幸运66软体算法分析
软体1个月试用期破解序号及方法算法
636359786
CD第2,3,4,5,7,8,9位相加=1,6的和
(10进制如3+6+3+3+5+7+8+9+31(1F)=1,6和=69)
3,9位=程式代码(如66)
------------------------------------------------
使用时不要连线网路
不用等一个月 直接变动系统日期 让他过期
要与大家讨论的是1个月过后的永久使用
已知这软件序号是17位
假码:12345678901234567
软件无加密 破解先分析代码,载入od用vb函数断点vbaLenBstr
代码简略
-----------------------------------------------------------------------------------
算法代码
; Excerpt of the serial-check routine (OllyDbg listing, 32-bit x86, VB6 runtime MSVBVM60).
; The bracket contents of the memory operands were lost in this listing; the offsets
; quoted in these comments are decoded from the opcode bytes in the second column.
;
; Save eax at [ebp-0x584]; whatever eax holds was set before this excerpt starts.
00515808 .8985 7CFAFFFF mov dword ptr ss:,eax
; Stage 1: add 15 bytes of the table at 0x0053C154 into dl. Each index comes from its
; own stack slot ([ebp-0x3CC] down to [ebp-0x404]). A carry out of the 8-bit sum jumps
; to 00516B4E (presumably the runtime overflow path; that target is not shown here).
0051580E >8B85 34FCFFFF mov eax,dword ptr ss:
00515814 .8B8D 30FCFFFF mov ecx,dword ptr ss:
0051581A .8A90 54C15300 mov dl,byte ptr ds:
00515820 .0291 54C15300 add dl,byte ptr ds:
00515826 .0F82 22130000 jb 00516B4E
0051582C .8B85 2CFCFFFF mov eax,dword ptr ss:
00515832 .0290 54C15300 add dl,byte ptr ds:
00515838 .0F82 10130000 jb 00516B4E
0051583E .8B8D 28FCFFFF mov ecx,dword ptr ss:
00515844 .0291 54C15300 add dl,byte ptr ds:
0051584A .0F82 FE120000 jb 00516B4E
00515850 .8B85 24FCFFFF mov eax,dword ptr ss:
00515856 .0290 54C15300 add dl,byte ptr ds:
0051585C .0F82 EC120000 jb 00516B4E
00515862 .8B8D 20FCFFFF mov ecx,dword ptr ss:
00515868 .0291 54C15300 add dl,byte ptr ds:
0051586E .0F82 DA120000 jb 00516B4E
00515874 .8B85 1CFCFFFF mov eax,dword ptr ss:
0051587A .0290 54C15300 add dl,byte ptr ds:
00515880 .0F82 C8120000 jb 00516B4E
00515886 .8B8D 18FCFFFF mov ecx,dword ptr ss:
0051588C .0291 54C15300 add dl,byte ptr ds:
00515892 .0F82 B6120000 jb 00516B4E
00515898 .8B85 14FCFFFF mov eax,dword ptr ss:
0051589E .0290 54C15300 add dl,byte ptr ds:
005158A4 .0F82 A4120000 jb 00516B4E
005158AA .8B8D 10FCFFFF mov ecx,dword ptr ss:
005158B0 .0291 54C15300 add dl,byte ptr ds:
005158B6 .0F82 92120000 jb 00516B4E
005158BC .8B85 0CFCFFFF mov eax,dword ptr ss:
005158C2 .0290 54C15300 add dl,byte ptr ds:
005158C8 .0F82 80120000 jb 00516B4E
005158CE .8B8D 08FCFFFF mov ecx,dword ptr ss:
005158D4 .0291 54C15300 add dl,byte ptr ds:
005158DA .0F82 6E120000 jb 00516B4E
005158E0 .8B85 04FCFFFF mov eax,dword ptr ss:
005158E6 .0290 54C15300 add dl,byte ptr ds:
005158EC .0F82 5C120000 jb 00516B4E
005158F2 .8B8D 00FCFFFF mov ecx,dword ptr ss:
005158F8 .0291 54C15300 add dl,byte ptr ds:
005158FE .0F82 4A120000 jb 00516B4E
00515904 .8B85 FCFBFFFF mov eax,dword ptr ss:
0051590A .0290 54C15300 add dl,byte ptr ds:
00515910 .0F82 38120000 jb 00516B4E
; Stage 2: widen the 8-bit sum to 16 bits, then add the word at [ecx+0x34], where ecx is
; loaded from [ebp+8] (the first stack argument). Signed overflow jumps to 00516B4E.
