- UID
- 346
注册时间2005-3-21
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 奋斗
2016-10-21 20:30 |
|---|
签到天数: 1 天 [LV.1]初来乍到
|
【破文标题】CrackMe By [PYG]Zass算法分析+VB注册机源码
【破解作者】hrbx
【破解日期】2009-11-05
【软件简介】CrackMe By [PYG]Zass
【下载地址】https://www.chinapyg.com/viewthr ... &extra=page%3D1
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描,显示为:Microsoft Visual Basic 5.0 / 6.0,无壳。
2.查找程序控件事件地址。OD载入,Ctrl+B,在Hex栏输入:816C24,查找VB各控件事件地址:
==================================================================
00402C1C . 816C24 04 43000000 sub dword ptr [esp+4], 43
00402C24 . E9 E7010000 jmp 00402E10 ; 注册按钮_Click
00402C36 . 816C24 04 47000000 sub dword ptr [esp+4], 47
00402C3E E9 4D050000 jmp 00403190 ; 注册名_Change
00402C43 . 816C24 04 47000000 sub dword ptr [esp+4], 47
00402C4B . E9 00060000 jmp 00403250 ; 注册名_GotFocus
00402C50 . 816C24 04 4B000000 sub dword ptr [esp+4], 4B
00402C58 E9 B3060000 jmp 00403310 ; 注册码_Change
00402C84 . 816C24 04 4B000000 sub dword ptr [esp+4], 4B
00402C8C . E9 DF1D0000 jmp 00404A70 ; 注册码_GotFocus
==================================================================
3.暴破分析。OD载入,Ctrl+G,输入注册按钮_Click事件地址:00402E10,确定后F2下断:
00402E10 > \55 push ebp ; F2下断
00402E11 . 8BEC mov ebp, esp
00402E13 . 83EC 0C sub esp, 0C
00402E16 . 68 D6114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE 处理程序安装
00402E1B . 64:A1 00000000 mov eax, dword ptr fs:[0]
00402E21 . 50 push eax
00402E22 . 64:8925 00000000 mov dword ptr fs:[0], esp
00402E29 . 83EC 2C sub esp, 2C
00402E2C . 53 push ebx
00402E2D . 56 push esi
00402E2E . 57 push edi
00402E2F . 8965 F4 mov dword ptr [ebp-C], esp
00402E32 . C745 F8 18114000 mov dword ptr [ebp-8], 00401118
00402E39 . 8B75 08 mov esi, dword ptr [ebp+8]
00402E3C . 8BC6 mov eax, esi
00402E3E . 83E0 01 and eax, 1
00402E41 . 8945 FC mov dword ptr [ebp-4], eax
00402E44 . 83E6 FE and esi, FFFFFFFE
00402E47 . 56 push esi
00402E48 . 8975 08 mov dword ptr [ebp+8], esi
00402E4B . 8B0E mov ecx, dword ptr [esi]
00402E4D . FF51 04 call dword ptr [ecx+4]
00402E50 . 8B16 mov edx, dword ptr [esi]
00402E52 . 33C0 xor eax, eax
00402E54 . 56 push esi
00402E55 . 8945 E8 mov dword ptr [ebp-18], eax
00402E58 . 8945 E4 mov dword ptr [ebp-1C], eax
00402E5B . 8945 E0 mov dword ptr [ebp-20], eax
00402E5E . 8945 DC mov dword ptr [ebp-24], eax
00402E61 . FF92 04030000 call dword ptr [edx+304]
00402E67 . 8B1D 44104000 mov ebx, dword ptr [<&MSVBVM60.__vbaObjS>
00402E6D . 50 push eax
00402E6E . 8D45 E0 lea eax, dword ptr [ebp-20]
00402E71 . 50 push eax
00402E72 . FFD3 call ebx
00402E74 . 8BF8 mov edi, eax
00402E76 . 8D55 E8 lea edx, dword ptr [ebp-18]
00402E79 . 52 push edx
00402E7A . 57 push edi
00402E7B . 8B0F mov ecx, dword ptr [edi]
00402E7D . FF91 A0000000 call dword ptr [ecx+A0]
00402E83 . 85C0 test eax, eax
00402E85 . DBE2 fclex
00402E87 . 7D 12 jge short 00402E9B
00402E89 . 68 A0000000 push 0A0
00402E8E . 68 D4234000 push 004023D4
00402E93 . 57 push edi
00402E94 . 50 push eax
00402E95 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00402E9B > 8B06 mov eax, dword ptr [esi]
00402E9D . 56 push esi
00402E9E . FF90 00030000 call dword ptr [eax+300]
00402EA4 . 8D4D DC lea ecx, dword ptr [ebp-24]
00402EA7 . 50 push eax
00402EA8 . 51 push ecx
00402EA9 . FFD3 call ebx
00402EAB . 8BF8 mov edi, eax
00402EAD . 8D45 E4 lea eax, dword ptr [ebp-1C]
00402EB0 . 50 push eax
00402EB1 . 57 push edi
00402EB2 . 8B17 mov edx, dword ptr [edi]
00402EB4 . FF92 A0000000 call dword ptr [edx+A0]
00402EBA . 85C0 test eax, eax
00402EBC . DBE2 fclex
00402EBE . 7D 12 jge short 00402ED2
00402EC0 . 68 A0000000 push 0A0
00402EC5 . 68 D4234000 push 004023D4
00402ECA . 57 push edi
00402ECB . 50 push eax
00402ECC . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00402ED2 > 8B4D E4 mov ecx, dword ptr [ebp-1C] ; 注册码
00402ED5 . 51 push ecx
00402ED6 . 68 E8234000 push 004023E8
00402EDB . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; 检测注册码是否为空
00402EE1 . 8B55 E8 mov edx, dword ptr [ebp-18] ; 注册名
00402EE4 . 8BF8 mov edi, eax
00402EE6 . F7DF neg edi
00402EE8 . 1BFF sbb edi, edi
00402EEA . 52 push edx
00402EEB . 47 inc edi
00402EEC . 68 E8234000 push 004023E8
00402EF1 . F7DF neg edi
00402EF3 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; 检测注册名是否为空
00402EF9 . F7D8 neg eax
00402EFB . 1BC0 sbb eax, eax
00402EFD . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402F00 . 40 inc eax
00402F01 . F7D8 neg eax
00402F03 . 0BF8 or edi, eax
00402F05 . 8D45 E4 lea eax, dword ptr [ebp-1C]
00402F08 . 50 push eax
00402F09 . 51 push ecx
00402F0A . 6A 02 push 2
00402F0C . FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStrLi>
00402F12 . 8D55 DC lea edx, dword ptr [ebp-24]
00402F15 . 8D45 E0 lea eax, dword ptr [ebp-20]
00402F18 . 52 push edx
00402F19 . 50 push eax
00402F1A . 6A 02 push 2
00402F1C . FF15 28104000 call dword ptr [<&MSVBVM60.__vbaFreeObjLi>
00402F22 . 83C4 18 add esp, 18
00402F25 . 66:85FF test di, di
00402F28 . 74 6C je short 00402F96 ; 注册名、注册码均不为空则跳
00402F2A . 8B0E mov ecx, dword ptr [esi]
00402F2C . 56 push esi
00402F2D . FF91 0C030000 call dword ptr [ecx+30C]
00402F33 . 8D55 E0 lea edx, dword ptr [ebp-20]
00402F36 . 50 push eax
00402F37 . 52 push edx
00402F38 . FFD3 call ebx
00402F3A . 8BF8 mov edi, eax
00402F3C . 6A FF push -1
00402F3E . 57 push edi
00402F3F . 8B07 mov eax, dword ptr [edi]
00402F41 . FF90 9C000000 call dword ptr [eax+9C]
00402F47 . 85C0 test eax, eax
00402F49 . DBE2 fclex
00402F4B . 7D 12 jge short 00402F5F
00402F4D . 68 9C000000 push 9C
00402F52 . 68 EC234000 push 004023EC
00402F57 . 57 push edi
00402F58 . 50 push eax
00402F59 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00402F5F > 8B3D 08114000 mov edi, dword ptr [<&MSVBVM60.__vbaFree>
00402F65 . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402F68 . FFD7 call edi
00402F6A . 8B0E mov ecx, dword ptr [esi]
00402F6C . 56 push esi
00402F6D . FF91 0C030000 call dword ptr [ecx+30C]
00402F73 . 8D55 E0 lea edx, dword ptr [ebp-20]
00402F76 . 50 push eax
00402F77 . 52 push edx
00402F78 . FFD3 call ebx
00402F7A . 8BF0 mov esi, eax
00402F7C . 68 00244000 push 00402400
00402F81 . 56 push esi
00402F82 . 8B06 mov eax, dword ptr [esi]
00402F84 . FF50 54 call dword ptr [eax+54]
00402F87 . 85C0 test eax, eax
00402F89 . DBE2 fclex
00402F8B . 0F8D E3000000 jge 00403074
00402F91 . E9 CF000000 jmp 00403065
00402F96 > 66:833D 24604000 00 cmp word ptr [406024], 0 ; 检测地址[406024]的值是否为0,标志位
00402F9E . 8B0E mov ecx, dword ptr [esi]
00402FA0 . 56 push esi
00402FA1 . 75 62 jnz short 00403005 ; 暴破点1,Nop
00402FA3 . FF91 0C030000 call dword ptr [ecx+30C]
00402FA9 . 8D55 E0 lea edx, dword ptr [ebp-20]
00402FAC . 50 push eax
00402FAD . 52 push edx
00402FAE . FFD3 call ebx
00402FB0 . 8BF8 mov edi, eax
00402FB2 . 6A FF push -1
00402FB4 . 57 push edi
00402FB5 . 8B07 mov eax, dword ptr [edi]
00402FB7 . FF90 9C000000 call dword ptr [eax+9C]
4.算法分析。OD载入,Ctrl+G,输入注册码_Change事件地址:00403310,确定后F2下断,输入注册信息:
======================================
注册名:hrbx
注册码:9876543210
======================================
程序立即中断:
00403310 > \55 push ebp ; F2在此下断
00403311 . 8BEC mov ebp, esp
00403313 . 83EC 0C sub esp, 0C
00403316 . 68 D6114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE 处理程序安装
0040331B . 64:A1 00000000 mov eax, dword ptr fs:[0]
00403321 . 50 push eax
00403322 . 64:8925 00000000 mov dword ptr fs:[0], esp
00403329 . 81EC 84020000 sub esp, 284
0040332F . 53 push ebx
00403330 . 56 push esi
00403331 . 57 push edi
00403332 . 8965 F4 mov dword ptr [ebp-C], esp
00403335 . C745 F8 68114000 mov dword ptr [ebp-8], 00401168
0040333C . 8B75 08 mov esi, dword ptr [ebp+8]
0040333F . 8BC6 mov eax, esi
00403341 . 83E0 01 and eax, 1
