日期:2005年4月14日 破解人:yijun[PYG]
———————————————————————————————————————————
【软件名称】:口令保管
【软件大小】: 188KB
【下载地址】:internet
【软件简介】:保存口令
【破解声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:OD,VBExplorer,peid
———————————————————————————————————————————
【破解过程】:
peid侦察知道是“Microsoft Visual Basic 5.0 / 6.0”编写,无壳。VBExplorer替换关键字可以知道该软件玄机在以下代码处~~~~~~
; PdSafe.00429930 - registration check, shown as an OllyDbg listing (address, bytes, instruction).
; Concrete values in the comments come from the author's debugging session.
; Visible flow: fetch two strings through object method calls, pass the machine code to
; PdSafe.00423A10, compare the string it returns with the entered code using __vbaStrCmp,
; then branch on the result at 00429A7D. The listing stops before the end of the function.
; NOTE(review): the expected code is derived inside the process and compared as plaintext,
; so it is visible at the compare; verifying a vendor-signed value would not expose it.
00429930 55 push ebp // breakpoint set here
00429931 8BEC mov ebp,esp
00429933 83EC 0C sub esp,0C
00429936 68 C6154000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; handler for the SEH record built below
0042993B 64:A1 00000000 mov eax,dword ptr fs:[0] ; previous SEH record
00429941 50 push eax
00429942 64:8925 0000000>mov dword ptr fs:[0],esp ; link the new SEH record
00429949 81EC C8000000 sub esp,0C8 ; space for locals
0042994F 53 push ebx
00429950 56 push esi
00429951 57 push edi
00429952 8965 F4 mov dword ptr ss:[ebp-C],esp
00429955 C745 F8 D814400>mov dword ptr ss:[ebp-8],PdSafe.004014D8
0042995C 8B75 08 mov esi,dword ptr ss:[ebp+8] ; esi = first argument
0042995F 8BC6 mov eax,esi
00429961 83E0 01 and eax,1 ; keep bit 0 of the argument
00429964 8945 FC mov dword ptr ss:[ebp-4],eax
00429967 83E6 FE and esi,FFFFFFFE ; clear bit 0 to get the object pointer
0042996A 56 push esi
0042996B 8975 08 mov dword ptr ss:[ebp+8],esi
0042996E 8B0E mov ecx,dword ptr ds:[esi] ; ecx = vtable
00429970 FF51 04 call dword ptr ds:[ecx+4] ; vtable slot +4 - presumably AddRef; confirm
00429973 8B16 mov edx,dword ptr ds:[esi]
00429975 33FF xor edi,edi ; edi = 0, used below to zero locals and as the comparison zero
00429977 56 push esi
00429978 897D E8 mov dword ptr ss:[ebp-18],edi
0042997B 897D E4 mov dword ptr ss:[ebp-1C],edi
0042997E 897D E0 mov dword ptr ss:[ebp-20],edi
00429981 897D DC mov dword ptr ss:[ebp-24],edi
00429984 897D D8 mov dword ptr ss:[ebp-28],edi
00429987 897D D4 mov dword ptr ss:[ebp-2C],edi
0042998A 897D D0 mov dword ptr ss:[ebp-30],edi
0042998D 897D CC mov dword ptr ss:[ebp-34],edi
00429990 897D C8 mov dword ptr ss:[ebp-38],edi
00429993 897D B8 mov dword ptr ss:[ebp-48],edi
00429996 897D A8 mov dword ptr ss:[ebp-58],edi
00429999 897D 98 mov dword ptr ss:[ebp-68],edi
0042999C 897D 88 mov dword ptr ss:[ebp-78],edi
0042999F 89BD 78FFFFFF mov dword ptr ss:[ebp-88],edi
004299A5 89BD 44FFFFFF mov dword ptr ss:[ebp-BC],edi
004299AB FF92 04030000 call dword ptr ds:[edx+304] ; method at vtable+304; result is stored as an object below
004299B1 50 push eax
004299B2 8D45 CC lea eax,dword ptr ss:[ebp-34]
004299B5 50 push eax
004299B6 FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004299BC 8BD8 mov ebx,eax
004299BE 8D55 DC lea edx,dword ptr ss:[ebp-24] ; out slot; read back at 00429A2F as the entered code
004299C1 52 push edx
004299C2 53 push ebx
004299C3 8B0B mov ecx,dword ptr ds:[ebx]
004299C5 FF91 A0000000 call dword ptr ds:[ecx+A0] ; presumably a string property getter - confirm
004299CB 3BC7 cmp eax,edi ; result >= 0 means success
004299CD DBE2 fclex
004299CF 7D 12 jge short PdSafe.004299E3 ; skip the error report on success
004299D1 68 A0000000 push 0A0
004299D6 68 DC624000 push PdSafe.004062DC
004299DB 53 push ebx
004299DC 50 push eax
