先简单介绍一下这一款软件的注册原理:
这个软件在注册时,会把注册信息同时写入注册表和自身根目录下的reg.ini文件。
启动时,软件会先校验注册表中的注册信息,然后校验根目录下的reg.ini文件,看哪一处能校验通过。只要有一处通过,就不再继续判断,软件就按已注册版本运行。换句话说,两处存储是"或"的关系,而且校验完全在本地完成,所以整体强度取决于两者中较弱的那一处。下面开始了:
-------------------------------------注册流程----------------------------------005D4B01ss:[ebp-F8],0005D4B08005D4B0A005D4B0F005D4B14005D4B1A005D4B1B005D4B21005D4B22005D4B28005D4B2E005D4B30
.7D26.68A0000000.
68B8454400.8B850CFFFFFF.50
.8B8D08FFFFFF.51
.
FF15B0104000.
83BD08FFFFFF00
;就先断在此处,开始往下调
jgeshortemu8086.005D4B30push0A0
pushemu8086.004445B8moveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
calldwordptr
movdwordptrss:[ebp-190],eaxjmpshortemu8086.005D4B3Amovdwordptrss:[ebp-190],0
cmpdwordptr
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
.898570FEFFFF.EB0A
>C78570FEFFFF00000000
005D4B3A005D4B3D005D4B3F005D4B42
>8B5508.8B02.
8B4D08.51
movedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
005D4B43005D4B49005D4B4A005D4B4D005D4B4E005D4B54005D4B5A005D4B5D005D4B5E005D4B64005D4B66005D4B6C005D4B6D005D4B73005D4B75005D4B7B005D4B82005D4B84005D4B89005D4B8E005D4B94005D4B95005D4B9B005D4B9C005D4BA2005D4BA8
.FF90FC020000.50.8D55C4.52
.
FF15FC104000
;
calldwordptrds:[eax+2FC]pusheax
leaedx,dwordptrss:[ebp-3C]pushedx
calldwordptr
movdwordptrss:[ebp-FC],eaxleaeax,dwordptrss:[ebp-2C]pusheax
movecx,dwordptrss:[ebp-FC]movedx,dwordptrds:[ecx]moveax,dwordptrss:[ebp-FC]pusheax
calldwordptrds:[edx+A0]fclex
movdwordptrss:[ebp-100],eaxcmpdwordptrss:[ebp-100],0jgeshortemu8086.005D4BAApush0A0
pushemu8086.004445B8movecx,dwordptrss:[ebp-FC]pushecx
movedx,dwordptrss:[ebp-100]pushedx
calldwordptr
movdwordptrss:[ebp-194],eaxjmpshortemu8086.005D4BB4
MSVBVM60.__vbaObjSet
ds:[<&MSVBVM60.__vbaObjSet>]
.898504FFFFFF.8D45D4.50
.8B8D04FFFFFF.8B11
.8B8504FFFFFF.50
.FF92A0000000.DBE2
.898500FFFFFF
.83BD00FFFFFF00.7D26.68A0000000.68B8454400.8B8D04FFFFFF.51
.8B9500FFFFFF.52
.
FF15B0104000
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
.89856CFEFFFF.EB0A
、005D6E88
.
>66:8B55DC
;
循环3开始
66:039540FFFFFF
;循环3当然是最后整理注册码了
joemu8086.005D6F9C
movdx,wordptradddx,wordptr
ss:[ebp-24]005D6E8Css:[ebp-C0]005D6E93005D6E99005D6E9D005D6EA1005D6EA8005D6EAA005D6EB1005D6EB4005D6EB5005D6EBA005D6EBC005D6EBF005D6EC5005D6ECC
.66:8955DC>66:8B45DC
.0F8003010000
movwordptrss:[ebp-24],dxmovax,wordptrss:[ebp-24]cmpax,wordptrss:[ebp-C4]jgshortemu8086.005D6ECEmovdwordptrss:[ebp-4],29leaecx,dwordptrss:[ebp-4C]pushecx
callemu8086.005D6FB0movedx,eax
leaecx,dwordptrss:[ebp-4C]
calldwordptr
movdwordptrss:[ebp-4],2A
jmpshort
;
MSVBVM60.__vbaStrMove
.66:3B853CFFFFFF.7F24.
C745FC29000000.8D4DB4.51
.E8F6000000..8BD08D4DB4.
FF15D0134000
ds:[<&MSVBVM60.__vbaStrMove>]
.^EBBA
.C745FC2A000000
emu8086.005D6E88005D6ECE005D6ED5005D6ED8005D6EDE005D6EE8005D6EEE005D6EF1005D6EF7005D6EFCemu8086.005D6F2C005D6EFE005D6F01005D6F04005D6F06005D6F08005D6F0B005D6F11005D6F17005D6F18005D6F1B005D6F1C005D6F1F005D6F20005D6F22005D6F28005D6F2B005D6F2Css:[ebp-28]005D6F2F005D6F35005D6F38005D6F3E
..8B45F0.83E004.85C0.7409.8D4DB8
.
FF1534104000
>C745FC2B000000.8B55B4.89956CFFFFFF..
;循环3结尾
movdwordptrss:[ebp-4],2Bmovedx,dwordptrss:[ebp-4C]movdwordptrss:[ebp-94],edxmovdwordptrss:[ebp-9C],8leaedx,dwordptrss:[ebp-9C]leaecx,dwordptrss:[ebp-48]
calldwordptr
pushemu8086.005D6F6C
jmpshort
C78564FFFFFF080000008D9564FFFFFF.
