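Algorithm analysis of 电脑阅卷王 (Computer Grading King) 5.2.
I had a look around the shareware registration center and deliberately picked one with a high registration fee. I expected a tough fight, but it was solved with nothing more than W32Dasm. What a letdown.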

Target: 电脑阅卷王
Language: VB 6.0
Tool: W32Dasm
Cracker: wangshq397 of [SCG]  http://422123232.91x.net

The disassembly output follows:
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
                                  |
:004278F4 FF15D8124000            Call dword ptr [004012D8]

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
                                  |
:004278FA 8B3D3C104000            mov edi, dword ptr [0040103C]
:00427900 8D459C                  lea eax, dword ptr [ebp-64]
:00427903 50                      push eax
:00427904 8D4DAC                  lea ecx, dword ptr [ebp-54]
:00427907 51                      push ecx
:00427908 6A02                    push 00000002
:0042790A FFD7                    call edi
:0042790C 8B55D0                  mov edx, dword ptr [ebp-30]
:0042790F 83C40C                  add esp, 0000000C
:00427912 52                      push edx

* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
                                  |
:00427913 FF1534104000            Call dword ptr [00401034]
:00427919 83F80A                  cmp eax, 0000000A ; compare the length: is it 10 characters?
:0042791C 0F84C1000000            je 004279E3 ; if it is 10, jump to the algorithm check

* Possible StringData Ref from Code Obj ->"SHURUYOUWUQINGCHONGXINSHURU" ; Hanyu Pinyin for "input error, please re-enter", haha!
                                  |
:00427922 BA40B94000              mov edx, 0040B940
:00427927 8D4DC8                  lea ecx, dword ptr [ebp-38]

Algorithm:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042791C(C)
|
:004279E3 BE01000000              mov esi, 00000001 ; take 1 digit

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427AA6(U)
|
:004279E8 B808000000              mov eax, 00000008 ; take at most 8 digits
:004279ED 663BF0                  cmp si, ax ; have enough been taken?
:004279F0 0F8FB5000000            jg 00427AAB ; once 8 digits are done, jump away
:004279F6 8D45AC                  lea eax, dword ptr [ebp-54]
:004279F9 50                      push eax
:004279FA 0FBFCE                  movsx ecx, si
:004279FD 8D55D0                  lea edx, dword ptr [ebp-30]
:00427A00 899574FFFFFF            mov dword ptr [ebp+FFFFFF74], edx
:00427A06 51                      push ecx
:00427A07 8D956CFFFFFF            lea edx, dword ptr [ebp+FFFFFF6C]
:00427A0D 52                      push edx
:00427A0E 8D459C                  lea eax, dword ptr [ebp-64]
:00427A11 50                      push eax
:00427A12 C745B401000000          mov [ebp-4C], 00000001
:00427A19 C745AC02000000          mov [ebp-54], 00000002
:00427A20 C7856CFFFFFF08400000    mov dword ptr [ebp+FFFFFF6C], 00004008

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
                                  |
:00427A2A FF15F8104000            Call dword ptr [004010F8]
:00427A30 8D4D9C                  lea ecx, dword ptr [ebp-64]
:00427A33 51                      push ecx
:00427A34 8D55CC                  lea edx, dword ptr [ebp-34]
:00427A37 52                      push edx

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
                                  |
:00427A38 FF15BC114000            Call dword ptr [004011BC]
:00427A3E 50                      push eax ; push 1 digit of the registration code

* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
                                  |
:00427A3F FF15E0124000            Call dword ptr [004012E0]
:00427A45 DD9D2CFFFFFF            fstp qword ptr [ebp+FFFFFF2C] 
:00427A4B 0FBFC3                  movsx eax, bx
:00427A4E 898500FFFFFF            mov dword ptr [ebp+FFFFFF00], eax
:00427A54 DB8500FFFFFF            fild dword ptr [ebp+FFFFFF00] ; load integer: the running sum, initially 0
:00427A5A DD9DF8FEFFFF            fstp qword ptr [ebp+FFFFFEF8] 
:00427A60 DD85F8FEFFFF            fld qword ptr [ebp+FFFFFEF8] 
:00427A66 DC852CFFFFFF            fadd qword ptr [ebp+FFFFFF2C] ; add
:00427A6C DFE0                    fstsw ax ; save
:00427A6E A80D                    test al, 0D 
:00427A70 0F85B9040000            jne 00427F2F 

* Reference To: MSVBVM60.__vbaFpI2, Ord:0000h
                                  |
:00427A76 FF155C124000            Call dword ptr [0040125C]
:00427A7C 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427A7F 8BD8                    mov ebx, eax

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                  |
:00427A81 FF15DC124000            Call dword ptr [004012DC]
:00427A87 8D4D9C                  lea ecx, dword ptr [ebp-64]
:00427A8A 51                      push ecx
:00427A8B 8D55AC                  lea edx, dword ptr [ebp-54]
:00427A8E 52                      push edx
:00427A8F 6A02                    push 00000002
:00427A91 FFD7                    call edi
:00427A93 B801000000              mov eax, 00000001
:00427A98 83C40C                  add esp, 0000000C
:00427A9B 6603C6                  add ax, si
:00427A9E 0F8090040000            jo 00427F34
:00427AA4 8BF0                    mov esi, eax
:00427AA6 E93DFFFFFF              jmp 004279E8 ; jump back

Computation once all 8 digits are done:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004279F0(C)
|
:00427AAB B802000000              mov eax, 00000002 ; take 2 digits at once
:00427AB0 8D4DAC                  lea ecx, dword ptr [ebp-54] 
:00427AB3 51                      push ecx
:00427AB4 8945B4                  mov dword ptr [ebp-4C], eax
:00427AB7 8945AC                  mov dword ptr [ebp-54], eax
:00427ABA 8D45D0                  lea eax, dword ptr [ebp-30] 
:00427ABD 6A09                    push 00000009
:00427ABF 8D956CFFFFFF            lea edx, dword ptr [ebp+FFFFFF6C] 
:00427AC5 898574FFFFFF            mov dword ptr [ebp+FFFFFF74], eax
:00427ACB 52                      push edx
:00427ACC 8D459C                  lea eax, dword ptr [ebp-64]
:00427ACF BE08400000              mov esi, 00004008
:00427AD4 50                      push eax
:00427AD5 89B56CFFFFFF            mov dword ptr [ebp+FFFFFF6C], esi

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
                                  |
:00427ADB FF15F8104000            Call dword ptr [004010F8]
:00427AE1 8D4D9C                  lea ecx, dword ptr [ebp-64]
:00427AE4 51                      push ecx
:00427AE5 8D55CC                  lea edx, dword ptr [ebp-34]
:00427AE8 52                      push edx

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
                                  |
:00427AE9 FF15BC114000            Call dword ptr [004011BC] 
:00427AEF 50                      push eax ; push the last 2 digits of the registration code

The code below looks familiar; it is almost identical to the code above.
* Reference To: MSVBVM60.rtcR8ValFromBstr, Ord:0245h
                                  |
:00427AF0 FF15E0124000            Call dword ptr [004012E0]
:00427AF6 DD9D2CFFFFFF            fstp qword ptr [ebp+FFFFFF2C] 
:00427AFC 0FBFC3                  movsx eax, bx
:00427AFF 8985F4FEFFFF            mov dword ptr [ebp+FFFFFEF4], eax
:00427B05 DB85F4FEFFFF            fild dword ptr [ebp+FFFFFEF4] ; the sum of the 8 digits above
:00427B0B DD9DECFEFFFF            fstp qword ptr [ebp+FFFFFEEC]
:00427B11 DD85ECFEFFFF            fld qword ptr [ebp+FFFFFEEC] 
:00427B17 DC852CFFFFFF            fadd qword ptr [ebp+FFFFFF2C] ; add the last 2 digits to the sum of the 8 digits above
:00427B1D DFE0                    fstsw ax ; save
:00427B1F A80D                    test al, 0D
:00427B21 0F8508040000            jne 00427F2F

* Reference To: MSVBVM60.__vbaFpI2, Ord:0000h
                                  |
:00427B27 FF155C124000            Call dword ptr [0040125C]
:00427B2D 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427B30 8BD8                    mov ebx, eax ; move to EBX

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                  |
:00427B32 FF15DC124000            Call dword ptr [004012DC]
:00427B38 8D4D9C                  lea ecx, dword ptr [ebp-64]
:00427B3B 51                      push ecx
:00427B3C 8D55AC                  lea edx, dword ptr [ebp-54]
:00427B3F 52                      push edx
:00427B40 6A02                    push 00000002
:00427B42 FFD7                    call edi
:00427B44 83C40C                  add esp, 0000000C
:00427B47 6683FB64                cmp bx, 0064 ; compare with 64
:00427B4B 0F84CA000000            je 00427C1B ; equal? If so, jump; the jump means success

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                  |
:00427B51 8B3510124000            mov esi, dword ptr [00401210]

* Possible StringData Ref from Code Obj ->"SHURUYOUWUQINGCHONGXINSHURU" ; Hanyu Pinyin for "input error, please re-enter". ^_^
                                  |
:00427B57 BA40B94000              mov edx, 0040B940
:00427B5C 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427B5F FFD6                    call esi

* Possible StringData Ref from Code Obj ->"FRM_REG"
                                  |
:00427B61 BAF8B74000              mov edx, 0040B7F8
:00427B66 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427B69 FFD6                    call esi
:00427B6B 8D45C8                  lea eax, dword ptr [ebp-38]
:00427B6E 50                      push eax
:00427B6F 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427B72 51                      push ecx
:00427B73 E848E80400              call 004763C0

Saving the registration code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00427B4B(C)
|
:00427C1B 8D55D0                  lea edx, dword ptr [ebp-30]
:00427C1E 899574FFFFFF            mov dword ptr [ebp+FFFFFF74], edx
:00427C24 89B56CFFFFFF            mov dword ptr [ebp+FFFFFF6C], esi

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                  |
:00427C2A 8B3510124000            mov esi, dword ptr [00401210]

* Possible StringData Ref from Code Obj ->"zhuce" ; write key value: save the registration code
                                  |
:00427C30 BA0CB84000              mov edx, 0040B80C
:00427C35 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427C38 C78534FFFFFF01000000    mov dword ptr [ebp+FFFFFF34], 00000001
:00427C42 FFD6                    call esi

* Possible StringData Ref from Code Obj ->"Software\SiQiSoft\pcomr40\" 
                                  |
:00427C44 BA9CB74000              mov edx, 0040B79C
:00427C49 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427C4C FFD6                    call esi
:00427C4E 8D8534FFFFFF            lea eax, dword ptr [ebp+FFFFFF34]
:00427C54 50                      push eax
:00427C55 8D8D6CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF6C]
:00427C5B 51                      push ecx
:00427C5C 8D55C8                  lea edx, dword ptr [ebp-38]
:00427C5F 52                      push edx
:00427C60 8D45CC                  lea eax, dword ptr [ebp-34]
:00427C63 50                      push eax
:00427C64 8D8D38FFFFFF            lea ecx, dword ptr [ebp+FFFFFF38]
:00427C6A 51                      push ecx
:00427C6B 8D55AC                  lea edx, dword ptr [ebp-54]
:00427C6E 52                      push edx
:00427C6F C78538FFFFFF01000080    mov dword ptr [ebp+FFFFFF38], 80000001
:00427C79 E852AE0300              call 00462AD0

* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
                                  |
:00427C7E 8B1D1C124000            mov ebx, dword ptr [0040121C]
:00427C84 8D45C8                  lea eax, dword ptr [ebp-38]
:00427C87 50                      push eax
:00427C88 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427C8B 51                      push ecx
:00427C8C 6A02                    push 00000002
:00427C8E FFD3                    call ebx
:00427C90 83C40C                  add esp, 0000000C
:00427C93 8D4DAC                  lea ecx, dword ptr [ebp-54]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
                                  |
:00427C96 FF1524104000            Call dword ptr [00401024]

* Possible StringData Ref from Code Obj ->"feifa" ; write key value: registration method illegal?
                                  |
:00427C9C BA7CB94000              mov edx, 0040B97C
:00427CA1 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427CA4 FFD6                    call esi

* Possible StringData Ref from Code Obj ->"Software\SiQiSoft\pcomr40\"
                                  |
:00427CA6 BA9CB74000              mov edx, 0040B79C
:00427CAB 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427CAE FFD6                    call esi
:00427CB0 8D55C8                  lea edx, dword ptr [ebp-38]
:00427CB3 52                      push edx
:00427CB4 8D45CC                  lea eax, dword ptr [ebp-34]
:00427CB7 50                      push eax
:00427CB8 8D8D38FFFFFF            lea ecx, dword ptr [ebp+FFFFFF38]
:00427CBE 51                      push ecx
:00427CBF 8D55AC                  lea edx, dword ptr [ebp-54]
:00427CC2 52                      push edx
:00427CC3 C78538FFFFFF01000080    mov dword ptr [ebp+FFFFFF38], 80000001
:00427CCD E81EA80300              call 004624F0
:00427CD2 8D45C8                  lea eax, dword ptr [ebp-38]
:00427CD5 50                      push eax
:00427CD6 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427CD9 51                      push ecx
:00427CDA 6A02                    push 00000002 
:00427CDC FFD3                    call ebx
:00427CDE 83C40C                  add esp, 0000000C
:00427CE1 8D4DAC                  lea ecx, dword ptr [ebp-54]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
                                  |
:00427CE4 FF1524104000            Call dword ptr [00401024]
:00427CEA 8B4508                  mov eax, dword ptr [ebp+08]
:00427CED 8B10                    mov edx, dword ptr [eax]
:00427CEF 50                      push eax
:00427CF0 FF9204030000            call dword ptr [edx+00000304]
:00427CF6 8945B4                  mov dword ptr [ebp-4C], eax
:00427CF9 8D45AC                  lea eax, dword ptr [ebp-54]
:00427CFC 50                      push eax
:00427CFD 8D4D9C                  lea ecx, dword ptr [ebp-64]
:00427D00 51                      push ecx
:00427D01 C745AC09000000          mov [ebp-54], 00000009

* Reference To: MSVBVM60.rtcTrimVar, Ord:0208h
                                  |
:00427D08 FF15DC104000            Call dword ptr [004010DC]

* Possible StringData Ref from Code Obj ->"USERNAME" ; write key value: save the name
                                  |
:00427D0E BA8CB94000              mov edx, 0040B98C
:00427D13 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427D16 C78534FFFFFF01000000    mov dword ptr [ebp+FFFFFF34], 00000001
:00427D20 FFD6                    call esi

* Possible StringData Ref from Code Obj ->"Software\SiQiSoft\pcomr40\"
                                  |
:00427D22 BA9CB74000              mov edx, 0040B79C
:00427D27 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427D2A FFD6                    call esi
:00427D2C 8D9534FFFFFF            lea edx, dword ptr [ebp+FFFFFF34]
:00427D32 C78538FFFFFF01000080    mov dword ptr [ebp+FFFFFF38], 80000001
:00427D3C 52                      push edx
:00427D3D 8D459C                  lea eax, dword ptr [ebp-64]
:00427D40 50                      push eax
:00427D41 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427D44 51                      push ecx
:00427D45 8D55CC                  lea edx, dword ptr [ebp-34]
:00427D48 52                      push edx
:00427D49 8D8538FFFFFF            lea eax, dword ptr [ebp+FFFFFF38]
:00427D4F 50                      push eax
:00427D50 8D4D8C                  lea ecx, dword ptr [ebp-74]
:00427D53 51                      push ecx
:00427D54 E877AD0300              call 00462AD0
:00427D59 8D55C8                  lea edx, dword ptr [ebp-38]
:00427D5C 52                      push edx
:00427D5D 8D45CC                  lea eax, dword ptr [ebp-34]
:00427D60 50                      push eax
:00427D61 6A02                    push 00000002
:00427D63 FFD3                    call ebx
:00427D65 8D4D8C                  lea ecx, dword ptr [ebp-74]
:00427D68 51                      push ecx
:00427D69 8D559C                  lea edx, dword ptr [ebp-64]
:00427D6C 52                      push edx
:00427D6D 8D45AC                  lea eax, dword ptr [ebp-54]
:00427D70 50                      push eax
:00427D71 6A03                    push 00000003
:00427D73 FFD7                    call edi
:00427D75 83C41C                  add esp, 0000001C

* Possible StringData Ref from Code Obj ->"ZHUCECHENGGONGQINGCHONGXINQIDONG" ; Hanyu Pinyin for "registration successful, please restart". ^_^
                                  |
:00427D78 BAA4B94000              mov edx, 0040B9A4
:00427D7D 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427D80 FFD6                    call esi

* Possible StringData Ref from Code Obj ->"FRM_REG"
                                  |
:00427D82 BAF8B74000              mov edx, 0040B7F8
:00427D87 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00427D8A FFD6                    call esi
:00427D8C 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00427D8F 51                      push ecx
:00427D90 8D55CC                  lea edx, dword ptr [ebp-34]
:00427D93 52                      push edx
:00427D94 E827E60400              call 004763C0
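
Summary: the registration code has nothing to do with the machine code or the name. The registration code is 10 digits long; the sum of the first 8 digits added digit by digit, plus the last 2 digits, must be hexadecimal 64, i.e. decimal 100. Example: suppose the first 8 digits of the registration code are 88888888; they add up to 8*8=64, so the last 2 digits are 36 (36+64=100). The complete registration code is then 8888888836.
Please keep this intact when reposting. Thanks for reading.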
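
The check described in the summary above, modelled in C as an added example (not code from the post or from the program). It assumes digit-only input, the function names are hypothetical, and it also counts how many of the 10^10 possible 10-digit strings pass, which shows how little a bare checksum with no tie to the user name or machine actually restricts.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: model of the check in the listing; digit-only input assumed. */
int serial_accepted(const char *s)
{
    int i, sum = 0;
    if (strlen(s) != 10)                       /* cmp eax, 0Ah @ 00427919 */
        return 0;
    for (i = 0; i < 10; i++)
        if (!isdigit((unsigned char)s[i]))     /* assumption; VB's Val() is laxer */
            return 0;
    for (i = 0; i < 8; i++)                    /* loop 004279E8..00427AA6 */
        sum += s[i] - '0';
    sum += (s[8] - '0') * 10 + (s[9] - '0');   /* last 2 digits @ 00427AAB */
    return sum == 0x64;                        /* cmp bx, 0064 @ 00427B47 */
}

/* Number of 10-digit strings the check accepts, counted by digit-sum DP. */
long long count_accepted(void)
{
    long long ways[73] = {1}, next[73];        /* ways[s]: prefixes with sum s */
    long long total = 0;
    int pos, s, d;
    for (pos = 0; pos < 8; pos++) {
        memset(next, 0, sizeof next);
        for (s = 0; s <= 9 * pos; s++)
            for (d = 0; d <= 9; d++)
                next[s + d] += ways[s];
        memcpy(ways, next, sizeof ways);
    }
    for (s = 0; s <= 72; s++) {
        int tail = 100 - s;                    /* value the last 2 digits must have */
        if (tail >= 0 && tail <= 99)           /* must fit in two digits */
            total += ways[s];
    }
    return total;
}

int main(void)
{
    long long n = count_accepted();
    printf("sample from the post accepted: %d\n", serial_accepted("8888888836"));
    printf("accepted: %lld of 10^10 (about 1 in %lld)\n", n, 10000000000LL / n);
    return 0;
}
```

Every 8-digit prefix except 00000000 has exactly one passing 2-digit suffix, so roughly one random guess in a hundred is accepted.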

  • Title: Reply
  • Author: china
  • Time: 2005-02-17 05:28

All the software on www.cai2000.com/cn is registered the same way; version 6.0 on the English site also uses this same simple algorithm.

Learning Delphi.


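var
  i, b: integer;
  sn1, sn2, sn, index: string;
begin
  index := '0123456789';
  sn1 := '';
  // first 8 digits; Random(9)+1 is 1..9, so each digit is '0'..'8'
  for i := 1 to 8 do
  begin
    sn1 := sn1 + index[Random(9) + 1];
  end;
  // digit sum of the first 8 characters
  b := 0;
  for i := 1 to 8 do
  begin
    b := b + strtoint(sn1[i]);
  end;
  // the last two digits bring the total to 100
  sn2 := inttostr(100 - b);
  sn := sn1 + sn2;
  Edt1.Text := sn;

end;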

  • Title: Reply
  • Author: kyc
  • Time: 2005-03-19 13:27

Delphi really is the nimbler one.
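#include <conio.h>    // getch
#include <cstdlib>    // srand, rand, _itoa (MSVC)
#include <ctime>      // time
#include <iostream>
#include <string>
using namespace std;

int main()
{
   int i, b;
   string sn1, sn2, sn, index;
   char buffer[20];

   srand((unsigned)time(NULL));
   index = "0123456789";
   sn1 = "";
   // first 8 digits; rand()%9+1 is 1..9, so each digit is '1'..'9'
   for (i = 0; i < 8; i++)
   {
      sn1 = sn1 + index[rand() % 9 + 1];
   }
   b = 0;
   cout << sn1 << endl;

   // digit sum of the first 8 characters
   for (i = 0; i < 8; i++)
   {
      b = b + (sn1[i] - 0x30);
   }

   // the last two digits bring the total to 100
   _itoa(100 - b, buffer, 10);

   sn2 += buffer;
   sn = sn1 + sn2;
   cout << sn;

   getch();   // wait for a key press before exiting
   return 0;
}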