004299DD FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004299E3 8B06 mov eax,dword ptr ds:[esi]
004299E5 56 push esi
004299E6 FF90 00030000 call dword ptr ds:[eax+300] ; method at vtable+300; second object
004299EC 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004299EF 50 push eax
004299F0 51 push ecx
004299F1 FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004299F7 8BF0 mov esi,eax
004299F9 8D45 D8 lea eax,dword ptr ss:[ebp-28] ; out slot; read back at 00429A1E as the machine code
004299FC 50 push eax
004299FD 56 push esi
004299FE 8B16 mov edx,dword ptr ds:[esi]
00429A00 FF92 A0000000 call dword ptr ds:[edx+A0] ; same vtable slot as at 004299C5
00429A06 3BC7 cmp eax,edi
00429A08 DBE2 fclex
00429A0A 7D 12 jge short PdSafe.00429A1E ; skip the error report on success
00429A0C 68 A0000000 push 0A0
00429A11 68 DC624000 push PdSafe.004062DC
00429A16 56 push esi
00429A17 50 push eax
00429A18 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00429A1E 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; load machine code (016432652) -> EDX
00429A21 8B1D 88114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
00429A27 8D4D D4 lea ecx,dword ptr ss:[ebp-2C] ; destination for the moved string
00429A2A 897D D8 mov dword ptr ss:[ebp-28],edi ; clear the source slot
00429A2D FFD3 call ebx ; __vbaStrMove (pointer loaded at 00429A21)
00429A2F 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; load the entered (fake) code -> ECX
00429A32 8D55 D4 lea edx,dword ptr ss:[ebp-2C] ; address of the machine-code string
00429A35 51 push ecx ; push the entered code
00429A36 52 push edx
00429A37 E8 D49FFFFF call PdSafe.00423A10 // step into
00429A3C 8BD0 mov edx,eax ; EAX (103525702, the registration code) -> EDX
00429A3E 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00429A41 FFD3 call ebx ; __vbaStrMove again, into [ebp-30]
00429A43 50 push eax ; presumably pairs with the entered code pushed at 00429A35 - callee's ret not shown
00429A44 FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00429A4A 8BF0 mov esi,eax ; esi = compare result
00429A4C 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00429A4F F7DE neg esi ; CF = 1 when the result is non-zero
00429A51 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00429A54 50 push eax
00429A55 1BF6 sbb esi,esi ; esi = -1 if result was non-zero, else 0
00429A57 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00429A5A 51 push ecx
00429A5B 46 inc esi ; esi = 0 if non-zero, 1 if zero
00429A5C 52 push edx
00429A5D 6A 03 push 3 ; three strings to free
00429A5F F7DE neg esi ; esi = 0 if non-zero, -1 if zero
00429A61 FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00429A67 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00429A6A 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00429A6D 50 push eax
00429A6E 51 push ecx
00429A6F 6A 02 push 2 ; two object references to free
00429A71 FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
00429A77 83C4 1C add esp,1C ; drop the 7 dwords pushed for the two free-list calls
00429A7A 66:3BF7 cmp si,di ; edi was zeroed at 00429975
00429A7D 0F84 7C010000 je PdSafe.00429BFF ; key jump: taken when si == 0 (target not shown)
00429A83 E8 C88AFFFF call PdSafe.00422550 ; fall-through path; callee not shown
00429A88 66:8B15 28D0420>mov dx,word ptr ds:[42D028]
00429A8F 52 push edx
00429A90 6A 01 push 1
00429A92 68 74D14200 push PdSafe.0042D174
00429A97 68 90634000 push PdSafe.00406390
00429A9C FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaRecDe>; MSVBVM60.__vbaRecDestruct
*************************************************************
00429A37处CALL
; PdSafe.00423A10 - derives the expected registration string from the machine-code string
; (OllyDbg listing; concrete values in the comments come from the author's debugging session).
