软件大小:
674 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 卸载清除
应用平台: Win9x/NT/2000/XP
加入时间:
2003-01-18 16:24:14
下载次数: 31495
软件下载: http://count.skycn.com/softdown.php?id=4502&url=http://on165-http.skycn.net/down/clean32.exe
破解工具:TRW1.22
软件说明:您的电脑里面有很多软件、游戏无法卸载?已经厌倦了WINDOWS控制面板那个功能很弱的“添加/删除程序”了吗?卸载精灵的智能卸载功能可以干净彻底地卸载软件,包括那些无法正常卸载的程序它都可以帮您卸载。2.0版新增加了清除垃圾文件的功能。2.1版的智能卸载更强大,可以卸载桌面快捷方式及菜单。这个软件特别适合网吧做系统维护,清除系统中的垃圾软件,优化系统的运行速度。它操作方便,界面友好,安全可靠。修正了不能自动刷新和其他一些BUG。3.0以上版本增加了IE浏览器修复功能。这个软件特别适合网吧做系统维护,清除系统中的垃圾软件,优化系统的运行速度。它操作方便,界面友好,安全可靠。
又碰上了VB程序!无壳!这个程序的下断有点麻烦,因为下BPX
HMEMCPY或BPX __VBASTRCOMP或BPX GETWINDOWTEXTA时,鼠标一动程序就被中断了,跟了半天也难跟到关键代码,索性用S搜索大法,注意查看各寄存器的值,抓得以下代码:
0167:0040C724
CALL `MSVBVM60!__vbaHresultCheckObj`
0167:0040C72A MOV
EDX,[EBP-24]
0167:0040C72D LEA ECX,[EBP-1C]
0167:0040C730
MOV [EBP-24],EBX
0167:0040C733 CALL
`MSVBVM60!__vbaStrMove`
0167:0040C739 LEA ECX,[EBP-2C]
0167:0040C73C
CALL `MSVBVM60!__vbaFreeObj`
0167:0040C742 LEA
ECX,[EBP-1C] <---[EBP-1C]中为我们输入的注册码
0167:0040C745
PUSH ECX
0167:0040C746 CALL 0040B9C0
<---关键的比对Call,跟进
0167:0040C74B TEST
AX,AX <---标志位判断
0167:0040C74E
JZ NEAR 0040C8E6 <---跳则Game Over!
0167:0040C754 MOV ESI,[0040111C]
0167:0040C75A
LEA EDX,[EBP-18]
0167:0040C75D PUSH
EDX
0167:0040C75E PUSH DWORD 000F003F
0167:0040C763
PUSH EBX
0167:0040C764 LEA EAX,[EBP-24]
0167:0040C767
PUSH DWORD 00404384
0167:0040C76C PUSH
EAX
0167:0040C76D CALL ESI
0167:0040C76F PUSH
EAX
0167:0040C770 PUSH DWORD 80000002
0167:0040C775
CALL 00403D38
0167:0040C77A MOV EBX,[00401038]
0167:0040C780
CALL EBX
0167:0040C782 LEA ECX,[EBP-24]
0167:0040C785
CALL `MSVBVM60!__vbaFreeStr`
0167:0040C78B MOV
ECX,[EBP-1C]
0167:0040C78E PUSH ECX
......(略去)
0167:0040C941
PUSH ECX
0167:0040C942 PUSH EDX
0167:0040C943
LEA EAX,[EBP-3C]
0167:0040C946 PUSH
EBX
0167:0040C947 PUSH EAX
0167:0040C948 CALL
`MSVBVM60!rtcMsgBox` <---出错对话框
0167:0040C94E LEA
ECX,[EBP-6C]
0167:0040C951 LEA EDX,[EBP-5C]
0167:0040C954
PUSH ECX
0167:0040C955 LEA EAX,[EBP-4C]
0167:0040C958
PUSH EDX
0167:0040C959 LEA ECX,[EBP-3C]
0167:0040C95C
PUSH EAX
0167:0040C95D PUSH ECX
跟进上面的那个关键Call,看到如下代码:
0167:0040B9C0
PUSH EBP
0167:0040B9C1 MOV EBP,ESP
0167:0040B9C3
SUB ESP,BYTE +08
0167:0040B9C6 PUSH
DWORD 004012F6
0167:0040B9CB MOV EAX,[FS:00]
0167:0040B9D1
