XX桌面日历2.53算法分析

135HACK · 发表于 2007-9-15 00:36:33

作者：dewar

【文章标题】: XX桌面日历2.53算法分析
【文章作者】: dewar
【作者主页】: 无
【软件名称】: XX桌面日历2.53
【下载地址】: 自己搜索下载
【加壳方式】: UPX
【编写语言】: VB
【操作平台】: WINXP
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
不久前分析过它的2.0版，前几天作者对软件进行了升级，算法也改了，只好重新分析一下。虽然算法改了，但有很多东西没改，有了2.0版的分析作基础，问题就好解决得多了。
1.脱壳＋去自检验
查壳，仍然是UPX的壳，脱壳后可看到是VB的程序，运行一下照样会关机，看来自校验和2.0版的没多大变化。还是下断rtcFileLen,F9运行，可找到如下几处自校验的地方：
......
0055CA22 BF 0A000000 MOV EDI, 0A                      ; EDI=0x0a
0055CA27 897D B4    MOV DWORD PTR SS:[EBP-4C], EDI
0055CA2A 8D4D B4    LEA ECX, DWORD PTR SS:[EBP-4C]
0055CA2D 51       PUSH ECX
0055CA47 FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRandomNext>] ; 产生一个随机数
0055CA4D D80D 0C394000 FMUL DWORD PTR DS:[40390C]             ; ×10
0055CA53 FF15 7C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFPInt>]    ; 取整
0055CA59 D805 48494000 FADD DWORD PTR DS:[404948]             ; +1
0055CA5F FF15 00134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI2>]    ; MSVBVM60.__vbaFpI2
0055CA65 8BF0       MOV ESI, EAX
0055CA67 8D4D B4    LEA ECX, DWORD PTR SS:[EBP-4C]
0055CA6A FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0055CA70 0FBFC6    MOVSX EAX, SI
0055CA73 3BC7       CMP EAX, EDI                      ; 结果与0x0a比较（即与10比较）
0055CA75 0F87 33040000 JA    0055CEAE                      ; 这里改为JMP就可去除自校验
0055CA7B FF2485 30CF5500 JMP DWORD PTR DS:[EAX*4+55CF30]          ; 根据结果跳向不同的分支（功能相同）
0055CA82 8B45 E0    MOV EAX, DWORD PTR SS:[EBP-20]
0055CA85 50       PUSH EAX
0055CA86 FF15 CC124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFileLen>]    ; 得到文件大小
0055CA8C 8945 BC    MOV DWORD PTR SS:[EBP-44], EAX
0055CA8F BE 03000000 MOV ESI, 3
0055CA94 8975 B4    MOV DWORD PTR SS:[EBP-4C], ESI
0055CA97 56       PUSH ESI
0055CA98 8D4D B4    LEA ECX, DWORD PTR SS:[EBP-4C]
0055CA9B 51       PUSH ECX
0055CA9C 8D55 A4    LEA EDX, DWORD PTR SS:[EBP-5C]
0055CA9F 52       PUSH EDX
0055CAA0 FF15 28134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcLeftCharVar>] ; 得到文件大小的左边3位数
0055CAA6 C785 6CFFFFFF B>MOV DWORD PTR SS:[EBP-94], 1B2
0055CAB0 89B5 64FFFFFF MOV DWORD PTR SS:[EBP-9C], ESI
0055CAB6 8D45 A4    LEA EAX, DWORD PTR SS:[EBP-5C]
0055CAB9 50       PUSH EAX
0055CABA 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
0055CAC0 51       PUSH ECX
0055CAC1 8D55 94    LEA EDX, DWORD PTR SS:[EBP-6C]
0055CAC4 52       PUSH EDX
0055CAC5 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; 与0x1b2异或
0055CACB 50       PUSH EAX
0055CACC FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolErrVar>] ; MSVBVM60.__vbaBoolErrVar
0055CAD2 8BF0       MOV ESI, EAX
0055CAD4 8D45 A4    LEA EAX, DWORD PTR SS:[EBP-5C]
0055CAD7 50       PUSH EAX
0055CAD8 8D4D B4    LEA ECX, DWORD PTR SS:[EBP-4C]
0055CADB 51       PUSH ECX
0055CADC 6A 02    PUSH 2
0055CADE FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
0055CAE4 83C4 0C    ADD ESP, 0C
0055CAE7 66:3BF3    CMP SI, BX
0055CAEA 0F84 BE030000 JE    0055CEAE                      ; 异或结果为0,这里就会跳
......
程序先产生一个1～10内的随机数，根据这个数的大小跳向不同的分支（但完成同样的功能：检验文件有无被脱壳）。这里0x1b2为未脱壳前文件大小的左边3个数字，就是说运行程序的大小与未脱壳文件的大小相等时就会跳走，不等就会继续执行到错误的分支。同样的还有0055CB73、0055CCC9 、0055CD76、0055CDFF四处，将这五处JE都改为JMP就可除去自校验（或改0055CA75处JA为JMP一处即可）。这时你就可以放心大胆地对它进行开刀了，想怎么玩就怎么玩：）
2.注册
通过在打开文件函数_vbaFileOpen上下断，可找到如下的地方
......
00561CBD FF51 28    CALL DWORD PTR DS:[ECX+28]             ; 判断是否脱壳，即为上面所述部分
00561CC0 3BC6       CMP EAX, ESI
00561CC2 7D 0F    JGE SHORT 00561CD3
00561CC4 6A 28    PUSH 28
00561CC6 68 98AE4100 PUSH 0041AE98
00561CCB 53       PUSH EBX
00561CCC 50       PUSH EAX
00561CCD FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
00561CD3 8B13       MOV EDX, DWORD PTR DS:[EBX]
00561CD5 8D85 D0FEFFFF LEA EAX, DWORD PTR SS:[EBP-130]
00561CDB 50       PUSH EAX
00561CDC 53       PUSH EBX
00561CDD FF52 38    CALL DWORD PTR DS:[EDX+38]             ; 计算机器码，并将其变形后写入注册表中，有兴趣的朋友可自己跟进看看
00561CE0 3BC6       CMP EAX, ESI
00561CE2 7D 0F    JGE SHORT 00561CF3
00561CE4 6A 38    PUSH 38
00561CE6 68 98AE4100 PUSH 0041AE98
00561CEB 53       PUSH EBX
00561CEC 50       PUSH EAX
00561CED FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
00561CF3 8B8D D0FEFFFF MOV ECX, DWORD PTR SS:[EBP-130]
00561CF9 894D 80    MOV DWORD PTR SS:[EBP-80], ECX
00561CFC B8 44144200 MOV EAX, 00421444
00561D01 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EAX
00561D07 B9 08000000 MOV ECX, 8
00561D0C 898D 0CFFFFFF MOV DWORD PTR SS:[EBP-F4], ECX
00561D12 8B13       MOV EDX, DWORD PTR DS:[EBX]
00561D14 8DBD 68FFFFFF LEA EDI, DWORD PTR SS:[EBP-98]
00561D1A 57       PUSH EDI
00561D1B 83EC 10    SUB ESP, 10
00561D1E 8BFC       MOV EDI, ESP
00561D20 890F       MOV DWORD PTR DS:[EDI], ECX
00561D22 8B8D 10FFFFFF MOV ECX, DWORD PTR SS:[EBP-F0]
00561D28 894F 04    MOV DWORD PTR DS:[EDI+4], ECX
00561D2B 8947 08    MOV DWORD PTR DS:[EDI+8], EAX
00561D2E 8B85 18FFFFFF MOV EAX, DWORD PTR SS:[EBP-E8]
00561D34 8947 0C    MOV DWORD PTR DS:[EDI+C], EAX
00561D37 56       PUSH ESI
00561D38 53       PUSH EBX
00561D39 FF52 20    CALL DWORD PTR DS:[EDX+20]
00561D3C DBE2       FCLEX
00561D3E 3BC6       CMP EAX, ESI
00561D40 7D 0F    JGE SHORT 00561D51
00561D42 6A 20    PUSH 20
00561D44 68 98AE4100 PUSH 0041AE98
00561D49 53       PUSH EBX
00561D4A 50       PUSH EAX
00561D4B FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
00561D51 8B0D 54B05600 MOV ECX, DWORD PTR DS:[56B054]          ; [56B054]中存着主程序所在的路径X
00561D57 51       PUSH ECX
00561D58 8B95 68FFFFFF MOV EDX, DWORD PTR SS:[EBP-98]          ; FXSYS\FXSYS
00561D5E 52       PUSH EDX
00561D5F 8B3D 7C104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ; 连接得X:\FXSYS\FXSYS
00561D65 FFD7       CALL EDI
00561D67 8BD0       MOV EDX, EAX
00561D69 8D4D DC    LEA ECX, DWORD PTR SS:[EBP-24]
00561D6C 8B35 34134000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>>; MSVBVM60.__vbaStrMove
00561D72 FFD6       CALL ESI
00561D74 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561D7A FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00561D80 8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]
00561D83 50       PUSH EAX
00561D84 68 C4144200 PUSH 004214C4                      ; UNICODE ".key"
00561D89 FFD7       CALL EDI                         ; 注册文件为X:\FXSYS\FXSYS.KEY
00561D8B 8985 54FFFFFF MOV DWORD PTR SS:[EBP-AC], EAX
00561D91 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 8
00561D9B 6A 07    PUSH 7
00561D9D 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00561DA3 51       PUSH ECX
00561DA4 FF15 70124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcDir>]    ; MSVBVM60.rtcDir
00561DAA 8BD0       MOV EDX, EAX
00561DAC 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561DB2 FFD6       CALL ESI
00561DB4 50       PUSH EAX
00561DB5 68 58AA4100 PUSH 0041AA58                      ; NULL
00561DBA FF15 7C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>]    ; 比较看指定的文件在不在
00561DC0 8BF8       MOV EDI, EAX
00561DC2 F7DF       NEG EDI
00561DC4 1BFF       SBB EDI, EDI
00561DC6 47       INC EDI
00561DC7 F7DF       NEG EDI
00561DC9 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561DCF FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00561DD5 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00561DDB FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00561DE1 66:85FF    TEST DI, DI
00561DE4 0F85 DD1D0000 JNZ 00563BC7                      ; 没有指定的文件就跳（不能跳）
00561DEA 8B55 DC    MOV EDX, DWORD PTR SS:[EBP-24]
00561DED 52       PUSH EDX
00561DEE 68 98F44100 PUSH 0041F498                      ; UNICODE ".tmp"
00561DF3 8B3D 7C104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
00561DF9 FFD7       CALL EDI
00561DFB 8BD0       MOV EDX, EAX
00561DFD 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
00561E03 FFD6       CALL ESI
00561E05 8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]
00561E08 50       PUSH EAX
00561E09 68 C4144200 PUSH 004214C4                      ; UNICODE ".key"
00561E0E FFD7       CALL EDI
00561E10 8BD0       MOV EDX, EAX
00561E12 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561E18 FFD6       CALL ESI
00561E1A 8B0B       MOV ECX, DWORD PTR DS:[EBX]
00561E1C 8D95 D8FEFFFF LEA EDX, DWORD PTR SS:[EBP-128]
00561E22 52       PUSH EDX
00561E23 8D85 64FFFFFF LEA EAX, DWORD PTR SS:[EBP-9C]
00561E29 50       PUSH EAX
