下载地址:
http://www.fixdown.com/fixdown/download.asp?id=438&free=lt-down
软件类型
国产软件 / 共享软件 / 个人管理
应用平台 Win9x/NT/ME/2000/XP
软件大小
528KB
软件评价 ***
更新时间 2003-4-11 15:07:16
开发网站
http://liyueqi.myetang.com/
【软件简介】:电脑影集亦称“电脑相册”,或“计算机图象管理系统”。本系统用于对计算机中的像片(或称照片)、各类图片、图标、图象等进行翻阅、浏览、播放等功能;用户新建一目录用于存放图片(包括照片),再将电脑中的图片分类存放到不同的子目录中,比如将用户的照片存放于某一目录,将电脑中的图象存放于另一目录中,这样利于管理、浏览、播放. 用户在“翻阅”照片或图象时可双击图片,这样可显示某一图片或照片文件所在的路径及文件名。一般的相册价格都较高,但是存储的像片数量有限,易磨损,难翻阅;但“电脑影集”对像片张数没有限制,易翻阅,不磨损,且能自动播放,价廉物美。
【软件限制】:功能限制。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 10修改版
—————————————————————————————————
【过 程】:
PICSHOW.EXE
无壳。Visual Basic 6.0 编写。
呵呵,碰上这个VB的东东实在是让我扫兴。
略看了一下发现有不少的浮点运算,晕~~。静下心来细细跟踪了五遍,终于找到了一点头绪!
用户号:783009226
试炼码:13572468
—————————————————————————————————
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:004718A8 FF1548104000
Call dword ptr [00401048]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047189A(C)
|
:004718AE
8B55D8 mov edx,
dword ptr [ebp-28]
====>EDX=[ebp-28]=783009226
用户号!
* Reference
To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:004718B1
8B1D70114000 mov ebx, dword ptr [00401170]
:004718B7
8D4DD4 lea ecx,
dword ptr [ebp-2C]
:004718BA 897DD8
mov dword ptr [ebp-28], edi
====>EDX=[ebp-28]=783009226
:004718BD
FFD3 call
ebx
:004718BF 8B4DDC
mov ecx, dword ptr [ebp-24]
====>ECX=[ebp-24]=13572468
试炼码!
:004718C2
8D55D4 lea edx,
dword ptr [ebp-2C]
:004718C5 51
push ecx
:004718C6 52
push edx
:004718C7 E82437FEFF
call 00454FF0
====>算法CALL! 进入!
:004718CC
8BD0 mov
edx, eax
====>EDX=EAX=186232646
注册码!
:004718CE
8D4DD0 lea ecx,
dword ptr [ebp-30]
:004718D1 FFD3
call ebx
:004718D3 50
push eax
*
Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:004718D4 FF15A0104000 Call
dword ptr [004010A0]
====>比较CALL!
:004718DA
8BF0 mov
esi, eax
:004718DC 8D45D0
lea eax, dword ptr [ebp-30]
:004718DF F7DE
neg esi
:004718E1 8D4DDC
lea ecx, dword ptr [ebp-24]
:004718E4
50 push
eax
:004718E5 1BF6
sbb esi, esi
====>爆破点!
:004718E7
8D55D4 lea edx,
dword ptr [ebp-2C]
:004718EA 51
push ecx
:004718EB 46
inc esi
:004718EC 52
push edx
:004718ED
6A03 push
00000003
:004718EF F7DE
neg esi
*
Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:004718F1 FF1538114000 Call
dword ptr [00401138]
:004718F7 8D45C8
lea eax, dword ptr [ebp-38]
:004718FA 8D4DCC
lea ecx, dword ptr [ebp-34]
:004718FD
50 push
eax
:004718FE 51
push ecx
:004718FF 6A02
push 00000002
*
Reference To: MSVBVM60.__vbaFreeObjList, Ord:0000h
|
:00471901 FF152C104000 Call
dword ptr [0040102C]
:00471907 83C41C
add esp, 0000001C
:0047190A 663BF7
cmp si, di
:0047190D 0F847C010000
je 00471A8F
====>跳则OVER!
:00471913
E80828FEFF call 00454120
:00471918
668B1572204800 mov dx, word ptr [00482072]
:0047191F
52 push
edx
:00471920 6A01
push 00000001
:00471922 6880204800
push 00482080
:00471927 687C9F4000
push 00409F7C
*
Reference To: MSVBVM60.__vbaRecDestruct, Ord:0000h
|
:0047192C FF1540104000 Call
dword ptr [00401040]
:00471932 50
push eax
:00471933 6848AF4000
push 0040AF48
*
Reference To: MSVBVM60.__vbaGetOwner4, Ord:0000h
|
:00471938 FF15FC104000 Call
dword ptr [004010FC]
:0047193E 8D8544FFFFFF
lea eax, dword ptr [ebp+FFFFFF44]
:00471944 C705EC204800CA546842
mov dword ptr [004820EC], 426854CA
:0047194E 50
push eax
:0047194F C78544FFFFFF12000000
mov dword ptr [ebp+FFFFFF44], 00000012
:00471959 E8F23AFEFF
call 00455450
:0047195E 8BD0
mov edx, eax
:00471960
8D4DE4 lea ecx,
dword ptr [ebp-1C]
:00471963 FFD3
call ebx
:00471965 8B4DE4
mov ecx, dword ptr [ebp-1C]
:00471968 51
push
ecx
====>下面写注册信息!
