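中文內碼轉換巨匠 1.2 【VB, easy】 Registration Algorithm
【Crack author】 mejy
【Author e-mail】 mejycracke@yeah.net
【Author homepage】 mejycrack.51.net
【Tools used】 mejyDbg 1.09 (Chinese-localized version), WinHex
【Platform】 Win2000 ADS SP4
【Software name】 中文內碼轉換巨匠 1.2
【Software description】 A tool for converting between Simplified and Traditional Chinese internal codes. A VB program!
【Packer】 PECompact V1.68-84
【Statement】 It has been a long time since I did any algorithm analysis, so I picked a soft target to practice on! This article is aimed at "minors" :), experts should not waste their time!!! Otherwise I take no responsibility for the consequences!
--------------------------------------------------------------------------------
【Content】
【1】Unpacking
0045B5A0 > EB 06 JMP SHORT 中文內碼.0045B5A8 ; execution stops here after loading
0045B5A2 68 0C1F0000 PUSH 1F0C ; RVA of the OEP: set a memory-access breakpoint directly at 401F0C
0045B5A7 C3 RETN
×××××××××××××××× After the breakpoint has been hit a few times:
00401F0C 68 50B54100 PUSH 中文內碼.0041B550 ; dump the program here, then repair the imports with ImportREC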
00401F11 E8 F0FFFFFF CALL 中文內碼.00401F06 ; JMP to MSVBVM50.ThunRTMain
00401F16 0000 ADD BYTE PTR DS:[EAX],AL
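【2】Algorithm analysis
(1) A VB program like this is not P-code, so SmartCheck can be used to analyze it. Step by step: look at the Command1Click event, where there is a vbaStrCmp call. At that point both the fake code that was entered and the real code are visible. This method finds the registration code in 30 seconds!
(2) SmartCheck can in fact help us work out how the registration code is compared (floating-point comparison, string comparison, and so on), but finding the specific details still takes a dynamic analysis tool such as OD. For several approaches to VB programs, see the following article: http://ymmz.nease.net/Crack/ice1.htm
The analysis above shows that the program compares strings, so we try setting breakpoints on __vbaStrCmp.
Load the unpacked program in OD. Press Ctrl+N to search the names in the current module, find __vbaStrCmp, look up its references, and set breakpoints on them.
Press F9 to run the program. Heh, it breaks a whole bunch of times. Use your sharp eyes to remove the breakpoints that are obviously useless. If you watch carefully, you will see that the correct registration code has already shown up during these breaks. Really poor protection! Leave that aside for now. Once the program is fully running, click Register and enter a fake code.
Sure enough, it breaks again. Scroll up with the mouse, pick a spot that looks plausible, set a breakpoint there, and click Register again. I chose the following: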
00421FEA > 8D5F 34 LEA EBX,DWORD PTR DS:[EDI+34]
00421FED . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
00421FF0 . 8BCB MOV ECX,EBX
00421FF2 . FF15 80834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCo>; read in the machine code; set the breakpoint here
00421FF8 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
00421FFA . 50 PUSH EAX ; push the machine code
00421FFB . FF15 F8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcR8ValFr>; convert the string to a decimal real number
00422001 . D9E1 FABS ; floating-point instruction
00422003 . DFE0 FSTSW AX ; store the status word in AX
00422005 . A8 0D TEST AL,0D
00422007 . 0F85 01080000 JNZ dumped_.0042280E
0042200D . FF15 AC824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFpR8>>; msvbvm50.__vbaFpR8
00422013 . DC1D 30104000 FCOMP QWORD PTR DS:[401030] ; compare st(0) with the operand at 401030, then pop the FPU stack once
00422019 . DFE0 FSTSW AX ; store the status word in AX
0042201B . F6C4 41 TEST AH,41
0042201E . 75 25 JNZ SHORT dumped_.00422045
00422020 . 6A 09 PUSH 9
【【【【N lines of code omitted】】】】
00422087 . 85C0 TEST EAX,EAX
00422089 . 7D 15 JGE SHORT dumped_.004220A0 ; jump taken
0042208B . 6A 50 PUSH 50
0042208D . 68 60EE4100 PUSH dumped_.0041EE60
00422092 . 8B8D 6CFFFFFF MOV ECX,DWORD PTR SS:[EBP-94]
00422098 . 51 PUSH ECX
00422099 . 50 PUSH EAX
0042209A . FF15 70824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
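004220A0 > 8B13 MOV EDX,DWORD PTR DS:[EBX] ; [EBX] holds the machine code
004220A2 . 52 PUSH EDX ; push it
004220A3 . FF15 F8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcR8ValFr>; msvbvm50.rtcR8ValFromBstr
004220A9 . DD9D 40FFFFFF FSTP QWORD PTR SS:[EBP-C0] ; pop st(0) and store it at [EBP-C0]
004220AF . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; load 6669 into EAX. Where does this number come from?
I traced for a long time without finding where it is computed, so I guessed that it is fixed in the program. Searching for 6669 with WinHex shows that it is the value of Label5.
A few more fixed strings follow below.
004220B2 . 50 PUSH EAX
004220B3 . FF15 68834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaR8Str>; convert the string to a real number
004220B9 . DC85 40FFFFFF FADD QWORD PTR SS:[EBP-C0] ; add the machine code value, leaving the sum on the FPU stack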
004220BF . DFE0 FSTSW AX
004220C1 . A8 0D TEST AL,0D
004220C3 . 0F85 45070000 JNZ dumped_.0042280E
004220C9 . 83EC 08 SUB ESP,8
004220CC . DD1C24 FSTP QWORD PTR SS:[ESP] ; push the result (ST7) onto the stack
004220CF . FF15 FC824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrR8>; convert the real number to a string
004220D5 . 8BD0 MOV EDX,EAX ; put the string "74744190" in EDX
004220D7 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004220DA . FFD6 CALL ESI ; __vbaStrMove
004220DC . 8BD0 MOV EDX,EAX
004220DE . 8BCB MOV ECX,EBX
004220E0 . FF15 80834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCo>; msvbvm50.__vbaStrCopy
004220E6 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004220E9 . 51 PUSH ECX
004220EA . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
004220ED . 52 PUSH EDX
004220EE . 6A 02 PUSH 2
004220F0 . FF15 88834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
004220F6 . 83C4 0C ADD ESP,0C
004220F9 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004220FC . FF15 F4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeO>; msvbvm50.__vbaFreeObj
00422102 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00422104 . 57 PUSH EDI
00422105 . FF90 18030000 CALL DWORD PTR DS:[EAX+318]
0042210B . 50 PUSH EAX
0042210C . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0042210F . 51 PUSH ECX
00422110 . FF15 90824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaObjSe>; msvbvm50.__vbaObjSet
00422116 . 8BD8 MOV EBX,EAX
00422118 . 8B13 MOV EDX,DWORD PTR DS:[EBX]
0042211A . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0042211D . 50 PUSH EAX
0042211E . 53 PUSH EBX
0042211F . FF52 50 CALL DWORD PTR DS:[EDX+50]
00422122 . 85C0 TEST EAX,EAX
00422124 . 7D 0F JGE SHORT dumped_.00422135
00422126 . 6A 50 PUSH 50
00422128 . 68 60EE4100 PUSH dumped_.0041EE60
0042212D . 53 PUSH EBX
0042212E . 50 PUSH EAX
0042212F . FF15 70824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00422135 > 8B4F 34 MOV ECX,DWORD PTR DS:[EDI+34]
00422138 . 51 PUSH ECX ; the string produced by the addition
00422139 . FF15 F8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcR8ValFr>; msvbvm50.rtcR8ValFromBstr
0042213F . FF15 B4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFpI4>>; msvbvm50.__vbaFpI4
00422145 . 8BD8 MOV EBX,EAX
00422147 . 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48] ; a string, "73468482"
0042214A . 52 PUSH EDX
0042214B . FF15 84834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaI4Str>; msvbvm50.__vbaI4Str
00422151 . 33D8 XOR EBX,EAX ; both strings converted to integers and XORed
00422153 . 53 PUSH EBX ; push the XOR result
00422154 . FF15 2C824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrI4>; convert the integer to a string
0042215A . 8BD0 MOV EDX,EAX ; the string "1411900"
0042215C . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0042215F . FFD6 CALL ESI
00422161 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422164 . FF15 F0834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStr
0042216A . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0042216D . FF15 F4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeO>; msvbvm50.__vbaFreeObj
00422173 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00422175 . 57 PUSH EDI
00422176 . FF90 1C030000 CALL DWORD PTR DS:[EAX+31C]
0042217C . 50 PUSH EAX
0042217D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00422180 . 51 PUSH ECX
00422181 . FF15 90824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaObjSe>; msvbvm50.__vbaObjSet
00422187 . 8BD8 MOV EBX,EAX
00422189 . 8B13 MOV EDX,DWORD PTR DS:[EBX]
0042218B . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0042218E . 50 PUSH EAX
0042218F . 53 PUSH EBX
00422190 . FF52 50 CALL DWORD PTR DS:[EDX+50]
00422193 . 85C0 TEST EAX,EAX
00422195 . 7D 0F JGE SHORT dumped_.004221A6
00422197 . 6A 50 PUSH 50
00422199 . 68 60EE4100 PUSH dumped_.0041EE60
0042219E . 53 PUSH EBX
0042219F . 50 PUSH EAX
004221A0 . FF15 70824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004221A6 > 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C] ; the string "1411900" from above
004221A9 . 51 PUSH ECX
004221AA . 8B1D 84834300 MOV EBX,DWORD PTR DS:[<&msvbvm50.__vbaI4>; msvbvm50.__vbaI4Str
004221B0 . FFD3 CALL EBX ; <&msvbvm50.__vbaI4Str>
004221B2 . 8BD0 MOV EDX,EAX
004221B4 . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; the string "23479853", the fixed value of Label16 in the program
004221B7 . 50 PUSH EAX
004221B8 . 8995 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EDX
004221BE . FFD3 CALL EBX
004221C0 . 8B8D 3CFFFFFF MOV ECX,DWORD PTR SS:[EBP-C4]
004221C6 . 33C8 XOR ECX,EAX ; XOR
004221C8 . 51 PUSH ECX
004221C9 . 8B1D 2C824300 MOV EBX,DWORD PTR DS:[<&msvbvm50.__vbaSt>; msvbvm50.__vbaStrI4
004221CF . FFD3 CALL EBX ; <&msvbvm50.__vbaStrI4>
004221D1 . 8BD0 MOV EDX,EAX ; "24366353"
004221D3 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004221D6 . FFD6 CALL ESI
004221D8 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
004221DB . FF15 F0834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004221E1 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004221E4 . FF15 F4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeO>; msvbvm50.__vbaFreeObj
004221EA . 6A 05 PUSH 5 ; take the leftmost 5 characters
004221EC . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
004221EF . 52 PUSH EDX
004221F0 . FF15 B8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcLeftCha>; msvbvm50.rtcLeftCharBstr
004221F6 . 8BD0 MOV EDX,EAX ; the leftmost characters
004221F8 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
004221FB . FFD6 CALL ESI
004221FD . 50 PUSH EAX
004221FE . FF15 84834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaI4Str>; convert that string to an integer (displayed in hex)
00422204 . 35 15030000 XOR EAX,315 ; XOR the converted value with 315 (hex)
00422209 . 50 PUSH EAX
0042220A . FFD3 CALL EBX ; convert the hex value back to a decimal string
0042220C . 8BD0 MOV EDX,EAX
0042220E . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00422211 . FFD6 CALL ESI
00422213 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422216 . FF15 F0834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStr
0042221C . 8B47 40 MOV EAX,DWORD PTR DS:[EDI+40]
0042221F . 83C0 01 ADD EAX,1
00422222 . 0F80 EB050000 JO dumped_.00422813
00422228 . 8947 40 MOV DWORD PTR DS:[EDI+40],EAX
0042222B . 8D5F 38 LEA EBX,DWORD PTR DS:[EDI+38]
0042222E . 68 74EE4100 PUSH dumped_.0041EE74 ; UNICODE "NMZH"
00422233 . 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44]
00422236 . 51 PUSH ECX
00422237 . FF15 60824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCa>; concatenate "13362" and "NMZH" as the first part of the registration code
0042223D . 8BD0 MOV EDX,EAX
0042223F . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422242 . FFD6 CALL ESI
00422244 . 50 PUSH EAX
00422245 . 68 84EE4100 PUSH dumped_.0041EE84
0042224A . FF15 60824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCa>; join the concatenated string with "-"
00422250 . 8BD0 MOV EDX,EAX
00422252 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
00422255 . FFD6 CALL ESI
00422257 . 50 PUSH EAX
00422258 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0042225B . 52 PUSH EDX
0042225C . FF15 60824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCa>; concatenate again to form the correct registration code
00422262 . 8BD0 MOV EDX,EAX
00422264 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00422267 . FFD6 CALL ESI
【【【N lines omitted】】】
0042231A . 50 PUSH EAX
0042231B . FF15 C8824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCm>; compare the correct registration code with the fake code that was entered
00422321 . F7D8 NEG EAX
00422323 . 1BC0 SBB EAX,EAX
(omitted)
00422366 . 8D47 4C LEA EAX,DWORD PTR DS:[EDI+4C]
00422369 . 50 PUSH EAX
0042236A . 68 8CEE4100 PUSH dumped_.0041EE8C ; SOFTWARE\SoftNM\DATA: if the registration codes match, write to the registry
0042236F . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422372 . 51 PUSH ECX
00422373 . 8B35 AC834300 MOV ESI,DWORD PTR DS:[<&msvbvm50.__vbaSt>; msvbvm50.__vbaStrToAnsi
00422379 . FFD6 CALL ESI ; <&msvbvm50.__vbaStrToAnsi>
【End of analysis】
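The analysis above works because the program rebuilds the expected registration code from the machine code and constants stored in the binary, so the value reaches __vbaStrCmp in plain view. As an added example (not from the original article or the program), a check that ships only a public verification key never holds the expected value; the toy RSA modulus, the FNV-1a digest and all names are assumptions chosen to keep it short, and a real product would use a vetted signature library with full-size keys.

```cpp
#include <cstdint>
#include <string>

typedef unsigned __int128 u128;  // GCC/Clang extension for 64x64-bit modular products

// Client side: the only key material shipped (constructed toy modulus, NOT secure).
static const uint64_t N = 1125897758834689ULL;
static const uint64_t E = 65537;

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    u128 result = 1, b = base % mod;
    for (; exp; exp >>= 1) {
        if (exp & 1) result = result * b % mod;
        b = b * b % mod;
    }
    return (uint64_t)result;
}

// FNV-1a over the machine code string, reduced into the signing domain.
static uint64_t digest(const std::string& machine_code) {
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < machine_code.size(); ++i) {
        h ^= (unsigned char)machine_code[i];
        h *= 1099511628211ULL;
    }
    return h % N;
}

// The client verifies a licence it was given; it cannot derive one itself.
bool licence_ok(const std::string& machine_code, uint64_t licence) {
    return licence < N && modpow(licence, E, N) == digest(machine_code);
}

// Vendor side only (never shipped): secret factors 2^31-1 and 2^19-1.
static const uint64_t P = 2147483647ULL, Q = 524287ULL;

static uint64_t private_exponent() {
    int64_t phi = (int64_t)((P - 1) * (Q - 1));
    int64_t r0 = phi, r1 = (int64_t)E, t0 = 0, t1 = 1;
    while (r1 != 0) {  // extended Euclid, invariant: r == t * E (mod phi)
        int64_t q = r0 / r1, r = r0 - q * r1, t = t0 - q * t1;
        r0 = r1; r1 = r; t0 = t1; t1 = t;
    }
    return (uint64_t)(t0 < 0 ? t0 + phi : t0);
}

uint64_t vendor_issue(const std::string& machine_code) {
    return modpow(digest(machine_code), private_exponent(), N);
}
```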
【3】Keygen, tested under VC6.0 + Win2000 SP4
void CMyDlg::OnYes()
{
    // TODO: Add your control notification handler code here
    int jqm;
    CString s1, s2;
    UpdateData(TRUE);
    jqm = atoi(m_jqm);
    int label5 = 6669;
    int label15 = 73468482;
    int label16 = 23479853;
    int sum = 0;
    int temp = 0;
    sum = jqm + label5;       // sum
    sum = sum ^ label15;      // XOR
    temp = sum ^ label16;
    s1.Format("%d", sum);
    s1 = s1.Left(5);          // take the leftmost 5 characters
    s2.Format("%d", temp);    // second part of the registration code
    sum = atoi(s1);
    sum = sum ^ 0x315;
    m_zcm.Format("NMZH%d-%s", sum, s2);
    UpdateData(FALSE);
}
--------------------------------------------------------------------------------
【Summary】
A simple VB program! Heh, just a bit of practice! Did you read to the end? I hope you did not laugh your teeth out! :)
--------------------------------------------------------------------------------
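【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article complete. Thank you!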