鹏跃俄罗斯方块游戏 (Pengyue Tetris) 1.0
Size: 111KB
Language: Simplified Chinese
Category: Domestic software / shareware / block games
Runs on: Win9x/Me/NT/2000/XP
Added: 2003-10-9 6:38:19
Description: A very fun little game supporting single-player and two-player head-to-head play, with several speeds, levels and colour schemes to choose from; come and try it! The unregistered shareware version has some functional limitations, which are lifted automatically after registration.
Crack author: acacia
Purpose: I am a beginner at cracking; this article is for learning purposes only and has no other intent.
Protection: The unregistered shareware version has some functional limitations, which are lifted automatically after registration.
Environment: Windows 2000 Professional + SP3
Tools: FI, SmartCheck v6.20 (Dragon Chinese localization), VBExplore v1.01, OllyDbg v1.09c (聆风听雨 Chinese localization)
Impressions: This was my first contact with p-code. At first I traced directly with W32Dasm 10 and OllyDbg, which led me down a lot of detours, and I only got as far as the length comparison. Later I read virtualspace's article from the day before yesterday, 《有关VB程序P-CODE代码逆向工程入门浅说》 (an introductory note on reverse engineering VB p-code), and things suddenly became clear. There is still far too much to learn; keep at it!
Process:
1. First, scan the main program pyfk.exe with FI: it is compiled with VB6.0 and has no packer;
2. Load it in SmartCheck, which reports that the program is p-code and cannot be debugged;
3. Open the program in VBExplore, locate the registration form frmTip, open its code, and find the Click handler of cmdOK;
4. Do a preliminary analysis of the p-code. The referenced strings show up as garbage, so replace them with the correct strings using VBExplore's string viewer window. The preliminary flow is: read the registration code, check whether its length is 8, then take characters 3, 5 and 7 of the code, compute on them and compare the result with the value 30 (1E hex);
5. Because I was unfamiliar with p-code, I traced dynamically in OllyDbg to pin down the registration algorithm precisely.
------------------------------------------------------------------------
:0041759D 0DA0000600 VCallHresult ;Call ptr_00408784
:004175A2 6C74FF ILdRf ;Push DWORD [LOCAL_008C]
:004175A5 4A FnLenStr ;vbaLenBstr
:004175A6 F508000000 LitI4 ;Push 00000008 //check whether the entered registration code has length 8
:004175AB CC NeI4 ;
:004175AC 2F74FF FFree1Str ;SysFreeString [LOCAL_008C]; [LOCAL_008C]=0
:004175AF 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:004175B2 1C8000 BranchF ;If Pop=0 then ESI=00417610 //jump if code length == 8
:004175B5 27F4FE LitVar ;PushVar LOCAL_010C
:004175B8 2714FF LitVar ;PushVar LOCAL_00EC
******Possible String Ref To->"输入错误" //"Input error"
|
:004175BB 3A44FF0700 LitVarStr ;PushVarString ptr_004087C4