* Possible StringData Ref from Code Obj
->"Key02"
|
:00471969 68B8AF4000
push 0040AFB8
*
Possible StringData Ref from Code Obj ->"Section1"
|
:0047196E 68A0AF4000
push 0040AFA0
*
Possible StringData Ref from Code Obj ->"TspyxhtFigmnvfGlqnckt"
|
:00471973 685C9D4000
push 00409D5C
*
Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00471978 FF1508104000 Call
dword ptr [00401008]
:0047197E 8D55E4
lea edx, dword ptr [ebp-1C]
:00471981 52
push edx
:00471982
E8493CFEFF call 004555D0
:00471987
8BD0 mov
edx, eax
:00471989 8D4DDC
lea ecx, dword ptr [ebp-24]
:0047198C FFD3
call ebx
:0047198E 50
push eax
:0047198F
68F0204800 push 004820F0
:00471994
6A12 push
00000012
* Reference
To: MSVBVM60.__vbaLsetFixstr, Ord:0000h
|
:00471996
FF153C104000 Call dword ptr [0040103C]
:0047199C
8D4DDC lea ecx,
dword ptr [ebp-24]
*
Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0047199F FF158C114000 Call
dword ptr [0040118C]
:004719A5 66A172204800
mov ax, word ptr [00482072]
:004719AB 50
push eax
:004719AC 6A01
push 00000001
:004719AE
6880204800 push 00482080
:004719B3
6848AF4000 push 0040AF48
*
Reference To: MSVBVM60.__vbaPutOwner4, Ord:0000h
|
:004719B8 FF15A8104000 Call
dword ptr [004010A8]
:004719BE 668B0D72204800 mov
cx, word ptr [00482072]
:004719C5 51
push ecx
*
Reference To: MSVBVM60.__vbaFileClose, Ord:0000h
|
:004719C6 FF1594104000 Call
dword ptr [00401094]
:004719CC B904000280
mov ecx, 80020004
:004719D1 B80A000000
mov eax, 0000000A
:004719D6 894D90
mov dword ptr [ebp-70], ecx
:004719D9
894DA0 mov dword
ptr [ebp-60], ecx
:004719DC 894DB0
mov dword ptr [ebp-50], ecx
:004719DF 8D9578FFFFFF
lea edx, dword ptr [ebp+FFFFFF78]
:004719E5
8D4DB8 lea ecx,
dword ptr [ebp-48]
:004719E8 894588
mov dword ptr [ebp-78], eax
:004719EB 894598
mov dword ptr [ebp-68], eax
:004719EE
8945A8 mov dword
ptr [ebp-58], eax
:004719F1 C74580C8AF4000 mov
[ebp-80], 0040AFC8
:004719F8 C78578FFFFFF08000000 mov dword ptr
[ebp+FFFFFF78], 00000008
*
Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00471A02 FF1558114000 Call
dword ptr [00401158]
:00471A08 8D5588
lea edx, dword ptr [ebp-78]
:00471A0B 8D4598
lea eax, dword ptr [ebp-68]
:00471A0E
52 push
edx
:00471A0F 8D4DA8
lea ecx, dword ptr [ebp-58]
:00471A12 50
push eax
:00471A13 51
push ecx
:00471A14
8D55B8 lea edx,
dword ptr [ebp-48]
:00471A17 6A40
push 00000040
:00471A19 52
push edx
*
Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00471A1A
FF1560104000 Call dword ptr [00401060]
====>呵呵,胜利女神!
