首页 > 代码库 > vb小程序浅析
vb小程序浅析
系统 : Windows xp
程序 : BJCM10B
程序下载地址 :http://pan.baidu.com/s/1dFyXe29
要求 : 编写注册机
使用工具 : OD
可在看雪论坛中查找关于此程序的破文:传送门
这个小程序本身算法不难,就是vb的函数调用方式真的太奇葩了,容易看得一头雾水。
直接根据“good job, tell me how you do that!”字串找出关键算法:
00404563 . FFD3 call ebx ; (initial cpu selection); <&MSVBVM60.__vbaObjSet>00404565 . 8B08 mov ecx, dword ptr [eax]00404567 . 8D55 D4 lea edx, dword ptr [ebp-2C]0040456A . 52 push edx0040456B . 50 push eax0040456C . 8985 44FFFFFF mov dword ptr [ebp-BC], eax00404572 . FF91 A0000000 call dword ptr [ecx+A0]00404578 . 3BC7 cmp eax, edi0040457A . DBE2 fclex0040457C . 7D 18 jge short 004045960040457E . 8B8D 44FFFFFF mov ecx, dword ptr [ebp-BC]00404584 . 68 A0000000 push 0A000404589 . 68 00304000 push 004030000040458E . 51 push ecx0040458F . 50 push eax00404590 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj00404596 > 8B55 D4 mov edx, dword ptr [ebp-2C] ; 用户名字符串00404599 . 52 push edx ; /String0040459A . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr004045A0 . 33C9 xor ecx, ecx004045A2 . 83F8 02 cmp eax, 2 ; 是否是否不小于2?004045A5 . 0F9CC1 setl cl004045A8 . F7D9 neg ecx004045AA . 898D 3CFFFFFF mov dword ptr [ebp-C4], ecx004045B0 . 8D4D D4 lea ecx, dword ptr [ebp-2C]004045B3 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr004045B9 . 8D4D CC lea ecx, dword ptr [ebp-34]004045BC . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj004045C2 . 66:39BD 3CFFF>cmp word ptr [ebp-C4], di004045C9 . 0F84 8B000000 je 0040465A ; 符合长度直接跳转004045CF . 8B1D B0104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup004045D5 . B9 04000280 mov ecx, 80020004004045DA . 894D 90 mov dword ptr [ebp-70], ecx004045DD . B8 0A000000 mov eax, 0A004045E2 . 894D A0 mov dword ptr [ebp-60], ecx004045E5 . BE 08000000 mov esi, 8004045EA . 8D95 68FFFFFF lea edx, dword ptr [ebp-98]004045F0 . 8D4D A8 lea ecx, dword ptr [ebp-58]004045F3 . 8945 88 mov dword ptr [ebp-78], eax004045F6 . 8945 98 mov dword ptr [ebp-68], eax004045F9 . C785 70FFFFFF>mov dword ptr [ebp-90], 00403070 ; you have to enter your name!00404603 . 89B5 68FFFFFF mov dword ptr [ebp-98], esi00404609 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>0040460B . 8D95 78FFFFFF lea edx, dword ptr [ebp-88]00404611 . 8D4D B8 lea ecx, dword ptr [ebp-48]00404614 . C745 80 14304>mov dword ptr [ebp-80], 00403014 ; name must be at least two characters long!0040461B . 89B5 78FFFFFF mov dword ptr [ebp-88], esi00404621 . FFD3 call ebx00404623 . 8D55 88 lea edx, dword ptr [ebp-78]00404626 . 8D45 98 lea eax, dword ptr [ebp-68]00404629 . 52 push edx0040462A . 8D4D A8 lea ecx, dword ptr [ebp-58]0040462D . 50 push eax0040462E . 51 push ecx0040462F . 8D55 B8 lea edx, dword ptr [ebp-48]00404632 . 57 push edi00404633 . 52 push edx00404634 . FF15 3C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox0040463A . 8D45 88 lea eax, dword ptr [ebp-78]0040463D . 8D4D 98 lea ecx, dword ptr [ebp-68]00404640 . 50 push eax00404641 . 8D55 A8 lea edx, dword ptr [ebp-58]00404644 . 