A Brief Analysis of a Small VB Program

Time: 2023-03-10 02:24:59

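System: Windows XP

Program: BJCM10B

Program download: http://pan.baidu.com/s/1dFyXe29

Goal: write a keygen

Tool used: OD (OllyDbg)

Write-ups on cracking this program can be found on the Kanxue (看雪) forum: link

The algorithm in this little program is not hard in itself; it is VB's way of calling functions that is truly bizarre and makes the listing easy to get lost in.

Search for the string "good job, tell me how you do that!" to locate the key algorithm directly: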

   .  FFD3          call    ebx                                       ;  (initial cpu selection); <&MSVBVM60.__vbaObjSet>
. 8B08 mov ecx, dword ptr [eax]
. 8D55 D4 lea edx, dword ptr [ebp-2C]
0040456A . push edx
0040456B . push eax
0040456C . 44FFFFFF mov dword ptr [ebp-BC], eax
. FF91 A0000000 call dword ptr [ecx+A0]
. 3BC7 cmp eax, edi
0040457A . DBE2 fclex
0040457C . 7D jge short
0040457E . 8B8D 44FFFFFF mov ecx, dword ptr [ebp-BC]
. A0000000 push 0A0
. push
0040458E . push ecx
0040458F . push eax
. FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
> 8B55 D4 mov edx, dword ptr [ebp-2C] ; user name string
. push edx ; /String
0040459A . FF15 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
004045A0 . 33C9 xor ecx, ecx
004045A2 . 83F8 cmp eax, ; is the length at least 2?
004045A5 . 0F9CC1 setl cl
004045A8 . F7D9 neg ecx
004045AA . 898D 3CFFFFFF mov dword ptr [ebp-C4], ecx
004045B0 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004045B3 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004045B9 . 8D4D CC lea ecx, dword ptr [ebp-]
004045BC . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004045C2 . :39BD 3CFFF>cmp word ptr [ebp-C4], di
004045C9 . 0F84 8B000000 je 0040465A ; length is acceptable: jump straight ahead
004045CF . 8B1D B0104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004045D5 . B9 mov ecx,
004045DA . 894D mov dword ptr [ebp-], ecx
004045DD . B8 0A000000 mov eax, 0A
004045E2 . 894D A0 mov dword ptr [ebp-], ecx
004045E5 . BE mov esi,
004045EA . 8D95 68FFFFFF lea edx, dword ptr [ebp-]
004045F0 . 8D4D A8 lea ecx, dword ptr [ebp-]
004045F3 . mov dword ptr [ebp-], eax
004045F6 . mov dword ptr [ebp-], eax
004045F9 . C785 70FFFFFF>mov dword ptr [ebp-], ; you have to enter your name!
. 89B5 68FFFFFF mov dword ptr [ebp-], esi
. FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
0040460B . 8D95 78FFFFFF lea edx, dword ptr [ebp-]
. 8D4D B8 lea ecx, dword ptr [ebp-]
. C745 >mov dword ptr [ebp-], ; name must be at least two characters long!
0040461B . 89B5 78FFFFFF mov dword ptr [ebp-], esi
. FFD3 call ebx
. 8D55 lea edx, dword ptr [ebp-]
. 8D45 lea eax, dword ptr [ebp-]
. push edx
0040462A . 8D4D A8 lea ecx, dword ptr [ebp-]
0040462D . push eax
0040462E . push ecx
0040462F . 8D55 B8 lea edx, dword ptr [ebp-]
. push edi
. push edx
. FF15 3C104000 call dword ptr [<&MSVBVM60.#>] ; MSVBVM60.rtcMsgBox
0040463A . 8D45 lea eax, dword ptr [ebp-]
0040463D . 8D4D lea ecx, dword ptr [ebp-]
. push eax
. 8D55 A8 lea edx, dword ptr [ebp-]
. push ecx
. 8D45 B8 lea eax, dword ptr [ebp-]
. push edx
. push eax
0040464A . 6A push
0040464C . FF15 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
. 83C4 add esp,
. E9 D4030000 jmp 00404A2E
0040465A > 8B0E mov ecx, dword ptr [esi]
0040465C . push esi
0040465D . FF91 0C030000 call dword ptr [ecx+30C]
. 8D55 CC lea edx, dword ptr [ebp-]
. push eax
. push edx
. FFD3 call ebx
0040466A . 8B06 mov eax, dword ptr [esi]
0040466C . push esi
0040466D . FF90 0C030000 call dword ptr [eax+30C]
. 8D4D C8 lea ecx, dword ptr [ebp-]
. push eax
. push ecx
. FFD3 call ebx
0040467A . 8B45 CC mov eax, dword ptr [ebp-]
0040467D . 8D55 B8 lea edx, dword ptr [ebp-]
. C0 mov dword ptr [ebp-], eax
. 6A push
. 8D45 A8 lea eax, dword ptr [ebp-]
. push edx
. push eax
0040468A . 897D CC mov dword ptr [ebp-], edi
0040468D . C745 B8 >mov dword ptr [ebp-],
. FF15 B4104000 call dword ptr [<&MSVBVM60.#>] ; MSVBVM60.rtcLeftCharVar
0040469A . 8B45 C8 mov eax, dword ptr [ebp-]
0040469D . 8D4D lea ecx, dword ptr [ebp-]
004046A0 . 6A push
004046A2 . 8D55 lea edx, dword ptr [ebp-]
004046A5 . push ecx
004046A6 . push edx
004046A7 . 897D C8 mov dword ptr [ebp-], edi
004046AA . A0 mov dword ptr [ebp-], eax
004046AD . C745 >mov dword ptr [ebp-],
004046B4 . FF15 C0104000 call dword ptr [<&MSVBVM60.#>] ; MSVBVM60.rtcRightCharVar
004046BA . 8B3D mov edi, dword ptr [<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
004046C0 . 8D45 lea eax, dword ptr [ebp-]
004046C3 . 8D4D D0 lea ecx, dword ptr [ebp-]
004046C6 . push eax ; /String8
004046C7 . push ecx ; |ARG2
004046C8 . FFD7 call edi ; \__vbaStrVarVal
004046CA . push eax ; /String
004046CB . FF15 call dword ptr [<&MSVBVM60.#>] ; \rtcAnsiValueBstr
004046D1 . :8BD0 mov dx, ax ; ↑ returns the character code
004046D4 . 8D45 A8 lea eax, dword ptr [ebp-]
004046D7 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004046DA . push eax ; /String8
004046DB . push ecx ; |ARG2
004046DC . : 26FFF>mov word ptr [ebp-DA], dx ; |
004046E3 . FFD7 call edi ; \__vbaStrVarVal
004046E5 . push eax ; /String
004046E6 . FF15 call dword ptr [<&MSVBVM60.#>] ; \rtcAnsiValueBstr
004046EC . :8B95 26FFF>mov dx, word ptr [ebp-DA]
004046F3 . 8D4D D8 lea ecx, dword ptr [ebp-]
004046F6 . :03D0 add dx, ax ; add the first and last characters
004046F9 . C785 78FFFFFF>mov dword ptr [ebp-],
. 0F80 jo 00404A9D
. : mov word ptr [ebp-], dx ; save the result
0040470D . 8D95 78FFFFFF lea edx, dword ptr [ebp-]
. FF15 call dword ptr [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
. 8D45 D0 lea eax, dword ptr [ebp-]
0040471C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040471F . push eax
. push ecx
. 6A push
. FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
. 8D55 C8 lea edx, dword ptr [ebp-]
0040472C . 8D45 CC lea eax, dword ptr [ebp-]
0040472F . push edx
. push eax
. 6A push
. FF15 call dword ptr [<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
. 8D4D lea ecx, dword ptr [ebp-]
0040473C . 8D55 lea edx, dword ptr [ebp-]
0040473F . push ecx
. 8D45 A8 lea eax, dword ptr [ebp-]
. push edx
. 8D4D B8 lea ecx, dword ptr [ebp-]
. push eax
. push ecx
. 6A push
0040474B . FF15 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
. 83C4 2C add esp, 2C
. 8D55 D8 lea edx, dword ptr [ebp-]
. 8D85 78FFFFFF lea eax, dword ptr [ebp-]
0040475D . 8D4D B8 lea ecx, dword ptr [ebp-]
. push edx ; /var18
. push eax ; |var28
. push ecx ; |SaveTo8
. C745 3F420>mov dword ptr [ebp-], 0F423F ; |
0040476A . C785 78FFFFFF>mov dword ptr [ebp-], ; |
. FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaVarMul>] ; \__vbaVarMul
0040477A . push eax ; sum * 999999 = serial number
0040477B . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
. 8B16 mov edx, dword ptr [esi]
. push esi
. E8 mov dword ptr [ebp-], eax ; the computed serial number is saved here
. FF92 FC020000 call dword ptr [edx+2FC]
0040478D . push eax
0040478E . 8D45 CC lea eax, dword ptr [ebp-]
. push eax
. FFD3 call ebx
. 8BF8 mov edi, eax
. 8D55 D4 lea edx, dword ptr [ebp-2C]
. push edx
0040479A . push edi
0040479B . 8B0F mov ecx, dword ptr [edi]
0040479D . FF91 A0000000 call dword ptr [ecx+A0]
004047A3 . 85C0 test eax, eax
004047A5 . DBE2 fclex
004047A7 . 7D jge short 004047BB
004047A9 . A0000000 push 0A0
004047AE . push
004047B3 . push edi
004047B4 . push eax
004047B5 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004047BB > 8B45 D4 mov eax, dword ptr [ebp-2C] ; fetch the password
004047BE . push eax
004047BF . B0304000 push 004030B0 ; empty string
004047C4 . FF15 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
004047CA . 8BF8 mov edi, eax
004047CC . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004047CF . F7DF neg edi
004047D1 . 1BFF sbb edi, edi
004047D3 . inc edi
004047D4 . F7DF neg edi
004047D6 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004047DC . 8D4D CC lea ecx, dword ptr [ebp-]
004047DF . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004047E5 . :85FF test di, di
004047E8 . 0F84 je 0040486F
004047EE . 8B3D B0104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004047F4 . B9 mov ecx,
004047F9 . 894D mov dword ptr [ebp-], ecx
004047FC . B8 0A000000 mov eax, 0A
. 894D A0 mov dword ptr [ebp-], ecx
. BE mov esi,
. 8D95 68FFFFFF lea edx, dword ptr [ebp-]
0040480F . 8D4D A8 lea ecx, dword ptr [ebp-]
. mov dword ptr [ebp-], eax
. mov dword ptr [ebp-], eax
. C785 70FFFFFF>mov dword ptr [ebp-], 004030E0 ; wrong serial!
. 89B5 68FFFFFF mov dword ptr [ebp-], esi
. FFD7 call edi ; <&MSVBVM60.__vbaVarDup>
0040482A . 8D95 78FFFFFF lea edx, dword ptr [ebp-]
. 8D4D B8 lea ecx, dword ptr [ebp-]
. C745 B8304>mov dword ptr [ebp-], 004030B8 ; sorry, try again!
0040483A . 89B5 78FFFFFF mov dword ptr [ebp-], esi
. FFD7 call edi
. 8D4D lea ecx, dword ptr [ebp-]
. 8D55 lea edx, dword ptr [ebp-]
. push ecx
. 8D45 A8 lea eax, dword ptr [ebp-]
0040484C . push edx
0040484D . push eax
0040484E . 8D4D B8 lea ecx, dword ptr [ebp-]
. 6A push
. push ecx
. FF15 3C104000 call dword ptr [<&MSVBVM60.#>] ; MSVBVM60.rtcMsgBox
0040485A . 8D55 lea edx, dword ptr [ebp-]
0040485D . 8D45 lea eax, dword ptr [ebp-]
. push edx
. 8D4D A8 lea ecx, dword ptr [ebp-]
. push eax
. 8D55 B8 lea edx, dword ptr [ebp-]
. push ecx
. push edx
0040486A . E9 B2010000 jmp 00404A21
0040486F > 8B0E mov ecx, dword ptr [esi]
. 8D45 E8 lea eax, dword ptr [ebp-]
. push esi
. mov dword ptr [ebp-], eax
. C785 78FFFFFF>mov dword ptr [ebp-],
. FF91 FC020000 call dword ptr [ecx+2FC]
. 8D55 CC lea edx, dword ptr [ebp-]
0040488B . push eax
0040488C . push edx
0040488D . FFD3 call ebx
0040488F . 8BF0 mov esi, eax
. 8D4D D4 lea ecx, dword ptr [ebp-2C]
. push ecx
. push esi
. 8B06 mov eax, dword ptr [esi]
. FF90 A0000000 call dword ptr [eax+A0]
0040489E . 85C0 test eax, eax
004048A0 . DBE2 fclex
004048A2 . 7D jge short 004048B6
004048A4 . A0000000 push 0A0
004048A9 . push
004048AE . push esi
004048AF . push eax
004048B0 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004048B6 > 8D95 78FFFFFF lea edx, dword ptr [ebp-]
004048BC . push edx ; ↓ returns a string
004048BD . FF15 call dword ptr [<&MSVBVM60.#>] ; MSVBVM60.rtcStrFromVar
004048C3 . 8BD0 mov edx, eax
004048C5 . 8D4D D0 lea ecx, dword ptr [ebp-]
004048C8 . FF15 BC104000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004048CE . push eax
004048CF . 8B45 D4 mov eax, dword ptr [ebp-2C]
004048D2 . push eax ; compare the password with the serial number
004048D3 . FF15 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
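
The branch-free boolean sequences in the listing (`setl`/`neg` at 004045A0 and `neg`/`sbb`/`inc`/`neg` at 004047CF) are what make the control flow hard to follow, so here they are modelled in C together with the check they feed. This is an added example, not code from the original post or the program; the function names are hypothetical, the length limit 2 comes from the listing's comment because the operand itself is missing, and treating equality at the final `__vbaStrCmp` as success is an assumption since the listing ends at that call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 004045A0..004045A8: xor ecx,ecx / cmp eax,N / setl cl / neg ecx.
   Gives VB True (-1) when len < N, else False (0). N is missing from the
   listing; 2 is assumed from its comment and the error string. */
static int32_t vb_len_too_short(int32_t len) {
    uint32_t ecx = 0;                 /* xor ecx, ecx */
    ecx |= (uint32_t)(len < 2);       /* setl cl      */
    return (int32_t)(0u - ecx);       /* neg ecx      */
}

/* 004047CF..004047D4: neg edi / sbb edi,edi / inc edi / neg edi.
   Maps a __vbaStrCmp result to VB True (-1) only when it was 0 (equal). */
static int32_t vb_is_equal(int32_t cmp) {
    uint32_t cf = (cmp != 0);         /* neg: CF set when operand != 0 */
    uint32_t edi = 0u - cf;           /* sbb edi, edi: 0 or 0xFFFFFFFF */
    edi += 1;                         /* inc edi                       */
    return (int32_t)(0u - edi);       /* neg edi                       */
}

/* Model of the whole check: 1 = serial accepted, 0 = rejected,
   -1 = name too short. */
static int check_serial(const char *name, const char *serial) {
    int32_t len = (int32_t)strlen(name);
    if (vb_len_too_short(len)) return -1;
    if (vb_is_equal(strcmp(serial, ""))) return 0;   /* empty serial */
    /* rtcAnsiValueBstr on the first and last character, then add */
    int32_t sum = (unsigned char)name[0] + (unsigned char)name[len - 1];
    char expected[16];
    /* rtcStrFromVar is VB Str(): a leading space precedes numbers >= 0 */
    snprintf(expected, sizeof expected, " %ld", (long)sum * 999999L);
    return strcmp(serial, expected) == 0;
}

int main(void) {
    /* Constructed sample inputs. */
    printf("%d %d %d\n", check_serial("ab", " 194999805"),
           check_serial("ab", ""), check_serial("a", "x"));
    return 0;
}
```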

In MFC, this simple piece of functionality can be written like this:

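    CString str;
    GetDlgItemText( IDC_EDIT_NAME, str );   // Read the user name string.
    int len = str.GetLength();
    if ( len >= 2 ) {                        // The name must be at least two characters long.
        // Serial = (first character + last character) * 999999 (0F423F in the listing).
        unsigned int res = (str[0] + str[len-1]) * 999999;
        CString PassWord;
        // The leading space matches VB's Str() (rtcStrFromVar), which prefixes positive numbers with a space.
        PassWord.Format( " %u", res );
        SetDlgItemText( IDC_EDIT_PASSWORD, PassWord );
    }
    else
        MessageBox( "用户名格式错误!" );     // "Invalid user name format!"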

Then add this line in OnInitDialog to change the window title: SetWindowText(_T("Keygen"));

Result when run:
