vb小程序淺析

系統 : Windows XP

程序 : BJCM10B

程序下載地址 : http://pan.baidu.com/s/1dFyXe29

要求 : 編寫註冊機

使用工具 : OD

可在看雪論壇中查找關於此程序的破文:傳送門

 

這個小程序本身算法不難,就是 VB 的函數調用方式真的太奇葩了,容易看得一頭霧水。

直接根據「good job, tell me how you do that!」字串找出關鍵算法:

 

; --- 00404563..004045C9: read the name field and check that it has at least 2 characters ---
; OllyDbg listing (32-bit x86, Intel operand order). The excerpt starts in the middle of
; the handler, so ebx, edi and esi were set up before the first line shown here.
00404563   .  FFD3          call    ebx                                       ; (initial cpu selection); <&MSVBVM60.__vbaObjSet>
00404565   .  8B08          mov ecx, dword ptr [eax]                          ; ecx = vtable of the object returned in eax
00404567   .  8D55 D4       lea edx, dword ptr [ebp-2C]                       ; [ebp-2C] receives the string (read as the name at 00404596)
0040456A   .  52            push edx
0040456B   .  50            push eax
0040456C   .  8985 44FFFFFF mov dword ptr [ebp-BC], eax                       ; keep the object pointer for the error path
00404572   .  FF91 A0000000 call dword ptr [ecx+A0]                           ; virtual call, slot +A0 (presumably the control's Text getter)
00404578   .  3BC7          cmp eax, edi                                      ; returned status vs edi (presumably 0; the same check at 004047A3 is test eax, eax)
0040457A   .  DBE2          fclex
0040457C   .  7D 18         jge     short 00404596                            ; non-negative status: skip the error check
0040457E   .  8B8D 44FFFFFF mov ecx, dword ptr [ebp-BC]
00404584   .  68 A0000000   push    0A0
00404589   .  68 00304000   push    00403000
0040458E   .  51            push ecx
0040458F   .  50            push eax
00404590   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404596   >  8B55 D4       mov     edx, dword ptr [ebp-2C]                   ; user-name string
00404599   .  52            push    edx                                       ; /String
0040459A   .  FF15 10104000 call    dword ptr [<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
004045A0   .  33C9          xor ecx, ecx
004045A2   .  83F8 02       cmp     eax, 2                                    ; is the length at least 2?
004045A5   .  0F9CC1        setl cl                                           ; cl = 1 if length < 2
004045A8   .  F7D9          neg ecx                                           ; ecx = -1 if length < 2, else 0
004045AA   .  898D 3CFFFFFF mov dword ptr [ebp-C4], ecx                       ; keep the flag while the temporaries are freed
004045B0   .  8D4D D4       lea ecx, dword ptr [ebp-2C]
004045B3   .  FF15 D0104000 call    dword ptr [<&MSVBVM60.__vbaFreeStr>]      ; MSVBVM60.__vbaFreeStr
004045B9   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
004045BC   .  FF15 D4104000 call    dword ptr [<&MSVBVM60.__vbaFreeObj>]      ; MSVBVM60.__vbaFreeObj
004045C2   .  66:39BD 3CFFF>cmp word ptr [ebp-C4], di                         ; flag == di? (di presumably 0)
004045C9   .  0F84 8B000000 je      0040465A                                  ; length is acceptable: jump past the error path
; --- 004045CF..00404655: name shorter than 2 characters -> message box, then jump away ---
; Four VARIANTs are built on the stack (type word at [ebp-xx], value 8 bytes above it)
; and handed to rtcMsgBox. Note that ebx and esi are overwritten on this path.
004045CF   .  8B1D B0104000 mov     ebx, dword ptr [<&MSVBVM60.__vbaVarDup>]  ; MSVBVM60.__vbaVarDup
004045D5   .  B9 04000280   mov     ecx, 80020004                             ; 0x80020004 = DISP_E_PARAMNOTFOUND
004045DA   .  894D 90       mov     dword ptr [ebp-70], ecx
004045DD   .  B8 0A000000   mov     eax, 0A                                   ; 0x0A = VT_ERROR
004045E2   .  894D A0       mov     dword ptr [ebp-60], ecx
004045E5   .  BE 08000000   mov     esi, 8                                    ; 8 = VT_BSTR
004045EA   .  8D95 68FFFFFF lea     edx, dword ptr [ebp-98]
004045F0   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
004045F3   .  8945 88       mov     dword ptr [ebp-78], eax                   ; VT_ERROR variants at [ebp-78] and [ebp-68]:
004045F6   .  8945 98       mov     dword ptr [ebp-68], eax                   ; these look like omitted optional arguments
004045F9   .  C785 70FFFFFF>mov     dword ptr [ebp-90], 00403070              ; you have to enter your name!
00404603   .  89B5 68FFFFFF mov     dword ptr [ebp-98], esi                   ; vt = VT_BSTR for the variant at [ebp-98]
00404609   .  FFD3          call    ebx                                       ; <&MSVBVM60.__vbaVarDup>
0040460B   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
00404611   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404614   .  C745 80 14304>mov     dword ptr [ebp-80], 00403014              ; name must be at least two characters long!
0040461B   .  89B5 78FFFFFF mov     dword ptr [ebp-88], esi                   ; vt = VT_BSTR for the variant at [ebp-88]
00404621   .  FFD3          call ebx                                          ; __vbaVarDup again (ebx loaded at 004045CF)
00404623   .  8D55 88       lea     edx, dword ptr [ebp-78]
00404626   .  8D45 98       lea     eax, dword ptr [ebp-68]
00404629   .  52            push edx
0040462A   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
0040462D   .  50            push eax
0040462E   .  51            push ecx
0040462F   .  8D55 B8       lea     edx, dword ptr [ebp-48]
00404632   .  57            push edi                                          ; edi presumably 0 (the same argument is push 0 at 00404851)
00404633   .  52            push edx
00404634   .  FF15 3C104000 call    dword ptr [<&MSVBVM60.#595>]              ; MSVBVM60.rtcMsgBox
0040463A   .  8D45 88       lea     eax, dword ptr [ebp-78]
0040463D   .  8D4D 98       lea     ecx, dword ptr [ebp-68]
00404640   .  50            push eax
00404641   .  8D55 A8       lea     edx, dword ptr [ebp-58]
00404644   .  51            push ecx
00404645   .  8D45 B8       lea     eax, dword ptr [ebp-48]
00404648   .  52            push edx
00404649   .  50            push eax
0040464A   .  6A 04         push    4                                         ; number of variants to free
0040464C   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaFreeVarList>]  ; MSVBVM60.__vbaFreeVarList
00404652   .  83C4 14       add     esp, 14                                   ; drop the 5 dwords pushed for __vbaFreeVarList
00404655   .  E9 D4030000   jmp     00404A2E                                  ; target is outside this excerpt
; --- 0040465A..004046B4: take the leftmost and rightmost character of a control's value ---
; The control comes from vtable slot +30C of the object in esi and is fetched twice; per the
; author's walkthrough it is the name field. Each reference is wrapped in a VARIANT of type 9.
0040465A   >  8B0E          mov ecx, dword ptr [esi]                          ; ecx = vtable of the object in esi
0040465C   .  56            push esi
0040465D   .  FF91 0C030000 call    dword ptr [ecx+30C]                       ; get the control (slot +30C)
00404663   .  8D55 CC       lea     edx, dword ptr [ebp-34]
00404666   .  50            push eax
00404667   .  52            push edx
00404668   .  FFD3          call ebx                                          ; presumably still __vbaObjSet (ebx is only reloaded on the short-name path)
0040466A   .  8B06          mov eax, dword ptr [esi]
0040466C   .  56            push esi
0040466D   .  FF90 0C030000 call    dword ptr [eax+30C]                       ; same control again, second reference
00404673   .  8D4D C8       lea     ecx, dword ptr [ebp-38]
00404676   .  50            push eax
00404677   .  51            push ecx
00404678   .  FFD3          call ebx                                          ; second reference stored at [ebp-38]
0040467A   .  8B45 CC       mov     eax, dword ptr [ebp-34]
0040467D   .  8D55 B8       lea     edx, dword ptr [ebp-48]
00404680   .  8945 C0       mov     dword ptr [ebp-40], eax                   ; object pointer becomes the value of the variant at [ebp-48]
00404683   .  6A 01         push    1                                         ; length = 1
00404685   .  8D45 A8       lea     eax, dword ptr [ebp-58]
00404688   .  52            push edx
00404689   .  50            push eax
0040468A   .  897D CC       mov     dword ptr [ebp-34], edi                   ; clear the local reference (edi presumably 0)
