Ollydbg——宇佳仓库管理系统
V1.6.1(VB6 native)
下载页面: http://www.skycn.com/soft/12136.html
软件大小: 9081 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 商业贸易
应用平台: Win9x/NT/2000/XP
加入时间: 2003-06-18 17:02:29
下载次数: 2356
推荐等级: ***
【软件简介】:通用仓库及货物管理软件;支持多套帐簿(无限制)、多仓库管理(无限制)、多种计量单位(无限制)及多达8种的数量进制、可自定义多种入库及出库单据类型(无限制);允许用户自定义小数点位数(0-8位);支持商品动态分类级次达五级。界面直观、操作简单,支持全键盘操作;支持网络,及多用户;适合于各行各业的仓储及货物的计算机管理。 共享软件 免费注册。
【软件限制】:NAG、功能限制
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、UPXWin、Guw32、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
Waregoods.exe 无壳。 VB6 native 。晕倒,这个东东在我的WIN 98SE上居然无法正常运行,需要更新某某文件……呵呵,幸好我还有第2操作系统XP,只好去XP下分析了。这是我第一次在XP下调试。^O^
^O^
序列号:IELKLKHIDP
单 位:雨佳商业公司
试炼码:1357 - 2468 (注意:-前后各有1个空格!)
—————————————————————————————————
可下MSVBVM60.rtcMidCharVar断点,生成序列号后会来到下面:
:006629E9 FF90D4000000 call dword
ptr [eax+000000D4]
====>生成程序显示的序列号!
:006629EF 3BC3
cmp eax, ebx
:006629F1 7D11
jge 00662A04
:006629F3 68D4000000 push
000000D4
* Possible StringData Ref from
Code Obj ->"o晧m<)獿焹5Q8A?"
|
:006629F8 6830544200 push
00425430
:006629FD 57
push edi
:006629FE 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj,
Ord:0000h
|
:006629FF E83859DAFF Call
0040833C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:006629F1(C)
|
:00662A04 8B55C8 mov
edx, dword ptr [ebp-38]
====>EDX=IELKLKHIDP
序列号
:00662A07 895DC8
mov dword ptr [ebp-38], ebx
:00662A0A 8D4DD4 lea
ecx, dword ptr [ebp-2C]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:00662A0D E83059DAFF Call
00408342
:00662A12 6A01
push 00000001
:00662A14 FF36
push dword ptr [esi]
====>[esi]=1357 - 2468
试炼码
* Possible StringData Ref from
Code Obj ->" - "
|
:00662A16 6820634300 push
00436320
:00662A1B 53
push ebx
* Reference To: MSVBVM60.__vbaInStr,
Ord:0000h
|
:00662A1C E8775ADAFF Call
00408498
====>检测输入的试炼码的格式是否是K1 - K2
====>晕倒 ~Q~ 为了这-前后的2个空格我在这儿看了15分钟
:00662A21 8BC8 mov ecx, eax
* Reference To: MSVBVM60.__vbaI2I4,
Ord:0000h
|
:00662A23 E81E58DAFF Call
00408246
:00662A28 8945DC mov
dword ptr [ebp-24], eax
:00662A2B 663BC3 cmp
ax, bx
:00662A2E 0F8E2B010000 jle 00662B5F
====>跳则OVER!
