【破解作者】 mejy
【作者邮箱】 mejycracke@yeah.net
【作者主页】 mejycrack.51.net
【使用工具】 mejyDbg1.09汉化版,WinHex
【破解平台】 Win2000 ADS SP4
【软件名称】 中文内码转换巨匠1.2
【软件简介】 一个简繁内码的转化工具!VB的咚咚!
【加壳方式】 PECompact V1.68-84
【破解声明】 好久没做过算法分析了!找个软柿子捏捏!本文面向未成年人:),高手不要浪费时间!!!否则后果不负责任!
--------------------------------------------------------------------------------
【破解内容】
【一】脱壳
0045B5A0 > EB 06 JMP SHORT 中文内码.0045B5A8 载入后停在这里!
0045B5A2 68 0C1F0000 PUSH 1F0C OEP的RVA 直接再401F0C处下内存访问断点!
0045B5A7 C3 RETN
××××××××××××××××经过几次断点之后。
00401F0C 68 50B54100 PUSH 中文内码.0041B550 再这里dump程序!然后importRec修复之!
00401F11 E8 F0FFFFFF CALL 中文内码.00401F06 ; JMP to MSVBVM50.ThunRTMain
00401F16 0000 ADD BYTE PTR DS:[EAX],AL
【二】算法分析!
(1)对于这种VB的程序,由于不是pCode的可以采用SmartCheck来分析!按部就班
查看Command1Click事件,有一个vbaStrCmp的函数。这时输入的假码和真码就能看见了!这种方法30S可以找到注册码!
(2)其实利用SmartCheck可以辅助我们分析注册码的比较方式(浮点数比较还是字符串比较等)!但是找出具体细节,
还得靠OD等动态分析工具。几种有关VB的破解方法可以参照下列文章http://ymmz.nease.net/Crack/ice1.htm
从上面分析可以看出程序是比较字符串的,所以我们尝试再__vbaStrCmp设置断点
利用Od载入脱壳后的程序。Ctrl+N搜索当前模块中的名称,找到__vbaStrCmp查找参考,然后设置断点!
F9运行程序!呵呵,断下来一堆。用你的火眼金睛把明显没用的断点给去掉。你小心看的话,会发现中断的过程中
正确的注册码已经出来了。正是好烂的保护!我们暂且不管,程序全部运行起来以后,我们点击注册。输入假码试试。
怎么样,还是断下来了,我们用鼠标朝上翻,估计一下,有点像的地方,设个断点,然后再次点击注册!我选择下面:
00421FEA > 8D5F 34 LEA EBX,DWORD PTR DS:[EDI+34]
00421FED . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
00421FF0 . 8BCB MOV ECX,EBX
00421FF2 . FF15 80834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCo>; 读入机器码 这里设断点
00421FF8 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
00421FFA . 50 PUSH EAX ; 机器码入栈
00421FFB . FF15 F8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcR8ValFr>; 将字符串转化成十进制实数
00422001 . D9E1 FABS ; 浮点运算指令
00422003 . DFE0 FSTSW AX ; 保存状态字的值到AX
00422005 . A8 0D TEST AL,0D
00422007 . 0F85 01080000 JNZ dumped_.0042280E
0042200D . FF15 AC824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFpR8>>; msvbvm50.__vbaFpR8
00422013 . DC1D 30104000 FCOMP QWORD PTR DS:[401030] ; 和整数比较将st(0)和op比较 op(mem16/mem32)后;再执行一次出栈操作
00422019 . DFE0 FSTSW AX ; 保存状态字的值到AX
0042201B . F6C4 41 TEST AH,41
0042201E . 75 25 JNZ SHORT dumped_.00422045
00422020 . 6A 09 PUSH 9
【【【【省略代码N行】】】】
00422087 . 85C0 TEST EAX,EAX
00422089 . 7D 15 JGE SHORT dumped_.004220A0 ; 跳走
0042208B . 6A 50 PUSH 50
0042208D . 68 60EE4100 PUSH dumped_.0041EE60
00422092 . 8B8D 6CFFFFFF MOV ECX,DWORD PTR SS:[EBP-94]
00422098 . 51 PUSH ECX
00422099 . 50 PUSH EAX
0042209A . FF15 70824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004220A0 > 8B13 MOV EDX,DWORD PTR DS:[EBX] ; [EBX]中保存着机器码
004220A2 . 52 PUSH EDX ; 入栈
004220A3 . FF15 F8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcR8ValFr>; msvbvm50.rtcR8ValFromBstr
004220A9 . DD9D 40FFFFFF FSTP QWORD PTR SS:[EBP-C0] ; 将st(0)以整数保存到【ebp-c0】
004220AF . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; 将6669取道EAX中,这个数是哪里来得那?
