[原创]**阅卷系统 V8.1 寻找暗桩-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]**阅卷系统 V8.1 寻找暗桩

发表于: 2008-8-4 18:24 6176

[原创]**阅卷系统 V8.1 寻找暗桩

wenglingok 活跃值

2008-8-4 18:24

6176

【文章标题】: **阅卷系统 V8.1
【文章作者】: rdsnow[BCG][PYG][D.4s]
【作者邮箱】: [email]rdsnow@163.com[/email]
【作者主页】: http://rdsnow.ys168.com
【作者QQ号】: 83757177
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------

终于放假了，好久不碰计算机了，找了个软件操作下，发现真的生疏了许多。一些网友发消息让我看看这个软件，不过我真的很少上QQ。感觉这个软件注册码的形成比较简单，应该说是分段明码的。不过验证也有以下特色：

1、注册码各部分的验证并不放在一处，而是散落在程序中的各个部分

2、有的验证随机进行，有的验证在程序执行莫个操作的时候进行，有的验证跟机器有关（让人感觉就像是奥运会上对运动员进行抽检一样）

如果没有找全所有的验证的代码，容易造成注册码在一些机器上注册成功，而一些电脑上有不能注册成功，就是程序中有暗桩啦。

3、一旦检测到注册码不合格，立即删除机器的注册信息（取消参加奥运会的资格），同时注销你的电脑（无语）

--------------------------------------------------------------------------------

一、注册码输入错误是有对话框的，所以很容易找到这里：

00455DF0 .  52          push edx
00455DF1 .  FF15 34104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;  取注册码的长度
00455DF7 .  83F8 0A    cmp    eax, 0A                         ;  判断注册码的长度是不是等于 10
00455DFA .  0F84 C3000000 je    00455EC3

…………（错误对话框）

00455EC3 > \BE 01000000 mov    esi, 1                         ;  下面 i 从 1 到 8 循环
00455EC8 >  B8 08000000 mov    eax, 8                         ;  for i = 1 to 8
00455ECD .  66:3BF0    cmp    si, ax
00455ED0 .  0F8F B9000000 jg    00455F8F
00455ED6 .  8D45 AC    lea    eax, dword ptr [ebp-54]
00455ED9 .  50          push eax
00455EDA .  0FBFCE       movsx ecx, si
00455EDD .  8D55 D0    lea    edx, dword ptr [ebp-30]
00455EE0 .  8995 74FFFFFF mov    dword ptr [ebp-8C], edx
00455EE6 .  51          push ecx
00455EE7 .  8D95 6CFFFFFF lea    edx, dword ptr [ebp-94]
00455EED .  52          push edx
00455EEE .  8D45 9C    lea    eax, dword ptr [ebp-64]
00455EF1 .  50          push eax
00455EF2 .  C745 B4 01000>mov    dword ptr [ebp-4C], 1
00455EF9 .  C745 AC 02000>mov    dword ptr [ebp-54], 2
00455F00 .  C785 6CFFFFFF>mov    dword ptr [ebp-94], 4008
00455F0A .  FF15 14114000 call dword ptr [<&MSVBVM60.#632>]    ;  取得注册码的第 i 个字符 zhuce[i]
00455F10 .  8D4D 9C    lea    ecx, dword ptr [ebp-64]
00455F13 .  51          push ecx
00455F14 .  8D55 CC    lea    edx, dword ptr [ebp-34]
00455F17 .  52          push edx
00455F18 .  FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarVal
00455F1E .  50          push eax
00455F1F .  FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  数据类型转换
00455F25 .  DD9D 2CFFFFFF fstp qword ptr [ebp-D4]
00455F2B .  0FBFC7       movsx eax, di
00455F2E .  8985 F8FEFFFF mov    dword ptr [ebp-108], eax
00455F34 .  DB85 F8FEFFFF fild dword ptr [ebp-108]
00455F3A .  DD9D F0FEFFFF fstp qword ptr [ebp-110]
00455F40 .  DD85 F0FEFFFF fld    qword ptr [ebp-110]
00455F46 .  DC85 2CFFFFFF fadd qword ptr [ebp-D4]             ;  NUM = NUM + zhuce[i]
00455F4C .  DFE0       fstsw ax
00455F4E .  A8 0D       test al, 0D
00455F50 .  0F85 B0060000 jnz    00456606
00455F56 .  FF15 A4124000 call dword ptr [<&MSVBVM60.__vbaFpI2>>;  MSVBVM60.__vbaFpI2
00455F5C .  8D4D CC    lea    ecx, dword ptr [ebp-34]
00455F5F .  8BF8       mov    edi, eax
00455F61 .  FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00455F67 .  8D4D 9C    lea    ecx, dword ptr [ebp-64]
00455F6A .  51          push ecx
00455F6B .  8D55 AC    lea    edx, dword ptr [ebp-54]
00455F6E .  52          push edx
00455F6F .  6A 02       push 2
00455F71 .  FF15 40104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
00455F77 .  B8 01000000 mov    eax, 1
00455F7C .  83C4 0C    add    esp, 0C
00455F7F .  66:03C6    add    ax, si
00455F82 .  0F80 83060000 jo    0045660B
00455F88 .  8BF0       mov    esi, eax
00455F8A .^ E9 39FFFFFF jmp    00455EC8                      ;  end for
00455F8F >  B8 02000000 mov    eax, 2
00455F94 .  8D4D AC    lea    ecx, dword ptr [ebp-54]
00455F97 .  51          push ecx
00455F98 .  8945 B4    mov    dword ptr [ebp-4C], eax
00455F9B .  8945 AC    mov    dword ptr [ebp-54], eax
00455F9E .  8D45 D0    lea    eax, dword ptr [ebp-30]
00455FA1 .  6A 09       push 9
00455FA3 .  8D95 6CFFFFFF lea    edx, dword ptr [ebp-94]
00455FA9 .  8985 74FFFFFF mov    dword ptr [ebp-8C], eax
00455FAF .  52          push edx
00455FB0 .  8D45 9C    lea    eax, dword ptr [ebp-64]
00455FB3 .  50          push eax
00455FB4 .  C785 6CFFFFFF>mov    dword ptr [ebp-94], 4008
00455FBE .  FF15 14114000 call dword ptr [<&MSVBVM60.#632>]    ;  取得注册码的最后两位 "10"
00455FC4 .  8D4D 9C    lea    ecx, dword ptr [ebp-64]
00455FC7 .  51          push ecx
00455FC8 .  8D55 CC    lea    edx, dword ptr [ebp-34]
00455FCB .  52          push edx
00455FCC .  FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarVal
00455FD2 .  50          push eax
00455FD3 .  FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  转为数值 10
00455FD9 .  DD9D 2CFFFFFF fstp qword ptr [ebp-D4]
00455FDF .  0FBFC7       movsx eax, di
00455FE2 .  8985 ECFEFFFF mov    dword ptr [ebp-114], eax
00455FE8 .  DB85 ECFEFFFF fild dword ptr [ebp-114]
00455FEE .  DD9D E4FEFFFF fstp qword ptr [ebp-11C]
00455FF4 .  DD85 2CFFFFFF fld    qword ptr [ebp-D4]
00455FFA .  FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaFpR8>>;  MSVBVM60.__vbaFpR8
00456000 .  DC9D E4FEFFFF fcomp qword ptr [ebp-11C]
00456006 .  DFE0       fstsw ax
00456008 .  F6C4 40    test ah, 40
0045600B .  75 07       jnz    short 00456014
0045600D .  B8 01000000 mov    eax, 1
00456012 .  EB 02       jmp    short 00456016
00456014 >  33C0       xor    eax, eax
00456016 >  F7D8       neg    eax
00456018 .  8D4D CC    lea    ecx, dword ptr [ebp-34]
0045601B .  66:8BF0    mov    si, ax
0045601E .  FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00456024 .  8B3D 40104000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaFreeVarList
0045602A .  8D4D 9C    lea    ecx, dword ptr [ebp-64]
0045602D .  51          push ecx
0045602E .  8D55 AC    lea    edx, dword ptr [ebp-54]
00456031 .  52          push edx
00456032 .  6A 02       push 2
00456034 .  FFD7       call edi                            ;  <&MSVBVM60.__vbaFreeVarList>
00456036 .  83C4 0C    add    esp, 0C
00456039 .  66:85F6    test si, si
0045603C .  0F84 C4000000 je    00456106                      ;  关键跳转