PUSH EAX
0167:0040B9D2 MOV [FS:00],ESP
0167:0040B9D9
SUB ESP,94
0167:0040B9DF PUSH
EBX
0167:0040B9E0 PUSH ESI
0167:0040B9E1 PUSH
EDI
0167:0040B9E2 MOV [EBP-08],ESP
0167:0040B9E5
MOV DWORD [EBP-04],00401218
0167:0040B9EC MOV
ESI,[EBP+08]
0167:0040B9EF XOR EDI,EDI
<---EDI=0
0167:0040B9F1 MOV
[EBP-24],EDI <---[EBP-24]=0
0167:0040B9F4 MOV
[EBP-34],EDI <---[EBP-34]=0
0167:0040B9F7 MOV
EAX,[ESI] <---取用户输入的注册码
0167:0040B9F9
MOV [EBP-44],EDI <---[EBP-44]=0
0167:0040B9FC
PUSH EAX
0167:0040B9FD MOV [EBP-54],EDI
<---[EBP-54]=0
0167:0040BA00 MOV [EBP-64],EDI
<---[EBP-64]=0
0167:0040BA03 MOV [EBP+FFFFFF7C],EDI
0167:0040BA09
CALL `MSVBVM60!__vbaLenBstr` <---取注册码长度
0167:0040BA0F
CMP EAX,BYTE +08 <---判断注册码长度是否为8
0167:0040BA12
JZ 0040BA21 <---相等则跳,不跳就死了!
0167:0040BA14
MOV [EBP-14],EDI
0167:0040BA17 PUSH
DWORD 0040BDFF
0167:0040BA1C JMP 0040BDFE
<---千万别走到这
-------------第1次判断---------------------
0167:0040BA21
MOV EDI,[0040107C]
0167:0040BA27 LEA
ECX,[EBP-24]
0167:0040BA2A PUSH ECX
0167:0040BA2B
LEA EDX,[EBP-64]
0167:0040BA2E PUSH
BYTE +01 <---参数入栈,决定取注册码的第几位
0167:0040BA30
LEA EAX,[EBP-34]
0167:0040BA33 MOV
EBX,4008
0167:0040BA38 PUSH EDX
0167:0040BA39
PUSH EAX
0167:0040BA3A MOV DWORD
[EBP-1C],01
0167:0040BA41 MOV DWORD [EBP-24],02
0167:0040BA48
MOV [EBP-5C],ESI
0167:0040BA4B MOV
[EBP-64],EBX
0167:0040BA4E CALL EDI
<---这个Call__rtcmidcharvar干什么的?
0167:0040BA50 LEA
ECX,[EBP-44]
0167:0040BA53 LEA EDX,[EBP+FFFFFF7C]
0167:0040BA59
PUSH ECX
0167:0040BA5A PUSH BYTE +03
<---参数入栈,决定取注册码的第几位
0167:0040BA5C LEA
EAX,[EBP-54]
0167:0040BA5F PUSH EDX
0167:0040BA60
PUSH EAX
0167:0040BA61 MOV DWORD
[EBP-3C],01
0167:0040BA68 MOV DWORD [EBP-44],02
0167:0040BA6F
MOV [EBP-7C],ESI
0167:0040BA72 MOV
[EBP+FFFFFF7C],EBX
0167:0040BA78 CALL EDI
<---同上
0167:0040BA7A MOV EBX,[00401130]
0167:0040BA80
LEA ECX,[EBP-54]
0167:0040BA83 PUSH
ECX
0167:0040BA84 CALL EBX
<---取注册码的第3位,返回值在AX中
0167:0040BA86 MOV DX,AX
<---值存入DX中
0167:0040BA89 LEA EAX,[EBP-34]
0167:0040BA8C
PUSH EAX
0167:0040BA8D MOV [EBP+FFFFFF62],DX
0167:0040BA94
CALL EBX <---取注册码的第1位,返回值在AX中
0167:0040BA96
MOV CX,[EBP+FFFFFF62]
0167:0040BA9D LEA
EDX,[EBP-54]
0167:0040BAA0 ADD CX,AX
<---CX=CX+AX,即前面取得的1、3位值相加
0167:0040BAA3 LEA
EAX,[EBP-54]
0167:0040BAA6 JO
NEAR 0040BE16
0167:0040BAAC XOR EBX,EBX
