宇佳倉庫管理系統 V1.6.1(VB6 native)

Ollydbg――宇佳倉庫管理系統 V1.6.1(VB6 native)

下載頁面： http://www.skycn.com/soft/12136.html
軟體大小： 9081 KB
軟體語言：簡體中文
軟體類別：國產軟體 / 共享版 / 商業貿易
應用平臺： Win9x/NT/2000/XP
加入時間： 2003-06-18 17:02:29
下載次數： 2356
推薦等級： ***

【軟體簡介】：通用倉庫及貨物管理軟體；支援多套帳簿(無限制)、多倉庫管理(無限制)、多種計量單位(無限制)及多達8種的數量進位制、可自定義多種入庫及出庫單據型別(無限制)；允許使用者自定義小數點位數(0-8位)；支援商品動態分類級次達五級。介面直觀、操作簡單，支援全鍵盤操作；支援網路，及多使用者；適合於各行各業的倉儲及貨物的計算機管理。共享軟體免費註冊。

【軟體限制】：NAG、功能限制

【作者宣告】：初學Crack，只是感興趣，沒有其它目的。失誤之處敬請諸位大俠賜教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、UPXWin、Guw32、W32Dasm 9.0白金版

―――――――――――――――――――――――――――――――――
【過程】：

Waregoods.exe 無殼。 VB6 native 。暈倒，這個東東在我的WIN 98SE上居然無法正常執行，需要更新某某檔案……呵呵，幸好我還有第2作業系統XP，只好去XP下分析了。這是我第一次在XP下除錯。^O^ ^O^

序列號：IELKLKHIDP
單位：雨佳商業公司
試煉碼：1357 - 2468 （注意：-前後各有1個空格！）
―――――――――――――――――――――――――――――――――
可下MSVBVM60.rtcMidCharVar斷點，生成序列號後會來到下面：

:006629E9 FF90D4000000 call dword ptr [eax+000000D4]
====>生成程式顯示的序列號！

:006629EF 3BC3 cmp eax, ebx
:006629F1 7D11 jge 00662A04
:006629F3 68D4000000 push 000000D4

* Possible StringData Ref from Code Obj ->"om<)L5Q8A?"
|
:006629F8 6830544200 push 00425430
:006629FD 57 push edi
:006629FE 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:006629FF E83859DAFF Call 0040833C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006629F1(C)
|
:00662A04 8B55C8 mov edx, dword ptr [ebp-38]
====>EDX=IELKLKHIDP 序列號

:00662A07 895DC8 mov dword ptr [ebp-38], ebx
:00662A0A 8D4DD4 lea ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00662A0D E83059DAFF Call 00408342
:00662A12 6A01 push 00000001
:00662A14 FF36 push dword ptr [esi]
====>[esi]=1357 - 2468 試煉碼

* Possible StringData Ref from Code Obj ->" - "
|
:00662A16 6820634300 push 00436320
:00662A1B 53 push ebx

* Reference To: MSVBVM60.__vbaInStr, Ord:0000h
|
:00662A1C E8775ADAFF Call 00408498
====>檢測輸入的試煉碼的格式是否是K1 - K2
====>暈倒 ~Q~ 為了這-前後的2個空格我在這兒看了15分鐘

:00662A21 8BC8 mov ecx, eax

* Reference To: MSVBVM60.__vbaI2I4, Ord:0000h
|
:00662A23 E81E58DAFF Call 00408246
:00662A28 8945DC mov dword ptr [ebp-24], eax
:00662A2B 663BC3 cmp ax, bx
:00662A2E 0F8E2B010000 jle 00662B5F
====>跳則OVER！

:00662A34 8975A8 mov dword ptr [ebp-58], esi
:00662A37 BB08400000 mov ebx, 00004008
:00662A3C 895DA0 mov dword ptr [ebp-60], ebx
:00662A3F 662D0100 sub ax, 0001
:00662A43 0F809C010000 jo 00662BE5
:00662A49 0FBFC0 movsx eax, ax
:00662A4C 50 push eax
:00662A4D 8D45A0 lea eax, dword ptr [ebp-60]
:00662A50 50 push eax
:00662A51 8D45B0 lea eax, dword ptr [ebp-50]
:00662A54 50 push eax

* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
|
:00662A55 E88459DAFF Call 004083DE
====>取試煉碼的前段

:00662A5A 8D45B0 lea eax, dword ptr [ebp-50]
:00662A5D 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00662A5E E81559DAFF Call 00408378
:00662A63 8BD0 mov edx, eax
====>EDX=1357 試煉碼的前段

:00662A65 8D4DD8 lea ecx, dword ptr [ebp-28]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00662A68 E8D558DAFF Call 00408342
:00662A6D 8D4DB0 lea ecx, dword ptr [ebp-50]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:00662A70 E83D58DAFF Call 004082B2
:00662A75 8975A8 mov dword ptr [ebp-58], esi
:00662A78 895DA0 mov dword ptr [ebp-60], ebx
:00662A7B FF36 push dword ptr [esi]

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:00662A7D E8E257DAFF Call 00408264
:00662A82 0FBF4DDC movsx ecx, word ptr [ebp-24]
:00662A86 2BC1 sub eax, ecx
:00662A88 0F8057010000 jo 00662BE5
:00662A8E 83E802 sub eax, 00000002
:00662A91 0F804E010000 jo 00662BE5
:00662A97 50 push eax
:00662A98 8D45A0 lea eax, dword ptr [ebp-60]
:00662A9B 50 push eax
:00662A9C 8D45B0 lea eax, dword ptr [ebp-50]
:00662A9F 50 push eax

* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
|
:00662AA0 E8B759DAFF Call 0040845C
====>取試煉碼的後段

:00662AA5 8D45B0 lea eax, dword ptr [ebp-50]
:00662AA8 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00662AA9 E8CA58DAFF Call 00408378
:00662AAE 8BD0 mov edx, eax
====>EDX=2468 試煉碼的後段

:00662AB0 8D4DCC lea ecx, dword ptr [ebp-34]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00662AB3 E88A58DAFF Call 00408342
:00662AB8 8D4DB0 lea ecx, dword ptr [ebp-50]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:00662ABB E8F257DAFF Call 004082B2
:00662AC0 8B07 mov eax, dword ptr [edi]
:00662AC2 8D4DC8 lea ecx, dword ptr [ebp-38]
====>[ebp-38]=IELKLKHIDP 序列號

:00662AC5 51 push ecx
:00662AC6 FF75D4 push [ebp-2C]
:00662AC9 57 push edi
:00662ACA FF90EC000000 call dword ptr [eax+000000EC]
====>演算法CALL①！進入！生成前段註冊碼

:00662AD0 85C0 test eax, eax
:00662AD2 7D11 jge 00662AE5
:00662AD4 68EC000000 push 000000EC

* Possible StringData Ref from Code Obj ->"om<)L5Q8A?"
|
:00662AD9 6830544200 push 00425430
:00662ADE 57 push edi
:00662ADF 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00662AE0 E85758DAFF Call 0040833C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00662AD2(C)
|
:00662AE5 33D2 xor edx, edx
:00662AE7 8D4DC4 lea ecx, dword ptr [ebp-3C]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:00662AEA E8B157DAFF Call 004082A0
:00662AEF 8B07 mov eax, dword ptr [edi]
:00662AF1 8D4DC0 lea ecx, dword ptr [ebp-40]
:00662AF4 51 push ecx
:00662AF5 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00662AF8 51 push ecx
:00662AF9 57 push edi
:00662AFA FF90D8000000 call dword ptr [eax+000000D8]
====>演算法CALL②！進入！生成後段註冊碼

:00662B00 85C0 test eax, eax
:00662B02 7D11 jge 00662B15
:00662B04 68D8000000 push 000000D8

* Possible StringData Ref from Code Obj ->"om<)L5Q8A?"
|
:00662B09 6830544200 push 00425430
:00662B0E 57 push edi
:00662B0F 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00662B10 E82758DAFF Call 0040833C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00662B02(C)
|
:00662B15 FF75CC push [ebp-34]
====>[ebp-34]=2468