VB的代码太啰嗦了，省去一些次要代码，

看了这段代码，结论是：

注册码是有 10 个数字组成，只要注册码的前 8 个数字之和等于最后两个数字，就算注册成功

因为 9 + 8 + 7 + 6 + 5 + 4 + 3 + 2 = 44

所以下面输入注册码：9876543244，果然注册成功。

--------------------------------------------------------------------------------

心里还是不踏实，难道跟机器码无关，正想着，系统注销了。汗~~~

大致看了下程序代码，发现注册验证在程序中太分散了。试了好多断点，都没能找全所有的验证。最后总结了下，发现有两个调用值得利用

call 004A1220 删除注册信息

call 0040E5E8 注销系统

这两个call几乎都是成对出现的，有意思的是在注销系统前，作者都加了取随机值的函数（就算是再给你一次机会吧，死不死看你的人品了）

注销系统的那个调用在程序中出现了 5 次，全都加上断点，估计程序中应该有 5 个暗桩，也就是除了满足上述条件外，还要满足下面五个条件，下面一一列举：

--------------------------------------------------------------------------------

条件一：

…………（先是一些取随机数，并对随机数计算的代码，然后根据计算结果判断是否进行验证，相当于抽签吧，如果你想知道如果验证的，就应该修改下跳转，即能每次都抽中）

0049ECE0 . /0F85 D2030000 jnz    0049F0B8                      ;  随机跳去判断(条件一)
0049ECE6 . |8B15 9C104E00 mov    edx, dword ptr [4E109C]
0049ECEC . |8B35 50124000 mov    esi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaStrCopy
0049ECF2 . |8D4D B8    lea    ecx, dword ptr [ebp-48]
0049ECF5 . |FFD6       call esi                            ;  <&MSVBVM60.__vbaStrCopy>
0049ECF7 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049ECFD . |50          push eax
0049ECFE . |8D4D 88    lea    ecx, dword ptr [ebp-78]
0049ED01 . |8D55 B8    lea    edx, dword ptr [ebp-48]
0049ED04 . |51          push ecx
0049ED05 . |8995 50FFFFFF mov    dword ptr [ebp-B0], edx
0049ED0B . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 4008
0049ED15 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>]    ;  MSVBVM60.rtcTrimVar
0049ED1B . |8D55 88    lea    edx, dword ptr [ebp-78]
0049ED1E . |52          push edx
0049ED1F . |8D45 AC    lea    eax, dword ptr [ebp-54]
0049ED22 . |50          push eax
0049ED23 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarVal
0049ED29 . |50          push eax
0049ED2A . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  获取注册码的数值，得到 9876543244
0049ED30 . |833D 00104E00>cmp    dword ptr [4E1000], 0          ;  注册码不是 0 ，继续判断
0049ED37 . |75 08       jnz    short 0049ED41
0049ED39 . |DC35 38214000 fdiv qword ptr [402138]             ;  9876543244 / 10000
0049ED3F . |EB 11       jmp    short 0049ED52
0049ED41 > |FF35 3C214000 push dword ptr [40213C]
0049ED47 . |FF35 38214000 push dword ptr [402138]
0049ED4D . |E8 1245F6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049ED52 > |DFE0       fstsw ax
0049ED54 . |A8 0D       test al, 0D
0049ED56 . |0F85 F2030000 jnz    0049F14E
0049ED5C . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  9876543244 / 10000 取整得 987654
0049ED62 . |DD5D B0    fstp qword ptr [ebp-50]
0049ED65 . |8B3D 28134000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaFreeStr
0049ED6B . |8D4D AC    lea    ecx, dword ptr [ebp-54]
0049ED6E . |FFD7       call edi                            ;  <&MSVBVM60.__vbaFreeStr>
0049ED70 . |8D4D 88    lea    ecx, dword ptr [ebp-78]
0049ED73 . |FFD3       call ebx
0049ED75 . |DD45 B0    fld    qword ptr [ebp-50]
0049ED78 . |833D 00104E00>cmp    dword ptr [4E1000], 0
0049ED7F . |75 08       jnz    short 0049ED89
0049ED81 . |DC35 48154000 fdiv qword ptr [401548]             ;  987654 / 100
0049ED87 . |EB 11       jmp    short 0049ED9A
0049ED89 > |FF35 4C154000 push dword ptr [40154C]
0049ED8F . |FF35 48154000 push dword ptr [401548]
0049ED95 . |E8 CA44F6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049ED9A > |DFE0       fstsw ax
0049ED9C . |A8 0D       test al, 0D
0049ED9E . |0F85 AA030000 jnz    0049F14E
0049EDA4 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  987654 / 100 结果取整得  9876
0049EDAA . |DC0D 48154000 fmul qword ptr [401548]             ;  9876 * 100 = 987600
0049EDB0 . |DC6D B0    fsubr qword ptr [ebp-50]             ;  987654 - 987600 = 54
0049EDB3 . |DD5D B0    fstp qword ptr [ebp-50]             ;  上面代码简单说就是得注册码的五六两位
0049EDB6 . |DFE0       fstsw ax
0049EDB8 . |A8 0D       test al, 0D
0049EDBA . |0F85 8E030000 jnz    0049F14E
0049EDC0 . |E8 FBA50100 call 004B93C0                      ;  得到 "68"，不必跟进，应该是机器码的一部分
0049EDC5 . |8BD0       mov    edx, eax
0049EDC7 . |8D4D AC    lea    ecx, dword ptr [ebp-54]
0049EDCA . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0049EDD0 . |50          push eax
0049EDD1 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  MSVBVM60.rtcR8ValFromBstr
0049EDD7 . |DC0D F0144000 fmul qword ptr [4014F0]             ;  68 * 12 = 816
0049EDDD . |8D95 48FFFFFF lea    edx, dword ptr [ebp-B8]
0049EDE3 . |8D4D DC    lea    ecx, dword ptr [ebp-24]
0049EDE6 . |DC05 E8214000 fadd qword ptr [4021E8]             ;  816 + 121 = 937
0049EDEC . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 5
0049EDF6 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049EDFC . |DFE0       fstsw ax
0049EDFE . |A8 0D       test al, 0D
0049EE00 . |0F85 48030000 jnz    0049F14E
0049EE06 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
0049EE0C . |8D4D AC    lea    ecx, dword ptr [ebp-54]
0049EE0F . |FFD7       call edi
0049EE11 . |E8 AAA50100 call 004B93C0
0049EE16 . |8B3D 1C104000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaVarMove
0049EE1C . |8D55 88    lea    edx, dword ptr [ebp-78]
0049EE1F . |8D4D CC    lea    ecx, dword ptr [ebp-34]
0049EE22 . |8945 90    mov    dword ptr [ebp-70], eax
0049EE25 . |C745 88 08000>mov    dword ptr [ebp-78], 8
0049EE2C . |FFD7       call edi                            ;  <&MSVBVM60.__vbaVarMove>
0049EE2E . |B9 02000000 mov    ecx, 2
0049EE33 . |898D 48FFFFFF mov    dword ptr [ebp-B8], ecx
0049EE39 . |898D 38FFFFFF mov    dword ptr [ebp-C8], ecx
0049EE3F . |B8 64000000 mov    eax, 64
0049EE44 . |8D4D DC    lea    ecx, dword ptr [ebp-24]
0049EE47 . |51          push ecx
0049EE48 . |8D55 DC    lea    edx, dword ptr [ebp-24]
0049EE4B . |8985 50FFFFFF mov    dword ptr [ebp-B0], eax
0049EE51 . |8985 40FFFFFF mov    dword ptr [ebp-C0], eax
0049EE57 . |52          push edx
0049EE58 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049EE5E . |50          push eax
0049EE5F . |8D4D 88    lea    ecx, dword ptr [ebp-78]
0049EE62 . |51          push ecx
0049EE63 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>;  937 / 100
0049EE69 . |50          push eax
0049EE6A . |8D95 78FFFFFF lea    edx, dword ptr [ebp-88]
0049EE70 . |52          push edx
0049EE71 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>;  取整 = 9
0049EE77 . |50          push eax
0049EE78 . |8D85 38FFFFFF lea    eax, dword ptr [ebp-C8]
0049EE7E . |50          push eax
0049EE7F . |8D8D 68FFFFFF lea    ecx, dword ptr [ebp-98]
0049EE85 . |51          push ecx
0049EE86 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>;  9 * 100 = 900
0049EE8C . |50          push eax
0049EE8D . |8D95 58FFFFFF lea    edx, dword ptr [ebp-A8]
0049EE93 . |52          push edx
0049EE94 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>;  937 - 900 = 37
0049EE9A . |8BD0       mov    edx, eax
0049EE9C . |8D4D DC    lea    ecx, dword ptr [ebp-24]
0049EE9F . |FFD7       call edi                            ;  <&MSVBVM60.__vbaVarMove>
0049EEA1 . |8B45 B0    mov    eax, dword ptr [ebp-50]
0049EEA4 . |8B4D B4    mov    ecx, dword ptr [ebp-4C]
0049EEA7 . |8D55 DC    lea    edx, dword ptr [ebp-24]
0049EEAA . |8985 50FFFFFF mov    dword ptr [ebp-B0], eax
0049EEB0 . |52          push edx
0049EEB1 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049EEB7 . |50          push eax
0049EEB8 . |898D 54FFFFFF mov    dword ptr [ebp-AC], ecx
0049EEBE . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 8005
0049EEC8 . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>;  37 不等于 54 注册不成功
0049EECE . |66:85C0    test ax, ax
0049EED1 . |0F84 DF010000 je    0049F0B6                      ;  条件一的关键跳转