00561E2A 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
00561E30 52       PUSH EDX
00561E31 53       PUSH EBX
00561E32 FF51 34    CALL DWORD PTR DS:[ECX+34]             ; 解密注册文件并存入临时文件FXSYS.TMP中
解密很简单，只是将文件各字节取出与0xFB异或后再写回
00561E35 85C0       TEST EAX, EAX
00561E37 7D 0F    JGE SHORT 00561E48
00561E39 6A 34    PUSH 34
00561E3B 68 98AE4100 PUSH 0041AE98
00561E40 53       PUSH EBX
00561E41 50       PUSH EAX
00561E42 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
00561E48 8D85 64FFFFFF LEA EAX, DWORD PTR SS:[EBP-9C]
00561E4E 50       PUSH EAX
00561E4F 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561E55 51       PUSH ECX
00561E56 6A 02    PUSH 2
00561E58 FF15 B4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00561E5E 83C4 0C    ADD ESP, 0C
00561E61 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
00561E6B C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
00561E75 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
00561E7B 52       PUSH EDX
00561E7C FF15 8C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFreeFile>]    ; MSVBVM60.rtcFreeFile
00561E82 8845 A8    MOV BYTE PTR SS:[EBP-58], AL
00561E85 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00561E8B FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00561E91 66:0FB67D A8 MOVZX DI, BYTE PTR SS:[EBP-58]
00561E96 8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]
00561E99 50       PUSH EAX
00561E9A 68 98F44100 PUSH 0041F498                      ; UNICODE ".tmp"
00561E9F FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]    ; MSVBVM60.__vbaStrCat
00561EA5 8BD0       MOV EDX, EAX
00561EA7 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561EAD FFD6       CALL ESI
00561EAF 50       PUSH EAX
00561EB0 57       PUSH EDI
00561EB1 6A FF    PUSH -1
00561EB3 6A 01    PUSH 1
00561EB5 FF15 7C124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileOpen>] ; 打开解密后的文件FXSYS.TMP
00561EBB 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561EC1 FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00561EC7 57       PUSH EDI
00561EC8 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00561ECB 51       PUSH ECX
00561ECC FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLineInputVar>>; 读取第1行
00561ED2 C785 14FFFFFF 6>MOV DWORD PTR SS:[EBP-EC], 00421460
00561EDC B8 08000000 MOV EAX, 8
00561EE1 8985 0CFFFFFF MOV DWORD PTR SS:[EBP-F4], EAX
00561EE7 8B13       MOV EDX, DWORD PTR DS:[EBX]
00561EE9 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561EEF 51       PUSH ECX
00561EF0 83EC 10    SUB ESP, 10
00561EF3 8BCC       MOV ECX, ESP
00561EF5 8901       MOV DWORD PTR DS:[ECX], EAX
00561EF7 8B85 10FFFFFF MOV EAX, DWORD PTR SS:[EBP-F0]
00561EFD 8941 04    MOV DWORD PTR DS:[ECX+4], EAX
00561F00 8B85 14FFFFFF MOV EAX, DWORD PTR SS:[EBP-EC]
00561F06 8941 08    MOV DWORD PTR DS:[ECX+8], EAX
00561F09 8B85 18FFFFFF MOV EAX, DWORD PTR SS:[EBP-E8]
00561F0F 8941 0C    MOV DWORD PTR DS:[ECX+C], EAX
00561F12 6A 00    PUSH 0
00561F14 53       PUSH EBX
00561F15 FF52 20    CALL DWORD PTR DS:[EDX+20]
00561F18 85C0       TEST EAX, EAX
00561F1A 7D 0F    JGE SHORT 00561F2B
00561F1C 6A 20    PUSH 20
00561F1E 68 98AE4100 PUSH 0041AE98
00561F23 53       PUSH EBX
00561F24 50       PUSH EAX
00561F25 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
00561F2B 8B85 68FFFFFF MOV EAX, DWORD PTR SS:[EBP-98]          ; 读取的第1行
00561F31 C785 68FFFFFF 0>MOV DWORD PTR SS:[EBP-98], 0
00561F3B 8985 54FFFFFF MOV DWORD PTR SS:[EBP-AC], EAX
00561F41 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 8008
00561F4B 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]          ; [FXV25]
00561F4E 51       PUSH ECX
00561F4F 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]          ; 读取的第1行
00561F55 52       PUSH EDX
00561F56 FF15 84114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstEq>] ; 第1行是否为［FXV25］
00561F5C 66:8BD8    MOV BX, AX
00561F5F 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00561F65 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00561F6B 66:85DB    TEST BX, BX
00561F6E 74 1B    JE    SHORT 00561F8B                   ; 不能跳（不等会跳）
00561F70 57       PUSH EDI
00561F71 8D45 A0    LEA EAX, DWORD PTR SS:[EBP-60]
00561F74 50       PUSH EAX
00561F75 8B1D 30104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaLineInpu>; MSVBVM60.__vbaLineInputStr
00561F7B FFD3       CALL EBX                         ; 读取第2行
00561F7D 57       PUSH EDI
00561F7E 8D4D E0    LEA ECX, DWORD PTR SS:[EBP-20]
00561F81 51       PUSH ECX
00561F82 FFD3       CALL EBX                         ; 读取第3行
00561F84 57       PUSH EDI
00561F85 8D55 A4    LEA EDX, DWORD PTR SS:[EBP-5C]
00561F88 52       PUSH EDX
00561F89 FFD3       CALL EBX                         ; 读取第4行
00561F8B 57       PUSH EDI
00561F8C FF15 60114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileClose>] ; 关闭文件
00561F92 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
00561F98 85C0       TEST EAX, EAX
00561F9A 75 12    JNZ SHORT 00561FAE
00561F9C 8D85 6CFFFFFF LEA EAX, DWORD PTR SS:[EBP-94]
00561FA2 50       PUSH EAX
00561FA3 68 EC814000 PUSH 004081EC
00561FA8 FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
00561FAE 8BBD 6CFFFFFF MOV EDI, DWORD PTR SS:[EBP-94]
00561FB4 C785 D8FEFFFF 0>MOV DWORD PTR SS:[EBP-128], 0
00561FBE 8B4D DC    MOV ECX, DWORD PTR SS:[EBP-24]
00561FC1 51       PUSH ECX
00561FC2 68 98F44100 PUSH 0041F498                      ; UNICODE ".tmp"
00561FC7 FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]    ; MSVBVM60.__vbaStrCat
00561FCD 8BD0       MOV EDX, EAX
00561FCF 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00561FD5 FFD6       CALL ESI
00561FD7 8B17       MOV EDX, DWORD PTR DS:[EDI]
00561FD9 8D85 D4FEFFFF LEA EAX, DWORD PTR SS:[EBP-12C]
00561FDF 50       PUSH EAX
00561FE0 8D8D D8FEFFFF LEA ECX, DWORD PTR SS:[EBP-128]
00561FE6 51       PUSH ECX
00561FE7 8D85 68FFFFFF LEA EAX, DWORD PTR SS:[EBP-98]
00561FED 50       PUSH EAX
00561FEE 57       PUSH EDI
00561FEF FF52 24    CALL DWORD PTR DS:[EDX+24]             ; 删除临时文件
00561FF2 DBE2       FCLEX
00561FF4 85C0       TEST EAX, EAX
00561FF6 7D 13    JGE SHORT 0056200B
00561FF8 6A 24    PUSH 24
00561FFA 68 7CAC4100 PUSH 0041AC7C
00561FFF 57       PUSH EDI
00562000 50       PUSH EAX
00562001 8B1D B4104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaHresultC>; MSVBVM60.__vbaHresultCheckObj
00562007 FFD3       CALL EBX
00562009 EB 06    JMP SHORT 00562011
0056200B 8B1D B4104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaHresultC>; MSVBVM60.__vbaHresultCheckObj
00562011 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562017 FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0056201D 8B4D A0    MOV ECX, DWORD PTR SS:[EBP-60]          ; 读取的第2行（机器码）
00562020 51       PUSH ECX
00562021 FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; 转为浮点数
00562027 FF15 18134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>]    ; 转为整数
0056202D 3345 80    XOR EAX, DWORD PTR SS:[EBP-80]
00562030 74 65    JE    SHORT 00562097                   ; 与机器码是否相等？等就跳
00562032 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
00562038 85C0       TEST EAX, EAX
0056203A 75 12    JNZ SHORT 0056204E
0056203C 8D95 6CFFFFFF LEA EDX, DWORD PTR SS:[EBP-94]
00562042 52       PUSH EDX
00562043 68 EC814000 PUSH 004081EC
00562048 FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
0056204E 8BBD 6CFFFFFF MOV EDI, DWORD PTR SS:[EBP-94]
00562054 C785 D8FEFFFF 0>MOV DWORD PTR SS:[EBP-128], 0
0056205E 8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]
00562061 50       PUSH EAX
00562062 68 C4144200 PUSH 004214C4                      ; UNICODE ".key"
00562067 FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]    ; MSVBVM60.__vbaStrCat
0056206D 8BD0       MOV EDX, EAX
0056206F 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562075 FFD6       CALL ESI
00562077 8B0F       MOV ECX, DWORD PTR DS:[EDI]
00562079 8D95 D4FEFFFF LEA EDX, DWORD PTR SS:[EBP-12C]
0056207F 52       PUSH EDX
00562080 8D85 D8FEFFFF LEA EAX, DWORD PTR SS:[EBP-128]
00562086 50       PUSH EAX
00562087 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
0056208D 52       PUSH EDX
0056208E 57       PUSH EDI
0056208F FF51 24    CALL DWORD PTR DS:[ECX+24]
00562092 E9 60010000 JMP 005621F7