51 push ecx00404645 . 8D45 B8 lea eax, dword ptr [ebp-48]00404648 . 52 push edx00404649 . 50 push eax0040464A . 6A 04 push 40040464C . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList00404652 . 83C4 14 add esp, 1400404655 . E9 D4030000 jmp 00404A2E0040465A > 8B0E mov ecx, dword ptr [esi]0040465C . 56 push esi0040465D . FF91 0C030000 call dword ptr [ecx+30C]00404663 . 8D55 CC lea edx, dword ptr [ebp-34]00404666 . 50 push eax00404667 . 52 push edx00404668 . FFD3 call ebx0040466A . 8B06 mov eax, dword ptr [esi]0040466C . 56 push esi0040466D . FF90 0C030000 call dword ptr [eax+30C]00404673 . 8D4D C8 lea ecx, dword ptr [ebp-38]00404676 . 50 push eax00404677 . 51 push ecx00404678 . FFD3 call ebx0040467A . 8B45 CC mov eax, dword ptr [ebp-34]0040467D . 8D55 B8 lea edx, dword ptr [ebp-48]00404680 . 8945 C0 mov dword ptr [ebp-40], eax00404683 . 6A 01 push 100404685 . 8D45 A8 lea eax, dword ptr [ebp-58]00404688 . 52 push edx00404689 . 50 push eax0040468A . 897D CC mov dword ptr [ebp-34], edi0040468D . C745 B8 09000>mov dword ptr [ebp-48], 900404694 . FF15 B4104000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar0040469A . 8B45 C8 mov eax, dword ptr [ebp-38]0040469D . 8D4D 98 lea ecx, dword ptr [ebp-68]004046A0 . 6A 01 push 1004046A2 . 8D55 88 lea edx, dword ptr [ebp-78]004046A5 . 51 push ecx004046A6 . 52 push edx004046A7 . 897D C8 mov dword ptr [ebp-38], edi004046AA . 8945 A0 mov dword ptr [ebp-60], eax004046AD . C745 98 09000>mov dword ptr [ebp-68], 9004046B4 . FF15 C0104000 call dword ptr [<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar004046BA . 8B3D 80104000 mov edi, dword ptr [<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal004046C0 . 8D45 88 lea eax, dword ptr [ebp-78]004046C3 . 8D4D D0 lea ecx, dword ptr [ebp-30]004046C6 . 50 push eax ; /String8004046C7 . 51 push ecx ; |ARG2004046C8 . FFD7 call edi ; \__vbaStrVarVal004046CA . 50 push eax ; /String004046CB . FF15 24104000 call dword ptr [<&MSVBVM60.#516>] ; \rtcAnsiValueBstr004046D1 . 66:8BD0 mov dx, ax ; ↑传回字符码004046D4 . 8D45 A8 lea eax, dword ptr [ebp-58]004046D7 . 8D4D D4 lea ecx, dword ptr [ebp-2C]004046DA . 50 push eax ; /String8004046DB . 51 push ecx ; |ARG2004046DC . 66:8995 26FFF>mov word ptr [ebp-DA], dx ; |004046E3 . FFD7 call edi ; \__vbaStrVarVal004046E5 . 50 push eax ; /String004046E6 . FF15 24104000 call dword ptr [<&MSVBVM60.#516>] ; \rtcAnsiValueBstr004046EC . 66:8B95 26FFF>mov dx, word ptr [ebp-DA]004046F3 . 8D4D D8 lea ecx, dword ptr [ebp-28]004046F6 . 66:03D0 add dx, ax ; 首尾相加004046F9 . C785 78FFFFFF>mov dword ptr [ebp-88], 200404703 . 0F80 94030000 jo 00404A9D00404709 . 66:8955 80 mov word ptr [ebp-80], dx ; 保存结果0040470D . 8D95 78FFFFFF lea edx, dword ptr [ebp-88]00404713 . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove00404719 . 8D45 D0 lea eax, dword ptr [ebp-30]0040471C . 8D4D D4 lea ecx, dword ptr [ebp-2C]0040471F . 50 push eax00404720 . 51 push ecx00404721 . 