0040468D   .  C745 B8 09000>mov     dword ptr [ebp-48], 9                     ; vt = 9 (VT_DISPATCH)
00404694   .  FF15 B4104000 call    dword ptr [<&MSVBVM60.#617>]              ; MSVBVM60.rtcLeftCharVar -> first character in [ebp-58]
0040469A   .  8B45 C8       mov     eax, dword ptr [ebp-38]
0040469D   .  8D4D 98       lea     ecx, dword ptr [ebp-68]
004046A0   .  6A 01         push    1                                         ; length = 1
004046A2   .  8D55 88       lea     edx, dword ptr [ebp-78]
004046A5   .  51            push ecx
004046A6   .  52            push edx
004046A7   .  897D C8       mov     dword ptr [ebp-38], edi                   ; clear the local reference (edi presumably 0)
004046AA   .  8945 A0       mov     dword ptr [ebp-60], eax                   ; object pointer becomes the value of the variant at [ebp-68]
004046AD   .  C745 98 09000>mov     dword ptr [ebp-68], 9                     ; vt = 9 (VT_DISPATCH)
004046B4   .  FF15 C0104000 call    dword ptr [<&MSVBVM60.#619>]              ; MSVBVM60.rtcRightCharVar -> last character in [ebp-78]
; --- 004046BA..0040474B: character codes of the last and first character, 16-bit add, clean-up ---
; [ebp-78] holds the rightmost character and [ebp-58] the leftmost one (results of
; rtcRightCharVar / rtcLeftCharVar). The sum is stored as a 16-bit integer VARIANT.
004046BA   .  8B3D 80104000 mov     edi, dword ptr [<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
004046C0   .  8D45 88       lea     eax, dword ptr [ebp-78]                   ; last character (variant)
004046C3   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
004046C6   .  50            push    eax                                       ; /String8
004046C7   .  51            push    ecx                                       ; |ARG2
004046C8   .  FFD7          call    edi                                       ; \__vbaStrVarVal
004046CA   .  50            push    eax                                       ; /String
004046CB   .  FF15 24104000 call    dword ptr [<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
004046D1   .  66:8BD0       mov     dx, ax                                    ; ^ returns the character code (here: last character)
004046D4   .  8D45 A8       lea     eax, dword ptr [ebp-58]                   ; first character (variant)
004046D7   .  8D4D D4       lea ecx, dword ptr [ebp-2C]
004046DA   .  50            push    eax                                       ; /String8
004046DB   .  51            push    ecx                                       ; |ARG2
004046DC   .  66:8995 26FFF>mov     word ptr [ebp-DA], dx                     ; | park the first result across the calls
004046E3   .  FFD7          call    edi                                       ; \__vbaStrVarVal
004046E5   .  50            push    eax                                       ; /String
004046E6   .  FF15 24104000 call    dword ptr [<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
004046EC   .  66:8B95 26FFF>mov dx, word ptr [ebp-DA]                         ; dx = code of the last character
004046F3   .  8D4D D8       lea     ecx, dword ptr [ebp-28]                   ; [ebp-28]: presumably the destination for __vbaVarMove below
004046F6   .  66:03D0       add     dx, ax                                    ; first + last character codes (16-bit add)
004046F9   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 2                     ; vt = 2 (VT_I2)
00404703   .  0F80 94030000 jo      00404A9D                                  ; signed 16-bit overflow: target is outside this excerpt
00404709   .  66:8955 80    mov     word ptr [ebp-80], dx                     ; save the sum as the variant's value
0040470D   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
00404713   .  FF15 08104000 call    dword ptr [<&MSVBVM60.__vbaVarMove>]      ; MSVBVM60.__vbaVarMove
00404719   .  8D45 D0       lea     eax, dword ptr [ebp-30]
0040471C   .  8D4D D4       lea ecx, dword ptr [ebp-2C]
0040471F   .  50            push eax
00404720   .  51            push ecx
00404721   .  6A 02         push    2                                         ; two temporary strings
