- UID
- 41862
注册时间2007-12-18
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
【破文标题】电脑定时关机1.3.6 算法分析
【破文作者】pemet
【作者邮箱】pemet@163.com
【作者主页】
【破解工具】PEID,OD
【破解平台】WINDOWS XP SP3
【软件名称】电脑定时关机1.3.6
【软件大小】
【原版下载】自己找
【保护方式】注册杩
【软件简介】
【破解声明】本人菜鸟一个,第一次写算法破文,在这献丑了~~把学习过程拿出来,跟大家分享一下
------------------------------------------------------------------------
【破解过程】定时关机.exe 查壳 显示为:Microsoft Visual Basic 5.0 / 6.0 没有加壳
下消息断点 bp rtcMsgBox 直到程序领空
0043BCBD . C785 5CFFFFFF 0>mov dword ptr ss:[ebp-A4],定时关机.00409500
0043BCC7 . C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],8
0043BCD1 . 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-AC]
0043BCD7 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0043BCDA . FF15 F8114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>>; MSVBVM60.__vbaVarDup
0043BCE0 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
0043BCE6 . 52 push edx
0043BCE7 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
0043BCED . 50 push eax
0043BCEE . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
0043BCF1 . 51 push ecx
0043BCF2 . 6A 30 push 30
0043BCF4 . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0043BCF7 . 52 push edx
0043BCF8 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#595>] ; 提示错误
0043BCFE . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0043BD01 . FF15 74124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>; MSVBVM60.__vbaFreeObj
==================================================================================================
向上翻
0043B9F3 . FF15 74124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>; MSVBVM60.__vbaFreeObj
0043B9F9 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
0043B9FC . 52 push edx
0043B9FD . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
0043BA00 . 50 push eax
0043BA01 . 6A 02 push 2
0043BA03 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>; MSVBVM60.__vbaFreeVarList
0043BA09 . 83C4 0C add esp,0C
0043BA0C . C745 FC 0300000>mov dword ptr ss:[ebp-4],3
0043BA13 . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
0043BA16 . 51 push ecx
0043BA17 . 68 04694000 push 定时关机.00406904
0043BA1C . FF15 04114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>>; MSVBVM60.__vbaStrCmp
0043BA22 . 85C0 test eax,eax
0043BA24 . 75 15 jnz short 定时关机.0043BA3B
0043BA26 . C745 FC 0400000>mov dword ptr ss:[ebp-4],4
0043BA2D . BA 7C6B4000 mov edx,定时关机.00406B7C ; UNICODE "none"
0043BA32 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0043BA35 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>; MSVBVM60.__vbaStrCopy
0043BA3B > C745 FC 0600000>mov dword ptr ss:[ebp-4],6
0043BA42 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
0043BA45 . 52 push edx
0043BA46 . E8 558EFEFF call 定时关机.004248A0 ; 这里就是算法CALL
0043BA4B . C745 FC 0700000>mov dword ptr ss:[ebp-4],7
0043BA52 . 833D D4F74300 0>cmp dword ptr ds:[43F7D4],0
0043BA59 . 75 1C jnz short 定时关机.0043BA77 关键跳转
==============================================================================================
F7 跟进0043BA46算法CALL
00424946 . E8 F519FEFF call 定时关机.00406340
0042494B . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSyst>; 获取计算机名称MSVBVM60.__vbaSetSystemError
00424951 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00424954 . 50 push eax
00424955 . 68 28F04300 push 定时关机.0043F028
0042495A . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToUn>; MSVBVM60.__vbaStrToUnicode
00424960 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00424963 . FF15 78124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
00424969 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
0042496C . 68 FF000000 push 0FF
00424A34 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.#518>] ; 大小写转换
00424A3A . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00424A3D . 51 push ecx
00424A3E . FFD3 call ebx ; <&MSVBVM60.__vbaStrVarMove>
00424A40 . 8BD0 mov edx,eax
00424A42 . B9 28F04300 mov ecx,定时关机.0043F028
00424A47 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00424A49 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00424A4C . FFD7 call edi ; <&MSVBVM60.__vbaFreeVar>
00424A4E . BA 247A4000 mov edx,定时关机.00407A24
00424A53 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00424A56 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>; MSVBVM60.__vbaStrCopy
00424A5C . 8B15 28F04300 mov edx,dword ptr ds:[43F028] ;
00424A62 . 52 push edx
00424A63 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>; 取得计算机名长度
00424A69 . 8BF8 mov edi,eax
00424A6B > 85FF test edi,edi
00424A6D . 0F8E 9F000000 jle 定时关机.00424B12
00424A73 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C] ;
00424A76 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C] ;
00424A79 . 50 push eax
00424A7A . 57 push edi
00424A7B . 8D55 C4 lea edx,dword ptr ss:[ebp-3C] ;
00424A7E . 51 push ecx
00424A7F . 52 push edx
00424A80 . C745 DC 0100000>mov dword ptr ss:[ebp-24],1 ;
00424A87 . C745 D4 0200000>mov dword ptr ss:[ebp-2C],2 ;
00424A8E . C745 BC 28F0430>mov dword ptr ss:[ebp-44],定时关机.0043F028
00424A95 . C745 B4 0840000>mov dword ptr ss:[ebp-4C],4008 ;
00424A9C . FF15 E4104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00424AA2 . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00424AA5 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00424AA8 . 50 push eax
00424AA9 . 51 push ecx
