记事本XP V2.78（VB6 native）

标题：记事本XP V2.78（VB6 native）
作者：fly
时间：2003/06/18 06:02pm
链接：http://bbs.pediy.com

下载页面： http://www.skycn.com/soft/1623.html
软件大小： 212 KB
软件语言：简体中文
软件类别：国产软件 / 免费版 / 文字处理
应用平台： Win9x/NT/2000/XP
加入时间： 2003-06-08 11:08:57
下载次数： 7387
推荐等级： ***
开发商： http://www.ypall.com/qswb/

【软件简介】：记事本XP是一款非常轻巧的文本文件编辑器，和Windows记事本相比，它具有如下特点：1、体积小巧，主文件仅有23KB。 2、可快速打开文件，同一目录内文件可通过F7和F8两个键快速打开查看，并可显示当前目录内文本文件总数和当前文件所处位置。 3、可以快速保存文件，编辑文件时，你只要选定一串具有代表性的文字时，文件菜单中就会增加一项另存为***.TXT文件的菜单，你只要点击此菜单，即可保存文件。 4、具有5项历史文档记录功能，打开文件更方便。 5、具有多步撤消和重做功能，如果你觉得本功能太浪费内存，还可禁止使用。 6、具有界面颜色可调功能。 7、具有字母大小写转换功能。 8、具有多选项查找替换功能以及快速删除所有同类字符功能。 9、具有段落重排功能、首行缩进设置功能以及文字左中右对齐方式设置功能。 10、具有自动监视剪贴板的功能。 11、具有定时自动保存文件功能。 12、具有自动向上翻页功能。 13、具有窗口总在最前功能。 14、具有快速插入段间分隔线、当前文件名、目录文件列表功能。

【软件限制】：NAG、30天试用

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

其实这个东东前几天就做了，因为最近很忙，今天才抽空整理了笔记。记得 newlaos 兄曾做过 V2.3 的破解，得出“雪影无痕”的注册码，这次变了。

notepad.exe 是ASPack 2.12壳，用AspackDie脱之。54K->176K。 VB6 native 。

源码：131A4F8
试炼码：fly-13572468
—————————————————————————————————
* Reference To: MSVBVM60.rtcInputBox, Ord:0254h
|
:0041C56E FF15A4104000 Call dword ptr [004010A4]
:0041C574 8BD0 mov edx, eax
====>EAX=fly-13572468 试炼码

:0041C576 8D4DE0 lea ecx, dword ptr [ebp-20]
:0041C579 FFD3 call ebx
:0041C57B 8BD0 mov edx, eax
:0041C57D 8D5E54 lea ebx, dword ptr [esi+54]
:0041C580 8BCB mov ecx, ebx

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0041C582 FF15E0114000 Call dword ptr [004011E0]
:0041C588 8D55DC lea edx, dword ptr [ebp-24]
:0041C58B 52 push edx
:0041C58C 8D45E0 lea eax, dword ptr [ebp-20]
:0041C58F 50 push eax
:0041C590 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:0041C592 FF15F0114000 Call dword ptr [004011F0]
:0041C598 8D8D68FFFFFF lea ecx, dword ptr [ebp+FFFFFF68]
:0041C59E 51 push ecx
:0041C59F 8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:0041C5A5 52 push edx
:0041C5A6 8D4588 lea eax, dword ptr [ebp-78]
:0041C5A9 50 push eax
:0041C5AA 8D4D98 lea ecx, dword ptr [ebp-68]
:0041C5AD 51 push ecx
:0041C5AE 8D55A8 lea edx, dword ptr [ebp-58]
:0041C5B1 52 push edx
:0041C5B2 8D45B8 lea eax, dword ptr [ebp-48]
:0041C5B5 50 push eax
:0041C5B6 8D4DC8 lea ecx, dword ptr [ebp-38]
:0041C5B9 51 push ecx
:0041C5BA 6A07 push 00000007

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0041C5BC FF1530104000 Call dword ptr [00401030]
:0041C5C2 83C42C add esp, 0000002C
:0041C5C5 8B16 mov edx, dword ptr [esi]
:0041C5C7 8D45C8 lea eax, dword ptr [ebp-38]
:0041C5CA 50 push eax
:0041C5CB 56 push esi
:0041C5CC FF9210070000 call dword ptr [edx+00000710]
====>关键CALL！进入！

