一篇vb p-code 的破解

[psac]

XXXXX2.2 破解筆記
======================
sunrix, 2002-9-27

軟體名稱：XXXXX
軟體版本：2.2
軟體簡介：五筆打字練習軟體
保護方式：註冊碼，一機一碼
開發語言：VB6,P-Code
破解工具：WKTVBDebugger 1.4e

主程序是<XXXXX.exe>，未壓縮，用peid檢測後報告是VB6。簡單反彙編後
可知編譯成p-code。用WKTVBDebugger 1.4e啟動程序，在form manager的下拉框
中選項goumain這個form(它就是註冊對話視窗的form拉，我怎麼知道的？
goumai是什麼的拼音，「購買」嗎，就是要你出錢註冊羅，呵呵，蒙對了),然後點
<command>按鈕，在下拉框中選項<command2>,就是註冊對話視窗上的<註冊>按鈕拉
(我試出來的)，點中bpx設定斷點。或者也可以直接在WKT的on execution裡輸入
位址：51AD8C下斷點。按F5執行程序，進入註冊對話視窗，隨便輸入一個註冊碼後
點<註冊>按鈕，WKT獲得控制權：

Proc: 51c194

51AD8C: 00 LargeBos ;LargeBos表示是一行VB來源碼的開頭
;從當前LargeBos到下一個LargeBos之間的程式碼是從一行來源碼編譯過來的
51AD8E: 00 LargeBos

on error resume next

51AD90: 4b OnErrorGoto

======================= 干擾程式碼 begin ===========================================
local_008C = 3000

51AD93: 00 LargeBos
51AD95: f5 LitI4: 0xbb8 3000 (....) ;Lit 代表Literal，表示是裝入立即數
51AD9A: 71 FStR4 local_008C ;local_008c代表[ebp-8c]
上面這2句的意思是：long [ebp-8c] = 3000

Randomize
51AD9D: 00 LargeBos
51AD9F: 27 LitVar_Missing ;LitVar_Missing表示可選參數未賦值
51ADA2: 0a ImpAdCallFPR4: ;rtcRandomize
51ADA7: 35 FFree1Var local_00B0

dim local_0086 as integer
local_0086 = int(24*Rnd+1) ;1-24之間的一個隨機數
51ADAA: 00 LargeBos
51ADAC: 27 LitVar_Missing
51ADAF: 0a ImpAdCallFPR4: ;rtcRandomNext
51ADB4: 73 FStFPR4

51ADB7: f4 LitI2_Byte: 0x18 24 (.) ;字元立即數
51ADB9: eb CR8I2 ;轉換成Double
51ADBA: 6e FLdFPR4
51ADBD: b3 MulR8
51ADBE: Lead0/e6 FnIntR8

51ADC0: f4 LitI2_Byte: 0x1 1 (.)
51ADC2: eb CR8I2
51ADC3: ab AddR8
51ADC4: e5 CI2R8
51ADC5: 70 FStI2 local_0086
51ADC8: 35 FFree1Var local_00B0

dim local_00B6 as integer
local_00B6 = local_0086

51ADCB: 00 LargeBos
51ADCD: 6b FLdI2 local_0086
51ADD0: 70 FStI2 local_00B6

select case local_00B6
case 1

51ADD3: 00 LargeBos
51ADD5: 6b FLdI2 local_00B6
51ADD8: f4 LitI2_Byte: 0x1 1 (.)
51ADDA: c6 EqI2
51ADDB: 1c BranchF: 51AE13
51ADDE: 00 LargeBos
51ADE0: 6c ILdRf local_008C
51ADE3: 71 FStR4 local_0090
51ADE6: 00 LargeBos
51ADE8: 6c ILdRf local_008C
51ADEB: f5 LitI4: 0x168 360 (...h)
51ADF0: aa AddI4
51ADF1: 71 FStR4 local_0090
51ADF4: 00 LargeBos
51ADF6: 6c ILdRf local_008C
51ADF9: f5 LitI4: 0x2d0 720 (....)
51ADFE: aa AddI4
51ADFF: 71 FStR4 local_0090
51AE02: 00 LargeBos
51AE04: 6c ILdRf local_008C
51AE07: f5 LitI4: 0x438 1080 (...8)
51AE0C: aa AddI4
51AE0D: 71 FStR4 local_0090
51AE10: 1e Branch: 51b3d0