:004175C0 4E34FF FStVarCopyObj ;[LOCAL_00CC]=vbaVarDup(Pop)
:004175C3 0434FF FLdRfVar ;Push LOCAL_00CC
:004175C6 F500000000 LitI4 ;Push 00000000
******Possible String Ref To->"没有输入注册码或位数不对,请重新输入" //"No registration code entered or wrong number of digits, please re-enter"
|
:004175CB 3A64FF0800 LitVarStr ;PushVarString ptr_00408798
:004175D0 4E54FF FStVarCopyObj ;[LOCAL_00AC]=vbaVarDup(Pop)
:004175D3 0454FF FLdRfVar ;Push LOCAL_00AC
**********Reference To->msvbvm60.rtcMsgBox //length != 8: show error
|
:004175D6 0A09001400 ImpAdCallFPR4 ;Call ptr_004010A0; check stack 0014; Push EAX
:004175DB 36080054FF34FF14 FFreeVar ;Free 0008/2 variants
******Possible String Ref To->""
|
:004175E6 1B0A00 LitStr ;Push ptr_004084E8
:004175E9 21 FLdPrThis ;[SR]=[stack2]
:004175EA 0F0803 VCallAd ;Return the control index 04
:004175ED 1978FF FStAdFunc ;
:004175F0 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:[propput]TextBox.Text
|
:004175F3 0DA4000600 VCallHresult ;Call ptr_00408784
:004175F8 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:004175FB 21 FLdPrThis ;[SR]=[stack2]
:004175FC 0F0803 VCallAd ;Return the control index 04
:004175FF 1978FF FStAdFunc ;
:00417602 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:TextBox.SetFocus
|
:00417605 0D04020600 VCallHresult ;Call ptr_00408784
:0041760A 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:0041760D 1E8F02 Branch ;ESI=0041781F
:00417610 0474FF FLdRfVar ;Push LOCAL_008C //when length == 8
:00417613 21 FLdPrThis ;[SR]=[stack2]
:00417614 0F0803 VCallAd ;Return the control index 04
:00417617 1978FF FStAdFunc ;
:0041761A 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:[propget]TextBox.Text
|
:0041761D 0DA0000600 VCallHresult ;Call ptr_00408784
:00417622 04E8FE FLdRfVar ;Push LOCAL_0118
:00417625 21 FLdPrThis ;[SR]=[stack2]
:00417626 0F0803 VCallAd ;Return the control index 04
:00417629 19ECFE FStAdFunc ;
:0041762C 08ECFE FLdPr ;[SR]=[LOCAL_0114]
***********Reference To:[propget]TextBox.Text
|
:0041762F 0DA0000600 VCallHresult ;Call ptr_00408784
:00417634 28D8FE0100 LitVarI2 ;PushVarInteger 0001
:00417639 F505000000 LitI4 ;Push 00000005
:0041763E 3EE8FE FLdZeroAd ;Push DWORD [LOCAL_0118]; [LOCAL_0118]=0 //test code: "12345678"
:00417641 46F4FE CVarStr ;
:00417644 04C8FE FLdRfVar ;Push LOCAL_0138
**********Reference To->msvbvm60.rtcMidCharVar //mid(5,1)
|
:00417647 0A0B001000 ImpAdCallFPR4 ;Call ptr_004010BE; check stack 0010; Push EAX
:0041764C 04C8FE FLdRfVar ;Push LOCAL_0138
:0041764F FDFEC4FE CStrVarVal ;
**********Reference To->msvbvm60.rtcR8ValFromBstr //string to int : p5
|
:00417653 0A0C000400 ImpAdCallFPR4 ;Call ptr_004010A6; check stack 0004; Push EAX
:00417658 7480FE FStFPR8 ;Fstp#8 [LOCAL_0180]
:0041765B 04BCFE FLdRfVar ;Push LOCAL_0144
:0041765E 21 FLdPrThis ;[SR]=[stack2]
:0041765F 0F0803 VCallAd ;Return the control index 04