我跟了半天没发现它计算的地方,猜想是程序中固定的,这时利用WINHEX搜索6669,可以看见Lable5的值就是它。
下面还有几个固定的字串。
004220B2 . 50 PUSH EAX
004220B3 . FF15 68834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaR8Str>; 将字符串转化成实数
004220B9 . DC85 40FFFFFF FADD QWORD PTR SS:[EBP-C0] ; 和机器码相加并压入堆栈
004220BF . DFE0 FSTSW AX
004220C1 . A8 0D TEST AL,0D
004220C3 . 0F85 45070000 JNZ dumped_.0042280E
004220C9 . 83EC 08 SUB ESP,8
004220CC . DD1C24 FSTP QWORD PTR SS:[ESP] ; 压入ST7
004220CF . FF15 FC824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrR8>; 将实数转化成字符串
004220D5 . 8BD0 MOV EDX,EAX ; 将字符串"74744190"放到EDX
004220D7 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004220DA . FFD6 CALL ESI ; __vbaStrMove
004220DC . 8BD0 MOV EDX,EAX
004220DE . 8BCB MOV ECX,EBX
004220E0 . FF15 80834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCo>; msvbvm50.__vbaStrCopy
004220E6 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004220E9 . 51 PUSH ECX
004220EA . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
004220ED . 52 PUSH EDX
004220EE . 6A 02 PUSH 2
004220F0 . FF15 88834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
004220F6 . 83C4 0C ADD ESP,0C
004220F9 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004220FC . FF15 F4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeO>; msvbvm50.__vbaFreeObj
00422102 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00422104 . 57 PUSH EDI
00422105 . FF90 18030000 CALL DWORD PTR DS:[EAX+318]
0042210B . 50 PUSH EAX
0042210C . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0042210F . 51 PUSH ECX
00422110 . FF15 90824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaObjSe>; msvbvm50.__vbaObjSet
00422116 . 8BD8 MOV EBX,EAX
00422118 . 8B13 MOV EDX,DWORD PTR DS:[EBX]
0042211A . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0042211D . 50 PUSH EAX
0042211E . 53 PUSH EBX
0042211F . FF52 50 CALL DWORD PTR DS:[EDX+50]
00422122 . 85C0 TEST EAX,EAX
00422124 . 7D 0F JGE SHORT dumped_.00422135
00422126 . 6A 50 PUSH 50
00422128 . 68 60EE4100 PUSH dumped_.0041EE60
0042212D . 53 PUSH EBX
0042212E . 50 PUSH EAX
0042212F . FF15 70824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00422135 > 8B4F 34 MOV ECX,DWORD PTR DS:[EDI+34]
00422138 . 51 PUSH ECX ; 相加后的字符串
00422139 . FF15 F8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcR8ValFr>; msvbvm50.rtcR8ValFromBstr
0042213F . FF15 B4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFpI4>>; msvbvm50.__vbaFpI4
00422145 . 8BD8 MOV EBX,EAX
00422147 . 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48] ; 一个字符串"73468482"
0042214A . 52 PUSH EDX
0042214B . FF15 84834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaI4Str>; msvbvm50.__vbaI4Str
00422151 . 33D8 XOR EBX,EAX ; 两个字符串转换成整数进行异或
00422153 . 53 PUSH EBX ; 异或之后的值入栈
00422154 . FF15 2C824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrI4>; 将整数转化成字符串
0042215A . 8BD0 MOV EDX,EAX ; 字符串1411900
0042215C . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0042215F . FFD6 CALL ESI
00422161 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422164 . FF15 F0834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStr
0042216A . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0042216D . FF15 F4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeO>; msvbvm50.__vbaFreeObj
00422173 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00422175 . 57 PUSH EDI
00422176 . FF90 1C030000 CALL DWORD PTR DS:[EAX+31C]
0042217C . 50 PUSH EAX
0042217D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00422180 . 51 PUSH ECX
00422181 . FF15 90824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaObjSe>; msvbvm50.__vbaObjSet
00422187 . 8BD8 MOV EBX,EAX
00422189 . 8B13 MOV EDX,DWORD PTR DS:[EBX]
0042218B . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0042218E . 50 PUSH EAX
0042218F . 53 PUSH EBX
00422190 . FF52 50 CALL DWORD PTR DS:[EDX+50]
00422193 . 85C0 TEST EAX,EAX
00422195 . 7D 0F JGE SHORT dumped_.004221A6
00422197 . 6A 50 PUSH 50
00422199 . 68 60EE4100 PUSH dumped_.0041EE60
0042219E . 53 PUSH EBX
0042219F . 50 PUSH EAX
004221A0 . FF15 70824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004221A6 > 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C] ; 上面的字符串141190
004221A9 . 51 PUSH ECX
004221AA . 8B1D 84834300 MOV EBX,DWORD PTR DS:[<&msvbvm50.__vbaI4>; msvbvm50.__vbaI4Str
