|
|
发表于 2010-1-14 11:54:39
|显示全部楼层
【文章标题】: 让程序自己显示注册码
【文章作者】: kangroo
【作者邮箱】: iknelen@163.com
【软件大小】: 400KB
【下载地址】: http://www.skycn.com/soft/2063.html
【加壳方式】: ASPack 2.11
【保护方式】: 重起验证
【编写语言】: VB
【使用工具】: OD PEID
【操作平台】: XP sp2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
先用PEID 查壳 是ASPack 2.11 就用自带的插件PEID Generic unpacker脱它,再查得是VB语言编写的。用OD 载入脱壳后的
程序 超级字符串参考找到RegCodeTrue 在汇编代码中跟随 来到 向下找关键跳转
0042D0C1 . 68 C89D4000 PUSH CODE_u.00409DC8 ; UNICODE "RegCodeTrue"
0042D0C6 . 68 BC9D4000 PUSH CODE_u.00409DBC ; UNICODE "Reg"
0042D0CB . 8908 MOV DWORD PTR DS:[EAX],ECX
0042D0CD . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0042D0D3 . 68 849D4000 PUSH CODE_u.00409D84 ; UNICODE "Stock-Star-Website\Code41"
0042D0D8 . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0042D0DB . 8B95 20FFFFFF MOV EDX,DWORD PTR SS:[EBP-E0]
0042D0E1 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0042D0E4 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0042D0E7 . FF15 CCF34300 CALL DWORD PTR DS:[<&MSVBVM50.#689>] ; MSVBVM50.rtcGetSetting
0042D0ED . 8BD0 MOV EDX,EAX
0042D0EF . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0042D0F5 . FF15 04F44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0042D0FB . 50 PUSH EAX
0042D0FC . FF15 30F44300 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0042D102 . DD9D ECFEFFFF FSTP QWORD PTR SS:[EBP-114]
0042D108 . 8D95 E4FEFFFF LEA EDX,DWORD PTR SS:[EBP-11C]
0042D10E . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0042D111 . C785 E4FEFFFF >MOV DWORD PTR SS:[EBP-11C],5
0042D11B . FFD6 CALL ESI
0042D11D . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0042D123 . FF15 28F44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0042D129 . 8D85 14FFFFFF LEA EAX,DWORD PTR SS:[EBP-EC]
0042D12F . 8D8D 24FFFFFF LEA ECX,DWORD PTR SS:[EBP-DC]
0042D135 . 50 PUSH EAX
0042D136 . 51 PUSH ECX
0042D137 . 6A 02 PUSH 2
0042D139 . FF15 64F24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0042D13F . 83C4 0C ADD ESP,0C
0042D142 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0042D148 . 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
0042D14E . 8D8D 24FFFFFF LEA ECX,DWORD PTR SS:[EBP-DC]
0042D154 . 52 PUSH EDX
0042D155 . 50 PUSH EAX
0042D156 . 51 PUSH ECX
0042D157 . FF15 D4F34300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarAd>; MSVBVM50.__vbaVarAdd
0042D15D . 50 PUSH EAX
0042D15E . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
0042D164 . 8D85 14FFFFFF LEA EAX,DWORD PTR SS:[EBP-EC]
0042D16A . 52 PUSH EDX
0042D16B . 50 PUSH EAX
0042D16C . FF15 A4F24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarXo>; MSVBVM50.__vbaVarXor
0042D172 . 8BD0 MOV EDX,EAX
0042D174 . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4]
0042D17A . FFD6 CALL ESI
0042D17C . 8D8D 24FFFFFF LEA ECX,DWORD PTR SS:[EBP-DC]
0042D182 . FF15 50F24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0042D188 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0042D18B . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
0042D191 . 51 PUSH ECX
0042D192 . 52 PUSH EDX
0042D193 . FF15 0CF34300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstEq
0042D199 . 66:85C0 TEST AX,AX
0042D19C . 0F84 C8000000 JE CODE_u.0042D26A / /将此处NOP 掉 保存就可以在注册窗口显示注册码
0042D1A2 . 8B85 CCFEFFFF MOV EAX,DWORD PTR SS:[EBP-134]
0042D1A8 . 53 PUSH EBX
0042D1A9 . FF90 18030000 CALL DWORD PTR DS:[EAX+318]
0042D1AF . 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC]
0042D1B5 . 50 PUSH EAX
0042D1B6 . 51 PUSH ECX
0042D1B7 . FF15 B4F24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
0042D1BD . 8B30 MOV ESI,DWORD PTR DS:[EAX]
0042D1BF . 8985 DCFEFFFF MOV DWORD PTR SS:[EBP-124],EAX