VB代码就是啰嗦，简单说就是：

机器码的其中两位 * 12 + 121 取结果的最后两个数字作为注册码的五六两位

我的机器码是：39945-68655

取机器码中的 68 * 12 + 121 = 937 ，我的注册码的五六两位就是 37

--------------------------------------------------------------------------------

条件二：

…………（仍然先是一些取随机数，并对随机数计算的代码）

0049F3B0 . /0F85 B9030000 jnz    0049F76F                      ;  随机跳走验证（条件二）
0049F3B6 . |8B15 9C104E00 mov    edx, dword ptr [4E109C]
0049F3BC . |8B35 50124000 mov    esi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaStrCopy
0049F3C2 . |8D4D B8    lea    ecx, dword ptr [ebp-48]
0049F3C5 . |FFD6       call esi                            ;  <&MSVBVM60.__vbaStrCopy>
0049F3C7 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049F3CD . |50          push eax
0049F3CE . |8D4D 88    lea    ecx, dword ptr [ebp-78]
0049F3D1 . |8D55 B8    lea    edx, dword ptr [ebp-48]
0049F3D4 . |51          push ecx
0049F3D5 . |8995 50FFFFFF mov    dword ptr [ebp-B0], edx
0049F3DB . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 4008
0049F3E5 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>]    ;  MSVBVM60.rtcTrimVar
0049F3EB . |8D55 88    lea    edx, dword ptr [ebp-78]
0049F3EE . |52          push edx
0049F3EF . |8D45 AC    lea    eax, dword ptr [ebp-54]
0049F3F2 . |50          push eax
0049F3F3 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarVal
0049F3F9 . |50          push eax
0049F3FA . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  取得注册码的数值 9876543244
0049F400 . |833D 00104E00>cmp    dword ptr [4E1000], 0          ;  注册码不空，继续判断
0049F407 . |75 08       jnz    short 0049F411
0049F409 . |DC35 10224000 fdiv qword ptr [402210]             ;  9876543244 / 1000000
0049F40F . |EB 11       jmp    short 0049F422
0049F411 > |FF35 14224000 push dword ptr [402214]
0049F417 . |FF35 10224000 push dword ptr [402210]
0049F41D . |E8 423EF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049F422 > |DFE0       fstsw ax
0049F424 . |A8 0D       test al, 0D
0049F426 . |0F85 D9030000 jnz    0049F805
0049F42C . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  98765432 / 1000000 取整得 9876
0049F432 . |DD5D B0    fstp qword ptr [ebp-50]
0049F435 . |8B3D 28134000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaFreeStr
0049F43B . |8D4D AC    lea    ecx, dword ptr [ebp-54]
0049F43E . |FFD7       call edi                            ;  <&MSVBVM60.__vbaFreeStr>
0049F440 . |8D4D 88    lea    ecx, dword ptr [ebp-78]
0049F443 . |FFD3       call ebx
0049F445 . |DD45 B0    fld    qword ptr [ebp-50]
0049F448 . |833D 00104E00>cmp    dword ptr [4E1000], 0
0049F44F . |75 08       jnz    short 0049F459
0049F451 . |DC35 48154000 fdiv qword ptr [401548]             ;  9876 / 100
0049F457 . |EB 11       jmp    short 0049F46A
0049F459 > |FF35 4C154000 push dword ptr [40154C]
0049F45F . |FF35 48154000 push dword ptr [401548]
0049F465 . |E8 FA3DF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049F46A > |DFE0       fstsw ax
0049F46C . |A8 0D       test al, 0D
0049F46E . |0F85 91030000 jnz    0049F805
0049F474 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  9876 / 100 取整得 98
0049F47A . |DC0D 48154000 fmul qword ptr [401548]             ;  98 * 100 = 9800
0049F480 . |DC6D B0    fsubr qword ptr [ebp-50]             ;  9876 - 9800 = 76
0049F483 . |DD5D B0    fstp qword ptr [ebp-50]             ;  以上就是得到注册码的第三四位 76
0049F486 . |DFE0       fstsw ax
0049F488 . |A8 0D       test al, 0D
0049F48A . |0F85 75030000 jnz    0049F805
0049F490 . |E8 1B930100 call 004B87B0                      ;  得到 "45",不必跟进，看看机器码就知道是机器码其中两位
0049F495 . |8BD0       mov    edx, eax
0049F497 . |8D4D AC    lea    ecx, dword ptr [ebp-54]
0049F49A . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0049F4A0 . |50          push eax
0049F4A1 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  MSVBVM60.rtcR8ValFromBstr
0049F4A7 . |DC0D 18154000 fmul qword ptr [401518]             ;  45 * 9 = 405
0049F4AD . |8D95 48FFFFFF lea    edx, dword ptr [ebp-B8]
0049F4B3 . |8D4D DC    lea    ecx, dword ptr [ebp-24]
0049F4B6 . |DC05 08224000 fadd qword ptr [402208]             ;  405 + 535 = 940
0049F4BC . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 5
0049F4C6 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049F4CC . |DFE0       fstsw ax
0049F4CE . |A8 0D       test al, 0D
0049F4D0 . |0F85 2F030000 jnz    0049F805
0049F4D6 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
0049F4DC . |8D4D AC    lea    ecx, dword ptr [ebp-54]
0049F4DF . |FFD7       call edi
0049F4E1 . |B9 02000000 mov    ecx, 2
0049F4E6 . |898D 48FFFFFF mov    dword ptr [ebp-B8], ecx
0049F4EC . |898D 38FFFFFF mov    dword ptr [ebp-C8], ecx
0049F4F2 . |B8 64000000 mov    eax, 64
0049F4F7 . |8D4D DC    lea    ecx, dword ptr [ebp-24]
0049F4FA . |51          push ecx
0049F4FB . |8D55 DC    lea    edx, dword ptr [ebp-24]
0049F4FE . |8985 50FFFFFF mov    dword ptr [ebp-B0], eax
0049F504 . |8985 40FFFFFF mov    dword ptr [ebp-C0], eax
0049F50A . |52          push edx
0049F50B . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049F511 . |50          push eax
0049F512 . |8D4D 88    lea    ecx, dword ptr [ebp-78]
0049F515 . |51          push ecx
0049F516 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>;  940 / 100 = 9.4
0049F51C . |50          push eax
0049F51D . |8D95 78FFFFFF lea    edx, dword ptr [ebp-88]
0049F523 . |52          push edx
0049F524 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>;  9.4 取得整数得到 9
0049F52A . |50          push eax
0049F52B . |8D85 38FFFFFF lea    eax, dword ptr [ebp-C8]
0049F531 . |50          push eax
0049F532 . |8D8D 68FFFFFF lea    ecx, dword ptr [ebp-98]
0049F538 . |51          push ecx
0049F539 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>;  9 * 100 = 900
0049F53F . |50          push eax
0049F540 . |8D95 58FFFFFF lea    edx, dword ptr [ebp-A8]
0049F546 . |52          push edx
0049F547 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>;  940 - 900 = 40
0049F54D . |8BD0       mov    edx, eax
0049F54F . |8D4D DC    lea    ecx, dword ptr [ebp-24]
0049F552 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
0049F558 . |8B45 B0    mov    eax, dword ptr [ebp-50]
0049F55B . |8B4D B4    mov    ecx, dword ptr [ebp-4C]
0049F55E . |8D55 DC    lea    edx, dword ptr [ebp-24]
0049F561 . |8985 50FFFFFF mov    dword ptr [ebp-B0], eax
0049F567 . |52          push edx
0049F568 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049F56E . |50          push eax
0049F56F . |898D 54FFFFFF mov    dword ptr [ebp-AC], ecx
0049F575 . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 8005
0049F57F . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>;  76 不等于 40 ，所以注册不成功
0049F585 . |66:85C0    test ax, ax
0049F588 . |0F84 DF010000 je    0049F76D                      ;  条件二的关键跳转

