• vb小程序浅析


    系统 : Windows xp

    程序 : BJCM10B

    程序下载地址 :http://pan.baidu.com/s/1dFyXe29

    要求 : 编写注册机

    使用工具 : OD

    可在看雪论坛中查找关于此程序的破文:传送门

     

    这个小程序本身算法不难,就是vb的函数调用方式真的太奇葩了,容易看得一头雾水。

    直接根据“good job, tell me how you do that!”字串找出关键算法:

     

    ; Fetch the user-name text and check that it is at least 2 characters long.
    ; NOTE(review): the call through [ecx+A0] looks like the control's Text getter (result lands in [ebp-2C]) - confirm.
    00404563   .  FFD3          call    ebx                                       ;  (initial cpu selection); <&MSVBVM60.__vbaObjSet>
    00404565   .  8B08          mov     ecx, dword ptr [eax]
    00404567   .  8D55 D4       lea     edx, dword ptr [ebp-2C]
    0040456A   .  52            push    edx
    0040456B   .  50            push    eax
    0040456C   .  8985 44FFFFFF mov     dword ptr [ebp-BC], eax
    00404572   .  FF91 A0000000 call    dword ptr [ecx+A0]
    00404578   .  3BC7          cmp     eax, edi
    0040457A   .  DBE2          fclex
    0040457C   .  7D 18         jge     short 00404596
    0040457E   .  8B8D 44FFFFFF mov     ecx, dword ptr [ebp-BC]
    00404584   .  68 A0000000   push    0A0
    00404589   .  68 00304000   push    00403000
    0040458E   .  51            push    ecx
    0040458F   .  50            push    eax
    00404590   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
    00404596   >  8B55 D4       mov     edx, dword ptr [ebp-2C]                   ;  user-name string
    00404599   .  52            push    edx                                       ; /String
    0040459A   .  FF15 10104000 call    dword ptr [<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
    004045A0   .  33C9          xor     ecx, ecx
    004045A2   .  83F8 02       cmp     eax, 2                                    ;  is the length at least 2?
    004045A5   .  0F9CC1        setl    cl                                        ;  cl = 1 when length < 2
    004045A8   .  F7D9          neg     ecx                                       ;  ecx = -1 when length < 2, else 0
    004045AA   .  898D 3CFFFFFF mov     dword ptr [ebp-C4], ecx                   ;  keep the "too short" flag across the frees below
    004045B0   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
    004045B3   .  FF15 D0104000 call    dword ptr [<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
    004045B9   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
    004045BC   .  FF15 D4104000 call    dword ptr [<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
    004045C2   .  66:39BD 3CFFF>cmp     word ptr [ebp-C4], di                     ;  presumably di = 0 here - confirm
    004045C9   .  0F84 8B000000 je      0040465A                                  ;  length is acceptable: jump straight to the serial computation
    ; Name too short: build the message-box arguments, show the box, free the temporaries and leave via 00404A2E.
    004045CF   .  8B1D B0104000 mov     ebx, dword ptr [<&MSVBVM60.__vbaVarDup>]  ;  MSVBVM60.__vbaVarDup
    004045D5   .  B9 04000280   mov     ecx, 80020004                             ;  NOTE(review): with type 0A below this looks like the "optional argument omitted" marker - confirm
    004045DA   .  894D 90       mov     dword ptr [ebp-70], ecx
    004045DD   .  B8 0A000000   mov     eax, 0A
    004045E2   .  894D A0       mov     dword ptr [ebp-60], ecx
    004045E5   .  BE 08000000   mov     esi, 8                                    ;  8 is written as the type word of both text variants below
    004045EA   .  8D95 68FFFFFF lea     edx, dword ptr [ebp-98]
    004045F0   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
    004045F3   .  8945 88       mov     dword ptr [ebp-78], eax
    004045F6   .  8945 98       mov     dword ptr [ebp-68], eax
    004045F9   .  C785 70FFFFFF>mov     dword ptr [ebp-90], 00403070              ;  you have to enter your name!
    00404603   .  89B5 68FFFFFF mov     dword ptr [ebp-98], esi
    00404609   .  FFD3          call    ebx                                       ;  <&MSVBVM60.__vbaVarDup>
    0040460B   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
    00404611   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
    00404614   .  C745 80 14304>mov     dword ptr [ebp-80], 00403014              ;  name must be at least two characters long!
    0040461B   .  89B5 78FFFFFF mov     dword ptr [ebp-88], esi
    00404621   .  FFD3          call    ebx
    00404623   .  8D55 88       lea     edx, dword ptr [ebp-78]
    00404626   .  8D45 98       lea     eax, dword ptr [ebp-68]
    00404629   .  52            push    edx
    0040462A   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
    0040462D   .  50            push    eax
    0040462E   .  51            push    ecx
    0040462F   .  8D55 B8       lea     edx, dword ptr [ebp-48]
    00404632   .  57            push    edi
    00404633   .  52            push    edx
    00404634   .  FF15 3C104000 call    dword ptr [<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox
    0040463A   .  8D45 88       lea     eax, dword ptr [ebp-78]
    0040463D   .  8D4D 98       lea     ecx, dword ptr [ebp-68]
    00404640   .  50            push    eax
    00404641   .  8D55 A8       lea     edx, dword ptr [ebp-58]
    00404644   .  51            push    ecx
    00404645   .  8D45 B8       lea     eax, dword ptr [ebp-48]
    00404648   .  52            push    edx
    00404649   .  50            push    eax
    0040464A   .  6A 04         push    4                                         ;  four variants to release
    0040464C   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaFreeVarList>]  ;  MSVBVM60.__vbaFreeVarList
    00404652   .  83C4 14       add     esp, 14
    00404655   .  E9 D4030000   jmp     00404A2E                                  ;  target lies outside this excerpt
    ; Core of the check, part 1: take the leftmost and the rightmost character of the name,
    ; convert each to its character code and add the two codes (16-bit add with overflow trap).
    ; On this path ebx still holds __vbaObjSet: the reload at 004045CF is only executed on the error path.
    0040465A   >  8B0E          mov     ecx, dword ptr [esi]
    0040465C   .  56            push    esi
    0040465D   .  FF91 0C030000 call    dword ptr [ecx+30C]                       ;  NOTE(review): presumably returns the name control - confirm
    00404663   .  8D55 CC       lea     edx, dword ptr [ebp-34]
    00404666   .  50            push    eax
    00404667   .  52            push    edx
    00404668   .  FFD3          call    ebx
    0040466A   .  8B06          mov     eax, dword ptr [esi]
    0040466C   .  56            push    esi
    0040466D   .  FF90 0C030000 call    dword ptr [eax+30C]                       ;  same call again; second reference goes to [ebp-38]
    00404673   .  8D4D C8       lea     ecx, dword ptr [ebp-38]
    00404676   .  50            push    eax
    00404677   .  51            push    ecx
    00404678   .  FFD3          call    ebx
    0040467A   .  8B45 CC       mov     eax, dword ptr [ebp-34]
    0040467D   .  8D55 B8       lea     edx, dword ptr [ebp-48]
    00404680   .  8945 C0       mov     dword ptr [ebp-40], eax
    00404683   .  6A 01         push    1                                         ;  character count = 1
    00404685   .  8D45 A8       lea     eax, dword ptr [ebp-58]
    00404688   .  52            push    edx
    00404689   .  50            push    eax
    0040468A   .  897D CC       mov     dword ptr [ebp-34], edi
    0040468D   .  C745 B8 09000>mov     dword ptr [ebp-48], 9                     ;  type word 9 for the variant holding the object reference
    00404694   .  FF15 B4104000 call    dword ptr [<&MSVBVM60.#617>]              ;  MSVBVM60.rtcLeftCharVar
    0040469A   .  8B45 C8       mov     eax, dword ptr [ebp-38]
    0040469D   .  8D4D 98       lea     ecx, dword ptr [ebp-68]
    004046A0   .  6A 01         push    1                                         ;  character count = 1
    004046A2   .  8D55 88       lea     edx, dword ptr [ebp-78]
    004046A5   .  51            push    ecx
    004046A6   .  52            push    edx
    004046A7   .  897D C8       mov     dword ptr [ebp-38], edi
    004046AA   .  8945 A0       mov     dword ptr [ebp-60], eax
    004046AD   .  C745 98 09000>mov     dword ptr [ebp-68], 9
    004046B4   .  FF15 C0104000 call    dword ptr [<&MSVBVM60.#619>]              ;  MSVBVM60.rtcRightCharVar
    004046BA   .  8B3D 80104000 mov     edi, dword ptr [<&MSVBVM60.__vbaStrVarVal>;  MSVBVM60.__vbaStrVarVal
    004046C0   .  8D45 88       lea     eax, dword ptr [ebp-78]                   ;  [ebp-78] = result of rtcRightCharVar (last character)
    004046C3   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
    004046C6   .  50            push    eax                                       ; /String8
    004046C7   .  51            push    ecx                                       ; |ARG2
    004046C8   .  FFD7          call    edi                                       ; \__vbaStrVarVal
    004046CA   .  50            push    eax                                       ; /String
    004046CB   .  FF15 24104000 call    dword ptr [<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
    004046D1   .  66:8BD0       mov     dx, ax                                    ;  ^ the call returns the character code
    004046D4   .  8D45 A8       lea     eax, dword ptr [ebp-58]                   ;  [ebp-58] = result of rtcLeftCharVar (first character)
    004046D7   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
    004046DA   .  50            push    eax                                       ; /String8
    004046DB   .  51            push    ecx                                       ; |ARG2
    004046DC   .  66:8995 26FFF>mov     word ptr [ebp-DA], dx                     ; |
    004046E3   .  FFD7          call    edi                                       ; \__vbaStrVarVal
    004046E5   .  50            push    eax                                       ; /String
    004046E6   .  FF15 24104000 call    dword ptr [<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
    004046EC   .  66:8B95 26FFF>mov     dx, word ptr [ebp-DA]
    004046F3   .  8D4D D8       lea     ecx, dword ptr [ebp-28]
    004046F6   .  66:03D0       add     dx, ax                                    ;  first character code + last character code
    004046F9   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 2                     ;  type word 2 for the variant that receives the 16-bit sum
    00404703   .  0F80 94030000 jo      00404A9D                                  ;  signed 16-bit overflow leaves through 00404A9D (outside this excerpt)
    00404709   .  66:8955 80    mov     word ptr [ebp-80], dx                     ;  store the sum
    0040470D   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
    00404713   .  FF15 08104000 call    dword ptr [<&MSVBVM60.__vbaVarMove>]      ;  MSVBVM60.__vbaVarMove
    ; Release the temporaries of the previous step: two strings, two object references, four variants.
    00404719   .  8D45 D0       lea     eax, dword ptr [ebp-30]
    0040471C   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
    0040471F   .  50            push    eax
    00404720   .  51            push    ecx
    00404721   .  6A 02         push    2
    00404723   .  FF15 9C104000 call    dword ptr [<&MSVBVM60.__vbaFreeStrList>]  ;  MSVBVM60.__vbaFreeStrList
    00404729   .  8D55 C8       lea     edx, dword ptr [ebp-38]
    0040472C   .  8D45 CC       lea     eax, dword ptr [ebp-34]
    0040472F   .  52            push    edx
    00404730   .  50            push    eax
    00404731   .  6A 02         push    2
    00404733   .  FF15 20104000 call    dword ptr [<&MSVBVM60.__vbaFreeObjList>]  ;  MSVBVM60.__vbaFreeObjList
    00404739   .  8D4D 88       lea     ecx, dword ptr [ebp-78]
    0040473C   .  8D55 98       lea     edx, dword ptr [ebp-68]
    0040473F   .  51            push    ecx
    00404740   .  8D45 A8       lea     eax, dword ptr [ebp-58]
    00404743   .  52            push    edx
    00404744   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
    00404747   .  50            push    eax
    00404748   .  51            push    ecx
    00404749   .  6A 04         push    4
    0040474B   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaFreeVarList>]  ;  MSVBVM60.__vbaFreeVarList
    00404751   .  83C4 2C       add     esp, 2C                                   ;  drop the arguments of the three list-free calls in one go
    ; Core of the check, part 2: multiply the sum in [ebp-28] by 999999, convert the product to a
    ; 32-bit integer and keep it in [ebp-18]; then read the text the user typed as the serial.
    00404754   .  8D55 D8       lea     edx, dword ptr [ebp-28]
    00404757   .  8D85 78FFFFFF lea     eax, dword ptr [ebp-88]
    0040475D   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
    00404760   .  52            push    edx                                       ; /var18
    00404761   .  50            push    eax                                       ; |var28
    00404762   .  51            push    ecx                                       ; |SaveTo8
    00404763   .  C745 80 3F420>mov     dword ptr [ebp-80], 0F423F                ; |  0F423F hex = 999999 decimal
    0040476A   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 3                     ; |
    00404774   .  FF15 6C104000 call    dword ptr [<&MSVBVM60.__vbaVarMul>]       ; \__vbaVarMul
    0040477A   .  50            push    eax                                       ;  sum * 999999 = serial number
    0040477B   .  FF15 AC104000 call    dword ptr [<&MSVBVM60.__vbaI4Var>]        ;  MSVBVM60.__vbaI4Var
    00404781   .  8B16          mov     edx, dword ptr [esi]
    00404783   .  56            push    esi
    00404784   .  8945 E8       mov     dword ptr [ebp-18], eax                   ;  the computed serial number is saved here
    00404787   .  FF92 FC020000 call    dword ptr [edx+2FC]                       ;  NOTE(review): presumably returns the serial control - confirm
    0040478D   .  50            push    eax
    0040478E   .  8D45 CC       lea     eax, dword ptr [ebp-34]
    00404791   .  50            push    eax
    00404792   .  FFD3          call    ebx
    00404794   .  8BF8          mov     edi, eax
    00404796   .  8D55 D4       lea     edx, dword ptr [ebp-2C]
    00404799   .  52            push    edx
    0040479A   .  57            push    edi
    0040479B   .  8B0F          mov     ecx, dword ptr [edi]
    0040479D   .  FF91 A0000000 call    dword ptr [ecx+A0]                        ;  same [..+A0] call as for the name; result lands in [ebp-2C]
    004047A3   .  85C0          test    eax, eax
    004047A5   .  DBE2          fclex
    004047A7   .  7D 12         jge     short 004047BB
    004047A9   .  68 A0000000   push    0A0
    004047AE   .  68 00304000   push    00403000
    004047B3   .  57            push    edi
    004047B4   .  50            push    eax
    004047B5   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
    ; Reject an empty serial field before doing the real comparison.
    004047BB   >  8B45 D4       mov     eax, dword ptr [ebp-2C]                   ;  fetch the entered serial
    004047BE   .  50            push    eax
    004047BF   .  68 B0304000   push    004030B0                                  ;  empty string
    004047C4   .  FF15 58104000 call    dword ptr [<&MSVBVM60.__vbaStrCmp>]       ;  MSVBVM60.__vbaStrCmp
    004047CA   .  8BF8          mov     edi, eax
    004047CC   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
    004047CF   .  F7DF          neg     edi                                       ;  carry is set when the compare result is non-zero
    004047D1   .  1BFF          sbb     edi, edi
    004047D3   .  47            inc     edi
    004047D4   .  F7DF          neg     edi                                       ;  edi = -1 when the compare returned 0 (field empty), else 0
    004047D6   .  FF15 D0104000 call    dword ptr [<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
    004047DC   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
    004047DF   .  FF15 D4104000 call    dword ptr [<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
    004047E5   .  66:85FF       test    di, di
    004047E8   .  0F84 81000000 je      0040486F                                  ;  field not empty: go on to the comparison
    ; Empty serial: build the "wrong serial" message box, show it and leave via 00404A21.
    ; The four variant pointers pushed at the end are presumably released at 00404A21 (outside this excerpt).
    004047EE   .  8B3D B0104000 mov     edi, dword ptr [<&MSVBVM60.__vbaVarDup>]  ;  MSVBVM60.__vbaVarDup
    004047F4   .  B9 04000280   mov     ecx, 80020004
    004047F9   .  894D 90       mov     dword ptr [ebp-70], ecx
    004047FC   .  B8 0A000000   mov     eax, 0A
    00404801   .  894D A0       mov     dword ptr [ebp-60], ecx
    00404804   .  BE 08000000   mov     esi, 8
    00404809   .  8D95 68FFFFFF lea     edx, dword ptr [ebp-98]
    0040480F   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
    00404812   .  8945 88       mov     dword ptr [ebp-78], eax
    00404815   .  8945 98       mov     dword ptr [ebp-68], eax
    00404818   .  C785 70FFFFFF>mov     dword ptr [ebp-90], 004030E0              ;  wrong serial!
    00404822   .  89B5 68FFFFFF mov     dword ptr [ebp-98], esi
    00404828   .  FFD7          call    edi                                       ;  <&MSVBVM60.__vbaVarDup>
    0040482A   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
    00404830   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
    00404833   .  C745 80 B8304>mov     dword ptr [ebp-80], 004030B8              ;  sorry, try again!
    0040483A   .  89B5 78FFFFFF mov     dword ptr [ebp-88], esi
    00404840   .  FFD7          call    edi
    00404842   .  8D4D 88       lea     ecx, dword ptr [ebp-78]
    00404845   .  8D55 98       lea     edx, dword ptr [ebp-68]
    00404848   .  51            push    ecx
    00404849   .  8D45 A8       lea     eax, dword ptr [ebp-58]
    0040484C   .  52            push    edx
    0040484D   .  50            push    eax
    0040484E   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
    00404851   .  6A 00         push    0
    00404853   .  51            push    ecx
    00404854   .  FF15 3C104000 call    dword ptr [<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox
    0040485A   .  8D55 88       lea     edx, dword ptr [ebp-78]
    0040485D   .  8D45 98       lea     eax, dword ptr [ebp-68]
    00404860   .  52            push    edx
    00404861   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
    00404864   .  50            push    eax
    00404865   .  8D55 B8       lea     edx, dword ptr [ebp-48]
    00404868   .  51            push    ecx
    00404869   .  52            push    edx
    0040486A   .  E9 B2010000   jmp     00404A21
    ; Final comparison: turn the computed serial in [ebp-18] into a string and compare it with the
    ; text the user entered. The excerpt ends at the compare; the branch on its result is not shown.
    0040486F   >  8B0E          mov     ecx, dword ptr [esi]
    00404871   .  8D45 E8       lea     eax, dword ptr [ebp-18]                   ;  address of the computed serial
    00404874   .  56            push    esi
    00404875   .  8945 80       mov     dword ptr [ebp-80], eax
    00404878   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 4003                  ;  type word 4003: variant refers to the 32-bit integer at [ebp-18] by address
    00404882   .  FF91 FC020000 call    dword ptr [ecx+2FC]
    00404888   .  8D55 CC       lea     edx, dword ptr [ebp-34]
    0040488B   .  50            push    eax
    0040488C   .  52            push    edx
    0040488D   .  FFD3          call    ebx
    0040488F   .  8BF0          mov     esi, eax
    00404891   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
    00404894   .  51            push    ecx
    00404895   .  56            push    esi
    00404896   .  8B06          mov     eax, dword ptr [esi]
    00404898   .  FF90 A0000000 call    dword ptr [eax+A0]                        ;  entered serial text is read into [ebp-2C] again
    0040489E   .  85C0          test    eax, eax
    004048A0   .  DBE2          fclex
    004048A2   .  7D 12         jge     short 004048B6
    004048A4   .  68 A0000000   push    0A0
    004048A9   .  68 00304000   push    00403000
    004048AE   .  56            push    esi
    004048AF   .  50            push    eax
    004048B0   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
    004048B6   >  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
    004048BC   .  52            push    edx                                       ;  v the call below returns a string
    004048BD   .  FF15 84104000 call    dword ptr [<&MSVBVM60.#536>]              ;  MSVBVM60.rtcStrFromVar
    004048C3   .  8BD0          mov     edx, eax                                  ;  NOTE(review): this is VB's Str(), which puts a leading space before non-negative numbers
    004048C5   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
    004048C8   .  FF15 BC104000 call    dword ptr [<&MSVBVM60.__vbaStrMove>]      ;  MSVBVM60.__vbaStrMove
    004048CE   .  50            push    eax
    004048CF   .  8B45 D4       mov     eax, dword ptr [ebp-2C]
    004048D2   .  50            push    eax                                       ;  compare the entered serial with the computed one
    004048D3   .  FF15 58104000 call    dword ptr [<&MSVBVM60.__vbaStrCmp>]       ;  MSVBVM60.__vbaStrCmp

     

    整段代码的功能其实很简单:用户名长度不小于2时,取首、尾两个字符的字符码相加,再乘以999999,把结果转成字符串后与输入的序列号比较。用MFC可以这么写:

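        // Keygen core for the crackme analysed above:
        // serial = (code of first character + code of last character) * 999999,
        // formatted the way the target formats its own value before comparing.
        CString str;
        GetDlgItemText( IDC_EDIT_NAME,str );                    // Read the user name from the edit box.
        int len = str.GetLength();

        if ( len >= 2 ){                                        // The target rejects names shorter than two characters.
            // Convert through unsigned char: with a plain (signed) char, bytes >= 0x80 would be
            // sign-extended to negative values and the sum would no longer match the character codes.
            // NOTE(review): assumes an MBCS build and single-byte characters in the name;
            // double-byte characters are not handled here - confirm against the target if needed.
            unsigned int first = static_cast<unsigned char>( str[0] );
            unsigned int last  = static_cast<unsigned char>( str[len-1] );
            unsigned int res = (first + last) * 999999;         // At most 510 * 999999, which fits in 32 bits.

            CString PassWord;
            // The leading space is deliberate: the target converts its number with rtcStrFromVar,
            // which prefixes non-negative values with a space. %u matches the unsigned int argument.
            PassWord.Format( " %u",res );
            SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
        }
        else
            MessageBox( "用户名格式错误!" );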

    再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("Keygen"));

    运行效果:

     

  • 原文地址:https://www.cnblogs.com/ZRBYYXDM/p/5904818.html