00515916 .66:33C0 xor ax,ax
00515919 .8AC2 mov al,dl
0051591B .8B4D 08 mov ecx,dword ptr ss:
0051591E .66:0341 34 add ax,word ptr ds:
00515922 .0F80 26120000 jo 00516B4E
; Signed 16-bit division by 0x64 (100 decimal): cwd sign-extends ax into dx:ax, idiv
; leaves the remainder in dx, which is saved at [ebp-0x2A8].
00515928 .66:99 cwd
0051592A .66:B9 6400 mov cx,64
0051592E .66:F7F9 idiv cx
00515931 .66:8995 58FDFFFF mov word ptr ss:,dx
; 0x8002 is written at [ebp-0x2B0], 8 bytes below the saved remainder. This looks like
; a Variant header tagging the remainder as a 16-bit integer.
; NOTE(review): confirm the meaning of the 0x8000 flag.
00515938 .C785 50FDFFFF 02800000 mov dword ptr ss:,8002
; Compare that Variant with the one at [ebp-0x88] through __vbaVarTstEq.
; A non-zero result branches to 00516960.
00515942 .8D95 78FFFFFF lea edx,dword ptr ss:
00515948 .52 push edx
00515949 .8D85 50FDFFFF lea eax,dword ptr ss:
0051594F .50 push eax
00515950 .FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ;MSVBVM60.__vbaVarTstEq
00515956 .0FBFC8 movsx ecx,ax
00515959 .85C9 test ecx,ecx
; Author's annotation on the next line: serial positions 1,2,3,5-14,16,17 summed,
; plus 25, divided by 0x64; the author names the result T3.
0051595B 0F85 FF0F0000 jnz 00516960---------第1+2+3+5+6+7+8+9+10+11+12+13+14+16+17位+25/64---T3
; [ebp-4] receives a fresh constant (0x21, 0x22, ...) before each step of this listing.
; Presumably this is the VB statement index kept for error reporting; confirm.
;
; Second equality test: the Variants at [ebp-0xA8] and [ebp-0x60] go through
; __vbaVarTstEq. A non-zero result branches to 00516960.
00515961 .C745 FC 21000000 mov dword ptr ss:,21
00515968 .8D95 58FFFFFF lea edx,dword ptr ss:
0051596E .52 push edx
0051596F .8D45 A0 lea eax,dword ptr ss:
00515972 .50 push eax
00515973 .FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ;MSVBVM60.__vbaVarTstEq
00515979 .0FBFC8 movsx ecx,ax
0051597C .85C9 test ecx,ecx
0051597E 0F85 DC0F0000 jnz 00516960--
; Range-style test on the Variant at [ebp-0x78]: it is passed to __vbaVarCmpGe together
; with [ebp-0xBC] (result Variant at [ebp-0x110]) and to __vbaVarCmpLe together with
; [ebp-0xF0] (result Variant at [ebp-0x120]).
; NOTE(review): which operand acts as the bound depends on the runtime's argument
; order, which is not verified here.
