chap7-2.htm.primary

Encryption and Decryption: software encryption protection techniques and solutions (Pediy documents)
    <td> 
      <p><span class="p9">1. __vbaVarTstNe <br>
        <br>
        In VB5 this appears as CALL MSVBVM50!__vbaVarTstNe </span></p>
      <p><span class="p9"> After stepping in, at 0F04E351 you will see:<br>
        </span><span class="p9">push dword ptr [ebp+0c] ; push the address of the *real* serial<br>
        push dword ptr [ebp+10] ; push the address of the serial you entered</span></p>
      <p><span class="p9">Enter the command: d ebp+0c<br>
        In the data window you will see a 4-byte address stored in reversed byte order; issue D again on that address with the byte order corrected and you will see the serial number.</span></p>
    </td>
  </tr>
</table>
<br>
<table width="100%" cellspacing="0" align="center">
  <tr bgcolor="#F2FFFF"> 
    <td> 
      <p><span class="p9">2. __vbaR8Str <br>
        <br>
        In VB5 it looks like this:<br>
        </span><span class="p9">Push ebp-20<br>
        Call MSVBVM50.__vbaR8Str ; convert the string to Integer/Real<br>
        fcomp qword ptr [00401028] ; compare the values</span></p>
      <p><span class="p9">At the line fcomp qword ptr [00401028], type DL 00401028 and you will see the *real* serial #.</span></p>
      <p><span class="p9">DL displays memory as Long/real values; SoftICE defaults to DB (bytes).</span></p>
    </td>
  </tr>
</table>
<br>
<table width="100%" cellspacing="0" align="center">
  <tr bgcolor="#F2FFFF"> 
    <td> 
      <p><span class="p9">3. __vbaStrCmp <br>
        <br>
        Example:<br>
        </span></p>
      <p><span class="p9">:005BDC32 CALL [MSVBVM50!__vbaFreeVar] <br>
        :005BDC38 MOV ESI,[EBP+08]<br>
        :005BDC3B PUSH ESI<br>
        :005BDC3E CALL [ECX+00000790] &lt;-- value returned in EDX<br>
        :005BDC44 MOV EDX,[ESI+4C] &lt;-- the entered code, but reversed<br>
        :005BDC47 MOV EAX,[005E0078] &lt;-- the correct code<br>
        :005BDC4C PUSH EDX<br>
        :005BDC4D PUSH EAX &lt;-- push the arguments to __vbaStrCmp<br>
        :005BDC4E CALL [MSVBVM50!__vbaStrCmp] &lt;-- Visual Basic string compare<br>
        :005BDC54 TEST EAX,EAX &lt;-- test the comparison result<br>
        :005BDC56 JNZ 005BDC64 &lt;-- jump away if not equal </span></p>
    </td>
  </tr>
</table>
<p><font color="#0000FF"><span class="p9"><font face="Times New Roman"><a name="22"></a>2</font> 
  <font face="宋体">. Alert-window functions</font> </span></font></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">rtcBeep,&nbsp;rtcGetPresentDate&nbsp;(time&nbsp;API),&nbsp;rtcMsgBox</font> 
  </span> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">--------------------------------------------------------------------------------</font> 
  </span><span class="p9"> </span></p>
<p> </p>
<p> </p>
<p> <u><font color="#000000"><b><span class="p9"><font face="Times New Roman" color="#FF3366"><a name="3"></a>3. VB string format</font> 
  </span></b></font></u></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">In most VB programs you can set a breakpoint with bpx&nbsp;Hmemcpy, but you will soon find yourself inside the VBRUNxxx.DLL runtime library and quickly get stuck in the VB DLL; in most cases it is hard to reach the real comparison core in the EXE itself. You usually trace the program by following string clues, and you should remember that VB (VB4 and later) programs store and compare strings in wide-character format (essentially a 0x00 byte is inserted after each character).</font> </span><span class="p9"><br>
  The MultiByteToWideChar( ) function maps a character string to a wide-character 
  (Unicode) string. The character string mapped by this function is not necessarily 
  from a multibyte character set. </span></p>
<p><span class="p9">int MultiByteToWideChar( <br>
  UINT CodePage, // code page <br>
  DWORD dwFlags, // character-type options <br>
  LPCSTR lpMultiByteStr, // string to map <br>
  int cbMultiByte, // number of bytes in string <br>
  LPWSTR lpWideCharStr, // wide-character buffer <br>
  int cchWideChar // size of buffer <br>
  ); </span></p>
<p><span class="p9"><span class="p9"><font face="宋体" color="#000000">For example:</font></span></span></p>
<p> </p>
<p> <span class="p9"><span class="p9"><font face="Times New Roman" color="#000000">Original string: CRACKZ (43h 52h 41h 43h 4Bh 5Ah).</font> 
  </span></span></p>
<p> <span class="p9"><span class="p9"><font face="Times New Roman" color="#000000">Wide string format: C R A C K Z (43h 00h 52h 00h 41h 00h 43h 00h 4Bh 00h 5Ah).</font> 
  </span></span></p>
<p> </p>
<p> <span class="p9"><span class="p9"><font face="Times New Roman" color="#000000">So when you look at the string in memory under SoftICE, what you see may be: C R A C K Z</font> 
  </span></span></p>
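The two memory layouts this chapter relies on, the interleaved 00h bytes of a wide string (the CRACKZ example above) and the reversed 4-byte address seen with the D command in section 1, can be reproduced offline. The following C program is an added example, not code from the book or from any VB runtime; because MultiByteToWideChar( ) is a Win32 API, it stands in for it with a hand-written ascii_to_wide_bytes() that produces the same UTF-16LE byte pattern for ASCII input. The sample string and the address 0F04E351 are taken from the text; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Maximum bytes of wide output handled in this example. */
#define WIDE_MAX 64

/* Expand an ASCII string into the UTF-16LE byte layout a VB BSTR has in
   memory: every character is followed by a 0x00 high byte (this mimics what
   MultiByteToWideChar( ) produces for ASCII input). Returns the number of
   bytes written, or 0 if the output buffer is too small. */
size_t ascii_to_wide_bytes(const char *s, uint8_t *out, size_t out_len)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (n + 2 > out_len)
            return 0;               /* refuse to overflow the caller's buffer */
        out[n++] = (uint8_t)*s;     /* low byte: the ASCII code, e.g. 43h for 'C' */
        out[n++] = 0x00;            /* high byte: 00h for every ASCII character */
    }
    return n;
}

/* Number of bytes the wide layout of an ASCII string occupies (2 per char). */
size_t wide_len_bytes(const char *s)
{
    size_t chars = 0;
    while (s[chars] != '\0')
        chars++;
    return chars * 2;
}

/* Byte at position i of the wide layout of s, or -1 if i is out of range.
   Odd positions hold the interleaved 00h bytes the text describes. */
int wide_byte_at(const char *s, size_t i)
{
    uint8_t buf[WIDE_MAX];
    size_t n = ascii_to_wide_bytes(s, buf, sizeof buf);
    if (n == 0 || i >= n)
        return -1;
    return buf[i];
}

/* Byte i (0..3) of a 32-bit address as it appears in an x86 memory dump:
   little-endian, so the least significant byte comes first, which is why a
   stored pointer looks "reversed" in the data window. Returns -1 for bad i. */
int le_byte(uint32_t addr, int i)
{
    if (i < 0 || i > 3)
        return -1;
    return (int)((addr >> (8 * i)) & 0xFFu);
}

/* Reassemble the address from the four bytes read left to right in a dump;
   this is the "corrected order" you would type after the D command. */
uint32_t addr_from_dump(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
{
    return (uint32_t)b0 | ((uint32_t)b1 << 8) |
           ((uint32_t)b2 << 16) | ((uint32_t)b3 << 24);
}

int main(void)
{
    /* Constructed sample values: the string from the text and the address
       quoted in section 1 (0F04E351). */
    const char *s = "CRACKZ";
    uint32_t addr = 0x0F04E351u;
    uint8_t wide[WIDE_MAX];
    size_t n = ascii_to_wide_bytes(s, wide, sizeof wide);
    int i;

    printf("wide layout of %s:", s);
    for (i = 0; i < (int)n; i++)
        printf(" %02Xh", wide[i]);
    printf("\n");

    printf("address %08X as dumped:", addr);
    for (i = 0; i < 4; i++)
        printf(" %02X", le_byte(addr, i));
    printf("\n");

    printf("reassembled: %08X\n",
           addr_from_dump((uint8_t)le_byte(addr, 0), (uint8_t)le_byte(addr, 1),
                          (uint8_t)le_byte(addr, 2), (uint8_t)le_byte(addr, 3)));
    return 0;
}
```

The first dump line shows why a byte-wise view of a VB string reads "C R A C K Z" with gaps, and the second shows that the four bytes of a stored pointer must be read from right to left before they can be used as an address.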
<p> <span class="p9"><span class="p9"><font face="Times New Roman" color="#000000">In some cases you must use the DL (long real) command to see the correct numeric serial number. (SoftICE defaults to DB, byte format.)</font></span> 
  </span></p>
<p> <span class="p9"><span class="p9"><font face="Times New Roman" color="#000000"> In most cases it is fairly difficult to set the right breakpoint in VB. Once the breakpoint is set, try entering a serial number; after it runs, you should land back inside VBRUNxxx.DLL. Now check the values in the registers (EAX &amp; EBX), where the length of the string you entered is held; if you find nothing, press Ctrl+D to return to another spot in the VB DLL, keep looking, and repeat.</font> </span></span></p>
<p> <span class="p9"><span class="p9"><font face="Times New Roman" color="#000000"> Once you spot the string length in a register, step carefully and watch; if you are lucky you will find the entered string lying in a register or in nearby memory. Then scroll through SoftICE's data window with ALT+arrow keys, and you may well find the correct serial number lazily lying nearby.</font> 
  </span></span><span class="p9"> </span> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">--------------------------------------------------------------------------------</font> 
  </span></p>
<p><span class="p9"><b><font color="#FF3366"><u><a name="4"></a>4. A brief introduction to <span class="p9">oleaut32.dll</span></u></font><span class="p9"> 
  </span></b><span class="p9">(author: dr0)</span></span></p>
<p><span class="p9">When cracking VB programs, much emphasis is placed on vbrun*.dll (VB3 and VB4) and msvbvm*.dll (VB5 and VB6), but in fact a lot of a VB program's computation is done in oleaut32.dll. This DLL provides many functions for operating on VB Variant variables, mainly the VarXXX( ) family, several of which are used to compare strings and numeric values, as follows: <br>
  <br>
  Addr:77A11AAE Ord: 176 (00B0h) Name: VarCmp <br>
  Addr:77A0E5D1 Ord: 311 (0137h) Name: VarCyCmp <br>
  Addr:77A0E5F8 Ord: 312 (0138h) Name: VarCyCmpR8 <br>
  Addr:77A129CD Ord: 314 (013Ah) Name: VarBstrCmp <br>
  Addr:77A12958 Ord: 316 (013Ch) Name: VarR4CmpR8 <br>
  Addr:77A13697 Ord: 204 (00CCh) Name: VarDecCmp <br>
  Addr:77A1298B Ord: 298 (012Ah) Name: VarDecCmpR8 <br>
  <br>
  Here is a small program, RAMQuota (www.stepnet.com.au), written in VB6, which uses VarBstrCmp( ) from the list above to compare the registration code. The key instructions of that function are as follows: 
  <br>
  <br>
  :77A12A03 8B7D0C&nbsp;&nbsp;&nbsp;&nbsp; mov edi, dword ptr [ebp+0C] <br>
  :77A12A06 8B7508&nbsp;&nbsp;&nbsp;&nbsp; mov esi, dword ptr [ebp+08] <br>
  :77A12A09 8B4D10&nbsp;&nbsp;&nbsp;&nbsp; mov ecx, dword ptr [ebp+10] <br>
  :77A12A0C 33C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xor eax, eax <br>
  :77A12A0E F3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; repz <br>
  :77A12A0F 66A7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmpsw <br>
  :77A12A11 7405&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; je 77A12A18 <br>
  :77A12A13 1BC0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sbb eax, eax <br>
  :77A12A15 83D8FF
