OllyDbg and WKTVBDE: 瑞文图文书酷
XP V1.02.602 (P-Code)
Download page: http://www.skycn.com/soft/7882.html
File size: 3420 KB
Language: Simplified Chinese
Category: Domestic software / Shareware / Document management
Platform: Win9x/NT/2000/XP
Added: 2003-06-15 16:45:47
Downloads: 4780
Rating: ****
Developer: http://realwind.yeah.net/
【Description】: Welcome to 瑞文图文书酷 (hereafter 瑞文书酷). We hope this guide helps you use the software proficiently and that it aids your study and work. 瑞文书酷 is a management tool that combines data collection, file organisation and book reading in one; it is the best solution for personal data management. The interface is friendly, performance is excellent, and its novel, practical features are in no way inferior to other products of its kind. The latest version lets you save a web page straight to your private library after opening it: whatever you want to keep, just open the page inside 瑞文书酷 and press Save. 1. Supports management of multiple library lists, convenient and fast. 2. Supports plain text, RTF and HTML; the new "picture-and-text web page" mode saves images, music, Flash and more from a web page. 3. BIG5/GB code conversion. 4. Private library passwords, bookmark management, document editing and printing. 5. Users can create their own private libraries. 6. Library data compression. 7. Email forwarding. 8. Drag external files into a library and drag any node. "瑞文图文书酷" will become your expert at collecting articles and web pages!
【Restrictions】: 15-day trial, nag screen, feature limits
【Author's note】: I'm a beginner at cracking, just interested, with no other purpose. Please point out any mistakes!
【Tools】: OllyDbg 1.09, WKTVBDebugger, FI 2.5, ExDec
—————————————————————————————————
【Process】:
sroom.exe is not packed. VB 6.0, P-Code.
Feature code: 21100629
Trial serial: 13572468
—————————————————————————————————
Breakpoint to use: MSVBVM60.rtcR8ValFromBstr
1. Fetching the program's feature code
7348E60D FF37 PUSH DWORD PTR DS:[EDI]
7348E60F 8907 MOV DWORD PTR DS:[EDI],EAX
====> EAX=21100629, the feature code
7348E611 E8 895FF1FF CALL <JMP.&OLEAUT32.#6>
7348E616 33C0 XOR EAX,EAX
7348E618 8A06 MOV AL,BYTE PTR DS:[ESI]
7348E61A 46 INC ESI
7348E61B FF2485 58EA4873 JMP DWORD PTR DS:[EAX*4+7348EA58]
—————————————————————————————————
2. Concatenate "&H" with the feature code. I don't know what that means…
7348E996 E8 5067F2FF CALL MSVBVM60.__vbaStrCat
7348E99B 50 PUSH EAX
====> EAX=&H21100629
7348E99C 33C0 XOR EAX,EAX
7348E99E 8A06 MOV AL,BYTE PTR DS:[ESI]
7348E9A0 46 INC ESI
7348E9A1 FF2485 58EA4873 JMP DWORD PTR DS:[EAX*4+7348EA58]
—————————————————————————————————
3. Take the decimal value 554698281 of feature code 21100629 and convert it to a floating-point number!
7346C8A7 66:8901 MOV WORD PTR DS:[ECX],AX
7346C8AA 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
7346C8AD 6A 05 PUSH 5
7346C8AF 50 PUSH EAX
7346C8B0 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
7346C8B3 66:C745 F0 0800 MOV WORD PTR SS:[EBP-10],8
7346C8B9 E8 2C030000 CALL MSVBVM60.7346CBEA
7346C8BE 57 PUSH EDI
7346C8BF 8BF0 MOV ESI,EAX
7346C8C1 FF15 E0193973 CALL DWORD PTR DS:[<&OLEAUT32.#6>] ;OLEAUT32.SysFreeString
7346C8C7 85F6 TEST ESI,ESI
7346C8C9 7D 08 JGE SHORT MSVBVM60.7346C8D3
7346C8CB 6A 00 PUSH 0
7346C8CD 56 PUSH ESI
7346C8CE E8 000AF4FF CALL MSVBVM60.733AD2D3
7346C8D3 DD45 F8 FLD QWORD PTR SS:[EBP-8]
====> [EBP-8]=554698281.00000000000
7346C8D6 5F POP EDI
7346C8D7 ^ EB 8E JMP SHORT MSVBVM60.7346C867
—————————————————————————————————
4. Fetch a fixed constant built into the program: 848832767
73493E31 0FBF06 MOVSX EAX,WORD PTR DS:[ESI]
73493E34 DD0428 FLD QWORD PTR DS:[EAX+EBP]
====> [EAX+EBP]=848832767.0000000
73493E37 33C0 XOR EAX,EAX
73493E39 8A46 02 MOV AL,BYTE PTR DS:[ESI+2]
73493E3C 83C6 03 ADD ESI,3
73493E3F FF2485 58EA4873 JMP DWORD PTR DS:[EAX*4+7348EA58]
—————————————————————————————————
5. Add them!
734951D9 DEC1 FADDP ST(1),ST
====> ST=554698281.00000000000+848832767.00000000000=1403531048.0000000000
734951DB 33C0 XOR EAX,EAX
734951DD 8A06 MOV AL,BYTE PTR DS:[ESI]
734951DF 46 INC ESI
734951E0 FF2485 58EA4873 JMP DWORD PTR DS:[EAX*4+7348EA58]
—————————————————————————————————
6. Call MSVBVM60.rtcHexVarFromVar to get the hex value of 1403531048
7347582D > 55 PUSH EBP
7347582E 8BEC MOV EBP,ESP
73475830 83EC 10 SUB ESP,10
73475833 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
73475836 56 PUSH ESI
73475837 57 PUSH EDI
73475838 66:8338 01 CMP WORD PTR DS:[EAX],1
7347583C 74 21 JE SHORT MSVBVM60.7347585F
7347583E 50 PUSH EAX
7347583F E8 BB7AF4FF CALL MSVBVM60.rtcHexBstrFromVar
73475844 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
====> [EBP-8]=53A82F28(H)=1403531048(D)
73475847 66:C745 F0 0800 MOV WORD PTR SS:[EBP-10],8
7347584D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
73475850 8D75 F0 LEA ESI,DWORD PTR SS:[EBP-10]
73475853 8BF8 MOV EDI,EAX
73475855 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
73475856 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
73475857 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
73475858 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
73475859 5F POP EDI
7347585A 5E POP ESI
7347585B C9 LEAVE
7347585C C2 0800 RETN 8
—————————————————————————————————
7. Then OLEAUT32.VarBstrCmp is called to do a plaintext comparison! ^O^ ^O^
7348E97B 6A 00 PUSH 0
7348E97D BB 26EA4873 MOV EBX,MSVBVM60.7348EA26
7348E982 E8 90160000 CALL MSVBVM60.73490017
====> The comparison CALL!
7348E987 FF3483 PUSH DWORD PTR DS:[EBX+EAX*4]
7348E98A 33C0 XOR EAX,EAX
7348E98C 8A06 MOV AL,BYTE PTR DS:[ESI]
7348E98E 46 INC ESI
7348E98F FF2485 58EA4873 JMP DWORD PTR DS:[EAX*4+7348EA58]
——————————————————————
Inside the comparison CALL: 7348E982 CALL MSVBVM60.73490017
7716C2BF > 55 PUSH EBP
7716C2C0 8BEC MOV EBP,ESP
7716C2C2 83EC 18 SUB ESP,18
7716C2C5 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
7716C2C8 50 PUSH EAX
====> EAX=53A82F28, the registration code!
7716C2C9 E8 09CDFFFF CALL OLEAUT32.77168FD7
7716C2CE 83C4 04 ADD ESP,4
7716C2D1 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
7716C2D4 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
7716C2D7 51 PUSH ECX
====> EAX=13572468, the trial serial!
7716C2D8 E8 FACCFFFF CALL OLEAUT32.77168FD7
7716C2DD 83C4 04 ADD ESP,4
7716C2E0 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
7716C2E3 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
7716C2E6 3B55 F4 CMP EDX,DWORD PTR SS:[EBP-C]
7716C2E9 73 08 JNB SHORT OLEAUT32.7716C2F3
7716C2EB 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
7716C2EE 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
7716C2F1 EB 06 JMP SHORT OLEAUT32.7716C2F9
7716C2F3 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
7716C2F6 894D E8 MOV DWORD PTR SS:[EBP-18],ECX
7716C2F9 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
7716C2FC 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
7716C2FF 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
... (omitted) ...
—————————————————————————————————
8. The final outcome: success or failure! ^O^
7347218D E8 8DBDF9FF CALL MSVBVM60.7340DF1F
====> BAD BOY!
====> Heh, goddess of victory!
★★★★★★★★★☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆★★★★★★★★★
Alright, the OllyDbg trace is finished! This simple target is a good chance to learn WKTVBDebugger!
★★★★★★★★★☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆★★★★★★★★★
First decompile the main program with ExDec so the code is easy to read and copy. Then load the program in WKTVBDebugger and enter the trial serial. From the debugging above we already know a useful breakpoint, MSVBVM60.rtcR8ValFromBstr, so press CTRL+B and set a breakpoint on the API rtcR8ValFromBstr. Go back to the program, click "Register", and bang: it breaks! Many of the instructions I don't understand, so I could only look and guess as I went…
—————————————————————————————————
4B66C8: 04 FLdRfVar local_008C
4B66CB: f4 LitI2_Byte: 0xff -1 (.)
4B66CD: 2b PopTmpLdAd2
4B66D0: f5 LitI4: 0x1 1 (....)
4B66D5: 59 PopTmpLdAdStr local_0088
4B66D8: 08 FLdPr local_param_0008
4B66DB: 06 MemLdRfVar local_param_0034
4B66DE: 24 NewIfNullPr 4104d0 (Win32API)
4B66E1: 0d VCallHresult put_FONTSIZEform
4B66E6: f5 LitI4: 0x329828ff 848832767 (2.(.)
====> Heh, look what this is: 848832767 ^O^ ^O^
4B66EB: Lead0/fe CStrI4
4B66ED: 23 FStStrNoPop local_00AC
4B66F0: 0a ImpAdCallFPR4:
====> Breaks here! Look at the stack at 5A57A0: it is exactly the program's fixed constant
4B66F5: 74 FStFPR8 local_0118
4B66F8: 1b LitStr: &H
4B66FB: 21 FLdPrThis
4B66FC: 0f VCallAd (object 6 )
4B66FF: 19 FStAdFunc local_0090
4B6702: 08 FLdPr local_0090
4B6705: 61 LateIdLdVar
4B670C: 60 CStrVarTmp
4B670D: 23 FStStrNoPop local_00A4
====> 21100629, heh, the feature code!
4B6710: 2a ConcatStr
====> Concatenate &H and the feature code
4B6711: 23 FStStrNoPop local_00A8
====> &H21100629
4B6714: 0a ImpAdCallFPR4:
4B6719: 6f FLdFPR8 local_0118
4B671C: ab AddR8
====> This should be the addition!
4B671D: Lead2/6b CVarR8
4B6721: 04 FLdRfVar local_00DC
4B6724: 0a ImpAdCallFPR4:
====> Take the hex value of the sum
4B6729: 04 FLdRfVar local_00DC
4B672C: 21 FLdPrThis
4B672D: 0f VCallAd (object 9 )
4B6730: 19 FStAdFunc local_00E0
4B6733: 08 FLdPr local_00E0
4B6736: 61 LateIdLdVar
====> Fetch the trial serial
4B673D: 60 CStrVarTmp
4B673E: 46 CVarStr local_0100
====> 13572468, the trial serial!
4B6741: 5d HardType
4B6742: Lead0/40 NeVarBool
====> Is this the check?
4B6744: 32 FFreeStr
4B674D: 29 FFreeAd:
4B6754: 36 FFreeVar
4B6761: 1c BranchF: 4B67B6
====> The key jump! If it doesn't jump, it's OVER!
4B6764: Lead1/67 LitVar_Empty
4B6768: 60 CStrVarTmp
4B6769: 46 CVarStr local_00A0
4B676C: 25 PopAdLdVar
4B676D: 21 FLdPrThis
4B676E: 0f VCallAd (object 9 )
4B6771: 19 FStAdFunc local_0090
4B6774: 08 FLdPr local_0090
4B6777: 2c LateIdSt
4B677C: 1a FFree1Ad local_0090
4B677F: 35 FFree1Var local_00A0
4B6782: 27 LitVar_Missing
4B6785: 27 LitVar_Missing
4B6788: 3a LitVarStr: ( local_0128 ) '注册失败'
4B678D: 4e FStVarCopyObj local_00CC
4B6790: 04 FLdRfVar local_00CC
4B6793: f5 LitI4: 0x30 48 (...0)
4B6798: 3a LitVarStr: ( local_00BC ) '注册码有误,请检查注册码!'
====> BAD BOY!
... (omitted) ...
====> Below, the registration information is saved!
4B67E6: 1b LitStr: Current PC Name
4B67E9: 1b LitStr: Register Information
4B67EC: 6c ILdRf local_00A4
4B67EF: 1b LitStr: \Register.ini
4B67F2: 2a ConcatStr
4B67F3: Lead2/59 PopTmpLdAdStr local_00AC
4B67F7: 08 FLdPr local_param_0008
4B67FA: 06 MemLdRfVar local_param_0034
4B67FD: 24 NewIfNullPr 4104d0 (Win32API)
4B6800: 0d VCallHresult get_FONTNAMEform
4B6805: 32 FFreeStr
4B680E: 1a FFree1Ad local_0090
4B6811: 04 FLdRfVar local_00A4
4B6814: 04 FLdRfVar local_0090
4B6817: 05 ImpAdLdRf: 4e75f8
4B681A: 24 NewIfNullPr 427ff4
4B681D: 0d VCallHresult CVBApplication::get_App
4B6822: 08 FLdPr local_0090
4B6825: 0d VCallHresult CVBApplication::ge90$?(id
4B682A: 21 FLdPrThis
4B682B: 0f VCallAd (object 6 )
4B682E: 19 FStAdFunc local_00E0
4B6831: 08 FLdPr local_00E0
4B6834: 61 LateIdLdVar
4B683B: Lead1/8b PopAd
4B683D: 04 FLdRfVar local_008A
4B6840: 04 FLdRfVar local_00A0
4B6843: 60 CStrVarTmp
4B6844: 23 FStStrNoPop local_00AC
4B6847: 1b LitStr: Current ID
4B684A: 1b LitStr: Register Information
4B684D: 6c ILdRf local_00A4
4B6850: 1b LitStr: \Register.ini
4B6853: 2a ConcatStr
4B6854: Lead2/59 PopTmpLdAdStr local_00A8
4B6858: 08 FLdPr local_param_0008
4B685B: 06 MemLdRfVar local_param_0034
4B685E: 24 NewIfNullPr 4104d0 (Win32API)
4B6861: 0d VCallHresult get_FONTNAMEform
4B6866: 32 FFreeStr
4B686F: 29 FFreeAd:
4B6876: 35 FFree1Var local_00A0
4B6879: 04 FLdRfVar local_00A4
4B687C: 04 FLdRfVar local_0090
4B687F: 05 ImpAdLdRf: 4e75f8
4B6882: 24 NewIfNullPr 427ff4
4B6885: 0d VCallHresult CVBApplication::get_App
4B688A: 08 FLdPr local_0090
4B688D: 0d VCallHresult CVBApplication::ge90$?(id
4B6892: 21 FLdPrThis
4B6893: 0f VCallAd (object 9 )
4B6896: 19 FStAdFunc local_00E0
4B6899: 08 FLdPr local_00E0
4B689C: 61 LateIdLdVar
4B68A3: Lead1/8b PopAd
4B68A5: 04 FLdRfVar local_008A
4B68A8: 04 FLdRfVar local_00A0
4B68AB: 60 CStrVarTmp
4B68AC: 23 FStStrNoPop local_00AC
4B68AF: 1b LitStr: Current REGKEY
4B68B2: 1b LitStr: Register Information
4B68B5: 6c ILdRf local_00A4
4B68B8: 1b LitStr: \Register.ini
4B68BB: 2a ConcatStr
... (omitted) ...
4B69C2: 3a LitVarStr: ( local_0128 ) '完成'
4B69C7: 4e FStVarCopyObj local_00CC
4B69CA: 04 FLdRfVar local_00CC
4B69CD: f5 LitI4: 0x40 64 (...@)
4B69D2: 3a LitVarStr: ( local_00BC ) '注册成功。感谢您的支持!'
====> Heh, goddess of victory!
4B69D7: 4e FStVarCopyObj local_00A0
4B69DA: 04 FLdRfVar local_00A0
4B69DD: 0a ImpAdCallFPR4:
—————————————————————————————————
【Algorithm Summary】:
Ah, I hope WKTVBDE, this great P-Code analysis tool, becomes more user-friendly. I look forward to some expert compiling the meanings of the common P-Code instructions!
Is such a simple one-step addition even worth writing up? Some of you may scoff. Indeed, the result is very simple and the process isn't complicated, but P-Code is a little more troublesome to analyse, and practice makes us more familiar with this compilation mode. So I wrote it up anyway, hoping to give beginners like me a small hint. ^?^ ^v^
Registration code = feature code 21100629 + 329828FF = 53A82F28
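Putting steps 2 to 7 of the trace together, here is an added Python model of the check, beside a redesign in which the client holds nothing from which codes could be derived. This is my example, not the program's or the author's code. "&H" is Visual Basic's hexadecimal-literal prefix, so the Val() call in steps 2 and 3 simply parses the feature code as hex (21100629 hex is 554698281 decimal); the sum is then formatted by Hex(), which prints uppercase, and NeVarBool compares the two strings byte for byte under VB's default Option Compare Binary. The function names, the deliberately small RSA key built from two Mersenne primes, and every value other than the page's 21100629, 13572468, 53A82F28 and 848832767 are constructed for the example.

```python
"""Model of the traced registration check and an asymmetric alternative.

Added example; not code from the program or from the original write-up.
"""
import hashlib

# The literal pushed at 4B66E6 in the P-Code listing (0x329828FF).
VB_CONSTANT = 848832767


def vb_val_hex(text: str) -> int:
    """Approximate VB's Val() on an "&H"-prefixed string: take the hex digits
    after the prefix and stop at the first character that is not one."""
    if text[:2].upper() != "&H":
        raise ValueError("expected an &H-prefixed string")
    digits = ""
    for ch in text[2:]:
        if ch in "0123456789abcdefABCDEF":
            digits += ch
        else:
            break
    return int(digits, 16) if digits else 0


def expected_code(feature_code: str) -> str:
    """Steps 2-6 of the trace: Hex(Val("&H" & feature) + 848832767).
    The addition happens on doubles (AddR8); Hex() prints uppercase."""
    total = float(vb_val_hex("&H" + feature_code)) + float(VB_CONSTANT)
    return format(int(total), "X")


def weak_check(feature_code: str, entered: str) -> bool:
    """Step 7 / NeVarBool: a byte-for-byte string comparison, so case matters."""
    return expected_code(feature_code) == entered


# --- Asymmetric alternative (constructed, illustrative parameters) -----------
# Toy RSA key from two Mersenne primes (~150-bit modulus) so the block runs on
# the standard library alone.  It shows the structure, not production sizes.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
PUBLIC_N = _P * _Q                                   # shipped inside the client
PUBLIC_E = 65537                                     # shipped inside the client
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))  # vendor-only


def _digest_int(feature_code: str) -> int:
    """128-bit SHA-256 prefix of the feature code, always below PUBLIC_N."""
    return int.from_bytes(hashlib.sha256(feature_code.encode()).digest()[:16], "big")


def vendor_issue(feature_code: str) -> str:
    """Vendor side: sign the feature code; the signature is the registration code."""
    return format(pow(_digest_int(feature_code), _PRIVATE_D, PUBLIC_N), "X")


def client_verify(feature_code: str, entered: str) -> bool:
    """Client side: needs only the public half, so reading the binary reveals
    no constant that turns a feature code into a registration code."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < PUBLIC_N:
        return False
    return pow(sig, PUBLIC_E, PUBLIC_N) == _digest_int(feature_code)


if __name__ == "__main__":
    page_id, page_trial = "21100629", "13572468"   # values from the write-up
    print("weak scheme expects:", expected_code(page_id))
    print("trial serial accepted by weak check:", weak_check(page_id, page_trial))
    code = vendor_issue(page_id)
    print("asymmetric code", code, "verifies:", client_verify(page_id, code))
```

The only secret of the original scheme is the constant 848832767 stored in the binary, so anyone who reads it out, as the trace above does, can reproduce the check; the case-sensitive comparison is also why a lowercase keygen result would not match. In the asymmetric version the client carries only PUBLIC_N and PUBLIC_E, and the private exponent never leaves the vendor. The branch that consumes the verdict (BranchF at 4B6761 above) remains a single decision point inside the client that no code check by itself can protect. The toy 150-bit key and unpadded hash are for illustration; a product would use a vetted library and a standard signature scheme such as Ed25519.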
—————————————————————————————————
【C++ KeyGen】:
#include <iostream>
#include <cstdint>
using namespace std;

int main()
{
    // Feature code m and registration code s, kept as 32-bit values
    // like the Long values the VB program works with
    uint32_t m, s;
    cout << "\n\n★★★★瑞文图文书酷 XP V1.02.602 KeyGen{15th}★★★★\n\n\n\n";
    cout << "请输入特征码:";
    cin >> hex >> m;            // the feature code is read as hexadecimal
    s = m + 0x329828FF;         // add the program's fixed constant 848832767
    cout << "\n呵呵,注册码:" << hex << s << endl;
    cout << "\n\n\nCracked By 巢水工作坊——fly [OCN][FCG] 2003-06-19 05:00 COMPILE";
    cout << "\n\n\n * * * 按回车退出!* * *";
    cin.get(); cin.get();       // swallow the pending newline, then wait for Enter
    return 0;
}
// Heh, sorry, the output letters are lowercase ~Q~ ~Q~
—————————————————————————————————
【Saved registration information】:
In the Register.ini file in the same directory:
[Register Information]
Current PC Name=FLY
Current ID=21100629
Current REGKEY=53A82F28
—————————————————————————————————
【Summary】:
Feature code: 21100629
Registration code: 53A82F28
—————————————————————————————————
Youth is but a moment;
better to trade vain fame
for the wild abandon of cracking.
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-06-19 5:20