00515984 .C745 FC 22000000 mov dword ptr ss:,22
0051598B .8D55 88 lea edx,dword ptr ss:
0051598E .52 push edx
0051598F .8D85 44FFFFFF lea eax,dword ptr ss:
00515995 .50 push eax
00515996 .8D8D F0FEFFFF lea ecx,dword ptr ss:
0051599C .51 push ecx
0051599D .FF15 88104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCmpGe>] ;MSVBVM60.__vbaVarCmpGe
005159A3 .50 push eax
005159A4 .8D55 88 lea edx,dword ptr ss:
005159A7 .52 push edx
005159A8 .8D85 10FFFFFF lea eax,dword ptr ss:
005159AE .50 push eax
005159AF .8D8D E0FEFFFF lea ecx,dword ptr ss:
005159B5 .51 push ecx
005159B6 .FF15 9C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCmpLe>] ;MSVBVM60.__vbaVarCmpLe
005159BC .50 push eax
; The two comparison results are combined with __vbaVarAnd (result at [ebp-0x130])
; and reduced to a Boolean by __vbaBoolVarNull. A non-zero Boolean branches to 00516960.
005159BD .8D95 D0FEFFFF lea edx,dword ptr ss:
005159C3 .52 push edx
005159C4 .FF15 68114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ;MSVBVM60.__vbaVarAnd
005159CA .50 push eax
005159CB .FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaBoolVarNul>;MSVBVM60.__vbaBoolVarNull
005159D1 .0FBFC0 movsx eax,ax
005159D4 .85C0 test eax,eax
005159D6 0F85 840F0000 jnz 00516960---
; From here on OllyDbg truncated the opcode column ("...>"), so most stack offsets
; can no longer be decoded from the bytes.
;
; [ebp-4] = 0x23. A Variant of type 0x0A holding 0x80020004 is built and passed to
; rtcFreeFile (ordinal #648). That type/value pair is the usual encoding of an omitted
; optional argument.
005159DC .C745 FC 2>mov dword ptr ss:,23
005159E3 .C785 F8FE>mov dword ptr ss:,80020004
005159ED .C785 F0FE>mov dword ptr ss:,0A
005159F7 .8D8D F0FE>lea ecx,dword ptr ss:
005159FD .51 push ecx
005159FE .FF15 D011>call dword ptr ds:[<&MSVBVM60.#648>] ;MSVBVM60.rtcFreeFile
; The 16-bit result (ax) is stored next to a type word of 2 (a 16-bit integer Variant)
; and moved into another local with __vbaVarMove; the argument Variant is then freed.
00515A04 .66:8985 4>mov word ptr ss:,ax
00515A0B .C785 40FD>mov dword ptr ss:,2
00515A15 .8D95 40FD>lea edx,dword ptr ss:
00515A1B .8D8D 68FF>lea ecx,dword ptr ss:
00515A21 .FF15 1410>call dword ptr ds:[<&MSVBVM60.__vbaVarMo>;MSVBVM60.__vbaVarMove
00515A27 .8D8D F0FE>lea ecx,dword ptr ss:
00515A2D .FF15 1C10>call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
; [ebp-4] = 0x24. Three __vbaStrCat calls join a string read from a global, the literal
; "\system32\", a second global string (the A1 load) and the literal ".dll". Each
; intermediate result is parked in a temporary through __vbaStrMove.
; NOTE(review): the contents of the two globals are not visible in this listing.
00515A33 .C745 FC 2>mov dword ptr ss:,24
00515A3A .8B15 4CC0>mov edx,dword ptr ds:
00515A40 .52 push edx
00515A41 .68 C0F840>push 0040F8C0 ;\system32\
00515A46 .FF15 5C10>call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
00515A4C .8BD0 mov edx,eax
00515A4E .8D8D 0CFF>lea ecx,dword ptr ss:
00515A54 .FF15 5812>call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
00515A5A .50 push eax
00515A5B .A1 24C253>mov eax,dword ptr ds:
00515A60 .50 push eax
00515A61 .FF15 5C10>call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
00515A67 .8BD0 mov edx,eax
00515A69 .8D8D 08FF>lea ecx,dword ptr ss:
00515A6F .FF15 5812>call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
00515A75 .50 push eax
00515A76 .68 DCF840>push 0040F8DC ;.dll
00515A7B .FF15 5C10>call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
00515A81 .8BD0 mov edx,eax
00515A83 .8D8D 04FF>lea ecx,dword ptr ss:
00515A89 .FF15 5812>call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
00515A8F .50 push eax
; __vbaFileOpen receives the assembled path, a 16-bit value converted by __vbaI2Var
; (presumably the free file number obtained above), -1 and 0x20.
