單詞背背佳 1.0 Algorithm Analysis
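[Protection] Hardware serial number; one registration code per machine
[Date added] 2005.1.9, 2005.1.11
[Download, junior high school edition] http://www1.skycn.com/soft/21631.html
[Download, college CET-6 edition] http://www1.skycn.com/soft/21659.html
[Tools] OllyDbg 1.10, PEiD 0.92, AspackDie 1.41, SmartCheck 6.2
Cracking process (junior high school edition):
1. First, PEiD 0.92 reports the packer as: ASPack 2.12 -> Alexey Solodovnikov
After removing the ASPack shell with AspackDie 1.41, the program is identified as: Microsoft Visual Basic 5.0 / 6.0
2. Visual Basic provides a standard registry location for storing program information for applications built with Visual Basic:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\appname\section\key
Visual Basic also provides four statements or functions for working with program settings stored in the application's registry location.
------------------------------------------------------------------
GetSetting function: retrieves a registry setting.
SaveSetting statement: saves or creates a registry setting.
GetAllSettings function: returns an array containing multiple registry settings.
DeleteSetting statement: deletes a registry setting.
------------------------------------------------------------------
The first step of our crack is to check whether the program stores its registration information with the functions above.
After entering registration information in the program, I found the following in the registry:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wordbbj]
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wordbbj\setting]
"machine"="495353"
"regSN"="12345"
"validate"="67890"
So the program uses the functions VB provides to store its registration information and does not call the API directly to access the registry.
The GetSetting function corresponds to rtcGetSetting in the VB runtime library MSVBVM60.DLL.
3. After loading the program in OllyDbg (OD), press ALT+E and select the MSVBVM60.dll module,
right-click and choose "View Names" to open the window listing its functions,
then scroll down to rtcGetSetting, select it, and press F2.
Press F9 to run, click to enter the study screen, and press Shift+F9 to skip the exceptions; OllyDbg then breaks.
Press CTRL+F9, then F8 to return to the program's own code, arriving at the following location: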
0042E680 > 55 PUSH EBP
0042E681 . 8BEC MOV EBP,ESP
0042E683 . 83EC 18 SUB ESP,18
0042E686 . 68 76274000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0042E68B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0042E691 . 50 PUSH EAX
0042E692 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0042E699 . B8 38010000 MOV EAX,138
0042E69E . E8 CD40FDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042E6A3 . 53 PUSH EBX
0042E6A4 . 56 PUSH ESI
0042E6A5 . 57 PUSH EDI
0042E6A6 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0042E6A9 . C745 EC 782540>MOV DWORD PTR SS:[EBP-14],unpacked.00402>
0042E6B0 . C745 F0 000000>MOV DWORD PTR SS:[EBP-10],0
0042E6B7 . C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
0042E6BE . C745 FC 010000>MOV DWORD PTR SS:[EBP-4],1
0042E6C5 . C745 FC 020000>MOV DWORD PTR SS:[EBP-4],2
0042E6CC . 6A FF PUSH -1
0042E6CE . FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError
0042E6D4 . C745 FC 030000>MOV DWORD PTR SS:[EBP-4],3
0042E6DB . C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],1
0042E6E5 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],2
0042E6EF . C785 10FFFFFF >MOV DWORD PTR SS:[EBP-F0],3
0042E6F9 . C785 08FFFFFF >MOV DWORD PTR SS:[EBP-F8],2
0042E703 . C785 00FFFFFF >MOV DWORD PTR SS:[EBP-100],1
0042E70D . C785 F8FEFFFF >MOV DWORD PTR SS:[EBP-108],2
0042E717 . 8D85 18FFFFFF LEA EAX,DWORD PTR SS:[EBP-E8]
0042E71D . 50 PUSH EAX
0042E71E . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8]
0042E724 . 51 PUSH ECX
0042E725 . 8D95 F8FEFFFF LEA EDX,DWORD PTR SS:[EBP-108]
0042E72B . 52 PUSH EDX
0042E72C . 8D85 C4FEFFFF LEA EAX,DWORD PTR SS:[EBP-13C]
0042E732 . 50 PUSH EAX
0042E733 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]
0042E739 . 51 PUSH ECX
0042E73A . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0042E73D . 52 PUSH EDX
0042E73E . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
; start of loop
0042E744 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
0042E74A . E9 28010000 JMP unpacked.0042E877
0042E74F > C745 FC 040000>MOV DWORD PTR SS:[EBP-4],4
0042E756 . E8 15300000 CALL unpacked.00431770 ; subroutine that computes the user code
0042E75B . 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX ; save the user code to [EBP-10C]
0042E761 . C785 70FFFFFF >MOV DWORD PTR SS:[EBP-90],1
0042E76B . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],2
0042E775 . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0042E77B . 50 PUSH EAX
0042E77C . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0042E77F . 51 PUSH ECX
0042E780 . FF15 64114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
; convert Variant to Long
0042E786 . 50 PUSH EAX
0042E787 . 8B95 F4FEFFFF MOV EDX,DWORD PTR SS:[EBP-10C]
0042E78D . 52 PUSH EDX ; push the user code (as a hexadecimal number)
0042E78E . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
; convert Long to string
0042E794 . 8BD0 MOV EDX,EAX
0042E796 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E79C . FF15 A0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
; move variable
0042E7A2 . 50 PUSH EAX ; push the user code string
0042E7A3 . FF15 A0104000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
; take one character of the user code at a time
0042E7A9 . 8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
0042E7AF . C785 58FFFFFF >MOV DWORD PTR SS:[EBP-A8],8
0042E7B9 . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
0042E7BF . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0042E7C2 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E7C8 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E7CE . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042E7D4 . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
0042E7DA . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0042E7E0 . C745 FC 050000>MOV DWORD PTR SS:[EBP-4],5
0042E7E7 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0042E7EA . 50 PUSH EAX
0042E7EB . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E7F1 . 51 PUSH ECX
0042E7F2 . FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0042E7F8 . 50 PUSH EAX
0042E7F9 . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
; get the ASCII value of one character of the user code
0042E7FF . 66:8985 20FFFF>MOV WORD PTR SS:[EBP-E0],AX
0042E806 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],2
0042E810 . 8D95 18FFFFFF LEA EDX,DWORD PTR SS:[EBP-E8]
0042E816 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0042E819 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E81F . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E825 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042E82B . C745 FC 060000>MOV DWORD PTR SS:[EBP-4],6
0042E832 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0042E835 . 52 PUSH EDX
0042E836 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0042E839 . 50 PUSH EAX
0042E83A . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98] ;
0042E840 . 51 PUSH ECX
0042E841 . FF15 1C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
; concatenate the ASCII values into a string
0042E847 . 8BD0 MOV EDX,EAX
0042E849 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0042E84C . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E852 . C745 FC 070000>MOV DWORD PTR SS:[EBP-4],7
0042E859 . 8D95 C4FEFFFF LEA EDX,DWORD PTR SS:[EBP-13C]
0042E85F . 52 PUSH EDX
0042E860 . 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
0042E866 . 50 PUSH EAX
0042E867 . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0042E86A . 51 PUSH ECX
0042E86B . FF15 C0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0042E871 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
0042E877 > 83BD ACFEFFFF >CMP DWORD PTR SS:[EBP-154],0
0042E87E .^0F85 CBFEFFFF JNZ unpacked.0042E74F ; jump back to the start of the loop
0042E884 . C745 FC 080000>MOV DWORD PTR SS:[EBP-4],8
0042E88B . C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],80020004
0042E895 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],0A
0042E89F . B8 10000000 MOV EAX,10
0042E8A4 . E8 C73EFDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042E8A9 . 8BD4 MOV EDX,ESP
0042E8AB . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
0042E8B1 . 8902 MOV DWORD PTR DS:[EDX],EAX
0042E8B3 . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0042E8B9 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0042E8BC . 8B85 20FFFFFF MOV EAX,DWORD PTR SS:[EBP-E0]
0042E8C2 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0042E8C5 . 8B8D 24FFFFFF MOV ECX,DWORD PTR SS:[EBP-DC]
0042E8CB . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0042E8CE . 68 D0014100 PUSH unpacked.004101D0 ; UNICODE "machine"
0042E8D3 . 68 BC014100 PUSH unpacked.004101BC ; UNICODE "setting"
0042E8D8 . 68 A8014100 PUSH unpacked.004101A8 ; UNICODE "wordbbj"
0042E8DD . FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
0042E8E3 . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX ; read the machine code
0042E8E9 . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],8
0042E8F3 . 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
0042E8F9 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0042E8FC . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
; move variable
0042E902 . C745 FC 090000>MOV DWORD PTR SS:[EBP-4],9
0042E909 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0042E90C . 52 PUSH EDX
0042E90D . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0042E913 . 50 PUSH EAX
0042E914 . FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
; convert variable to string
0042E91A . 50 PUSH EAX
0042E91B . FF15 D0114000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
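; convert the machine code string to a double-precision real
0042E921 . DD9D ECFEFFFF FSTP QWORD PTR SS:[EBP-114] ; store the double-precision real in [EBP-114]
0042E927 . 68 5C8FEA3F PUSH 3FEA8F5C ; push the high 32 bits of a double (high 32 bits of the exponent)
0042E92C . 68 8FC2F528 PUSH 28F5C28F ; push the low 32 bits of a double (low 32 bits of the exponent)
(3FEA8F5C 28F5C28F is the double-precision value 0.83)
0042E931 . 8B8D F0FEFFFF MOV ECX,DWORD PTR SS:[EBP-110] ; high 32 bits of a double, pushed next (high 32 bits of the base, the machine code)
0042E937 . 51 PUSH ECX
0042E938 . 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114] ; low 32 bits of a double, pushed next (low 32 bits of the base)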
0042E93E . 52 PUSH EDX
0042E93F . FF15 54114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPower>; MSVBVM60.__vbaPowerR8
; raises a number to a power
0042E945 . DC05 E0254000 FADD QWORD PTR DS:[4025E0] ; add the real constant 546971.0000000000
0042E94B . DD9D 70FFFFFF FSTP QWORD PTR SS:[EBP-90]
0042E951 . DFE0 FSTSW AX
0042E953 . A8 0D TEST AL,0D
0042E955 . 0F85 83030000 JNZ unpacked.0042ECDE
0042E95B . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],5
; set the first byte of the Variant to 5, meaning the stored data is actually a double
0042E965 . 6A 06 PUSH 6
0042E967 . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0042E96D . 50 PUSH EAX
0042E96E . 8D8D 58FFFFFF LEA ECX,DWORD PTR SS:[EBP-A8]
0042E974 . 51 PUSH ECX
0042E975 . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
; take the rightmost six characters of the variable above
0042E97B . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8] ; string address saved in [EBP-A8]
0042E981 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0042E984 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E98A . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E990 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042E996 . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
0042E99C . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0042E9A2 . C745 FC 0A0000>MOV DWORD PTR SS:[EBP-4],0A
0042E9A9 . C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],80020004
0042E9B3 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],0A
0042E9BD . B8 10000000 MOV EAX,10
0042E9C2 . E8 A93DFDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042E9C7 . 8BD4 MOV EDX,ESP
0042E9C9 . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
0042E9CF . 8902 MOV DWORD PTR DS:[EDX],EAX
0042E9D1 . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0042E9D7 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0042E9DA . 8B85 20FFFFFF MOV EAX,DWORD PTR SS:[EBP-E0]
0042E9E0 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0042E9E3 . 8B8D 24FFFFFF MOV ECX,DWORD PTR SS:[EBP-DC]
0042E9E9 . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0042E9EC . 68 E4014100 PUSH unpacked.004101E4 ; UNICODE "regSN"
0042E9F1 . 68 BC014100 PUSH unpacked.004101BC ; UNICODE "setting"
0042E9F6 . 68 A8014100 PUSH unpacked.004101A8 ; UNICODE "wordbbj"
0042E9FB . FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
; read the "regSN" value
0042EA01 . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX ; save it to [EBP-90]
0042EA07 . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],8008
0042EA11 . C785 10FFFFFF >MOV DWORD PTR SS:[EBP-F0],80020004
0042EA1B . C785 08FFFFFF >MOV DWORD PTR SS:[EBP-F8],0A
0042EA25 . B8 10000000 MOV EAX,10
0042EA2A . E8 413DFDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042EA2F . 8BD4 MOV EDX,ESP
0042EA31 . 8B85 08FFFFFF MOV EAX,DWORD PTR SS:[EBP-F8]
0042EA37 . 8902 MOV DWORD PTR DS:[EDX],EAX
0042EA39 . 8B8D 0CFFFFFF MOV ECX,DWORD PTR SS:[EBP-F4]
0042EA3F . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0042EA42 . 8B85 10FFFFFF MOV EAX,DWORD PTR SS:[EBP-F0]
0042EA48 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0042EA4B . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
0042EA51 . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0042EA54 . 68 F4014100 PUSH unpacked.004101F4 ; UNICODE "validate"
0042EA59 . 68 BC014100 PUSH unpacked.004101BC ; UNICODE "setting"
0042EA5E . 68 A8014100 PUSH unpacked.004101A8 ; UNICODE "wordbbj"
0042EA63 . FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
; read the "validate" value
0042EA69 . 8985 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EAX ; save it to [EBP-B0]
0042EA6F . C785 48FFFFFF >MOV DWORD PTR SS:[EBP-B8],8008 ; [EBP-B8] is a pointer
0042EA79 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0042EA7C . 52 PUSH EDX
0042EA7D . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0042EA83 . 50 PUSH EAX ; push the "regSN" value
0042EA84 . 8D8D 58FFFFFF LEA ECX,DWORD PTR SS:[EBP-A8] ; push the address of the string derived from the user code earlier
0042EA8A . 51 PUSH ECX
0042EA8B . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCm>; MSVBVM60.__vbaVarCmpNe
; compare
0042EA91 . 50 PUSH EAX
0042EA92 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0042EA95 . 52 PUSH EDX
0042EA96 . 8D85 48FFFFFF LEA EAX,DWORD PTR SS:[EBP-B8]
0042EA9C . 50 PUSH EAX ; push the address of the "validate" value
0042EA9D . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8] ; push the address of the six-character string obtained above
0042EAA3 . 51 PUSH ECX
0042EAA4 . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCm>; MSVBVM60.__vbaVarCmpNe
; compare
0042EAAA . 50 PUSH EAX
0042EAAB . 8D95 28FFFFFF LEA EDX,DWORD PTR SS:[EBP-D8]
0042EAB1 . 52 PUSH EDX
0042EAB2 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarOr>; MSVBVM60.__vbaVarOr
; logical OR of the two comparison results above
0042EAB8 . 50 PUSH EAX
0042EAB9 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
; get the Boolean value
0042EABF . 66:8985 E8FEFF>MOV WORD PTR SS:[EBP-118],AX ; assign to the registration flag variable [EBP-118]
0042EAC6 . 8D85 48FFFFFF LEA EAX,DWORD PTR SS:[EBP-B8]
0042EACC . 50 PUSH EAX
0042EACD . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
0042EAD3 . 51 PUSH ECX
0042EAD4 . 6A 02 PUSH 2
0042EAD6 . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0042EADC . 83C4 0C ADD ESP,0C
0042EADF . 0FBF95 E8FEFFF>MOVSX EDX,WORD PTR SS:[EBP-118] ; load the registration flag [EBP-118] into EDX
0042EAE6 . 85D2 TEST EDX,EDX ; check whether registered
0042EAE8 . 0F84 3C010000 JE unpacked.0042EC2A ; if EDX is zero, jump to the registered branch
0042EAEE . C745 FC 0B0000>MOV DWORD PTR SS:[EBP-4],0B
0042EAF5 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042EAF8 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0042EAFA . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
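A reading aid for the listing above, added here and not part of the original write-up: it rebuilds the double formed by the two PUSH immediates at 0042E927 and 0042E92C and names the VARIANT type tags the routine writes before each runtime call. The VT names come from the Windows VARENUM; the helper names and the pointer value in the last call are constructed for illustration.

```python
import struct

# VARTYPE tags from the Windows VARENUM that appear in the listing.
VT_NAMES = {2: "VT_I2", 3: "VT_I4", 5: "VT_R8", 8: "VT_BSTR",
            10: "VT_ERROR", 11: "VT_BOOL"}
VT_FLAGS = {0x2000: "VT_ARRAY", 0x4000: "VT_BYREF", 0x8000: "VT_RESERVED"}
DISP_E_PARAMNOTFOUND = 0x80020004  # payload marking an omitted optional argument


def double_from_pushes(first_push, second_push):
    """Rebuild a double passed by value as two PUSH imm32 instructions.

    The stack grows downward, so the dword pushed first is the high half
    and the one pushed second ends up at the lower address (low half).
    """
    return struct.unpack("<d", struct.pack("<II", second_push, first_push))[0]


def pushes_for_double(value):
    """Inverse: the (first, second) immediates that pass `value` on the stack."""
    low, high = struct.unpack("<II", struct.pack("<d", value))
    return high, low


def describe_variant(vt_field, payload):
    """Describe a VARIANT from its type word (offset 0) and payload (offset 8)."""
    base = VT_NAMES.get(vt_field & 0x0FFF, "VT_%d" % (vt_field & 0x0FFF))
    flags = [name for bit, name in VT_FLAGS.items() if vt_field & bit]
    desc = "|".join([base] + flags)
    if base == "VT_ERROR" and payload == DISP_E_PARAMNOTFOUND:
        return desc + " (omitted optional argument)"
    if base in ("VT_I2", "VT_I4"):
        return "%s = %d" % (desc, payload)
    if base == "VT_BSTR":
        return "%s -> string at 0x%08X" % (desc, payload)
    return desc


if __name__ == "__main__":
    # Exponent pushed at 0042E927 / 0042E92C before __vbaPowerR8.
    print(double_from_pushes(0x3FEA8F5C, 0x28F5C28F))
    # [EBP-E8] / [EBP-E0] at 0042E88B: the Variant copied to the stack for rtcGetSetting.
    print(describe_variant(0x0A, 0x80020004))
    # [EBP-98] / [EBP-90] at 0042E761.
    print(describe_variant(2, 1))
    # Type word 8008 at 0042EA07; the pointer value here is constructed.
    print(describe_variant(0x8008, 0x0014F2A4))
```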
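4. Algorithm summary:
Taking my machine as an example,
---------------------------------------------
User code: 240
Machine code: 495353
----------------------------------------------
2………………ASCII value 50
4………………ASCII value 52
0………………ASCII value 48
Concatenated into the string "505248"
The machine code raised to the power 0.83: 495353 ^ 0.83 = 53306.39117961 (double precision)
53306.39117961+547961=601267.39117961
Taking the rightmost six characters of "601267.39117961" gives: "117961"
---------------------------------------------------------------
The program checks whether the following two items match:
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wordbbj\setting]
whether the "regSN" value equals "505248"
whether the "validate" value equals "117961"
If both match, registration succeeds!
------------------------------------------------------------------------
Note: the registration code is the same for all of its editions!!!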
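5. Keygen in VB:
Private Sub Command1_Click()
    On Error Resume Next
    Dim l As Integer, i As Integer
    Dim s1 As String, s2 As String
    ' Text1 = user code, Text2 = machine code; both are required
    If Text1.Text = "" Or Text2.Text = "" Then Exit Sub
    l = Len(Trim(Text1.Text))
    ' regSN: decimal ASCII value of each character of the user code, concatenated
    For i = 1 To l
        s1 = s1 + CStr(Asc(Mid(Text1.Text, i, 1)))
    Next
    ' validate: rightmost six characters of (machine code ^ 0.83 + 546971)
    s2 = Right(CDbl(Text2.Text) ^ 0.83 + CDbl(546971), 6)
    Text3.Text = s1
    Text4.Text = s2
    SaveSetting "wordbbj", "setting", "regSN", s1
    SaveSetting "wordbbj", "setting", "validate", s2
    ' Message text: "Thank you for using this!! The registration information has been saved to the registry."
    MsgBox "謝謝使用!!註冊資訊已儲存到登錄檔。", vbInformation, "CrackerWu[BCG]"
End Sub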