Anti-Hack2.0注册算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → Anti-Hack2.0注册算法分析

Anti-Hack2.0注册算法分析 时间：2004/10/15 1:03:00来源：本站整理作者：蓝点我要评论(0)

Mail:lordor@sina.com
目的：属技术交流，无其它目的，请不要任意散布或用用商业用途。初学破解,如有不对的地方欢迎批评指出。
工具：softice,w32Dasm,ollydbg

试炼码：
用户名：lordor[BCG]
注册码：9876543210

查找出错信息。

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042B252(U)
|
:0042B25A B904000280              mov ecx, 80020004
:0042B25F B80A000000              mov eax, 0000000A
:0042B264 894D88                  mov dword ptr [ebp-78], ecx
:0042B267 894D98                  mov dword ptr [ebp-68], ecx
:0042B26A BE08000000              mov esi, 00000008
:0042B26F 8D9560FFFFFF            lea edx, dword ptr [ebp+FFFFFF60]
:0042B275 8D4DA0                  lea ecx, dword ptr [ebp-60]
:0042B278 894580                  mov dword ptr [ebp-80], eax
:0042B27B 894590                  mov dword ptr [ebp-70], eax

* Possible StringData Ref from Code Obj ->"error"
                                 |
:0042B27E C78568FFFFFF48CE4000    mov dword ptr [ebp+FFFFFF68], 0040CE48
:0042B288 89B560FFFFFF            mov dword ptr [ebp+FFFFFF60], esi
:0042B28E FFD3                    call ebx
:0042B290 8D9570FFFFFF            lea edx, dword ptr [ebp+FFFFFF70]
:0042B296 8D4DB0                  lea ecx, dword ptr [ebp-50]

* Possible StringData Ref from Code Obj ->"Invalid serial number. Try Again"
                                 |
在od中查找出错信息

0042AE09   .  50            PUSH EAX
0042AE0A   .  FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;  MSVBVM60.__vbaObjSet
0042AE10   .  8BF8          MOV EDI,EAX
0042AE12   .  8D55 C4       LEA EDX,DWORD PTR SS:[EBP-3C]
0042AE15   .  52            PUSH EDX
0042AE16   .  57            PUSH EDI
0042AE17   .  8B0F          MOV ECX,DWORD PTR DS:[EDI]
0042AE19   .  FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]               ;  取用户名
0042AE1F   .  3BC3          CMP EAX,EBX
0042AE21   .  DBE2          FCLEX
0042AE23   .  7D 12         JGE SHORT Anti-Hac.0042AE37
0042AE25   .  68 A0000000   PUSH 0A0
0042AE2A   .  68 38CF4000   PUSH Anti-Hac.0040CF38
0042AE2F   .  57            PUSH EDI
0042AE30   .  50            PUSH EAX
0042AE31   .  FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0042AE37   >  8B45 C4       MOV EAX,DWORD PTR SS:[EBP-3C]            ;  用户名入eax
0042AE3A   .  50            PUSH EAX
0042AE3B   .  68 E0CD4000   PUSH Anti-Hac.0040CDE0
0042AE40   .  FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0042AE46   .  8BF8          MOV EDI,EAX
0042AE48   .  8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
0042AE4B   .  F7DF          NEG EDI
0042AE4D   .  1BFF          SBB EDI,EDI
0042AE4F   .  47            INC EDI
0042AE50   .  F7DF          NEG EDI
0042AE52   .  FF15 E4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
0042AE58   .  8D4D C0       LEA ECX,DWORD PTR SS:[EBP-40]
0042AE5B   .  FF15 E0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0042AE61   .  66:3BFB       CMP DI,BX
0042AE64   .  0F84 8C000000 JE Anti-Hac.0042AEF6                     ;  此为判断用户名是否为空
0042AE6A   .  8B1D 9C114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaVa>;  MSVBVM60.__vbaVarDup
0042AE70   .  B9 04000280   MOV ECX,80020004
0042AE75   .  894D 88       MOV DWORD PTR SS:[EBP-78],ECX
0042AE78   .  B8 0A000000   MOV EAX,0A
0042AE7D   .  894D 98       MOV DWORD PTR SS:[EBP-68],ECX
0042AE80   .  BF 08000000   MOV EDI,8

................
............

0042AF25   .  68 A0000000   PUSH 0A0
0042AF2A   .  68 38CF4000   PUSH Anti-Hac.0040CF38
0042AF2F   .  57            PUSH EDI
0042AF30   .  50            PUSH EAX
0042AF31   .  FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0042AF37   >  8B4D C4       MOV ECX,DWORD PTR SS:[EBP-3C]            ;  用户名入ecx
0042AF3A   .  51            PUSH ECX
0042AF3B   .  68 E0CD4000   PUSH Anti-Hac.0040CDE0
0042AF40   .  FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0042AF46   .  8BF8          MOV EDI,EAX

.................
..............