结论：

机器码的其中两位 * 9 + 535 取结果的最后两个数字作为注册码的三四两位

我的机器码是：39945-68655

取机器码中的 45 * 9 + 535 = 940 ，我的注册码的三四两位就是 40

--------------------------------------------------------------------------------

条件三：

…………（仍然先是一些取随机数，并对随机数计算的代码）

0049E0DD . /0F85 2A020000 jnz    0049E30D                      ;  随机跳走验证（条件三）
0049E0E3 . |8D95 64FFFFFF lea    edx, dword ptr [ebp-9C]
0049E0E9 . |52          push edx
0049E0EA . |8D45 A4    lea    eax, dword ptr [ebp-5C]
0049E0ED . |50          push eax
0049E0EE . |C785 6CFFFFFF>mov    dword ptr [ebp-94], 004E109C    ;  d{4
0049E0F8 . |C785 64FFFFFF>mov    dword ptr [ebp-9C], 4008
0049E102 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>]    ;  MSVBVM60.rtcTrimVar
0049E108 . |33C9       xor    ecx, ecx
0049E10A . |66:3935 90104>cmp    word ptr [4E1090], si
0049E111 . |8D55 A4    lea    edx, dword ptr [ebp-5C]
0049E114 . |0F94C1       sete cl
0049E117 . |52          push edx
0049E118 . |8D45 94    lea    eax, dword ptr [ebp-6C]
0049E11B . |50          push eax
0049E11C . |C785 5CFFFFFF>mov    dword ptr [ebp-A4], 3
0049E126 . |C785 54FFFFFF>mov    dword ptr [ebp-AC], 8002
0049E130 . |C785 44FFFFFF>mov    dword ptr [ebp-BC], 0B
0049E13A . |F7D9       neg    ecx
0049E13C . |66:898D 4CFFF>mov    word ptr [ebp-B4], cx
0049E143 . |FF15 90104000 call dword ptr [<&MSVBVM60.__vbaLenVa>;  取得注册码的长度
0049E149 . |50          push eax
0049E14A . |8D8D 54FFFFFF lea    ecx, dword ptr [ebp-AC]
0049E150 . |51          push ecx
0049E151 . |8D55 84    lea    edx, dword ptr [ebp-7C]
0049E154 . |52          push edx
0049E155 . |FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarCm>;  MSVBVM60.__vbaVarCmpGt
0049E15B . |50          push eax
0049E15C . |8D85 44FFFFFF lea    eax, dword ptr [ebp-BC]
0049E162 . |50          push eax
0049E163 . |8D8D 74FFFFFF lea    ecx, dword ptr [ebp-8C]
0049E169 . |51          push ecx
0049E16A . |FF15 9C114000 call dword ptr [<&MSVBVM60.__vbaVarAn>;  MSVBVM60.__vbaVarAnd
0049E170 . |50          push eax
0049E171 . |FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaBoolV>;  MSVBVM60.__vbaBoolVarNull
0049E177 . |8D95 44FFFFFF lea    edx, dword ptr [ebp-BC]
0049E17D . |66:8BF8    mov    di, ax
0049E180 . |52          push edx
0049E181 . |8D45 A4    lea    eax, dword ptr [ebp-5C]
0049E184 . |50          push eax
0049E185 . |6A 02       push 2
0049E187 . |FF15 40104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
0049E18D . |83C4 0C    add    esp, 0C
0049E190 . |66:3BFE    cmp    di, si
0049E193 . |0F84 74010000 je    0049E30D