; The meaning of the 0x20 mode word is not decoded here.
00515A90 .8D8D 68FF>lea ecx,dword ptr ss:
00515A96 .51 push ecx
00515A97 .FF15 B811>call dword ptr ds:[<&MSVBVM60.__vbaI2Var>;MSVBVM60.__vbaI2Var
00515A9D .50 push eax
00515A9E .6A FF push -1
00515AA0 .6A 20 push 20
00515AA2 .FF15 C811>call dword ptr ds:[<&MSVBVM60.__vbaFileO>;MSVBVM60.__vbaFileOpen
; Release the three string temporaries: count 3 plus three pointers, and the caller
; cleans the stack (add esp,10).
00515AA8 .8D95 04FF>lea edx,dword ptr ss:
00515AAE .52 push edx
00515AAF .8D85 08FF>lea eax,dword ptr ss:
00515AB5 .50 push eax
00515AB6 .8D8D 0CFF>lea ecx,dword ptr ss:
00515ABC .51 push ecx
00515ABD .6A 03 push 3
00515ABF .FF15 F411>call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
00515AC5 .83C4 10 add esp,10
; [ebp-4] = 0x25. Two 16-bit integer Variants (type 2), each holding 0x64, are laid out.
00515AC8 .C745 FC 2>mov dword ptr ss:,25
00515ACF .C785 58FD>mov dword ptr ss:,64
00515AD9 .C785 50FD>mov dword ptr ss:,2
00515AE3 .C785 48FD>mov dword ptr ss:,64
00515AED .C785 40FD>mov dword ptr ss:,2
; First value pushed for the read: a 16-bit number taken from a Variant with __vbaI2Var
; (presumably the file number opened above).
00515AF7 .8D95 68FF>lea edx,dword ptr ss:
00515AFD .52 push edx
00515AFE .FF15 B811>call dword ptr ds:[<&MSVBVM60.__vbaI2Var>;MSVBVM60.__vbaI2Var
00515B04 .50 push eax
; Second value: the Variant at [ebp-0x60] multiplied by 0x64 (__vbaVarMul), plus 0x64
; (__vbaVarAdd), converted to a 32-bit integer by __vbaI4Var.
; NOTE(review): this looks like a record position; confirm against __vbaGet4's signature.
00515B05 .8D45 A0 lea eax,dword ptr ss:
00515B08 .50 push eax
00515B09 .8D8D 50FD>lea ecx,dword ptr ss:
00515B0F .51 push ecx
00515B10 .8D95 F0FE>lea edx,dword ptr ss:
00515B16 .52 push edx
00515B17 .FF15 7411>call dword ptr ds:[<&MSVBVM60.__vbaVarMu>;MSVBVM60.__vbaVarMul
00515B1D .50 push eax
00515B1E .8D85 40FD>lea eax,dword ptr ss:
00515B24 .50 push eax
00515B25 .8D8D E0FE>lea ecx,dword ptr ss:
00515B2B .51 push ecx
00515B2C .FF15 2C12>call dword ptr ds:[<&MSVBVM60.__vbaVarAd>;MSVBVM60.__vbaVarAdd
00515B32 .50 push eax
00515B33 .FF15 2412>call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;MSVBVM60.__vbaI4Var
00515B39 .50 push eax
; __vbaGet4 is called with the buffer address 0x0053C1B8 and the constant 0x64.
; The later bounds checks against 0x64 suggest a 100-byte buffer; confirm.
00515B3A .68 B8C153>push 0053C1B8
00515B3F .6A 64 push 64
00515B41 .FF15 1C11>call dword ptr ds:[<&MSVBVM60.__vbaGet4>>;MSVBVM60.__vbaGet4
00515B47 .8D8D E0FE>lea ecx,dword ptr ss:
00515B4D .FF15 1C10>call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
; [ebp-4] = 0x26: copy the string constant at 0040DF9C into the local string at [ebp-0x68].