FF15B0134000
;
.8D4DB8
ds:[<&MSVBVM60.__vbaVarCopy>]
.686C6F5D00
.
EB2E
MSVBVM60.__vbaVarCopy
;跳向005D6F2C已经实现
moveax,dwordptrss:[ebp-10]andeax,4testeax,eax
jeshortemu8086.005D6F11leaecx,dwordptrss:[ebp-48]
calldwordptr
leaecx,dwordptrss:[ebp-8C]pushecx
leaedx,dwordptrss:[ebp-7C]pushedx
leaeax,dwordptrss:[ebp-6C]pusheaxpush3
FF1550104000
addesp,10retn
8D4DD8
;
跳转来自005D6EFC
calldwordptr
leaecx,dwordptrss:[ebp-2C]
calldwordptr
leaecx,dwordptrss:[ebp-38]
;
MSVBVM60.__vbaFreeStr;
MSVBVM60.__vbaFreeStr
FF153C144000
leaecx,dwordptrcalldwordptr
;MSVBVM60.__vbaFreeVar
ds:[<&MSVBVM60.__vbaFreeVar>]
>8D8D74FFFFFF.51.8D5584..528D4594
.50.6A03
.
ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
.83C410.C3>
ds:[<&MSVBVM60.__vbaFreeStr>]
.8D4DD4
.
FF153C144000
ds:[<&MSVBVM60.__vbaFreeStr>]
.8D4DC8
005D4BAA005D4BB4005D4BB7ss:[ebp-140],eax005D4BBD005D4BC4005D4BCA005D4BCD005D4BD3005D4BD6005D4BDC005D4BE3005D4BE9005D4BEC005D4BF2005D4BF7
>C7856CFEFFFF00000000>8B45D4
.
8985C0FEFFFF
;
.8B95C0FEFFFF.
8D4DCC.
FF15D0134000
;
movdwordptrss:[ebp-194],0moveax,dwordptrss:[ebp-2C]
movdwordptr
movdwordptrss:[ebp-2C],0movedx,dwordptrss:[ebp-140]leaecx,dwordptrss:[ebp-34]
calldwordptr
movecx,dwordptrss:[ebp-28]movdwordptrss:[ebp-144],ecxmovdwordptrss:[ebp-28],0movedx,dwordptrss:[ebp-144]leaecx,dwordptrss:[ebp-30]
calldwordptr
pushemu8086.0061D464
push
;d
leaedx,dwordptrss:[ebp-34]pushedx
leaeax,dwordptrss:[ebp-30]
运行至此,寄存器中已出现输入的假码
.C745D400000000
ds:[<&MSVBVM60.__vbaStrMove>]
.8B4DD8.898DBCFEFFFF
MSVBVM60.__vbaStrMove
.C745D800000000.8B95BCFEFFFF.8D4DD0
..
FF15D0134000
;
ds:[<&MSVBVM60.__vbaStrMove>]
6864D46100..8D55CC.52.8D45D0
MSVBVM60.__vbaStrMove
6884D46100
emu8086.0061D484005D4BFC005D4BFF005D4C00
005D4C03005D4C04005D4C09005D4C0C005D4C0D005D4C10005D4C11005D4C13005D4C19005D4C1C005D4C1F005D4C20005D4C23
.50
.E8E70F0000.8D4DCC.51.8D55D0.52.6A02.
FF1544134000
pusheax
callemu8086.005D5BF0leaecx,dwordptrss:[ebp-34]pushecx
leaedx,dwordptrss:[ebp-30]pushedxpush2
calldwordptr
addesp,0C
leaeax,dwordptrss:[ebp-3C]pusheax
leaecx,dwordptrss:[ebp-38]pushecx
ds:[<&MSVBVM60.__vbaFreeStrList>;MSVBVM60.__vbaFreeStrList
.83C40C.8D45C4.50.8D4DC8.51
005D4C24005D4C26005D4C2C005D4C2F005D4C36005D4C3F005D4C45005D4C46
.6A02
.
FF1560104000
push2
calldwordptr
addesp,0C
movdwordptrss:[ebp-4],21movwordptrss:[ebp-F0],0FFFFleaedx,dwordptrss:[ebp-F0]pushedx
call
;这个call按f8也能过去,就是算法call
MSVBVM60.__vbaFreeObjList
ds:[<&MSVBVM60.__vbaFreeObjList>;
.83C40C..
C745FC210000008D9510FFFFFF.
E8
.66:C78510FFFFFFFFFF.52
35130000
emu8086.005D5F80按f7多走路005D4C4Bss:[ebp-4],22005D4C52005D4C59005D4C5Bemu8086.005D51B4005D4C61005D4C68005D4C6D005D4C70005D4C72005D4C75005D4C76005D4C79005D4C7B005D4C81005D4C88005D4C8A005D4C8C005D4C91005D4C94005D4C95005D4C9B005D4C9C005D4CA2005D4CA8005D4CAA005D4CB4
.C745FC23000000.680000FF00.8B4D08.8B11.8B4508.50.FF5264.DBE2
.89850CFFFFFF.83BD0CFFFFFF007D20.6A64.6860B24400.8B4D08.51
.8B950CFFFFFF.52
.
FF15B0104000
.85C0
0F8453050000
.
