进位专家算法分析 cracked by stasi-软件逆向-看雪-安全社区|安全招聘|kanxue.com

进位专家算法分析 cracked by stasi

发表于: 2004-7-30 09:40 6160

进位专家算法分析 cracked by stasi

zhlgame

2004-7-30 09:40

6160

这篇不是我本人写的，感谢stasi的破文，在此转贴过来
------------------------------------------------------
【破解作者】 stasi[FCG][DFCG][OCN][CZG][D.4s]
【作者邮箱】 [email]stasi@163.com[/email]
【作者主页】 stasi.126.com
【使用工具】 ollydbg peid0.92 Import REC
【破解平台】 Win9x/NT/2000/XP
【软件名称】进位专家
【下载地址】 746K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0g2V1j5h3W2Q4x3X3g2F1k6h3q4K6k6g2)9J5k6h3&6W2N6q4)9J5c8Y4y4G2k6Y4c8Q4x3V1k6%4j5h3W2Q4x3V1k6B7K9h3&6%4P5X3A6Q4x3X3g2J5j5i4t1`.

【软件简介】进位专家是配合WPE使用的绝佳搭档，WPE拦截的封包都是16进制的，看起来非常不方便，
         本程序可以直接翻译16进制到10进制，并且支持进制转换和直接16进制查字符。如果您
         要修改网络游戏，对于处理数据那是经常的事，所以，进位专家是必须具备的工具。科
         技极大地提高您的工作效率。

【软件大小】 600 K
【加壳方式】无
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
------------------------------------------------------------------------------------------------
【破解内容】

刚加入[CZG]，论坛上走马观花，发现论坛的风气还是很好的，管理也是井井有条的：）
看能帮点什么忙，见有人破解进位专家，不能写注册机，只能爆破。随手down下看，算法不难，就写篇文章打发下午。

用Peid查壳，发现是用VB写的。
用VBDE这个软件打开“进位专家.exe”，选择Procedures，选择Form1,然后看到009330 cmdUP_Click。遇到VB程序，
VBDE可以说是很好用的，只要简单分析一下，就可以找到合适的断点位置。这里通过分析，Form1就是开头进入软件
要求注册的窗口，而cmd_Exit_Click应该是“退出”按钮，而cmdHelp_Click则是帮助按键，那么剩下的cmdUp_Click
就是登陆了。也就是我们要拦截的。可以看到Offset是009330，加上基地址400000，就是地址409330。

用OD打开程序，在409330下断，F9运行
输入：
用户名：stasi@163.com
密码  ：9999999999999
按登陆，拦截到下面：

00409330    55                push ebp
00409331    8BEC                mov ebp,esp
00409333    83EC 0C             sub esp,0C
00409336    68 36124000       push
0040933B    64:A1 00000000    mov eax,dword ptr fs:[0]
00409341    50                push eax
00409342    64:8925 00000000    mov dword ptr fs:[0],esp
00409349    81EC BC000000       sub esp,0BC
0040934F    53                push ebx
00409350    56                push esi
00409351    57                push edi
00409352    8965 F4             mov dword ptr ss:[ebp-C],esp
00409355    C745 F8 10114000    mov dword ptr ss:[ebp-8],进位专家.00401110
0040935C    8B75 08             mov esi,dword ptr ss:[ebp+8]
0040935F    8BC6                mov eax,esi
00409361    83E0 01             and eax,1
00409364    8945 FC             mov dword ptr ss:[ebp-4],eax
00409367    83E6 FE             and esi,FFFFFFFE
0040936A    56                push esi
0040936B    8975 08             mov dword ptr ss:[ebp+8],esi
0040936E    8B0E                mov ecx,dword ptr ds:[esi]
00409370    FF51 04             call dword ptr ds:[ecx+4]
00409373    33FF                xor edi,edi
00409375    BA 2C554000       mov edx,进位专家.0040552C
0040937A    8D4D DC             lea ecx,dword ptr ss:[ebp-24]
0040937D    897D E4             mov dword ptr ss:[ebp-1C],edi
00409380    897D E0             mov dword ptr ss:[ebp-20],edi
00409383    897D DC             mov dword ptr ss:[ebp-24],edi
00409386    897D D8             mov dword ptr ss:[ebp-28],edi
00409389    897D D4             mov dword ptr ss:[ebp-2C],edi
0040938C    897D D0             mov dword ptr ss:[ebp-30],edi
0040938F    897D C0             mov dword ptr ss:[ebp-40],edi
00409392    897D B0             mov dword ptr ss:[ebp-50],edi
00409395    897D A0             mov dword ptr ss:[ebp-60],edi
00409398    897D 90             mov dword ptr ss:[ebp-70],edi
0040939B    897D 80             mov dword ptr ss:[ebp-80],edi
0040939E    89BD 70FFFFFF       mov dword ptr ss:[ebp-90],edi
004093A4    FF15 A4104000       call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCopy
004093AA    8B16                mov edx,dword ptr ds:[esi]
004093AC    56                push esi
004093AD    FF92 10030000       call dword ptr ds:[edx+310]
004093B3    50                push eax
004093B4    8D45 D0             lea eax,dword ptr ss:[ebp-30]
004093B7    50                push eax
004093B8    FF15 3C104000       call dword ptr ds:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSet
004093BE    8BD8                mov ebx,eax
004093C0    8D55 D4             lea edx,dword ptr ss:[ebp-2C]
004093C3    52                push edx
004093C4    53                push ebx
004093C5    8B0B                mov ecx,dword ptr ds:[ebx]
004093C7    FF91 A0000000       call dword ptr ds:[ecx+A0]
004093CD    3BC7                cmp eax,edi
004093CF    DBE2                fclex
004093D1    7D 12             jge short 进位专家.004093E5
004093D3    68 A0000000       push 0A0
004093D8    68 30554000       push 进位专家.00405530
004093DD    53                push ebx
004093DE    50                push eax
004093DF    FF15 34104000       call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
004093E5    8B55 D4             mov edx,dword ptr ss:[ebp-2C]          用户名装入edx
004093E8    8B1D D8104000       mov ebx,dword ptr ds:[<&MSVBVM60.__vbaS>; 变量转移
004093EE    8D4D D8             lea ecx,dword ptr ss:[ebp-28]
004093F1    897D D4             mov dword ptr ss:[ebp-2C],edi
004093F4    FFD3                call ebx                               用户名装入eax
004093F6    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
004093F9    FF15 EC104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
004093FF    8B06                mov eax,dword ptr ds:[esi]
00409401    56                push esi
00409402    FF90 10030000       call dword ptr ds:[eax+310]
00409408    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
0040940B    50                push eax
0040940C    51                push ecx
0040940D    FF15 3C104000       call dword ptr ds:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSet
00409413    8B10                mov edx,dword ptr ds:[eax]
00409415    8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
00409418    51                push ecx
00409419    50                push eax
0040941A    8985 4CFFFFFF       mov dword ptr ss:[ebp-B4],eax
00409420    FF92 A0000000       call dword ptr ds:[edx+A0]
00409426    3BC7                cmp eax,edi
00409428    DBE2                fclex
0040942A    7D 18             jge short 进位专家.00409444
0040942C    8B95 4CFFFFFF       mov edx,dword ptr ss:[ebp-B4]
00409432    68 A0000000       push 0A0
00409437    68 30554000       push 进位专家.00405530
0040943C    52                push edx
0040943D    50                push eax
0040943E    FF15 34104000       call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00409444    8B45 D4             mov eax,dword ptr ss:[ebp-2C]
00409447    50                push eax                      用户名装入eax
