某水准测量工具 vb6 程序注册分析
某水准测量工具 vb6 程序注册分析
vb 程序,接触不多,仅作记录
文件信息
PE32
操作系统: Windows(95)[I386, 32 位, GUI]
链接程序: Microsoft Linker(6.0)
编译器: Microsoft Visual Basic(6.0)
编译器: Visual Basic(6.00.8041)[Native]
语言: BASIC
CompanyName:公路工程有限责任公司
ProductName:工程1
FileVersion:1.00
ProductVersion:1.00
InternalName:水准测量工具
OriginalFilename:水准测量工具.exe
VB Decompiler Pro
VB 反编译工具，可直接解析出窗体(forms)和代码
注册点击事件 Command1_Click
关键点在 RJZC.UncrypStr：先对注册码解码，再与机器码进行比较。
' Registration button handler as rendered by VB Decompiler (var_XX names are
' decompiler temporaries).  Text2 holds the registration code typed by the user,
' Text1 the machine code shown to the user.  The code is decoded with the string
' literal "wenzi" and compared verbatim with Text1; on success it is written to
' an .ini beside the executable.  The whole check is local and symmetric: no
' signature, no server, and the key sits in the binary, which is why the
' decoder below can be inverted.
Private Sub Command1_Click() '42B2A0
Dim var_48 As RJZC.Text2
Dim var_D0 As Variant
Dim var_DC As TextBox
Dim var_D8 As App
loc_0042B305: Dim var_24 As String * 256
loc_0042B314: Dim var_28 As String * 256
loc_0042B323: On Error Resume Next   ' every runtime error in this handler is swallowed
loc_0042B363: var_3C = RJZC.Text2.Text   ' registration code entered by the user
loc_0042B36B: var_D4 = var_3C
' "(a = b) + 1" is the decompiler's rendering of a VB truth test (True = -1).
' global_0040858C is presumably the empty-string constant (blank input) -- TODO confirm in IDA.
loc_0042B3E2: If (var_3C = global_0040858C) + 1 Then
loc_0042B46C: MsgBox("请联系作者获取注册码!", 64, "提示信息", 10, 10)
loc_0042B495: Else
loc_0042B4CF: var_3C = RJZC.Text2.Text
loc_0042B4D7: var_D4 = var_3C
loc_0042B52C: var_40 = RJZC.UncrypStr(var_3C, "wenzi")   ' decode with the hard-coded key
loc_0042B532: var_D8 = var_40
loc_0042B5A1: var_44 = RJZC.Text1.Text   ' machine code
loc_0042B5A9: var_E0 = var_44
loc_0042B637: If (var_40 = var_44) + 1 Then   ' decoded code must equal the machine code exactly
loc_0042B67B: var_D0 = var_10C
loc_0042B694: var_48 = Global.App
loc_0042B699: var_D4 = var_48
loc_0042B6F1: var_3C = var_48.Path   ' App.Path: directory of the executable
loc_0042B6F6: var_DC = var_3C
loc_0042B74F: Kill var_3C & "\注册文件勿删.ini"   ' drop any previous license file (error ignored if absent)
loc_0042B7AE: var_D0 = var_118
loc_0042B7C7: var_48 = Global.App
loc_0042B7CC: var_D4 = var_48
loc_0042B824: var_3C = var_48.Path
loc_0042B829: var_DC = var_3C
loc_0042B886: Open var_3C & "\注册文件勿删.ini" For Output As #1 Len = -1   ' recreate the license file ...
