起名向导5.1
我是几个月前破解的这个软件,当时没有写破文,有些细节地方现在一时也想不起来了
因有人需要,今天用WDASM反汇编了一下,把其中一些相关代码列出,以供参考.
说明部分比较简要,请多包涵
用TRW2000装入QMXD.EXE
BPX getvolumeinformationa
F5
F12
一直按F10便可到此处
:00446720 8D45D0
lea eax, dword ptr [ebp-30]
:00446723 8D4D98
lea ecx, dword ptr [ebp-68]
:00446726 898510FFFFFF mov dword ptr
[ebp+FFFFFF10], eax
:0044672C 51
push ecx
:0044672D 8D9508FFFFFF lea edx, dword
ptr [ebp+FFFFFF08]
:00446733 6A01
push 00000001
:00446735 8D4588
lea eax, dword ptr [ebp-78]
:00446738 BB08400000 mov ebx,
00004008
:0044673D 52
push edx
:0044673E 50
push eax
:0044673F C745A00A000000 mov [ebp-60], 0000000A
:00446746 C7459802000000 mov [ebp-68], 00000002
:0044674D 899D08FFFFFF mov dword ptr
[ebp+FFFFFF08], ebx
:00446753 FFD7
call edi
:00446755 8D4D88
lea ecx, dword ptr [ebp-78]
:00446758 51
push ecx
* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00446759 FF1534104000 Call dword ptr
[00401034]
:0044675F 8BD0
mov edx, eax
;缺少第5位的正确注册码
;此处共10位,在第4位后插入'1'既得到11位的正确注册码
:00446761 8D4DD0
lea ecx, dword ptr [ebp-30]
:00446764 FFD6
call esi
:00446766 8D5588
lea edx, dword ptr [ebp-78]
:00446769 8D4598
lea eax, dword ptr [ebp-68]
:0044676C 52
push edx
:0044676D 50
push eax
:0044676E 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00446770 FF1538104000 Call dword ptr
[00401038]
:00446776 A110B24B00 mov eax,
dword ptr [004BB210]
:0044677B 83C40C
add esp, 0000000C
:0044677E 8D55B4
lea edx, dword ptr [ebp-4C]
:00446781 8B08
mov ecx, dword ptr [eax]
:00446783 52
push edx
:00446784 8D55D0
lea edx, dword ptr [ebp-30]
:00446787 52
push edx
:00446788 50
push eax
:00446789 FF5120
call [ecx+20]
:0044678C 85C0
test eax, eax
:0044678E DBE2
fclex
:00446790 7D15
jge 004467A7
:00446792 8B0D10B24B00 mov ecx, dword
ptr [004BB210]
:00446798 6A20
push 00000020
:0044679A 6890464100 push 00414690
:0044679F 51
push ecx
:004467A0 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:004467A1 FF1560104000 Call dword ptr
[00401060]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446790(C)
|
:004467A7 8B55B4
mov edx, dword ptr [ebp-4C]
:004467AA 8D4DD0
lea ecx, dword ptr [ebp-30]
:004467AD C745B400000000 mov [ebp-4C], 00000000
:004467B4 FFD6
call esi
:004467B6 8B15BCB04B00 mov edx, dword
ptr [004BB0BC]
:004467BC 52
push edx
* Possible StringData Ref from Code Obj ->"\\msys.zban"
|
:004467BD 68C0494100 push 004149C0
* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:004467C2 FF1550104000 Call dword ptr
[00401050]
:004467C8 8BD0
mov edx, eax
:004467CA 8D4DB8
lea ecx, dword ptr [ebp-48]
:004467CD FFD6
call esi
:004467CF 8D45D0
lea eax, dword ptr [ebp-30]
:004467D2 899D08FFFFFF mov dword ptr
[ebp+FFFFFF08], ebx
:004467D8 898510FFFFFF mov dword ptr
[ebp+FFFFFF10], eax
:004467DE A134B24B00 mov eax,
dword ptr [004BB234]
:004467E3 85C0
test eax, eax
:004467E5 7515
jne 004467FC
注册码第5字符必须为'1',否则不能起双字名
下段代码只有在要退出程序时才会执行
注册正确程序正常退出,否则我想跟踪过的人应该知道有什麽现象.