:00662A34 8975A8
mov dword ptr [ebp-58], esi
:00662A37 BB08400000 mov ebx,
00004008
:00662A3C 895DA0 mov
dword ptr [ebp-60], ebx
:00662A3F 662D0100 sub
ax, 0001
:00662A43 0F809C010000 jo 00662BE5
:00662A49 0FBFC0 movsx
eax, ax
:00662A4C 50
push eax
:00662A4D 8D45A0 lea
eax, dword ptr [ebp-60]
:00662A50 50
push eax
:00662A51 8D45B0 lea
eax, dword ptr [ebp-50]
:00662A54 50
push eax
* Reference To: MSVBVM60.rtcLeftCharVar,
Ord:0269h
|
:00662A55 E88459DAFF Call
004083DE
====>取试炼码的前段
:00662A5A 8D45B0
lea eax, dword ptr [ebp-50]
:00662A5D 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00662A5E E81559DAFF Call
00408378
:00662A63 8BD0
mov edx, eax
====>EDX=1357 试炼码的前段
:00662A65 8D4DD8 lea ecx, dword ptr [ebp-28]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:00662A68 E8D558DAFF Call
00408342
:00662A6D 8D4DB0 lea
ecx, dword ptr [ebp-50]
* Reference To: MSVBVM60.__vbaFreeVar,
Ord:0000h
|
:00662A70 E83D58DAFF Call
004082B2
:00662A75 8975A8 mov
dword ptr [ebp-58], esi
:00662A78 895DA0 mov
dword ptr [ebp-60], ebx
:00662A7B FF36
push dword ptr [esi]
* Reference To: MSVBVM60.__vbaLenBstr,
Ord:0000h
|
:00662A7D E8E257DAFF Call
00408264
:00662A82 0FBF4DDC movsx
ecx, word ptr [ebp-24]
:00662A86 2BC1
sub eax, ecx
:00662A88 0F8057010000 jo 00662BE5
:00662A8E 83E802 sub
eax, 00000002
:00662A91 0F804E010000 jo 00662BE5
:00662A97 50
push eax
:00662A98 8D45A0 lea
eax, dword ptr [ebp-60]
:00662A9B 50
push eax
:00662A9C 8D45B0 lea
eax, dword ptr [ebp-50]
:00662A9F 50
push eax
* Reference To: MSVBVM60.rtcRightCharVar,
Ord:026Bh
|
:00662AA0 E8B759DAFF Call
0040845C
====>取试炼码的后段
:00662AA5 8D45B0
lea eax, dword ptr [ebp-50]
:00662AA8 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00662AA9 E8CA58DAFF Call
00408378
:00662AAE 8BD0
mov edx, eax
====>EDX=2468 试炼码的后段
:00662AB0 8D4DCC lea ecx, dword ptr [ebp-34]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:00662AB3 E88A58DAFF Call
00408342
:00662AB8 8D4DB0 lea
ecx, dword ptr [ebp-50]
* Reference To: MSVBVM60.__vbaFreeVar,
Ord:0000h
|
:00662ABB E8F257DAFF Call
004082B2
:00662AC0 8B07
mov eax, dword ptr [edi]
:00662AC2 8D4DC8 lea
ecx, dword ptr [ebp-38]
====>[ebp-38]=IELKLKHIDP
序列号
:00662AC5 51
push ecx
:00662AC6 FF75D4 push
[ebp-2C]
:00662AC9 57
push edi
:00662ACA FF90EC000000 call dword
ptr [eax+000000EC]
====>算法CALL①!进入!生成前段注册码
:00662AD0 85C0
test eax, eax
:00662AD2 7D11
jge 00662AE5
:00662AD4 68EC000000 push
000000EC
* Possible StringData Ref from
Code Obj ->"o晧m<)獿焹5Q8A?"
|
:00662AD9 6830544200 push
00425430
:00662ADE 57
push edi
:00662ADF 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj,
Ord:0000h
|
:00662AE0 E85758DAFF Call
0040833C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00662AD2(C)
|
:00662AE5 33D2
xor edx, edx
:00662AE7 8D4DC4 lea
ecx, dword ptr [ebp-3C]
* Reference To: MSVBVM60.__vbaStrCopy,
Ord:0000h
|
:00662AEA E8B157DAFF Call
004082A0
:00662AEF 8B07
mov eax, dword ptr [edi]
:00662AF1 8D4DC0 lea
ecx, dword ptr [ebp-40]
:00662AF4 51
push ecx
:00662AF5 8D4DC4 lea
ecx, dword ptr [ebp-3C]
:00662AF8 51
push ecx
:00662AF9 57
push edi
:00662AFA FF90D8000000 call dword
ptr [eax+000000D8]
====>算法CALL②!进入!生成后段注册码
:00662B00 85C0
test eax, eax
:00662B02 7D11
jge 00662B15
:00662B04 68D8000000 push
000000D8
* Possible StringData Ref from
Code Obj ->"o晧m<)獿焹5Q8A?"
|
:00662B09 6830544200 push
00425430
:00662B0E 57
push edi
:00662B0F 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj,
Ord:0000h
|
:00662B10 E82758DAFF Call
0040833C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00662B02(C)
|
:00662B15 FF75CC push
[ebp-34]
====>[ebp-34]=2468
:00662B18 FF75C0
push [ebp-40]
====>[ebp-40]=CNSZNOG 后段注册码
* Reference To: MSVBVM60.__vbaStrCmp,
Ord:0000h
|
:00662B1B E81658DAFF Call
00408336
====>比较后段注册码!