:00662B18 FF75C0 push [ebp-40]
====>[ebp-40]=CNSZNOG 後段註冊碼

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00662B1B E81658DAFF Call 00408336
====>比較後段註冊碼！

:00662B20 8BF0 mov esi, eax
:00662B22 F7DE neg esi
:00662B24 1BF6 sbb esi, esi
:00662B26 46 inc esi
:00662B27 F7DE neg esi
:00662B29 FF75D8 push [ebp-28]
====>[ebp-28]=1357

:00662B2C FF75C8 push [ebp-38]
====>[ebp-38]=WAYAAYYQTU 前段註冊碼

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00662B2F E80258DAFF Call 00408336
====>比較前段註冊碼！

:00662B34 F7D8 neg eax
:00662B36 1BC0 sbb eax, eax
:00662B38 40 inc eax
:00662B39 F7D8 neg eax
:00662B3B 23F0 and esi, eax
:00662B3D 8D45C0 lea eax, dword ptr [ebp-40]
:00662B40 50 push eax
:00662B41 8D45C4 lea eax, dword ptr [ebp-3C]
:00662B44 50 push eax
:00662B45 8D45C8 lea eax, dword ptr [ebp-38]
:00662B48 50 push eax
:00662B49 6A03 push 00000003
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:00662B4B E8A457DAFF Call 004082F4
:00662B50 83C410 add esp, 00000010
:00662B53 6685F6 test si, si
:00662B56 7407 je 00662B5F
====>跳則OVER！

:00662B58 C745D001000000 mov [ebp-30], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006629B0(U), :006629C6(C), :00662A2E(C), :00662B56(C)
|
:00662B5F 668B45D0 mov ax, word ptr [ebp-30]
:00662B63 66898784000000 mov word ptr [edi+00000084], ax
:00662B6A EB0E jmp 00662B7A

…… ……省略…… ……

:0068E139 E892A1D7FF Call 004082D0
====>BAD BOY！

―――――――――――――――――――――――――――――――――
進入演算法CALL①：00662ACA call dword ptr [eax+000000EC]

…… ……省略…… ……

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:00663176 E8E950DAFF Call 00408264
:0066317B 6A01 push 00000001
:0066317D 5B pop ebx
:0066317E 2BC3 sub eax, ebx
:00663180 0F806F020000 jo 006633F5
:00663186 50 push eax
:00663187 8D459C lea eax, dword ptr [ebp-64]
:0066318A 50 push eax
:0066318B 8D45BC lea eax, dword ptr [ebp-44]
:0066318E 50 push eax

* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
|
:0066318F E84A52DAFF Call 004083DE
====>取序列號左邊的幾位。其實就是E盤序列號的變形

:00663194 8D45BC lea eax, dword ptr [ebp-44]
:00663197 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00663198 E8DB51DAFF Call 00408378
:0066319D 8BD0 mov edx, eax
====>[ebp-38]=IELKLKHID

:0066319F 8D4DDC lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006631A2 E89B51DAFF Call 00408342
:006631A7 8D4DBC lea ecx, dword ptr [ebp-44]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:006631AA E80351DAFF Call 004082B2
:006631AF 8D45E4 lea eax, dword ptr [ebp-1C]
:006631B2 53 push ebx
:006631B3 8945A4 mov dword ptr [ebp-5C], eax
:006631B6 8D459C lea eax, dword ptr [ebp-64]
:006631B9 50 push eax
:006631BA 8D45BC lea eax, dword ptr [ebp-44]
:006631BD 50 push eax
:006631BE 89759C mov dword ptr [ebp-64], esi

* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
|
:006631C1 E89652DAFF Call 0040845C
:006631C6 8D45BC lea eax, dword ptr [ebp-44]
:006631C9 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:006631CA E8A951DAFF Call 00408378
:006631CF 8BD0 mov edx, eax
:006631D1 8D4DD0 lea ecx, dword ptr [ebp-30]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006631D4 E86951DAFF Call 00408342
:006631D9 8D4DBC lea ecx, dword ptr [ebp-44]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:006631DC E8D150DAFF Call 004082B2
:006631E1 8BD7 mov edx, edi
:006631E3 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:006631E6 E8B550DAFF Call 004082A0
:006631EB FF75DC push [ebp-24]