0167:0040BAAE
CMP CX,BYTE +07 <---是否等于7
0167:0040BAB2 PUSH
EDX
0167:0040BAB3 LEA ECX,[EBP-44]
0167:0040BAB6
PUSH EAX
0167:0040BAB7 LEA EDX,[EBP-34]
0167:0040BABA
PUSH ECX
0167:0040BABB LEA EAX,[EBP-34]
0167:0040BABE
PUSH EDX
0167:0040BABF LEA ECX,[EBP-24]
0167:0040BAC2
PUSH EAX
0167:0040BAC3 PUSH ECX
0167:0040BAC4
SETNZ BL <---根据前面的CMP结果置BL的值
0167:0040BAC7
PUSH BYTE +06
0167:0040BAC9 NEG EBX
<---EBX=0-EBX
0167:0040BACB CALL
`MSVBVM60!__vbaFreeVarList`
0167:0040BAD1 ADD ESP,BYTE
+1C
0167:0040BAD4 TEST BX,BX
0167:0040BAD7 JZ
0040BAEA <---不跳则完
0167:0040BAD9 MOV
DWORD [EBP-14],00
0167:0040BAE0 PUSH
DWORD 0040BDFF
0167:0040BAE5 JMP 0040BDFE
<---不要走到这
此后后面对注册码还有4次判断,操作同第1次判断,不再啰嗦了
---------第二次判断,同上------------------
0167:0040BAEA
LEA EDX,[EBP-24]
0167:0040BAED LEA
EAX,[EBP-64]
0167:0040BAF0 PUSH EDX
0167:0040BAF1
PUSH BYTE +02
0167:0040BAF3 LEA
ECX,[EBP-34]
0167:0040BAF6 MOV EBX,4008
0167:0040BAFB
PUSH EAX
0167:0040BAFC PUSH ECX
0167:0040BAFD
MOV DWORD [EBP-1C],01
0167:0040BB04 MOV
DWORD [EBP-24],02
0167:0040BB0B MOV [EBP-5C],ESI
0167:0040BB0E
MOV [EBP-64],EBX
0167:0040BB11 CALL
EDI
0167:0040BB13 LEA
EDX,[EBP-44]
0167:0040BB16 LEA EAX,[EBP+FFFFFF7C]
0167:0040BB1C PUSH EDX
0167:0040BB1D
PUSH BYTE +04
0167:0040BB1F LEA ECX,[EBP-54]
0167:0040BB22
PUSH EAX
0167:0040BB23 PUSH
ECX
0167:0040BB24 MOV DWORD [EBP-3C],01
0167:0040BB2B MOV
DWORD [EBP-44],02
0167:0040BB32
MOV [EBP-7C],ESI
0167:0040BB35 MOV [EBP+FFFFFF7C],EBX
0167:0040BB3B CALL
EDI <---
0167:0040BB3D MOV EBX,[00401130]
0167:0040BB43 LEA EDX,[EBP-54]
0167:0040BB46
PUSH EDX
0167:0040BB47 CALL
EBX <---
0167:0040BB49 MOV DX,AX
0167:0040BB4C
LEA EAX,[EBP-34]
0167:0040BB4F PUSH EAX
0167:0040BB50
MOV [EBP+FFFFFF60],DX
0167:0040BB57 CALL EBX
0167:0040BB59
MOV CX,[EBP+FFFFFF60]
0167:0040BB60 LEA EDX,[EBP-54]
0167:0040BB63 ADD
CX,AX
0167:0040BB66 LEA EAX,[EBP-54]
0167:0040BB69 JO
NEAR 0040BE16
0167:0040BB6F
XOR EBX,EBX
0167:0040BB71 CMP CX,BYTE
+08
0167:0040BB75
PUSH EDX
0167:0040BB76 LEA
ECX,[EBP-44]
0167:0040BB79
PUSH EAX
0167:0040BB7A LEA
EDX,[EBP-34]
0167:0040BB7D
PUSH ECX
0167:0040BB7E LEA
EAX,[EBP-34]
0167:0040BB81
PUSH EDX
0167:0040BB82 LEA
ECX,[EBP-24]
0167:0040BB85
PUSH EAX
0167:0040BB86 PUSH
ECX
0167:0040BB87 SETNZ BL
0167:0040BB8A
PUSH BYTE +06