:00471A20
8D4588 lea eax,
dword ptr [ebp-78]
:00471A23 8D4D98
lea ecx, dword ptr [ebp-68]
:00471A26 50
push eax
:00471A27
8D55A8 lea edx,
dword ptr [ebp-58]
:00471A2A 51
push ecx
:00471A2B 8D45B8
lea eax, dword ptr [ebp-48]
:00471A2E 52
push
edx
:00471A2F 50
push eax
:00471A30 6A04
push 00000004
*
Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00471A32 FF1524104000 Call
dword ptr [00401024]
:00471A38 A170294800
mov eax, dword ptr [00482970]
:00471A3D 83C414
add esp, 00000014
:00471A40 3BC7
cmp eax, edi
:00471A42
7510 jne
00471A54
:00471A44 6870294800 push
00482970
:00471A49 68189F4000 push
00409F18
* Reference
To: MSVBVM60.__vbaNew2, Ord:0000h
|
:00471A4E
FF1528114000 Call dword ptr [00401128]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471A42(C)
|
:00471A54
8B4D08 mov ecx,
dword ptr [ebp+08]
:00471A57 8B3570294800
mov esi, dword ptr [00482970]
:00471A5D 8D55CC
lea edx, dword ptr [ebp-34]
:00471A60 51
push
ecx
:00471A61 8B1E
mov ebx, dword ptr [esi]
:00471A63 52
push edx
*
Reference To: MSVBVM60.__vbaObjSetAddref, Ord:0000h
|
:00471A64 FF1570104000 Call
dword ptr [00401070]
:00471A6A 50
push eax
:00471A6B 56
push esi
:00471A6C FF5310
call [ebx+10]
:00471A6F
3BC7 cmp
eax, edi
:00471A71 DBE2
fclex
:00471A73 7D0F
jge 00471A84
:00471A75 6A10
push 00000010
:00471A77 68089F4000
push 00409F08
:00471A7C 56
push
esi
:00471A7D 50
push eax
*
Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00471A7E FF1548104000 Call
dword ptr [00401048]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471A73(C)
|
:00471A84
8D4DCC lea ecx,
dword ptr [ebp-34]
*
Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:00471A87 FF1590114000 Call
dword ptr [00401190]
:00471A8D EB6F
jmp 00471AFE
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047190D(C)
|
:00471A8F
B904000280 mov ecx, 80020004
:00471A94
B80A000000 mov eax, 0000000A
:00471A99
894D90 mov dword
ptr [ebp-70], ecx
:00471A9C 894DA0
mov dword ptr [ebp-60], ecx
:00471A9F 894DB0
mov dword ptr [ebp-50], ecx
:00471AA2
8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:00471AA8
8D4DB8 lea ecx,
dword ptr [ebp-48]
:00471AAB 894588
mov dword ptr [ebp-78], eax
:00471AAE 894598
mov dword ptr [ebp-68], eax
:00471AB1
8945A8 mov dword
ptr [ebp-58], eax
:00471AB4 C74580D8AF4000 mov
[ebp-80], 0040AFD8
:00471ABB C78578FFFFFF08000000 mov dword ptr
[ebp+FFFFFF78], 00000008
*
Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00471AC5 FF1558114000 Call
dword ptr [00401158]
:00471ACB 8D4588
lea eax, dword ptr [ebp-78]
:00471ACE 8D4D98
lea ecx, dword ptr [ebp-68]
:00471AD1
50 push
eax
:00471AD2 8D55A8
lea edx, dword ptr [ebp-58]
:00471AD5 51
push ecx
:00471AD6 52
push edx
:00471AD7
8D45B8 lea eax,
dword ptr [ebp-48]
:00471ADA 6A10
push 00000010
:00471ADC 50
push eax
*
Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00471ADD
FF1560104000 Call dword ptr [00401060]
====>BAD BOY!
—————————————————————————————————
进入算法CALL:004718C7
call 00454FF0
*
Referenced by a CALL at Address:
|:004718C7
|
:00454FF0 55
push ebp
:00454FF1
8BEC mov
ebp, esp
:00454FF3 83EC0C
sub esp, 0000000C
:00454FF6 6806274000
push 00402706
:00454FFB 64A100000000
mov eax, dword ptr fs:[00000000]
:00455001 50
push eax
:00455002
64892500000000 mov dword ptr fs:[00000000],
esp
:00455009 81EC80010000 sub esp,
00000180
:0045500F 53
push ebx
:00455010 56
push esi
:00455011 57
push edi
:00455012
8965F4 mov dword
ptr [ebp-0C], esp
:00455015 C745F838144000 mov
[ebp-08], 00401438
