英语会话精灵V1.0
上次贴出的英语会话精灵V2.0版是用Delphi编写的,而1.0版是用VB编写的,希望能让大家对跟踪VB程序有所体会。
工具:W32Dasm,ollydbg1.09
因为程序会把信息写入注册表,所以在W32Dasm中查找字符串“regist”和“software\TopBar”。“regist”只出现两处,分别从这两处向上查看是否有条件跳转语句,最终在“0043CD93 . 0F84 53040000 JE TopBar.0043D1EC”处找到关键跳转。
或在msvb6中以rtcStrFromVar
; OllyDbg disassembly excerpt from TopBar (imports come from the VB6 runtime
; MSVBVM60), covering 0043CC8B-0043CDB3. The excerpt starts and ends in the
; middle of a routine: EBX, ESI and EDI are already set up before the first
; line shown. Long lines are wrapped by the page extraction, so one
; instruction may span two or three text lines.
; Flow visible here: load the entered code, load the machine code, derive the
; expected code from it, compare the two with __vbaVarTstEq, branch on the result.
; NOTE(review): the expected code is computed on the client from the machine
; code and constants stored in the binary, then compared in plaintext, so the
; check holds no secret -- that design choice is the weakness this page shows.
0043CC8B
. 8B53 34 MOV EDX,DWORD PTR DS:[EBX+34]
; entered registration code (654321 in the author's session) -> EDX
0043CC8E . 8B03
MOV EAX,DWORD PTR DS:[EBX]
0043CC90 . 53
PUSH EBX
; [EBP-A8] = entered code and [EBP-B0] = 8008: presumably a Variant (type
; word, data 8 bytes later); [EBP-B0] is passed to __vbaVarTstEq further down
0043CC91 . 8995 58FFFFFF MOV DWORD
PTR SS:[EBP-A8],EDX
0043CC97 . C785 50FFFFFF>MOV DWORD PTR
SS:[EBP-B0],8008
0043CCA1 . FF90 18030000 CALL DWORD PTR DS:[EAX+318]
0043CCA7
. 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0043CCAA
. 50 PUSH EAX
0043CCAB
. 51 PUSH ECX
0043CCAC
. FFD6 CALL ESI
0043CCAE
. 8BD8 MOV EBX,EAX
0043CCB0
. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0043CCB3
. 50 PUSH EAX
0043CCB4
. 53 PUSH EBX
0043CCB5
. 8B13 MOV EDX,DWORD PTR DS:[EBX]
0043CCB7
. FF52 50 CALL DWORD PTR DS:[EDX+50]
; a negative return value in EAX is handed to __vbaHresultCheckObj below
0043CCBA
. 85C0 TEST EAX,EAX
0043CCBC
. DBE2 FCLEX
0043CCBE
. 7D 0F JGE SHORT TopBar.0043CCCF
0043CCC0
. 6A 50 PUSH 50
0043CCC2 .
68 68804000 PUSH TopBar.00408068
0043CCC7 . 53
PUSH EBX
0043CCC8 . 50
PUSH EAX
0043CCC9 . FF15 40104000
CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0043CCCF
> 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
; machine code -> EAX
0043CCD2 . 8B1D 70104000 MOV DWORD
PTR DS:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
0043CCD8
. 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0043CCDB
. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0043CCDE
. 51 PUSH ECX
0043CCDF
. 52 PUSH EDX
; [EBP-40] = 8 and [EBP-38] = the machine-code string: the argument block
; for rtcTrimVar (presumably a string Variant -- confirm)
0043CCE0
. C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
0043CCE7
. 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
0043CCEA
. C745 C0 08000>MOV DWORD PTR SS:[EBP-40],8
0043CCF1
. FFD3 CALL EBX
; <&MSVBVM60.#520>
0043CCF3 . 8D45 B0
LEA EAX,DWORD PTR SS:[EBP-50]
0043CCF6 . 8D4D D4
LEA ECX,DWORD PTR SS:[EBP-2C]
0043CCF9 . 50
PUSH EAX
0043CCFA . 51
PUSH ECX
0043CCFB . FF15
DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0043CD01
. 50 PUSH EAX
0043CD02
. FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.#581>]
; MSVBVM60.rtcR8ValFromBstr
; the numeric value is multiplied by the double stored at 4013A8 (its value
; is not shown in this excerpt)
0043CD08 . DC0D A8134000
FMUL QWORD PTR DS:[4013A8]
; FPU status check: any flagged bit branches to 0043D2E5 (presumably the
