系统 : Windows xp

程序 : BJCM10B

程序下载地址 :http://pan.baidu.com/s/1dFyXe29

要求 : 编写注册机

使用工具 : OD

可在看雪论坛中查找关于此程序的破文:传送门

 

这个小程序本身算法不难,就是vb的函数调用方式真的太奇葩了,容易看得一头雾水。

直接根据“good job, tell me how you do that!”字串找出关键算法:

 

; Fetch the user-name string into [ebp-2C] and check its length.
; NOTE(review): edi is used below as if it held 0; it is set before this excerpt starts - confirm.
00404563   .  FFD3          call    ebx                                       ;  (initial cpu selection); <&MSVBVM60.__vbaObjSet>
00404565   .  8B08          mov     ecx, dword ptr [eax]
00404567   .  8D55 D4       lea     edx, dword ptr [ebp-2C]
0040456A   .  52            push    edx
0040456B   .  50            push    eax
0040456C   .  8985 44FFFFFF mov     dword ptr [ebp-BC], eax
; Virtual call through the object's vtable; the out-parameter is [ebp-2C].
00404572   .  FF91 A0000000 call    dword ptr [ecx+A0]
; When the returned status is below edi, it is handed to __vbaHresultCheckObj; otherwise that call is skipped.
00404578   .  3BC7          cmp     eax, edi
0040457A   .  DBE2          fclex
0040457C   .  7D 18         jge     short 00404596
0040457E   .  8B8D 44FFFFFF mov     ecx, dword ptr [ebp-BC]
00404584   .  68 A0000000   push    0A0
00404589   .  68 00304000   push    00403000
0040458E   .  51            push    ecx
0040458F   .  50            push    eax
00404590   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
00404596   >  8B55 D4       mov     edx, dword ptr [ebp-2C]                   ;  user-name string
00404599   .  52            push    edx                                       ; /String
0040459A   .  FF15 10104000 call    dword ptr [<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
004045A0   .  33C9          xor     ecx, ecx
004045A2   .  83F8 02       cmp     eax, 2                                    ;  is the length at least 2?
; setl/neg turn the comparison into a flag: ecx = -1 when the length is below 2, else 0.
004045A5   .  0F9CC1        setl    cl
004045A8   .  F7D9          neg     ecx
004045AA   .  898D 3CFFFFFF mov     dword ptr [ebp-C4], ecx
; The temporary string and object reference are released before the flag is tested.
004045B0   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
004045B3   .  FF15 D0104000 call    dword ptr [<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
004045B9   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
004045BC   .  FF15 D4104000 call    dword ptr [<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
004045C2   .  66:39BD 3CFFF>cmp     word ptr [ebp-C4], di
004045C9   .  0F84 8B000000 je      0040465A                                  ;  length is acceptable: jump straight to the serial computation
; Name shorter than 2 characters: build the message-box arguments, show the box,
; free the temporaries and leave via 00404A2E (outside this excerpt).
; ebx is reloaded with __vbaVarDup on this path only.
; A Variant of type 0A holding 80020004 is VT_ERROR / DISP_E_PARAMNOTFOUND, i.e. an omitted
; optional argument; type 8 is a string (VT_BSTR).
004045CF   .  8B1D B0104000 mov     ebx, dword ptr [<&MSVBVM60.__vbaVarDup>]  ;  MSVBVM60.__vbaVarDup
004045D5   .  B9 04000280   mov     ecx, 80020004
004045DA   .  894D 90       mov     dword ptr [ebp-70], ecx
004045DD   .  B8 0A000000   mov     eax, 0A
004045E2   .  894D A0       mov     dword ptr [ebp-60], ecx
004045E5   .  BE 08000000   mov     esi, 8
004045EA   .  8D95 68FFFFFF lea     edx, dword ptr [ebp-98]
004045F0   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
004045F3   .  8945 88       mov     dword ptr [ebp-78], eax
004045F6   .  8945 98       mov     dword ptr [ebp-68], eax
004045F9   .  C785 70FFFFFF>mov     dword ptr [ebp-90], 00403070              ;  you have to enter your name!
00404603   .  89B5 68FFFFFF mov     dword ptr [ebp-98], esi
00404609   .  FFD3          call    ebx                                       ;  <&MSVBVM60.__vbaVarDup>
0040460B   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
00404611   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404614   .  C745 80 14304>mov     dword ptr [ebp-80], 00403014              ;  name must be at least two characters long!
0040461B   .  89B5 78FFFFFF mov     dword ptr [ebp-88], esi
00404621   .  FFD3          call    ebx
; Five arguments are pushed for rtcMsgBox: four Variant addresses and edi.
00404623   .  8D55 88       lea     edx, dword ptr [ebp-78]
00404626   .  8D45 98       lea     eax, dword ptr [ebp-68]
00404629   .  52            push    edx
0040462A   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
0040462D   .  50            push    eax
0040462E   .  51            push    ecx
0040462F   .  8D55 B8       lea     edx, dword ptr [ebp-48]
00404632   .  57            push    edi
00404633   .  52            push    edx
00404634   .  FF15 3C104000 call    dword ptr [<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox
; Release the four Variants used for the message box.
0040463A   .  8D45 88       lea     eax, dword ptr [ebp-78]
0040463D   .  8D4D 98       lea     ecx, dword ptr [ebp-68]
00404640   .  50            push    eax
00404641   .  8D55 A8       lea     edx, dword ptr [ebp-58]
00404644   .  51            push    ecx
00404645   .  8D45 B8       lea     eax, dword ptr [ebp-48]
00404648   .  52            push    edx
00404649   .  50            push    eax
0040464A   .  6A 04         push    4
0040464C   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaFreeVarList>]  ;  MSVBVM60.__vbaFreeVarList
00404652   .  83C4 14       add     esp, 14
00404655   .  E9 D4030000   jmp     00404A2E
; Reached when the length check passed. On this path ebx still holds __vbaObjSet
; (the reload at 004045CF is executed on the error path only).
; Two object references are obtained through [vtable+30C] and stored at [ebp-34] and [ebp-38].
0040465A   >  8B0E          mov     ecx, dword ptr [esi]
0040465C   .  56            push    esi
0040465D   .  FF91 0C030000 call    dword ptr [ecx+30C]
00404663   .  8D55 CC       lea     edx, dword ptr [ebp-34]
00404666   .  50            push    eax
00404667   .  52            push    edx
00404668   .  FFD3          call    ebx
0040466A   .  8B06          mov     eax, dword ptr [esi]
0040466C   .  56            push    esi
0040466D   .  FF90 0C030000 call    dword ptr [eax+30C]
00404673   .  8D4D C8       lea     ecx, dword ptr [ebp-38]
00404676   .  50            push    eax
00404677   .  51            push    ecx
00404678   .  FFD3          call    ebx
; The first reference is moved into a Variant of type 9 (VT_DISPATCH) at [ebp-48] and passed to
; rtcLeftCharVar with a length of 1; the result Variant is [ebp-58].
; NOTE(review): the source slots are overwritten with edi, presumably 0 - confirm.
0040467A   .  8B45 CC       mov     eax, dword ptr [ebp-34]
0040467D   .  8D55 B8       lea     edx, dword ptr [ebp-48]
00404680   .  8945 C0       mov     dword ptr [ebp-40], eax
00404683   .  6A 01         push    1
00404685   .  8D45 A8       lea     eax, dword ptr [ebp-58]
00404688   .  52            push    edx
00404689   .  50            push    eax
0040468A   .  897D CC       mov     dword ptr [ebp-34], edi
0040468D   .  C745 B8 09000>mov     dword ptr [ebp-48], 9
00404694   .  FF15 B4104000 call    dword ptr [<&MSVBVM60.#617>]              ;  MSVBVM60.rtcLeftCharVar
; Same pattern for the second reference: Variant of type 9 at [ebp-68], rtcRightCharVar with a
; length of 1, result Variant at [ebp-78].
0040469A   .  8B45 C8       mov     eax, dword ptr [ebp-38]
0040469D   .  8D4D 98       lea     ecx, dword ptr [ebp-68]
004046A0   .  6A 01         push    1
004046A2   .  8D55 88       lea     edx, dword ptr [ebp-78]
004046A5   .  51            push    ecx
004046A6   .  52            push    edx
004046A7   .  897D C8       mov     dword ptr [ebp-38], edi
004046AA   .  8945 A0       mov     dword ptr [ebp-60], eax
004046AD   .  C745 98 09000>mov     dword ptr [ebp-68], 9
004046B4   .  FF15 C0104000 call    dword ptr [<&MSVBVM60.#619>]              ;  MSVBVM60.rtcRightCharVar
; Convert both one-character results to strings, take their character codes with
; rtcAnsiValueBstr and add the two codes as 16-bit values.
004046BA   .  8B3D 80104000 mov     edi, dword ptr [<&MSVBVM60.__vbaStrVarVal>;  MSVBVM60.__vbaStrVarVal
004046C0   .  8D45 88       lea     eax, dword ptr [ebp-78]
004046C3   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
004046C6   .  50            push    eax                                       ; /String8
004046C7   .  51            push    ecx                                       ; |ARG2
004046C8   .  FFD7          call    edi                                       ; \__vbaStrVarVal
004046CA   .  50            push    eax                                       ; /String
004046CB   .  FF15 24104000 call    dword ptr [<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
004046D1   .  66:8BD0       mov     dx, ax                                    ;  the call above returned the character code
004046D4   .  8D45 A8       lea     eax, dword ptr [ebp-58]
004046D7   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
004046DA   .  50            push    eax                                       ; /String8
004046DB   .  51            push    ecx                                       ; |ARG2
004046DC   .  66:8995 26FFF>mov     word ptr [ebp-DA], dx                     ; |
004046E3   .  FFD7          call    edi                                       ; \__vbaStrVarVal
004046E5   .  50            push    eax                                       ; /String
004046E6   .  FF15 24104000 call    dword ptr [<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
004046EC   .  66:8B95 26FFF>mov     dx, word ptr [ebp-DA]
004046F3   .  8D4D D8       lea     ecx, dword ptr [ebp-28]
004046F6   .  66:03D0       add     dx, ax                                    ;  add the codes of the first and last character
004046F9   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 2
; jo leaves for 00404A9D (outside this excerpt) when the 16-bit addition overflows.
00404703   .  0F80 94030000 jo      00404A9D
; The sum is stored in a Variant of type 2 (VT_I2) at [ebp-88] and moved to [ebp-28].
00404709   .  66:8955 80    mov     word ptr [ebp-80], dx                     ;  save the result
0040470D   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
00404713   .  FF15 08104000 call    dword ptr [<&MSVBVM60.__vbaVarMove>]      ;  MSVBVM60.__vbaVarMove
; Release the temporaries used above: two strings, two object references and four Variants.
; The single add esp, 2C removes the arguments of all three list-free calls.
00404719   .  8D45 D0       lea     eax, dword ptr [ebp-30]
0040471C   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
0040471F   .  50            push    eax
00404720   .  51            push    ecx
00404721   .  6A 02         push    2
00404723   .  FF15 9C104000 call    dword ptr [<&MSVBVM60.__vbaFreeStrList>]  ;  MSVBVM60.__vbaFreeStrList
00404729   .  8D55 C8       lea     edx, dword ptr [ebp-38]
0040472C   .  8D45 CC       lea     eax, dword ptr [ebp-34]
0040472F   .  52            push    edx
00404730   .  50            push    eax
00404731   .  6A 02         push    2
00404733   .  FF15 20104000 call    dword ptr [<&MSVBVM60.__vbaFreeObjList>]  ;  MSVBVM60.__vbaFreeObjList
00404739   .  8D4D 88       lea     ecx, dword ptr [ebp-78]
0040473C   .  8D55 98       lea     edx, dword ptr [ebp-68]
0040473F   .  51            push    ecx
00404740   .  8D45 A8       lea     eax, dword ptr [ebp-58]
00404743   .  52            push    edx
00404744   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404747   .  50            push    eax
00404748   .  51            push    ecx
00404749   .  6A 04         push    4
0040474B   .  FF15 14104000 call    dword ptr [<&MSVBVM60.__vbaFreeVarList>]  ;  MSVBVM60.__vbaFreeVarList
00404751   .  83C4 2C       add     esp, 2C
; Multiply the Variant at [ebp-28] (the character-code sum) by a Variant of type 3 (VT_I4)
; holding 0F423F (999999 decimal), convert the product to a 32-bit integer with __vbaI4Var
; and keep it at [ebp-18].
00404754   .  8D55 D8       lea     edx, dword ptr [ebp-28]
00404757   .  8D85 78FFFFFF lea     eax, dword ptr [ebp-88]
0040475D   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404760   .  52            push    edx                                       ; /var18
00404761   .  50            push    eax                                       ; |var28
00404762   .  51            push    ecx                                       ; |SaveTo8
00404763   .  C745 80 3F420>mov     dword ptr [ebp-80], 0F423F                ; |
0040476A   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 3                     ; |
00404774   .  FF15 6C104000 call    dword ptr [<&MSVBVM60.__vbaVarMul>]       ; \__vbaVarMul
0040477A   .  50            push    eax                                       ;  sum * 999999 = serial number
0040477B   .  FF15 AC104000 call    dword ptr [<&MSVBVM60.__vbaI4Var>]        ;  MSVBVM60.__vbaI4Var
; The next two instructions already prepare the virtual call at 00404787.
00404781   .  8B16          mov     edx, dword ptr [esi]
00404783   .  56            push    esi
00404784   .  8945 E8       mov     dword ptr [ebp-18], eax                   ;  the computed serial number is saved here
; Obtain a second object through [vtable+2FC], read its text into [ebp-2C] (same [vtable+A0]
; call pattern as for the name) and compare that text with the empty string.
00404787   .  FF92 FC020000 call    dword ptr [edx+2FC]
0040478D   .  50            push    eax
0040478E   .  8D45 CC       lea     eax, dword ptr [ebp-34]
00404791   .  50            push    eax
00404792   .  FFD3          call    ebx
00404794   .  8BF8          mov     edi, eax
00404796   .  8D55 D4       lea     edx, dword ptr [ebp-2C]
00404799   .  52            push    edx
0040479A   .  57            push    edi
0040479B   .  8B0F          mov     ecx, dword ptr [edi]
0040479D   .  FF91 A0000000 call    dword ptr [ecx+A0]
; A negative status from the call above is handed to __vbaHresultCheckObj.
004047A3   .  85C0          test    eax, eax
004047A5   .  DBE2          fclex
004047A7   .  7D 12         jge     short 004047BB
004047A9   .  68 A0000000   push    0A0
004047AE   .  68 00304000   push    00403000
004047B3   .  57            push    edi
004047B4   .  50            push    eax
004047B5   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
004047BB   >  8B45 D4       mov     eax, dword ptr [ebp-2C]                   ;  fetch the entered password
004047BE   .  50            push    eax
004047BF   .  68 B0304000   push    004030B0                                  ;  empty string
004047C4   .  FF15 58104000 call    dword ptr [<&MSVBVM60.__vbaStrCmp>]       ;  MSVBVM60.__vbaStrCmp
; neg/sbb/inc/neg turn the __vbaStrCmp result into a flag in edi:
; -1 when the result was 0 (the strings are equal), 0 otherwise.
004047CA   .  8BF8          mov     edi, eax
004047CC   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
004047CF   .  F7DF          neg     edi
004047D1   .  1BFF          sbb     edi, edi
004047D3   .  47            inc     edi
004047D4   .  F7DF          neg     edi
004047D6   .  FF15 D0104000 call    dword ptr [<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
004047DC   .  8D4D CC       lea     ecx, dword ptr [ebp-34]
004047DF   .  FF15 D4104000 call    dword ptr [<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
; The jump is taken when the flag is 0, i.e. when the entered text is not empty.
004047E5   .  66:85FF       test    di, di
004047E8   .  0F84 81000000 je      0040486F
; Empty input: build the message-box arguments with the "wrong serial!" and "sorry, try again!"
; strings, show the box, then continue at 00404A21 (outside this excerpt).
; Same Variant layout as the name-length error: type 0A / 80020004 marks an omitted optional
; argument (VT_ERROR / DISP_E_PARAMNOTFOUND), type 8 is a string (VT_BSTR).
; esi is reused as the constant 8 here, so it no longer holds the object pointer on this path.
004047EE   .  8B3D B0104000 mov     edi, dword ptr [<&MSVBVM60.__vbaVarDup>]  ;  MSVBVM60.__vbaVarDup
004047F4   .  B9 04000280   mov     ecx, 80020004
004047F9   .  894D 90       mov     dword ptr [ebp-70], ecx
004047FC   .  B8 0A000000   mov     eax, 0A
00404801   .  894D A0       mov     dword ptr [ebp-60], ecx
00404804   .  BE 08000000   mov     esi, 8
00404809   .  8D95 68FFFFFF lea     edx, dword ptr [ebp-98]
0040480F   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
00404812   .  8945 88       mov     dword ptr [ebp-78], eax
00404815   .  8945 98       mov     dword ptr [ebp-68], eax
00404818   .  C785 70FFFFFF>mov     dword ptr [ebp-90], 004030E0              ;  wrong serial!
00404822   .  89B5 68FFFFFF mov     dword ptr [ebp-98], esi
00404828   .  FFD7          call    edi                                       ;  <&MSVBVM60.__vbaVarDup>
0040482A   .  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
00404830   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404833   .  C745 80 B8304>mov     dword ptr [ebp-80], 004030B8              ;  sorry, try again!
0040483A   .  89B5 78FFFFFF mov     dword ptr [ebp-88], esi
00404840   .  FFD7          call    edi
00404842   .  8D4D 88       lea     ecx, dword ptr [ebp-78]
00404845   .  8D55 98       lea     edx, dword ptr [ebp-68]
00404848   .  51            push    ecx
00404849   .  8D45 A8       lea     eax, dword ptr [ebp-58]
0040484C   .  52            push    edx
0040484D   .  50            push    eax
0040484E   .  8D4D B8       lea     ecx, dword ptr [ebp-48]
00404851   .  6A 00         push    0
00404853   .  51            push    ecx
00404854   .  FF15 3C104000 call    dword ptr [<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox
; The four Variant addresses are pushed again; the call that consumes them is at the jump target.
0040485A   .  8D55 88       lea     edx, dword ptr [ebp-78]
0040485D   .  8D45 98       lea     eax, dword ptr [ebp-68]
00404860   .  52            push    edx
00404861   .  8D4D A8       lea     ecx, dword ptr [ebp-58]
00404864   .  50            push    eax
00404865   .  8D55 B8       lea     edx, dword ptr [ebp-48]
00404868   .  51            push    ecx
00404869   .  52            push    edx
0040486A   .  E9 B2010000   jmp     00404A21
; Non-empty input: wrap the computed serial at [ebp-18] in a Variant of type 4003
; (VT_BYREF | VT_I4), read the entered text again into [ebp-2C], convert the serial to a
; string with rtcStrFromVar and compare the two strings with __vbaStrCmp.
; The handling of the comparison result lies after the end of this excerpt.
0040486F   >  8B0E          mov     ecx, dword ptr [esi]
00404871   .  8D45 E8       lea     eax, dword ptr [ebp-18]
00404874   .  56            push    esi
00404875   .  8945 80       mov     dword ptr [ebp-80], eax
00404878   .  C785 78FFFFFF>mov     dword ptr [ebp-88], 4003
00404882   .  FF91 FC020000 call    dword ptr [ecx+2FC]
00404888   .  8D55 CC       lea     edx, dword ptr [ebp-34]
0040488B   .  50            push    eax
0040488C   .  52            push    edx
0040488D   .  FFD3          call    ebx
0040488F   .  8BF0          mov     esi, eax
00404891   .  8D4D D4       lea     ecx, dword ptr [ebp-2C]
00404894   .  51            push    ecx
00404895   .  56            push    esi
00404896   .  8B06          mov     eax, dword ptr [esi]
00404898   .  FF90 A0000000 call    dword ptr [eax+A0]
; A negative status from the call above is handed to __vbaHresultCheckObj.
0040489E   .  85C0          test    eax, eax
004048A0   .  DBE2          fclex
004048A2   .  7D 12         jge     short 004048B6
004048A4   .  68 A0000000   push    0A0
004048A9   .  68 00304000   push    00403000
004048AE   .  56            push    esi
004048AF   .  50            push    eax
004048B0   .  FF15 2C104000 call    dword ptr [<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
004048B6   >  8D95 78FFFFFF lea     edx, dword ptr [ebp-88]
004048BC   .  52            push    edx                                       ;  the call below returns a string
004048BD   .  FF15 84104000 call    dword ptr [<&MSVBVM60.#536>]              ;  MSVBVM60.rtcStrFromVar
004048C3   .  8BD0          mov     edx, eax
004048C5   .  8D4D D0       lea     ecx, dword ptr [ebp-30]
004048C8   .  FF15 BC104000 call    dword ptr [<&MSVBVM60.__vbaStrMove>]      ;  MSVBVM60.__vbaStrMove
004048CE   .  50            push    eax
004048CF   .  8B45 D4       mov     eax, dword ptr [ebp-2C]
004048D2   .  50            push    eax                                       ;  compare the entered password with the computed serial
004048D3   .  FF15 58104000 call    dword ptr [<&MSVBVM60.__vbaStrCmp>]       ;  MSVBVM60.__vbaStrCmp

 

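整理一下上面的流程:取用户名首字符和尾字符的字符码相加,乘以 999999(即 0F423F),再用 rtcStrFromVar 转成字符串,与输入的密码做比较。校验只依赖这两个字符和一个常数,而且正确的序列号是在本机算出来之后才做比较的,所以这种校验方式强度很低。这么一段简单的功能,在MFC里可以这么写: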

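    // Re-implements the check from the listing: (code of first character + code of last
    // character) * 999999, formatted as decimal text and written to the password edit box.
    CString str;
    GetDlgItemText( IDC_EDIT_NAME,str );                    // read the user-name text from the name edit box
    int len = str.GetLength();

    if ( len >= 2 ){                                        // same minimum length as the check in the listing
        // Read each character as unsigned char: a plain char is signed with MSVC, so a byte
        // >= 0x80 would be sign-extended and give a different sum than a character code.
        // NOTE(review): a double-byte first/last character is still not handled - confirm
        // what rtcAnsiValueBstr returns for it before relying on non-ASCII names.
        // unsigned long matches the %lu conversion below (the original passed unsigned int).
        unsigned long res = ( (unsigned char)str[0] + (unsigned char)str[len-1] ) * 999999UL;

        CString PassWord;
        // The leading space is kept from the original; presumably it mirrors the text that
        // rtcStrFromVar produces for a non-negative number - confirm.
        PassWord.Format( " %lu",res );
        SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
    }
    else
        MessageBox( "用户名格式错误!" );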

再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("Keygen"));

运行效果: