<A certain VCD rental management system V4.3> Win2k+SP4 + OD 1.10 + VC# 2005. Because it is written in VB, everything it handles is wide characters. I used to write keygens in C, but I just couldn't handle Unicode; today, after a single day of learning C#, I got it done. It's really a fine thing, and the release build is only 20K, whereas with Delphi it would be at least 100K. Ha, the only drawback seems to be that my machine is too slow: running C# it always feels as if the machine has hung, so I should think about learning to compile from the command line. There are surely many mistakes in the analysis. Please do point them out!
Run FHVcdHack.exe --> Basic Settings --> Software Registration, enter "来龙去脉" as the user name and 1212154545412121 in the registration-code box, click OK, and an error is reported. Run OD, attach to FHVcdHack.exe, press F12 to pause, then press Alt+F9 twice to return to the user module:

00611B0F  .  51                PUSH    ECX
00611B10  .  FF15 A4104000     CALL    [<&MSVBVM60.#595>]               ;  MSVBVM60.rtcMsgBox
00611B16  .  E9 80030000       JMP     00611E9B                         ; paused on this line
00611B1B  >  68 D8DB4100       PUSH    0041DBD8                         ; /Arg1 = 0041DBD8

The line after the break is a jump target. Looking further down there is a "Company Name" string, so this may be where registration succeeds. Dragging the scroll bar up a few times shows:

00611AB2  .  50                PUSH    EAX
00611AB3  .  FF15 A0104000     CALL    [<&MSVBVM60.__vbaObjSet>]        ;  MSVBVM60.__vbaObjSet
00611AB9  .  66:83FF FF        CMP     DI, 0FFFF
00611ABD  .  75 5C             JNZ     SHORT 00611B1B

Change this instruction to an unconditional jump (EB 5C) and try it: the registration-successful message really does appear. So look upward for where DI comes from; several places are found.

First:

00611A98  .  66:F7DF           NEG     DI
00611A9B  .  1BFF              SBB     EDI, EDI
00611A9D  .  F7DF              NEG     EDI
00611A9F  .  4F                DEC     EDI

Second:

00611A4C  > \33C0              XOR     EAX, EAX
00611A4E  .  66:83BD 0CFFF>    CMP     WORD PTR [EBP-F4], 0FFFF         ; that is, for registration to succeed, [ebp-f4] must equal 0FFFF
00611A56  .  0F94C0            SETE    AL
00611A59  .  F7D8              NEG     EAX
00611A5B  .  8BF8              MOV     EDI, EAX

Trace further up to where [ebp-f4] comes from:

00611A1C  .  8B0F              MOV     ECX, [EDI]
00611A1E  .  8D95 0CFFFFFF     LEA     EDX, [EBP-F4]                    ; passed as a parameter to the CALL below
00611A24  .  52                PUSH    EDX
00611A25  .  8D45 C8           LEA     EAX, [EBP-38]                    ; address of the user name
00611A28  .  50                PUSH    EAX
00611A29  .  8D55 CC           LEA     EDX, [EBP-34]                    ; address of the fake code
00611A2C  .  52                PUSH    EDX
00611A2D  .  57                PUSH    EDI                              ; DLL handle?
00611A2E  .  FF91 88000000     CALL    [ECX+88]                         ; the important CALL; press F7 to step into it

How do I know which is the user name and which is the fake code? Set a breakpoint on the CALL with F2, run with F9, click OK once more so it runs again and breaks here, then look at the stack: both are there. This CALL is in the DHCopyright.dll module, so the addresses shown below differ somewhat from run to run; only the last four hex digits stay the same, which is determined by DLL relocation.
1AABABE0  > \55                   PUSH    EBP
1AABABE1  .  8BEC                 MOV     EBP, ESP
1AABABE3  .  83EC 18              SUB     ESP, 18
......
1AABAC40  .  C745 FC 03000000     MOV     DWORD PTR [EBP-4], 3           ; I can't figure out what this is for; it seems to be there all along, yet it is never read
1AABAC47  .  8B45 10              MOV     EAX, [EBP+10]                  ; address of the user name
1AABAC4A  .  8B08                 MOV     ECX, [EAX]
1AABAC4C  .  51                   PUSH    ECX
1AABAC4D  .  FF15 1C10AA1A        CALL    [<&MSVBVM60.__vbaLenBstr>]     ;  MSVBVM60.__vbaLenBstr
1AABAC53  .  8BC8                 MOV     ECX, EAX
1AABAC55  .  FF15 9C10AA1A        CALL    [<&MSVBVM60.__vbaI2I4>]        ;  MSVBVM60.__vbaI2I4
1AABAC5B  .  66:8945 C8           MOV     [EBP-38], AX                   ; user name length
1AABAC5F  .  C745 FC 04000000     MOV     DWORD PTR [EBP-4], 4
1AABAC66  .  66:837D C8 03        CMP     WORD PTR [EBP-38], 3
1AABAC6B  .  7C 07                JL      SHORT 1AABAC74
1AABAC6D  .  66:837D C8 1E        CMP     WORD PTR [EBP-38], 1E
1AABAC72  .  7E 12                JLE     SHORT 1AABAC86                 ; the length must be in [3~1E]; in practice it must be greater than 6, otherwise the software throws an exception on restart and won't run
1AABAC74  >  C745 FC 05000000     MOV     DWORD PTR [EBP-4], 5
1AABAC7B  .  66:C745 BC 0000      MOV     WORD PTR [EBP-44], 0
1AABAC81  .  E9 A0060000          JMP     1AABB326
1AABAC86  >  C745 FC 08000000     MOV     DWORD PTR [EBP-4], 8
1AABAC8D  .  BA F043AA1A          MOV     EDX, 1AAA43F0                  ;  UNICODE "SiLong's"
1AABAC92  .  8D4D D4              LEA     ECX, [EBP-2C]
1AABAC95  .  FF15 1C11AA1A        CALL    [<&MSVBVM60.__vbaStrCopy>]     ;  MSVBVM60.__vbaStrCopy
1AABAC9B  .  C745 FC 09000000     MOV     DWORD PTR [EBP-4], 9
1AABACA2  .  68 0844AA1A          PUSH    1AAA4408                       ; /Arg2 = 1AAA4408