case 2

51AE13: 00 LargeBos
51AE15: 6b FLdI2 local_00B6
51AE18: f4 LitI2_Byte: 0x2 2 (.)
51AE1A: c6 EqI2
51AE1B: 1c BranchF: 51AE53
51AE1E: 00 LargeBos
51AE20: 6c ILdRf local_008C
51AE23: 71 FStR4 local_0090
51AE26: 00 LargeBos
51AE28: 6c ILdRf local_008C
51AE2B: f5 LitI4: 0x168 360 (...h)
51AE30: aa AddI4
51AE31: 71 FStR4 local_0090
51AE34: 00 LargeBos
51AE36: 6c ILdRf local_008C
51AE39: f5 LitI4: 0x2d0 720 (....)
51AE3E: aa AddI4
51AE3F: 71 FStR4 local_0090
51AE42: 00 LargeBos
51AE44: 6c ILdRf local_008C
51AE47: f5 LitI4: 0x438 1080 (...8)
51AE4C: aa AddI4
51AE4D: 71 FStR4 local_0090
51AE50: 1e Branch: 51b3d0
省略：case 3 - case 23

case 24
51B393: 00 LargeBos
51B395: 6b FLdI2 local_00B6
51B398: f4 LitI2_Byte: 0x18 24 (.)
51B39A: c6 EqI2
51B39B: 1c BranchF: 51B3D0
51B39E: 00 LargeBos
51B3A0: 6c ILdRf local_008C
51B3A3: 71 FStR4 local_0090
51B3A6: 00 LargeBos
51B3A8: 6c ILdRf local_008C
51B3AB: f5 LitI4: 0x168 360 (...h)
51B3B0: aa AddI4
51B3B1: 71 FStR4 local_0090
51B3B4: 00 LargeBos
51B3B6: 6c ILdRf local_008C
51B3B9: f5 LitI4: 0x2d0 720 (....)
51B3BE: aa AddI4
51B3BF: 71 FStR4 local_0090
51B3C2: 00 LargeBos
51B3C4: 6c ILdRf local_008C
51B3C7: f5 LitI4: 0x438 1080 (...8)
51B3CC: aa AddI4
51B3CD: 71 FStR4 local_0090

end select
======================= 干擾程式碼 end ===========================================

從51AD9D到此處是無意義的干擾程式碼，類似程式碼後面又出現了兩次，將之刪去

dim temp as variant
temp = StrReverse(CStr(CLng(Text5.Text)/1022)) ;真註冊碼

一開始我認為text5就是註冊對話視窗上顯示機器碼的textbox，可是跟蹤時發現
從text5取到的text和顯示的機器碼不同，覺得不能理解。後來用spy看了看
註冊對話視窗上顯示機器碼的textbox，發現它的caption是text4，噢，可能
text5是一個隱藏的textbox，這一點通過wktvbdebugger的form manager得到
驗證。開啟wktvbdebugger的form manager，選項goumai，然後點textbox，點上面的下拉框，哇，裡面
有6個textbox,可是在註冊對話視窗可以看到的只有2個，隱藏了這麼多，背地裡
幹什麼壞事：)

想一想就知道，text5.text是機器碼變換得到的。在哪裡變換，怎麼變換先不管它。

51B3D0: 00 LargeBos
51B3D2: 00 LargeBos
51B3D4: 04 FLdRfVar local_00D0
51B3D7: 21 FLdPrThis
51B3D8: 0f VCallAd (object 8 ) ;text5
51B3DB: 19 FStAdFunc local_00CC
51B3DE: 08 FLdPr local_00CC
51B3E1: 0d VCallHresult
51B3E6: 6c ILdRf local_00D0
51B3E9: 50 CI4Str
51B3EA: f5 LitI4: 0x3fe 1022 (....)
51B3EF: c0 IDvI4
51B3F0: Lead0/fe CStrI4
51B3F2: 23 FStStrNoPop local_00D4
51B3F5: 0b ImpAdCallI2 rtcStrReverse
51B3FA: 46 CVarStr local_00B0

===== 執行完上面這條pcode後，WKT會在log視窗顯示出真註冊碼,別猶豫了，趕緊記下來吧：) ====

51B3FD: Lead1/f6 FStVar
51B401: 32 FFreeStr
51B408: 1a FFree1Ad local_00CC

if Left(Text1.Text,Len(StrReverse(CStr(CLng(Text5.Text)/1022)))
= StrReverse(CStr(CLng(Text5.Text)/1022))

51B40B: 00 LargeBos
51B40D: 04 FLdRfVar local_00D0
51B410: 21 FLdPrThis
51B411: 0f VCallAd (object e ) ;text1
51B414: 19 FStAdFunc local_00CC
51B417: 08 FLdPr local_00CC
51B41A: 0d VCallHresult
51B41F: 04 FLdRfVar local_00D4
51B422: 21 FLdPrThis
51B423: 0f VCallAd (object 8 ) ;text5
51B426: 19 FStAdFunc local_00D8
51B429: 08 FLdPr local_00D8
51B42C: 0d VCallHresult
51B431: 6c ILdRf local_00D4
51B434: 50 CI4Str
51B435: f5 LitI4: 0x3fe 1022 (....)
51B43A: c0 IDvI4
51B43B: Lead0/fe CStrI4
51B43D: 23 FStStrNoPop local_00DC
51B440: 0b ImpAdCallI2 rtcStrReverse
51B445: 23 FStStrNoPop local_00E0
51B448: 4a FnLenStr

