------------------------------------------
Condition three:
…………(again, first some code that takes a random number and computes on it)
0049E0DD . /0F85 2A020000 jnz 0049E30D ; random jump past the check (condition three)
0049E0E3 . |8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
0049E0E9 . |52 push edx
0049E0EA . |8D45 A4 lea eax, dword ptr [ebp-5C]
0049E0ED . |50 push eax
0049E0EE . |C785 6CFFFFFF>mov dword ptr [ebp-94], 004E109C ; d{4
0049E0F8 . |C785 64FFFFFF>mov dword ptr [ebp-9C], 4008
0049E102 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049E108 . |33C9 xor ecx, ecx
0049E10A . |66:3935 90104>cmp word ptr [4E1090], si
0049E111 . |8D55 A4 lea edx, dword ptr [ebp-5C]
0049E114 . |0F94C1 sete cl
0049E117 . |52 push edx
0049E118 . |8D45 94 lea eax, dword ptr [ebp-6C]
0049E11B . |50 push eax
0049E11C . |C785 5CFFFFFF>mov dword ptr [ebp-A4], 3
0049E126 . |C785 54FFFFFF>mov dword ptr [ebp-AC], 8002
0049E130 . |C785 44FFFFFF>mov dword ptr [ebp-BC], 0B
0049E13A . |F7D9 neg ecx
0049E13C . |66:898D 4CFFF>mov word ptr [ebp-B4], cx
0049E143 . |FF15 90104000 call dword ptr [<&MSVBVM60.__vbaLenVa>; get the length of the registration code
0049E149 . |50 push eax
0049E14A . |8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
0049E150 . |51 push ecx
0049E151 . |8D55 84 lea edx, dword ptr [ebp-7C]
0049E154 . |52 push edx
0049E155 . |FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarCm>; MSVBVM60.__vbaVarCmpGt
0049E15B . |50 push eax
0049E15C . |8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
0049E162 . |50 push eax
0049E163 . |8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0049E169 . |51 push ecx
0049E16A . |FF15 9C114000 call dword ptr [<&MSVBVM60.__vbaVarAn>; MSVBVM60.__vbaVarAnd
0049E170 . |50 push eax
0049E171 . |FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
0049E177 . |8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
0049E17D . |66:8BF8 mov di, ax
0049E180 . |52 push edx
0049E181 . |8D45 A4 lea eax, dword ptr [ebp-5C]
0049E184 . |50 push eax
0049E185 . |6A 02 push 2
0049E187 . |FF15 40104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0049E18D . |83C4 0C add esp, 0C
0049E190 . |66:3BFE cmp di, si
0049E193 . |0F84 74010000 je 0049E30D
Conclusion:
Nothing else is done here; it only checks the length of the registration code. If a check elsewhere in the program fails and deletes the registration information, this code will catch that too.
--------------------------------------------------------------------------------
There are two more condition checks, but with the program running I waited a long time and it never stopped there, which means conditions four and five are never verified on my computer.
So I set the value of EIP by hand and landed here:
Condition four:
0049E568 > \8D45 88 lea eax, dword ptr [ebp-78] ; condition four:
0049E56B . 50 push eax
0049E56C . C745 90 04000>mov dword ptr [ebp-70], 80020004
0049E573 . C745 88 0A000>mov dword ptr [ebp-78], 0A
0049E57A . FF15 BC104000 call dword ptr [<&MSVBVM60.#594>] ; MSVBVM60.rtcRandomize
0049E580 . 8B1D 28104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVar
0049E586 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E589 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVar>
0049E58B . 8B15 9C104E00 mov edx, dword ptr [4E109C]
0049E591 . 8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0049E597 . 8D4D B8 lea ecx, dword ptr [ebp-48]
0049E59A . FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0049E59C . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049E5A2 . 52 push edx
0049E5A3 . 8D45 88 lea eax, dword ptr [ebp-78]
0049E5A6 . 8D4D B8 lea ecx, dword ptr [ebp-48]
0049E5A9 . 50 push eax
0049E5AA . 898D 50FFFFFF mov dword ptr [ebp-B0], ecx
0049E5B0 . C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
0049E5BA . FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049E5C0 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E5C3 . 51 push ecx
0049E5C4 . 8D55 AC lea edx, dword ptr [ebp-54]
0049E5C7 . 52 push edx
0049E5C8 . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0049E5CE . 50 push eax
0049E5CF . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; get the registration code as a number, 9876543244
0049E5D5 . 833D 00104E00>cmp dword ptr [4E1000], 0 ; check whether the registration code is empty
0049E5DC . 75 08 jnz short 0049E5E6
0049E5DE . DC35 D0214000 fdiv qword ptr [4021D0] ; 9876543244 / 100000000
0049E5E4 . EB 11 jmp short 0049E5F7
0049E5E6 > FF35 D4214000 push dword ptr [4021D4]
0049E5EC . FF35 D0214000 push dword ptr [4021D0]
0049E5F2 . E8 6D4CF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049E5F7 > DFE0 fstsw ax
0049E5F9 . A8 0D test al, 0D
0049E5FB . 0F85 7E040000 jnz 0049EA7F
0049E601 . FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 100000000 truncated to 98
0049E607 . DD5D B0 fstp qword ptr [ebp-50]
0049E60A . 8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
0049E610 . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E613 . FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
0049E615 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E618 . FFD3 call ebx
0049E61A . DD45 B0 fld qword ptr [ebp-50]
0049E61D . 833D 00104E00>cmp dword ptr [4E1000], 0
0049E624 . 75 08 jnz short 0049E62E
0049E626 . DC35 48154000 fdiv qword ptr [401548] ; 98 / 100
0049E62C . EB 11 jmp short 0049E63F
0049E62E > FF35 4C154000 push dword ptr [40154C]
0049E634 . FF35 48154000 push dword ptr [401548]
0049E63A . E8 254CF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049E63F > DFE0 fstsw ax
0049E641 . A8 0D test al, 0D
0049E643 . 0F85 36040000 jnz 0049EA7F
0049E649 . FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 98 / 100 truncated to 0
0049E64F . DC0D 48154000 fmul qword ptr [401548] ; 0 * 100 = 0
0049E655 . DC6D B0 fsubr qword ptr [ebp-50] ; 98 - 0 = 98
0049E658 . DD5D B0 fstp qword ptr [ebp-50] ; having traced the above, this is just extracting digits 1 and 2 of the registration code, 98
0049E65B . DFE0 fstsw ax
0049E65D . A8 0D test al, 0D
0049E65F . 0F85 1A040000 jnz 0049EA7F
0049E665 . 8B5D B0 mov ebx, dword ptr [ebp-50]
0049E668 . 85DB test ebx, ebx
0049E66A . 75 0D jnz short 0049E679
0049E66C . 817D B4 00004>cmp dword ptr [ebp-4C], 404B0000
0049E673 0F84 6E030000 je 0049E9E7
0049E679 > E8 52AA0100 call 004B90D0 ; returns "99"; not traced in, should be two digits of the machine code
0049E67E . 8BD0 mov edx, eax
0049E680 . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E683 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049E689 . 50 push eax
0049E68A . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049E690 . FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaFpR8>>; MSVBVM60.__vbaFpR8
0049E696 . DC1D C8214000 fcomp qword ptr [4021C8] ; check whether these two machine-code digits are "99"
0049E69C . DFE0 fstsw ax
0049E69E . F6C4 40 test ah, 40 ; if they equal 99, jump away and skip condition four
0049E6A1 . 74 07 je short 0049E6AA ; strangely, those two digits of my machine code are exactly "99"
0049E6A3 . B8 01000000 mov eax, 1
0049E6A8 . EB 02 jmp short 0049E6AC
0049E6AA > 33C0 xor eax, eax
0049E6AC > F7D8 neg eax
0049E6AE . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E6B1 . 8985 30FFFFFF mov dword ptr [ebp-D0], eax
0049E6B7 . FFD7 call edi
0049E6B9 . 66:83BD 30FFF>cmp word ptr [ebp-D0], 0
0049E6C1 . 74 44 je short 0049E707
0049E6C3 . 8B45 08 mov eax, dword ptr [ebp+8]
0049E6C6 . 8B08 mov ecx, dword ptr [eax]
0049E6C8 . 50 push eax
0049E6C9 . FF91 F0030000 call dword ptr [ecx+3F0]
0049E6CF . 50 push eax
0049E6D0 . 8D55 98 lea edx, dword ptr [ebp-68]
0049E6D3 . 52 push edx
0049E6D4 . FF15 C4104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0049E6DA . 8BF0 mov esi, eax
0049E6DC . 8B06 mov eax, dword ptr [esi]
0049E6DE . 6A 00 push 0
0049E6E0 . 56 push esi
0049E6E1 . FF50 5C call dword ptr [eax+5C]
0049E6E4 . DBE2 fclex
0049E6E6 . 85C0 test eax, eax
0049E6E8 . 7D 0F jge short 0049E6F9
0049E6EA . 6A 5C push 5C
0049E6EC . 68 38004100 push 00410038
0049E6F1 . 56 push esi
0049E6F2 . 50 push eax
0049E6F3 . FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0049E6F9 > 8D4D 98 lea ecx, dword ptr [ebp-68]
0049E6FC . FF15 24134000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0049E702 . E9 E0020000 jmp 0049E9E7
0049E707 > E8 C4A90100 call 004B90D0
0049E70C . 8BD0 mov edx, eax
0049E70E . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E711 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049E717 . 50 push eax
0049E718 . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049E71E . DC0D C0214000 fmul qword ptr [4021C0] ; 99 * 83 = 8217
0049E724 . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049E72A . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E72D . DC05 B8214000 fadd qword ptr [4021B8] ; 8217 + 737 = 8954
0049E733 . C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0049E73D . DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049E743 . DFE0 fstsw ax
0049E745 . A8 0D test al, 0D
0049E747 . 0F85 32030000 jnz 0049EA7F
0049E74D . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049E753 . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E756 . FFD7 call edi
0049E758 . B9 02000000 mov ecx, 2
0049E75D . 898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0049E763 . 898D 38FFFFFF mov dword ptr [ebp-C8], ecx
0049E769 . B8 64000000 mov eax, 64
0049E76E . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E771 . 51 push ecx
0049E772 . 8D55 DC lea edx, dword ptr [ebp-24]
0049E775 . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049E77B . 8985 40FFFFFF mov dword ptr [ebp-C0], eax
0049E781 . 52 push edx
0049E782 . 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049E788 . 50 push eax
0049E789 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E78C . 51 push ecx
0049E78D . FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 8954 / 100
0049E793 . 50 push eax
0049E794 . 8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0049E79A . 52 push edx
0049E79B . FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 8954 / 100 truncated to 89
0049E7A1 . 50 push eax
0049E7A2 . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
0049E7A8 . 50 push eax
0049E7A9 . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049E7AF . 51 push ecx
0049E7B0 . FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 89 * 100 = 8900
0049E7B6 . 50 push eax
0049E7B7 . 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0049E7BD . 52 push edx
0049E7BE . FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 8954 - 8900 = 54
0049E7C4 . 8BD0 mov edx, eax
0049E7C6 . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E7C9 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049E7CF . 8B45 B4 mov eax, dword ptr [ebp-4C]
0049E7D2 . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E7D5 . 51 push ecx
0049E7D6 . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049E7DC . 52 push edx
0049E7DD . 899D 50FFFFFF mov dword ptr [ebp-B0], ebx
0049E7E3 . 8985 54FFFFFF mov dword ptr [ebp-AC], eax
0049E7E9 . C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
0049E7F3 . FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 54 is not equal to 98, registration fails
0049E7F9 . 66:85C0 test ax, ax
0049E7FC . 0F84 E5010000 je 0049E9E7 ; key jump of condition four
Conclusion:
take two digits of the machine code, compute * 83 + 737, and use the last two digits of the result as digits 1 and 2 of the registration code.
My machine code is: 39945-68655
Taking 99 from the machine code, 99 * 83 + 737 = 8954, so digits 1 and 2 of my registration code are 54.
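The checks recovered so far, reimplemented in Python as an added example (not the program's code), so that every "x is not equal to y" verdict in the listing comments can be re-derived and a candidate code can be tested against all the constraints at once; it also carries the general digit-pair extraction of which each listing shows one instance. The constants for condition five (74, 126, digits 7-8) are read from the listing that follows, whose final comparison is cut off on the page, and the post does not trace which positions of the machine code feed each check, so the values 68, 45, 99 and 65 are passed in directly.

```python
# Added example: a Python model of the registration checks recovered in the post.
# This is not the program's own code; it reproduces the arithmetic shown in the
# listing comments so that each verdict can be re-derived and checked.


def digit_pair(n: int, shift: int) -> int:
    """Two decimal digits of n just above 10**shift, computed as the FPU code does.

    The listing does x = Int(n / 10**shift), then x - Int(x / 100) * 100.
    For 9876543244: shift 4 -> 54 (digits 5-6), shift 6 -> 76 (digits 3-4),
    shift 8 -> 98 (digits 1-2), shift 2 -> 32 (digits 7-8).
    """
    x = n // 10 ** shift
    return x - (x // 100) * 100


def pair_from_machine(mc_pair: int, mul: int, add: int) -> int:
    """Last two digits of mc_pair * mul + add, e.g. 68 * 12 + 121 = 937 -> 37.

    This is all that ties the code to the machine: plain arithmetic on two
    machine-code digits with no secret, so scattering the checks only buys obscurity.
    """
    v = mc_pair * mul + add
    return v - (v // 100) * 100


def checksum_ok(code: str) -> bool:
    """The first gate (00455DF0): exactly 10 digits, sum of the first 8 == last two."""
    if len(code) != 10 or not code.isdigit():
        return False
    return sum(int(c) for c in code[:8]) == int(code[8:])


# Hidden checks: label -> (shift selecting the code digit pair, multiplier, addend).
# shift 4 = digits 5-6, 6 = digits 3-4, 8 = digits 1-2, 2 = digits 7-8.
CONDITIONS = {
    "one": (4, 12, 121),
    "two": (6, 9, 535),
    "four": (8, 83, 737),
    # Constants read from the condition-five listing; its final comparison is
    # cut off on the page, so comparing against digits 7-8 is an assumption.
    "five": (2, 74, 126),
}
# Condition three only re-checks the length, which checksum_ok already covers.


def failed_conditions(code: str, mc_pairs: dict) -> list:
    """Labels of the hidden checks that would reject `code`.

    mc_pairs maps a condition label to the two machine-code digits that check
    reads. The post does not trace which positions of 39945-68655 they come
    from, only the values the calls return (68, 45, 99, 65), so they are passed in.
    """
    n = int(code)
    failed = []
    for label, (shift, mul, add) in CONDITIONS.items():
        mc = mc_pairs[label]
        # 0049E696: when the machine pair read by condition four is 99, the
        # program jumps past that check entirely.
        if label == "four" and mc == 99:
            continue
        if digit_pair(n, shift) != pair_from_machine(mc, mul, add):
            failed.append(label)
    return failed


if __name__ == "__main__":
    # The post's trial code and the pairs its machine returned.
    code, pairs = "9876543244", {"one": 68, "two": 45, "four": 99, "five": 65}
    print("checksum gate:", checksum_ok(code))                      # True
    print("hidden checks failed:", failed_conditions(code, pairs))  # ['one', 'two', 'five']
```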
--------------------------------------------------------------------------------
Condition five:
004C3FEF . /0F85 B9030000 jnz 004C43AE ; random jump past the check (condition five)
004C3FF5 . |8B15 9C104E00 mov edx, dword ptr [4E109C]
004C3FFB . |8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
004C4001 . |8D4D B8 lea ecx, dword ptr [ebp-48]
004C4004 . |FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
004C4006 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004C400C . |50 push eax
004C400D . |8D4D 88 lea ecx, dword ptr [ebp-78]
004C4010 . |8D55 B8 lea edx, dword ptr [ebp-48]
004C4013 . |51 push ecx
004C4014 . |8995 50FFFFFF mov dword ptr [ebp-B0], edx
004C401A . |C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
004C4024 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
004C402A . |8D55 88 lea edx, dword ptr [ebp-78]
004C402D . |52 push edx
004C402E . |8D45 AC lea eax, dword ptr [ebp-54]
004C4031 . |50 push eax
004C4032 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
004C4038 . |50 push eax
004C4039 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; get the registration code as a number, 9876543244
004C403F . |833D 00104E00>cmp dword ptr [4E1000], 0 ; is the registration code empty
004C4046 . |75 08 jnz short 004C4050
004C4048 . |DC35 48154000 fdiv qword ptr [401548] ; 9876543244 / 100
004C404E . |EB 11 jmp short 004C4061
004C4050 > |FF35 4C154000 push dword ptr [40154C]
004C4056 . |FF35 48154000 push dword ptr [401548]
004C405C . |E8 03F2F3FF call <jmp.&MSVBVM60._adj_fdiv_m64>
004C4061 > |DFE0 fstsw ax
004C4063 . |A8 0D test al, 0D
004C4065 . |0F85 D9030000 jnz 004C4444
004C406B . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 100 truncated to 98765432
004C4071 . |DD5D B0 fstp qword ptr [ebp-50]
004C4074 . |8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
004C407A . |8D4D AC lea ecx, dword ptr [ebp-54]
004C407D . |FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
004C407F . |8D4D 88 lea ecx, dword ptr [ebp-78]
004C4082 . |FFD3 call ebx
004C4084 . |DD45 B0 fld qword ptr [ebp-50]
004C4087 . |833D 00104E00>cmp dword ptr [4E1000], 0
004C408E . |75 08 jnz short 004C4098
004C4090 . |DC35 48154000 fdiv qword ptr [401548] ; 98765432 / 100
004C4096 . |EB 11 jmp short 004C40A9
004C4098 > |FF35 4C154000 push dword ptr [40154C]
004C409E . |FF35 48154000 push dword ptr [401548]
004C40A4 . |E8 BBF1F3FF call <jmp.&MSVBVM60._adj_fdiv_m64>
004C40A9 > |DFE0 fstsw ax
004C40AB . |A8 0D test al, 0D
004C40AD . |0F85 91030000 jnz 004C4444
004C40B3 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 98765432 / 100 truncated to 987654
004C40B9 . |DC0D 48154000 fmul qword ptr [401548] ; 987654 * 100 = 98765400
004C40BF . |DC6D B0 fsubr qword ptr [ebp-50] ; 98765432 - 98765400 = 32
004C40C2 . |DD5D B0 fstp qword ptr [ebp-50] ; the above yields digits 7 and 8 of the registration code, 32
004C40C5 . |DFE0 fstsw ax
004C40C7 . |A8 0D test al, 0D
004C40C9 . |0F85 75030000 jnz 004C4444
004C40CF . |E8 3C4BFFFF call 004B8C10 ; returns "65"; not traced in, easy to guess it is two digits of the machine code
004C40D4 . |8BD0 mov edx, eax
004C40D6 . |8D4D AC lea ecx, dword ptr [ebp-54]
004C40D9 . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
004C40DF . |50 push eax
004C40E0 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004C40E6 . |DC0D 101D4000 fmul qword ptr [401D10] ; 65 * 74 = 4810
004C40EC . |8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
004C40F2 . |8D4D DC lea ecx, dword ptr [ebp-24]
004C40F5 . |DC05 482B4000 fadd qword ptr [402B48] ; 4810 + 126 = 4936
004C40FB . |C785 48FFFFFF>mov dword ptr [ebp-B8], 5
004C4105 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
004C410B . |DFE0 fstsw ax
004C410D . |A8 0D test al, 0D
004C410F . |0F85 2F030000 jnz 004C4444
004C4115 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004C411B . |8D4D AC lea ecx, dword ptr [ebp-54]
004C411E . |FFD7 call edi
004C4120 . |B9 02000000 mov ecx, 2
004C4125 . |898D 48FFFFFF mov dword ptr [ebp-B8], ecx
004C412B . |898D 38FFFFFF mov dword ptr [ebp-C8], ecx
004C4131 . |B8 64000000 mov eax, 64
004C4136 . |8D4D DC lea ecx, dword ptr [ebp-24]
004C4139 . |51 push ecx
004C413A . |8D55 DC lea edx, dword ptr [ebp-24]
004C413D . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
004C4143 . |8985 40FFFFFF mov dword ptr [ebp-C0], eax
004C4149 . |52 push edx
004C414A . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004C4150 . |50 push eax
004C4151 . |8D4D 88 lea ecx, dword ptr [ebp-78]
004C4154 . |51 push ecx
004C4155 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 4936 / 100
004C415B . |50 push eax
004C415C . |8D95 78FFFFFF lea edx, dword ptr [ebp-88]
004C4162 . |52 push edx
004C4163 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 4936 / 100, truncated to an integer, gives 49
004C4169 . |50 push eax
004C416A . |8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
004C4170 . |50 push eax
004C4171 . |8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
004C4177 . |51 push ecx
004C4178 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 49 * 100 = 4900
004C417E . |50 push eax
004C417F . |8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
004C4185 . |52 push edx
004C4186 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 4936 - 4900 = 36
004C418C . |8BD0 mov edx, eax
004C418E . |8D4D DC lea ecx, dword ptr [ebp-24]
004C4191 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004C4197 . |8B45 B0 mov eax, dword ptr [ebp-50]
004C419A . |8B4D B4 mov ecx, dword ptr [ebp-4C]
004C419D . |8D55 DC lea edx, dword ptr [ebp-24]
004C41A0 . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
004C41A6 . |52 push edx
004C41A7 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004C41AD . |50 push eax
004C41AE . |898D 54FFFFFF mov dword ptr [ebp-AC], ecx
004C41B4 . |C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
004C41BE . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 36 is not equal to 32, registration fails
004C41C4 . |66:85C0 test ax, ax
004C41C7 . |0F84 DF010000 je 004C43AC ; the key jump of condition five
Conclusion:
Two digits of the machine code * 74 + 126; the last two digits of the result become digits seven and eight of the registration code.
My machine code is: 39945-68655
Taking the 65 from the machine code: 65 * 74 + 126 = 4936, so digits seven and eight of my registration code are 36.
--------------------------------------------------------------------------------
Suggestions for the author:
Since the hidden checks have been scattered across all parts of the program, try not to route every failed check through the same handler function; otherwise that handler becomes a shortcut for locating all of the hidden checks. Also, logging the user out of the system loses whatever data the user has not yet saved, so that approach is not recommended.
--------------------------------------------------------------------------------
Once all the checks have been found, a keygen can be written:
#include <windows.h>
#include <tchar.h>

// Handles of the two edit controls on the keygen dialog (assumed to be globals
// defined elsewhere): hEdit1 holds the machine code typed by the user, hEdit2
// receives the generated registration code.
extern HWND hEdit1, hEdit2;

bool Keygen()
{
    TCHAR cJiqiCode[16], cRegCode[12], cReg5[3];
    int reg1, reg2, reg3, reg4, reg5;
    // Check the machine-code input: 11 characters with a dash in the sixth position
    GetWindowText(hEdit1, cJiqiCode, 16);
    if (lstrlen(cJiqiCode) != 11 || cJiqiCode[5] != '-')
        return false;
    // Apart from the sixth character the machine code is all digits;
    // overwrite the dash so a single loop can check every position
    cJiqiCode[5] = '0';
    for (int i = 0; i < 11; i++) {
        if (cJiqiCode[i] < '0' || cJiqiCode[i] > '9')
            return false;
    }
    // Condition four: digits 1-2 of the registration code
    reg1 = (((cJiqiCode[1] - 0x30) * 10 + (cJiqiCode[2] - 0x30)) * 83 + 737) % 100;
    // Condition two: digits 3-4
    reg2 = (((cJiqiCode[3] - 0x30) * 10 + (cJiqiCode[4] - 0x30)) * 9 + 535) % 100;
    // Condition one: digits 5-6
    reg3 = (((cJiqiCode[6] - 0x30) * 10 + (cJiqiCode[7] - 0x30)) * 12 + 121) % 100;
    // Condition five: digits 7-8
    reg4 = (((cJiqiCode[8] - 0x30) * 10 + (cJiqiCode[9] - 0x30)) * 74 + 126) % 100;
    wsprintf(cRegCode, TEXT("%02d%02d%02d%02d"), reg1, reg2, reg3, reg4);
    // Digits 9-10: the sum of the first eight digits (at most 72, so two digits)
    reg5 = 0;
    for (int i = 0; i < 8; i++)
        reg5 = reg5 + cRegCode[i] - 0x30;
    wsprintf(cReg5, TEXT("%02d"), reg5);
    lstrcat(cRegCode, cReg5);
    SetWindowText(hEdit2, cRegCode);
    return true;
}
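As an added example that is not part of the original post or of the program under analysis: the six checks found above (the length and digit-sum check at the start, plus conditions one through five), assembled into one C verification function beside the matching generator. The function names (verify_regcode, expected_regcode, machine_ok, pair, digit_sum8) are my own. It assumes all five machine-bound conditions are always applied (the program itself runs some of them only at random), and uses the post's machine code 39945-68655 and the code 9876543244 as sample input. Reading the scattered checks as one function shows concretely what the hidden checks exist to catch: a code that passes the digit-sum check but none of the machine-bound conditions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Flags naming the individual checks, in the order the post finds them.
 * Condition three only checks the length, so it is folded into FAIL_FORMAT. */
enum {
    FAIL_FORMAT   = 1 << 0,  /* code not 10 digits, or machine code malformed */
    FAIL_CHECKSUM = 1 << 1,  /* sum of the first 8 digits != last 2 digits */
    FAIL_COND1    = 1 << 2,  /* digits 5-6 != last two of (m[6..7] * 12 + 121) */
    FAIL_COND2    = 1 << 3,  /* digits 3-4 != last two of (m[3..4] *  9 + 535) */
    FAIL_COND4    = 1 << 4,  /* digits 1-2 != last two of (m[1..2] * 83 + 737) */
    FAIL_COND5    = 1 << 5   /* digits 7-8 != last two of (m[8..9] * 74 + 126) */
};

/* Two decimal digits of s starting at index i, read as a number. */
static int pair(const char *s, int i)
{
    return (s[i] - '0') * 10 + (s[i + 1] - '0');
}

/* Machine-code format used in the post: "ddddd-ddddd". */
static int machine_ok(const char *m)
{
    int i;
    if (strlen(m) != 11 || m[5] != '-')
        return 0;
    for (i = 0; i < 11; i++)
        if (i != 5 && !isdigit((unsigned char)m[i]))
            return 0;
    return 1;
}

/* Digit sum of the first eight characters (the program's base check). */
static int digit_sum8(const char *code)
{
    int i, sum = 0;
    for (i = 0; i < 8; i++)
        sum += code[i] - '0';
    return sum;
}

/* 0 when every check passes; otherwise the OR of the failing FAIL_* flags. */
int verify_regcode(const char *machine, const char *code)
{
    int fails = 0, i;

    if (!machine_ok(machine) || strlen(code) != 10)
        return FAIL_FORMAT;
    for (i = 0; i < 10; i++)
        if (!isdigit((unsigned char)code[i]))
            return FAIL_FORMAT;

    if (digit_sum8(code) != pair(code, 8))                    fails |= FAIL_CHECKSUM;
    if (pair(code, 4) != (pair(machine, 6) * 12 + 121) % 100) fails |= FAIL_COND1;
    if (pair(code, 2) != (pair(machine, 3) *  9 + 535) % 100) fails |= FAIL_COND2;
    if (pair(code, 0) != (pair(machine, 1) * 83 + 737) % 100) fails |= FAIL_COND4;
    if (pair(code, 6) != (pair(machine, 8) * 74 + 126) % 100) fails |= FAIL_COND5;
    return fails;
}

/* The one code that satisfies every check for this machine code, or NULL when
 * the machine code is malformed (static buffer, overwritten on each call). */
const char *expected_regcode(const char *machine)
{
    static char out[11];
    if (!machine_ok(machine))
        return NULL;
    snprintf(out, sizeof out, "%02d%02d%02d%02d",
             (pair(machine, 1) * 83 + 737) % 100,   /* condition four -> digits 1-2 */
             (pair(machine, 3) *  9 + 535) % 100,   /* condition two  -> digits 3-4 */
             (pair(machine, 6) * 12 + 121) % 100,   /* condition one  -> digits 5-6 */
             (pair(machine, 8) * 74 + 126) % 100);  /* condition five -> digits 7-8 */
    snprintf(out + 8, 3, "%02d", digit_sum8(out));  /* digits 9-10: digit sum, at most 72 */
    return out;
}

int main(void)
{
    /* Sample values taken from the post: its machine code and the code that
     * passes only the digit-sum check. */
    const char *machine = "39945-68655";
    int fails = verify_regcode(machine, "9876543244");
    printf("9876543244 fails mask 0x%02x (cond1 %d, cond2 %d, cond4 %d, cond5 %d)\n",
           fails, !!(fails & FAIL_COND1), !!(fails & FAIL_COND2),
           !!(fails & FAIL_COND4), !!(fails & FAIL_COND5));
    printf("code for %s: %s\n", machine, expected_regcode(machine));
    return 0;
}
```

Compiled with any C99 compiler, main() reports that 9876543244 fails conditions one, two, four and five while passing the digit-sum check, and prints the code the generator produces for the post's machine code; feeding that code back into verify_regcode returns 0.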
--------------------------------------------------------------------------------
[Copyright notice]: This article was originally written for the Kanxue technical forum (看雪技术论坛); when reposting, please credit the author and keep the article intact. Thank you!
3 August 2008, 22:19:55
【文章作者】: rdsnow[BCG][PYG][D.4s]
【作者邮箱】: [email]rdsnow@163.com[/email]
【作者主页】: http://rdsnow.ys168.com
【作者QQ号】: 83757177
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
终于放假了,好久不碰计算机了,找了个软件操作下,发现真的生疏了许多。一些网友发消息让我看看这个软件,不过我真的很少上QQ。感觉这个软件注册码的形成比较简单,应该说是分段明码的。不过验证也有以下特色:
1、注册码各部分的验证并不放在一处,而是散落在程序中的各个部分
2、有的验证随机进行,有的验证在程序执行莫个操作的时候进行,有的验证跟机器有关(让人感觉就像是奥运会上对运动员进行抽检一样)
如果没有找全所有的验证的代码,容易造成注册码在一些机器上注册成功,而一些电脑上有不能注册成功,就是程序中有暗桩啦。
3、一旦检测到注册码不合格,立即删除机器的注册信息(取消参加奥运会的资格),同时注销你的电脑(无语)
--------------------------------------------------------------------------------
一、注册码输入错误是有对话框的,所以很容易找到这里:
00455DF0 . 52 push edx
00455DF1 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaLenBs>; 取注册码的长度
00455DF7 . 83F8 0A cmp eax, 0A ; 判断注册码的长度是不是等于 10
00455DFA . 0F84 C3000000 je 00455EC3
…………(错误对话框)
00455EC3 > \BE 01000000 mov esi, 1 ; 下面 i 从 1 到 8 循环
00455EC8 > B8 08000000 mov eax, 8 ; for i = 1 to 8
00455ECD . 66:3BF0 cmp si, ax
00455ED0 . 0F8F B9000000 jg 00455F8F
00455ED6 . 8D45 AC lea eax, dword ptr [ebp-54]
00455ED9 . 50 push eax
00455EDA . 0FBFCE movsx ecx, si
00455EDD . 8D55 D0 lea edx, dword ptr [ebp-30]
00455EE0 . 8995 74FFFFFF mov dword ptr [ebp-8C], edx
00455EE6 . 51 push ecx
00455EE7 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00455EED . 52 push edx
00455EEE . 8D45 9C lea eax, dword ptr [ebp-64]
00455EF1 . 50 push eax
00455EF2 . C745 B4 01000>mov dword ptr [ebp-4C], 1
00455EF9 . C745 AC 02000>mov dword ptr [ebp-54], 2
00455F00 . C785 6CFFFFFF>mov dword ptr [ebp-94], 4008
00455F0A . FF15 14114000 call dword ptr [<&MSVBVM60.#632>] ; 取得注册码的第 i 个字符 zhuce[i]
00455F10 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00455F13 . 51 push ecx
00455F14 . 8D55 CC lea edx, dword ptr [ebp-34]
00455F17 . 52 push edx
00455F18 . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00455F1E . 50 push eax
00455F1F . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; 数据类型转换
00455F25 . DD9D 2CFFFFFF fstp qword ptr [ebp-D4]
00455F2B . 0FBFC7 movsx eax, di
00455F2E . 8985 F8FEFFFF mov dword ptr [ebp-108], eax
00455F34 . DB85 F8FEFFFF fild dword ptr [ebp-108]
00455F3A . DD9D F0FEFFFF fstp qword ptr [ebp-110]
00455F40 . DD85 F0FEFFFF fld qword ptr [ebp-110]
00455F46 . DC85 2CFFFFFF fadd qword ptr [ebp-D4] ; NUM = NUM + zhuce[i]
00455F4C . DFE0 fstsw ax
00455F4E . A8 0D test al, 0D
00455F50 . 0F85 B0060000 jnz 00456606
00455F56 . FF15 A4124000 call dword ptr [<&MSVBVM60.__vbaFpI2>>; MSVBVM60.__vbaFpI2
00455F5C . 8D4D CC lea ecx, dword ptr [ebp-34]
00455F5F . 8BF8 mov edi, eax
00455F61 . FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00455F67 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00455F6A . 51 push ecx
00455F6B . 8D55 AC lea edx, dword ptr [ebp-54]
00455F6E . 52 push edx
00455F6F . 6A 02 push 2
00455F71 . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00455F77 . B8 01000000 mov eax, 1
00455F7C . 83C4 0C add esp, 0C
00455F7F . 66:03C6 add ax, si
00455F82 . 0F80 83060000 jo 0045660B
00455F88 . 8BF0 mov esi, eax
00455F8A .^ E9 39FFFFFF jmp 00455EC8 ; end for
00455F8F > B8 02000000 mov eax, 2
00455F94 . 8D4D AC lea ecx, dword ptr [ebp-54]
00455F97 . 51 push ecx
00455F98 . 8945 B4 mov dword ptr [ebp-4C], eax
00455F9B . 8945 AC mov dword ptr [ebp-54], eax
00455F9E . 8D45 D0 lea eax, dword ptr [ebp-30]
00455FA1 . 6A 09 push 9
00455FA3 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00455FA9 . 8985 74FFFFFF mov dword ptr [ebp-8C], eax
00455FAF . 52 push edx
00455FB0 . 8D45 9C lea eax, dword ptr [ebp-64]
00455FB3 . 50 push eax
00455FB4 . C785 6CFFFFFF>mov dword ptr [ebp-94], 4008
00455FBE . FF15 14114000 call dword ptr [<&MSVBVM60.#632>] ; 取得注册码的最后两位 "10"
00455FC4 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00455FC7 . 51 push ecx
00455FC8 . 8D55 CC lea edx, dword ptr [ebp-34]
00455FCB . 52 push edx
00455FCC . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00455FD2 . 50 push eax
00455FD3 . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; 转为数值 10
00455FD9 . DD9D 2CFFFFFF fstp qword ptr [ebp-D4]
00455FDF . 0FBFC7 movsx eax, di
00455FE2 . 8985 ECFEFFFF mov dword ptr [ebp-114], eax
00455FE8 . DB85 ECFEFFFF fild dword ptr [ebp-114]
00455FEE . DD9D E4FEFFFF fstp qword ptr [ebp-11C]
00455FF4 . DD85 2CFFFFFF fld qword ptr [ebp-D4]
00455FFA . FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaFpR8>>; MSVBVM60.__vbaFpR8
00456000 . DC9D E4FEFFFF fcomp qword ptr [ebp-11C]
00456006 . DFE0 fstsw ax
00456008 . F6C4 40 test ah, 40
0045600B . 75 07 jnz short 00456014
0045600D . B8 01000000 mov eax, 1
00456012 . EB 02 jmp short 00456016
00456014 > 33C0 xor eax, eax
00456016 > F7D8 neg eax
00456018 . 8D4D CC lea ecx, dword ptr [ebp-34]
0045601B . 66:8BF0 mov si, ax
0045601E . FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00456024 . 8B3D 40104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
0045602A . 8D4D 9C lea ecx, dword ptr [ebp-64]
0045602D . 51 push ecx
0045602E . 8D55 AC lea edx, dword ptr [ebp-54]
00456031 . 52 push edx
00456032 . 6A 02 push 2
00456034 . FFD7 call edi ; <&MSVBVM60.__vbaFreeVarList>
00456036 . 83C4 0C add esp, 0C
00456039 . 66:85F6 test si, si
0045603C . 0F84 C4000000 je 00456106 ; 关键跳转
VB的代码太啰嗦了,省去一些次要代码,
看了这段代码,结论是:
注册码是有 10 个数字组成,只要注册码的前 8 个数字之和等于最后两个数字,就算注册成功
因为 9 + 8 + 7 + 6 + 5 + 4 + 3 + 2 = 44
所以下面输入注册码:9876543244,果然注册成功。
--------------------------------------------------------------------------------
心里还是不踏实,难道跟机器码无关,正想着,系统注销了。汗~~~
大致看了下程序代码,发现注册验证在程序中太分散了。试了好多断点,都没能找全所有的验证。最后总结了下,发现有两个调用值得利用
call 004A1220 删除注册信息
call 0040E5E8 注销系统
这两个call几乎都是成对出现的,有意思的是在注销系统前,作者都加了取随机值的函数(就算是再给你一次机会吧,死不死看你的人品了)
注销系统的那个调用在程序中出现了 5 次,全都加上断点,估计程序中应该有 5 个暗桩,也就是除了满足上述条件外,还要满足下面五个条件,下面一一列举:
--------------------------------------------------------------------------------
条件一:
…………(先是一些取随机数,并对随机数计算的代码,然后根据计算结果判断是否进行验证,相当于抽签吧,如果你想知道如果验证的,就应该修改下跳转,即能每次都抽中)
0049ECE0 . /0F85 D2030000 jnz 0049F0B8 ; 随机跳去判断(条件一)
0049ECE6 . |8B15 9C104E00 mov edx, dword ptr [4E109C]
0049ECEC . |8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0049ECF2 . |8D4D B8 lea ecx, dword ptr [ebp-48]
0049ECF5 . |FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0049ECF7 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049ECFD . |50 push eax
0049ECFE . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049ED01 . |8D55 B8 lea edx, dword ptr [ebp-48]
0049ED04 . |51 push ecx
0049ED05 . |8995 50FFFFFF mov dword ptr [ebp-B0], edx
0049ED0B . |C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
0049ED15 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049ED1B . |8D55 88 lea edx, dword ptr [ebp-78]
0049ED1E . |52 push edx
0049ED1F . |8D45 AC lea eax, dword ptr [ebp-54]
0049ED22 . |50 push eax
0049ED23 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0049ED29 . |50 push eax
0049ED2A . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; 获取注册码的数值,得到 9876543244
0049ED30 . |833D 00104E00>cmp dword ptr [4E1000], 0 ; 注册码不是 0 ,继续判断
0049ED37 . |75 08 jnz short 0049ED41
0049ED39 . |DC35 38214000 fdiv qword ptr [402138] ; 9876543244 / 10000
0049ED3F . |EB 11 jmp short 0049ED52
0049ED41 > |FF35 3C214000 push dword ptr [40213C]
0049ED47 . |FF35 38214000 push dword ptr [402138]
0049ED4D . |E8 1245F6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049ED52 > |DFE0 fstsw ax
0049ED54 . |A8 0D test al, 0D
0049ED56 . |0F85 F2030000 jnz 0049F14E
0049ED5C . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 10000 取整得 987654
0049ED62 . |DD5D B0 fstp qword ptr [ebp-50]
0049ED65 . |8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
0049ED6B . |8D4D AC lea ecx, dword ptr [ebp-54]
0049ED6E . |FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
0049ED70 . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049ED73 . |FFD3 call ebx
0049ED75 . |DD45 B0 fld qword ptr [ebp-50]
0049ED78 . |833D 00104E00>cmp dword ptr [4E1000], 0
0049ED7F . |75 08 jnz short 0049ED89
0049ED81 . |DC35 48154000 fdiv qword ptr [401548] ; 987654 / 100
0049ED87 . |EB 11 jmp short 0049ED9A
0049ED89 > |FF35 4C154000 push dword ptr [40154C]
0049ED8F . |FF35 48154000 push dword ptr [401548]
0049ED95 . |E8 CA44F6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049ED9A > |DFE0 fstsw ax
0049ED9C . |A8 0D test al, 0D
0049ED9E . |0F85 AA030000 jnz 0049F14E
0049EDA4 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 987654 / 100 结果取整得 9876
0049EDAA . |DC0D 48154000 fmul qword ptr [401548] ; 9876 * 100 = 987600
0049EDB0 . |DC6D B0 fsubr qword ptr [ebp-50] ; 987654 - 987600 = 54
0049EDB3 . |DD5D B0 fstp qword ptr [ebp-50] ; 上面代码简单说就是得注册码的五六两位
0049EDB6 . |DFE0 fstsw ax
0049EDB8 . |A8 0D test al, 0D
0049EDBA . |0F85 8E030000 jnz 0049F14E
0049EDC0 . |E8 FBA50100 call 004B93C0 ; 得到 "68",不必跟进,应该是机器码的一部分
0049EDC5 . |8BD0 mov edx, eax
0049EDC7 . |8D4D AC lea ecx, dword ptr [ebp-54]
0049EDCA . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049EDD0 . |50 push eax
0049EDD1 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049EDD7 . |DC0D F0144000 fmul qword ptr [4014F0] ; 68 * 12 = 816
0049EDDD . |8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049EDE3 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049EDE6 . |DC05 E8214000 fadd qword ptr [4021E8] ; 816 + 121 = 937
0049EDEC . |C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0049EDF6 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049EDFC . |DFE0 fstsw ax
0049EDFE . |A8 0D test al, 0D
0049EE00 . |0F85 48030000 jnz 0049F14E
0049EE06 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049EE0C . |8D4D AC lea ecx, dword ptr [ebp-54]
0049EE0F . |FFD7 call edi
0049EE11 . |E8 AAA50100 call 004B93C0
0049EE16 . |8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarMove
0049EE1C . |8D55 88 lea edx, dword ptr [ebp-78]
0049EE1F . |8D4D CC lea ecx, dword ptr [ebp-34]
0049EE22 . |8945 90 mov dword ptr [ebp-70], eax
0049EE25 . |C745 88 08000>mov dword ptr [ebp-78], 8
0049EE2C . |FFD7 call edi ; <&MSVBVM60.__vbaVarMove>
0049EE2E . |B9 02000000 mov ecx, 2
0049EE33 . |898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0049EE39 . |898D 38FFFFFF mov dword ptr [ebp-C8], ecx
0049EE3F . |B8 64000000 mov eax, 64
0049EE44 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049EE47 . |51 push ecx
0049EE48 . |8D55 DC lea edx, dword ptr [ebp-24]
0049EE4B . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049EE51 . |8985 40FFFFFF mov dword ptr [ebp-C0], eax
0049EE57 . |52 push edx
0049EE58 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049EE5E . |50 push eax
0049EE5F . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049EE62 . |51 push ecx
0049EE63 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 937 / 100
0049EE69 . |50 push eax
0049EE6A . |8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0049EE70 . |52 push edx
0049EE71 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 取整 = 9
0049EE77 . |50 push eax
0049EE78 . |8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
0049EE7E . |50 push eax
0049EE7F . |8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049EE85 . |51 push ecx
0049EE86 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 9 * 100 = 900
0049EE8C . |50 push eax
0049EE8D . |8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0049EE93 . |52 push edx
0049EE94 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 937 - 900 = 37
0049EE9A . |8BD0 mov edx, eax
0049EE9C . |8D4D DC lea ecx, dword ptr [ebp-24]
0049EE9F . |FFD7 call edi ; <&MSVBVM60.__vbaVarMove>
0049EEA1 . |8B45 B0 mov eax, dword ptr [ebp-50]
0049EEA4 . |8B4D B4 mov ecx, dword ptr [ebp-4C]
0049EEA7 . |8D55 DC lea edx, dword ptr [ebp-24]
0049EEAA . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049EEB0 . |52 push edx
0049EEB1 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049EEB7 . |50 push eax
0049EEB8 . |898D 54FFFFFF mov dword ptr [ebp-AC], ecx
0049EEBE . |C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
0049EEC8 . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 37 不等于 54 注册不成功
0049EECE . |66:85C0 test ax, ax
0049EED1 . |0F84 DF010000 je 0049F0B6 ; 条件一的关键跳转
VB代码就是啰嗦,简单说就是:
机器码的其中两位 * 12 + 121 取结果的最后两个数字作为注册码的五六两位
我的机器码是:39945-68655
取机器码中的 68 * 12 + 121 = 937 ,我的注册码的五六两位就是 37
--------------------------------------------------------------------------------
条件二:
…………(仍然先是一些取随机数,并对随机数计算的代码)
0049F3B0 . /0F85 B9030000 jnz 0049F76F ; 随机跳走验证(条件二)
0049F3B6 . |8B15 9C104E00 mov edx, dword ptr [4E109C]
0049F3BC . |8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0049F3C2 . |8D4D B8 lea ecx, dword ptr [ebp-48]
0049F3C5 . |FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0049F3C7 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049F3CD . |50 push eax
0049F3CE . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049F3D1 . |8D55 B8 lea edx, dword ptr [ebp-48]
0049F3D4 . |51 push ecx
0049F3D5 . |8995 50FFFFFF mov dword ptr [ebp-B0], edx
0049F3DB . |C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
0049F3E5 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049F3EB . |8D55 88 lea edx, dword ptr [ebp-78]
0049F3EE . |52 push edx
0049F3EF . |8D45 AC lea eax, dword ptr [ebp-54]
0049F3F2 . |50 push eax
0049F3F3 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0049F3F9 . |50 push eax
0049F3FA . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; 取得注册码的数值 9876543244
0049F400 . |833D 00104E00>cmp dword ptr [4E1000], 0 ; 注册码不空,继续判断
0049F407 . |75 08 jnz short 0049F411
0049F409 . |DC35 10224000 fdiv qword ptr [402210] ; 9876543244 / 1000000
0049F40F . |EB 11 jmp short 0049F422
0049F411 > |FF35 14224000 push dword ptr [402214]
0049F417 . |FF35 10224000 push dword ptr [402210]
0049F41D . |E8 423EF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049F422 > |DFE0 fstsw ax
0049F424 . |A8 0D test al, 0D
0049F426 . |0F85 D9030000 jnz 0049F805
0049F42C . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 98765432 / 1000000 取整得 9876
0049F432 . |DD5D B0 fstp qword ptr [ebp-50]
0049F435 . |8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
0049F43B . |8D4D AC lea ecx, dword ptr [ebp-54]
0049F43E . |FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
0049F440 . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049F443 . |FFD3 call ebx
0049F445 . |DD45 B0 fld qword ptr [ebp-50]
0049F448 . |833D 00104E00>cmp dword ptr [4E1000], 0
0049F44F . |75 08 jnz short 0049F459
0049F451 . |DC35 48154000 fdiv qword ptr [401548] ; 9876 / 100
0049F457 . |EB 11 jmp short 0049F46A
0049F459 > |FF35 4C154000 push dword ptr [40154C]
0049F45F . |FF35 48154000 push dword ptr [401548]
0049F465 . |E8 FA3DF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049F46A > |DFE0 fstsw ax
0049F46C . |A8 0D test al, 0D
0049F46E . |0F85 91030000 jnz 0049F805
0049F474 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876 / 100 取整得 98
0049F47A . |DC0D 48154000 fmul qword ptr [401548] ; 98 * 100 = 9800
0049F480 . |DC6D B0 fsubr qword ptr [ebp-50] ; 9876 - 9800 = 76
0049F483 . |DD5D B0 fstp qword ptr [ebp-50] ; 以上就是得到注册码的第三四位 76
0049F486 . |DFE0 fstsw ax
0049F488 . |A8 0D test al, 0D
0049F48A . |0F85 75030000 jnz 0049F805
0049F490 . |E8 1B930100 call 004B87B0 ; 得到 "45",不必跟进,看看机器码就知道是机器码其中两位
0049F495 . |8BD0 mov edx, eax
0049F497 . |8D4D AC lea ecx, dword ptr [ebp-54]
0049F49A . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049F4A0 . |50 push eax
0049F4A1 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049F4A7 . |DC0D 18154000 fmul qword ptr [401518] ; 45 * 9 = 405
0049F4AD . |8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049F4B3 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049F4B6 . |DC05 08224000 fadd qword ptr [402208] ; 405 + 535 = 940
0049F4BC . |C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0049F4C6 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049F4CC . |DFE0 fstsw ax
0049F4CE . |A8 0D test al, 0D
0049F4D0 . |0F85 2F030000 jnz 0049F805
0049F4D6 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049F4DC . |8D4D AC lea ecx, dword ptr [ebp-54]
0049F4DF . |FFD7 call edi
0049F4E1 . |B9 02000000 mov ecx, 2
0049F4E6 . |898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0049F4EC . |898D 38FFFFFF mov dword ptr [ebp-C8], ecx
0049F4F2 . |B8 64000000 mov eax, 64
0049F4F7 . |8D4D DC lea ecx, dword ptr [ebp-24]
0049F4FA . |51 push ecx
0049F4FB . |8D55 DC lea edx, dword ptr [ebp-24]
0049F4FE . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049F504 . |8985 40FFFFFF mov dword ptr [ebp-C0], eax
0049F50A . |52 push edx
0049F50B . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049F511 . |50 push eax
0049F512 . |8D4D 88 lea ecx, dword ptr [ebp-78]
0049F515 . |51 push ecx
0049F516 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 940 / 100 = 9.4
0049F51C . |50 push eax
0049F51D . |8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0049F523 . |52 push edx
0049F524 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 9.4 取得整数得到 9
0049F52A . |50 push eax
0049F52B . |8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
0049F531 . |50 push eax
0049F532 . |8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049F538 . |51 push ecx
0049F539 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 9 * 100 = 900
0049F53F . |50 push eax
0049F540 . |8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0049F546 . |52 push edx
0049F547 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 940 - 900 = 40
0049F54D . |8BD0 mov edx, eax
0049F54F . |8D4D DC lea ecx, dword ptr [ebp-24]
0049F552 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049F558 . |8B45 B0 mov eax, dword ptr [ebp-50]
0049F55B . |8B4D B4 mov ecx, dword ptr [ebp-4C]
0049F55E . |8D55 DC lea edx, dword ptr [ebp-24]
0049F561 . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049F567 . |52 push edx
0049F568 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049F56E . |50 push eax
0049F56F . |898D 54FFFFFF mov dword ptr [ebp-AC], ecx
0049F575 . |C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
0049F57F . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 76 不等于 40 ,所以注册不成功
0049F585 . |66:85C0 test ax, ax
0049F588 . |0F84 DF010000 je 0049F76D ; 条件二的关键跳转
结论:
机器码的其中两位 * 9 + 535 取结果的最后两个数字作为注册码的三四两位
我的机器码是:39945-68655
取机器码中的 45 * 9 + 535 = 940 ,我的注册码的三四两位就是 40
--------------------------------------------------------------------------------
条件三:
…………(仍然先是一些取随机数,并对随机数计算的代码)
0049E0DD . /0F85 2A020000 jnz 0049E30D ; 随机跳走验证(条件三)
0049E0E3 . |8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
0049E0E9 . |52 push edx
0049E0EA . |8D45 A4 lea eax, dword ptr [ebp-5C]
0049E0ED . |50 push eax
0049E0EE . |C785 6CFFFFFF>mov dword ptr [ebp-94], 004E109C ; d{4
0049E0F8 . |C785 64FFFFFF>mov dword ptr [ebp-9C], 4008
0049E102 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049E108 . |33C9 xor ecx, ecx
0049E10A . |66:3935 90104>cmp word ptr [4E1090], si
0049E111 . |8D55 A4 lea edx, dword ptr [ebp-5C]
0049E114 . |0F94C1 sete cl
0049E117 . |52 push edx
0049E118 . |8D45 94 lea eax, dword ptr [ebp-6C]
0049E11B . |50 push eax
0049E11C . |C785 5CFFFFFF>mov dword ptr [ebp-A4], 3
0049E126 . |C785 54FFFFFF>mov dword ptr [ebp-AC], 8002
0049E130 . |C785 44FFFFFF>mov dword ptr [ebp-BC], 0B
0049E13A . |F7D9 neg ecx
0049E13C . |66:898D 4CFFF>mov word ptr [ebp-B4], cx
0049E143 . |FF15 90104000 call dword ptr [<&MSVBVM60.__vbaLenVa>; 取得注册码的长度
0049E149 . |50 push eax
0049E14A . |8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
0049E150 . |51 push ecx
0049E151 . |8D55 84 lea edx, dword ptr [ebp-7C]
0049E154 . |52 push edx
0049E155 . |FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarCm>; MSVBVM60.__vbaVarCmpGt
0049E15B . |50 push eax
0049E15C . |8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
0049E162 . |50 push eax
0049E163 . |8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0049E169 . |51 push ecx
0049E16A . |FF15 9C114000 call dword ptr [<&MSVBVM60.__vbaVarAn>; MSVBVM60.__vbaVarAnd
0049E170 . |50 push eax
0049E171 . |FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
0049E177 . |8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
0049E17D . |66:8BF8 mov di, ax
0049E180 . |52 push edx
0049E181 . |8D45 A4 lea eax, dword ptr [ebp-5C]
0049E184 . |50 push eax
0049E185 . |6A 02 push 2
0049E187 . |FF15 40104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0049E18D . |83C4 0C add esp, 0C
0049E190 . |66:3BFE cmp di, si
0049E193 . |0F84 74010000 je 0049E30D
结论:
这里什么也没做,就验证下注册码的长度,程序在其他地方检验不通过,删除了注册信息,也会被这段代码检验到
--------------------------------------------------------------------------------
还有两个条件验证,我开着程序,等好久都没停到这里,也就是在我的电脑上并不进行条件四和条件五的沿着验证。
于是,重新定位 eip 的数值,来到这里:
条件四:
0049E568 > \8D45 88 lea eax, dword ptr [ebp-78] ; 条件四:
0049E56B . 50 push eax
0049E56C . C745 90 04000>mov dword ptr [ebp-70], 80020004
0049E573 . C745 88 0A000>mov dword ptr [ebp-78], 0A
0049E57A . FF15 BC104000 call dword ptr [<&MSVBVM60.#594>] ; MSVBVM60.rtcRandomize
0049E580 . 8B1D 28104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVar
0049E586 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E589 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVar>
0049E58B . 8B15 9C104E00 mov edx, dword ptr [4E109C]
0049E591 . 8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0049E597 . 8D4D B8 lea ecx, dword ptr [ebp-48]
0049E59A . FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0049E59C . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049E5A2 . 52 push edx
0049E5A3 . 8D45 88 lea eax, dword ptr [ebp-78]
0049E5A6 . 8D4D B8 lea ecx, dword ptr [ebp-48]
0049E5A9 . 50 push eax
0049E5AA . 898D 50FFFFFF mov dword ptr [ebp-B0], ecx
0049E5B0 . C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
0049E5BA . FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0049E5C0 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E5C3 . 51 push ecx
0049E5C4 . 8D55 AC lea edx, dword ptr [ebp-54]
0049E5C7 . 52 push edx
0049E5C8 . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0049E5CE . 50 push eax
0049E5CF . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; 取得注册码的数值 9876543244
0049E5D5 . 833D 00104E00>cmp dword ptr [4E1000], 0 ; 判断注册码是否为空
0049E5DC . 75 08 jnz short 0049E5E6
0049E5DE . DC35 D0214000 fdiv qword ptr [4021D0] ; 9876543244 / 100000000
0049E5E4 . EB 11 jmp short 0049E5F7
0049E5E6 > FF35 D4214000 push dword ptr [4021D4]
0049E5EC . FF35 D0214000 push dword ptr [4021D0]
0049E5F2 . E8 6D4CF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049E5F7 > DFE0 fstsw ax
0049E5F9 . A8 0D test al, 0D
0049E5FB . 0F85 7E040000 jnz 0049EA7F
0049E601 . FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 100000000 取整得 98
0049E607 . DD5D B0 fstp qword ptr [ebp-50]
0049E60A . 8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
0049E610 . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E613 . FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
0049E615 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E618 . FFD3 call ebx
0049E61A . DD45 B0 fld qword ptr [ebp-50]
0049E61D . 833D 00104E00>cmp dword ptr [4E1000], 0
0049E624 . 75 08 jnz short 0049E62E
0049E626 . DC35 48154000 fdiv qword ptr [401548] ; 98 / 100
0049E62C . EB 11 jmp short 0049E63F
0049E62E > FF35 4C154000 push dword ptr [40154C]
0049E634 . FF35 48154000 push dword ptr [401548]
0049E63A . E8 254CF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049E63F > DFE0 fstsw ax
0049E641 . A8 0D test al, 0D
0049E643 . 0F85 36040000 jnz 0049EA7F
0049E649 . FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 98 / 100 取整得 0
0049E64F . DC0D 48154000 fmul qword ptr [401548] ; 0 * 100 = 0
0049E655 . DC6D B0 fsubr qword ptr [ebp-50] ; 98 -0 = 98
0049E658 . DD5D B0 fstp qword ptr [ebp-50] ; 跟过上面的就知道其实就是得到注册码的一二两位 98
0049E65B . DFE0 fstsw ax
0049E65D . A8 0D test al, 0D
0049E65F . 0F85 1A040000 jnz 0049EA7F
0049E665 . 8B5D B0 mov ebx, dword ptr [ebp-50]
0049E668 . 85DB test ebx, ebx
0049E66A . 75 0D jnz short 0049E679
0049E66C . 817D B4 00004>cmp dword ptr [ebp-4C], 404B0000
0049E673 0F84 6E030000 je 0049E9E7
0049E679 > E8 52AA0100 call 004B90D0 ; 得"99",不跟进,应该就是机器码的其中两位
0049E67E . 8BD0 mov edx, eax
0049E680 . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E683 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049E689 . 50 push eax
0049E68A . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049E690 . FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaFpR8>>; MSVBVM60.__vbaFpR8
0049E696 . DC1D C8214000 fcomp qword ptr [4021C8] ; 判断机器码的这两位是不是"99"
0049E69C . DFE0 fstsw ax
0049E69E . F6C4 40 test ah, 40 ; 如果等于 99,就跳走,不进行条件四的验证
0049E6A1 . 74 07 je short 0049E6AA ; 很奇怪,我的机器码那两位正好是"99"
0049E6A3 . B8 01000000 mov eax, 1
0049E6A8 . EB 02 jmp short 0049E6AC
0049E6AA > 33C0 xor eax, eax
0049E6AC > F7D8 neg eax
0049E6AE . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E6B1 . 8985 30FFFFFF mov dword ptr [ebp-D0], eax
0049E6B7 . FFD7 call edi
0049E6B9 . 66:83BD 30FFF>cmp word ptr [ebp-D0], 0
0049E6C1 . 74 44 je short 0049E707
0049E6C3 . 8B45 08 mov eax, dword ptr [ebp+8]
0049E6C6 . 8B08 mov ecx, dword ptr [eax]
0049E6C8 . 50 push eax
0049E6C9 . FF91 F0030000 call dword ptr [ecx+3F0]
0049E6CF . 50 push eax
0049E6D0 . 8D55 98 lea edx, dword ptr [ebp-68]
0049E6D3 . 52 push edx
0049E6D4 . FF15 C4104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0049E6DA . 8BF0 mov esi, eax
0049E6DC . 8B06 mov eax, dword ptr [esi]
0049E6DE . 6A 00 push 0
0049E6E0 . 56 push esi
0049E6E1 . FF50 5C call dword ptr [eax+5C]
0049E6E4 . DBE2 fclex
0049E6E6 . 85C0 test eax, eax
0049E6E8 . 7D 0F jge short 0049E6F9
0049E6EA . 6A 5C push 5C
0049E6EC . 68 38004100 push 00410038
0049E6F1 . 56 push esi
0049E6F2 . 50 push eax
0049E6F3 . FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0049E6F9 > 8D4D 98 lea ecx, dword ptr [ebp-68]
0049E6FC . FF15 24134000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0049E702 . E9 E0020000 jmp 0049E9E7
0049E707 > E8 C4A90100 call 004B90D0
0049E70C . 8BD0 mov edx, eax
0049E70E . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E711 . FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0049E717 . 50 push eax
0049E718 . FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0049E71E . DC0D C0214000 fmul qword ptr [4021C0] ; 99 * 83 = 8217
0049E724 . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049E72A . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E72D . DC05 B8214000 fadd qword ptr [4021B8] ; 8217 + 737 = 8954
0049E733 . C785 48FFFFFF>mov dword ptr [ebp-B8], 5
0049E73D . DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049E743 . DFE0 fstsw ax
0049E745 . A8 0D test al, 0D
0049E747 . 0F85 32030000 jnz 0049EA7F
0049E74D . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049E753 . 8D4D AC lea ecx, dword ptr [ebp-54]
0049E756 . FFD7 call edi
0049E758 . B9 02000000 mov ecx, 2
0049E75D . 898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0049E763 . 898D 38FFFFFF mov dword ptr [ebp-C8], ecx
0049E769 . B8 64000000 mov eax, 64
0049E76E . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E771 . 51 push ecx
0049E772 . 8D55 DC lea edx, dword ptr [ebp-24]
0049E775 . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
0049E77B . 8985 40FFFFFF mov dword ptr [ebp-C0], eax
0049E781 . 52 push edx
0049E782 . 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
0049E788 . 50 push eax
0049E789 . 8D4D 88 lea ecx, dword ptr [ebp-78]
0049E78C . 51 push ecx
0049E78D . FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 8954 / 100
0049E793 . 50 push eax
0049E794 . 8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0049E79A . 52 push edx
0049E79B . FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 8954 / 100 取整得 89
0049E7A1 . 50 push eax
0049E7A2 . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
0049E7A8 . 50 push eax
0049E7A9 . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049E7AF . 51 push ecx
0049E7B0 . FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 89 * 100 = 8900
0049E7B6 . 50 push eax
0049E7B7 . 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0049E7BD . 52 push edx
0049E7BE . FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 8954 - 8900 = 54
0049E7C4 . 8BD0 mov edx, eax
0049E7C6 . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E7C9 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0049E7CF . 8B45 B4 mov eax, dword ptr [ebp-4C]
0049E7D2 . 8D4D DC lea ecx, dword ptr [ebp-24]
0049E7D5 . 51 push ecx
0049E7D6 . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0049E7DC . 52 push edx
0049E7DD . 899D 50FFFFFF mov dword ptr [ebp-B0], ebx
0049E7E3 . 8985 54FFFFFF mov dword ptr [ebp-AC], eax
0049E7E9 . C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
0049E7F3 . FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 54 != 98, registration fails
0049E7F9 . 66:85C0 test ax, ax
0049E7FC . 0F84 E5010000 je 0049E9E7 ; key jump for condition 4
Conclusion:
Two digits of the machine code * 83 + 737; the last two digits of the result become digits 1 and 2 of the registration code.
My machine code is: 39945-68655
Taking 99 from the machine code: 99 * 83 + 737 = 8954, so digits 1 and 2 of my registration code are 54.
--------------------------------------------------------------------------------
004C3FEF . /0F85 B9030000 jnz 004C43AE ; random skip of the check (condition 5)
004C3FF5 . |8B15 9C104E00 mov edx, dword ptr [4E109C]
004C3FFB . |8B35 50124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
004C4001 . |8D4D B8 lea ecx, dword ptr [ebp-48]
004C4004 . |FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
004C4006 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004C400C . |50 push eax
004C400D . |8D4D 88 lea ecx, dword ptr [ebp-78]
004C4010 . |8D55 B8 lea edx, dword ptr [ebp-48]
004C4013 . |51 push ecx
004C4014 . |8995 50FFFFFF mov dword ptr [ebp-B0], edx
004C401A . |C785 48FFFFFF>mov dword ptr [ebp-B8], 4008
004C4024 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
004C402A . |8D55 88 lea edx, dword ptr [ebp-78]
004C402D . |52 push edx
004C402E . |8D45 AC lea eax, dword ptr [ebp-54]
004C4031 . |50 push eax
004C4032 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
004C4038 . |50 push eax
004C4039 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; get the registration code as a number: 9876543244
004C403F . |833D 00104E00>cmp dword ptr [4E1000], 0 ; is the registration code empty?
004C4046 . |75 08 jnz short 004C4050
004C4048 . |DC35 48154000 fdiv qword ptr [401548] ; 9876543244 / 100
004C404E . |EB 11 jmp short 004C4061
004C4050 > |FF35 4C154000 push dword ptr [40154C]
004C4056 . |FF35 48154000 push dword ptr [401548]
004C405C . |E8 03F2F3FF call <jmp.&MSVBVM60._adj_fdiv_m64>
004C4061 > |DFE0 fstsw ax
004C4063 . |A8 0D test al, 0D
004C4065 . |0F85 D9030000 jnz 004C4444
004C406B . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 9876543244 / 100, truncated to an integer: 98765432
004C4071 . |DD5D B0 fstp qword ptr [ebp-50]
004C4074 . |8B3D 28134000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStr
004C407A . |8D4D AC lea ecx, dword ptr [ebp-54]
004C407D . |FFD7 call edi ; <&MSVBVM60.__vbaFreeStr>
004C407F . |8D4D 88 lea ecx, dword ptr [ebp-78]
004C4082 . |FFD3 call ebx
004C4084 . |DD45 B0 fld qword ptr [ebp-50]
004C4087 . |833D 00104E00>cmp dword ptr [4E1000], 0
004C408E . |75 08 jnz short 004C4098
004C4090 . |DC35 48154000 fdiv qword ptr [401548] ; 98765432 / 100
004C4096 . |EB 11 jmp short 004C40A9
004C4098 > |FF35 4C154000 push dword ptr [40154C]
004C409E . |FF35 48154000 push dword ptr [401548]
004C40A4 . |E8 BBF1F3FF call <jmp.&MSVBVM60._adj_fdiv_m64>
004C40A9 > |DFE0 fstsw ax
004C40AB . |A8 0D test al, 0D
004C40AD . |0F85 91030000 jnz 004C4444
004C40B3 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>; 98765432 / 100, truncated to an integer: 987654
004C40B9 . |DC0D 48154000 fmul qword ptr [401548] ; 987654 * 100 = 98765400
004C40BF . |DC6D B0 fsubr qword ptr [ebp-50] ; 98765432 - 98765400 = 32
004C40C2 . |DD5D B0 fstp qword ptr [ebp-50] ; the above yields digits 7 and 8 of the registration code: 32
004C40C5 . |DFE0 fstsw ax
004C40C7 . |A8 0D test al, 0D
004C40C9 . |0F85 75030000 jnz 004C4444
004C40CF . |E8 3C4BFFFF call 004B8C10 ; returns "65"; not stepping in, it is obviously two digits of the machine code
004C40D4 . |8BD0 mov edx, eax
004C40D6 . |8D4D AC lea ecx, dword ptr [ebp-54]
004C40D9 . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
004C40DF . |50 push eax
004C40E0 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004C40E6 . |DC0D 101D4000 fmul qword ptr [401D10] ; 65 * 74 = 4810
004C40EC . |8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
004C40F2 . |8D4D DC lea ecx, dword ptr [ebp-24]
004C40F5 . |DC05 482B4000 fadd qword ptr [402B48] ; 4810 + 126 = 4936
004C40FB . |C785 48FFFFFF>mov dword ptr [ebp-B8], 5
004C4105 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
004C410B . |DFE0 fstsw ax
004C410D . |A8 0D test al, 0D
004C410F . |0F85 2F030000 jnz 004C4444
004C4115 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004C411B . |8D4D AC lea ecx, dword ptr [ebp-54]
004C411E . |FFD7 call edi
004C4120 . |B9 02000000 mov ecx, 2
004C4125 . |898D 48FFFFFF mov dword ptr [ebp-B8], ecx
004C412B . |898D 38FFFFFF mov dword ptr [ebp-C8], ecx
004C4131 . |B8 64000000 mov eax, 64
004C4136 . |8D4D DC lea ecx, dword ptr [ebp-24]
004C4139 . |51 push ecx
004C413A . |8D55 DC lea edx, dword ptr [ebp-24]
004C413D . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
004C4143 . |8985 40FFFFFF mov dword ptr [ebp-C0], eax
004C4149 . |52 push edx
004C414A . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004C4150 . |50 push eax
004C4151 . |8D4D 88 lea ecx, dword ptr [ebp-78]
004C4154 . |51 push ecx
004C4155 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>; 4936 / 100
004C415B . |50 push eax
004C415C . |8D95 78FFFFFF lea edx, dword ptr [ebp-88]
004C4162 . |52 push edx
004C4163 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>; 4936 / 100 取整得 49
004C4169 . |50 push eax
004C416A . |8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
004C4170 . |50 push eax
004C4171 . |8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
004C4177 . |51 push ecx
004C4178 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; 49 * 100 = 4900
004C417E . |50 push eax
004C417F . |8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
004C4185 . |52 push edx
004C4186 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>; 4936 - 4900 = 36
004C418C . |8BD0 mov edx, eax
004C418E . |8D4D DC lea ecx, dword ptr [ebp-24]
004C4191 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004C4197 . |8B45 B0 mov eax, dword ptr [ebp-50]
004C419A . |8B4D B4 mov ecx, dword ptr [ebp-4C]
004C419D . |8D55 DC lea edx, dword ptr [ebp-24]
004C41A0 . |8985 50FFFFFF mov dword ptr [ebp-B0], eax
004C41A6 . |52 push edx
004C41A7 . |8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004C41AD . |50 push eax
004C41AE . |898D 54FFFFFF mov dword ptr [ebp-AC], ecx
004C41B4 . |C785 48FFFFFF>mov dword ptr [ebp-B8], 8005
004C41BE . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>; 36 != 32, registration fails
004C41C4 . |66:85C0 test ax, ax
004C41C7 . |0F84 DF010000 je 004C43AC ; key jump for condition 5
Conclusion:
Two digits of the machine code * 74 + 126; the last two digits of the result become digits 7 and 8 of the registration code.
My machine code is: 39945-68655
Taking 65 from the machine code: 65 * 74 + 126 = 4936, so digits 7 and 8 of my registration code are 36.
--------------------------------------------------------------------------------
Suggestions for the author:
Since the hidden checks have been scattered across the program, try not to route every failed check through the same handler; otherwise that handler becomes a shortcut for finding the hidden checks. Also, logging the user off will lose some of the user's unsaved data, so that approach is not recommended.
--------------------------------------------------------------------------------
Once all the checks have been found, the keygen can be written:
#include <windows.h>

// Edit controls of the keygen dialog (machine code in, registration code out);
// defined elsewhere in the program, as in the original post
extern HWND hEdit1, hEdit2;

bool Keygen(void)
{
    TCHAR cJiqiCode[16], cRegCode[12], cReg5[3];
    int reg1, reg2, reg3, reg4, reg5;
    int i;

    // Check the machine-code input: 11 characters, the sixth being '-'
    GetWindowText(hEdit1, cJiqiCode, 16);
    if (lstrlen(cJiqiCode) != 11 || cJiqiCode[5] != '-')
        return false;
    // Every position of the machine code except the sixth is a digit;
    // overwrite the '-' with '0' so a single loop can check all positions
    cJiqiCode[5] = '0';
    for (i = 0; i < 11; i++) {
        if (cJiqiCode[i] < '0' || cJiqiCode[i] > '9')
            return false;
    }
    // Each pair of registration-code digits is derived from a pair of
    // machine-code digits: (pair * factor + constant) mod 100
    reg1 = (((cJiqiCode[1] - '0') * 10 + (cJiqiCode[2] - '0')) * 83 + 737) % 100;
    reg2 = (((cJiqiCode[3] - '0') * 10 + (cJiqiCode[4] - '0')) * 9 + 535) % 100;
    reg3 = (((cJiqiCode[6] - '0') * 10 + (cJiqiCode[7] - '0')) * 12 + 121) % 100;
    reg4 = (((cJiqiCode[8] - '0') * 10 + (cJiqiCode[9] - '0')) * 74 + 126) % 100;
    wsprintf(cRegCode, TEXT("%02d%02d%02d%02d"), reg1, reg2, reg3, reg4);
    // Digits 9 and 10 are the digit sum of the first eight (at most 72, fits in cReg5)
    reg5 = 0;
    for (i = 0; i < 8; i++)
        reg5 = reg5 + cRegCode[i] - '0';
    wsprintf(cReg5, TEXT("%02d"), reg5);
    lstrcat(cRegCode, cReg5);
    SetWindowText(hEdit2, cRegCode);
    return true;
}
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!
3 August 2008, 22:19:55