:00662B20 8BF0
mov esi, eax
:00662B22 F7DE
neg esi
:00662B24 1BF6
sbb esi, esi
:00662B26 46
inc esi
:00662B27 F7DE
neg esi
:00662B29 FF75D8 push
[ebp-28]
====>[ebp-28]=1357
:00662B2C FF75C8
push [ebp-38]
====>[ebp-38]=WAYAAYYQTU 前段注册码
* Reference To: MSVBVM60.__vbaStrCmp,
Ord:0000h
|
:00662B2F E80258DAFF Call
00408336
====>比较前段注册码!
:00662B34 F7D8
neg eax
:00662B36 1BC0
sbb eax, eax
:00662B38 40
inc eax
:00662B39 F7D8
neg eax
:00662B3B 23F0
and esi, eax
:00662B3D 8D45C0 lea
eax, dword ptr [ebp-40]
:00662B40 50
push eax
:00662B41 8D45C4 lea
eax, dword ptr [ebp-3C]
:00662B44 50
push eax
:00662B45 8D45C8 lea
eax, dword ptr [ebp-38]
:00662B48 50
push eax
:00662B49 6A03
push 00000003
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:00662B4B E8A457DAFF Call
004082F4
:00662B50 83C410 add
esp, 00000010
:00662B53 6685F6 test
si, si
:00662B56 7407
je 00662B5F
====>跳则OVER!
:00662B58 C745D001000000 mov [ebp-30], 00000001
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:006629B0(U), :006629C6(C), :00662A2E(C), :00662B56(C)
|
:00662B5F 668B45D0 mov
ax, word ptr [ebp-30]
:00662B63 66898784000000 mov word ptr [edi+00000084],
ax
:00662B6A EB0E
jmp 00662B7A
…… ……省 略…… ……
:0068E139 E892A1D7FF
Call 004082D0
====>BAD BOY!
—————————————————————————————————
进入算法CALL①:00662ACA call dword ptr [eax+000000EC]
…… ……省 略…… ……
* Reference To: MSVBVM60.__vbaLenBstr,
Ord:0000h
|
:00663176 E8E950DAFF Call
00408264
:0066317B 6A01
push 00000001
:0066317D 5B
pop ebx
:0066317E 2BC3
sub eax, ebx
:00663180 0F806F020000 jo 006633F5
:00663186 50
push eax
:00663187 8D459C lea
eax, dword ptr [ebp-64]
:0066318A 50
push eax
:0066318B 8D45BC lea
eax, dword ptr [ebp-44]
:0066318E 50
push eax
* Reference To: MSVBVM60.rtcLeftCharVar,
Ord:0269h
|
:0066318F E84A52DAFF Call
004083DE
====>取序列号左边的几位。其实就是E盘序列号的变形
:00663194 8D45BC
lea eax, dword ptr [ebp-44]
:00663197 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00663198 E8DB51DAFF Call
00408378
:0066319D 8BD0
mov edx, eax
====>[ebp-38]=IELKLKHID
:0066319F 8D4DDC lea ecx, dword ptr [ebp-24]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:006631A2 E89B51DAFF Call
00408342
:006631A7 8D4DBC lea
ecx, dword ptr [ebp-44]
* Reference To: MSVBVM60.__vbaFreeVar,
Ord:0000h
|
:006631AA E80351DAFF Call
004082B2
:006631AF 8D45E4 lea
eax, dword ptr [ebp-1C]
:006631B2 53
push ebx
:006631B3 8945A4 mov
dword ptr [ebp-5C], eax
:006631B6 8D459C lea
eax, dword ptr [ebp-64]
:006631B9 50
push eax
:006631BA 8D45BC lea
eax, dword ptr [ebp-44]
:006631BD 50
push eax
:006631BE 89759C mov
dword ptr [ebp-64], esi
* Reference To: MSVBVM60.rtcRightCharVar,
Ord:026Bh
|
:006631C1 E89652DAFF Call
0040845C
:006631C6 8D45BC lea
eax, dword ptr [ebp-44]
:006631C9 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:006631CA E8A951DAFF Call
00408378
:006631CF 8BD0
mov edx, eax
:006631D1 8D4DD0 lea
ecx, dword ptr [ebp-30]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:006631D4 E86951DAFF Call
00408342
:006631D9 8D4DBC lea
ecx, dword ptr [ebp-44]
* Reference To: MSVBVM60.__vbaFreeVar,
Ord:0000h
|
:006631DC E8D150DAFF Call
004082B2
:006631E1 8BD7
mov edx, edi
:006631E3 8D4DE0 lea
ecx, dword ptr [ebp-20]
* Reference To: MSVBVM60.__vbaStrCopy,
Ord:0000h
|
:006631E6 E8B550DAFF Call
