饮羽公路造价V1.88破解分析
破解人:lchhome[OCN][DFCG]
一、此软件是用VB6.0编写,无壳。
二、因用W32dsm反汇编找到任何有用的字符串,用GetVBRes载入程序,找到“注册码错误”改为任意字符“happy new year”,再用W32dsm反汇编,这下可找到“happy new year”,双击,再往上找,可找到关键跳转句“0079063C 0F84 16010000 JE yglzj.00790758”,把JE改为JNE,可跳到“注册码成功”,但这不是完美爆破,仍然有功能限制,不管它,用OD载入程序,跳到0079063C句,然后往上找,如下:
007904AA . E8 93D2C7FF CALL <JMP.&MSVBVM60.__vbaStrCmp> 看见没有,比较函数,重要,按F2下断吧,然后按F9进入程 序,在注册框中填入“用户名:lchhome@163.com,注册码:1234567890” 后,按F8跟进
007904AF . 85C0 TEST EAX,EAX
007904B1 . 0F85 A2000000 JNZ yglzj.00790559 把假注册码比较后,继续往下跳到 00790559句 ,走
007904B7 . B8 04000280 MOV EAX,80020004
007904BC . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
007904C2 . 6A 0A PUSH 0A
007904C4 . 5F POP EDI
............................................................
中间一段省略
............................................................
00790531 . E8 E8D1C7FF CALL <JMP.&MSVBVM60.#595>
00790536 . 8985 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EAX
0079053C . C785 B0FEFFFF >MOV DWORD PTR SS:[EBP-150],3
00790546 . 8D95 B0FEFFFF LEA EDX,DWORD PTR SS:[EBP-150]
0079054C . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0079054F . E8 42D2C7FF CALL <JMP.&MSVBVM60.__vbaVarMove>
00790554 . E9 9A010000 JMP yglzj.007906F3
00790559 > 8B03 MOV EAX,DWORD PTR DS:[EBX] 跳到此处,往下走
0079055B . 68 38B0A600 PUSH yglzj.00A6B038
00790560 . 68 48B0A600 PUSH yglzj.00A6B048
00790565 . 68 44B0A600 PUSH yglzj.00A6B044
0079056A . 68 40B0A600 PUSH yglzj.00A6B040
0079056F . 53 PUSH EBX
00790570 . FF90 F8060000 CALL DWORD PTR DS:[EAX+6F8] 这里有个CAll,按F7跟进
00790576 . 3BC7 CMP EAX,EDI
00790578 . 7D 11 JGE SHORT yglzj.0079058B
0079057A . 68 F8060000 PUSH 6F8
0079057F . 68 F0304500 PUSH yglzj.004530F0
00790584 . 53 PUSH EBX
00790585 . 50 PUSH EAX
............................................................
中间一段省略
............................................................
0079062D . E8 16D1C7FF CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00790632 . 83C4 0C ADD ESP,0C
00790635 . 66:39BD A0FEFF>CMP WORD PTR SS:[EBP-160],DI
0079063C 0F84 16010000 JE yglzj.00790758 停在此处,往上找关键函数
00790642 . B8 04000280 MOV EAX,80020004
00790647 . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0079064D . 6A 0A PUSH 0A
0079064F . 5F POP EDI
00790650 . 89BD 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EDI
00790656 . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX
0079065C . 89BD 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EDI
00790662 . C785 F8FEFFFF >MOV DWORD PTR SS:[EBP-108],yglzj.0044ED2>
0079066C . 89B5 F0FEFFFF MOV DWORD PTR SS:[EBP-110],ESI
00790672 . 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110]
00790678 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0079067E . E8 95D0C7FF CALL <JMP.&MSVBVM60.__vbaVarDup>
00790683 . 68 CCE94500 PUSH yglzj.0045E9CC ; UNICODE "happy new year" 看见没有,注册码错误提示
跟进00790570句,按F8继续走,会到如下:
00793118 > 55 PUSH EBP
00793119 . 8BEC MOV EBP,ESP
............................................................
中间一段省略
............................................................
007931C4 . 53 PUSH EBX
007931C5 . E8 E4A5C7FF CALL <JMP.&MSVBVM60.__vbaOnError>
007931CA . BA 14D84400 MOV EDX,yglzj.0044D814
007931CF . 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
007931D2 . E8 CFA4C7FF CALL <JMP.&MSVBVM60.__vbaStrCopy>
007931D7 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
007931DA . 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
007931DD . FF37 PUSH DWORD PTR DS:[EDI]
007931DF . E8 AAA4C7FF CALL <JMP.&MSVBVM60.__vbaLenBstr>
007931E4 . 8BC8 MOV ECX,EAX
007931E6 . E8 09A5C7FF CALL <JMP.&MSVBVM60.__vbaI2I4>
007931EB . 8985 90FEFFFF MOV DWORD PTR SS:[EBP-170],EAX
007931F1 . 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
007931F4 . 6A 02 PUSH 2 以下这一段把用户名“lchhome@163.com”每个字符的ASCII值进行累加
007931F6 . 5E POP ESI .........................................
