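Download page: http://www.skycn.com/soft/5977.html
【Software restrictions】: NAG, feature limitations
【Author's statement】: I am new to cracking and do this purely out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!
【Tools】: Ollydbg1.09, PEiD, AspackDie, W32Dasm 9.0 Platinum edition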
—————————————————————————————————
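【Process】:
For lack of time it took me a long while to write this up; the author is probably about to release an upgrade by now?
I also took a look at its sibling 《英语音标大师 V1.02》; the algorithm is the same, so there is no need to write that one up. ^O^ ^O^
easypad.exe is packed with ASPack 2.12; I unpacked it with AspackDie. 169K->732K. Written in VB.
This one is not very hard, it is just that some aspects are tricky to get a grip on. ~Q~ ^Q^ ^v^ ^v^
Serial number: FLYN649065455613
Test code: fly-12345678-fly[OCN][FCG]-E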
—————————————————————————————————
* Reference To: MSVBVM60.rtcInputBox, Ord:0254h
:004620D2 FF15FC104000 Call dword ptr [004010FC]
:004620D8 8BD0 mov edx, eax
====>EDX=fly-12345678-fly[OCN][FCG]-E (the test code)
:004620DA 8D4DA8 lea ecx, dword ptr [ebp-58]
:004620DD FFD6 call esi
:004620DF 8BD0 mov edx, eax
:004620E1 8B8D78FEFFFF mov ecx, dword ptr [ebp+FFFFFE78]
* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:004620E7 FF15D4124000 Call dword ptr [004012D4]
:004620ED 8D55A4 lea edx, dword ptr [ebp-5C]
:004620F0 52 push edx
.............................................
..............
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00462161 FF1544104000 Call dword ptr [00401044]
:00462167 83C45C add esp, 0000005C
:0046216A 8B0B mov ecx, dword ptr [ebx]
:0046216C 8D95C8FEFFFF lea edx, dword ptr [ebp+FFFFFEC8]
:00462172 52 push edx
:00462173 8B8578FEFFFF mov eax, dword ptr [ebp+FFFFFE78]
:00462179 50 push eax
:0046217A 53 push ebx
:0046217B FF9128070000 call dword ptr [ecx+00000728]
====>Key CALL! Step in!
:00462181 85C0 test eax, eax
:00462183 7D12 jge 00462197
:00462185 6828070000 push 00000728
:0046218A 688C574200 push 0042578C
:0046218F 53 push ebx
:00462190 50 push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00462191 FF15A4104000 Call dword ptr [004010A4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00462183(C)
|
:00462197 6683BDC8FEFFFF00 cmp word ptr [ebp+FFFFFEC8], 0000
:0046219F 0F84C3030000 je 00462568
====>If this jumps, it is OVER!
:004621A5 8D4D8C lea ecx, dword ptr [ebp-74]
:004621A8 51 push ecx
* Reference To: MSVBVM60.rtcGetDateVar, Ord:0262h
|
:004621A9 FF1524134000 Call dword ptr [00401324]
:004621AF 6A00 push 00000000
:004621B1 8D558C lea edx, dword ptr [ebp-74]
:004621B4 52 push edx
:004621B5 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
:004621BB 50 push eax
...................................
.........................
:004622C3 8D856CFFFFFF lea eax, dword ptr [ebp+FFFFFF6C]
:004622C9 50 push eax
:004622CA 8D8D7CFFFFFF lea ecx, dword ptr [ebp+FFFFFF7C]
:004622D0 51 push ecx
:004622D1 8D558C lea edx, dword ptr [ebp-74]
:004622D4 52 push edx
* Reference To: MSVBVM60.rtcInputBox, Ord:0254h
|
:004622D5 FF15FC104000 Call dword ptr [004010FC]
====>Congratulations, done! Enter the confirmation number! 7055
:004622DB 8BD0 mov edx, eax
====>EDX=7055
:004622DD 8D4DC8 lea ecx, dword ptr [ebp-38]
:004622E0 FFD6 call esi
:004622E2 50 push eax
* Reference To: MSVBVM60.__vbaR8Str, Ord:0000h
|
:004622E3 FF15C0124000 Call dword ptr [004012C0]
:004622E9 DB437C fild dword ptr [ebx+7C]
:004622EC DD9D70FEFFFF fstp qword ptr [ebp+FFFFFE70]
:004622F2 DC9D70FEFFFF fcomp qword ptr [ebp+FFFFFE70]
====>Compare: is the confirmation number 7055?
:004622F8 DFE0 fstsw ax
:004622FA F6C440 test ah, 40
:004622FD 7407 je 00462306
:004622FF B801000000 mov eax, 00000001
:00462304 EB02 jmp 00462308
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004622FD(C)
|
:00462306 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00462304(U)
|
:00462308 F7D8 neg eax
:0046230A 668BF0 mov si, ax
:0046230D 8D45C8 lea eax, dword ptr [ebp-38]
:00462310 50 push eax
:00462311 8D4DCC lea ecx, dword ptr [ebp-34]
:00462314 51 push ecx
:00462315 6A02 push 00000002
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:00462317 FF15E4124000 Call dword ptr [004012E4]
:0046231D 8D952CFFFFFF lea edx, dword ptr [ebp+FFFFFF2C]
:00462323 52 push edx
:00462324 8D853CFFFFFF lea eax, dword ptr [ebp+FFFFFF3C]
:0046232A 50 push eax
:0046232B 8D8D4CFFFFFF lea ecx, dword ptr [ebp+FFFFFF4C]
:00462331 51 push ecx
:00462332 8D955CFFFFFF lea edx, dword ptr [ebp+FFFFFF5C]
:00462338 52 push edx
:00462339 8D856CFFFFFF lea eax, dword ptr [ebp+FFFFFF6C]
:0046233F 50 push eax
:00462340 8D8D7CFFFFFF lea ecx, dword ptr [ebp+FFFFFF7C]
:00462346 51 push ecx
:00462347 8D558C lea edx, dword ptr [ebp-74]
:0046234A 52 push edx
:0046234B 6A07 push 00000007
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0046234D FF1544104000 Call dword ptr [00401044]
:00462353 83C42C add esp, 0000002C
:00462356 6685F6 test si, si
:00462359 0F8409020000 je 00462568
:0046235F 8B8578FEFFFF mov eax, dword ptr [ebp+FFFFFE78]
:00462365 8B08 mov ecx, dword ptr [eax]
:00462367 51 push ecx
* Possible StringData Ref from Code Obj ->"rregnumber"
|
:00462368 6870684200 push 00426870
* Possible StringData Ref from Code Obj ->"rregist"
|
:0046236D 685C684200 push 0042685C
* Possible StringData Ref from Code Obj ->"eeasypad"
|
:00462372 68E8634200 push 004263E8
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00462377 FF150C104000 Call dword ptr [0040100C]
====>Save the registration info!
:0046237D E9E6010000 jmp 00462568
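
The `fcomp` / `fstsw ax` / `test ah, 40` / `neg eax` / `mov si, ax` sequence at 004622F2 to 0046230A above, modelled in C to show how a floating-point compare becomes a VB Boolean. This is an added example, not code from the original post or from the program; the function names are made up for illustration, and the x87 is modelled only as far as the condition-code bits this idiom reads.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* x87 status-word condition-code bits (C3 lands in AH as 0x40). */
#define X87_C0 0x0100u
#define X87_C2 0x0400u
#define X87_C3 0x4000u

/* Condition codes FCOMP leaves when comparing ST(0) with its operand. */
static uint16_t x87_fcomp_status(double st0, double src)
{
    if (isnan(st0) || isnan(src))
        return X87_C3 | X87_C2 | X87_C0;   /* unordered: all three set */
    if (st0 == src)
        return X87_C3;                     /* equal */
    if (st0 < src)
        return X87_C0;                     /* ST(0) below operand */
    return 0;                              /* ST(0) above operand */
}

/* Hypothetical helper mirroring the listing from fstsw ax to mov si, ax. */
static int16_t vb_equal_flag(double st0, double src)
{
    uint16_t ax = x87_fcomp_status(st0, src);   /* fstsw ax           */
    uint8_t  ah = (uint8_t)(ax >> 8);
    uint32_t eax;

    if ((ah & 0x40) == 0)                       /* test ah, 40 / je   */
        eax = 0;                                /* xor eax, eax       */
    else
        eax = 1;                                /* mov eax, 00000001  */

    eax = 0u - eax;                             /* neg eax: 1 -> FFFFFFFF */
    return (int16_t)(uint16_t)eax;              /* mov si, ax         */
}

int main(void)
{
    /* Constructed sample values, not taken from the program. */
    printf("equal:     %d\n", vb_equal_flag(42.0, 42.0));
    printf("different: %d\n", vb_equal_flag(41.0, 42.0));
    printf("unordered: %d\n", vb_equal_flag(NAN, 42.0));
    return 0;
}
```

Because the idiom tests C3 alone, an unordered compare (NaN) also yields -1 (VB True); the `test si, si` / `je 00462568` pair that follows only distinguishes zero from non-zero.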
—————————————————————————————————
Stepping into the key CALL: 0046217B call dword ptr [ecx+00000728]
…… ……omitted…… ……
:004724A8 FFD3 call ebx
:004724AA 50 push eax
* Possible StringData Ref from Code Obj ->"CC:\"
|
:004724AB 68A4974200 push 004297A4
:004724B0 8D45CC lea eax, dword ptr [ebp-34]
:004724B3 50 push eax
:004724B4 FFD3 call ebx
:004724B6 50 push eax
:004724B7 E8EC30FBFF call 004255A8
* Reference To: MSVBVM60.__vbaSetSystemError, Ord:0000h
|
:004724BC FF1598104000 Call dword ptr [00401098]
:004724C2 8B4DC8 mov ecx, dword ptr [ebp-38]
* Reference To: MSVBVM60.__vbaStrToUnicode, Ord:0000h
|
:004724C5 8B1D38124000 mov ebx, dword ptr [00401238]
:004724CB 51 push ecx
:004724CC 8D55C4 lea edx, dword ptr [ebp-3C]
:004724CF 52 push edx
:004724D0 FFD3 call ebx
:004724D2 50 push eax
:004724D3 8B45DC mov eax, dword ptr [ebp-24]
:004724D6 50 push eax
:004724D7 57 push edi
* Reference To: MSVBVM60.__vbaLsetFixstr, Ord:0000h
|
:004724D8 FF1594104000 Call dword ptr [00401094]
:004724DE 8B4DC0 mov ecx, dword ptr [ebp-40]
:004724E1 51 push ecx
:004724E2 8D55BC lea edx, dword ptr [ebp-44]
:004724E5 52 push edx
:004724E6 FFD3 call ebx
:004724E8 50 push eax
:004724E9 8B45D8 mov eax, dword ptr [ebp-28]
:004724EC 50 push eax
:004724ED 57 push edi
* Reference To: MSVBVM60.__vbaLsetFixstr, Ord:0000h
|
:004724EE FF1594104000 Call dword ptr [00401094]
:004724F4 8D4DBC lea ecx, dword ptr [ebp-44]
:004724F7 51 push ecx
:004724F8 8D55C0 lea edx, dword ptr [ebp-40]
:004724FB 52 push edx
:004724FC 8D45C4 lea eax, dword ptr [ebp-3C]
:004724FF 50 push eax
:00472500 8D4DC8 lea ecx, dword ptr [ebp-38]
:00472503 51 push ecx
:00472504 8D55CC lea edx, dword ptr [ebp-34]
:00472507 52 push edx
:00472508 6A05 push 00000005
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:0047250A FF15E4124000 Call dword ptr [004012E4]
:00472510 8B5D0C mov ebx, dword ptr [ebp+0C]
:00472513 8B03 mov eax, dword ptr [ebx]
====>EAX=fly-12345678-fly[OCN][FCG]-E (the test code)
:00472515 83C418 add esp, 00000018
:00472518 6A01 push 00000001
:0047251A 6AFF push FFFFFFFF
:0047251C 6A01 push 00000001
:0047251E 68D0654200 push 004265D0
:00472523 68CC754200 push 004275CC
:00472528 50 push eax
* Reference To: MSVBVM60.rtcReplace, Ord:02C8h
|
:00472529 FF152C124000 Call dword ptr [0040122C]
====>Remove the - characters from the test code
:0047252F 8BD0 mov edx, eax
====>EDX=fly12345678fly[OCN][FCG]E
:00472531 8D4DD4 lea ecx, dword ptr [ebp-2C]
* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00472534 FF1578134000 Call dword ptr [00401378]
:0047253A 8B0B mov ecx, dword ptr [ebx]
* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:0047253C 8B1D34104000 mov ebx, dword ptr [00401034]
:00472542 51 push ecx
====>ECX=fly-12345678-fly[OCN][FCG]-E
:00472543 FFD3 call ebx
====>Get the length of fly-12345678-fly[OCN][FCG]-E
:00472545 8BD0 mov edx, eax
====>EDX=1C
:00472547 8B45D4 mov eax, dword ptr [ebp-2C]
:0047254A 50 push eax
====>EAX=fly12345678fly[OCN][FCG]E
:0047254B 899528FFFFFF mov dword ptr [ebp+FFFFFF28], edx
====>[ebp+FFFFFF28]=EDX=1C
:00472551 FFD3 call ebx
====>Get the length of fly12345678fly[OCN][FCG]E = 19
:00472553 8B8D28FFFFFF mov ecx, dword ptr [ebp+FFFFFF28]
====>ECX=1C
:00472559 8B55D4 mov edx, dword ptr [ebp-2C]
:0047255C 33DB xor ebx, ebx
:0047255E 3BC1 cmp eax, ecx
====>Compare whether the two lengths are the same, i.e. check whether the test code contains -
:00472560 52 push edx
:00472561 0F9DC3 setnl bl
====>Set BL! If there is a -, the lengths differ and BL=0
* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:00472564 FF1534104000 Call dword ptr [00401034]
====>Get the length of fly12345678fly[OCN][FCG]E = 19
:0047256A 33C9 xor ecx, ecx
:0047256C 83F819 cmp eax, 00000019
====>After removing the -, is the test code 25 characters long?
:0047256F 0F9CC1 setl cl
====>Set CL! If it is 25 characters, CL=0
:00472572 0BD9 or ebx, ecx
:00472574 0F850C010000 jne 00472686
====>If both of the conditions above are met, this jump is not taken!
====>If this jump is taken, it is OVER right away! Patch point ①!
:0047257A 8B55D4 mov edx, dword ptr [ebp-2C]
====>EDX=fly12345678fly[OCN][FCG]E
:0047257D A110804A00 mov eax, dword ptr [004A8010]
====>EAX=211C1E09, the disk serial number of drive C
:00472582 8D4DA4 lea ecx, dword ptr [ebp-5C]
:00472585 89955CFFFFFF mov dword ptr [ebp+FFFFFF5C], edx
:0047258B 2DCF337B00 sub eax, 007B33CF
====>EAX=211C1E09 - 007B33CF=20A0EA3A
|