0167:0040BB8C NEG EBX
0167:0040BB8E
CALL `MSVBVM60!__vbaFreeVarList`
0167:0040BB94 ADD
ESP,BYTE +1C
0167:0040BB97 TEST BX,BX
0167:0040BB9A
JZ 0040BBAD
0167:0040BB9C MOV DWORD
[EBP-14],00
0167:0040BBA3 PUSH
DWORD 0040BDFF
0167:0040BBA8 JMP 0040BDFE
-----------------------------------------
---------第三次判断,同上------------------
0167:0040BBAD
LEA EDX,[EBP-24]
0167:0040BBB0 LEA
EAX,[EBP-64]
0167:0040BBB3 PUSH EDX
0167:0040BBB4
PUSH BYTE +05
0167:0040BBB6 LEA ECX,[EBP-34]
0167:0040BBB9 MOV
EBX,4008
0167:0040BBBE PUSH EAX
0167:0040BBBF
PUSH ECX
0167:0040BBC0 MOV
DWORD [EBP-1C],01
0167:0040BBC7
MOV DWORD [EBP-24],02
0167:0040BBCE MOV [EBP-5C],ESI
0167:0040BBD1
MOV [EBP-64],EBX
0167:0040BBD4 CALL
EDI
0167:0040BBD6 LEA EDX,[EBP-44]
0167:0040BBD9
LEA EAX,[EBP+FFFFFF7C]
0167:0040BBDF PUSH
EDX
0167:0040BBE0 PUSH BYTE +07
0167:0040BBE2
LEA ECX,[EBP-54]
0167:0040BBE5 PUSH
EAX
0167:0040BBE6 PUSH ECX
0167:0040BBE7 MOV
DWORD [EBP-3C],01
0167:0040BBEE MOV
DWORD [EBP-44],02
0167:0040BBF5 MOV [EBP-7C],ESI
0167:0040BBF8
MOV [EBP+FFFFFF7C],EBX
0167:0040BBFE CALL
EDI
0167:0040BC00 MOV EBX,[00401130]
0167:0040BC06
LEA EDX,[EBP-54]
0167:0040BC09 PUSH
EDX
0167:0040BC0A CALL EBX
0167:0040BC0C MOV
DX,AX
0167:0040BC0F LEA EAX,[EBP-34]
0167:0040BC12
PUSH EAX
0167:0040BC13 MOV [EBP+FFFFFF5E],DX
0167:0040BC1A
CALL EBX
0167:0040BC1C MOV CX,[EBP+FFFFFF5E]
0167:0040BC23
LEA EDX,[EBP-54]
0167:0040BC26 ADD
CX,AX
0167:0040BC29 LEA EAX,[EBP-54]
0167:0040BC2C
JO NEAR 0040BE16
0167:0040BC32 XOR
EBX,EBX
0167:0040BC34 CMP CX,BYTE +09
0167:0040BC38
PUSH EDX
0167:0040BC39 LEA ECX,[EBP-44]
0167:0040BC3C
PUSH EAX
0167:0040BC3D LEA EDX,[EBP-34]
0167:0040BC40
PUSH ECX
0167:0040BC41 LEA EAX,[EBP-34]
0167:0040BC44
PUSH EDX
0167:0040BC45 LEA ECX,[EBP-24]
0167:0040BC48
PUSH EAX
0167:0040BC49 PUSH ECX
0167:0040BC4A
SETNZ BL
0167:0040BC4D PUSH BYTE +06
0167:0040BC4F
NEG EBX
0167:0040BC51 CALL `MSVBVM60!__vbaFreeVarList`
0167:0040BC57
ADD ESP,BYTE +1C
0167:0040BC5A TEST
BX,BX
0167:0040BC5D JZ 0040BC70
0167:0040BC5F
MOV DWORD [EBP-14],00
0167:0040BC66 PUSH
DWORD 0040BDFF
0167:0040BC6B JMP 0040BDFE
-----------------------------------------------
---------第四次判断,同上------------------
0167:0040BC70
LEA EDX,[EBP-24]
0167:0040BC73 LEA
EAX,[EBP-64]
0167:0040BC76 PUSH EDX