C745FC22000000
;返回于此
.0FBF0570D46100
movdwordptr
movsxeax,wordptrds:[61D470]testeax,eax
je
;
关键的一跳,跳向失败处movdwordptrss:[ebp-4],23push0FF0000
movecx,dwordptrss:[ebp+8]movedx,dwordptrds:[ecx]moveax,dwordptrss:[ebp+8]pusheax
calldwordptrds:[edx+64]fclex
movdwordptrss:[ebp-F4],eaxcmpdwordptrss:[ebp-F4],0jgeshortemu8086.005D4CAApush64
pushemu8086.0044B260movecx,dwordptrss:[ebp+8]pushecx
movedx,dwordptrss:[ebp-F4]pushedx
calldwordptr
movdwordptrss:[ebp-198],eaxjmpshortemu8086.005D4CB4movdwordptrss:[ebp-198],0
movdwordptr
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
.898568FEFFFF.EB0A
>C78568FEFFFF00000000
>
C745FC24000000
ss:[ebp-4],24005D4CBBemu8086.00450718005D4CC0005D4CC3005D4CC5005D4CC8005D4CC9005D4CCC005D4CCE005D4CD4005D4CDB005D4CDD005D4CDF005D4CE4005D4CE7005D4CE8005D4CEE005D4CEF005D4CF5005D4CFB005D4CFD005D4D07005D4D0E005D4D11005D4D13005D4D16005D4D17005D4D1D005D4D1E005D4D21005D4D22005D4D28005D4D2E005D4D30005D4D36005D4D38005D4D3E
.....
.8B4508.8B08.8B5508.52.FF5154..DBE2.
;下面一句不用我多说了吧,注册成功了6818074500
;thesoftwareissuccessfullyregisteredmoveax,dwordptrss:[ebp+8]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp+8]pushedx
calldwordptrds:[ecx+54]fclex
movdwordptrss:[ebp-F4],eaxcmpdwordptrss:[ebp-F4],0jgeshortemu8086.005D4CFDpush54
pushemu8086.0044B260moveax,dwordptrss:[ebp+8]pusheax
movecx,dwordptrss:[ebp-F4]pushecx
FF15B0104000
calldwordptr
movdwordptrss:[ebp-19C],eaxjmpshortemu8086.005D4D07movdwordptrss:[ebp-19C],0movdwordptrss:[ebp-4],25movedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
calldwordptrds:[eax+30C]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
FF15FC104000
;
MSVBVM60.__vbaObjSet
movdwordptrss:[ebp-F4],eaxpush0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
calldwordptr
push
89850CFFFFFF
.83BD0CFFFFFF00.7D20.6A54.
6860B24400.8B4508.50
.8B8D0CFFFFFF.51
.
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
898564FEFFFF.EB0A
>C78564FEFFFF00000000>C745FC25000000.8B5508......8B028B4D0851
FF900C0300005052.
.8D55C8
ds:[<&MSVBVM60.__vbaObjSet>]
89850CFFFFFF8B850CFFFFFF8B08
8B950CFFFFFF.6A00
.52
005D4D3F005D4D45005D4D47005D4D4D005D4D54005D4D56005D4D5B005D4D60005D4D66005D4D67005D4D6D005D4D6E005D4D74
.FF9194000000.........DBE2
898508FFFFFF83BD08FFFFFF007D2668940000008B850CFFFFFF50
8B8D08FFFFFF51..
FF15B0104000
calldwordptrds:[ecx+94]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0jgeshortemu8086.005D4D7Cpush94
pushemu8086.0043B580moveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
calldwordptr
movdwordptrss:[ebp-1A0],eax
.6880B54300
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
898560FEFFFF
005D4D7A005D4D7C
.EB0A
>C78560FEFFFF00000000
jmpshortemu8086.005D4D86movdwordptrss:[ebp-1A0],0
005D4D86005D4D89005D4D8F005D4D96005D4D99005D4D9B005D4D9E005D4D9F005D4DA5005D4DA6005D4DA9005D4DAA005D4DB0005D4DB6005D4DB8005D4DBE005D4DC0005D4DC6005D4DC7005D4DCD005D4DCF005D4DD5005D4DDC005D4DDE005D4DE3005D4DE8005D4DEE005D4DEF005D4DF5005D4DF6005D4DFC005D4E02005D4E04005D4E0E005D4E11005D4E17
>8D4DC8
.
FF1538144000
;
leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],26movedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
calldwordptrds:[eax+304]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
calldwordptr
movdwordptrss:[ebp-F4],eaxpush0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
calldwordptrds:[ecx+94]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0jgeshortemu8086.005D4E04push94
pushemu8086.0043B580moveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
calldwordptr
movdwordptrss:[ebp-1A4],eaxjmpshortemu8086.005D4E0Emovdwordptrss:[ebp-1A4],0leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],27
;
MSVBVM60.__vbaFreeObjMSVBVM60.__vbaFreeObj
ds:[<&MSVBVM60.__vbaFreeObj>]
.C745FC26000000..
8B55088B02
.8B4D08.51
.FF9004030000...508D55C852.
FF15FC104000
;
ds:[<&MSVBVM60.__vbaObjSet>]
.89850CFFFFFF.6A00
.8B850CFFFFFF.8B08
.8B950CFFFFFF.52
.FF9194000000.DBE2..
898508FFFFFF
MSVBVM60.__vbaObjSet
83BD08FFFFFF00
.7D26.6894000000.6880B54300.8B850CFFFFFF.50
.8B8D08FFFFFF.51
..