00515B53 .C745 FC 2>mov dword ptr ss:,26
00515B5A .BA 9CDF40>mov edx,0040DF9C
00515B5F .8D4D 98 lea ecx,dword ptr ss:
00515B62 .FF15 F011>call dword ptr ds:[<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
; [ebp-4] = 0x27: set up a Variant For loop whose counter lives at [ebp-0x50].
; Three 16-bit integer Variants are built with the values 1, 0x27 and 0x1F.
; NOTE(review): with the stdcall push order these would be step, limit and start
; (0x1F to 0x27, step 1); confirm against __vbaVarForInit's signature.
00515B68 .C745 FC 2>mov dword ptr ss:,27
00515B6F .C785 58FD>mov dword ptr ss:,1
00515B79 .C785 50FD>mov dword ptr ss:,2
00515B83 .C785 48FD>mov dword ptr ss:,27
00515B8D .C785 40FD>mov dword ptr ss:,2
00515B97 .C785 38FD>mov dword ptr ss:,1F
00515BA1 .C785 30FD>mov dword ptr ss:,2
00515BAB .8D95 50FD>lea edx,dword ptr ss:
00515BB1 .52 push edx
00515BB2 .8D85 40FD>lea eax,dword ptr ss:
00515BB8 .50 push eax
00515BB9 .8D8D 30FD>lea ecx,dword ptr ss:
00515BBF .51 push ecx
00515BC0 .8D95 BCFB>lea edx,dword ptr ss:
00515BC6 .52 push edx
00515BC7 .8D85 CCFB>lea eax,dword ptr ss:
00515BCD .50 push eax
00515BCE .8D4D B0 lea ecx,dword ptr ss:
00515BD1 .51 push ecx
00515BD2 .FF15 9410>call dword ptr ds:[<&MSVBVM60.__vbaVarFo>;MSVBVM60.__vbaVarForInit
; The "continue" flag returned in eax is saved; control goes to the loop test at 00515D8B.
00515BD8 .8985 38FB>mov dword ptr ss:,eax
00515BDE .E9 A80100>jmp 00515D8B
; ---- loop body (00515BE3) ----
; [ebp-4] = 0x28: wrap the running string ([ebp-0x68]) and the constant at 0040DECC
; (OllyDbg shows "0") as string Variants (type 8); the latter is duplicated with __vbaVarDup.
00515BE3 >C745 FC 2>mov dword ptr ss:,28
00515BEA .8B55 98 mov edx,dword ptr ss:
00515BED .8995 38FD>mov dword ptr ss:,edx
00515BF3 .C785 30FD>mov dword ptr ss:,8
00515BFD .C785 48FD>mov dword ptr ss:,0040DECC ;0
00515C07 .C785 40FD>mov dword ptr ss:,8
00515C11 .8D95 40FD>lea edx,dword ptr ss:
00515C17 .8D8D F0FE>lea ecx,dword ptr ss:
00515C1D .FF15 3412>call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup
; index = counter - 1, checked unsigned against 0x64: jnb routes out-of-range values
; to __vbaGenerateBoundsError.
00515C23 .8D45 B0 lea eax,dword ptr ss:
00515C26 .50 push eax
00515C27 .FF15 2412>call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;MSVBVM60.__vbaI4Var
00515C2D .83E8 01 sub eax,1
00515C30 .8985 34FC>mov dword ptr ss:,eax
00515C36 .83BD 34FC>cmp dword ptr ss:,64
00515C3D .73 0C jnb short 00515C4B
00515C3F .C785 78FA>mov dword ptr ss:,0
00515C49 .EB 0C jmp short 00515C57
00515C4B >FF15 1011>call dword ptr ds:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00515C51 .8985 78FA>mov dword ptr ss:,eax
; Pointer = 0x0053C1B8 + index, tagged 0x4011 (a by-reference byte Variant).
; rtcVarFromFormatVar (ordinal #660) formats that byte with the duplicated "0" string.