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:006631EE E87150DAFF Call 00408264
====>取IELKLKHID的長度

:006631F3 8BC8 mov ecx, eax
====>ECX=9

* Reference To: MSVBVM60.__vbaI2I4, Ord:0000h
|
:006631F5 E84C50DAFF Call 00408246

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006632DC(U)
|
:006631FA 6A01 push 00000001
:006631FC 8BF8 mov edi, eax
:006631FE 58 pop eax
:006631FF 663BF8 cmp di, ax
:00663202 0F8CD9000000 jl 006632E1
:00663208 8D45DC lea eax, dword ptr [ebp-24]
:0066320B 895DC4 mov dword ptr [ebp-3C], ebx
:0066320E 8945A4 mov dword ptr [ebp-5C], eax
:00663211 8D45BC lea eax, dword ptr [ebp-44]
:00663214 50 push eax
:00663215 C745BC02000000 mov [ebp-44], 00000002
:0066321C 0FBFC7 movsx eax, di
:0066321F 50 push eax
:00663220 8D459C lea eax, dword ptr [ebp-64]
:00663223 50 push eax
:00663224 8D45AC lea eax, dword ptr [ebp-54]
:00663227 50 push eax
:00663228 89759C mov dword ptr [ebp-64], esi

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0066322B E88451DAFF Call 004083B4
====>倒序取IELKLKHID字元

:00663230 8D45AC lea eax, dword ptr [ebp-54]
:00663233 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00663234 E83F51DAFF Call 00408378
:00663239 8BD0 mov edx, eax
:0066323B 8D4DD4 lea ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0066323E E8FF50DAFF Call 00408342
:00663243 8D45AC lea eax, dword ptr [ebp-54]
:00663246 50 push eax
:00663247 8D45BC lea eax, dword ptr [ebp-44]
:0066324A 50 push eax
:0066324B 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0066324D E8B450DAFF Call 00408306
:00663252 8B45E0 mov eax, dword ptr [ebp-20]
:00663255 83C40C add esp, 0000000C
:00663258 8945A4 mov dword ptr [ebp-5C], eax
:0066325B C7459C08000000 mov [ebp-64], 00000008
:00663262 FF75D4 push [ebp-2C]

* Reference To: MSVBVM60.rtcAnsivalueBstr, Ord:0204h
|
:00663265 E85051DAFF Call 004083BA
====>依次取字元所對應的HEX值

:0066326A 6603C7 add ax, di
====>依次加上9、8、7、……、1 遞減位數

:0066326D 66B91A00 mov cx, 001A
====>CX=1A

:00663271 0F807E010000 jo 006633F5
:00663277 66051700 add ax, 0017
====>AX再加上17

:0066327B 0F8074010000 jo 006633F5
:00663281 6699 cwd
:00663283 66F7F9 idiv cx
====>DX=AX % 1A

:00663286 6683C241 add dx, 0041
====>餘數再加41

:0066328A 0F8065010000 jo 006633F5
:00663290 0FBFC2 movsx eax, dx
:00663293 50 push eax
:00663294 8D45BC lea eax, dword ptr [ebp-44]
:00663297 50 push eax

* Reference To: MSVBVM60.rtcVarBstrFromAnsi, Ord:0260h
|
:00663298 E82F51DAFF Call 004083CC
====>依次把上面所得的HEX值轉變為所對應的字元

:0066329D 8D459C lea eax, dword ptr [ebp-64]
:006632A0 50 push eax
:006632A1 8D45BC lea eax, dword ptr [ebp-44]
:006632A4 50 push eax
:006632A5 8D45AC lea eax, dword ptr [ebp-54]
:006632A8 50 push eax

* Reference To: MSVBVM60.__vbaVarCat, Ord:0000h
|
:006632A9 E81650DAFF Call 004082C4
====>依次連線所得的字元