00404723   .  FF15 9C104000 call    dword ptr [<&MSVBVM60.__vbaFreeStrList>]  ; MSVBVM60.__vbaFreeStrList
00404729   .  8D55 C8       lea     edx, dword ptr [ebp-38]
0040472C   .  8D45 CC       lea     eax, dword ptr [ebp-34]
0040472F   .  52            push edx
00404730   .  50            push eax
00404731   .  6A 02         push    2                                         ; two object references
00404733   .  FF15 20104000 call    dword ptr [<&MSVBVM60.__vbaFreeObjList>]  ; MSVBVM60.__vbaFreeObjList
00404739   .  8D4D 88       lea     ecx, dword ptr [ebp-78]
0040473C   .  8D55 98       lea     edx, dword ptr [ebp-68]
0040473F   .  51            push ecx
00404740   .  8D45 A8       lea     eax, dword ptr [ebp-58]
00404743   .  52            push edx
00404744   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404747   .  50            push eax
00404748   .  51            push ecx
00404749   .  6A 04         push    4                                         ; four temporary variants
0040474B   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaFreeVarList>]  ; MSVBVM60.__vbaFreeVarList
; --- 00404751..00404784: multiply the character-code sum by 999999 and keep it as the serial ---
; [ebp-28] is the variant passed as the first operand; the author's notes identify it as the
; sum. A second variant (VT_I4, 999999) is built at [ebp-88] and both go to __vbaVarMul.
00404751   .  83C4 2C       add esp, 2C                                       ; drop the 11 dwords pushed for the three free-list calls before this
00404754   .  8D55 D8       lea     edx, dword ptr [ebp-28]
00404757   .  8D85 78FFFFFF lea     eax, dword ptr [ebp-88]
0040475D   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404760   .  52            push    edx                                       ; /var18
00404761   .  50            push    eax                                       ; |var28
00404762   .  51            push    ecx                                       ; |SaveTo8
00404763   .  C745 80 3F420>mov     dword ptr [ebp-80], 0F423F                ; | 0x0F423F = 999999
0040476A   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 3                     ; | vt = 3 (VT_I4)
00404774   .  FF15 6C104000 call    dword ptr [<&MSVBVM60.__vbaVarMul>]       ; \__vbaVarMul
0040477A   .  50            push    eax                                       ; (first + last) * 999999 = serial
0040477B   .  FF15 AC104000 call    dword ptr [<&MSVBVM60.__vbaI4Var>]        ; MSVBVM60.__vbaI4Var
00404781   .  8B16          mov edx, dword ptr [esi]                          ; next step starts here: vtable of the object in esi
00404783   .  56            push esi
00404784   .  8945 E8       mov     dword ptr [ebp-18], eax                   ; the computed serial is stored here
; --- 00404787..004047E8: read the serial field and reject an empty entry ---
; The control comes from vtable slot +2FC of the object in esi (edx and esi were prepared by
; the two instructions just before this block); its text lands in [ebp-2C].
00404787   .  FF92 FC020000 call dword ptr [edx+2FC]                          ; get the control (slot +2FC)
0040478D   .  50            push eax
0040478E   .  8D45 CC       lea     eax, dword ptr [ebp-34]
00404791   .  50            push eax
00404792   .  FFD3          call ebx                                          ; presumably __vbaObjSet, as at 00404563
00404794   .  8BF8          mov edi, eax                                      ; edi = control object
00404796   .  8D55 D4       lea edx, dword ptr [ebp-2C]
00404799   .  52            push edx
0040479A   .  57            push edi
0040479B   .  8B0F          mov ecx, dword ptr [edi]
0040479D   .  FF91 A0000000 call dword ptr [ecx+A0]                           ; virtual call, slot +A0: text is written to [ebp-2C]
004047A3   .  85C0          test eax, eax
004047A5   .  DBE2          fclex
004047A7   .  7D 12         jge     short 004047BB                            ; non-negative status: skip the error check
004047A9   .  68 A0000000   push    0A0
004047AE   .  68 00304000   push    00403000
004047B3   .  57            push edi
004047B4   .  50            push eax
004047B5   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004047BB   >  8B45 D4       mov     eax, dword ptr [ebp-2C]                   ; fetch the entered password
