我不是大神,只是一個(gè)菜鳥(niǎo),所以文章中有哪里不對(duì)的地方還請(qǐng)各位大佬們指出。
0x0 尋找驗(yàn)證函數(shù)
仔細(xì)看一下CM 發(fā)現(xiàn)沒(méi)有任何驗(yàn)證的地方,于是我猜測(cè)應(yīng)該有個(gè)時(shí)鐘或者線程在一直驗(yàn)證注冊(cè)碼是否正確。
直接給SetWindowTextA下斷點(diǎn),然后點(diǎn)擊按鈕1即可斷下。
返回到0x004035A1處,向上滾動(dòng)滾輪找到函數(shù)頭0x004034E0處,下斷點(diǎn)然后F9
再點(diǎn)擊剛才的按鈕即可斷下。
這段函數(shù)中 有點(diǎn)用的代碼就幾個(gè) 主要就是獲取編輯框中的注冊(cè)碼然后加上按鈕的標(biāo)題最后設(shè)置回去。
00403558 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] ; lpBuffer 0040355B . 51 push ecx 0040355C . 56 push esi 0040355D . 8B06 mov eax,dword ptr ds:[esi] ; msvbvm60.6603475B 0040355F . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; 獲取注冊(cè)碼的內(nèi)容然后保存到lpBuffer處 00403565 . 85C0 test eax,eax 00403567 . DBE2 fclex 00403569 . 7D 12 jge short Andréna.0040357D 0040356B . 68 A0000000 push 0xA0 00403570 . 68 B81D4000 push Andréna.00401DB8 00403575 . 56 push esi 00403576 . 50 push eax 00403577 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 0040357D > 8B55 E8 mov edx,dword ptr ss:[ebp-0x18] ; 注冊(cè)碼 00403580 . 8B37 mov esi,dword ptr ds:[edi] 00403582 . 52 push edx ; /Arg2 = 00000010 00403583 . 68 CC1D4000 push Andréna.00401DCC ; |1 00403588 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>; \__vbaStrCat 0040358E . 8BD0 mov edx,eax 00403590 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00403593 . FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; msvbvm60.__vbaStrMove 00403599 . 50 push eax 0040359A . 57 push edi 0040359B . FF96 A4000000 call dword ptr ds:[esi+0xA4] ; 設(shè)置回去
其他幾個(gè)按鈕干的事情幾乎一樣 不過(guò)如果要尋找驗(yàn)證函數(shù)的地址,可以嘗試一下這個(gè)辦法。因?yàn)槌绦蛞欢ㄒ@取編輯框的內(nèi)容來(lái)判斷,只需要給VB中獲取編輯框內(nèi)容的函數(shù)下斷點(diǎn)就可以了。
00403558 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] ; lpBuffer 0040355B . 51 push ecx 0040355C . 56 push esi 0040355D . 8B06 mov eax,dword ptr ds:[esi] ; msvbvm60.6603475B 0040355F . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; 獲取注冊(cè)碼的內(nèi)容然后保存到lpBuffer處
只要能知道這個(gè)call轉(zhuǎn)移到的地址即可。
給這里下斷點(diǎn)再來(lái)一次。
從圖中可以得知:函數(shù)的地址是0x6603BCA3。
給這個(gè)函數(shù)下斷點(diǎn) 如果一直F9的話可以一直斷下來(lái)。
那這個(gè)應(yīng)該就是驗(yàn)證函數(shù)調(diào)用的了。
保險(xiǎn)起見(jiàn) 我這里直接將程序重新載入一遍再F9。
斷下來(lái)以后 返回到0x004047A5處,找到函數(shù)頭0x00404650。
這個(gè)驗(yàn)證地址應(yīng)該就在0x00404650處了。
0x1 分析算法
算法比較簡(jiǎn)單,大概就是取出注冊(cè)碼的前兩個(gè)字符 轉(zhuǎn)換成整數(shù)(記為a1),然后進(jìn)行如下操作:
a的取值范圍我就不標(biāo)記了,只是一個(gè)表達(dá)大致功能的代碼段而已。
現(xiàn)在在OD中調(diào)試。
004048D1 . B8 01000000 mov eax,0x1 004048D6 . 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4] 004048DC . 8985 54FFFFFF mov dword ptr ss:[ebp-0xAC],eax 004048E2 . 8985 44FFFFFF mov dword ptr ss:[ebp-0xBC],eax 004048E8 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44] ; Serial 004048EB . 52 push edx 004048EC . 8D4D 9C lea ecx,dword ptr ss:[ebp-0x64] 004048EF . 50 push eax ; /Arg2 = 0019FA40 004048F0 . 51 push ecx ; |Arg1 = 0000000C 004048F1 . 89B5 4CFFFFFF mov dword ptr ss:[ebp-0xB4],esi ; |msvbvm60.__vbaStrVarVal 004048F7 . 89B5 3CFFFFFF mov dword ptr ss:[ebp-0xC4],esi ; |msvbvm60.__vbaStrVarVal 004048FD . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; \__vbaLenVar 00404903 . 50 push eax ; 循環(huán)次數(shù):Serial長(zhǎng)度 00404904 . 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-0xC4] 0040490A . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8] 00404910 . 