00562097 8B45 E0    MOV EAX, DWORD PTR SS:[EBP-20]          ; 读取的第3行（用户名）
0056209A 50       PUSH EAX
0056209B FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; 算长度
005620A1 83F8 02    CMP EAX, 2                      ; 与2比较
005620A4 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
005620AA 7D 0D    JGE SHORT 005620B9                   ; 大于等于就跳，要跳
005620AC 85C0       TEST EAX, EAX
005620AE 0F85 FF000000 JNZ 005621B3
005620B4 E9 E8000000 JMP 005621A1
005620B9 85C0       TEST EAX, EAX
005620BB 75 18    JNZ SHORT 005620D5
005620BD 8D95 6CFFFFFF LEA EDX, DWORD PTR SS:[EBP-94]
005620C3 52       PUSH EDX
005620C4 68 EC814000 PUSH 004081EC
005620C9 FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
005620CF 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
005620D5 8BF8       MOV EDI, EAX
005620D7 8B08       MOV ECX, DWORD PTR DS:[EAX]
005620D9 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
005620DF 52       PUSH EDX
005620E0 68 60B14100 PUSH 0041B160                      ; 0
005620E5 68 B49E4200 PUSH 00429EB4                      ; H
005620EA 8B55 A4    MOV EDX, DWORD PTR SS:[EBP-5C]          ; 读取的第4行（注册码）
005620ED 52       PUSH EDX
005620EE 50       PUSH EAX
005620EF FF51 34    CALL DWORD PTR DS:[ECX+34]             ; 处理注册码：将其中的H(h)用0代替
005620F2 DBE2       FCLEX
005620F4 85C0       TEST EAX, EAX
005620F6 7D 0B    JGE SHORT 00562103
005620F8 6A 34    PUSH 34
005620FA 68 7CAC4100 PUSH 0041AC7C
005620FF 57       PUSH EDI
00562100 50       PUSH EAX
00562101 FFD3       CALL EBX
00562103 8B95 68FFFFFF MOV EDX, DWORD PTR SS:[EBP-98]          ; 处理后的注册码
00562109 C785 68FFFFFF 0>MOV DWORD PTR SS:[EBP-98], 0
00562113 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]
00562116 FFD6       CALL ESI
00562118 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
0056211E 85C0       TEST EAX, EAX
00562120 75 18    JNZ SHORT 0056213A
00562122 8D85 6CFFFFFF LEA EAX, DWORD PTR SS:[EBP-94]
00562128 50       PUSH EAX
00562129 68 EC814000 PUSH 004081EC
0056212E FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
00562134 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
0056213A 8BF8       MOV EDI, EAX
0056213C 8B08       MOV ECX, DWORD PTR DS:[EAX]
0056213E 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
00562144 52       PUSH EDX
00562145 68 18BF4100 PUSH 0041BF18                      ; 1
0056214A 68 BC9E4200 PUSH 00429EBC                      ; X
0056214F 8B55 A4    MOV EDX, DWORD PTR SS:[EBP-5C]
00562152 52       PUSH EDX
00562153 50       PUSH EAX
00562154 FF51 34    CALL DWORD PTR DS:[ECX+34]             ; 将注册码中的X(x)用1代替
00562157 DBE2       FCLEX
00562159 85C0       TEST EAX, EAX
0056215B 7D 0B    JGE SHORT 00562168
0056215D 6A 34    PUSH 34
0056215F 68 7CAC4100 PUSH 0041AC7C
00562164 57       PUSH EDI
00562165 50       PUSH EAX
00562166 FFD3       CALL EBX
00562168 8B95 68FFFFFF MOV EDX, DWORD PTR SS:[EBP-98]
0056216E C785 68FFFFFF 0>MOV DWORD PTR SS:[EBP-98], 0
00562178 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]
0056217B FFD6       CALL ESI
0056217D 6A 00    PUSH 0
0056217F 6A FF    PUSH -1
00562181 68 84AE4100 PUSH 0041AE84                      ; -
00562186 8B45 A4    MOV EAX, DWORD PTR SS:[EBP-5C]
00562189 50       PUSH EAX
0056218A FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcInStrRev>]    ; 查找“－”在注册码中的位置
00562190 8BF8       MOV EDI, EAX
00562192 83FF 05    CMP EDI, 5                      ; 与5比较
00562195 7D 7A    JGE SHORT 00562211                   ; 大于等于就跳，要跳（注册码第1部分要4位或4位以上）
00562197 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
0056219D 85C0       TEST EAX, EAX
0056219F 75 12    JNZ SHORT 005621B3
005621A1 8D8D 6CFFFFFF LEA ECX, DWORD PTR SS:[EBP-94]
005621A7 51       PUSH ECX
005621A8 68 EC814000 PUSH 004081EC
005621AD FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
005621B3 8BBD 6CFFFFFF MOV EDI, DWORD PTR SS:[EBP-94]
005621B9 C785 D8FEFFFF 0>MOV DWORD PTR SS:[EBP-128], 0
005621C3 8B55 DC    MOV EDX, DWORD PTR SS:[EBP-24]
005621C6 52       PUSH EDX
005621C7 68 C4144200 PUSH 004214C4                      ; UNICODE ".key"
005621CC FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]    ; MSVBVM60.__vbaStrCat
005621D2 8BD0       MOV EDX, EAX
005621D4 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005621DA FFD6       CALL ESI
005621DC 8B07       MOV EAX, DWORD PTR DS:[EDI]
005621DE 8D8D D4FEFFFF LEA ECX, DWORD PTR SS:[EBP-12C]
005621E4 51       PUSH ECX
005621E5 8D95 D8FEFFFF LEA EDX, DWORD PTR SS:[EBP-128]
005621EB 52       PUSH EDX
005621EC 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005621F2 51       PUSH ECX
005621F3 57       PUSH EDI
005621F4 FF50 24    CALL DWORD PTR DS:[EAX+24]
005621F7 DBE2       FCLEX
005621F9 85C0       TEST EAX, EAX
005621FB 0F8D BA190000 JGE 00563BBB
00562201 6A 24    PUSH 24
00562203 68 7CAC4100 PUSH 0041AC7C
00562208 57       PUSH EDI
00562209 50       PUSH EAX
0056220A FFD3       CALL EBX
0056220C E9 AA190000 JMP 00563BBB
00562211 C785 F4FEFFFF 1>MOV DWORD PTR SS:[EBP-10C], 00422C14       ; <====注册码第1部分（从右至左）
0056221B BB 08000000 MOV EBX, 8
00562220 899D ECFEFFFF MOV DWORD PTR SS:[EBP-114], EBX
00562226 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
00562230 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
0056223A 8D55 A4    LEA EDX, DWORD PTR SS:[EBP-5C]
0056223D 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDX
00562243 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4008
0056224D 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562253 50       PUSH EAX                         ; 取10位
00562254 8D4F 01    LEA ECX, DWORD PTR DS:[EDI+1]
00562257 51       PUSH ECX                         ; 从第EDI+1位取起
00562258 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
0056225E 52       PUSH EDX                         ; 从注册码中取
0056225F 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562265 50       PUSH EAX                         ; 放在这里
00562266 FF15 4C114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; 取注册码从右到左第1部分
0056226C C785 E4FEFFFF C>MOV DWORD PTR SS:[EBP-11C], 00429EC4       ; ＆
00562276 899D DCFEFFFF MOV DWORD PTR SS:[EBP-124], EBX
0056227C 8D8D ECFEFFFF LEA ECX, DWORD PTR SS:[EBP-114]
00562282 51       PUSH ECX
00562283 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
00562289 52       PUSH EDX
0056228A 8D85 2CFFFFFF LEA EAX, DWORD PTR SS:[EBP-D4]
00562290 50       PUSH EAX
00562291 8B1D 58124000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
00562297 FFD3       CALL EBX                         ; “＆H”与其连接
00562299 50       PUSH EAX
0056229A 8D8D DCFEFFFF LEA ECX, DWORD PTR SS:[EBP-124]
005622A0 51       PUSH ECX
005622A1 8D95 1CFFFFFF LEA EDX, DWORD PTR SS:[EBP-E4]
005622A7 52       PUSH EDX
005622A8 FFD3       CALL EBX                         ; 再与“＆”连接
005622AA 50       PUSH EAX
005622AB 8D85 68FFFFFF LEA EAX, DWORD PTR SS:[EBP-98]
005622B1 50       PUSH EAX
005622B2 FF15 4C124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
005622B8 50       PUSH EAX
005622B9 FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; 转为浮点数
005622BF 83EC 08    SUB ESP, 8
005622C2 DD1C24    FSTP QWORD PTR SS:[ESP]
005622C5 FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrR8>]    ; MSVBVM60.__vbaStrR8
005622CB 8BD0       MOV EDX, EAX
005622CD 8D4D 98    LEA ECX, DWORD PTR SS:[EBP-68]
005622D0 FFD6       CALL ESI
005622D2 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005622D8 FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
005622DE 8D8D 1CFFFFFF LEA ECX, DWORD PTR SS:[EBP-E4]
005622E4 51       PUSH ECX
005622E5 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:[EBP-D4]
005622EB 52       PUSH EDX
005622EC 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
005622F2 50       PUSH EAX
005622F3 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
005622F9 51       PUSH ECX
005622FA 6A 04    PUSH 4
005622FC FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00562302 83C4 14    ADD ESP, 14
00562305 8B55 98    MOV EDX, DWORD PTR SS:[EBP-68]          ; 注册码第1部分
00562308 52       PUSH EDX
00562309 FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>]    ; MSVBVM60.__vbaR8Str
0056230F DC1D 406C4000 FCOMP QWORD PTR DS:[406C40]             ; 与8889比较
00562315 DFE0       FSTSW AX
00562317 F6C4 01    TEST AH, 1