004221B0 . FFD3 CALL EBX ; <&msvbvm50.__vbaI4Str>
004221B2 . 8BD0 MOV EDX,EAX
004221B4 . 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; 字符串23479853 程序中固定的lable16的值
004221B7 . 50 PUSH EAX
004221B8 . 8995 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EDX
004221BE . FFD3 CALL EBX
004221C0 . 8B8D 3CFFFFFF MOV ECX,DWORD PTR SS:[EBP-C4]
004221C6 . 33C8 XOR ECX,EAX ; 异或计算
004221C8 . 51 PUSH ECX
004221C9 . 8B1D 2C824300 MOV EBX,DWORD PTR DS:[<&msvbvm50.__vbaSt>; msvbvm50.__vbaStrI4
004221CF . FFD3 CALL EBX ; <&msvbvm50.__vbaStrI4>
004221D1 . 8BD0 MOV EDX,EAX ; “24366353”
004221D3 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004221D6 . FFD6 CALL ESI
004221D8 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
004221DB . FF15 F0834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004221E1 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004221E4 . FF15 F4834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeO>; msvbvm50.__vbaFreeObj
004221EA . 6A 05 PUSH 5 ; 取左边5个字符
004221EC . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
004221EF . 52 PUSH EDX
004221F0 . FF15 B8834300 CALL DWORD PTR DS:[<&msvbvm50.rtcLeftCha>; msvbvm50.rtcLeftCharBstr
004221F6 . 8BD0 MOV EDX,EAX ; 取左边字符
004221F8 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
004221FB . FFD6 CALL ESI
004221FD . 50 PUSH EAX
004221FE . FF15 84834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaI4Str>; 将上面的字符串转化成16进制数字
00422204 . 35 15030000 XOR EAX,315 ; 将上面转化的结果和315异或
00422209 . 50 PUSH EAX
0042220A . FFD3 CALL EBX ; 将上面的十六进制转化成十进制的字符串
0042220C . 8BD0 MOV EDX,EAX
0042220E . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00422211 . FFD6 CALL ESI
00422213 . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422216 . FF15 F0834300 CALL DWORD PTR DS:[<&msvbvm50.__vbaFreeS>; msvbvm50.__vbaFreeStr
0042221C . 8B47 40 MOV EAX,DWORD PTR DS:[EDI+40]
0042221F . 83C0 01 ADD EAX,1
00422222 . 0F80 EB050000 JO dumped_.00422813
00422228 . 8947 40 MOV DWORD PTR DS:[EDI+40],EAX
0042222B . 8D5F 38 LEA EBX,DWORD PTR DS:[EDI+38]
0042222E . 68 74EE4100 PUSH dumped_.0041EE74 ; UNICODE "NMZH"
00422233 . 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44]
00422236 . 51 PUSH ECX
00422237 . FF15 60824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCa>; 将13362和NMZH连接,作为注册码的第一部分
0042223D . 8BD0 MOV EDX,EAX
0042223F . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422242 . FFD6 CALL ESI
00422244 . 50 PUSH EAX
00422245 . 68 84EE4100 PUSH dumped_.0041EE84
0042224A . FF15 60824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCa>; 将上面连接之后的字符串和-连接
00422250 . 8BD0 MOV EDX,EAX
00422252 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
00422255 . FFD6 CALL ESI
00422257 . 50 PUSH EAX
00422258 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0042225B . 52 PUSH EDX
0042225C . FF15 60824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCa>; 再次连接形成正确的注册码
00422262 . 8BD0 MOV EDX,EAX
00422264 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00422267 . FFD6 CALL ESI
【【【省略N行】】】
0042231A . 50 PUSH EAX
0042231B . FF15 C8824300 CALL DWORD PTR DS:[<&msvbvm50.__vbaStrCm>; 将正确地注册码和输入的假码进行比较
00422321 . F7D8 NEG EAX
00422323 . 1BC0 SBB EAX,EAX
省略
00422366 . 8D47 4C LEA EAX,DWORD PTR DS:[EDI+4C]
00422369 . 50 PUSH EAX
0042236A . 68 8CEE4100 PUSH dumped_.0041EE8C ; SOFTWARE\SoftNM\DATA如果注册码相等,则写入注册表
0042236F . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00422372 . 51 PUSH ECX
00422373 . 8B35 AC834300 MOV ESI,DWORD PTR DS:[<&msvbvm50.__vbaSt>; msvbvm50.__vbaStrToAnsi
00422379 . FFD6 CALL ESI ; <&msvbvm50.__vbaStrToAnsi>
【至此完】
【三】注册机 VC6.0+Win2000Sp4调试通过
void CMyDlg::OnYes()
{
// TODO: Add your control notification handler code here
int jqm;
CString s1,s2 ;
UpdateData(TRUE);
jqm = atoi(m_jqm);
int label5 = 6669;
int label15 = 73468482;
int label16 = 23479853 ;
int sum = 0;
int temp = 0;
sum = jqm + label5; //和
sum = sum ^ label15; //异或
temp = sum ^ label16;
s1.Format("%d",sum);
s1 = s1.Left(5); //取左边5个字符
s2.Format("%d",temp); //注册码的第二步分
sum = atoi(s1);
sum = sum ^ 0x315;
m_zcm.Format("NMZH%d-%s",sum,s2);
UpdateData(FALSE);
}
--------------------------------------------------------------------------------
【破解总结】
一个简单的VB咚咚!呵呵,算练练手!你看完了吗?没笑掉大牙吧!:)
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!