:00472590 51 push ecx
:00472591 8D5594 lea edx, dword ptr [ebp-6C]
:00472594 0F8020050000 jo 00472ABA
:0047259A 52 push edx
:0047259B C78554FFFFFF08000000 mov dword ptr [ebp+FFFFFF54], 00000008
:004725A5 8945AC mov dword ptr [ebp-54], eax
:004725A8 C745A403000000 mov [ebp-5C], 00000003
* Reference To: MSVBVM60.rtcHexVarFromVar, Ord:023Dh
|
:004725AF FF15D8124000 Call dword ptr [004012D8]
:004725B5 6A01 push 00000001
:004725B7 8D8554FFFFFF lea eax, dword ptr [ebp+FFFFFF54]
:004725BD 50 push eax
:004725BE 8D4D94 lea ecx, dword ptr [ebp-6C]
:004725C1 51 push ecx
:004725C2 6A01 push 00000001
:004725C4 8D5584 lea edx, dword ptr [ebp-7C]
:004725C7 52 push edx
:004725C8 89BD4CFFFFFF mov dword ptr [ebp+FFFFFF4C], edi
:004725CE C78544FFFFFF02800000 mov dword ptr [ebp+FFFFFF44], 00008002
* Reference To: MSVBVM60.__vbaInStrVar, Ord:0000h
|
:004725D8 FF1570124000 Call dword ptr [00401270]
====>比较CALL!进入!有点特别呀 ^O^ ^O^
:004725DE 50 push eax
:004725DF 8D8544FFFFFF lea eax, dword ptr [ebp+FFFFFF44]
:004725E5 50 push eax
* Reference To: MSVBVM60.__vbaVarTstGt, Ord:0000h
|
:004725E6 FF1504104000 Call dword ptr [00401004]
:004725EC 8D4D84 lea ecx, dword ptr [ebp-7C]
:004725EF 51 push ecx
:004725F0 8D5594 lea edx, dword ptr [ebp-6C]
:004725F3 668BD8 mov bx, ax
====>爆破点②! ^O^ ^O^
:004725F6 52 push edx
:004725F7 8D45A4 lea eax, dword ptr [ebp-5C]
:004725FA 50 push eax
:004725FB 6A03 push 00000003
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:004725FD FF1544104000 Call dword ptr [00401044]
:00472603 83C410 add esp, 00000010
:00472606 663BDF cmp bx, di
:00472609 0F84E3000000 je 004726F2
====>跳则OVER!
:0047260F 8B0E mov ecx, dword ptr [esi]
:00472611 56 push esi
:00472612 C745D0FFFFFFFF mov [ebp-30], FFFFFFFF
:00472619 FF912C060000 call dword ptr [ecx+0000062C]
:0047261F 50 push eax
:00472620 8D55B8 lea edx, dword ptr [ebp-48]
:00472623 52 push edx
* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
|
:00472624 FF15F4104000 Call dword ptr [004010F4]
:0047262A 8D4DB4 lea ecx, dword ptr [ebp-4C]
:0047262D 51 push ecx
:0047262E 8BF0 mov esi, eax
:00472630 8B06 mov eax, dword ptr [esi]
:00472632 6A03 push 00000003
:00472634 56 push esi
:00472635 FF5040 call [eax+40]
:00472638 DBE2 fclex
:0047263A 3BC7 cmp eax, edi
:0047263C 7D0F jge 0047264D
:0047263E 6A40 push 00000040
:00472640 68BC654200 push 004265BC
:00472645 56 push esi
:00472646 50 push eax
—————————————————————————————————
进入比较CALL:004725D8 Call dword ptr [00401270]
再进入:7347A9CC Call MSVBVM60.__vbaInStr
733A45A5 > 55 push ebp
733A45A6 8BEC mov ebp,esp
733A45A8 81EC BC000000 sub esp,0BC
733A45AE 8365 EC 00 and dword ptr ss:[ebp-14],0
733A45B2 53 push ebx
733A45B3 56 push esi