6A 02 push 200404723 . FF15 9C104000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList00404729 . 8D55 C8 lea edx, dword ptr [ebp-38]0040472C . 8D45 CC lea eax, dword ptr [ebp-34]0040472F . 52 push edx00404730 . 50 push eax00404731 . 6A 02 push 200404733 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList00404739 . 8D4D 88 lea ecx, dword ptr [ebp-78]0040473C . 8D55 98 lea edx, dword ptr [ebp-68]0040473F . 51 push ecx00404740 . 8D45 A8 lea eax, dword ptr [ebp-58]00404743 . 52 push edx00404744 . 8D4D B8 lea ecx, dword ptr [ebp-48]00404747 . 50 push eax00404748 . 51 push ecx00404749 . 6A 04 push 40040474B . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList00404751 . 83C4 2C add esp, 2C00404754 . 8D55 D8 lea edx, dword ptr [ebp-28]00404757 . 8D85 78FFFFFF lea eax, dword ptr [ebp-88]0040475D . 8D4D B8 lea ecx, dword ptr [ebp-48]00404760 . 52 push edx ; /var1800404761 . 50 push eax ; |var2800404762 . 51 push ecx ; |SaveTo800404763 . C745 80 3F420>mov dword ptr [ebp-80], 0F423F ; |0040476A . C785 78FFFFFF>mov dword ptr [ebp-88], 3 ; |00404774 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaVarMul>] ; \__vbaVarMul0040477A . 50 push eax ; 相加结果 * 999999 = 序列号0040477B . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var00404781 . 8B16 mov edx, dword ptr [esi]00404783 . 56 push esi00404784 . 8945 E8 mov dword ptr [ebp-18], eax ; 这里保存计算出的序列号00404787 . FF92 FC020000 call dword ptr [edx+2FC]0040478D . 50 push eax0040478E . 8D45 CC lea eax, dword ptr [ebp-34]00404791 . 50 push eax00404792 . FFD3 call ebx00404794 . 8BF8 mov edi, eax00404796 . 8D55 D4 lea edx, dword ptr [ebp-2C]00404799 . 52 push edx0040479A . 57 push edi0040479B . 8B0F mov ecx, dword ptr [edi]0040479D . FF91 A0000000 call dword ptr [ecx+A0]004047A3 . 85C0 test eax, eax004047A5 . DBE2 fclex004047A7 . 7D 12 jge short 004047BB004047A9 . 68 A0000000 push 0A0004047AE . 68 00304000 push 00403000004047B3 . 57 push edi004047B4 . 50 push eax004047B5 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj004047BB > 8B45 D4 mov eax, dword ptr [ebp-2C] ; 取出密码004047BE . 50 push eax004047BF . 68 B0304000 push 004030B0 ; 空串004047C4 . FF15 58104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp004047CA . 8BF8 mov edi, eax004047CC . 8D4D D4 lea ecx, dword ptr [ebp-2C]004047CF . F7DF neg edi004047D1 . 1BFF sbb edi, edi004047D3 . 47 inc edi004047D4 . F7DF neg edi004047D6 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr004047DC . 8D4D CC lea ecx, dword ptr [ebp-34]004047DF . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj004047E5 . 66:85FF test di, di004047E8 . 0F84 81000000 je 0040486F004047EE . 8B3D B0104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup004047F4 . B9 04000280 mov ecx, 80020004004047F9 . 894D 90 mov dword ptr [ebp-70], ecx004047FC . B8 0A000000 mov eax, 0A00404801 . 894D A0 mov dword ptr [ebp-60], ecx00404804 . BE 08000000 mov esi, 800404809 . 8D95 68FFFFFF lea edx, dword ptr [ebp-98]0040480F . 8D4D A8 lea ecx, dword ptr [ebp-58]00404812 . 