• Title: A VB cracking tutorial; look at where the author set his breakpoints, this deserves careful digesting, hehe, both VB lovers and VB haters should take a look... (9k characters)
  • Author: CrackerABC[BCG]
  • Time: 2001-12-30 8:34:15
  • Link: http://bbs.pediy.com

Title: A VB cracking tutorial; look at where the author set his breakpoints, this deserves careful digesting, hehe, both VB lovers and VB haters should take a look. (Repost)

Content:

THE LESS ATTITUDE OF FISHING SERIAL NUMBER



Andy v2.17
A Piratical Tutes
by ASTAGA [CiA/TTM] - The Tutorial Machine




WHAT THE ROCK SAYS



        Andy is a Windows Rename utility especially designed
        for managing picture and music files.

        Features:

        o  Rename Files or Folders in a Single Click
        o  Rename Files or Folders using Sequential Numbering or Lettering
        o  Create New Names based on the Original Name
        o  Change the Case of File or Folder Names
        o  Word List support and user template for Change Case
        o  Set the File Date and Time
        o  Set the File or Folder Attributes
        o  Move, Copy and Delete Files or Folders
        o  Rename Files and Folders with Search and Replace
        o  Arrange Pictures for numbering via Thumbnail Images
        o  Full size Picture Viewer linked to the Rename List
        o  Edit MP3 Tags
        o  Subfolder Support for most Actions
        o  MS Office Style Toolbars
        o  Drag and Drop Support
        o  Favorites List
        o  Template support for saving and reusing New Names
        o  Plus much More!


        !!WARNING!!
        Andy does exactly what you tell it.  If you rename, delete
        or move system or software files... your computer may stop
        functioning.



SMELL THE ROCK



        Realm Software
        http://www.realm-online.com/html/products/andyintro.htm
        http://www.realm-online.com/html/products/andydown.htm
        http://www.realm-online.com/ftp/Andy217.exe
        (1.7Mb) - 2/6/2001




THE DUSTY ROADS



        o  Andy was developed using Visual Basic 6.0 (Service Pack 4).
          Visual Basic 6.0 requires a one-time installation of the
          VB6 runtime library. If you're using other Visual Basic 6.0
          software you don't need to install the library again.
          It won't hurt to install the library again if you're unsure.
          Download (vbrun60sp4.exe) :
          http://www.realm-online.com/ftp/vbrun60sp4.exe

        o  When the program is VB then try SoftIce first.
          When the going gets tough try SmartCheck.
          When the tough gets tough, decompile them.
          When frustration comes, buy the program!
          ( ASTAGA 7388:1050 HELL YEAH )

        o  This is my experiment on finding a valid s/n in a VB6-based
          program.
          All you have to do is break within an MSVBVM60.DLL
          function ( you can set a breakpoint wherever possible,
          i.e. __vbastrcopy ; __vbastrmove ; etc. - please read
          Eternal Bliss' essay ); then do a byte search and
          finally press the F5 or F11 keys around 27 times.
          And there lies your real code in the EDI register.




THIS IS A SMELL OF THE ROCK




        Run ANDY.EXE, and in the registration dialog box type in
        the information below :

        User Name : Red Rackham
        Reg Code  : 73881050

        Do not click OK button yet


        Load SoftIce and set a breakpoint as follows :

        : BPX HEAPFREE  [enter]
        F5  to return to the main program


        Now, click the OK button and you'll be back in SoftIce!
        Within SoftIce press F5 2 times then F11 once, until
        you break at the code snippet below :
       
        ______________________________________________________________
       
       
        015F:6602CB07  FF15C4100066    CALL  [KERNEL32!HeapFree]
        015F:6602CB0D  8BC6            MOV  EAX,ESI
        015F:6602CB0F  5F              POP  EDI
        015F:6602CB10  5E              POP  ESI
        015F:6602CB11  5D              POP  EBP
        015F:6602CB12  C20C00          RET  000C ==> F10
        ...
        015F:6605F1A3  E80FD9FCFF      CALL  6602CAB7
        015F:6605F1A8  C20800          RET  0008 ==> F10
        ...
        015F:004F653A  FF92A0000000    CALL  [EDX+000000A0] <== bpx here
        015F:004F6540  DBE2            FCLEX              <== break here
        015F:004F6542  898514FFFFFF    MOV  [EBP-00EC],EAX
        015F:004F6548  83BD14FFFFFF00  CMP  DWORD PTR [EBP-00EC],00
        015F:004F654F  7D26            JGE  004F6577
        015F:004F6551  68A0000000      PUSH  000000A0
        015F:004F6556  68C4EB4400      PUSH  0044EBC4
        015F:004F655B  8B8D18FFFFFF    MOV  ECX,[EBP-00E8]
        015F:004F6561  51              PUSH  ECX
        015F:004F6562  8B9514FFFFFF    MOV  EDX,[EBP-00EC]
        015F:004F6568  52              PUSH  EDX
        015F:004F6569  FF1588104000    CALL  [MSVBVM60!__vbaHresultCheckObj]
        015F:004F656F  8985D0FEFFFF    MOV  [EBP-0130],EAX
        015F:004F6575  EB0A            JMP  004F6581
        015F:004F6577  C785D0FEFFFF00000000  MOV  DWORD PTR [EBP-0130],00000000
        015F:004F6581  8B45D4          MOV  EAX,[EBP-2C]
        015F:004F6584  8985E8FEFFFF    MOV  [EBP-0118],EAX
        015F:004F658A  C745D400000000  MOV  DWORD PTR [EBP-2C],00000000
        015F:004F6591  8B8DE8FEFFFF    MOV  ECX,[EBP-0118]
        015F:004F6597  894DB4          MOV  [EBP-4C],ECX
        ...
        _____________________________________________________________________

        When you break on HEAPFREE, just step past those 2 RET commands
        and set a new breakpoint as follows :

        : bd *  [enter]
        : bpx 015F:004F653A

        Start tracing by pressing F10 - stop at 015F:004F6584 - and dump
        the EAX register :

        : d eax  [enter]  ==> your name appears at virtual
                              address 0167:0058A590.

        Still at 015F:004F6584, do a byte search by typing in the
        Command Line as follows :

        : S 0 L FFFFFFFFFFFFFFF F3 66 A7 74 05 1B C0  [enter]
        Pattern found at 0167:653C2E2E (653C2E2E)

        : bd *  [enter]
        : bpx 0167:653C2E2E  [enter]
        Press F5  to let SoftIce break into new location

        If nothing goes wrong you'll break at the code snippet
        below :

        EAX=00000000  EBX=00000010  ECX=00000008  ESI=0058A0F8
        EDI=110085EC  EBP=0077D96C  ESP=0077D95C  o d I s Z a P c
        CS=015F  DS=0167  SS=0167  ES=0167  FS=391F  GS=0000
        ------------------------------dword-------------PROT---(0)--

        0167:653C2E2E 74A766F3  83C01B05  167D457F  .f.t........E}.
        0167:653C2E3E 5E5FC033  10C2C95B  EBFC4589  3._^[.....F..E..
        0167:653C2E4E FC598BAF  C2F6B3EB  4D8B0845  ..Y......t#.E..M
        ...
        ...
        ------------------------------------------------------------
        015F:653C2E2C  33C0    XOR          EAX,EAX
        015F:653C2E2E  F366A7  REPZ CMPSW  <=== break here
        015F:653C2E31  7405    JZ          653C2E38
        ...
        ____________________________________________________________
        Break due to BPX #0167:653C2E2E

        While stopped at 015F:653C2E2E, press the F5 or F11 keys around
        27 TIMES (!!!); during this you'll see that the value
        in the EDI register changes.
        On the 27th press of the F5 key you'll see EDI=0057A638.
        Now, it's time to check what is inside the EDI and ESI
        registers :

        : d edi  [enter]  ==> did you see 1.2.5.1.-.2.2.1.1.-.6.9.2.1
                              at virtual address 0167:0057A638 ?
                              Write it down.

        : d esi  [enter]  ==> your fake  7.3.8.8.1.0.5.0. at virtual
                              address 0167:0058BDF0

        Up to this step I have no intention to continue tracing the
        rest of the code.
        The above facts make it obvious that your fake code is
        (being) compared with the real one.
        It's your turn to check the JZ instruction at 015F:653C2E31,
        whether it brings you to the beggar-off message or not.
        Further, I am not sure whether the above REPZ CMPSW at
        015F:653C2E2E is similar to Razzia's (VB3/4) comparison
        address.
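What the trace above actually exposes is a design problem, not a SoftIce trick: the program builds the correct code as a wide string and compares it to the typed one unit by unit (that is what REPZ CMPSW does), so both buffers sit in memory at the compare, exactly where `d edi` and `d esi` looked. The added example below is not the program's or the tutorial's code; it models that compare in Python next to a check that only compares a stored verifier digest, so no stop at the compare reveals the code. The generator, the vendor secret and the verifier format are invented for illustration.

```python
"""Weak licence check (real code materialised and compared as a wide string)
beside a hardened one (only a digest is compared). All names are hypothetical."""
import hashlib
import hmac

VENDOR_SECRET = b"constructed-example-secret"  # constructed; should exist only at the vendor


def make_code(name: str) -> str:
    """Hypothetical keygen: 12 digits from HMAC-SHA256(secret, name), grouped 4-4-4."""
    d = hmac.new(VENDOR_SECRET, name.encode("utf-16-le"), hashlib.sha256).digest()
    digits = "".join(str(b % 10) for b in d[:12])
    return f"{digits[:4]}-{digits[4:8]}-{digits[8:]}"


def wide_compare(a: bytes, b: bytes) -> int:
    """Model of REPZ CMPSW over two UTF-16LE buffers: number of 16-bit units that
    matched before the first mismatch (all units if the shorter buffer matches)."""
    n = min(len(a), len(b)) // 2
    for i in range(n):
        if a[2 * i:2 * i + 2] != b[2 * i:2 * i + 2]:
            return i
    return n


def weak_check(name: str, entered: str):
    """Client recomputes the real code (so the secret ships with it) and compares
    wide strings; at the compare both buffers are in memory, as the trace showed.
    Returns (ok, real_code_buffer) only to make the exposure visible."""
    real = make_code(name).encode("utf-16-le")
    fake = entered.encode("utf-16-le")
    ok = len(real) == len(fake) and wide_compare(real, fake) == len(real) // 2
    return ok, real


def make_verifier(name: str, code: str) -> bytes:
    """Computed once by the vendor and shipped in the licence record instead of the code."""
    return hashlib.sha256(name.encode("utf-16-le") + code.encode("utf-16-le")).digest()


def hardened_check(name: str, entered: str, verifier: bytes) -> bool:
    """Client hashes the typed code and compares digests in constant time; the real
    code is never built, so a breakpoint on the compare sees only two digests."""
    probe = hashlib.sha256(name.encode("utf-16-le") + entered.encode("utf-16-le")).digest()
    return hmac.compare_digest(probe, verifier)
```

A bare hash verifier is still forgeable by whoever can write the licence record, so in practice the record is signed with a vendor key, which this example omits; the point here is only that the compare no longer carries the real code.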





GIVE ME THE HELL YEAH



        Let's register this program by keying in 1251-2211-6921
        as your reg. code.
        Click the OK button .... there, you're registered.



THE ROCK BASE HOUSE


        The correct registration code is stored in the registry
        as follows :
        REGEDIT14
        [HKEY_LOCAL_MACHINE\Software\Software.pair.com\Soft-Guard1.10
        \=E 29}swj?S-$Fp.";7 2%P?";P$0]Xm5PTS`8"`_HI(PL$&%^\
        LicensedUsers]
        "User1"="Red Rackham"
        "Code1"=",{{m,I{,I{$&{," <== 1251-2211-6921
        "User2"="Virtual Realm"
        "Code2"=",{{N{I{mI{w${7" <== 1231-1511-9801

        Your registration code will also be saved in REGISTER.TXT
        as follows :
        Your Andy Registration Code is Listed Below.
        You may Delete or Move this File.

        Name: Red Rackham
        Key: 1251-2211-6921



THE BONG HITS


        00) * BPX HEAPFREE
        01) * BPX 015F:004F653A
        02)  BPX 015F:653C2E2E
       
        THERE IS NOTHING HINTS SO CLEAN & CLEAR AS IT
        AS HELL 'ASTAGA' YEAH.



HELL YEAH GAME is OVER


        Respect the Author and do not attempt to register this
        program by using your own user name, unless you pay
        US$20.00 for official licensing.


        DON'T BE A LAMER BY DISTRIBUTING YOUR CRACK RELEASE
                      BASED ON THIS TUTORIAL.

        ============== D I S C L A I M E R =============
        THIS PAPER IS NOT INTENDED TO VIOLATE COPYRIGHT
        LAW BUT IS FOR EDUCATIONAL PURPOSES ONLY. I HOLD NO
        RESPONSIBILITY ( IN ANY SHAPE WHATSOEVER ) FOR THE
        MISUSE OF THIS MATERIAL. NO PART OF THIS PAPER
        IS SOLD/RENTED FOR COMMERCIAL OR PERSONAL BENEFIT.



ASTAGA [CIA/TTM] tute-andy217.zip
[E0F] 8/30/01 12:30 AM
Tute Layout FREE VERSION C