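【Title】Newbie maomaoma's algorithm practice write-up No. 5
【Author】maomaoma
【Author e-mail】
【Author homepage】None
【Tools】OD, PEiD
【Platform】WinXP
【Software name】**休闲五子棋 (Casual Gomoku)
【Software size】926K
【Original download】
【Protection】None
【Software description】Gomoku (five-in-a-row) game
【Statement】I'm a newbie learning to write crack write-ups; advice from the experts is very welcome :)
【Keywords】VB, VBExplorer, floating-point arithmetic, hardware write breakpoint (I find keywords make it easier for everyone to organize and look things up)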
------------------------------------------------------------------------
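【Cracking process】
1. A PEiD scan shows the program was compiled with Microsoft Visual Basic 5.0 / 6.0.
2. Decompiling with VBExplorer gives the start address of the registration routine: 00464FD0.
3. Load the program in OD, press Ctrl+G and go to 00464FD0, set a breakpoint with F2 and run with F9; OD breaks.
(1) Comparing the real code with the entered (fake) code
00464FD0 55 push ebp ; OD breaks here
00464FD1 8BEC mov ebp, esp
00464FD3 83EC 0C sub esp, 0C
00464FD6 68 16164000 push 00401616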
00464FDB 64:A1 00000000 mov eax, fs:[0]
00464FE1 50 push eax
00464FE2 64:8925 0000000>mov fs:[0], esp
00464FE9 81EC 1C010000 sub esp, 11C
00464FEF 53 push ebx
00464FF0 56 push esi
00464FF1 57 push edi
00464FF2 8965 F4 mov [ebp-C], esp
00464FF5 C745 F8 0016400>mov dword ptr [ebp-8], 00401600
00464FFC 8B75 08 mov esi, [ebp+8]
00464FFF 8BC6 mov eax, esi
00465001 83E0 01 and eax, 1
00465004 8945 FC mov [ebp-4], eax
00465007 83E6 FE and esi, FFFFFFFE
0046500A 56 push esi
0046500B 8975 08 mov [ebp+8], esi
0046500E 8B0E mov ecx, [esi]
00465010 FF51 04 call [ecx+4]
00465013 8B15 5C704600 mov edx, [46705C]
00465019 8B0D 58704600 mov ecx, [467058] ; real registration code loaded into ECX
0046501F 33C0 xor eax, eax
00465021 3BD1 cmp edx, ecx
00465023 8945 E8 mov [ebp-18], eax
00465026 8945 E4 mov [ebp-1C], eax
00465029 8945 E0 mov [ebp-20], eax
0046502C 8945 DC mov [ebp-24], eax
0046502F 8945 CC mov [ebp-34], eax
00465032 8945 BC mov [ebp-44], eax
00465035 8945 AC mov [ebp-54], eax
00465038 8945 9C mov [ebp-64], eax
0046503B 8945 8C mov [ebp-74], eax
0046503E 8985 7CFFFFFF mov [ebp-84], eax
00465044 8985 6CFFFFFF mov [ebp-94], eax
0046504A 8985 5CFFFFFF mov [ebp-A4], eax
00465050 8985 4CFFFFFF mov [ebp-B4], eax
00465056 8985 3CFFFFFF mov [ebp-C4], eax
0046505C 8985 2CFFFFFF mov [ebp-D4], eax
00465062 0F84 C8090000 je 00465A30
00465068 8B06 mov eax, [esi]
0046506A 56 push esi
0046506B FF90 00030000 call [eax+300]
00465071 8B1D 7C104000 mov ebx, [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00465077 8D4D E0 lea ecx, [ebp-20]
0046507A 50 push eax
0046507B 51 push ecx
0046507C FFD3 call ebx
0046507E 8BF8 mov edi, eax
00465080 8D45 E8 lea eax, [ebp-18]
00465083 50 push eax
00465084 57 push edi
00465085 8B17 mov edx, [edi]
00465087 FF92 A0000000 call [edx+A0] ; fetch the entered code
0046508D 85C0 test eax, eax
0046508F DBE2 fclex
00465091 7D 12 jge short 004650A5
00465093 68 A0000000 push 0A0
00465098 68 2C134500 push 0045132C
0046509D 57 push edi
0046509E 50 push eax
0046509F FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004650A5 8B4D E8 mov ecx, [ebp-18]
004650A8 51 push ecx
004650A9 68 04064500 push 00450604
004650AE FF15 BC104000 call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
004650B4 8BF8 mov edi, eax
004650B6 8D4D E8 lea ecx, [ebp-18]
004650B9 F7DF neg edi
004650BB 1BFF sbb edi, edi
004650BD F7DF neg edi
004650BF F7DF neg edi
004650C1 FF15 BC114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004650C7 8D4D E0 lea ecx, [ebp-20]
004650CA FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004650D0 66:85FF test di, di
004650D3 0F84 22080000 je 004658FB
004650D9 8B16 mov edx, [esi]
004650DB 56 push esi
004650DC FF92 00030000 call [edx+300]
004650E2 50 push eax
004650E3 8D45 E0 lea eax, [ebp-20]
004650E6 50 push eax
004650E7 FFD3 call ebx
004650E9 8BF8 mov edi, eax
004650EB 8D55 E8 lea edx, [ebp-18]
004650EE 52 push edx
004650EF 57 push edi
004650F0 8B0F mov ecx, [edi]
004650F2 FF91 A0000000 call [ecx+A0] ; fetch the entered code
004650F8 85C0 test eax, eax
004650FA DBE2 fclex
004650FC 7D 12 jge short 00465110
004650FE 68 A0000000 push 0A0
00465103 68 2C134500 push 0045132C
00465108 57 push edi
00465109 50 push eax
0046510A FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00465110 8B45 E8 mov eax, [ebp-18]
00465113 C745 E8 0000000>mov dword ptr [ebp-18], 0
0046511A 8945 D4 mov [ebp-2C], eax
0046511D 8D45 CC lea eax, [ebp-34]
00465120 50 push eax
00465121 C745 CC 0800000>mov dword ptr [ebp-34], 8
00465128 FF15 C4104000 call [<&MSVBVM60.#561>] ; MSVBVM60.rtcIsNumeric
0046512E 66:8BF8 mov di, ax
00465131 8D4D E0 lea ecx, [ebp-20]
00465134 F7D7 not edi
00465136 FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0046513C 8D4D CC lea ecx, [ebp-34]
0046513F FF15 24104000 call [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00465145 66:85FF test di, di
00465148 0F84 9D010000 je 004652EB
0046514E BF 0A000000 mov edi, 0A
00465153 B8 04000280 mov eax, 80020004
00465158 897D 9C mov [ebp-64], edi
0046515B 897D AC mov [ebp-54], edi
0046515E 8B3D 80114000 mov edi, [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00465164 8D95 3CFFFFFF lea edx, [ebp-C4]
0046516A 8D4D BC lea ecx, [ebp-44]
0046516D 8945 A4 mov [ebp-5C], eax
00465170 8945 B4 mov [ebp-4C], eax
00465173 C785 44FFFFFF 3>mov dword ptr [ebp-BC], 0045093C
0046517D C785 3CFFFFFF 0>mov dword ptr [ebp-C4], 8
00465187 FFD7 call edi
00465189 8D95 4CFFFFFF lea edx, [ebp-B4]
0046518F 8D4D CC lea ecx, [ebp-34]
00465192 C785 54FFFFFF 4>mov dword ptr [ebp-AC], 00451340
0046519C C785 4CFFFFFF 0>mov dword ptr [ebp-B4], 8
004651A6 FFD7 call edi
004651A8 8D4D 9C lea ecx, [ebp-64]
004651AB 8D55 AC lea edx, [ebp-54]
004651AE 51 push ecx
004651AF 8D45 BC lea eax, [ebp-44]
004651B2 52 push edx
004651B3 50 push eax
004651B4 8D4D CC lea ecx, [ebp-34]
004651B7 6A 30 push 30
004651B9 51 push ecx
004651BA FF15 80104000 call [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
004651C0 8D55 9C lea edx, [ebp-64]
004651C3 8D45 AC lea eax, [ebp-54]
004651C6 52 push edx
004651C7 8D4D BC lea ecx, [ebp-44]
004651CA 50 push eax
004651CB 8D55 CC lea edx, [ebp-34]
004651CE 51 push ecx
004651CF 52 push edx
004651D0 6A 04 push 4
004651D2 FF15 38104000 call [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
004651D8 8B06 mov eax, [esi]
004651DA 83C4 14 add esp, 14
004651DD 56 push esi
004651DE FF90 00030000 call [eax+300]
004651E4 8D4D E0 lea ecx, [ebp-20]
004651E7 50 push eax
004651E8 51 push ecx
004651E9 FFD3 call ebx
004651EB 8BF8 mov edi, eax
004651ED 57 push edi
004651EE 8B17 mov edx, [edi]
004651F0 FF92 04020000 call [edx+204]
004651F6 85C0 test eax, eax
004651F8 DBE2 fclex
004651FA 7D 12 jge short 0046520E
004651FC 68 04020000 push 204
00465201 68 2C134500 push 0045132C
00465206 57 push edi
00465207 50 push eax
00465208 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
0046520E 8D4D E0 lea ecx, [ebp-20]
00465211 FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00465217 8B06 mov eax, [esi]
00465219 56 push esi
0046521A FF90 00030000 call [eax+300]
00465220 8D4D E0 lea ecx, [ebp-20]
00465223 50 push eax
00465224 51 push ecx
00465225 FFD3 call ebx
00465227 8BF8 mov edi, eax
00465229 6A 00 push 0
0046522B 57 push edi
0046522C 8B17 mov edx, [edi]
0046522E FF92 14010000 call [edx+114]
00465234 85C0 test eax, eax
00465236 DBE2 fclex
00465238 7D 12 jge short 0046524C
0046523A 68 14010000 push 114
0046523F 68 2C134500 push 0045132C
00465244 57 push edi
00465245 50 push eax
00465246 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
0046524C 8D4D E0 lea ecx, [ebp-20]
0046524F FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00465255 8B06 mov eax, [esi]
00465257 56 push esi
00465258 FF90 00030000 call [eax+300]
0046525E 8D4D DC lea ecx, [ebp-24]
00465261 50 push eax
00465262 51 push ecx
00465263 FFD3 call ebx
00465265 8B16 mov edx, [esi]
00465267 56 push esi
00465268 8BF8 mov edi, eax
0046526A FF92 00030000 call [edx+300]
00465270 50 push eax
00465271 8D45 E0 lea eax, [ebp-20]
00465274 50 push eax
00465275 FFD3 call ebx
00465277 8BF0 mov esi, eax
00465279 8D55 E8 lea edx, [ebp-18]
0046527C 52 push edx
0046527D 56 push esi
0046527E 8B0E mov ecx, [esi]
00465280 FF91 A0000000 call [ecx+A0]
00465286 85C0 test eax, eax
00465288 DBE2 fclex
0046528A 7D 12 jge short 0046529E
0046528C 68 A0000000 push 0A0
00465291 68 2C134500 push 0045132C
00465296 56 push esi
00465297 50 push eax
00465298 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
0046529E 8B45 E8 mov eax, [ebp-18]
004652A1 8B37 mov esi, [edi]
004652A3 50 push eax
004652A4 FF15 28104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
004652AA 50 push eax
004652AB 57 push edi
004652AC FF96 1C010000 call [esi+11C]
004652B2 85C0 test eax, eax
004652B4 DBE2 fclex
004652B6 7D 12 jge short 004652CA
004652B8 68 1C010000 push 11C
004652BD 68 2C134500 push 0045132C
004652C2 57 push edi
004652C3 50 push eax
004652C4 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004652CA 8D4D E8 lea ecx, [ebp-18]
004652CD FF15 BC114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004652D3 8D4D DC lea ecx, [ebp-24]
004652D6 8D55 E0 lea edx, [ebp-20]
004652D9 51 push ecx
004652DA 52 push edx
004652DB 6A 02 push 2
004652DD FF15 4C104000 call [<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
004652E3 83C4 0C add esp, 0C
004652E6 E9 43070000 jmp 00465A2E
004652EB 8B06 mov eax, [esi]
004652ED 56 push esi
004652EE FF90 00030000 call [eax+300]
004652F4 8D4D E0 lea ecx, [ebp-20]
004652F7 50 push eax
004652F8 51 push ecx
004652F9 FFD3 call ebx
004652FB 8BF8 mov edi, eax
004652FD 8D45 E8 lea eax, [ebp-18]
00465300 50 push eax
00465301 57 push edi
00465302 8B17 mov edx, [edi]
00465304 FF92 A0000000 call [edx+A0] ; fetch the entered code
0046530A 85C0 test eax, eax
0046530C DBE2 fclex
0046530E 7D 12 jge short 00465322
00465310 68 A0000000 push 0A0
00465315 68 2C134500 push 0045132C
0046531A 57 push edi
0046531B 50 push eax
0046531C FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00465322 8B4D E8 mov ecx, [ebp-18]
00465325 51 push ecx
00465326 FF15 40114000 call [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
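0046532C DB05 58704600 fild dword ptr [467058] ; real code loaded into st0
00465332 DD9D E0FEFFFF fstp qword ptr [ebp-120] ; real code stored as a double at [ebp-120] and popped (shown in st7 afterwards)
00465338 DC9D E0FEFFFF fcomp qword ptr [ebp-120] ; compare the entered code with the real code
0046533E DFE0 fstsw ax ; store the FPU status word in AX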
00465340 F6C4 40 test ah, 40
00465343 74 07 je short 0046534C
00465345 BF 01000000 mov edi, 1
0046534A EB 02 jmp short 0046534E
0046534C 33FF xor edi, edi
0046534E 8D4D E8 lea ecx, [ebp-18]
00465351 FF15 BC114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00465357 8D4D E0 lea ecx, [ebp-20]
0046535A FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00465360 F7DF neg edi
00465362 66:85FF test di, di
00465365 0F84 71030000 je 004656DC
0046536B A1 68744600 mov eax, [467468]
00465370 85C0 test eax, eax
00465372 75 10 jnz short 00465384
00465374 68 68744600 push 00467468 ; ASCII ",沐"
00465379 68 F4084500 push 004508F4
0046537E FF15 44114000 call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00465384 8B3D 68744600 mov edi, [467468]
0046538A 8D45 E0 lea eax, [ebp-20]
0046538D 50 push eax
0046538E 57 push edi
0046538F 8B17 mov edx, [edi]
00465391 FF52 14 call [edx+14]
00465394 85C0 test eax, eax
00465396 DBE2 fclex
00465398 7D 0F jge short 004653A9
0046539A 6A 14 push 14
0046539C 68 90054500 push 00450590
004653A1 57 push edi
004653A2 50 push eax
004653A3 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004653A9 8B45 E0 mov eax, [ebp-20]
004653AC 8D55 E8 lea edx, [ebp-18]
004653AF 52 push edx
004653B0 50 push eax
004653B1 8B08 mov ecx, [eax]
004653B3 8BF8 mov edi, eax
004653B5 FF51 58 call [ecx+58]
004653B8 85C0 test eax, eax
004653BA DBE2 fclex
004653BC 7D 0F jge short 004653CD
004653BE 6A 58 push 58
004653C0 68 04094500 push 00450904
004653C5 57 push edi
004653C6 50 push eax
004653C7 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004653CD 8B06 mov eax, [esi]
004653CF 56 push esi
004653D0 FF90 00030000 call [eax+300]
004653D6 8D4D DC lea ecx, [ebp-24]
004653D9 50 push eax
004653DA 51 push ecx
004653DB FFD3 call ebx
004653DD 8BF8 mov edi, eax
004653DF 8D45 E4 lea eax, [ebp-1C]
004653E2 50 push eax
004653E3 57 push edi
004653E4 8B17 mov edx, [edi]
004653E6 FF92 A0000000 call [edx+A0]
004653EC 85C0 test eax, eax
004653EE DBE2 fclex
004653F0 7D 12 jge short 00465404
004653F2 68 A0000000 push 0A0
004653F7 68 2C134500 push 0045132C
004653FC 57 push edi
004653FD 50 push eax
004653FE FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00465404 8B4D E4 mov ecx, [ebp-1C]
00465407 8B55 E8 mov edx, [ebp-18]
0046540A 51 push ecx
0046540B 68 5C0A4500 push 00450A5C ; hawk wzq ma
00465410 68 500A4500 push 00450A50 ; zc
00465415 52 push edx
00465416 FF15 08104000 call [<&MSVBVM60.#690>] ; MSVBVM60.rtcSaveSetting
0046541C 8D45 E4 lea eax, [ebp-1C]
0046541F 8D4D E8 lea ecx, [ebp-18]
00465422 50 push eax
00465423 51 push ecx
00465424 6A 02 push 2
00465426 FF15 5C114000 call [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
0046542C 8D55 DC lea edx, [ebp-24]
0046542F 8D45 E0 lea eax, [ebp-20]
00465432 52 push edx
00465433 50 push eax
00465434 6A 02 push 2
00465436 FF15 4C104000 call [<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
0046543C 83C4 18 add esp, 18
0046543F BF 0A000000 mov edi, 0A
00465444 8D4D CC lea ecx, [ebp-34]
00465447 57 push edi
00465448 51 push ecx
00465449 FF15 18114000 call [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
0046544F 8D55 AC lea edx, [ebp-54]
00465452 57 push edi
00465453 52 push edx
00465454 FF15 18114000 call [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
0046545A 89BD 5CFFFFFF mov [ebp-A4], edi
00465460 89BD 6CFFFFFF mov [ebp-94], edi
00465466 B8 04000280 mov eax, 80020004
0046546B BF 08000000 mov edi, 8
00465470 8D95 2CFFFFFF lea edx, [ebp-D4]
00465476 8D8D 7CFFFFFF lea ecx, [ebp-84]
0046547C 8985 64FFFFFF mov [ebp-9C], eax
00465482 8985 74FFFFFF mov [ebp-8C], eax
00465488 C785 34FFFFFF C>mov dword ptr [ebp-CC], 004505C8 ; ASCII "衏:y"
00465492 89BD 2CFFFFFF mov [ebp-D4], edi
00465498 FF15 80114000 call [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0046549E 8D85 5CFFFFFF lea eax, [ebp-A4]
004654A4 8D8D 6CFFFFFF lea ecx, [ebp-94]
004654AA 50 push eax
004654AB 8D95 7CFFFFFF lea edx, [ebp-84]
004654B1 51 push ecx
004654B2 52 push edx
004654B3 8D85 4CFFFFFF lea eax, [ebp-B4]
004654B9 6A 40 push 40
004654BB 8D4D CC lea ecx, [ebp-34]
004654BE 50 push eax
004654BF 8D55 BC lea edx, [ebp-44]
004654C2 89BD 4CFFFFFF mov [ebp-B4], edi
004654C8 89BD 3CFFFFFF mov [ebp-C4], edi
004654CE 8B3D 7C114000 mov edi, [<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004654D4 51 push ecx
004654D5 52 push edx
004654D6 C785 54FFFFFF 6>mov dword ptr [ebp-AC], 00451368
004654E0 C785 44FFFFFF 7>mov dword ptr [ebp-BC], 00451378
004654EA FFD7 call edi
004654EC 50 push eax
004654ED 8D45 AC lea eax, [ebp-54]
004654F0 8D4D 9C lea ecx, [ebp-64]
004654F3 50 push eax
004654F4 51 push ecx
004654F5 FFD7 call edi
004654F7 50 push eax
004654F8 8D95 3CFFFFFF lea edx, [ebp-C4]
004654FE 8D45 8C lea eax, [ebp-74]
00465501 52 push edx
00465502 50 push eax
00465503 FFD7 call edi
00465505 50 push eax
00465506 FF15 80104000 call [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0046550C 8D8D 5CFFFFFF lea ecx, [ebp-A4]
00465512 8D95 6CFFFFFF lea edx, [ebp-94]
00465518 51 push ecx
00465519 8D85 7CFFFFFF lea eax, [ebp-84]
0046551F 52 push edx
00465520 8D4D 8C lea ecx, [ebp-74]
00465523 50 push eax
00465524 51 push ecx
00465525 8D55 9C lea edx, [ebp-64]
00465528 8D45 AC lea eax, [ebp-54]
0046552B 52 push edx
0046552C 8D4D BC lea ecx, [ebp-44]
0046552F 50 push eax
00465530 8D55 CC lea edx, [ebp-34]
00465533 51 push ecx
00465534 52 push edx
00465535 6A 08 push 8
00465537 FF15 38104000 call [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
0046553D A1 10704600 mov eax, [467010]
00465542 83C4 24 add esp, 24
00465545 85C0 test eax, eax
00465547 75 10 jnz short 00465559
00465549 68 10704600 push 00467010
0046554E 68 F4F04400 push 0044F0F4
00465553 FF15 44114000 call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00465559 A1 10704600 mov eax, [467010]
0046555E 8985 F8FEFFFF mov [ebp-108], eax
00465564 A1 68744600 mov eax, [467468]
00465569 85C0 test eax, eax
0046556B 75 10 jnz short 0046557D
0046556D 68 68744600 push 00467468 ; ASCII ",沐"
00465572 68 F4084500 push 004508F4
00465577 FF15 44114000 call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
0046557D 8B3D 68744600 mov edi, [467468]
00465583 8D55 E0 lea edx, [ebp-20]
00465586 52 push edx
00465587 57 push edi
00465588 8B0F mov ecx, [edi]
0046558A FF51 14 call [ecx+14]
0046558D 85C0 test eax, eax
0046558F DBE2 fclex
00465591 7D 0F jge short 004655A2
00465593 6A 14 push 14
00465595 68 90054500 push 00450590
0046559A 57 push edi
0046559B 50 push eax
0046559C FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004655A2 8B45 E0 mov eax, [ebp-20]
004655A5 8D55 E8 lea edx, [ebp-18]
004655A8 52 push edx
004655A9 50 push eax
004655AA 8B08 mov ecx, [eax]
004655AC 8BF8 mov edi, eax
004655AE FF51 60 call [ecx+60]
004655B1 85C0 test eax, eax
004655B3 DBE2 fclex
004655B5 7D 0F jge short 004655C6
004655B7 6A 60 push 60
004655B9 68 04094500 push 00450904
004655BE 57 push edi
004655BF 50 push eax
004655C0 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004655C6 8B4D E8 mov ecx, [ebp-18]
004655C9 8B85 F8FEFFFF mov eax, [ebp-108]
004655CF 51 push ecx
004655D0 68 800A4500 push 00450A80 ; UNICODE "========>"
004655D5 8B38 mov edi, [eax]
004655D7 FF15 58104000 call [<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
004655DD 8BD0 mov edx, eax
004655DF 8D4D E4 lea ecx, [ebp-1C]
004655E2 FF15 94114000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004655E8 8BD7 mov edx, edi
004655EA 8BBD F8FEFFFF mov edi, [ebp-108]
004655F0 50 push eax
004655F1 57 push edi
004655F2 FF52 54 call [edx+54]
004655F5 85C0 test eax, eax
004655F7 DBE2 fclex
004655F9 7D 0F jge short 0046560A
004655FB 6A 54 push 54
004655FD 68 64014500 push 00450164
00465602 57 push edi
00465603 50 push eax
00465604 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
0046560A 8D45 E4 lea eax, [ebp-1C]
0046560D 8D4D E8 lea ecx, [ebp-18]
00465610 50 push eax
00465611 51 push ecx
00465612 6A 02 push 2
00465614 FF15 5C114000 call [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
0046561A 83C4 0C add esp, 0C
0046561D 8D4D E0 lea ecx, [ebp-20]
00465620 FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00465626 8B16 mov edx, [esi]
00465628 56 push esi
00465629 FF92 00030000 call [edx+300]
0046562F 50 push eax
00465630 8D45 E0 lea eax, [ebp-20]
00465633 50 push eax
00465634 FFD3 call ebx
00465636 8BF8 mov edi, eax
00465638 8D55 E8 lea edx, [ebp-18]
0046563B 52 push edx
0046563C 57 push edi
0046563D 8B0F mov ecx, [edi]
0046563F FF91 A0000000 call [ecx+A0]
00465645 85C0 test eax, eax
00465647 DBE2 fclex
00465649 7D 12 jge short 0046565D
0046564B 68 A0000000 push 0A0
00465650 68 2C134500 push 0045132C
00465655 57 push edi
00465656 50 push eax
00465657 FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
0046565D 8B45 E8 mov eax, [ebp-18]
00465660 50 push eax
00465661 FF15 58114000 call [<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str
00465667 8D4D E8 lea ecx, [ebp-18]
0046566A A3 5C704600 mov [46705C], eax
0046566F FF15 BC114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00465675 8B1D B8114000 mov ebx, [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0046567B 8D4D E0 lea ecx, [ebp-20]
0046567E FFD3 call ebx
00465680 A1 68744600 mov eax, [467468]
00465685 85C0 test eax, eax
00465687 75 10 jnz short 00465699
00465689 68 68744600 push 00467468 ; ASCII ",沐"
0046568E 68 F4084500 push 004508F4
00465693 FF15 44114000 call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00465699 8B3D 68744600 mov edi, [467468]
0046569F 8D4D E0 lea ecx, [ebp-20]
004656A2 56 push esi
004656A3 51 push ecx
004656A4 8B17 mov edx, [edi]
004656A6 8995 D8FEFFFF mov [ebp-128], edx
004656AC FF15 88104000 call [<&MSVBVM60.__vbaObjSetAddref>] ; MSVBVM60.__vbaObjSetAddref
004656B2 8B95 D8FEFFFF mov edx, [ebp-128]
004656B8 50 push eax
004656B9 57 push edi
004656BA FF52 10 call [edx+10]
004656BD 85C0 test eax, eax
004656BF DBE2 fclex
004656C1 7D 0F jge short 004656D2
004656C3 6A 10 push 10
004656C5 68 90054500 push 00450590
004656CA 57 push edi
004656CB 50 push eax
004656CC FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
004656D2 8D4D E0 lea ecx, [ebp-20]
004656D5 FFD3 call ebx
004656D7 E9 52030000 jmp 00465A2E
004656DC 8B06 mov eax, [esi]
004656DE 56 push esi
004656DF FF90 00030000 call [eax+300]
004656E5 8D4D E0 lea ecx, [ebp-20]
004656E8 50 push eax
004656E9 51 push ecx
004656EA FFD3 call ebx
004656EC 8BF8 mov edi, eax
004656EE 8D45 E8 lea eax, [ebp-18]
004656F1 50 push eax
004656F2 57 push edi
004656F3 8B17 mov edx, [edi]
004656F5 FF92 A0000000 call [edx+A0] ; fetch the entered code
004656FB 85C0 test eax, eax
004656FD DBE2 fclex
004656FF 7D 12 jge short 00465713
00465701 68 A0000000 push 0A0
00465706 68 2C134500 push 0045132C
0046570B 57 push edi
0046570C 50 push eax
0046570D FF15 60104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00465713 8B4D E8 mov ecx, [ebp-18]
00465716 51 push ecx
00465717 FF15 40114000 call [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
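0046571D DB05 58704600 fild dword ptr [467058] ; real code loaded into st0
00465723 DD9D D0FEFFFF fstp qword ptr [ebp-130] ; real code stored as a double at [ebp-130] and popped (shown in st7 afterwards)
00465729 DC9D D0FEFFFF fcomp qword ptr [ebp-130] ; compare the entered code with the real code
0046572F DFE0 fstsw ax ; store the FPU status word in AX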
00465731 F6C4 40 test ah, 40
00465734 75 07 jnz short 0046573D
00465736 B8 01000000 mov eax, 1
0046573B EB 02 jmp short 0046573F
0046573D 33C0 xor eax, eax
0046573F F7D8 neg eax
00465741 8D4D E8 lea ecx, [ebp-18]
00465744 8BF8 mov edi, eax
00465746 FF15 BC114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0046574C 8D4D E0 lea ecx, [ebp-20]
0046574F FF15 B8114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00465755 66:85FF test di, di
00465758 0F84 D0020000 je 00465A2E
0046575E BF 0A000000 mov edi, 0A
00465763 B8 04000280 mov eax, 80020004
00465768 897D 9C mov [ebp-64], edi
0046576B 897D AC mov [ebp-54], edi
0046576E 8B3D 80114000 mov edi, [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00465774 8D95 3CFFFFFF lea edx, [ebp-C4]
0046577A 8D4D BC lea ecx, [ebp-44]
0046577D 8945 A4 mov [ebp-5C], eax
00465780 8945 B4 mov [ebp-4C], eax
00465783 C785 44FFFFFF 3>mov dword ptr [ebp-BC], 0045093C
0046578D C785 3CFFFFFF 0>mov dword ptr [ebp-C4], 8
00465797 FFD7 call edi
00465799 8D95 4CFFFFFF lea edx, [ebp-B4]
0046579F 8D4D CC lea ecx, [ebp-34]
004657A2 C785 54FFFFFF 4>mov dword ptr [ebp-AC], 00451340
004657AC C785 4CFFFFFF 0>mov dword ptr [ebp-B4], 8
004657B6 FFD7 call edi
004657B8 8D55 9C lea edx, [ebp-64]
004657BB 8D45 AC lea eax, [ebp-54]
004657BE 52 push edx
004657BF 8D4D BC lea ecx, [ebp-44]
004657C2 50 push eax
004657C3 51 push ecx
004657C4 8D55 CC lea edx, [ebp-34]
004657C7 6A 30 push 30
004657C9 52 push edx
004657CA FF15 80104000 call [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
004657D0 8D45 9C lea eax, [ebp-64]
004657D3 8D4D AC lea ecx, [ebp-54]
004657D6 50 push eax
004657D7 8D55 BC lea edx, [ebp-44]
004657DA 51 push ecx
004657DB 8D45 CC lea eax, [ebp-34]
004657DE 52 push edx
004657DF 50 push eax
004657E0 6A 04 push 4
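The fild / fstp / fcomp / fstsw / test ah, 40 sequences at 0046532C and 0046571D, modelled in C to show which status-word bit each branch reads. This is an added example, not part of the original write-up or of the program; the function names and the sample value 123456 are constructed for illustration.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* x87 status-word condition codes: C0 = bit 8, C2 = bit 10, C3 = bit 14.
   After "fstsw ax" the high byte lands in AH, so C3 is AH bit 6 = 0x40. */
#define SW_C0 0x0100u
#define SW_C2 0x0400u
#define SW_C3 0x4000u

/* Condition codes that fcomp leaves when comparing st0 with a memory operand. */
uint16_t fcomp_status(double st0, double mem)
{
    if (isnan(st0) || isnan(mem))
        return SW_C3 | SW_C2 | SW_C0;   /* unordered */
    if (st0 > mem)
        return 0;
    if (st0 < mem)
        return SW_C0;
    return SW_C3;                       /* equal */
}

/* "test ah, 40": nonzero when C3 is set. */
int c3_set(uint16_t status_word)
{
    uint8_t ah = (uint8_t)(status_word >> 8);
    return (ah & 0x40) != 0;
}

/* 0046532C..00465362: fild loads the stored dword, fstp spills it as a
   double, fcomp compares the entered value (left in st0 by __vbaR8Str)
   against it. Result in DI: -1 (VB True) when equal, 0 otherwise. */
int16_t check_equal(double entered, int32_t stored)
{
    double spilled = (double)stored;    /* fild dword + fstp qword, exact */
    int32_t edi = c3_set(fcomp_status(entered, spilled)) ? 1 : 0;
    return (int16_t)(-edi);             /* neg edi ; test di, di */
}

/* 0046571D..00465755: same compare, but jnz instead of je, so the flag is
   True when the values differ (the branch that goes on to call rtcMsgBox). */
int16_t check_not_equal(double entered, int32_t stored)
{
    double spilled = (double)stored;
    int32_t eax = c3_set(fcomp_status(entered, spilled)) ? 0 : 1;
    return (int16_t)(-eax);             /* neg eax ; mov edi, eax */
}

int main(void)
{
    const int32_t stored = 123456;      /* constructed sample, not a real code */
    const double inputs[] = { 123456.0, 1.23456e5, 123456.5, 123455.0 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint16_t sw = fcomp_status(inputs[i], (double)stored);
        printf("entered=%-10g status=0x%04X equal=%d not_equal=%d\n",
               inputs[i], (unsigned)sw, check_equal(inputs[i], stored),
               check_not_equal(inputs[i], stored));
    }
    return 0;
}
```

Because the comparison is done on doubles rather than on strings, any textual form that converts to the same number takes the same branch.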
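(2) Tracing where the real registration code comes from
1. From step (1) we know the real code is kept in memory at [467058]. Press Ctrl+F2 to restart the program; in the dump window, press Ctrl+G, go to 00467058 and set a hardware write breakpoint.
2. Press F9 to run; the program breaks inside a system module. Press Alt+F9 to return to the program's own code at the following location:
0045614D A3 58704600 mov [467058], eax ; eax (the real code, as a hex value) is saved at 00467058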
00456152 FFD6 call esi
00456154 A1 68744600 mov eax, [467468]
00456159 85C0 test eax, eax
0045615B 75 10 jnz short 0045616D
3. Scroll up to
0045612D E8 0EEA0000 call 00464B40 ;
00456132 8BC8 mov ecx, eax
and set a breakpoint at 0045612D.
4. Restart the program; it breaks:
0045612D E8 0EEA0000 call 00464B40 ; OD breaks here; this call computes the machine code
00456132 8BC8 mov ecx, eax
00456134 FF15 74104000 call [<&MSVBVM60.__vbaI4Abs>] ; MSVBVM60.__vbaI4Abs
0045613A 99 cdq
0045613B 2BC2 sub eax, edx ; eax=eax-edx
0045613D 8D4D D4 lea ecx, [ebp-2C]
00456140 D1F8 sar eax, 1 ; arithmetic right shift of eax by 1
00456142 2D 0EFB2D01 sub eax, 12DFB0E ; eax=eax-12DFB0E
00456147 0F80 45150000 jo 00457692 ; on overflow, jump to the program's error handling
0045614D A3 58704600 mov [467058], eax ; eax (the real code, as a hex value) is saved at 00467058 for later use
------------------------------------------------------------------------
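【Summary】
1. The registration code is computed from the machine code after the program starts, and is kept in memory;
2. The real and entered codes are compared using floating-point operations;
3. The registration code is stored in plaintext in the registry.
------------------------------------------------------------------------
【Copyright】This article is the author's original work. When reposting, please credit the author and keep the article intact. Thanks!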