51B449: 3e FLdZeroAd local_00D0
51B44C: 46 CVarStr local_00B0 ;->輸入的註冊碼
51B44F: 04 FLdRfVar local_00F0
51B452: 0a ImpAdCallFPR4: ;rtcLeftCharVar

51B457: 04 FLdRfVar local_00F0
51B45A: 04 FLdRfVar local_00F8
51B45D: 21 FLdPrThis
51B45E: 0f VCallAd (object 8 ) ;Text5
51B461: 19 FStAdFunc local_00F4
51B464: 08 FLdPr local_00F4
51B467: 0d VCallHresult
51B46C: 6c ILdRf local_00F8
51B46F: 50 CI4Str
51B470: f5 LitI4: 0x3fe 1022 (....)
51B475: c0 IDvI4
51B476: Lead0/fe CStrI4
51B478: 23 FStStrNoPop local_00FC
51B47B: 0b ImpAdCallI2 rtcStrReverse
51B480: 46 CVarStr local_010C
51B483: 5d HardType
51B484: Lead0/33 EqVarBool ;比較真註冊碼與輸入的註冊碼!
51B486: 32 FFreeStr
51B493: 29 FFreeAd:
51B49C: 36 FFreeVar
51B4A5: 1c BranchF: 51C179

無意義的干擾程式碼,同上，刪去

SaveSetting "wbreg","wbregfile","wbregfilename",註冊碼

在註冊表中儲存註冊碼：
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wbreg\wbregfile]
"wbregfilename"=註冊碼


51BAE5: 00 LargeBos
51BAE7: 00 LargeBos
51BAE9: 04 FLdRfVar local_00D0
51BAEC: 21 FLdPrThis
51BAED: 0f VCallAd (object e )
51BAF0: 19 FStAdFunc local_00CC
51BAF3: 08 FLdPr local_00CC
51BAF6: 0d VCallHresult
51BAFB: 6c ILdRf local_00D0
51BAFE: 0b ImpAdCallI2
51BB03: 23 FStStrNoPop local_00D4

51BB06: 1b LitStr: "wbregfilename"
51BB09: 1b LitStr: "wbregfile"
51BB0C: 1b LitStr: "wbreg"
51BB0F: 0a ImpAdCallFPR4: rtcSaveSetting
51BB14: 32 FFreeStr
51BB1B: 1a FFree1Ad local_00CC

提示註冊成功

51BB1E: 00 LargeBos
51BB20: 27 LitVar_Missing
51BB23: 27 LitVar_Missing
51BB26: 3a LitVarStr: ( local_0130 ) "XXXXX"
51BB2B: 4e FStVarCopyObj local_00F0
51BB2E: 04 FLdRfVar local_00F0
51BB31: f5 LitI4: 0x40 64 (...@)
51BB36: 3a LitVarStr: ( local_00A0 ) "註冊成功"
51BB3B: 4e FStVarCopyObj local_00B0
51BB3E: 04 FLdRfVar local_00B0
51BB41: 0a ImpAdCallFPR4: rtcMsgBox
51BB46: 36 FFreeVar

無意義的干擾程式碼,同上，刪去

51C177: 00 LargeBos
51C179: 00 LargeBos
51C17B: 00 LargeBos
51C17D: 21 FLdPrThis
51C17E: 0f VCallAd (object e )
51C181: 19 FStAdFunc local_00CC
51C184: 08 FLdPr local_00CC
51C187: 0d VCallHresult
51C18C: 1a FFree1Ad local_00CC
51C18F: 00 LargeBos
51C191: 13 ExitProcHresult

也許有人手頭上沒有WKT，那我們來看看怎麼用softice跟蹤來得到註冊碼：
用symbol loader裝入程序，設定斷點：bpm 51B484，51b484就是比較註冊碼
的pcode的位址。G，從說明 功能表調出註冊對話視窗，隨便輸一個註冊碼，點<註冊>
按鈕，softice攔下。

001B:7348E239 MOV AL,[ESI]
001B:7348E23B INC ESI <=== softice中斷在這兒
001B:7348E23C JMP [EAX*4+7348EA58]

這是在msvbvm60.dll的程式碼空間中，你的電腦上中斷的位址可能和我的不一樣。
輸入指令：d *(*esp+8)，即可得到註冊碼，注意是unicode格式的。

懶得找註冊算法了，關鍵是找到對text.text賦值的地方，哪位大俠
有興趣可以試試。我的想法用exdec反編譯程序，搜尋字串串object 8
，在找到的地方上下斷點。唉，比較麻煩。