1AABACA7  .  8B55 D4              MOV     EDX, [EBP-2C]                  ; |
1AABACAA  .  52                   PUSH    EDX                            ; |Arg1
1AABACAB  .  FF15 3C10AA1A        CALL    [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABACB1  .  8BD0                 MOV     EDX, EAX
1AABACB3  .  8D4D D4              LEA     ECX, [EBP-2C]                  ; concatenation gives "VB-CodeSiLong's", stored at [ebp-2c]
1AABACB6  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABACBC  .  C745 FC 0A000000     MOV     DWORD PTR [EBP-4], 0A
1AABACC3  .  8B45 D4              MOV     EAX, [EBP-2C]
1AABACC6  .  50                   PUSH    EAX                            ; /Arg2
1AABACC7  .  68 1C44AA1A          PUSH    1AAA441C                       ; |Arg1 = 1AAA441C
1AABACCC  .  FF15 3C10AA1A        CALL    [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABACD2  .  8BD0                 MOV     EDX, EAX
1AABACD4  .  8D4D D4              LEA     ECX, [EBP-2C]                  ; concatenation gives "VB-CodeSiLong'sMyMother", stored at [ebp-2c]
1AABACD7  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABACDD  .  C745 FC 0B000000     MOV     DWORD PTR [EBP-4], 0B
1AABACE4  .  68 3444AA1A          PUSH    1AAA4434                       ; /Arg2 = 1AAA4434
1AABACE9  .  8B4D D4              MOV     ECX, [EBP-2C]                  ; |
1AABACEC  .  51                   PUSH    ECX                            ; |Arg1
1AABACED  .  FF15 3C10AA1A        CALL    [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABACF3  .  8BD0                 MOV     EDX, EAX
1AABACF5  .  8D4D D4              LEA     ECX, [EBP-2C]                  ; concatenation gives UNICODE "MyFatherVB-CodeSiLong'sMyMother", stored at [ebp-2c]
1AABACF8  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1ABDACFE  .  C745 FC 0C000>       MOV     DWORD PTR [EBP-4], 0C
1ABDAD05  .  BA 4C44BC1A          MOV     EDX, 1ABC444C
1ABDAD0A  .  8D4D D8              LEA     ECX, [EBP-28]
1ABDAD0D  .  FF15 1C11BC1A        CALL    [<&MSVBVM60.__vbaStrCopy>]     ;  MSVBVM60.__vbaStrCopy
1ABDAD13  .  C745 FC 0D000>       MOV     DWORD PTR [EBP-4], 0D
1ABDAD1A  .  8B55 D8              MOV     EDX, [EBP-28]                  ; U("我爱你我的爱人为了咱们的将来努力吧奋斗吧好了就这些")
1ABDAD1D  .  52                   PUSH    EDX                            ; /Arg2
1ABDAD1E  .  68 8444BC1A          PUSH    1ABC4484                       ; |Arg1 = 1ABC4484
1ABDAD23  .  FF15 3C10BC1A        CALL    [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1ABDAD29  .  8BD0                 MOV     EDX, EAX
1ABDAD2B  .  8D4D D8              LEA     ECX, [EBP-28]                  ; U("我爱你我的爱人为了咱们的将来努力吧奋斗吧好了就这些亲爱的爸爸,妈妈、哥哥、妹妹们好。")
1ABDAD2E  .  FF15 7411BC1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABAD34  .  C745 FC 0E000000     MOV     DWORD PTR [EBP-4], 0E
1AABAD3B  .  66:C745 D0 0000      MOV     WORD PTR [EBP-30], 0           ;  odd/even flag for the loop count
1AABAD41  .  C745 FC 0F000000     MOV     DWORD PTR [EBP-4], 0F
1AABAD48  .  66:8B45 C8           MOV     AX, [EBP-38]                   ;  user name length, used as the loop count
1AABAD4C  .  66:8985 4CFFFFFF     MOV     [EBP-B4], AX
1AABAD53  .  66:C785 50FFFFFF 0>  MOV     WORD PTR [EBP-B0], 1
1AABAD5C  .  66:C745 AC 0100      MOV     WORD PTR [EBP-54], 1           ;  loop variable I
1AABAD62  .  EB 15                JMP     SHORT 1AABAD79
1AABAD64  >  66:8B4D AC           MOV     CX, [EBP-54]
1AABAD68  .  66:038D 50FFFFFF     ADD     CX, [EBP-B0]
1AABAD6F  .  0F80 4E060000        JO      1AABB3C3
1AABAD75  .  66:894D AC           MOV     [EBP-54], CX
1AABAD79  >  66:8B55 AC           MOV     DX, [EBP-54]
1AABAD7D  .  66:3B95 4CFFFFFF     CMP     DX, [EBP-B4]
1AABAD84  .  0F8F FE040000        JG      1AABB288                       ;  exit the loop
1AABAD8A  .  C745 FC 10000000     MOV     DWORD PTR [EBP-4], 10
1AABAD91  .  C745 A0 01000000     MOV     DWORD PTR [EBP-60], 1
1AABAD98  .  C745 98 02000000     MOV     DWORD PTR [EBP-68], 2
1AABAD9F  .  8B45 10              MOV     EAX, [EBP+10]
1AABADA2  .  8985 70FFFFFF        MOV     [EBP-90], EAX                  ;  EAX is the address of the user name
1AABADA8  .  C785 68FFFFFF 0840>  MOV     DWORD PTR [EBP-98], 4008
1AABADB2  .  8D4D 98              LEA     ECX, [EBP-68]                  ;  take two characters (one Chinese character)
1AABADB5  .  51                   PUSH    ECX                            ; /Arg4
1AABADB6  .  0FBF55 AC            MOVSX   EDX, WORD PTR [EBP-54]         ; |loop variable
1AABADBA  .  52                   PUSH    EDX                            ; |Arg3
1AABADBB  .  8D85 68FFFFFF        LEA     EAX, [EBP-98]                  ; |the string is at [ebp-98+8]
1AABADC1  .  50                   PUSH    EAX                            ; |Arg2
1AABADC2  .  8D4D 88              LEA     ECX, [EBP-78]                  ; |put it into [ebp-78+8]
1AABADC5  .  51                   PUSH    ECX                            ; |Arg1
1AABADC6  .  FF15 7C10AA1A        CALL    [<&MSVBVM60.#632>]             ; \rtcMidCharVar
1AABADCC  .  8D55 88              LEA     EDX, [EBP-78]                  ;  fetch the user-name character indexed by the loop count
1AABADCF  .  52                   PUSH    EDX
1AABADD0  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABADD6  .  8BD0                 MOV     EDX, EAX
1AABADD8  .  8D4D B8              LEA     ECX, [EBP-48]                  ;  the result goes to [ebp-48]
