Wubi Typing Practice Software
======================
sunrix, 2002-9-27
Software name: XXXXX
Software version: 2.2
Description: Wubi typing practice software
Protection: registration code, one code per machine
Language: VB6, P-Code
Cracking tool: WKTVBDebugger 1.4e
The main program is <XXXXX.exe>. It is not packed; PEiD reports VB6, and a quick disassembly shows it was compiled to P-code. Start the program under WKTVBDebugger 1.4e and, in the Form Manager drop-down, select the form goumai (that is the registration dialog's form. How did I know? "goumai" is the pinyin of what, "购买" (buy)? So it wants you to pay up and register, heh, a lucky guess). Then click the <command> button and select <command2> in the drop-down; that is the <Register> button on the registration dialog (found by trial and error). Click bpx to set a breakpoint there. Alternatively, type the address 51AD8C into WKT's "on execution" box to set the breakpoint directly. Press F5 to run the program, open the registration dialog, type in any registration code, and click <Register>; WKT takes control:
Proc: 51c194
51AD8C: 00 LargeBos                      ; LargeBos marks the start of one line of VB source code;
                                         ; the code between one LargeBos and the next was compiled from a single source line
51AD8E: 00 LargeBos
on error resume next
51AD90: 4b OnErrorGoto
=======================
junk code begin ===========================================
local_008C = 3000
51AD93: 00 LargeBos
51AD95: f5 LitI4: 0xbb8 3000 (....)      ; Lit stands for Literal: loads an immediate value
51AD9A: 71 FStR4 local_008C              ; local_008c means [ebp-8c]
The two instructions above mean: long [ebp-8c] = 3000
Randomize
51AD9D: 00 LargeBos
51AD9F: 27 LitVar_Missing                ; LitVar_Missing: an optional argument that was not supplied
51ADA2: 0a ImpAdCallFPR4: ;rtcRandomize
51ADA7: 35 FFree1Var local_00B0
dim local_0086 as integer
local_0086 = int(24*Rnd+1)               ; a random number between 1 and 24
51ADAA: 00 LargeBos
51ADAC: 27 LitVar_Missing
51ADAF: 0a ImpAdCallFPR4: ;rtcRandomNext
51ADB4: 73 FStFPR4
51ADB7: f4 LitI2_Byte: 0x18 24 (.)       ; byte immediate
51ADB9: eb CR8I2                         ; convert to Double
51ADBA: 6e FLdFPR4
51ADBD: b3 MulR8
51ADBE: Lead0/e6 FnIntR8
51ADC0: f4 LitI2_Byte: 0x1 1 (.)
51ADC2: eb CR8I2
51ADC3: ab AddR8
51ADC4: e5 CI2R8
51ADC5: 70 FStI2 local_0086
51ADC8: 35 FFree1Var local_00B0
dim local_00B6 as integer
local_00B6 = local_0086
51ADCB: 00 LargeBos
51ADCD: 6b FLdI2 local_0086
51ADD0: 70 FStI2 local_00B6
select case local_00B6
case 1
51ADD3: 00 LargeBos
51ADD5: 6b FLdI2 local_00B6
51ADD8: f4 LitI2_Byte: 0x1 1 (.)
51ADDA: c6 EqI2
51ADDB: 1c BranchF: 51AE13
51ADDE: 00 LargeBos
51ADE0: 6c ILdRf local_008C
51ADE3: 71 FStR4 local_0090
51ADE6: 00 LargeBos
51ADE8: 6c ILdRf local_008C
51ADEB: f5 LitI4: 0x168 360 (...h)
51ADF0: aa AddI4
51ADF1: 71 FStR4 local_0090
51ADF4: 00 LargeBos
51ADF6: 6c ILdRf local_008C
51ADF9: f5 LitI4: 0x2d0 720 (....)
51ADFE: aa AddI4
51ADFF: 71 FStR4 local_0090
51AE02: 00 LargeBos
51AE04: 6c ILdRf local_008C
51AE07: f5 LitI4: 0x438 1080 (...8)
51AE0C: aa AddI4
51AE0D: 71 FStR4 local_0090
51AE10: 1e Branch: 51b3d0
case 2
51AE13: 00 LargeBos
51AE15: 6b FLdI2 local_00B6
51AE18: f4 LitI2_Byte: 0x2 2 (.)
51AE1A: c6 EqI2
51AE1B: 1c BranchF: 51AE53
51AE1E: 00 LargeBos
51AE20: 6c ILdRf local_008C
51AE23: 71 FStR4 local_0090
51AE26: 00 LargeBos
51AE28: 6c ILdRf local_008C
51AE2B: f5 LitI4: 0x168 360 (...h)
51AE30: aa AddI4
51AE31: 71 FStR4 local_0090
51AE34: 00 LargeBos
51AE36: 6c ILdRf local_008C
51AE39: f5 LitI4: 0x2d0 720 (....)
51AE3E: aa AddI4
51AE3F: 71 FStR4 local_0090
51AE42: 00 LargeBos
51AE44: 6c ILdRf local_008C
51AE47: f5 LitI4: 0x438 1080 (...8)
51AE4C: aa AddI4
51AE4D: 71 FStR4 local_0090
51AE50: 1e Branch: 51b3d0
omitted: case 3 through case 23
case 24
51B393: 00 LargeBos
51B395: 6b FLdI2 local_00B6
51B398: f4 LitI2_Byte: 0x18 24 (.)
51B39A: c6 EqI2
51B39B: 1c BranchF: 51B3D0
51B39E: 00 LargeBos
51B3A0: 6c ILdRf local_008C
51B3A3: 71 FStR4 local_0090
51B3A6: 00 LargeBos
51B3A8: 6c ILdRf local_008C
51B3AB: f5 LitI4: 0x168 360 (...h)
51B3B0: aa AddI4
51B3B1: 71 FStR4 local_0090
51B3B4: 00 LargeBos
51B3B6: 6c ILdRf local_008C
51B3B9: f5 LitI4: 0x2d0 720 (....)
51B3BE: aa AddI4
51B3BF: 71 FStR4 local_0090
51B3C2: 00 LargeBos
51B3C4: 6c ILdRf local_008C
51B3C7: f5 LitI4: 0x438 1080 (...8)
51B3CC: aa AddI4
51B3CD: 71 FStR4 local_0090
end select
=======================
junk code end ===========================================
Everything from 51AD9D to here is meaningless junk code. Similar code appears twice more further down, and I have cut it out.
dim temp as variant
temp = StrReverse(CStr(CLng(Text5.Text)/1022))   ; the real registration code
At first I thought text5 was the textbox on the registration dialog that displays the machine code, but while tracing I saw that the text read from text5 differed from the machine code on screen, which I could not make sense of. Later I looked at the machine-code textbox on the registration dialog with Spy and found its caption is text4. So text5 is probably a hidden textbox, and WKTVBDebugger's Form Manager confirms it: open the Form Manager, select goumai, click textbox, open the drop-down above it and, wow, there are six textboxes, while only two are visible on the registration dialog. So many hidden ones, up to no good behind the scenes :)
A moment's thought shows that text5.text is derived by transforming the machine code. Where and how that transformation happens we leave aside for now.
51B3D0: 00 LargeBos
51B3D2: 00 LargeBos
51B3D4: 04 FLdRfVar local_00D0
51B3D7: 21 FLdPrThis
51B3D8: 0f VCallAd (object 8 )           ; text5
51B3DB: 19 FStAdFunc local_00CC
51B3DE: 08 FLdPr local_00CC
51B3E1: 0d VCallHresult
51B3E6: 6c ILdRf local_00D0
51B3E9: 50 CI4Str
51B3EA: f5 LitI4: 0x3fe 1022 (....)
51B3EF: c0 IDvI4
51B3F0: Lead0/fe CStrI4
51B3F2: 23 FStStrNoPop local_00D4
51B3F5: 0b ImpAdCallI2 rtcStrReverse
51B3FA: 46 CVarStr local_00B0
===== Once the pcode above has executed, WKT shows the real registration code in its log window. Don't hesitate, write it down :) ====
51B3FD: Lead1/f6 FStVar
51B401: 32 FFreeStr
51B408: 1a FFree1Ad local_00CC
if Left(Text1.Text, Len(StrReverse(CStr(CLng(Text5.Text)/1022)))) = StrReverse(CStr(CLng(Text5.Text)/1022)) then
51B40B: 00 LargeBos
51B40D: 04 FLdRfVar local_00D0
51B410: 21 FLdPrThis
51B411: 0f VCallAd (object e )           ; text1
51B414: 19 FStAdFunc local_00CC
51B417: 08 FLdPr local_00CC
51B41A: 0d VCallHresult
51B41F: 04 FLdRfVar local_00D4
51B422: 21 FLdPrThis
51B423: 0f VCallAd (object 8 )           ; text5
51B426: 19 FStAdFunc local_00D8
51B429: 08 FLdPr local_00D8
51B42C: 0d VCallHresult
51B431: 6c ILdRf local_00D4
51B434: 50 CI4Str
51B435: f5 LitI4: 0x3fe 1022 (....)
51B43A: c0 IDvI4
51B43B: Lead0/fe CStrI4
51B43D: 23 FStStrNoPop local_00DC
51B440: 0b ImpAdCallI2 rtcStrReverse
51B445: 23 FStStrNoPop local_00E0
51B448: 4a FnLenStr
51B449: 3e FLdZeroAd local_00D0
51B44C: 46 CVarStr local_00B0            ; -> the registration code that was entered
51B44F: 04 FLdRfVar local_00F0
51B452: 0a ImpAdCallFPR4: ;rtcLeftCharVar
51B457: 04 FLdRfVar local_00F0
51B45A: 04 FLdRfVar local_00F8
51B45D: 21 FLdPrThis
51B45E: 0f VCallAd (object 8 )           ; Text5
51B461: 19 FStAdFunc local_00F4
51B464: 08 FLdPr local_00F4
51B467: 0d VCallHresult
51B46C: 6c ILdRf local_00F8
51B46F: 50 CI4Str
51B470: f5 LitI4: 0x3fe 1022 (....)
51B475: c0 IDvI4
51B476: Lead0/fe CStrI4
51B478: 23 FStStrNoPop local_00FC
51B47B: 0b ImpAdCallI2 rtcStrReverse
51B480: 46 CVarStr local_010C
51B483: 5d HardType
51B484: Lead0/33 EqVarBool               ; compares the real registration code with the one entered!
51B486: 32 FFreeStr
51B493: 29 FFreeAd:
51B49C: 36 FFreeVar
51B4A5: 1c BranchF: 51C179
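The check reconstructed above, modelled as an added example that is not part of the original page or of the program it analyses: a small Python stack interpreter for the handful of opcodes in the trace, run over one of the junk "case" blocks and over the key derivation at 51B3E6, followed by the shipped Left(...) prefix comparison next to a full-length one. The opcode semantics are this example's own simplified reading of the trace (IDvI4 is treated as VB's integer divide), the function names are this example's, and the machine-code value 123456789 is constructed.

```python
# Added example: a toy interpreter for the few P-code operations in the trace
# above.  Not code from the original page or from the program being analysed.
# Opcode names follow the trace; the semantics given to them here are this
# example's simplified reading (IDvI4 is taken to be VB's integer divide, `\`),
# and the machine-code value used at the bottom is a constructed sample.
import hmac


def run_pcode(ops, local_vars):
    """Execute a list of (mnemonic, operand...) tuples on an operand stack.

    Returns the final stack and the set of locals that were read at least once,
    so a caller can tell which stores are dead within the sequence.
    """
    stack = []
    reads = set()
    for op, *arg in ops:
        if op in ("LitI4", "LitI2_Byte"):           # push an immediate
            stack.append(arg[0])
        elif op in ("ILdRf", "FLdI2"):              # push the value of a local
            reads.add(arg[0])
            stack.append(local_vars[arg[0]])
        elif op in ("FStR4", "FStI2"):              # pop the top into a local
            local_vars[arg[0]] = stack.pop()
        elif op == "FStStrNoPop":                   # store but leave it on the stack
            local_vars[arg[0]] = stack[-1]
        elif op == "AddI4":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "CI4Str":                        # CLng(string)
            stack.append(int(stack.pop()))
        elif op == "IDvI4":                         # integer divide
            b, a = stack.pop(), stack.pop()
            stack.append(a // b)
        elif op == "CStrI4":                        # CStr(long)
            stack.append(str(stack.pop()))
        elif op == "rtcStrReverse":                 # StrReverse(string)
            stack.append(stack.pop()[::-1])
        else:
            raise ValueError(f"op not modelled: {op}")
    return stack, reads


# One 'case' block of the junk switch: local_008C = 3000, then four stores
# into local_0090 that nothing in the block reads back.
JUNK_CASE = [
    ("LitI4", 3000), ("FStR4", "local_008C"),
    ("ILdRf", "local_008C"), ("FStR4", "local_0090"),
    ("ILdRf", "local_008C"), ("LitI4", 360), ("AddI4",), ("FStR4", "local_0090"),
    ("ILdRf", "local_008C"), ("LitI4", 720), ("AddI4",), ("FStR4", "local_0090"),
    ("ILdRf", "local_008C"), ("LitI4", 1080), ("AddI4",), ("FStR4", "local_0090"),
]

# The derivation at 51B3E6..51B3FA, after Text5.Text has been read into local_00D0.
KEY_DERIVATION = [
    ("ILdRf", "local_00D0"), ("CI4Str",), ("LitI4", 1022), ("IDvI4",),
    ("CStrI4",), ("FStStrNoPop", "local_00D4"), ("rtcStrReverse",),
]


def dead_stores(ops):
    """Locals written by the sequence but never read by it."""
    local_vars = {}
    _, reads = run_pcode(ops, local_vars)
    return set(local_vars) - reads


def expected_code(hidden_text):
    """The value the program compares against, computed as the trace does."""
    stack, _ = run_pcode(KEY_DERIVATION, {"local_00D0": hidden_text})
    return stack[-1]


def check_as_shipped(entered, hidden_text):
    """Left(entered, Len(key)) = key: only a prefix of the input is compared."""
    key = expected_code(hidden_text)
    return entered[:len(key)] == key


def check_full_length(entered, hidden_text):
    """Whole-string, length-sensitive comparison; closes the prefix hole only."""
    key = expected_code(hidden_text)
    return hmac.compare_digest(entered.encode(), key.encode())


if __name__ == "__main__":
    sample = "123456789"                   # constructed, not a real machine code
    print(dead_stores(JUNK_CASE))          # {'local_0090'}
    print(expected_code(sample))           # 997021
    print(check_as_shipped("997021-extra", sample),   # True
          check_full_length("997021-extra", sample))  # False
```

Two things fall out of the model. The switch's stores into local_0090 are never read, which is the mechanical reason those blocks can be discarded as junk. And the Left(...) = key comparison accepts any input that merely begins with the expected code; a length-sensitive compare fixes that, but nothing more: because the expected value is computed on the client from a value the client already holds, anyone who can trace the process can read it off, which is exactly what the trace above shows.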
Meaningless junk code, as above; cut out.
SaveSetting "wbreg", "wbregfile", "wbregfilename", <registration code>
Saves the registration code in the registry:
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wbreg\wbregfile]
"wbregfilename"=<registration code>
51BAE5: 00 LargeBos
51BAE7: 00 LargeBos
51BAE9: 04 FLdRfVar local_00D0
51BAEC: 21 FLdPrThis
51BAED: 0f VCallAd (object e )
51BAF0: 19 FStAdFunc local_00CC
51BAF3: 08 FLdPr local_00CC
51BAF6: 0d VCallHresult
51BAFB: 6c ILdRf local_00D0
51BAFE: 0b ImpAdCallI2
51BB03: 23 FStStrNoPop local_00D4
51BB06: 1b LitStr: "wbregfilename"
51BB09: 1b LitStr: "wbregfile"
51BB0C: 1b LitStr: "wbreg"
51BB0F: 0a ImpAdCallFPR4: rtcSaveSetting
51BB14: 32 FFreeStr
51BB1B: 1a FFree1Ad local_00CC
Report that registration succeeded
51BB1E: 00 LargeBos
51BB20: 27 LitVar_Missing
51BB23: 27 LitVar_Missing
51BB26: 3a LitVarStr: ( local_0130 ) "XXXXX"
51BB2B: 4e FStVarCopyObj local_00F0
51BB2E: 04 FLdRfVar local_00F0
51BB31: f5 LitI4: 0x40 64 (...@)
51BB36: 3a LitVarStr: ( local_00A0 ) "注册成功"   ; "registration successful"
51BB3B: 4e FStVarCopyObj local_00B0
51BB3E: 04 FLdRfVar local_00B0
51BB41: 0a ImpAdCallFPR4: rtcMsgBox
51BB46: 36 FFreeVar
Meaningless junk code, as above; cut out.
51C177: 00 LargeBos
51C179: 00 LargeBos
51C17B: 00 LargeBos
51C17D: 21 FLdPrThis
51C17E: 0f VCallAd (object e )
51C181: 19 FStAdFunc local_00CC
51C184: 08 FLdPr local_00CC
51C187: 0d VCallHresult
51C18C: 1a FFree1Ad local_00CC
51C18F: 00 LargeBos
51C191: 13 ExitProcHresult
Some readers may not have WKT at hand, so let's see how to get the registration code by tracing with SoftICE instead. Load the program with Symbol Loader and set a breakpoint with bpm 51B484; 51B484 is the address of the pcode that compares the registration codes. G, open the registration dialog from the Help menu, type in any registration code, click the <Register> button, and SoftICE breaks in.
001B:7348E239  MOV AL,[ESI]
001B:7348E23B  INC ESI                   <=== SoftICE breaks here
001B:7348E23C  JMP [EAX*4+7348EA58]
This is inside the code space of msvbvm60.dll; the address where it breaks on your machine may differ from mine. Enter the command d *(*esp+8) and you get the registration code; note that it is in Unicode.
I couldn't be bothered to work out the registration algorithm; the key is finding where text5.text is assigned. Anyone interested is welcome to give it a try. My idea would be to decompile the program with exdec, search for the string "object 8", and set breakpoints around the places it is found. Ah, rather tedious.