FF15B0104000
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
89855CFEFFFF.EB0A
>C7855CFEFFFF00000000>8D4DC8
.
FF1538144000
ds:[<&MSVBVM60.__vbaFreeObj>]
.C745FC27000000
005D4E1E005D4E21005D4E23005D4E26005D4E27005D4E2D005D4E2E005D4E31005D4E32005D4E38005D4E3E005D4E40005D4E46005D4E48005D4E4E005D4E4F005D4E55005D4E57005D4E5D005D4E64005D4E66005D4E6B005D4E70005D4E76005D4E77005D4E7D005D4E7E005D4E84005D4E8A005D4E8C005D4E96005D4E99005D4E9F005D4EA6005D4EA9005D4EAB005D4EAE
.8B5508movedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
calldwordptrds:[eax+308]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
calldwordptr
movdwordptrss:[ebp-F4],eaxpush0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
calldwordptrds:[ecx+94]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0jgeshortemu8086.005D4E8Cpush94
pushemu8086.0043B580moveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
calldwordptr
movdwordptrss:[ebp-1A8],eaxjmpshortemu8086.005D4E96movdwordptrss:[ebp-1A8],0leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],28movedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
;
MSVBVM60.__vbaFreeObj
.8B02.8B4D08.51
.FF9008030000.50.
8D55C8.
FF15FC104000
;
.52
ds:[<&MSVBVM60.__vbaObjSet>]
.89850CFFFFFF.6A00
.8B850CFFFFFF.8B08
.8B950CFFFFFF.52
.FF9194000000.DBE2
.898508FFFFFF
MSVBVM60.__vbaObjSet
.83BD08FFFFFF00.7D26.6894000000.6880B54300.8B850CFFFFFF.50
.8B8D08FFFFFF.51
.
FF15B0104000
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
.898558FEFFFF.EB0A
>C78558FEFFFF00000000>8D4DC8
.
FF1538144000
ds:[<&MSVBVM60.__vbaFreeObj>]
.C745FC28000000.8B5508.8B02..
8B4D0851
005D4EAF005D4EB5005D4EB6005D4EB9005D4EBA005D4EC0005D4EC6005D4EC8005D4ECE005D4ED0005D4ED6
.FF9000030000.50.8D55C8.52
.
FF15FC104000
;
calldwordptrds:[eax+300]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
calldwordptr
movdwordptrss:[ebp-F4],eaxpush0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
MSVBVM60.__vbaObjSet
ds:[<&MSVBVM60.__vbaObjSet>]
.89850CFFFFFF.6A00
.8B850CFFFFFF.8B08
.8B950CFFFFFF.52
005D4ED7005D4EDD005D4EDF005D4EE5
.FF9194000000.DBE2.898508FFFFFF.
83BD08FFFFFF00
calldwordptrds:[ecx+94]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0
005D4EEC005D4EEE005D4EF3005D4EF8005D4EFE005D4EFF005D4F05005D4F06005D4F0C005D4F12005D4F14005D4F1E005D4F21005D4F27005D4F2E005D4F31005D4F33005D4F36005D4F37005D4F3D005D4F3E005D4F41005D4F42005D4F48005D4F4E005D4F50005D4F56005D4F58005D4F5E005D4F5F005D4F65005D4F67005D4F6D005D4F74005D4F76005D4F7B005D4F80
.7D26.6894000000.68B8454400.8B850CFFFFFF.50.
8B8D08FFFFFF..
FF15B0104000
.51
jgeshortemu8086.005D4F14push94
pushemu8086.004445B8moveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
calldwordptr
movdwordptrss:[ebp-1AC],eaxjmpshortemu8086.005D4F1Emovdwordptrss:[ebp-1AC],0leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],29movedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
calldwordptrds:[eax+2FC]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
FF15FC104000
;
MSVBVM60.__vbaObjSet
movdwordptrss:[ebp-F4],eaxpush0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
calldwordptrds:[ecx+94]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0jgeshortemu8086.005D4F9Cpush94
pushemu8086.004445B8moveax,dwordptrss:[ebp-F4]
calldwordptr
;
MSVBVM60.__vbaFreeObj
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
898554FEFFFF.EB0A
>C78554FEFFFF00000000>8D4DC8
.
FF1538144000
ds:[<&MSVBVM60.__vbaFreeObj>]
.C745FC29000000.8B5508.8B02.8B4D08.51
.FF90FC020000.50.8D55C8.52
.
ds:[<&MSVBVM60.__vbaObjSet>]
.89850CFFFFFF.6A00
.8B850CFFFFFF.8B08
.8B950CFFFFFF.52
.FF9194000000.DBE2
.898508FFFFFF
.83BD08FFFFFF00.7D26.6894000000.
68B8454400.8B850CFFFFFF
005D4F86005D4F87005D4F8D005D4F8E005D4F94005D4F9A005D4F9C005D4FA6005D4FA9005D4FAF005D4FB6005D4FB9005D4FBB005D4FBE005D4FBF005D4FC5005D4FC6005D4FC9005D4FCA005D4FD0005D4FD6005D4FD8005D4FDE005D4FE0005D4FE6005D4FE7005D4FED005D4FEF005D4FF5005D4FFC005D4FFE005D5003005D5008005D500E005D500F005D5015005D5016
.50
.8B8D08FFFFFF.51
.