loc_0042B8E2: var_3C = RJZC.Text2.Text
loc_0042B8EA: var_D4 = var_3C
loc_0042B934: Print 1, var_3C   ' ... containing the raw registration code (decompiler drops the "#" of Print #1)
loc_0042B958: Close #1
loc_0042B9E2: MsgBox("软件注册成功,感谢使用!", 64, "提示信息", 10, 10)
loc_0042BA0B: Else
loc_0042BA8F: MsgBox("请联系作者获取注册码!", 64, "提示信息", 10, 10)
loc_0042BABA: End   ' wrong code terminates the program outright
loc_0042BAC0: End If
loc_0042BAC0: End If
loc_0042BACC: GoTo loc_0042BB17
loc_0042BB16: Exit Sub
loc_0042BB17: ' Referenced from: 0042BACC
End Sub
RJZC.UncrypStr
' VB Decompiler's rendering of UncrypStr is only a sketch: the loop was flattened
' into GoTo fragments, "CInt(Me)" and "xor edx" are artifacts, and the Mid$ start
' index shows as CLng(0) where the IDA listing shows a running index.  The IDA
' pseudocode further down is the reliable version; comments here only map the
' recognizable pieces onto it.
Public Function UncrypStr(Src, Key) '42C110
loc_0042C167: var_60 = Src   ' hex-string registration code
loc_0042C173: var_40 = Key   ' "wenzi" at the call site
loc_0042C18B: On Error Resume Next   ' all runtime errors ignored (e.g. CInt on a short string)
loc_0042C1AE: var_54 = Len(var_40)   ' key length, used to cycle the key position
loc_0042C207: var_68 = "&H" & Mid$(var_60, 1, 2)   ' first byte: "&H" prefix makes CInt parse hex
loc_0042C223: var_4C = CInt(-1)
loc_0042C2A0: var_68 = "&H" & Mid$(var_60, CLng(0), 2)   ' subsequent bytes (start index lost by the decompiler)
loc_0042C2BC: var_5C = CInt(Me)   ' artifact: really CInt of the "&Hxx" string
loc_0042C2FF: var_3C = (var_3C + 1)
loc_0042C30C: GoTo loc_0042C323
loc_0042C367: var_8028 = Asc(Mid$(var_40, CLng(0), 1))   ' current key character
loc_0042C37E: var_34 = CLng(var_5C) xor edx   ' byte XOR key char ("edx" is a leaked register)
loc_0042C3BA: var_34 = ((255 + var_34) - var_4C)   ' wrap branch: + 255 - previous raw byte
loc_0042C3C7: GoTo loc_0042C3E3
loc_0042C45B: var_4C = var_5C   ' chain value becomes the current raw byte
loc_0042C461: var_48 = var_58
loc_0042C474: var_28 = (var_28 + 2)   ' advance two hex characters
loc_0042C49E: var_C8 = Len(var_60)   ' loop bound
loc_0042C4B2: If Err.Number Then GoTo loc_0042C257
loc_0042C4C5: var_2C = var_44 + Chr(CLng((var_34 - var_4C)))   ' non-wrap branch: - previous byte, appended
loc_0042C4D1: GoTo loc_0042C510
loc_0042C4DB: If (0 And 4) Then
loc_0042C4E6: End If
loc_0042C50F: Exit Function
loc_0042C510: ' Referenced from: 0042C4D1
End Function
反编译效果不好，还得对照汇编；还是用 IDA。
// IDA pseudocode of RJZC.UncrypStr (0x42C110), VB6 native code.  The vNN
// temporaries, the v53 statement counter and the "(vNN & 0xD)" tests are
// runtime/decompiler scaffolding; the decoding proper is the handful of lines
// marked "algorithm".  a1 is the form object (this), src/key the BSTR
// arguments, a4 the result slot zeroed at entry (presumably also what v47
// points at -- the decompiler does not show the link; confirm in IDA).
// Defensive takeaway: a fixed, reversible transform keyed by a literal in the
// binary can be undone by anyone holding the executable; a registration check
// that must resist this needs a signature verified with an embedded public key.