00403344 . 8945 FC mov dword ptr [ebp-4], eax
00403347 . 83E6 FE and esi, FFFFFFFE
0040334A . 56 push esi
0040334B . 8975 08 mov dword ptr [ebp+8], esi
0040334E . 8B0E mov ecx, dword ptr [esi]
00403350 . FF51 04 call dword ptr [ecx+4]
00403353 . 6A 08 push 8 ; /varType = String
00403355 . 8D55 80 lea edx, dword ptr [ebp-80] ; |定义字符串数组
00403358 . 33DB xor ebx, ebx ; |
0040335A . 68 70244000 push 00402470 ; |
0040335F . 52 push edx ; |
00403360 . 895D E8 mov dword ptr [ebp-18], ebx ; |
00403363 . 895D E4 mov dword ptr [ebp-1C], ebx ; |
00403366 . 895D D4 mov dword ptr [ebp-2C], ebx ; |
00403369 . 895D D0 mov dword ptr [ebp-30], ebx ; |
0040336C . 895D CC mov dword ptr [ebp-34], ebx ; |
0040336F . 895D C8 mov dword ptr [ebp-38], ebx ; |
00403372 . 895D B8 mov dword ptr [ebp-48], ebx ; |
00403375 . 895D A8 mov dword ptr [ebp-58], ebx ; |
00403378 . 895D 98 mov dword ptr [ebp-68], ebx ; |
0040337B . 899D 6CFFFFFF mov dword ptr [ebp-94], ebx ; |
00403381 . 899D 5CFFFFFF mov dword ptr [ebp-A4], ebx ; |
00403387 . 899D 4CFFFFFF mov dword ptr [ebp-B4], ebx ; |
0040338D . 899D 48FFFFFF mov dword ptr [ebp-B8], ebx ; |
00403393 . 899D 38FFFFFF mov dword ptr [ebp-C8], ebx ; |
00403399 . 899D 34FFFFFF mov dword ptr [ebp-CC], ebx ; |
0040339F . 899D 30FFFFFF mov dword ptr [ebp-D0], ebx ; |
004033A5 . 899D 2CFFFFFF mov dword ptr [ebp-D4], ebx ; |
004033AB . 899D 28FFFFFF mov dword ptr [ebp-D8], ebx ; |
004033B1 . 899D 24FFFFFF mov dword ptr [ebp-DC], ebx ; |
004033B7 . 899D 14FFFFFF mov dword ptr [ebp-EC], ebx ; |
004033BD . 899D 04FFFFFF mov dword ptr [ebp-FC], ebx ; |
004033C3 . 899D F4FEFFFF mov dword ptr [ebp-10C], ebx ; |
004033C9 . 899D E4FEFFFF mov dword ptr [ebp-11C], ebx ; |
004033CF . 899D D4FEFFFF mov dword ptr [ebp-12C], ebx ; |
004033D5 . 899D C4FEFFFF mov dword ptr [ebp-13C], ebx ; |
004033DB . 899D B4FEFFFF mov dword ptr [ebp-14C], ebx ; |
004033E1 . 899D A4FEFFFF mov dword ptr [ebp-15C], ebx ; |
004033E7 . 899D 94FEFFFF mov dword ptr [ebp-16C], ebx ; |
004033ED . 899D 84FEFFFF mov dword ptr [ebp-17C], ebx ; |
004033F3 . 899D 74FEFFFF mov dword ptr [ebp-18C], ebx ; |
004033F9 . 899D 64FEFFFF mov dword ptr [ebp-19C], ebx ; |
004033FF . 899D 60FEFFFF mov dword ptr [ebp-1A0], ebx ; |
00403405 . 899D 5CFEFFFF mov dword ptr [ebp-1A4], ebx ; |
0040340B . 899D 3CFEFFFF mov dword ptr [ebp-1C4], ebx ; |
00403411 . 899D 2CFEFFFF mov dword ptr [ebp-1D4], ebx ; |
00403417 . 899D 1CFEFFFF mov dword ptr [ebp-1E4], ebx ; |
0040341D . 899D 0CFEFFFF mov dword ptr [ebp-1F4], ebx ; |
00403423 . 899D FCFDFFFF mov dword ptr [ebp-204], ebx ; |
00403429 . 899D ECFDFFFF mov dword ptr [ebp-214], ebx ; |
0040342F . 899D DCFDFFFF mov dword ptr [ebp-224], ebx ; |
00403435 . 899D CCFDFFFF mov dword ptr [ebp-234], ebx ; |
0040343B . 899D BCFDFFFF mov dword ptr [ebp-244], ebx ; |
00403441 . 899D ACFDFFFF mov dword ptr [ebp-254], ebx ; |
00403447 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaAryConstr>; \__vbaAryConstruct2
0040344D . 66:891D 24604000 mov word ptr [406024], bx
00403454 . 8B06 mov eax, dword ptr [esi]
00403456 . 56 push esi
00403457 . FF90 04030000 call dword ptr [eax+304]
0040345D . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
00403463 . 50 push eax
00403464 . 51 push ecx
00403465 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
0040346B . 8BF8 mov edi, eax
0040346D . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00403473 . 50 push eax
00403474 . 57 push edi
00403475 . 8B17 mov edx, dword ptr [edi]
00403477 . FF92 A0000000 call dword ptr [edx+A0]
0040347D . 3BC3 cmp eax, ebx
0040347F . DBE2 fclex
00403481 . 7D 12 jge short 00403495
00403483 . 68 A0000000 push 0A0
00403488 . 68 D4234000 push 004023D4
0040348D . 57 push edi
0040348E . 50 push eax
0040348F . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403495 > 8B8D 34FFFFFF mov ecx, dword ptr [ebp-CC] ; 用户名"hrbx"
0040349B . 51 push ecx
0040349C . 68 E8234000 push 004023E8
004034A1 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; 比较用户名是否为空
004034A7 . 8BF8 mov edi, eax
004034A9 . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
004034AF . F7DF neg edi
004034B1 . 1BFF sbb edi, edi
004034B3 . 47 inc edi
004034B4 . F7DF neg edi
004034B6 . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004034BC . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
004034C2 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004034C8 . 66:3BFB cmp di, bx
004034CB . 0F85 B10F0000 jnz 00404482 ; 用户名不为空则跳
004034D1 . 8B16 mov edx, dword ptr [esi]
004034D3 . 56 push esi
004034D4 . FF92 04030000 call dword ptr [edx+304]
004034DA . 50 push eax
004034DB . 8D85 24FFFFFF lea eax, dword ptr [ebp-DC]
004034E1 . 50 push eax
004034E2 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004034E8 . 8BF8 mov edi, eax
004034EA . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
004034F0 . 52 push edx
004034F1 . 57 push edi
004034F2 . 8B0F mov ecx, dword ptr [edi]
004034F4 . FF91 A0000000 call dword ptr [ecx+A0]
004034FA . 3BC3 cmp eax, ebx
004034FC . DBE2 fclex
004034FE . 7D 12 jge short 00403512
00403500 . 68 A0000000 push 0A0
00403505 . 68 D4234000 push 004023D4
0040350A . 57 push edi
0040350B . 50 push eax
0040350C . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403512 > 8B85 34FFFFFF mov eax, dword ptr [ebp-CC] ; 用户名"hrbx"
00403518 . 53 push ebx ; lBoundn,数组下界
00403519 . 50 push eax
0040351A . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; __vbaLenBstr,获取用户名长度作为数组长度
00403520 . 50 push eax ; uBoundn,数组上界
00403521 . 6A 01 push 1
00403523 . 8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
00403529 . 6A 08 push 8
0040352B . 51 push ecx
0040352C . 6A 04 push 4
0040352E . 68 80010000 push 180
00403533 . FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaRedim>] ; __vbaRedim
00403539 . 83C4 1C add esp, 1C ; 重新定义数组长度
0040353C . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403542 . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403548 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
0040354E . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403554 . 8B16 mov edx, dword ptr [esi]
00403556 . 56 push esi
00403557 . C785 ACFEFFFF 010000>mov dword ptr [ebp-154], 1
00403561 . C785 A4FEFFFF 020000>mov dword ptr [ebp-15C], 2
0040356B . FF92 04030000 call dword ptr [edx+304]
00403571 . 50 push eax
00403572 . 8D85 24FFFFFF lea eax, dword ptr [ebp-DC]
00403578 . 50 push eax
00403579 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
0040357F . 8BF8 mov edi, eax
00403581 . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
00403587 . 52 push edx
00403588 . 57 push edi
00403589 . 8B0F mov ecx, dword ptr [edi]
0040358B . FF91 A0000000 call dword ptr [ecx+A0]
00403591 . 3BC3 cmp eax, ebx
00403593 . DBE2 fclex
00403595 . 7D 12 jge short 004035A9
00403597 . 68 A0000000 push 0A0
0040359C . 68 D4234000 push 004023D4
004035A1 . 57 push edi
004035A2 . 50 push eax
004035A3 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
004035A9 > 8B85 34FFFFFF mov eax, dword ptr [ebp-CC]
004035AF . 50 push eax ; 用户名"hrbx"
004035B0 . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; __vbaLenBstr
004035B6 . 8D8D A4FEFFFF lea ecx, dword ptr [ebp-15C] ; 获取用户名长度作为循环变量
004035BC . 8985 9CFEFFFF mov dword ptr [ebp-164], eax
004035C2 . 8D95 94FEFFFF lea edx, dword ptr [ebp-16C]
004035C8 . 51 push ecx ; /Step8
004035C9 . 8D85 84FEFFFF lea eax, dword ptr [ebp-17C] ; |
004035CF . 52 push edx ; |End8
004035D0 . 8D8D 2CFEFFFF lea ecx, dword ptr [ebp-1D4] ; |
004035D6 . 50 push eax ; |Start8
004035D7 . 8D95 3CFEFFFF lea edx, dword ptr [ebp-1C4] ; |
004035DD . 51 push ecx ; |TMPend8