FF15B0104000
pusheax
movecx,dwordptrss:[ebp-F8]pushecx
calldwordptr
movdwordptrss:[ebp-1B0],eaxjmpshortemu8086.005D4FA6movdwordptrss:[ebp-1B0],0leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],2Amovedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
calldwordptrds:[eax+314]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
FF15FC104000
;
MSVBVM60.__vbaObjSet
movdwordptrss:[ebp-F4],eaxpush0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
calldwordptrds:[ecx+9C]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0jgeshortemu8086.005D5024push9C
pushemu8086.0043B75Cmoveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
FF15B0104000
calldwordptrcalldwordptr
;
MSVBVM60.__vbaFreeObj
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
.898550FEFFFF.EB0A
>C78550FEFFFF00000000>8D4DC8
.
FF1538144000
ds:[<&MSVBVM60.__vbaFreeObj>]
..
8B55088B02
.C745FC2A000000
.8B4D08.51
.FF9014030000...508D55C852.
ds:[<&MSVBVM60.__vbaObjSet>]
.89850CFFFFFF.6A00
.8B850CFFFFFF.8B08
.8B950CFFFFFF.52
.FF919C000000.DBE2.
898508FFFFFF
.83BD08FFFFFF00.7D26...
689C000000685CB743008B850CFFFFFF
.50
.8B8D08FFFFFF.51.
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj005D501C005D5022005D5024
.89854CFEFFFF.>EB0A
C7854CFEFFFF00000000
movdwordptrss:[ebp-1B4],eaxjmpshortemu8086.005D502Emovdwordptrss:[ebp-1B4],0
005D502E005D5031005D5037005D503E005D5041005D5043005D5046005D5047005D504D005D504E005D5051005D5052005D5058
>8D4DC8
........
FF1538144000
;
leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],2Bmovedx,dwordptrss:[ebp+8]moveax,dwordptrds:[edx]movecx,dwordptrss:[ebp+8]pushecx
calldwordptrds:[eax+310]pusheax
leaedx,dwordptrss:[ebp-38]pushedx
calldwordptr
movdwordptrss:[ebp-F4],eax
MSVBVM60.__vbaFreeObj
ds:[<&MSVBVM60.__vbaFreeObj>]
C745FC2B0000008B028B4D0851
FF90100300005052..
.8B5508
.8D55C8
FF15FC104000
;
ds:[<&MSVBVM60.__vbaObjSet>]
89850CFFFFFF
MSVBVM60.__vbaObjSet
005D505E005D5060005D5066005D5068005D506E005D506F005D5075005D5077005D507D005D5084005D5086005D508B005D5090005D5096005D5097005D509D005D509E005D50A4005D50AA005D50AC005D50B6005D50B9005D50BF005D50C6005D50CD005D50D4005D50DB005D50E2005D50EC005D50F6005D50FC005D50FF005D5105005D510F005D5119
.6A00...
8B850CFFFFFF8B08
8B950CFFFFFF
push0
moveax,dwordptrss:[ebp-F4]movecx,dwordptrds:[eax]movedx,dwordptrss:[ebp-F4]pushedx
calldwordptrds:[ecx+9C]fclex
movdwordptrss:[ebp-F8],eaxcmpdwordptrss:[ebp-F8],0jgeshortemu8086.005D50ACpush9C
pushemu8086.0043B75Cmoveax,dwordptrss:[ebp-F4]pusheax
movecx,dwordptrss:[ebp-F8]pushecx
FF15B0104000
calldwordptr
movdwordptrss:[ebp-1B8],eaxjmpshortemu8086.005D50B6movdwordptrss:[ebp-1B8],0leaecx,dwordptrss:[ebp-38]
calldwordptr
movdwordptrss:[ebp-4],2Cmovdwordptrss:[ebp-74],80020004movdwordptrss:[ebp-7C],0Amovdwordptrss:[ebp-64],80020004movdwordptrss:[ebp-6C],0A
mov
dword
ptr
;
MSVBVM60.__vbaFreeObj
.52
.FF919C000000.........DBE2
898508FFFFFF83BD08FFFFFF007D26689C0000008B850CFFFFFF50
8B8D08FFFFFF51..
.685CB74300
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
898548FEFFFF.EB0A
>C78548FEFFFF00000000>8D4DC8
..
FF1538144000
ds:[<&MSVBVM60.__vbaFreeObj>]
.C7458C04000280
C745FC2C000000
.C745840A000000.
C7459C04000280
.
.C745940A000000
C7853CFFFFFF4C744300
ss:[ebp-C4],emu8086.0043744C
.C78534FFFFFF08000000.8D9534FFFFFF.
8D4DA4..
FF1594134000
;MSVBVM60.__vbaVarDup4CFFFFFF6C074500;
THANKYOUmovdwordptrss:[ebp-BC],8leaedx,dwordptrss:[ebp-BC]
mov
dword
ptr
C785
movdwordptrss:[ebp-CC],8leaedx,dwordptrss:[ebp-CC]leaecx,dwordptrss:[ebp-5C]
calldwordptr
ds:[<&MSVBVM60.__vbaVarDup>]ss:[ebp-B4],emu8086.0045076C
.8D9544FFFFFF
.C78544FFFFFF08000000
005D511F005D5122005D5128005D512B005D512C005D512F005D5130005D5133005D5134005D5136005D5139005D513A005D5140005D5143005D5144005D5147005D5148005D514B005D514C005D514F005D5150005D5152005D5158005D515B005D5162005D5165005D5167005D516A005D516B005D5171005D5173005D5179005D5180005D5182005D5187005D518C005D518F
.8D4DB4
..