结论：

这里什么也没做，就验证下注册码的长度，程序在其他地方检验不通过，删除了注册信息，也会被这段代码检验到

--------------------------------------------------------------------------------

还有两个条件验证，我开着程序，等好久都没停到这里，也就是在我的电脑上并不进行条件四和条件五的沿着验证。

于是，重新定位 eip 的数值，来到这里：

条件四：

0049E568 > \8D45 88    lea    eax, dword ptr [ebp-78]       ;  条件四：
0049E56B .  50          push eax
0049E56C .  C745 90 04000>mov    dword ptr [ebp-70], 80020004
0049E573 .  C745 88 0A000>mov    dword ptr [ebp-78], 0A
0049E57A .  FF15 BC104000 call dword ptr [<&MSVBVM60.#594>]    ;  MSVBVM60.rtcRandomize
0049E580 .  8B1D 28104000 mov    ebx, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaFreeVar
0049E586 .  8D4D 88    lea    ecx, dword ptr [ebp-78]
0049E589 .  FFD3       call ebx                            ;  <&MSVBVM60.__vbaFreeVar>
0049E58B .  8B15 9C104E00 mov    edx, dword ptr [4E109C]
0049E591 .  8B35 50124000 mov    esi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaStrCopy
0049E597 .  8D4D B8    lea    ecx, dword ptr [ebp-48]
0049E59A .  FFD6       call esi                            ;  <&MSVBVM60.__vbaStrCopy>
0049E59C .  8D95 48FFFFFF lea    edx, dword ptr [ebp-B8]
0049E5A2 .  52          push edx
0049E5A3 .  8D45 88    lea    eax, dword ptr [ebp-78]
0049E5A6 .  8D4D B8    lea    ecx, dword ptr [ebp-48]
0049E5A9 .  50          push eax
0049E5AA .  898D 50FFFFFF mov    dword ptr [ebp-B0], ecx
0049E5B0 .  C785 48FFFFFF>mov    dword ptr [ebp-B8], 4008
0049E5BA .  FF15 F0104000 call dword ptr [<&MSVBVM60.#520>]    ;  MSVBVM60.rtcTrimVar
0049E5C0 .  8D4D 88    lea    ecx, dword ptr [ebp-78]
0049E5C3 .  51          push ecx
0049E5C4 .  8D55 AC    lea    edx, dword ptr [ebp-54]
0049E5C7 .  52          push edx
0049E5C8 .  FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarVal
0049E5CE .  50          push eax
0049E5CF .  FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  取得注册码的数值 9876543244
0049E5D5 .  833D 00104E00>cmp    dword ptr [4E1000], 0          ;  判断注册码是否为空
0049E5DC .  75 08       jnz    short 0049E5E6
0049E5DE .  DC35 D0214000 fdiv qword ptr [4021D0]             ;  9876543244 / 100000000
0049E5E4 .  EB 11       jmp    short 0049E5F7
0049E5E6 >  FF35 D4214000 push dword ptr [4021D4]
0049E5EC .  FF35 D0214000 push dword ptr [4021D0]
0049E5F2 .  E8 6D4CF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049E5F7 >  DFE0       fstsw ax
0049E5F9 .  A8 0D       test al, 0D
0049E5FB .  0F85 7E040000 jnz    0049EA7F
0049E601 .  FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  9876543244 / 100000000 取整得 98
0049E607 .  DD5D B0    fstp qword ptr [ebp-50]
0049E60A .  8B3D 28134000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaFreeStr
0049E610 .  8D4D AC    lea    ecx, dword ptr [ebp-54]
0049E613 .  FFD7       call edi                            ;  <&MSVBVM60.__vbaFreeStr>
0049E615 .  8D4D 88    lea    ecx, dword ptr [ebp-78]
0049E618 .  FFD3       call ebx
0049E61A .  DD45 B0    fld    qword ptr [ebp-50]
0049E61D .  833D 00104E00>cmp    dword ptr [4E1000], 0
0049E624 .  75 08       jnz    short 0049E62E
0049E626 .  DC35 48154000 fdiv qword ptr [401548]             ;  98 / 100
0049E62C .  EB 11       jmp    short 0049E63F
0049E62E >  FF35 4C154000 push dword ptr [40154C]
0049E634 .  FF35 48154000 push dword ptr [401548]
0049E63A .  E8 254CF6FF call <jmp.&MSVBVM60._adj_fdiv_m64>
0049E63F >  DFE0       fstsw ax
0049E641 .  A8 0D       test al, 0D
0049E643 .  0F85 36040000 jnz    0049EA7F
0049E649 .  FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  98 / 100 取整得 0
0049E64F .  DC0D 48154000 fmul qword ptr [401548]             ;  0 * 100 = 0
0049E655 .  DC6D B0    fsubr qword ptr [ebp-50]             ;  98 -0 = 98
0049E658 .  DD5D B0    fstp qword ptr [ebp-50]             ;  跟过上面的就知道其实就是得到注册码的一二两位 98
0049E65B .  DFE0       fstsw ax
0049E65D .  A8 0D       test al, 0D
0049E65F .  0F85 1A040000 jnz    0049EA7F
0049E665 .  8B5D B0    mov    ebx, dword ptr [ebp-50]
0049E668 .  85DB       test ebx, ebx
0049E66A .  75 0D       jnz    short 0049E679
0049E66C .  817D B4 00004>cmp    dword ptr [ebp-4C], 404B0000
0049E673    0F84 6E030000 je    0049E9E7
0049E679 >  E8 52AA0100 call 004B90D0                      ;  得"99"，不跟进，应该就是机器码的其中两位
0049E67E .  8BD0       mov    edx, eax
0049E680 .  8D4D AC    lea    ecx, dword ptr [ebp-54]
0049E683 .  FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0049E689 .  50          push eax
0049E68A .  FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  MSVBVM60.rtcR8ValFromBstr
0049E690 .  FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaFpR8>>;  MSVBVM60.__vbaFpR8
0049E696 .  DC1D C8214000 fcomp qword ptr [4021C8]             ;  判断机器码的这两位是不是"99"
0049E69C .  DFE0       fstsw ax
0049E69E .  F6C4 40    test ah, 40                         ;  如果等于 99，就跳走，不进行条件四的验证