int __stdcall UncrypStr_42C110(void *a1, void *src, wchar_t *key, wchar_t *a4)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v49 = &v26;
v50 = sub_402918;
v51 = 0;
v52 = 0;
(*(void (__stdcall **)(void *))(*(_DWORD *)a1 + 4))(a1); // vtable slot 1 on the form object (AddRef in COM layout)
v53 = 1;                    // v53: VB's current-statement counter for the error handler, not algorithmic
_vbaStrCopy(&src_1, src);   // local copies of the two string arguments
_vbaStrCopy(&key_1, key);
*(_DWORD *)a4 = 0;
v53 = 2;
_vbaOnError(0xFFFFFFFF);    // On Error Resume Next: failed conversions fall through silently
v53 = 3;
v32 = _vbaLenBstr(key_1);
key_len = (double)v32;      // counters are kept as Double, hence the _vbaFpI4 conversions below
key_index = 0.0;
v53 = 5;
v36 = 2;                    // Variant v35 = VT_I2 (type 2) holding value 2: the Mid$ length
v35[0] = 2;
v4 = rtcMidCharBstr(src_1, 1, v35); // first index starts at 1
v5 = _vbaStrMove(v38, v4, L"&H");
v6 = _vbaStrCat(v5);        // "&H" & Mid$(src, 1, 2)
v7 = _vbaStrMove(v37, v6, v26);
v31 = (__int16)_vbaI2Str(v7);   // CInt("&Hxx"): parse the first byte as hex
pre = (double)v31;          // algorithm: chain value = previous *raw* byte
_vbaFreeStrList(2, v38, v37);
_vbaFreeVar(v35);
v53 = 6;
src_index = 3.0;            // 1-based position of the second byte's hex pair
do
{
v53 = 8;
v36 = 2;
v35[0] = 2;
v8 = _vbaFpI4(v35, src_index);
v9 = rtcMidCharBstr(src_1, v8, L"&H"); // third argument is a decompiler misrender; by analogy with the first Mid$ call the length Variant v35 (= 2) is meant
v10 = _vbaStrMove(v38, v9, v26);
v11 = _vbaStrCat(v10);
v12 = _vbaStrMove(v37, v11, v26);
v30 = (__int16)_vbaI2Str(v12);
temp_src = (double)v30;     // algorithm: current raw byte
_vbaFreeStrList(2, v38, v37);
_vbaFreeVar(v35);
v53 = 9;
if ( key_index >= key_len ) // algorithm: key position cycles 1..Len(key) (1-based, Mid$ semantics)
{
v53 = 0xC;
key_index = 1.0;
}
else
{
v53 = 0xA;
key_index = key_index + 1.0;
if ( (v13 & 0xD) != 0 )     // FPU status-word check VB emits after floating-point ops; not part of the algorithm
goto LABEL_13;
}
v53 = 0xE;
v36 = 1;                    // Mid$ length 1 this time
v35[0] = 2;
v14 = _vbaFpI4(v26, temp_src);
v15 = _vbaFpI4(v35, key_index);
tmp_k = rtcMidCharBstr(key_1, v15, v25);   // Mid$(key, key_index, 1)
v17 = _vbaStrMove(v38, tmp_k, v26);
v29 = (__int16)rtcAnsiValueBstr(v17) ^ v14; // algorithm: Asc(key char) XOR raw byte
temp_xor = (double)v29;
_vbaFreeStr(v38);
_vbaFreeVar(v35);
v53 = 0xF;
if ( temp_xor > pre )       // algorithm: un-chain against the previous raw byte
{
v53 = 0x12;
temp_xor = temp_xor - pre;
if ( (v19 & 0xD) != 0 )
goto LABEL_13;
}
else
{
v53 = 0x10;
temp_xor = temp_xor + 255.0 - pre;  // wrap case uses a 255 (not 256) offset; the Python port mirrors this
if ( (v18 & 0xD) != 0 )
goto LABEL_13;
}
v53 = 0x14;
v33[2] = v43;
v33[0] = 8;                 // Variant VT_BSTR (type 8) wrapping the accumulated result string
v20 = _vbaFpI4(v26, temp_xor);
rtcVarBstrFromAnsi(v35, v20);   // Chr(temp_xor)
v21 = _vbaVarAdd(v34, v35, v33); // result = result + Chr(...): Variant "+" on two strings concatenates
v22 = _vbaStrVarMove(v21);
_vbaStrMove(&v43, v22, v26);
_vbaFreeVarList(2, v35, v34);
pre = temp_src;             // algorithm: chain on the raw byte, not on the decoded value
v53 = 0x16;
src_index = src_index + 2.0;
if ( (v23 & 0xD) != 0 )
LABEL_13:
_vbaFPException(a1, src);   // floating-point error path reached from the status-word checks above
v53 = 0x17;
v28 = _vbaLenBstr(src_1);
src_len = (double)v28;
}
while ( src_index < src_len );  // do/while: the body runs once even for a 2-char code; Mid$ then yields "" and CInt presumably fails silently under Resume Next
v53 = 0x18;
_vbaStrCopy(v47, v43);      // hand the decoded string back (v47 presumably aliases the result slot)
v26 = sub_42C52C;
_vbaFreeStr(&key_1);
_vbaFreeStr(&v43);
return _vbaFreeStr(&src_1);
py
对照 uncryp_str 反推出编码函数 encryp_str
def encryp_str(input_str: bytes, key='wenzi') -> bytes:
    """Inverse of ``uncryp_str``: produce the byte string whose hex form the
    program's UncrypStr decodes back to ``input_str``.