FF1594134000
leaecx,dwordptrss:[ebp-4C]
calldwordptr
leaedx,dwordptrss:[ebp-7C]pushedx
leaeax,dwordptrss:[ebp-6C]pusheax
leaecx,dwordptrss:[ebp-5C]pushecxpush0
leaedx,dwordptrss:[ebp-4C]pushedx
calldwordptr
leaeax,dwordptrss:[ebp-7C]pusheax
leaecx,dwordptrss:[ebp-6C]pushecx
leaedx,dwordptrss:[ebp-5C]pushedx
leaeax,dwordptrss:[ebp-4C]pusheaxpush4
;MSVBVM60.__vbaVarDup
ds:[<&MSVBVM60.__vbaVarDup>]
8D5584.52.8D4594.50.....
8D4DA4516A008D55B452......
FF1500114000
;
MSVBVM60.rtcMsgBox
ds:[<&MSVBVM60.#595>]
8D4584508D4D94518D55A4
.52.8D45B4.50.6A04.....
FF1550104000
calldwordptr
addesp,14
movdwordptrss:[ebp-4],2Dmovecx,dwordptrss:[ebp+8]movedx,dwordptrds:[ecx]moveax,dwordptrss:[ebp+8]pusheax
calldwordptrds:[edx+2B4]fclex
movdwordptrss:[ebp-F4],eaxcmpdwordptrss:[ebp-F4],0jgeshortemu8086.005D51A5push2B4
pushemu8086.0044B260movecx,dwordptrss:[ebp+8]pushecx
ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
83C4148B4D088B118B4508
.C745FC2D000000
.50
.FF92B4020000.....DBE2
89850CFFFFFF83BD0CFFFFFF007D2368B40200006860B24400
.8B4D08.51
005D5190005D5196005D5197005D519D005D51A3005D51A5005D51AF005D51B4ss:[ebp-4],2F005D51BB
..
8B950CFFFFFF52.
FF15B0104000
movedx,dwordptrss:[ebp-F4]pushedx
calldwordptr
movdwordptrss:[ebp-1BC],eaxjmpshortemu8086.005D51AFmovdwordptrss:[ebp-1BC],0jmpemu8086.005D52A9
movdwordptr
mov
;wrongregistrationkey.leaecx,dwordptrss:[ebp-28]
calldwordptr
leaeax,dwordptrss:[ebp-28]pusheax
callemu8086.005EE1A0movedx,eax
leaecx,dwordptrss:[ebp-30]
calldwordptr
mov
;error!
leaecx,dwordptrss:[ebp-2C]
calldwordptr
leaecx,dwordptrss:[ebp-2C]pushecx
callemu8086.005EE1A0movedx,eax
leaecx,dwordptrss:[ebp-34]
calldwordptr
movdwordptrss:[ebp-74],80020004movdwordptrss:[ebp-7C],0Amovdwordptrss:[ebp-64],80020004movdwordptrss:[ebp-6C],0Amovedx,dwordptrss:[ebp-34]movdwordptrss:[ebp-148],edx
;
MSVBVM60.__vbaStrMove;MSVBVM60.__vbaStrCopy;
MSVBVM60.__vbaStrMove;MSVBVM60.__vbaStrCopy
ds:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
..
898544FEFFFFEB0A
>C78544FEFFFF00000000>E9F5000000
>..8D4DD8
.
FF1528134000C745FC2F000000
;跳到这里,即错误提示处BAC0074500
edx,emu8086.004507C0005D51C0005D51C3005D51C9005D51CC005D51CD005D51D2005D51D4005D51D7005D51DD
edx,emu8086.00440E0C005D51E2005D51E5005D51EB005D51EE005D51EF005D51F4005D51F6005D51F9005D51FF005D5206005D520D005D5214005D521B005D521E
.8D4DD4
.
FF1528134000
ds:[<&MSVBVM60.__vbaStrCopy>]
.8D45D8.50
.E8CE8F0100..8BD08D4DD0..
FF15D0134000BA0C0E4400
ds:[<&MSVBVM60.__vbaStrMove>]
ds:[<&MSVBVM60.__vbaStrCopy>]
.8D4DD4.51
.E8AC8F0100.8BD0.8D4DCC
.
FF15D0134000
ds:[<&MSVBVM60.__vbaStrMove>]
.C7458C04000280...
C745840A000000C7459C04000280C745940A000000
.8B55CC.8995B8FEFFFF
005D5224005D522B005D5231005D5234005D523B005D523E005D5244005D524B005D5251005D5254005D525B005D525E005D525F005D5262005D5263005D5266005D5267005D5269005D526Ceax
005D526D
...
C745CC000000008945AC
C745A408000000
movdwordptrss:[ebp-34],0moveax,dwordptrss:[ebp-148]movdwordptrss:[ebp-54],eaxmovdwordptrss:[ebp-5C],8movecx,dwordptrss:[ebp-30]movdwordptrss:[ebp-14C],ecxmovdwordptrss:[ebp-30],0movedx,dwordptrss:[ebp-14C]movdwordptrss:[ebp-44],edxmovdwordptrss:[ebp-4C],8leaeax,dwordptrss:[ebp-7C]pusheax
leaecx,dwordptrss:[ebp-6C]pushecx
leaedx,dwordptrss:[ebp-5C]pushedxpush0
leaeax,dwordptrss:[ebp-4C]
push
;下面的call就弹出错误提示框了
calldwordptr
.8B85B8FEFFFF
.8B4DD0.898DB4FEFFFF...