:00417662 19C0FE FStAdFunc ;
:00417665 08C0FE FLdPr ;[SR]=[LOCAL_0140]
***********Reference To:[propget]TextBox.Text
|
:00417668 0DA0000600 VCallHresult ;Call ptr_00408784
:0041766D 289CFE0100 LitVarI2 ;PushVarInteger 0001
:00417672 F507000000 LitI4 ;Push 00000007
:00417677 3EBCFE FLdZeroAd ;Push DWORD [LOCAL_0144]; [LOCAL_0144]=0 //test code: "12345678"
:0041767A 46ACFE CVarStr ;
:0041767D 048CFE FLdRfVar ;Push LOCAL_0174
**********Reference To->msvbvm60.rtcMidCharVar //mid(7,1)
|
:00417680 0A0B001000 ImpAdCallFPR4 ;Call ptr_004010BE; check stack 0010; Push EAX
:00417685 048CFE FLdRfVar ;Push LOCAL_0174
:00417688 FDFE88FE CStrVarVal ;
**********Reference To->msvbvm60.rtcR8ValFromBstr //string to int : p7
|
:0041768C 0A0C000400 ImpAdCallFPR4 ;Call ptr_004010A6; check stack 0004; Push EAX
:00417691 7478FE FStFPR8 ;Fstp#8 [LOCAL_0188]
:00417694 2834FF0100 LitVarI2 ;PushVarInteger 0001
:00417699 F503000000 LitI4 ;Push 00000003
:0041769E 3E74FF FLdZeroAd ;Push DWORD [LOCAL_008C]; [LOCAL_008C]=0 //test code: "12345678"
:004176A1 4654FF CVarStr ;
:004176A4 0414FF FLdRfVar ;Push LOCAL_00EC
**********Reference To->msvbvm60.rtcMidCharVar //mid(3,1)
|
:004176A7 0A0B001000 ImpAdCallFPR4 ;Call ptr_004010BE; check stack 0010; Push EAX
:004176AC 0414FF FLdRfVar ;Push LOCAL_00EC
:004176AF FDFEF0FE CStrVarVal ;
**********Reference To->msvbvm60.rtcR8ValFromBstr //string to int : p3
|
:004176B3 0A0C000400 ImpAdCallFPR4 ;Call ptr_004010A6; check stack 0004; Push EAX
:004176B8 6F80FE FLdFPR8 ;Fld#8 [LOCAL_0180] //p5
:004176BB B3 MulR8 ; //t1 = p3*p5
:004176BC 6F78FE FLdFPR8 ;Fld#8 [LOCAL_0188] //p7
:004176BF AB AddR8 ; //t2 = t1 + p7
:004176C0 ED CR8R8 ;
:004176C1 F41E LitI2_Byte ;Push 1E //push 30
:004176C3 EB CR8I2 ;
:004176C4 C8 EqR4 ; //30 == t2 ?
:004176C5 320600F0FEC4FE88 FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0006/2 times ~ arg
:004176CE 29060078FFECFEC0 FFreeAd ;
:004176D7 36120054FF34FF14 FFreeVar ;Free 0012/2 variants
:004176EC 1C2D02 BranchF ;If Pop=0 then ESI=004177BD //if not equal, jump to the error branch
******Possible String Ref To->"y" //registry data value "y"
|
:004176EF 1B0D00 LitStr ;Push ptr_00407F90
:004176F2 080800 FLdPr ;[SR]=[STACK_0008]
:004176F5 FD913800 MemStStrCopy ;[SR]+0038=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop
:004176F9 0474FF FLdRfVar ;Push LOCAL_008C
:004176FC 0478FF FLdRfVar ;Push LOCAL_0088
:004176FF 050000 ImpAdLdRf ;Push ptr
:00417702 240100 NewIfNullPr ;[Pop] [SR]
***********Reference To:Global.App
|
:00417705 0D14000200 VCallHresult ;Call ptr_00407CCC
:0041770A 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:[propget]App.EXEName //registry key: "pyfk" -- the program name
|
:0041770D 0D58000E00 VCallHresult ;Call ptr_00407F5C
:00417712 080800 FLdPr ;[SR]=[STACK_0008]
:00417715 8A3800 MemLdStr ;Push DWORD [[SR]+0038]