007931F7 > 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
007931FA . 66:3B85 90FEFF>CMP AX,WORD PTR SS:[EBP-170]
00793201 . 7F 60 JG SHORT yglzj.00793263 循环完后跳
00793203 . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
00793209 . 89B5 74FFFFFF MOV DWORD PTR SS:[EBP-8C],ESI
0079320F . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00793215 . 51 PUSH ECX
00793216 . 0FBFC0 MOVSX EAX,AX
00793219 . 50 PUSH EAX
0079321A . FF37 PUSH DWORD PTR DS:[EDI] 用户名“lchhome@163.com”入栈
0079321C . E8 61A4C7FF CALL <JMP.&MSVBVM60.#631>
00793221 . 8BD0 MOV EDX,EAX
00793223 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00793226 . E8 35A5C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
0079322B . 50 PUSH EAX
0079322C . E8 3DA3C7FF CALL <JMP.&MSVBVM60.#516>
00793231 . 66:0345 DC ADD AX,WORD PTR SS:[EBP-24] 每个字符的ASCII值逐个进行累加,我的最后累加值为“&H527”
00793235 . 0F80 99280000 JO yglzj.00795AD4
0079323B . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
0079323E . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00793241 . E8 F6A4C7FF CALL <JMP.&MSVBVM60.__vbaFreeStr>
00793246 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0079324C . E8 21A5C7FF CALL <JMP.&MSVBVM60.__vbaFreeVar>
00793251 . 6A 01 PUSH 1
00793253 . 58 POP EAX
00793254 . 66:0345 E0 ADD AX,WORD PTR SS:[EBP-20] 计数器
00793258 . 0F80 76280000 JO yglzj.00795AD4
0079325E . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00793261 .^EB 94 JMP SHORT yglzj.007931F7 ...............................................
00793263 > 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]
00793266 . FF37 PUSH DWORD PTR DS:[EDI]
00793268 . E8 21A4C7FF CALL <JMP.&MSVBVM60.__vbaLenBstr>
0079326D . 8BC8 MOV ECX,EAX
0079326F . E8 80A4C7FF CALL <JMP.&MSVBVM60.__vbaI2I4>
00793274 . 8985 88FEFFFF MOV DWORD PTR SS:[EBP-178],EAX 以下是把“&H527”与机器码“64640694”每个字符进行累加
0079327A . 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
0079327D > 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] .....................................................
00793280 . 66:3B85 88FEFF>CMP AX,WORD PTR SS:[EBP-178]
00793287 . 0F8F 90000000 JG yglzj.0079331D
0079328D . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
00793293 . 89B5 74FFFFFF MOV DWORD PTR SS:[EBP-8C],ESI
00793299 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0079329F . 51 PUSH ECX
007932A0 . 0FBFC0 MOVSX EAX,AX
007932A3 . 50 PUSH EAX
007932A4 . FF37 PUSH DWORD PTR DS:[EDI] 机器码“64640694”入栈
007932A6 . E8 D7A3C7FF CALL <JMP.&MSVBVM60.#631>
007932AB . 8BD0 MOV EDX,EAX
007932AD . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
007932B0 . E8 ABA4C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
007932B5 . 50 PUSH EAX
007932B6 . E8 ABA4C7FF CALL <JMP.&MSVBVM60.#581>
007932BB . DD9D 9CFEFFFF FSTP QWORD PTR SS:[EBP-164] 依次把机器码逐个字符出栈浮点寄存器
007932C1 . 0FBF45 DC MOVSX EAX,WORD PTR SS:[EBP-24] 提出用户名的累加值“&H527”
007932C5 . 8985 6CFEFFFF MOV DWORD PTR SS:[EBP-194],EAX
007932CB . DB85 6CFEFFFF FILD DWORD PTR SS:[EBP-194] 把它装入浮点寄存器
007932D1 . DD9D 64FEFFFF FSTP QWORD PTR SS:[EBP-19C] 它的十进制“1319”出栈
007932D7 . DD85 64FEFFFF FLD QWORD PTR SS:[EBP-19C]
007932DD . DC85 9CFEFFFF FADD QWORD PTR SS:[EBP-164] 把“1319”与机器码逐个字符的累加值相加,为&H54E
007932E3 . DFE0 FSTSW AX
007932E5 . A8 0D TEST AL,0D
007932E7 . 0F85 E2270000 JNZ yglzj.00795ACF
007932ED . E8 6CA3C7FF CALL <JMP.&MSVBVM60.__vbaFpI2>
007932F2 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
007932F5 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
007932F8 . E8 3FA4C7FF CALL <JMP.&MSVBVM60.__vbaFreeStr>
007932FD . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00793303 . E8 6AA4C7FF CALL <JMP.&MSVBVM60.__vbaFreeVar>
00793308 . 6A 01 PUSH 1
0079330A . 58 POP EAX
0079330B . 66:0345 E0 ADD AX,WORD PTR SS:[EBP-20]
0079330F . 0F80 BF270000 JO yglzj.00795AD4
00793315 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00793318 .^E9 60FFFFFF JMP yglzj.0079327D ..................................................