:006632AE 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:006632AF E8C450DAFF Call 00408378
:006632B4 8BD0 mov edx, eax
====>最後得出：WAYAAYYQT

:006632B6 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006632B9 E88450DAFF Call 00408342
:006632BE 8D45AC lea eax, dword ptr [ebp-54]
:006632C1 50 push eax
:006632C2 8D45BC lea eax, dword ptr [ebp-44]
:006632C5 50 push eax
:006632C6 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:006632C8 E83950DAFF Call 00408306
:006632CD 83C8FF or eax, FFFFFFFF
:006632D0 83C40C add esp, 0000000C
:006632D3 6603C7 add ax, di
:006632D6 0F8019010000 jo 006633F5
:006632DC E919FFFFFF jmp 006631FA
====>迴圈！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00663202(C)
|
:006632E1 8B7508 mov esi, dword ptr [ebp+08]
:006632E4 8D4DCC lea ecx, dword ptr [ebp-34]
:006632E7 51 push ecx
:006632E8 FF75E0 push [ebp-20]
====>[ebp-20]=WAYAAYYQT

:006632EB 8B06 mov eax, dword ptr [esi]
:006632ED 56 push esi
:006632EE FF90DC000000 call dword ptr [eax+000000DC]
====>生成前段註冊碼K1的最後1位：U

:006632F4 85C0 test eax, eax
:006632F6 7D11 jge 00663309
:006632F8 68DC000000 push 000000DC

* Possible StringData Ref from Code Obj ->"om<)L5Q8A?"
|
:006632FD 6830544200 push 00425430
:00663302 56 push esi
:00663303 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00663304 E83350DAFF Call 0040833C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006632F6(C)
|
:00663309 FF75E0 push [ebp-20]
====>[ebp-20]=WAYAAYYQT

:0066330C FF75CC push [ebp-34]
====>[ebp-34]=U 前段註冊碼K1的最後1位

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:0066330F E8EC4FDAFF Call 00408300
====>連線上面2組字元

:00663314 8BD0 mov edx, eax
====>EDX=WAYAAYYQTU 這就是前段註冊碼K1

―――――――――――――――――――――――――――――――――
生成前幾位註冊碼K1的最後1位：006632EE call dword ptr [eax+000000DC]

…… ……省略…… ……

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:00662828 E8875BDAFF Call 004083B4
====>依次取WAYAAYYQT的字元

:0066282D 8D45B4 lea eax, dword ptr [ebp-4C]
:00662830 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00662831 E8425BDAFF Call 00408378
:00662836 8BD0 mov edx, eax
:00662838 8D4DD8 lea ecx, dword ptr [ebp-28]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0066283B E8025BDAFF Call 00408342
:00662840 8D45B4 lea eax, dword ptr [ebp-4C]
:00662843 50 push eax
:00662844 8D45C4 lea eax, dword ptr [ebp-3C]
:00662847 50 push eax
:00662848 53 push ebx

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00662849 E8B85ADAFF Call 00408306
:0066284E 83C40C add esp, 0000000C
:00662851 FF75D8 push [ebp-28]

* Reference To: MSVBVM60.rtcAnsivalueBstr, Ord:0204h
|
:00662854 E8615BDAFF Call 004083BA
====>依次取對應的HEX值

:00662859 660345E4 add ax, word ptr [ebp-1C]
①、 ====>AX=57 + 00=57
②、 ====>AX=41 + 55=96
③、 ====>AX=59 + 94=ED
…… ……省略…… ……
⑨、 ====>AX=54 + 266=2BA

:0066285D 6A01 push 00000001
:0066285F 0F80B7000000 jo 0066291C
:00662865 662BC3 sub ax, bx
①、 ====>AX=57 - 02=55
②、 ====>AX=96 - 02=94
③、 ====>AX=ED - 02=EB
…… ……省略…… ……
⑨、 ====>AX=2BA - 02=2B8

:00662868 0F80AE000000 jo 0066291C
:0066286E 8945E4 mov dword ptr [ebp-1C], eax
====>[ebp-1C]=EAX