0049E6A1 .  74 07       je    short 0049E6AA                ;  很奇怪，我的机器码那两位正好是"99"
0049E6A3 .  B8 01000000 mov    eax, 1
0049E6A8 .  EB 02       jmp    short 0049E6AC
0049E6AA >  33C0       xor    eax, eax
0049E6AC >  F7D8       neg    eax
0049E6AE .  8D4D AC    lea    ecx, dword ptr [ebp-54]
0049E6B1 .  8985 30FFFFFF mov    dword ptr [ebp-D0], eax
0049E6B7 .  FFD7       call edi
0049E6B9 .  66:83BD 30FFF>cmp    word ptr [ebp-D0], 0
0049E6C1 .  74 44       je    short 0049E707
0049E6C3 .  8B45 08    mov    eax, dword ptr [ebp+8]
0049E6C6 .  8B08       mov    ecx, dword ptr [eax]
0049E6C8 .  50          push eax
0049E6C9 .  FF91 F0030000 call dword ptr [ecx+3F0]
0049E6CF .  50          push eax
0049E6D0 .  8D55 98    lea    edx, dword ptr [ebp-68]
0049E6D3 .  52          push edx
0049E6D4 .  FF15 C4104000 call dword ptr [<&MSVBVM60.__vbaObjSe>;  MSVBVM60.__vbaObjSet
0049E6DA .  8BF0       mov    esi, eax
0049E6DC .  8B06       mov    eax, dword ptr [esi]
0049E6DE .  6A 00       push 0
0049E6E0 .  56          push esi
0049E6E1 .  FF50 5C    call dword ptr [eax+5C]
0049E6E4 .  DBE2       fclex
0049E6E6 .  85C0       test eax, eax
0049E6E8 .  7D 0F       jge    short 0049E6F9
0049E6EA .  6A 5C       push 5C
0049E6EC .  68 38004100 push 00410038
0049E6F1 .  56          push esi
0049E6F2 .  50          push eax
0049E6F3 .  FF15 88104000 call dword ptr [<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0049E6F9 >  8D4D 98    lea    ecx, dword ptr [ebp-68]
0049E6FC .  FF15 24134000 call dword ptr [<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0049E702 .  E9 E0020000 jmp    0049E9E7
0049E707 >  E8 C4A90100 call 004B90D0
0049E70C .  8BD0       mov    edx, eax
0049E70E .  8D4D AC    lea    ecx, dword ptr [ebp-54]
0049E711 .  FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0049E717 .  50          push eax
0049E718 .  FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  MSVBVM60.rtcR8ValFromBstr
0049E71E .  DC0D C0214000 fmul qword ptr [4021C0]             ;  99 *  83 = 8217
0049E724 .  8D95 48FFFFFF lea    edx, dword ptr [ebp-B8]
0049E72A .  8D4D DC    lea    ecx, dword ptr [ebp-24]
0049E72D .  DC05 B8214000 fadd qword ptr [4021B8]             ;  8217 + 737 = 8954
0049E733 .  C785 48FFFFFF>mov    dword ptr [ebp-B8], 5
0049E73D .  DD9D 50FFFFFF fstp qword ptr [ebp-B0]
0049E743 .  DFE0       fstsw ax
0049E745 .  A8 0D       test al, 0D
0049E747 .  0F85 32030000 jnz    0049EA7F
0049E74D .  FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
0049E753 .  8D4D AC    lea    ecx, dword ptr [ebp-54]
0049E756 .  FFD7       call edi
0049E758 .  B9 02000000 mov    ecx, 2
0049E75D .  898D 48FFFFFF mov    dword ptr [ebp-B8], ecx
0049E763 .  898D 38FFFFFF mov    dword ptr [ebp-C8], ecx
0049E769 .  B8 64000000 mov    eax, 64
0049E76E .  8D4D DC    lea    ecx, dword ptr [ebp-24]
0049E771 .  51          push ecx
0049E772 .  8D55 DC    lea    edx, dword ptr [ebp-24]
0049E775 .  8985 50FFFFFF mov    dword ptr [ebp-B0], eax
0049E77B .  8985 40FFFFFF mov    dword ptr [ebp-C0], eax
0049E781 .  52          push edx
0049E782 .  8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
0049E788 .  50          push eax
0049E789 .  8D4D 88    lea    ecx, dword ptr [ebp-78]
0049E78C .  51          push ecx
0049E78D .  FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>;  8954 / 100
0049E793 .  50          push eax
0049E794 .  8D95 78FFFFFF lea    edx, dword ptr [ebp-88]
0049E79A .  52          push edx
0049E79B .  FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>;  8954 / 100 取整得 89
0049E7A1 .  50          push eax
0049E7A2 .  8D85 38FFFFFF lea    eax, dword ptr [ebp-C8]
0049E7A8 .  50          push eax
0049E7A9 .  8D8D 68FFFFFF lea    ecx, dword ptr [ebp-98]
0049E7AF .  51          push ecx
0049E7B0 .  FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>;  89 * 100 = 8900
0049E7B6 .  50          push eax
0049E7B7 .  8D95 58FFFFFF lea    edx, dword ptr [ebp-A8]
0049E7BD .  52          push edx
0049E7BE .  FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>;  8954 - 8900 = 54
0049E7C4 .  8BD0       mov    edx, eax
0049E7C6 .  8D4D DC    lea    ecx, dword ptr [ebp-24]
0049E7C9 .  FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
0049E7CF .  8B45 B4    mov    eax, dword ptr [ebp-4C]
0049E7D2 .  8D4D DC    lea    ecx, dword ptr [ebp-24]
0049E7D5 .  51          push ecx
0049E7D6 .  8D95 48FFFFFF lea    edx, dword ptr [ebp-B8]
0049E7DC .  52          push edx
0049E7DD .  899D 50FFFFFF mov    dword ptr [ebp-B0], ebx
0049E7E3 .  8985 54FFFFFF mov    dword ptr [ebp-AC], eax
0049E7E9 .  C785 48FFFFFF>mov    dword ptr [ebp-B8], 8005
0049E7F3 .  FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>;  54 不等于 98，注册不成功
0049E7F9 .  66:85C0    test ax, ax
0049E7FC .  0F84 E5010000 je    0049E9E7                      ;  条件四的关键跳转

