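【Cracking platform】Windows XP
【Software size】2.40 MB
【Cracking statement】A few notes that I would like to share with everyone. All rights reserved; when reposting, credit the Kanxue forum (看雪论坛)!
This control is fairly simple to use. It ships with a help document for VB that tells the user how to use the control in VB. Since this ActiveX control can be used not only in VB but also in VC, one would expect it to provide documentation for VC as well as for VB. But it provides no help document for VC; I suppose that may be because the control itself is written in VB.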
RegisterecGraph3D Procedure (Sub)
Public Sub RegisterecGraph3D(S$)
Attempts to register this implementation of ecGraph using a registration key that can be obtained from www.encoreconsulting.com.au
If successful, this converts ecGraph from a demo version to a registered version, removing the demo message printed on each graph.
Parameter Type Description
S$ String S
See Also..
Call ecGraph3D1.RegisterecGraph3D(s)
Const ecGraph3DRegistrationKey$="98765-,3210-ABCDE-01234-56789"
Private Sub Form_Load()
Dim k As Integer, KeyWords$
'*** Register all ecGraph3D controls on your form with your registration key obtained
'*** from http://www.encoreconsulting.com.au, otherwise it will function in Demo mode
'in this demo program there are two ecGraph3D controls on the form: ecGraph3D1
Call ecGraph3D1.RegisterecGraph3D(ecGraph3DRegistrationKey$)
Me.Caption = "ecGraph3D - Simple demo"
Call Command1_Click(1)
End Sub
Registered Property
Property Registered() As Boolean 'Read only
Returns True if this implementation of ecGraph has been successfully registered.
See Also..
RegisterecGraph3D Version
x = ecGraph3D1.Registered
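Having read this far: the control has a Registered property, so my guess is that the control has a variable that stores whether it has been registered. This can be confirmed by tracing. If that is the case, then modifying this variable so that it is always true is enough to patch the control. And tracing the RegisterecGraph3D method yields its registration algorithm. The idea is that simple; the steps follow.
Since I do not know VB, I wrote a small program in VC to read the control's Registered property and call its RegisterecGraph3D method. First create a dialog-based MFC project in VC, then click in turn the "Project" menu, the "Add To Project" submenu and the "Components And Controls" command. In the dialog that pops up, select ecGraph3D_ocx.ecGraph3D.lnk, as shown in Figure 3, and click "Insert". This adds the control to the project, after which the project contains a new C_ecGraph3D class, and the function declarations in that class include the following two statements: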
BOOL GetRegistered();
void RegisterecGraph3D(BSTR* S);
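These two member functions correspond to the control's Registered property and its RegisterecGraph3D method respectively. So the properties and methods of a VB ActiveX control are implemented as class member functions. That was a digression, heh.
The same goes for the program I wrote: load the generated .exe in OD, set a breakpoint on DispCallFunc, then run the program. Once it breaks, look further down and step to call ecx, as shown in the figure below: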
.text:1103D7C7 mov cx, [esi+ecGraph3D.Registered]
.text:1103D7D1 mov [ebp+var_18], ecx
.text:1103D7DD mov eax, [ebp+pblRegistered]
.text:1103D7E0 mov cx, word ptr [ebp+var_18]
.text:1103D7E4 mov [eax], cx
.text:11041760 RegisterecGraph3D proc near ; CODE XREF: .text:loc_110071F1 j
.text:11041760 var_CC = dword ptr -0CCh
.text:11041760 var_C8 = dword ptr -0C8h
.text:11041760 var_C4 = dword ptr -0C4h
.text:11041760 var_C0 = dword ptr -0C0h
.text:11041760 var_BC = dword ptr -0BCh
.text:11041760 var_A8 = word ptr -0A8h
.text:11041760 var_90 = qword ptr -90h
.text:11041760 var_88 = dword ptr -88h
.text:11041760 var_84 = dword ptr -84h
.text:11041760 var_70 = dword ptr -70h
.text:11041760 var_68 = dword ptr -68h
.text:11041760 var_60 = dword ptr -60h
.text:11041760 var_50 = dword ptr -50h
.text:11041760 var_48 = dword ptr -48h
.text:11041760 var_40 = dword ptr -40h
.text:11041760 var_3C = dword ptr -3Ch
.text:11041760 var_38 = dword ptr -38h
.text:11041760 var_34 = dword ptr -34h
.text:11041760 var_30 = dword ptr -30h
.text:11041760 var_2C = dword ptr -2Ch
.text:11041760 v_short = dword ptr -28h
.text:11041760 v_str2 = dword ptr -24h
.text:11041760 v_str = dword ptr -20h
.text:11041760 var_1C = dword ptr -1Ch
.text:11041760 var_14 = dword ptr -14h
.text:11041760 var_10 = dword ptr -10h
.text:11041760 var_C = dword ptr -0Ch
.text:11041760 var_8 = dword ptr -8
.text:11041760 this = dword ptr 8
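.text:11041760 pStrcode= dword ptr 0Ch ; this is what I do not understand:
.text:11041760 arg_8 = dword ptr 10h ; the return is clearly .text:110418CE retn 8
.text:11041760 arg_C = dword ptr 14h ; so by rights there should be just two parameters
.text:11041760 arg_10 = dword ptr 18h ; why does IDA's analysis come up with so many parameters?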
.text:11041760 arg_14 = dword ptr 1Ch
.text:11041760 arg_18 = dword ptr 20h
.text:11041760 arg_1C = dword ptr 24h
.text:11041760 arg_20 = dword ptr 28h
.text:11041760 push ebp
.text:11041761 mov ebp, esp
.text:11041763 sub esp, 14h
.text:11041766 push offset __vbaExceptHandler
.text:1104176B mov eax, large fs:0
.text:11041771 push eax
.text:11041772 mov large fs:0, esp
.text:11041779 sub esp, 24h
.text:1104177C push ebx
.text:1104177D push esi
.text:1104177E push edi
.text:1104177F mov [ebp+var_14], esp
.text:11041782 mov [ebp+var_10], offset dword_11003600
.text:11041789 xor edi, edi
.text:1104178B mov [ebp+var_C], edi
.text:1104178E mov [ebp+var_8], edi
.text:11041791 mov esi, [ebp+this]
.text:11041794 mov eax, [esi]
.text:11041796 push esi
.text:11041797 call dword ptr [eax+4] ; MSVBVM60.Zombie_AddRef
.text:1104179A mov [ebp+v_str], edi
.text:1104179D mov [ebp+v_str2], edi
.text:110417A0 mov [ebp+v_short], edi
.text:110417A3 push 1
.text:110417A5 call ds:__vbaOnError
.text:110417AB mov edx, offset aEcgraph3d ; "ecGraph3D"
.text:110417B0 lea ecx, [ebp+v_str]
.text:110417B3 mov ebx, ds:__vbaStrCopy
.text:110417B9 call ebx ; __vbaStrCopy
.text:110417BB mov ecx, [esi]
.text:110417BD lea edx, [ebp+v_short] ; 0 or -1
.text:110417C0 push edx
.text:110417C1 lea eax, [ebp+v_str]
.text:110417C4 push eax
.text:110417C5 mov edx, [ebp+pStrcode]
.text:110417C8 push edx
.text:110417C9 push esi
.text:110417CA call dword ptr [ecx+0A7Ch] ; sub_11072170
.text:110417D0 mov ax, word ptr [ebp+v_short]
.text:110417D4 mov [esi+ecGraph3D.Registered], ax
.text:110417DB lea ecx, [ebp+v_str]
.text:110417DE call ds:__vbaFreeStr
.text:110417E4 lea edi, [esi+ecGraph3D.m_strRegCode]
.text:110417EA mov ecx, [ebp+pStrcode]
.text:110417ED mov edx, [ecx]
.text:110417EF mov ecx, edi ; ecx=m_strRegCode
.text:110417F1 call ebx ; __vbaStrCopy
.text:110417F3 mov edx, [esi]
.text:110417F5 lea eax, [ebp+v_str]
.text:110417F8 push eax
.text:110417F9 push esi
.text:110417FA call dword ptr [edx+0A84h] ; sub_11072BB0
.text:11041800 mov edx, [ebp+v_str]
.text:11041803 mov [ebp+v_str], 0
.text:1104180A lea ecx, [ebp+v_str2]
.text:1104180D call ds:__vbaStrMove
.text:11041813 mov ecx, [esi]
.text:11041815 lea edx, [ebp+v_short]
.text:11041818 push edx
.text:11041819 lea eax, [ebp+v_str2]
.text:1104181C push eax
.text:1104181D mov edx, [edi]
.text:1104181F push edx
.text:11041820 push esi
.text:11041821 call dword ptr [ecx+0AB0h] ; sub_11075780
.text:11041827 mov ax, word ptr [ebp+v_short]
.text:1104182B mov [esi+ecGraph3D.m_dw_180], ax
.text:11041832 lea ecx, [ebp+v_str2]
.text:11041835 call ds:__vbaFreeStr
.text:1104183B mov ecx, [esi]
.text:1104183D push esi
.text:1104183E call dword ptr [ecx+9C4h] ; sub_1104B620
.text:11041844 test eax, eax
.text:11041846 jge short loc_11041890
.text:11041848 push 9C4h
.text:1104184D push offset nullsub_1
.text:11041852 push esi
.text:11041853 push eax
.text:11041854 call ds:__vbaHresultCheckObj
.text:1104185A jmp short loc_11041890
.text:1104185C ; ---------------------------------------------------------------------------
.text:1104185C loc_1104185C: ; DATA XREF: .text:11003620 o
.text:1104185C push (offset dword_110080FC+4)
.text:11041861 push (offset dword_1100C2F4+4)
.text:11041866 call ds:__vbaStrCat
.text:1104186C mov edx, eax
.text:1104186E lea ecx, [ebp+v_str]
.text:11041871 call ds:__vbaStrMove
.text:11041877 mov eax, [ebp+this]
.text:1104187A mov edx, [eax]
.text:1104187C lea ecx, [ebp+v_str]
.text:1104187F push ecx
.text:11041880 push eax
.text:11041881 call dword ptr [edx+984h]
.text:11041887 lea ecx, [ebp+v_str]
.text:1104188A call ds:__vbaFreeStr
.text:11041890 loc_11041890: ; CODE XREF: RegisterecGraph3D+E6 j
.text:11041890 ; RegisterecGraph3D+FA j
.text:11041890 call ds:__vbaExitProc
.text:11041896 loc_11041896: ; DATA XREF: .text:11003604 o
.text:11041896 push offset loc_110418B2
.text:1104189B jmp short locret_110418B1
.text:1104189D ; ---------------------------------------------------------------------------
.text:1104189D loc_1104189D: ; DATA XREF: .text:1100360C o
.text:1104189D lea edx, [ebp+v_str2]
.text:110418A0 push edx
.text:110418A1 lea eax, [ebp+v_str]
.text:110418A4 push eax
.text:110418A5 push 2
.text:110418A7 call ds:__vbaFreeStrList
.text:110418AD add esp, 0Ch
.text:110418B0 retn
.text:110418B1 ; ---------------------------------------------------------------------------
.text:110418B1 locret_110418B1: ; CODE XREF: RegisterecGraph3D+13B j
.text:110418B1 retn
.text:110418B2 ; ---------------------------------------------------------------------------
.text:110418B2 loc_110418B2: ; DATA XREF: RegisterecGraph3D:loc_11041896 o
.text:110418B2 mov eax, [ebp+this]
.text:110418B5 mov ecx, [eax]
.text:110418B7 push eax
.text:110418B8 call dword ptr [ecx+8]
.text:110418BB mov eax, [ebp+var_C]
.text:110418BE mov ecx, [ebp+var_1C]
.text:110418C1 mov large fs:0, ecx
.text:110418C8 pop edi
.text:110418C9 pop esi
.text:110418CA pop ebx
.text:110418CB mov esp, ebp
.text:110418CD pop ebp
.text:110418CE retn 8
.text:110418CE RegisterecGraph3D endp ; sp-analysis failed
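An added example (not part of the original post): a short Python check of the question raised in the listing's comments. Under stdcall the callee pops its own arguments, so retn 8 means two 4-byte slots (this and pStrcode); the script also reports which argument names in an excerpt of the listing are never referenced through ebp. The function names in the script are illustrative.

```python
import re

# Excerpt copied from the IDA listing above: some frame names, the ebp-relative
# references to them, and both return instructions.
LISTING = """\
.text:11041760 var_C = dword ptr -0Ch
.text:11041760 this = dword ptr 8
.text:11041760 pStrcode= dword ptr 0Ch
.text:11041760 arg_8 = dword ptr 10h
.text:11041760 arg_C = dword ptr 14h
.text:11041791 mov esi, [ebp+this]
.text:110417C5 mov edx, [ebp+pStrcode]
.text:110417EA mov ecx, [ebp+pStrcode]
.text:110418B2 mov eax, [ebp+this]
.text:110418BB mov eax, [ebp+var_C]
.text:110418B0 retn
.text:110418CE retn 8
"""

FRAME_DEF = re.compile(r"^\S+\s+(\w+)\s*=\s*\w+ ptr\s+(-?)([0-9A-Fa-f]+)h?\s*(?:;.*)?$")
RETN = re.compile(r"\bretn\s+([0-9A-Fa-f]+)h?\s*(?:;.*)?$")
EBP_REF = re.compile(r"\[ebp\+(\w+)\]")

def parse_frame(listing):
    """Return {name: signed ebp offset} for IDA frame definitions."""
    frame = {}
    for line in listing.splitlines():
        m = FRAME_DEF.match(line)
        if m:
            off = int(m.group(3), 16)
            frame[m.group(1)] = -off if m.group(2) else off
    return frame

def stdcall_arg_count(listing):
    """Bytes popped by the largest 'retn N', expressed in 4-byte stack slots."""
    sizes = [int(m.group(1), 16) for l in listing.splitlines() if (m := RETN.search(l))]
    return max(sizes, default=0) // 4

def unreferenced_args(listing):
    """Frame names at ebp+8 or above that no instruction addresses via ebp."""
    used = set(EBP_REF.findall(listing))
    return sorted(n for n, off in parse_frame(listing).items() if off >= 8 and n not in used)

if __name__ == "__main__":
    print("stdcall argument slots:", stdcall_arg_count(LISTING))
    print("declared but unreferenced:", unreferenced_args(LISTING))
```
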
RegisterecGraph3D(CObject* this,char *pstrcode)
char* v_str; // v_str and v_str2 are probably both objects like the CString class
char* v_str2; // each object has a single member, a pointer to the string
short v_short;
sub_11072170(this,pstrcode,&v_str,&v_short);//call dword ptr [ecx+0A7Ch]
sub_11072BB0(this,&v_str);//call dword ptr [edx+0A84h]
sub_11075780(this,&this->m_strRegCode,&v_str2,&v_short);//call dword ptr [ecx+0AB0h]
if (sub_1104B620(this)<0)
sub_11072170(this,pstrcode,&v_str,&v_short);//call dword ptr [ecx+0A7Ch]
sub_11075780(this,&this->m_strRegCode,&v_str2,&v_short);//call dword ptr [ecx+0AB0h]