52 push edx 00404911 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-0xE8] 00404917 . 50 push eax 00404918 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24] 0040491B . 51 push ecx 0040491C . 52 push edx 0040491D . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; msvbvm60.__vbaVarForInit 00404923 . 8B35 80104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 00404929 . 8B1D B4104000 mov ebx,dword ptr ds:[<&MSVBVM60.#rtcLeftCharVar_617>] ; msvbvm60.rtcLeftCharVar 0040492F > 85C0 test eax,eax 00404931 . 0F84 29010000 je Andréna.00404A60 00404937 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44] 0040493A . 6A 01 push 0x1 0040493C . 8D4D 8C lea ecx,dword ptr ss:[ebp-0x74] ; 注冊(cè)碼的第一個(gè)字節(jié) 0040493F . 50 push eax 00404940 . 51 push ecx 00404941 . FFD3 call ebx ; msvbvm60.rtcLeftCharVar 00404943 . 8D55 8C lea edx,dword ptr ss:[ebp-0x74] 00404946 . 8D45 B0 lea eax,dword ptr ss:[ebp-0x50] 00404949 . 52 push edx 0040494A . 50 push eax 0040494B . FFD6 call esi ; msvbvm60.__vbaStrVarVal 0040494D . 50 push eax 0040494E . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#rtcR8ValFromBstr_581>] ; 轉(zhuǎn)換成十進(jìn)制整數(shù)(記為a1) 00404954 . DD9D 34FFFFFF fstp qword ptr ss:[ebp-0xCC] 0040495A . 8D4D 9C lea ecx,dword ptr ss:[ebp-0x64] 0040495D . 8D55 DC lea edx,dword ptr ss:[ebp-0x24] 00404960 . 51 push ecx 00404961 . 52 push edx 00404962 . C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1 00404969 . C745 9C 02000>mov dword ptr ss:[ebp-0x64],0x2 00404970 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; msvbvm60.__vbaI4Var 00404976 . 50 push eax 00404977 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44] 0040497A . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] 0040497D . 50 push eax 0040497E . 51 push ecx 0040497F . FFD6 call esi ; msvbvm60.__vbaStrVarVal 00404981 . 50 push eax 00404982 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ; msvbvm60.rtcMidCharBstr 00404988 . 8BD0 mov edx,eax 0040498A . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C] 0040498D . FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove 00404993 . 50 push eax 00404994 . FF15 20104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ; msvbvm60.rtcAnsiValueBstr 0040499A . 0FBFD0 movsx edx,ax 0040499D . 8995 FCFCFFFF mov dword ptr ss:[ebp-0x304],edx 004049A3 . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x5 004049AD . DB85 FCFCFFFF fild dword ptr ss:[ebp-0x304] 004049B3 . DD9D F4FCFFFF fstp qword ptr ss:[ebp-0x30C] 004049B9 . DD85 F4FCFFFF fld qword ptr ss:[ebp-0x30C] 004049BF . DC85 34FFFFFF fadd qword ptr ss:[ebp-0xCC] ; 注冊(cè)碼的一個(gè)字節(jié) + a1 004049C5 . DD5D 84 fstp qword ptr ss:[ebp-0x7C] 004049C8 . DFE0 fstsw ax 004049CA . A8 0D test al,0xD 004049CC . 0F85 FA1F0000 jnz Andréna.004069CC 004049D2 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84] ; 然后轉(zhuǎn)換成十六進(jìn)制文本 004049D8 . 50 push eax 004049D9 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFromVar_572>] ; msvbvm60.rtcHexBstrFromVar 004049DF . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 004049E2 . 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax 004049E8 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94] 004049EE . 51 push ecx ; /Arg3 = 0000000C 004049EF . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4] ; | 004049F5 . 52 push edx ; |Arg2 = 0019FAC0 004049F6 . 50 push eax ; |Arg1 = 0019FA40 004049F7 . C785 6CFFFFFF>mov dword ptr ss:[ebp-0x94],0x8 ; | 00404A01 . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; \__vbaVarCat 00404A07 . 8BD0 mov edx,eax ; str1 = str1 + 轉(zhuǎn)換成十六進(jìn)制后的文本 00404A09 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 00404A0C . FFD7 call edi ; msvbvm60.__vbaVarMove 00404A0E . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50] 00404A11 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C] 00404A14 . 51 push ecx 00404A15 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48] 00404A18 . 52 push edx 00404A19 . 50 push eax 00404A1A . 6A 03 push 0x3 00404A1C . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 00404A22 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] 00404A28 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] 00404A2E . 51 push ecx 00404A2F . 8D45 8C lea eax,dword ptr ss:[ebp-0x74] 00404A32 . 52 push edx 00404A33 . 8D4D 9C lea ecx,dword ptr ss:[ebp-0x64] 00404A36 . 50 push eax 00404A37 . 51 push ecx 00404A38 . 6A 04 push 0x4 00404A3A . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 00404A40 . 83C4 24 add esp,0x24 00404A43 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8] 00404A49 . 52 push edx 00404A4A . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8] 00404A50 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24] 00404A53 . 50 push eax 00404A54 . 51 push ecx 00404A55 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; msvbvm60.__vbaVarForNext 00404A5B .^ E9 CFFEFFFF jmp Andréna.0040492F 00404A60 > 8D55 CC lea edx,dword ptr ss:[ebp-0x34] 00404A63 . 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-0xB4] 00404A69 . 52 push edx ; str1 00404A6A . 50 push eax ; 固定的字符串 00404A6B . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],Andréna.00401E50 ; 0817E747D7AFF7C7F82836D74RR7A7F7E7B7C7D826D81KE7B7C 00404A75 . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0x8008 00404A7F . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; str1和固定的字符串比較 相等則成功 00404A85 . 66:85C0 test ax,ax 00404A88 . 74 4C je short Andréna.00404AD6 ; 如果轉(zhuǎn)移則繼續(xù)比較
看一下這段代碼預(yù)定好的字符串。
0817E747D7AFF7C7F82836D74RR7A7F7E7B7C7D826D81KE7B7C
可以發(fā)現(xiàn)有一個(gè)RR和K。16進(jìn)制中并不存在這兩個(gè)字母,因此這段不是我們找的。
結(jié)果繼續(xù)跟蹤發(fā)現(xiàn)后面還有一堆類似的代碼 算法都是一樣的,只是比較的字符串不一樣。
搜索一下字符串。
可以發(fā)現(xiàn)一個(gè)符合條件的字符串:
0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C
來(lái)到0x004065E4處,向上尋找距離這個(gè)最近的__vbaVarForInit函數(shù),再向上一段距離,來(lái)到0x00406451處,下斷點(diǎn)。
這時(shí)就能在這里斷下。
00406451 . B8 02000000 mov eax,0x2 00406456 . B9 01000000 mov ecx,0x1 0040645B . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax 00406461 . 8985 3CFFFFFF mov dword ptr ss:[ebp-0xC4],eax 00406467 . 898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx 0040646D . 898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx 00406473 . 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-0xB4] 00406479 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; Serial 0040647C . 50 push eax 0040647D . 8D55 9C lea edx,dword ptr ss:[ebp-0x64] 00406480 . 51 push ecx ; /Arg2 = 0019FA40 00406481 . 