Environment:
Windows XP SP3
There are two goals this time:
1. Remove the nag window
2. Work out the serial algorithm
1. Removing the nag window this time used a few other programs:
(1) VBLocalize v1.1.0.0
(2) UltraEdit
(3) VBExplorer
Since this is a VB program, load it in VBLocalize,
and use the offset it reports to locate the Timer's offset in the file:
VBExplorer shows the Timer's properties:
This shows that the nag window lasts 7 seconds and that the Timer is positioned at (2880,2160), which in hex is (0x0B40,0x0870).
7000 in hex is 0x1B58, so:
the bytes at 00005b75-00005b76 (stored little-endian as 58 1B) hold the nag window's lifetime; change these two bytes from 58 1B to 01 00.
If they are set to 0, the nag window stays forever.
2. Finding the serial algorithm
As in part 1, enter a wrong serial, then press F12 and Alt+F9 to return to the program's own code.
0040865D . B8 0A000000 mov eax,0xA
00408662 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00408665 . 66:85F6 test si,si
00408668 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040866B . 894D AC mov dword ptr ss:[ebp-0x54],ecx
0040866E . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00408671 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00408674 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
00408677 . 74 62 je XAfKayAs_.004086DB ; this jump must not be taken
00408679 . 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCat
0040867F . 68 C06F4000 push AfKayAs_.00406FC0 ; UNICODE "You Get It"
00408684 . 68 DC6F4000 push AfKayAs_.00406FDC ; /String = ""
00408689 . FFD6 call esi ; \__vbaStrCat
0040868B . 8BD0 mov edx,eax
0040868D . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00408690 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
00408696 . 50 push eax
00408697 . 68 E86F4000 push AfKayAs_.00406FE8 ; UNICODE "KeyGen It Now"
0040869C . FFD6 call esi
0040869E . 8945 CC mov dword ptr ss:[ebp-0x34],eax
004086A1 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
004086A4 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
004086A7 . 50 push eax
004086A8 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
004086AB . 51 push ecx
004086AC . 52 push edx
004086AD . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
004086B0 . 6A 00 push 0x0
004086B2 . 50 push eax
004086B3 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004086BA . FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
004086C0 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004086C3 . FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
004086C9 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004086CC . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004086CF . 51 push ecx
004086D0 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004086D3 . 52 push edx
004086D4 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004086D7 . 50 push eax
004086D8 . 51 push ecx
004086D9 . EB 60 jmp XAfKayAs_.0040873B ; above is the success message, below is the failure message
004086DB > 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCat
004086E1 . 68 08704000 push AfKayAs_.00407008 ; UNICODE "You Get Wrong"
004086E6 . 68 DC6F4000 push AfKayAs_.00406FDC ; /String = ""
004086EB . FFD6 call esi ; \__vbaStrCat
004086ED . 8BD0 mov edx,eax
004086EF . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004086F2 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
004086F8 . 50 push eax
004086F9 . 68 28704000 push AfKayAs_.00407028 ; UNICODE "Try Again"
004086FE . FFD6 call esi
00408700 . 8945 CC mov dword ptr ss:[ebp-0x34],eax
00408703 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00408706 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
00408709 . 52 push edx
0040870A . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040870D . 50 push eax
0040870E . 51 push ecx
0040870F . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
00408712 . 6A 00 push 0x0
00408714 . 52 push edx
00408715 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040871C . FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
00408722 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] ; Alt+F9 returns here
A little further up you see this:
004081E9 > \8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004081F2 . 50 push eax ; /String
004081F3 . 8B1A mov ebx,dword ptr ds:[edx] ; |
004081F5 . FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
004081FB . 8BF8 mov edi,eax
004081FD . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00408200 . 69FF 385B0100 imul edi,edi,0x15B38 ; this constant is different now
00408206 . 51 push ecx ; /String
00408207 . 0F80 B7050000 jo AfKayAs_.004087C4 ; |
0040820D . FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr
00408213 . 0FBFD0 movsx edx,ax
00408216 . 03FA add edi,edx
This is the same code met in part 1; only the multiplier has changed (0x15B38 = 88888).
Let
L be the length of Name,
c be the first character of Name,
s be the current result.
This gives the formula: s = L*88888 + ascii(c)
Continuing down:
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004082EF . D905 08104000 fld dword ptr ds:[0x401008] ; [401008] holds 10.0
004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC . 75 08 jnz XAfKayAs_.00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; [40100c] holds 5.0; this computes 10.0/5.0 = 2.0
00408304 . EB 0B jmp XAfKayAs_.00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08 sub esp,0x8
00408314 . DFE0 fstsw ax
00408316 . A8 0D test al,0xD
00408318 . 0F85 A1040000 jnz AfKayAs_.004087BF
0040831E . DEC1 faddp st(1),st ; s = s + 2.0
00408320 . DFE0 fstsw ax
This gives:
s = s + 2
Continuing down:
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; [401010] holds 3; here s = s*3
00408401 . 83EC 08 sub esp,0x8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; [401018] holds 2; here s = s-2
0040840A . DFE0 fstsw ax
0040840C . A8 0D test al,0xD
0040840E . 0F85 AB030000 jnz AfKayAs_.004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp]
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8
This gives:
s = s * 3 - 2
Continuing down:
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; [0x401020] holds -15, so here s = s + 15
004084EB . 83EC 08 sub esp,0x8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD
004084F2 . 0F85 C7020000 jnz AfKayAs_.004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp]
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8
00408501 . 8BD0 mov edx,eax
s = s + 15
Putting it all together:
s = (L*88888 + ascii(c))*3 + 19
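To check the derivation, here is an added Python example (not code from the original write-up) that replays each stage of the disassembly above in order, including the `jo` overflow check after the `imul` and the `Asc` call on the first character, and confirms that the step-by-step arithmetic agrees with the combined formula. The sample names are constructed; only ASCII names are considered, since `rtcAnsiValueBstr` returns an ANSI code.

```python
# Added example: replay the serial arithmetic recovered from the listing and
# compare it with the combined closed form s = (L*88888 + ascii(c))*3 + 19.
# Constants are taken from the disassembly: 0x15B38, 10.0/5.0, 3, 2 and -15.

INT32_MAX = 0x7FFFFFFF


def serial_stepwise(name: str) -> float:
    """Mirror each block of the disassembly, stage by stage."""
    if not name:
        # rtcAnsiValueBstr (Asc) on an empty string raises a VB runtime error
        raise ValueError("name must not be empty")
    length = len(name)                      # __vbaLenBstr
    s = length * 0x15B38                    # imul edi,edi,0x15B38 (88888)
    if s > INT32_MAX:                       # the 'jo' after imul: signed overflow
        raise OverflowError("imul overflow, VB jumps to its error handler")
    s += ord(name[0])                       # add edi,edx (edx = Asc(first char))
    s = float(s)                            # __vbaR8Str: the later stages use doubles
    s += 10.0 / 5.0                         # fld [401008]=10.0 ; fdiv [40100C]=5.0 ; faddp
    s = s * 3.0                             # fmul qword [401010] = 3
    s = s - 2.0                             # fsub qword [401018] = 2
    s = s - (-15.0)                         # fsub qword [401020] = -15, i.e. s + 15
    return s


def serial_formula(name: str) -> int:
    """The combined formula derived at the end of the write-up."""
    return (len(name) * 88888 + ord(name[0])) * 3 + 19


def formulas_agree(name: str) -> bool:
    """True when the stepwise replay and the closed form give the same value."""
    return serial_stepwise(name) == float(serial_formula(name))


if __name__ == "__main__":
    for sample in ("AfKayAs", "a", "Crackme"):   # constructed sample names
        print(sample, serial_formula(sample), formulas_agree(sample))
```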