004047BE   .  50            push eax
004047BF   .  68 B0304000   push    004030B0                                  ; empty string
004047C4   .  FF15 58104000 call    dword ptr [<&MSVBVM60.__vbaStrCmp>]       ; MSVBVM60.__vbaStrCmp
004047CA   .  8BF8          mov edi, eax                                      ; neg/sbb/inc/neg below: edi = -1 if the result was 0, else 0
004047CC   .  8D4D D4       lea ecx, dword ptr [ebp-2C]
004047CF   .  F7DF          neg edi                                           ; CF = 1 when the result is non-zero
004047D1   .  1BFF          sbb edi, edi                                      ; edi = -CF
004047D3   .  47            inc edi
004047D4   .  F7DF          neg edi                                           ; edi = -1 when the entry equals the empty string
004047D6   .  FF15 D0104000 call    dword ptr [<&MSVBVM60.__vbaFreeStr>]      ; MSVBVM60.__vbaFreeStr
004047DC   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
004047DF   .  FF15 D4104000 call    dword ptr [<&MSVBVM60.__vbaFreeObj>]      ; MSVBVM60.__vbaFreeObj
004047E5   .  66:85FF       test di, di
004047E8   .  0F84 81000000 je      0040486F                                  ; entry is not empty: go on to the comparison
; --- 004047EE..0040486A: empty serial entry -> "wrong serial!" message box ---
; Same VARIANT set-up as the short-name path at 004045CF, with different strings.
; Note that edi and esi are overwritten on this path.
004047EE   .  8B3D B0104000 mov     edi, dword ptr [<&MSVBVM60.__vbaVarDup>]  ; MSVBVM60.__vbaVarDup
004047F4   .  B9 04000280   mov     ecx, 80020004                             ; 0x80020004 = DISP_E_PARAMNOTFOUND
004047F9   .  894D 90       mov     dword ptr [ebp-70], ecx
004047FC   .  B8 0A000000   mov     eax, 0A                                   ; 0x0A = VT_ERROR
00404801   .  894D A0       mov     dword ptr [ebp-60], ecx
00404804   .  BE 08000000   mov     esi, 8                                    ; 8 = VT_BSTR
00404809   .  8D95 68FFFFFF lea     edx, dword ptr [ebp-98]
0040480F   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
00404812   .  8945 88       mov     dword ptr [ebp-78], eax                   ; VT_ERROR variants at [ebp-78] and [ebp-68]:
00404815   .  8945 98       mov     dword ptr [ebp-68], eax                   ; these look like omitted optional arguments
00404818   .  C785 70FFFFFF>mov     dword ptr [ebp-90], 004030E0              ; wrong serial!
00404822   .  89B5 68FFFFFF mov     dword ptr [ebp-98], esi                   ; vt = VT_BSTR for the variant at [ebp-98]
00404828   .  FFD7          call    edi                                       ; <&MSVBVM60.__vbaVarDup>
0040482A   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
00404830   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404833   .  C745 80 B8304>mov     dword ptr [ebp-80], 004030B8              ; sorry, try again!
0040483A   .  89B5 78FFFFFF mov     dword ptr [ebp-88], esi                   ; vt = VT_BSTR for the variant at [ebp-88]
00404840   .  FFD7          call edi                                          ; __vbaVarDup again (edi loaded at 004047EE)
00404842   .  8D4D 88       lea     ecx, dword ptr [ebp-78]
00404845   .  8D55 98       lea     edx, dword ptr [ebp-68]
00404848   .  51            push ecx
00404849   .  8D45 A8       lea     eax, dword ptr [ebp-58]
0040484C   .  52            push edx
0040484D   .  50            push eax
0040484E   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404851   .  6A 00         push    0
00404853   .  51            push ecx
00404854   .  FF15 3C104000 call    dword ptr [<&MSVBVM60.#595>]              ; MSVBVM60.rtcMsgBox
0040485A   .  8D55 88       lea     edx, dword ptr [ebp-78]                   ; the four pointers pushed below mirror the
0040485D   .  8D45 98       lea     eax, dword ptr [ebp-68]                   ; __vbaFreeVarList arguments at 0040463A
00404860   .  52            push edx
00404861   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
00404864   .  50            push eax
00404865   .  8D55 B8       lea     edx, dword ptr [ebp-48]
00404868   .  51            push ecx
00404869   .  52            push edx