00409448    68 44554000       push 进位专家.00405544
0040944D    FF15 5C104000       call dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCmp
00409453    8BF8                mov edi,eax                   eax=1
00409455    8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
00409458    F7DF                neg edi                      edi=ffffffff
0040945A    1BFF                sbb edi,edi                   带借位的减法
0040945C    47                inc edi
0040945D    F7DF                neg edi                      edi=00000000
0040945F    FF15 F0104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>;释放变量
00409465    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
00409468    FF15 EC104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
0040946E    66:85FF             test di,di
00409471    74 48             je short 进位专家.004094BB
00409473    8B3D C0104000       mov edi,dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarDup
00409479    B9 0A000000       mov ecx,0A
0040947E    B8 04000280       mov eax,80020004
00409483    894D 90             mov dword ptr ss:[ebp-70],ecx
00409486    894D A0             mov dword ptr ss:[ebp-60],ecx
00409489    BE 08000000       mov esi,8
0040948E    8D95 70FFFFFF       lea edx,dword ptr ss:[ebp-90]
00409494    8D4D B0             lea ecx,dword ptr ss:[ebp-50]
00409497    8945 98             mov dword ptr ss:[ebp-68],eax
0040949A    8945 A8             mov dword ptr ss:[ebp-58],eax
0040949D    C785 78FFFFFF 745540>mov dword ptr ss:[ebp-88],进位专家.00405574
004094A7    89B5 70FFFFFF       mov dword ptr ss:[ebp-90],esi
004094AD    FFD7                call edi
004094AF    C745 88 4C554000    mov dword ptr ss:[ebp-78],进位专家.0040554C
004094B6    E9 D1030000       jmp 进位专家.0040988C
004094BB    8B45 D8             mov eax,dword ptr ss:[ebp-28] [ebp-28]放的是用户名
004094BE    50                push eax                      eax压进去，为下面函数做准备
004094BF    FF15 10104000       call dword ptr ds:[<&MSVBVM60.__vbaLenB>; 标准的变量长度测算
004094C5    B9 0A000000       mov ecx,0A                      eax=10
004094CA    3BC1                cmp eax,ecx                   比较用户名是不是大于10
004094CC    7D 43             jge short 进位专家.00409511    这不明白？大于等于的转移指令，SF=OF
004094CE    8B3D C0104000       mov edi,dword ptr ds:[<&MSVBVM60.__vbaV>;
004094D4    B8 04000280       mov eax,80020004
004094D9    894D 90             mov dword ptr ss:[ebp-70],ecx
004094DC    894D A0             mov dword ptr ss:[ebp-60],ecx
004094DF    BE 08000000       mov esi,8
004094E4    8D95 70FFFFFF       lea edx,dword ptr ss:[ebp-90]
004094EA    8D4D B0             lea ecx,dword ptr ss:[ebp-50]
004094ED    8945 98             mov dword ptr ss:[ebp-68],eax
004094F0    8945 A8             mov dword ptr ss:[ebp-58],eax
004094F3    C785 78FFFFFF 745540>mov dword ptr ss:[ebp-88],进位专家.00405574
004094FD    89B5 70FFFFFF       mov dword ptr ss:[ebp-90],esi
00409503    FFD7                call edi
00409505    C745 88 80554000    mov dword ptr ss:[ebp-78],进位专家.00405580
0040950C    E9 7B030000       jmp 进位专家.0040988C
00409511    8B06                mov eax,dword ptr ds:[esi]
00409513    56                push esi
00409514    FF90 0C030000       call dword ptr ds:[eax+30C]
0040951A    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
0040951D    50                push eax
0040951E    51                push ecx
0040951F    FF15 3C104000       call dword ptr ds:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSet
00409525    8BF8                mov edi,eax
00409527    8D45 D4             lea eax,dword ptr ss:[ebp-2C]
0040952A    50                push eax
0040952B    57                push edi
0040952C    8B17                mov edx,dword ptr ds:[edi]
0040952E    FF92 A0000000       call dword ptr ds:[edx+A0]
00409534    85C0                test eax,eax
00409536    DBE2                fclex
00409538    7D 12             jge short 进位专家.0040954C
0040953A    68 A0000000       push 0A0
0040953F    68 30554000       push 进位专家.00405530
00409544    57                push edi
00409545    50                push eax
00409546    FF15 34104000       call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
0040954C    8B4D D4             mov ecx,dword ptr ss:[ebp-2C]
0040954F    51                push ecx                               试炼密码压进去
00409550    68 44554000       push 进位专家.00405544
00409555    FF15 5C104000       call dword ptr ds:[<&MSVBVM60.__vbaStrC>比较是否为空
0040955B    8BF8                mov edi,eax                            不为空eax=1
0040955D    8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
00409560    F7DF                neg edi
00409562    1BFF                sbb edi,edi
00409564    47                inc edi
00409565    F7DF                neg edi
00409567    FF15 F0104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>;借用完还是释放变量
0040956D    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
00409570    FF15 EC104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00409576    66:85FF             test di,di