:0045501C 8B7508
mov esi, dword ptr [ebp+08]
*
Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0045501F 8B1D8C104000 mov
ebx, dword ptr [0040108C]
:00455025 8D45B8
lea eax, dword ptr [ebp-48]
:00455028 8D8DF8FEFFFF
lea ecx, dword ptr [ebp+FFFFFEF8]
:0045502E
50 push
eax
:0045502F 6A04
push 00000004
:00455031 8D55A8
lea edx, dword ptr [ebp-58]
:00455034 33FF
xor edi, edi
:00455036
51 push
ecx
:00455037 52
push edx
:00455038 897DDC
mov dword ptr [ebp-24], edi
:0045503B 897DD4
mov dword ptr [ebp-2C], edi
:0045503E
897DD0 mov dword
ptr [ebp-30], edi
:00455041 897DCC
mov dword ptr [ebp-34], edi
:00455044 897DC8
mov dword ptr [ebp-38], edi
:00455047
897DA8 mov dword
ptr [ebp-58], edi
:0045504A 897D98
mov dword ptr [ebp-68], edi
:0045504D 897D88
mov dword ptr [ebp-78], edi
:00455050
89BD78FFFFFF mov dword ptr [ebp+FFFFFF78],
edi
:00455056 89BD68FFFFFF mov dword
ptr [ebp+FFFFFF68], edi
:0045505C 89BD58FFFFFF
mov dword ptr [ebp+FFFFFF58], edi
:00455062 89BD48FFFFFF
mov dword ptr [ebp+FFFFFF48], edi
:00455068
89BD38FFFFFF mov dword ptr [ebp+FFFFFF38],
edi
:0045506E 89BD28FFFFFF mov dword
ptr [ebp+FFFFFF28], edi
:00455074 89BD18FFFFFF
mov dword ptr [ebp+FFFFFF18], edi
:0045507A 89BD08FFFFFF
mov dword ptr [ebp+FFFFFF08], edi
:00455080
89BDE8FEFFFF mov dword ptr [ebp+FFFFFEE8],
edi
:00455086 89BDD8FEFFFF mov dword
ptr [ebp+FFFFFED8], edi
:0045508C 89BDB8FEFFFF
mov dword ptr [ebp+FFFFFEB8], edi
:00455092 89BD98FEFFFF
mov dword ptr [ebp+FFFFFE98], edi
:00455098
89BD88FEFFFF mov dword ptr [ebp+FFFFFE88],
edi
:0045509E 89BD78FEFFFF mov dword
ptr [ebp+FFFFFE78], edi
:004550A4 C745C004000280
mov [ebp-40], 80020004
:004550AB C745B80A000000
mov [ebp-48], 0000000A
:004550B2 89B500FFFFFF
mov dword ptr [ebp+FFFFFF00], esi
:004550B8 C785F8FEFFFF08400000
mov dword ptr [ebp+FFFFFEF8], 00004008
:004550C2 FFD3
call ebx
====>取字符!取用户号783009226的后6位:009226
:004550C4
89B5E0FEFFFF mov dword ptr [ebp+FFFFFEE0],
esi
:004550CA 8D4598
lea eax, dword ptr [ebp-68]
:004550CD BE01000000
mov esi, 00000001
:004550D2 50
push eax
:004550D3 8D8DD8FEFFFF
lea ecx, dword ptr [ebp+FFFFFED8]
:004550D9
56 push
esi
:004550DA 8D5588
lea edx, dword ptr [ebp-78]
:004550DD 51
push ecx
:004550DE 52
push edx
:004550DF
C745A003000000 mov [ebp-60], 00000003
:004550E6
C7459802000000 mov [ebp-68], 00000002
:004550ED
C785D8FEFFFF08400000 mov dword ptr [ebp+FFFFFED8], 00004008
:004550F7
FFD3 call
ebx
====>取字符!取用户号783009226的前3位:783
:004550F9
8D45A8 lea eax,
dword ptr [ebp-58]
:004550FC 8D4D88
lea ecx, dword ptr [ebp-78]
:004550FF 50
push eax
:00455100
8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:00455106
51 push
ecx
:00455107 52
push edx
*
Reference To: MSVBVM60.__vbaVarCat, Ord:0000h
|
:00455108 FF1500114000 Call
dword ptr [00401100]
:0045510E 50
push eax
*
Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:0045510F FF1518104000 Call
dword ptr [00401018]
:00455115 8BD0
mov edx, eax
====>移动前3位到末尾!EDX=EAX=009226783
:00455117 8D4DD4 lea ecx, dword ptr [ebp-2C]
*
Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0045511A FF1570114000 Call
dword ptr [00401170]
:00455120 8D8578FFFFFF
lea eax, dword ptr [ebp+FFFFFF78]
:00455126 8D4D88
lea ecx, dword ptr [ebp-78]
:00455129
50 push
eax
:0045512A 8D55A8
lea edx, dword ptr [ebp-58]
:0045512D 51
push ecx
:0045512E 8D4598
lea eax, dword ptr [ebp-68]
:00455131
52 push
edx
:00455132 8D4DB8
lea ecx, dword ptr [ebp-48]
:00455135 50
push eax
:00455136 51
push ecx
:00455137
6A05 push
00000005