1AABADDB  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABADE1  .  8D45 88              LEA     EAX, [EBP-78]
1AABADE4  .  50                   PUSH    EAX
1AABADE5  .  8D4D 98              LEA     ECX, [EBP-68]
1AABADE8  .  51                   PUSH    ECX
1AABADE9  .  6A 02                PUSH    2
1AABADEB  .  FF15 2410AA1A        CALL    [<&MSVBVM60.__vbaFreeVarList>] ;  MSVBVM60.__vbaFreeVarList
1AABADF1  .  83C4 0C              ADD     ESP, 0C
1AABADF4  .  C745 FC 11000000     MOV     DWORD PTR [EBP-4], 11
1AABADFB  .  8B55 B8              MOV     EDX, [EBP-48]
1AABADFE  .  52                   PUSH    EDX                            ; /Arg1
1AABADFF  .  FF15 3010AA1A        CALL    [<&MSVBVM60.#516>]             ; \rtcAnsiValueBstr
1AABAE05  .  66:85C0              TEST    AX, AX                         ;  wctomb, Unicode to Ansi
1AABAE08  .  7D 6C                JGE     SHORT 1AABAE76                 ;  jumps when the original is an English character
1AABAE0A  .  C745 FC 12000000     MOV     DWORD PTR [EBP-4], 12
1AABAE11  .  C745 A0 01000000     MOV     DWORD PTR [EBP-60], 1
1AABAE18  .  C745 98 02000000     MOV     DWORD PTR [EBP-68], 2
1AABAE1F  .  8D45 D4              LEA     EAX, [EBP-2C]
1AABAE22  .  8985 70FFFFFF        MOV     [EBP-90], EAX                  ;  the original constant string
1AABAE28  .  C785 68FFFFFF 0840>  MOV     DWORD PTR [EBP-98], 4008
1AABAE32  .  8D4D 98              LEA     ECX, [EBP-68]                  ;  cut two positions (one Unicode character)
1AABAE35  .  51                   PUSH    ECX                            ; /Arg4
1AABAE36  .  0FBF55 AC            MOVSX   EDX, WORD PTR [EBP-54]         ; |also starting from the I-th
1AABAE3A  .  52                   PUSH    EDX                            ; |Arg3
1AABAE3B  .  8D85 68FFFFFF        LEA     EAX, [EBP-98]                  ; |cut from the constant string
1AABAE41  .  50                   PUSH    EAX                            ; |Arg2
1AABAE42  .  8D4D 88              LEA     ECX, [EBP-78]                  ; |put into [ebp-78+8]
1AABAE45  .  51                   PUSH    ECX                            ; |Arg1
1AABAE46  .  FF15 7C10AA1A        CALL    [<&MSVBVM60.#632>]             ; \rtcMidCharVar
1AABAE4C  .  8D55 88              LEA     EDX, [EBP-78]
1AABAE4F  .  52                   PUSH    EDX
1AABAE50  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABAE56  .  8BD0                 MOV     EDX, EAX
1AABAE58  .  8D4D DC              LEA     ECX, [EBP-24]                  ;  the result is stored at [ebp-24]
1AABAE5B  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABAE61  .  8D45 88              LEA     EAX, [EBP-78]
1AABAE64  .  50                   PUSH    EAX
1AABAE65  .  8D4D 98              LEA     ECX, [EBP-68]
1AABAE68  .  51                   PUSH    ECX
1AABAE69  .  6A 02                PUSH    2
1AABAE6B  .  FF15 2410AA1A        CALL    [<&MSVBVM60.__vbaFreeVarList>] ;  MSVBVM60.__vbaFreeVarList
1AABAE71  .  83C4 0C              ADD     ESP, 0C
1AABAE74  .  EB 6A                JMP     SHORT 1AABAEE0
1AABAE76  >  C745 FC 14000000     MOV     DWORD PTR [EBP-4], 14
1AABAE7D  .  C745 A0 01000000     MOV     DWORD PTR [EBP-60], 1
1AABAE84  .  C745 98 02000000     MOV     DWORD PTR [EBP-68], 2
1AABAE8B  .  8D55 D8              LEA     EDX, [EBP-28]
1AABAE8E  .  8995 70FFFFFF        MOV     [EBP-90], EDX
1AABAE94  .  C785 68FFFFFF 0840>  MOV     DWORD PTR [EBP-98], 4008
1AABAE9E  .  8D45 98              LEA     EAX, [EBP-68]
1AABAEA1  .  50                   PUSH    EAX                            ; /Arg4
1AABAEA2  .  0FBF4D AC            MOVSX   ECX, WORD PTR [EBP-54]         ; |
1AABAEA6  .  51                   PUSH    ECX                            ; |Arg3
1AABAEA7  .  8D95 68FFFFFF        LEA     EDX, [EBP-98]                  ; |
1AABAEAD  .  52                   PUSH    EDX                            ; |Arg2
1AABAEAE  .  8D45 88              LEA     EAX, [EBP-78]                  ; |
1AABAEB1  .  50                   PUSH    EAX                            ; |Arg1
1AABAEB2  .  FF15 7C10AA1A        CALL    [<&MSVBVM60.#632>]             ; \rtcMidCharVar
1AABAEB8  .  8D4D 88              LEA     ECX, [EBP-78]
1AABAEBB  .  51                   PUSH    ECX
1AABAEBC  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABAEC2  .  8BD0                 MOV     EDX, EAX
1AABAEC4  .  8D4D DC              LEA     ECX, [EBP-24]                  ;  take the I-th character of that pile of love declarations into [ebp-24]
1AABAEC7  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABAECD  .  8D55 88              LEA     EDX, [EBP-78]
1AABAED0  .  52                   PUSH    EDX
1AABAED1  .  8D45 98              LEA     EAX, [EBP-68]
1AABAED4  .  50                   PUSH    EAX
1AABAED5  .  6A 02                PUSH    2
1AABAED7  .  FF15 2410AA1A        CALL    [<&MSVBVM60.__vbaFreeVarList>] ;  MSVBVM60.__vbaFreeVarList
1AABAEDD  .  83C4 0C              ADD     ESP, 0C
1AABAEE0  >  C745 FC 16000000     MOV     DWORD PTR [EBP-4], 16
1AABAEE7  .  8B4D B8              MOV     ECX, [EBP-48]
1AABAEEA  .  51                   PUSH    ECX                            ; /Arg1
1AABAEEB  .  FF15 3010AA1A        CALL    [<&MSVBVM60.#516>]             ; \rtcAnsiValueBstr
1AABAEF1  .  66:8BF0              MOV     SI, AX                         ;  the I-th wide character of the user name converted to Ansi?
