【破文标题】第二课CM V5.66
【破文作者】lvcaolhx
【作者邮箱】
【作者主页】
【破解工具】OD/PEID
【破解平台】XPsp2
【软件名称】第二课CM
【软件大小】
【原版下载】
【保护方式】
【软件简介】
【破解声明】菜鸟破解，无技术可言!
------------------------------------------------------------------------
【破解过程】
一、查壳。UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo。
00410E50 >  60              PUSHAD
00410E51    BE 00D04000     MOV ESI,PYG_5_4_.0040D000//用ESP定律
00410E56    8DBE 0040FFFF   LEA EDI,DWORD PTR DS:[ESI+FFFF4000]
到这里00410FD7    8D4424 80       LEA EAX,DWORD PTR SS:[ESP-80]
00410FDB    6A 00           PUSH 0
00410FDD    39C4            CMP ESP,EAX
00410FDF  ^ 75 FA           JNZ SHORT PYG_5_4_.00410FDB//F4跳过
00410FE1    83EC 80         SUB ESP,-80
00410FE4  - E9 EF04FFFF     JMP PYG_5_4_.004014D8//跳向OEP
004014D8    68 48474000     PUSH PYG_5_4_.00404748                   ; ASCII "VB5!6&vb6chs.dll"//跳到这里，VB的OEP
用OD插件DUMP，运行，成功!
004014DD    E8 F0FFFFFF     CALL PYG_5_4_.004014D2                   ; JMP 到 MSVBVM60.ThunRTMain

二、下断点MSVBVM60.__vbaVarTstEq，F9运行，ALT+F4返回

004065ED    52                   push edx
004065EE    50                   push eax
004065EF    FF15 9C104000        call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarTstEq
004065F5    66:85C0              test ax,ax//返回到这里
004065F8    B9 04000280          mov ecx,80020004
004065FD    B8 0A000000          mov eax,0A
00406602    898D 24FFFFFF        mov dword ptr ss:[ebp-DC],ecx//真码，可做注册机
00406608    8985 1CFFFFFF        mov dword ptr ss:[ebp-E4],eax
0040660E    898D 34FFFFFF        mov dword ptr ss:[ebp-CC],ecx
00406614    8985 2CFFFFFF        mov dword ptr ss:[ebp-D4],eax
0040661A    74 5A                je short unpack.00406676//NOP此处实行爆破
0040661C    8D95 0CFFFFFF        lea edx,dword ptr ss:[ebp-F4]
00406622    8D8D 3CFFFFFF        lea ecx,dword ptr ss:[ebp-C4]
00406628    C785 14FFFFFF B45440>mov dword ptr ss:[ebp-EC],unpack.00>
00406632    899D 0CFFFFFF        mov dword ptr ss:[ebp-F4],ebx
00406638    FF15 50114000        call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
0040663E    8D8D 1CFFFFFF        lea ecx,dword ptr ss:[ebp-E4]
00406644    8D95 2CFFFFFF        lea edx,dword ptr ss:[ebp-D4]
0040664A    51                   push ecx
0040664B    8D85 3CFFFFFF        lea eax,dword ptr ss:[ebp-C4]
00406651    52                   push edx
00406652    50                   push eax
00406653    8D4D DC              lea ecx,dword ptr ss:[ebp-24]
00406656    6A 40                push 40
00406658    51                   push ecx
00406659    FF15 64104000        call dword ptr ds:[<&MSVBVM60.rtcMs>; MSVBVM60.rtcMsgBox
0040665F    8D95 1CFFFFFF        lea edx,dword ptr ss:[ebp-E4]
00406665    8D85 2CFFFFFF        lea eax,dword ptr ss:[ebp-D4]
0040666B    52                   push edx
0040666C    8D8D 3CFFFFFF        lea ecx,dword ptr ss:[ebp-C4]
00406672    50                   push eax
00406673    51                   push ecx
00406674    EB 58                jmp short unpack.004066CE
00406676    8D95 0CFFFFFF        lea edx,dword ptr ss:[ebp-F4]
0040667C    8D8D 3CFFFFFF        lea ecx,dword ptr ss:[ebp-C4]
00406682    C785 14FFFFFF 105440>mov dword ptr ss:[ebp-EC],unpack.00>
0040668C    899D 0CFFFFFF        mov dword ptr ss:[ebp-F4],ebx
00406692    FF15 50114000        call dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
00406698    8D95 1CFFFFFF        lea edx,dword ptr ss:[ebp-E4]
0040669E    8D85 2CFFFFFF        lea eax,dword ptr ss:[ebp-D4]
004066A4    52                   push edx
004066A5    8D8D 3CFFFFFF        lea ecx,dword ptr ss:[ebp-C4]
004066AB    50                   push eax
004066AC    51                   push ecx
004066AD    8D55 CC              lea edx,dword ptr ss:[ebp-34]
004066B0    6A 10                push 10
004066B2    52                   push edx
004066B3    FF15 64104000        call dword ptr ds:[<&MSVBVM60.rtcMs>; MSVBVM60.rtcMsgBox
004066B9    8D85 1CFFFFFF        lea eax,dword ptr ss:[ebp-E4]
004066BF    8D8D 2CFFFFFF        lea ecx,dword ptr ss:[ebp-D4]

【版权声明】本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! 版权归PYG所有