* Reference
To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00455139
FF1524104000 Call dword ptr [00401024]
:0045513F
83C418 add esp,
00000018
:00455142 BA08AB4000 mov
edx, 0040AB08
:00455147 8D4DD0
lea ecx, dword ptr [ebp-30]
*
Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0045514A FF1534114000 Call
dword ptr [00401134]
:00455150 8B55D4
mov edx, dword ptr [ebp-2C]
====>EDX=[ebp-2C]=009226783
:00455153 52 push edx
* Reference To:
MSVBVM60.__vbaLenBstr, Ord:0000h
|
:00455154
FF151C104000 Call dword ptr [0040101C]
====>取009226783长度
:0045515A
8BC8 mov
ecx, eax
====>ECX=EAX=9
*
Reference To: MSVBVM60.__vbaUI1I4, Ord:0000h
|
:0045515C
FF15D4104000 Call dword ptr [004010D4]
:00455162
B902000000 mov ecx, 00000002
:00455167
8885F0FEFFFF mov byte ptr [ebp+FFFFFEF0],
al
:0045516D 898DF8FEFFFF mov dword
ptr [ebp+FFFFFEF8], ecx
:00455173 898DD8FEFFFF
mov dword ptr [ebp+FFFFFED8], ecx
:00455179 8D85F8FEFFFF
lea eax, dword ptr [ebp+FFFFFEF8]
:0045517F
8D8DE8FEFFFF lea ecx, dword ptr [ebp+FFFFFEE8]
:00455185
50 push
eax
:00455186 8D95D8FEFFFF lea edx,
dword ptr [ebp+FFFFFED8]
:0045518C 51
push ecx
:0045518D 8D8578FEFFFF
lea eax, dword ptr [ebp+FFFFFE78]
:00455193 52
push edx
:00455194
8D8D88FEFFFF lea ecx, dword ptr [ebp+FFFFFE88]
:0045519A
50 push
eax
:0045519B 8D55DC
lea edx, dword ptr [ebp-24]
:0045519E 51
push ecx
:0045519F 52
push edx
:004551A0
89B500FFFFFF mov dword ptr [ebp+FFFFFF00],
esi
:004551A6 C785E8FEFFFF11000000 mov dword ptr [ebp+FFFFFEE8],
00000011
:004551B0 89B5E0FEFFFF mov
dword ptr [ebp+FFFFFEE0], esi
* Reference To: MSVBVM60.__vbaVarForInit, Ord:0000h
|
:004551B6 FF1550104000
Call dword ptr [00401050]
*
Reference To: MSVBVM60.__vbaVarMul, Ord:0000h
|
:004551BC 8B35D8104000 mov
esi, dword ptr [004010D8]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455379(U)
|
:004551C2
3BC7 cmp
eax, edi
:004551C4 0F84B4010000 je
0045537E
:004551CA 8D4DB8
lea ecx, dword ptr [ebp-48]
:004551CD 8D55DC
lea edx, dword ptr [ebp-24]
:004551D0
8D45D4 lea eax,
dword ptr [ebp-2C]
:004551D3 51
push ecx
:004551D4 52
push edx
:004551D5 C745C001000000
mov [ebp-40], 00000001
:004551DC C745B802000000
mov [ebp-48], 00000002
:004551E3 898500FFFFFF
mov dword ptr [ebp+FFFFFF00], eax
:004551E9
C785F8FEFFFF08400000 mov dword ptr [ebp+FFFFFEF8], 00004008
*
Reference To: MSVBVM60.__vbaI4Var, Ord:0000h
|
:004551F3
FF154C114000 Call dword ptr [0040114C]
:004551F9
50 push
eax
:004551FA 8D85F8FEFFFF lea eax,
dword ptr [ebp+FFFFFEF8]
:00455200 8D4DA8
lea ecx, dword ptr [ebp-58]
:00455203 50
push eax
:00455204
51 push
ecx
:00455205 FFD3
call ebx
====>依次取变化后的用户号009226783数字
1、 ====>取0
2、 ====>取0
3、 ====>取9
4、 ====>取2
5、 ====>取2
6、 ====>取6
7、 ====>取7
8、 ====>取8
9、 ====>取3
:00455207
8D4598 lea eax,
dword ptr [ebp-68]
:0045520A 8D4DDC
lea ecx, dword ptr [ebp-24]
:0045520D 8D55D4
lea edx, dword ptr [ebp-2C]
:00455210
50 push
eax
:00455211 51
push ecx
:00455212 C745A001000000
mov [ebp-60], 00000001
:00455219 C7459802000000
mov [ebp-68], 00000002
:00455220 8995E0FEFFFF
mov dword ptr [ebp+FFFFFEE0], edx
:00455226 C785D8FEFFFF08400000
mov dword ptr [ebp+FFFFFED8], 00004008
*
Reference To: MSVBVM60.__vbaI4Var, Ord:0000h
|
:00455230
FF154C114000 Call dword ptr [0040114C]
:00455236
50 push
eax
:00455237 8D95D8FEFFFF lea edx,
dword ptr [ebp+FFFFFED8]
:0045523D 8D4588
lea eax, dword ptr [ebp-78]
:00455240 52
push edx
:00455241
50 push
eax
:00455242 FFD3
call ebx
:00455244 8D9568FFFFFF
lea edx, dword ptr [ebp+FFFFFF68]
