单词背背佳1.0算法分析
[保护方式] 采用硬件序列号,一机注册码
[加入时间] 2005.1.9 ,2005.1.11
[下载初中版] http://www1.skycn.com/soft/21631.html
[下载大学六级版] :http://www1.skycn.com/soft/21659.html
[破解工具] olldbg1.10 、Peid0.92、aspackdie141、smartcheck6.2
破解过程(初中版):
1.先用Peid0.92侦壳信息为:ASPack 2.12 -> Alexey Solodovnikov
用aspackdie141脱掉它的aspack壳后发现为:Microsoft Visual Basic 5.0 / 6.0
2.Visual Basic 提供了一个标准的注册位置以存储创建于 Visual Basic 的应用程序的程序信息:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\appname\section\key
Visual Basic 也提供了四个语句或函数来处理存储在应用程序注册位置的程序设置值。
------------------------------------------------------------------
GetSetting函数, 检索注册表设置值。
SaveSetting语句, 保存或创建注册表设置值。
GetAllSettings函数, 返回一个包含多项注册表设置值的数组。
DeleteSetting语句, 删除注册表设置值。
------------------------------------------------------------------
我们破解的第一步先看一下程序注册信息是否是用上面的函数来保存。
我在程序中输入注册信息后到注册表得到如下信息:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wordbbj]
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wordbbj\setting]
"machine"="495353"
"regSN"="12345"
"validate"="67890"
看来程序是用vb提供函数来保存注册信息,没有直接调用API来访问注册表。
GetSetting函数对应VB运行库MSVBVM60.DLL中的:rtcGetSetting。
3.用OD加载程序后,再ALT+E选择到MSVBVM60.dll模块,
按右键,选择“View Names ” 出现调用函数的窗口,
向下拉动找到rtcGetSetting并选择它,按下F2。
按F9执行,堤点击进入学习界面,按shit+F9跳过异常后, 被OllyDbg拦截住,
按CTRL+F9,再按F8返回程序领空后来到如下位置:
0042E680 > 55 PUSH EBP
0042E681 . 8BEC MOV EBP,ESP
0042E683 . 83EC 18 SUB ESP,18
0042E686 . 68 76274000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0042E68B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0042E691 . 50 PUSH EAX
0042E692 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0042E699 . B8 38010000 MOV EAX,138
0042E69E . E8 CD40FDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042E6A3 . 53 PUSH EBX
0042E6A4 . 56 PUSH ESI
0042E6A5 . 57 PUSH EDI
0042E6A6 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0042E6A9 . C745 EC 782540>MOV DWORD PTR SS:[EBP-14],unpacked.00402>
0042E6B0 . C745 F0 000000>MOV DWORD PTR SS:[EBP-10],0
0042E6B7 . C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
0042E6BE . C745 FC 010000>MOV DWORD PTR SS:[EBP-4],1
0042E6C5 . C745 FC 020000>MOV DWORD PTR SS:[EBP-4],2
0042E6CC . 6A FF PUSH -1
0042E6CE . FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError
0042E6D4 . C745 FC 030000>MOV DWORD PTR SS:[EBP-4],3
0042E6DB . C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],1
0042E6E5 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],2
0042E6EF . C785 10FFFFFF >MOV DWORD PTR SS:[EBP-F0],3
0042E6F9 . C785 08FFFFFF >MOV DWORD PTR SS:[EBP-F8],2
0042E703 . C785 00FFFFFF >MOV DWORD PTR SS:[EBP-100],1
0042E70D . C785 F8FEFFFF >MOV DWORD PTR SS:[EBP-108],2
0042E717 . 8D85 18FFFFFF LEA EAX,DWORD PTR SS:[EBP-E8]
0042E71D . 50 PUSH EAX
0042E71E . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8]
0042E724 . 51 PUSH ECX
0042E725 . 8D95 F8FEFFFF LEA EDX,DWORD PTR SS:[EBP-108]
0042E72B . 52 PUSH EDX
0042E72C . 8D85 C4FEFFFF LEA EAX,DWORD PTR SS:[EBP-13C]
0042E732 . 50 PUSH EAX
0042E733 . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]
0042E739 . 51 PUSH ECX
0042E73A . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0042E73D . 52 PUSH EDX
0042E73E . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
; 开始循环
0042E744 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
0042E74A . E9 28010000 JMP unpacked.0042E877
0042E74F > C745 FC 040000>MOV DWORD PTR SS:[EBP-4],4
0042E756 . E8 15300000 CALL unpacked.00431770 ;求用户码子程序
0042E75B . 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX ;保存用户码到[EBP-10C]
0042E761 . C785 70FFFFFF >MOV DWORD PTR SS:[EBP-90],1
0042E76B . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],2
0042E775 . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0042E77B . 50 PUSH EAX
0042E77C . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0042E77F . 51 PUSH ECX
0042E780 . FF15 64114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
;Variant 变量转长整数
0042E786 . 50 PUSH EAX