733A45B4 8B75 0C mov esi,dword ptr ss:[ebp+C]
====>ESI=20A0EA3A
733A45B7 57 push edi
733A45B8 8B7D 10 mov edi,dword ptr ss:[ebp+10]
====>EDI=fly12345678fly[OCN][FCG]E
733A45BB 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
733A45C1 897D F8 mov dword ptr ss:[ebp-8],edi
733A45C4 85FF test edi,edi
733A45C6 8945 F4 mov dword ptr ss:[ebp-C],eax
733A45C9 8975 FC mov dword ptr ss:[ebp-4],esi
733A45CC 0F84 09350300 je MSVBVM60.733D7ADB
733A45D2 8B47 FC mov eax,dword ptr ds:[edi-4]
733A45D5 D1E8 shr eax,1
====>取fly12345678fly[OCN][FCG]E的长度
733A45D7 8945 E4 mov dword ptr ss:[ebp-1C],eax
====>EAX=19
733A45DA 0F84 FB340300 je MSVBVM60.733D7ADB
733A45E0 85F6 test esi,esi
733A45E2 0F84 EB340300 je MSVBVM60.733D7AD3
733A45E8 8B46 FC mov eax,dword ptr ds:[esi-4]
733A45EB D1E8 shr eax,1
====>取20A0EA3A的长度
733A45ED 8945 E4 mov dword ptr ss:[ebp-1C],eax
====>EAX=8
733A45F0 0F84 DD340300 je MSVBVM60.733D7AD3
733A45F6 8B45 14 mov eax,dword ptr ss:[ebp+14]
733A45F9 8D58 FF lea ebx,dword ptr ds:[eax-1]
733A45FC 85DB test ebx,ebx
733A45FE 0F8C 33330300 jl MSVBVM60.733D7937
733A4604 81FB FFFFFF3F cmp ebx,3FFFFFFF
733A460A 0F87 27330300 ja MSVBVM60.733D7937
733A4610 8B45 08 mov eax,dword ptr ss:[ebp+8]
733A4613 895D E8 mov dword ptr ss:[ebp-18],ebx
733A4616 85C0 test eax,eax
733A4618 0F85 20330300 jnz MSVBVM60.733D793E
====>跳下去,转变大写字母为小写字母!
733A461E 8B45 F8 mov eax,dword ptr ss:[ebp-8]
====>转变完了再跳回来!
733A4621 85C0 test eax,eax
====>EAX=fly12345678fly[ocn][fcg]e
733A4623 0F84 06340300 je MSVBVM60.733D7A2F
733A4629 8B48 FC mov ecx,dword ptr ds:[eax-4]
733A462C D1E9 shr ecx,1
733A462E 85F6 test esi,esi
733A4630 0F84 00340300 je MSVBVM60.733D7A36
733A4636 8B56 FC mov edx,dword ptr ds:[esi-4]
733A4639 D1EA shr edx,1
733A463B 8B7D E8 mov edi,dword ptr ss:[ebp-18]
733A463E 3BF9 cmp edi,ecx
733A4640 73 74 jnb short MSVBVM60.733A46B6
733A4642 85D2 test edx,edx
733A4644 0F84 F3330300 je MSVBVM60.733D7A3D
733A464A 3BD1 cmp edx,ecx
733A464C 0F87 F6330300 ja MSVBVM60.733D7A48
733A4652 8D0478 lea eax,dword ptr ds:[eax+edi*2]
733A4655 8B7D F8 mov edi,dword ptr ss:[ebp-8]
733A4658 2BCA sub ecx,edx
733A465A 8D5C4F 02 lea ebx,dword ptr ds:[edi+ecx*2+2]
733A465E 0FB70E movzx ecx,word ptr ds:[esi]
733A4661 894D 14 mov dword ptr ss:[ebp+14],ecx
733A4664 8D4C12 FE lea ecx,dword ptr ds:[edx+edx-2]
733A4668 3BC3 cmp eax,ebx
733A466A 894D E4 mov dword ptr ss:[ebp-1C],ecx
733A466D 73 47 jnb short MSVBVM60.733A46B6
733A466F 8BCB mov ecx,ebx
733A4671 2BC8 sub ecx,eax
733A4673 D1F9 sar ecx,1
733A4675 51 push ecx
733A4676 FF75 14 push dword ptr ss:[ebp+14]
733A4679 50 push eax
733A467A E8 46000000 call MSVBVM60.733A46C5
====>循环取试炼码,比较第“1”位是否是2?