0056231A 74 13    JE    SHORT 0056232F                   ; 大于等于就跳（要跳）
0056231C 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
00562322 85C0       TEST EAX, EAX
00562324 0F85 E8110000 JNZ 00563512
0056232A E9 D1110000 JMP 00563500
0056232F 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]          ; <====注册码第2部分
00562332 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC], ECX
00562338 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4008
00562342 4F       DEC EDI
00562343 57       PUSH EDI                         ; 从第EDI-1位取起
00562344 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
0056234A 52       PUSH EDX                         ; 注册码
0056234B 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562351 50       PUSH EAX                         ; 放这里
00562352 FF15 28134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcLeftCharVar>] ; 取左边的子串（注册码从右至左第1部分）
00562358 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
0056235E 51       PUSH ECX
0056235F FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove
00562365 8BD0       MOV EDX, EAX
00562367 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]
0056236A FFD6       CALL ESI
0056236C 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562372 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00562378 6A 00    PUSH 0
0056237A 6A FF    PUSH -1
0056237C 68 84AE4100 PUSH 0041AE84                      ; －
00562381 8B55 A4    MOV EDX, DWORD PTR SS:[EBP-5C]
00562384 52       PUSH EDX
00562385 FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcInStrRev>]    ; 查找“—”在子串中的位置
0056238B 8BF8       MOV EDI, EAX
0056238D 83FF 05    CMP EDI, 5
00562390 7D 13    JGE SHORT 005623A5
00562392 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
00562398 85C0       TEST EAX, EAX
0056239A 0F85 72110000 JNZ 00563512
005623A0 E9 5B110000 JMP 00563500
005623A5 C785 F4FEFFFF 1>MOV DWORD PTR SS:[EBP-10C], 00422C14       ; UNICODE "&H"
005623AF C785 ECFEFFFF 0>MOV DWORD PTR SS:[EBP-114], 8
005623B9 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
005623C3 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
005623CD 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]
005623D0 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC], ECX
005623D6 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4008
005623E0 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
005623E6 52       PUSH EDX
005623E7 8D47 01    LEA EAX, DWORD PTR DS:[EDI+1]
005623EA 50       PUSH EAX
005623EB 8D8D 0CFFFFFF LEA ECX, DWORD PTR SS:[EBP-F4]
005623F1 51       PUSH ECX
005623F2 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
005623F8 52       PUSH EDX
005623F9 FF15 4C114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; 取注册码从右往左第2部分
005623FF C785 E4FEFFFF C>MOV DWORD PTR SS:[EBP-11C], 00429EC4
00562409 C785 DCFEFFFF 0>MOV DWORD PTR SS:[EBP-124], 8
00562413 8D85 ECFEFFFF LEA EAX, DWORD PTR SS:[EBP-114]
00562419 50       PUSH EAX
0056241A 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
00562420 51       PUSH ECX
00562421 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:[EBP-D4]
00562427 52       PUSH EDX
00562428 FFD3       CALL EBX
0056242A 50       PUSH EAX
0056242B 8D85 DCFEFFFF LEA EAX, DWORD PTR SS:[EBP-124]
00562431 50       PUSH EAX
00562432 8D8D 1CFFFFFF LEA ECX, DWORD PTR SS:[EBP-E4]
00562438 51       PUSH ECX
00562439 FFD3       CALL EBX
0056243B 50       PUSH EAX
0056243C 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
00562442 52       PUSH EDX
00562443 FF15 4C124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00562449 50       PUSH EAX
0056244A FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
00562450 83EC 08    SUB ESP, 8
00562453 DD1C24    FSTP QWORD PTR SS:[ESP]
00562456 FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrR8>]    ; MSVBVM60.__vbaStrR8
0056245C 8BD0       MOV EDX, EAX
0056245E 8D4D AC    LEA ECX, DWORD PTR SS:[EBP-54]
00562461 FFD6       CALL ESI
00562463 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562469 FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0056246F 8D85 1CFFFFFF LEA EAX, DWORD PTR SS:[EBP-E4]
00562475 50       PUSH EAX
00562476 8D8D 2CFFFFFF LEA ECX, DWORD PTR SS:[EBP-D4]
0056247C 51       PUSH ECX
0056247D 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
00562483 52       PUSH EDX
00562484 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
0056248A 50       PUSH EAX
0056248B 6A 04    PUSH 4
0056248D FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00562493 83C4 14    ADD ESP, 14
00562496 8B4D AC    MOV ECX, DWORD PTR SS:[EBP-54]          ; 第2部分
00562499 51       PUSH ECX
0056249A FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>]    ; MSVBVM60.__vbaR8Str
005624A0 DC1D 386C4000 FCOMP QWORD PTR DS:[406C38]             ; 与51001比较
005624A6 DFE0       FSTSW AX
005624A8 F6C4 01    TEST AH, 1
005624AB 74 65    JE    SHORT 00562512                   ; 大于等于就跳（要跳）
005624AD 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
005624B3 85C0       TEST EAX, EAX
005624B5 75 12    JNZ SHORT 005624C9
005624B7 8D95 6CFFFFFF LEA EDX, DWORD PTR SS:[EBP-94]
005624BD 52       PUSH EDX
005624BE 68 EC814000 PUSH 004081EC
005624C3 FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
005624C9 8BBD 6CFFFFFF MOV EDI, DWORD PTR SS:[EBP-94]
005624CF C785 D8FEFFFF 0>MOV DWORD PTR SS:[EBP-128], 0
005624D9 8B45 DC    MOV EAX, DWORD PTR SS:[EBP-24]
005624DC 50       PUSH EAX
005624DD 68 C4144200 PUSH 004214C4                      ; UNICODE ".key"
005624E2 FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]    ; MSVBVM60.__vbaStrCat
005624E8 8BD0       MOV EDX, EAX
005624EA 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005624F0 FFD6       CALL ESI
005624F2 8B0F       MOV ECX, DWORD PTR DS:[EDI]
005624F4 8D95 D4FEFFFF LEA EDX, DWORD PTR SS:[EBP-12C]
005624FA 52       PUSH EDX
005624FB 8D85 D8FEFFFF LEA EAX, DWORD PTR SS:[EBP-128]
00562501 50       PUSH EAX
00562502 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
00562508 52       PUSH EDX
00562509 57       PUSH EDI
0056250A FF51 24    CALL DWORD PTR DS:[ECX+24]
0056250D E9 44100000 JMP 00563556
00562512 8D45 A4    LEA EAX, DWORD PTR SS:[EBP-5C]
00562515 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EAX
0056251B C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4008
00562525 4F       DEC EDI
00562526 57       PUSH EDI
00562527 8D8D 0CFFFFFF LEA ECX, DWORD PTR SS:[EBP-F4]
0056252D 51       PUSH ECX
0056252E 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
00562534 52       PUSH EDX
00562535 FF15 28134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcLeftCharVar>] ; MSVBVM60.rtcLeftCharVar
0056253B 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562541 50       PUSH EAX
00562542 8B1D 2C104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMo>; MSVBVM60.__vbaStrVarMove
00562548 FFD3       CALL EBX
0056254A 8BD0       MOV EDX, EAX
0056254C 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]
0056254F FFD6       CALL ESI
00562551 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562557 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0056255D 6A 00    PUSH 0
0056255F 6A FF    PUSH -1
00562561 68 84AE4100 PUSH 0041AE84
00562566 8B4D A4    MOV ECX, DWORD PTR SS:[EBP-5C]
00562569 51       PUSH ECX
0056256A FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcInStrRev>]    ; 在子串中找“－”位置
00562570 8BF8       MOV EDI, EAX
00562572 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
0056257C C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
00562586 8D55 A4    LEA EDX, DWORD PTR SS:[EBP-5C]
00562589 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDX
0056258F C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4008
00562599 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
0056259F 50       PUSH EAX
005625A0 8D4F 01    LEA ECX, DWORD PTR DS:[EDI+1]
005625A3 51       PUSH ECX
005625A4 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
005625AA 52       PUSH EDX
005625AB 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
005625B1 50       PUSH EAX
005625B2 FF15 4C114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; 注册码从右至左第3部分
005625B8 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
005625BE 51       PUSH ECX
005625BF FFD3       CALL EBX
005625C1 8BD0       MOV EDX, EAX