:0041C5D2 85C0 test eax, eax
:0041C5D4 7D12 jge 0041C5E8
:0041C5D6 6810070000 push 00000710
:0041C5DB 686C6E4000 push 00406E6C
:0041C5E0 56 push esi
:0041C5E1 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:0041C5E2 FF1568104000 Call dword ptr [00401068]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C5D4(C)
|
:0041C5E8 8D4DC8 lea ecx, dword ptr [ebp-38]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:0041C5EB FF151C104000 Call dword ptr [0040101C]
:0041C5F1 8B0E mov ecx, dword ptr [esi]
:0041C5F3 56 push esi
:0041C5F4 FF9104040000 call dword ptr [ecx+00000404]
:0041C5FA 50 push eax
:0041C5FB 8D55D8 lea edx, dword ptr [ebp-28]
:0041C5FE 52 push edx

* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
|
:0041C5FF FF159C104000 Call dword ptr [0040109C]
:0041C605 8BF0 mov esi, eax
:0041C607 8B06 mov eax, dword ptr [esi]
:0041C609 8D8DF4FEFFFF lea ecx, dword ptr [ebp+FFFFFEF4]
:0041C60F 51 push ecx
:0041C610 56 push esi
:0041C611 FF5058 call [eax+58]
:0041C614 DBE2 fclex
:0041C616 85C0 test eax, eax
:0041C618 7D0F jge 0041C629
:0041C61A 6A58 push 00000058
:0041C61C 6804744000 push 00407404
:0041C621 56 push esi
:0041C622 50 push eax

* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:0041C623 FF1568104000 Call dword ptr [00401068]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C618(C)
|
:0041C629 33D2 xor edx, edx
:0041C62B 663995F4FEFFFF cmp word ptr [ebp+FFFFFEF4], dx
:0041C632 0F94C2 sete dl
:0041C635 F7DA neg edx
:0041C637 8BF2 mov esi, edx
:0041C639 8D4DD8 lea ecx, dword ptr [ebp-28]

* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:0041C63C FF1570124000 Call dword ptr [00401270]
:0041C642 6685F6 test si, si
:0041C645 741D je 0041C664
====>跳则OVER！

:0041C647 8B03 mov eax, dword ptr [ebx]
:0041C649 50 push eax

* Possible StringData Ref from Code Obj ->"regnumber"
|
:0041C64A 6840744000 push 00407440

* Possible StringData Ref from Code Obj ->"regist"
|
:0041C64F 682C744000 push 0040742C

* Possible StringData Ref from Code Obj ->"notepad"
|
:0041C654 6858744000 push 00407458

* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:0041C659 FF1504104000 Call dword ptr [00401004]
====>保存注册信息！

:0041C65F E984000000 jmp 0041C6E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C645(C)
|
:0041C664 B904000280 mov ecx, 80020004
:0041C669 894DA0 mov dword ptr [ebp-60], ecx
:0041C66C B80A000000 mov eax, 0000000A
:0041C671 894598 mov dword ptr [ebp-68], eax
:0041C674 894DB0 mov dword ptr [ebp-50], ecx
:0041C677 8945A8 mov dword ptr [ebp-58], eax
:0041C67A C78550FFFFFF147A4000 mov dword ptr [ebp+FFFFFF50], 00407A14
:0041C684 BE08000000 mov esi, 00000008
:0041C689 89B548FFFFFF mov dword ptr [ebp+FFFFFF48], esi
:0041C68F 8D9548FFFFFF lea edx, dword ptr [ebp+FFFFFF48]
:0041C695 8D4DB8 lea ecx, dword ptr [ebp-48]
:0041C698 FFD7 call edi
:0041C69A C78560FFFFFF04844000 mov dword ptr [ebp+FFFFFF60], 00408404
:0041C6A4 89B558FFFFFF mov dword ptr [ebp+FFFFFF58], esi
:0041C6AA 8D9558FFFFFF lea edx, dword ptr [ebp+FFFFFF58]
:0041C6B0 8D4DC8 lea ecx, dword ptr [ebp-38]
:0041C6B3 FFD7 call edi
:0041C6B5 8D4D98 lea ecx, dword ptr [ebp-68]
:0041C6B8 51 push ecx
:0041C6B9 8D55A8 lea edx, dword ptr [ebp-58]
:0041C6BC 52 push edx
:0041C6BD 8D45B8 lea eax, dword ptr [ebp-48]
:0041C6C0 50 push eax
:0041C6C1 6A40 push 00000040
:0041C6C3 8D4DC8 lea ecx, dword ptr [ebp-38]
:0041C6C6 51 push ecx

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:0041C6C7 FF15A0104000 Call dword ptr [004010A0]
====>BAD BOY！