52 push edx ; |Arg1 = 80000000 00406482 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; \__vbaLenVar 00406488 . 50 push eax ; 循環(huán)次數(shù):Serial長(zhǎng)度 00406489 . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4] 0040648F . 8D8D 68FDFFFF lea ecx,dword ptr ss:[ebp-0x298] 00406495 . 50 push eax 00406496 . 8D95 78FDFFFF lea edx,dword ptr ss:[ebp-0x288] 0040649C . 51 push ecx 0040649D . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] 004064A0 . 52 push edx 004064A1 . 50 push eax 004064A2 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; msvbvm60.__vbaVarForInit 004064A8 > 85C0 test eax,eax 004064AA . 0F84 29010000 je Andréna.004065D9 004064B0 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] 004064B3 . 6A 02 push 0x2 004064B5 . 8D55 8C lea edx,dword ptr ss:[ebp-0x74] 004064B8 . 51 push ecx 004064B9 . 52 push edx 004064BA . FFD3 call ebx ; msvbvm60.rtcLeftCharVar 004064BC . 8D45 8C lea eax,dword ptr ss:[ebp-0x74] 004064BF . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50] 004064C2 . 50 push eax 004064C3 . 51 push ecx 004064C4 . FFD6 call esi ; msvbvm60.__vbaStrVarVal 004064C6 . 50 push eax ; Serial的前兩個(gè)字節(jié) 004064C7 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#rtcR8ValFromBstr_581>] ; 轉(zhuǎn)換成整數(shù)(記為a1) 004064CD . DD9D 34FFFFFF fstp qword ptr ss:[ebp-0xCC] 004064D3 . 8D55 9C lea edx,dword ptr ss:[ebp-0x64] 004064D6 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] 004064D9 . 52 push edx 004064DA . 50 push eax 004064DB . C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1 004064E2 . C745 9C 02000>mov dword ptr ss:[ebp-0x64],0x2 004064E9 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; msvbvm60.__vbaI4Var 004064EF . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] 004064F2 . 50 push eax 004064F3 . 8D55 B8 lea edx,dword ptr ss:[ebp-0x48] 004064F6 . 51 push ecx 004064F7 . 52 push edx 004064F8 . FFD6 call esi ; msvbvm60.__vbaStrVarVal 004064FA . 50 push eax 004064FB . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ; Serial的一個(gè)字節(jié) 00406501 . 8BD0 mov edx,eax 00406503 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C] 00406506 . FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove 0040650C . 50 push eax 0040650D . FF15 20104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ; 取出其ASCII碼 00406513 . 0FBFC0 movsx eax,ax 00406516 . 8985 60FCFFFF mov dword ptr ss:[ebp-0x3A0],eax 0040651C . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 00406522 . DB85 60FCFFFF fild dword ptr ss:[ebp-0x3A0] 00406528 . 51 push ecx 00406529 . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x5 00406533 . DD9D 58FCFFFF fstp qword ptr ss:[ebp-0x3A8] 00406539 . DD85 58FCFFFF fld qword ptr ss:[ebp-0x3A8] 0040653F . DC85 34FFFFFF fadd qword ptr ss:[ebp-0xCC] ; Serial的一個(gè)字節(jié) + a1 00406545 . DD5D 84 fstp qword ptr ss:[ebp-0x7C] 00406548 . DFE0 fstsw ax 0040654A . A8 0D test al,0xD 0040654C . 0F85 7A040000 jnz Andréna.004069CC 00406552 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFromVar_572>] ; 轉(zhuǎn)換成十六進(jìn)制字符串 00406558 . 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax 0040655E . 8D55 CC lea edx,dword ptr ss:[ebp-0x34] 00406561 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94] 00406567 . 