00424AAA . FF15 8C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarV>; MSVBVM60.__vbaStrVarVal
00424AB0 . 50 push eax
00424AB1 . FF15 50104000 call dword ptr ds:[<&MSVBVM60.#516>] ; 反之取计算机名的ASCII值
00424AB7 . 8BC8 mov ecx,eax ; eax=110
00424AB9 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Abs>] ; MSVBVM60.__vbaI2Abs
00424ABF . 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00424AC2 . 52 push edx
00424AC3 . 0FBFD8 movsx ebx,ax
00424AC6 . FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str
00424ACC . 03D8 add ebx,eax ASCII值进行累加
00424ACE . 0F80 49010000 jo 定时关机.00424C1D
00424AD4 . 53 push ebx
00424AD5 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
00424ADB . 8BD0 mov edx,eax
00424ADD . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00424AE0 . FFD6 call esi
00424AE2 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00424AE5 . FF15 78124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>; MSVBVM60.__vbaFreeStr
00424AEB . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00424AEE . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00424AF1 . 50 push eax
00424AF2 . 51 push ecx
00424AF3 . 6A 02 push 2
00424AF5 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>; MSVBVM60.__vbaFreeVarList
00424AFB . 8B1D 30104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrV>; MSVBVM60.__vbaStrVarMove
00424B01 . 83C4 0C add esp,0C
00424B04 . 83EF 01 sub edi,1
00424B07 . 0F80 10010000 jo 定时关机.00424C1D
00424B0D .^ E9 59FFFFFF jmp 定时关机.00424A6B
00424B12 > \8B55 E8 mov edx,dword ptr ss:[ebp-18] ;
00424B15 . 8B3D 6C104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrC>; MSVBVM60.__vbaStrCat
00424B1B . 52 push edx
00424B1C . 68 2C7A4000 push 定时关机.00407A2C ; UNICODE "081037"
00424B21 . FFD7 call edi ; 累加和与固定值“081037”相连
00424B23 . 8945 DC mov dword ptr ss:[ebp-24],eax ;
00424B26 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C] ;
00424B29 . 6A 06 push 6 ;
00424B2B . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C] ;
00424B2E . 50 push eax
00424B2F . 51 push ecx
00424B30 . C745 D4 0800000>mov dword ptr ss:[ebp-2C],8
00424B37 . FF15 1C124000 call dword ptr ds:[<&MSVBVM60.#617>] ; 取相连后的前6个字节
00424B3D . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00424B40 . 52 push edx
00424B41 . FFD3 call ebx
00424B43 . 8BD0 mov edx,eax
00424B45 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00424B48 . FFD6 call esi
00424B4A . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00424B4D . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00424B50 . 50 push eax
00424B51 . 51 push ecx
00424B52 . 6A 02 push 2
00424B54 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>; MSVBVM60.__vbaFreeVarList
00424B5A . 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00424B5D . 83C4 0C add esp,0C
00424B60 . 52 push edx
00424B61 . FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str
00424B67 . 8945 DC mov dword ptr ss:[ebp-24],eax
00424B6A . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00424B6D . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00424B70 . 50 push eax
00424B71 . 51 push ecx
00424B72 . C745 D4 0300000>mov dword ptr ss:[ebp-2C],3
00424B79 . FF15 C0114000 call dword ptr ds:[<&MSVBVM60.#573>] ; 把前6个字节转成十六进制
00424B7F . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00424B82 . 52 push edx
00424B83 . FFD3 call ebx
00424B85 . 8BD0 mov edx,eax
00424B87 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00424B8A . FFD6 call esi
00424B8C . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00424B8F . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00424B92 . 50 push eax
00424B93 . 51 push ecx
00424B94 . 6A 02 push 2
00424B96 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>; MSVBVM60.__vbaFreeVarList
00424B9C . 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00424B9F . 83C4 0C add esp,0C
00424BA2 . 68 407A4000 push 定时关机.00407A40 ; UNICODE "DG"
00424BA7 . 52 push edx
00424BA8 . FFD7 call edi 取得固定值"DG"与前6个字节十六十进相连得到注册码
00424BAA . 8BD0 mov edx,eax
00424BAC . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00424BAF . FFD6 call esi
00424BB1 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00424BB4 . 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00424BB7 . 8B08 mov ecx,dword ptr ds:[eax]
00424BB9 . 51 push ecx
00424BBA . 52 push edx
00424BBB . FF15 04114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>>; MSVBVM60.__vbaStrCmp
00424BC1 . 85C0 test eax,eax
00424BC3 . 75 17 jnz short 定时关机.00424BDC
【算法总结】
1.取得计算机名称转成小写
2.累加计算机名称ASCII值
3.累加值与固定值081037相连
4 取得相连前6个字节,再转成十六进制
5、最后固定值"DG"与前6个字节十六进制相连得到注册码
偷懒的写一下注册机 哈哈~~
Private Sub Command1_Click()
On Error Resume Next
a = Text1.Text
n = Mid(a, 1, 1)
If a = "" Then
MsgBox "请输入计算机名", 16, "错误提示"
Else
If Asc(n) < 97 Or Asc(n) > 122 Then
MsgBox "请于小写输入!", 16, "错误提示"
Else
b = Len(a)
For i = 1 To b
c = c + Asc(Mid(a, i, 1))
Next i
c = c & "0" & 81037
c = Mid(c, 1, 6)
c = "DG" & Hex(c)
Text2.Text = c
End If
End If
End Sub
【注册信息】
保存在[HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\电脑定时关机\SETLOG]
------------------------------------------------------------------------
【破解总结】
------------------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 pemet 于 2009-1-21 16:34 编辑 ] |
评分
-
查看全部评分
|
IP卡
发表于 2009-1-21 16:32:33
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-1-21 19:11:16