004035DE . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8] ; |
004035E4 . 52 push edx ; |TMPstep8
004035E5 . 50 push eax ; |Counter8
004035E6 . C785 94FEFFFF 030000>mov dword ptr [ebp-16C], 3 ; |
004035F0 . C785 8CFEFFFF 010000>mov dword ptr [ebp-174], 1 ; |
004035FA . C785 84FEFFFF 020000>mov dword ptr [ebp-17C], 2 ; |
00403604 . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>; \__vbaVarForInit
0040360A . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403610 . 8BF8 mov edi, eax
00403612 . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403618 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
0040361E . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403624 > 3BFB cmp edi, ebx
00403626 . 0F84 EB010000 je 00403817
0040362C . 8B0E mov ecx, dword ptr [esi]
0040362E . 56 push esi
0040362F . FF91 04030000 call dword ptr [ecx+304]
00403635 . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC]
0040363B . 50 push eax
0040363C . 52 push edx
0040363D . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403643 . 8BF8 mov edi, eax
00403645 . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
0040364B . 51 push ecx
0040364C . 57 push edi
0040364D . 8B07 mov eax, dword ptr [edi]
0040364F . FF90 A0000000 call dword ptr [eax+A0]
00403655 . 3BC3 cmp eax, ebx
00403657 . DBE2 fclex
00403659 . 7D 12 jge short 0040366D
0040365B . 68 A0000000 push 0A0
00403660 . 68 D4234000 push 004023D4
00403665 . 57 push edi
00403666 . 50 push eax
00403667 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
0040366D > 8B85 34FFFFFF mov eax, dword ptr [ebp-CC] ; 用户名"hrbx"
00403673 . 8D95 04FFFFFF lea edx, dword ptr [ebp-FC]
00403679 . 8985 1CFFFFFF mov dword ptr [ebp-E4], eax
0040367F . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00403685 . 52 push edx
00403686 . 50 push eax
00403687 . C785 0CFFFFFF 010000>mov dword ptr [ebp-F4], 1
00403691 . C785 04FFFFFF 020000>mov dword ptr [ebp-FC], 2
0040369B . 899D 34FFFFFF mov dword ptr [ebp-CC], ebx
004036A1 . C785 14FFFFFF 080000>mov dword ptr [ebp-EC], 8
004036AB . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004036B1 . 8D8D 14FFFFFF lea ecx, dword ptr [ebp-EC]
004036B7 . 50 push eax
004036B8 . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
004036BE . 51 push ecx
004036BF . 52 push edx
004036C0 . FF15 58104000 call dword ptr [<&MSVBVM60.#632>] ; rtcMidCharVar,循环取用户名每个字符("h")
004036C6 . 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
004036CC . 8D8D 30FFFFFF lea ecx, dword ptr [ebp-D0]
004036D2 . 50 push eax
004036D3 . 51 push ecx
004036D4 . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>
004036DA . 50 push eax
004036DB . FF15 2C104000 call dword ptr [<&MSVBVM60.#516>] ; rtcAnsiValueBstr,字符ASCII值
004036E1 . 8B3E mov edi, dword ptr [esi]
004036E3 . 8D95 28FFFFFF lea edx, dword ptr [ebp-D8]
004036E9 . 52 push edx
004036EA . 50 push eax
004036EB . 8985 60FEFFFF mov dword ptr [ebp-1A0], eax ; EAX=0x68("h")
004036F1 . FF15 04104000 call dword ptr [<&MSVBVM60.__vbaStrI2>] ; 整数转为字符串,0x68-->104-->"104"
004036F7 . 8BD0 mov edx, eax ; EAX="104"
004036F9 . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4] ;
004036FF . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ;
00403705 . 50 push eax
00403706 . 56 push esi
00403707 . FF97 FC060000 call dword ptr [edi+6FC] ; CALL 00402C72,EAX大于90则减去32,104-32=72
0040370D . 3BC3 cmp eax, ebx ; 即用户名小写字母转为大写字母
0040370F . 7D 12 jge short 00403723
00403711 . 68 FC060000 push 6FC
00403716 . 68 B0224000 push 004022B0
0040371B . 56 push esi
0040371C . 50 push eax
0040371D . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
00403723 > 8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
00403729 . 3BC3 cmp eax, ebx
0040372B . 74 5F je short 0040378C
0040372D . 66:8338 01 cmp word ptr [eax], 1
00403731 . 75 59 jnz short 0040378C
00403733 . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00403739 . 8D8D 94FEFFFF lea ecx, dword ptr [ebp-16C]
0040373F . 50 push eax
00403740 . 8D95 E4FEFFFF lea edx, dword ptr [ebp-11C]
00403746 . 51 push ecx
00403747 . 52 push edx
00403748 . C785 9CFEFFFF 010000>mov dword ptr [ebp-164], 1
00403752 . C785 94FEFFFF 020000>mov dword ptr [ebp-16C], 2
0040375C . FF15 00104000 call dword ptr [<&MSVBVM60.__vbaVarSub>]
00403762 . 50 push eax
00403763 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00403769 . 8BF8 mov edi, eax
0040376B . 8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
00403771 . 8B50 14 mov edx, dword ptr [eax+14]
00403774 . 8B48 10 mov ecx, dword ptr [eax+10]
00403777 . 2BFA sub edi, edx
00403779 . 3BF9 cmp edi, ecx
0040377B . 72 06 jb short 00403783
0040377D . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00403783 > 8D04BD 00000000 lea eax, dword ptr [edi*4]
0040378A . EB 06 jmp short 00403792
0040378C > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00403792 > 8B8D 48FFFFFF mov ecx, dword ptr [ebp-B8]
00403798 . 8B95 28FFFFFF mov edx, dword ptr [ebp-D8] ; EDX="72"
0040379E . 8B49 0C mov ecx, dword ptr [ecx+C]
004037A1 . 03C8 add ecx, eax
004037A3 . FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
004037A9 . 8D95 28FFFFFF lea edx, dword ptr [ebp-D8]
004037AF . 8D85 2CFFFFFF lea eax, dword ptr [ebp-D4]
004037B5 . 52 push edx
004037B6 . 8D8D 30FFFFFF lea ecx, dword ptr [ebp-D0]
004037BC . 50 push eax
004037BD . 51 push ecx
004037BE . 6A 03 push 3
004037C0 . FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStrLi>
004037C6 . 83C4 10 add esp, 10
004037C9 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
004037CF . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004037D5 . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
004037DB . 8D85 04FFFFFF lea eax, dword ptr [ebp-FC]
004037E1 . 52 push edx
004037E2 . 8D8D 14FFFFFF lea ecx, dword ptr [ebp-EC]
004037E8 . 50 push eax
004037E9 . 51 push ecx
004037EA . 6A 03 push 3
004037EC . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
004037F2 . 83C4 10 add esp, 10
004037F5 . 8D95 2CFEFFFF lea edx, dword ptr [ebp-1D4]
004037FB . 8D85 3CFEFFFF lea eax, dword ptr [ebp-1C4]
00403801 . 8D8D 38FFFFFF lea ecx, dword ptr [ebp-C8]
00403807 . 52 push edx
00403808 . 50 push eax
00403809 . 51 push ecx
0040380A . FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>
00403810 . 8BF8 mov edi, eax
00403812 .^ E9 0DFEFFFF jmp 00403624
00403817 > B8 02000000 mov eax, 2
0040381C . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
00403822 . 8985 A4FEFFFF mov dword ptr [ebp-15C], eax
00403828 . 8985 94FEFFFF mov dword ptr [ebp-16C], eax
0040382E . 8985 84FEFFFF mov dword ptr [ebp-17C], eax
00403834 . 8D85 94FEFFFF lea eax, dword ptr [ebp-16C]
0040383A . 52 push edx ; /Step8
0040383B . 8D8D 84FEFFFF lea ecx, dword ptr [ebp-17C] ; |
00403841 . 50 push eax ; |End8
00403842 . 8D95 0CFEFFFF lea edx, dword ptr [ebp-1F4] ; |
00403848 . 51 push ecx ; |Start8
00403849 . 8D85 1CFEFFFF lea eax, dword ptr [ebp-1E4] ; |
0040384F . 52 push edx ; |TMPend8
00403850 . 8D4D D4 lea ecx, dword ptr [ebp-2C] ; |
00403853 . 50 push eax ; |TMPstep8
00403854 . 51 push ecx ; |Counter8
00403855 . C785 ACFEFFFF 010000>mov dword ptr [ebp-154], 1 ; |
0040385F . C785 9CFEFFFF 190000>mov dword ptr [ebp-164], 19 ; |
00403869 . 899D 8CFEFFFF mov dword ptr [ebp-174], ebx ; |
0040386F . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>; \__vbaVarForInit
00403875 > 3BC3 cmp eax, ebx
00403877 . 0F84 C1000000 je 0040393E
0040387D . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
00403883 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00403886 . 52 push edx
00403887 . 8D8D 14FFFFFF lea ecx, dword ptr [ebp-EC]
0040388D . 50 push eax
0040388E . 51 push ecx