:00662871 58 pop eax
:00662872 6603C7 add ax, di
:00662875 0F80A1000000 jo 0066291C
:0066287B 8BF8 mov edi, eax
:0066287D EB80 jmp 006627FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00662803(C)
|
:0066287F 668B45E4 mov ax, word ptr [ebp-1C]
====>AX=2B8 上面的累加運算之和

:00662883 66B91A00 mov cx, 001A
:00662887 6699 cwd
:00662889 66F7F9 idiv cx
====>DX=2B8 % 1A=14

:0066288C 6683C241 add dx, 0041
====>DX=14 + 41=55

:00662890 0F8086000000 jo 0066291C
:00662896 0FBFC2 movsx eax, dx
:00662899 50 push eax
:0066289A 8D45C4 lea eax, dword ptr [ebp-3C]
:0066289D 50 push eax

* Reference To: MSVBVM60.rtcVarBstrFromAnsi, Ord:0260h
|
:0066289E E8295BDAFF Call 004083CC
====>把上面所得的45轉變成字元

:006628A3 8D45C4 lea eax, dword ptr [ebp-3C]
:006628A6 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:006628A7 E8CC5ADAFF Call 00408378
:006628AC 8BD0 mov edx, eax
====>EDX=U 這就是K1的最後1位

――――――――――――――――
注：生成程式顯示的序列號的最後1位：

對IELKLKHID運算得出：27F % 1A=F F + 41=50 即：P

―――――――――――――――――――――――――――――――――
進入演算法CALL②：00662AFA call dword ptr [eax+000000D8]

我改變E盤序列號測試了幾次，發現後段註冊碼是相同的，或許這是根據單位名來運算的。但是在我機子上安裝後的程式單位名是無法改變的，有朋友做的話麻煩驗證一下！

…… ……省略…… ……

:00662669 50 push eax
:0066266A 895DA8 mov dword ptr [ebp-58], ebx

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0066266D E8425DDAFF Call 004083B4
====>依次取E8 96 73 4F 46 55 1A 4E 6C 51 F8 53 20 00

:00662672 8D45B8 lea eax, dword ptr [ebp-48]
:00662675 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00662676 E8FD5CDAFF Call 00408378
:0066267B 8BD0 mov edx, eax
:0066267D 8D4DDC lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00662680 E8BD5CDAFF Call 00408342
:00662685 8D45B8 lea eax, dword ptr [ebp-48]
:00662688 50 push eax
:00662689 8D45C8 lea eax, dword ptr [ebp-38]
:0066268C 50 push eax
:0066268D 56 push esi

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0066268E E8735CDAFF Call 00408306
:00662693 8B45E0 mov eax, dword ptr [ebp-20]
:00662696 83C40C add esp, 0000000C
:00662699 8945B0 mov dword ptr [ebp-50], eax
:0066269C C745A808000000 mov [ebp-58], 00000008
:006626A3 FF75DC push [ebp-24]

* Reference To: MSVBVM60.rtcAnsivalueBstr, Ord:0204h
|
:006626A6 E80F5DDAFF Call 004083BA
:006626AB 8BC8 mov ecx, eax

* Reference To: MSVBVM60.__vbaI2Abs, Ord:0000h
|
:006626AD E87E5FDAFF Call 00408630
:006626B2 6699 cwd
:006626B4 66B91A00 mov cx, 001A
:006626B8 66F7F9 idiv cx
:006626BB 6683C241 add dx, 0041
:006626BF 0F80BF000000 jo 00662784
====>上面是求模、相加運算

:006626C5 0FBFC2 movsx eax, dx
:006626C8 50 push eax
:006626C9 8D45C8 lea eax, dword ptr [ebp-38]
:006626CC 50 push eax

* Reference To: MSVBVM60.rtcVarBstrFromAnsi, Ord:0260h
|
:006626CD E8FA5CDAFF Call 004083CC
====>依次把上面所得的HEX值轉變為所對應的字元

:006626D2 8D45A8 lea eax, dword ptr [ebp-58]
:006626D5 50 push eax
:006626D6 8D45C8 lea eax, dword ptr [ebp-38]
:006626D9 50 push eax
:006626DA 8D45B8 lea eax, dword ptr [ebp-48]
:006626DD 50 push eax