00409579    74 7B             je short 进位专家.004095F6
0040957B    8B3D C0104000       mov edi,dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarDup
00409581    B9 0A000000       mov ecx,0A
00409586    B8 04000280       mov eax,80020004
0040958B    894D 90             mov dword ptr ss:[ebp-70],ecx
0040958E    894D A0             mov dword ptr ss:[ebp-60],ecx
00409591    BE 08000000       mov esi,8
00409596    8D95 70FFFFFF       lea edx,dword ptr ss:[ebp-90]
0040959C    8D4D B0             lea ecx,dword ptr ss:[ebp-50]
0040959F    8945 98             mov dword ptr ss:[ebp-68],eax
004095A2    8945 A8             mov dword ptr ss:[ebp-58],eax
004095A5    C785 78FFFFFF 745540>mov dword ptr ss:[ebp-88],进位专家.00405574
004095AF    89B5 70FFFFFF       mov dword ptr ss:[ebp-90],esi
004095B5    FFD7                call edi
004095B7    8D55 80             lea edx,dword ptr ss:[ebp-80]
004095BA    8D4D C0             lea ecx,dword ptr ss:[ebp-40]
004095BD    C745 88 A4554000    mov dword ptr ss:[ebp-78],进位专家.004055A4
004095C4    8975 80             mov dword ptr ss:[ebp-80],esi
004095C7    FFD7                call edi
004095C9    8D55 90             lea edx,dword ptr ss:[ebp-70]
004095CC    8D45 A0             lea eax,dword ptr ss:[ebp-60]
004095CF    52                push edx
004095D0    8D4D B0             lea ecx,dword ptr ss:[ebp-50]
004095D3    50                push eax
004095D4    51                push ecx
004095D5    8D55 C0             lea edx,dword ptr ss:[ebp-40]
004095D8    6A 40             push 40
004095DA    52                push edx
004095DB    FF15 40104000       call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
004095E1    8D45 90             lea eax,dword ptr ss:[ebp-70]
004095E4    8D4D A0             lea ecx,dword ptr ss:[ebp-60]
004095E7    50                push eax
004095E8    8D55 B0             lea edx,dword ptr ss:[ebp-50]
004095EB    51                push ecx
004095EC    8D45 C0             lea eax,dword ptr ss:[ebp-40]
004095EF    52                push edx
004095F0    50                push eax
004095F1    E9 C9020000       jmp 进位专家.004098BF
004095F6    8B4D D8             mov ecx,dword ptr ss:[ebp-28]    [ebp-28]放的是试炼的用户名
004095F9    51                push ecx                         用户名压进去，为下面的函数做准备
004095FA    FF15 10104000       call dword ptr ds:[<&MSVBVM60.__vbaLenB>; 取变量字符长度
00409600    8BC8                mov ecx,eax                   [email]stasi@163.com[/email]共13个字符，所以eax=d
00409602    FF15 60104000       call dword ptr ds:[<&MSVBVM60.__vbaI2I4>; MSVBVM60.__vbaI2I4
00409608    8985 3CFFFFFF       mov dword ptr ss:[ebp-C4],eax
0040960E    BF 01000000       mov edi,1
00409613    66:3BBD 3CFFFFFF    cmp di,word ptr ss:[ebp-C4]
0040961A    0F8F 97000000       jg 进位专家.004096B7          字符依次取出，结束就跳出算法循环
00409620    0FBFC7             movsx eax,di
00409623    8D55 D8             lea edx,dword ptr ss:[ebp-28]
00409626    8D4D 80             lea ecx,dword ptr ss:[ebp-80]
00409629    8955 88             mov dword ptr ss:[ebp-78],edx
0040962C    50                push eax
0040962D    8D55 C0             lea edx,dword ptr ss:[ebp-40]
00409630    51                push ecx
00409631    52                push edx
00409632    C745 80 08400000    mov dword ptr ss:[ebp-80],4008
00409639    FF15 DC104000       call dword ptr ds:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
0040963F    8D45 C0             lea eax,dword ptr ss:[ebp-40]
00409642    6A 01             push 1
00409644    8D4D B0             lea ecx,dword ptr ss:[ebp-50]
00409647    50                push eax
00409648    51                push ecx
00409649    FF15 D0104000       call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
0040964F    8D55 B0             lea edx,dword ptr ss:[ebp-50]
00409652    52                push edx
00409653    FF15 14104000       call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarMove
00409659    8BD0                mov edx,eax
0040965B    8D4D E0             lea ecx,dword ptr ss:[ebp-20]
0040965E    FFD3                call ebx
00409660    8D45 B0             lea eax,dword ptr ss:[ebp-50]
00409663    8D4D C0             lea ecx,dword ptr ss:[ebp-40]
00409666    50                push eax
00409667    51                push ecx
00409668    6A 02             push 2
0040966A    FF15 1C104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVarList
00409670    8B16                mov edx,dword ptr ds:[esi]
00409672    83C4 0C             add esp,0C
00409675    8D45 D4             lea eax,dword ptr ss:[ebp-2C]
00409678    8D4D E0             lea ecx,dword ptr ss:[ebp-20]
0040967B    50                push eax
0040967C    51                push ecx
0040967D    56                push esi
0040967E    FF92 04070000       call dword ptr ds:[edx+704]    取出每次计算完的数值
00409684    8B55 D4             mov edx,dword ptr ss:[ebp-2C]
00409687    8B45 DC             mov eax,dword ptr ss:[ebp-24]
0040968A    52                push edx
0040968B    50                push eax
0040968C    FF15 30104000       call dword ptr ds:[<&MSVBVM60.__vbaStrC>; 算法跟进