00515C57 >8B8D 34FC>mov ecx,dword ptr ss:
00515C5D .81C1 B8C1>add ecx,0053C1B8
00515C63 .898D 58FD>mov dword ptr ss:,ecx
00515C69 .C785 50FD>mov dword ptr ss:,4011
00515C73 .6A 01 push 1
00515C75 .6A 01 push 1
00515C77 .8D95 F0FE>lea edx,dword ptr ss:
00515C7D .52 push edx
00515C7E .8D85 50FD>lea eax,dword ptr ss:
00515C84 .50 push eax
00515C85 .8D8D E0FE>lea ecx,dword ptr ss:
00515C8B .51 push ecx
00515C8C .FF15 6410>call dword ptr ds:[<&MSVBVM60.#660>] ;MSVBVM60.rtcVarFromFormatVar
; The formatted text is joined with the running string (__vbaVarAdd) and the result is
; stored back into [ebp-0x68].
00515C92 .8D95 30FD>lea edx,dword ptr ss:
00515C98 .52 push edx
00515C99 .8D85 E0FE>lea eax,dword ptr ss:
00515C9F .50 push eax
00515CA0 .8D8D D0FE>lea ecx,dword ptr ss:
00515CA6 .51 push ecx
00515CA7 .FF15 2C12>call dword ptr ds:[<&MSVBVM60.__vbaVarAd>;MSVBVM60.__vbaVarAdd
00515CAD .50 push eax
00515CAE .FF15 2810>call dword ptr ds:[<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarMove
00515CB4 .8BD0 mov edx,eax
00515CB6 .8D4D 98 lea ecx,dword ptr ss:
00515CB9 .FF15 5812>call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
; Free the three Variant temporaries (count 3; caller cleans the stack).
00515CBF .8D95 D0FE>lea edx,dword ptr ss:
00515CC5 .52 push edx
00515CC6 .8D85 E0FE>lea eax,dword ptr ss:
00515CCC .50 push eax
00515CCD .8D8D F0FE>lea ecx,dword ptr ss:
00515CD3 .51 push ecx
00515CD4 .6A 03 push 3
00515CD6 .FF15 3810>call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00515CDC .83C4 10 add esp,10
; [ebp-4] = 0x29: counter - 1 is computed twice more, each time with its own bounds
; check against 0x64, giving a source index and a destination index.
00515CDF .C745 FC 2>mov dword ptr ss:,29
00515CE6 .8D55 B0 lea edx,dword ptr ss:
00515CE9 .52 push edx
00515CEA .FF15 2412>call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;MSVBVM60.__vbaI4Var
00515CF0 .83E8 01 sub eax,1
00515CF3 .8985 30FC>mov dword ptr ss:,eax
00515CF9 .83BD 30FC>cmp dword ptr ss:,64
00515D00 .73 0C jnb short 00515D0E
00515D02 .C785 74FA>mov dword ptr ss:,0
00515D0C .EB 0C jmp short 00515D1A
00515D0E >FF15 1011>call dword ptr ds:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00515D14 .8985 74FA>mov dword ptr ss:,eax
00515D1A >8D45 B0 lea eax,dword ptr ss:
00515D1D .50 push eax
00515D1E .FF15 2412>call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;MSVBVM60.__vbaI4Var
00515D24 .83E8 01 sub eax,1
00515D27 .8985 34FC>mov dword ptr ss:,eax
00515D2D .83BD 34FC>cmp dword ptr ss:,64
00515D34 .73 0C jnb short 00515D42
00515D36 .C785 70FA>mov dword ptr ss:,0
00515D40 .EB 0C jmp short 00515D4E
00515D42 >FF15 1011>call dword ptr ds:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00515D48 .8985 70FA>mov dword ptr ss:,eax
; One byte is copied per iteration: al = [edx + disp], then [ecx + disp] = al.
; The truncated opcode bytes begin B8C1 and 54C1, which matches the buffer 0x0053C1B8
; and the table 0x0053C154 used earlier. NOTE(review): confirm the full addresses.