* Reference To: MSVBVM60.__vbaVarCat, Ord:0000h
|
:006626DE E8E15BDAFF Call 004082C4
====>依次連線所得的字元

:006626E3 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:006626E4 E88F5CDAFF Call 00408378
:006626E9 8BD0 mov edx, eax
====>最後得出：EDX=CNSZNOG 這就是後段註冊碼K2

:006626EB 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006626EE E84F5CDAFF Call 00408342
:006626F3 8D45B8 lea eax, dword ptr [ebp-48]
:006626F6 50 push eax
:006626F7 8D45C8 lea eax, dword ptr [ebp-38]
:006626FA 50 push eax
:006626FB 56 push esi

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:006626FC E8055CDAFF Call 00408306
:00662701 83C40C add esp, 0000000C
:00662704 6A01 push 00000001
:00662706 58 pop eax
:00662707 6603C7 add ax, di
:0066270A 7078 jo 00662784
:0066270C 8BF8 mov edi, eax
:0066270E E92DFFFFFF jmp 00662640
====>迴圈！

★★★★★★★★☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆★★★★★★★★

取E盤的序列號生成程式顯示的序列號：006629E9 call dword ptr [eax+000000D4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00662484(U)
|
:006623A4 8B45E8 mov eax, dword ptr [ebp-18]
:006623A7 663B4588 cmp ax, word ptr [ebp-78]
:006623AB 0F8FD8000000 jg 00662489
:006623B1 8D4DDC lea ecx, dword ptr [ebp-24]
:006623B4 895DCC mov dword ptr [ebp-34], ebx
:006623B7 894DAC mov dword ptr [ebp-54], ecx
:006623BA 8D4DC4 lea ecx, dword ptr [ebp-3C]
:006623BD 0FBFC0 movsx eax, ax
:006623C0 51 push ecx
:006623C1 50 push eax
:006623C2 8D45A4 lea eax, dword ptr [ebp-5C]
:006623C5 C745C402000000 mov [ebp-3C], 00000002
:006623CC 50 push eax
:006623CD 8D45B4 lea eax, dword ptr [ebp-4C]
:006623D0 50 push eax
:006623D1 C745A408400000 mov [ebp-5C], 00004008

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:006623D8 E8D75FDAFF Call 004083B4
====>依次取518787450 E盤序列號的10進位制值

:006623DD 8D45B4 lea eax, dword ptr [ebp-4C]
:006623E0 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:006623E1 E8925FDAFF Call 00408378
:006623E6 8BD0 mov edx, eax
:006623E8 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:006623EB E8525FDAFF Call 00408342
:006623F0 8D45B4 lea eax, dword ptr [ebp-4C]
:006623F3 50 push eax
:006623F4 8D45C4 lea eax, dword ptr [ebp-3C]
:006623F7 50 push eax
:006623F8 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:006623FA E8075FDAFF Call 00408306
:006623FF 8B45E4 mov eax, dword ptr [ebp-1C]
:00662402 83C40C add esp, 0000000C
:00662405 8945AC mov dword ptr [ebp-54], eax
:00662408 C745A408000000 mov [ebp-5C], 00000008
:0066240F FF75E0 push [ebp-20]

* Reference To: MSVBVM60.rtcAnsivalueBstr, Ord:0204h
|
:00662412 E8A35FDAFF Call 004083BA
====>取其字元對應的HEX值

:00662417 66053F00 add ax, 003F
====>依次+3F

:0066241B 66B91B00 mov cx, 001B
:0066241F 0F8014010000 jo 00662539
:00662425 6699 cwd
:00662427 66F7F9 idiv cx
====>依次模1B

:0066242A 6683C241 add dx, 0041
====>餘數+41

:0066242E 0F8005010000 jo 00662539
:00662434 0FBFC2 movsx eax, dx
:00662437 50 push eax
:00662438 8D45C4 lea eax, dword ptr [ebp-3C]
:0066243B 50 push eax