004082A0
:006631EB FF75DC push
[ebp-24]
* Reference To: MSVBVM60.__vbaLenBstr,
Ord:0000h
|
:006631EE E87150DAFF Call
00408264
====>取IELKLKHID的长度
:006631F3 8BC8
mov ecx, eax
====>ECX=9
* Reference To: MSVBVM60.__vbaI2I4,
Ord:0000h
|
:006631F5 E84C50DAFF Call
00408246
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:006632DC(U)
|
:006631FA 6A01
push 00000001
:006631FC 8BF8
mov edi, eax
:006631FE 58
pop eax
:006631FF 663BF8 cmp
di, ax
:00663202 0F8CD9000000 jl 006632E1
:00663208 8D45DC lea
eax, dword ptr [ebp-24]
:0066320B 895DC4 mov
dword ptr [ebp-3C], ebx
:0066320E 8945A4 mov
dword ptr [ebp-5C], eax
:00663211 8D45BC lea
eax, dword ptr [ebp-44]
:00663214 50
push eax
:00663215 C745BC02000000 mov [ebp-44], 00000002
:0066321C 0FBFC7 movsx
eax, di
:0066321F 50
push eax
:00663220 8D459C lea
eax, dword ptr [ebp-64]
:00663223 50
push eax
:00663224 8D45AC lea
eax, dword ptr [ebp-54]
:00663227 50
push eax
:00663228 89759C mov
dword ptr [ebp-64], esi
* Reference To: MSVBVM60.rtcMidCharVar,
Ord:0278h
|
:0066322B E88451DAFF Call
004083B4
====>倒序取IELKLKHID字符
:00663230 8D45AC
lea eax, dword ptr [ebp-54]
:00663233 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00663234 E83F51DAFF Call
00408378
:00663239 8BD0
mov edx, eax
:0066323B 8D4DD4 lea
ecx, dword ptr [ebp-2C]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:0066323E E8FF50DAFF Call
00408342
:00663243 8D45AC lea
eax, dword ptr [ebp-54]
:00663246 50
push eax
:00663247 8D45BC lea
eax, dword ptr [ebp-44]
:0066324A 50
push eax
:0066324B 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:0066324D E8B450DAFF Call
00408306
:00663252 8B45E0 mov
eax, dword ptr [ebp-20]
:00663255 83C40C add
esp, 0000000C
:00663258 8945A4 mov
dword ptr [ebp-5C], eax
:0066325B C7459C08000000 mov [ebp-64], 00000008
:00663262 FF75D4 push
[ebp-2C]
* Reference To: MSVBVM60.rtcAnsivalueBstr,
Ord:0204h
|
:00663265 E85051DAFF Call
004083BA
====>依次取字符所对应的HEX值
:0066326A 6603C7
add ax, di
====>依次加上9、8、7、……、1 递减位数
:0066326D 66B91A00
mov cx, 001A
====>CX=1A
:00663271 0F807E010000
jo 006633F5
:00663277 66051700 add
ax, 0017
====>AX再加上17
:0066327B 0F8074010000
jo 006633F5
:00663281 6699
cwd
:00663283 66F7F9 idiv
cx
====>DX=AX % 1A
:00663286 6683C241
add dx, 0041
====>余数再加41
:0066328A 0F8065010000
jo 006633F5
:00663290 0FBFC2 movsx
eax, dx
:00663293 50
push eax
:00663294 8D45BC lea
eax, dword ptr [ebp-44]
:00663297 50
push eax
* Reference To: MSVBVM60.rtcVarBstrFromAnsi,
Ord:0260h
|
:00663298 E82F51DAFF Call
004083CC
====>依次把上面所得的HEX值转变为所对应的字符
:0066329D 8D459C
lea eax, dword ptr [ebp-64]
:006632A0 50
push eax
:006632A1 8D45BC lea
eax, dword ptr [ebp-44]
:006632A4 50
push eax
:006632A5 8D45AC lea
eax, dword ptr [ebp-54]
:006632A8 50
push eax
* Reference To: MSVBVM60.__vbaVarCat,
Ord:0000h
|
:006632A9 E81650DAFF Call
004082C4
====>依次连接所得的字符
:006632AE 50 push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:006632AF E8C450DAFF Call
00408378
:006632B4 8BD0
mov edx, eax
====>最后得出:WAYAAYYQT
:006632B6 8D4DE0 lea ecx, dword ptr [ebp-20]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:006632B9 E88450DAFF Call
00408342
:006632BE 8D45AC lea
eax, dword ptr [ebp-54]
:006632C1 50
push eax
:006632C2 8D45BC lea
eax, dword ptr [ebp-44]
:006632C5 50