:0045524A 8D45DC
lea eax, dword ptr [ebp-24]
:0045524D
8D4DD4 lea ecx,
dword ptr [ebp-2C]
:00455250 52
push edx
:00455251 50
push eax
:00455252 C78570FFFFFF01000000
mov dword ptr [ebp+FFFFFF70], 00000001
:0045525C C78568FFFFFF02000000
mov dword ptr [ebp+FFFFFF68], 00000002
:00455266 898DC0FEFFFF
mov dword ptr [ebp+FFFFFEC0], ecx
:0045526C
C785B8FEFFFF08400000 mov dword ptr [ebp+FFFFFEB8], 00004008
*
Reference To: MSVBVM60.__vbaI4Var, Ord:0000h
|
:00455276
FF154C114000 Call dword ptr [0040114C]
:0045527C
8D8DB8FEFFFF lea ecx, dword ptr [ebp+FFFFFEB8]
:00455282
50 push
eax
:00455283 8D9558FFFFFF lea edx,
dword ptr [ebp+FFFFFF58]
:00455289 51
push ecx
:0045528A 52
push edx
:0045528B FFD3
call ebx
:0045528D
8D45A8 lea eax,
dword ptr [ebp-58]
:00455290 8D4D88
lea ecx, dword ptr [ebp-78]
:00455293 50
push eax
:00455294
8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:0045529A
51 push
ecx
:0045529B 52
push edx
:0045529C C785A0FEFFFF0A000000 mov dword
ptr [ebp+FFFFFEA0], 0000000A
:004552A6 C78598FEFFFF02000000 mov
dword ptr [ebp+FFFFFE98], 00000002
:004552B0 FFD6
call esi
====>第一次:求字符值的平方
1、 ====>0.0000000000000000000 * 0.0000000000000000000=0.0000000000000000000
2、 ====>0.0000000000000000000 * 0.0000000000000000000=0.0000000000000000000
3、 ====>9.0000000000000000000 * 9.0000000000000000000=81.000000000000000000
4、 ====>2.0000000000000000000 * 2.0000000000000000000=4.0000000000000000000
5、 ====>2.0000000000000000000 * 2.0000000000000000000=4.0000000000000000000
6、 ====>6.0000000000000000000 * 6.0000000000000000000=36.000000000000000000
7、 ====>7.0000000000000000000 * 7.0000000000000000000=49.000000000000000000
8、 ====>8.0000000000000000000 * 8.0000000000000000000=64.000000000000000000
9、 ====>3.0000000000000000000 * 3.0000000000000000000=9.0000000000000000000
:004552B2
50 push
eax
:004552B3 8D8558FFFFFF lea eax,
dword ptr [ebp+FFFFFF58]
:004552B9 8D8D48FFFFFF
lea ecx, dword ptr [ebp+FFFFFF48]
:004552BF 50
push eax
:004552C0 51
push
ecx
:004552C1 FFD6
call esi
====>第二次:字符值
与 字符值的平方 相乘!
其实这两步求 字符数字
的立方值!
1、 ====>0.0000000000000000000 * 0.0000000000000000000=0.0000000000000000000
2、 ====>0.0000000000000000000 * 0.0000000000000000000=0.0000000000000000000
3、 ====>9.0000000000000000000 * 81.000000000000000000=729.00000000000000000
4、 ====>2.0000000000000000000 * 4.0000000000000000000=8.0000000000000000000
5、 ====>2.0000000000000000000 * 4.0000000000000000000=8.0000000000000000000
6、 ====>6.0000000000000000000 * 36.000000000000000000=216.00000000000000000
7、 ====>7.0000000000000000000 * 49.000000000000000000=343.00000000000000000
8、 ====>8.0000000000000000000 * 64.000000000000000000=512.00000000000000000
9、 ====>3.0000000000000000000 * 9.0000000000000000000=27.000000000000000000
:004552C3
50 push
eax
:004552C4 8D55DC
lea edx, dword ptr [ebp-24]
:004552C7 8D45DC
lea eax, dword ptr [ebp-24]
:004552CA 52
push
edx
:004552CB 8D8D38FFFFFF lea ecx,
dword ptr [ebp+FFFFFF38]
:004552D1 50
push eax
:004552D2 51
push ecx
:004552D3 FFD6
call esi
====>第三次:求循环次数的平方
1、 ====>EAX=1 * 1=1 (H)
2、 ====>EAX=2
* 2=4 (H)
3、 ====>EAX=3 * 3=9 (H)
4、
====>EAX=4 * 4=10(H)
5、 ====>EAX=5 * 5=19(H)
6、 ====>EAX=6 * 6=24(H)
7、
====>EAX=7 * 7=31(H)
8、 ====>EAX=8 * 8=40(H)
9、 ====>EAX=9 * 9=51(H)
:004552D5
50 push
eax
:004552D6 8D55DC
lea edx, dword ptr [ebp-24]
:004552D9 8D8528FFFFFF
lea eax, dword ptr [ebp+FFFFFF28]
:004552DF 52
push edx
:004552E0
50 push
eax
:004552E1 FFD6
call esi
====>第四次:循环次数
和 循环次数的平方值 相乘!