结论：

机器码的其中两位 * 83 + 737 取结果的最后两个数字作为注册码的一二两位

我的机器码是：39945-68655

取机器码中的 99 * 83 + 737 = 8954 ，我的注册码的一二两位就是 54

--------------------------------------------------------------------------------

004C3FEF . /0F85 B9030000 jnz    004C43AE                      ;  随机跳走判断(条件五)
004C3FF5 . |8B15 9C104E00 mov    edx, dword ptr [4E109C]
004C3FFB . |8B35 50124000 mov    esi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaStrCopy
004C4001 . |8D4D B8    lea    ecx, dword ptr [ebp-48]
004C4004 . |FFD6       call esi                            ;  <&MSVBVM60.__vbaStrCopy>
004C4006 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
004C400C . |50          push eax
004C400D . |8D4D 88    lea    ecx, dword ptr [ebp-78]
004C4010 . |8D55 B8    lea    edx, dword ptr [ebp-48]
004C4013 . |51          push ecx
004C4014 . |8995 50FFFFFF mov    dword ptr [ebp-B0], edx
004C401A . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 4008
004C4024 . |FF15 F0104000 call dword ptr [<&MSVBVM60.#520>]    ;  MSVBVM60.rtcTrimVar
004C402A . |8D55 88    lea    edx, dword ptr [ebp-78]
004C402D . |52          push edx
004C402E . |8D45 AC    lea    eax, dword ptr [ebp-54]
004C4031 . |50          push eax
004C4032 . |FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarVal
004C4038 . |50          push eax
004C4039 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  取得注册码数值 9876543244
004C403F . |833D 00104E00>cmp    dword ptr [4E1000], 0          ;  注册码是否为空
004C4046 . |75 08       jnz    short 004C4050
004C4048 . |DC35 48154000 fdiv qword ptr [401548]             ;  9876543244 / 100
004C404E . |EB 11       jmp    short 004C4061
004C4050 > |FF35 4C154000 push dword ptr [40154C]
004C4056 . |FF35 48154000 push dword ptr [401548]
004C405C . |E8 03F2F3FF call <jmp.&MSVBVM60._adj_fdiv_m64>
004C4061 > |DFE0       fstsw ax
004C4063 . |A8 0D       test al, 0D
004C4065 . |0F85 D9030000 jnz    004C4444
004C406B . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  9876543244 / 100 取整得 98765432
004C4071 . |DD5D B0    fstp qword ptr [ebp-50]
004C4074 . |8B3D 28134000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaFreeStr
004C407A . |8D4D AC    lea    ecx, dword ptr [ebp-54]
004C407D . |FFD7       call edi                            ;  <&MSVBVM60.__vbaFreeStr>
004C407F . |8D4D 88    lea    ecx, dword ptr [ebp-78]
004C4082 . |FFD3       call ebx
004C4084 . |DD45 B0    fld    qword ptr [ebp-50]
004C4087 . |833D 00104E00>cmp    dword ptr [4E1000], 0
004C408E . |75 08       jnz    short 004C4098
004C4090 . |DC35 48154000 fdiv qword ptr [401548]             ;  98765432 / 100
004C4096 . |EB 11       jmp    short 004C40A9
004C4098 > |FF35 4C154000 push dword ptr [40154C]
004C409E . |FF35 48154000 push dword ptr [401548]
004C40A4 . |E8 BBF1F3FF call <jmp.&MSVBVM60._adj_fdiv_m64>
004C40A9 > |DFE0       fstsw ax
004C40AB . |A8 0D       test al, 0D
004C40AD . |0F85 91030000 jnz    004C4444
004C40B3 . |FF15 10134000 call dword ptr [<&MSVBVM60.__vbaFPInt>;  98765432 / 100 取整得 987654
004C40B9 . |DC0D 48154000 fmul qword ptr [401548]             ;  987654 * 100 = 98765400
004C40BF . |DC6D B0    fsubr qword ptr [ebp-50]             ;  98765432 - 98765400 = 32
004C40C2 . |DD5D B0    fstp qword ptr [ebp-50]             ;  上面得到注册码的七八两位 32
004C40C5 . |DFE0       fstsw ax
004C40C7 . |A8 0D       test al, 0D
004C40C9 . |0F85 75030000 jnz    004C4444
004C40CF . |E8 3C4BFFFF call 004B8C10                      ;  得"65"，不跟进，很容易想到是机器码的其中两位
004C40D4 . |8BD0       mov    edx, eax
004C40D6 . |8D4D AC    lea    ecx, dword ptr [ebp-54]
004C40D9 . |FF15 E4124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
004C40DF . |50          push eax
004C40E0 . |FF15 2C134000 call dword ptr [<&MSVBVM60.#581>]    ;  MSVBVM60.rtcR8ValFromBstr
004C40E6 . |DC0D 101D4000 fmul qword ptr [401D10]             ;  65 * 74 = 4810
004C40EC . |8D95 48FFFFFF lea    edx, dword ptr [ebp-B8]
004C40F2 . |8D4D DC    lea    ecx, dword ptr [ebp-24]
004C40F5 . |DC05 482B4000 fadd qword ptr [402B48]             ;  4810 + 126 = 4936
004C40FB . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 5
004C4105 . |DD9D 50FFFFFF fstp qword ptr [ebp-B0]
004C410B . |DFE0       fstsw ax
004C410D . |A8 0D       test al, 0D
004C410F . |0F85 2F030000 jnz    004C4444
004C4115 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
004C411B . |8D4D AC    lea    ecx, dword ptr [ebp-54]
004C411E . |FFD7       call edi
004C4120 . |B9 02000000 mov    ecx, 2
004C4125 . |898D 48FFFFFF mov    dword ptr [ebp-B8], ecx
004C412B . |898D 38FFFFFF mov    dword ptr [ebp-C8], ecx
004C4131 . |B8 64000000 mov    eax, 64
004C4136 . |8D4D DC    lea    ecx, dword ptr [ebp-24]
004C4139 . |51          push ecx
004C413A . |8D55 DC    lea    edx, dword ptr [ebp-24]
004C413D . |8985 50FFFFFF mov    dword ptr [ebp-B0], eax
004C4143 . |8985 40FFFFFF mov    dword ptr [ebp-C0], eax
004C4149 . |52          push edx
004C414A . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
004C4150 . |50          push eax
004C4151 . |8D4D 88    lea    ecx, dword ptr [ebp-78]
004C4154 . |51          push ecx
004C4155 . |FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaVarDi>;  4936 / 100
004C415B . |50          push eax
004C415C . |8D95 78FFFFFF lea    edx, dword ptr [ebp-88]
004C4162 . |52          push edx
004C4163 . |FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarIn>;  4936 / 100 取整得 49
004C4169 . |50          push eax
004C416A . |8D85 38FFFFFF lea    eax, dword ptr [ebp-C8]
004C4170 . |50          push eax
004C4171 . |8D8D 68FFFFFF lea    ecx, dword ptr [ebp-98]
004C4177 . |51          push ecx
004C4178 . |FF15 AC114000 call dword ptr [<&MSVBVM60.__vbaVarMu>;  49 * 100 = 4900
004C417E . |50          push eax
004C417F . |8D95 58FFFFFF lea    edx, dword ptr [ebp-A8]
004C4185 . |52          push edx
004C4186 . |FF15 04104000 call dword ptr [<&MSVBVM60.__vbaVarSu>;  4936 - 4900 = 36
004C418C . |8BD0       mov    edx, eax
004C418E . |8D4D DC    lea    ecx, dword ptr [ebp-24]
004C4191 . |FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
004C4197 . |8B45 B0    mov    eax, dword ptr [ebp-50]
004C419A . |8B4D B4    mov    ecx, dword ptr [ebp-4C]
004C419D . |8D55 DC    lea    edx, dword ptr [ebp-24]
004C41A0 . |8985 50FFFFFF mov    dword ptr [ebp-B0], eax
004C41A6 . |52          push edx
004C41A7 . |8D85 48FFFFFF lea    eax, dword ptr [ebp-B8]
004C41AD . |50          push eax
004C41AE . |898D 54FFFFFF mov    dword ptr [ebp-AC], ecx
004C41B4 . |C785 48FFFFFF>mov    dword ptr [ebp-B8], 8005
004C41BE . |FF15 7C124000 call dword ptr [<&MSVBVM60.__vbaVarTs>;  36 不等于 32 注册不成功
004C41C4 . |66:85C0    test ax, ax
004C41C7 . |0F84 DF010000 je    004C43AC                      ;  条件五的关键跳转