push eax
:006632C6 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:006632C8 E83950DAFF Call
00408306
:006632CD 83C8FF or
eax, FFFFFFFF
:006632D0 83C40C add
esp, 0000000C
:006632D3 6603C7 add
ax, di
:006632D6 0F8019010000 jo 006633F5
:006632DC E919FFFFFF jmp 006631FA
====>循环!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00663202(C)
|
:006632E1 8B7508 mov
esi, dword ptr [ebp+08]
:006632E4 8D4DCC lea
ecx, dword ptr [ebp-34]
:006632E7 51
push ecx
:006632E8 FF75E0 push
[ebp-20]
====>[ebp-20]=WAYAAYYQT
:006632EB 8B06
mov eax, dword ptr [esi]
:006632ED 56
push esi
:006632EE FF90DC000000 call dword
ptr [eax+000000DC]
====>生成前段注册码K1的最后1位:U
:006632F4 85C0
test eax, eax
:006632F6 7D11
jge 00663309
:006632F8 68DC000000 push
000000DC
* Possible StringData Ref from
Code Obj ->"o晧m<)獿焹5Q8A?"
|
:006632FD 6830544200 push
00425430
:00663302 56
push esi
:00663303 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj,
Ord:0000h
|
:00663304 E83350DAFF Call
0040833C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:006632F6(C)
|
:00663309 FF75E0 push
[ebp-20]
====>[ebp-20]=WAYAAYYQT
:0066330C FF75CC
push [ebp-34]
====>[ebp-34]=U 前段注册码K1的最后1位
* Reference To: MSVBVM60.__vbaStrCat,
Ord:0000h
|
:0066330F E8EC4FDAFF Call
00408300
====>连接上面2组字符
:00663314 8BD0
mov edx, eax
====>EDX=WAYAAYYQTU 这就是前段注册码K1
—————————————————————————————————
生成前几位注册码K1的最后1位:006632EE call dword ptr [eax+000000DC]
…… ……省 略…… ……
* Reference To: MSVBVM60.rtcMidCharVar,
Ord:0278h
|
:00662828 E8875BDAFF Call
004083B4
====>依次取WAYAAYYQT的字符
:0066282D 8D45B4
lea eax, dword ptr [ebp-4C]
:00662830 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00662831 E8425BDAFF Call
00408378
:00662836 8BD0
mov edx, eax
:00662838 8D4DD8 lea
ecx, dword ptr [ebp-28]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:0066283B E8025BDAFF Call
00408342
:00662840 8D45B4 lea
eax, dword ptr [ebp-4C]
:00662843 50
push eax
:00662844 8D45C4 lea
eax, dword ptr [ebp-3C]
:00662847 50
push eax
:00662848 53
push ebx
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:00662849 E8B85ADAFF Call
00408306
:0066284E 83C40C add
esp, 0000000C
:00662851 FF75D8 push
[ebp-28]
* Reference To: MSVBVM60.rtcAnsivalueBstr,
Ord:0204h
|
:00662854 E8615BDAFF Call
004083BA
====>依次取对应的HEX值
:00662859 660345E4
add ax, word ptr [ebp-1C]
①、 ====>AX=57 + 00=57
②、 ====>AX=41 + 55=96
③、 ====>AX=59 + 94=ED
…… ……省 略…… ……
⑨、 ====>AX=54 + 266=2BA
:0066285D 6A01
push 00000001
:0066285F 0F80B7000000 jo 0066291C
:00662865 662BC3 sub
ax, bx
①、 ====>AX=57 - 02=55
②、 ====>AX=96 - 02=94
③、 ====>AX=ED - 02=EB
…… ……省 略…… ……
⑨、 ====>AX=2BA - 02=2B8
:00662868 0F80AE000000 jo 0066291C
:0066286E 8945E4 mov
dword ptr [ebp-1C], eax
====>[ebp-1C]=EAX
:00662871 58
pop eax
:00662872 6603C7 add
ax, di
:00662875 0F80A1000000 jo 0066291C
:0066287B 8BF8
mov edi, eax
:0066287D EB80
jmp 006627FF
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00662803(C)
|
:0066287F 668B45E4 mov
ax, word ptr [ebp-1C]
====>AX=2B8 上面的累加运算之和
:00662883 66B91A00
mov cx, 001A
:00662887 6699
cwd
:00662889 66F7F9 idiv
cx
====>DX=2B8 % 1A=14
:0066288C 6683C241
add dx, 0041
====>DX=14 + 41=55
:00662890 0F8086000000
jo 0066291C
:00662896 0FBFC2 movsx
eax, dx
:00662899 50
push eax
:0066289A 8D45C4 lea
