标题:HAPPYDOWN的CM入门系列分析到DELPHI算发机
链接:http://www.unpack.cn/viewthread.php?tid=19516
贴者:奈落
日期:2007-11-25 10:14
第一个学习笔记
下断点 MSVBVM60.__vbaStrMove
取消断点返回到反汇编窗口~往上找到这里下断点
; Read the first input string (the author's notes call it the username) and check its length.
; NOTE(review): the indirect calls through [EDX+304] and [ECX+A0] are not resolved in this listing;
; they presumably fetch the text box object and its Text value — confirm in the debugger.
004023BC 6A 01 PUSH 1
004023BE FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnEr>; MSVBVM60.__vbaOnError
004023C4 8B16 MOV EDX,DWORD PTR DS:[ESI]
004023C6 56 PUSH ESI
004023C7 FF92 04030000 CALL DWORD PTR DS:[EDX+304] ; indirect call through the vtable of the object in ESI
004023CD 50 PUSH EAX
004023CE 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004023D1 50 PUSH EAX
004023D2 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSet
004023D8 8BF8 MOV EDI,EAX
004023DA 8B0F MOV ECX,DWORD PTR DS:[EDI]
004023DC 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004023DF 52 PUSH EDX
004023E0 57 PUSH EDI
004023E1 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; indirect call on the returned object; [EBP-38] is passed as the output slot
004023E7 DBE2 FCLEX
004023E9 3BC3 CMP EAX,EBX
004023EB 7D 12 JGE SHORT KeyGenMe.004023FF ; EAX >= EBX: skip the __vbaHresultCheckObj call below
004023ED 68 A0000000 PUSH 0A0
004023F2 68 401C4000 PUSH KeyGenMe.00401C40
004023F7 57 PUSH EDI
004023F8 50 PUSH EAX
004023F9 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
004023FF 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38] ; EDX = value the call above left in [EBP-38]
00402402 895D C8 MOV DWORD PTR SS:[EBP-38],EBX ; overwrite the temporary slot with EBX (presumably 0; EBX is set before this excerpt)
00402405 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34] ; ECX = address of [EBP-34], the slot the length call below reads
00402408 8B3D A0104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrMove
0040240E FFD7 CALL EDI ; <&MSVBVM60.__vbaStrMove>
00402410 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00402413 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00402419 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0040241C 50 PUSH EAX
0040241D FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenB>; get the length of the username
00402423 8BC8 MOV ECX,EAX
00402425 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>; MSVBVM60.__vbaI2I4
0040242B 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX ; keep the length in [EBP-30]; the loop at 004024AF compares against it
0040242E 66:3D 0300 CMP AX,3
00402432 0F8C CD010000 JL KeyGenMe.00402605 ; taking this jump means failure: it is taken when the length is below 3, so the username needs at least 3 characters
; Read the second input string (the serial the user typed, "trial code" in the author's notes)
; and reject it when its length is zero. Same call sequence as for the username, via [ECX+30C].
00402438 8B0E MOV ECX,DWORD PTR DS:[ESI]
0040243A 56 PUSH ESI
0040243B FF91 0C030000 CALL DWORD PTR DS:[ECX+30C] ; indirect call through the vtable of the object in ESI
00402441 50 PUSH EAX
00402442 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00402445 52 PUSH EDX
00402446 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjS>; MSVBVM60.__vbaObjSet
0040244C 8BF0 MOV ESI,EAX
0040244E 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402450 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402453 51 PUSH ECX
00402454 56 PUSH ESI
00402455 FF90 A0000000 CALL DWORD PTR DS:[EAX+A0] ; indirect call on the returned object; [EBP-38] is passed as the output slot
0040245B DBE2 FCLEX
0040245D 3BC3 CMP EAX,EBX
0040245F 7D 12 JGE SHORT KeyGenMe.00402473 ; EAX >= EBX: skip the __vbaHresultCheckObj call below
00402461 68 A0000000 PUSH 0A0
00402466 68 401C4000 PUSH KeyGenMe.00401C40
0040246B 56 PUSH ESI
0040246C 50 PUSH EAX
0040246D FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHres>; MSVBVM60.__vbaHresultCheckObj
00402473 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00402476 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00402479 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; destination slot [EBP-24] will hold the entered serial
0040247C FFD7 CALL EDI ; EDI was loaded with __vbaStrMove at 00402408
0040247E 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00402481 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeObj
00402487 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0040248A 52 PUSH EDX
0040248B FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenB>; get the length of the entered serial
00402491 8BC8 MOV ECX,EAX
00402493 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>; MSVBVM60.__vbaI2I4
00402499 66:3BC3 CMP AX,BX ; is the entered serial empty? (length compared with BX, presumably 0)
0040249C 0F84 63010000 JE KeyGenMe.00402605 ; equal: jump to the same failure target as the username length check
; Accumulation loop over the username.
; EDI = running sum (starts at 1), SI = 1-based character position, [EBP-30] = username length.
; Each pass adds (character code * position) to the sum; every arithmetic step is followed by a
; JO to KeyGenMe.00402671, which lies outside this excerpt.
004024A2 BF 01000000 MOV EDI,1 ; running sum starts at 1
004024A7 8BF7 MOV ESI,EDI ; position counter starts at 1
004024A9 8B1D 0C104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
004024AF 66:3B75 D0 CMP SI,WORD PTR SS:[EBP-30] ; loop head: position vs. username length
004024B3 0F8F 93000000 JG KeyGenMe.0040254C ; position > length: leave the loop
004024B9 C745 BC 0100000>MOV DWORD PTR SS:[EBP-44],1
004024C0 C745 B4 0200000>MOV DWORD PTR SS:[EBP-4C],2 ; descriptor at [EBP-4C]: type 2, value 1 (at [EBP-44]) — presumably the Mid length argument
004024C7 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004024CA 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
004024D0 C785 74FFFFFF 0>MOV DWORD PTR SS:[EBP-8C],4008 ; descriptor at [EBP-8C]: type 4008, pointing at [EBP-34] (the username slot)
004024DA 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004024DD 51 PUSH ECX
004024DE 0FBFD6 MOVSX EDX,SI
004024E1 52 PUSH EDX ; current position
004024E2 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
004024E8 50 PUSH EAX
004024E9 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C] ; result goes to [EBP-5C]
004024EC 51 PUSH ECX
004024ED FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004024F3 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
004024F6 52 PUSH EDX
004024F7 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004024FA 50 PUSH EAX
004024FB FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarVal
00402501 50 PUSH EAX
00402502 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get the character code of the current username character (presumably rtcAnsiValueBstr, i.e. Asc — confirm)
00402508 66:0FAFC6 IMUL AX,SI ; character code * its 1-based position (16-bit multiply)
0040250C 0F80 5F010000 JO KeyGenMe.00402671
00402512 0FBFC8 MOVSX ECX,AX
00402515 03CF ADD ECX,EDI ; ECX = product + running sum (the running sum lives in EDI and started at 1)
00402517 0F80 54010000 JO KeyGenMe.00402671
0040251D 8BF9 MOV EDI,ECX ; store the updated running sum back in EDI
0040251F 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402522 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>; MSVBVM60.__vbaFreeStr
00402528 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
0040252B 52 PUSH EDX
0040252C 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0040252F 50 PUSH EAX
00402530 6A 02 PUSH 2
00402532 FFD3 CALL EBX ; EBX = __vbaFreeVarList (loaded at 004024A9): release the two temporaries
00402534 83C4 0C ADD ESP,0C
00402537 B8 01000000 MOV EAX,1
0040253C 66:03C6 ADD AX,SI ; position + 1
0040253F 0F80 2C010000 JO KeyGenMe.00402671
00402545 8BF0 MOV ESI,EAX
00402547 ^ E9 63FFFFFF JMP KeyGenMe.004024AF ; back to the loop head
; Derive the expected serial from the running sum and compare it with the entered serial.
; Both values are compared as doubles: the expected one via FILD, the entered one via __vbaR8Str.
; NOTE(review): the accept/reject decision is a single conditional jump, and the expected value
; depends only on the username and one fixed constant.
0040254C 69FF 96740100 IMUL EDI,EDI,17496 ; running sum * 0x17496 (95382 decimal); EDI now holds the expected serial as an integer
00402552 0F80 19010000 JO KeyGenMe.00402671
00402558 897D D8 MOV DWORD PTR SS:[EBP-28],EDI
0040255B DB45 D8 FILD DWORD PTR SS:[EBP-28] ; load the expected serial as a floating-point value
0040255E DD9D 14FFFFFF FSTP QWORD PTR SS:[EBP-EC] ; and keep it as a double in [EBP-EC]
00402564 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; [EBP-24] = entered serial string
00402567 51 PUSH ECX
00402568 FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8St>; MSVBVM60.__vbaR8Str
0040256E DC9D 14FFFFFF FCOMP QWORD PTR SS:[EBP-EC] 真码比较 ; author's note (its ';' is missing in the post): comparison against the real serial
00402574 DFE0 FSTSW AX
00402576 F6C4 40 TEST AH,40 ; bit 40 of AH is the FPU "equal" condition flag after FCOMP
00402579 0F84 86000000 JE KeyGenMe.00402605 ; key jump: taken (failure) when the flag is clear, i.e. the values differ; the author notes the check can be bypassed by patching here
0040257F B9 04000280 MOV ECX,80020004
00402584 894D 8C MOV DWORD PTR SS:[EBP-74],ECX
00402587 B8 0A000000 MOV EAX,0A
算法总结:1,依次取用户名每个字符的ASCII码,与该字符所在位置(从1开始)相乘后累加,累加和的初值为1
2,累加和与十六进制17496(十进制95382)相乘,乘积的十进制形式就是注册码
我们再来做算法注册机
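{ Keygen for the first KeyGenMe, following the listing above:
  s2 starts at 1, adds ord(name[i]) * i for every character (i is the 1-based position),
  and the sum multiplied by 95382 ($17496) is written to edit2 in decimal. }
var
  name:string;
  s2:longword;
  i:integer;
begin
  name:=edit1.text;
  // The KeyGenMe rejects names shorter than 3 characters (CMP AX,3 / JL), so do the same here.
  if length(name)<3 then exit;
  s2:=1;
  for i:=1 to length(name) do
    // name[i]: the index was missing in the posted code (most likely the forum
    // swallowed "[i]" as an italic tag); ord() needs a single character.
    s2:=ord(name[i]) * i + s2;
  // NOTE(review): the KeyGenMe checks for signed overflow (JO) after each arithmetic step,
  // while longword wraps silently, so for long names this value will not match the program.
  s2:=s2 * 95382;
  edit2.text:=inttostr(s2);
end;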
第二篇学习笔记
下断点 MSVBVM60.__vbaStrMove
取消断点返回到反汇编窗口~往上找到这里下断点
; Second KeyGenMe: read the first input string (the username) and check its length.
; NOTE(review): the indirect calls through [EDX+314] and [ECX+A0] are not resolved in this listing;
; they presumably fetch the text box object and its Text value — confirm in the debugger.
004023DC 6A 01 PUSH 1
004023DE FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError
004023E4 8B16 MOV EDX,DWORD PTR DS:[ESI]
004023E6 56 PUSH ESI
004023E7 FF92 14030000 CALL DWORD PTR DS:[EDX+314] ; indirect call through the vtable of the object in ESI
004023ED 50 PUSH EAX
004023EE 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004023F1 50 PUSH EAX
004023F2 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004023F8 8BF8 MOV EDI,EAX
004023FA 8B0F MOV ECX,DWORD PTR DS:[EDI]
004023FC 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004023FF 52 PUSH EDX
00402400 57 PUSH EDI
00402401 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; indirect call on the returned object; [EBP-38] is passed as the output slot
00402407 DBE2 FCLEX
00402409 3BC3 CMP EAX,EBX
0040240B 7D 12 JGE SHORT KeyGenMe.0040241F ; EAX >= EBX: skip the __vbaHresultCheckObj call below
0040240D 68 A0000000 PUSH 0A0
00402412 68 581C4000 PUSH KeyGenMe.00401C58
00402417 57 PUSH EDI
00402418 50 PUSH EAX
00402419 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040241F 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00402422 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00402425 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34] ; destination slot [EBP-34] will hold the username
00402428 8B3D A4104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0040242E FFD7 CALL EDI ; take the username; <&MSVBVM60.__vbaStrMove>
00402430 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00402433 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402439 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0040243C 50 PUSH EAX
0040243D FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; get the length of the username
00402443 8BC8 MOV ECX,EAX
00402445 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
0040244B 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX ; keep the length in [EBP-30]; the loop at 004024CF compares against it
0040244E 66:3D 0200 CMP AX,2 ; compare the username length with 2
00402452 0F8C D1010000 JL KeyGenMe.00402629 ; shorter than 2 characters: jump to the failure path
; Read the second input string (the serial the user typed) and reject it when its length is zero.
; Same call sequence as for the username, via [ECX+30C].
00402458 8B0E MOV ECX,DWORD PTR DS:[ESI]
0040245A 56 PUSH ESI
0040245B FF91 0C030000 CALL DWORD PTR DS:[ECX+30C] ; indirect call through the vtable of the object in ESI
00402461 50 PUSH EAX
00402462 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00402465 52 PUSH EDX
00402466 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040246C 8BF0 MOV ESI,EAX
0040246E 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402470 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402473 51 PUSH ECX
00402474 56 PUSH ESI
00402475 FF90 A0000000 CALL DWORD PTR DS:[EAX+A0] ; indirect call on the returned object; [EBP-38] is passed as the output slot
0040247B DBE2 FCLEX
0040247D 3BC3 CMP EAX,EBX
0040247F 7D 12 JGE SHORT KeyGenMe.00402493 ; EAX >= EBX: skip the __vbaHresultCheckObj call below
00402481 68 A0000000 PUSH 0A0
00402486 68 581C4000 PUSH KeyGenMe.00401C58
0040248B 56 PUSH ESI
0040248C 50 PUSH EAX
0040248D FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402493 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00402496 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00402499 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; destination slot [EBP-24] will hold the entered serial
0040249C FFD7 CALL EDI ; take the entered serial (EDI = __vbaStrMove, loaded at 00402428)
0040249E 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004024A1 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004024A7 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
004024AA 52 PUSH EDX
004024AB FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
004024B1 8BC8 MOV ECX,EAX ; ECX = length of the entered serial
004024B3 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
004024B9 66:3BC3 CMP AX,BX ; length compared with BX (presumably 0): is the serial empty?
004024BC 0F84 67010000 JE KeyGenMe.00402629 ; equal: jump to the same failure target as the username length check
; Accumulation loop over the username.
; EDI = running sum (starts at 1), SI = 1-based character position, [EBP-30] = username length.
; Each pass adds the character code to the sum; there is no multiplication by the position here.
; The JO targets (KeyGenMe.00402695) lie outside this excerpt.
004024C2 BF 01000000 MOV EDI,1 ; running sum starts at 1
004024C7 8BF7 MOV ESI,EDI ; position counter starts at 1
004024C9 8B1D 0C104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
004024CF 66:3B75 D0 CMP SI,WORD PTR SS:[EBP-30] ; loop head: position vs. username length
004024D3 0F8F 89000000 JG KeyGenMe.00402562 ; position > length: leave the loop
004024D9 C745 BC 0100000>MOV DWORD PTR SS:[EBP-44],1
004024E0 C745 B4 0200000>MOV DWORD PTR SS:[EBP-4C],2 ; descriptor at [EBP-4C]: type 2, value 1 (at [EBP-44]) — presumably the Mid length argument
004024E7 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004024EA 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
004024F0 C785 74FFFFFF 0>MOV DWORD PTR SS:[EBP-8C],4008 ; descriptor at [EBP-8C]: type 4008, pointing at [EBP-34] (the username slot)
004024FA 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004024FD 51 PUSH ECX
004024FE 0FBFD6 MOVSX EDX,SI
00402501 52 PUSH EDX ; current position
00402502 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00402508 50 PUSH EAX
00402509 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C] ; result goes to [EBP-5C]
0040250C 51 PUSH ECX
0040250D FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402513 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00402516 52 PUSH EDX
00402517 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
0040251A 50 PUSH EAX
0040251B FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00402521 50 PUSH EAX
00402522 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get the character code of the current username character (presumably rtcAnsiValueBstr, i.e. Asc — confirm)
00402528 0FBFC8 MOVSX ECX,AX
0040252B 03CF ADD ECX,EDI ; ECX = character code + running sum (the sum started at 1)
0040252D 0F80 62010000 JO KeyGenMe.00402695
00402533 8BF9 MOV EDI,ECX ; store the updated running sum back in EDI
00402535 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402538 FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040253E 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00402541 52 PUSH EDX
00402542 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
00402545 50 PUSH EAX
00402546 6A 02 PUSH 2
00402548 FFD3 CALL EBX ; EBX = __vbaFreeVarList (loaded at 004024C9): release the two temporaries
0040254A 83C4 0C ADD ESP,0C
0040254D B8 01000000 MOV EAX,1
00402552 66:03C6 ADD AX,SI ; position + 1
00402555 0F80 3A010000 JO KeyGenMe.00402695
0040255B 8BF0 MOV ESI,EAX
0040255D ^ E9 6DFFFFFF JMP KeyGenMe.004024CF ; back to the loop head
; Derive the expected serial: (running sum * 0x310) XOR a fixed constant, then compare it with
; the entered serial. Both sides are compared as doubles (FILD for the expected value,
; __vbaR8Str for the typed string).
00402562 69FF 10030000 IMUL EDI,EDI,310 ; running sum * 0x310 (784 decimal)
00402568 0F80 27010000 JO KeyGenMe.00402695
0040256E DD05 E8104000 FLD QWORD PTR DS:[4010E8] ; load the fixed constant stored as a double; the author reads its value as 26A2F285
00402574 FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>>; convert the constant to an integer in EAX (the author's note says "to hexadecimal": the debugger shows the integer in hex)
0040257A 33F8 XOR EDI,EAX ; product XOR fixed constant
0040257C 897D D8 MOV DWORD PTR SS:[EBP-28],EDI
0040257F DB45 D8 FILD DWORD PTR SS:[EBP-28] ; load the expected serial as a floating-point value
00402582 DD9D 14FFFFFF FSTP QWORD PTR SS:[EBP-EC] ; and keep it as a double in [EBP-EC]
00402588 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; [EBP-24] = entered serial string
0040258B 51 PUSH ECX
0040258C FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
00402592 DC9D 14FFFFFF FCOMP QWORD PTR SS:[EBP-EC] ; compare the entered serial with the expected one
00402598 DFE0 FSTSW AX
0040259A F6C4 40 TEST AH,40 ; bit 40 of AH is the FPU "equal" condition flag after FCOMP
0040259D 0F84 86000000 JE KeyGenMe.00402629 ; key jump: taken (failure) when the flag is clear, i.e. the values differ
004025A3 B9 04000280 MOV ECX,80020004
004025A8 894D 8C MOV DWORD PTR SS:[EBP-74],ECX
004025AB B8 0A000000 MOV EAX,0A
004025B0 8945 84 MOV DWORD PTR SS:[EBP-7C],EAX
004025B3 894D 9C MOV DWORD PTR SS:[EBP-64],ECX
004025B6 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
004025B9 C785 6CFFFFFF 8>MOV DWORD PTR SS:[EBP-94],KeyGenMe.00401>; UNICODE "Congratulations"
算法总结:1,用户名ASCII累积和加初值一
2,累积和与十六进制310相乘
3,乘积再与固定值26A2F285(十六进制)做XOR
4,XOR的结果用十进制表示就是注册码
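// Keygen for the algorithm summarised above (heading in the original post: 写算法注册机).
// s1 starts at 1 and adds the character code of every character of the name;
// the serial is (s1 * $310) xor $26A2F285, written to edit2 in decimal.
var name:string;
    i:integer;
    s1,s2,s3:longword;
begin
  name:=edit1.Text;
  s1:=1;
  // The KeyGenMe rejects names shorter than 2 characters (CMP AX,2 / JL).
  if length(name)<2 then exit;
  for i:=1 to length(name) do
    // name[i]: the index was missing in the posted code (most likely the forum
    // swallowed "[i]" as an italic tag); ord() needs a single character.
    s1:=s1+ord(name[i]);
  // NOTE(review): the KeyGenMe checks for signed overflow (JO) on the addition and the
  // multiplication, while longword wraps silently; very long names will not match.
  s2:=s1*$310;
  s3:=s2 xor $26A2F285;
  edit2.text:=inttostr(s3);
end;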
第3个学习笔记~
研究这个确实花了点时间~主要是第一次接触密码表~再加上写注册机也是第一次~所以老出错、反复调试
现公布于下~
断点和前面两个一样
; Third KeyGenMe: copy the 36-character table string into [EBP-24], then read the first input
; string (the username) into [EBP-44] and check its length.
; NOTE(review): the indirect calls through [EDX+314] and [ECX+A0] are not resolved in this listing;
; they presumably fetch the text box object and its Text value — confirm in the debugger.
0040248B 6A 01 PUSH 1
0040248D FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnError>] ; MSVBVM60.__vbaOnError
00402493 BA 7C1C4000 MOV EDX,KeyGenMe.00401C7C ; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
00402498 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; destination slot [EBP-24] for the table string
0040249B FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
004024A1 8B16 MOV EDX,DWORD PTR DS:[ESI]
004024A3 56 PUSH ESI
004024A4 FF92 14030000 CALL DWORD PTR DS:[EDX+314] ; indirect call through the vtable of the object in ESI
004024AA 50 PUSH EAX
004024AB 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
004024AE 50 PUSH EAX
004024AF FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004024B5 8BF8 MOV EDI,EAX
004024B7 8B0F MOV ECX,DWORD PTR DS:[EDI]
004024B9 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
004024BC 52 PUSH EDX
004024BD 57 PUSH EDI
004024BE FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; indirect call on the returned object; [EBP-48] is passed as the output slot
004024C4 DBE2 FCLEX
004024C6 3BC3 CMP EAX,EBX
004024C8 7D 12 JGE SHORT KeyGenMe.004024DC ; EAX >= EBX: skip the __vbaHresultCheckObj call below
004024CA 68 A0000000 PUSH 0A0
004024CF 68 C81C4000 PUSH KeyGenMe.00401CC8
004024D4 57 PUSH EDI
004024D5 50 PUSH EAX
004024D6 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
004024DC 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]
004024DF 895D B8 MOV DWORD PTR SS:[EBP-48],EBX
004024E2 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] ; destination slot [EBP-44] will hold the username
004024E5 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004024EB 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004024EE 8B3D C0104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
004024F4 FFD7 CALL EDI ; <&MSVBVM60.__vbaFreeObj>
004024F6 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
004024F9 50 PUSH EAX
004024FA FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; get the length of the username
00402500 8BC8 MOV ECX,EAX
00402502 FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00402508 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX ; keep the length in [EBP-3C]; the loop at 0040258C compares against it
0040250B 66:3D 0300 CMP AX,3 ; compare the username length with 3
0040250F 0F8C C2020000 JL KeyGenMe.004027D7 ; shorter than 3 characters: jump to the failure path
; Read the second input string (the serial the user typed) into [EBP-2C] and reject it when its
; length is zero. Same call sequence as for the username, via [ECX+30C].
00402515 8B0E MOV ECX,DWORD PTR DS:[ESI]
00402517 56 PUSH ESI
00402518 FF91 0C030000 CALL DWORD PTR DS:[ECX+30C] ; indirect call through the vtable of the object in ESI
0040251E 50 PUSH EAX
0040251F 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
00402522 52 PUSH EDX
00402523 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00402529 8BF0 MOV ESI,EAX
0040252B 8B06 MOV EAX,DWORD PTR DS:[ESI]
0040252D 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00402530 51 PUSH ECX
00402531 56 PUSH ESI
00402532 FF90 A0000000 CALL DWORD PTR DS:[EAX+A0] ; indirect call on the returned object; [EBP-48] is passed as the output slot
00402538 DBE2 FCLEX
0040253A 3BC3 CMP EAX,EBX
0040253C 7D 12 JGE SHORT KeyGenMe.00402550 ; EAX >= EBX: skip the __vbaHresultCheckObj call below
0040253E 68 A0000000 PUSH 0A0
00402543 68 C81C4000 PUSH KeyGenMe.00401CC8
00402548 56 PUSH ESI
00402549 50 PUSH EAX
0040254A FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
00402550 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]
00402553 895D B8 MOV DWORD PTR SS:[EBP-48],EBX
00402556 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] ; destination slot [EBP-2C] will hold the entered serial
00402559 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0040255F 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
00402562 FFD7 CALL EDI ; EDI = __vbaFreeObj (loaded at 004024EE)
00402564 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00402567 52 PUSH EDX
00402568 FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; get the length of the entered serial
0040256E 8BC8 MOV ECX,EAX
00402570 FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00402576 66:3BC3 CMP AX,BX ; check whether the entered serial is empty (length compared with BX, presumably 0)
00402579 0F84 58020000 JE KeyGenMe.004027D7 ; equal: jump to the same failure target as the username length check
; First loop: accumulation over the username.
; EDI = running sum (starts at 1), SI = 1-based character position, [EBP-3C] = username length.
; Each pass adds (character code * position) to the sum; the JO targets (KeyGenMe.00402855)
; lie outside this excerpt.
0040257F BF 01000000 MOV EDI,1 ; running sum starts at 1
00402584 8BF7 MOV ESI,EDI ; position counter starts at 1
00402586 8B1D 10104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
0040258C 66:3B75 C4 CMP SI,WORD PTR SS:[EBP-3C] ; loop head: position vs. username length
00402590 0F8F 93000000 JG KeyGenMe.00402629 ; position > length: leave the loop
00402596 C745 AC 0100000>MOV DWORD PTR SS:[EBP-54],1
0040259D C745 A4 0200000>MOV DWORD PTR SS:[EBP-5C],2 ; descriptor at [EBP-5C]: type 2, value 1 (at [EBP-54]) — presumably the Mid length argument
004025A4 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004025A7 8985 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EAX
004025AD C785 64FFFFFF 0>MOV DWORD PTR SS:[EBP-9C],4008 ; descriptor at [EBP-9C]: type 4008, pointing at [EBP-44] (the username slot)
004025B7 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
004025BA 51 PUSH ECX
004025BB 0FBFD6 MOVSX EDX,SI
004025BE 52 PUSH EDX ; current position
004025BF 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
004025C5 50 PUSH EAX
004025C6 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] ; result goes to [EBP-6C]
004025C9 51 PUSH ECX
004025CA FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004025D0 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C]
004025D3 52 PUSH EDX
004025D4 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
004025D7 50 PUSH EAX
004025D8 FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004025DE 50 PUSH EAX
004025DF FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get the character code of the current username character (presumably rtcAnsiValueBstr, i.e. Asc — confirm)
004025E5 66:0FAFC6 IMUL AX,SI ; character code * its 1-based position (16-bit multiply)
004025E9 0F80 66020000 JO KeyGenMe.00402855
004025EF 0FBFC8 MOVSX ECX,AX
004025F2 03CF ADD ECX,EDI ; ECX = product + running sum (the sum started at 1)
004025F4 0F80 5B020000 JO KeyGenMe.00402855
004025FA 8BF9 MOV EDI,ECX ; store the updated running sum back in EDI
004025FC 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
004025FF FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402605 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C]
00402608 52 PUSH EDX
00402609 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0040260C 50 PUSH EAX
0040260D 6A 02 PUSH 2
0040260F FFD3 CALL EBX ; EBX = __vbaFreeVarList (loaded at 00402586): release the two temporaries
00402611 83C4 0C ADD ESP,0C
00402614 B8 01000000 MOV EAX,1
00402619 66:03C6 ADD AX,SI ; position + 1
0040261C 0F80 33020000 JO KeyGenMe.00402855
00402622 8BF0 MOV ESI,EAX
00402624 ^ E9 63FFFFFF JMP KeyGenMe.0040258C ; back to the loop head
; Second loop: turn the number into the expected serial string, one table character per pass.
; Before the loop: value = running sum * 0x147D5, kept in ESI and [EBP-30]; [EBP-40] receives a
; copy of the string at KeyGenMe.00401CDC (its contents are not shown; presumably empty).
; Each pass: index = (value mod 0x24) + 1 selects one character of the table in [EBP-24], the
; character is combined with the string in [EBP-40], then value = value / 3 converted back to an
; integer. The loop repeats while the value is greater than 0.
00402629 69FF D5470100 IMUL EDI,EDI,147D5 ; running sum * fixed constant 0x147D5 (83925 decimal)
0040262F 0F80 20020000 JO KeyGenMe.00402855
00402635 8BF7 MOV ESI,EDI
00402637 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI ; keep the product in [EBP-30] as well
0040263A BA DC1C4000 MOV EDX,KeyGenMe.00401CDC
0040263F 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] ; [EBP-40] = string being built
00402642 FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00402648 8B3D 0C104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove
0040264E 8BC6 MOV EAX,ESI ; loop head (target of the JG at 00402729): EAX = current value
00402650 99 CDQ
00402651 B9 24000000 MOV ECX,24 ; ECX = fixed value 0x24 (36, the number of characters in the table)
00402656 F7F9 IDIV ECX ; divide the value by 0x24: quotient in EAX, remainder in EDX
00402658 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; EAX is overwritten here, so only the remainder in EDX is used
0040265B 8985 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],EAX
00402661 C785 44FFFFFF 0>MOV DWORD PTR SS:[EBP-BC],8 ; descriptor at [EBP-BC]: type 8, holding the string built so far
0040266B C745 AC 0100000>MOV DWORD PTR SS:[EBP-54],1
00402672 C745 A4 0200000>MOV DWORD PTR SS:[EBP-5C],2 ; descriptor at [EBP-5C]: type 2, value 1 — presumably the Mid length argument
00402679 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0040267C 898D 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ECX
00402682 C785 64FFFFFF 0>MOV DWORD PTR SS:[EBP-9C],4008 ; descriptor at [EBP-9C]: type 4008, pointing at [EBP-24] (the table string)
0040268C 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0040268F 50 PUSH EAX
00402690 83C2 01 ADD EDX,1 ; remainder + 1 = 1-based index into the table
00402693 0F80 BC010000 JO KeyGenMe.00402855
00402699 52 PUSH EDX
0040269A 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C]
004026A0 51 PUSH ECX
004026A1 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C] ; result (the selected character) goes to [EBP-6C]
004026A4 52 PUSH EDX
004026A5 FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004026AB 8D85 44FFFFFF LEA EAX,DWORD PTR SS:[EBP-BC]
004026B1 50 PUSH EAX
004026B2 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
004026B5 51 PUSH ECX
004026B6 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
004026B9 52 PUSH EDX
004026BA FF15 A0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004026C0 50 PUSH EAX
004026C1 FFD7 CALL EDI ; EDI = __vbaStrVarMove; the author marks this as the key call where the real serial appears
004026C3 8BD0 MOV EDX,EAX
004026C5 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] ; store the extended string back in [EBP-40]
004026C8 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004026CE 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
004026D1 50 PUSH EAX
004026D2 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
004026D5 51 PUSH ECX
004026D6 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
004026D9 52 PUSH EDX
004026DA 6A 03 PUSH 3
004026DC FFD3 CALL EBX ; EBX = __vbaFreeVarList (loaded at 00402586): release the three temporaries
004026DE 83C4 10 ADD ESP,10
004026E1 DB45 D0 FILD DWORD PTR SS:[EBP-30] ; load the current value as a floating-point number
004026E4 DD9D 04FFFFFF FSTP QWORD PTR SS:[EBP-FC]
004026EA DD85 04FFFFFF FLD QWORD PTR SS:[EBP-FC]
004026F0 833D 00304000 0>CMP DWORD PTR DS:[403000],0
004026F7 75 08 JNZ SHORT KeyGenMe.00402701 ; flag at [403000] set: divide through the helper call below instead of FDIV
004026F9 DC35 F8104000 FDIV QWORD PTR DS:[4010F8] ; divide the floating-point value by the constant at [4010F8] (3 according to the author)
004026FF EB 11 JMP SHORT KeyGenMe.00402712
00402701 FF35 FC104000 PUSH DWORD PTR DS:[4010FC]
00402707 FF35 F8104000 PUSH DWORD PTR DS:[4010F8]
0040270D E8 22EAFFFF CALL ; call target missing in the post; presumably the runtime's _adj_fdiv_m64 division helper — confirm in the debugger
00402712 DFE0 FSTSW AX
00402714 A8 0D TEST AL,0D
00402716 0F85 34010000 JNZ KeyGenMe.00402850 ; FPU status bits set: branch to 00402850 (outside this excerpt)
0040271C FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>] ; convert the quotient back to an integer in EAX (the author's note says "to hexadecimal": the debugger shows it in hex)
00402722 8BF0 MOV ESI,EAX
00402724 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI ; new value for the next pass
00402727 85F6 TEST ESI,ESI
00402729 ^ 0F8F 1FFFFFFF JG KeyGenMe.0040264E ; value still greater than 0: next pass
; Final check: string comparison between the generated serial in [EBP-40] and the entered
; serial in [EBP-2C]; the success message strings are set up only when they are equal.
0040272F 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; the real (expected) serial is available here
00402732 50 PUSH EAX
00402733 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C] ; [EBP-2C] = entered serial
00402736 51 PUSH ECX
00402737 FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0040273D 85C0 TEST EAX,EAX
0040273F 0F85 92000000 JNZ KeyGenMe.004027D7 ; non-zero result (strings differ): jump to the failure path
00402745 B9 04000280 MOV ECX,80020004
0040274A 898D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ECX
00402750 B8 0A000000 MOV EAX,0A
00402755 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
0040275B 894D 8C MOV DWORD PTR SS:[EBP-74],ECX
0040275E 8945 84 MOV DWORD PTR SS:[EBP-7C],EAX
00402761 C785 5CFFFFFF 0>MOV DWORD PTR SS:[EBP-A4],KeyGenMe.00401D04 ; UNICODE "Congratulations"
0040276B BF 08000000 MOV EDI,8
00402770 89BD 54FFFFFF MOV DWORD PTR SS:[EBP-AC],EDI
00402776 8D95 54FFFFFF LEA EDX,DWORD PTR SS:[EBP-AC]
0040277C 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
0040277F 8B35 A4104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00402785 FFD6 CALL ESI ; <&MSVBVM60.__vbaVarDup>
00402787 C785 6CFFFFFF E>MOV DWORD PTR SS:[EBP-94],KeyGenMe.00401CE4 ; UNICODE "Good job,man!"
00402791 89BD 64FFFFFF MOV DWORD PTR SS:[EBP-9C],EDI
算法总结:1,第一个循环
依次取用户名ASCII码
ASCII码与相应位置乘积累积和为S1加初值1
S1=S1*$147D5
2。第2个循环
S1初值=循环前那个与147D5的乘积~
然后取S1除以24(十六进制,即十进制36,密码表的长度)的余数加一为N,根据N的值找到密码表的位置~我用数组来存密码表~
然后round(s1/$3)为下一个S1~这里为四舍五入~记住要在单元里添加Math单元
再就是循环:S1除以24的余数加一为N~~~
直到S1为0
算法注册机:
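procedure TForm1.Button1Click(Sender: TObject);
{ Keygen for the third KeyGenMe, following the algorithm summary above.
  Step 1: s1 starts at 1 and adds ord(name[i]) * i for every character, then s1 := s1 * $147D5.
  Step 2: while s1 is not 0, append table entry (s1 mod $24) + 1 to the serial and
          replace s1 by round(s1 / 3).
  Reads the name from edit1 and writes the serial to edit2; does nothing for names
  shorter than 3 characters, which the KeyGenMe rejects. }
var i,n:integer;
    s1:longword;
    name,serial:string;
const
  // Same 36 characters, in the same order, as the table string seen in the listing.
  z:array[1..36] of string=('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9');
begin
  name:=edit1.Text;
  s1:=1;
  if length(name)<3 then exit;
  for i:=1 to length(name) do
    // name[i]: the index was missing in the posted code (most likely the forum
    // swallowed "[i]" as an italic tag); ord() needs a single character.
    s1:=s1+ord(name[i])*i;
  // NOTE(review): the KeyGenMe checks for signed overflow (JO) after each arithmetic step,
  // while longword wraps silently, so for long names the result will not match the program.
  s1:=s1*$147D5;
  serial:='';
  // One loop, as in the disassembly. The posted version wrapped the body in an extra
  // "for i:=1 to length(inttostr(s1))" loop, which was redundant: it always ran out
  // before s1 reached 0, so the while loop alone produces the same serial.
  while s1<>0 do
  begin
    n:=(s1 mod $24)+1;
    serial:=serial+z[n];
    s1:=round(s1/$3);
  end;
  edit2.Text:=serial;
end;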
procedure TForm1.Button2Click(Sender: TObject);
// Second button: closes the form.
begin
  Self.Close;
end;
end.