Run the program first:
The interface is very simple: type the serial, press the button, and the Status field next to it shows whether the serial is correct.
Then check it with DIE:
Still VB, no packer.
Since it is VB, we use the VB static analysis tool again:
There are quite a few controls here, but a quick look shows that only these four event handlers carry any important information:
Opening the four handlers one by one, a pattern emerges:
Every piece of code is similar except for one long string, so these strings appear to be the key. With so many strings, how do we decide which one is the real key?
Look at the logic of the code above:
It shows that the code we enter is converted to hexadecimal, so the key below must also be valid hexadecimal; that lets us rule out some of the candidates.
In the end we find the one key that is valid hexadecimal:
Then we go into OD (OllyDbg) to look at the serial registration process in detail:
00406EDC > /85C0 test eax,eax
00406EDE . |0F84 29010000 je Andréna.0040700D
00406EE4 . |8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
00406EE7 . |6A 02 push 0x2
00406EE9 . |8D55 8C lea edx,dword ptr ss:[ebp-0x74]
00406EEC . |51 push ecx
00406EED . |52 push edx
00406EEE . |FFD3 call ebx ; msvbvm60.rtcLeftCharVar
00406EF0 . |8D45 8C lea eax,dword ptr ss:[ebp-0x74]
00406EF3 . |8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
00406EF6 . |50 push eax
00406EF7 . |51 push ecx
00406EF8 . |FFD6 call esi ; take the first two characters of the trial serial
00406EFA . |50 push eax
00406EFB . |FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#rtcR8ValFrom>; convert to floating point
00406F01 . |DD9D 34FFFFFF fstp qword ptr ss:[ebp-0xCC]
00406F07 . |8D55 9C lea edx,dword ptr ss:[ebp-0x64]
00406F0A . |8D45 DC lea eax,dword ptr ss:[ebp-0x24]
00406F0D . |52 push edx
00406F0E . |50 push eax
00406F0F . |C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1
00406F16 . |C745 9C 02000>mov dword ptr ss:[ebp-0x64],0x2
00406F1D . |FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; msvbvm60.__vbaI4Var
00406F23 . |8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
00406F26 . |50 push eax
00406F27 . |8D55 B8 lea edx,dword ptr ss:[ebp-0x48]
00406F2A . |51 push ecx
00406F2B . |52 push edx
00406F2C . |FFD6 call esi ; msvbvm60.__vbaStrVarVal
00406F2E . |50 push eax
00406F2F . |FF15 4C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCharBs>; take the i-th character
00406F35 . |8BD0 mov edx,eax
00406F37 . |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00406F3A . |FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>>; msvbvm60.__vbaStrMove
00406F40 . |50 push eax ; /String = 00000001 ???
00406F41 . |FF15 20104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValue>; get the ASCII code
00406F47 . |0FBFC0 movsx eax,ax ; store the ASCII code, treated as hex
00406F4A . |8985 F0FCFFFF mov dword ptr ss:[ebp-0x310],eax
00406F50 . |8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00406F56 . |DB85 F0FCFFFF fild dword ptr ss:[ebp-0x310] ; convert to decimal (load the integer into the FPU)
00406F5C . |51 push ecx
00406F5D . |C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x5
00406F67 . |DD9D E8FCFFFF fstp qword ptr ss:[ebp-0x318]
00406F6D . |DD85 E8FCFFFF fld qword ptr ss:[ebp-0x318]
00406F73 . |DC85 34FFFFFF fadd qword ptr ss:[ebp-0xCC] ; add the first two digits to the i-th character
00406F79 . |DD5D 84 fstp qword ptr ss:[ebp-0x7C]
00406F7C . |DFE0 fstsw ax
00406F7E . |A8 0D test al,0xD
00406F80 . |0F85 D61D0000 jnz Andréna.00408D5C
00406F86 . |FF15 94104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFr>; convert to hexadecimal
00406F8C . |8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
00406F92 . |8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00406F95 . |8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]
00406F9B . |52 push edx
00406F9C . |8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00406FA2 . |50 push eax
00406FA3 . |51 push ecx
00406FA4 . |C785 6CFFFFFF>mov dword ptr ss:[ebp-0x94],0x8
00406FAE . |FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate the strings
00406FB4 . |8BD0 mov edx,eax
00406FB6 . |8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00406FB9 . |FFD7 call edi ; msvbvm60.__vbaVarMove
00406FBB . |8D55 B0 lea edx,dword ptr ss:[ebp-0x50]
00406FBE . |8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00406FC1 . |52 push edx
00406FC2 . |8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00406FC5 . |50 push eax
00406FC6 . |51 push ecx
00406FC7 . |6A 03 push 0x3
00406FC9 . |FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrL>; msvbvm60.__vbaFreeStrList
00406FCF . |8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00406FD5 . |8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00406FDB . |52 push edx
00406FDC . |8D4D 8C lea ecx,dword ptr ss:[ebp-0x74]
00406FDF . |50 push eax
00406FE0 . |8D55 9C lea edx,dword ptr ss:[ebp-0x64]
00406FE3 . |51 push ecx
00406FE4 . |52 push edx
00406FE5 . |6A 04 push 0x4
00406FE7 . |FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarL>; msvbvm60.__vbaFreeVarList
00406FED . |83C4 24 add esp,0x24
00406FF0 . |8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-0x118]
00406FF6 . |50 push eax ; /TMPend8 = 00000001
00406FF7 . |8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108] ; |
00406FFD . |8D55 DC lea edx,dword ptr ss:[ebp-0x24] ; |
00407000 . |51 push ecx ; |TMPstep8 = 00000003
00407001 . |52 push edx ; |Counter8 = 00000006
00407002 . |FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNe>; \__vbaVarForNext
00407008 .^E9 CFFEFFFF jmp Andréna.00406EDC
The rough flow of this registration check is:
First take the first two characters of the input string to form a number; then take the ASCII code of each character of the input, treat it as hex and convert it to decimal, add that number to it, convert the result to hex, concatenate all the pieces, and put a 0 at the very front.
For example, if I enter (123456789), the program takes the first two characters (12), takes the ASCII code of the first character (1) and stores it as hex (0x31), converts that to decimal (0x31 = 49), adds the first two digits and converts back to hex (49 + 12 = 61 = 0x3D), repeats this in a loop, and finally assembles the hex values into a new string, which is then compared against:
0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C
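As an added example (not the crackme's code and not the keygen quoted below), here is a C++ re-implementation of the loop traced in OllyDbg above, together with a general inverse that recovers a serial from a key by trying every base and accepting only a candidate that round-trips through the forward routine. It assumes that VB's Val() of the first two characters gives the base (stopping at the first non-digit), that Hex() yields uppercase digits without zero padding, and that the result string starts with a literal "0"; the key string is the one from the page, and the names encode_serial, serial_is_valid and recover_serial are my own.

```cpp
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Added example, not the crackme's own code. Assumptions: Val(Left(serial, 2)) gives the
// base and stops at the first non-digit; Hex() is uppercase with no padding; the
// result is initialised to the literal "0" before the loop over the characters.

// Key string the program compares against (taken from the page).
const std::string EXPECTED_KEY = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C";

// Forward direction: hash = "0"; for each char c: hash += Hex(Asc(c) + Val(Left(serial, 2)))
std::string encode_serial(const std::string& serial) {
    int base = 0;  // Val(Left(serial, 2)): leading decimal digits of the first two chars
    for (size_t i = 0; i < serial.size() && i < 2; ++i) {
        if (!std::isdigit(static_cast<unsigned char>(serial[i]))) break;
        base = base * 10 + (serial[i] - '0');
    }
    std::string out = "0";
    for (unsigned char c : serial) {
        char buf[16];
        // VB Hex(): uppercase digits, no zero padding
        std::snprintf(buf, sizeof buf, "%X", static_cast<int>(c) + base);
        out += buf;
    }
    return out;
}

bool serial_is_valid(const std::string& serial) {
    return encode_serial(serial) == EXPECTED_KEY;
}

// Inverse direction: try every base 0..99, decode each two-digit hex pair, and accept
// only a candidate whose decoded first two characters parse back to the same base
// (checked by re-encoding). This is the general form of the 11*x + y trick used in the
// keygen quoted below. Assumes every encoded value is exactly two hex digits, which
// holds for printable ASCII and any non-negative base.
std::string recover_serial(const std::string& key) {
    if (key.size() < 3 || key[0] != '0' || key.size() % 2 == 0) return "";
    for (size_t i = 1; i < key.size(); ++i)
        if (!std::isxdigit(static_cast<unsigned char>(key[i]))) return "";  // e.g. a stray 'G'
    for (int base = 0; base <= 99; ++base) {
        std::string cand;
        bool printable = true;
        for (size_t i = 1; i + 1 < key.size(); i += 2) {
            int v = std::stoi(key.substr(i, 2), nullptr, 16) - base;
            if (v < 0x20 || v > 0x7E) { printable = false; break; }  // must be printable ASCII
            cand += static_cast<char>(v);
        }
        if (printable && encode_serial(cand) == key) return cand;
    }
    return "";  // no base produces a printable serial that round-trips
}

int main() {
    std::cout << "hash of 123456789: " << encode_serial("123456789") << "\n";
    std::string serial = recover_serial(EXPECTED_KEY);
    std::cout << "recovered serial: " << serial
              << " valid=" << (serial_is_valid(serial) ? "yes" : "no") << "\n";
    return 0;
}
```

The round-trip check is what makes the inverse trustworthy: for this key only one base yields a serial whose first two characters parse back to that base, so the brute force over 100 bases is both exhaustive and unambiguous, and a key with a non-hex character (like the "G" that ruled out the other candidate strings) is rejected up front.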
#include <iostream>
#include <cstdlib>   // system()
using namespace std;
string kb = "0123456789*#";                               // characters the serial can contain
int kb_dec[] = { 48,49,50,51,52,53,54,55,56,57,42,35 };   // their ASCII codes
string hexlist = "0123456789ABCDEF";
string key = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C";
int hexstr_to_dec(const string s) // convert a two-character hex string to a decimal number
{
	int a, b;
	a = hexlist.find(s[0]);
	b = hexlist.find(s[1]);
	return a * 16 + b;
}
int main()
{
	int key_value;
	int base_value = -1;   // initialised so a key with no solution is detected
	string psword;
	char p;
	string key_str = key.substr(1, 2); // take the 2nd and 3rd characters of the key
	key_value = hexstr_to_dec(key_str);
	for (int x = 1; x <= 9 && base_value < 0; x++) // determine the common value base_value
	{
		for (int y = 0; y <= 9; y++)
		{
			// the first serial character is the digit x (ASCII kb_dec[x]) and the base is 10*x + y
			if (y + x * 10 + kb_dec[x] == key_value)
			{
				base_value = x * 10 + y;
				break;
			}
		}
	}
	if (base_value < 0)
	{
		cout << "no base value found" << endl;
		return 1;
	}
	cout << "公共值:" << base_value << endl;
	for (size_t x = 1; x < key.length(); x += 2) /* compute the registration code */
	{
		key_str = key.substr(x, 2);
		key_value = hexstr_to_dec(key_str);
		p = (char)(key_value - base_value);
		psword = psword + p;
	}
	cout << "password:" << psword << endl;
	system("pause");
	return 0;
}
This code is from an expert; I took the lazy route and just borrowed it directly 0v0