eax, dword ptr [ebp-3C]
:0066289D 50
push eax
* Reference To: MSVBVM60.rtcVarBstrFromAnsi,
Ord:0260h
|
:0066289E E8295BDAFF Call
004083CC
====>把上面所得的55转变成字符
:006628A3 8D45C4
lea eax, dword ptr [ebp-3C]
:006628A6 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:006628A7 E8CC5ADAFF Call
00408378
:006628AC 8BD0
mov edx, eax
====>EDX=U
这就是K1的最后1位
————————————————
注:生成程序显示的序列号的最后1位:
对IELKLKHID运算得出:27F % 1A=F F + 41=50 即:P
—————————————————————————————————
进入算法CALL②:00662AFA call dword ptr [eax+000000D8]
我改变E盘序列号测试了几次,发现后段注册码是相同的,或许这是根据单位名来运算的。但是在我机子上安装后的程序单位名是无法改变的,有朋友做的话麻烦验证一下!
…… ……省 略…… ……
:00662669 50
push eax
:0066266A 895DA8 mov
dword ptr [ebp-58], ebx
* Reference To: MSVBVM60.rtcMidCharVar,
Ord:0278h
|
:0066266D E8425DDAFF Call
004083B4
====>依次取E8 96 73 4F 46 55 1A 4E
6C 51 F8 53 20 00
:00662672 8D45B8
lea eax, dword ptr [ebp-48]
:00662675 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00662676 E8FD5CDAFF Call
00408378
:0066267B 8BD0
mov edx, eax
:0066267D 8D4DDC lea
ecx, dword ptr [ebp-24]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:00662680 E8BD5CDAFF Call
00408342
:00662685 8D45B8 lea
eax, dword ptr [ebp-48]
:00662688 50
push eax
:00662689 8D45C8 lea
eax, dword ptr [ebp-38]
:0066268C 50
push eax
:0066268D 56
push esi
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:0066268E E8735CDAFF Call
00408306
:00662693 8B45E0 mov
eax, dword ptr [ebp-20]
:00662696 83C40C add
esp, 0000000C
:00662699 8945B0 mov
dword ptr [ebp-50], eax
:0066269C C745A808000000 mov [ebp-58], 00000008
:006626A3 FF75DC push
[ebp-24]
* Reference To: MSVBVM60.rtcAnsivalueBstr,
Ord:0204h
|
:006626A6 E80F5DDAFF Call
004083BA
:006626AB 8BC8
mov ecx, eax
* Reference To: MSVBVM60.__vbaI2Abs,
Ord:0000h
|
:006626AD E87E5FDAFF Call
00408630
:006626B2 6699
cwd
:006626B4 66B91A00 mov
cx, 001A
:006626B8 66F7F9 idiv
cx
:006626BB 6683C241 add
dx, 0041
:006626BF 0F80BF000000 jo 00662784
====>上面是求模、相加运算
:006626C5 0FBFC2
movsx eax, dx
:006626C8 50
push eax
:006626C9 8D45C8 lea
eax, dword ptr [ebp-38]
:006626CC 50
push eax
* Reference To: MSVBVM60.rtcVarBstrFromAnsi,
Ord:0260h
|
:006626CD E8FA5CDAFF Call
004083CC
====>依次把上面所得的HEX值转变为所对应的字符
:006626D2 8D45A8
lea eax, dword ptr [ebp-58]
:006626D5 50
push eax
:006626D6 8D45C8 lea
eax, dword ptr [ebp-38]
:006626D9 50
push eax
:006626DA 8D45B8 lea
eax, dword ptr [ebp-48]
:006626DD 50
push eax
* Reference To: MSVBVM60.__vbaVarCat,
Ord:0000h
|
:006626DE E8E15BDAFF Call
004082C4
====>依次连接所得的字符
:006626E3 50 push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:006626E4 E88F5CDAFF Call
00408378
:006626E9 8BD0
mov edx, eax
====>最后得出:EDX=CNSZNOG 这就是后段注册码K2
:006626EB 8D4DE0 lea ecx, dword ptr [ebp-20]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:006626EE E84F5CDAFF Call
00408342
:006626F3 8D45B8 lea
eax, dword ptr [ebp-48]
:006626F6 50
push eax
:006626F7 8D45C8 lea
eax, dword ptr [ebp-38]
:006626FA 50
push eax
:006626FB 56
push esi
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:006626FC E8055CDAFF Call
00408306
:00662701 83C40C add
esp, 0000000C
:00662704 6A01
push 00000001
:00662706 58
pop eax
:00662707 6603C7 add
ax, di
:0066270A 7078
jo 00662784
:0066270C 8BF8
mov edi, eax
:0066270E E92DFFFFFF jmp 00662640
====>循环!