0167:0040BC77
PUSH BYTE +06
0167:0040BC79 LEA ECX,[EBP-34]
0167:0040BC7C
MOV EBX,4008
0167:0040BC81 PUSH
EAX
0167:0040BC82 PUSH ECX
0167:0040BC83 MOV
DWORD [EBP-1C],01
0167:0040BC8A MOV DWORD
[EBP-24],02
0167:0040BC91 MOV [EBP-5C],ESI
0167:0040BC94
MOV [EBP-64],EBX
0167:0040BC97 CALL
EDI
0167:0040BC99 LEA EDX,[EBP-44]
0167:0040BC9C
LEA EAX,[EBP+FFFFFF7C]
0167:0040BCA2 PUSH
EDX
0167:0040BCA3 PUSH BYTE +08
0167:0040BCA5
LEA ECX,[EBP-54]
0167:0040BCA8 PUSH
EAX
0167:0040BCA9 PUSH ECX
0167:0040BCAA MOV
DWORD [EBP-3C],01
0167:0040BCB1 MOV
DWORD [EBP-44],02
0167:0040BCB8 MOV [EBP-7C],ESI
0167:0040BCBB
MOV [EBP+FFFFFF7C],EBX
0167:0040BCC1 CALL
EDI
0167:0040BCC3 MOV EBX,[00401130]
0167:0040BCC9
LEA EDX,[EBP-54]
0167:0040BCCC PUSH
EDX
0167:0040BCCD CALL EBX
0167:0040BCCF MOV
DX,AX
0167:0040BCD2 LEA EAX,[EBP-34]
0167:0040BCD5
PUSH EAX
0167:0040BCD6 MOV [EBP+FFFFFF5C],DX
0167:0040BCDD
CALL EBX
0167:0040BCDF MOV CX,[EBP+FFFFFF5C]
0167:0040BCE6
LEA EDX,[EBP-54]
0167:0040BCE9 ADD
CX,AX
0167:0040BCEC LEA EAX,[EBP-54]
0167:0040BCEF
JO NEAR 0040BE16
0167:0040BCF5 XOR
EBX,EBX
0167:0040BCF7 CMP CX,BYTE +0A
0167:0040BCFB
PUSH EDX
0167:0040BCFC LEA ECX,[EBP-44]
0167:0040BCFF
PUSH EAX
0167:0040BD00 LEA EDX,[EBP-34]
0167:0040BD03
PUSH ECX
0167:0040BD04 LEA EAX,[EBP-34]
0167:0040BD07
PUSH EDX
0167:0040BD08 LEA ECX,[EBP-24]
0167:0040BD0B
PUSH EAX
0167:0040BD0C PUSH ECX
0167:0040BD0D
SETNZ BL
0167:0040BD10 PUSH BYTE +06
0167:0040BD12
NEG EBX
0167:0040BD14 CALL `MSVBVM60!__vbaFreeVarList`
0167:0040BD1A
ADD ESP,BYTE +1C
0167:0040BD1D TEST
BX,BX
0167:0040BD20 JZ 0040BD33
0167:0040BD22
MOV DWORD [EBP-14],00
0167:0040BD29 PUSH
DWORD 0040BDFF
0167:0040BD2E JMP 0040BDFE
-------------------------------------------
---------第五次判断,同上------------------
0167:0040BD33
LEA EDX,[EBP-24]
0167:0040BD36 LEA
EAX,[EBP-64]
0167:0040BD39 PUSH EDX
0167:0040BD3A
PUSH BYTE +01
0167:0040BD3C LEA ECX,[EBP-34]
0167:0040BD3F
MOV EBX,4008
0167:0040BD44 PUSH
EAX
0167:0040BD45 PUSH ECX
0167:0040BD46 MOV
DWORD [EBP-1C],01
0167:0040BD4D MOV DWORD
[EBP-24],02
0167:0040BD54 MOV [EBP-5C],ESI
0167:0040BD57
MOV [EBP-64],EBX
0167:0040BD5A CALL
EDI
0167:0040BD5C LEA EDX,[EBP-44]
0167:0040BD5F
LEA EAX,[EBP+FFFFFF7C]
0167:0040BD65 PUSH
EDX
0167:0040BD66 PUSH BYTE +08