:0048D561 6A00
push 00000000
:0048D563 68FBFDFFFF push FFFFFDFB
:0048D568 8B08
mov ecx, dword ptr [eax]
:0048D56A 50
push eax
:0048D56B FF9118030000 call dword ptr
[ecx+00000318]
:0048D571 50
push eax
:0048D572 8D559C
lea edx, dword ptr [ebp-64]
:0048D575 52
push edx
:0048D576 FFD3
call ebx
:0048D578 50
push eax
:0048D579 8D458C
lea eax, dword ptr [ebp-74]
:0048D57C 50
push eax
* Reference To: MSVBVM60.__vbaLateIdCallLd, Ord:0000h
|
:0048D57D FF1514114000 Call dword ptr
[00401114]
:0048D583 83C410
add esp, 00000010
:0048D586 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:0048D587 8B1D34104000 mov ebx, dword
ptr [00401034]
:0048D58D FFD3
call ebx
:0048D58F 8BD0
mov edx, eax
:0048D591 8D4DE0
lea ecx, dword ptr [ebp-20]
:0048D594 FFD6
call esi
:0048D596 8D4D9C
lea ecx, dword ptr [ebp-64]
:0048D599 FFD7
call edi
:0048D59B 8D4D8C
lea ecx, dword ptr [ebp-74]
* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:0048D59E FF1524104000 Call dword ptr
[00401024]
:0048D5A4 8D4DBC
lea ecx, dword ptr [ebp-44]
:0048D5A7 898D64FFFFFF mov dword ptr
[ebp+FFFFFF64], ecx
:0048D5AD BF08400000 mov edi,
00004008
:0048D5B2 89BD5CFFFFFF mov dword ptr
[ebp+FFFFFF5C], edi
:0048D5B8 8D955CFFFFFF lea edx, dword
ptr [ebp+FFFFFF5C]
:0048D5BE 52
push edx
* Reference To: MSVBVM60.rtcKillFiles, Ord:0211h
|
:0048D5BF FF15D8104000 Call dword ptr
[004010D8]
:0048D5C5 8B45D4
mov eax, dword ptr [ebp-2C]
:0048D5C8 8B08
mov ecx, dword ptr [eax]
:0048D5CA 8D55A4
lea edx, dword ptr [ebp-5C]
:0048D5CD 52
push edx
:0048D5CE 8D55E0
lea edx, dword ptr [ebp-20]
:0048D5D1 52
push edx
:0048D5D2 50
push eax
:0048D5D3 FF5120
call [ecx+20]
:0048D5D6 DBE2
fclex
:0048D5D8 85C0
test eax, eax
:0048D5DA 7D12
jge 0048D5EE
:0048D5DC 6A20
push 00000020
:0048D5DE 6890464100 push 00414690
:0048D5E3 8B4DD4
mov ecx, dword ptr [ebp-2C]
:0048D5E6 51
push ecx
:0048D5E7 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:0048D5E8 FF1560104000 Call dword ptr
[00401060]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D5DA(C)
|
:0048D5EE 8B55A4
mov edx, dword ptr [ebp-5C] ;输入假注册码的指针
:0048D5F1 C745A400000000 mov [ebp-5C], 00000000
:0048D5F8 8D4DE0
lea ecx, dword ptr [ebp-20]
:0048D5FB FFD6
call esi
:0048D5FD C745940F000000 mov [ebp-6C], 0000000F
:0048D604 C7458C02000000 mov [ebp-74], 00000002
:0048D60B 8D55E0
lea edx, dword ptr [ebp-20]
:0048D60E 899564FFFFFF mov dword ptr
[ebp+FFFFFF64], edx
:0048D614 89BD5CFFFFFF mov dword ptr
[ebp+FFFFFF5C], edi
:0048D61A 8D458C
lea eax, dword ptr [ebp-74]
:0048D61D 50
push eax
:0048D61E 6A01
push 00000001
:0048D620 8D8D5CFFFFFF lea ecx, dword
ptr [ebp+FFFFFF5C]
:0048D626 51
push ecx
:0048D627 8D957CFFFFFF lea edx, dword
ptr [ebp+FFFFFF7C]
:0048D62D 52
push edx
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0048D62E 8B3DC0104000 mov edi, dword
ptr [004010C0]
:0048D634 FFD7
call edi
:0048D636 8D857CFFFFFF lea eax, dword
ptr [ebp+FFFFFF7C]
:0048D63C 50
push eax
:0048D63D FFD3
call ebx
:0048D63F 8BD0
mov edx, eax
:0048D641 8D4DE0
lea ecx, dword ptr [ebp-20]
:0048D644 FFD6
call esi
:0048D646 8D8D7CFFFFFF lea ecx, dword
ptr [ebp+FFFFFF7C]
:0048D64C 51
push ecx
:0048D64D 8D558C
lea edx, dword ptr [ebp-74]
:0048D650 52
push edx
:0048D651 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0048D653 FF1538104000 Call dword ptr
[00401038]
:0048D659 83C40C
add esp, 0000000C
:0048D65C C7459401000000 mov [ebp-6C], 00000001
:0048D663 C7458C02000000 mov [ebp-74], 00000002
:0048D66A 8D45E0
lea eax, dword ptr [ebp-20]
;输入假注册码的指针
:0048D66D 898564FFFFFF mov dword ptr
[ebp+FFFFFF64], eax
:0048D673 C7855CFFFFFF08400000 mov dword ptr [ebp+FFFFFF5C], 00004008
:0048D67D 8D4D8C
lea ecx, dword ptr [ebp-74]
:0048D680 51
push ecx
:0048D681 6A05
push 00000005
;取输入假注册码的第5字符
:0048D683 8D955CFFFFFF lea edx, dword
ptr [ebp+FFFFFF5C]
:0048D689 52
push edx
:0048D68A 8D857CFFFFFF lea eax, dword
ptr [ebp+FFFFFF7C] ;存储指针到该地址+8
:0048D690 50
push eax
:0048D691 FFD7
call edi
:0048D693 C78544FFFFFF386D4100 mov dword ptr [ebp+FFFFFF44], 00416D38
;存储'1'
:0048D69D C7853CFFFFFF08800000 mov dword ptr [ebp+FFFFFF3C], 00008008
:0048D6A7 8D8D7CFFFFFF lea ecx, dword
ptr [ebp+FFFFFF7C]
:0048D6AD 51
push ecx
;*[ECX+8]
;与
:0048D6AE 8D953CFFFFFF lea edx, dword
ptr [ebp+FFFFFF3C] ;
:0048D6B4 52
push edx
;*[EDX+8]
* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
|
:0048D6B5 FF15E4104000 Call dword ptr
[004010E4]
;比较?