00515D4E >8B8D 34FC>mov ecx,dword ptr ss:
00515D54 .8B95 30FC>mov edx,dword ptr ss:
00515D5A .8A82 B8C1>mov al,byte ptr ds:
00515D60 .8881 54C1>mov byte ptr ds:,al
; [ebp-4] = 0x2A: __vbaVarForNext advances the counter; a non-zero result loops back
; to 00515BE3.
00515D66 .C745 FC 2>mov dword ptr ss:,2A
00515D6D .8D8D BCFB>lea ecx,dword ptr ss:
00515D73 .51 push ecx
00515D74 .8D95 CCFB>lea edx,dword ptr ss:
00515D7A .52 push edx
00515D7B .8D45 B0 lea eax,dword ptr ss:
00515D7E .50 push eax
00515D7F .FF15 8812>call dword ptr ds:[<&MSVBVM60.__vbaVarFo>;MSVBVM60.__vbaVarForNext
00515D85 .8985 38FB>mov dword ptr ss:,eax
00515D8B >83BD 38FB>cmp dword ptr ss:,0
00515D92 .^ 0F85 4BFE>jnz 00515BE3
; [ebp-4] = 0x2B: __vbaStrCmp compares the string assembled in [ebp-0x68] with a second
; local string (its offset is truncated in the listing). __vbaStrCmp returns 0 for equal
; strings, so the jnz to 00516953 is taken when they differ.
00515D98 .C745 FC 2>mov dword ptr ss:,2B
00515D9F .8B8D 40FF>mov ecx,dword ptr ss:
00515DA5 .51 push ecx
00515DA6 .8B55 98 mov edx,dword ptr ss:
00515DA9 .52 push edx
00515DAA .FF15 1811>call dword ptr ds:[<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp
00515DB0 .85C0 test eax,eax
00515DB2 .0F85 9B0B>jnz 00516953---------------------------
; [ebp-4] = 0x2C: three 16-bit integer Variants (1, 0x14, 1) are laid out in the same
; slots as for the earlier loop setup. The listing stops before any call, so what they
; feed is not shown.
00515DB8 .C745 FC 2>mov dword ptr ss:,2C
00515DBF .C785 58FD>mov dword ptr ss:,1
00515DC9 .C785 50FD>mov dword ptr ss:,2
00515DD3 .C785 48FD>mov dword ptr ss:,14
00515DDD .C785 40FD>mov dword ptr ss:,2
00515DE7 .C785 38FD>mov dword ptr ss:,1
00515DF1 .C785 30FD>mov dword ptr ss:,2
00515DFB .8D85 50FD>lea eax,dword ptr ss:
bpx__vbaVarTstEq
以下是软件验证处
位址 模组 启动 反组译 注解
00515A20 Luck66 始终 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]
00515A43 Luck66 始终 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]
00515A9B Luck66 始终 call dword ptr ds:[<&MSVBVM60.__vbaBoolVarNull>]
00515E7A Luck66 始终 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>]
0051605A Luck66 始终 call dword ptr ds:[<&MSVBVM60.__vbaVarTstGt>]
005166F5 Luck66 始终 call dword ptr ds:[<&MSVBVM60.__vbaVarTstGt>]
------------------------------------
假码 12345678901234567
取5,11位数相反...15--------?
取13,17位数......37---------?
取4,15位数......45--验证余数
取3,16位数相反...63--验证是否与程式代号相同
第1+2+3+5+6+7+8+9+10+11+12+13+14+16+17位+25/64---T3
取636359786(1个月试用期间的真序号)...设T4
取假码第12.10.16.2.6.7.9.14.3位合并成.....636359786----设为T2
---------------------------------------------------------------------
总结:
1. T3 除以 64h(即十进制 100)所得的余数,与第4、15位组成的数相等
2. 假码第3、16位两位数字顺序颠倒后,与程式代号 66(Luck66)相等
3.T4与T2字串比较
第4-6项验证的分析,就要麻烦各位前辈了