  6A2A4D6E M>  55                push ebp                      以下注意几个标准函数的计算
  6A2A4D6F    8BEC                mov ebp,esp
  6A2A4D71    8D45 08             lea eax,dword ptr ss:[ebp+8]
  6A2A4D74    50                push eax
  6A2A4D75    FF75 08             push dword ptr ss:[ebp+8]    变量准备
  6A2A4D78    FF75 0C             push dword ptr ss:[ebp+C]    同上
  6A2A4D7B    FF15 50EE386A       call dword ptr ds:[6A38EE50] call进

   77A10F48 O>  55                push ebp
   77A10F49    8BEC                mov ebp,esp
   77A10F4B    53                push ebx
   77A10F4C    56                push esi
   77A10F4D    8B75 08             mov esi,dword ptr ss:[ebp+8]
   77A10F50    57                push edi
   77A10F51    85F6                test esi,esi
   77A10F53    75 04             jnz short OLEAUT32.77A10F59
   77A10F55    33DB                xor ebx,ebx
   77A10F57    EB 03             jmp short OLEAUT32.77A10F5C
   77A10F59    8B5E FC             mov ebx,dword ptr ds:[esi-4]
   77A10F5C    8B45 0C             mov eax,dword ptr ss:[ebp+C] 先前计算所得数放进eax
   77A10F5F    85C0                test eax,eax                eax=0？
   77A10F61    75 05             jnz short OLEAUT32.77A10F68 这里有两种情况：
                                                                     1）第一次过这里，先前没有计算值
                                                                        则短跳，直接运算
                                                                     2）不是第一次过，则不跳
   77A10F63    2145 08             and dword ptr ss:[ebp+8],eax
   77A10F66    EB 06             jmp short OLEAUT32.77A10F6E
   77A10F68    8B40 FC             mov eax,dword ptr ds:[eax-4]
   77A10F6B    8945 08             mov dword ptr ss:[ebp+8],eax
   77A10F6E    8B45 08             mov eax,dword ptr ss:[ebp+8]
   77A10F71    03C3                add eax,ebx
   77A10F73    50                push eax
   77A10F74    6A 00             push 0
   77A10F76    E8 D585FAFF       call OLEAUT32.SysAllocStringByteLe> 取字符的ASCII的十进制数
   77A10F7B    8B4D 10             mov ecx,dword ptr ss:[ebp+10]    把取得的ascii码放到ecx
   77A10F7E    85C0                test eax,eax
   77A10F80    8901                mov dword ptr ds:[ecx],eax
   77A10F82    75 07             jnz short OLEAUT32.77A10F8B
   77A10F84    B8 0E000780       mov eax,8007000E
   77A10F89    EB 2B             jmp short OLEAUT32.77A10FB6
   77A10F8B    8BCB                mov ecx,ebx
   77A10F8D    8BF8                mov edi,eax
   77A10F8F    8BD1                mov edx,ecx
   77A10F91    C1E9 02             shr ecx,2                         ecx清空
   77A10F94    F3:A5             rep movs dword ptr es:[edi],dword >
   77A10F96    8BCA                mov ecx,edx
   77A10F98    83E1 03             and ecx,3
   77A10F9B    F3:A4             rep movs byte ptr es:[edi],byte pt>  取最后一位
   77A10F9D    8B4D 08             mov ecx,dword ptr ss:[ebp+8]
   77A10FA0    8B75 0C             mov esi,dword ptr ss:[ebp+C]       esi放的是上次计算所得数
   77A10FA3    8D3C18             lea edi,dword ptr ds:[eax+ebx]
   77A10FA6    8BC1                mov eax,ecx
   77A10FA8    C1E9 02             shr ecx,2
   77A10FAB    F3:A5             rep movs dword ptr es:[edi],dword >
   77A10FAD    8BC8                mov ecx,eax
   77A10FAF    83E1 03             and ecx,3
   77A10FB2    33C0                xor eax,eax
   77A10FB4    F3:A4             rep movs byte ptr es:[edi],byte pt>
   77A10FB6    5F                pop edi
   77A10FB7    5E                pop esi
   77A10FB8    5B                pop ebx
   77A10FB9    5D                pop ebp
   77A10FBA    C2 0C00             retn 0C

