lgjxj 发表于 2011-1-16 19:14 https://www.chinapyg.com/images/common/back.gif
哈哈,是要骂人,哈哈 是啊,给她繁化了,很郁闷的,幸好现在很小见到他了,现在见到VM反而方便些,一个 H 一条指令
并且有成就感些 哈,程序不支持中文,用户名超过12位退出。。我当初学VB的时候,也不能处理这些问题慢慢就会了,支持,加油!
文件名校验:
//===============================================================
004126F0PUSH EBP
004126F1MOV EBP,ESP
004126F3SUB ESP,8
004126F6PUSH <JMP.&msvbvm60.__vbaExceptHandler>
004126FBMOV EAX,DWORD PTR FS:
00412701PUSH EAX
.
.
.
.
.
00412799PUSH EDX
0041279APUSH EAX
0041279BCALL DWORD PTR DS:[<&msvbvm60.__vbaStrCm>; 比较名称是否为 “CrackMe.exe”
004127A1MOV ESI,EAX
004127A3LEA ECX,DWORD PTR SS:
004127A6NEG ESI
004127A8SBB ESI,ESI
004127AANEG ESI
004127ACNEG ESI
004127AECALL DWORD PTR DS:[<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004127B4LEA ECX,DWORD PTR SS:
004127B7CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
004127BDCMP SI,DI
004127C0JE SHORT dumped_.004127C8 ; ★JMP 跳过★
004127C2CALL DWORD PTR DS:[<&msvbvm60.__vbaEnd>] ; msvbvm60.__vbaEnd
004127C8PUSH dumped_.004127EC
004127CDJMP SHORT dumped_.004127E2
.
.
.
.
004127FAPOP EBX
004127FBMOV ESP,EBP
004127FDPOP EBP
004127FERETN 4
//===============================================================
//===============================================================
//算法开始
0041229ECALL DWORD PTR DS: ; 进入for循环
004122A4MOV ESI,DWORD PTR DS: ; msvbvm60.__vbaVarAdd
004122AAMOV EDI,DWORD PTR DS: ; msvbvm60.__vbaI4Var
004122B0TEST EAX,EAX
004122B2JE Crackme.00412381 ; 是否循环结束?
004122B8LEA EAX,DWORD PTR SS:
004122BBLEA ECX,DWORD PTR SS:
004122BEPUSH EAX
004122BFPUSH ECX
004122C0MOV DWORD PTR SS:,1
004122C7MOV DWORD PTR SS:,2
004122CECALL EDI
004122D0PUSH EAX
004122D1LEA EDX,DWORD PTR SS:
004122D4LEA EAX,DWORD PTR SS:
004122DAPUSH EDX
004122DBPUSH EAX
004122DCCALL DWORD PTR DS: ; 逐位取用户名
004122E2LEA ECX,DWORD PTR SS:
004122E8LEA EDX,DWORD PTR SS:
004122EBPUSH ECX
004122ECPUSH EDX
004122EDCALL DWORD PTR DS: ; 字符到数值
004122F3PUSH EAX
004122F4CALL DWORD PTR DS: ; 转ascii
004122FAPUSH EAX
004122FBCALL DWORD PTR DS: ; msvbvm60.__vbaStrI2
00412301MOV EDX,EAX
00412303LEA ECX,DWORD PTR SS:
00412306CALL DWORD PTR DS: ; msvbvm60.__vbaStrMove
0041230CPUSH EAX
0041230DCALL DWORD PTR DS: ; msvbvm60.rtcR8ValFromBstr
00412313FSTP QWORD PTR SS:
00412319LEA EAX,DWORD PTR SS:
0041231CLEA ECX,DWORD PTR SS:
00412322PUSH EAX
00412323LEA EDX,DWORD PTR SS:
00412329PUSH ECX
0041232APUSH EDX
0041232BMOV DWORD PTR SS:,5
00412335CALL ESI ; 加法
00412337MOV EDX,EAX
00412339LEA ECX,DWORD PTR SS:
0041233CCALL EBX
0041233ELEA EAX,DWORD PTR SS:
00412341LEA ECX,DWORD PTR SS:
00412344PUSH EAX
00412345PUSH ECX
00412346PUSH 2
00412348CALL DWORD PTR DS: ; msvbvm60.__vbaFreeStrList
0041234ELEA EDX,DWORD PTR SS:
00412354LEA EAX,DWORD PTR SS:
00412357PUSH EDX
00412358PUSH EAX
00412359PUSH 2
0041235BCALL DWORD PTR DS: ; msvbvm60.__vbaFreeVarList
00412361ADD ESP,18
00412364LEA ECX,DWORD PTR SS:
0041236ALEA EDX,DWORD PTR SS:
00412370LEA EAX,DWORD PTR SS:
00412373PUSH ECX
00412374PUSH EDX
00412375PUSH EAX
00412376CALL DWORD PTR DS: ; msvbvm60.__vbaVarForNext
0041237CJMP Crackme.004122B0 ; 继续循环 上面累加结果记为 dwSumName
00412381MOV EBX,DWORD PTR DS: ; msvbvm60.__vbaVarMul
00412387MOV EAX,2
0041238CLEA ECX,DWORD PTR SS:
0041238FMOV DWORD PTR SS:,EAX
00412395MOV DWORD PTR SS:,EAX
0041239BLEA EDX,DWORD PTR SS:
0041239EPUSH ECX
0041239FLEA EAX,DWORD PTR SS:
004123A2PUSH EDX
004123A3PUSH EAX
004123A4MOV DWORD PTR SS:,7C5 ; 1989 年轻小伙
004123AEMOV DWORD PTR SS:,7DA ; 2010 在PYG的活跃年份,哈
004123B8CALL EBX ; dwSumName * dwSumName
004123BALEA ECX,DWORD PTR SS:
004123C0PUSH EAX
004123C1LEA EDX,DWORD PTR SS:
004123C7PUSH ECX
004123C8PUSH EDX
004123C9CALL ESI ; dwSumName * dwSumName + 1989
004123CBPUSH EAX
004123CCLEA EAX,DWORD PTR SS:
004123D2LEA ECX,DWORD PTR SS:
004123D8PUSH EAX
004123D9PUSH ECX
004123DACALL EBX ; (dwSumName * dwSumName + 1989) * 2010
004123DCPUSH EAX
004123DDCALL EDI ; 经过这个CALL后,EAX里面的值转换成十进制就是注册码了,,内存注册机处!
004123DFLEA ECX,DWORD PTR SS:
004123E5MOV ESI,EAX
004123E7CALL DWORD PTR DS: ; msvbvm60.__vbaFreeVar
004123EDLEA EDX,DWORD PTR SS:
004123F0LEA EAX,DWORD PTR SS:
004123F6PUSH EDX
004123F7PUSH EAX
004123F8MOV DWORD PTR SS:,ESI
004123FEMOV DWORD PTR SS:,8003
00412408CALL DWORD PTR DS: ; 比较!
0041240ETEST AX,AX
00412411JE Crackme.004124C2 ; //爆破点
00412417MOV ESI,DWORD PTR DS: ; msvbvm60.__vbaVarDup
0041241DMOV ECX,80020004
00412422MOV DWORD PTR SS:,ECX
00412428MOV EAX,0A
0041242DMOV DWORD PTR SS:,ECX
00412433MOV EDI,8
00412438LEA EDX,DWORD PTR SS:
0041243ELEA ECX,DWORD PTR SS:
00412444MOV DWORD PTR SS:,EAX
0041244AMOV DWORD PTR SS:,EAX
00412450MOV DWORD PTR SS:,Crackme.004118>; 恭喜你!
0041245AMOV DWORD PTR SS:,EDI
00412460CALL ESI
00412462LEA EDX,DWORD PTR SS:
00412468LEA ECX,DWORD PTR SS:
0041246BMOV DWORD PTR SS:,Crackme.004118>; Good job , congratulations
00412475MOV DWORD PTR SS:,EDI
0041247BCALL ESI
0041247DLEA ECX,DWORD PTR SS:
00412483LEA EDX,DWORD PTR SS:
00412489PUSH ECX
0041248ALEA EAX,DWORD PTR SS:
00412490PUSH EDX
00412491PUSH EAX
00412492LEA ECX,DWORD PTR SS:
00412495PUSH 40
00412497PUSH ECX
00412498CALL DWORD PTR DS: ; msvbvm60.rtcMsgBox
0041249ELEA EDX,DWORD PTR SS:
004124A4LEA EAX,DWORD PTR SS:
.
.
.
.
.
00412506CALL DWORD PTR DS: ; msvbvm60.__vbaFreeVarList
0041250CADD ESP,14
0041250FRETN
KeyGen:#include <iostream.h>
#include <stdio.h>
#include <windows.h>
void main()
{
cout<<"**************************\n";
cout<<"* Code By PiaoYun *\n";
cout<<"* web:www.chinapyg.com *\n";
cout<<"* date:2011-1-18 *\n";
cout<<"**************************\n";
cout<<"请输入用户名:\n";
char szName = {0};
char szSn = {0};
int dwSum = 0;
int dwTemp = 0;
cin>>szName;
int dwLen = strlen(szName);
for (int i=0; i<dwLen;i++)
{
dwSum += szName;
}
dwTemp = ((dwSum * dwSum) + 1989) * 2010;
sprintf(szSn,"%d",dwTemp);
cout<<"您的注册码为:\n"<<szSn<<endl;
} 膜拜楼上高手....... 回复 13# 飘云
哈哈,惊动了老飘哈哈
的確不難......,算是給新手熟悉VB判斷的....
页:
1
[2]