★★★★★★★★☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆★★★★★★★★
取E盘的序列号,生成程序显示的序列号:006629E9 call dword ptr [eax+000000D4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00662484(U)
|
:006623A4 8B45E8 mov
eax, dword ptr [ebp-18]
:006623A7 663B4588 cmp
ax, word ptr [ebp-78]
:006623AB 0F8FD8000000 jg 00662489
:006623B1 8D4DDC lea
ecx, dword ptr [ebp-24]
:006623B4 895DCC mov
dword ptr [ebp-34], ebx
:006623B7 894DAC mov
dword ptr [ebp-54], ecx
:006623BA 8D4DC4 lea
ecx, dword ptr [ebp-3C]
:006623BD 0FBFC0 movsx
eax, ax
:006623C0 51
push ecx
:006623C1 50
push eax
:006623C2 8D45A4 lea
eax, dword ptr [ebp-5C]
:006623C5 C745C402000000 mov [ebp-3C], 00000002
:006623CC 50
push eax
:006623CD 8D45B4 lea
eax, dword ptr [ebp-4C]
:006623D0 50
push eax
:006623D1 C745A408400000 mov [ebp-5C], 00004008
* Reference To: MSVBVM60.rtcMidCharVar,
Ord:0278h
|
:006623D8 E8D75FDAFF Call
004083B4
====>依次取518787450 E盘序列号的10进制值
:006623DD 8D45B4
lea eax, dword ptr [ebp-4C]
:006623E0 50
push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:006623E1 E8925FDAFF Call
00408378
:006623E6 8BD0
mov edx, eax
:006623E8 8D4DE0 lea
ecx, dword ptr [ebp-20]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:006623EB E8525FDAFF Call
00408342
:006623F0 8D45B4 lea
eax, dword ptr [ebp-4C]
:006623F3 50
push eax
:006623F4 8D45C4 lea
eax, dword ptr [ebp-3C]
:006623F7 50
push eax
:006623F8 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:006623FA E8075FDAFF Call
00408306
:006623FF 8B45E4 mov
eax, dword ptr [ebp-1C]
:00662402 83C40C add
esp, 0000000C
:00662405 8945AC mov
dword ptr [ebp-54], eax
:00662408 C745A408000000 mov [ebp-5C], 00000008
:0066240F FF75E0 push
[ebp-20]
* Reference To: MSVBVM60.rtcAnsivalueBstr,
Ord:0204h
|
:00662412 E8A35FDAFF Call
004083BA
====>取其字符对应的HEX值
:00662417 66053F00
add ax, 003F
====>依次+3F
:0066241B 66B91B00
mov cx, 001B
:0066241F 0F8014010000 jo 00662539
:00662425 6699
cwd
:00662427 66F7F9 idiv
cx
====>依次模1B
:0066242A 6683C241
add dx, 0041
====>余数+41
:0066242E 0F8005010000
jo 00662539
:00662434 0FBFC2 movsx
eax, dx
:00662437 50
push eax
:00662438 8D45C4 lea
eax, dword ptr [ebp-3C]
:0066243B 50
push eax
* Reference To: MSVBVM60.rtcVarBstrFromAnsi,
Ord:0260h
|
:0066243C E88B5FDAFF Call
004083CC
====>取上面的HEX值对应的字符
:00662441 8D45A4
lea eax, dword ptr [ebp-5C]
:00662444 50
push eax
:00662445 8D45C4 lea
eax, dword ptr [ebp-3C]
:00662448 50
push eax
:00662449 8D45B4 lea
eax, dword ptr [ebp-4C]
:0066244C 50
push eax
* Reference To: MSVBVM60.__vbaVarCat,
Ord:0000h
|
:0066244D E8725EDAFF Call
004082C4
====>依次连接所得字符
:00662452 50 push eax
* Reference To: MSVBVM60.__vbaStrVarMove,
Ord:0000h
|
:00662453 E8205FDAFF Call