  6A2A4D81    85C0                test eax,eax                比较eax是不是为零
  6A2A4D83    0F8C 73220200       jl MSVBVM60.6A2C6FFC
  6A2A4D89    8B45 08             mov eax,dword ptr ss:[ebp+8]
  6A2A4D8C    5D                pop ebp
  6A2A4D8D    C2 0800             retn 8

00409692    8BD0                mov edx,eax
00409694    8D4D DC             lea ecx,dword ptr ss:[ebp-24]  把每次取出的数连接起来放
00409697    FFD3                call ebx
00409699    8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
0040969C    FF15 F0104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
004096A2    B8 01000000       mov eax,1
004096A7    66:03C7             add ax,di
004096AA    0F80 90020000       jo 进位专家.00409940    看是不是计算溢出
004096B0    8BF8                mov edi,eax
004096B2 ^ E9 5CFFFFFF       jmp 进位专家.00409613    没有取完就接下一个循环
004096B7    8B55 DC             mov edx,dword ptr ss:[ebp-24]
004096BA    8D4D DC             lea ecx,dword ptr ss:[ebp-24]
004096BD    52                push edx
004096BE    894D 88             mov dword ptr ss:[ebp-78],ecx
004096C1    C745 80 08400000    mov dword ptr ss:[ebp-80],4008
004096C8    FF15 10104000       call dword ptr ds:[<&MSVBVM60.__vbaLenB>; MSVBVM60.__vbaLenBstr
004096CE    83E8 01             sub eax,1
004096D1    8D4D C0             lea ecx,dword ptr ss:[ebp-40]
004096D4    0F80 66020000       jo 进位专家.00409940                查看eax的值
004096DA    50                push eax
004096DB    8D45 80             lea eax,dword ptr ss:[ebp-80]
004096DE    50                push eax
004096DF    51                push ecx
004096E0    FF15 D0104000       call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
004096E6    8D55 C0             lea edx,dword ptr ss:[ebp-40]
004096E9    52                push edx
004096EA    FF15 14104000       call dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarMove
004096F0    8BD0                mov edx,eax
004096F2    8D4D E4             lea ecx,dword ptr ss:[ebp-1C]
004096F5    FFD3                call ebx
004096F7    8D4D C0             lea ecx,dword ptr ss:[ebp-40]
004096FA    FF15 0C104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeVar
00409700    8B06                mov eax,dword ptr ds:[esi]
00409702    56                push esi
00409703    FF90 0C030000       call dword ptr ds:[eax+30C]
00409709    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
0040970C    50                push eax
0040970D    51                push ecx
0040970E    FF15 3C104000       call dword ptr ds:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSet
00409714    8BF0                mov esi,eax
00409716    8D45 D4             lea eax,dword ptr ss:[ebp-2C]
00409719    50                push eax
0040971A    56                push esi
0040971B    8B16                mov edx,dword ptr ds:[esi]
0040971D    FF92 A0000000       call dword ptr ds:[edx+A0]
00409723    85C0                test eax,eax
00409725    DBE2                fclex
00409727    7D 12             jge short 进位专家.0040973B
00409729    68 A0000000       push 0A0
0040972E    68 30554000       push 进位专家.00405530
00409733    56                push esi
00409734    50                push eax
00409735    FF15 34104000       call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
0040973B    8B4D D4             mov ecx,dword ptr ss:[ebp-2C] ecx见试炼密码
0040973E    8B55 E4             mov edx,dword ptr ss:[ebp-1C] edx见真密码
00409741    51                push ecx
00409742    52                push edx                      压入为比较做准备
00409743    FF15 5C104000       call dword ptr ds:[<&MSVBVM60.__vbaStrC>; vbaStrCmp比较
                                                                        先前用vbaStrCmp下断点更好！
00409749    8BF0                mov esi,eax
0040974B    8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
0040974E    F7DE                neg esi
00409750    1BF6                sbb esi,esi
00409752    46                inc esi
00409753    F7DE                neg esi
00409755    FF15 F0104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
0040975B    8D4D D0             lea ecx,dword ptr ss:[ebp-30]
0040975E    FF15 EC104000       call dword ptr ds:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00409764    66:85F6             test si,si
00409767    0F84 DC000000       je 进位专家.00409849
0040976D    A1 38D04000       mov eax,dword ptr ds:[40D038]
00409772    85C0                test eax,eax
00409774    75 10             jnz short 进位专家.00409786
00409776    68 38D04000       push 进位专家.0040D038
0040977B    68 D0444000       push 进位专家.004044D0
00409780    FF15 98104000       call dword ptr ds:[<&MSVBVM60.__vbaNew2>; MSVBVM60.__vbaNew2