; runtime's floating-point error path)
0043CD0E . DFE0
FSTSW AX
0043CD10 . A8 0D
TEST AL,0D
0043CD12 . 0F85 CD050000 JNZ TopBar.0043D2E5
0043CD18
. FF15 60114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFPInt>;
MSVBVM60.__vbaFPInt
; the double stored at 4013A0 is added; the sum is stored at [EBP-58] with
; 5 written at [EBP-60] (presumably a Variant of type double)
0043CD1E . DC05 A0134000 FADD QWORD
PTR DS:[4013A0]
0043CD24 . 8D55 A0 LEA EDX,DWORD
PTR SS:[EBP-60]
0043CD27 . C745 A0 05000>MOV DWORD PTR SS:[EBP-60],5
0043CD2E
. 52 PUSH EDX
0043CD2F
. DD5D A8 FSTP QWORD PTR SS:[EBP-58]
0043CD32
. DFE0 FSTSW AX
0043CD34
. A8 0D TEST AL,0D
0043CD36 . 0F85
A9050000 JNZ TopBar.0043D2E5
0043CD3C . 8D45 90
LEA EAX,DWORD PTR SS:[EBP-70]
0043CD3F . 50
PUSH EAX
----------------------------------------------------------------
0043CD40
. FF15 2C114000 CALL DWORD PTR DS:[<&MSVBVM60.#613>]
; MSVBVM60.rtcVarStrFromVar -- generates the registration code
0043CD46 . 8D4D
90 LEA ECX,DWORD PTR SS:[EBP-70]
0043CD49 . 8D55
80 LEA EDX,DWORD PTR SS:[EBP-80]
0043CD4C . 51
PUSH ECX
0043CD4D . 52
PUSH EDX
; EBX still holds rtcTrimVar (loaded at 0043CCD2): the generated string at
; [EBP-70] is trimmed, with [EBP-80] passed as the second argument
0043CD4E . FFD3
CALL EBX
0043CD50 . 8D85 50FFFFFF
LEA EAX,DWORD PTR SS:[EBP-B0]
0043CD56 . 8D4D 80
LEA ECX,DWORD PTR SS:[EBP-80]
0043CD59 . 50
PUSH EAX
0043CD5A . 51
PUSH ECX
; plaintext equality test between [EBP-80] (generated code) and [EBP-B0]
; (the block that received the entered code at 0043CC91)
0043CD5B . FF15 94104000 CALL
DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
0043CD61
. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0043CD64
. 8BD8 MOV EBX,EAX================>成功标志,入ebx
; author's annotation on the line above: the success flag (the comparison
; result) is saved in EBX so it survives the cleanup calls that follow
0043CD66
. FF15 6C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStr
0043CD6C . 8D4D D0
LEA ECX,DWORD PTR SS:[EBP-30]
0043CD6F . FFD7
CALL EDI
; the five temporaries at EBP-80/-70/-60/-50/-40 are released in one call
0043CD71 . 8D55 80
LEA EDX,DWORD PTR SS:[EBP-80]
0043CD74 . 8D45 90
LEA EAX,DWORD PTR SS:[EBP-70]
0043CD77 . 52
PUSH EDX
0043CD78 . 8D4D A0
LEA ECX,DWORD PTR SS:[EBP-60]
0043CD7B . 50
PUSH EAX
0043CD7C . 8D55 B0
LEA EDX,DWORD PTR SS:[EBP-50]
0043CD7F . 51
PUSH ECX
0043CD80 . 8D45
C0 LEA EAX,DWORD PTR SS:[EBP-40]
0043CD83 . 52
PUSH EDX
0043CD84 . 50
PUSH EAX
0043CD85 . 6A
05 PUSH 5
0043CD87 . FF15 20104000
CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0043CD8D
. 83C4 18 ADD ESP,18
; the saved comparison result decides the branch: zero jumps to 0043D1EC,
; non-zero falls through to the code that loads "regist" and "software\TopBar"
0043CD90 . 66:85DB
TEST BX,BX
0043CD93 . 0F84 53040000 JE TopBar.0043D1EC=============>关键跳
; author's annotation on the line above: this is the key jump
0043CD99
. 8B1D 00114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;
MSVBVM60.__vbaStrCopy
0043CD9F . BA 34834000 MOV
EDX,TopBar.00408334 ;
UNICODE "regist"
0043CDA4 . 8D4D D4
LEA ECX,DWORD PTR SS:[EBP-2C]
0043CDA7 . C785 2CFFFFFF>MOV
DWORD PTR SS:[EBP-D4],-1
0043CDB1 . FFD3
CALL EBX
; <&MSVBVM60.__vbaStrCopy>
0043CDB3
. BA C0804000 MOV EDX,TopBar.004080C0
; UNICODE "software\TopBar"
6A3639CD
E8 74FEFFFF CALL MSVBVM60.rtcStrFromVar
执行过这一行后,在堆栈(stack)中可以看到注册码。
我的为:0012F600
0014894C UNICODE " 62176836"
小结:程序在本机由机器码算出正确的注册码,再用__vbaVarTstEq与输入值作明文比较,所以正确的注册码会以明文留在堆栈中;这种完全在客户端完成的校验正是本例的弱点所在。
整理:
用户编号:35419428
注册码:62176836