; Visible flow: convert the string at [arg] to a double, apply four x87 operations with
; constants stored at 4013C8/4013C0/4013B8/4013B0, convert back to text, trim, take a
; substring, format it, and return the resulting string in EAX.
; The epilogue is outside the excerpt (the author elided the rest).
; NOTE(review): every input and constant is available locally, so the derived value is not a secret.
00423A10 55 push ebp
00423A11 8BEC mov ebp,esp
00423A13 83EC 0C sub esp,0C
00423A16 68 C6154000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; handler for the SEH record built below
00423A1B 64:A1 00000000 mov eax,dword ptr fs:[0] ; previous SEH record
00423A21 50 push eax
00423A22 64:8925 0000000>mov dword ptr fs:[0],esp ; link the new SEH record
00423A29 81EC BC000000 sub esp,0BC ; space for locals
00423A2F 53 push ebx
00423A30 56 push esi
00423A31 57 push edi
00423A32 8965 F4 mov dword ptr ss:[ebp-C],esp
00423A35 C745 F8 D013400>mov dword ptr ss:[ebp-8],PdSafe.004013D0
00423A3C 8B75 08 mov esi,dword ptr ss:[ebp+8] ; esi = first argument (address of the machine-code string)
00423A3F 33C0 xor eax,eax ; eax = 0, used to zero the locals below
00423A41 8945 E8 mov dword ptr ss:[ebp-18],eax
00423A44 8945 D8 mov dword ptr ss:[ebp-28],eax
00423A47 8945 C8 mov dword ptr ss:[ebp-38],eax
00423A4A 8945 B8 mov dword ptr ss:[ebp-48],eax
00423A4D 8945 A8 mov dword ptr ss:[ebp-58],eax
00423A50 8945 98 mov dword ptr ss:[ebp-68],eax
00423A53 8945 88 mov dword ptr ss:[ebp-78],eax
00423A56 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
00423A5C 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax
00423A62 8985 38FFFFFF mov dword ptr ss:[ebp-C8],eax
00423A68 8B06 mov eax,dword ptr ds:[esi] ; eax = the string itself
00423A6A 50 push eax
00423A6B FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
00423A71 DC0D C8134000 fmul qword ptr ds:[4013C8] ; ST=16432652, DS operand=7 (product is 115028564)
00423A77 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00423A7A 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00423A7D 51 push ecx
00423A7E 52 push edx
00423A7F DC25 C0134000 fsub qword ptr ds:[4013C0] ; ST=115028564, DS operand=6 (difference is 115028558)
00423A85 C745 D8 0500000>mov dword ptr ss:[ebp-28],5 ; presumably variant type 5 (double) for the value stored at [ebp-20]
00423A8C DC0D B8134000 fmul qword ptr ds:[4013B8] ; ST=115028558, DS operand=9 (product is 1035257022)
00423A92 DC05 B0134000 fadd qword ptr ds:[4013B0] ; ST=1035257022, DS operand=2 (sum is 1035257024)
00423A98 DD5D E0 fstp qword ptr ss:[ebp-20] ; st=1035257024
00423A9B DFE0 fstsw ax ; AX=0
00423A9D A8 0D test al,0D ; x87 status bits 0, 2 and 3
00423A9F 0F85 39010000 jnz PdSafe.00423BDE ; taken if any of those bits is set (target not shown)
00423AA5 FF15 6C114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00423AAB 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00423AAE 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00423AB1 50 push eax
00423AB2 51 push ecx
00423AB3 FF15 84104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00423AB9 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00423ABC 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00423ABF 52 push edx
00423AC0 6A 01 push 1 ; presumably the substring start position - confirm
