KingCopy 2.5 algorithm analysis
Cracked by: lchhome[DFCG]
1. Language 2000 identifies the program as written in VB 5.0, with no packer. Load it in GetVBRes and find the string "你输入的注册名和注册号码不正确,请重新输入" ("The registration name and registration number you entered are incorrect, please re-enter"); change it to any ASCII marker that is easy to search for, such as "happy new year". Then load the program in W32Dasm and find "happy new year" in the string references; it sits in the block below:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463DFC(C)   the block below is jumped to from this address; right-click the reference to go there
|
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:004642E0 8B1D90D54600 mov ebx, dword ptr [0046D590]
:004642E6 B904000280 mov ecx, 80020004
:004642EB 894D90 mov dword ptr [ebp-70], ecx
:004642EE B80A000000 mov eax, 0000000A
:004642F3 894DA0 mov dword ptr [ebp-60], ecx
:004642F6 BE08000000 mov esi, 00000008
:004642FB 8D9568FFFFFF lea edx, dword ptr [ebp+FFFFFF68]
:00464301 8D4DA8 lea ecx, dword ptr [ebp-58]
:00464304 894588 mov dword ptr [ebp-78], eax
:00464307 894598 mov dword ptr [ebp-68], eax
* Possible StringData Ref from Code Obj ->"Register"
|
:0046430A C78570FFFFFF78144100 mov dword ptr [ebp+FFFFFF70], 00411478
:00464314 89B568FFFFFF mov dword ptr [ebp+FFFFFF68], esi
:0046431A FFD3 call ebx
:0046431C 8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:00464322 8D4DB8 lea ecx, dword ptr [ebp-48]
* Possible StringData Ref from Code Obj ->"happy new year "
|
:00464325 C745803C164100 mov [ebp-80], 0041163C
:0046432C 89B578FFFFFF mov dword ptr [ebp+FFFFFF78], esi

Following that reference leads back to the code around 00463DCE, the block that decides whether the failure message is shown:
:00463DCE E83DBBFCFF call 0042F910   key CALL: its result is moved into [ebp-24] and passed together with [ebp-20] to the call at 00463DE3, whose return value decides the jump; follow it in OllyDbg (OD)
:00463DD3 8BD0 mov edx, eax
:00463DD5 8D4DDC lea ecx, dword ptr [ebp-24]
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:00463DD8 FF15BCD54600 Call dword ptr [0046D5BC]
:00463DDE 8B55E0 mov edx, dword ptr [ebp-20]
:00463DE1 50 push eax
:00463DE2 52 push edx
:00463DE3 FFD6 call esi
* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
|
:00463DE5 8B1DF8D54600 mov ebx, dword ptr [0046D5F8]
:00463DEB 8BF0 mov esi, eax
:00463DED F7DE neg esi
:00463DEF 1BF6 sbb esi, esi
:00463DF1 8D4DDC lea ecx, dword ptr [ebp-24]
:00463DF4 46 inc esi
:00463DF5 F7DE neg esi
:00463DF7 FFD3 call ebx
:00463DF9 6685F6 test si, si
:00463DFC 0F84DE040000 je 004642E0   taken (to the failure message) when the call at 00463DE3 returned nonzero: neg/sbb/inc/neg turns a zero return into VB True (-1) and anything else into False (0); read upward from here
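Two mechanics behind that listing, as an added Python example that is not part of the original write-up: what W32Dasm's "Possible StringData Ref" really is (a 32-bit immediate in the code equal to the virtual address of the UTF-16LE string, located here in a constructed stand-in for the binary rather than the real KingCopy.exe, treated as one flat mapping at the assumed default image base 0x400000), and what the neg/sbb/inc/neg sequence at 00463DEB..00463DF8 does to the return value before the je at 00463DFC.

```python
import struct

IMAGE_BASE = 0x400000  # assumed: default image base of a VB5 EXE


def vb_bstr_bytes(text: str) -> bytes:
    """VB string literals are stored as UTF-16LE; W32Dasm decodes these for
    its 'Possible StringData Ref' annotations. The 4-byte BSTR length prefix
    sits before the characters; code references point at the characters."""
    return text.encode("utf-16-le")


def find_string_refs(image: bytes, text: str, image_base: int = IMAGE_BASE) -> dict:
    """Find every UTF-16LE copy of `text` in `image`, compute its virtual
    address, and collect the offsets of every 32-bit little-endian immediate
    equal to that address, i.e. the instructions that reference the string.
    `image` is treated as one contiguous mapping starting at `image_base`
    (true for this constructed image; a real PE needs its section table to
    map file offsets to virtual addresses). Returns {string_va: [offset,...]}."""
    needle = vb_bstr_bytes(text)
    refs = {}
    pos = image.find(needle)
    while pos != -1:
        va = image_base + pos
        imm = struct.pack("<I", va)
        hits = []
        off = image.find(imm)
        while off != -1:
            hits.append(off)
            off = image.find(imm, off + 1)
        refs[va] = hits
        pos = image.find(needle, pos + 1)
    return refs


def build_toy_image() -> bytes:
    """Constructed stand-in for the binary: a zero-filled buffer holding
    "happy new year " at the offset matching 0041163C and the instruction
    'mov [ebp-80], 0041163C' (C7 45 80 3C 16 41 00) at the offset matching
    00464325, exactly as in the listing."""
    img = bytearray(0x65000)
    s = vb_bstr_bytes("happy new year ")
    img[0x1163C:0x1163C + len(s)] = s
    insn = bytes.fromhex("C74580") + struct.pack("<I", 0x41163C)
    img[0x64325:0x64325 + len(insn)] = insn
    return bytes(img)


def vb_strcmp_to_branch(eax: int) -> tuple:
    """Emulate 00463DEB..00463DFC on a 32-bit eax:
        mov esi,eax ; neg esi ; sbb esi,esi ; inc esi ; neg esi ; test si,si ; je
    neg sets CF when its operand is nonzero, so sbb esi,esi leaves -1 for any
    nonzero eax and 0 for zero; inc/neg invert that into VB True (-1) for
    eax == 0 and False (0) otherwise. Returns (signed esi, je_taken)."""
    mask = 0xFFFFFFFF
    esi = eax & mask
    cf = 1 if esi != 0 else 0
    esi = (-esi) & mask             # neg esi (CF = operand != 0)
    esi = (esi - esi - cf) & mask   # sbb esi, esi  -> -CF
    esi = (esi + 1) & mask          # inc esi
    esi = (-esi) & mask             # neg esi
    je_taken = (esi & 0xFFFF) == 0  # test si, si ; je
    signed = esi - (1 << 32) if esi & 0x80000000 else esi
    return signed, je_taken


if __name__ == "__main__":
    for va, offsets in find_string_refs(build_toy_image(), "happy new year ").items():
        print("string at %08X referenced at offsets %s" % (va, [hex(o) for o in offsets]))
    for rc in (0, 1, 0xFFFFFFFF):
        print("return %08X -> esi=%d je_taken=%s" % (rc, *vb_strcmp_to_branch(rc)))
```

The second helper is the check a practitioner wants before patching: the je at 00463DFC goes to the failure message only when the routine called at 00463DE3 returned nonzero, so inverting or NOP-ing that jump is what turns every input into an accepted one.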
Load the program in OD and set a breakpoint at 0042F910. When the registration dialog appears, enter any registration name and code and click Register; the breakpoint hits. Step from there with F8. The part of the routine shown below only normalizes the name: __vbaStrCopy copies it, rtcUcaseBstr (#527) upper-cases it, rtcTrimBstr (#519) trims spaces, and rtcStrConvVar (#622) called with 0x80 (vbFromUnicode) converts it to ANSI bytes:
0042F910 $ 55 PUSH EBP
0042F911 . 8BEC MOV EBP,ESP
0042F913 . 83EC 0C SUB ESP,0C
0042F916 . 68 762C4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0042F91B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0042F921 . 50 PUSH EAX
0042F922 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0042F929 . 81EC E4000000 SUB ESP,0E4
0042F92F . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0042F932 . 53 PUSH EBX
0042F933 . 56 PUSH ESI
0042F934 . 57 PUSH EDI
0042F935 . 33F6 XOR ESI,ESI
0042F937 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0042F93A . 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
0042F93D . C745 F8 701240>MOV DWORD PTR SS:[EBP-8],KINGCOPY.004012>
0042F944 . 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
0042F947 . 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
0042F94A . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
0042F94D . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI
0042F950 . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0042F953 . 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
0042F956 . 8975 CC MOV DWORD PTR SS:[EBP-34],ESI
0042F959 . 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
0042F95C . 8975 B8 MOV DWORD PTR SS:[EBP-48],ESI
0042F95F . 8975 A8 MOV DWORD PTR SS:[EBP-58],ESI
0042F962 . 8975 98 MOV DWORD PTR SS:[EBP-68],ESI
0042F965 . 8975 88 MOV DWORD PTR SS:[EBP-78],ESI
0042F968 . 89B5 78FFFFFF MOV DWORD PTR SS:[EBP-88],ESI
0042F96E . 89B5 68FFFFFF MOV DWORD PTR SS:[EBP-98],ESI
0042F974 . 89B5 58FFFFFF MOV DWORD PTR SS:[EBP-A8],ESI
0042F97A . 89B5 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ESI
0042F980 . FF15 44D54600 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
0042F986 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0042F989 . 50 PUSH EAX
0042F98A . FF15 28D44600 CALL DWORD PTR DS:[<&MSVBVM50.#527>] ; rtcUcaseBstr: convert the user name to upper case
0042F990 . 8B3D BCD54600 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0042F996 . 8BD0 MOV EDX,EAX
0042F998 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0042F99B . FFD7 CALL EDI ; <&MSVBVM50.__vbaStrMove>
0042F99D . 50 PUSH EAX
0042F99E . FF15 7CD34600 CALL DWORD PTR DS:[<&MSVBVM50.#519>] ; MSVBVM50.rtcTrimBstr
0042F9A4 . 8BD0 MOV EDX,EAX
0042F9A6 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0042F9A9 . FFD7 CALL EDI
0042F9AB . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0042F9AE . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
0042F9B1 . 68 80000000 PUSH 80
0042F9B6 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
0042F9B9 . 8975 CC MOV DWORD PTR SS:[EBP-34],ESI
0042F9BC . 8B35 6CD34600 MOV ESI,DWORD PTR DS:[<&MSVBVM50.#622>] ; MSVBVM50.rtcStrConvVar
0042F9C2 . 51 PUSH ECX
0042F9C3 . 52 PUSH EDX
0042F9C4 . 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
0042F9C7 . C745 B8 080000>MOV DWORD PTR SS:[EBP-48],8
0042F9CE . FFD6 CALL ESI ; <&MSVBVM50.#622>
0042F9D0 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
0042F9D3 . 50 PUSH EAX
0042F9D4 . FF15 50D34600 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>; MSVBVM50.__vbaStrVarMove
0042F9DA . 8BD0 MOV EDX,EAX
0042F9DC . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0042F9DF . FFD7 CALL EDI
0042F9E1 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0042F9E4 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0042F9E7 . 51 PUSH ECX
0042F9E8 . 52 PUSH EDX
0042F9E9 . 6A 02 PUSH 2
004
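The normalization visible at 0042F980..0042F9DF, reconstructed as an added Python example (not code from the original write-up or from KingCopy). It reproduces the VB runtime semantics a keygen author has to match, which differ from Python's defaults: UCase never changes the string length, Trim removes only spaces, and StrConv(..., vbFromUnicode) yields ANSI bytes in the system code page. The code page is an assumption (cp936 for a Simplified Chinese Windows) and is therefore a parameter; what the routine does with the bytes after the listing breaks off is not shown and is not guessed here.

```python
def vb_ucase(s: str) -> str:
    """UCase (rtcUcaseBstr, MSVBVM50 #527): upper-case character by character.
    VB never changes the string length, so characters whose Python upper form
    expands (e.g. 'ß' -> 'SS') are left unchanged; digits and CJK characters
    are untouched."""
    out = []
    for ch in s:
        up = ch.upper()
        out.append(up if len(up) == 1 else ch)
    return "".join(out)


def vb_trim(s: str) -> str:
    """Trim (rtcTrimBstr, #519): strips only leading and trailing spaces
    (chr 32), not tabs or line breaks, unlike Python's str.strip()."""
    return s.strip(" ")


def vb_from_unicode(s: str, codepage: str) -> bytes:
    """StrConv(s, vbFromUnicode) (rtcStrConvVar, #622, with the 0x80 flag
    pushed at 0042F9B1): re-encode the UTF-16 string into the system ANSI
    code page, one byte per ASCII character but two per CJK character.
    The code page is an assumption about the target system."""
    return s.encode(codepage)


def normalize_name(name: str, codepage: str = "cp936") -> bytes:
    """Order taken from the listing: copy, UCase into [EBP-30], Trim into
    [EBP-34], StrConv into the Variant at [EBP-58] and then into [EBP-28]."""
    return vb_from_unicode(vb_trim(vb_ucase(name)), codepage)


if __name__ == "__main__":
    for sample in ("  lchhome ", "straße 1", "中文"):
        print(repr(sample), "->", normalize_name(sample))
```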