:0041C6CD 8D5598 lea edx, dword ptr [ebp-68]
:0041C6D0 52 push edx
:0041C6D1 8D45A8 lea eax, dword ptr [ebp-58]
:0041C6D4 50 push eax
:0041C6D5 8D4DB8 lea ecx, dword ptr [ebp-48]
:0041C6D8 51 push ecx
:0041C6D9 8D55C8 lea edx, dword ptr [ebp-38]
:0041C6DC 52 push edx
:0041C6DD 6A04 push 00000004

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0041C6DF FF1530104000 Call dword ptr [00401030]
:0041C6E5 83C414 add esp, 00000014

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C65F(U)
|

* Reference To: MSVBVM60.__vbaExitProc, Ord:0000h
|
:0041C6E8 FF1588104000 Call dword ptr [00401088]
:0041C6EE 6840C74100 push 0041C740
:0041C6F3 EB4A jmp 0041C73F

—————————————————————————————————
进入关键CALL：0041C5CC call dword ptr [edx+00000710]

…… ……省略…… ……

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0041C841 8B3D40124000 mov edi, dword ptr [00401240]
:0041C847 FFD7 call edi
:0041C849 6A01 push 00000001
:0041C84B 6AFF push FFFFFFFF
:0041C84D 6A01 push 00000001
:0041C84F 68286E4000 push 00406E28
:0041C854 6824844000 push 00408424
:0041C859 8B4E54 mov ecx, dword ptr [esi+54]
:0041C85C 51 push ecx
====>ECX=fly-13572468 试炼码

* Reference To: MSVBVM60.rtcReplace, Ord:02C8h
|
:0041C85D FF158C114000 Call dword ptr [0040118C]
====>去除试炼码中的-

:0041C863 8BD0 mov edx, eax
====>EDX=fly13572468

:0041C865 8D4DCC lea ecx, dword ptr [ebp-34]
:0041C868 FFD7 call edi
:0041C86A 8B55CC mov edx, dword ptr [ebp-34]
:0041C86D 52 push edx
:0041C86E 8B4654 mov eax, dword ptr [esi+54]
:0041C871 50 push eax

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:0041C872 FF1524114000 Call dword ptr [00401124]
====>其实这段就是检测试炼码中有无-

:0041C878 8BD8 mov ebx, eax
====>返回值。有 - 则EAX=1

:0041C87A F7DB neg ebx
:0041C87C 1BDB sbb ebx, ebx
:0041C87E 43 inc ebx
====>EBX=0

:0041C87F 8B4DCC mov ecx, dword ptr [ebp-34]
====>ECX=fly13572468

:0041C882 51 push ecx

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:0041C883 8B3D28104000 mov edi, dword ptr [00401028]
:0041C889 FFD7 call edi
====>取fly13572468的长度 EAX=B

:0041C88B 33D2 xor edx, edx
:0041C88D 83F808 cmp eax, 00000008
====>和8位比较

:0041C890 0F9EC2 setle dl
====>设置DL值

:0041C893 0BDA or ebx, edx
:0041C895 0F8540010000 jne 0041C9DB
====>跳则OVER！爆破点①！

:0041C89B 8B45CC mov eax, dword ptr [ebp-34]
====>EAX=fly13572468

:0041C89E 50 push eax
:0041C89F FFD7 call edi
====>取fly13572468的长度

:0041C8A1 8985FCFEFFFF mov dword ptr [ebp+FFFFFEFC], eax
====>[ebp+FFFFFEFC]=B

:0041C8A7 C7465801000000 mov [esi+58], 00000001

* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
|
:0041C8AE 8B1D2C114000 mov ebx, dword ptr [0040112C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041C996(U)
|
:0041C8B4 8B4658 mov eax, dword ptr [esi+58]
:0041C8B7 3B85FCFEFFFF cmp eax, dword ptr [ebp+FFFFFEFC]
:0041C8BD 0F8F18010000 jg 0041C9DB
:0041C8C3 C745BC08000000 mov [ebp-44], 00000008
:0041C8CA C745B402000000 mov [ebp-4C], 00000002
:0041C8D1 8D4DCC lea ecx, dword ptr [ebp-34]
:0041C8D4 898D4CFFFFFF mov dword ptr [ebp+FFFFFF4C], ecx
:0041C8DA C78544FFFFFF08400000 mov dword ptr [ebp+FFFFFF44], 00004008
:0041C8E4 8D55B4 lea edx, dword ptr [ebp-4C]
:0041C8E7 52 push edx
:0041C8E8 50 push eax
:0041C8E9 8D8544FFFFFF lea eax, dword ptr [ebp+FFFFFF44]
:0041C8EF 50 push eax
:0041C8F0 8D4DA4 lea ecx, dword ptr [ebp-5C]
:0041C8F3 51 push ecx