0040388F . C785 ACFEFFFF 410000>mov dword ptr [ebp-154], 41 ; 0x41("A")
00403899 . C785 A4FEFFFF 020000>mov dword ptr [ebp-15C], 2
004038A3 . FF15 E4104000 call dword ptr [<&MSVBVM60.__vbaVarAdd>] ; __vbaVarAdd
004038A9 . 8B3D E0104000 mov edi, dword ptr [<&MSVBVM60.__vbaI4Va>
004038AF . 50 push eax
004038B0 . FFD7 call edi ; <&MSVBVM60.__vbaI4Var>
004038B2 . 8D95 04FFFFFF lea edx, dword ptr [ebp-FC]
004038B8 . 50 push eax
004038B9 . 52 push edx
004038BA . FF15 A4104000 call dword ptr [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi,ASCII值转为字符
004038C0 . 8D45 D4 lea eax, dword ptr [ebp-2C]
004038C3 . 50 push eax
004038C4 . FFD7 call edi
004038C6 . 8BF8 mov edi, eax
004038C8 . 83FF 1A cmp edi, 1A ; EDI值与0x1A(26)比较,储存A-Z共26个字母
004038CB . 72 06 jb short 004038D3
004038CD . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004038D3 > 8D8D 04FFFFFF lea ecx, dword ptr [ebp-FC]
004038D9 . 51 push ecx
004038DA . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrVarMov>
004038E0 . 8BD0 mov edx, eax
004038E2 . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
004038E8 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
004038EE . 8BD0 mov edx, eax
004038F0 . 8B45 8C mov eax, dword ptr [ebp-74]
004038F3 . 8D0CB8 lea ecx, dword ptr [eax+edi*4]
004038F6 . FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
004038FC . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403902 . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403908 . 8D8D 04FFFFFF lea ecx, dword ptr [ebp-FC]
0040390E . 8D95 14FFFFFF lea edx, dword ptr [ebp-EC]
00403914 . 51 push ecx
00403915 . 52 push edx
00403916 . 6A 02 push 2
00403918 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
0040391E . 83C4 0C add esp, 0C
00403921 . 8D85 0CFEFFFF lea eax, dword ptr [ebp-1F4]
00403927 . 8D8D 1CFEFFFF lea ecx, dword ptr [ebp-1E4]
0040392D . 8D55 D4 lea edx, dword ptr [ebp-2C]
00403930 . 50 push eax ; /TMPend8
00403931 . 51 push ecx ; |TMPstep8
00403932 . 52 push edx ; |Counter8
00403933 . FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>; \__vbaVarForNext
00403939 .^ E9 37FFFFFF jmp 00403875
0040393E > 8B06 mov eax, dword ptr [esi]
00403940 . 56 push esi
00403941 . FF90 00030000 call dword ptr [eax+300]
00403947 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
0040394D . 50 push eax
0040394E . 51 push ecx
0040394F . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403955 . 8BF8 mov edi, eax
00403957 . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
0040395D . 50 push eax
0040395E . 57 push edi
0040395F . 8B17 mov edx, dword ptr [edi]
00403961 . FF92 A0000000 call dword ptr [edx+A0]
00403967 . 3BC3 cmp eax, ebx
00403969 . DBE2 fclex
0040396B . 7D 12 jge short 0040397F
0040396D . 68 A0000000 push 0A0
00403972 . 68 D4234000 push 004023D4
00403977 . 57 push edi
00403978 . 50 push eax
00403979 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
0040397F > 8B8D 34FFFFFF mov ecx, dword ptr [ebp-CC] ; 注册码"9876543210"
00403985 . 51 push ecx ;
00403986 . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; __vbaLenBstr,获取注册码长度
0040398C . 8BF8 mov edi, eax
0040398E . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403994 . F7DF neg edi
00403996 . 1BFF sbb edi, edi
00403998 . F7DF neg edi
0040399A . F7DF neg edi
0040399C . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004039A2 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
004039A8 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004039AE . 66:3BFB cmp di, bx ; 注册码是否为空
004039B1 . 0F84 CB0A0000 je 00404482
004039B7 . 8B16 mov edx, dword ptr [esi]
004039B9 . 56 push esi
004039BA . FF92 00030000 call dword ptr [edx+300]
004039C0 . 50 push eax
004039C1 . 8D85 24FFFFFF lea eax, dword ptr [ebp-DC]
004039C7 . 50 push eax
004039C8 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004039CE . 8BF8 mov edi, eax
004039D0 . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
004039D6 . 52 push edx
004039D7 . 57 push edi
004039D8 . 8B0F mov ecx, dword ptr [edi]
004039DA . FF91 A0000000 call dword ptr [ecx+A0]
004039E0 . 3BC3 cmp eax, ebx
004039E2 . DBE2 fclex
004039E4 . 7D 12 jge short 004039F8
004039E6 . 68 A0000000 push 0A0
004039EB . 68 D4234000 push 004023D4
004039F0 . 57 push edi
004039F1 . 50 push eax
004039F2 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
004039F8 > 8B95 34FFFFFF mov edx, dword ptr [ebp-CC] ; 注册码"9876543210"
004039FE . 8B06 mov eax, dword ptr [esi]
00403A00 . 8D8D 60FEFFFF lea ecx, dword ptr [ebp-1A0]
00403A06 . 51 push ecx
00403A07 . 52 push edx
00403A08 . 56 push esi
00403A09 . FF90 F8060000 call dword ptr [eax+6F8] ; CALL 00402C65,检测注册码否为空
00403A0F . 3BC3 cmp eax, ebx
00403A11 . 7D 12 jge short 00403A25
00403A13 . 68 F8060000 push 6F8
00403A18 . 68 B0224000 push 004022B0
00403A1D . 56 push esi
00403A1E . 50 push eax
00403A1F . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403A25 > 33C0 xor eax, eax
00403A27 . 66:83BD 60FEFFFF FF cmp word ptr [ebp-1A0], 0FFFF
00403A2F . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403A35 . 0F94C0 sete al
00403A38 . F7D8 neg eax
00403A3A . 8BF8 mov edi, eax
00403A3C . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403A42 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
00403A48 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403A4E . 66:3BFB cmp di, bx
00403A51 . 0F84 2B0A0000 je 00404482 ; 注册码为空则跳
00403A57 . 8B0E mov ecx, dword ptr [esi]
00403A59 . 56 push esi
00403A5A . C785 ACFEFFFF 010000>mov dword ptr [ebp-154], 1
00403A64 . C785 A4FEFFFF 020000>mov dword ptr [ebp-15C], 2
00403A6E . FF91 00030000 call dword ptr [ecx+300]
00403A74 . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC]
00403A7A . 50 push eax
00403A7B . 52 push edx
00403A7C . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403A82 . 8BF8 mov edi, eax
00403A84 . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403A8A . 51 push ecx
00403A8B . 57 push edi
00403A8C . 8B07 mov eax, dword ptr [edi]
00403A8E . FF90 A0000000 call dword ptr [eax+A0]
00403A94 . 3BC3 cmp eax, ebx
00403A96 . DBE2 fclex
00403A98 . 7D 12 jge short 00403AAC
00403A9A . 68 A0000000 push 0A0
00403A9F . 68 D4234000 push 004023D4
00403AA4 . 57 push edi
00403AA5 . 50 push eax
00403AA6 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403AAC > 8B95 34FFFFFF mov edx, dword ptr [ebp-CC]
00403AB2 . 52 push edx ; /String
00403AB3 . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00403AB9 . 8985 9CFEFFFF mov dword ptr [ebp-164], eax
00403ABF . 8D85 A4FEFFFF lea eax, dword ptr [ebp-15C]
00403AC5 . 8D8D 94FEFFFF lea ecx, dword ptr [ebp-16C]
00403ACB . 50 push eax ; /Step8
00403ACC . 8D95 84FEFFFF lea edx, dword ptr [ebp-17C] ; |
00403AD2 . 51 push ecx ; |End8
00403AD3 . 8D85 ECFDFFFF lea eax, dword ptr [ebp-214] ; |
00403AD9 . 52 push edx ; |Start8
00403ADA . 8D8D FCFDFFFF lea ecx, dword ptr [ebp-204] ; |
00403AE0 . 50 push eax ; |TMPend8
00403AE1 . 8D55 B8 lea edx, dword ptr [ebp-48] ; |
00403AE4 . 51 push ecx ; |TMPstep8
00403AE5 . 52 push edx ; |Counter8
00403AE6 . C785 94FEFFFF 030000>mov dword ptr [ebp-16C], 3 ; |
00403AF0 . C785 8CFEFFFF 010000>mov dword ptr [ebp-174], 1 ; |
00403AFA . C785 84FEFFFF 020000>mov dword ptr [ebp-17C], 2 ; |
00403B04 . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>; \__vbaVarForInit
00403B0A . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00403B10 . 8BF8 mov edi, eax
00403B12 . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403B18 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
00403B1E . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403B24 . 8B1D 8C104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarA>
00403B2A > 85FF test edi, edi