0079331D > 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
00793320 . E8 07A5C7FF CALL <JMP.&MSVBVM60.__vbaI2Abs>
00793325 . 0FBFC0 MOVSX EAX,AX 把“&H54E”放入EAX
00793328 . 69C0 40800000 IMUL EAX,EAX,8040 EAX=EAX * &H8040=&H2A85380
0079332E . 0F80 A0270000 JO yglzj.00795AD4
00793334 . 83C0 29 ADD EAX,29 EAX=EAX+&H29=&H2A853A9(44585897)
00793337 . 0F80 97270000 JO yglzj.00795AD4
0079333D . 8985 60FEFFFF MOV DWORD PTR SS:[EBP-1A0],EAX
00793343 . DB85 60FEFFFF FILD DWORD PTR SS:[EBP-1A0]
00793349 . DD5D C8 FSTP QWORD PTR SS:[EBP-38]
0079334C . D9E8 FLD1
0079334E . 833D 00B0A600 >CMP DWORD PTR DS:[A6B000],0
00793355 75 08 JNZ SHORT yglzj.0079335F
00793357 . DC35 B8174000 FDIV QWORD PTR DS:[4017B8]
0079335D . EB 11 JMP SHORT yglzj.00793370
0079335F > FF35 BC174000 PUSH DWORD PTR DS:[4017BC]
00793365 . FF35 B8174000 PUSH DWORD PTR DS:[4017B8]
0079336B . E8 E4A0C7FF CALL <JMP.&MSVBVM60._adj_fdiv_m64>
00793370 > DFE0 FSTSW AX
00793372 . A8 0D TEST AL,0D
00793374 . 0F85 55270000 JNZ yglzj.00795ACF
0079337A . 51 PUSH ECX
0079337B . 51 PUSH ECX
0079337C . DD1C24 FSTP QWORD PTR SS:[ESP]
0079337F . DD45 C8 FLD QWORD PTR SS:[EBP-38]
00793382 . 51 PUSH ECX
00793383 . 51 PUSH ECX
00793384 . DD1C24 FSTP QWORD PTR SS:[ESP]
00793387 . E8 3AA1C7FF CALL <JMP.&MSVBVM60.__vbaPowerR8>
0079338C . E8 DFA2C7FF CALL <JMP.&MSVBVM60.__vbaFPInt>
00793391 . DD5D B8 FSTP QWORD PTR SS:[EBP-48] 装入实数“81” ST1
00793394 . D9E8 FLD1
00793396 . 833D 00B0A600 >CMP DWORD PTR DS:[A6B000],0
0079339D . 75 08 JNZ SHORT yglzj.007933A7
0079339F . DC35 C0174000 FDIV QWORD PTR DS:[4017C0]
007933A5 . EB 11 JMP SHORT yglzj.007933B8
007933A7 > FF35 C4174000 PUSH DWORD PTR DS:[4017C4]
007933AD . FF35 C0174000 PUSH DWORD PTR DS:[4017C0]
007933B3 . E8 9CA0C7FF CALL <JMP.&MSVBVM60._adj_fdiv_m64>
007933B8 > DFE0 FSTSW AX
007933BA . A8 0D TEST AL,0D
007933BC . 0F85 0D270000 JNZ yglzj.00795ACF
007933C2 . 51 PUSH ECX
007933C3 . 51 PUSH ECX
007933C4 . DD1C24 FSTP QWORD PTR SS:[ESP]
007933C7 . DD45 C8 FLD QWORD PTR SS:[EBP-38]
007933CA . 51 PUSH ECX
007933CB . 51 PUSH ECX
007933CC . DD1C24 FSTP QWORD PTR SS:[ESP]
007933CF . E8 F2A0C7FF CALL <JMP.&MSVBVM60.__vbaPowerR8>
007933D4 . E8 97A2C7FF CALL <JMP.&MSVBVM60.__vbaFPInt>
007933D9 . DD5D B0 FSTP QWORD PTR SS:[EBP-50] 装入实数“354” ST2
007933DC . D9E8 FLD1
007933DE . 833D 00B0A600 >CMP DWORD PTR DS:[A6B000],0
007933E5 . 75 08 JNZ SHORT yglzj.007933EF
007933E7 . DC35 C0134000 FDIV QWORD PTR DS:[4013C0]
007933ED . EB 11 JMP SHORT yglzj.00793400
007933EF > FF35 C4134000 PUSH DWORD PTR DS:[4013C4]
007933F5 . FF35 C0134000 PUSH DWORD PTR DS:[4013C0]
007933FB . E8 54A0C7FF CALL <JMP.&MSVBVM60._adj_fdiv_m64>
00793400 > DFE0 FSTSW AX
00793402 . A8 0D TEST AL,0D
00793404 . 0F85 C5260000 JNZ yglzj.00795ACF
0079340A . 51 PUSH ECX