******Possible String Ref To->"zcf" //registry value name "zcf"
|
:00417718 1B0F00 LitStr ;Push ptr_00407F84
******Possible String Ref To->"Options" //registry key: "Options"
|
:0041771B 1B1000 LitStr ;Push ptr_00407F70
:0041771E 6C74FF ILdRf ;Push DWORD [LOCAL_008C]
**********Reference To->msvbvm60.rtcSaveSetting //write to the registry
|
:00417721 0A11001000 ImpAdCallFPR4 ;Call ptr_004010DC; check stack 0010; Push EAX
:00417726 2F74FF FFree1Str ;SysFreeString [LOCAL_008C]; [LOCAL_008C]=0
:00417729 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:0041772C 6C0800 ILdRf ;Push DWORD [STACK_0008]
:0041772F FD9C78FF FStAdNoPop ;
:00417733 050000 ImpAdLdRf ;Push ptr
:00417736 240100 NewIfNullPr ;[Pop] [SR]
***********Reference To:Global.UnLoad
|
:00417739 0D10000200 VCallHresult ;Call ptr_00407CCC
:0041773E 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:00417741 27F4FE LitVar ;PushVar LOCAL_010C
:00417744 2714FF LitVar ;PushVar LOCAL_00EC
******Possible String Ref To->"功能限制解除" //"Function limits removed"
|
:00417747 3A44FF1200 LitVarStr ;PushVarString ptr_004087F8
:0041774C 4E34FF FStVarCopyObj ;[LOCAL_00CC]=vbaVarDup(Pop)
:0041774F 0434FF FLdRfVar ;Push LOCAL_00CC
:00417752 F500000000 LitI4 ;Push 00000000
******Possible String Ref To->"谢谢您的支持,您已经成功注册" //"Thank you for your support, you have registered successfully"
|
:00417757 3A64FF1300 LitVarStr ;PushVarString ptr_004087D4
:0041775C 4E54FF FStVarCopyObj ;[LOCAL_00AC]=vbaVarDup(Pop)
:0041775F 0454FF FLdRfVar ;Push LOCAL_00AC
**********Reference To->msvbvm60.rtcMsgBox //report successful registration
|
:00417762 0A09001400 ImpAdCallFPR4 ;Call ptr_004010A0; check stack 0014; Push EAX
:00417767 36080054FF34FF14 FFreeVar ;Free 0008/2 variants
:00417772 2744FF LitVar ;PushVar LOCAL_00BC
:00417775 25 PopAdLdVar ;
:00417776 2764FF LitVar ;PushVar LOCAL_009C
:00417779 25 PopAdLdVar ;
:0041777A 050300 ImpAdLdRf ;Push ptr
:0041777D 240400 NewIfNullPr ;[Pop] [SR]
:00417780 0DB0020500 VCallHresult ;Call ptr_0040759C
******Possible String Ref To->"鹏跃俄罗斯方块(已注册)/单人游戏" //"Pengyue Tetris (registered)/single-player game"
|
:00417785 1B1400 LitStr ;Push ptr_0040880C
:00417788 050300 ImpAdLdRf ;Push ptr
:0041778B 240400 NewIfNullPr ;[Pop] [SR]
:0041778E 0D54000500 VCallHresult ;Call ptr_0040759C
:00417793 F400 LitI2_Byte ;Push 00
:00417795 050300 ImpAdLdRf ;Push ptr
:00417798 240400 NewIfNullPr ;[Pop] [SR]
:0041779B 0F6803 VCallAd ;Return the control index 1c
:0041779E 1978FF FStAdFunc ;
:004177A1 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:[propput]Menu.Visible
|
:004177A4 0D5C001500 VCallHresult ;Call ptr_00407CAC
:004177A9 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
******Possible String Ref To->"鹏跃俄罗斯方块(已注册)/双人游戏" //"Pengyue Tetris (registered)/two-player game"
|
:004177AC 1B1600 LitStr ;Push ptr_00408838
:004177AF 051700 ImpAdLdRf ;Push ptr