1AABAEF4  .  8B55 DC              MOV     EDX, [EBP-24]
1AABAEF7  .  52                   PUSH    EDX                            ; /Arg1
1AABAEF8  .  FF15 3010AA1A        CALL    [<&MSVBVM60.#516>]             ; \rtcAnsiValueBstr
1AABAEFE  .  66:33F0              XOR     SI, AX                         ;  XOR with the Ansi value of the I-th wide character of the constant string?
1AABAF01  .  8BCE                 MOV     ECX, ESI
1AABAF03  .  FF15 3810AA1A        CALL    [<&MSVBVM60.__vbaI2Abs>]       ;  MSVBVM60.__vbaI2Abs
1AABAF09  .  0FBFC0               MOVSX   EAX, AX
1AABAF0C  .  8985 34FFFFFF        MOV     [EBP-CC], EAX                  ;  the result's two's complement is stored at [ebp-cc]
1AABAF12  .  DB85 34FFFFFF        FILD    DWORD PTR [EBP-CC]
1AABAF18  .  DD5D C0              FSTP    QWORD PTR [EBP-40]             ;  stored in floating-point format at [ebp-40]
1AABAF1B  .  C745 FC 17000000     MOV     DWORD PTR [EBP-4], 17
1AABAF22  .  0FBF4D D0            MOVSX   ECX, WORD PTR [EBP-30]
1AABAF26  .  85C9                 TEST    ECX, ECX
1AABAF28  .  75 2C                JNZ     SHORT 1AABAF56                 ;  jumps when the loop count is odd ([ebp-30]==1)
1AABAF2A  .  C745 FC 18000000     MOV     DWORD PTR [EBP-4], 18
1AABAF31  .  66:C745 D0 0100      MOV     WORD PTR [EBP-30], 1           ;  flip the odd/even flag
1AABAF37  .  C745 FC 19000000     MOV     DWORD PTR [EBP-4], 19
1AABAF3E  .  DD45 C0              FLD     QWORD PTR [EBP-40]
1AABAF41  .  DC05 9814AA1A        FADD    QWORD PTR [1AAA1498]           ;  add the floating-point constant 719.0 (floats are given in decimal)
1AABAF47  .  DD5D C0              FSTP    QWORD PTR [EBP-40]
1AABAF4A  .  DFE0                 FSTSW   AX
1AABAF4C  .  A8 0D                TEST    AL, 0D
1AABAF4E  .  0F85 6A040000        JNZ     1AABB3BE                       ;  to the exception handler
1AABAF54  .  EB 2A                JMP     SHORT 1AABAF80
1AABAF56  >  C745 FC 1B000000     MOV     DWORD PTR [EBP-4], 1B
1AABAF5D  .  66:C745 D0 0000      MOV     WORD PTR [EBP-30], 0           ;  flip the odd/even flag
1AABAF63  .  C745 FC 1C000000     MOV     DWORD PTR [EBP-4], 1C
1AABAF6A  .  DD45 C0              FLD     QWORD PTR [EBP-40]
1AABAF6D  .  DC0D 9014AA1A        FMUL    QWORD PTR [1AAA1490]           ;  multiply by the floating-point constant 9?
1AABAF73  .  DD5D C0              FSTP    QWORD PTR [EBP-40]
1AABAF76  .  DFE0                 FSTSW   AX
1AABAF78  .  A8 0D                TEST    AL, 0D
1AABAF7A  .  0F85 3E040000        JNZ     1AABB3BE                       ;  to the exception handler
1AABAF80  >  C745 FC 1E000000     MOV     DWORD PTR [EBP-4], 1E
1AABAF87  .  DD45 C0              FLD     QWORD PTR [EBP-40]
1AABAF8A  .  DC1D 8814AA1A        FCOMP   QWORD PTR [1AAA1488]           ;  compare with the floating-point constant 10,000.0
1AABAF90  .  DFE0                 FSTSW   AX
1AABAF92  .  F6C4 41              TEST    AH, 41                         ;  test ZF and CF, i.e. greater than or equal
1AABAF95  .  74 0C                JE      SHORT 1AABAFA3
1AABAF97  .  C785 30FFFFFF 0100>  MOV     DWORD PTR [EBP-D0], 1          ;  when less than 10000.0, [ebp-0d0]=1
1AABAFA1  .  EB 0A                JMP     SHORT 1AABAFAD
1AABAFA3  >  C785 30FFFFFF 0000>  MOV     DWORD PTR [EBP-D0], 0          ;  otherwise =0
1AABAFAD  >  DD45 C0              FLD     QWORD PTR [EBP-40]
1AABAFB0  .  DC1D 8014AA1A        FCOMP   QWORD PTR [1AAA1480]           ;  compare with the floating-point constant 100,000.0
1AABAFB6  .  DFE0                 FSTSW   AX
1AABAFB8  .  F6C4 01              TEST    AH, 1                          ;  CF: greater than?