0079340B . 51 PUSH ECX
0079340C . DD1C24 FSTP QWORD PTR SS:[ESP]
0079340F . DD45 C8 FLD QWORD PTR SS:[EBP-38]
00793412 . 51 PUSH ECX
00793413 . 51 PUSH ECX
00793414 . DD1C24 FSTP QWORD PTR SS:[ESP]
00793417 . E8 AAA0C7FF CALL <JMP.&MSVBVM60.__vbaPowerR8>
0079341C . E8 4FA2C7FF CALL <JMP.&MSVBVM60.__vbaFPInt>
00793421 . DD5D A8 FSTP QWORD PTR SS:[EBP-58] 装入实数“6677” ST3
00793424 . DD45 C8 FLD QWORD PTR SS:[EBP-38]
00793427 . 833D 00B0A600 >CMP DWORD PTR DS:[A6B000],0
0079342E . 75 08 JNZ SHORT yglzj.00793438
00793430 . DC35 90854000 FDIV QWORD PTR DS:[408590] 把上面的EAX值(44585897)/固定实数“18633”=2392(取整数)
00793436 . EB 11 JMP SHORT yglzj.00793449
00793438 > FF35 94854000 PUSH DWORD PTR DS:[408594]
0079343E . FF35 90854000 PUSH DWORD PTR DS:[408590]
00793444 . E8 0BA0C7FF CALL <JMP.&MSVBVM60._adj_fdiv_m64>
00793449 > DFE0 FSTSW AX
0079344B . A8 0D TEST AL,0D
0079344D . 0F85 7C260000 JNZ yglzj.00795ACF
00793453 . E8 18A2C7FF CALL <JMP.&MSVBVM60.__vbaFPInt>
00793458 . DD5D D0 FSTP QWORD PTR SS:[EBP-30]
0079345B . DD45 D0 FLD QWORD PTR SS:[EBP-30]
0079345E . DC1D 501B4000 FCOMP QWORD PTR DS:[401B50]
00793464 . DFE0 FSTSW AX
00793466 . 9E SAHF
00793467 . 76 60 JBE SHORT yglzj.007934C9
............................................................
中间一段省略
............................................................
0079349F . E8 BCA2C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
007934A4 . 50 PUSH EAX
007934A5 . E8 BCA2C7FF CALL <JMP.&MSVBVM60.#581>
007934AA . DD5D D0 FSTP QWORD PTR SS:[EBP-30]
007934AD . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
007934B0 . 50 PUSH EAX
007934B1 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
007934B4 . 50 PUSH EAX
007934B5 . 56 PUSH ESI
007934B6 . E8 99A2C7FF CALL <JMP.&MSVBVM60.__vbaFreeStrList>
007934BB . 83C4 0C ADD ESP,0C
007934BE . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
007934C4 . E8 A9A2C7FF CALL <JMP.&MSVBVM60.__vbaFreeVar>
007934C9 > DD45 B8 FLD QWORD PTR SS:[EBP-48] 取“2392”的前两位“23”装入浮点寄位器
007934CC . DC4D D0 FMUL QWORD PTR SS:[EBP-30] ST1(81)*23=a1
007934CF . DC4D D0 FMUL QWORD PTR SS:[EBP-30] a1*23=a2
007934D2 . DC4D D0 FMUL QWORD PTR SS:[EBP-30] a2*23=a3="985527"
007934D5 . DD45 B0 FLD QWORD PTR SS:[EBP-50] 把ST2“354”装入浮点寄位器
007934D8 . DC4D D0 FMUL QWORD PTR SS:[EBP-30] ST2*23=b1
007934DB . DC4D D0 FMUL QWORD PTR SS:[EBP-30] b1*23=b2
007934DE . DEC1 FADDP ST(1),ST b2+a3=c1(1172793)
007934E0 . DD45 A8 FLD QWORD PTR SS:[EBP-58] 把ST3“6677”装入浮点寄位器
007934E3 . DC4D D0 FMUL QWORD PTR SS:[EBP-30] ST3*23=d1
007934E6 . DEC1 FADDP ST(1),ST d1+c1=e1(1326364)
007934E8 . DD5D C0 FSTP QWORD PTR SS:[EBP-40]
007934EB . DFE0 FSTSW AX
007934ED . A8 0D TEST AL,0D
007934EF 0F85 DA250000 JNZ yglzj.00795ACF
............................................................