00403B2C . 0F84 0B030000 je 00403E3D
00403B32 . 8B06 mov eax, dword ptr [esi]
00403B34 . 56 push esi
00403B35 . FF90 00030000 call dword ptr [eax+300]
00403B3B . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
00403B41 . 50 push eax
00403B42 . 51 push ecx
00403B43 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403B49 . 8BF8 mov edi, eax
00403B4B . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00403B51 . 50 push eax
00403B52 . 57 push edi
00403B53 . 8B17 mov edx, dword ptr [edi]
00403B55 . FF92 A0000000 call dword ptr [edx+A0]
00403B5B . 85C0 test eax, eax
00403B5D . DBE2 fclex
00403B5F . 7D 12 jge short 00403B73
00403B61 . 68 A0000000 push 0A0
00403B66 . 68 D4234000 push 004023D4
00403B6B . 57 push edi
00403B6C . 50 push eax
00403B6D . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403B73 > 8B85 34FFFFFF mov eax, dword ptr [ebp-CC] ; 注册码"9876543210"
00403B79 . 8D8D 04FFFFFF lea ecx, dword ptr [ebp-FC]
00403B7F . 8D55 B8 lea edx, dword ptr [ebp-48]
00403B82 . 51 push ecx
00403B83 . 52 push edx
00403B84 . C785 0CFFFFFF 010000>mov dword ptr [ebp-F4], 1
00403B8E . C785 04FFFFFF 020000>mov dword ptr [ebp-FC], 2
00403B98 . C785 34FFFFFF 000000>mov dword ptr [ebp-CC], 0
00403BA2 . 8985 1CFFFFFF mov dword ptr [ebp-E4], eax
00403BA8 . C785 14FFFFFF 080000>mov dword ptr [ebp-EC], 8
00403BB2 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00403BB8 . 50 push eax
00403BB9 . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC]
00403BBF . 8D8D F4FEFFFF lea ecx, dword ptr [ebp-10C]
00403BC5 . 50 push eax
00403BC6 . 51 push ecx
00403BC7 . FF15 58104000 call dword ptr [<&MSVBVM60.#632>] ; rtcMidCharVar,循环取注册码每个字符("9")
00403BCD . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
00403BD3 . 8D85 30FFFFFF lea eax, dword ptr [ebp-D0]
00403BD9 . 52 push edx
00403BDA . 50 push eax
00403BDB . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>
00403BE1 . 50 push eax
00403BE2 . FF15 2C104000 call dword ptr [<&MSVBVM60.#516>] ; rtcAnsiValueBstr,字符ASCII值
00403BE8 . 8B3E mov edi, dword ptr [esi]
00403BEA . 8D8D 28FFFFFF lea ecx, dword ptr [ebp-D8]
00403BF0 . 51 push ecx
00403BF1 . 50 push eax
00403BF2 . 8985 60FEFFFF mov dword ptr [ebp-1A0], eax ; EAX=0x39("9")
00403BF8 . FF15 04104000 call dword ptr [<&MSVBVM60.__vbaStrI2>] ; 整数转为字符串,0x39-->39-->"39"
00403BFE . 8BD0 mov edx, eax
00403C00 . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4]
00403C06 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403C0C . 50 push eax
00403C0D . 56 push esi
00403C0E . FF97 FC060000 call dword ptr [edi+6FC] ; CALL 00402C72,EAX大于90则减去32,EAX=0x39(57)
00403C14 . 85C0 test eax, eax
00403C16 . 7D 12 jge short 00403C2A
00403C18 . 68 FC060000 push 6FC
00403C1D . 68 B0224000 push 004022B0
00403C22 . 56 push esi
00403C23 . 50 push eax
00403C24 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403C2A > 8B85 28FFFFFF mov eax, dword ptr [ebp-D8] ; "57"
00403C30 . 8D95 E4FEFFFF lea edx, dword ptr [ebp-11C]
00403C36 . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
00403C3C . C785 28FFFFFF 000000>mov dword ptr [ebp-D8], 0
00403C46 . 8985 ECFEFFFF mov dword ptr [ebp-114], eax
00403C4C . C785 E4FEFFFF 080000>mov dword ptr [ebp-11C], 8
00403C56 . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00403C5C . 8D95 2CFFFFFF lea edx, dword ptr [ebp-D4]
00403C62 . 8D85 30FFFFFF lea eax, dword ptr [ebp-D0]
00403C68 . 52 push edx
00403C69 . 50 push eax
00403C6A . 6A 02 push 2
00403C6C . FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStrLi>
00403C72 . 83C4 0C add esp, 0C
00403C75 . 8D8D 24FFFFFF lea ecx, dword ptr [ebp-DC]
00403C7B . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403C81 . 8D8D F4FEFFFF lea ecx, dword ptr [ebp-10C]
00403C87 . 8D95 04FFFFFF lea edx, dword ptr [ebp-FC]
00403C8D . 51 push ecx
00403C8E . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC]
00403C94 . 52 push edx
00403C95 . 50 push eax
00403C96 . 6A 03 push 3
00403C98 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
00403C9E . 8B3D 5C104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarC>; MSVBVM60.__vbaVarCmpGt
00403CA4 . 83C4 10 add esp, 10
00403CA7 . B8 02800000 mov eax, 8002
00403CAC . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
00403CB2 . 8985 A4FEFFFF mov dword ptr [ebp-15C], eax
00403CB8 . 8985 94FEFFFF mov dword ptr [ebp-16C], eax
00403CBE . 8985 84FEFFFF mov dword ptr [ebp-17C], eax
00403CC4 . 8985 74FEFFFF mov dword ptr [ebp-18C], eax
00403CCA . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
00403CD0 . 51 push ecx
00403CD1 . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC]
00403CD7 . 52 push edx
00403CD8 . 50 push eax
00403CD9 . C785 ACFEFFFF 2F0000>mov dword ptr [ebp-154], 2F ; "/"
00403CE3 . C785 9CFEFFFF 3A0000>mov dword ptr [ebp-164], 3A ; ":"
00403CED . C785 8CFEFFFF 400000>mov dword ptr [ebp-174], 40 ; "@"
00403CF7 . C785 7CFEFFFF 470000>mov dword ptr [ebp-184], 47 ; "G"
00403D01 . FFD7 call edi ; /__vbaVarCmpGt
00403D03 . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4] ; |
00403D09 . 50 push eax ; |
00403D0A . 8D95 94FEFFFF lea edx, dword ptr [ebp-16C] ; |
00403D10 . 51 push ecx ; |比较注册码是否介于0x2F~0x3A,即是否为数字
00403D11 . 8D85 04FFFFFF lea eax, dword ptr [ebp-FC] ; |
00403D17 . 52 push edx ; |
00403D18 . 50 push eax ; |
00403D19 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaVarCmpLt>>; \__vbaVarCmpLt
00403D1F . 8D8D F4FEFFFF lea ecx, dword ptr [ebp-10C]
00403D25 . 50 push eax
00403D26 . 51 push ecx
00403D27 . FFD3 call ebx
00403D29 . 50 push eax
00403D2A . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
00403D30 . 8D85 84FEFFFF lea eax, dword ptr [ebp-17C]
00403D36 . 52 push edx
00403D37 . 8D8D E4FEFFFF lea ecx, dword ptr [ebp-11C]
00403D3D . 50 push eax
00403D3E . 51 push ecx
00403D3F . FFD7 call edi ; /__vbaVarCmpGt
00403D41 . 50 push eax ; |
00403D42 . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4] ; |
00403D48 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C] ; |
00403D4E . 52 push edx ; |比较注册码是否介于0x40~0x4F,即是否为A~F
00403D4F . 8D8D D4FEFFFF lea ecx, dword ptr [ebp-12C] ; |
00403D55 . 50 push eax ; |
00403D56 . 51 push ecx ; |
00403D57 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaVarCmpLt>>; \__vbaVarCmpLt
00403D5D . 8D95 C4FEFFFF lea edx, dword ptr [ebp-13C]
00403D63 . 50 push eax
00403D64 . 52 push edx
00403D65 . FFD3 call ebx
00403D67 . 50 push eax
00403D68 . 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
00403D6E . 50 push eax
00403D6F . FF15 74104000 call dword ptr [<&MSVBVM60.__vbaVarOr>]
00403D75 . 50 push eax
00403D76 . FF15 50104000 call dword ptr [<&MSVBVM60.__vbaBoolVarNu>
00403D7C . 66:85C0 test ax, ax
00403D7F . 0F84 A1000000 je 00403E26 ; 注册码不为0-9,A-Z则跳
00403D85 . 8D8D 4CFFFFFF lea ecx, dword ptr [ebp-B4]
00403D8B . 51 push ecx
00403D8C . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00403D92 . 8D95 14FFFFFF lea edx, dword ptr [ebp-EC]
00403D98 . 50 push eax
00403D99 . 52 push edx
00403D9A . FF15 A4104000 call dword ptr [<&MSVBVM60.#608>]
00403DA0 . 8D95 14FFFFFF lea edx, dword ptr [ebp-EC]
00403DA6 . 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
00403DAC . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00403DB2 . 8B45 E4 mov eax, dword ptr [ebp-1C]
00403DB5 . 8D8D A4FEFFFF lea ecx, dword ptr [ebp-15C]
00403DBB . 8985 ACFEFFFF mov dword ptr [ebp-154], eax
00403DC1 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
00403DC7 . 51 push ecx
00403DC8 . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC]
00403DCE . 52 push edx
00403DCF . 50 push eax
00403DD0 . 66:C705 24604000 000>mov word ptr [406024], 0
00403DD9 . C785 A4FEFFFF 080000>mov dword ptr [ebp-15C], 8
