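Ollydbg: 轻松文本 2003 V6.13 (VB)
Download page:
http://www.skycn.com/soft/5977.html
[Software restrictions]: nag, feature limitations
[Author's statement]: I am a beginner at cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
[Tools]: ollydbg1.09, peid, aspackdie, w32dasm 9.0 Platinum Edition
----------------------------------
[Process]:

I actually did this one some ten-odd days ago, but I was too busy and only got around to tidying up my notes today. Heh, the author will probably release an upgrade soon, right?
I also took a look at its sibling product 《英语音标大师 v1.02》; the algorithm is the same, so there is no need to write it up. ^o^ ^o^
easypad.exe is packed with aspack 2.12; unpack it with aspackdie. 169k->732k. Written in vb.
This one is not hard, though some aspects are tricky to get a handle on. ~q~ ^q^ ^v^ ^v^

Serial number: flyn649065455613
Trial code: fly-12345678-fly[ocn][fcg]-e
----------------------------------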
* reference to: msvbvm60.rtcinputbox, ord:0254h

:004620d2 ff15fc104000 call dword ptr [004010fc]
:004620d8 8bd0 mov edx, eax
====>edx=fly-12345678-fly[ocn][fcg]-e (trial code)

:004620da 8d4da8 lea ecx, dword ptr [ebp-58]
:004620dd ffd6 call esi
:004620df 8bd0 mov edx, eax
:004620e1 8b8d78feffff mov ecx, dword ptr [ebp+fffffe78]

* reference to: msvbvm60.__vbastrcopy, ord:0000h
|
:004620e7 ff15d4124000 call dword ptr [004012d4]
:004620ed 8d55a4 lea edx, dword ptr [ebp-5c]
:004620f0 52 push edx

.............................................
..............


* reference to: msvbvm60.__vbafreevarlist, ord:0000h
|
:00462161 ff1544104000 call dword ptr [00401044]
:00462167 83c45c add esp, 0000005c
:0046216a 8b0b mov ecx, dword ptr [ebx]
:0046216c 8d95c8feffff lea edx, dword ptr [ebp+fffffec8]
:00462172 52 push edx
:00462173 8b8578feffff mov eax, dword ptr [ebp+fffffe78]
:00462179 50 push eax
:0046217a 53 push ebx
:0046217b ff9128070000 call dword ptr [ecx+00000728]
====>Key call! Step into it!

:00462181 85c0 test eax, eax
:00462183 7d12 jge 00462197
:00462185 6828070000 push 00000728
:0046218a 688c574200 push 0042578c
:0046218f 53 push ebx
:00462190 50 push eax

* reference to: msvbvm60.__vbahresultcheckobj, ord:0000h
|
:00462191 ff15a4104000 call dword ptr [004010a4]

* referenced by a (u)nconditional or (c)onditional jump at address:
|:00462183(c)
|
:00462197 6683bdc8feffff00 cmp word ptr [ebp+fffffec8], 0000
:0046219f 0f84c3030000 je 00462568
====>If this jump is taken, it's over!

:004621a5 8d4d8c lea ecx, dword ptr [ebp-74]
:004621a8 51 push ecx

* reference to: msvbvm60.rtcgetdatevar, ord:0262h
|
:004621a9 ff1524134000 call dword ptr [00401324]
:004621af 6a00 push 00000000
:004621b1 8d558c lea edx, dword ptr [ebp-74]
:004621b4 52 push edx
:004621b5 8d857cffffff lea eax, dword ptr [ebp+ffffff7c]
:004621bb 50 push eax

...................................
.........................

:004622c3 8d856cffffff lea eax, dword ptr [ebp+ffffff6c]
:004622c9 50 push eax
:004622ca 8d8d7cffffff lea ecx, dword ptr [ebp+ffffff7c]
:004622d0 51 push ecx
:004622d1 8d558c lea edx, dword ptr [ebp-74]
:004622d4 52 push edx

* reference to: msvbvm60.rtcinputbox, ord:0254h
|
:004622d5 ff15fc104000 call dword ptr [004010fc]
====>Congratulations, done! Enter the confirmation number! 7055

:004622db 8bd0 mov edx, eax
====>edx=7055

:004622dd 8d4dc8 lea ecx, dword ptr [ebp-38]
:004622e0 ffd6 call esi
:004622e2 50 push eax

* reference to: msvbvm60.__vbar8str, ord:0000h
|
:004622e3 ff15c0124000 call dword ptr [004012c0]
:004622e9 db437c fild dword ptr [ebx+7c]
:004622ec dd9d70feffff fstp qword ptr [ebp+fffffe70]
:004622f2 dc9d70feffff fcomp qword ptr [ebp+fffffe70]
====>Compares: is the confirmation number 7055?

:004622f8 dfe0 fstsw ax
:004622fa f6c440 test ah, 40
:004622fd 7407 je 00462306
:004622ff b801000000 mov eax, 00000001
:00462304 eb02 jmp 00462308

* referenced by a (u)nconditional or (c)onditional jump at address:
|:004622fd(c)
|
:00462306 33c0 xor eax, eax

* referenced by a (u)nconditional or (c)onditional jump at address:
|:00462304(u)
|
:00462308 f7d8 neg eax
:0046230a 668bf0 mov si, ax
:0046230d 8d45c8 lea eax, dword ptr [ebp-38]
:00462310 50 push eax
:00462311 8d4dcc lea ecx, dword ptr [ebp-34]
:00462314 51 push ecx
:00462315 6a02 push 00000002

* reference to: msvbvm60.__vbafreestrlist, ord:0000h
|
:00462317 ff15e4124000 call dword ptr [004012e4]
:0046231d 8d952cffffff lea edx, dword ptr [ebp+ffffff2c]
:00462323 52 push edx
:00462324 8d853cffffff lea eax, dword ptr [ebp+ffffff3c]
:0046232a 50 push eax
:0046232b 8d8d4cffffff lea ecx, dword ptr [ebp+ffffff4c]
:00462331 51 push ecx
:00462332 8d955cffffff lea edx, dword ptr [ebp+ffffff5c]
:00462338 52 push edx
:00462339 8d856cffffff lea eax, dword ptr [ebp+ffffff6c]
:0046233f 50 push eax
:00462340 8d8d7cffffff lea ecx, dword ptr [ebp+ffffff7c]
:00462346 51 push ecx
:00462347 8d558c lea edx, dword ptr [ebp-74]
:0046234a 52 push edx
:0046234b 6a07 push 00000007

* reference to: msvbvm60.__vbafreevarlist, ord:0000h
|
:0046234d ff1544104000 call dword ptr [00401044]
:00462353 83c42c add esp, 0000002c
:00462356 6685f6 test si, si
:00462359 0f8409020000 je 00462568
:0046235f 8b8578feffff mov eax, dword ptr [ebp+fffffe78]
:00462365 8b08 mov ecx, dword ptr [eax]
:00462367 51 push ecx

* possible stringdata ref from code obj ->"rregnumber"
|
:00462368 6870684200 push 00426870

* possible stringdata ref from code obj ->"rregist"
|
:0046236d 685c684200 push 0042685c

* possible stringdata ref from code obj ->"eeasypad"
|
:00462372 68e8634200 push 004263e8

* reference to: msvbvm60.rtcsavesetting, ord:02b2h
|
:00462377 ff150c104000 call dword ptr [0040100c]
====>Saves the registration info!

:0046237d e9e6010000 jmp 00462568
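
The `fcomp` / `fstsw ax` / `test ah, 40` sequence at 004622f2-004622fd above, modelled as an added example (not code from the original write-up or from the program). It shows where the x87 condition bits land in AH, how the listing turns C3 into the VB Boolean kept in si, and that an unordered compare also sets C3; the function names are hypothetical, and 7055 is the value from the listing.

```python
import math

# x87 status-word condition bits as they appear in AX after `fstsw ax`.
# In AH they are C0 = 0x01, C2 = 0x04, C3 = 0x40.
C0, C2, C3 = 0x0100, 0x0400, 0x4000


def fcom_status(st0: float, src: float) -> int:
    """Condition bits that FCOM/FCOMP sets when comparing ST(0) with src."""
    if math.isnan(st0) or math.isnan(src):
        return C3 | C2 | C0      # unordered: all three bits set
    if st0 > src:
        return 0                 # ST(0) > src: all clear
    if st0 < src:
        return C0                # ST(0) < src
    return C3                    # ST(0) == src


def _to_vb_bool(eax: int) -> int:
    """neg eax ; mov si, ax  ->  0xFFFF (VB True) or 0x0000 (VB False)."""
    return (-eax) & 0xFFFF


def vb_equal_flag(typed: float, expected: float) -> int:
    """Model of 004622f2..0046230a: fcomp, fstsw ax, test ah,40, je, neg."""
    ax = fcom_status(float(typed), float(expected))
    ah = (ax >> 8) & 0xFF
    # test ah, 40 / je 00462306: the jump (eax = 0) is taken when C3 is clear.
    eax = 1 if ah & 0x40 else 0
    return _to_vb_bool(eax)


def strict_equal_flag(typed: float, expected: float) -> int:
    """Same compare, but masking C3|C2|C0 (0x45) so unordered is not 'equal'."""
    ax = fcom_status(float(typed), float(expected))
    ah = (ax >> 8) & 0xFF
    eax = 1 if (ah & 0x45) == 0x40 else 0
    return _to_vb_bool(eax)


if __name__ == "__main__":
    # Constructed inputs; 7055 is the confirmation number shown in the listing.
    for typed in (7055.0, 7054.0, float("nan")):
        print(typed, hex(vb_equal_flag(typed, 7055)),
              hex(strict_equal_flag(typed, 7055)))
```

Whether an unordered operand can actually reach this compare depends on what `__vbar8str` returns for the typed string, which the model does not cover.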


----------------------------------
Stepping into the key call: 0046217b call dword ptr [ecx+00000728]

... ... (omitted) ... ...

:004724a8 ffd3 call ebx
:004724aa 50 push eax

* possible stringdata ref from code obj ->"cc:\"
|
:004724ab 68a4974200 push 004297a4
:004724b0 8d45cc lea eax, dword ptr [ebp-34]
:004724b3 50 push eax
:004724b4 ffd3 call ebx
:004724b6 50 push eax
:004724b7 e8ec30fbff call 004255a8

* reference to: msvbvm60.__vbasetsystemerror, ord:0000h
|
:004724bc ff1598104000 call dword ptr [00401098]
:004724c2 8b4dc8 mov ecx, dword ptr [ebp-38]

* reference to: msvbvm60.__vbastrtounicode, ord:0000h
|
:004724c5 8b1d38124000 mov ebx, dword ptr [00401238]
:004724cb 51 push ecx
:004724cc 8d55c4 lea edx, dword ptr [ebp-3c]
:004724cf 52 push edx
:004724d0 ffd3 call ebx
:004724d2 50 push eax
:004724d3 8b45dc mov eax, dword ptr [ebp-24]
:004724d6 50 push eax
:004724d7 57 push edi

* reference to: msvbvm60.__vbalsetfixstr, ord:0000h
|
:004724d8 ff1594104000 call dword ptr [00401094]
:004724de 8b4dc0 mov ecx, dword ptr [ebp-40]
:004724e1 51 push ecx
:004724e2 8d55bc lea edx, dword ptr [ebp-44]
:004724e5 52 push edx
:004724e6 ffd3 call ebx
:004724e8 50 push eax
:004724e9 8b45d8 mov eax, dword ptr [ebp-28]
:004724ec 50 push eax
:004724ed 57 push edi

* reference to: msvbvm60.__vbalsetfixstr, ord:0000h
|
:004724ee ff1594104000 call dword ptr [00401094]
:004724f4 8d4dbc lea ecx, dword ptr [ebp-44]
:004724f7 51 push ecx
:004724f8 8d55c0 lea edx, dword ptr [ebp-40]
:004724fb 52 push edx
:004724fc 8d45c4 lea eax, dword ptr [ebp-3c]
:004724ff 50 push eax
:00472500 8d4dc8 lea ecx, dword ptr [ebp-38]
:00472503 51 push ecx
:00472504 8d55cc lea edx, dword ptr [ebp-34]
:00472507 52 push edx
:00472508 6a05 push 00000005

* reference to: msvbvm60.__vbafreestrlist, ord:0000h
|
:0047250a ff15e4124000 call dword ptr [004012e4]
:00472510 8b5d0c mov ebx, dword ptr [ebp+0c]
:00472513 8b03 mov eax, dword ptr [ebx]
====>eax=fly-12345678-fly[ocn][fcg]-e (trial code)

:00472515 83c418 add esp, 00000018
:00472518 6a01 push 00000001
:0047251a 6aff push ffffffff
:0047251c 6a01 push 00000001
:0047251e 68d0654200 push 004265d0
:00472523 68cc754200 push 004275cc
:00472528 50 push eax

* reference to: msvbvm60.rtcreplace, ord:02c8h
|
:00472529 ff152c124000 call dword ptr [0040122c]
====>Removes the - characters from the trial code

:0047252f 8bd0 mov edx, eax
====>edx=fly12345678fly[ocn][fcg]e

:00472531 8d4dd4 lea ecx, dword ptr [ebp-2c]

* reference to: msvbvm60.__vbastrmove, ord:0000h
|
:00472534 ff1578134000 call dword ptr [00401378]
:0047253a 8b0b mov ecx, dword ptr [ebx]

* reference to: msvbvm60.__vbalenbstr, ord:0000h
|
:0047253c 8b1d34104000 mov ebx, dword ptr [00401034]
:00472542 51 push ecx
====>ecx=fly-12345678-fly[ocn][fcg]-e

:00472543 ffd3 call ebx
====>Gets the length of fly-12345678-fly[ocn][fcg]-e

:00472545 8bd0 mov edx, eax
====>edx=1c

:00472547 8b45d4 mov eax, dword ptr [ebp-2c]
:0047254a 50 push eax
====>eax=fly12345678fly[ocn][fcg]e

:0047254b 899528ffffff mov dword ptr [ebp+ffffff28], edx
====>[ebp+ffffff28]=edx=1c

:00472551 ffd3 call ebx
====>Gets the length of fly12345678fly[ocn][fcg]e = 19

:00472553 8b8d28ffffff mov ecx, dword ptr [ebp+ffffff28]
====>ecx=1c

:00472559 8b55d4 mov edx, dword ptr [ebp-2c]
:0047255c 33db xor ebx, ebx
:0047255e 3bc1 cmp eax, ecx
====>Are the two lengths the same? I.e. checks whether the trial code contains a -

:00472560 52 push edx
:00472561 0f9dc3 setnl bl
====>Sets bl! If there is a -, the lengths differ, so bl=0

* reference to: msvbvm60.__vbalenbstr, ord:0000h
|
:00472564 ff1534104000 call dword ptr [00401034]
====>Gets the length of fly12345678fly[ocn][fcg]e = 19

:0047256a 33c9 xor ecx, ecx
:0047256c 83f819 cmp eax, 00000019
====>After removing the -, is it 25 characters?

:0047256f 0f9cc1 setl cl
====>Sets cl! If it is 25 characters then cl=0

:00472572 0bd9 or ebx, ecx
:00472574 0f850c010000 jne 00472686
====>If both conditions above are met, this jump is not taken!
====>If this jump is taken, it's over right away! Patch point ①!

:0047257a 8b55d4 mov edx, dword ptr [ebp-2c]
====>edx=fly12345678fly[ocn][fcg]e

:0047257d a110804a00 mov eax, dword ptr [004a8010]
====>eax=211c1e09 (hard disk serial number of drive C)

:00472582 8d4da4 lea ecx, dword ptr [ebp-5c]
:00472585 89955cffffff mov dword ptr [ebp+ffffff5c], edx
:0047258b 2dcf337b00 sub eax, 007b33cf
====>eax=211c1e09 - 007b33cf=20a0ea3a

:00472590 51 push ecx
:00472591 8d5594 lea edx, dword ptr [ebp-6c]
:00472594 0f8020050000 jo 00472aba
:0047259a 52 push edx
:0047259b c78554ffffff08000000 mov dword ptr [ebp+ffffff54], 00000008
:004725a5 8945ac mov dword ptr [ebp-54], eax
:004725a8 c745a403000000 mov [ebp-5c], 00000003

* reference to: msvbvm60.rtchexvarfromvar, ord:023dh
|
:004725af ff15d8124000 call dword ptr [004012d8]
:004725b5 6a01 push 00000001
:004725b7 8d8554ffffff lea eax, dword ptr [ebp+ffffff54]
:004725bd 50 push eax
:004725be 8d4d94 lea ecx, dword ptr [ebp-6c]
:004725c1 51 push ecx
:004725c2 6a01 push 00000001
:004725c4 8d5584 lea edx, dword ptr [ebp-7c]
:004725c7 52 push edx
:004725c8 89bd4cffffff mov dword ptr [ebp+ffffff4c], edi
:004725ce c78544ffffff02800000 mov dword ptr [ebp+ffffff44], 00008002

* reference to: msvbvm60.__vbainstrvar, ord:0000h
|
:004725d8 ff1570124000 call dword ptr [00401270]
====>Comparison call! Step into it! A bit unusual ^o^ ^o^

:004725de 50 push eax
:004725df 8d8544ffffff lea eax, dword ptr [ebp+ffffff44]
:004725e5 50 push eax

* reference to: msvbvm60.__vbavartstgt, ord:0000h
|
:004725e6 ff1504104000 call dword ptr [00401004]
:004725ec 8d4d84 lea ecx, dword ptr [ebp-7c]
:004725ef 51 push ecx
:004725f0 8d5594 lea edx, dword ptr [ebp-6c]
:004725f3 668bd8 mov bx, ax
====>Patch point ②! ^o^ ^o^

:004725f6 52 push edx
:004725f7 8d45a4 lea eax, dword ptr [ebp-5c]
:004725fa 50 push eax
:004725fb 6a03 push 00000003

* reference to: msvbvm60.__vbafreevarlist, ord:0000h
|
:004725fd ff1544104000 call dword ptr [00401044]
:00472603 83c410 add esp, 00000010
:00472606 663bdf cmp bx, di
:00472609 0f84e3000000 je 004726f2
====>If this jump is taken, it's over!

:0047260f 8b0e mov ecx, dword ptr [esi]
:00472611 56 push esi
:00472612 c745d0ffffffff mov [ebp-30], ffffffff
:00472619 ff912c060000 call dword ptr [ecx+0000062c]
:0047261f 50 push eax
:00472620 8d55b8 lea edx, dword ptr [ebp-48]
:00472623 52 push edx

* reference to: msvbvm60.__vbaobjset, ord:0000h
|
:00472624 ff15f4104000 call dword ptr [004010f4]
:0047262a 8d4db4 lea ecx, dword ptr [ebp-4c]
:0047262d 51 push ecx
:0047262e 8bf0 mov esi, eax
:00472630 8b06 mov eax, dword ptr [esi]
:00472632 6a03 push 00000003
:00472634 56 push esi
:00472635 ff5040 call [eax+40]
:00472638 dbe2 fclex
:0047263a 3bc7 cmp eax, edi
:0047263c 7d0f jge 0047264d
:0047263e 6a40 push 00000040
:00472640 68bc654200 push 004265bc
:00472645 56 push esi
:00472646 50 push eax

----------------------------------
Stepping into the comparison call: 004725d8 call dword ptr [00401270]
Then stepping into: 7347a9cc call msvbvm60.__vbainstr

733a45a5 > 55 push ebp
733a45a6 8bec mov ebp,esp
733a45a8 81ec bc000000 sub esp,0bc
733a45ae 8365 ec 00 and dword ptr ss:[ebp-14],0
733a45b2 53 push ebx
733a45b3 56 push esi
733a45b4 8b75 0c mov esi,dword ptr ss:[ebp+c]
====>esi=20a0ea3a

733a45b7 57 push edi
733a45b8 8b7d 10 mov edi,dword ptr ss:[ebp+10]
====>edi=fly12345678fly[ocn][fcg]e

733a45bb 8d85 44ffffff lea eax,dword ptr ss:[ebp-bc]
733a45c1 897d f8 mov dword ptr ss:[ebp-8],edi
733a45c4 85ff test edi,edi
733a45c6 8945 f4 mov dword ptr ss:[ebp-c],eax
733a45c9 8975 fc mov dword ptr ss:[ebp-4],esi
733a45cc 0f84 09350300 je msvbvm60.733d7adb
733a45d2 8b47 fc mov eax,dword ptr ds:[edi-4]
733a45d5 d1e8 shr eax,1
====>Gets the length of fly12345678fly[ocn][fcg]e

733a45d7 8945 e4 mov dword ptr ss:[ebp-1c],eax
====>eax=19

733a45da 0f84 fb340300 je msvbvm60.733d7adb
733a45e0 85f6 test esi,esi
733a45e2 0f84 eb340300 je msvbvm60.733d7ad3
733a45e8 8b46 fc mov eax,dword ptr ds:[esi-4]
733a45eb d1e8 shr eax,1
====>Gets the length of 20a0ea3a

733a45ed 8945 e4 mov dword ptr ss:[ebp-1c],eax
====>eax=8

733a45f0 0f84 dd340300 je msvbvm60.733d7ad3
733a45f6 8b45 14 mov eax,dword ptr ss:[ebp+14]
733a45f9 8d58 ff lea ebx,dword ptr ds:[eax-1]
733a45fc 85db test ebx,ebx
733a45fe 0f8c 33330300 jl msvbvm60.733d7937
733a4604 81fb ffffff3f cmp ebx,3fffffff
733a460a 0f87 27330300 ja msvbvm60.733d7937
733a4610 8b45 08 mov eax,dword ptr ss:[ebp+8]
733a4613 895d e8 mov dword ptr ss:[ebp-18],ebx
733a4616 85c0 test eax,eax
733a4618 0f85 20330300 jnz msvbvm60.733d793e
====>Jumps down to convert uppercase letters to lowercase!

733a461e 8b45 f8 mov eax,dword ptr ss:[ebp-8]
====>Execution jumps back here once the conversion is done!

733a4621 85c0 test eax,eax
====>eax=fly12345678fly[ocn][fcg]e

733a4623 0f84 06340300 je msvbvm60.733d7a2f
733a4629 8b48 fc mov ecx,dword ptr ds:[eax-4]
733a462c d1e9 shr ecx,1
733a462e 85f6 test esi,esi
733a4630 0f84 00340300 je msvbvm60.733d7a36
733a4636 8b56 fc mov edx,dword ptr ds:[esi-4]
733a4639 d1ea shr edx,1
733a463b 8b7d e8 mov edi,dword ptr ss:[ebp-18]
733a463e 3bf9 cmp edi,ecx
733a4640 73 74 jnb short msvbvm60.733a46b6
733a4642 85d2 test edx,edx
733a4644 0f84 f3330300 je msvbvm60.733d7a3d
733a464a 3bd1 cmp edx,ecx
733a464c 0f87 f6330300 ja msvbvm60.733d7a48
733a4652 8d0478 lea eax,dword ptr ds:[eax+edi*2]
733a4655 8b7d f8 mov edi,dword ptr ss:[ebp-8]
733a4658 2bca sub ecx,edx
733a465a 8d5c4f 02 lea ebx,dword ptr ds:[edi+ecx*2+2]
733a465e 0fb70e movzx ecx,word ptr ds:[esi]
733a4661 894d 14 mov dword ptr ss:[ebp+14],ecx
733a4664 8d4c12 fe lea ecx,dword ptr ds:[edx+edx-2]
733a4668 3bc3 cmp eax,ebx
733a466a 894d e4 mov dword ptr ss:[ebp-1c],ecx
733a466d 73 47 jnb short msvbvm60.733a46b6
733a466f 8bcb mov ecx,ebx
733a4671 2bc8 sub ecx,eax
733a4673 d1f9 sar ecx,1
733a4675 51 push ecx
733a4676 ff75 14 push dword ptr ss:[ebp+14]
733a4679 50 push eax
733a467a e8 46000000 call msvbvm60.733a46c5
====>Loops over the trial code, checking whether the "1st" character is 2

733a467f 85c0 test eax,eax
733a4681 74 33 je short msvbvm60.733a46b6
733a4683 8b4d e4 mov ecx,dword ptr ss:[ebp-1c]
733a4686 40 inc eax
733a4687 40 inc eax
733a4688 8d7e 02 lea edi,dword ptr ds:[esi+2]
733a468b 8bf0 mov esi,eax
733a468d 33d2 xor edx,edx
733a468f f3:a6 repe cmps byte ptr es:[edi],byte ptr ds:[esi]
====>Then compares the remaining 7 characters against 0a0ea3a in order

733a4691 75 1a jnz short msvbvm60.733a46ad
733a4693 8bc8 mov ecx,eax
733a4695 2b4d f8 sub ecx,dword ptr ss:[ebp-8]
733a4698 d1f9 sar ecx,1
733a469a 837d 08 00 cmp dword ptr ss:[ebp+8],0
733a469e 0f85 ad330300 jnz msvbvm60.733d7a51
733a46a4 8bc1 mov eax,ecx
733a46a6 5f pop edi
733a46a7 5e pop esi
733a46a8 5b pop ebx
733a46a9 c9 leave
733a46aa c2 1000 retn 10

733a46ad 3bc3 cmp eax,ebx
733a46af 73 05 jnb short msvbvm60.733a46b6
733a46b1 8b75 fc mov esi,dword ptr ss:[ebp-4]
733a46b4 ^ eb b9 jmp short msvbvm60.733a466f
====>Loop comparison!
====>In effect it loops to check whether the trial code contains the 8 characters 20a0ea3a

------------------
Jumped here from 733a4618:

733d793e 83f8 01 cmp eax,1
733d7941 75 3d jnz short msvbvm60.733d7980
733d7943 e8 818dfcff call msvbvm60.733a06c9
733d7948 8945 08 mov dword ptr ss:[ebp+8],eax
733d794b 8b45 08 mov eax,dword ptr ss:[ebp+8]
733d794e 3b05 2c1e4a73 cmp eax,dword ptr ds:[734a1e2c]
733d7954 74 06 je short msvbvm60.733d795c
733d7956 50 push eax
733d7957 e8 d83b0a00 call msvbvm60.7347b534
733d795c 8b45 f4 mov eax,dword ptr ss:[ebp-c]
733d795f 33f6 xor esi,esi
733d7961 56 push esi
733d7962 56 push esi
733d7963 56 push esi
733d7964 c700 feffffff mov dword ptr ds:[eax],-2
733d796a ff75 0c push dword ptr ss:[ebp+c]
733d796d e8 ca3d0a00 call msvbvm60.7347b73c
====>Converts the uppercase letters in 20a0ea3a to lowercase!

733d7972 3bc6 cmp eax,esi
====>eax=20a0ea3a

733d7974 8945 fc mov dword ptr ss:[ebp-4],eax
733d7977 75 1d jnz short msvbvm60.733d7996
733d7979 6a 07 push 7
733d797b e8 d9d9fdff call msvbvm60.733b5359
733d7980 83f8 02 cmp eax,2
733d7983 74 0a je short msvbvm60.733d798f
733d7985 50 push eax
733d7986 e8 69830900 call msvbvm60.7346fcf4
733d798b 85c0 test eax,eax
733d798d ^ 75 bc jnz short msvbvm60.733d794b
733d798f 6a 05 push 5
733d7991 e8 c3d9fdff call msvbvm60.733b5359
733d7996 56 push esi
733d7997 8d45 f4 lea eax,dword ptr ss:[ebp-c]
733d799a 56 push esi
733d799b 50 push eax
733d799c 57 push edi
====>edi=fly12345678fly[ocn][fcg]e

733d799d e8 9a3d0a00 call msvbvm60.7347b73c
====>Converts the uppercase letters in fly12345678fly[ocn][fcg]e to lowercase!

733d79a2 8bf0 mov esi,eax
====>esi=fly12345678fly[ocn][fcg]e

... ... (omitted) ... ...

733d7a1f e9 facbfcff jmp msvbvm60.733a461e
====>Jumps back up once the conversion is done!

----------------------------------
Generation of the registration source code:


:00461e75 ff15e4124000 call dword ptr [004012e4]
:00461e7b 83c418 add esp, 00000018
:00461e7e 8b0d10804a00 mov ecx, dword ptr [004a8010]
====>ecx=211c1e09 (hard disk serial number of drive C)

:00461e84 81e957300e00 sub ecx, 000e3057
====>ecx=211c1e09 - 000e3057=210dedb2

:00461e8a 0f80c1070000 jo 00462651
:00461e90 51 push ecx

* reference to: msvbvm60.__vbastri4, ord:0000h
|
:00461e91 ff1520104000 call dword ptr [00401020]
====>Gets the decimal value of 210dedb2

:00461e97 8bd0 mov edx, eax
====>edx=554560946

:00461e99 8d4dc4 lea ecx, dword ptr [ebp-3c]
:00461e9c ffd6 call esi
:00461e9e 50 push eax

* reference to: msvbvm60.rtcstrreverse, ord:02c9h
|
:00461e9f ff153c124000 call dword ptr [0040123c]
====>Reverses the string 554560946

:00461ea5 8bd0 mov edx, eax
====>edx=649065455

... ... (omitted) ... ...

:00461fcc 8b4344 mov eax, dword ptr [ebx+44]
====>eax=fly (computer user name)

:00461fcf 50 push eax
:00461fd0 683c994200 push 0042993c
====>0042993c=n This should be a fixed value preset by the author

* reference to: msvbvm60.__vbastrcat, ord:0000h
|
:00461fd5 8b3d80104000 mov edi, dword ptr [00401080]
:00461fdb ffd7 call edi
====>Concatenates fly and n

:00461fdd 8bd0 mov edx, eax
====>edx=flyn

:00461fdf 8d4dc0 lea ecx, dword ptr [ebp-40]
:00461fe2 ffd6 call esi
:00461fe4 50 push eax
:00461fe5 8b957cfeffff mov edx, dword ptr [ebp+fffffe7c]
====>edx=649065455

:00461feb 8d4dbc lea ecx, dword ptr [ebp-44]
:00461fee ffd6 call esi
:00461ff0 50 push eax
:00461ff1 ffd7 call edi
====>Concatenates flyn and 649065455

:00461ff3 8bd0 mov edx, eax
====>edx=flyn649065455 This is the registration source code the program displays!

----------------------------------
[Algorithm summary]:

1. The registration code must contain -
2. After removing the -, 25 digits or letters are still required
3. Take drive C's serial number: 211c1e09 - 007b33cf=20a0ea3a
4. Of the 25 characters, 8 must be 20a0ea3a; the rest are arbitrary

I am not sure whether the program has other hidden checks; if anyone finds any, please point them out!

----------------------------------
[Perfect patch]:

1. 00472574 0f850c010000 jne 00472686
Change to: 909090909090 (nop it out!)

2. 004725f3 668bd8 mov bx, ax
Change to: b301 mov bl, 01
----------------------------------
[Where the registration info is saved]:
regedit4

[hkey_current_user\software\vb and vba program settings\easypad\regist]
"regnumber"="fly-20a0ea3a-fly[ocn][fcg]-e"
----------------------------------
[Summary]:

Serial number: flyn649065455613
Registration code: fly-20a0ea3a-fly[ocn][fcg]-e
----------------------------------