00409786    83EC 10             sub esp,10
00409789    B9 0A000000       mov ecx,0A
0040978E    8BDC                mov ebx,esp
00409790    898D 70FFFFFF       mov dword ptr ss:[ebp-90],ecx
00409796    894D 80             mov dword ptr ss:[ebp-80],ecx
00409799    B8 04000280       mov eax,80020004
0040979E    890B                mov dword ptr ds:[ebx],ecx
004097A0    8B8D 74FFFFFF       mov ecx,dword ptr ss:[ebp-8C]
004097A6    8985 78FFFFFF       mov dword ptr ss:[ebp-88],eax
004097AC    8BD0                mov edx,eax
004097AE    894B 04             mov dword ptr ds:[ebx+4],ecx
004097B1    83EC 10             sub esp,10
004097B4    8B35 38D04000       mov esi,dword ptr ds:[40D038]
004097BA    8BCC                mov ecx,esp
004097BC    8943 08             mov dword ptr ds:[ebx+8],eax
004097BF    8B85 7CFFFFFF       mov eax,dword ptr ss:[ebp-84]
004097C5    8955 88             mov dword ptr ss:[ebp-78],edx
004097C8    8B3E                mov edi,dword ptr ds:[esi]
004097CA    8943 0C             mov dword ptr ds:[ebx+C],eax
004097CD    8B45 80             mov eax,dword ptr ss:[ebp-80]
004097D0    8901                mov dword ptr ds:[ecx],eax
004097D2    8B45 84             mov eax,dword ptr ss:[ebp-7C]
004097D5    56                push esi
004097D6    8941 04             mov dword ptr ds:[ecx+4],eax
004097D9    8951 08             mov dword ptr ds:[ecx+8],edx
004097DC    8B55 8C             mov edx,dword ptr ss:[ebp-74]
004097DF    8951 0C             mov dword ptr ds:[ecx+C],edx
004097E2    FF97 B0020000       call dword ptr ds:[edi+2B0]
004097E8    85C0                test eax,eax
004097EA    DBE2                fclex
004097EC    7D 12             jge short 进位专家.00409800
004097EE    68 B0020000       push 2B0
004097F3    68 EC554000       push 进位专家.004055EC
004097F8    56                push esi
004097F9    50                push eax
004097FA    FF15 34104000       call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00409800    A1 10D04000       mov eax,dword ptr ds:[40D010]
00409805    85C0                test eax,eax
00409807    75 10             jnz short 进位专家.00409819
00409809    68 10D04000       push 进位专家.0040D010
0040980E    68 7C304000       push 进位专家.0040307C
00409813    FF15 98104000       call dword ptr ds:[<&MSVBVM60.__vbaNew2>; MSVBVM60.__vbaNew2
00409819    8B35 10D04000       mov esi,dword ptr ds:[40D010]
0040981F    56                push esi
00409820    8B06                mov eax,dword ptr ds:[esi]
00409822    FF90 B4020000       call dword ptr ds:[eax+2B4]
00409828    85C0                test eax,eax
0040982A    DBE2                fclex
0040982C    0F8D 98000000       jge 进位专家.004098CA
00409832    68 B4020000       push 2B4
00409837    68 24534000       push 进位专家.00405324
0040983C    56                push esi
0040983D    50                push eax
0040983E    FF15 34104000       call dword ptr ds:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00409844    E9 81000000       jmp 进位专家.004098CA
00409849    8B3D C0104000       mov edi,dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarDup
0040984F    B9 0A000000       mov ecx,0A
00409854    B8 04000280       mov eax,80020004
00409859    894D 90             mov dword ptr ss:[ebp-70],ecx
0040985C    894D A0             mov dword ptr ss:[ebp-60],ecx
0040985F    BE 08000000       mov esi,8
00409864    8D95 70FFFFFF       lea edx,dword ptr ss:[ebp-90]
0040986A    8D4D B0             lea ecx,dword ptr ss:[ebp-50]
0040986D    8945 98             mov dword ptr ss:[ebp-68],eax
00409870    8945 A8             mov dword ptr ss:[ebp-58],eax
00409873    C785 78FFFFFF 745540>mov dword ptr ss:[ebp-88],进位专家.00405574
0040987D    89B5 70FFFFFF       mov dword ptr ss:[ebp-90],esi
00409883    FFD7                call edi
00409885    C745 88 D0564000    mov dword ptr ss:[ebp-78],进位专家.004056D0
0040988C    8D55 80             lea edx,dword ptr ss:[ebp-80]
0040988F    8D4D C0             lea ecx,dword ptr ss:[ebp-40]
00409892    8975 80             mov dword ptr ss:[ebp-80],esi
00409895    FFD7                call edi
00409897    8D4D 90             lea ecx,dword ptr ss:[ebp-70]
0040989A    8D55 A0             lea edx,dword ptr ss:[ebp-60]
0040989D    51                push ecx
0040989E    8D45 B0             lea eax,dword ptr ss:[ebp-50]
004098A1    52                push edx
004098A2    50                push eax
004098A3    8D4D C0             lea ecx,dword ptr ss:[ebp-40]
004098A6    6A 40             push 40
004098A8    51                push ecx
004098A9    FF15 40104000       call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
                                                                        出现错误Msg

