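【Article title】: Algorithm analysis of a VB program --- the algorithm is easy, experts can skip this
【Author】: Eddy
【Author's homepage】: http://hi.baidu.com/cumt_sjh
【Author's QQ】: 860822214
【Software name】: 非线性方程的数值解法 v1.1 (Numerical Solution of Nonlinear Equations v1.1)
【Software size】: 2.92M
【Download address】: search for it yourself
【Packer】: none
【Protection】: serial number
【Language】: VB
【Tools used】: PEiD, OD
【Platform】: XP
【Author's statement】: This was done out of interest only, with no other purpose. Please point out any mistakes!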
--------------------------------------------------------------------------------
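【Detailed process】
As usual, check for a packer first.
Pausing with F12, string references, or API breakpoints all lead to the key registration code, shown below:
Locating the key registration code
Quote: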
00416210 55 push ebp
00416211 8BEC mov ebp,esp
00416213 83EC 0C sub esp,0C
............................
00416290 57 push edi
00416291 8B0F mov ecx,dword ptr ds:[edi]
00416293 FF91 A0000000 call dword ptr ds:[ecx+A0] ; get the entered (fake) code
00416299 3BC3 cmp eax,ebx
0041629B DBE2 fclex
0041629D 7D 12 jge short NonLinea.004162B1
0041629F 68 A0000000 push 0A0
004162A4 68 48644000 push NonLinea.00406448
004162A9 57 push edi
004162AA 50 push eax
004162AB FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>; MSVBVM60.__vbaHresultCheckObj
004162B1 8B55 E0 mov edx,dword ptr ss:[ebp-20]
004162B4 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
004162B7 895D E0 mov dword ptr ss:[ebp-20],ebx
004162BA FF15 20124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>; MSVBVM60.__vbaStrMove
004162C0 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004162C3 FF15 4C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>; MSVBVM60.__vbaFreeObj
004162C9 8B06 mov eax,dword ptr ds:[esi]
004162CB 56 push esi
004162CC FF90 04030000 call dword ptr ds:[eax+304]
004162D2 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004162D5 50 push eax
004162D6 51 push ecx
004162D7 FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>>; MSVBVM60.__vbaObjSet
004162DD 8BF8 mov edi,eax
004162DF 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004162E2 50 push eax
004162E3 57 push edi
004162E4 8B17 mov edx,dword ptr ds:[edi]
004162E6 FF92 A0000000 call dword ptr ds:[edx+A0] ; get the machine code
004162EC 3BC3 cmp eax,ebx
004162EE DBE2 fclex
004162F0 7D 12 jge short NonLinea.00416304
004162F2 68 A0000000 push 0A0
004162F7 68 48644000 push NonLinea.00406448
004162FC 57 push edi
004162FD 50 push eax
004162FE FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>; MSVBVM60.__vbaHresultCheckObj
00416304 8B55 E0 mov edx,dword ptr ss:[ebp-20]
00416307 8B3D 20124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
0041630D 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00416310 895D E0 mov dword ptr ss:[ebp-20],ebx
00416313 FFD7 call edi
00416315 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00416318 FF15 4C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>; MSVBVM60.__vbaFreeObj
0041631E 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00416321 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00416324 51 push ecx
00416325 52 push edx
00416326 E8 95EFFFFF call NonLinea.004152C0 ; key call
0041632B 66:3BC3 cmp ax,bx
0041632E 66:A3 B6704200 mov word ptr ds:[4270B6],ax
00416334 0F84 83010000 je NonLinea.004164BD ; if this jump is taken, registration fails
0041633A 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0041633D 50 push eax
0041633E E8 9DF4FFFF call NonLinea.004157E0
00416343 8BD0 mov edx,eax
00416345 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00416348 FFD7 call edi
0041634A 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0041634D FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
00416353 8B3D F0114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaVarD>; MSVBVM60.__vbaVarDup
00416359 B9 04000280 mov ecx,80020004
0041635E 894D A4 mov dword ptr ss:[ebp-5C],ecx
00416361 B8 0A000000 mov eax,0A
00416366 894D B4 mov dword ptr ss:[ebp-4C],ecx
00416369 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
0041636F 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00416372 66:C705 B6704200 F>mov word ptr ds:[4270B6],0FFFF
0041637B 8945 9C mov dword ptr ss:[ebp-64],eax
0041637E 8945 AC mov dword ptr ss:[ebp-54],eax
00416381 C745 84 E8764000 mov dword ptr ss:[ebp-7C],NonLinea.004076E>
00416388 C785 7CFFFFFF 0800>mov dword ptr ss:[ebp-84],8
00416392 FFD7 call edi
00416394 8D55 8C lea edx,dword ptr ss:[ebp-74]
00416397 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0041639A C745 94 BC764000 mov dword ptr ss:[ebp-6C],NonLinea.004076B>
004163A1 C745 8C 08000000 mov dword ptr ss:[ebp-74],8
004163A8 FFD7 call edi
004163AA 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004163AD 8D55 AC lea edx,dword ptr ss:[ebp-54]
004163B0 51 push ecx
004163B1 8D45 BC lea eax,dword ptr ss:[ebp-44]
004163B4 52 push edx
004163B5 50 push eax
004163B6 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004163B9 53 push ebx
004163BA 51 push ecx
004163BB FF15 A0104000 call dword ptr ds:[<&MSVBVM60.#595>] ; registration success message
004163C1 8D55 9C lea edx,dword ptr ss:[ebp-64]
004163C4 8D45 AC lea eax,dword ptr ss:[ebp-54]
.......................
0041651A 53 push ebx
0041651B 50 push eax
0041651C FF15 A0104000 call dword ptr ds:[<&MSVBVM60.#595>] ; registration error message
Step into the call at 00416326
Quote:
004152C0 55 push ebp
004152C1 8BEC mov ebp,esp
004152C3 83EC 08 sub esp,8
004152C6 68 26244000 push <jmp.&MSVBVM60.__vbaExceptHandler>
004152CB 64:A1 00000000 mov eax,dword ptr fs:[0]
004152D1 50 push eax
004152D2 64:8925 00000000 mov dword ptr fs:[0],esp
004152D9 83EC 0C sub esp,0C
004152DC 53 push ebx
004152DD 56 push esi
004152DE 57 push edi
004152DF 8965 F8 mov dword ptr ss:[ebp-8],esp
004152E2 C745 FC B8194000 mov dword ptr ss:[ebp-4],NonLinea.004019B8
004152E9 8B45 08 mov eax,dword ptr ss:[ebp+8]
004152EC C745 E8 00000000 mov dword ptr ss:[ebp-18],0
004152F3 50 push eax
004152F4 E8 57000000 call NonLinea.00415350 ; key call
004152F9 8BD0 mov edx,eax
004152FB 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
004152FE FF15 20124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>; MSVBVM60.__vbaStrMove
00415304 8B55 0C mov edx,dword ptr ss:[ebp+C]
00415307 8B4D E8 mov ecx,dword ptr ss:[ebp-18]
0041530A 51 push ecx
0041530B 8B02 mov eax,dword ptr ds:[edx]
0041530D 50 push eax
0041530E FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>>; compare the real and the entered registration codes
00415314 F7D8 neg eax
00415316 1BC0 sbb eax,eax
00415318 68 2D534100 push NonLinea.0041532D
0041531D F7D8 neg eax
0041531F 48 dec eax
00415320 8945 EC mov dword ptr ss:[ebp-14],eax
00415323 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00415326 FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
0041532C C3 retn
0041532D 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00415330 66:8B45 EC mov ax,word ptr ss:[ebp-14]
00415334 5F pop edi
00415335 5E pop esi
00415336 64:890D 00000000 mov dword ptr fs:[0],ecx
0041533D 5B pop ebx
0041533E 8BE5 mov esp,ebp
00415340 5D pop ebp
00415341 C2 0800 retn 8
Step into the call at 004152F4
Quote:
00415350 55 push ebp
00415351 8BEC mov ebp,esp
00415353 83EC 08 sub esp,8
00415356 68 26244000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0041535B 64:A1 00000000 mov eax,dword ptr fs:[0]
00415361 50 push eax
00415362 64:8925 00000000 mov dword ptr fs:[0],esp
00415369 83EC 0C sub esp,0C
0041536C 53 push ebx
0041536D 56 push esi
0041536E 57 push edi
0041536F 8965 F8 mov dword ptr ss:[ebp-8],esp
00415372 C745 FC C8194000 mov dword ptr ss:[ebp-4],NonLinea.004019C8
00415379 33C0 xor eax,eax
0041537B 8945 EC mov dword ptr ss:[ebp-14],eax
0041537E 8945 E8 mov dword ptr ss:[ebp-18],eax
00415381 8B45 08 mov eax,dword ptr ss:[ebp+8]
00415384 50 push eax
00415385 E8 56000000 call NonLinea.004153E0 ; build the string to be hashed from the machine code
0041538A 8B35 20124000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00415390 8BD0 mov edx,eax
00415392 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00415395 FFD6 call esi
00415397 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0041539A 51 push ecx
0041539B E8 90D9FFFF call NonLinea.00412D30 ; key call: generates the registration code
004153A0 8BD0 mov edx,eax
004153A2 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
004153A5 FFD6 call esi
004153A7 68 C2534100 push NonLinea.004153C2
004153AC EB 0A jmp short NonLinea.004153B8
004153AE 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
004153B1 FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
004153B7 C3 retn
004153B8 8D4D EC lea ecx,dword ptr ss:[ebp-14]
004153BB FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
004153C1 C3 retn
004153C2 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
004153C5 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004153C8 5F pop edi
004153C9 5E pop esi
004153CA 64:890D 00000000 mov dword ptr fs:[0],ecx
004153D1 5B pop ebx
004153D2 8BE5 mov esp,ebp
004153D4 5D pop ebp
004153D5 C2 0400 retn 4
Step into the call at 00415385
Quote:
004153E0 55 push ebp
004153E1 8BEC mov ebp,esp
004153E3 83EC 0C sub esp,0C
004153E6 68 26244000 push <jmp.&MSVBVM60.__vbaExceptHandler>
004153EB 64:A1 00000000 mov eax,dword ptr fs:[0]
004153F1 50 push eax
004153F2 64:8925 00000000 mov dword ptr fs:[0],esp
004153F9 83EC 14 sub esp,14
004153FC 53 push ebx
004153FD 56 push esi
004153FE 57 push edi
004153FF 8965 F4 mov dword ptr ss:[ebp-C],esp
00415402 C745 F8 D8194000 mov dword ptr ss:[ebp-8],NonLinea.004019D8
00415409 33C0 xor eax,eax
0041540B 8B35 6C104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCat
00415411 8945 E8 mov dword ptr ss:[ebp-18],eax
00415414 8945 E4 mov dword ptr ss:[ebp-1C],eax
00415417 8945 E0 mov dword ptr ss:[ebp-20],eax
0041541A 8B45 08 mov eax,dword ptr ss:[ebp+8]
0041541D 8B08 mov ecx,dword ptr ds:[eax]
0041541F 51 push ecx
00415420 68 605F4000 push NonLinea.00405F60 ; UNICODE "Ultra"
00415425 FFD6 call esi ; concatenate the machine code with the fixed string "Ultra"
00415427 8B3D 20124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
0041542D 8BD0 mov edx,eax
0041542F 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00415432 FFD7 call edi
00415434 50 push eax
00415435 68 705F4000 push NonLinea.00405F70 ; UNICODE "1.1.0.0"
0041543A FFD6 call esi ; concatenate the machine code with the fixed string "1.1.0.0"
0041543C 8BD0 mov edx,eax
0041543E 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00415441 FFD7 call edi
00415443 50 push eax
00415444 68 845F4000 push NonLinea.00405F84 ; UNICODE "SuffixCT"
00415449 FFD6 call esi ; concatenate the machine code with the fixed string "SuffixCT"
0041544B 8BD0 mov edx,eax ; this is the string to be hashed
0041544D 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00415450 FFD7 call edi
00415452 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00415455 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00415458 52 push edx
00415459 50 push eax
0041545A 6A 02 push 2
0041545C FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStrList
00415462 83C4 0C add esp,0C
00415465 68 90544100 push NonLinea.00415490
0041546A EB 23 jmp short NonLinea.0041548F
0041546C F645 FC 04 test byte ptr ss:[ebp-4],4
00415470 74 09 je short NonLinea.0041547B
00415472 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00415475 FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
0041547B 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0041547E 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00415481 51 push ecx
00415482 52 push edx
00415483 6A 02 push 2
00415485 FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStrList
0041548B 83C4 0C add esp,0C
0041548E C3 retn
0041548F C3 retn
00415490 8B4D EC mov ecx,dword ptr ss:[ebp-14]
00415493 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00415496 5F pop edi
00415497 5E pop esi
00415498 64:890D 00000000 mov dword ptr fs:[0],ecx
0041549F 5B pop ebx
004154A0 8BE5 mov esp,ebp
004154A2 5D pop ebp
004154A3 C2 0400 retn 4
Step into the call at 0041539B
Quote:
00412D30 55 push ebp
00412D31 8BEC mov ebp,esp
00412D33 83EC 0C sub esp,0C
00412D36 68 26244000 push <jmp.&MSVBVM60.__vbaExceptHandler>
00412D3B 64:A1 00000000 mov eax,dword ptr fs:[0]
00412D41 50 push eax
00412D42 64:8925 00000000 mov dword ptr fs:[0],esp
00412D49 83EC 20 sub esp,20
00412D4C 53 push ebx
00412D4D 56 push esi
00412D4E 57 push edi
00412D4F 8965 F4 mov dword ptr ss:[ebp-C],esp
00412D52 C745 F8 00194000 mov dword ptr ss:[ebp-8],NonLinea.00401900
00412D59 33F6 xor esi,esi
00412D5B 8975 E8 mov dword ptr ss:[ebp-18],esi
00412D5E 8975 E4 mov dword ptr ss:[ebp-1C],esi
00412D61 8975 E0 mov dword ptr ss:[ebp-20],esi
00412D64 8975 DC mov dword ptr ss:[ebp-24],esi
00412D67 8975 D8 mov dword ptr ss:[ebp-28],esi
00412D6A 8975 D4 mov dword ptr ss:[ebp-2C],esi
00412D6D E8 AE070000 call NonLinea.00413520
00412D72 8B7D 08 mov edi,dword ptr ss:[ebp+8]
00412D75 57 push edi
00412D76 E8 B5000000 call NonLinea.00412E30
00412D7B 8945 DC mov dword ptr ss:[ebp-24],eax
00412D7E 8D45 DC lea eax,dword ptr ss:[ebp-24]
00412D81 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00412D84 50 push eax
00412D85 51 push ecx
00412D86 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaAryMove>; MSVBVM60.__vbaAryMove
00412D8C 8B17 mov edx,dword ptr ds:[edi]
00412D8E 52 push edx
00412D8F FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>; get the length of the string to be hashed
00412D95 8945 E0 mov dword ptr ss:[ebp-20],eax
00412D98 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00412D9B 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00412D9E 50 push eax
00412D9F 51 push ecx
00412DA0 E8 FB090000 call NonLinea.004137A0
00412DA5 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00412DA8 52 push edx
00412DA9 56 push esi
00412DAA FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaErase>] ; MSVBVM60.__vbaErase
00412DB0 E8 1B080000 call NonLinea.004135D0
00412DB5 E8 36020000 call NonLinea.00412FF0 ; MD5-hash the string (32-character hex digest)
00412DBA 8B35 20124000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrM>; MSVBVM60.__vbaStrMove
00412DC0 8BD0 mov edx,eax
00412DC2 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00412DC5 FFD6 call esi
00412DC7 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00412DCA 50 push eax
00412DCB E8 F01F0000 call NonLinea.00414DC0 ; join the MD5 result with "-" every two characters
00412DD0 8BD0 mov edx,eax
00412DD2 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00412DD5 FFD6 call esi
00412DD7 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00412DDA FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
00412DE0 68 172E4100 push NonLinea.00412E17
00412DE5 EB 19 jmp short NonLinea.00412E00
00412DE7 F645 FC 04 test byte ptr ss:[ebp-4],4
00412DEB 74 09 je short NonLinea.00412DF6
00412DED 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00412DF0 FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
00412DF6 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00412DF9 FF15 48124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
00412DFF C3 retn
00412E00 8B3D 8C104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaAryD>; MSVBVM60.__vbaAryDestruct
00412E06 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00412E09 33F6 xor esi,esi
00412E0B 51 push ecx
00412E0C 56 push esi
00412E0D FFD7 call edi
00412E0F 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00412E12 52 push edx
00412E13 56 push esi
00412E14 FFD7 call edi
00412E16 C3 retn
--------------------------------------------------------------------------------
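Algorithm summary:
The machine code is concatenated with three fixed strings, the resulting string is hashed with MD5 (32-character hex digest), and the digest is then joined with "-" every two characters to give the registration code.
Keygen source code (VB) attached:
Quote: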
Private Sub Command1_Click()
    ' md5() is a helper that is not shown in the post
    Dim md5code As String, regcode As String, str1 As String
    Dim i As Integer
    ' Machine code followed by the three fixed strings
    str1 = Text1.Text & "Ultra" & "1.1.0.0" & "SuffixCT"
    md5code = md5(str1)
    md5code = UCase(md5code)
    ' Join the 32 hex characters in pairs with "-"
    For i = 1 To 31 Step 2
        If i = 31 Then
            regcode = regcode & Mid(md5code, i, 2)
        Else
            regcode = regcode & Mid(md5code, i, 2) & "-"
        End If
    Next i
    Text2.Text = regcode
End Sub
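
The check analysed above derives the one valid code inside the client and compares it with __vbaStrCmp, so the binary carries everything needed to compute that code. As an added example (not code from the original post or from the program), here is a licence check in Go in which the client holds only a public key and can verify a licence but not produce one; the message layout, function names and demo machine code are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// licenceMessage binds a licence to one product version and one machine code.
// The "product|version|machine" layout is an assumed format for this example.
func licenceMessage(version, machine string) []byte {
	return []byte("NonLinear|" + version + "|" + machine)
}

// DemoKeys returns a freshly generated key pair (constructed demo data).
// In a real deployment the private key stays with the vendor.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueLicence runs on the vendor side only and signs the bound message.
func IssueLicence(priv ed25519.PrivateKey, version, machine string) string {
	sig := ed25519.Sign(priv, licenceMessage(version, machine))
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyLicence is the only logic the client ships: it can check a licence
// but holds nothing that lets it compute one.
func VerifyLicence(pub ed25519.PublicKey, version, machine, licence string) bool {
	sig, err := base64.StdEncoding.DecodeString(licence)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed input is rejected, never compared as text
	}
	return ed25519.Verify(pub, licenceMessage(version, machine), sig)
}

func main() {
	pub, priv := DemoKeys()
	lic := IssueLicence(priv, "1.1.0.0", "DEMO-MACHINE-01") // constructed machine code
	fmt.Println(VerifyLicence(pub, "1.1.0.0", "DEMO-MACHINE-01", lic)) // genuine
	fmt.Println(VerifyLicence(pub, "1.1.0.0", "OTHER-MACHINE", lic))   // wrong machine
	fmt.Println(VerifyLicence(pub, "1.2.0.0", "DEMO-MACHINE-01", lic)) // wrong version
}
```

Signature verification addresses code derivation only; it does not protect the branch that acts on the result.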
--------------------------------------------------------------------------------
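【Copyright notice】: This article is an original work by Eddy. When reposting, please credit the author and keep the article intact. Thank you!
June 8, 2009, 11:24:12 AM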