* Reference To: MSVBVM60.rtcVarBstrFromAnsi, Ord:0260h
|
:0066243C E88B5FDAFF Call 004083CC
====>取上面的HEX值對應的字元

:00662441 8D45A4 lea eax, dword ptr [ebp-5C]
:00662444 50 push eax
:00662445 8D45C4 lea eax, dword ptr [ebp-3C]
:00662448 50 push eax
:00662449 8D45B4 lea eax, dword ptr [ebp-4C]
:0066244C 50 push eax

* Reference To: MSVBVM60.__vbaVarCat, Ord:0000h
|
:0066244D E8725EDAFF Call 004082C4
====>依次連線所得字元

:00662452 50 push eax

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00662453 E8205FDAFF Call 00408378
:00662458 8BD0 mov edx, eax
====>最後得出：EDX=IELKLKHID

:0066245A 8D4DE4 lea ecx, dword ptr [ebp-1C]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0066245D E8E05EDAFF Call 00408342
:00662462 8D45B4 lea eax, dword ptr [ebp-4C]
:00662465 50 push eax
:00662466 8D45C4 lea eax, dword ptr [ebp-3C]
:00662469 50 push eax
:0066246A 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0066246C E8955EDAFF Call 00408306
:00662471 83C40C add esp, 0000000C
:00662474 6A01 push 00000001
:00662476 58 pop eax
:00662477 660345E8 add ax, word ptr [ebp-18]
:0066247B 0F80B8000000 jo 00662539
:00662481 8945E8 mov dword ptr [ebp-18], eax
:00662484 E91BFFFFFF jmp 006623A4
====>迴圈！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006623AB(C)
|
:00662489 8B07 mov eax, dword ptr [edi]
:0066248B 8D4DD4 lea ecx, dword ptr [ebp-2C]
:0066248E 51 push ecx
:0066248F FF75E4 push [ebp-1C]
:00662492 57 push edi
:00662493 FF90DC000000 call dword ptr [eax+000000DC]
====>對IELKLKHID運算生成序列號最後1位
====>詳見：生成前幾位註冊碼K1的最後1位

:00662499 3BC6 cmp eax, esi
:0066249B 7D11 jge 006624AE
:0066249D 68DC000000 push 000000DC

* Possible StringData Ref from Code Obj ->"om<)L5Q8A?"
|
:006624A2 6830544200 push 00425430
:006624A7 57 push edi
:006624A8 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:006624A9 E88E5EDAFF Call 0040833C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0066249B(C)
|
:006624AE FF75E4 push [ebp-1C]
====>[ebp-1C]=IELKLKHID

:006624B1 FF75D4 push [ebp-2C]
====>[ebp-2C]=P 序列號最後1位

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:006624B4 E8475EDAFF Call 00408300
====>連線以上2組字元

:006624B9 8BD0 mov edx, eax
====>EDX=IELKLKHIDP 這就是序列號

★★★★★★★★☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆★★★★★★★★

程式啟動時的比較：

:0052692A FF91E0000000 call dword ptr [ecx+000000E0]
====>進入運算比較CALL！

:00526930 85C0 test eax, eax
:00526932 DBE2 fclex
:00526934 7D12 jge 00526948
====>跳則OVER！

―――――――――――――――――――――――――――――――――
【完美爆破】：

想做完美爆破還是有點麻煩的。呵呵 ~@~ ~@~

―――――――――――――――――――――――――――――――――
【註冊資訊儲存】：

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1614895754-436374069-1957994488-1003\Software\VB and VBA Program Settings\Account\RegisterCode]
"RegisterCode"="WAYAAYYQTU - CNSZNOG"

―――――――――――――――――――――――――――――――――
【整理】：

序列號：IELKLKHIDP
單位：雨佳商業公司
註冊碼：WAYAAYYQTU - CNSZNOG

―――――――――――――――――――――――――――――――――

, _/
/| _.-~/ \_ , 青春都一餉
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 換了破解輕狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊――fly [OCN][FCG]

2003-06-23 2:00

宇佳倉庫管理系統 V1.6.1(VB6 native)

相關文章