0042AF93   .  68 A0000000   PUSH 0A0
0042AF98   .  68 38CF4000   PUSH Anti-Hac.0040CF38
0042AF9D   .  57            PUSH EDI
0042AF9E   .  50            PUSH EAX
0042AF9F   .  FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0042AFA5   >  8B45 C4       MOV EAX,DWORD PTR SS:[EBP-3C]            ;  注册码入eax
0042AFA8   .  50            PUSH EAX
0042AFA9   .  68 E0CD4000   PUSH Anti-Hac.0040CDE0
0042AFAE   .  FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0042AFB4   .  8BF8          MOV EDI,EAX
0042AFB6   .  8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
0042AFB9   .  F7DF          NEG EDI
0042AFBB   .  1BFF          SBB EDI,EDI
0042AFBD   .  47            INC EDI
0042AFBE   .  F7DF          NEG EDI
0042AFC0   .  FF15 E4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
0042AFC6   .  8D4D C0       LEA ECX,DWORD PTR SS:[EBP-40]
0042AFC9   .  FF15 E0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0042AFCF   .  66:85FF       TEST DI,DI
0042AFD2   .  0F84 84000000 JE Anti-Hac.0042B05C                     ;  注册码是否为空
0042AFD8   .  B9 04000280   MOV ECX,80020004
0042AFDD   .  B8 0A000000   MOV EAX,0A
0042AFE2   .  894D 88       MOV DWORD PTR SS:[EBP-78],ECX
0042AFE5   .  894D 98       MOV DWORD PTR SS:[EBP-68],ECX
..................
.........

0042B085   .  68 A0000000   PUSH 0A0
0042B08A   .  68 38CF4000   PUSH Anti-Hac.0040CF38
0042B08F   .  57            PUSH EDI
0042B090   .  50            PUSH EAX
0042B091   .  FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0042B097   >  8B4D C4       MOV ECX,DWORD PTR SS:[EBP-3C]            ;  注册码入ecx
0042B09A   .  51            PUSH ECX
0042B09B   .  68 E0CD4000   PUSH Anti-Hac.0040CDE0
0042B0A0   .  FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0042B0A6   .  8BF8          MOV EDI,EAX

...............
............

0042B0F3   .  68 A0000000   PUSH 0A0
0042B0F8   .  68 38CF4000   PUSH Anti-Hac.0040CF38
0042B0FD   .  57            PUSH EDI
0042B0FE   .  50            PUSH EAX
0042B0FF   .  FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0042B105   >  8B45 C4       MOV EAX,DWORD PTR SS:[EBP-3C]            ;  注册码入eax
0042B108   .  50            PUSH EAX
0042B109   .  FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;  MSVBVM60.__vbaLenBstr
0042B10F   .  33C9          XOR ECX,ECX                              ;  取注册码长度
0042B111   .  83F8 0A       CMP EAX,0A                               ;  是否为大于10位
0042B114   .  0F9CC1        SETL CL
0042B117   .  F7D9          NEG ECX
0042B119   .  8BF9          MOV EDI,ECX
0042B11B   .  8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
.................
...........