    The scheme is a byte-chained XOR: each plaintext byte is added to the
    previous ciphertext byte, then XORed with the cycling key character.  A
    fixed 0 byte seeds the chain.  Because the transform is reversible and the
    key is a literal in the binary, the check it backs has no secret the
    verifier does not already hold -- this is what makes the scheme weak.

    Args:
        input_str: plaintext as bytes; a ``str`` is UTF-8 encoded first.
        key: key string cycled character by character.
    Returns:
        bytearray with the seed byte followed by one ciphertext byte per
        input byte.
    """
    data = input_str.encode('utf-8') if isinstance(input_str, str) else input_str
    out = bytearray([0])  # seed: the decoder treats byte 0 as its first chain value
    for pos, plain in enumerate(data):
        chained = out[-1]  # previous ciphertext byte, i.e. the decoder's "pre"
        k = ord(key[pos % len(key)])
        cipher = ((plain + chained) ^ k) & 0xff
        # (cipher ^ k) is plain + chained mod 256; dropping below the chain byte
        # means the sum wrapped, so re-encode with the decoder's 255 offset.
        if (cipher ^ k) < chained:
            cipher = ((plain + chained - 255) ^ k) & 0xff
        out.append(cipher)
    return out
def uncryp_str(hex_src: str, key='wenzi'):
    """Python port of the binary's RJZC.UncrypStr, reconstructed from the IDA
    listing: decode a hex registration code into the string the program
    compares with the machine code.

    Byte 0 only seeds the chain.  Every following byte is XORed with the
    cycling key character and then un-chained against the previous *raw*
    byte: subtract it when the XOR result is larger, otherwise add 255 and
    subtract (the original's wrap arithmetic, kept as-is).

    Args:
        hex_src: registration code as a hex string.
        key: key string cycled character by character.
    Returns:
        the decoded text.
    Raises:
        ValueError on non-hex input, IndexError on an empty code.
    """
    raw = bytes.fromhex(hex_src)
    chain = raw[0]
    decoded = []
    for pos, cipher in enumerate(raw[1:]):
        unmasked = cipher ^ ord(key[pos % len(key)])
        if unmasked > chain:
            plain = unmasked - chain
        else:
            plain = (unmasked + 255 - chain) & 0xff
        decoded.append(chr(plain))
        chain = cipher  # chain on the raw byte, not on the decoded value
    return "".join(decoded)
def test():
    """Interactive round-trip check: read a machine code, encode it, decode the
    hex form again and print the decoded text, the equality check and the
    upper-case hex code."""
    print('input your machine_id:')
    machine_id = input()
    encoded = encryp_str(machine_id)
    decoded = uncryp_str(encoded.hex())
    report = (
        ('[-]uncryp_str:', decoded),
        ('[-]check:', machine_id == decoded),
        ('[#]key:', encoded.hex().upper()),
    )
    for label, value in report:
        print(label, value)