:004177B2 241800 NewIfNullPr ;[Pop] [SR]
:004177B5 0D54001900 VCallHresult ;Call ptr_00407CFC
:004177BA 1E8F02 Branch ;ESI=0041781F
******Possible String Ref To->"n"
|
:004177BD 1B1A00 LitStr ;Push ptr_00408780
:004177C0 080800 FLdPr ;[SR]=[STACK_0008]
:004177C3 FD913800 MemStStrCopy ;[SR]+0038=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop
:004177C7 27F4FE LitVar ;PushVar LOCAL_010C
:004177CA 2714FF LitVar ;PushVar LOCAL_00EC
******Possible String Ref To->"注册码有误" //"Invalid registration code"
|
:004177CD 3A44FF1B00 LitVarStr ;PushVarString ptr_00408884
:004177D2 4E34FF FStVarCopyObj ;[LOCAL_00CC]=vbaVarDup(Pop)
:004177D5 0434FF FLdRfVar ;Push LOCAL_00CC
:004177D8 F500000000 LitI4 ;Push 00000000
******Possible String Ref To->"注册码输入错误,请核对再输" //"Registration code entered incorrectly, please check and re-enter"
|
:004177DD 3A64FF1C00 LitVarStr ;PushVarString ptr_00408864
:004177E2 4E54FF FStVarCopyObj ;[LOCAL_00AC]=vbaVarDup(Pop)
:004177E5 0454FF FLdRfVar ;Push LOCAL_00AC
**********Reference To->msvbvm60.rtcMsgBox
|
:004177E8 0A09001400 ImpAdCallFPR4 ;Call ptr_004010A0; check stack 0014; Push EAX
:004177ED 36080054FF34FF14 FFreeVar ;Free 0008/2 variants
:004177F8 21 FLdPrThis ;[SR]=[stack2]
:004177F9 0F0803 VCallAd ;Return the control index 04
:004177FC 1978FF FStAdFunc ;
:004177FF 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:TextBox.SetFocus
|
:00417802 0D04020600 VCallHresult ;Call ptr_00408784
:00417807 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
******Possible String Ref To->""
|
:0041780A 1B0A00 LitStr ;Push ptr_004084E8
:0041780D 21 FLdPrThis ;[SR]=[stack2]
:0041780E 0F0803 VCallAd ;Return the control index 04
:00417811 1978FF FStAdFunc ;
:00417814 0878FF FLdPr ;[SR]=[LOCAL_0088]
***********Reference To:[propput]TextBox.Text
|
:00417817 0DA4000600 VCallHresult ;Call ptr_00408784
:0041781C 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:0041781F 13 ExitProcHresult ;
[cmdlate.Click]
:0040FD9C 6C0800 ILdRf ;Push DWORD [STACK_0008]
:0040FD9F FD9C78FF FStAdNoPop ;
:0040FDA3 050000 ImpAdLdRf ;Push ptr
:0040FDA6 240100 NewIfNullPr ;[Pop] [SR]
***********Reference To:Global.UnLoad
|
:0040FDA9 0D10000200 VCallHresult ;Call ptr_00407CCC
:0040FDAE 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:0040FDB1 2758FF LitVar ;PushVar LOCAL_00A8
:0040FDB4 25 PopAdLdVar ;
:0040FDB5 2768FF LitVar ;PushVar LOCAL_0098
:0040FDB8 25 PopAdLdVar ;
:0040FDB9 050300 ImpAdLdRf ;Push ptr
:0040FDBC 240400 NewIfNullPr ;[Pop] [SR]
:0040FDBF 0DB0020500 VCallHresult ;Call ptr_0040759C
:0040FDC4 13 ExitProcHresult ;
:0040FDC5 0000 LargeBos ;IDE beginning of line with 00 byte codes
[cmdclose.Click]
:0040FCB0 6C0800 ILdRf ;Push DWORD [STACK_0008]
:0040FCB3 FD9C78FF FStAdNoPop ;
:0040FCB7 050000 ImpAdLdRf ;Push ptr
:0040FCBA 240100 NewIfNullPr ;[Pop] [SR]
***********Reference To:Global.UnLoad
|