00423AC2 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00423AC5 50 push eax
00423AC6 51 push ecx
00423AC7 C745 B0 0900000>mov dword ptr ss:[ebp-50],9 ; presumably the substring length - confirm
00423ACE C745 A8 0200000>mov dword ptr ss:[ebp-58],2 ; presumably variant type 2 (integer) for the 9 above
00423AD5 FF15 90104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00423ADB 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00423AE1 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00423AE4 C785 40FFFFFF 7>mov dword ptr ss:[ebp-C0],PdSafe.00406C7> ; constant address (truncated in the listing)
00423AEE C785 38FFFFFF 0>mov dword ptr ss:[ebp-C8],8 ; presumably variant type 8 (string) for the constant above
00423AF8 FF15 68114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00423AFE 8B06 mov eax,dword ptr ds:[esi] ; machine code -> EAX
00423B00 8D55 88 lea edx,dword ptr ss:[ebp-78]
00423B03 52 push edx
00423B04 50 push eax ; push machine code
00423B05 FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; computes the machine-code length, returned in EAX
00423B0B 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00423B11 50 push eax
00423B12 51 push ecx
00423B13 FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#607>] ; MSVBVM60.rtcStringVar
00423B19 6A 01 push 1
00423B1B 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
00423B21 6A 01 push 1
00423B23 8D45 98 lea eax,dword ptr ss:[ebp-68]
00423B26 52 push edx
00423B27 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00423B2D 50 push eax
00423B2E 51 push ecx
00423B2F FF15 40104000 call dword ptr ds:[<&MSVBVM60.#660>] ; MSVBVM60.rtcVarFromFormatVar
00423B35 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00423B3B 52 push edx
00423B3C FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; dropping the last digit of ST gives 103525702
00423B42 8BD0 mov edx,eax ; EAX=103525702
00423B44 8D4D E8 lea ecx,dword ptr ss:[ebp-18] ; EDX=103525702
00423B47 FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00423B4D 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
00423B53 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00423B59 50 push eax
00423B5A 8D55 98 lea edx,dword ptr ss:[ebp-68]
00423B5D 51 push ecx
00423B5E 8D45 88 lea eax,dword ptr ss:[ebp-78]
00423B61 52 push edx
00423B62 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00423B65 50 push eax
00423B66 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00423B69 51 push ecx
00423B6A 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00423B6D 52 push edx
00423B6E 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00423B71 50 push eax
00423B72 51 push ecx
00423B73 6A 08 push 8 ; eight temporaries to free
00423B75 FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00423B7B 83C4 24 add esp,24 ; drop the 9 dwords pushed for the call above
00423B7E 9B wait
00423B7F 68 C83B4200 push PdSafe.00423BC8
00423B84 EB 41 jmp short PdSafe.00423BC7 ; normal exit path; target is outside the excerpt
00423B86 F645 FC 04 test byte ptr ss:[ebp-4],4 ; not reached by fall-through (follows the jmp above)
00423B8A 74 09 je short PdSafe.00423B95
~~~~~~~~~~~省略~~~~~~~~~~~~~~~
———————————————————————————————————————————
【Crack_总结】:
机器码:016432652
注册码:103525702 |