:0048D6BB 8BF8
mov edi, eax
;相等返回EAX=-1
:0048D6BD 8D857CFFFFFF lea eax, dword
ptr [ebp+FFFFFF7C]
:0048D6C3 50
push eax
:0048D6C4 8D4D8C
lea ecx, dword ptr [ebp-74]
:0048D6C7 51
push ecx
:0048D6C8 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0048D6CA FF1538104000 Call dword ptr
[00401038]
:0048D6D0 83C40C
add esp, 0000000C
:0048D6D3 6685FF
test di, di
:0048D6D6 0F84AC000000 je 0048D788
:0048D6DC 8B55E0
mov edx, dword ptr [ebp-20]
;;输入假注册码的5位='1'则来到此处
:0048D6DF 52
push edx
* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:0048D6E0 FF1530104000 Call dword ptr
[00401030]
:0048D6E6 8BC8
mov ecx, eax
:0048D6E8 83C105
add ecx, 00000005
:0048D6EB 0F80A5050000 jo 0048DC96
* Reference To: MSVBVM60.__vbaI2I4, Ord:0000h
|
:0048D6F1 FF15F4104000 Call dword ptr
[004010F4]
:0048D6F7 898534FFFFFF mov dword ptr
[ebp+FFFFFF34], eax
:0048D6FD C78538FFFFFF79090000 mov dword ptr [ebp+FFFFFF38], 00000979
:0048D707 8D8534FFFFFF lea eax, dword
ptr [ebp+FFFFFF34]
:0048D70D 50
push eax
:0048D70E 8D8D38FFFFFF lea ecx, dword
ptr [ebp+FFFFFF38]
:0048D714 51
push ecx
:0048D715 E84635FFFF call 00480C60
:0048D71A 8B45D4
mov eax, dword ptr [ebp-2C]
:0048D71D 8B10
mov edx, dword ptr [eax]
:0048D71F 8D4DA4
lea ecx, dword ptr [ebp-5C]
:0048D722 51
push ecx
:0048D723 8D4DE0
lea ecx, dword ptr [ebp-20]
:0048D726 51
push ecx
:0048D727 50
push eax
:0048D728 FF5220
call [edx+20]
:0048D72B DBE2
fclex
:0048D72D 85C0
test eax, eax
:0048D72F 7D12
jge 0048D743
:0048D731 6A20
push 00000020
:0048D733 6890464100 push 00414690
:0048D738 8B55D4
mov edx, dword ptr [ebp-2C]
:0048D73B 52
push edx
:0048D73C 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:0048D73D FF1560104000 Call dword ptr
[00401060]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D72F(C)
|
:0048D743 8B55A4
mov edx, dword ptr [ebp-5C]
:0048D746 C745A400000000 mov [ebp-5C], 00000000
:0048D74D 8D4DE0
lea ecx, dword ptr [ebp-20]
:0048D750 FFD6
call esi
:0048D752 6A01
push 00000001
* Reference To: MSVBVM60.__vbaStrI2, Ord:0000h
|
:0048D754 FF1508104000 Call dword ptr
[00401008]
:0048D75A 8BD0
mov edx, eax
:0048D75C 8D4DA4
lea ecx, dword ptr [ebp-5C]
:0048D75F FFD6
call esi
:0048D761 50
push eax
;[EAX]='1'
* Possible StringData Ref from Code Obj ->"Fstart"
;允许取双字名
|
:0048D762 68246E4100 push 00416E24
* Possible StringData Ref from Code Obj ->"Settings"
|
:0048D767 68B04A4100 push 00414AB0
* Possible StringData Ref from Code Obj ->"myqinamexiangdaodd"
|
:0048D76C 68844A4100 push 00414A84
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:0048D771 FF150C104000 Call dword ptr
[0040100C]
:0048D777 8D4DA4
lea ecx, dword ptr [ebp-5C]
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0048D77A FF1544124000 Call dword ptr
[00401244]
:0048D780 EB06
jmp 0048D788
关于注册码的比较可从此处继续向后看
在WINDOWS\SYSTEM目录下有两个文件"insys.zban"和"msys.zban"
输入假注册码和正确注册码经加密后分别存储在这两个文件中
具体细节请感兴趣者自行分析,总之VB的代码是很烦琐的.
keyboy 于2002年3月1日
- 标 题:起名向导5.1注册码 (15千字)
- 作 者:keyboy
- 时 间:2002-3-2 0:39:55
- 链 接:http://bbs.pediy.com