0040486A   .  E9 B2010000   jmp     00404A21                                  ; target is outside this excerpt (presumably the shared clean-up)
; --- 0040486F..004048D3: turn the serial into a string and compare it with the entry ---
; NOTE(review): the expected value is derived only from the name, rebuilt as a string inside
; the process and compared directly with the input, so the check gives no protection against
; analysis. A real licence check would verify a signature rather than recompute the key locally.
0040486F   >  8B0E          mov ecx, dword ptr [esi]                          ; ecx = vtable of the object in esi
00404871   .  8D45 E8       lea     eax, dword ptr [ebp-18]                   ; address of the stored serial
00404874   .  56            push esi
00404875   .  8945 80       mov     dword ptr [ebp-80], eax                   ; variant value = pointer to the serial
00404878   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 4003                  ; vt = 0x4003 (VT_BYREF | VT_I4)
00404882   .  FF91 FC020000 call dword ptr [ecx+2FC]                          ; get the control (slot +2FC), as at 00404787
00404888   .  8D55 CC       lea     edx, dword ptr [ebp-34]
0040488B   .  50            push eax
0040488C   .  52            push edx
0040488D   .  FFD3          call ebx                                          ; presumably __vbaObjSet, as at 00404563
0040488F   .  8BF0          mov esi, eax                                      ; esi = control object
00404891   .  8D4D D4       lea ecx, dword ptr [ebp-2C]
00404894   .  51            push ecx
00404895   .  56            push esi
00404896   .  8B06          mov eax, dword ptr [esi]
00404898   .  FF90 A0000000 call dword ptr [eax+A0]                           ; virtual call, slot +A0: text is written to [ebp-2C]
0040489E   .  85C0          test eax, eax
004048A0   .  DBE2          fclex
004048A2   .  7D 12         jge     short 004048B6                            ; non-negative status: skip the error check
004048A4   .  68 A0000000   push    0A0
004048A9   .  68 00304000   push    00403000
004048AE   .  56            push esi
004048AF   .  50            push eax
004048B0   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004048B6   >  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
004048BC   .  52            push    edx                                       ; v returns a string
004048BD   .  FF15 84104000 call    dword ptr [<&MSVBVM60.#536>]              ; MSVBVM60.rtcStrFromVar
004048C3   .  8BD0          mov edx, eax
004048C5   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
004048C8   .  FF15 BC104000 call    dword ptr [<&MSVBVM60.__vbaStrMove>]      ; MSVBVM60.__vbaStrMove
004048CE   .  50            push eax                                          ; serial as a string
004048CF   .  8B45 D4       mov eax, dword ptr [ebp-2C]
004048D2   .  50            push    eax                                       ; compare the entered password with the serial
004048D3   .  FF15 58104000 call    dword ptr [<&MSVBVM60.__vbaStrCmp>]       ; MSVBVM60.__vbaStrCmp (the listing ends here; the branch on the result is not shown)

 

就這麼一段簡單的功能,在 MFC 裏可以這麼寫:

 // MFC dialog-handler fragment: serial = (first char + last char of the name) * 999999.
 // NOTE(review): the disassembly adds two 16-bit character codes with an overflow check,
 // while this uses plain character arithmetic, so the two presumably agree only for
 // names whose first and last characters are 7-bit ASCII; confirm.
 CString userName;
 GetDlgItemText( IDC_EDIT_NAME, userName );          // read the user-name field
 const int nameLen = userName.GetLength();
 if ( nameLen < 2 )
 {
     // Format check failed: the name needs at least two characters.
     MessageBox( "用戶名格式錯誤!" );
 }
 else
 {
     const int charSum = userName[0] + userName[nameLen - 1];
     unsigned int serial = charSum * 999999;
     CString serialText;
     // The leading space in the format string is deliberate; it presumably mirrors the
     // string conversion (rtcStrFromVar) that the target compares against.
     serialText.Format( " %lu", serial );
     SetDlgItemText( IDC_EDIT_PASSWORD, serialText );
 }

再在OnInitDialog中添加此代碼修改標題:SetWindowText(_T("Keygen"));

運行效果:
