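Title: Here is a VB cracking tutorial; take a look at where the author set his breakpoints. It takes some digesting, heh. Whether you love VB or hate VB, come and have a look. (Repost)
Content: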
THE LESS ATTITUDE OF FISHING SERIAL NUMBER
Andy v2.17
A Piratical Tutes
by ASTAGA [CiA/TTM] - The Tutorial Machine
WHAT THE ROCK SAYS
Andy is a Windows Rename utility especially designed
for managing picture and music files.
Features:
o Rename Files or Folders in a Single Click
o Rename Files or Folders using Sequential Numbering or Lettering
o Create New Names based on the Original Name
o Change the Case of File or Folder Names
o Word List support and user template for Change Case
o Set the File Date and Time
o Set the File or Folder Attributes
o Move, Copy and Delete Files or Folders
o Rename Files and Folders with Search and Replace
o Arrange Pictures for numbering via Thumbnail Images
o Full size Picture Viewer linked to the Rename List
o Edit MP3 Tags
o Subfolder Support for most Actions
o MS Office Style Toolbars
o Drag and Drop Support
o Favorites List
o Template support for saving and reusing New Names
o Plus much More!
!!WARNING!!
Andy does exactly what you tell it. If you rename, delete
or move system or software files... your computer may stop
functioning.
SMELL THE ROCK
Realm Software
http://www.realm-online.com/html/products/andyintro.htm
http://www.realm-online.com/html/products/andydown.htm
http://www.realm-online.com/ftp/Andy217.exe
(1.7Mb) - 2/6/2001
THE DUSTY ROADS
o Andy was developed using Visual Basic 6.0 (Service Pack 4).
Visual Basic 6.0 requires a one time installation of the
VB6 runtime library. If you're using other Visual Basic 6.0
software you don't need to install the library again.
It won't hurt to install the library again if you're unsure.
Download (vbrun60sp4.exe) :
http://www.realm-online.com/ftp/vbrun60sp4.exe
o When the program is VB then try SoftIce first.
When the going gets tough try SmartCheck.
When the tough gets tough decompile them.
When frustration comes, buy the program!
( ASTAGA 7388:1050 HELL YEAH )
o This is my experiment on finding a valid s/n in a VB6
based program.
All you have to do is break within a MSVBVM60.DLL
function ( you can set any breakpoint that may be possible,
i.e. __vbastrcopy ; __vbastrmove ; etc. - please read
Eternal Bliss' essay ); then do a search byte and
finally press F5 or F11 keys around 27 times.
And there lies your real code in the EDI register.
THIS IS A SMELL OF THE ROCK
Run ANDY.EXE, in the registration dialog box type
the following information :
User Name : Red Rackham
Reg Code : 73881050
Do not click the OK button yet
Load SoftIce, set a breakpoint as follows :
: BPX HEAPFREE [enter]
F5 to return to the main program
Now, click the OK button, you'll return back into SoftIce!
Within SoftIce press F5 2 times then F11 once, until
you see and break at the code snippet below :
______________________________________________________________
015F:6602CB07 FF15C4100066         CALL [KERNEL32!HeapFree]
015F:6602CB0D 8BC6                 MOV EAX,ESI
015F:6602CB0F 5F                   POP EDI
015F:6602CB10 5E                   POP ESI
015F:6602CB11 5D                   POP EBP
015F:6602CB12 C20C00               RET 000C ==> F10
...
015F:6605F1A3 E80FD9FCFF           CALL 6602CAB7
015F:6605F1A8 C20800               RET 0008 ==> F10
...
015F:004F653A FF92A0000000         CALL [EDX+000000A0] <== bpx here
015F:004F6540 DBE2                 FCLEX <== break here
015F:004F6542 898514FFFFFF         MOV [EBP-00EC],EAX
015F:004F6548 83BD14FFFFFF00       CMP DWORD PTR [EBP-00EC],00
015F:004F654F 7D26                 JGE 004F6577
015F:004F6551 68A0000000           PUSH 000000A0
015F:004F6556 68C4EB4400           PUSH 0044EBC4
015F:004F655B 8B8D18FFFFFF         MOV ECX,[EBP-00E8]
015F:004F6561 51                   PUSH ECX
015F:004F6562 8B9514FFFFFF         MOV EDX,[EBP-00EC]
015F:004F6568 52                   PUSH EDX
015F:004F6569 FF1588104000         CALL [MSVBVM60!__vbaHresultCheckObj]
015F:004F656F 8985D0FEFFFF         MOV [EBP-0130],EAX
015F:004F6575 EB0A                 JMP 004F6581
015F:004F6577 C785D0FEFFFF00000000 MOV DWORD PTR [EBP-0130],00000000
015F:004F6581 8B45D4               MOV EAX,[EBP-2C]
015F:004F6584 8985E8FEFFFF         MOV [EBP-0118],EAX
015F:004F658A C745D400000000       MOV DWORD PTR [EBP-2C],00000000
015F:004F6591 8B8DE8FEFFFF         MOV ECX,[EBP-0118]
015F:004F6597 894DB4               MOV [EBP-4C],ECX
...
_____________________________________________________________________
When you break on HEAPFREE, just step past those 2 RET commands
and set a new breakpoint as follows :
: bd * [enter]
: bpx 015F:004F653A
Start tracing by pressing F10 - stop at 015F:004F6584 - dump
the EAX register :
: d eax [enter] ==> your name appears at virtual address 0167:0058A590.
Still at 015F:004F6584, do a search byte and type in the
Command Line as follows :
: S 0 L FFFFFFFFFFFFFFF F3 66 A7 74 05 1B C0 [enter]
Pattern found at 0167:653C2E2E (653C2E2E)
: bd * [enter]
: bpx 0167:653C2E2E [enter]
Press F5 to let SoftIce break into the new location
If nothing goes wrong you'll break at the code snippet below :
EAX=00000000 EBX=00000010 ECX=00000008 ESI=0058A0F8
EDI=110085EC EBP=0077D96C ESP=0077D95C o d I s Z a P c
CS=015F DS=0167 SS=0167 ES=0167 FS=391F GS=0000
------------------------------dword-------------PROT---(0)--
0167:653C2E2E 74A766F3 83C01B05 167D457F .f.t........E}.
0167:653C2E3E 5E5FC033 10C2C95B EBFC4589 3._^[.....F..E..
0167:653C2E4E FC598BAF C2F6B3EB 4D8B0845 ..Y......t#.E..M
...
...
------------------------------------------------------------
015F:653C2E2C 33C0   XOR EAX,EAX
015F:653C2E2E F366A7 REPZ CMPSW <=== break here
015F:653C2E31 7405   JZ 653C2E38
...
____________________________________________________________
Break due to BPX #0167:653C2E2E
While at the break at 015F:653C2E2E, press F5 or F11 keys around
27 TIMES (!!!), during this action you'll see that the value
in the EDI register changes.
At the 27th press of the F5 key you'll see EDI=0057A638.
Now, it's time to check what is inside the EDI and ESI registers :
: d edi [enter] ==> did you see 1.2.5.1.-.2.2.1.1.-.6.9.2.1
at virtual address 0167:0057A638 ?
Write it down.
: d esi [enter] ==> your fake 7.3.8.8.1.0.5.0. at virtual
address 0167:0058BDF0
Up to this step I have no intention to continue tracing the
rest of the code.
The above facts make it obvious that your fake code is
being compared with the real one.
It's your turn to check whether the JZ instruction at 015F:653C2E31
brings you to the beggar-off message or not.
Further, I am not sure whether the above REPZ CMPSW at
015F:653C2E2E is similar to Razzia's (VB3/4) comparison
address.
GIVE ME THE HELL YEAH
Let's register this program by keying in 1251-2211-6921
as your reg. code.
Click the OK button .... there, you're registered.
THE ROCK BASE HOUSE
The correct registration code is stored in the registry
as follows :
REGEDIT14
[HKEY_LOCAL_MACHINE\Software\Software.pair.com\Soft-Guard1.10
\=E 29}swj?S-$Fp.";7 2%P?";P$0]Xm5PTS`8"`_HI(PL$&%^\
LicensedUsers]
"User1"="Red Rackham"
"Code1"=",{{m,I{,I{$&{," <== 1251-2211-6921
"User2"="Virtual Realm"
"Code2"=",{{N{I{mI{w${7" <== 1231-1511-9801
Your registration code will also be saved in REGISTER.TXT
as follows :
Your Andy Registration Code is Listed Below.
You may Delete or Move this File.
Name: Red Rackham
Key: 1251-2211-6921
THE BONG HITS
00) * BPX HEAPFREE
01) * BPX 015F:004F653A
02) BPX 015F:653C2E2E
THERE IS NOTHING HINTS SO CLEAN & CLEAR AS IT
AS HELL 'ASTAGA' YEAH.
HELL YEAH GAME is OVER
Respect the Author and do not attempt to register this
program by using your own user name, unless you pay
US$20.00 for official licensing.
DON'T BE A LAMER BY DISTRIBUTING YOUR CRACK RELEASE
BASED ON THIS TUTORIAL.
============== D I S C L A I M E R =============
THIS PAPER IS NOT INTENDED TO VIOLATE COPYRIGHTS
LAW BUT EDUCATIONAL PURPOSES ONLY. I HOLD NO
RESPONSIBILITY ( IN ANY SHAPE WHATSOEVER ) OF THE
MIS-USE OF THIS MATERIAL. NO PARTS OF THIS PAPER
IS SOLD/RENT FOR COMMERCIAL NOR PERSONAL BENEFIT.
ASTAGA [CIA/TTM] tute-andy217.zip
[E0F] 8/30/01 12:30 AM
Tute Layout FREE VERSION C
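- Title: Here is a VB cracking tutorial; take a look at where the author set his breakpoints. It takes some digesting, heh. Whether you love VB or hate VB, come and have a look... (9,000 characters)
- Author: CrackerABC[BCG]
- Time: 2001-12-30 8:34:15
- Link: http://bbs.pediy.com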
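
The tutorial's central observation (the entered code being compared against the real one by REPZ CMPSW) is, seen from the vendor's side, a design flaw: the client itself builds the valid code in memory. As an added example that is not part of the original tutorial and not Andy's or Soft-Guard's actual algorithm, the Python below contrasts that pattern with a client that only verifies a signature; `derive_serial`, `issue_code`, `verify_code` and the toy RSA key are assumptions made for illustration.

```python
import hashlib

# --- Weak design (hypothetical derivation, NOT Andy's real algorithm) ---
def derive_serial(name: str) -> str:
    """Everything needed to build a valid code ships inside the client."""
    raw = int.from_bytes(hashlib.sha256(name.encode()).digest()[:8], "big")
    digits = str(raw).zfill(12)[:12]
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def weak_check(name: str, code: str) -> bool:
    expected = derive_serial(name)   # the valid code now sits in process memory
    return code == expected          # the comparison a debugger can observe

# --- Hardened design: the client holds a public key only ---
# Toy RSA key built from two Mersenne primes so the block runs with the
# standard library alone. It is far too small for real use; a product would
# use a vetted signature library and a full-size key.
_P, _Q = 2**61 - 1, 2**31 - 1        # vendor-side secret, shown only so this runs
N, E = _P * _Q, 65537                # public key: the only key material shipped

def _digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def issue_code(name: str) -> str:
    """Vendor side only: needs the private exponent, which never ships."""
    d = pow(E, -1, (_P - 1) * (_Q - 1))      # Python 3.8+ modular inverse
    return format(pow(_digest(name), d, N), "x")

def verify_code(name: str, code: str) -> bool:
    """Client side: recomputes a digest of the name, never a valid code."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False                 # malformed input is simply rejected
    return 0 <= sig < N and pow(sig, E, N) == _digest(name)

if __name__ == "__main__":
    user = "Constructed User"        # constructed sample input
    print("weak client can mint:", derive_serial(user))
    code = issue_code(user)
    print("signed code verifies:", verify_code(user, code))
    print("garbage code verifies:", verify_code(user, "not-hex"))
```

In the hardened path the only values visible in the client's memory are the user's input and a hash of the name, so observing the comparison yields nothing that can be typed back in as a code.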