00403DE3 . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaVarCat>]
00403DE9 . 50 push eax
00403DEA . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrVarMov>
00403DF0 . 8BD0 mov edx, eax
00403DF2 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00403DF5 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403DFB . 8D8D 14FFFFFF lea ecx, dword ptr [ebp-EC]
00403E01 . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
00403E07 . 8D8D ECFDFFFF lea ecx, dword ptr [ebp-214]
00403E0D . 8D95 FCFDFFFF lea edx, dword ptr [ebp-204]
00403E13 . 51 push ecx
00403E14 . 8D45 B8 lea eax, dword ptr [ebp-48]
00403E17 . 52 push edx
00403E18 . 50 push eax
00403E19 . FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>
00403E1F . 8BF8 mov edi, eax
00403E21 .^ E9 04FDFFFF jmp 00403B2A
00403E26 > BA E8234000 mov edx, 004023E8
00403E2B . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00403E2E . FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
00403E34 . 66:C705 24604000 FFF>mov word ptr [406024], 0FFFF
00403E3D > 8B45 E4 mov eax, dword ptr [ebp-1C]
00403E40 . 8B0E mov ecx, dword ptr [esi]
00403E42 . 8D95 60FEFFFF lea edx, dword ptr [ebp-1A0]
00403E48 . 52 push edx
00403E49 . 50 push eax
00403E4A . 56 push esi
00403E4B . FF91 F8060000 call dword ptr [ecx+6F8]
00403E51 . 85C0 test eax, eax
00403E53 . 7D 12 jge short 00403E67
00403E55 . 68 F8060000 push 6F8
00403E5A . 68 B0224000 push 004022B0
00403E5F . 56 push esi
00403E60 . 50 push eax
00403E61 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403E67 > 66:83BD 60FEFFFF 00 cmp word ptr [ebp-1A0], 0
00403E6F . 75 09 jnz short 00403E7A
00403E71 . 66:C705 24604000 FFF>mov word ptr [406024], 0FFFF
00403E7A > 8B45 E4 mov eax, dword ptr [ebp-1C] ; 注册码"9876543210"
00403E7D . 8B0E mov ecx, dword ptr [esi]
00403E7F . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
00403E85 . 52 push edx
00403E86 . 50 push eax
00403E87 . 56 push esi
00403E88 . FF91 00070000 call dword ptr [ecx+700] ; CALL 00402C7F,注册码每2位一组逆序连接
00403E8E . 85C0 test eax, eax
00403E90 . 7D 12 jge short 00403EA4
00403E92 . 68 00070000 push 700
00403E97 . 68 B0224000 push 004022B0
00403E9C . 56 push esi
00403E9D . 50 push eax
00403E9E . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403EA4 > 8B95 34FFFFFF mov edx, dword ptr [ebp-CC] ; 变换后的注册码"1032547698"
00403EAA . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00403EAD . C785 34FFFFFF 000000>mov dword ptr [ebp-CC], 0
00403EB7 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403EBD . 8B4D E4 mov ecx, dword ptr [ebp-1C]
00403EC0 . 8B35 18104000 mov esi, dword ptr [<&MSVBVM60.__vbaLenB>; __vbaLenBstr
00403EC6 . 51 push ecx
00403EC7 . FFD6 call esi ; 获取变换后的注册码长度,记为Length
00403EC9 . 8985 7CFDFFFF mov dword ptr [ebp-284], eax
00403ECF . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
00403ED5 . DB85 7CFDFFFF fild dword ptr [ebp-284]
00403EDB . 8D4D 98 lea ecx, dword ptr [ebp-68]
00403EDE . C785 A4FEFFFF 050000>mov dword ptr [ebp-15C], 5
00403EE8 . DD9D 74FDFFFF fstp qword ptr [ebp-28C]
00403EEE . DD85 74FDFFFF fld qword ptr [ebp-28C]
00403EF4 . 833D 00604000 00 cmp dword ptr [406000], 0
00403EFB . 75 08 jnz short 00403F05
00403EFD . DC35 60114000 fdiv qword ptr [401160] ; 注册码长度除以2,[401160]=2,Length=Length/2
00403F03 . EB 11 jmp short 00403F16
00403F05 > FF35 64114000 push dword ptr [401164]
00403F0B . FF35 60114000 push dword ptr [401160]
00403F11 . E8 DED2FFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
00403F16 > DC25 58114000 fsub qword ptr [401158] ; 结果减1,[401158]=1,Length=Length/2-1
00403F1C . DD9D ACFEFFFF fstp qword ptr [ebp-154]
00403F22 . DFE0 fstsw ax
00403F24 . A8 0D test al, 0D
00403F26 . 0F85 D6060000 jnz 00404602
00403F2C . FF15 10104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00403F32 . 8B55 E4 mov edx, dword ptr [ebp-1C]
00403F35 . 6A 00 push 0
00403F37 . 52 push edx
00403F38 . FFD6 call esi
00403F3A . 8B3D 7C104000 mov edi, dword ptr [<&MSVBVM60.__vbaRedi>
00403F40 . 50 push eax
00403F41 . 6A 01 push 1
00403F43 . 8D45 D0 lea eax, dword ptr [ebp-30]
00403F46 . 6A 08 push 8
00403F48 . 50 push eax
00403F49 . 6A 04 push 4
00403F4B . 68 80010000 push 180
00403F50 . FFD7 call edi
00403F52 . 8B4D E4 mov ecx, dword ptr [ebp-1C]
00403F55 . 83C4 1C add esp, 1C
00403F58 . 6A 00 push 0
00403F5A . 51 push ecx
00403F5B . FFD6 call esi
00403F5D . 50 push eax
00403F5E . BB 02000000 mov ebx, 2
00403F63 . 6A 01 push 1
00403F65 . 8D55 C8 lea edx, dword ptr [ebp-38]
00403F68 . 53 push ebx
00403F69 . 52 push edx
00403F6A . 53 push ebx
00403F6B . 68 80000000 push 80
00403F70 . FFD7 call edi
00403F72 . 8B45 E4 mov eax, dword ptr [ebp-1C]
00403F75 . 83C4 1C add esp, 1C
00403F78 . 6A 00 push 0
00403F7A . 50 push eax
00403F7B . FFD6 call esi
00403F7D . 50 push eax
00403F7E . 6A 01 push 1
00403F80 . 8D4D CC lea ecx, dword ptr [ebp-34]
00403F83 . 53 push ebx
00403F84 . 51 push ecx
00403F85 . 53 push ebx
00403F86 . 68 80000000 push 80
00403F8B . FFD7 call edi
00403F8D . 83C4 1C add esp, 1C
00403F90 . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
00403F96 . 8D45 98 lea eax, dword ptr [ebp-68]
00403F99 . 8D8D 94FEFFFF lea ecx, dword ptr [ebp-16C]
00403F9F . 52 push edx
00403FA0 . 50 push eax
00403FA1 . 8D95 CCFDFFFF lea edx, dword ptr [ebp-234]
00403FA7 . 51 push ecx
00403FA8 . 8D85 DCFDFFFF lea eax, dword ptr [ebp-224]
00403FAE . 52 push edx
00403FAF . 8D4D A8 lea ecx, dword ptr [ebp-58]
00403FB2 . 50 push eax
00403FB3 . 51 push ecx
00403FB4 . C785 ACFEFFFF 010000>mov dword ptr [ebp-154], 1
00403FBE . 899D A4FEFFFF mov dword ptr [ebp-15C], ebx
00403FC4 . C785 9CFEFFFF 000000>mov dword ptr [ebp-164], 0
00403FCE . 899D 94FEFFFF mov dword ptr [ebp-16C], ebx
00403FD4 . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>
00403FDA > 8B3D E0104000 mov edi, dword ptr [<&MSVBVM60.__vbaI4Va>
00403FE0 . 85C0 test eax, eax
00403FE2 . 0F84 4F030000 je 00404337
00403FE8 . 8D55 E4 lea edx, dword ptr [ebp-1C]
00403FEB . 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
00403FF1 . 8995 8CFEFFFF mov dword ptr [ebp-174], edx
00403FF7 . 8D8D A4FEFFFF lea ecx, dword ptr [ebp-15C]
00403FFD . 50 push eax
00403FFE . 8D55 A8 lea edx, dword ptr [ebp-58]
00404001 . 51 push ecx
00404002 . 8D85 14FFFFFF lea eax, dword ptr [ebp-EC]
00404008 . 52 push edx
00404009 . 50 push eax
0040400A . C785 6CFEFFFF 642440>mov dword ptr [ebp-194], 00402464 ; UNICODE "&h"
00404014 . C785 64FEFFFF 080000>mov dword ptr [ebp-19C], 8
0040401E . 899D FCFEFFFF mov dword ptr [ebp-104], ebx
00404024 . 899D F4FEFFFF mov dword ptr [ebp-10C], ebx
0040402A . 899D ACFEFFFF mov dword ptr [ebp-154], ebx
00404030 . 899D A4FEFFFF mov dword ptr [ebp-15C], ebx
00404036 . C785 9CFEFFFF 010000>mov dword ptr [ebp-164], 1
00404040 . 899D 94FEFFFF mov dword ptr [ebp-16C], ebx
00404046 . C785 84FEFFFF 084000>mov dword ptr [ebp-17C], 4008
00404050 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaVarMul>]
00404056 . 8D8D 94FEFFFF lea ecx, dword ptr [ebp-16C]
0040405C . 50 push eax
0040405D . 8D95 04FFFFFF lea edx, dword ptr [ebp-FC]
00404063 . 51 push ecx
00404064 . 52 push edx
00404065 . FF15 E4104000 call dword ptr [<&MSVBVM60.__vbaVarAdd>]
0040406B . 50 push eax
0040406C . FFD7 call edi
0040406E . 50 push eax
0040406F . 8D85 84FEFFFF lea eax, dword ptr [ebp-17C]
00404075 . 8D8D E4FEFFFF lea ecx, dword ptr [ebp-11C]
0040407B . 50 push eax
0040407C . 51 push ecx
0040407D . FF15 58104000 call dword ptr [<&MSVBVM60.#632>] ; rtcMidCharVar,循环取变换后的注册码字符串,"10"
00404083 . 8B45 C8 mov eax, dword ptr [ebp-38] ; 每次取2位字符,设循环变量为I
00404086 . 85C0 test eax, eax
00404088 . 74 27 je short 004040B1
0040408A . 66:8338 01 cmp word ptr [eax], 1