005625C3 8D4D 94    LEA ECX, DWORD PTR SS:[EBP-6C]
005625C6 FFD6       CALL ESI
005625C8 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
005625CE 52       PUSH EDX
005625CF 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
005625D5 50       PUSH EAX
005625D6 6A 02    PUSH 2
005625D8 FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
005625DE 83C4 0C    ADD ESP, 0C
005625E1 83FF 05    CMP EDI, 5
005625E4 7D 65    JGE SHORT 0056264B
005625E6 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
005625EC 85C0       TEST EAX, EAX
005625EE 75 12    JNZ SHORT 00562602
005625F0 8D8D 6CFFFFFF LEA ECX, DWORD PTR SS:[EBP-94]
005625F6 51       PUSH ECX
005625F7 68 EC814000 PUSH 004081EC
005625FC FF15 88124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>]    ; MSVBVM60.__vbaNew2
00562602 8BBD 6CFFFFFF MOV EDI, DWORD PTR SS:[EBP-94]
00562608 C785 D8FEFFFF 0>MOV DWORD PTR SS:[EBP-128], 0
00562612 8B55 DC    MOV EDX, DWORD PTR SS:[EBP-24]
00562615 52       PUSH EDX
00562616 68 C4144200 PUSH 004214C4                      ; UNICODE ".key"
0056261B FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]    ; MSVBVM60.__vbaStrCat
00562621 8BD0       MOV EDX, EAX
00562623 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562629 FFD6       CALL ESI
0056262B 8B07       MOV EAX, DWORD PTR DS:[EDI]
0056262D 8D8D D4FEFFFF LEA ECX, DWORD PTR SS:[EBP-12C]
00562633 51       PUSH ECX
00562634 8D95 D8FEFFFF LEA EDX, DWORD PTR SS:[EBP-128]
0056263A 52       PUSH EDX
0056263B 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562641 51       PUSH ECX
00562642 57       PUSH EDI
00562643 FF50 24    CALL DWORD PTR DS:[EAX+24]
00562646 E9 0B0F0000 JMP 00563556
0056264B 8D55 A4    LEA EDX, DWORD PTR SS:[EBP-5C]
0056264E 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDX
00562654 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4008
0056265E 4F       DEC EDI
0056265F 57       PUSH EDI
00562660 8D85 0CFFFFFF LEA EAX, DWORD PTR SS:[EBP-F4]
00562666 50       PUSH EAX
00562667 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
0056266D 51       PUSH ECX
0056266E FF15 28134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcLeftCharVar>] ; 取左边子串（第4部分）
00562674 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
0056267A 52       PUSH EDX
0056267B FFD3       CALL EBX
0056267D 8BD0       MOV EDX, EAX
0056267F 8D4D A4    LEA ECX, DWORD PTR SS:[EBP-5C]
00562682 FFD6       CALL ESI
00562684 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
0056268A FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar

135HACK · 发表于 2007-9-15 00:37:28

00562690 8B45 AC    MOV EAX, DWORD PTR SS:[EBP-54]          ; 第2部分
00562693 50       PUSH EAX
00562694 FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
0056269A FF15 28114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpR8>]    ; MSVBVM60.__vbaFpR8
005626A0 DC1D 386C4000 FCOMP QWORD PTR DS:[406C38]             ; 与51001比较
005626A6 DFE0       FSTSW AX
005626A8 F6C4 41    TEST AH, 41
005626AB C785 2CFEFFFF 0>MOV DWORD PTR SS:[EBP-1D4], 1
005626B5 75 0A    JNZ SHORT 005626C1                   ; 大于就不跳（不跳）
005626B7 C785 2CFEFFFF 0>MOV DWORD PTR SS:[EBP-1D4], 0
005626C1 8B4D A4    MOV ECX, DWORD PTR SS:[EBP-5C]          ; 第4部分
005626C4 51       PUSH ECX
005626C5 8B3D 34104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>>; MSVBVM60.__vbaLenBstr
005626CB FFD7       CALL EDI                         ; 算第4部分长度
005626CD 33DB       XOR EBX, EBX
005626CF 83F8 04    CMP EAX, 4                      ; 与4比较
005626D2 0F9CC3    SETL BL                            ; 比4小则BL=1,否则＝0
005626D5 8B55 E0    MOV EDX, DWORD PTR SS:[EBP-20]          ; 用户名
005626D8 52       PUSH EDX
005626D9 FFD7       CALL EDI                         ; 算用户名长度
005626DB 33C9       XOR ECX, ECX
005626DD 83F8 02    CMP EAX, 2                      ; 与2比较
005626E0 0F9CC1    SETL CL                            ; 比2小则CL=1,否则CL=0
005626E3 0BD9       OR    EBX, ECX
005626E5 F7DB       NEG EBX
005626E7 1BDB       SBB EBX, EBX
005626E9 F7DB       NEG EBX
005626EB 8B55 A0    MOV EDX, DWORD PTR SS:[EBP-60]          ; 机器码
005626EE 52       PUSH EDX
005626EF FFD7       CALL EDI                         ; 算机器码长度
005626F1 33C9       XOR ECX, ECX
005626F3 83F8 05    CMP EAX, 5                      ; 与5比较
005626F6 0F9CC1    SETL CL                            ; 比5小则CL=1,否则CL=0
005626F9 0BD9       OR    EBX, ECX
005626FB F7DB       NEG EBX
005626FD 1BDB       SBB EBX, EBX
005626FF F7DB       NEG EBX
00562701 0B9D 2CFEFFFF OR    EBX, DWORD PTR SS:[EBP-1D4]
00562707 0F85 BA140000 JNZ 00563BC7                      ; 不跳
0056270D BF 01000000 MOV EDI, 1
00562712 89BD 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDI
00562718 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 2
00562722 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
00562728 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
0056272B 8B1D 14104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaVarMove>>; MSVBVM60.__vbaVarMove
00562731 FFD3       CALL EBX
00562733 B8 03000000 MOV EAX, 3
00562738 3BF8       CMP EDI, EAX
0056273A 0F8F 8B000000 JG    005627CB
00562740 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 1
0056274A C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 2
00562754 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
0056275A 52       PUSH EDX
0056275B 57       PUSH EDI
0056275C 8B45 A0    MOV EAX, DWORD PTR SS:[EBP-60]          ; 机器码
0056275F 50       PUSH EAX
00562760 FF15 38114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharBstr>] ; 机器码前3位各字符
00562766 8BD0       MOV EDX, EAX
00562768 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
0056276E FFD6       CALL ESI
00562770 50       PUSH EAX
00562771 FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiValueBstr>] ; ASIIC
00562777 66:8985 04FFFFF>MOV WORD PTR SS:[EBP-FC], AX
0056277E C785 FCFEFFFF 0>MOV DWORD PTR SS:[EBP-104], 2
00562788 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
0056278B 51       PUSH ECX
0056278C 8D95 FCFEFFFF LEA EDX, DWORD PTR SS:[EBP-104]
00562792 52       PUSH EDX
00562793 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562799 50       PUSH EAX
0056279A FF15 EC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>]    ; 累加
005627A0 8BD0       MOV EDX, EAX
005627A2 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
005627A5 FFD3       CALL EBX
005627A7 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005627AD FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
005627B3 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
005627B9 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
005627BF B8 01000000 MOV EAX, 1
005627C4 03F8       ADD EDI, EAX
005627C6 ^ E9 68FFFFFF JMP 00562733                      ; 以上循环将机器码前3位的ASIIC码累加＋1
005627CB 8B4D A0    MOV ECX, DWORD PTR SS:[EBP-60]
005627CE 51       PUSH ECX
005627CF FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
005627D5 8985 94FEFFFF MOV DWORD PTR SS:[EBP-16C], EAX
005627DB BF 04000000 MOV EDI, 4
005627E0 3BBD 94FEFFFF CMP EDI, DWORD PTR SS:[EBP-16C]
005627E6 0F8F 8B000000 JG    00562877
005627EC C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 1
005627F6 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 2
00562800 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
00562806 52       PUSH EDX
00562807 57       PUSH EDI
00562808 8B45 A0    MOV EAX, DWORD PTR SS:[EBP-60]
0056280B 50       PUSH EAX
0056280C FF15 38114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharBstr>] ; 后几位各字符
00562812 8BD0       MOV EDX, EAX
00562814 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
0056281A FFD6       CALL ESI
0056281C 50       PUSH EAX
0056281D FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiValueBstr>] ; ASIIC码
00562823 66:8985 04FFFFF>MOV WORD PTR SS:[EBP-FC], AX
0056282A C785 FCFEFFFF 0>MOV DWORD PTR SS:[EBP-104], 2
00562834 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562837 51       PUSH ECX
00562838 8D95 FCFEFFFF LEA EDX, DWORD PTR SS:[EBP-104]
0056283E 52       PUSH EDX
0056283F 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562845 50       PUSH EAX
00562846 FF15 EC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMul>]    ; 与上面的和累乘得A
0056284C 8BD0       MOV EDX, EAX