C745D0000000008955BC
C745B408000000.8B95B4FEFFFF
.8D4584.50.8D4D94.....518D55A4526A008D45B4..
50
FF1500114000
;
ds:[<&MSVBVM60.#595>]MSVBVM60.rtcMsgBox
-----------------------------进入关键call后的流程-----------------------------------005D5F80ebp005D5F81005D5F83005D5F86005D5F8B005D5F91005D5F92
..8BEC.83EC14
.
6816974100
;SE处理程序安装moveax,dwordptrfs:[0]pusheax
movdwordptrfs:[0],esp
$
55
;
按f7后到此处。。。movebp,espsubesp,14
pushpush
64:A100000000.50 .64:892500000000 005D6F41005D6F47005D6F4A005D6F50005D6F53005D6F59005D6F5C005D6F62005D6F65005D6F6B005D6F6C005D6F6F005D6F72005D6F74 .. .FF153C144000 ; MSVBVM60.__vbaFreeStr calldwordptr leaecx,dwordptrss:[ebp-4C] calldwordptr leaecx,dwordptrss:[ebp-50] calldwordptr leaecx,dwordptrss:[ebp-58] calldwordptr leaecx,dwordptrss:[ebp-5C] calldwordptr retn movecx,dwordptrss:[ebp+8]movedx,dwordptrss:[ebp-48]movdwordptrds:[ecx],edxmoveax,dwordptrss:[ebp-44] ds:[<&MSVBVM60.__vbaFreeStr>] .8D4DB4 . FF153C144000 ; MSVBVM60.__vbaFreeStr ds:[<&MSVBVM60.__vbaFreeStr>] .8D4DB0 . FF153C144000 ; MSVBVM60.__vbaFreeStr ds:[<&MSVBVM60.__vbaFreeStr>] .8D4DA8 . FF153C144000 ; MSVBVM60.__vbaFreeStr ds:[<&MSVBVM60.__vbaFreeStr>] .8D4DA4 .C38B4D08 FF153C144000 ; MSVBVM60.__vbaFreeStr ds:[<&MSVBVM60.__vbaFreeStr>] .8B55B8.8911.8B45BC 005D6F77005D6F7A005D6F7D005D6F80005D6F83005D6F86005D6F89005D6F8C005D6F93005D6F94005D6F95005D6F96esp,ebp了 005D6F98005D6F990C .894104. 8B55C0.895108.8B45C4.89410C.8B4508.8B4DE0. 64:890D00000000.5F.5E.5B . 8BE5 movdwordptrds:[ecx+4],eaxmovedx,dwordptrss:[ebp-40]movdwordptrds:[ecx+8],edxmoveax,dwordptrss:[ebp-3C]movdwordptrds:[ecx+C],eaxmoveax,dwordptrss:[ebp+8]movecx,dwordptrss:[ebp-20]movdwordptrfs:[0],ecxpopedipopesipopebx mov ; 最终EDX中出现的就是真正的注册码popebp C20C00 ; 算法call结束,返回调用处 retn .5D . ----------------------------所用断点信息-------------------------------------------Breakpoints地址注释005D4B01005D4C46005D6590005D6910 emu8086emu8086emu8086emu8086 始终始终始终始终 cmpdwordptrss:[ebp-F8],0callemu8086.005D5F80 pushebppushebp 就先断在此处,开始往下调 这个call按f8也能过去,就是算法call开始时也要较验两次,看是否注册成功 开始时候判断是否注册,检查注册表和reg.ini文件,算法就在这儿了 模块 激活 反汇编 005D602A005D602F005D6035edi005D6037005D603A005D603B005D603E005D603F005D6041005D6047005D604C005D6051005D6052005D6054 .B974D46100 ... 
8B3DD0134000 movecx,emu8086.0061D474 movedi,dwordptr call ; <&MSVBVM60.__vbaStrMove>leaeax,dwordptrss:[ebp-54]pusheax leaecx,dwordptrss:[ebp-44]pushecxpush2 MSVBVM60.__vbaStrMove ds:[<&MSVBVM60.__vbaStrMove>>; FFD7 8D45AC .50.8D4DBC.51.6A02 ..... FF1550104000 calldwordptr moveax,emu8086.0043744Cmovecx,8pushecxmovedx,esp movdwordptrds:[edx],ecx ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList B84C744300518BD4890A.B908000000 005D6056005D6059005D605C005D605F .. 897204894208 .... 68A8084500 movdwordptrds:[edx+4],esimovdwordptrds:[edx+8],eaxmovdwordptrds:[edx+C],ebx push ;RegKey 68CC054500 ; 68F8724300 ;emu8086 FF1574134000 ; MSVBVM60.rtcGetSetting movdwordptrss:[ebp-3C],eaxmovdwordptrss:[ebp-44],8leaeax,dwordptrss:[ebp-44]pusheax leaecx,dwordptrss:[ebp-54]pushecx calldwordptr leaedx,dwordptrss:[ebp-54]pushedx calldwordptr movedx,eax movecx,emu8086.0061D478 call ; <&MSVBVM60.__vbaStrMove>leaeax,dwordptrss:[ebp-54]pusheax leaecx,dwordptrss:[ebp-44]pushecxpush2 FF1550104000 calldwordptr mov ;1movecx,8pushecxmovedx,esp movdwordptrds:[edx],ecx FFD7 calldwordptr Reg pushpush .895A0C emu8086.004508A8005D6064emu8086.004505CC005D6069emu8086.004372F8005D606E005D6074005D6077005D607E005D6081005D6082005D6085005D6086005D608C005D608F005D6090005D6096005D6098005D609Dedi 005D609F005D60A2005D60A3005D60A6005D60A7005D60A9005D60AF eax,emu8086.0043A0D0005D60B4005D60B9005D60BA005D60BC .B908000000.51.8BD4.890A.8D45AC....508D4DBC516A02......... ds:[<&MSVBVM60.#689>] 8945C4 C745BC08000000508D4DAC51. FF1530114000 ; .8D45BC ds:[<&MSVBVM60.#520>] .8D55AC.52 .8BD0B978D46100. MSVBVM60.rtcTrimVar FF1538104000 ds:[<&MSVBVM60.__vbaStrVarMove>>;MSVBVM60.__vbaStrVarMove ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList B8D0A04300 005D60BE005D60C1005D60C4005D60C7 .897204.894208.895A0C .... 