--------------------------------------------------------------------------------------------
【破解总结】

自己和二哥比起来，要懒很多了。程序好些日子不写了，就发现vb的语句都要查书了，赶紧要补一下，
免得让人笑话。
psFCG最近人气不错，但又要搬家了，欢迎到时光临论坛。
--------------------------------------------------------------------------------------------
【算法注册机】

--------------VB6.0在WIN2000 sp4下编译通过--------------

Dim regcode As String '定义变量
Dim regname As String
Dim reglen As String
Dim i As Integer
Dim l As Integer

Private Sub Command1_Click()
regname = Text1.Text '获取输入的用户名
reglen = Len(regname) '获取输入的用户名字符长度
If reglen < 10 Then    '用户名长度不能小于10
  MsgBox ("请输入长度大于十位的用户名"
Else
End If
regcode = "You are so lucky today!stasi tells you what the code here is :"
For i = 1 To reglen
l = AscB(Mid(regname, i, 1)) '取用户名每位字符的ASCII的十进制数
l = l Mod 10
regcode = regcode & l       '字符顺次连接
Next i
Text2.Text = regcode
End Sub

------------------------------------------------------------------------------------------
【爆破地址】

   00409767 0F84 DC000000
改为 00409767 0F85 DC000000       就OK

不过软件采用登入方式，不形成注册码保留，所以最好爆破注册的NAG，方便使用：）

------------------------------------------------------------------------------------------
【用户名、密码】

用户名：stasi@163.com
密码  ：5675549416919

------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
                                             2004-7-29

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・0

免费・2

支持

最新回复 (2)
stasi 雪币： 298 活跃值： (512) 能力值： ( LV12，RANK：490 ) 在线值：发帖 21 回帖 127 粉丝 2 关注私信	stasi 12 2 楼 psFCG最近人气不错，但又要搬家了，欢迎到时光临论坛。改一下原来是ps:DFCG最近。。。。。。转贴注意保持原样！ 2004-7-30 10:12 0
aqtata 雪币： 319 活跃值： (1531) 能力值： ( LV7，RANK：100 ) 在线值：发帖 76 回帖 358 粉丝 2 关注私信	aqtata 2 3 楼 psFCG 呵呵，这是怎么复制的 2004-7-30 10:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

zhlgame

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
stasi 雪币： 298 活跃值： (512) 能力值： ( LV12，RANK：490 ) 在线值：发帖 21 回帖 127 粉丝 2 关注私信	stasi 12 2 楼 psFCG最近人气不错，但又要搬家了，欢迎到时光临论坛。改一下原来是ps:DFCG最近。。。。。。转贴注意保持原样！ 2004-7-30 10:12 0
aqtata 雪币： 319 活跃值： (1531) 能力值： ( LV7，RANK：100 ) 在线值：发帖 76 回帖 358 粉丝 2 关注私信	aqtata 2 3 楼 psFCG 呵呵，这是怎么复制的 2004-7-30 10:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复