BTW: I had already worked out this program's algorithm back at v2.3.?, but never published a writeup (only the keygen). I did not expect the algorithm to remain unchanged after so long, so I decided to release it and share the fun!
【Title】 51汇编集成开发环境 (51 assembler IDE) 2.4.2 - algorithm analysis
【Author】 KuNgBiM[DFCG]
【Author e-mail】 gb_1227@163.com
【Software】 51汇编集成开发环境 2.4.2
【Size】 6127KB
【Category】 Chinese software / programming tool
【Platform】 Win9x/Me/NT/2000/XP
【Added】 2005-4-3 16:32:50
【Download】 download page
【Protection】 registration code + feature limits
【Compiler】 Microsoft Visual Basic 5.0 / 6.0
【Tools】 Win2K, KDeAlls (a personal modified build of OllyDbg), W32Dasm, PEiD, Visual Basic 6.0
【Date】 2005-04-07 12:46:33
【Purpose】 algorithm study
【Author's note】 I am a beginner at cracking and do this purely out of interest, with no other purpose. Corrections of any mistakes from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
PEiD reports no packer; the target is written in Microsoft Visual Basic 5.0 / 6.0. Launch the program, click Register, fill in a user name and a registration code, click Register again: the registration window simply closes.
OK, load it in KDeAlls and set a breakpoint on the VB runtime's string compare (the usual choice for VB programs): bpx __vbaStrCmp, Enter! Press F9 four times to reach the program's main window, click the Register item, enter user name KuNgBiM and registration code 9876543210, and click Register! The first three breaks below are evidently empty-field checks: each input is compared against the constant string at 00415528 (the same empty string that later initialises the registration-code buffer). After every __vbaStrCmp the neg/sbb/inc/neg sequence is VB6's idiom for turning the compare result into a Boolean: edi = -1 (True) when the two strings are equal and 0 (False) when they differ.
004C872F 8B45 A0 mov eax,dword ptr ss:[ebp-60] //load the machine code (here: 1289249510)
004C8732 50 push eax
004C8733 68 28554100 push MCS51.00415528
004C8738 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp //breaks here; F9 to continue!
004C873E 8BF8 mov edi,eax
004C8740 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004C8743 F7DF neg edi //edi=1
004C8745 1BFF sbb edi,edi
004C8747 47 inc edi
004C8748 F7DF neg edi //edi=0 (machine code is not empty)
004C874A FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004C8750 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004C8753 FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004C8759 66:3BFB cmp di,bx
004C875C 0F84 B9000000 je MCS51.004C881B
....................
004C8856 8B4D A0 mov ecx,dword ptr ss:[ebp-60] //load the user name (here: KuNgBiM)
004C8859 51 push ecx
004C885A 68 28554100 push MCS51.00415528
004C885F FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp //breaks here; F9 to continue!
004C8865 8BF8 mov edi,eax
004C8867 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004C886A F7DF neg edi //edi=1
004C886C 1BFF sbb edi,edi
004C886E 47 inc edi
004C886F F7DF neg edi //edi=1
004C8871 FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004C8877 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004C887A FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004C8880 66:3BFB cmp di,bx
004C8883 0F84 B9000000 je MCS51.004C8942
....................
004C897D 8B55 A0 mov edx,dword ptr ss:[ebp-60] //load the code the user typed (here: 9876543210)
004C8980 52 push edx
004C8981 68 28554100 push MCS51.00415528
004C8986 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp //breaks here; F9 to continue!
004C898C 8BF8 mov edi,eax
004C898E 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004C8991 F7DF neg edi //edi=1
004C8993 1BFF sbb edi,edi
004C8995 47 inc edi
004C8996 F7DF neg edi //edi=1
004C8998 FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004C899E 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004C89A1 FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004C89A7 66:3BFB cmp di,bx
004C89AA 0F84 B9000000 je MCS51.004C8A69
...................
004C8E82 8B1D 6C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004C8E88 8B55 B4 mov edx,dword ptr ss:[ebp-4C] //the true code computed by the program, UNICODE "GYAOAEFGQMTO"
004C8E8B 8B45 A0 mov eax,dword ptr ss:[ebp-60] //the code the user typed, UNICODE "9876543210"
004C8E8E 52 push edx
004C8E8F 50 push eax
004C8E90 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp //breaks here: the classic true-code vs. typed-code comparison!
004C8E96 8BF8 mov edi,eax
004C8E98 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004C8E9B F7DF neg edi //edi=1
004C8E9D 1BFF sbb edi,edi
004C8E9F 47 inc edi
004C8EA0 F7DF neg edi //edi=0 (codes differ, so the je below takes the failure path)
004C8EA2 FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004C8EA8 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004C8EAB FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004C8EB1 66:85FF test di,di
004C8EB4 0F84 1C0A0000 je MCS51.004C98D6
=====================================================
Note: at 004C8E90 a memory keygen can be built (settings below, in the form the memory-keygen tools take):
////////////////////////////
Break address: 004C8E90
Break count: 1
First byte: FF
Instruction length: 6
Memory mode ---> EDX ---> wide (Unicode) string
////////////////////////////
=====================================================
BTW: the purpose of this article is to study the algorithm, so let's look at how the true code is computed:
004C8B2C 8B55 A0 mov edx,dword ptr ss:[ebp-60] //following the same pattern (look for the next load from ss:[ebp-60]) brings us here
004C8B2F 52 push edx
004C8B30 FF15 5C124000 call dword ptr ds:[<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr //Val(machine code): the machine-code string becomes a Double
004C8B36 DC05 98144000 fadd qword ptr ds:[401498] //floating-point add of the Double constant stored at 00401498
--------------------------------------------------------------------------------------------------------------
st=1289249510.0000000000 // the machine code as a floating-point value: 1289249510
ds:[00401498]=340202550625.0000 // ??? bold guess: a fixed constant, 340202550625
// machine code (1289249510) + constant (340202550625) = feature code (341491800135)
--------------------------------------------------------------------------------------------------------------
004C8B3C 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
004C8B42 C785 7CFFFFFF 0>mov dword ptr ss:[ebp-84],5
004C8B4C DD5D 84 fstp qword ptr ss:[ebp-7C]
-------------------------------------------------------------------------------------------
st=3.4149180013500001280e+11 //store the result "341491800135" into the variable [ebp-7C]
stack ss:[0012F53C]=4.031853397209806e-313
-------------------------------------------------------------------------------------------
004C8B4F DFE0 fstsw ax //ax=20 (FPU status word)
004C8B51 A8 0D test al,0D //invalid-operation / zero-divide / overflow flags
004C8B53 0F85 AB0E0000 jnz MCS51.004C9A04 //VB's floating-point error check; not taken here
004C8B59 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004C8B5F 50 push eax
004C8B60 51 push ecx
004C8B61 FF15 FC114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar //Str(): Double to string; VB's Str() puts a leading space in front of a non-negative number, giving " 341491800135"
004C8B67 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
004C8B6D 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004C8B70 FFD7 call edi //Variant move through edi: [ebp-24] now holds the feature string " 341491800135"
004C8B72 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004C8B75 FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004C8B7B 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004C8B7E FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004C8B84 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004C8B8A FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>; MSVBVM60.__vbaFreeVar
004C8B90 8D55 DC lea edx,dword ptr ss:[ebp-24]
004C8B93 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004C8B99 52 push edx
004C8B9A 50 push eax
004C8B9B FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
004C8BA1 50 push eax
004C8BA2 FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
004C8BA8 8BF0 mov esi,eax //Len(feature string " 341491800135") = 13 (0Dh; the leading space counts)
004C8BAA 83FE 0C cmp esi,0C //compare the length with 12 (0Ch)
004C8BAD 0F8D C5000000 jge MCS51.004C8C78 //length >= 12: jump to the loop below (the shorter-than-12 path is not followed here)
........................
004C8C78 8B1D F0114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd //ebx = __vbaVarAdd, used below for both the addition and the string concatenation
004C8C7E BA 28554100 mov edx,MCS51.00415528 //the empty-string constant ""
004C8C83 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004C8C86 FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>>; MSVBVM60.__vbaStrCopy //registration-code buffer [ebp-4C] = ""
004C8C8C B8 02000000 mov eax,2 //vt = 2 (VT_I2, Integer) for the loop Variants
004C8C91 B9 01000000 mov ecx,1 //loop start value and step = 1
004C8C96 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax
004C8C9C 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
004C8CA2 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax
004C8CA8 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-C4]
004C8CAE 898D 44FFFFFF mov dword ptr ss:[ebp-BC],ecx
004C8CB4 898D 24FFFFFF mov dword ptr ss:[ebp-DC],ecx
004C8CBA 8D85 2CFFFFFF lea eax,dword ptr ss:[ebp-D4]
004C8CC0 52 push edx
004C8CC1 8D8D 1CFFFFFF lea ecx,dword ptr ss:[ebp-E4]
004C8CC7 50 push eax
004C8CC8 8D95 9CFEFFFF lea edx,dword ptr ss:[ebp-164]
004C8CCE 51 push ecx
004C8CCF 8D85 ACFEFFFF lea eax,dword ptr ss:[ebp-154]
004C8CD5 52 push edx
004C8CD6 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004C8CD9 50 push eax
004C8CDA 51 push ecx
004C8CDB C785 34FFFFFF 0>mov dword ptr ss:[ebp-CC],0C //loop upper bound = 12
004C8CE5 FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForIn>; MSVBVM60.__vbaVarForInit //For i = 1 To 12: the loop starts here, the counter i lives in [ebp-34]
004C8CEB 85C0 test eax,eax
004C8CED 0F84 4D010000 je MCS51.004C8E40
004C8CF3 8D55 DC lea edx,dword ptr ss:[ebp-24] //the (remaining) feature string " 341491800135"
004C8CF6 8D45 A0 lea eax,dword ptr ss:[ebp-60]
004C8CF9 52 push edx
004C8CFA 50 push eax
004C8CFB FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVa>; MSVBVM60.__vbaStrVarVal //Variant to BSTR
004C8D01 50 push eax //push the feature string
004C8D02 FF15 54104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr //Asc(): ASCII code of its first character
004C8D08 66:8985 44FFFFF>mov word ptr ss:[ebp-BC],ax //ax=20h, the leading space of " 341491800135" (first character of the feature string)
004C8D0F B8 02000000 mov eax,2
004C8D14 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4]
004C8D1A 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax
004C8D20 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
004C8D26 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax
004C8D2C 8D55 CC lea edx,dword ptr ss:[ebp-34]
004C8D2F 51 push ecx
004C8D30 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004C8D36 52 push edx
004C8D37 50 push eax
004C8D38 C785 34FFFFFF 1>mov dword ptr ss:[ebp-CC],1A //constant 26
004C8D42 C785 24FFFFFF 4>mov dword ptr ss:[ebp-DC],41 //constant 65
004C8D4C FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul //Asc(character) * i, the loop counter
004C8D52 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
004C8D58 50 push eax
004C8D59 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
004C8D5F 51 push ecx
004C8D60 52 push edx
004C8D61 FF15 04124000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; MSVBVM60.__vbaVarMod //product Mod 26
004C8D67 50 push eax
004C8D68 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-E4]
004C8D6E 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4]
004C8D74 50 push eax
004C8D75 51 push ecx
004C8D76 FFD3 call ebx //__vbaVarAdd: remainder + 65, here 6 + 65 = 71
004C8D78 50 push eax
004C8D79 FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var //Variant to Long (71)
004C8D7F 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4]
004C8D85 50 push eax
004C8D86 52 push edx
004C8D87 FF15 78114000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi //Chr(71) = "G", the first character of the registration code
004C8D8D 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4]
004C8D93 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
004C8D96 FFD7 call edi //[ebp-5C] = "G" as a Variant
004C8D98 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004C8D9B FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004C8DA1 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4]
004C8DA7 FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>; MSVBVM60.__vbaFreeVar
004C8DAD 8BC6 mov eax,esi
004C8DAF 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004C8DB2 83E8 01 sub eax,1 //Len - 1
004C8DB5 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
004C8DBB 0F80 480C0000 jo MCS51.004C9A09
004C8DC1 50 push eax
004C8DC2 51 push ecx
004C8DC3 52 push edx
004C8DC4 FF15 30124000 call dword ptr ds:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar //Right$(feature string, Len - 1): drop the first character so the next iteration sees the next one
004C8DCA 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
004C8DD0 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004C8DD3 FFD7 call edi
004C8DD5 8B45 B4 mov eax,dword ptr ss:[ebp-4C] //registration code accumulated so far
004C8DD8 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4]
004C8DDE 8985 44FFFFFF mov dword ptr ss:[ebp-BC],eax //wrap it in a Variant
004C8DE4 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
004C8DE7 51 push ecx
004C8DE8 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004C8DEE 83EE 01 sub esi,1 //remaining length -= 1
004C8DF1 52 push edx
004C8DF2 50 push eax
004C8DF3 C785 3CFFFFFF 0>mov dword ptr ss:[ebp-C4],8 //vt = 8 (VT_BSTR)
004C8DFD 0F80 060C0000 jo MCS51.004C9A09
004C8E03 FFD3 call ebx //__vbaVarAdd on strings = concatenation: registration code = registration code & "G"
004C8E05 50 push eax
004C8E06 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMo>; MSVBVM60.__vbaStrVarMove
004C8E0C 8BD0 mov edx,eax
004C8E0E 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004C8E11 FF15 28124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>>; MSVBVM60.__vbaStrMove
004C8E17 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004C8E1D FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>; MSVBVM60.__vbaFreeVar
004C8E23 8D8D 9CFEFFFF lea ecx,dword ptr ss:[ebp-164]
004C8E29 8D95 ACFEFFFF lea edx,dword ptr ss:[ebp-154]
004C8E2F 51 push ecx
004C8E30 52 push edx
004C8E31 8D45 CC lea eax,dword ptr ss:[ebp-34]
004C8E34 50 push eax
004C8E35 FF15 4C124000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNe>; MSVBVM60.__vbaVarForNext //i = i + 1
004C8E3B ^ E9 ABFEFFFF jmp MCS51.004C8CEB //back to the top: the next character of the feature string is processed the same way
After 12 iterations of this loop we have the true registration code "GYAOAEFGQMTO".
From this the whole computation of the registration code can be reconstructed!!
=========================================
Summary:
(The registration code does not depend on the user name!)
Step 1: machine code + constant 340202550625 = feature code
Step 2: operand string = the feature code converted with Str(), i.e. with a leading space (" 341491800135")
Step 3: for i = 1 to 12, take the i-th character of the operand string and append Chr((Asc(char) * i) Mod 26 + 65); the 12 iterations give the 12-character registration code
=========================================
VB keygen source:
============= Compiles under Windows XP SP1 + VB6.0 ================
' Form with two text boxes: Text1 = machine code (input), Text2 = registration code (output)
Private Sub Text1_Change()
    Dim tzm As String   ' feature string
    Dim zcm As String   ' registration code
    Dim i As Integer
    ' Steps 1 and 2: Val() of the machine code plus the constant; the explicit " " is the
    ' leading space that Str() produces inside the program (& binds looser than +)
    tzm = " " & Val(Text1.Text) + 340202550625#
    ' Step 3: one output character per position; Mod binds looser than *, so this is (Asc * i) Mod 26
    For i = 1 To 12
        zcm = zcm & Chr((Asc(Mid(tzm, i, 1)) * i Mod 26) + 65)
    Next
    Text2.Text = zcm
End Sub
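The same algorithm as the summary and the VB keygen above, reimplemented in Python as an added example; this is neither the author's keygen nor code from the 51汇编集成开发环境 program. It reproduces the writeup's own test vector (machine code 1289249510 gives GYAOAEFGQMTO), emulates the two VB6 runtime behaviours the analysis depends on (Val() reading only the numeric prefix, Str() prepending a space to a non-negative number), mirrors the exact-string check at 004C8E90, and refuses the case the writeup never follows (a feature string shorter than 12 characters, the branch not taken at 004C8BAD). The constant is the value read from ds:[00401498]; that it is fixed for every installation is the writeup's guess and is kept here as an assumption.

```python
import re

# Value observed at ds:[00401498] in the writeup. Assumed to be the same for every
# installation (the writeup's "bold guess"); not verified against other machines.
MAGIC = 340202550625


def vb_val(text: str) -> float:
    """Emulate VB6 Val(): parse the leading numeric prefix, ignore the rest, 0 if none."""
    m = re.match(r"\s*([-+]?\d+(?:\.\d*)?)", text)
    return float(m.group(1)) if m else 0.0


def vb_str(value: float) -> str:
    """Emulate VB6 Str(): a leading space for non-negative numbers, '-' otherwise."""
    sign = "-" if value < 0 else " "
    mag = abs(value)
    # The values here are integral and below 2**53, so the Double arithmetic is exact.
    body = str(int(mag)) if mag == int(mag) else str(mag)
    return sign + body


def feature_string(machine_code: str) -> str:
    """Steps 1 and 2: Str(Val(machine_code) + MAGIC), e.g. ' 341491800135'."""
    return vb_str(vb_val(machine_code) + MAGIC)


def keygen(machine_code: str) -> str:
    """Step 3: 12 characters, Chr((Asc(char_i) * i) Mod 26 + 65) for i = 1..12."""
    tzm = feature_string(machine_code)
    if len(tzm) < 12:
        # 004C8BAD only jumps into the loop when Len >= 12; the other path is not
        # shown in the analysis, so do not guess what the program does there.
        raise ValueError("feature string shorter than 12 characters; path not analysed")
    # tzm[i - 1] is Mid(tzm, i, 1); index 0 is the space that Str() added.
    return "".join(chr((ord(tzm[i - 1]) * i) % 26 + 65) for i in range(1, 13))


def verify(machine_code: str, entered: str) -> bool:
    """The check at 004C8E90: an exact, case-sensitive __vbaStrCmp of typed vs computed code."""
    return keygen(machine_code) == entered


if __name__ == "__main__":
    # Test vector taken from the writeup: the machine code the debugger showed and
    # the true code the program computed for it.
    mc = "1289249510"
    print(feature_string(mc), keygen(mc), verify(mc, "GYAOAEFGQMTO"))
```

Only the machine code goes in; the user name is never read, which matches the "code does not depend on the user name" observation above. Because the comparison at 004C8E90 is a plain string compare, a lowercase copy of a valid code is rejected, and trailing non-digit characters in the machine-code field are silently ignored, exactly as Val() ignores them.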
======== Done, time to eat ~ =========
Cracked By KuNgBiM[DFCG]
2005-04-07 12:46:33
School sports meet