0167:0040BD68
LEA ECX,[EBP-54]
0167:0040BD6B PUSH
EAX
0167:0040BD6C PUSH ECX
0167:0040BD6D MOV
DWORD [EBP-3C],01
0167:0040BD74 MOV
DWORD [EBP-44],02
0167:0040BD7B MOV [EBP-7C],ESI
0167:0040BD7E
MOV [EBP+FFFFFF7C],EBX
0167:0040BD84 CALL
EDI
0167:0040BD86 MOV ESI,[00401130]
0167:0040BD8C
LEA EDX,[EBP-54]
0167:0040BD8F PUSH
EDX
0167:0040BD90 CALL ESI
0167:0040BD92 MOV
DI,AX
0167:0040BD95 LEA EAX,[EBP-34]
0167:0040BD98
PUSH EAX
0167:0040BD99 CALL ESI
0167:0040BD9B
ADD DI,AX
0167:0040BD9E LEA EDX,[EBP-54]
0167:0040BDA1
JO 0040BE16
0167:0040BDA3 XOR
ECX,ECX
0167:0040BDA5 CMP DI,BYTE +08
0167:0040BDA9 SETNZ CL
<---若DI=08,则CL=0
------------------------------------------
0167:0040BDAC
NEG ECX <---ECX=0
0167:0040BDAE MOV ESI,ECX
<---ESI=ECX
0167:0040BDB0 LEA EAX,[EBP-54]
0167:0040BDB3
PUSH EDX
0167:0040BDB4 LEA ECX,[EBP-44]
0167:0040BDB7
PUSH EAX
0167:0040BDB8 LEA EDX,[EBP-34]
0167:0040BDBB
PUSH ECX
0167:0040BDBC LEA EAX,[EBP-34]
0167:0040BDBF
PUSH EDX
0167:0040BDC0 LEA ECX,[EBP-24]
0167:0040BDC3
PUSH EAX
0167:0040BDC4 PUSH ECX
0167:0040BDC5
PUSH BYTE +06
0167:0040BDC7 CALL `MSVBVM60!__vbaFreeVarList`
0167:0040BDCD
ADD ESP,BYTE +1C
0167:0040BDD0 NEG
SI <---SI=0-SI
0167:0040BDD3 SBB
ESI,ESI <---ESI=ESI-ESI-CF(CF为进位标志)
0167:0040BDD5
PUSH DWORD 0040BDFF
0167:0040BDDA NEG
ESI <---ESI=0-ESI
0167:0040BDDC DEC
ESI <---ESI=ESI-1
0167:0040BDDD
MOV [EBP-14],ESI<---[EBP-14]=ESI
0167:0040BDE0
JMP SHORT 0040BDFE
0167:0040BDE2 LEA
EDX,[EBP-54]
0167:0040BDE5 LEA EAX,[EBP-44]
0167:0040BDE8
PUSH EDX
0167:0040BDE9 LEA ECX,[EBP-34]
0167:0040BDEC
PUSH EAX
0167:0040BDED LEA EDX,[EBP-24]
0167:0040BDF0
PUSH ECX
0167:0040BDF1 PUSH EDX
0167:0040BDF2
PUSH BYTE +04
0167:0040BDF4 CALL `MSVBVM60!__vbaFreeVarList`
0167:0040BDFA
ADD ESP,BYTE +14
0167:0040BDFD RET
0167:0040BDFE RET
0167:0040BDFF MOV
ECX,[EBP-10]
0167:0040BE02 MOV AX,[EBP-14]
<---AX=[EBP-14]置标志位值
0167:0040BE06 POP EDI
0167:0040BE07
POP ESI
0167:0040BE08 MOV [FS:00],ECX
0167:0040BE0F
POP EBX
0167:0040BE10 MOV ESP,EBP
0167:0040BE12
POP EBP
0167:0040BE13 RET 04
这个程序的算法并不复杂,只是VB程序看起来有点麻烦。注册码与用户名无关,要求位数为8位,且只要满足第1、3位相加等于7,第2、4位相加等于8,第5、7位相加等于9,第6、8位相加等于10,第1、8位相加等于8就可以了。满足这个条件的数太多了,我是用14645347注册的。
--------------------------------------ShenGe------------------------------------