52 push edx ; /Arg3 = 80000000 00406568 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] ; | 0040656E . 50 push eax ; |Arg2 = 0019FAC0 0040656F . 51 push ecx ; |Arg1 = 0019FA40 00406570 . C785 6CFFFFFF>mov dword ptr ss:[ebp-0x94],0x8 ; | 0040657A . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; \__vbaVarCat 00406580 . 8BD0 mov edx,eax ; str1 = str1 + 轉(zhuǎn)換后的十六進(jìn)制字符串 00406582 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 00406585 . FFD7 call edi ; msvbvm60.__vbaVarMove 00406587 . 8D55 B0 lea edx,dword ptr ss:[ebp-0x50] 0040658A . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C] 0040658D . 52 push edx 0040658E . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] 00406591 . 50 push eax 00406592 . 51 push ecx 00406593 . 6A 03 push 0x3 00406595 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0040659B . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94] 004065A1 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84] 004065A7 . 52 push edx 004065A8 . 8D4D 8C lea ecx,dword ptr ss:[ebp-0x74] 004065AB . 50 push eax 004065AC . 8D55 9C lea edx,dword ptr ss:[ebp-0x64] 004065AF . 51 push ecx 004065B0 . 52 push edx 004065B1 . 6A 04 push 0x4 004065B3 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 004065B9 . 83C4 24 add esp,0x24 004065BC . 8D85 68FDFFFF lea eax,dword ptr ss:[ebp-0x298] 004065C2 . 50 push eax 004065C3 . 8D8D 78FDFFFF lea ecx,dword ptr ss:[ebp-0x288] 004065C9 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24] 004065CC . 51 push ecx 004065CD . 52 push edx 004065CE . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; msvbvm60.__vbaVarForNext 004065D4 .^ E9 CFFEFFFF jmp Andréna.004064A8 004065D9 > 8D45 CC lea eax,dword ptr ss:[ebp-0x34] 004065DC . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4] 004065E2 . 50 push eax ; 轉(zhuǎn)換后的十六進(jìn)制字符串 004065E3 . 51 push ecx ; 預(yù)設(shè)的字符串 004065E4 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],Andréna.00402390 ; 0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C 004065EE . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0x8008 004065F8 . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比較 相等則成功 004065FE . 66:85C0 test ax,ax 00406601 . 74 4C je short Andréna.0040664F ; 不相等則轉(zhuǎn)移
0x2 計(jì)算注冊(cè)碼
在這個(gè)字符串("0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C")中,'0'是系統(tǒng)自己加上去的,我們不需要注意它,只需要注意后面幾個(gè)即可,即"817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C"
首先將這個(gè)字符串每隔兩個(gè)字符就用空格分開(kāi)。
得到字符串:"81 7E 74 7D 7A 7D 7C 7F 82 83 6D 74 74 7A 7F 7E 7B 7C 7D 82 6D 81 7E 7B 7C"
根據(jù)注冊(cè)碼的驗(yàn)證方式可以得知:我們只要知道了注冊(cè)碼的前兩個(gè)字符,就可以用減法來(lái)推算出注冊(cè)碼的剩下的字節(jié)了。
問(wèn)題就在于如何推算注冊(cè)碼的前兩個(gè)字符。如果仔細(xì)想想的話,其實(shí)很簡(jiǎn)單的,就是一個(gè)很簡(jiǎn)單的三元一次方程組的應(yīng)用。
設(shè):注冊(cè)碼的前兩個(gè)字節(jié)的整數(shù)形式為a,注冊(cè)碼的第一個(gè)字節(jié)為b,注冊(cè)碼的第二個(gè)字節(jié)為c
則有:
a = 10(b - 48) + c - 48(1)
a + b = 0x81(2)
a + c = 0x7E(3).
化簡(jiǎn)(1),得a = 10b + c - 528(4)
將(4)帶入(2)(3)中,得:
10b + c - 528 + b = 0x81(5)
10b + c - 528 + c = 0x7E(6)
解方程組(5)(6),得:b = 55('7'),c = 52('4')
將b = 55,c = 52帶入(1),得a = 74
則該方程組的解為:a = 74,b = 55,c = 52
這樣就可以得知注冊(cè)碼的前兩個(gè)字節(jié)為'7'和'4',連接在一起就是"74"。
這樣就可以寫(xiě)一個(gè)程序來(lái)幫我計(jì)算注冊(cè)碼了。
運(yùn)行效果如圖:
得到注冊(cè)碼:74*3032589#**0541238#7412
放到CM中測(cè)試一下,可以通過(guò)。
全文完。