中间一段省略
............................................................
0079354B . 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
00793551 . 50 PUSH EAX
00793552 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793558 . 50 PUSH EAX
00793559 . 56 PUSH ESI
0079355A . E8 E9A1C7FF CALL <JMP.&MSVBVM60.__vbaFreeVarList>
0079355F . 83C4 0C ADD ESP,0C
00793562 . 66:395D A4 CMP WORD PTR SS:[EBP-5C],BX
00793566 0F85 9D000000 JNZ yglzj.00793609
经过一连串跳转后来这里:
0079396A > 66:837D A4 07 CMP WORD PTR SS:[EBP-5C],7
0079396F . 0F85 A5000000 JNZ yglzj.00793A1A
00793975 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00793978 . 8985 FCFEFFFF MOV DWORD PTR SS:[EBP-104],EAX
0079397E . C785 F4FEFFFF >MOV DWORD PTR SS:[EBP-10C],4005
00793988 . 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
0079398E . 50 PUSH EAX
0079398F . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793995 . 50 PUSH EAX
00793996 . E8 119DC7FF CALL <JMP.&MSVBVM60.#613>
0079399B . C785 6CFFFFFF >MOV DWORD PTR SS:[EBP-94],7
007939A5 . 89B5 64FFFFFF MOV DWORD PTR SS:[EBP-9C],ESI
007939AB . 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
007939B1 . 50 PUSH EAX
007939B2 . 53 PUSH EBX
007939B3 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
007939B9 . 50 PUSH EAX
007939BA . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
007939BD . 50 PUSH EAX
007939BE . E8 119CC7FF CALL <JMP.&MSVBVM60.__vbaStrVarVal>
007939C3 . 50 PUSH EAX
007939C4 . E8 B99CC7FF CALL <JMP.&MSVBVM60.#631>
007939C9 . 8BD0 MOV EDX,EAX
007939CB . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
007939CE . E8 8D9DC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
007939D3 . 50 PUSH EAX
007939D4 . E8 8D9DC7FF CALL <JMP.&MSVBVM60.#581>
007939D9 . DD9D 9CFEFFFF FSTP QWORD PTR SS:[EBP-164] 把(44585897)的前六位“445858”出栈浮点寄位器
007939DF . DD85 9CFEFFFF FLD QWORD PTR SS:[EBP-164]
007939E5 . DC45 C0 FADD QWORD PTR SS:[EBP-40] “445858”+e1(1326364)=f1(1772222)
007939E8 . DD5D C0 FSTP QWORD PTR SS:[EBP-40]
007939EB . DFE0 FSTSW AX
007939ED . A8 0D TEST AL,0D
007939EF . 0F85 DA200000 JNZ yglzj.00795ACF
007939F5 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
007939F8 . 50 PUSH EAX
007939F9 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
007939FC . 50 PUSH EAX
007939FD . 56 PUSH ESI
007939FE . E8 519DC7FF CALL <JMP.&MSVBVM60.__vbaFreeStrList>
00793A03 . 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
00793A09 . 50 PUSH EAX
00793A0A . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793A10 . 50 PUSH EAX
00793A11 . 56 PUSH ESI
00793A12 . E8 319DC7FF CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00793A17 . 83C4 18 ADD ESP,18
00793A1A > 6A 08 PUSH 8
00793A1C . 5B POP EBX
00793A1D . 66:395D A4 CMP WORD PTR SS:[EBP-5C],BX
00793A21 . 7D 1A JGE SHORT yglzj.00793A3D
00793A23 . DD45 C0 FLD QWORD PTR SS:[EBP-40] 把f1装入浮点寄位器
00793A26 . DC05 88854000 FADD QWORD PTR DS:[408588] f1+固定实数“78266315”=g1(80038537)
00793A2C . DD5D C0 FSTP QWORD PTR SS:[EBP-40]
00793A2F . DFE0 FSTSW AX
00793A31 . A8 0D TEST AL,0D
00793A33 0F85 96200000 JNZ yglzj.00795ACF
00793A39 . 66:395D A4 CMP WORD PTR SS:[EBP-5C],BX
00793A3D > 0F85 A2000000 JNZ yglzj.00793AE5
00793AE5 > 66:837D A4 09 CMP WORD PTR SS:[EBP-5C],9
00793AEA 7C 13 JL SHORT yglzj.00793AFF
00793AEC . DD45 C0 FLD QWORD PTR SS:[EBP-40]
00793AEF . DC45 C8 FADD QWORD PTR SS:[EBP-38]
00793AF2 . DD5D C0 FSTP QWORD PTR SS:[EBP-40]
00793AF5 . DFE0 FSTSW AX
00793AF7 . A8 0D TEST AL,0D
00793AF9 . 0F85 D01F0000 JNZ yglzj.00795ACF
00793AFF > 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00793B02 . FF30 PUSH DWORD PTR DS:[EAX]
00793B04 . E8 859BC7FF CALL <JMP.&MSVBVM60.__vbaLenBstr>
00793B09 . 8BC8 MOV ECX,EAX
00793B0B . E8 E49BC7FF CALL <JMP.&MSVBVM60.__vbaI2I4>
00793B10 . 66:3D 0900 CMP AX,9 注册码位小于9位跳走,(不能跳走,否则完了)
00793B14 . 0F8C 1F1F0000 JL yglzj.00795A39
00793B1A . 66:3D 0B00 CMP AX,0B 注册码位大于11位跳走,(不能跳走,否则完了)
00793B1E . 0F8F 151F0000 JG yglzj.00795A39
00793B24 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00793B27 . 8985 FCFEFFFF MOV DWORD PTR SS:[EBP-104],EAX
00793B2D . C785 F4FEFFFF >MOV DWORD PTR SS:[EBP-10C],4008
00793B37 . 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
00793B3D . 50 PUSH EAX
00793B3E . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793B44 . 50 PUSH EAX
00793B45 . E8 689BC7FF CALL <JMP.&MSVBVM60.#520>
00793B4A . C785 ECFEFFFF >MOV DWORD PTR SS:[EBP-114],yglzj.0045EE1>; UNICODE "blroad@com"
00793B54 . C785 E4FEFFFF >MOV DWORD PTR SS:[EBP-11C],8008
00793B5E . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793B64 . 50 PUSH EAX
00793B65 . 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00793B6B . 50 PUSH EAX
00793B6C . E8 719BC7FF CALL <JMP.&MSVBVM60.__vbaVarTstEq>
00793B71 . 8985 98FEFFFF MOV DWORD PTR SS:[EBP-168],EAX
00793B77 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00793B7D . E8 F09BC7FF CALL <JMP.&MSVBVM60.__vbaFreeVar>
00793B82 . 66:83BD 98FEFF>CMP WORD PTR SS:[EBP-168],0
00793B8A . 74 12 JE SHORT yglzj.00793B9E
00793B8C . BA 30EE4500 MOV EDX,yglzj.0045EE30 ; UNICODE "8684253736" 00793B91 . 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
00793B94 . E8 0D9BC7FF CALL <JMP.&MSVBVM60.__vbaStrCopy>
00793B99 . E9 9B1E0000 JMP yglzj.00795A39
00793B9E > 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0............................................................
中间一段省略
............................................................
00793BEE . 6A 01 PUSH 1
00793BF0 . 8D85 54FFFFFF LEA EAX,DWORD PTR SS:[EBP-AC]
00793BF6 . 50 PUSH EAX
00793BF7 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00793BFA . 50 PUSH EAX
00793BFB . E8 D499C7FF CALL <JMP.&MSVBVM60.__vbaStrVarVal>
00793C00 . 50 PUSH EAX 把g1(80038537)压入堆栈
00793C01 . E8 7C9AC7FF CALL <JMP.&MSVBVM60.#631>
00793C06 . 8BD0 MOV EDX,EAX “800”
00793C08 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
00793C0B . E8 509BC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
............................................................
中间一段省略
............................................................
00793C5F . 50 PUSH EAX
00793C60 . 6A 05 PUSH 5
00793C62 . 8D85 14FFFFFF LEA EAX,DWORD PTR SS:[EBP-EC]
00793C68 . 50 PUSH EAX
00793C69 . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00793C6C . 50 PUSH EAX
00793C6D . E8 6299C7FF CALL <JMP.&MSVBVM60.__vbaStrVarVal>
00793C72 . 50 PUSH EAX
00793C73 . E8 0A9AC7FF CALL <JMP.&MSVBVM60.#631>
00793C78 . 8BD0 MOV EDX,EAX “853”
00793C7A . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
00793C7D . E8 DE9AC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00793C82 . C785 7CFFFFFF >MOV DWORD PTR SS:[EBP-84],3
00793C8C . 89B5 74FFFFFF MOV DWORD PTR SS:[EBP-8C],ESI
00793C92 . 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
00793C95 . 8985 74FEFFFF MOV DWORD PTR SS:[EBP-18C],EAX
00793C9B . 8365 88 00 AND DWORD PTR SS:[EBP-78],0
00793C9F . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793CA5 . 50 PUSH EAX
00793CA6 . 6A 01 PUSH 1
