環(huán)境：

Windows xp sp3

這次的目標有兩個：

1.去除Nag窗口

2.找出Serial的算法

1.這次去除Nag窗口用了另外兩個程序：

（1）VBLocalize v1.1.0.0

（2）UltraEdit

（3）VBExplorer

因為是VB程序，所以用VBLocalize加載程序，

據(jù)偏移地址，在文件中找到timer的偏移地址：

用VBExplorer可以看到timer的屬性：

得知Nag窗口存在時間為7秒，Timer的位置是（2880,2160），轉(zhuǎn)為16進制為：（0x0B40,0x0870）

7000的16進制為1B58，于是可以的得知：

00005b75-00005b76的值為Nag窗口存在的時間，可以把這個兩個值改為 58 1B ->01 00，

如果改為0則Nag窗口一直存在。

2.找到Serial算法

和1一樣，輸入一個錯的，然后F12，Alt + F9回到程序領空。

0040865D . B8 0A000000 mov eax,0xA 00408662 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx 00408665 . 66:85F6 test si,si 00408668 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax 0040866B . 894D AC mov dword ptr ss:[ebp-0x54],ecx 0040866E . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax 00408671 . 894D BC mov dword ptr ss:[ebp-0x44],ecx 00408674 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax 00408677 . 74 62 je XAfKayAs_.004086DB ; 這個不能跳 00408679 . 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCat 0040867F . 68 C06F4000 push AfKayAs_.00406FC0 ; UNICODE "You Get It" 00408684 . 68 DC6F4000 push AfKayAs_.00406FDC ; /String = "" 00408689 . FFD6 call esi ; \__vbaStrCat 0040868B . 8BD0 mov edx,eax 0040868D . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] 00408690 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove 00408696 . 50 push eax 00408697 . 68 E86F4000 push AfKayAs_.00406FE8 ; UNICODE "KeyGen It Now" 0040869C . FFD6 call esi 0040869E . 8945 CC mov dword ptr ss:[ebp-0x34],eax 004086A1 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] 004086A4 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C] 004086A7 . 50 push eax 004086A8 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C] 004086AB . 51 push ecx 004086AC . 52 push edx 004086AD . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C] 004086B0 . 6A 00 push 0x0 004086B2 . 50 push eax 004086B3 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8 004086BA . FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox 004086C0 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] 004086C3 . FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr 004086C9 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C] 004086CC . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C] 004086CF . 51 push ecx 004086D0 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C] 004086D3 . 52 push edx 004086D4 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C] 004086D7 . 50 push eax 004086D8 . 51 push ecx 004086D9 . EB 60 jmp XAfKayAs_.0040873B ; 上面是正確的消息，下面是錯誤的消息 004086DB > 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCat 004086E1 . 68 08704000 push AfKayAs_.00407008 ; UNICODE "You Get Wrong" 004086E6 . 68 DC6F4000 push AfKayAs_.00406FDC ; /String = "" 004086EB . FFD6 call esi ; \__vbaStrCat 004086ED . 8BD0 mov edx,eax 004086EF . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] 004086F2 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove 004086F8 . 50 push eax 004086F9 . 68 28704000 push AfKayAs_.00407028 ; UNICODE "Try Again" 004086FE . FFD6 call esi 00408700 . 8945 CC mov dword ptr ss:[ebp-0x34],eax 00408703 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] 00408706 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C] 00408709 . 52 push edx 0040870A . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C] 0040870D . 50 push eax 0040870E . 51 push ecx 0040870F . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C] 00408712 . 6A 00 push 0x0 00408714 . 52 push edx 00408715 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8 0040871C . FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox 00408722 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] ; Atl+F9后回到這里

再往上一點就看到了這個：

004081E9 > \8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0] 004081EF . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 004081F2 . 50 push eax ; /String 004081F3 . 8B1A mov ebx,dword ptr ds:[edx] ; | 004081F5 . FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr 004081FB . 8BF8 mov edi,eax 004081FD . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18] 00408200 . 69FF 385B0100 imul edi,edi,0x15B38 ; 這個東西不一樣了 00408206 . 51 push ecx ; /String 00408207 . 0F80 B7050000 jo AfKayAs_.004087C4 ; | 0040820D . FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr 00408213 . 0FBFD0 movsx edx,ax 00408216 . 03FA add edi,edx
這個是在1里面遇到的，就是乘數(shù)不一樣了。

設

Name長度為L

Name的首字母為c

當前計算結(jié)果為s

得到公式： s = L*88888+ascii(c)

繼續(xù)往下有：

004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str 004082EF . D905 08104000 fld dword ptr ds:[0x401008] ; [401008]是10.0 004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0 004082FC . 75 08 jnz XAfKayAs_.00408306 004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; [40100c]是5.0，這里是10.0/5.0 = 2.0 00408304 . EB 0B jmp XAfKayAs_.00408311 00408306 > FF35 0C104000 push dword ptr ds:[0x40100C] 0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32> 00408311 > 83EC 08 sub esp,0x8 00408314 . DFE0 fstsw ax 00408316 . A8 0D test al,0xD 00408318 . 0F85 A1040000 jnz AfKayAs_.004087BF 0040831E . DEC1 faddp st(1),st ; s = s + 2.0 00408320 . DFE0 fstsw ax
得到：

s = s + 2

繼續(xù)往下：

004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str 004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; [401010]是3，這里是s = s*3 00408401 . 83EC 08 sub esp,0x8 00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; [401018]是2，這里是s = s-2 0040840A . DFE0 fstsw ax 0040840C . A8 0D test al,0xD 0040840E . 0F85 AB030000 jnz AfKayAs_.004087BF 00408414 . DD1C24 fstp qword ptr ss:[esp] 00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8

得到：

s = s * 3 - 2

繼續(xù)往下：

004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str 004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; [0x401020]是-15，于是這里是s = s + 15 004084EB . 83EC 08 sub esp,0x8 004084EE . DFE0 fstsw ax 004084F0 . A8 0D test al,0xD 004084F2 . 0F85 C7020000 jnz AfKayAs_.004087BF 004084F8 . DD1C24 fstp qword ptr ss:[esp] 004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8 00408501 . 8BD0 mov edx,eax

得到：

s = s + 15

聯(lián)合起來就是:

s = (L*88888+ascii(c))*3+19

總結(jié)

以上是生活随笔為你收集整理的160 - 3 Afkayas.2的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。