其实这两步求 循环次数
的立方值!
1、
====>EAX=1 * 1 =1 (H)=1 (D)
2、
====>EAX=2 * 4 =8 (H)=8 (D)
3、 ====>EAX=3
* 9 =1B (H)=27 (D)
4、 ====>EAX=4 * 10=40 (H)=64
(D)
5、 ====>EAX=5 * 19=7D (H)=125(D)
6、 ====>EAX=6 * 24=D8 (H)=216(D)
7、
====>EAX=7 * 31=157(H)=343(D)
8、 ====>EAX=8
* 40=200(H)=512(D)
9、 ====>EAX=9 * 51=2D9(H)=729(D)
:004552E3
8D8D18FFFFFF lea ecx, dword ptr [ebp+FFFFFF18]
:004552E9
50 push
eax
:004552EA 51
push ecx
*
Reference To: MSVBVM60.__vbaVarAdd, Ord:0000h
|
:004552EB FF1554114000 Call
dword ptr [00401154]
====>循环次数的立方值
和 字符的立方值 相加!
1、 ====>1.0000000000000000000 + 0.0000000000000000000=1.0000000000000000000
2、 ====>8.0000000000000000000 + 0.0000000000000000000=8.0000000000000000000
3、 ====>729.00000000000000000 + 27.000000000000000000=756.00000000000000000
4、 ====>64.000000000000000000 + 8.0000000000000000000=72.000000000000000000
5、 ====>125.00000000000000000 + 8.0000000000000000000=133.00000000000000000
6、 ====>216.00000000000000000 + 216.00000000000000000=432.00000000000000000
7、 ====>343.00000000000000000 + 343.00000000000000000=686.00000000000000000
8、 ====>512.00000000000000000 + 512.00000000000000000=1024.0000000000000000
9、 ====>729.00000000000000000 + 27.000000000000000000=756.00000000000000000
:004552F1
50 push
eax
:004552F2 8D9598FEFFFF lea edx,
dword ptr [ebp+FFFFFE98]
:004552F8 8D8508FFFFFF
lea eax, dword ptr [ebp+FFFFFF08]
:004552FE 52
push edx
:004552FF 50
push
eax
* Reference To:
MSVBVM60.__vbaVarMod, Ord:0000h
|
:00455300
FF1560114000 Call dword ptr [00401160]
====>上面所得的值的16进制值 与 A 求模
1、 ====>EDX=1
% A=1
2、 ====>EDX=8 % A=8
3、 ====>EDX=2F4 % A=6
4、 ====>EDX=48
% A=2
5、 ====>EDX=85 % A=3
6、 ====>EDX=1B0 % A=2
7、 ====>EDX=2AE
% A=6
8、 ====>EDX=400 % A=4
9、
====>EDX=2F4 % A=6
====>九次循环运算得出:186232646
就是我的注册码了!