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0041C8F4 FF15FC104000 Call dword ptr [004010FC]
====>依次8位取fly13572468
====>fly13572
…… ……省略…… ……
====>13572468

:0041C8FA 8D55A4 lea edx, dword ptr [ebp-5C]
:0041C8FD 52 push edx
:0041C8FE 8D45C8 lea eax, dword ptr [ebp-38]
:0041C901 50 push eax

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:0041C902 FF15B0114000 Call dword ptr [004011B0]
:0041C908 50 push eax

* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
|
:0041C909 FF1578124000 Call dword ptr [00401278]
:0041C90F DC25581D4000 fsub qword ptr [00401D58]
…… ……省略…… ……
====>13572468 - 8072353=5500115.0000000000000

:0041C915 DD5D9C fstp qword ptr [ebp-64]
:0041C918 DFE0 fstsw ax
:0041C91A A80D test al, 0D
:0041C91C 0F8514040000 jne 0041CD36
:0041C922 C7459405000000 mov [ebp-6C], 00000005
:0041C929 8D4D94 lea ecx, dword ptr [ebp-6C]
:0041C92C 51 push ecx
:0041C92D 8D5584 lea edx, dword ptr [ebp-7C]
:0041C930 52 push edx

* Reference To: MSVBVM60.rtcHexVarFromVar, Ord:023Dh
|
:0041C931 FF15E4114000 Call dword ptr [004011E4]
…… ……省略…… ……
====>取5500115的16进制值=53ECD3

:0041C937 8B45E0 mov eax, dword ptr [ebp-20]
====>EAX=131A4F8 程序给的注册源码

:0041C93A 89851CFFFFFF mov dword ptr [ebp+FFFFFF1C], eax
:0041C940 C78514FFFFFF08800000 mov dword ptr [ebp+FFFFFF14], 00008008
:0041C94A 8D4D84 lea ecx, dword ptr [ebp-7C]
:0041C94D 51 push ecx
:0041C94E 8D9514FFFFFF lea edx, dword ptr [ebp+FFFFFF14]
:0041C954 52 push edx
:0041C955 FFD3 call ebx
====>比较CALL！53ECD3和131A4F8比较！相等则OK！

:0041C957 668BF8 mov di, ax
:0041C95A 8D4DC8 lea ecx, dword ptr [ebp-38]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0041C95D FF1574124000 Call dword ptr [00401274]
:0041C963 8D4584 lea eax, dword ptr [ebp-7C]
:0041C966 50 push eax
:0041C967 8D4D94 lea ecx, dword ptr [ebp-6C]
:0041C96A 51 push ecx
:0041C96B 8D55A4 lea edx, dword ptr [ebp-5C]
:0041C96E 52 push edx
:0041C96F 8D45B4 lea eax, dword ptr [ebp-4C]
:0041C972 50 push eax
:0041C973 6A04 push 00000004

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0041C975 FF1530104000 Call dword ptr [00401030]
:0041C97B 83C414 add esp, 00000014
:0041C97E 6685FF test di, di
:0041C981 7518 jne 0041C99B
====>爆破点②！

:0041C983 8B4E58 mov ecx, dword ptr [esi+58]
:0041C986 B801000000 mov eax, 00000001
:0041C98B 03C8 add ecx, eax
:0041C98D 0F80A8030000 jo 0041CD3B
:0041C993 894E58 mov dword ptr [esi+58], ecx
:0041C996 E919FFFFFF jmp 0041C8B4
====>循环，直至取完试炼码！

—————————————————————————————————
【算法总结】：

1、注册码格式为：N-K

2、N是注册名，可以为任意字符

3、K的最后8位数字=注册源码131A4F8 + 7B2CA1结果的10进制值

—————————————————————————————————
【完美爆破】：

1、0041C895 0F8540010000 jne 0041C9DB
改为： 909090909090 NOP掉！

2、0041C981 7518 jne 0041C99B
改为： EB18 JMP 0041C99B

—————————————————————————————————
【注册信息保存】：

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\notepad\regist]
"regnumber"="fly-28103065"

—————————————————————————————————
【整理】：

源码：131A4F8
注册码：fly-28103065

—————————————————————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-06-18 17:40