68BC084500 ; 68CC054500 ; 68F8724300 movdwordptrds:[edx+4],esimovdwordptrds:[edx+8],eaxmovdwordptrds:[edx+C],ebx push LicCount push Reg push ;emu8086 calldwordptr movdwordptrss:[ebp-3C],eaxmovdwordptrss:[ebp-44],8leaeax,dwordptrss:[ebp-44]pusheax leaecx,dwordptrss:[ebp-54]pushecx calldwordptr leaedx,dwordptrss:[ebp-54]pushedx leaeax,dwordptrss:[ebp-28]pusheax calldwordptr pusheax emu8086.004508BC005D60CCemu8086.004505CC005D60D1emu8086.004372F8005D60D6005D60DC005D60DF005D60E6005D60E9005D60EA005D60ED005D60EE005D60F4005D60F7005D60F8005D60FB005D60FC005D6102005D6103005D6109005D610F005D6115005D6118005D611E005D6121005D6122005D6125005D6126005D6128 . FF1574134000 ; ds:[<&MSVBVM60.#689>] .8945C4 .C745BC08000000.8D45BC.50.8D4DAC.51 . FF1530114000 ; MSVBVM60.rtcGetSetting ds:[<&MSVBVM60.#520>] .8D55AC.52.8D45D8.50.50.. MSVBVM60.rtcTrimVar FF15C4124000 MSVBVM60.__vbaStrVarVal ds:[<&MSVBVM60.__vbaStrVarVal>]; FF1540144000 ; MSVBVM60.rtcR8ValFromBstr FF159C134000 ;MSVBVM60.__vbaFpI2 calldwordptrcalldwordptr movwordptrds:[61D47C],axleaecx,dwordptrss:[ebp-28] calldwordptr leaecx,dwordptrss:[ebp-54]pushecx leaedx,dwordptrss:[ebp-44]pushedxpush2 ds:[<&MSVBVM60.#581>]ds:[<&MSVBVM60.__vbaFpI2>] .66:A37CD46100.8D4DD8 . FF153C144000 ; MSVBVM60.__vbaFreeStr ds:[<&MSVBVM60.__vbaFreeStr>] .8D4DAC....518D55BC526A02. FF1550104000calldwordptr ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList005D612E eax,emu8086.00439E74005D6133005D6138005D6139005D613B005D613D005D6140005D6143005D6146emu8086.004505D8005D614Bemu8086.004505CC . 68CC054500 ;Reg ...... B908000000518BD4897204894208895A0C. 68D8054500 ;NCHK push . 
B8749E4300 ;0movecx,8pushecxmovedx,esp movdwordptrds:[edx],ecxmovdwordptrds:[edx+4],esimovdwordptrds:[edx+8],eaxmovdwordptrds:[edx+C],ebx pushmov .890A Breakpoints地址注释005D4B01005D4C46005D6590005D6910 emu8086emu8086emu8086emu8086 始终始终始终始终 cmpdwordptrss:[ebp-F8],0callemu8086.005D5F80 pushebppushebp 就先断在此处,开始往下调 这个call按f8也能过去,就是算法call开始时也要较验两次,看是否注册成功 开始时候判断是否注册,检查注册表和reg.ini文件,算法就在这儿了-----------------------------reg.ini中所写数据---------------------------------------username=冰河之刃 regkey=3FRTQZXJKASERKKN837Cq=100 --------------------------------------------------------------------------------------谨以此教程送给那些一直关心我,帮助过我的人。是你们的帮助才让我的生活更加的轻松快乐。 愿你们天天都有一份好的心情。^_^2009年12月27日16时56分23秒【总结】 VB的程序其实也并不是太难破。只要找准位置下好断点,再加一点儿耐心,就没有做不到的事。 愚蠢的人总是人云亦云,别人说VB程序难破,他就也跟着说难破,你破了吗?亲自做过才有发言权。 神,其实也是人!只不过他做了别人做不到的事,所以他就成了神!如果还是不明白,请看视频教程: 模块 激活 反汇编 本篇教程视频版>> 因篇幅问题不能全部显示,请点此查看更多更全内容