:00455306
50 push
eax
* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:00455307 FF1518104000 Call
dword ptr [00401018]
:0045530D 8BD0
mov edx, eax
:0045530F 8D4DC8
lea ecx, dword ptr [ebp-38]
*
Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00455312 FF1570114000 Call
dword ptr [00401170]
:00455318 8D8D18FFFFFF
lea ecx, dword ptr [ebp+FFFFFF18]
:0045531E 8D9558FFFFFF
lea edx, dword ptr [ebp+FFFFFF58]
:00455324 51
push ecx
:00455325
8D8568FFFFFF lea eax, dword ptr [ebp+FFFFFF68]
:0045532B
52 push
edx
:0045532C 8D4D88
lea ecx, dword ptr [ebp-78]
:0045532F 50
push eax
:00455330 8D55A8
lea edx, dword ptr [ebp-58]
:00455333
51 push
ecx
:00455334 8D4598
lea eax, dword ptr [ebp-68]
:00455337 52
push edx
:00455338 8D4DB8
lea ecx, dword ptr [ebp-48]
:0045533B
50 push
eax
:0045533C 51
push ecx
:0045533D 6A07
push 00000007
*
Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0045533F FF1524104000 Call
dword ptr [00401024]
:00455345 8B55D0
mov edx, dword ptr [ebp-30]
:00455348 8B45C8
mov eax, dword ptr [ebp-38]
:0045534B
83C420 add esp,
00000020
:0045534E 52
push edx
:0045534F 50
push eax
*
Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:00455350 FF1538104000 Call
dword ptr [00401038]
:00455356 8BD0
mov edx, eax
最后保存的结果 ====>EDX=EAX=186232646
:00455358 8D4DD0 lea ecx, dword ptr [ebp-30]
*
Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0045535B FF1570114000 Call
dword ptr [00401170]
:00455361 8D8D78FEFFFF
lea ecx, dword ptr [ebp+FFFFFE78]
:00455367 8D9588FEFFFF
lea edx, dword ptr [ebp+FFFFFE88]
:0045536D 51
push ecx
:0045536E
8D45DC lea eax,
dword ptr [ebp-24]
:00455371 52
push edx
:00455372 50
push eax
*
Reference To: MSVBVM60.__vbaVarForNext, Ord:0000h
|
:00455373 FF1584114000 Call
dword ptr [00401184]
:00455379 E944FEFFFF
jmp 004551C2
====>继续循环!共循环用户号位数次!
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004551C4(C)
|
:0045537E
8B55D0 mov edx,
dword ptr [ebp-30]
:00455381 8D4DCC
lea ecx, dword ptr [ebp-34]
*
Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:00455384 FF1534114000 Call
dword ptr [00401134]
:0045538A 682C544500
push 0045542C
:0045538F EB63
jmp 004553F4
:00455391 F645FC04
test [ebp-04], 04
:00455395 7409
je 004553A0
:00455397
8D4DCC lea ecx,
dword ptr [ebp-34]
*
Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0045539A FF158C114000 Call
dword ptr [0040118C]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455395(C)
|
:004553A0
8D8D08FFFFFF lea ecx, dword ptr [ebp+FFFFFF08]
:004553A6
8D9518FFFFFF lea edx, dword ptr [ebp+FFFFFF18]
:004553AC
51 push
ecx
:004553AD 8D8528FFFFFF lea eax,
dword ptr [ebp+FFFFFF28]
:004553B3 52
push edx
:004553B4 8D8D38FFFFFF
lea ecx, dword ptr [ebp+FFFFFF38]
:004553BA 50
push eax
:004553BB
8D9548FFFFFF lea edx, dword ptr [ebp+FFFFFF48]
:004553C1
51 push
ecx
:004553C2 8D8558FFFFFF lea eax,
dword ptr [ebp+FFFFFF58]
:004553C8 52
push edx
:004553C9 8D8D68FFFFFF
lea ecx, dword ptr [ebp+FFFFFF68]
:004553CF 50
push eax
:004553D0
8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:004553D6
51 push
ecx
:004553D7 8D4588
lea eax, dword ptr [ebp-78]
:004553DA 52
push edx
:004553DB 8D4D98
lea ecx, dword ptr [ebp-68]
:004553DE
50 push
eax
:004553DF 8D55A8
lea edx, dword ptr [ebp-58]
:004553E2 51
push ecx
:004553E3 8D45B8
lea eax, dword ptr [ebp-48]
:004553E6
52 push
edx
:004553E7 50
push eax
:004553E8 6A0C
push 0000000C
*
Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:004553EA FF1524104000 Call
dword ptr [00401024]
:004553F0 83C434
add esp, 00000034
:004553F3 C3
ret
—————————————————————————————————
【算
法 总 结】:
其实分析完了也就知道这个程序并不复杂,虽然用了浮点运算,好象没多大作用?算法如下:
一、取用户号,将前3位换到最后。如783009226 ->009226783
二、依次取变化后的用户号的数字,求其立方值
三、依次求循环次数的立方值
四、两者依次相加
五、相加之和 依次 与A求模!每次求模的结果就是注册码了!
—————————————————————————————————
【完 美 爆 破】:
004718E5 1BF6
sbb esi, esi
改为: 33F6
xor esi, esi
—————————————————————————————————
【KeyMake之{54th}内存注册机】:
中断地址:4718CC
中断次数:1
第一字节:8B
指令长度:2
内存方式:EAX
宽字符串
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\Software\VB
and VBA Program Settings\TspyxhtFigmnvfGlqnckt\Section1]
"Key01"="7\"$,6/6\""
"Key02"="2'\r.18"
[HKEY_CURRENT_USER\Software\VB
and VBA Program Settings\TspyxhtFigmnvfGlqnckt\Section2]
"Key01"="247"
"Key02"="钞己由化"
—————————————————————————————————
【整 理】:
用户号:783009226
注册码:186232646
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-4-12 16:06