733A467F 85C0 test eax,eax
733A4681 74 33 je short MSVBVM60.733A46B6
733A4683 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
733A4686 40 inc eax
733A4687 40 inc eax
733A4688 8D7E 02 lea edi,dword ptr ds:[esi+2]
733A468B 8BF0 mov esi,eax
733A468D 33D2 xor edx,edx
733A468F F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:[esi]
====>依次比较剩下的7位是否是0a0ea3a
733A4691 75 1A jnz short MSVBVM60.733A46AD
733A4693 8BC8 mov ecx,eax
733A4695 2B4D F8 sub ecx,dword ptr ss:[ebp-8]
733A4698 D1F9 sar ecx,1
733A469A 837D 08 00 cmp dword ptr ss:[ebp+8],0
733A469E 0F85 AD330300 jnz MSVBVM60.733D7A51
733A46A4 8BC1 mov eax,ecx
733A46A6 5F pop edi
733A46A7 5E pop esi
733A46A8 5B pop ebx
733A46A9 C9 leave
733A46AA C2 1000 retn 10
733A46AD 3BC3 cmp eax,ebx
733A46AF 73 05 jnb short MSVBVM60.733A46B6
733A46B1 8B75 FC mov esi,dword ptr ss:[ebp-4]
733A46B4 ^ EB B9 jmp short MSVBVM60.733A466F
====>循环比较!
====>其实就是循环比较试炼码中是否有8位是20a0ea3a
—————————————————
由733A4618跳到这里:
733D793E 83F8 01 cmp eax,1
733D7941 75 3D jnz short MSVBVM60.733D7980
733D7943 E8 818DFCFF call MSVBVM60.733A06C9
733D7948 8945 08 mov dword ptr ss:[ebp+8],eax
733D794B 8B45 08 mov eax,dword ptr ss:[ebp+8]
733D794E 3B05 2C1E4A73 cmp eax,dword ptr ds:[734A1E2C]
733D7954 74 06 je short MSVBVM60.733D795C
733D7956 50 push eax
733D7957 E8 D83B0A00 call MSVBVM60.7347B534
733D795C 8B45 F4 mov eax,dword ptr ss:[ebp-C]
733D795F 33F6 xor esi,esi
733D7961 56 push esi
733D7962 56 push esi
733D7963 56 push esi
733D7964 C700 FEFFFFFF mov dword ptr ds:[eax],-2
733D796A FF75 0C push dword ptr ss:[ebp+C]
733D796D E8 CA3D0A00 call MSVBVM60.7347B73C
====>将20A0EA3A中的大写字母转为小写字母!
733D7972 3BC6 cmp eax,esi
====>EAX=20a0ea3a
733D7974 8945 FC mov dword ptr ss:[ebp-4],eax
733D7977 75 1D jnz short MSVBVM60.733D7996
733D7979 6A 07 push 7
733D797B E8 D9D9FDFF call MSVBVM60.733B5359
733D7980 83F8 02 cmp eax,2
733D7983 74 0A je short MSVBVM60.733D798F
733D7985 50 push eax
733D7986 E8 69830900 call MSVBVM60.7346FCF4
733D798B 85C0 test eax,eax
733D798D ^ 75 BC jnz short MSVBVM60.733D794B
733D798F 6A 05 push 5
733D7991 E8 C3D9FDFF call MSVBVM60.733B5359
733D7996 56 push esi
733D7997 8D45 F4 lea eax,dword ptr ss:[ebp-C]
733D799A 56 push esi
733D799B 50 push eax
733D799C 57 push edi
====>EDI=fly12345678fly[OCN][FCG]E
733D799D E8 9A3D0A00 call MSVBVM60.7347B73C
====>将fly12345678fly[OCN][FCG]E中的大写字母转为小写字母!