:0040FCBD 0D10000200 VCallHresult ;Call ptr_00407CCC
:0040FCC2 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0
:0040FCC5 13 ExitProcHresult ;
:0040FCC6 0000 LargeBos ;IDE beginning of line with 00 byte codes
[Form.Load]
:00410538 0470FF FLdRfVar ;Push LOCAL_0090
:0041053B 0474FF FLdRfVar ;Push LOCAL_008C
:0041053E 050000 ImpAdLdRf ;Push ptr
:00410541 240100 NewIfNullPr ;[Pop] [SR]
***********Reference To:Global.App
|
:00410544 0D14000200 VCallHresult ;Call ptr_00407CCC
:00410549 0874FF FLdPr ;[SR]=[LOCAL_008C]
***********Reference To:[propget]App.EXEName
|
:0041054C 0D58000E00 VCallHresult ;Call ptr_00407F5C
:00410551 2860FF0100 LitVarI2 ;PushVarInteger 0001
:00410556 25 PopAdLdVar ;
******Possible String Ref To->"zcf"
|
:00410557 1B0F00 LitStr ;Push ptr_00407F84
******Possible String Ref To->"Options"
|
:0041055A 1B1000 LitStr ;Push ptr_00407F70
:0041055D 6C70FF ILdRf ;Push DWORD [LOCAL_0090]
**********Reference To->msvbvm60.rtcGetSetting
|
:00410560 0B1D001C00 ImpAdCallI2 ;Call ptr_0040107C; check stack 001C; Push EAX
:00410565 3178FF FStStr ;SysFreeString [LOCAL_0088]; [LOCAL_0088]=Pop
:00410568 2F70FF FFree1Str ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=0
:0041056B 1A74FF FFree1Ad ;Push [LOCAL_008C]; Call [[[LOCAL_008C]]+8]; [[LOCAL_008C]]=0
:0041056E 6C78FF ILdRf ;Push DWORD [LOCAL_0088]
******Possible String Ref To->"y"
|
:00410571 1B0D00 LitStr ;Push ptr_00407F90
:00410574 FB30 EqStr ;
:00410576 1C6A00 BranchF ;If Pop=0 then ESI=004105A2
:00410579 6C0800 ILdRf ;Push DWORD [STACK_0008]
:0041057C FD9C74FF FStAdNoPop ;
:00410580 050000 ImpAdLdRf ;Push ptr
:00410583 240100 NewIfNullPr ;[Pop] [SR]
***********Reference To:Global.UnLoad
|
:00410586 0D10000200 VCallHresult ;Call ptr_00407CCC
:0041058B 1A74FF FFree1Ad ;Push [LOCAL_008C]; Call [[[LOCAL_008C]]+8]; [[LOCAL_008C]]=0
:0041058E 2750FF LitVar ;PushVar LOCAL_00B0
:00410591 25 PopAdLdVar ;
:00410592 2760FF LitVar ;PushVar LOCAL_00A0
:00410595 25 PopAdLdVar ;
:00410596 050300 ImpAdLdRf ;Push ptr
:00410599 240400 NewIfNullPr ;[Pop] [SR]
:0041059C 0DB0020500 VCallHresult ;Call ptr_0040759C
:004105A1 13 ExitProcHresult ;
:004105A2 13 ExitProcHresult ;
------------------------------------------------------------------------
Summary:
1. The registration code must be 8 characters long;
2. Characters 3, 5 and 7 of the code (p3, p5, p7) must satisfy p3*p5+p7=30 (e.g. the code ==3*8+6= is accepted, since 3*8+6 = 30);
3. After a successful registration the program records a marker in the registry:
Key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\pyfk\Options
Name: zcf
Data: y
So the registration can also be performed by editing the registry directly;
4. To register again after a successful registration, just change the name or the data of that registry value.
Keygen:
Registration for this program is simple enough; omitted.
by acacia
2003-10-17