0056284E 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562851 FFD3       CALL EBX
00562853 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562859 FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0056285F 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562865 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0056286B B8 01000000 MOV EAX, 1
00562870 03F8       ADD EDI, EAX
00562872 ^ E9 69FFFFFF JMP 005627E0
00562877 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
0056287A 51       PUSH ECX
0056287B FF15 C4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Var>]    ; MSVBVM60.__vbaR8Var
00562881 E8 6847EAFF CALL                ; A开方
00562886 DD9D C8FEFFFF FSTP QWORD PTR SS:[EBP-138]
0056288C 6A 05    PUSH 5
0056288E 8B95 CCFEFFFF MOV EDX, DWORD PTR SS:[EBP-134]
00562894 52       PUSH EDX
00562895 8B85 C8FEFFFF MOV EAX, DWORD PTR SS:[EBP-138]
0056289B 50       PUSH EAX
0056289C FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrR8>]    ; 转为字串
005628A2 8BD0       MOV EDX, EAX
005628A4 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005628AA FFD6       CALL ESI
005628AC 50       PUSH EAX
005628AD FF15 38134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRightCharBstr>] ; 取右边5位
005628B3 8BD0       MOV EDX, EAX
005628B5 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
005628BB FFD6       CALL ESI
005628BD 50       PUSH EAX
005628BE FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
005628C4 FF15 18134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>]    ; 转为整数得B
005628CA 8BF8       MOV EDI, EAX
005628CC 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]          ; A
005628CF 51       PUSH ECX
005628D0 FF15 C4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Var>]    ; MSVBVM60.__vbaR8Var
005628D6 E8 1347EAFF CALL                ; 开方
005628DB DC0D 306C4000 FMUL QWORD PTR DS:[406C30]             ; ×11001
005628E1 FF15 44134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8IntI4>] ; 取整得C
005628E7 33F8       XOR EDI, EAX                      ; B 、 C 异或
005628E9 8B55 AC    MOV EDX, DWORD PTR SS:[EBP-54]          ; 注册码从右到左第2部分
005628EC 52       PUSH EDX
005628ED FF15 AC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>]    ; MSVBVM60.__vbaI4Str
005628F3 33F8       XOR EDI, EAX                      ; 再异或
005628F5 89BD 28FEFFFF MOV DWORD PTR SS:[EBP-1D8], EDI
005628FB DB85 28FEFFFF FILD DWORD PTR SS:[EBP-1D8]
00562901 DD9D 20FEFFFF FSTP QWORD PTR SS:[EBP-1E0]
00562907 8B45 AC    MOV EAX, DWORD PTR SS:[EBP-54]
0056290A 50       PUSH EAX
0056290B FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>]    ; MSVBVM60.__vbaR8Str
00562911 DCAD 20FEFFFF FSUBR QWORD PTR SS:[EBP-1E0]             ; 减去“第2部分”，得D
00562917 DD9D 14FFFFFF FSTP QWORD PTR SS:[EBP-EC]
0056291D C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 5
00562927 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
0056292D 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562930 FFD3       CALL EBX
00562932 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
00562938 51       PUSH ECX
00562939 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
0056293F 52       PUSH EDX
00562940 6A 02    PUSH 2
00562942 FF15 B4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00562948 83C4 0C    ADD ESP, 0C
0056294B 8B45 E0    MOV EAX, DWORD PTR SS:[EBP-20]          ; <====注册码第3部分／／用户名
0056294E 50       PUSH EAX
0056294F FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; 长度
00562955 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EAX          ; ［EBP-84］初值为用户名长度
0056295B 8985 8CFEFFFF MOV DWORD PTR SS:[EBP-174], EAX
00562961 B8 01000000 MOV EAX, 1                      ; 循环变量置1
00562966 8945 9C    MOV DWORD PTR SS:[EBP-64], EAX
00562969 3B85 8CFEFFFF CMP EAX, DWORD PTR SS:[EBP-174]          ; 循环变量与长度比较
0056296F 0F8F DB000000 JG    00562A50
00562975 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 1
0056297F C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 2
00562989 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
0056298F 51       PUSH ECX
00562990 50       PUSH EAX
00562991 8B55 E0    MOV EDX, DWORD PTR SS:[EBP-20]
00562994 52       PUSH EDX
00562995 FF15 38114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharBstr>] ; 用户名各字符
0056299B 8BD0       MOV EDX, EAX
0056299D 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
005629A3 FFD6       CALL ESI
005629A5 50       PUSH EAX
005629A6 FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiValueBstr>] ; ASIIC
005629AC 8985 D8FEFFFF MOV DWORD PTR SS:[EBP-128], EAX
005629B2 68 00000040 PUSH 40000000
005629B7 6A 00    PUSH 0
005629B9 DB45 9C    FILD DWORD PTR SS:[EBP-64]             ; 循环变量
005629BC DD9D 18FEFFFF FSTP QWORD PTR SS:[EBP-1E8]
005629C2 8B85 1CFEFFFF MOV EAX, DWORD PTR SS:[EBP-1E4]
005629C8 50       PUSH EAX
005629C9 8B8D 18FEFFFF MOV ECX, DWORD PTR SS:[EBP-1E8]
005629CF 51       PUSH ECX
005629D0 FF15 C0124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPowerR8>] ; 循环变量的平方
005629D6 0FBF85 D8FEFFFF MOVSX EAX, WORD PTR SS:[EBP-128]
005629DD 99       CDQ
005629DE 33C2       XOR EAX, EDX
005629E0 2BC2       SUB EAX, EDX
005629E2 0FBFD0    MOVSX EDX, AX                      ; EDX=ASIIC的绝对值
005629E5 8995 14FEFFFF MOV DWORD PTR SS:[EBP-1EC], EDX
005629EB DB85 14FEFFFF FILD DWORD PTR SS:[EBP-1EC]             ; ASIIC的绝对值
005629F1 DD9D 0CFEFFFF FSTP QWORD PTR SS:[EBP-1F4]
005629F7 DC8D 0CFEFFFF FMUL QWORD PTR SS:[EBP-1F4]             ; ×所在位数的平方
005629FD DB85 7CFFFFFF FILD DWORD PTR SS:[EBP-84]
00562A03 DD9D 04FEFFFF FSTP QWORD PTR SS:[EBP-1FC]
00562A09 DC85 04FEFFFF FADD QWORD PTR SS:[EBP-1FC]             ; ＋［EBP-84］
00562A0F FF15 18134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>]    ; MSVBVM60.__vbaFpI4
00562A15 8BF8       MOV EDI, EAX
00562A17 8B45 AC    MOV EAX, DWORD PTR SS:[EBP-54]          ; 第2部分
00562A1A 50       PUSH EAX
00562A1B FF15 AC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>]    ; MSVBVM60.__vbaI4Str
00562A21 33F8       XOR EDI, EAX                      ; 上面的结果异或第2部分
00562A23 89BD 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EDI          ; 异或结果存入［EBP-84］
00562A29 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562A2F FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00562A35 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562A3B FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00562A41 B9 01000000 MOV ECX, 1
00562A46 8B45 9C    MOV EAX, DWORD PTR SS:[EBP-64]
00562A49 03C1       ADD EAX, ECX
00562A4B ^ E9 16FFFFFF JMP 00562966                      ; 对用户名循环处理，得结果E
00562A50 68 142C4200 PUSH 00422C14                      ; UNICODE "&H"
00562A55 8B4D 94    MOV ECX, DWORD PTR SS:[EBP-6C]          ; 第3部分
00562A58 51       PUSH ECX
00562A59 FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcStrReverse>] ; 注册码第3部分反转
00562A5F 8BD0       MOV EDX, EAX
00562A61 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562A67 FFD6       CALL ESI
00562A69 50       PUSH EAX
00562A6A 8B3D 7C104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
00562A70 FFD7       CALL EDI
00562A72 8BD0       MOV EDX, EAX
00562A74 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
00562A7A FFD6       CALL ESI
00562A7C 50       PUSH EAX
00562A7D 68 C49E4200 PUSH 00429EC4
00562A82 FFD7       CALL EDI
00562A84 8BD0       MOV EDX, EAX
00562A86 8D8D 60FFFFFF LEA ECX, DWORD PTR SS:[EBP-A0]
00562A8C FFD6       CALL ESI
00562A8E 50       PUSH EAX
00562A8F FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
00562A95 DC35 30194000 FDIV QWORD PTR DS:[401930]             ; 除以2
00562A9B FF15 18134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>]    ; 取整
00562AA1 8BF8       MOV EDI, EAX
00562AA3 33BD 7CFFFFFF XOR EDI, DWORD PTR SS:[EBP-84]          ; 异或E
00562AA9 F7DF       NEG EDI
00562AAB 1BFF       SBB EDI, EDI
00562AAD F7DF       NEG EDI
00562AAF F7DF       NEG EDI
00562AB1 8D95 60FFFFFF LEA EDX, DWORD PTR SS:[EBP-A0]
00562AB7 52       PUSH EDX
00562AB8 8D85 64FFFFFF LEA EAX, DWORD PTR SS:[EBP-9C]
00562ABE 50       PUSH EAX
00562ABF 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562AC5 51       PUSH ECX
00562AC6 6A 03    PUSH 3
00562AC8 FF15 B4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00562ACE 83C4 10    ADD ESP, 10
00562AD1 66:85FF    TEST DI, DI