8945 88 mov dword ptr [ebp-78], eax00404815 . 8945 98 mov dword ptr [ebp-68], eax00404818 . C785 70FFFFFF>mov dword ptr [ebp-90], 004030E0 ; wrong serial!00404822 . 89B5 68FFFFFF mov dword ptr [ebp-98], esi00404828 . FFD7 call edi ; <&MSVBVM60.__vbaVarDup>0040482A . 8D95 78FFFFFF lea edx, dword ptr [ebp-88]00404830 . 8D4D B8 lea ecx, dword ptr [ebp-48]00404833 . C745 80 B8304>mov dword ptr [ebp-80], 004030B8 ; sorry, try again!0040483A . 89B5 78FFFFFF mov dword ptr [ebp-88], esi00404840 . FFD7 call edi00404842 . 8D4D 88 lea ecx, dword ptr [ebp-78]00404845 . 8D55 98 lea edx, dword ptr [ebp-68]00404848 . 51 push ecx00404849 . 8D45 A8 lea eax, dword ptr [ebp-58]0040484C . 52 push edx0040484D . 50 push eax0040484E . 8D4D B8 lea ecx, dword ptr [ebp-48]00404851 . 6A 00 push 000404853 . 51 push ecx00404854 . FF15 3C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox0040485A . 8D55 88 lea edx, dword ptr [ebp-78]0040485D . 8D45 98 lea eax, dword ptr [ebp-68]00404860 . 52 push edx00404861 . 8D4D A8 lea ecx, dword ptr [ebp-58]00404864 . 50 push eax00404865 . 8D55 B8 lea edx, dword ptr [ebp-48]00404868 . 51 push ecx00404869 . 52 push edx0040486A . E9 B2010000 jmp 00404A210040486F > 8B0E mov ecx, dword ptr [esi]00404871 . 8D45 E8 lea eax, dword ptr [ebp-18]00404874 . 56 push esi00404875 . 8945 80 mov dword ptr [ebp-80], eax00404878 . C785 78FFFFFF>mov dword ptr [ebp-88], 400300404882 . FF91 FC020000 call dword ptr [ecx+2FC]00404888 . 8D55 CC lea edx, dword ptr [ebp-34]0040488B . 50 push eax0040488C . 52 push edx0040488D . FFD3 call ebx0040488F . 8BF0 mov esi, eax00404891 . 8D4D D4 lea ecx, dword ptr [ebp-2C]00404894 . 51 push ecx00404895 . 56 push esi00404896 . 8B06 mov eax, dword ptr [esi]00404898 . FF90 A0000000 call dword ptr [eax+A0]0040489E . 85C0 test eax, eax004048A0 . DBE2 fclex004048A2 . 7D 12 jge short 004048B6004048A4 . 68 A0000000 push 0A0004048A9 . 68 00304000 push 00403000004048AE . 56 push esi004048AF . 50 push eax004048B0 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj004048B6 > 8D95 78FFFFFF lea edx, dword ptr [ebp-88]004048BC . 52 push edx ; ↓返回str004048BD . FF15 84104000 call dword ptr [<&MSVBVM60.#536>] ; MSVBVM60.rtcStrFromVar004048C3 . 8BD0 mov edx, eax004048C5 . 8D4D D0 lea ecx, dword ptr [ebp-30]004048C8 . FF15 BC104000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove004048CE . 50 push eax004048CF . 8B45 D4 mov eax, dword ptr [ebp-2C]004048D2 . 50 push eax ; 对比密码和序列号004048D3 . FF15 58104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
就这么一段简单的功能MFC里可以这么写:
CString str; GetDlgItemText( IDC_EDIT_NAME,str ); //获取用户名字串基本信息。 int len = str.GetLength(); if ( len >= 2 ){ //格式控制。 unsigned int res = (str[0] + str[len-1]) * 999999; CString PassWord; PassWord.Format( " %lu",res ); SetDlgItemText( IDC_EDIT_PASSWORD,PassWord ); } else MessageBox( "用户名格式错误!" );再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("Keygen"));
运行效果:
vb小程序浅析
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。