0040408E . 75 21 jnz short 004040B1
00404090 . 8D55 A8 lea edx, dword ptr [ebp-58]
00404093 . 52 push edx
00404094 . FFD7 call edi
00404096 . 8BF0 mov esi, eax
00404098 . 8B45 C8 mov eax, dword ptr [ebp-38]
0040409B . 8B50 14 mov edx, dword ptr [eax+14]
0040409E . 8B48 10 mov ecx, dword ptr [eax+10]
004040A1 . 2BF2 sub esi, edx
004040A3 . 3BF1 cmp esi, ecx
004040A5 . 72 06 jb short 004040AD
004040A7 . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004040AD > 03F6 add esi, esi
004040AF . EB 08 jmp short 004040B9
004040B1 > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004040B7 . 8BF0 mov esi, eax
004040B9 > 8D85 64FEFFFF lea eax, dword ptr [ebp-19C]
004040BF . 8D8D E4FEFFFF lea ecx, dword ptr [ebp-11C]
004040C5 . 50 push eax
004040C6 . 8D95 D4FEFFFF lea edx, dword ptr [ebp-12C]
004040CC . 51 push ecx
004040CD . 52 push edx
004040CE . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaVarCat>] ; __vbaVarCat,连接"&h"与取出的字符串,即转为16进制数
004040D4 . 50 push eax
004040D5 . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
004040DB . 50 push eax
004040DC . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>
004040E2 . 50 push eax ; EAX="&h10"
004040E3 . FF15 10114000 call dword ptr [<&MSVBVM60.#581>] ; rtcR8ValFromBstr,字符串转为数值
004040E9 . FF15 E8104000 call dword ptr [<&MSVBVM60.__vbaFpI2>]
004040EF . 8B4D C8 mov ecx, dword ptr [ebp-38]
004040F2 . 8B51 0C mov edx, dword ptr [ecx+C]
004040F5 . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
004040FB . 66:890432 mov word ptr [edx+esi], ax ; EAX=0X10,记为TmpNum1
004040FF . FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00404105 . 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
0040410B . 8D8D E4FEFFFF lea ecx, dword ptr [ebp-11C]
00404111 . 50 push eax
00404112 . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
00404118 . 51 push ecx
00404119 . 8D85 04FFFFFF lea eax, dword ptr [ebp-FC]
0040411F . 52 push edx
00404120 . 50 push eax
00404121 . 6A 04 push 4
00404123 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
00404129 . 8B45 CC mov eax, dword ptr [ebp-34]
0040412C . 83C4 14 add esp, 14
0040412F . 85C0 test eax, eax
00404131 . C785 ACFEFFFF 5F0000>mov dword ptr [ebp-154], 5F ; 常数0x5F
0040413B . 899D A4FEFFFF mov dword ptr [ebp-15C], ebx
00404141 . 74 27 je short 0040416A
00404143 . 66:8338 01 cmp word ptr [eax], 1
00404147 . 75 21 jnz short 0040416A
00404149 . 8D4D A8 lea ecx, dword ptr [ebp-58]
0040414C . 51 push ecx
0040414D . FFD7 call edi
0040414F . 8BF0 mov esi, eax
00404151 . 8B45 CC mov eax, dword ptr [ebp-34]
00404154 . 8B50 14 mov edx, dword ptr [eax+14]
00404157 . 8B48 10 mov ecx, dword ptr [eax+10]
0040415A . 2BF2 sub esi, edx
0040415C . 3BF1 cmp esi, ecx
0040415E . 72 06 jb short 00404166
00404160 . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404166 > 03F6 add esi, esi
00404168 . EB 08 jmp short 00404172
0040416A > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404170 . 8BF0 mov esi, eax
00404172 > 8B1D 00104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarS>
00404178 . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
0040417E . 8D45 98 lea eax, dword ptr [ebp-68]
00404181 . 52 push edx
00404182 . 8D4D A8 lea ecx, dword ptr [ebp-58]
00404185 . 50 push eax
00404186 . 8D95 14FFFFFF lea edx, dword ptr [ebp-EC]
0040418C . 51 push ecx
0040418D . 52 push edx
0040418E . FFD3 call ebx ; __vbaVarSub,(Length-I)
00404190 . 50 push eax
00404191 . 8D85 04FFFFFF lea eax, dword ptr [ebp-FC]
00404197 . 50 push eax
00404198 . FFD3 call ebx ; __vbaVarSub,常数0x5F-(Length-I)
0040419A . 50 push eax
0040419B . FF15 B4104000 call dword ptr [<&MSVBVM60.__vbaI2Var>]
004041A1 . 8B4D CC mov ecx, dword ptr [ebp-34]
004041A4 . 8B51 0C mov edx, dword ptr [ecx+C]
004041A7 . 66:890432 mov word ptr [edx+esi], ax ; AX=0x5F-(Length-I),记为TmpNum2
004041AB . 8B45 C8 mov eax, dword ptr [ebp-38]
004041AE . 85C0 test eax, eax
004041B0 . 74 28 je short 004041DA
004041B2 . 66:8338 01 cmp word ptr [eax], 1
004041B6 . 75 22 jnz short 004041DA
004041B8 . 8D45 A8 lea eax, dword ptr [ebp-58]
004041BB . 50 push eax
004041BC . FFD7 call edi
004041BE . 8BF0 mov esi, eax
004041C0 . 8B45 C8 mov eax, dword ptr [ebp-38]
004041C3 . 8B50 14 mov edx, dword ptr [eax+14]
004041C6 . 8B48 10 mov ecx, dword ptr [eax+10]
004041C9 . 2BF2 sub esi, edx
004041CB . 3BF1 cmp esi, ecx
004041CD . 72 06 jb short 004041D5
004041CF . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004041D5 > 8D1C36 lea ebx, dword ptr [esi+esi]
004041D8 . EB 08 jmp short 004041E2
004041DA > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004041E0 . 8BD8 mov ebx, eax
004041E2 > 8B45 CC mov eax, dword ptr [ebp-34]
004041E5 . 85C0 test eax, eax
004041E7 . 74 2C je short 00404215
004041E9 . 66:8338 01 cmp word ptr [eax], 1
004041ED . 75 26 jnz short 00404215
004041EF . 8D4D A8 lea ecx, dword ptr [ebp-58]
004041F2 . 51 push ecx
004041F3 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004041F9 . 8BF0 mov esi, eax
004041FB . 8B45 CC mov eax, dword ptr [ebp-34]
004041FE . 8B50 14 mov edx, dword ptr [eax+14]
00404201 . 8B48 10 mov ecx, dword ptr [eax+10]
00404204 . 2BF2 sub esi, edx
00404206 . 3BF1 cmp esi, ecx
00404208 . 72 06 jb short 00404210
0040420A . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404210 > 8D3C36 lea edi, dword ptr [esi+esi]
00404213 . EB 08 jmp short 0040421D
00404215 > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
0040421B . 8BF8 mov edi, eax
0040421D > 8B45 C8 mov eax, dword ptr [ebp-38]
00404220 . 85C0 test eax, eax
00404222 . 74 2C je short 00404250
00404224 . 66:8338 01 cmp word ptr [eax], 1
00404228 . 75 26 jnz short 00404250
0040422A . 8D55 A8 lea edx, dword ptr [ebp-58]
0040422D . 52 push edx
0040422E . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00404234 . 8BF0 mov esi, eax
00404236 . 8B45 C8 mov eax, dword ptr [ebp-38]
00404239 . 8B50 14 mov edx, dword ptr [eax+14]
0040423C . 8B48 10 mov ecx, dword ptr [eax+10]
0040423F . 2BF2 sub esi, edx
00404241 . 3BF1 cmp esi, ecx
00404243 . 72 06 jb short 0040424B
00404245 . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
0040424B > 8D0436 lea eax, dword ptr [esi+esi]
0040424E . EB 06 jmp short 00404256
00404250 > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404256 > 8B55 CC mov edx, dword ptr [ebp-34]
00404259 . 8B4D C8 mov ecx, dword ptr [ebp-38]
0040425C . 8B52 0C mov edx, dword ptr [edx+C]
0040425F . 8B49 0C mov ecx, dword ptr [ecx+C]
00404262 . 66:8B143A mov dx, word ptr [edx+edi] ; DX=TmpNum1,[ebx+ecx]=TmpNum2
00404266 . 66:33140B xor dx, word ptr [ebx+ecx] ; xor运算
0040426A . 66:891408 mov word ptr [eax+ecx], dx ; xor运算结果保存
0040426E . 8B45 C8 mov eax, dword ptr [ebp-38]
00404271 . 85C0 test eax, eax
00404273 . 74 2E je short 004042A3
00404275 . 66:8338 01 cmp word ptr [eax], 1
00404279 . 75 28 jnz short 004042A3
0040427B . 8D45 A8 lea eax, dword ptr [ebp-58]
0040427E . 50 push eax
0040427F . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00404285 . 8BF0 mov esi, eax
00404287 . 8B45 C8 mov eax, dword ptr [ebp-38]
0040428A . 8B1D 68104000 mov ebx, dword ptr [<&MSVBVM60.__vbaGene>
00404290 . 8B50 14 mov edx, dword ptr [eax+14]
00404293 . 8B48 10 mov ecx, dword ptr [eax+10]
00404296 . 2BF2 sub esi, edx
00404298 . 3BF1 cmp esi, ecx
0040429A . 72 02 jb short 0040429E
0040429C . FFD3 call ebx
0040429E > 8D0436 lea eax, dword ptr [esi+esi]
004042A1 . EB 0C jmp short 004042AF
004042A3 > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004042A9 . 8B1D 68104000 mov ebx, dword ptr [<&MSVBVM60.__vbaGene>
004042AF > 8B4D C8 mov ecx, dword ptr [ebp-38]
004042B2 . 8B51 0C mov edx, dword ptr [ecx+C]