00562AD4 0F84 EB010000 JE    00562CC5                      ; 异或结果为0就跳，要跳
00562ADA C785 7CFFFFFF 0>MOV DWORD PTR SS:[EBP-84], 1
00562AE4 8B55 E0    MOV EDX, DWORD PTR SS:[EBP-20]
00562AE7 52       PUSH EDX                         ;
00562AE8 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; 算用户名长度
00562AEE BA 01000000 MOV EDX, 1
00562AF3 8BCA       MOV ECX, EDX
00562AF5 8BBD 7CFFFFFF MOV EDI, DWORD PTR SS:[EBP-84]
00562AFB 3BC8       CMP ECX, EAX
00562AFD 7F 0C    JG    SHORT 00562B0B
00562AFF 03F9       ADD EDI, ECX
00562B01 89BD 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EDI
00562B07 03CA       ADD ECX, EDX
00562B09 ^ EB F0    JMP SHORT 00562AFB                   ; 从1起累加至用户名位数＋1
00562B0B DB85 7CFFFFFF FILD DWORD PTR SS:[EBP-84]
00562B11 DD9D FCFDFFFF FSTP QWORD PTR SS:[EBP-204]
00562B17 DD85 FCFDFFFF FLD QWORD PTR SS:[EBP-204]
00562B1D E8 CC44EAFF CALL                ; 开方
00562B22 DC0D 286C4000 FMUL QWORD PTR DS:[406C28]             ; ×21110
00562B28 D9E1       FABS                               ; 取绝对值
00562B2A FF15 44134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8IntI4>] ; MSVBVM60.__vbaR8IntI4
00562B30 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EAX
00562B36 8B45 E0    MOV EAX, DWORD PTR SS:[EBP-20]
00562B39 50       PUSH EAX
00562B3A FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00562B40 B9 01000000 MOV ECX, 1
00562B45 8BF9       MOV EDI, ECX
00562B47 8B95 7CFFFFFF MOV EDX, DWORD PTR SS:[EBP-84]
00562B4D 3BF8       CMP EDI, EAX
00562B4F 7F 0C    JG    SHORT 00562B5D
00562B51 33D7       XOR EDX, EDI
00562B53 8995 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EDX
00562B59 03F9       ADD EDI, ECX
00562B5B ^ EB F0    JMP SHORT 00562B4D                   ; 循环异或（从1至用户名长度）
00562B5D C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
00562B67 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
00562B71 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:[EBP-84]
00562B77 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC], ECX
00562B7D C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4003
00562B87 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
00562B8D 52       PUSH EDX                         ; 10
00562B8E 6A 01    PUSH 1
00562B90 8D85 0CFFFFFF LEA EAX, DWORD PTR SS:[EBP-F4]
00562B96 50       PUSH EAX
00562B97 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
00562B9D 51       PUSH ECX
00562B9E FF15 4C114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; 转为字串
00562BA4 8D55 84    LEA EDX, DWORD PTR SS:[EBP-7C]
00562BA7 52       PUSH EDX
00562BA8 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562BAE 50       PUSH EAX
00562BAF 8D8D 2CFFFFFF LEA ECX, DWORD PTR SS:[EBP-D4]
00562BB5 51       PUSH ECX
00562BB6 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; MSVBVM60.__vbaVarXor
00562BBC 8BD0       MOV EDX, EAX
00562BBE 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562BC1 FFD3       CALL EBX
00562BC3 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
00562BC9 52       PUSH EDX
00562BCA 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562BD0 50       PUSH EAX
00562BD1 6A 02    PUSH 2
00562BD3 FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00562BD9 83C4 0C    ADD ESP, 0C
00562BDC 83FF 0A    CMP EDI, 0A
00562BDF 0F85 CD000000 JNZ 00562CB2
00562BE5 89BD 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDI
00562BEB C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 3
00562BF5 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562BF8 51       PUSH ECX
00562BF9 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
00562BFF 52       PUSH EDX
00562C00 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562C06 50       PUSH EAX
00562C07 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; MSVBVM60.__vbaVarXor
00562C0D 8BD0       MOV EDX, EAX
00562C0F 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562C12 FFD3       CALL EBX
00562C14 C785 78FEFFFF 0>MOV DWORD PTR SS:[EBP-188], 1
00562C1E 33FF       XOR EDI, EDI
00562C20 B8 0F000000 MOV EAX, 0F
00562C25 3BF8       CMP EDI, EAX
00562C27 7F 37    JG    SHORT 00562C60
00562C29 89BD 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDI
00562C2F C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 3
00562C39 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562C3C 51       PUSH ECX
00562C3D 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
00562C43 52       PUSH EDX
00562C44 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562C4A 50       PUSH EAX
00562C4B FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; MSVBVM60.__vbaVarXor
00562C51 8BD0       MOV EDX, EAX
00562C53 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562C56 FFD3       CALL EBX
00562C58 03BD 78FEFFFF ADD EDI, DWORD PTR SS:[EBP-188]
00562C5E ^ EB C0    JMP SHORT 00562C20
00562C60 C785 14FFFFFF 5>MOV DWORD PTR SS:[EBP-EC], 10C958
00562C6A C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 8003
00562C74 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562C77 51       PUSH ECX
00562C78 8D95 0CFFFFFF LEA EDX, DWORD PTR SS:[EBP-F4]
00562C7E 52       PUSH EDX
00562C7F FF15 84114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstEq>] ; MSVBVM60.__vbaVarTstEq
00562C85 66:85C0    TEST AX, AX
00562C88 74 15    JE    SHORT 00562C9F
00562C8A 8D45 84    LEA EAX, DWORD PTR SS:[EBP-7C]
00562C8D 50       PUSH EAX
00562C8E FF15 C4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Var>]    ; MSVBVM60.__vbaR8Var
00562C94 DD9D 70FFFFFF FSTP QWORD PTR SS:[EBP-90]
00562C9A E9 280F0000 JMP 00563BC7
00562C9F 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
00562CA5 85C0       TEST EAX, EAX
00562CA7 ^ 0F85 55F9FFFF JNZ 00562602
00562CAD ^ E9 3EF9FFFF JMP 005625F0
00562CB2 8B85 6CFFFFFF MOV EAX, DWORD PTR SS:[EBP-94]
00562CB8 85C0       TEST EAX, EAX
00562CBA ^ 0F85 09F8FFFF JNZ 005624C9
00562CC0 ^ E9 F2F7FFFF JMP 005624B7
00562CC5 BF 01000000 MOV EDI, 1                      ; <====第4部分算法
00562CCA 89BD 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EDI          ; [EBP-84]初值为1
00562CD0 8B45 E0    MOV EAX, DWORD PTR SS:[EBP-20]
00562CD3 50       PUSH EAX
00562CD4 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00562CDA 8985 6CFEFFFF MOV DWORD PTR SS:[EBP-194], EAX
00562CE0 897D 9C    MOV DWORD PTR SS:[EBP-64], EDI          ; 循环变量
00562CE3 3BBD 6CFEFFFF CMP EDI, DWORD PTR SS:[EBP-194]
00562CE9 0F8F 9F000000 JG    00562D8E
00562CEF C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 1
00562CF9 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 2
00562D03 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562D09 51       PUSH ECX
00562D0A 57       PUSH EDI
00562D0B 8B55 E0    MOV EDX, DWORD PTR SS:[EBP-20]
00562D0E 52       PUSH EDX
00562D0F FF15 38114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharBstr>] ; 用户名各字符ASIIC
00562D15 8BD0       MOV EDX, EAX
00562D17 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562D1D FFD6       CALL ESI
00562D1F 50       PUSH EAX
00562D20 FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiValueBstr>] ; MSVBVM60.rtcAnsiValueBstr
00562D26 0FBFC0    MOVSX EAX, AX
00562D29 99       CDQ
00562D2A 33C2       XOR EAX, EDX
00562D2C 2BC2       SUB EAX, EDX
00562D2E 0FBFF8    MOVSX EDI, AX
00562D31 8B45 E0    MOV EAX, DWORD PTR SS:[EBP-20]
00562D34 50       PUSH EAX
00562D35 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00562D3B 0FAFF8    IMUL EDI, EAX                      ; ×长度
00562D3E 8BCF       MOV ECX, EDI
00562D40 8B7D 9C    MOV EDI, DWORD PTR SS:[EBP-64]
00562D43 0FAFCF    IMUL ECX, EDI                      ; ×循环变量
00562D46 8B95 7CFFFFFF MOV EDX, DWORD PTR SS:[EBP-84]
00562D4C 03CA       ADD ECX, EDX                      ; ＋［EBP-84］
00562D4E 898D F4FDFFFF MOV DWORD PTR SS:[EBP-20C], ECX
00562D54 8B45 AC    MOV EAX, DWORD PTR SS:[EBP-54]          ; 第2部分
00562D57 50       PUSH EAX
00562D58 FF15 AC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>]    ; MSVBVM60.__vbaI4Str
00562D5E 3385 F4FDFFFF XOR EAX, DWORD PTR SS:[EBP-20C]          ; 第2部分异或上面结果
00562D64 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EAX          ; 异或结果存入［EBP-84］
00562D6A 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562D70 FF15 98134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00562D76 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562D7C FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00562D82 B8 01000000 MOV EAX, 1