00408378
:00662458 8BD0
mov edx, eax
====>最后得出:EDX=IELKLKHID
:0066245A 8D4DE4 lea ecx, dword ptr [ebp-1C]
* Reference To: MSVBVM60.__vbaStrMove,
Ord:0000h
|
:0066245D E8E05EDAFF Call
00408342
:00662462 8D45B4 lea
eax, dword ptr [ebp-4C]
:00662465 50
push eax
:00662466 8D45C4 lea
eax, dword ptr [ebp-3C]
:00662469 50
push eax
:0066246A 6A02
push 00000002
* Reference To: MSVBVM60.__vbaFreeVarList,
Ord:0000h
|
:0066246C E8955EDAFF Call
00408306
:00662471 83C40C add
esp, 0000000C
:00662474 6A01
push 00000001
:00662476 58
pop eax
:00662477 660345E8 add
ax, word ptr [ebp-18]
:0066247B 0F80B8000000 jo 00662539
:00662481 8945E8 mov
dword ptr [ebp-18], eax
:00662484 E91BFFFFFF jmp 006623A4
====>循环!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:006623AB(C)
|
:00662489 8B07
mov eax, dword ptr [edi]
:0066248B 8D4DD4 lea
ecx, dword ptr [ebp-2C]
:0066248E 51
push ecx
:0066248F FF75E4 push
[ebp-1C]
:00662492 57
push edi
:00662493 FF90DC000000 call dword
ptr [eax+000000DC]
====>对IELKLKHID运算 生成序列号最后1位
====>详见:生成前几位注册码K1的最后1位
:00662499 3BC6
cmp eax, esi
:0066249B 7D11
jge 006624AE
:0066249D 68DC000000 push
000000DC
* Possible StringData Ref from
Code Obj ->"o晧m<)獿焹5Q8A?"
|
:006624A2 6830544200 push
00425430
:006624A7 57
push edi
:006624A8 50
push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj,
Ord:0000h
|
:006624A9 E88E5EDAFF Call
0040833C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0066249B(C)
|
:006624AE FF75E4 push
[ebp-1C]
====>[ebp-1C]=IELKLKHID
:006624B1 FF75D4
push [ebp-2C]
====>[ebp-2C]=P
序列号最后1位
* Reference To: MSVBVM60.__vbaStrCat,
Ord:0000h
|
:006624B4 E8475EDAFF Call
00408300
====>连接以上2组字符
:006624B9 8BD0
mov edx, eax
====>EDX=IELKLKHIDP 这就是序列号
★★★★★★★★☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆★★★★★★★★
程序启动时的比较:
:0052692A FF91E0000000 call dword
ptr [ecx+000000E0]
====>进入运算比较CALL!
:00526930 85C0
test eax, eax
:00526932 DBE2
fclex
:00526934 7D12
jge 00526948
====>跳则OVER!
—————————————————————————————————
【完 美 爆 破】:
想做完美爆破还是有点麻烦的。呵 呵 ~@~ ~@~
—————————————————————————————————
【注册信息保存】:
Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1614895754-436374069-1957994488-1003\Software\VB and VBA Program Settings\Account\RegisterCode]
"RegisterCode"="WAYAAYYQTU - CNSZNOG"
—————————————————————————————————
【整 理】:
序列号:IELKLKHIDP
单 位:雨佳商业公司
注册码:WAYAAYYQTU - CNSZNOG
—————————————————————————————————
, _/
/| _.-~/ \_
, 青春都一饷
( /~ /
\~-._ |\
`\\ _/
\ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_
//'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-.
换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `"
/~'`\ `\\~~\
" " "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-06-23 2:00