1AABAFBB  .  75 0C                JNZ     SHORT 1AABAFC9                 ;  jump if not greater
1AABAFBD  .  C785 2CFFFFFF 0100>  MOV     DWORD PTR [EBP-D4], 1          ;  when greater than 100,000.0, [ebp-0d4]=1
1AABAFC7  .  EB 0A                JMP     SHORT 1AABAFD3
1AABAFC9  >  C785 2CFFFFFF 0000>  MOV     DWORD PTR [EBP-D4], 0          ;  otherwise =0
1AABAFD3  >  8B95 30FFFFFF        MOV     EDX, [EBP-D0]
1AABAFD9  .  0B95 2CFFFFFF        OR      EDX, [EBP-D4]
1AABAFDF  .  85D2                 TEST    EDX, EDX
1AABAFE1  .  0F85 E5000000        JNZ     1AABB0CC                       ;  jump away if not within [10,000~100,000]
1AABAFE7  .  C745 FC 1F000000     MOV     DWORD PTR [EBP-4], 1F
1AABAFEE  .  8D45 C0              LEA     EAX, [EBP-40]
1AABAFF1  .  8985 70FFFFFF        MOV     [EBP-90], EAX
1AABAFF7  .  C785 68FFFFFF 0540>  MOV     DWORD PTR [EBP-98], 4005
1AABB001  .  6A 03                PUSH    3                              ; /Arg3 = 00000003
1AABB003  .  8D8D 68FFFFFF        LEA     ECX, [EBP-98]                  ; |the floating-point result (the decimal number as a string)
1AABB009  .  51                   PUSH    ECX                            ; |Arg2
1AABB00A  .  8D55 98              LEA     EDX, [EBP-68]                  ; |take the left 3 digits, stored at [ebp-60]
1AABB00D  .  52                   PUSH    EDX                            ; |Arg1
1AABB00E  .  FF15 6411AA1A        CALL    [<&MSVBVM60.#617>]             ; \rtcLeftCharVar
1AABB014  .  8D45 98              LEA     EAX, [EBP-68]
1AABB017  .  50                   PUSH    EAX
1AABB018  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABB01E  .  8BD0                 MOV     EDX, EAX
1AABB020  .  8D4D B4              LEA     ECX, [EBP-4C]                  ;  the result is then stored at [ebp-4c]
1AABB023  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB029  .  8D4D 98              LEA     ECX, [EBP-68]
1AABB02C  .  FF15 1410AA1A        CALL    [<&MSVBVM60.__vbaFreeVar>]     ;  MSVBVM60.__vbaFreeVar
1AABB032  .  C745 FC 20000000     MOV     DWORD PTR [EBP-4], 20
1AABB039  .  8D4D C0              LEA     ECX, [EBP-40]
1AABB03C  .  898D 70FFFFFF        MOV     [EBP-90], ECX                  ;  the floating-point result is saved at [ebp-90]
1AABB042  .  C785 68FFFFFF 0540>  MOV     DWORD PTR [EBP-98], 4005
1AABB04C  .  6A 02                PUSH    2                              ; /Arg3 = 00000002
1AABB04E  .  8D95 68FFFFFF        LEA     EDX, [EBP-98]                  ; |
1AABB054  .  52                   PUSH    EDX                            ; |Arg2
1AABB055  .  8D45 98              LEA     EAX, [EBP-68]                  ; |take the right 2 digits, saved at [ebp-60]
1AABB058  .  50                   PUSH    EAX                            ; |Arg1
1AABB059  .  FF15 7811AA1A        CALL    [<&MSVBVM60.#619>]             ; \rtcRightCharVar
1AABB05F  .  8D4D 98              LEA     ECX, [EBP-68]
1AABB062  .  51                   PUSH    ECX
1AABB063  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABB069  .  8BD0                 MOV     EDX, EAX
1AABB06B  .  8D4D B0              LEA     ECX, [EBP-50]                  ;  the result is then stored at [ebp-50]
1AABB06E  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB074  .  8D4D 98              LEA     ECX, [EBP-68]
1AABB077  .  FF15 1410AA1A        CALL    [<&MSVBVM60.__vbaFreeVar>]     ;  MSVBVM60.__vbaFreeVar
1AABB07D  .  C745 FC 21000000     MOV     DWORD PTR [EBP-4], 21
1AABB084  .  8B55 B0              MOV     EDX, [EBP-50]                  ;  the right 2 digits of the floating-point result, again as a float
1AABB087  .  52                   PUSH    EDX                            ; /Arg1
1AABB088  .  FF15 9811AA1A        CALL    [<&MSVBVM60.#581>]             ; \rtcR8ValFromBstr
1AABB08E  .  FF15 7410AA1A        CALL    [<&MSVBVM60.__vbaFpR8>]        ;  MSVBVM60.__vbaFpR8
1AABB094  .  DC1D 7814AA1A        FCOMP   QWORD PTR [1AAA1478]           ;  floating-point constant 0
1AABB09A  .  DFE0                 FSTSW   AX
1AABB09C  .  F6C4 40              TEST    AH, 40                         ;  test ZF
1AABB09F  .  75 26                JNZ     SHORT 1AABB0C7                 ;  jump if equal to the constant
1AABB0A1  .  C745 FC 22000000     MOV     DWORD PTR [EBP-4], 22
1AABB0A8  .  DD45 C0              FLD     QWORD PTR [EBP-40]             ;  the original float converted to an integer in EAX
1AABB0AB  .  FF15 5C11AA1A        CALL    [<&MSVBVM60.__vbaFpI4>]        ;  MSVBVM60.__vbaFpI4
1AABB0B1  .  0FBF4D AC            MOVSX   ECX, WORD PTR [EBP-54]         ;  loop variable I
1AABB0B5  .  99                   CDQ
1AABB0B6  .  F7F9                 IDIV    ECX                            ;  the integer result divided by I
1AABB0B8  .  8985 28FFFFFF        MOV     [EBP-D8], EAX
1AABB0BE  .  DB85 28FFFFFF        FILD    DWORD PTR [EBP-D8]
1AABB0C4  .  DD5D C0              FSTP    QWORD PTR [EBP-40]             ;  the result is converted back to floating-point format and stored at [ebp-40]
1AABB0C7  >  E9 21010000          JMP     1AABB1ED
1AABB0CC  >  C745 FC 24000000     MOV     DWORD PTR [EBP-4], 24
1AABB0D3  .  DD45 C0              FLD     QWORD PTR [EBP-40]