004042B5 . 66:B9 1A00 mov cx, 1A ; CX=0x1A(26)
004042B9 . 66:8B0402 mov ax, word ptr [edx+eax] ; AX=(TmpNum1 xorTmpNum2)
004042BD . 66:99 cwd
004042BF . 66:F7F9 idiv cx ; AX/CX,商给DX
004042C2 . 0FBFFA movsx edi, dx ; EDI=DX=余数
004042C5 . 83FF 1A cmp edi, 1A
004042C8 . 72 02 jb short 004042CC
004042CA . FFD3 call ebx
004042CC > 8B45 D0 mov eax, dword ptr [ebp-30]
004042CF . 85C0 test eax, eax
004042D1 . 74 2C je short 004042FF
004042D3 . 66:8338 01 cmp word ptr [eax], 1
004042D7 . 75 26 jnz short 004042FF
004042D9 . 8D55 A8 lea edx, dword ptr [ebp-58]
004042DC . 52 push edx
004042DD . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004042E3 . 8BF0 mov esi, eax
004042E5 . 8B45 D0 mov eax, dword ptr [ebp-30]
004042E8 . 8B50 14 mov edx, dword ptr [eax+14]
004042EB . 8B48 10 mov ecx, dword ptr [eax+10]
004042EE . 2BF2 sub esi, edx
004042F0 . 3BF1 cmp esi, ecx
004042F2 . 72 02 jb short 004042F6
004042F4 . FFD3 call ebx
004042F6 > 8D04B5 00000000 lea eax, dword ptr [esi*4]
004042FD . EB 02 jmp short 00404301
004042FF > FFD3 call ebx
00404301 > 8B4D 8C mov ecx, dword ptr [ebp-74] ; 地址[ebp-74],保存A-Z共26个字母的地址
00404304 . 8B14B9 mov edx, dword ptr [ecx+edi*4] ; 根据EDI值取字符A-Z,EDX=[ecx+edi*4]
00404307 . 8B4D D0 mov ecx, dword ptr [ebp-30]
0040430A . 8B49 0C mov ecx, dword ptr [ecx+C]
0040430D . 03C8 add ecx, eax
0040430F . FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
00404315 . 8D95 CCFDFFFF lea edx, dword ptr [ebp-234]
0040431B . 8D85 DCFDFFFF lea eax, dword ptr [ebp-224]
00404321 . 52 push edx
00404322 . 8D4D A8 lea ecx, dword ptr [ebp-58]
00404325 . 50 push eax
00404326 . 51 push ecx
00404327 . FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>
0040432D . BB 02000000 mov ebx, 2
00404332 .^ E9 A3FCFFFF jmp 00403FDA
00404337 > 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
0040433D . 8D45 98 lea eax, dword ptr [ebp-68]
00404340 . 52 push edx
00404341 . 8D8D 94FEFFFF lea ecx, dword ptr [ebp-16C]
00404347 . 50 push eax
00404348 . 8D95 ACFDFFFF lea edx, dword ptr [ebp-254]
0040434E . 51 push ecx
0040434F . 8D85 BCFDFFFF lea eax, dword ptr [ebp-244]
00404355 . 52 push edx
00404356 . 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
0040435C . 50 push eax
0040435D . 51 push ecx
0040435E . C785 ACFEFFFF 010000>mov dword ptr [ebp-154], 1
00404368 . 899D A4FEFFFF mov dword ptr [ebp-15C], ebx
0040436E . C785 9CFEFFFF 000000>mov dword ptr [ebp-164], 0
00404378 . 899D 94FEFFFF mov dword ptr [ebp-16C], ebx
0040437E . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForI>
00404384 . 8B1D 2C104000 mov ebx, dword ptr [<&MSVBVM60.#516>] ; rtcAnsiValueBstr
0040438A > 85C0 test eax, eax
0040438C . 0F84 F9000000 je 0040448B
00404392 . 8B45 D0 mov eax, dword ptr [ebp-30]
00404395 . 85C0 test eax, eax
00404397 . 74 33 je short 004043CC
00404399 . 66:8338 01 cmp word ptr [eax], 1
0040439D . 75 2D jnz short 004043CC
0040439F . 8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
004043A5 . 52 push edx
004043A6 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004043AC . 8BF0 mov esi, eax
004043AE . 8B45 D0 mov eax, dword ptr [ebp-30]
004043B1 . 8B50 14 mov edx, dword ptr [eax+14]
004043B4 . 8B48 10 mov ecx, dword ptr [eax+10]
004043B7 . 2BF2 sub esi, edx
004043B9 . 3BF1 cmp esi, ecx
004043BB . 72 06 jb short 004043C3
004043BD . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
004043C3 > 8D3CB5 00000000 lea edi, dword ptr [esi*4]
004043CA . EB 08 jmp short 004043D4
004043CC > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
004043D2 . 8BF8 mov edi, eax
004043D4 > 8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
004043DA . 85C0 test eax, eax
004043DC . 74 32 je short 00404410
004043DE . 66:8338 01 cmp word ptr [eax], 1
004043E2 . 75 2C jnz short 00404410
004043E4 . 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
004043EA . 50 push eax
004043EB . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004043F1 . 8BF0 mov esi, eax
004043F3 . 8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
004043F9 . 8B50 14 mov edx, dword ptr [eax+14]
004043FC . 8B48 10 mov ecx, dword ptr [eax+10]
004043FF . 2BF2 sub esi, edx
00404401 . 3BF1 cmp esi, ecx
00404403 . 72 06 jb short 0040440B
00404405 . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
0040440B > C1E6 02 shl esi, 2
0040440E . EB 08 jmp short 00404418
00404410 > FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
00404416 . 8BF0 mov esi, eax
00404418 > 8B4D D0 mov ecx, dword ptr [ebp-30]
0040441B . 8B51 0C mov edx, dword ptr [ecx+C]
0040441E . 8B043A mov eax, dword ptr [edx+edi]
00404421 . 50 push eax
00404422 . FFD3 call ebx
00404424 . 8B95 48FFFFFF mov edx, dword ptr [ebp-B8] ; rtcAnsiValueBstr
0040442A . 0FBFC8 movsx ecx, ax
0040442D . 8B42 0C mov eax, dword ptr [edx+C]
00404430 . 898D 70FDFFFF mov dword ptr [ebp-290], ecx
00404436 . DB85 70FDFFFF fild dword ptr [ebp-290]
0040443C . 8B0C30 mov ecx, dword ptr [eax+esi]
0040443F . 51 push ecx
00404440 . DD9D 68FDFFFF fstp qword ptr [ebp-298]
00404446 . FF15 BC104000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; __vbaR8Str
0040444C . DC9D 68FDFFFF fcomp qword ptr [ebp-298] ; 注册码运算结果与转为大写的用户名比较
00404452 . DFE0 fstsw ax
00404454 . F6C4 40 test ah, 40
00404457 . 74 29 je short 00404482 ; 暴破点2,Nop
00404459 . 8D95 ACFDFFFF lea edx, dword ptr [ebp-254]
0040445F . 8D85 BCFDFFFF lea eax, dword ptr [ebp-244]
00404465 . 52 push edx
00404466 . 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4]
0040446C . 50 push eax
0040446D . 51 push ecx
0040446E . 66:C705 24604000 000>mov word ptr [406024], 0
00404477 . FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForN>
0040447D .^ E9 08FFFFFF jmp 0040438A
00404482 > 66:C705 24604000 FFF>mov word ptr [406024], 0FFFF ; 标志位[406024]赋值0FFFF
0040448B > C745 FC 00000000 mov dword ptr [ebp-4], 0
00404492 . 9B wait
00404493 . 68 E3454000 push 004045E3
00404498 . EB 70 jmp short 0040450A
0040449A . 8D95 28FFFFFF lea edx, dword ptr [ebp-D8]
004044A0 . 8D85 2CFFFFFF lea eax, dword ptr [ebp-D4]
-----------------------------------------------------------------------------------------------
【破解总结】
1.注册码文本框输入时进行注册验证,并对[406024]进行赋值。
2.点击注册按钮时对标志位[406024]进行比较,[406024]=0则注册成功。
3.循环取用户名每一位字符,将小写字母转为大写字母后保存。
4.注册码只能为0-9,A-Z,注册码同用户名进行相同的处理,即小写字母转为大写字母。
5.注册码每2位一组逆序连接。设变换后的注册码长度为Length,Length=Length/2-1。
6.循环取变换后的用户名字符串,每次取2位字符转为16进制数,记为TmpNum1,循环变量记为I。
7.常数0x5F,0x5F-(Length-I),记为TmpNum2。
8.TmpNum3=(TmpNum1 xor TmpNum2)/0x1A,根据EDI值从字母A-Z取字符。
9.比较根据EDI值取出字符和变换后的用户名,相等则注册成功。
10.由第9步知道,用户名只能为英文字母,大小写注册码相同。
一组可用注册信息:
==========================================
注册名:hrbx
注册码:485F4C5B
==========================================
暴破更改以下任意一处位置:
00402FA1 jnz short 00403005 ; jnz====>NOP
00404457 je short 00404482 ; je====>NOP
【VB注册机源码】
Private Sub Generate_Click()
On Error Resume Next
Dim UserName As String
Dim RegCode As String
Dim TmpStr As String
Dim Length As Integer
Dim i As Integer
Dim TmpNum1 As Integer
Dim TmpNum2 As Integer
Dim TmpNum3 As Integer
For i = 1 To Len(Text1.Text)
TmpStr = Mid(Text1.Text, i, 1)
If Asc(TmpStr) > 90 Then TmpStr = Chr(Asc(TmpStr) - 32)
UserName = UserName & TmpStr
Next
TmpStr = ""
Length = Len(UserName)
For i = 1 To Length
TmpNum1 = &H5F - (Length - i)
TmpNum2 = Asc(Mid(UserName, i, 1)) - &H41
TmpNum3 = (TmpNum1 Xor TmpNum2)
TmpStr = TmpStr & Hex(TmpNum3)
Next
Length = Len(TmpStr)
For i = 1 To Length / 2
RegCode = RegCode & Mid(TmpStr, Length - i * 2 + 1, 2)
Next i
Text2.Text = RegCode
End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 hrbx 于 2009-11-6 16:51 编辑 ] |
|
IP卡
发表于 2009-11-6 16:24:47
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2009-11-8 09:20:37
发表于 2009-11-22 08:51:57