结论：

机器码的其中两位 * 74 + 126 取结果的最后两个数字作为注册码的七八两位

我的机器码是：39945-68655

取机器码中的 65 * 74 + 126 = 4936 ，我的注册码的七八两位就是 36

--------------------------------------------------------------------------------

对作者的建议：

既然将暗桩分散到了程序各个部分，但验证不通过尽量不要采取同一个处理函数，否则处理函数会成为寻找暗桩的捷径。另外，注销系统的方法会用户的一些未保存数据，不建议采用。

--------------------------------------------------------------------------------

找到所有验证就可以写注册机啦：

找到所有验证就可以写注册机啦：

bool Keygen ( ){
TCHAR cJiqiCode[16],cRegCode[12],cReg5[3];
int reg1,reg2,reg3,reg4,reg5;

//检查机器码的输入

GetWindowText ( hEdit1 ,cJiqiCode ,16);
if ( lstrlen( cJiqiCode ) != 11 || cJiqiCode[5] != '-' )
return false;

//机器码有除了第六位外都是由数字组成
cJiqiCode[5] = '0';
for ( byte i=0;i<11;i++){
if ( cJiqiCode[i]<'0' || cJiqiCode[i]>'9')
return false;
}
reg1 = (((cJiqiCode[1]-0x30)*10+(cJiqiCode[2]-0x30))*83+737)%100;
reg2 = (((cJiqiCode[3]-0x30)*10+(cJiqiCode[4]-0x30))*9+535)%100;
reg3 = (((cJiqiCode[6]-0x30)*10+(cJiqiCode[7]-0x30))*12+121)%100;
reg4 = (((cJiqiCode[8]-0x30)*10+(cJiqiCode[9]-0x30))*74+126)%100;
wsprintf( cRegCode ,TEXT("%02d%02d%02d%02d"),reg1,reg2,reg3,reg4);
reg5 = 0;
for(byte i=0;i<8;i++)
reg5 = reg5 + cRegCode[i] - 0x30;
wsprintf (cReg5 ,TEXT("%02d") ,reg5);
lstrcat ( cRegCode ,cReg5);
SetWindowText ( hEdit2 ,cRegCode );
return true;
}

--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                   2008年08月3日 22:19:55

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

#调试逆向

收藏・0

免费・0

支持

最新回复 (3)
linhanshi 雪币： 97697 活跃值： (200824) 能力值： (RANK：10 ) 在线值：发帖 9249 回帖 27947 粉丝 452 关注私信	linhanshi 2 楼 support. 2008-8-4 18:36 0
stalker 雪币： 399 活跃值： (38) 能力值： (RANK：350 ) 在线值：发帖 70 回帖 1064 粉丝 3 关注私信	stalker 8 3 楼看文章末尾的时间,难道是bug? 2008-8-4 18:40 0
wenglingok 雪币： 671 活跃值： (723) 能力值： ( LV9，RANK：1060 ) 在线值：发帖 52 回帖 679 粉丝 1 关注私信	wenglingok 26 4 楼时间是复制过来的，忘记改了。 2008-8-4 23:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wenglingok

发帖

679

回帖

1060

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
linhanshi 雪币： 97697 活跃值： (200824) 能力值： (RANK：10 ) 在线值：发帖 9249 回帖 27947 粉丝 452 关注私信	linhanshi 2 楼 support. 2008-8-4 18:36 0
stalker 雪币： 399 活跃值： (38) 能力值： (RANK：350 ) 在线值：发帖 70 回帖 1064 粉丝 3 关注私信	stalker 8 3 楼看文章末尾的时间,难道是bug? 2008-8-4 18:40 0
wenglingok 雪币： 671 活跃值： (723) 能力值： ( LV9，RANK：1060 ) 在线值：发帖 52 回帖 679 粉丝 1 关注私信	wenglingok 26 4 楼时间是复制过来的，忘记改了。 2008-8-4 23:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复