733D79A2 8BF0 mov esi,eax
====>ESI=fly12345678fly[ocn][fcg]e
……省略……
733D7A1F E9 FACBFCFF jmp MSVBVM60.733A461E
====>转变完了再跳上去!
—————————————————————————————————
注册源码的生成:
:00461E75 FF15E4124000 Call dword ptr [004012E4]
:00461E7B 83C418 add esp, 00000018
:00461E7E 8B0D10804A00 mov ecx, dword ptr [004A8010]
====>ECX=211C1E09,即C盘的硬盘序列号
:00461E84 81E957300E00 sub ecx, 000E3057
====>ECX=211C1E09 - 000E3057=210DEDB2
:00461E8A 0F80C1070000 jo 00462651
:00461E90 51 push ecx
* Reference To: MSVBVM60.__vbaStrI4, Ord:0000h
|
:00461E91 FF1520104000 Call dword ptr [00401020]
====>取210DEDB2的10进制值
:00461E97 8BD0 mov edx, eax
====>EDX=554560946
:00461E99 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00461E9C FFD6 call esi
:00461E9E 50 push eax
* Reference To: MSVBVM60.rtcStrReverse, Ord:02C9h
|
:00461E9F FF153C124000 Call dword ptr [0040123C]
====>把554560946倒序排列
:00461EA5 8BD0 mov edx, eax
====>EDX=649065455
……省略……
:00461FCC 8B4344 mov eax, dword ptr [ebx+44]
====>EAX=FLY 计算机用户名
:00461FCF 50 push eax
:00461FD0 683C994200 push 0042993C
====>0042993C=N 这个应该是作者预设的固定值
* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:00461FD5 8B3D80104000 mov edi, dword ptr [00401080]
:00461FDB FFD7 call edi
====>连接FLY和N
:00461FDD 8BD0 mov edx, eax
====>EDX=FLYN
:00461FDF 8D4DC0 lea ecx, dword ptr [ebp-40]
:00461FE2 FFD6 call esi
:00461FE4 50 push eax
:00461FE5 8B957CFEFFFF mov edx, dword ptr [ebp+FFFFFE7C]
====>EDX=649065455
:00461FEB 8D4DBC lea ecx, dword ptr [ebp-44]
:00461FEE FFD6 call esi
:00461FF0 50 push eax
:00461FF1 FFD7 call edi
====>连接FLYN和649065455
:00461FF3 8BD0 mov edx, eax
====>EDX=FLYN649065455 这就是程序显示的注册源码!
—————————————————————————————————
【算 法 总 结】:
1、注册码要有-
2、去除-后还需要25位数字或字母
3、取C盘序列号211C1E09 - 007B33CF=20A0EA3A
4、25位字符中要有8位是20A0EA3A 其他任意
不清楚程序是否还有其他暗桩,有朋友发现的话,麻烦指出来!
—————————————————————————————————
【完 美 爆 破】:
1、00472574 0F850C010000 jne 00472686
改为:909090909090 NOP掉!
2、004725F3 668BD8 mov bx, ax
改为:B301 mov bl, 01
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\easypad\regist]
"regnumber"="fly-20A0EA3A-fly[OCN][FCG]-E"
—————————————————————————————————
【整 理】:
序列号:FLYN649065455613
注册码:fly-20A0EA3A-fly[OCN][FCG]-E
—————————————————————————————————