00562D87 03F8       ADD EDI, EAX
00562D89 ^ E9 52FFFFFF JMP 00562CE0                      ; 循环，得结果F
00562D8E 8B8D 7CFFFFFF MOV ECX, DWORD PTR SS:[EBP-84]
00562D94 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC], ECX
00562D9A C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 3
00562DA4 8D55 84    LEA EDX, DWORD PTR SS:[EBP-7C]
00562DA7 52       PUSH EDX
00562DA8 8D85 0CFFFFFF LEA EAX, DWORD PTR SS:[EBP-F4]
00562DAE 50       PUSH EAX
00562DAF 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562DB5 51       PUSH ECX
00562DB6 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; F与前所得结果D异或
00562DBC 8BD0       MOV EDX, EAX
00562DBE 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562DC1 FFD3       CALL EBX
00562DC3 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
00562DCD C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
00562DD7 8D95 7CFFFFFF LEA EDX, DWORD PTR SS:[EBP-84]
00562DDD 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDX
00562DE3 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4003
00562DED 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562DF3 50       PUSH EAX
00562DF4 6A 02    PUSH 2
00562DF6 8D8D 0CFFFFFF LEA ECX, DWORD PTR SS:[EBP-F4]
00562DFC 51       PUSH ECX
00562DFD 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]          ; F
00562E03 52       PUSH EDX
00562E04 8B3D 4C114000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>; 从第2位起取10位,得G
00562E0A FFD7       CALL EDI
00562E0C 8D45 84    LEA EAX, DWORD PTR SS:[EBP-7C]
00562E0F 50       PUSH EAX
00562E10 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
00562E16 51       PUSH ECX
00562E17 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:[EBP-D4]
00562E1D 52       PUSH EDX
00562E1E FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; 再与前面结果异或
00562E24 8BD0       MOV EDX, EAX
00562E26 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562E29 FFD3       CALL EBX
00562E2B 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562E31 50       PUSH EAX
00562E32 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562E38 51       PUSH ECX
00562E39 6A 02    PUSH 2
00562E3B FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00562E41 83C4 0C    ADD ESP, 0C
00562E44 C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 80020004
00562E4E C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 0A
00562E58 8D95 7CFFFFFF LEA EDX, DWORD PTR SS:[EBP-84]
00562E5E 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDX
00562E64 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4003
00562E6E 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562E74 50       PUSH EAX
00562E75 6A 03    PUSH 3
00562E77 8D8D 0CFFFFFF LEA ECX, DWORD PTR SS:[EBP-F4]
00562E7D 51       PUSH ECX
00562E7E 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
00562E84 52       PUSH EDX
00562E85 FFD7       CALL EDI                         ; F从第3位起取10位
00562E87 8D45 84    LEA EAX, DWORD PTR SS:[EBP-7C]
00562E8A 50       PUSH EAX
00562E8B 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
00562E91 51       PUSH ECX
00562E92 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:[EBP-D4]
00562E98 52       PUSH EDX
00562E99 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; 异或
00562E9F 8BD0       MOV EDX, EAX
00562EA1 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562EA4 FFD3       CALL EBX
00562EA6 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562EAC 50       PUSH EAX
00562EAD 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562EB3 51       PUSH ECX
00562EB4 6A 02    PUSH 2
00562EB6 FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00562EBC 83C4 0C    ADD ESP, 0C
00562EBF C785 54FFFFFF 0>MOV DWORD PTR SS:[EBP-AC], 1
00562EC9 C785 4CFFFFFF 0>MOV DWORD PTR SS:[EBP-B4], 2
00562ED3 8D95 7CFFFFFF LEA EDX, DWORD PTR SS:[EBP-84]
00562ED9 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EDX
00562EDF C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 4003
00562EE9 8D85 4CFFFFFF LEA EAX, DWORD PTR SS:[EBP-B4]
00562EEF 50       PUSH EAX
00562EF0 6A 01    PUSH 1
00562EF2 8D8D 0CFFFFFF LEA ECX, DWORD PTR SS:[EBP-F4]
00562EF8 51       PUSH ECX
00562EF9 8D95 3CFFFFFF LEA EDX, DWORD PTR SS:[EBP-C4]
00562EFF 52       PUSH EDX
00562F00 FFD7       CALL EDI                         ; F从第1位起取1位
00562F02 8D45 84    LEA EAX, DWORD PTR SS:[EBP-7C]
00562F05 50       PUSH EAX
00562F06 8D8D 3CFFFFFF LEA ECX, DWORD PTR SS:[EBP-C4]
00562F0C 51       PUSH ECX
00562F0D 8D95 2CFFFFFF LEA EDX, DWORD PTR SS:[EBP-D4]
00562F13 52       PUSH EDX
00562F14 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; 异或
00562F1A 8BD0       MOV EDX, EAX
00562F1C 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562F1F FFD3       CALL EBX
00562F21 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00562F27 50       PUSH EAX
00562F28 8D8D 4CFFFFFF LEA ECX, DWORD PTR SS:[EBP-B4]
00562F2E 51       PUSH ECX
00562F2F 6A 02    PUSH 2
00562F31 FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00562F37 83C4 0C    ADD ESP, 0C
00562F3A 68 142C4200 PUSH 00422C14                      ; UNICODE "&H"
00562F3F 8B55 A4    MOV EDX, DWORD PTR SS:[EBP-5C]          ; 注册码第4部分
00562F42 52       PUSH EDX
00562F43 FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcStrReverse>] ; 反转
00562F49 8BD0       MOV EDX, EAX
00562F4B 8D8D 68FFFFFF LEA ECX, DWORD PTR SS:[EBP-98]
00562F51 FFD6       CALL ESI
00562F53 50       PUSH EAX
00562F54 8B1D 7C104000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
00562F5A FFD3       CALL EBX
00562F5C 8BD0       MOV EDX, EAX
00562F5E 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
00562F64 FFD6       CALL ESI
00562F66 50       PUSH EAX
00562F67 68 C49E4200 PUSH 00429EC4
00562F6C FFD3       CALL EBX
00562F6E 8BD0       MOV EDX, EAX
00562F70 8D8D 60FFFFFF LEA ECX, DWORD PTR SS:[EBP-A0]
00562F76 FFD6       CALL ESI
00562F78 50       PUSH EAX
00562F79 FF15 A0134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
00562F7F FF15 18134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>]    ; MSVBVM60.__vbaFpI4
00562F85 3385 7CFFFFFF XOR EAX, DWORD PTR SS:[EBP-84]          ; 与F异或
00562F8B 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC], EAX
00562F91 C785 0CFFFFFF 0>MOV DWORD PTR SS:[EBP-F4], 3
00562F9B 8D85 0CFFFFFF LEA EAX, DWORD PTR SS:[EBP-F4]
00562FA1 50       PUSH EAX
00562FA2 8D4D 84    LEA ECX, DWORD PTR SS:[EBP-7C]
00562FA5 51       PUSH ECX
00562FA6 8D95 4CFFFFFF LEA EDX, DWORD PTR SS:[EBP-B4]
00562FAC 52       PUSH EDX
00562FAD FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>]    ; MSVBVM60.__vbaVarXor
00562FB3 50       PUSH EAX
00562FB4 FF15 24114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>] ; MSVBVM60.__vbaBoolVarNull
00562FBA 66:8BD8    MOV BX, AX
00562FBD 8D85 60FFFFFF LEA EAX, DWORD PTR SS:[EBP-A0]
00562FC3 50       PUSH EAX
00562FC4 8D8D 64FFFFFF LEA ECX, DWORD PTR SS:[EBP-9C]
00562FCA 51       PUSH ECX
00562FCB 8D95 68FFFFFF LEA EDX, DWORD PTR SS:[EBP-98]
00562FD1 52       PUSH EDX
00562FD2 6A 03    PUSH 3
00562FD4 FF15 B4124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00562FDA 83C4 10    ADD ESP, 10
00562FDD 66:85DB    TEST BX, BX
00562FE0 0F84 87050000 JE    0056356D                      ; 异或结果为0就跳，要跳
......
4.小结
从上面这段程序可看出，运行程序后它先判断自己有没有被脱壳，被脱壳就调用“快速关机”功能（这本身是该软件的一个功能），然后再计算机器码，并将其变形后写入注册表中，然后查找有没有注册文件X:\FXSYS\FXSYS.KEY，有就对其进行解密（xor 0xfb)并将解密结果存入临时文件X:\FXSYS\FXSYS.TMP中，然后打开FXSYS.TMP文件，将其中的4行内容读出分别进行判断：
第1行＝[FXV25]
第2行＝机器码
第3行＝用户名
第4行＝注册码
5.算法总结
注册码格式：第4部分－第3部分－第2部分－第1部分
1）第1部分与0x22b9（十进制数8889）比较大于等于就行,即第1部分>=22B9
2）第2部分要同时满足005624AB和005626B5两处就必须是大于0xC379（十进制数51001）的数
3）机器码前3字符的ASIIC码累加再加1后与机器码从第4位起后的各位字符ASIIC码累乘，得数A
4）A开方取结果右边5位（注意精度，好象是LONG）得数B，A开方结果×11001取整得数C
5）（C XOR D XOR 第2部分）－第2部分，得数D
6）（用户名各字符ASIIC码×所在位数的平方＋用户名长度）XOR 第2部分，结果替换“用户名长度”后循环，直到用户名所有字符取完，得结果E
7）E×2转为十六进制数后反转即为注册码第3部分
8）（用户名各字符ASIIC码×用户名长度×所在位数＋1）XOR 第2部分，结果替换“1”后循环，直到用户名所有字符取完，得结果F
9）D与F第2位起的10位数异或，再与F第3位起的10位数异或，再与F的第1位数异或，结果转为十六进制数后反转即为注册码的第4部分

hmily · 发表于 2007-9-19 08:45:20

好详细。。。。。。。。。。。

kiss-you · 发表于 2007-9-19 09:49:12

楼主直接写个注册机就好了。

路过人间 · 发表于 2008-2-15 21:35:54

分析得很清楚啊现在新版的算法又变了我怎么总是跟到死循环里啊帮忙指点一下谢谢了

		自动登录	找回密码
密码			加入我们

[原创] XX桌面日历2.53算法分析