0042B15E   .  52            PUSH EDX
0042B15F   .  50            PUSH EAX
0042B160   .  C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],-1
0042B16A   .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],800B
0042B174   .  FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;  MSVBVM60.__vbaVarTstEq
0042B17A   .  66:85C0       TEST AX,AX
0042B17D   .  0F85 D1000000 JNZ Anti-Hac.0042B254                    ;  注册码不为10位就跳往出错
0042B183   .  8B0E          MOV ECX,DWORD PTR DS:[ESI]
0042B185   .  56            PUSH ESI
0042B186   .  FF91 10030000 CALL DWORD PTR DS:[ECX+310]
0042B18C   .  8D55 C0       LEA EDX,DWORD PTR SS:[EBP-40]
0042B18F   .  50            PUSH EAX
0042B190   .  52            PUSH EDX
0042B191   .  FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;  MSVBVM60.__vbaObjSet
0042B197   .  8B45 C0       MOV EAX,DWORD PTR SS:[EBP-40]
0042B19A   .  6A 0A         PUSH 0A
0042B19C   .  8945 B8       MOV DWORD PTR SS:[EBP-48],EAX
0042B19F   .  8D45 B0       LEA EAX,DWORD PTR SS:[EBP-50]
0042B1A2   .  8D4D A0       LEA ECX,DWORD PTR SS:[EBP-60]
0042B1A5   .  50            PUSH EAX
0042B1A6   .  51            PUSH ECX
0042B1A7   .  C745 C0 00000>MOV DWORD PTR SS:[EBP-40],0
0042B1AE   .  C745 B0 09000>MOV DWORD PTR SS:[EBP-50],9
0042B1B5   .  FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.#617>]     ;  MSVBVM60.rtcLeftCharVar
0042B1BB   .  8D55 A0       LEA EDX,DWORD PTR SS:[EBP-60]            ;  从注册码中左边开始取10位
0042B1BE   .  52            PUSH EDX
0042B1BF   .  FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarMove
0042B1C5   .  8BD0          MOV EDX,EAX
0042B1C7   .  8D4D C8       LEA ECX,DWORD PTR SS:[EBP-38]
0042B1CA   .  FF15 B8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0042B1D0   .  8D4D C0       LEA ECX,DWORD PTR SS:[EBP-40]
0042B1D3   .  FF15 E0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0042B1D9   .  8B3D 30104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>;  MSVBVM60.__vbaFreeVarList
0042B1DF   .  8D45 A0       LEA EAX,DWORD PTR SS:[EBP-60]
0042B1E2   .  8D4D B0       LEA ECX,DWORD PTR SS:[EBP-50]
0042B1E5   .  50            PUSH EAX
0042B1E6   .  51            PUSH ECX
0042B1E7   .  6A 02         PUSH 2
0042B1E9   .  FFD7          CALL EDI                                 ;  <&MSVBVM60.__vbaFreeVarList>
0042B1EB   .  8B55 C8       MOV EDX,DWORD PTR SS:[EBP-38]            ;  取得的十位注册码入edx
0042B1EE   .  83C4 0C       ADD ESP,0C
0042B1F1   .  52            PUSH EDX
0042B1F2   .  68 F4F54000   PUSH Anti-Hac.0040F5F4                   ;  UNICODE "s81d-9adf-"
0042B1F7   .  FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0042B1FD   .  85C0          TEST EAX,EAX                             ;  比较与s81d-9adf-是否相等
0042B1FF   .  75 23         JNZ SHORT Anti-Hac.0042B224              ;  不等则跳
0042B201   .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0042B207   .  8D4D CC       LEA ECX,DWORD PTR SS:[EBP-34]
0042B20A   .  C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],-1
0042B214   .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],0B
0042B21E   .  FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;  MSVBVM60.__vbaVarMove
0042B224   >  8D45 CC       LEA EAX,DWORD PTR SS:[EBP-34]
0042B227   .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0042B22D   .  50            PUSH EAX
0042B22E   .  51            PUSH ECX
0042B22F   .  C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],0
0042B239   .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],800B
0042B243   .  FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;  MSVBVM60.__vbaVarTstEq
0042B249   .  66:85C0       TEST AX,AX
0042B24C   .  0F84 8D000000 JE Anti-Hac.0042B2DF
0042B252   .  EB 06         JMP SHORT Anti-Hac.0042B25A
0042B254   >  8B3D 30104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>;  MSVBVM60.__vbaFreeVarList
0042B25A   >  B9 04000280   MOV ECX,80020004
0042B25F   .  B8 0A000000   MOV EAX,0A
0042B264   .  894D 88       MOV DWORD PTR SS:[EBP-78],ECX
0042B267   .  894D 98       MOV DWORD PTR SS:[EBP-68],ECX
0042B26A   .  BE 08000000   MOV ESI,8
0042B26F   .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0042B275   .  8D4D A0       LEA ECX,DWORD PTR SS:[EBP-60]
0042B278   .  8945 80       MOV DWORD PTR SS:[EBP-80],EAX
0042B27B   .  8945 90       MOV DWORD PTR SS:[EBP-70],EAX
0042B27E   .  C785 68FFFFFF>MOV DWORD PTR SS:[EBP-98],Anti-Hac.0040C>;  UNICODE "error"
0042B288   .  89B5 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ESI
0042B28E   .  FFD3          CALL EBX
0042B290   .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0042B296   .  8D4D B0       LEA ECX,DWORD PTR SS:[EBP-50]
0042B299   .  C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],Anti-Hac.0040F>;  UNICODE "Invalid serial number. Try Again"
0042B2A3   .  89B5 70FFFFFF MOV DWORD PTR SS:[EBP-90],ESI
----------------------------------------
注册码左边必须是s81d-9adf-，后面是任意

总结：
用户名：lordor[BCG]
注册码：s81d-9adf-987654321

注册信息保存在：

[HKEY_USERS\S-1-5-21-1275210071-764733703-842925246-1003\Software\VB and VBA Program Settings\Anti-Hack\Register]
"loaded"="1"
"Registered?"="(2k)-(2000)-Carbosoft :)"
"Owner"="lordor[BCG]"
"SerialNumber"="s81d-9adf-987654321"

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法