0042E787 . 8B95 F4FEFFFF MOV EDX,DWORD PTR SS:[EBP-10C]
0042E78D . 52 PUSH EDX ;用户码入栈(十六进制数)
0042E78E . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
;长整数转字符串
0042E794 . 8BD0 MOV EDX,EAX
0042E796 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E79C . FF15 A0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
;变量移动
0042E7A2 . 50 PUSH EAX ;用户码字符串入栈
0042E7A3 . FF15 A0104000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
;依次取用户码的一个字符
0042E7A9 . 8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
0042E7AF . C785 58FFFFFF >MOV DWORD PTR SS:[EBP-A8],8
0042E7B9 . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
0042E7BF . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0042E7C2 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E7C8 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E7CE . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042E7D4 . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
0042E7DA . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0042E7E0 . C745 FC 050000>MOV DWORD PTR SS:[EBP-4],5
0042E7E7 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0042E7EA . 50 PUSH EAX
0042E7EB . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E7F1 . 51 PUSH ECX
0042E7F2 . FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0042E7F8 . 50 PUSH EAX
0042E7F9 . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
;求户码的一个字符ASCII码值
0042E7FF . 66:8985 20FFFF>MOV WORD PTR SS:[EBP-E0],AX
0042E806 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],2
0042E810 . 8D95 18FFFFFF LEA EDX,DWORD PTR SS:[EBP-E8]
0042E816 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0042E819 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E81F . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E825 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042E82B . C745 FC 060000>MOV DWORD PTR SS:[EBP-4],6
0042E832 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0042E835 . 52 PUSH EDX
0042E836 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0042E839 . 50 PUSH EAX
0042E83A . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98] ;
0042E840 . 51 PUSH ECX
0042E841 . FF15 1C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
;连接ASCII码值组成的字符串
0042E847 . 8BD0 MOV EDX,EAX
0042E849 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0042E84C . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E852 . C745 FC 070000>MOV DWORD PTR SS:[EBP-4],7
0042E859 . 8D95 C4FEFFFF LEA EDX,DWORD PTR SS:[EBP-13C]
0042E85F . 52 PUSH EDX
0042E860 . 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
0042E866 . 50 PUSH EAX
0042E867 . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0042E86A . 51 PUSH ECX
0042E86B . FF15 C0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0042E871 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
0042E877 > 83BD ACFEFFFF >CMP DWORD PTR SS:[EBP-154],0
0042E87E .^0F85 CBFEFFFF JNZ unpacked.0042E74F ;跳向循环开头
0042E884 . C745 FC 080000>MOV DWORD PTR SS:[EBP-4],8
0042E88B . C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],80020004
0042E895 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],0A
0042E89F . B8 10000000 MOV EAX,10
0042E8A4 . E8 C73EFDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042E8A9 . 8BD4 MOV EDX,ESP
0042E8AB . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
0042E8B1 . 8902 MOV DWORD PTR DS:[EDX],EAX
0042E8B3 . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0042E8B9 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0042E8BC . 8B85 20FFFFFF MOV EAX,DWORD PTR SS:[EBP-E0]
0042E8C2 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0042E8C5 . 8B8D 24FFFFFF MOV ECX,DWORD PTR SS:[EBP-DC]
0042E8CB . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0042E8CE . 68 D0014100 PUSH unpacked.004101D0 ; UNICODE "machine"
0042E8D3 . 68 BC014100 PUSH unpacked.004101BC ; UNICODE "setting"
0042E8D8 . 68 A8014100 PUSH unpacked.004101A8 ; UNICODE "wordbbj"
0042E8DD . FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
042E8E3 . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX ;读取机器码
0042E8E9 . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],8
0042E8F3 . 8D95 68FFFFFF LEA EDX,DWORD PTR SS:[EBP-98]
0042E8F9 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0042E8FC . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
;变量移动
0042E902 . C745 FC 090000>MOV DWORD PTR SS:[EBP-4],9
0042E909 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0042E90C . 52 PUSH EDX
0042E90D . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0042E913 . 50 PUSH EAX
0042E914 . FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
;变量转字符串
0042E91A . 50 PUSH EAX
0042E91B . FF15 D0114000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
;机器码字符串转换为双精度实数
0042E921 . DD9D ECFEFFFF FSTP QWORD PTR SS:[EBP-114] ;双精度实数存入[EBP-114]
0042E927 . 68 5C8FEA3F PUSH 3FEA8F5C ; 双精度浮点数高32位入栈(即指数高32位)
0042E92C . 68 8FC2F528 PUSH 28F5C28F ; 双精度浮点数低32位入栈(即指数高32位)
(3FEA8F5C 28F5C28F 对应双精度浮点数为0.83)
0042E931 . 8B8D F0FEFFFF MOV ECX,DWORD PTR SS:[EBP-110] ;双精度浮点数高32位入栈(即指数高32位)
0042E937 . 51 PUSH ECX
0042E938 . 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114] ; 双精度浮点数低32位入栈(即底数高32位)
0042E93E . 52 PUSH EDX
0042E93F . FF15 54114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPower>; MSVBVM60.__vbaPowerR8
;用来求一个数字的某次方
0042E945 . DC05 E0254000 FADD QWORD PTR DS:[4025E0] ;加上实数 546971.0000000000
0042E94B . DD9D 70FFFFFF FSTP QWORD PTR SS:[EBP-90]
0042E951 . DFE0 FSTSW AX
0042E953 . A8 0D TEST AL,0D
0042E955 . 0F85 83030000 JNZ unpacked.0042ECDE
0042E95B . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],5
;对Variant变量的第一个字节赋值5,表示存储数据的实际类型为双精度
0042E965 . 6A 06 PUSH 6
0042E967 . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0042E96D . 50 PUSH EAX
0042E96E . 8D8D 58FFFFFF LEA ECX,DWORD PTR SS:[EBP-A8]
0042E974 . 51 PUSH ECX
0042E975 . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
; 求上面变量右边六个字符
0042E97B . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8] ; 字符串地址保存到[EBP-A8]
0042E981 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0042E984 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0042E98A . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042E990 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0042E996 . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
0042E99C . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0042E9A2 . C745 FC 0A0000>MOV DWORD PTR SS:[EBP-4],0A
0042E9A9 . C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],80020004
0042E9B3 . C785 18FFFFFF >MOV DWORD PTR SS:[EBP-E8],0A
0042E9BD . B8 10000000 MOV EAX,10
0042E9C2 . E8 A93DFDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042E9C7 . 8BD4 MOV EDX,ESP
0042E9C9 . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
0042E9CF . 8902 MOV DWORD PTR DS:[EDX],EAX
0042E9D1 . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0042E9D7 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0042E9DA . 8B85 20FFFFFF MOV EAX,DWORD PTR SS:[EBP-E0]
0042E9E0 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0042E9E3 . 8B8D 24FFFFFF MOV ECX,DWORD PTR SS:[EBP-DC]
0042E9E9 . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0042E9EC . 68 E4014100 PUSH unpacked.004101E4 ; UNICODE "regSN"
0042E9F1 . 68 BC014100 PUSH unpacked.004101BC ; UNICODE "setting"
0042E9F6 . 68 A8014100 PUSH unpacked.004101A8 ; UNICODE "wordbbj"
0042E9FB . FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
;读取 "regSN"值
0042EA01 . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX ;保存到[EBP-90]
0042EA07 . C785 68FFFFFF >MOV DWORD PTR SS:[EBP-98],8008
0042EA11 . C785 10FFFFFF >MOV DWORD PTR SS:[EBP-F0],80020004
0042EA1B . C785 08FFFFFF >MOV DWORD PTR SS:[EBP-F8],0A
0042EA25 . B8 10000000 MOV EAX,10
0042EA2A . E8 413DFDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
0042EA2F . 8BD4 MOV EDX,ESP