1AABB0D6  .  DC1D 8014AA1A        FCOMP   QWORD PTR [1AAA1480]
1AABB0DC  .  DFE0                 FSTSW   AX
1AABB0DE  .  F6C4 41              TEST    AH, 41
1AABB0E1  .  0F85 06010000        JNZ     1AABB1ED
1AABB0E7  .  C745 FC 25000000     MOV     DWORD PTR [EBP-4], 25
1AABB0EE  .  8D55 C0              LEA     EDX, [EBP-40]
1AABB0F1  .  8995 70FFFFFF        MOV     [EBP-90], EDX
1AABB0F7  .  C785 68FFFFFF 0540>  MOV     DWORD PTR [EBP-98], 4005
1AABB101  .  6A 04                PUSH    4                              ; /Arg3 = 00000004
1AABB103  .  8D85 68FFFFFF        LEA     EAX, [EBP-98]                  ; |
1AABB109  .  50                   PUSH    EAX                            ; |Arg2
1AABB10A  .  8D4D 98              LEA     ECX, [EBP-68]                  ; |
1AABB10D  .  51                   PUSH    ECX                            ; |Arg1
1AABB10E  .  FF15 6411AA1A        CALL    [<&MSVBVM60.#617>]             ; \rtcLeftCharVar
1AABB114  .  8D55 98              LEA     EDX, [EBP-68]                  ;  take the left 4 digits
1AABB117  .  52                   PUSH    EDX
1AABB118  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABB11E  .  8BD0                 MOV     EDX, EAX
1AABB120  .  8D4D B4              LEA     ECX, [EBP-4C]                  ;  saved at [ebp-4c]
1AABB123  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB129  .  8D4D 98              LEA     ECX, [EBP-68]
1AABB12C  .  FF15 1410AA1A        CALL    [<&MSVBVM60.__vbaFreeVar>]     ;  MSVBVM60.__vbaFreeVar
1AABB132  .  C745 FC 26000000     MOV     DWORD PTR [EBP-4], 26
1AABB139  .  8D45 C0              LEA     EAX, [EBP-40]
1AABB13C  .  8985 70FFFFFF        MOV     [EBP-90], EAX
1AABB142  .  C785 68FFFFFF 0540>  MOV     DWORD PTR [EBP-98], 4005
1AABB14C  .  6A 02                PUSH    2                              ; /Arg3 = 00000002
1AABB14E  .  8D8D 68FFFFFF        LEA     ECX, [EBP-98]                  ; |
1AABB154  .  51                   PUSH    ECX                            ; |Arg2
1AABB155  .  8D55 98              LEA     EDX, [EBP-68]                  ; |
1AABB158  .  52                   PUSH    EDX                            ; |Arg1
1AABB159  .  FF15 7811AA1A        CALL    [<&MSVBVM60.#619>]             ; \rtcRightCharVar
1AABB15F  .  8D45 98              LEA     EAX, [EBP-68]                  ;  take the right two digits
1AABB162  .  50                   PUSH    EAX
1AABB163  .  FF15 2010AA1A        CALL    [<&MSVBVM60.__vbaStrVarMove>]  ;  MSVBVM60.__vbaStrVarMove
1AABB169  .  8BD0                 MOV     EDX, EAX
1AABB16B  .  8D4D B0              LEA     ECX, [EBP-50]                  ;  saved at [ebp-50]
1AABB16E  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB174  .  8D4D 98              LEA     ECX, [EBP-68]
1AABB177  .  FF15 1410AA1A        CALL    [<&MSVBVM60.__vbaFreeVar>]     ;  MSVBVM60.__vbaFreeVar
1AABB17D  .  C745 FC 27000000     MOV     DWORD PTR [EBP-4], 27
1AABB184  .  8B4D B0              MOV     ECX, [EBP-50]                  ;  these two digits again as a float
1AABB187  .  51                   PUSH    ECX                            ; /Arg1
1AABB188  .  FF15 9811AA1A        CALL    [<&MSVBVM60.#581>]             ; \rtcR8ValFromBstr
1AABB18E  .  FF15 7410AA1A        CALL    [<&MSVBVM60.__vbaFpR8>]        ;  MSVBVM60.__vbaFpR8
1AABB194  .  DC1D 7814AA1A        FCOMP   QWORD PTR [1AAA1478]           ;  compare with the constant 0
1AABB19A  .  DFE0                 FSTSW   AX
1AABB19C  .  F6C4 40              TEST    AH, 40
1AABB19F  .  75 4C                JNZ     SHORT 1AABB1ED                 ;  jump away if equal (zero)
1AABB1A1  .  C745 FC 28000000     MOV     DWORD PTR [EBP-4], 28          ;  when the last two digits are not 0
1AABB1A8  .  8B55 B4              MOV     EDX, [EBP-4C]
1AABB1AB  .  52                   PUSH    EDX                            ; /Arg1
1AABB1AC  .  FF15 9811AA1A        CALL    [<&MSVBVM60.#581>]             ; \rtcR8ValFromBstr
1AABB1B2  .  FF15 5C11AA1A        CALL    [<&MSVBVM60.__vbaFpI4>]        ;  MSVBVM60.__vbaFpI4
1AABB1B8  .  8BF0                 MOV     ESI, EAX                       ;  the left 4 digits turned into an integer
1AABB1BA  .  8B45 B0              MOV     EAX, [EBP-50]
1AABB1BD  .  50                   PUSH    EAX                            ; /Arg1
1AABB1BE  .  FF15 9811AA1A        CALL    [<&MSVBVM60.#581>]             ; \rtcR8ValFromBstr
1AABB1C4  .  FF15 5C11AA1A        CALL    [<&MSVBVM60.__vbaFpI4>]        ;  MSVBVM60.__vbaFpI4
1AABB1CA  .  8BC8                 MOV     ECX, EAX                       ;  then the right two digits turned into an integer
1AABB1CC  .  8BC6                 MOV     EAX, ESI
1AABB1CE  .  99                   CDQ
1AABB1CF  .  F7F9                 IDIV    ECX                            ;  left 4 digits divided by right 2 digits
1AABB1D1  .  0FBF55 AC            MOVSX   EDX, WORD PTR [EBP-54]
1AABB1D5  .  0FAFC2               IMUL    EAX, EDX                       ;  then multiplied by the loop variable I
1AABB1D8  .  0F80 E5010000        JO      1AABB3C3
1AABB1DE  .  8985 24FFFFFF        MOV     [EBP-DC], EAX
1AABB1E4  .  DB85 24FFFFFF        FILD    DWORD PTR [EBP-DC]
