第3个学习笔记~ 研究这个确实花了点时候~主要是第一次接触密码表~再加上写注册机第一次写~所以老出错调试 现公布于下~ 断点和前面两个一样 0040248B 6A 01 PUSH 1 0040248D FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnError>] ; MSVBVM60.__vbaOnError 00402493 BA 7C1C4000 MOV EDX,KeyGenMe.00401C7C ; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 00402498 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 0040249B FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy 004024A1 8B16 MOV EDX,DWORD PTR DS:[ESI] 004024A3 56 PUSH ESI 004024A4 FF92 14030000 CALL DWORD PTR DS:[EDX+314] 004024AA 50 PUSH EAX 004024AB 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C] 004024AE 50 PUSH EAX 004024AF FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet 004024B5 8BF8 MOV EDI,EAX 004024B7 8B0F MOV ECX,DWORD PTR DS:[EDI] 004024B9 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48] 004024BC 52 PUSH EDX 004024BD 57 PUSH EDI 004024BE FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] 004024C4 DBE2 FCLEX 004024C6 3BC3 CMP EAX,EBX 004024C8 7D 12 JGE SHORT KeyGenMe.004024DC 004024CA 68 A0000000 PUSH 0A0 004024CF 68 C81C4000 PUSH KeyGenMe.00401CC8 004024D4 57 PUSH EDI 004024D5 50 PUSH EAX 004024D6 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj 004024DC 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48] 004024DF 895D B8 MOV DWORD PTR SS:[EBP-48],EBX 004024E2 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] 004024E5 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove 004024EB 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C] 004024EE 8B3D C0104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj 004024F4 FFD7 CALL EDI ; <&MSVBVM60.__vbaFreeObj> 004024F6 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 004024F9 50 PUSH EAX 004024FA FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; 取用户名位数 00402500 8BC8 MOV ECX,EAX 00402502 FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4 00402508 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX 0040250B 66:3D 0300 CMP AX,3 ; 用户名位数与3比较 
0040250F 0F8C C2020000 JL KeyGenMe.004027D7 ; 小于就跳死 00402515 8B0E MOV ECX,DWORD PTR DS:[ESI] 00402517 56 PUSH ESI 00402518 FF91 0C030000 CALL DWORD PTR DS:[ECX+30C] 0040251E 50 PUSH EAX 0040251F 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C] 00402522 52 PUSH EDX 00402523 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet 00402529 8BF0 MOV ESI,EAX 0040252B 8B06 MOV EAX, ,DWORD PTR DS:[ESI] 0040252D 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48] 00402530 51 PUSH ECX 00402531 56 PUSH ESI 00402532 FF90 A0000000 CALL DWORD PTR DS:[EAX+A0] 00402538 DBE2 FCLEX 0040253A 3BC3 CMP EAX,EBX 0040253C 7D 12 JGE SHORT KeyGenMe.00402550 0040253E 68 A0000000 PUSH 0A0 00402543 68 C81C4000 PUSH KeyGenMe.00401CC8 00402548 56 PUSH ESI 00402549 50 PUSH EAX 0040254A FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj 00402550 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48] 00402553 895D B8 MOV DWORD PTR SS:[EBP-48],EBX 00402556 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] 00402559 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove 0040255F 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C] 00402562 FFD7 CALL EDI 00402564 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] 00402567 52 PUSH EDX 00402568 FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; 取试验码位数 0040256E 8BC8 MOV ECX,EAX 00402570 FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4 00402576 66:3BC3 CMP AX,BX ; 检验试验码是否为空 00402579 0F84 58020000 JE KeyGenMe.004027D7 0040257F BF 01000000 MOV EDI,1 00402584 8BF7 MOV ESI,EDI 00402586 8B1D 10104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList 0040258C 66:3B75 C4 CMP SI,WORD PTR SS:[EBP-3C] 00402590 0F8F 93000000 JG KeyGenMe.00402629 00402596 C745 AC 0100000>MOV DWORD PTR SS:[EBP-54],1 0040259D C745 A4 0200000>MOV DWORD PTR SS:[EBP-5C],2 004025A4 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44] 004025A7 8985 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EAX 004025AD C785 64FFFFFF 0>MOV DWORD PTR 
SS:[EBP-9C],4008 004025B7 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C] 004025BA 51 PUSH ECX 004025BB 0FBFD6 MOVSX EDX,SI 004025BE 52 PUSH EDX 004025BF 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C] 004025C5 50 PUSH EAX 004025C6 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] 004025C9 51 PUSH ECX 004025CA FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar 004025D0 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C] 004025D3 52 PUSH EDX 004025D4 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] 004025D7 50 PUSH EAX 004025D8 FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal 004025DE 50 PUSH EAX 004025DF FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; 取用户名ASCII码 004025E5 66:0FAFC6 IMUL AX,SI ; 用户名ASCII码和相应位置相乘 004025E9 0F80 66020000 JO KeyGenMe.00402855 004025EF 0FBFC8 MOVSX ECX,AX 004025F2 03CF ADD ECX,EDI ; 累积和加初值一 004025F4 0F80 5B020000 JO KeyGenMe.00402855 004025FA 8BF9 MOV EDI,ECX ; 累积和还给EDI 004025FC 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48] 004025FF FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr 00402605 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C] 00402608 52 PUSH EDX 00402609 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C] 0040260C 50 PUSH EAX 0040260D 6A 02 PUSH 2 0040260F FFD3 CALL EBX 00402611 83C4 0C ADD ESP,0C 00402614 B8 01000000 MOV EAX,1 00402619 66:03C6 ADD AX,SI 0040261C 0F80 33020000 JO KeyGenMe.00402855 00402622 8BF0 MOV ESI,EAX 00402624 ^ E9 63FFFFFF JMP KeyGenMe.0040258C 00402629 69FF D5470100 IMUL EDI,EDI,147D5 ; 累积和与固定值相乘 0040262F 0F80 20020000 JO KeyGenMe.00402855 00402635 8BF7 MOV ESI,EDI 00402637 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI 0040263A BA DC1C4000 MOV EDX,KeyGenMe.00401CDC 0040263F 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] 00402642 FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy 00402648 8B3D 0C104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove 0040264E 8BC6 MOV EAX,ESI 00402650 99 CDQ 00402651 B9 24000000 MOV ECX,24 ; ECX得固定值24 00402656 
F7F9 IDIV ECX ; 乘积除以固定值,商放EAX`余数放EDX 00402658 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] 0040265B 8985 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],EAX 00402661 C785 44FFFFFF 0>MOV DWORD PTR SS:[EBP-BC],8 0040266B C745 AC 0100000>MOV DWORD PTR SS:[EBP-54],1 00402672 C745 A4 0200000>MOV DWORD PTR SS:[EBP-5C],2 00402679 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 0040267C 898D 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ECX 00402682 C785 64FFFFFF 0>MOV DWORD PTR SS:[EBP-9C],4008 0040268C 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C] 0040268F 50 PUSH EAX 00402690 83C2 01 ADD EDX,1 ; 余数加1 00402693 0F80 BC010000 JO KeyGenMe.00402855 00402699 52 PUSH EDX 0040269A 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C] 004026A0 51 PUSH ECX 004026A1 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C] 004026A4 52 PUSH EDX 004026A5 FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar 004026AB 8D85 44FFFFFF LEA EAX,DWORD PTR SS:[EBP-BC] 004026B1 50 PUSH EAX 004026B2 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] 004026B5 51 PUSH ECX 004026B6 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C] 004026B9 52 PUSH EDX 004026BA FF15 A0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd 004026C0 50 PUSH EAX 004026C1 FFD7 CALL EDI ; 出真码的关键CALL 004026C3 8BD0 MOV EDX,EAX 004026C5 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] 004026C8 FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove 004026CE 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C] 004026D1 50 PUSH EAX 004026D2 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] 004026D5 51 PUSH ECX 004026D6 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C] 004026D9 52 PUSH EDX 004026DA 6A 03 PUSH 3 004026DC FFD3 CALL EBX 004026DE 83C4 10 ADD ESP,10 004026E1 DB45 D0 FILD DWORD PTR SS:[EBP-30] ; 乘积换成浮点数 004026E4 DD9D 04FFFFFF FSTP QWORD PTR SS:[EBP-FC] 004026EA DD85 04FFFFFF FLD QWORD PTR SS:[EBP-FC] 004026F0 833D 00304000 0>CMP DWORD PTR DS:[403000],0 004026F7 75 08 JNZ SHORT KeyGenMe.00402701 004026F9 DC35 F8104000 FDIV QWORD PTR DS:[4010F8] ; 浮点数除以3 004026FF EB 11 JMP SHORT KeyGenMe.00402712 
00402701 FF35 FC104000 PUSH DWORD PTR DS:[4010FC] 00402707 FF35 F8104000 PUSH DWORD PTR DS:[4010F8] 0040270D E8 22EAFFFF CALL <JMP.&MSVBVM60._adj_fdiv_m64> 00402712 DFE0 FSTSW AX 00402714 A8 0D TEST AL,0D 00402716 0F85 34010000 JNZ KeyGenMe.00402850 0040271C FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>] ; 再转换成十六进制 00402722 8BF0 MOV ESI,EAX 00402724 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI 00402727 85F6 TEST ESI,ESI 00402729 ^ 0F8F 1FFFFFFF JG KeyGenMe.0040264E 0040272F 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; 得到真码 00402732 50 PUSH EAX 00402733 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C] 00402736 51 PUSH ECX 00402737 FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp 0040273D 85C0 TEST EAX,EAX 0040273F 0F85 92000000 JNZ KeyGenMe.004027D7 00402745 B9 04000280 MOV ECX,80020004 0040274A 898D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ECX 00402750 B8 0A000000 MOV EAX,0A 00402755 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX 0040275B 894D 8C MOV DWORD PTR SS:[EBP-74],ECX 0040275E 8945 84 MOV DWORD PTR SS:[EBP-7C],EAX 00402761 C785 5CFFFFFF 0>MOV DWORD PTR SS:[EBP-A4],KeyGenMe.00401D04 ; UNICODE "Congratulations" 0040276B BF 08000000 MOV EDI,8 00402770 89BD 54FFFFFF MOV DWORD PTR SS:[EBP-AC],EDI 00402776 8D95 54FFFFFF LEA EDX,DWORD PTR SS:[EBP-AC] 0040277C 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] 0040277F 8B35 A4104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup 00402785 FFD6 CALL ESI ; <&MSVBVM60.__vbaVarDup> 00402787 C785 6CFFFFFF E>MOV DWORD PTR SS:[EBP-94],KeyGenMe.00401CE4 ; UNICODE "Good job,man!" 00402791 89BD 64FFFFFF MOV DWORD PTR SS:[EBP-9C],EDI
算法总结:
1,第一个循环:依次取用户名ASCII码,ASCII码与相应位置的乘积累加为S1(S1初值为1),循环结束后 S1=S1*$147D5
2。第2个循环:S1初值=循环前那个与$147D5的乘积~ 然后取S1除以$24(十六进制,即十进制36,密码表的长度)的余数加一为N,根据N的值找到密码表的位置~我弄的数组~ 然后round(s1/$3)为下一个S1~`这里为四舍五入~记住要在单元里添加Math单元 再就是循环S1除以$24的余数加一为N~~~ 直到S1为0
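// Keygen source (Delphi) for the algorithm summarised above.
//
// Button1Click reads a user name from Edit1, derives the matching serial and
// writes it to Edit2. The derivation mirrors the two loops in the listing:
//   1. s1 = 1 + sum(ord(name[i]) * i), then s1 = s1 * $147D5
//   2. repeatedly append Table[(s1 mod $24) + 1] and set s1 = round(s1 / 3)
//      until s1 reaches 0.
//
// The listing shows why the check can be reproduced: the expected serial is
// computed from the name alone and compared in clear text via __vbaStrCmp
// (00402737). A check that has to resist this cannot derive the expected
// value on the client; it would verify a signature with a public key instead.
procedure TForm1.Button1Click(Sender: TObject);
const
  // Same 36 characters as the UNICODE string loaded at 00402493.
  Table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
var
  i, n: integer;
  s1: longword;
  name, serial: string;
begin
  name := edit1.Text;

  // The target rejects names shorter than 3 characters (CMP AX,3 / JL).
  if length(name) < 3 then
    exit;

  // Loop 1: position-weighted sum of the character codes, starting from 1.
  s1 := 1;
  for i := 1 to length(name) do
    s1 := s1 + ord(name[i]) * i;
  s1 := s1 * $147D5;
  // NOTE(review): the target does this arithmetic with overflow checks
  // (JO KeyGenMe.00402855 after each IMUL/ADD); s1 is unsigned here and is
  // not checked, so results for very long names may differ. What the code at
  // 00402855 does is not visible in the listing.

  // Loop 2: one table character per step until s1 is exhausted.
  // The original wrapped this body in an extra
  // "for i:=1 to length(inttostr(s1))" loop, which added nothing to the
  // algorithm; a single while loop matches the summary.
  serial := '';
  while s1 <> 0 do
  begin
    n := (s1 mod $24) + 1;          // $24 = 36 = length(Table)
    serial := serial + Table[n];
    s1 := round(s1 / $3);
  end;

  edit2.Text := serial;
end;

// Closes the form.
procedure TForm1.Button2Click(Sender: TObject);
begin
  close;
end;

end.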