0042EA31 . 8B85 08FFFFFF MOV EAX,DWORD PTR SS:[EBP-F8]
0042EA37 . 8902 MOV DWORD PTR DS:[EDX],EAX
0042EA39 . 8B8D 0CFFFFFF MOV ECX,DWORD PTR SS:[EBP-F4]
0042EA3F . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0042EA42 . 8B85 10FFFFFF MOV EAX,DWORD PTR SS:[EBP-F0]
0042EA48 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0042EA4B . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
0042EA51 . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0042EA54 . 68 F4014100 PUSH unpacked.004101F4 ; UNICODE "validate"
0042EA59 . 68 BC014100 PUSH unpacked.004101BC ; UNICODE "setting"
0042EA5E . 68 A8014100 PUSH unpacked.004101A8 ; UNICODE "wordbbj"
0042EA63 . FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
;读取"validate" 值
0042EA69 . 8985 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EAX ;保存到[EBP-B0]
0042EA6F . C785 48FFFFFF >MOV DWORD PTR SS:[EBP-B8],8008 ;[EBP-B8]为指针
0042EA79 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0042EA7C . 52 PUSH EDX
0042EA7D . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0042EA83 . 50 PUSH EAX ;"regSN"值入栈
0042EA84 . 8D8D 58FFFFFF LEA ECX,DWORD PTR SS:[EBP-A8] ;前面求得用户码变换的字符串地址入栈
0042EA8A . 51 PUSH ECX
0042EA8B . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCm>; MSVBVM60.__vbaVarCmpNe
;比较
0042EA91 . 50 PUSH EAX
0042EA92 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0042EA95 . 52 PUSH EDX
0042EA96 . 8D85 48FFFFFF LEA EAX,DWORD PTR SS:[EBP-B8]
0042EA9C . 50 PUSH EAX ;"validate" 值地址入栈
0042EA9D . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8] ;上面求得6个字符的字符串地址入栈
0042EAA3 . 51 PUSH ECX
0042EAA4 . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCm>; MSVBVM60.__vbaVarCmpNe
;比较
0042EAAA . 50 PUSH EAX
0042EAAB . 8D95 28FFFFFF LEA EDX,DWORD PTR SS:[EBP-D8]
0042EAB1 . 52 PUSH EDX
0042EAB2 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarOr>; MSVBVM60.__vbaVarOr
;对上面两个比较结果作逻辑或运算
0042EAB8 . 50 PUSH EAX
0042EAB9 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
; 求Boolean 值
0042EABF . 66:8985 E8FEFF>MOV WORD PTR SS:[EBP-118],AX ; 对注册标志变量[EBP-118]赋值
0042EAC6 . 8D85 48FFFFFF LEA EAX,DWORD PTR SS:[EBP-B8]
0042EACC . 50 PUSH EAX
0042EACD . 8D8D 68FFFFFF LEA ECX,DWORD PTR SS:[EBP-98]
0042EAD3 . 51 PUSH ECX
0042EAD4 . 6A 02 PUSH 2
0042EAD6 . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0042EADC . 83C4 0C ADD ESP,0C
0042EADF . 0FBF95 E8FEFFF>MOVSX EDX,WORD PTR SS:[EBP-118] ; 注册标志变量[EBP-118]值送EDX
0042EAE6 . 85D2 TEST EDX,EDX ; 判断是否注册
0042EAE8 . 0F84 3C010000 JE unpacked.0042EC2A ; edx为零就跳向已注册
0042EAEE . C745 FC 0B0000>MOV DWORD PTR SS:[EBP-4],0B
0042EAF5 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042EAF8 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0042EAFA . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
4.算法总结:
以我机器为例,
---------------------------------------------
用户码: 240
机器码: 495353
----------------------------------------------
2………………ASCII值 50
4………………ASCII值 52
0………………ASCII值 48
连接成字符串“505248”
机器码的0.83次方即 495353 ^0.83=53306.39117961 (双精度数)
53306.39117961+547961=601267.39117961
取"601267.39117961"右边的六位得: “117961”
---------------------------------------------------------------
比较下面的两项是否相同
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wordbbj\setting]
"regSN"键值是否等于"505248"
"validate"键值是否等于"117961"
都相同就注册成功!
------------------------------------------------------------------------
注:它的所有版本注册码都是一样的!!!
5.VB注册机:
Private Sub Command1_Click()
On Error Resume Next
Dim l As Integer, i As Integer
Dim s1 As String, s2 As String
If Text1.Text = "" Or Text1.Text = "" Then Exit Sub
l = Len(Trim(Text1.Text))
For i = 1 To l
s1 = s1 + CStr(Asc(Mid(Text1.Text, i, 1)))
Next
s2 = Right(CDbl(Text2.Text) ^ 0.83 + CDbl(546971), 6)
Text3.Text = s1
Text4.Text = s2
SaveSetting "wordbbj", "setting", "regSN", s1
SaveSetting "wordbbj", "setting", "validate", s2
MsgBox "谢谢使用!!注册信息已保存到注册表。", vbInformation, "CrackerWu[BCG]"
End Sub