00793CA8 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00793CAB . FF30 PUSH DWORD PTR DS:[EAX] 假码“1234567890”
00793CAD . E8 D099C7FF CALL <JMP.&MSVBVM60.#631>
00793CB2 . 8BD0 MOV EDX,EAX “123”
00793CB4 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00793CB7 . E8 A49AC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00793CBC . 50 PUSH EAX
00793CBD . E8 A49AC7FF CALL <JMP.&MSVBVM60.#581>
00793CC2 . E8 A59AC7FF CALL <JMP.&MSVBVM60.__vbaFpR8>
00793CC7 . DD9D 58FEFFFF FSTP QWORD PTR SS:[EBP-1A8]
00793CCD . 8B95 74FEFFFF MOV EDX,DWORD PTR SS:[EBP-18C]
00793CD3 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00793CD6 . E8 859AC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00793CDB . 50 PUSH EAX
00793CDC . E8 1B98C7FF CALL <JMP.&MSVBVM60.__vbaR8Str>
00793CE1 . DC9D 58FEFFFF FCOMP QWORD PTR SS:[EBP-1A8] 把“800”与“123”比较
00793CE7 . DFE0 FSTSW AX
00793CE9 . 9E SAHF
00793CEA . 74 0C JE SHORT yglzj.00793CF8
00793CEC . C785 54FEFFFF >MOV DWORD PTR SS:[EBP-1AC],1
00793CF6 . EB 07 JMP SHORT yglzj.00793CFF
00793CF8 > 83A5 54FEFFFF >AND DWORD PTR SS:[EBP-1AC],0
00793CFF > C785 3CFFFFFF >MOV DWORD PTR SS:[EBP-C4],3
00793D09 . 89B5 34FFFFFF MOV DWORD PTR SS:[EBP-CC],ESI
00793D0F . 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C] “853”
00793D12 . 8985 70FEFFFF MOV DWORD PTR SS:[EBP-190],EAX
00793D18 . 8365 84 00 AND DWORD PTR SS:[EBP-7C],0
00793D1C . 8D85 34FFFFFF LEA EAX,DWORD PTR SS:[EBP-CC]
00793D22 . 50 PUSH EAX
00793D23 . 53 PUSH EBX
00793D24 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00793D27 . FF30 PUSH DWORD PTR DS:[EAX]
00793D29 . E8 5499C7FF CALL <JMP.&MSVBVM60.#631>
00793D2E . 8BD0 MOV EDX,EAX 假码最后三位数“890”
00793D30 . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
00793D33 . E8 289AC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00793D38 . 50 PUSH EAX
00793D39 . E8 289AC7FF CALL <JMP.&MSVBVM60.#581>
00793D3E . E8 299AC7FF CALL <JMP.&MSVBVM60.__vbaFpR8>
00793D43 . DD9D 4CFEFFFF FSTP QWORD PTR SS:[EBP-1B4]
00793D49 . 8B95 70FEFFFF MOV EDX,DWORD PTR SS:[EBP-190]
00793D4F . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00793D52 . E8 099AC7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00793D57 . 50 PUSH EAX
00793D58 . E8 9F97C7FF CALL <JMP.&MSVBVM60.__vbaR8Str>
00793D5D . DC9D 4CFEFFFF FCOMP QWORD PTR SS:[EBP-1B4] 把“853”与“890”比较
00793D63 . DFE0 FSTSW AX
00793D65 . 9E SAHF
00793D66 . 74 05 JE SHORT yglzj.00793D6D
............................................................
中间一段省略
............................................................
00793DC2 . 50 PUSH EAX
00793DC3 . 8D85 44FFFFFF LEA EAX,DWORD PTR SS:[EBP-BC]
00793DC9 . 50 PUSH EAX
00793DCA . 8D85 54FFFFFF LEA EAX,DWORD PTR SS:[EBP-AC]
00793DD0 . 50 PUSH EAX
00793DD1 . 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
00793DD7 . 50 PUSH EAX
00793DD8 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793DDE . 50 PUSH EAX
00793DDF . 53 PUSH EBX
00793DE0 . E8 6399C7FF CALL <JMP.&MSVBVM60.__vbaFreeVarList> 这里把g1值“80038537”的前三位“800”和第五至第七位“853” 与注册码“1234567890”的前三位“123”和后三位“890”比较,
00793DE5 . 83C4 48 ADD ESP,48
00793DE8 . 66:83BD 98FEFF>CMP WORD PTR SS:[EBP-168],0 比较
00793DF0 . 0F85 431C0000 JNZ yglzj.00795A39 若都相等则不跳,否则完了(千万不能跳),这说明真注册码的前三位g1 值的前三位,后三位则为g1值的第五至第七位
00793DF6 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00793DF9 . 8985 FCFEFFFF MOV DWORD PTR SS:[EBP-104],EAX
............................................................
中间一段省略
............................................................
