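Algorithm Analysis of XX Desktop Calendar
【Title】: Algorithm Analysis of 飞雪桌面日历 (Feixue Desktop Calendar)
【Author】: dewar
【Author's Homepage】: None
【Software Name】: 飞雪桌面日历 2.0
【Download】: Search for and download it yourself
【Packer】: UPX
【Protection】: Registration code validated at restart
【Language】: VB
【Tools Used】: OD
【Platform】: WINXP
【About the Software】: Combines a perpetual calendar, clock, scheduled run, scheduled shutdown, etc.
【Author's Statement】: Just out of interest, with no other purpose. Please point out any mistakes!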
--------------------------------------------------------------------------------
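【Detailed Process】
The software is small yet powerful! It bundles a huge number of features: perpetual calendar, clock, scheduled run, scheduled shutdown (shutdown on 2000/XP takes only 3 seconds!), timed computer use, rest reminders (can lock the system), memos, system hotkeys, world time, optical drive control, periodic computer cleanup, voice time announcements, hourly/half-hourly chimes, and more. It also supports custom skins and can appear in four forms: calendar, wall calendar, clock, and mini bar. But it is shareware, and it keeps popping up a "You have not registered" prompt, which is annoying to look at~~ so I had no choice but to put it on the operating table ^_^
1. First I tried the program and found that the registration code is validated at restart.
2. Checking the packer with PEID showed a UPX shell. This packer is very basic and came off in no time. Checking again after unpacking showed no packer and that the program is written in VB. I test-ran it and, bang, the computer shut down. Good grief, what nasty behavior; looks like it has to be cracked. Restart the computer and try again.
3. Since it shuts the machine down, there must be a hidden trap, most likely a file-size check. Load the unpacked program in OD and set breakpoints on every call to rtcFileLen, an exported function of the module MSVBVM60.DLL (8 places in total). Press F9 to run; execution breaks at the following location: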
........
00531B57 .FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRand>;generate a random number
00531B5D .D80D 0C394000 FMUL DWORD PTR DS: ;×10
00531B63 .FF15 F0124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8>;convert to integer
00531B69 .8BF8 MOV EDI, EAX
00531B6B .8D4D B8 LEA ECX, DWORD PTR SS:
00531B6E .FFD6 CALL ESI
00531B70 .0FBFC7 MOVSX EAX, DI
00531B73 .83F8 09 CMP EAX, 9 ;Switch (cases 0..9)
00531B76 .0F87 A5020000 JA 00531E21
00531B7C .FF2485 8C1E53>JMP DWORD PTR DS:
00531B83 >8B4D E0 MOV ECX, DWORD PTR SS: ;Case 1 of switch 00531B73
00531B86 .51 PUSH ECX
00531B87 .E9 3C010000 JMP 00531CC8
00531B8C >8B55 E0 MOV EDX, DWORD PTR SS: ;Case 2 of switch 00531B73
00531B8F .52 PUSH EDX
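00531B90 .FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;check the size of the running program (same below)
00531B96 .3D 004E0500 CMP EAX, 54E00 ;compare with 0x54e00 (same below)
00531B9B .0F84 80020000 JE 00531E21 ;if equal, jump to the correct code (same below) // change JE to JMP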
00531BA1 .8B45 D8 MOV EAX, DWORD PTR SS:
00531BA4 .85C0 TEST EAX, EAX
00531BA6 .75 12 JNZ SHORT 00531BBA
00531BA8 .8D45 D8 LEA EAX, DWORD PTR SS:
00531BAB .50 PUSH EAX
00531BAC .68 A8784000 PUSH 004078A8
00531BB1 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>;MSVBVM60.__vbaNew2
00531BB7 .8B45 D8 MOV EAX, DWORD PTR SS:
00531BBA >8BF0 MOV ESI, EAX
00531BBC .8B08 MOV ECX, DWORD PTR DS:
00531BBE .50 PUSH EAX
00531BBF .FF51 24 CALL DWORD PTR DS: ;otherwise shut down!
00531BC2 .DBE2 FCLEX
00531BC4 .85C0 TEST EAX, EAX
00531BC6 .7D 0F JGE SHORT 00531BD7
00531BC8 .6A 24 PUSH 24
00531BCA .68 64C24100 PUSH 0041C264
00531BCF .56 PUSH ESI
00531BD0 .50 PUSH EAX
00531BD1 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>;MSVBVM60.__vbaHresultCheckObj
00531BD7 >8B45 D8 MOV EAX, DWORD PTR SS:
00531BDA .85C0 TEST EAX, EAX
00531BDC .75 12 JNZ SHORT 00531BF0
00531BDE .8D55 D8 LEA EDX, DWORD PTR SS:
00531BE1 .52 PUSH EDX
00531BE2 .68 A8784000 PUSH 004078A8
00531BE7 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>;MSVBVM60.__vbaNew2
00531BED .8B45 D8 MOV EAX, DWORD PTR SS:
00531BF0 >8BF0 MOV ESI, EAX
00531BF2 .8B08 MOV ECX, DWORD PTR DS:
00531BF4 .50 PUSH EAX
00531BF5 .FF51 20 CALL DWORD PTR DS:
00531BF8 .DBE2 FCLEX
00531BFA .85C0 TEST EAX, EAX
00531BFC .0F8D 1F020000 JGE 00531E21
00531C02 .6A 20 PUSH 20
00531C04 .68 64C24100 PUSH 0041C264
00531C09 .56 PUSH ESI
00531C0A .50 PUSH EAX
00531C0B .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>;MSVBVM60.__vbaHresultCheckObj
00531C11 .E9 0B020000 JMP 00531E21
00531C16 >8B55 E0 MOV EDX, DWORD PTR SS: ;Case 3 of switch 00531B73
00531C19 .52 PUSH EDX
00531C1A .FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;MSVBVM60.rtcFileLen
00531C20 .3D 004E0500 CMP EAX, 54E00
00531C25 .0F84 F6010000 JE 00531E21 ;change JE to JMP
00531C2B .8B45 D8 MOV EAX, DWORD PTR SS:
00531C2E .85C0 TEST EAX, EAX
00531C30 .75 12 JNZ SHORT 00531C44
00531C32 .8D45 D8 LEA EAX, DWORD PTR SS:
00531C35 .50 PUSH EAX
00531C36 .68 A8784000 PUSH 004078A8
00531C3B .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>;MSVBVM60.__vbaNew2
00531C41 .8B45 D8 MOV EAX, DWORD PTR SS:
00531C44 >8BF0 MOV ESI, EAX
00531C46 .8B08 MOV ECX, DWORD PTR DS:
00531C48 .50 PUSH EAX
00531C49 .FF51 24 CALL DWORD PTR DS:
00531C4C .DBE2 FCLEX
00531C4E .85C0 TEST EAX, EAX
00531C50 .7D 0F JGE SHORT 00531C61
00531C52 .6A 24 PUSH 24
00531C54 .68 64C24100 PUSH 0041C264
00531C59 .56 PUSH ESI
00531C5A .50 PUSH EAX
00531C5B .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>;MSVBVM60.__vbaHresultCheckObj
00531C61 >8B45 D8 MOV EAX, DWORD PTR SS:
00531C64 .85C0 TEST EAX, EAX
00531C66 .75 36 JNZ SHORT 00531C9E
00531C68 .EB 22 JMP SHORT 00531C8C
00531C6A >8B45 E0 MOV EAX, DWORD PTR SS: ;Case 5 of switch 00531B73
00531C6D .50 PUSH EAX
00531C6E .EB 58 JMP SHORT 00531CC8
00531C70 >8B4D E0 MOV ECX, DWORD PTR SS: ;Case 6 of switch 00531B73
00531C73 .51 PUSH ECX
00531C74 .FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;MSVBVM60.rtcFileLen
00531C7A .3D 004E0500 CMP EAX, 54E00
00531C7F .0F84 9C010000 JE 00531E21 ;change JE to JMP
00531C85 .8B45 D8 MOV EAX, DWORD PTR SS:
00531C88 .85C0 TEST EAX, EAX
00531C8A .75 12 JNZ SHORT 00531C9E
00531C8C >8D55 D8 LEA EDX, DWORD PTR SS:
00531C8F .52 PUSH EDX
00531C90 .68 A8784000 PUSH 004078A8
00531C95 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>;MSVBVM60.__vbaNew2
00531C9B .8B45 D8 MOV EAX, DWORD PTR SS:
00531C9E >8BF0 MOV ESI, EAX
00531CA0 .8B08 MOV ECX, DWORD PTR DS:
00531CA2 .50 PUSH EAX
00531CA3 .FF51 20 CALL DWORD PTR DS:
00531CA6 .DBE2 FCLEX
00531CA8 .85C0 TEST EAX, EAX
00531CAA .0F8D 71010000 JGE 00531E21
00531CB0 .6A 20 PUSH 20
00531CB2 .68 64C24100 PUSH 0041C264
00531CB7 .56 PUSH ESI
00531CB8 .50 PUSH EAX
00531CB9 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>;MSVBVM60.__vbaHresultCheckObj
00531CBF .E9 5D010000 JMP 00531E21
00531CC4 >8B55 E0 MOV EDX, DWORD PTR SS: ;Cases 4,7 of switch 00531B73
00531CC7 .52 PUSH EDX
00531CC8 >FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;MSVBVM60.rtcFileLen
00531CCE .3D 004E0500 CMP EAX, 54E00
00531CD3 .0F84 48010000 JE 00531E21 ;change JE to JMP
00531CD9 .E9 3D010000 JMP 00531E1B
00531CDE >DD05 885F4000 FLD QWORD PTR DS: ;Case 8 of switch 00531B73
00531CE4 .E8 1B4AEDFF CALL
00531CE9 .DD5D A0 FSTP QWORD PTR SS:
00531CEC .8B45 E0 MOV EAX, DWORD PTR SS:
00531CEF .50 PUSH EAX
00531CF0 .FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;MSVBVM60.rtcFileLen
00531CF6 .8985 78FFFFFF MOV DWORD PTR SS:, EAX
00531CFC .DB85 78FFFFFF FILD DWORD PTR SS:
00531D02 .DD9D 70FFFFFF FSTP QWORD PTR SS:
00531D08 .68 00805840 PUSH 40588000
00531D0D .6A 00 PUSH 0
00531D0F .DD45 A0 FLD QWORD PTR SS:
00531D12 .FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFP>;MSVBVM60.__vbaFPInt
00531D18 .83EC 08 SUB ESP, 8
00531D1B .DD1C24 FSTP QWORD PTR SS:
00531D1E .FF15 94124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPo>;MSVBVM60.__vbaPowerR8
00531D24 .DC0D 805F4000 FMUL QWORD PTR DS:
00531D2A .FF15 14114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFp>;MSVBVM60.__vbaFpR8
00531D30 .DC9D 70FFFFFF FCOMP QWORD PTR SS:
00531D36 .DFE0 FSTSW AX
00531D38 .F6C4 40 TEST AH, 40
00531D3B .75 07 JNZ SHORT 00531D44
00531D3D .B8 01000000 MOV EAX, 1
00531D42 .EB 02 JMP SHORT 00531D46
00531D44 >33C0 XOR EAX, EAX
00531D46 >F7D8 NEG EAX
00531D48 .66:85C0 TEST AX, AX
00531D4B .0F84 D0000000 JE 00531E21 ;change JE to JMP
00531D51 .E9 C5000000 JMP 00531E1B
00531D56 >DD05 885F4000 FLD QWORD PTR DS: ;Case 9 of switch 00531B73
00531D5C .E8 A349EDFF CALL
00531D61 .DD5D A0 FSTP QWORD PTR SS:
00531D64 .8B4D E0 MOV ECX, DWORD PTR SS:
00531D67 .51 PUSH ECX
00531D68 .FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;MSVBVM60.rtcFileLen
00531D6E .8985 6CFFFFFF MOV DWORD PTR SS:, EAX
00531D74 .DB85 6CFFFFFF FILD DWORD PTR SS:
00531D7A .DD9D 64FFFFFF FSTP QWORD PTR SS:
00531D80 .68 00805840 PUSH 40588000
00531D85 .6A 00 PUSH 0
00531D87 .DD45 A0 FLD QWORD PTR SS:
00531D8A .FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFP>;MSVBVM60.__vbaFPInt
00531D90 .83EC 08 SUB ESP, 8
00531D93 .DD1C24 FSTP QWORD PTR SS:
00531D96 .FF15 94124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPo>;MSVBVM60.__vbaPowerR8
00531D9C .DC0D 805F4000 FMUL QWORD PTR DS:
00531DA2 .FF15 14114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFp>;MSVBVM60.__vbaFpR8
00531DA8 .DC9D 64FFFFFF FCOMP QWORD PTR SS:
00531DAE .DFE0 FSTSW AX
00531DB0 .F6C4 40 TEST AH, 40
00531DB3 .75 07 JNZ SHORT 00531DBC
00531DB5 .B8 01000000 MOV EAX, 1
00531DBA .EB 02 JMP SHORT 00531DBE
00531DBC >33C0 XOR EAX, EAX
00531DBE >F7D8 NEG EAX
00531DC0 .66:85C0 TEST AX, AX
00531DC3 .74 5C JE SHORT 00531E21 ;change JE to JMP
00531DC5 .8B45 D8 MOV EAX, DWORD PTR SS:
00531DC8 .85C0 TEST EAX, EAX
00531DCA .75 12 JNZ SHORT 00531DDE
00531DCC .8D55 D8 LEA EDX, DWORD PTR SS:
00531DCF .52 PUSH EDX
00531DD0 >68 A8784000 PUSH 004078A8
00531DD5 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNe>;MSVBVM60.__vbaNew2
00531DDB .8B45 D8 MOV EAX, DWORD PTR SS:
00531DDE >8BF0 MOV ESI, EAX
00531DE0 .8B08 MOV ECX, DWORD PTR DS:
00531DE2 .50 PUSH EAX
00531DE3 .FF51 20 CALL DWORD PTR DS:
00531DE6 .DBE2 FCLEX
00531DE8 .85C0 TEST EAX, EAX
00531DEA .7D 35 JGE SHORT 00531E21
00531DEC .6A 20 PUSH 20
00531DEE .68 64C24100 PUSH 0041C264
00531DF3 .56 PUSH ESI
00531DF4 .50 PUSH EAX
00531DF5 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHr>;MSVBVM60.__vbaHresultCheckObj
00531DFB .EB 24 JMP SHORT 00531E21
00531DFD >8B55 E0 MOV EDX, DWORD PTR SS: ;Case 0 of switch 00531B73
00531E00 .52 PUSH EDX
00531E01 .FF15 9C124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcFile>;MSVBVM60.rtcFileLen
00531E07 .3D 004E0500 CMP EAX, 54E00
00531E0C .74 13 JE SHORT 00531E21 ;change JE to JMP
00531E0E .8B45 D8 MOV EAX, DWORD PTR SS:
00531E11 .85C0 TEST EAX, EAX
00531E13 .^ 75 C9 JNZ SHORT 00531DDE
00531E15 .8D45 D8 LEA EAX, DWORD PTR SS:
00531E18 .50 PUSH EAX
00531E19 .^ EB B5 JMP SHORT 00531DD0
00531E1B >FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEn>;jumping here also shuts down
00531E21 >FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEx>;jumping here is the correct path
00531E27 .9B WAIT
00531E28 .68 6C1E5300 PUSH 00531E6C
00531E2D .EB 2A JMP SHORT 00531E59
......
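As the beginning of this code shows, it first generates a random number and then jumps to a different branch depending on that number, so the program may break at any of the CALL DWORD PTR DS:[<&MSVBVM60.rtcFile> instructions above. Single-stepping with F8 then shows that what follows decides life or death based on the returned file size: if it does not match, the machine is shut down, no questions asked. So we have to modify the jumps above so that they all go to the correct place; remember to save after making the changes. See the comments above for details (seven modifications in total).
4. Run the modified program, find where the registration code is entered, enter a set of fake information, and exit the program. Reload it in OD. Because validation happens at restart, it must read a file or the registry. Since the import table for MSVBVM60.DLL contains no registry-related functions, set a breakpoint on the file-open function _vbaFileOpen. Press F9 to run, skip past the file-size check, and press F9 again; execution breaks at the file-reading code below: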
......
00536829 .FF15 4C124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileOpe>;<== breaks here, single-step down // opens the file \FXSYS\FXSYS.INI under the install directory
0053682F .53 PUSH EBX
00536830 .8D55 B8 LEA EDX, DWORD PTR SS:
00536833 .52 PUSH EDX
00536834 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLine>;read the contents of line 1
0053683A .68 3C414200 PUSH 0042413C ;UNICODE "[F"
0053683F .68 48414200 PUSH 00424148
00536844 .FFD7 CALL EDI
00536846 .8BD0 MOV EDX, EAX
00536848 .8D4D A0 LEA ECX, DWORD PTR SS:
0053684B .FFD6 CALL ESI
0053684D .50 PUSH EAX
0053684E .68 50414200 PUSH 00424150
00536853 .FFD7 CALL EDI
00536855 .8BD0 MOV EDX, EAX
00536857 .8D4D 9C LEA ECX, DWORD PTR SS:
0053685A .FFD6 CALL ESI
0053685C .50 PUSH EAX
0053685D .6A 0B PUSH 0B
0053685F .FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI>;MSVBVM60.__vbaStrI2
00536865 .8BD0 MOV EDX, EAX
00536867 .8D4D 98 LEA ECX, DWORD PTR SS:
0053686A .FFD6 CALL ESI
0053686C .50 PUSH EAX
0053686D .FFD7 CALL EDI
0053686F .8BD0 MOV EDX, EAX
00536871 .8D4D 94 LEA ECX, DWORD PTR SS:
00536874 .FFD6 CALL ESI
00536876 .50 PUSH EAX
00536877 .68 E0FC4100 PUSH 0041FCE0
0053687C .FFD7 CALL EDI ;yields the string ‘’
0053687E .8945 88 MOV DWORD PTR SS:, EAX
00536881 .C745 80 08800>MOV DWORD PTR SS:, 8008
00536888 .8D45 B8 LEA EAX, DWORD PTR SS:
0053688B .50 PUSH EAX
0053688C .8D4D 80 LEA ECX, DWORD PTR SS:
0053688F .51 PUSH ECX
00536890 .FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarT>;compare the contents of line 1 with ''
00536896 .66:8BF8 MOV DI, AX ;if equal EAX=FFFFFFFF, otherwise EAX=00000000
00536899 .8D55 94 LEA EDX, DWORD PTR SS:
0053689C .52 PUSH EDX
0053689D .8D45 98 LEA EAX, DWORD PTR SS:
005368A0 .50 PUSH EAX
005368A1 .8D4D 9C LEA ECX, DWORD PTR SS:
005368A4 .51 PUSH ECX
005368A5 .8D55 A0 LEA EDX, DWORD PTR SS:
005368A8 .52 PUSH EDX
005368A9 .6A 04 PUSH 4
005368AB .FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStrList
005368B1 .83C4 14 ADD ESP, 14
005368B4 .8D4D 80 LEA ECX, DWORD PTR SS:
005368B7 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVar
005368BD .66:85FF TEST DI, DI
005368C0 .74 1B JE SHORT 005368DD ;(must not jump) if the comparison above was equal, this does not jump
005368C2 .53 PUSH EBX
005368C3 .8D45 AC LEA EAX, DWORD PTR SS:
005368C6 .50 PUSH EAX
005368C7 .8B3D 2C104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vb>;MSVBVM60.__vbaLineInputStr
005368CD .FFD7 CALL EDI ;read the machine ID; <&MSVBVM60.__vbaLineInputStr>
005368CF .53 PUSH EBX
005368D0 .8D4D E0 LEA ECX, DWORD PTR SS:
005368D3 .51 PUSH ECX
005368D4 .FFD7 CALL EDI ;read the username
005368D6 .53 PUSH EBX
005368D7 .8D55 A8 LEA EDX, DWORD PTR SS:
005368DA .52 PUSH EDX
005368DB .FFD7 CALL EDI ;read the registration code
005368DD >53 PUSH EBX
005368DE .FF15 4C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFile>;MSVBVM60.__vbaFileClose
005368E4 .8B45 AC MOV EAX, DWORD PTR SS:
005368E7 .50 PUSH EAX
005368E8 .FF15 70134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValF>;convert the machine ID to floating point
005368EE .DD9D FCFEFFFF FSTP QWORD PTR SS:
005368F4 .DB45 B4 FILD DWORD PTR SS:
005368F7 .DD9D B0FEFFFF FSTP QWORD PTR SS:
005368FD .DD85 FCFEFFFF FLD QWORD PTR SS:
00536903 .FF15 14114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpR8>;MSVBVM60.__vbaFpR8
00536909 .DC9D B0FEFFFF FCOMP QWORD PTR SS:
0053690F .DFE0 FSTSW AX
00536911 .F6C4 40 TEST AH, 40
00536914 .75 07 JNZ SHORT 0053691D
00536916 .B8 01000000 MOV EAX, 1
0053691B .EB 02 JMP SHORT 0053691F
0053691D >33C0 XOR EAX, EAX
0053691F >F7D8 NEG EAX
00536921 .66:85C0 TEST AX, AX
00536924 .74 42 JE SHORT 00536968 ;must jump here (jumps if the machine ID checks out)
00536926 .8B45 A4 MOV EAX, DWORD PTR SS:
00536929 .85C0 TEST EAX, EAX
0053692B .75 12 JNZ SHORT 0053693F
0053692D .8D4D A4 LEA ECX, DWORD PTR SS:
00536930 .51 PUSH ECX
00536931 .68 88774000 PUSH 00407788
00536936 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>;MSVBVM60.__vbaNew2
0053693C .8B45 A4 MOV EAX, DWORD PTR SS:
0053693F >8BF0 MOV ESI, EAX
00536941 .C785 0CFFFFFF>MOV DWORD PTR SS:, 0
0053694B .8B10 MOV EDX, DWORD PTR DS:
0053694D .8D8D 08FFFFFF LEA ECX, DWORD PTR SS:
00536953 .51 PUSH ECX
00536954 .8D8D 0CFFFFFF LEA ECX, DWORD PTR SS:
0053695A .51 PUSH ECX
0053695B .8D4D DC LEA ECX, DWORD PTR SS:
0053695E .51 PUSH ECX
0053695F .50 PUSH EAX
00536960 .FF52 24 CALL DWORD PTR DS:
00536963 .E9 1E020000 JMP 00536B86
00536968 >8B55 E0 MOV EDX, DWORD PTR SS:
0053696B .52 PUSH EDX
0053696C .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenB>;get the length of the registered name
00536972 .83F8 02 CMP EAX, 2
00536975 .7D 14 JGE SHORT 0053698B ;jump if greater than or equal
00536977 .8B45 A4 MOV EAX, DWORD PTR SS:
0053697A .85C0 TEST EAX, EAX
0053697C .0F85 E0010000 JNZ 00536B62
00536982 .8D45 A4 LEA EAX, DWORD PTR SS:
00536985 .50 PUSH EAX
00536986 .E9 C9010000 JMP 00536B54
0053698B >C745 88 01000>MOV DWORD PTR SS:, 1
00536992 .C745 80 02000>MOV DWORD PTR SS:, 2
00536999 .8D45 80 LEA EAX, DWORD PTR SS:
0053699C .50 PUSH EAX ;take 1 character
0053699D .6A 01 PUSH 1 ;starting from position 1
0053699F .8B4D E0 MOV ECX, DWORD PTR SS:
005369A2 .51 PUSH ECX ;username
005369A3 .8B3D 24114000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.rtcM>;MSVBVM60.rtcMidCharBstr
005369A9 .FFD7 CALL EDI ;take character 1 of the username; <&MSVBVM60.rtcMidCharBstr>
005369AB .8BD0 MOV EDX, EAX
005369AD .8D4D A0 LEA ECX, DWORD PTR SS:
005369B0 .FFD6 CALL ESI
005369B2 .50 PUSH EAX
005369B3 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiVa>;get the ASCII code of the username character
005369B9 .8985 0CFFFFFF MOV DWORD PTR SS:, EAX
005369BF .6A 01 PUSH 1
005369C1 .8B55 A8 MOV EDX, DWORD PTR SS:
005369C4 .52 PUSH EDX
005369C5 .FF15 E4124000 CALL DWORD PTR DS:[<&MSVBVM60.rtcLeftCh>;take the leftmost character of the registration code
005369CB .8BD0 MOV EDX, EAX
005369CD .8D4D 98 LEA ECX, DWORD PTR SS:
005369D0 .FFD6 CALL ESI
005369D2 .50 PUSH EAX
005369D3 .6A 01 PUSH 1
005369D5 .8B85 0CFFFFFF MOV EAX, DWORD PTR SS:
005369DB .50 PUSH EAX
005369DC .FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI>;convert the ASCII code of username character 1 to a decimal string
005369E2 .8BD0 MOV EDX, EAX
005369E4 .8D4D 9C LEA ECX, DWORD PTR SS:
005369E7 .FFD6 CALL ESI
005369E9 .50 PUSH EAX
005369EA .FF15 08134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRightC>;take the rightmost character of the decimal string
005369F0 .8BD0 MOV EDX, EAX
005369F2 .8D4D 94 LEA ECX, DWORD PTR SS:
005369F5 .FFD6 CALL ESI
005369F7 .50 PUSH EAX
005369F8 .FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrC>;compare with the leftmost character of the registration code
005369FE .8BD8 MOV EBX, EAX
00536A00 .F7DB NEG EBX
00536A02 .1BDB SBB EBX, EBX
00536A04 .F7DB NEG EBX
00536A06 .F7DB NEG EBX
00536A08 .8D4D 94 LEA ECX, DWORD PTR SS:
00536A0B .51 PUSH ECX
00536A0C .8D55 98 LEA EDX, DWORD PTR SS:
00536A0F .52 PUSH EDX
00536A10 .8D45 9C LEA EAX, DWORD PTR SS:
00536A13 .50 PUSH EAX
00536A14 .8D4D A0 LEA ECX, DWORD PTR SS:
00536A17 .51 PUSH ECX
00536A18 .6A 04 PUSH 4
00536A1A .FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStrList
00536A20 .83C4 14 ADD ESP, 14
00536A23 .8D4D 80 LEA ECX, DWORD PTR SS:
00536A26 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVar
00536A2C .66:85DB TEST BX, BX
00536A2F .74 5B JE SHORT 00536A8C ;must jump here (to patch, change to JMP)
00536A31 .8B45 A4 MOV EAX, DWORD PTR SS:
00536A34 .85C0 TEST EAX, EAX
00536A36 .75 12 JNZ SHORT 00536A4A
00536A38 .8D55 A4 LEA EDX, DWORD PTR SS:
00536A3B .52 PUSH EDX
00536A3C .68 88774000 PUSH 00407788
00536A41 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>;MSVBVM60.__vbaNew2
00536A47 .8B45 A4 MOV EAX, DWORD PTR SS:
00536A4A >8BF0 MOV ESI, EAX
00536A4C .C785 0CFFFFFF>MOV DWORD PTR SS:, 0
00536A56 .8B08 MOV ECX, DWORD PTR DS:
00536A58 .8D95 08FFFFFF LEA EDX, DWORD PTR SS:
00536A5E .52 PUSH EDX
00536A5F .8D95 0CFFFFFF LEA EDX, DWORD PTR SS:
00536A65 .52 PUSH EDX
00536A66 .8D55 DC LEA EDX, DWORD PTR SS:
00536A69 .52 PUSH EDX
00536A6A .50 PUSH EAX
00536A6B .FF51 24 CALL DWORD PTR DS:
00536A6E .DBE2 FCLEX
00536A70 .85C0 TEST EAX, EAX
00536A72 .0F8D 51080000 JGE 005372C9
00536A78 .6A 24 PUSH 24
00536A7A .68 F0684100 PUSH 004168F0
00536A7F .56 PUSH ESI
00536A80 .50 PUSH EAX
00536A81 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHres>;MSVBVM60.__vbaHresultCheckObj
00536A87 .E9 3D080000 JMP 005372C9
00536A8C >BB 01000000 MOV EBX, 1
00536A91 .899D 78FFFFFF MOV DWORD PTR SS:, EBX
00536A97 .C785 70FFFFFF>MOV DWORD PTR SS:, 2
00536AA1 .8D85 70FFFFFF LEA EAX, DWORD PTR SS:
00536AA7 .50 PUSH EAX
00536AA8 .6A 02 PUSH 2
00536AAA .8B4D E0 MOV ECX, DWORD PTR SS:
00536AAD .51 PUSH ECX
00536AAE .FFD7 CALL EDI ;take character 2 of the username
00536AB0 .8BD0 MOV EDX, EAX
00536AB2 .8D4D A0 LEA ECX, DWORD PTR SS:
00536AB5 .FFD6 CALL ESI
00536AB7 .50 PUSH EAX
00536AB8 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiVa>;get the ASCII code of character 2
00536ABE .8985 0CFFFFFF MOV DWORD PTR SS:, EAX
00536AC4 .895D 88 MOV DWORD PTR SS:, EBX
00536AC7 .C745 80 02000>MOV DWORD PTR SS:, 2
00536ACE .8D55 80 LEA EDX, DWORD PTR SS:
00536AD1 .52 PUSH EDX
00536AD2 .6A 02 PUSH 2
00536AD4 .8B45 A8 MOV EAX, DWORD PTR SS:
00536AD7 .50 PUSH EAX
00536AD8 .FFD7 CALL EDI ;take character 2 of the registration code
00536ADA .8BD0 MOV EDX, EAX
00536ADC .8D4D 98 LEA ECX, DWORD PTR SS:
00536ADF .FFD6 CALL ESI
00536AE1 .50 PUSH EAX
00536AE2 .53 PUSH EBX
00536AE3 .8B8D 0CFFFFFF MOV ECX, DWORD PTR SS:
00536AE9 .51 PUSH ECX
00536AEA .FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI>;convert the ASCII code of username character 2 to a decimal string
00536AF0 .8BD0 MOV EDX, EAX
00536AF2 .8D4D 9C LEA ECX, DWORD PTR SS:
00536AF5 .FFD6 CALL ESI
00536AF7 .50 PUSH EAX
00536AF8 .FF15 08134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRightC>;take the rightmost character of the decimal string
00536AFE .8BD0 MOV EDX, EAX
00536B00 .8D4D 94 LEA ECX, DWORD PTR SS:
00536B03 .FFD6 CALL ESI
00536B05 .50 PUSH EAX
00536B06 .FF15 68114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrC>;compare with character 2 of the registration code
00536B0C .8BD8 MOV EBX, EAX
00536B0E .F7DB NEG EBX
00536B10 .1BDB SBB EBX, EBX
00536B12 .F7DB NEG EBX
00536B14 .F7DB NEG EBX
00536B16 .8D55 94 LEA EDX, DWORD PTR SS:
00536B19 .52 PUSH EDX
00536B1A .8D45 98 LEA EAX, DWORD PTR SS:
00536B1D .50 PUSH EAX
00536B1E .8D4D 9C LEA ECX, DWORD PTR SS:
00536B21 .51 PUSH ECX
00536B22 .8D55 A0 LEA EDX, DWORD PTR SS:
00536B25 .52 PUSH EDX
00536B26 .6A 04 PUSH 4
00536B28 .FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStrList
00536B2E .8D85 70FFFFFF LEA EAX, DWORD PTR SS:
00536B34 .50 PUSH EAX
00536B35 .8D4D 80 LEA ECX, DWORD PTR SS:
00536B38 .51 PUSH ECX
00536B39 .6A 02 PUSH 2
00536B3B .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVarList
00536B41 .83C4 20 ADD ESP, 20
00536B44 .66:85DB TEST BX, BX
00536B47 .74 5B JE SHORT 00536BA4 ;must jump here (to patch, change to JMP)
00536B49 .8B45 A4 MOV EAX, DWORD PTR SS:
00536B4C .85C0 TEST EAX, EAX
00536B4E .75 12 JNZ SHORT 00536B62
00536B50 .8D55 A4 LEA EDX, DWORD PTR SS:
00536B53 .52 PUSH EDX
00536B54 >68 88774000 PUSH 00407788
00536B59 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>;MSVBVM60.__vbaNew2
00536B5F .8B45 A4 MOV EAX, DWORD PTR SS:
00536B62 >8BF0 MOV ESI, EAX
00536B64 .C785 0CFFFFFF>MOV DWORD PTR SS:, 0
00536B6E .8B08 MOV ECX, DWORD PTR DS:
00536B70 .8D95 08FFFFFF LEA EDX, DWORD PTR SS:
00536B76 .52 PUSH EDX
00536B77 .8D95 0CFFFFFF LEA EDX, DWORD PTR SS:
00536B7D .52 PUSH EDX
00536B7E .8D55 DC LEA EDX, DWORD PTR SS:
00536B81 .52 PUSH EDX
00536B82 .50 PUSH EAX
00536B83 .FF51 24 CALL DWORD PTR DS:
00536B86 >DBE2 FCLEX
00536B88 .85C0 TEST EAX, EAX
00536B8A .0F8D 39070000 JGE 005372C9
00536B90 .6A 24 PUSH 24
00536B92 .68 F0684100 PUSH 004168F0
00536B97 .56 PUSH ESI
00536B98 .50 PUSH EAX
00536B99 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHres>;MSVBVM60.__vbaHresultCheckObj
00536B9F .E9 25070000 JMP 005372C9
00536BA4 >C745 88 04000>MOV DWORD PTR SS:, 80020004
00536BAB .C745 80 0A000>MOV DWORD PTR SS:, 0A
00536BB2 .8D45 80 LEA EAX, DWORD PTR SS:
00536BB5 .50 PUSH EAX
00536BB6 .6A 03 PUSH 3
00536BB8 .8B4D A8 MOV ECX, DWORD PTR SS:
00536BBB .51 PUSH ECX
00536BBC .FFD7 CALL EDI ;take 10 characters of the registration code starting at position 3 (to the end if fewer)
00536BBE .8BD0 MOV EDX, EAX
00536BC0 .8D4D A0 LEA ECX, DWORD PTR SS:
00536BC3 .FFD6 CALL ESI
00536BC5 .50 PUSH EAX
00536BC6 .FF15 70134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValF>;convert to floating point
00536BCC .FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>;convert to integer
00536BD2 .8BD8 MOV EBX, EAX
00536BD4 .895D C8 MOV DWORD PTR SS:, EBX
00536BD7 .8D4D A0 LEA ECX, DWORD PTR SS:
00536BDA .FF15 68134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStr
00536BE0 .8D4D 80 LEA ECX, DWORD PTR SS:
00536BE3 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVar
00536BE9 .8B55 E0 MOV EDX, DWORD PTR SS:
00536BEC .52 PUSH EDX
00536BED .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenB>;get the username length
00536BF3 .83F8 01 CMP EAX, 1 ;compare the length with 1
00536BF6 .7E 0C JLE SHORT 00536C04
00536BF8 .81FB 3F420F00 CMP EBX, 0F423F ;compare the trailing digits of the registration code with 0xf423f=999999
00536BFE .7E 04 JLE SHORT 00536C04
00536C00 .33DB XOR EBX, EBX ;if greater, EBX=0
00536C02 .EB 05 JMP SHORT 00536C09
00536C04 >BB 01000000 MOV EBX, 1 ;if less than or equal, EBX=1
00536C09 >8B45 AC MOV EAX, DWORD PTR SS:
00536C0C .50 PUSH EAX
00536C0D .FF15 54124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8St>;convert the machine ID to floating point
00536C13 .DC1D 38244000 FCOMP QWORD PTR DS: ;compare with 101.0
00536C19 .DFE0 FSTSW AX
00536C1B .F6C4 41 TEST AH, 41
00536C1E .74 07 JE SHORT 00536C27
00536C20 .B8 01000000 MOV EAX, 1 ;if machine ID = 101 then EAX=1
00536C25 .EB 02 JMP SHORT 00536C29
00536C27 >33C0 XOR EAX, EAX ;if machine ID is not 101 then EAX=0
00536C29 >0BD8 OR EBX, EAX
00536C2B 0F85 98060000 JNZ 005372C9 ;must not jump (the registration code should be 9 or more characters); to patch, NOP it out
00536C31 .C785 48FFFFFF>MOV DWORD PTR SS:, 1
00536C3B .C785 40FFFFFF>MOV DWORD PTR SS:, 2
00536C45 .8D95 40FFFFFF LEA EDX, DWORD PTR SS:
00536C4B .8D4D B8 LEA ECX, DWORD PTR SS:
00536C4E .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarM>;MSVBVM60.__vbaVarMove
00536C54 .C785 DCFEFFFF>MOV DWORD PTR SS:, 3
00536C5E .BB 01000000 MOV EBX, 1 ;loop variable BX initialized to 1
00536C63 >66:3B9D DCFEF>CMP BX, WORD PTR SS:
00536C6A .7F 7C JG SHORT 00536CE8 ;exit the loop when BX is greater than 3
00536C6C .C745 88 01000>MOV DWORD PTR SS:, 1
00536C73 .C745 80 02000>MOV DWORD PTR SS:, 2
00536C7A .8D4D 80 LEA ECX, DWORD PTR SS:
00536C7D .51 PUSH ECX
00536C7E .0FBFD3 MOVSX EDX, BX
00536C81 .52 PUSH EDX
00536C82 .8B45 AC MOV EAX, DWORD PTR SS:
00536C85 .50 PUSH EAX
00536C86 .FFD7 CALL EDI ;take 1 character of the machine ID starting at position BX
00536C88 .8BD0 MOV EDX, EAX
00536C8A .8D4D A0 LEA ECX, DWORD PTR SS:
00536C8D .FFD6 CALL ESI
00536C8F .50 PUSH EAX
00536C90 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiVa>;get its ASCII code
00536C96 .66:8985 38FFF>MOV WORD PTR SS:, AX
00536C9D .C785 30FFFFFF>MOV DWORD PTR SS:, 2
00536CA7 .8D4D B8 LEA ECX, DWORD PTR SS:
00536CAA .51 PUSH ECX
00536CAB .8D95 30FFFFFF LEA EDX, DWORD PTR SS:
00536CB1 .52 PUSH EDX
00536CB2 .8D85 70FFFFFF LEA EAX, DWORD PTR SS:
00536CB8 .50 PUSH EAX
00536CB9 .FF15 BC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarA>;accumulate the ASCII codes (initial value 1), giving A
00536CBF .8BD0 MOV EDX, EAX
00536CC1 .8D4D B8 LEA ECX, DWORD PTR SS:
00536CC4 .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarM>;MSVBVM60.__vbaVarMove
00536CCA .8D4D A0 LEA ECX, DWORD PTR SS:
00536CCD .FF15 68134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStr
00536CD3 .8D4D 80 LEA ECX, DWORD PTR SS:
00536CD6 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVar
00536CDC .B8 01000000 MOV EAX, 1
00536CE1 .03D8 ADD EBX, EAX ;increment the loop variable
00536CE3 .^ E9 7BFFFFFF JMP 00536C63 ;loop
00536CE8 >8B4D AC MOV ECX, DWORD PTR SS:
00536CEB .51 PUSH ECX
00536CEC .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenB>;get the machine ID length
00536CF2 .8985 D4FEFFFF MOV DWORD PTR SS:, EAX
00536CF8 .BB 04000000 MOV EBX, 4 ;loop variable BX=4
00536CFD >66:3B9D D4FEF>CMP BX, WORD PTR SS: ;compare with the machine ID length
00536D04 .7F 7C JG SHORT 00536D82 ;exit the loop if greater
00536D06 .C745 88 01000>MOV DWORD PTR SS:, 1
00536D0D .C745 80 02000>MOV DWORD PTR SS:, 2
00536D14 .8D55 80 LEA EDX, DWORD PTR SS:
00536D17 .52 PUSH EDX
00536D18 .0FBFC3 MOVSX EAX, BX
00536D1B .50 PUSH EAX
00536D1C .8B4D AC MOV ECX, DWORD PTR SS:
00536D1F .51 PUSH ECX
00536D20 .FFD7 CALL EDI ;take character BX of the machine ID
00536D22 .8BD0 MOV EDX, EAX
00536D24 .8D4D A0 LEA ECX, DWORD PTR SS:
00536D27 .FFD6 CALL ESI
00536D29 .50 PUSH EAX
00536D2A .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiVa>;get its ASCII code
00536D30 .66:8985 38FFF>MOV WORD PTR SS:, AX
00536D37 .C785 30FFFFFF>MOV DWORD PTR SS:, 2
00536D41 .8D55 B8 LEA EDX, DWORD PTR SS:
00536D44 .52 PUSH EDX
00536D45 .8D85 30FFFFFF LEA EAX, DWORD PTR SS:
00536D4B .50 PUSH EAX
00536D4C .8D8D 70FFFFFF LEA ECX, DWORD PTR SS:
00536D52 .51 PUSH ECX
00536D53 .FF15 D4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarM>;multiply cumulatively with A, giving B
00536D59 .8BD0 MOV EDX, EAX
00536D5B .8D4D B8 LEA ECX, DWORD PTR SS:
00536D5E .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarM>;MSVBVM60.__vbaVarMove
00536D64 .8D4D A0 LEA ECX, DWORD PTR SS:
00536D67 .FF15 68134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStr
00536D6D .8D4D 80 LEA ECX, DWORD PTR SS:
00536D70 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVar
00536D76 .B8 01000000 MOV EAX, 1
00536D7B .03D8 ADD EBX, EAX ;increment the loop variable
00536D7D .^ E9 7BFFFFFF JMP 00536CFD ;loop
00536D82 >8D55 B8 LEA EDX, DWORD PTR SS:
00536D85 .52 PUSH EDX
00536D86 .FF15 90124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Va>;convert B to floating point
00536D8C .E8 6DF9ECFF CALL ;square root
00536D91 .DD9D FCFEFFFF FSTP QWORD PTR SS:
00536D97 .6A 05 PUSH 5
00536D99 .8B85 00FFFFFF MOV EAX, DWORD PTR SS:
00536D9F .50 PUSH EAX
00536DA0 .8B8D FCFEFFFF MOV ECX, DWORD PTR SS:
00536DA6 .51 PUSH ECX
00536DA7 .FF15 B4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrR>;convert the square-root result to a string
00536DAD .8BD0 MOV EDX, EAX
00536DAF .8D4D A0 LEA ECX, DWORD PTR SS:
00536DB2 .FFD6 CALL ESI
00536DB4 .50 PUSH EAX
00536DB5 .FF15 08134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcRightC>;take the rightmost 5 characters
00536DBB .8BD0 MOV EDX, EAX
00536DBD .8D4D 9C LEA ECX, DWORD PTR SS:
00536DC0 .FFD6 CALL ESI
00536DC2 .50 PUSH EAX
00536DC3 .FF15 70134000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValF>;convert back to floating point, giving C
00536DC9 .DD9D F4FEFFFF FSTP QWORD PTR SS:
00536DCF .8D55 B8 LEA EDX, DWORD PTR SS:
00536DD2 .52 PUSH EDX
00536DD3 .FF15 90124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Va>;convert B to floating point
00536DD9 .E8 20F9ECFF CALL ;square root
00536DDE .DC0D B8614000 FMUL QWORD PTR DS: ;multiply by 10000.0
00536DE4 .FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFPIn>;take the integer part, giving D
00536DEA .DC85 F4FEFFFF FADD QWORD PTR SS: ;add the 5-digit value obtained above, giving E
00536DF0 .DD9D 48FFFFFF FSTP QWORD PTR SS:
00536DF6 .C785 40FFFFFF>MOV DWORD PTR SS:, 5
00536E00 .8D95 40FFFFFF LEA EDX, DWORD PTR SS:
00536E06 .8D4D B8 LEA ECX, DWORD PTR SS:
00536E09 .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarM>;MSVBVM60.__vbaVarMove
00536E0F .8D45 9C LEA EAX, DWORD PTR SS:
00536E12 .50 PUSH EAX
00536E13 .8D4D A0 LEA ECX, DWORD PTR SS:
00536E16 .51 PUSH ECX
00536E17 .6A 02 PUSH 2
00536E19 .FF15 84124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStrList
00536E1F .83C4 0C ADD ESP, 0C
00536E22 .C745 88 01000>MOV DWORD PTR SS:, 1
00536E29 .C745 80 02000>MOV DWORD PTR SS:, 2
00536E30 .8D55 80 LEA EDX, DWORD PTR SS:
00536E33 .52 PUSH EDX
00536E34 .6A 01 PUSH 1
00536E36 .8B45 E0 MOV EAX, DWORD PTR SS:
00536E39 .50 PUSH EAX
00536E3A .FFD7 CALL EDI ;take character 1 of the username
00536E3C .8BD0 MOV EDX, EAX
00536E3E .8D4D A0 LEA ECX, DWORD PTR SS:
00536E41 .FFD6 CALL ESI
00536E43 .50 PUSH EAX
00536E44 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiVa>;get its ASCII code
00536E4A .8985 0CFFFFFF MOV DWORD PTR SS:, EAX
00536E50 .8D4D B8 LEA ECX, DWORD PTR SS:
00536E53 .51 PUSH ECX
00536E54 .FF15 90124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Va>;load E, the sum of the two floating-point numbers above
00536E5A .E8 9FF8ECFF CALL ;square root
00536E5F .E8 8EF8ECFF CALL ;ln
00536E64 .DD9D FCFEFFFF FSTP QWORD PTR SS:
00536E6A .DB45 C8 FILD DWORD PTR SS: ;last 10 digits of the registration code (from position 3) converted to floating point
00536E6D .DD9D A8FEFFFF FSTP QWORD PTR SS:
00536E73 .DD85 FCFEFFFF FLD QWORD PTR SS:
00536E79 .DC0D B0614000 FMUL QWORD PTR DS: ;multiply the ln result by 100
00536E7F .FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFPIn>;take the integer part, giving F
00536E85 .8B95 0CFFFFFF MOV EDX, DWORD PTR SS: ;ASCII code of username character 1
00536E8B .83C2 F9 ADD EDX, -7 ;subtract 7
00536E8E .0FBFC2 MOVSX EAX, DX
00536E91 .8985 A4FEFFFF MOV DWORD PTR SS:, EAX
00536E97 .DB85 A4FEFFFF FILD DWORD PTR SS:
00536E9D .DD9D 9CFEFFFF FSTP QWORD PTR SS: ;convert to floating point
00536EA3 .DC8D 9CFEFFFF FMUL QWORD PTR SS: ;multiply by F
00536EA9 .DCAD A8FEFFFF FSUBR QWORD PTR SS: ;last 10 digits of the registration code minus the result above
00536EAF .FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>;convert to a hexadecimal number, giving G
00536EB5 .8945 C8 MOV DWORD PTR SS:, EAX
00536EB8 .8D4D A0 LEA ECX, DWORD PTR SS:
00536EBB .FF15 68134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStr
00536EC1 .8D4D 80 LEA ECX, DWORD PTR SS:
00536EC4 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVar
00536ECA .8B4D E0 MOV ECX, DWORD PTR SS:
00536ECD .51 PUSH ECX
00536ECE .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenB>;get the username length
00536ED4 .8BD8 MOV EBX, EAX ;loop variable BX initial value = username length
00536ED6 >B8 02000000 MOV EAX, 2
00536EDB .66:3BD8 CMP BX, AX
00536EDE .8B55 C8 MOV EDX, DWORD PTR SS:
00536EE1 .8995 48FFFFFF MOV DWORD PTR SS:, EDX
00536EE7 .C785 40FFFFFF>MOV DWORD PTR SS:, 3
00536EF1 .0F8C EA000000 JL 00536FE1 ;exit the loop when the loop variable is less than 2
00536EF7 .C785 78FFFFFF>MOV DWORD PTR SS:, 1
00536F01 .8985 70FFFFFF MOV DWORD PTR SS:, EAX
00536F07 .8D85 70FFFFFF LEA EAX, DWORD PTR SS:
00536F0D .50 PUSH EAX
00536F0E .0FBFCB MOVSX ECX, BX
00536F11 .51 PUSH ECX
00536F12 .8B55 E0 MOV EDX, DWORD PTR SS:
00536F15 .52 PUSH EDX
00536F16 .FFD7 CALL EDI ;take character BX of the username
00536F18 .8BD0 MOV EDX, EAX
00536F1A .8D4D A0 LEA ECX, DWORD PTR SS:
00536F1D .FFD6 CALL ESI
00536F1F .50 PUSH EAX
00536F20 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiVa>;get the ASCII code
00536F26 .83E8 32 SUB EAX, 32 ;subtract 0x32, giving H
00536F29 .66:8985 28FFF>MOV WORD PTR SS:, AX
00536F30 .C785 20FFFFFF>MOV DWORD PTR SS:, 2
00536F3A .8D45 B8 LEA EAX, DWORD PTR SS:
00536F3D .50 PUSH EAX
00536F3E .FF15 90124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Va>;the number E
00536F44 .E8 A9F7ECFF CALL ;ln
00536F49 .DC0D B0614000 FMUL QWORD PTR DS: ;multiply by 100
00536F4F .FF15 54134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFPIn>;truncate to integer, giving I
00536F55 .DD9D 18FFFFFF FSTP QWORD PTR SS:
00536F5B .C785 10FFFFFF>MOV DWORD PTR SS:, 5
00536F65 .8D8D 40FFFFFF LEA ECX, DWORD PTR SS:
00536F6B .51 PUSH ECX
00536F6C .8D55 B8 LEA EDX, DWORD PTR SS:
00536F6F .52 PUSH EDX
00536F70 .8D45 80 LEA EAX, DWORD PTR SS:
00536F73 .50 PUSH EAX
00536F74 .FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarS>;E-G
00536F7A .50 PUSH EAX
00536F7B .8D8D 20FFFFFF LEA ECX, DWORD PTR SS:
00536F81 .51 PUSH ECX
00536F82 .8D95 60FFFFFF LEA EDX, DWORD PTR SS:
00536F88 .52 PUSH EDX
00536F89 .FF15 BC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarA>;+H
00536F8F .50 PUSH EAX
00536F90 .8D85 10FFFFFF LEA EAX, DWORD PTR SS:
00536F96 .50 PUSH EAX
00536F97 .8D8D 50FFFFFF LEA ECX, DWORD PTR SS:
00536F9D .51 PUSH ECX
00536F9E .FF15 BC124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarA>;+I
00536FA4 .50 PUSH EAX
00536FA5 .FF15 A8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Va>;MSVBVM60.__vbaI4Var
00536FAB .8945 C8 MOV DWORD PTR SS:, EAX ;G=E-G+H+I
00536FAE .8D4D A0 LEA ECX, DWORD PTR SS:
00536FB1 .FF15 68134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeStr
00536FB7 .8D95 50FFFFFF LEA EDX, DWORD PTR SS:
00536FBD .52 PUSH EDX
00536FBE .8D85 60FFFFFF LEA EAX, DWORD PTR SS:
00536FC4 .50 PUSH EAX
00536FC5 .8D8D 70FFFFFF LEA ECX, DWORD PTR SS:
00536FCB .51 PUSH ECX
00536FCC .6A 03 PUSH 3
00536FCE .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFree>;MSVBVM60.__vbaFreeVarList
00536FD4 .83C4 10 ADD ESP, 10
00536FD7 .83C8 FF OR EAX, FFFFFFFF
00536FDA .03D8 ADD EBX, EAX ;decrement BX
00536FDC .^ E9 F5FEFFFF JMP 00536ED6 ;loop
00536FE1 >8D95 40FFFFFF LEA EDX, DWORD PTR SS:
00536FE7 .8D4D B8 LEA ECX, DWORD PTR SS:
00536FEA .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarM>;MSVBVM60.__vbaVarMove
00536FF0 .C785 48FFFFFF>MOV DWORD PTR SS:, 0
00536FFA .C785 40FFFFFF>MOV DWORD PTR SS:, 8002
00537004 .8D45 B8 LEA EAX, DWORD PTR SS:
00537007 .50 PUSH EAX ;final result G
00537008 .8D8D 40FFFFFF LEA ECX, DWORD PTR SS:
0053700E .51 PUSH ECX ;0
0053700F .FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarT>;G=0?
00537015 .66:85C0 TEST AX, AX
00537018 0F84 AB020000 JE 005372C9 ;if equal, registration succeeds (to patch, change to NOP)
......
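5. Algorithm summary
1. The 1st character of the registration code equals the rightmost digit of the decimal ASCII code of the 1st character of the username;
2. The 2nd character of the registration code equals the rightmost digit of the decimal ASCII code of the 2nd character of the username;
3. Sum the ASCII codes of the first 3 characters of the machine ID and add 1, giving A;
4. Multiply A by the ASCII code of each character of the machine ID from the 4th onward, giving B;
5. (square root of B × 10000, truncated to integer) + (the rightmost 5 characters of the square root of B), giving E;
6. ln(square root of E) × 100, truncated to integer, giving F;
7. The remaining characters of the registration code (from the 3rd onward) are: (E-INT(100*ln(E))+50)×(username length-1)-the sum of the ASCII codes of the username from the 2nd character onward+(ASCII code of the 1st character of the username-7)×F.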
--------------------------------------------------------------------------------
【Copyright Notice】: When reposting, please credit the author and keep the article intact. Thanks!
2007年02月04日 21:55:02
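[ Last edited by dewar on 2007-2-5 08:03 ]
Learned a lot; very detailed explanation.
Nice analysis. This is the registration number on my computer:
Machine ID: 555222
Username: 云枫
Registration code: 6135093827
Good article, bumping!
Really a nice analysis!
Nice analysis, I'll learn from the OP!
Learning!!!
Support~ learned a lot~~
Nice analysis, I'll learn from the OP!
Thanks for sharing!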
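The self-check in step 3 of the post compares only the file length returned by rtcFileLen with 0x54E00. The following is an added example, not part of the original post or of the program analysed: it contrasts a length-only check with a SHA-256 content check on a constructed 0x54E00-byte file. The function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

EXPECTED_LEN = 0x54E00  # the length constant compared in the listing in step 3


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def length_check(path, expected_len=EXPECTED_LEN):
    """Length-only check: compares nothing but the size on disk."""
    return os.path.getsize(path) == expected_len


def digest_check(path, expected_hex):
    """Content check: compares the SHA-256 of every byte, in constant time."""
    return hmac.compare_digest(sha256_file(path), expected_hex)


def demo():
    """Evaluate both checks on three variants of a constructed sample file.

    Returns {variant: (length_check_result, digest_check_result)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")

        # Constructed stand-in for a shipped binary of the expected size.
        original = bytes(i % 251 for i in range(EXPECTED_LEN))
        with open(path, "wb") as handle:
            handle.write(original)
        reference = sha256_file(path)  # recorded at build time in practice
        results["original"] = (length_check(path), digest_check(path, reference))

        # Same-size modification: two bytes changed in place, length untouched.
        modified = bytearray(original)
        modified[0x1000] ^= 0xFF
        modified[0x1001] ^= 0xFF
        with open(path, "wb") as handle:
            handle.write(modified)
        results["same_size_edit"] = (length_check(path), digest_check(path, reference))

        # Size change: one byte appended, the only case the length check sees.
        with open(path, "wb") as handle:
            handle.write(original + b"\x00")
        results["resized"] = (length_check(path), digest_check(path, reference))
    return results


if __name__ == "__main__":
    for variant, (by_length, by_digest) in demo().items():
        print(f"{variant:15s} length_check={by_length} digest_check={by_digest}")
```

A check that ships inside the program it protects can itself be edited, as the JE-to-JMP changes in step 3 show, so verification performed outside the file (for example an OS-enforced code signature) is the stronger control.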