0042D1C5 . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
0042D1CB . 8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8]
0042D1D1 . 52 PUSH EDX
0042D1D2 . 50 PUSH EAX
0042D1D3 . FF15 74F34300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>; MSVBVM50.__vbaStrVarVal
0042D1D9 . 89B5 C4FEFFFF MOV DWORD PTR SS:[EBP-13C],ESI
0042D1DF . 8BB5 DCFEFFFF MOV ESI,DWORD PTR SS:[EBP-124]
0042D1E5 . 8B8D C4FEFFFF MOV ECX,DWORD PTR SS:[EBP-13C]
0042D1EB . 50 PUSH EAX
0042D1EC . 56 PUSH ESI
0042D1ED . FF91 A4000000 CALL DWORD PTR DS:[ECX+A4]
0042D1F3 . 3BC7 CMP EAX,EDI
0042D1F5 . 7D 12 JGE SHORT CODE_u.0042D209
0042D1F7 . 68 A4000000 PUSH 0A4
0042D1FC . 68 F4994000 PUSH CODE_u.004099F4
0042D201 . 56 PUSH ESI
0042D202 . 50 PUSH EAX
0042D203 . FF15 8CF24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;MSVBVM50.__vbaHresultCheckObj
0042D209 > 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0042D20F . FF15 28F44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0042D215 . 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC]
0042D21B . FF15 2CF44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0042D221 . 8B95 CCFEFFFF MOV EDX,DWORD PTR SS:[EBP-134]
0042D227 . 53 PUSH EBX
0042D228 . FF92 24030000 CALL DWORD PTR DS:[EDX+324]
0042D22E . 50 PUSH EAX
0042D22F . 8D85 34FFFFFF LEA EAX,DWORD PTR SS:[EBP-CC]
0042D235 . 50 PUSH EAX
0042D236 . FF15 B4F24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
0042D23C . 8BF0 MOV ESI,EAX
0042D23E . 57 PUSH EDI
0042D23F . 56 PUSH ESI
0042D240 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
0042D242 . FF91 8C000000 CALL DWORD PTR DS:[ECX+8C]
0042D248 . 3BC7 CMP EAX,EDI
0042D24A . 7D 12 JGE SHORT CODE_u.0042D25E
0042D24C . 68 8C000000 PUSH 8C
0042D251 . 68 28A24000 PUSH CODE_u.0040A228
0042D256 . 56 PUSH ESI
0042D257 . 50 PUSH EAX
0042D258 . FF15 8CF24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;MSVBVM50.__vbaHresultCheckObj
0042D25E > 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC]
0042D264 . FF15 2CF44300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0042D26A > 8B95 CCFEFFFF MOV EDX,DWORD PTR SS:[EBP-134]
0042D270 . 53 PUSH EBX
0042D271 . FF92 20030000 CALL DWORD PTR DS:[EDX+320]
0042D277 . 50 PUSH EAX
0042D278 . 8D85 34FFFFFF LEA EAX,DWORD PTR SS:[EBP-CC]
0042D27E . 50 PUSH EAX
0042D27F . FF15 B4F24300 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
0042D285 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0042D28B . 8BF0 MOV ESI,EAX
0042D28D . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
0042D293 . 51 PUSH ECX
0042D327 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0042D32A . FFD6 CALL ESI
0042D32C . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0042D32F . FFD6 CALL ESI
0042D331 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0042D334 . FFD6 CALL ESI
0042D336 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0042D339 . FFD6 CALL ESI
0042D33B . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0042D341 . FFD6 CALL ESI
0042D343 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0042D349 . FFD6 CALL ESI
0042D34B . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
0042D351 . FFD6 CALL ESI
0042D353 . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4]
0042D359 . FFD6 CALL ESI
0042D35B . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0042D361 . FFE6 JMP ESI
0042D363 . C3 RETN
--------------------------------------------------------------------------------
【经验总结】
软件是重起验证 类型,保护比较简单,我偷懒 直接把地址0042D19C 处代码NOP掉,让它直接显示注册码,省去了分析算法
的时间。运行修改后的程序,点击注册后 ,在注册窗口就会出现注册码了,再运行未修改过的原程序填入刚才的注册码,重起后程序就变成注册的了 ,其实修改后的程序就相当于注册机了。如果有哪位高手有空分析出算法,那我就非常感谢了。 |
|
狗仔卡
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