00793F2D . 50 PUSH EAX
00793F2E . 8D85 54FFFFFF LEA EAX,DWORD PTR SS:[EBP-AC]
00793F34 . 50 PUSH EAX
00793F35 . 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
00793F3B . 50 PUSH EAX
00793F3C . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00793F42 . 50 PUSH EAX
00793F43 . 6A 06 PUSH 6
00793F45 . E8 FE97C7FF CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00793F4A . 83C4 30 ADD ESP,30
00793F4D . 66:837D DC 00 CMP WORD PTR SS:[EBP-24],0
00793F52 . 0F85 5E010000 JNZ yglzj.007940B6
007940B6 > 66:837D DC 01 CMP WORD PTR SS:[EBP-24],1
007940BB . 0F85 5E010000 JNZ yglzj.0079421F
00794ECD > 66:837D DC 0B CMP WORD PTR SS:[EBP-24],0B
00794ED2 . 0F85 5E010000 JNZ yglzj.00795036
00794ED8 . 89BD 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EDI
00794EDE . 89B5 74FFFFFF MOV DWORD PTR SS:[EBP-8C],ESI
00794EE4 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
............................................................
中间一段省略
............................................................
00794F3C . 57 PUSH EDI
00794F3D . DD45 C0 FLD QWORD PTR SS:[EBP-40]
00794F40 . 51 PUSH ECX
00794F41 . 51 PUSH ECX
00794F42 . DD1C24 FSTP QWORD PTR SS:[ESP]
00794F45 . E8 D886C7FF CALL <JMP.&MSVBVM60.__vbaStrR8>
00794F4A . 8BD0 MOV EDX,EAX
00794F4C . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
00794F4F . E8 0C88C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00794F54 . 50 PUSH EAX
00794F55 . E8 2887C7FF CALL <JMP.&MSVBVM60.#631>
00794F5A . 8985 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EAX 取g1值(80038537)的第四位至第七位“3853”
00794F60 . 899D 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EBX
00794F66 . 8D85 34FFFFFF LEA EAX,DWORD PTR SS:[EBP-CC]
00794F6C . 50 PUSH EAX
00794F6D . 8D85 24FFFFFF LEA EAX,DWORD PTR SS:[EBP-DC]
00794F73 . 50 PUSH EAX
00794F74 . E8 3387C7FF CALL <JMP.&MSVBVM60.#613>
00794F79 . 8D85 54FFFFFF LEA EAX,DWORD PTR SS:[EBP-AC]
00794F7F . 50 PUSH EAX
00794F80 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00794F83 . 50 PUSH EAX
00794F84 . E8 4B86C7FF CALL <JMP.&MSVBVM60.__vbaStrVarVal>
00794F89 . 50 PUSH EAX 取g1值(80038537)的前四位(8003)
00794F8A . E8 E786C7FF CALL <JMP.&MSVBVM60.#519>
00794F8F . 8BD0 MOV EDX,EAX
00794F91 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00794F94 . E8 C787C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00794F99 . 50 PUSH EAX
00794F9A . 68 58EE4500 PUSH yglzj.0045EE58 ; UNICODE "95"
00794F9F . E8 6887C7FF CALL <JMP.&MSVBVM60.__vbaStrCat>
00794FA4 . 8BD0 MOV EDX,EAX 把“8003”与“95”连起来=“800395”
00794FA6 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00794FA9 . E8 B287C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00794FAE . 50 PUSH EAX
00794FAF . 8D85 24FFFFFF LEA EAX,DWORD PTR SS:[EBP-DC]
00794FB5 . 50 PUSH EAX
00794FB6 . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00794FB9 . 50 PUSH EAX
00794FBA . E8 1586C7FF CALL <JMP.&MSVBVM60.__vbaStrVarVal>
00794FBF . 50 PUSH EAX 取g1值(80038537)的第四位至第七位“3853”
00794FC0 . E8 B186C7FF CALL <JMP.&MSVBVM60.#519>
00794FC5 . 8BD0 MOV EDX,EAX
00794FC7 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
00794FCA . E8 9187C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
00794FCF . 50 PUSH EAX
00794FD0 . E8 3787C7FF CALL <JMP.&MSVBVM60.__vbaStrCat>
00794FD5 . 8BD0 MOV EDX,EAX 把“800395”与“3853”连起来=“8003953853”这就是真注册码
00794FD7 . 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
00794FDA . E8 8187C7FF CALL <JMP.&MSVBVM60.__vbaStrMove>
三、算法总结
1、把用户名每个字符的ASCII值逐个进行累加 值设为A;
2、A+机器码的累加值=B
3、B×&H8040=C
4、C+&H29=D
5、D的十进值/0x18633=E
6、ST1×E的十进值的前两位(F)×F=G
7、ST2×F×F+G=J
8、ST3×F+J=K
9、比较注册码的位数是否大于9并小于11位,否则结束。
10、把K的前三位和第五位至第七位分别与注册码的前三位和后三位比较,相等则继续往下走,否则结束。
11、把K值的前四位+一个固定值W+K值的第四位至第七位=真注册码
我电脑的注册码
机器码:64640694
用户名:lchhome@163.com
注册码:8003953853