1AABB1EA  .  DD5D C0              FSTP    QWORD PTR [EBP-40]             ;  converted to a float and saved at [ebp-40]
1AABB1ED  >  C745 FC 2B000000     MOV     DWORD PTR [EBP-4], 2B
1AABB1F4  .  0FBF45 D0            MOVSX   EAX, WORD PTR [EBP-30]
1AABB1F8  .  85C0                 TEST    EAX, EAX
1AABB1FA  .  75 41                JNZ     SHORT 1AABB23D                 ;  jumps when the loop count is even ([ebp-30]==1)
1AABB1FC  .  C745 FC 2C000000     MOV     DWORD PTR [EBP-4], 2C
1AABB203  .  8B4D CC              MOV     ECX, [EBP-34]                  ;  [ebp-34] is the result string of the previous iteration
1AABB206  .  51                   PUSH    ECX                            ;  this is the second parameter of StrCat
1AABB207  .  8B55 C4              MOV     EDX, [EBP-3C]
1AABB20A  .  52                   PUSH    EDX
1AABB20B  .  8B45 C0              MOV     EAX, [EBP-40]
1AABB20E  .  50                   PUSH    EAX
1AABB20F  .  FF15 BC10AA1A        CALL    [<&MSVBVM60.__vbaStrR8>]       ;  MSVBVM60.__vbaStrR8
1AABB215  .  8BD0                 MOV     EDX, EAX                       ;  the floating-point result converted to a string, stored at [ebp-58]
1AABB217  .  8D4D A8              LEA     ECX, [EBP-58]
1AABB21A  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB220  .  50                   PUSH    EAX                            ; |Arg1
1AABB221  .  FF15 3C10AA1A        CALL    [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABB227  .  8BD0                 MOV     EDX, EAX
1AABB229  .  8D4D CC              LEA     ECX, [EBP-34]                  ;  concatenate the previous result with this one, stored at [ebp-34]
1AABB22C  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB232  .  8D4D A8              LEA     ECX, [EBP-58]
1AABB235  .  FF15 9011AA1A        CALL    [<&MSVBVM60.__vbaFreeStr>]     ;  MSVBVM60.__vbaFreeStr
1AABB23B  .  EB 3F                JMP     SHORT 1AABB27C
1AABB23D  >  C745 FC 2E000000     MOV     DWORD PTR [EBP-4], 2E
1AABB244  .  8B4D C4              MOV     ECX, [EBP-3C]
1AABB247  .  51                   PUSH    ECX
1AABB248  .  8B55 C0              MOV     EDX, [EBP-40]
1AABB24B  .  52                   PUSH    EDX
1AABB24C  .  FF15 BC10AA1A        CALL    [<&MSVBVM60.__vbaStrR8>]       ;  MSVBVM60.__vbaStrR8
1AABB252  .  8BD0                 MOV     EDX, EAX                       ;  the floating-point result converted to a string
1AABB254  .  8D4D A8              LEA     ECX, [EBP-58]                  ;  put at [ebp-58]
1AABB257  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB25D  .  50                   PUSH    EAX                            ; /Arg2
1AABB25E  .  8B45 CC              MOV     EAX, [EBP-34]                  ; |
1AABB261  .  50                   PUSH    EAX                            ; |Arg1
1AABB262  .  FF15 3C10AA1A        CALL    [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABB268  .  8BD0                 MOV     EDX, EAX                       ;  concatenate this result string with the previous result string
1AABB26A  .  8D4D CC              LEA     ECX, [EBP-34]                  ;  put at [ebp-34]
1AABB26D  .  FF15 7411AA1A        CALL    [<&MSVBVM60.__vbaStrMove>]     ;  MSVBVM60.__vbaStrMove
1AABB273  .  8D4D A8              LEA     ECX, [EBP-58]
1AABB276  .  FF15 9011AA1A        CALL    [<&MSVBVM60.__vbaFreeStr>]     ;  MSVBVM60.__vbaFreeStr
1AABB27C  >  C745 FC 30000000     MOV     DWORD PTR [EBP-4], 30
1AABB283  .^ E9 DCFAFFFF          JMP     1AABAD64
1AABB288  >  C745 FC 31000000     MOV     DWORD PTR [EBP-4], 31
1AABB28F  .  8B4D 0C              MOV     ECX, [EBP+C]                   ;  the fake registration code put at [ebp-90]
1AABB292  .  898D 70FFFFFF        MOV     [EBP-90], ECX
1AABB298  .  C785 68FFFFFF 0840>  MOV     DWORD PTR [EBP-98], 4008
1AABB2A2  .  8D95 68FFFFFF        LEA     EDX, [EBP-98]
1AABB2A8  .  52                   PUSH    EDX                            ; /Arg2
1AABB2A9  .  8D45 98              LEA     EAX, [EBP-68]                  ; |
1AABB2AC  .  50                   PUSH    EAX                            ; |Arg1
1AABB2AD  .  FF15 7010AA1A        CALL    [<&MSVBVM60.#520>]             ; \rtcTrimVar
1AABB2B3  .  8D4D CC              LEA     ECX, [EBP-34]                  ;  the real registration code put at [ebp-a0]
1AABB2B6  .  898D 60FFFFFF        MOV     [EBP-A0], ECX
1AABB2BC  .  C785 58FFFFFF 0840>  MOV     DWORD PTR [EBP-A8], 4008
1AABB2C6  .  8D95 58FFFFFF        LEA     EDX, [EBP-A8]
1AABB2CC  .  52                   PUSH    EDX                            ; /Arg2
1AABB2CD  .  8D45 88              LEA     EAX, [EBP-78]                  ; |
1AABB2D0  .  50                   PUSH    EAX                            ; |Arg1
1AABB2D1  .  FF15 7010AA1A        CALL    [<&MSVBVM60.#520>]             ; \rtcTrimVar
1AABB2D7  .  8D4D 98              LEA     ECX, [EBP-68]                  ;  check whether the registration codes are equal
1AABB2DA  .  51                   PUSH    ECX
1AABB2DB     8D55 88              LEA     EDX, [EBP-78]
1AABB2DE  .  52                   PUSH    EDX
1AABB2DF  .  FF15 9410AA1A        CALL    [<&MSVBVM60.__vbaVarTstEq>]    ;  MSVBVM60.__vbaVarTstEq
1AABB2E5  .  66:8985 54FFFFFF     MOV     [EBP-AC], AX                   ;  0FFFF if equal, otherwise 0, saved at [ebp-ac]
1AABB2EC  .  8D45 88              LEA     EAX, [EBP-78]
1AABB2EF  .  50                   PUSH    EAX
1AABB2F0  .  8D4D 98              LEA     ECX, [EBP-68]
1AABB2F3  .  51                   PUSH    ECX
1AABB2F4  .  6A 02                PUSH    2
1AABB2F6  .  FF15 2410AA1A        CALL    [<&MSVBVM60.__vbaFreeVarList>] ;  MSVBVM60.__vbaFreeVarList
1AABB2FC  .  83C4 0C              ADD     ESP, 0C
1AABB2FF  .  0FBF95 54FFFFFF      MOVSX   EDX, WORD PTR [EBP-AC]
1AABB306  .  85D2                 TEST    EDX, EDX
1AABB308  .  74 0F                JE      SHORT 1AABB319                 ;  a good spot for patching; just NOP it out
1AABB30A  .  C745 FC 32000000     MOV     DWORD PTR [EBP-4], 32
1AABB311  .  66:C745 BC FFFF      MOV     WORD PTR [EBP-44], 0FFFF       ;  if [EBP-AC] is non-zero, set [EBP-44] to FFFF
1AABB317  .  EB 0D                JMP     SHORT 1AABB326
1AABB319  >  C745 FC 34000000     MOV     DWORD PTR [EBP-4], 34
1AABB320  .  66:C745 BC 0000      MOV     WORD PTR [EBP-44], 0           ;  otherwise set it to 0
1AABB326  >  9B                   WAIT
1AABB327  .  68 92B3AB1A          PUSH    1AABB392
1AABB32C  .  EB 24                JMP     SHORT 1AABB352
1AABB32E  .  8D4D A8              LEA     ECX, [EBP-58]
1AABB331  .  FF15 9011AA1A        CALL    [<&MSVBVM60.__vbaFreeStr>]     ;  MSVBVM60.__vbaFreeStr
1AABB337  .  8D85 78FFFFFF        LEA     EAX, [EBP-88]
1AABB33D  .  50                   PUSH    EAX
1AABB33E  .  8D4D 88              LEA     ECX, [EBP-78]
1AABB341  .  51                   PUSH    ECX
1AABB342  .  8D55 98              LEA     EDX, [EBP-68]
1AABB345  .  52                   PUSH    EDX
1AABB346  .  6A 03                PUSH    3
1AABB348  .  FF15 2410AA1A        CALL    [<&MSVBVM60.__vbaFreeVarList>] ;  MSVBVM60.__vbaFreeVarList
1AABB34E  .  83C4 10              ADD     ESP, 10
1AABB351  .  C3                   RETN
1AABB352  >  8D4D DC              LEA     ECX, [EBP-24]
......
1AABB391  .  C3                   RETN
......
1AABB39E  .  8B45 14              MOV     EAX, [EBP+14]
1AABB3A1  .  66:8B4D BC           MOV     CX, [EBP-44]                   ; changing this and the next instruction to mov word ptr [eax],0ffff also registers successfully
1AABB3A5  .  66:8908              MOV     [EAX], CX                      ; this is how I usually do patching
1AABB3A8  .  8B45 F0              MOV     EAX, [EBP-10]
1AABB3AB  .  8B4D E0              MOV     ECX, [EBP-20]
1AABB3AE  .  64:890D 00000000     MOV     FS:[0], ECX                    ;  restore the exception chain
1AABB3B5  .  5F                   POP     EDI
1AABB3B6  .  5E                   POP     ESI
1AABB3B7  .  5B                   POP     EBX
1AABB3B8  .  8BE5                 MOV     ESP, EBP
1AABB3BA  .  5D                   POP     EBP
1AABB3BB  .  C2 1000              RETN    10
1AABB3BE  >^ E9 9963FEFF          JMP
1AABB3C3  >  FF15 0411AA1A        CALL    [<&MSVBVM60.__vbaErrorOverflow>] ;  MSVBVM60.__vbaErrorOverflow
The keygen, implemented in C#:
// Body of the form's button Click handler (assumes using System.Text; and using System.Windows.Forms;).
const string s1 = "MyFatherVB-CodeSiLong'sMyMother";
const string s2 = "我爱你我的爱人为了咱们的将来努力吧奋斗吧好了就这些亲爱的爸爸,妈妈、哥哥、妹妹们好。";
const short ftemp1 = 719;
const short ftemp2 = 9;
byte[] tmp = new byte[100];
int tmp1, tmp2, tmp3, f1, f2, count1 = 0, mark = 0, i = 0;
string username = textBox1.Text, result = "";
while (i < username.Length)
{
    tmp = Encoding.Default.GetBytes(username);  // user name in the system code page (GBK here): 2 bytes per CJK char
    if ((tmp.Length < 6) || (tmp.Length > 20))
    {
        MessageBox.Show("用户名长度要适中!");
        return;
    }
    if (username[i] < 0xff)  // character is within the ASCII range
    {
        tmp1 = username[i];
        tmp = Encoding.Default.GetBytes(s2);
        tmp2 = (tmp[i * 2] << 8) + tmp[i * 2 + 1];  // one double-byte character of s2
        count1++;                                   // consumed one byte of the user name
    }
    else
    {
        tmp1 = (tmp[count1] << 8) + tmp[count1 + 1];  // one double-byte character of the user name
        tmp = Encoding.Default.GetBytes(s1);
        tmp2 = tmp[i];                                // one byte of s1
        count1 += 2;                                  // consumed two bytes of the user name
    }
    tmp3 = (~(tmp1 ^ tmp2) + 1) & 0xffff;  // 16-bit two's-complement negation of the XOR
    if (mark == 0)
    {
        mark = 1;
        tmp3 += ftemp1;
    }
    else
    {
        mark = 0;
        tmp3 *= ftemp2;
    }
    if ((tmp3 >= 10000) && (tmp3 <= 100000))
    {
        f1 = tmp3 / 100;
        f2 = tmp3 - tmp3 / 100 * 100;
        if (f2 != 0)
            tmp3 /= i + 1;
    }
    else if (tmp3 > 100000)
    {
        f1 = tmp3 / 100;
        f2 = tmp3 - tmp3 / 100 * 100;
        if (f2 != 0)
            tmp3 = f1 / f2 * (i + 1);
    }
    if (mark == 0)
        result = result + tmp3.ToString();  // rounds that multiplied by ftemp2 append
    else
        result = tmp3.ToString() + result;  // rounds that added ftemp1 prepend
    i++;
}
textBox2.Text = result;
MessageBox.Show(result);