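家庭理财 (Family Finance) V2.2.0: Cracking the Main Program and Its Algorithm [algorithm analysis added April 12, 2006]
【Write-up title】家庭理财 V2.2.0: cracking the main program and its algorithm
【Write-up author】lzq1973[PYG][CZG]
【Author e-mail】[email protected]
【Author homepage】
【Tools】OD, PEiD, C32Asm
【Platform】WIN98, WIN2000
【Software name】家庭理财 V2.2.0
【Software size】6175 KB
【Original download】http://www4.skycn.com/soft/22911.html
【Protection】Not packed (VB6)
【Software description】家庭理财 is a program developed for managing one's own household finances. It has a friendly interface that is convenient and intuitive to use, supports a customizable user interface (you can set your own layout and background colors), and the new version V1.2.0 supports exporting data to Excel files, printing, backup and restore.
The current version of 家庭理财 contains the following modules:
★ Income and expense management: records everyday household (personal) income and expenses. The two functions operate as independent modules; each has system default categories, and households can also define their own. In the expense module, if an annual budget has been set, the program continually shows the amount still available and the amount already spent for the current year and month.
★ Start-of-year household budget management: sets the annual expense budget, either by month or by year.
★ Annual accounting management: annual statistics and accounting. Totals can be computed automatically by the system, or selectively by income, expense and category as the user requires.
★ Annual statistics and summaries: by year or by a user-specified date range, grouped by different category combinations (up to 10 categories).
★ Bank account and password management: records bank deposit account numbers and passwords, provides an account-closing function, and automatically records the interest after closing as household income. It also manages bank account passwords. Passwords entered by the user are encrypted automatically before being saved and are displayed only after the login password has been verified, which improves security.
★ Bank deposit and withdrawal ledger: keeps a running record of amounts moving through bank accounts, so that transaction dates and related records can be looked up later or after an account is closed.
★ Stock trading management: keeps a transaction log for users who trade stocks; the user chooses whether trading profits are saved to the income database.
★ Area code and postal code lookup.
★ Household address book: records and looks up contact information for your friends.
0. 《家庭理财》 was originally named 《家庭经费管理系统》 v1.1.0. At a friend's suggestion it was renamed 《家庭理财》 from v1.1.1 onward. Users of 《家庭经费管理系统》 v1.1.0 can keep using their existing data; the system upgrades the old database automatically. For details see the file 《使用说明.txt》 in the download archive.
1. 《家庭理财》 is released as shareware. Registered users can upgrade to later versions free of charge and will be notified promptly of new versions. New versions will support the database formats of older versions and upgrade old databases automatically.
2. The program supports multiple households and multiple users. Data cannot be shared between households. Within one household, different users' data can be shared for statistics or queries, but only with that user's authorization, and it cannot be modified.
3. The program is simple to operate and has a friendly interface. The unregistered version has no functional restrictions but can only be run 30 times. After registering, users can upgrade to new versions free of charge, and the database from the trial period remains usable (if the trial-period database is an older version, the system upgrades it to the latest version automatically). See the help file for how to register.
4. 《家庭理财》 is still being improved and corrected; users are welcome to suggest new features.
5. Please read the file 《使用说明.txt》 before use.
Also: the author plans to add a household notebook and memo function, messages between household users, various reminders, holiday lookup, everyday-knowledge references and similar features in a new version.
【Disclaimer】I'm only a beginner; this is purely for learning, and I'm happy to share it with everyone!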
------------------------------------------------------------------------
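【Cracking process】
First run the program. At startup it shows a message along the lines of “未注册版本,还有XX次可有试用!请及时注册!!” (unregistered version, XX trial runs remaining, please register). From the main window, open the registration dialog, type a random registration code and click Register; the program says it must be restarted, so the check is performed at startup.
My hardware ID (the program calls it the "information code") is 12370, and the registration name I entered is lzq1973.
[1. Finding the registration code]
After loading the program in C32Asm and searching for the relevant strings, load it in OD and break here.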
005D81EA .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
005D81F0 .83C4 0C add esp,0C
005D81F3 .8D4D C4 lea ecx,dword ptr ss:
005D81F6 .FF15 20134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeObj
005D81FC .E9 0A040000 jmp PFIN.005D860B
005D8201 >E8 8A670B00 call PFIN.0068E990 ;compute the hardware ID (reads the C: drive serial number)
005D8206 .8BD0 mov edx,eax ;(UNICODE "12370")
005D8208 .8D4D D8 lea ecx,dword ptr ss:
005D820B .FFD6 call esi
005D820D .68 343C4500 push PFIN.00453C34 ;UNICODE "Txt='"
005D8212 .8D45 D8 lea eax,dword ptr ss:
005D8215 .50 push eax
005D8216 .8D4D DC lea ecx,dword ptr ss:
005D8219 .51 push ecx
005D821A .E8 A16B0B00 call PFIN.0068EDC0 ;compute the registration code
005D821F .8BD0 mov edx,eax ;(UNICODE "RRVPP1RQZPQP1RRV") a memory keygen can be made here
005D8221 .8D4D D4 lea ecx,dword ptr ss:
005D8224 .FFD6 call esi
005D8226 .50 push eax
005D8227 .FF15 70104000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCat
005D822D .8BD0 mov edx,eax
005D822F .8D4D D0 lea ecx,dword ptr ss:
005D8232 .FFD6 call esi
005D8234 .50 push eax
005D8235 .68 A83C4500 push PFIN.00453CA8
005D823A .FF15 70104000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCat
005D8240 .8BD0 mov edx,eax
005D8242 .8D4D C8 lea ecx,dword ptr ss:
005D8245 .FFD6 call esi
005D8247 .BA 203C4500 mov edx,PFIN.00453C20 ;UNICODE "Memory"
005D824C .8D4D CC lea ecx,dword ptr ss:
005D824F .FFD7 call edi
005D8251 .8D55 C8 lea edx,dword ptr ss:
005D8254 .52 push edx
005D8255 .8D45 CC lea eax,dword ptr ss:
005D8258 .50 push eax
005D8259 .E8 B2B10000 call PFIN.005E3410
005D825E .66:8945 B4 mov word ptr ss:,ax
005D8262 .8D4D C8 lea ecx,dword ptr ss:
005D8265 .51 push ecx
005D8266 .8D55 CC lea edx,dword ptr ss:
005D8269 .52 push edx
005D826A .8D45 D0 lea eax,dword ptr ss:
005D826D .50 push eax
005D826E .8D4D D4 lea ecx,dword ptr ss:
005D8271 .51 push ecx
005D8272 .8D55 D8 lea edx,dword ptr ss:
005D8275 .52 push edx
005D8276 .6A 05 push 5
005D8278 .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
005D827E .83C4 18 add esp,18
005D8281 .66:837D B4 00cmp word ptr ss:,0 ;compare: are they equal?
005D8286 .0F84 A6000000je PFIN.005D8332 ;jumps if they are not equal (this branch can be patched)
005D828C .66:C705 5C2088>mov word ptr ds:,0FFFF
005D8295 .8B45 A4 mov eax,dword ptr ss:
005D8298 .8B08 mov ecx,dword ptr ds:
005D829A .50 push eax
005D829B .FF91 00030000call dword ptr ds:
005D82A1 .50 push eax
005D82A2 .8D55 C4 lea edx,dword ptr ss:
005D82A5 .52 push edx
005D82A6 .FFD3 call ebx
005D82A8 .8BF8 mov edi,eax
005D82AA .8B07 mov eax,dword ptr ds:
005D82AC .6A 00 push 0
005D82AE .57 push edi
005D82AF .FF90 9C000000call dword ptr ds:
005D82B5 .DBE2 fclex
005D82B7 .85C0 test eax,eax
005D82B9 .7D 12 jge short PFIN.005D82CD
005D82BB .68 9C000000 push 9C
005D82C0 .68 D8484500 push PFIN.004548D8
005D82C5 .57 push edi
005D82C6 .50 push eax
005D82C7 .FF15 8C104000call dword ptr ds:[<&MSVBVM60.__vbaH>;MSVBVM60.__vbaHresultCheckObj
005D82CD >8D4D C4 lea ecx,dword ptr ss:
005D82D0 .FF15 20134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeObj
005D82D6 .8B45 A4 mov eax,dword ptr ss:
005D82D9 .8B08 mov ecx,dword ptr ds:
005D82DB .50 push eax
005D82DC .FF91 04030000call dword ptr ds:
005D82E2 .50 push eax
005D82E3 .8D55 C4 lea edx,dword ptr ss:
005D82E6 .52 push edx
005D82E7 .FFD3 call ebx
005D82E9 .8BF8 mov edi,eax
005D82EB .8B1F mov ebx,dword ptr ds:
005D82ED .68 BCF24500 push PFIN.0045F2BC ; \->: 注册信息:本软件已由【
005D82F2 .8B45 DC mov eax,dword ptr ss:
005D82F5 .50 push eax
005D82F6 .FF15 70104000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCat
005D82FC .8BD0 mov edx,eax
005D82FE .8D4D D8 lea ecx,dword ptr ss:
005D8301 .FFD6 call esi
005D8303 .50 push eax
005D8304 .68 D8F24500 push PFIN.0045F2D8 ;\->: 】注册使用!
005D8309 .FF15 70104000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCat
005D830F .8BD0 mov edx,eax
005D8311 .8D4D D4 lea ecx,dword ptr ss:
005D8314 .FFD6 call esi
005D8316 .50 push eax
005D8317 .57 push edi
005D8318 .FF53 54 call dword ptr ds:
005D831B .DBE2 fclex
005D831D .85C0 test eax,eax
005D831F .0F8D FE010000jge PFIN.005D8523
005D8325 .6A 54 push 54
005D8327 .68 D8484500 push PFIN.004548D8
005D832C .57 push edi
005D832D .E9 EA010000 jmp PFIN.005D851C
005D8332 >66:C705 5C2088>mov word ptr ds:,0
005D833B .8B45 A4 mov eax,dword ptr ss:
005D833E .8B08 mov ecx,dword ptr ds:
005D8340 .50 push eax
005D8341 .FF91 04030000call dword ptr ds:
005D8347 .50 push eax
005D8348 .8D55 C4 lea edx,dword ptr ss:
005D834B .52 push edx
005D834C .FFD3 call ebx
005D834E .8BD8 mov ebx,eax
005D8350 .8B03 mov eax,dword ptr ds:
005D8352 .68 50F24500 push PFIN.0045F250 ; \->: 未注册版本,还有 次可有试用!请及时注册!!
005D8357 .53 push ebx
005D8358 .FF50 54 call dword ptr ds:
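Because the check is a plaintext comparison against the computed code, the job is essentially done at this point.
[2. Finding the algorithm]
Step into (F7) the call at 005D821A E8 A16B0B00 call PFIN.0068EDC0, which lands here: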
0068EDC0 $55 push ebp
0068EDC1 .8BEC mov ebp,esp
0068EDC3 .83EC 0C sub esp,0C
0068EDC6 .68 76FC4000 push <jmp.&MSVBVM60.__vbaExceptHandl>;SE handler installation
0068EDCB .64:A1 00000000 mov eax,dword ptr fs:
0068EDD1 .50 push eax
0068EDD2 .64:8925 000000>mov dword ptr fs:,esp
0068EDD9 .81EC 88000000sub esp,88
0068EDDF .53 push ebx
0068EDE0 .56 push esi
0068EDE1 .57 push edi
0068EDE2 .8965 F4 mov dword ptr ss:,esp
0068EDE5 .C745 F8 506E40>mov dword ptr ss:,PFIN.00406E>
0068EDEC .33C0 xor eax,eax
0068EDEE .BA 203B4500 mov edx,PFIN.00453B20
0068EDF3 .8D4D E0 lea ecx,dword ptr ss:
0068EDF6 .8945 E4 mov dword ptr ss:,eax
0068EDF9 .8945 E0 mov dword ptr ss:,eax
0068EDFC .8945 DC mov dword ptr ss:,eax
0068EDFF .8945 D8 mov dword ptr ss:,eax
0068EE02 .8945 D4 mov dword ptr ss:,eax
0068EE05 .8945 D0 mov dword ptr ss:,eax
0068EE08 .8945 CC mov dword ptr ss:,eax
0068EE0B .8945 C8 mov dword ptr ss:,eax
0068EE0E .8945 C4 mov dword ptr ss:,eax
0068EE11 .8945 C0 mov dword ptr ss:,eax
0068EE14 .8945 B0 mov dword ptr ss:,eax
0068EE17 .8945 A0 mov dword ptr ss:,eax
0068EE1A .FF15 44124000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCopy
0068EE20 .8B45 08 mov eax,dword ptr ss:
0068EE23 .8B08 mov ecx,dword ptr ds:
0068EE25 .51 push ecx ;push the user name (UNICODE "lzq1973")
0068EE26 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaL>;MSVBVM60.__vbaLenBstr
0068EE2C .8BC8 mov ecx,eax
0068EE2E .FF15 3C114000call dword ptr ds:[<&MSVBVM60.__vbaI>;MSVBVM60.__vbaI2I4
0068EE34 .8B35 D8124000mov esi,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrMove
0068EE3A .8B1D 70104000mov ebx,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrCat
0068EE40 .8985 78FFFFFFmov dword ptr ss:,eax
0068EE46 .BF 01000000 mov edi,1
0068EE4B >66:3BBD 78FFFF>cmp di,word ptr ss: ;/convert the user name to ASCII codes
0068EE52 .0F8F D1000000jg PFIN.0068EF29
0068EE58 .8B55 08 mov edx,dword ptr ss:
0068EE5B .8B02 mov eax,dword ptr ds:
0068EE5D .50 push eax
0068EE5E .FF15 60104000call dword ptr ds:[<&MSVBVM60.#519>] ;MSVBVM60.rtcTrimBstr
0068EE64 .8BD0 mov edx,eax
0068EE66 .8D4D C0 lea ecx,dword ptr ss:
0068EE69 .FFD6 call esi
0068EE6B .8B55 C0 mov edx,dword ptr ss:
0068EE6E .8D4D B0 lea ecx,dword ptr ss:
0068EE71 .0FBFC7 movsx eax,di
0068EE74 .51 push ecx
0068EE75 .50 push eax
0068EE76 .8D4D D0 lea ecx,dword ptr ss:
0068EE79 .C745 B8 010000>mov dword ptr ss:,1
0068EE80 .C745 B0 020000>mov dword ptr ss:,2
0068EE87 .C745 C0 000000>mov dword ptr ss:,0 ;user name
0068EE8E .FFD6 call esi
0068EE90 .50 push eax
0068EE91 .FF15 00114000call dword ptr ds:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
0068EE97 .8BD0 mov edx,eax
0068EE99 .8D4D CC lea ecx,dword ptr ss:
0068EE9C .FFD6 call esi
0068EE9E .50 push eax
0068EE9F .FF15 54104000call dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
0068EEA5 .8BC8 mov ecx,eax
0068EEA7 .FF15 64104000call dword ptr ds:[<&MSVBVM60.__vbaI>;MSVBVM60.__vbaI2Abs
0068EEAD .8B4D E0 mov ecx,dword ptr ss:
0068EEB0 .8D55 A0 lea edx,dword ptr ss:
0068EEB3 .51 push ecx
0068EEB4 .52 push edx
0068EEB5 .66:8945 A8 mov word ptr ss:,ax
0068EEB9 .C745 A0 020000>mov dword ptr ss:,2
0068EEC0 .FF15 08124000call dword ptr ds:[<&MSVBVM60.#536>] ;MSVBVM60.rtcStrFromVar
0068EEC6 .8BD0 mov edx,eax ;convert one character at a time
0068EEC8 .8D4D C8 lea ecx,dword ptr ss:
0068EECB .FFD6 call esi
0068EECD .50 push eax
0068EECE .FF15 60104000call dword ptr ds:[<&MSVBVM60.#519>] ;MSVBVM60.rtcTrimBstr
0068EED4 .8BD0 mov edx,eax
0068EED6 .8D4D C4 lea ecx,dword ptr ss:
0068EED9 .FFD6 call esi
0068EEDB .50 push eax
0068EEDC .FFD3 call ebx
0068EEDE .8BD0 mov edx,eax ;append one character at a time
0068EEE0 .8D4D E0 lea ecx,dword ptr ss:
0068EEE3 .FFD6 call esi
0068EEE5 .8D45 C0 lea eax,dword ptr ss:
0068EEE8 .8D4D C4 lea ecx,dword ptr ss:
0068EEEB .50 push eax
0068EEEC .8D55 C8 lea edx,dword ptr ss:
0068EEEF .51 push ecx
0068EEF0 .8D45 CC lea eax,dword ptr ss:
0068EEF3 .52 push edx
0068EEF4 .8D4D D0 lea ecx,dword ptr ss:
0068EEF7 .50 push eax
0068EEF8 .51 push ecx
0068EEF9 .6A 05 push 5
0068EEFB .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
0068EF01 .8D55 A0 lea edx,dword ptr ss:
0068EF04 .8D45 B0 lea eax,dword ptr ss:
0068EF07 .52 push edx
0068EF08 .50 push eax
0068EF09 .6A 02 push 2
0068EF0B .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVarList
0068EF11 .B8 01000000 mov eax,1
0068EF16 .83C4 24 add esp,24
0068EF19 .66:03C7 add ax,di
0068EF1C .0F80 E9010000jo PFIN.0068F10B
0068EF22 .8BF8 mov edi,eax
0068EF24 .^ E9 22FFFFFF jmp PFIN.0068EE4B ;\loop
0068EF29 >BA 203B4500 mov edx,PFIN.00453B20
0068EF2E .8D4D D8 lea ecx,dword ptr ss:
0068EF31 .FF15 44124000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCopy
0068EF37 .8B4D 0C mov ecx,dword ptr ss:
0068EF3A .8B11 mov edx,dword ptr ds:
0068EF3C .52 push edx
0068EF3D .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaL>;MSVBVM60.__vbaLenBstr
0068EF43 .8BC8 mov ecx,eax
0068EF45 .FF15 3C114000call dword ptr ds:[<&MSVBVM60.__vbaI>;MSVBVM60.__vbaI2I4
0068EF4B >8BF8 mov edi,eax ;/reverse the hardware ID
0068EF4D .B8 01000000 mov eax,1
0068EF52 .66:3BF8 cmp di,ax
0068EF55 .8945 B8 mov dword ptr ss:,eax
0068EF58 .C745 B0 020000>mov dword ptr ss:,2
0068EF5F .7C 49 jl short PFIN.0068EFAA
0068EF61 .8B45 D8 mov eax,dword ptr ss:
0068EF64 .8D4D B0 lea ecx,dword ptr ss:
0068EF67 .50 push eax
0068EF68 .8B45 0C mov eax,dword ptr ss:
0068EF6B .0FBFD7 movsx edx,di
0068EF6E .51 push ecx
0068EF6F .8B08 mov ecx,dword ptr ds:
0068EF71 .52 push edx
0068EF72 .51 push ecx
0068EF73 .FF15 00114000call dword ptr ds:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
0068EF79 .8BD0 mov edx,eax
0068EF7B .8D4D D0 lea ecx,dword ptr ss:
0068EF7E .FFD6 call esi
0068EF80 .50 push eax
0068EF81 .FFD3 call ebx
0068EF83 .8BD0 mov edx,eax
0068EF85 .8D4D D8 lea ecx,dword ptr ss:
0068EF88 .FFD6 call esi
0068EF8A .8D4D D0 lea ecx,dword ptr ss:
0068EF8D .FF15 1C134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStr
0068EF93 .8D4D B0 lea ecx,dword ptr ss:
0068EF96 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVar
0068EF9C .83C8 FF or eax,FFFFFFFF
0068EF9F .66:03C7 add ax,di
0068EFA2 .0F80 63010000jo PFIN.0068F10B
0068EFA8 .^ EB A1 jmp short PFIN.0068EF4B ;\loop
0068EFAA >8B7D 0C mov edi,dword ptr ss:
0068EFAD .8D55 B0 lea edx,dword ptr ss:
0068EFB0 .52 push edx
0068EFB1 .6A 03 push 3
0068EFB3 .8B07 mov eax,dword ptr ds:
0068EFB5 .50 push eax
0068EFB6 .FF15 00114000call dword ptr ds:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
0068EFBC .8BD0 mov edx,eax
0068EFBE .8D4D C8 lea ecx,dword ptr ss:
0068EFC1 .FFD6 call esi
0068EFC3 .8B4D D8 mov ecx,dword ptr ss: ;(UNICODE "07321")
0068EFC6 .8B55 E0 mov edx,dword ptr ss: ;(UNICODE "10812211349575551")
0068EFC9 .50 push eax
0068EFCA .51 push ecx
0068EFCB .52 push edx
0068EFCC .FFD3 call ebx
0068EFCE .8BD0 mov edx,eax ;(UNICODE "0732110812211349575551")
0068EFD0 .8D4D D0 lea ecx,dword ptr ss:
0068EFD3 .FFD6 call esi
0068EFD5 .50 push eax
0068EFD6 .8B07 mov eax,dword ptr ds: ;(UNICODE "12370")
0068EFD8 .50 push eax
0068EFD9 .FFD3 call ebx
0068EFDB .8BD0 mov edx,eax ;(UNICODE "073211081221134957555112370")
0068EFDD .8D4D CC lea ecx,dword ptr ss:
0068EFE0 .FFD6 call esi
0068EFE2 .50 push eax
0068EFE3 .FF15 60104000call dword ptr ds:[<&MSVBVM60.#519>] ;MSVBVM60.rtcTrimBstr
0068EFE9 .8BD0 mov edx,eax
0068EFEB .8D4D C4 lea ecx,dword ptr ss:
0068EFEE .FFD6 call esi
0068EFF0 .50 push eax ;(UNICODE "073211081221134957555112370")
0068EFF1 .FFD3 call ebx ;prepend 3 to it
0068EFF3 .8BD0 mov edx,eax ;(UNICODE "3073211081221134957555112370")
0068EFF5 .8D4D DC lea ecx,dword ptr ss:
0068EFF8 .FFD6 call esi
0068EFFA .8D4D C4 lea ecx,dword ptr ss:
0068EFFD .8D55 C8 lea edx,dword ptr ss:
0068F000 .51 push ecx
0068F001 .8D45 CC lea eax,dword ptr ss:
0068F004 .52 push edx
0068F005 .8D4D D0 lea ecx,dword ptr ss:
0068F008 .50 push eax
0068F009 .51 push ecx
0068F00A .6A 04 push 4
0068F00C .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
0068F012 .83C4 14 add esp,14
0068F015 .8D4D B0 lea ecx,dword ptr ss:
0068F018 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVar
0068F01E .8B55 DC mov edx,dword ptr ss:
0068F021 .52 push edx
0068F022 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaL>;MSVBVM60.__vbaLenBstr
0068F028 .83F8 10 cmp eax,10
0068F02B .6A 10 push 10
0068F02D .7D 29 jge short PFIN.0068F058
0068F02F .8B45 DC mov eax,dword ptr ss:
0068F032 .8B0F mov ecx,dword ptr ds:
0068F034 .50 push eax
0068F035 .51 push ecx
0068F036 .FFD3 call ebx
0068F038 .8BD0 mov edx,eax
0068F03A .8D4D D0 lea ecx,dword ptr ss:
0068F03D .FFD6 call esi
0068F03F .50 push eax
0068F040 .FF15 C0124000call dword ptr ds:[<&MSVBVM60.#616>] ;MSVBVM60.rtcLeftCharBstr
0068F046 .8BD0 mov edx,eax
0068F048 .8D4D DC lea ecx,dword ptr ss:
0068F04B .FFD6 call esi
0068F04D .8D4D D0 lea ecx,dword ptr ss:
0068F050 .FF15 1C134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStr
0068F056 .EB 11 jmp short PFIN.0068F069
0068F058 >8B55 DC mov edx,dword ptr ss:
0068F05B .52 push edx
0068F05C .FF15 C0124000call dword ptr ds:[<&MSVBVM60.#616>] ;MSVBVM60.rtcLeftCharBstr
0068F062 .8BD0 mov edx,eax ;take the first 16 characters (UNICODE "3073211081221134")
0068F064 .8D4D DC lea ecx,dword ptr ss:
0068F067 .FFD6 call esi
0068F069 >BA 04994600 mov edx,PFIN.00469904 ;(UNICODE "cabacb")
0068F06E .8D4D D0 lea ecx,dword ptr ss:
0068F071 .FF15 44124000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCopy
0068F077 .8D45 D0 lea eax,dword ptr ss:
0068F07A .8D4D DC lea ecx,dword ptr ss:
0068F07D .50 push eax
0068F07E .51 push ecx
0068F07F .E8 8C68F5FF call PFIN.005E5910 ;registration algorithm
0068F084 .8BD0 mov edx,eax ;(UNICODE "RRVPP1RQZPQP1RRV") a memory keygen can also be made here
0068F086 .8D4D E4 lea ecx,dword ptr ss:
0068F089 .FFD6 call esi
0068F08B .8D4D D0 lea ecx,dword ptr ss:
0068F08E .FF15 1C134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStr
0068F094 .68 F5F06800 push PFIN.0068F0F5
0068F099 .EB 3F jmp short PFIN.0068F0DA
0068F09B .F645 FC 04 test byte ptr ss:,4
0068F09F .74 09 je short PFIN.0068F0AA
0068F0A1 .8D4D E4 lea ecx,dword ptr ss:
0068F0A4 .FF15 1C134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStr
0068F0AA >8D55 C0 lea edx,dword ptr ss:
0068F0AD .8D45 C4 lea eax,dword ptr ss:
0068F0B0 .52 push edx
0068F0B1 .8D4D C8 lea ecx,dword ptr ss:
0068F0B4 .50 push eax
0068F0B5 .8D55 CC lea edx,dword ptr ss:
0068F0B8 .51 push ecx
0068F0B9 .8D45 D0 lea eax,dword ptr ss:
0068F0BC .52 push edx
0068F0BD .50 push eax
0068F0BE .6A 05 push 5
0068F0C0 .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
0068F0C6 .8D4D A0 lea ecx,dword ptr ss:
0068F0C9 .8D55 B0 lea edx,dword ptr ss:
0068F0CC .51 push ecx
0068F0CD .52 push edx
0068F0CE .6A 02 push 2
0068F0D0 .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVarList
0068F0D6 .83C4 24 add esp,24
0068F0D9 .C3 retn
0068F0DA >8B35 1C134000mov esi,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaFreeStr
0068F0E0 .8D4D E0 lea ecx,dword ptr ss:
0068F0E3 .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
0068F0E5 .8D4D DC lea ecx,dword ptr ss:
0068F0E8 .FFD6 call esi
0068F0EA .8D4D D8 lea ecx,dword ptr ss:
0068F0ED .FFD6 call esi
0068F0EF .8D4D D4 lea ecx,dword ptr ss:
0068F0F2 .FFD6 call esi
0068F0F4 .C3 retn
0068F0F5 .8B4D EC mov ecx,dword ptr ss:
0068F0F8 .8B45 E4 mov eax,dword ptr ss:
0068F0FB .5F pop edi
0068F0FC .5E pop esi
0068F0FD .64:890D 000000>mov dword ptr fs:,ecx
0068F104 .5B pop ebx
0068F105 .8BE5 mov esp,ebp
0068F107 .5D pop ebp
0068F108 .C2 0800 retn 8
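In outline, the code above does the following:
A. Convert the user name to ASCII codes;
B. Reverse the hardware ID;
C. Concatenate (the reversed hardware ID goes first, i.e. on the left; the ASCII-converted user name goes in the middle; the hardware ID goes last);
D. Prepend 3 to the concatenated string;
E. Take the first 16 characters of the whole string, i.e. 3073211081221134;
F. Convert the constant "cabacb" to ASCII codes;
G. Finally, combine "F" with "E" to obtain the registration code.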
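Every input to the steps above (user name, hardware ID, a constant embedded in the binary) is present on the client, which is why the expected code can be read out of memory at the comparison. The following added example, which is not from the original write-up or from the vendor, sketches the verify-only design that avoids this: the client ships only a public key and checks a vendor-issued signature over the name and hardware ID. All function names and sample values are hypothetical, and it uses textbook RSA from the standard library only to stay self-contained; a real product would use Ed25519 or RSA-PSS from a vetted library.

```python
# Added illustration (hypothetical names; not the vendor's or the author's code).
# The client can VERIFY a licence code but holds nothing that can GENERATE one.
import hashlib
import math
import secrets

E = 65537  # public exponent, shipped with the client together with n


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite for this witness
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def vendor_keygen(bits=1024):
    """Vendor side, run once. Returns (n, d); d never leaves the vendor."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, pow(E, -1, phi)


def _digest(name, hw_id):
    """Hash a length-prefixed encoding so ("ab","c") and ("a","bc") differ."""
    h = hashlib.sha256()
    for part in (name.encode("utf-8"), hw_id.encode("utf-8")):
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def vendor_issue(name, hw_id, n, d):
    """Vendor side: sign (name, hardware ID) with the private exponent."""
    return format(pow(_digest(name, hw_id), d, n), "x")


def client_verify(name, hw_id, code, n):
    """Client side: needs only the public values n and E.

    The client never computes the expected code, so there is no
    plaintext "correct serial" in memory to compare against.
    """
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    if not 0 < sig < n:
        return False
    return pow(sig, E, n) == _digest(name, hw_id)


if __name__ == "__main__":
    # Constructed sample values, not taken from the write-up.
    n, d = vendor_keygen()
    code = vendor_issue("alice", "HW-0001", n, d)
    print("valid licence      :", client_verify("alice", "HW-0001", code, n))
    print("other machine      :", client_verify("alice", "HW-0002", code, n))
    print("malformed code     :", client_verify("alice", "HW-0001", "zz", n))
```

A signature check still ends in a branch that can be patched in the binary, so this removes code generation from the client but does not by itself stop modification of the executable.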
[3. The algorithm in detail]
Step into (F7) the call at 0068F07F E8 8C68F5FF call PFIN.005E5910, which lands here:
005E5910 $55 push ebp
005E5911 .8BEC mov ebp,esp
005E5913 .83EC 0C sub esp,0C
005E5916 .68 76FC4000 push <jmp.&MSVBVM60.__vbaExceptHandl>;SE handler installation
005E591B .64:A1 00000000 mov eax,dword ptr fs:
005E5921 .50 push eax
005E5922 .64:8925 000000>mov dword ptr fs:,esp
005E5929 .81EC 98000000sub esp,98
005E592F .53 push ebx
005E5930 .56 push esi
005E5931 .57 push edi
005E5932 .8965 F4 mov dword ptr ss:,esp
005E5935 .C745 F8 183A40>mov dword ptr ss:,PFIN.00403A>
005E593C .8B45 0C mov eax,dword ptr ss:
005E593F .33FF xor edi,edi
005E5941 .897D E0 mov dword ptr ss:,edi
005E5944 .897D D8 mov dword ptr ss:,edi
005E5947 .8B08 mov ecx,dword ptr ds: ; (UNICODE "cabacb")
005E5949 .897D D4 mov dword ptr ss:,edi
005E594C .51 push ecx ;(UNICODE "cabacb")
005E594D .897D D0 mov dword ptr ss:,edi
005E5950 .897D C0 mov dword ptr ss:,edi
005E5953 .897D B0 mov dword ptr ss:,edi
005E5956 .897D A0 mov dword ptr ss:,edi
005E5959 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaL>;MSVBVM60.__vbaLenBstr
005E595F .8BC8 mov ecx,eax
005E5961 .FF15 3C114000call dword ptr ds:[<&MSVBVM60.__vbaI>;MSVBVM60.__vbaI2I4
005E5967 .8BF0 mov esi,eax
005E5969 .57 push edi
005E596A .0FBFD6 movsx edx,si
005E596D .52 push edx
005E596E .6A 01 push 1
005E5970 .6A 02 push 2
005E5972 .68 24258800 push PFIN.00882524
005E5977 .6A 02 push 2
005E5979 .68 80000000 push 80
005E597E .8975 DC mov dword ptr ss:,esi
005E5981 .FF15 70114000call dword ptr ds:[<&MSVBVM60.__vbaR>;MSVBVM60.__vbaRedim
005E5987 .83C4 1C add esp,1C
005E598A .66:83EE 01 sub si,1
005E598E .0F80 CA040000jo PFIN.005E5E5E
005E5994 .0FBFC6 movsx eax,si
005E5997 .8985 78FFFFFFmov dword ptr ss:,eax
005E599D .33C0 xor eax,eax
005E599F .BB 01000000 mov ebx,1
005E59A4 .A3 1C258800 mov dword ptr ds:,eax
005E59A9 >3B85 78FFFFFFcmp eax,dword ptr ss: ;/convert cabac to ASCII codes
005E59AF .0F8F 07010000jg PFIN.005E5ABC
005E59B5 .8B4D 0C mov ecx,dword ptr ss:
005E59B8 .8D55 C0 lea edx,dword ptr ss:
005E59BB .83C0 01 add eax,1
005E59BE .52 push edx
005E59BF .0F80 99040000jo PFIN.005E5E5E
005E59C5 .50 push eax
005E59C6 .894D A8 mov dword ptr ss:,ecx
005E59C9 .8D45 A0 lea eax,dword ptr ss:
005E59CC .8D4D B0 lea ecx,dword ptr ss:
005E59CF .50 push eax
005E59D0 .51 push ecx
005E59D1 .C745 C8 010000>mov dword ptr ss:,1
005E59D8 .C745 C0 020000>mov dword ptr ss:,2
005E59DF .C745 A0 084000>mov dword ptr ss:,4008
005E59E6 .FF15 04114000call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
005E59EC .8D55 B0 lea edx,dword ptr ss:
005E59EF .8D45 D8 lea eax,dword ptr ss:
005E59F2 .52 push edx
005E59F3 .50 push eax
005E59F4 .FF15 FC114000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrVarVal
005E59FA .50 push eax
005E59FB .FF15 54104000call dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
005E5A01 .8BF0 mov esi,eax
005E5A03 .A1 24258800 mov eax,dword ptr ds:
005E5A08 .3BC7 cmp eax,edi
005E5A0A .74 22 je short PFIN.005E5A2E
005E5A0C .66:8338 01 cmp word ptr ds:,1
005E5A10 .75 1C jnz short PFIN.005E5A2E
005E5A12 .8B3D 1C258800mov edi,dword ptr ds:
005E5A18 .8B50 14 mov edx,dword ptr ds:
005E5A1B .8B48 10 mov ecx,dword ptr ds:
005E5A1E .2BFA sub edi,edx
005E5A20 .3BF9 cmp edi,ecx
005E5A22 .72 06 jb short PFIN.005E5A2A
005E5A24 .FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5A2A >03FF add edi,edi
005E5A2C .EB 08 jmp short PFIN.005E5A36
005E5A2E >FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5A34 .8BF8 mov edi,eax
005E5A36 >6A 02 push 2
005E5A38 .8BCE mov ecx,esi
005E5A3A .FF15 64104000call dword ptr ds:[<&MSVBVM60.__vbaI>;MSVBVM60.__vbaI2Abs
005E5A40 .50 push eax
005E5A41 .FF15 0C104000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrI2
005E5A47 .8B35 D8124000mov esi,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrMove
005E5A4D .8BD0 mov edx,eax
005E5A4F .8D4D D4 lea ecx,dword ptr ss:
005E5A52 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
005E5A54 .50 push eax
005E5A55 .FF15 C0124000call dword ptr ds:[<&MSVBVM60.#616>] ;MSVBVM60.rtcLeftCharBstr
005E5A5B .8BD0 mov edx,eax
005E5A5D .8D4D D0 lea ecx,dword ptr ss:
005E5A60 .FFD6 call esi
005E5A62 .50 push eax
005E5A63 .FF15 24134000call dword ptr ds:[<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
005E5A69 .FF15 B0124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFpI2
005E5A6F .8B0D 24258800mov ecx,dword ptr ds:
005E5A75 .8B51 0C mov edx,dword ptr ds:
005E5A78 .8D4D D4 lea ecx,dword ptr ss:
005E5A7B .66:89043A mov word ptr ds:,ax
005E5A7F .8D45 D0 lea eax,dword ptr ss:
005E5A82 .50 push eax
005E5A83 .8D55 D8 lea edx,dword ptr ss:
005E5A86 .51 push ecx
005E5A87 .52 push edx
005E5A88 .6A 03 push 3
005E5A8A .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
005E5A90 .8D45 B0 lea eax,dword ptr ss:
005E5A93 .8D4D C0 lea ecx,dword ptr ss:
005E5A96 .50 push eax
005E5A97 .51 push ecx
005E5A98 .6A 02 push 2
005E5A9A .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVarList
005E5AA0 .A1 1C258800 mov eax,dword ptr ds:
005E5AA5 .83C4 1C add esp,1C
005E5AA8 .03C3 add eax,ebx
005E5AAA .0F80 AE030000jo PFIN.005E5E5E
005E5AB0 .A3 1C258800 mov dword ptr ds:,eax
005E5AB5 .33FF xor edi,edi
005E5AB7 .^ E9 EDFEFFFF jmp PFIN.005E59A9 ;\loop (convert cabac to ASCII codes)
005E5ABC >8B5D 08 mov ebx,dword ptr ss:
005E5ABF .8B13 mov edx,dword ptr ds: ;(UNICODE "3073211081221134")
005E5AC1 .52 push edx
005E5AC2 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaL>;MSVBVM60.__vbaLenBstr
005E5AC8 .8BC8 mov ecx,eax
005E5ACA .FF15 3C114000call dword ptr ds:[<&MSVBVM60.__vbaI>;MSVBVM60.__vbaI2I4
005E5AD0 .8BF0 mov esi,eax
005E5AD2 .57 push edi
005E5AD3 .0FBFC6 movsx eax,si
005E5AD6 .50 push eax
005E5AD7 .6A 01 push 1
005E5AD9 .6A 02 push 2
005E5ADB .68 20258800 push PFIN.00882520
005E5AE0 .6A 02 push 2
005E5AE2 .68 80000000 push 80
005E5AE7 .8975 E8 mov dword ptr ss:,esi
005E5AEA .FF15 70114000call dword ptr ds:[<&MSVBVM60.__vbaR>;MSVBVM60.__vbaRedim
005E5AF0 .66:8BCE mov cx,si
005E5AF3 .83C4 1C add esp,1C
005E5AF6 .66:83E9 01 sub cx,1
005E5AFA .BF 01000000 mov edi,1
005E5AFF .0F80 59030000jo PFIN.005E5E5E
005E5B05 .0FBFD1 movsx edx,cx
005E5B08 .33C0 xor eax,eax
005E5B0A .8995 70FFFFFFmov dword ptr ss:,edx
005E5B10 .A3 1C258800 mov dword ptr ds:,eax
005E5B15 >3B85 70FFFFFFcmp eax,dword ptr ss:
005E5B1B .0F8F BF000000jg PFIN.005E5BE0
005E5B21 .8D4D C0 lea ecx,dword ptr ss:
005E5B24 .83C0 01 add eax,1
005E5B27 .51 push ecx
005E5B28 .8D55 A0 lea edx,dword ptr ss:
005E5B2B .0F80 2D030000jo PFIN.005E5E5E
005E5B31 .50 push eax
005E5B32 .8D45 B0 lea eax,dword ptr ss:
005E5B35 .52 push edx
005E5B36 .50 push eax
005E5B37 .C745 C8 010000>mov dword ptr ss:,1
005E5B3E .C745 C0 020000>mov dword ptr ss:,2
005E5B45 .895D A8 mov dword ptr ss:,ebx
005E5B48 .C745 A0 084000>mov dword ptr ss:,4008
005E5B4F .FF15 04114000call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
005E5B55 .A1 20258800 mov eax,dword ptr ds:
005E5B5A .85C0 test eax,eax
005E5B5C .74 22 je short PFIN.005E5B80
005E5B5E .66:8338 01 cmp word ptr ds:,1
005E5B62 .75 1C jnz short PFIN.005E5B80
005E5B64 .8B35 1C258800mov esi,dword ptr ds:
005E5B6A .8B50 14 mov edx,dword ptr ds:
005E5B6D .8B48 10 mov ecx,dword ptr ds:
005E5B70 .2BF2 sub esi,edx
005E5B72 .3BF1 cmp esi,ecx
005E5B74 .72 06 jb short PFIN.005E5B7C
005E5B76 .FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5B7C >03F6 add esi,esi
005E5B7E .EB 08 jmp short PFIN.005E5B88
005E5B80 >FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5B86 .8BF0 mov esi,eax
005E5B88 >8D4D B0 lea ecx,dword ptr ss:
005E5B8B .8D55 D8 lea edx,dword ptr ss:
005E5B8E .51 push ecx
005E5B8F .52 push edx
005E5B90 .FF15 FC114000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrVarVal
005E5B96 .50 push eax
005E5B97 .FF15 54104000call dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
005E5B9D .8B0D 20258800mov ecx,dword ptr ds:
005E5BA3 .8B51 0C mov edx,dword ptr ds:
005E5BA6 .8D4D D8 lea ecx,dword ptr ss:
005E5BA9 .66:890432 mov word ptr ds:,ax
005E5BAD .FF15 1C134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStr
005E5BB3 .8D45 B0 lea eax,dword ptr ss:
005E5BB6 .8D4D C0 lea ecx,dword ptr ss:
005E5BB9 .50 push eax
005E5BBA .51 push ecx
005E5BBB .6A 02 push 2
005E5BBD .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVarList
005E5BC3 .A1 1C258800 mov eax,dword ptr ds:
005E5BC8 .8B75 E8 mov esi,dword ptr ss:
005E5BCB .83C4 0C add esp,0C
005E5BCE .03C7 add eax,edi
005E5BD0 .0F80 88020000jo PFIN.005E5E5E
005E5BD6 .A3 1C258800 mov dword ptr ds:,eax
005E5BDB .^ E9 35FFFFFF jmp PFIN.005E5B15
005E5BE0 >66:8BD6 mov dx,si
005E5BE3 .33C9 xor ecx,ecx
005E5BE5 .66:83EA 01 sub dx,1
005E5BE9 .0F80 6F020000jo PFIN.005E5E5E
005E5BEF .0FBFC2 movsx eax,dx
005E5BF2 .8985 68FFFFFFmov dword ptr ss:,eax
005E5BF8 .33C0 xor eax,eax
005E5BFA .A3 1C258800 mov dword ptr ds:,eax
005E5BFF >3B85 68FFFFFFcmp eax,dword ptr ss: ;/convert the ASCII codes to a string
005E5C05 .0F8F 20010000jg PFIN.005E5D2B
005E5C0B .66:3B4D DC cmp cx,word ptr ss:
005E5C0F .7C 09 jl short PFIN.005E5C1A
005E5C11 .C745 E4 000000>mov dword ptr ss:,0
005E5C18 .EB 0D jmp short PFIN.005E5C27
005E5C1A >66:83C1 01 add cx,1
005E5C1E .0F80 3A020000jo PFIN.005E5E5E
005E5C24 .894D E4 mov dword ptr ss:,ecx
005E5C27 >8B0D 20258800mov ecx,dword ptr ds:
005E5C2D .85C9 test ecx,ecx
005E5C2F .74 32 je short PFIN.005E5C63
005E5C31 .66:8339 01 cmp word ptr ds:,1
005E5C35 .75 2C jnz short PFIN.005E5C63
005E5C37 .8B79 14 mov edi,dword ptr ds:
005E5C3A .8B51 10 mov edx,dword ptr ds:
005E5C3D .8B1D 18114000mov ebx,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaGenerateBoundsError
005E5C43 .8BF0 mov esi,eax
005E5C45 .2BF7 sub esi,edi
005E5C47 .3BF2 cmp esi,edx
005E5C49 .72 0D jb short PFIN.005E5C58
005E5C4B .FFD3 call ebx ;<&MSVBVM60.__vbaGenerateBoundsError>
005E5C4D .8B0D 20258800mov ecx,dword ptr ds:
005E5C53 .A1 1C258800 mov eax,dword ptr ds:
005E5C58 >8D1436 lea edx,dword ptr ds:
005E5C5B .8995 54FFFFFFmov dword ptr ss:,edx
005E5C61 .EB 1D jmp short PFIN.005E5C80
005E5C63 >FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5C69 .8B0D 20258800mov ecx,dword ptr ds:
005E5C6F .8B1D 18114000mov ebx,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaGenerateBoundsError
005E5C75 .8985 54FFFFFFmov dword ptr ss:,eax
005E5C7B .A1 1C258800 mov eax,dword ptr ds:
005E5C80 >8B15 24258800mov edx,dword ptr ds:
005E5C86 .85D2 test edx,edx
005E5C88 .74 27 je short PFIN.005E5CB1
005E5C8A .66:833A 01 cmp word ptr ds:,1
005E5C8E .75 21 jnz short PFIN.005E5CB1
005E5C90 .0FBF75 E4 movsx esi,word ptr ss:
005E5C94 .8B7A 14 mov edi,dword ptr ds:
005E5C97 .2BF7 sub esi,edi
005E5C99 .8B7A 10 mov edi,dword ptr ds:
005E5C9C .3BF7 cmp esi,edi
005E5C9E .72 0D jb short PFIN.005E5CAD
005E5CA0 .FFD3 call ebx
005E5CA2 .8B0D 20258800mov ecx,dword ptr ds:
005E5CA8 .A1 1C258800 mov eax,dword ptr ds:
005E5CAD >03F6 add esi,esi
005E5CAF .EB 0F jmp short PFIN.005E5CC0
005E5CB1 >FFD3 call ebx
005E5CB3 .8B0D 20258800mov ecx,dword ptr ds:
005E5CB9 .8BF0 mov esi,eax
005E5CBB .A1 1C258800 mov eax,dword ptr ds:
005E5CC0 >85C9 test ecx,ecx
005E5CC2 .74 1F je short PFIN.005E5CE3
005E5CC4 .66:8339 01 cmp word ptr ds:,1
005E5CC8 .75 19 jnz short PFIN.005E5CE3
005E5CCA .2B41 14 sub eax,dword ptr ds:
005E5CCD .8BF8 mov edi,eax
005E5CCF .8B41 10 mov eax,dword ptr ds:
005E5CD2 .3BF8 cmp edi,eax
005E5CD4 .72 08 jb short PFIN.005E5CDE
005E5CD6 .FFD3 call ebx
005E5CD8 .8B0D 20258800mov ecx,dword ptr ds:
005E5CDE >8D043F lea eax,dword ptr ds:
005E5CE1 .EB 08 jmp short PFIN.005E5CEB
005E5CE3 >FFD3 call ebx
005E5CE5 .8B0D 20258800mov ecx,dword ptr ds:
005E5CEB >8B15 24258800mov edx,dword ptr ds:
005E5CF1 .8B49 0C mov ecx,dword ptr ds: ;(UNICODE "3073211081221134")
005E5CF4 .8B52 0C mov edx,dword ptr ds: ;(UNICODE "cabacb")
005E5CF7 .66:8B1432 mov dx,word ptr ds:
005E5CFB .8BB5 54FFFFFFmov esi,dword ptr ss:
005E5D01 .66:331431 xor dx,word ptr ds:
005E5D05 .8B75 E8 mov esi,dword ptr ss: ;this is where the conversion happens (how it converts is unclear)
005E5D08 .66:891401 mov word ptr ds:,dx
005E5D0C .A1 1C258800 mov eax,dword ptr ds:
005E5D11 .B9 01000000 mov ecx,1
005E5D16 .03C1 add eax,ecx
005E5D18 .8B4D E4 mov ecx,dword ptr ss:
005E5D1B .0F80 3D010000jo PFIN.005E5E5E
005E5D21 .A3 1C258800 mov dword ptr ds:,eax
005E5D26 .^ E9 D4FEFFFF jmp PFIN.005E5BFF ;\loop (convert the ASCII codes to a string)
005E5D2B >BA 203B4500 mov edx,PFIN.00453B20
005E5D30 .8D4D E0 lea ecx,dword ptr ss:
005E5D33 .FF15 44124000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrCopy
005E5D39 .66:83EE 01 sub si,1
005E5D3D .8B1D 38104000mov ebx,dword ptr ds:[<&MSVBVM60.__v>;MSVBVM60.__vbaStrVarMove
005E5D43 .0F80 15010000jo PFIN.005E5E5E
005E5D49 .0FBFC6 movsx eax,si
005E5D4C .8985 60FFFFFFmov dword ptr ss:,eax
005E5D52 .33C0 xor eax,eax
005E5D54 .BF 01000000 mov edi,1
005E5D59 .A3 1C258800 mov dword ptr ds:,eax
005E5D5E >3B85 60FFFFFFcmp eax,dword ptr ss:
005E5D64 .0F8F 9E000000jg PFIN.005E5E08
005E5D6A .8B4D E0 mov ecx,dword ptr ss:
005E5D6D .C745 A0 080000>mov dword ptr ss:,8
005E5D74 .894D A8 mov dword ptr ss:,ecx
005E5D77 .8B0D 20258800mov ecx,dword ptr ds:
005E5D7D .85C9 test ecx,ecx
005E5D7F .74 23 je short PFIN.005E5DA4
005E5D81 .66:8339 01 cmp word ptr ds:,1
005E5D85 .75 1D jnz short PFIN.005E5DA4
005E5D87 .2B41 14 sub eax,dword ptr ds:
005E5D8A .8BF0 mov esi,eax
005E5D8C .8B41 10 mov eax,dword ptr ds:
005E5D8F .3BF0 cmp esi,eax
005E5D91 .72 0C jb short PFIN.005E5D9F
005E5D93 .FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5D99 .8B0D 20258800mov ecx,dword ptr ds:
005E5D9F >8D0436 lea eax,dword ptr ds:
005E5DA2 .EB 0C jmp short PFIN.005E5DB0
005E5DA4 >FF15 18114000call dword ptr ds:[<&MSVBVM60.__vbaG>;MSVBVM60.__vbaGenerateBoundsError
005E5DAA .8B0D 20258800mov ecx,dword ptr ds:
005E5DB0 >8B51 0C mov edx,dword ptr ds:
005E5DB3 .8D4D C0 lea ecx,dword ptr ss:
005E5DB6 .0FBF0402 movsx eax,word ptr ds:
005E5DBA .50 push eax
005E5DBB .51 push ecx
005E5DBC .FF15 E0114000call dword ptr ds:[<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
005E5DC2 .8D55 A0 lea edx,dword ptr ss:
005E5DC5 .8D45 C0 lea eax,dword ptr ss:
005E5DC8 .52 push edx
005E5DC9 .8D4D B0 lea ecx,dword ptr ss:
005E5DCC .50 push eax
005E5DCD .51 push ecx
005E5DCE .FF15 00124000call dword ptr ds:[<&MSVBVM60.__vbaV>;MSVBVM60.__vbaVarCat
005E5DD4 .50 push eax
005E5DD5 .FFD3 call ebx
005E5DD7 .8BD0 mov edx,eax
005E5DD9 .8D4D E0 lea ecx,dword ptr ss:
005E5DDC .FF15 D8124000call dword ptr ds:[<&MSVBVM60.__vbaS>;MSVBVM60.__vbaStrMove
005E5DE2 .8D55 B0 lea edx,dword ptr ss:
005E5DE5 .8D45 C0 lea eax,dword ptr ss:
005E5DE8 .52 push edx
005E5DE9 .50 push eax
005E5DEA .6A 02 push 2
005E5DEC .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVarList
005E5DF2 .A1 1C258800 mov eax,dword ptr ds:
005E5DF7 .83C4 0C add esp,0C
005E5DFA .03C7 add eax,edi
005E5DFC .70 60 jo short PFIN.005E5E5E
005E5DFE .A3 1C258800 mov dword ptr ds:,eax
005E5E03 .^ E9 56FFFFFF jmp PFIN.005E5D5E
005E5E08 >9B wait
005E5E09 .68 485E5E00 push PFIN.005E5E48
005E5E0E .EB 37 jmp short PFIN.005E5E47
005E5E10 .F645 FC 04 test byte ptr ss:,4
005E5E14 .74 09 je short PFIN.005E5E1F
005E5E16 .8D4D E0 lea ecx,dword ptr ss:
005E5E19 .FF15 1C134000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStr
005E5E1F >8D4D D0 lea ecx,dword ptr ss:
005E5E22 .8D55 D4 lea edx,dword ptr ss:
005E5E25 .51 push ecx
005E5E26 .8D45 D8 lea eax,dword ptr ss:
005E5E29 .52 push edx
005E5E2A .50 push eax
005E5E2B .6A 03 push 3
005E5E2D .FF15 58124000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeStrList
005E5E33 .8D4D B0 lea ecx,dword ptr ss:
005E5E36 .8D55 C0 lea edx,dword ptr ss:
005E5E39 .51 push ecx
005E5E3A .52 push edx
005E5E3B .6A 02 push 2
005E5E3D .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaF>;MSVBVM60.__vbaFreeVarList
005E5E43 .83C4 1C add esp,1C
005E5E46 .C3 retn
005E5E47 >C3 retn ;RET used as a jump to 005E5E48
005E5E48 >8B4D EC mov ecx,dword ptr ss:
005E5E4B .8B45 E0 mov eax,dword ptr ss:
005E5E4E .5F pop edi
005E5E4F .5E pop esi
005E5E50 .64:890D 000000>mov dword ptr fs:,ecx
005E5E57 .5B pop ebx
005E5E58 .8BE5 mov esp,ebp
005E5E5A .5D pop ebp
005E5E5B .C2 0800 retn 8
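I don't quite understand this part.
------------------------------------------------------------------------
【Cracking summary】
This crack did not go very smoothly, and I do not understand that last algorithm. I wrote it up anyway in the hope of discussing it with everyone!
Forgive my humble attempt!
Memory registration tool
Breakpoint address: 68F084
Break count: 1
First byte: 8B
Instruction length: 2
Registration code: memory mode -- register -- EDX -- wide-character string
There are actually several places where this can be done; look for them in the text!
A couple of final remarks:
The registration information is in the Memory table of the database PFin.mdb; clearing the registration code in the RegPwd field turns it back into the unregistered version!
Database password: yw@131#$4.10&_*
------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
[ Last edited by lzq1973 on 2006-4-12 04:30 ] Algorithm section added on April 12, 2006
Memory registration tool download:
https://www.chinapyg.com/viewthread.php?tid=3652&extra=page%3D1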
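【Article title】: 家庭理财 V2.4.0 cracking notes
【Author】: lzq1973
【Author e-mail】: [email protected]
【Author QQ】: 150787972
【Software name】: 家庭理财 V2.4.0
【Software size】: 6262 KB
【Download】: http://www4.skycn.com/soft/22911.html
【Packer】: None
【Protection】: SN
【Language】: Microsoft Visual Basic 5.0 / 6.0
【Tools used】: OD, PEID
【Platform】: WIN2000
【Software description】: 家庭理财 is software developed for one's own family, with a friendly interface and convenient, intuitive operation. It supports a personalized user interface in which you can set your own interface and background colors, and the new version V1.2.0 supports exporting data to Excel files, printing, backup and restore.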
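【Author's statement】: Just out of interest, with no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
【Detailed process】
I wrote about this before but did not really understand the algorithm. Today a friend said he wanted to try this software, so I helped him find the code and analyzed it along the way.
This software validates on restart, and the registration code is stored in the database.
Load it in OD; it breaks here:
-----------------some preceding code omitted------------------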
005F6D41 > \E8 DA8E0B00 CALL PFin.006AFC20
005F6D46 .8BD0 MOV EDX,EAX ;machine ID
005F6D48 .8D4D D8 LEA ECX,DWORD PTR SS:
005F6D4B .FFD6 CALL ESI
005F6D4D .68 4C904500 PUSH PFin.0045904C ;txt='
005F6D52 .8D45 D8 LEA EAX,DWORD PTR SS:
005F6D55 .50 PUSH EAX
005F6D56 .8D4D DC LEA ECX,DWORD PTR SS:
005F6D59 .51 PUSH ECX
005F6D5A .E8 F1920B00 CALL PFin.006B0050 ;something good in here
005F6D5F .8BD0 MOV EDX,EAX ;(UNICODE "QXUP2TSQYR2QSPRW")
005F6D61 .8D4D D4 LEA ECX,DWORD PTR SS:
005F6D64 .FFD6 CALL ESI
005F6D66 .50 PUSH EAX
005F6D67 .FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
005F6D6D .8BD0 MOV EDX,EAX ; (UNICODE "Txt='QXUP2TSQYR2QSPRW")
005F6D6F .8D4D D0 LEA ECX,DWORD PTR SS:
005F6D72 .FFD6 CALL ESI
005F6D74 .50 PUSH EAX
005F6D75 .68 C0904500 PUSH PFin.004590C0 ;'
005F6D7A .FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
005F6D80 .8BD0 MOV EDX,EAX
005F6D82 .8D4D C8 LEA ECX,DWORD PTR SS:
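Oh, a plaintext comparison, which saves us a lot of time. But the goal this time is not to find the code but the algorithm, so read on.
----- At 005F6D5A .E8 F1920B00 CALL PFin.006B0050, press F7 to step in -----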
006B0050 $55 PUSH EBP
006B0051 .8BEC MOV EBP,ESP
006B0053 .83EC 0C SUB ESP,0C
006B0056 .68 A60D4100 PUSH <JMP.&MSVBVM60.__vbaExceptHandler>;SE handler installation
006B005B .64:A1 0000000>MOV EAX,DWORD PTR FS:
006B0061 .50 PUSH EAX
006B0062 .64:8925 00000>MOV DWORD PTR FS:,ESP
006B0069 .81EC 88000000 SUB ESP,88
006B006F .53 PUSH EBX
006B0070 .56 PUSH ESI
006B0071 .57 PUSH EDI
006B0072 .8965 F4 MOV DWORD PTR SS:,ESP
006B0075 .C745 F8 D06F4>MOV DWORD PTR SS:,PFin.00406FD0
006B007C .33C0 XOR EAX,EAX
006B007E .BA 2C8F4500 MOV EDX,PFin.00458F2C
006B0083 .8D4D E0 LEA ECX,DWORD PTR SS:
006B0086 .8945 E4 MOV DWORD PTR SS:,EAX
006B0089 .8945 E0 MOV DWORD PTR SS:,EAX
006B008C .8945 DC MOV DWORD PTR SS:,EAX
006B008F .8945 D8 MOV DWORD PTR SS:,EAX
006B0092 .8945 D4 MOV DWORD PTR SS:,EAX
006B0095 .8945 D0 MOV DWORD PTR SS:,EAX
006B0098 .8945 CC MOV DWORD PTR SS:,EAX
006B009B .8945 C8 MOV DWORD PTR SS:,EAX
006B009E .8945 C4 MOV DWORD PTR SS:,EAX
006B00A1 .8945 C0 MOV DWORD PTR SS:,EAX
006B00A4 .8945 B0 MOV DWORD PTR SS:,EAX
006B00A7 .8945 A0 MOV DWORD PTR SS:,EAX
006B00AA .FF15 44124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
006B00B0 .8B45 08 MOV EAX,DWORD PTR SS:
006B00B3 .8B08 MOV ECX,DWORD PTR DS: ;user name
006B00B5 .51 PUSH ECX
006B00B6 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
006B00BC .8BC8 MOV ECX,EAX ;user name length
006B00BE .FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>;MSVBVM60.__vbaI2I4
006B00C4 .8B35 D8124000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrMove
006B00CA .8B1D 70104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrCat
006B00D0 .8985 78FFFFFF MOV DWORD PTR SS:,EAX
006B00D6 .BF 01000000 MOV EDI,1
006B00DB >66:3BBD 78FFF>CMP DI,WORD PTR SS: ;/ take the decimal value of each user-name character and concatenate
006B00E2 .0F8F D1000000 JG PFin.006B01B9 ;| jump out when all are taken
006B00E8 .8B55 08 MOV EDX,DWORD PTR SS:
006B00EB .8B02 MOV EAX,DWORD PTR DS: ;| user name
006B00ED .50 PUSH EAX
006B00EE .FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#519>] ;MSVBVM60.rtcTrimBstr
006B00F4 .8BD0 MOV EDX,EAX
006B00F6 .8D4D C0 LEA ECX,DWORD PTR SS:
006B00F9 .FFD6 CALL ESI
006B00FB .8B55 C0 MOV EDX,DWORD PTR SS:
006B00FE .8D4D B0 LEA ECX,DWORD PTR SS:
006B0101 .0FBFC7 MOVSX EAX,DI ;which position to take
006B0104 .51 PUSH ECX
006B0105 .50 PUSH EAX
006B0106 .8D4D D0 LEA ECX,DWORD PTR SS:
006B0109 .C745 B8 01000>MOV DWORD PTR SS:,1
006B0110 .C745 B0 02000>MOV DWORD PTR SS:,2
006B0117 .C745 C0 00000>MOV DWORD PTR SS:,0
006B011E .FFD6 CALL ESI
006B0120 .50 PUSH EAX
006B0121 .FF15 00114000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
006B0127 .8BD0 MOV EDX,EAX
006B0129 .8D4D CC LEA ECX,DWORD PTR SS:
006B012C .FFD6 CALL ESI
006B012E .50 PUSH EAX
006B012F .FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
006B0135 .8BC8 MOV ECX,EAX ;hex value of the current character
006B0137 .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2Abs>;MSVBVM60.__vbaI2Abs
006B013D .8B4D E0 MOV ECX,DWORD PTR SS:
006B0140 .8D55 A0 LEA EDX,DWORD PTR SS:
006B0143 .51 PUSH ECX
006B0144 .52 PUSH EDX
006B0145 .66:8945 A8 MOV WORD PTR SS:,AX ;hex value of the current character
006B0149 .C745 A0 02000>MOV DWORD PTR SS:,2
006B0150 .FF15 08124000 CALL DWORD PTR DS:[<&MSVBVM60.#536>] ;MSVBVM60.rtcStrFromVar
006B0156 .8BD0 MOV EDX,EAX ;convert to decimal
006B0158 .8D4D C8 LEA ECX,DWORD PTR SS:
006B015B .FFD6 CALL ESI
006B015D .50 PUSH EAX
006B015E .FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#519>] ;MSVBVM60.rtcTrimBstr
006B0164 .8BD0 MOV EDX,EAX
006B0166 .8D4D C4 LEA ECX,DWORD PTR SS:
006B0169 .FFD6 CALL ESI
006B016B .50 PUSH EAX
006B016C .FFD3 CALL EBX
006B016E .8BD0 MOV EDX,EAX ;concatenate
006B0170 .8D4D E0 LEA ECX,DWORD PTR SS:
006B0173 .FFD6 CALL ESI
006B0175 .8D45 C0 LEA EAX,DWORD PTR SS:
006B0178 .8D4D C4 LEA ECX,DWORD PTR SS:
006B017B .50 PUSH EAX
006B017C .8D55 C8 LEA EDX,DWORD PTR SS:
006B017F .51 PUSH ECX
006B0180 .8D45 CC LEA EAX,DWORD PTR SS:
006B0183 .52 PUSH EDX
006B0184 .8D4D D0 LEA ECX,DWORD PTR SS:
006B0187 .50 PUSH EAX
006B0188 .51 PUSH ECX
006B0189 .6A 05 PUSH 5
006B018B .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
006B0191 .8D55 A0 LEA EDX,DWORD PTR SS:
006B0194 .8D45 B0 LEA EAX,DWORD PTR SS:
006B0197 .52 PUSH EDX
006B0198 .50 PUSH EAX
006B0199 .6A 02 PUSH 2
006B019B .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
006B01A1 .B8 01000000 MOV EAX,1
006B01A6 .83C4 24 ADD ESP,24
006B01A9 .66:03C7 ADD AX,DI
006B01AC .0F80 E9010000 JO PFin.006B039B
006B01B2 .8BF8 MOV EDI,EAX
006B01B4 .^ E9 22FFFFFF JMP PFin.006B00DB
006B01B9 >BA 2C8F4500 MOV EDX,PFin.00458F2C
006B01BE .8D4D D8 LEA ECX,DWORD PTR SS:
006B01C1 .FF15 44124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
006B01C7 .8B4D 0C MOV ECX,DWORD PTR SS:
006B01CA .8B11 MOV EDX,DWORD PTR DS: ;stack DS:=001DB38C, (UNICODE "72349")
006B01CC .52 PUSH EDX
006B01CD .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
006B01D3 .8BC8 MOV ECX,EAX
006B01D5 .FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>;MSVBVM60.__vbaI2I4
006B01DB >8BF8 MOV EDI,EAX ;/ machine ID length (start of machine ID reversal)
006B01DD .B8 01000000 MOV EAX,1
006B01E2 .66:3BF8 CMP DI,AX
006B01E5 .8945 B8 MOV DWORD PTR SS:,EAX
006B01E8 .C745 B0 02000>MOV DWORD PTR SS:,2
006B01EF .7C 49 JL SHORT PFin.006B023A ;jump out when the reversal is done
006B01F1 .8B45 D8 MOV EAX,DWORD PTR SS:
006B01F4 .8D4D B0 LEA ECX,DWORD PTR SS:
006B01F7 .50 PUSH EAX
006B01F8 .8B45 0C MOV EAX,DWORD PTR SS:
006B01FB .0FBFD7 MOVSX EDX,DI
006B01FE .51 PUSH ECX
006B01FF .8B08 MOV ECX,DWORD PTR DS: ; (UNICODE "72349")
006B0201 .52 PUSH EDX
006B0202 .51 PUSH ECX
006B0203 .FF15 00114000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
006B0209 .8BD0 MOV EDX,EAX
006B020B .8D4D D0 LEA ECX,DWORD PTR SS:
006B020E .FFD6 CALL ESI
006B0210 .50 PUSH EAX
006B0211 .FFD3 CALL EBX
006B0213 .8BD0 MOV EDX,EAX ;reverse the machine ID character by character
006B0215 .8D4D D8 LEA ECX,DWORD PTR SS:
006B0218 .FFD6 CALL ESI
006B021A .8D4D D0 LEA ECX,DWORD PTR SS:
006B021D .FF15 1C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
006B0223 .8D4D B0 LEA ECX,DWORD PTR SS:
006B0226 .FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
006B022C .83C8 FF OR EAX,FFFFFFFF
006B022F .66:03C7 ADD AX,DI
006B0232 .0F80 63010000 JO PFin.006B039B
006B0238 .^ EB A1 JMP SHORT PFin.006B01DB ;\ loop
006B023A >8B7D 0C MOV EDI,DWORD PTR SS:
006B023D .8D55 B0 LEA EDX,DWORD PTR SS:
006B0240 .52 PUSH EDX
006B0241 .6A 03 PUSH 3
006B0243 .8B07 MOV EAX,DWORD PTR DS:
006B0245 .50 PUSH EAX
006B0246 .FF15 00114000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
006B024C .8BD0 MOV EDX,EAX
006B024E .8D4D C8 LEA ECX,DWORD PTR SS:
006B0251 .FFD6 CALL ESI
006B0253 .8B4D D8 MOV ECX,DWORD PTR SS: ;reversed (UNICODE "94327"), call it C
006B0256 .8B55 E0 MOV EDX,DWORD PTR SS: ;converted user name (UNICODE "10812211349575551"), call it B
006B0259 .50 PUSH EAX
006B025A .51 PUSH ECX ;push (UNICODE "94327")
006B025B .52 PUSH EDX ;(UNICODE "10812211349575551")
006B025C .FFD3 CALL EBX
006B025E .8BD0 MOV EDX,EAX ;C+B (UNICODE "9432710812211349575551")
006B0260 .8D4D D0 LEA ECX,DWORD PTR SS:
006B0263 .FFD6 CALL ESI
006B0265 .50 PUSH EAX
006B0266 .8B07 MOV EAX,DWORD PTR DS: ;machine ID (UNICODE "72349"), call it A
006B0268 .50 PUSH EAX
006B0269 .FFD3 CALL EBX
006B026B .8BD0 MOV EDX,EAX ;D=B+C+A (UNICODE "943271081221134957555172349")
006B026D .8D4D CC LEA ECX,DWORD PTR SS:
006B0270 .FFD6 CALL ESI
006B0272 .50 PUSH EAX
006B0273 .FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#519>] ;MSVBVM60.rtcTrimBstr
006B0279 .8BD0 MOV EDX,EAX
006B027B .8D4D C4 LEA ECX,DWORD PTR SS:
006B027E .FFD6 CALL ESI
006B0280 .50 PUSH EAX
006B0281 .FFD3 CALL EBX
006B0283 .8BD0 MOV EDX,EAX ;3+D (UNICODE "3943271081221134957555172349")
006B0285 .8D4D DC LEA ECX,DWORD PTR SS:
006B0288 .FFD6 CALL ESI
006B028A .8D4D C4 LEA ECX,DWORD PTR SS:
006B028D .8D55 C8 LEA EDX,DWORD PTR SS:
006B0290 .51 PUSH ECX
006B0291 .8D45 CC LEA EAX,DWORD PTR SS:
006B0294 .52 PUSH EDX
006B0295 .8D4D D0 LEA ECX,DWORD PTR SS:
006B0298 .50 PUSH EAX
006B0299 .51 PUSH ECX
006B029A .6A 04 PUSH 4
006B029C .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
006B02A2 .83C4 14 ADD ESP,14
006B02A5 .8D4D B0 LEA ECX,DWORD PTR SS:
006B02A8 .FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
006B02AE .8B55 DC MOV EDX,DWORD PTR SS: ;(UNICODE "3943271081221134957555172349")
006B02B1 .52 PUSH EDX
006B02B2 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
006B02B8 .83F8 10 CMP EAX,10 ;is it greater than 16?
006B02BB .6A 10 PUSH 10
006B02BD .7D 29 JGE SHORT PFin.006B02E8 ;jump if greater than 16
006B02BF .8B45 DC MOV EAX,DWORD PTR SS:
006B02C2 .8B0F MOV ECX,DWORD PTR DS:
006B02C4 .50 PUSH EAX
006B02C5 .51 PUSH ECX
006B02C6 .FFD3 CALL EBX
006B02C8 .8BD0 MOV EDX,EAX
006B02CA .8D4D D0 LEA ECX,DWORD PTR SS:
006B02CD .FFD6 CALL ESI
006B02CF .50 PUSH EAX
006B02D0 .FF15 C0124000 CALL DWORD PTR DS:[<&MSVBVM60.#616>] ;MSVBVM60.rtcLeftCharBstr
006B02D6 .8BD0 MOV EDX,EAX
006B02D8 .8D4D DC LEA ECX,DWORD PTR SS:
006B02DB .FFD6 CALL ESI
006B02DD .8D4D D0 LEA ECX,DWORD PTR SS:
006B02E0 .FF15 1C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
006B02E6 .EB 11 JMP SHORT PFin.006B02F9
006B02E8 >8B55 DC MOV EDX,DWORD PTR SS: ;jumps here (UNICODE "3943271081221134957555172349")
006B02EB .52 PUSH EDX
006B02EC .FF15 C0124000 CALL DWORD PTR DS:[<&MSVBVM60.#616>] ;MSVBVM60.rtcLeftCharBstr
006B02F2 .8BD0 MOV EDX,EAX ;take the first 16 characters of D (UNICODE "3943271081221134")
006B02F4 .8D4D DC LEA ECX,DWORD PTR SS:
006B02F7 .FFD6 CALL ESI
006B02F9 >BA 38F84600 MOV EDX,PFin.0046F838 ;UNICODE "cbaac"
006B02FE .8D4D D0 LEA ECX,DWORD PTR SS:
006B0301 .FF15 44124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
006B0307 .8D45 D0 LEA EAX,DWORD PTR SS:
006B030A .8D4D DC LEA ECX,DWORD PTR SS:
006B030D .50 PUSH EAX
006B030E .51 PUSH ECX
006B030F .E8 AC4AF5FF CALL PFin.00604DC0 ;this one needs a look
006B0314 .8BD0 MOV EDX,EAX ;(UNICODE "QXUP2TSQYR2QSPRW")
006B0316 .8D4D E4 LEA ECX,DWORD PTR SS:
006B0319 .FFD6 CALL ESI
006B031B .8D4D D0 LEA ECX,DWORD PTR SS:
006B031E .FF15 1C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
006B0324 .68 85036B00 PUSH PFin.006B0385
006B0329 .EB 3F JMP SHORT PFin.006B036A
006B032B .F645 FC 04 TEST BYTE PTR SS:,4
006B032F .74 09 JE SHORT PFin.006B033A
006B0331 .8D4D E4 LEA ECX,DWORD PTR SS:
006B0334 .FF15 1C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
006B033A >8D55 C0 LEA EDX,DWORD PTR SS:
006B033D .8D45 C4 LEA EAX,DWORD PTR SS:
006B0340 .52 PUSH EDX
006B0341 .8D4D C8 LEA ECX,DWORD PTR SS:
006B0344 .50 PUSH EAX
006B0345 .8D55 CC LEA EDX,DWORD PTR SS:
006B0348 .51 PUSH ECX
006B0349 .8D45 D0 LEA EAX,DWORD PTR SS:
006B034C .52 PUSH EDX
006B034D .50 PUSH EAX
006B034E .6A 05 PUSH 5
006B0350 .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
006B0356 .8D4D A0 LEA ECX,DWORD PTR SS:
006B0359 .8D55 B0 LEA EDX,DWORD PTR SS:
006B035C .51 PUSH ECX
006B035D .52 PUSH EDX
006B035E .6A 02 PUSH 2
006B0360 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
006B0366 .83C4 24 ADD ESP,24
006B0369 .C3 RETN
006B036A >8B35 1C134000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>;MSVBVM60.__vbaFreeStr
006B0370 .8D4D E0 LEA ECX,DWORD PTR SS:
006B0373 .FFD6 CALL ESI ;<&MSVBVM60.__vbaFreeStr>
006B0375 .8D4D DC LEA ECX,DWORD PTR SS:
006B0378 .FFD6 CALL ESI
006B037A .8D4D D8 LEA ECX,DWORD PTR SS:
006B037D .FFD6 CALL ESI
006B037F .8D4D D4 LEA ECX,DWORD PTR SS:
006B0382 .FFD6 CALL ESI
006B0384 .C3 RETN
------- At 006B030F .E8 AC4AF5FF CALL PFin.00604DC0, pressing F7 to step in lands here ------------
00604DC0 $55 PUSH EBP
00604DC1 .8BEC MOV EBP,ESP
00604DC3 .83EC 0C SUB ESP,0C
00604DC6 .68 A60D4100 PUSH <JMP.&MSVBVM60.__vbaExceptHandler>;SE handler installation
00604DCB .64:A1 0000000>MOV EAX,DWORD PTR FS:
00604DD1 .50 PUSH EAX
00604DD2 .64:8925 00000>MOV DWORD PTR FS:,ESP
00604DD9 .81EC 98000000 SUB ESP,98
00604DDF .53 PUSH EBX
00604DE0 .56 PUSH ESI
00604DE1 .57 PUSH EDI
00604DE2 .8965 F4 MOV DWORD PTR SS:,ESP
00604DE5 .C745 F8 483B4>MOV DWORD PTR SS:,PFin.00403B48
00604DEC .8B45 0C MOV EAX,DWORD PTR SS:
00604DEF .33FF XOR EDI,EDI
00604DF1 .897D E0 MOV DWORD PTR SS:,EDI
00604DF4 .897D D8 MOV DWORD PTR SS:,EDI ;D
00604DF7 .8B08 MOV ECX,DWORD PTR DS: ;stack DS:=001DB3B4, (UNICODE "cbaac")
00604DF9 .897D D4 MOV DWORD PTR SS:,EDI
00604DFC .51 PUSH ECX
00604DFD .897D D0 MOV DWORD PTR SS:,EDI
00604E00 .897D C0 MOV DWORD PTR SS:,EDI
00604E03 .897D B0 MOV DWORD PTR SS:,EDI
00604E06 .897D A0 MOV DWORD PTR SS:,EDI
00604E09 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
00604E0F .8BC8 MOV ECX,EAX
00604E11 .FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>;MSVBVM60.__vbaI2I4
00604E17 .8BF0 MOV ESI,EAX
00604E19 .57 PUSH EDI
00604E1A .0FBFD6 MOVSX EDX,SI
00604E1D .52 PUSH EDX
00604E1E .6A 01 PUSH 1
00604E20 .6A 02 PUSH 2
00604E22 .68 4CF58C00 PUSH PFin.008CF54C
00604E27 .6A 02 PUSH 2
00604E29 .68 80000000 PUSH 80
00604E2E .8975 DC MOV DWORD PTR SS:,ESI
00604E31 .FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaRedim>;MSVBVM60.__vbaRedim
00604E37 .83C4 1C ADD ESP,1C
00604E3A .66:83EE 01 SUB SI,1
00604E3E .0F80 CA040000 JO PFin.0060530E
00604E44 .0FBFC6 MOVSX EAX,SI ;SI=0004
00604E47 .8985 78FFFFFF MOV DWORD PTR SS:,EAX
00604E4D .33C0 XOR EAX,EAX
00604E4F .BB 01000000 MOV EBX,1
00604E54 .A3 44F58C00 MOV DWORD PTR DS:,EAX
00604E59 >3B85 78FFFFFF CMP EAX,DWORD PTR SS: ;/ check whether conversion is finished (start converting each character of the constant cbcac to decimal)
00604E5F .0F8F 07010000 JG PFin.00604F6C ;| exit the loop when done
00604E65 .8B4D 0C MOV ECX,DWORD PTR SS:
00604E68 .8D55 C0 LEA EDX,DWORD PTR SS:
00604E6B .83C0 01 ADD EAX,1
00604E6E .52 PUSH EDX
00604E6F .0F80 99040000 JO PFin.0060530E
00604E75 .50 PUSH EAX
00604E76 .894D A8 MOV DWORD PTR SS:,ECX
00604E79 .8D45 A0 LEA EAX,DWORD PTR SS:
00604E7C .8D4D B0 LEA ECX,DWORD PTR SS:
00604E7F .50 PUSH EAX
00604E80 .51 PUSH ECX
00604E81 .C745 C8 01000>MOV DWORD PTR SS:,1
00604E88 .C745 C0 02000>MOV DWORD PTR SS:,2
00604E8F .C745 A0 08400>MOV DWORD PTR SS:,4008
00604E96 .FF15 04114000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
00604E9C .8D55 B0 LEA EDX,DWORD PTR SS:
00604E9F .8D45 D8 LEA EAX,DWORD PTR SS:
00604EA2 .52 PUSH EDX
00604EA3 .50 PUSH EAX
00604EA4 .FF15 FC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarVal
00604EAA .50 PUSH EAX
00604EAB .FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
00604EB1 .8BF0 MOV ESI,EAX ;hex value of each character of the string EAX=00000063
00604EB3 .A1 4CF58C00 MOV EAX,DWORD PTR DS:
00604EB8 .3BC7 CMP EAX,EDI
00604EBA .74 22 JE SHORT PFin.00604EDE
00604EBC .66:8338 01 CMP WORD PTR DS:,1
00604EC0 .75 1C JNZ SHORT PFin.00604EDE
00604EC2 .8B3D 44F58C00 MOV EDI,DWORD PTR DS:
00604EC8 .8B50 14 MOV EDX,DWORD PTR DS:
00604ECB .8B48 10 MOV ECX,DWORD PTR DS:
00604ECE .2BFA SUB EDI,EDX
00604ED0 .3BF9 CMP EDI,ECX
00604ED2 .72 06 JB SHORT PFin.00604EDA
00604ED4 .FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00604EDA >03FF ADD EDI,EDI
00604EDC .EB 08 JMP SHORT PFin.00604EE6
00604EDE >FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00604EE4 .8BF8 MOV EDI,EAX
00604EE6 >6A 02 PUSH 2
00604EE8 .8BCE MOV ECX,ESI
00604EEA .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2Abs>;MSVBVM60.__vbaI2Abs
00604EF0 .50 PUSH EAX
00604EF1 .FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI2>;MSVBVM60.__vbaStrI2
00604EF7 .8B35 D8124000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrMove
00604EFD .8BD0 MOV EDX,EAX ;convert to decimal
00604EFF .8D4D D4 LEA ECX,DWORD PTR SS:
00604F02 .FFD6 CALL ESI ;<&MSVBVM60.__vbaStrMove>
00604F04 .50 PUSH EAX
00604F05 .FF15 C0124000 CALL DWORD PTR DS:[<&MSVBVM60.#616>] ;MSVBVM60.rtcLeftCharBstr
00604F0B .8BD0 MOV EDX,EAX
00604F0D .8D4D D0 LEA ECX,DWORD PTR SS:
00604F10 .FFD6 CALL ESI
00604F12 .50 PUSH EAX
00604F13 .FF15 24134000 CALL DWORD PTR DS:[<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
00604F19 .FF15 B0124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI2>>;MSVBVM60.__vbaFpI2
00604F1F .8B0D 4CF58C00 MOV ECX,DWORD PTR DS:
00604F25 .8B51 0C MOV EDX,DWORD PTR DS:
00604F28 .8D4D D4 LEA ECX,DWORD PTR SS:
00604F2B .66:89043A MOV WORD PTR DS:,AX
00604F2F .8D45 D0 LEA EAX,DWORD PTR SS:
00604F32 .50 PUSH EAX
00604F33 .8D55 D8 LEA EDX,DWORD PTR SS:
00604F36 .51 PUSH ECX
00604F37 .52 PUSH EDX
00604F38 .6A 03 PUSH 3
00604F3A .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
00604F40 .8D45 B0 LEA EAX,DWORD PTR SS:
00604F43 .8D4D C0 LEA ECX,DWORD PTR SS:
00604F46 .50 PUSH EAX
00604F47 .51 PUSH ECX
00604F48 .6A 02 PUSH 2
00604F4A .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00604F50 .A1 44F58C00 MOV EAX,DWORD PTR DS:
00604F55 .83C4 1C ADD ESP,1C
00604F58 .03C3 ADD EAX,EBX
00604F5A .0F80 AE030000 JO PFin.0060530E
00604F60 .A3 44F58C00 MOV DWORD PTR DS:,EAX
00604F65 .33FF XOR EDI,EDI
00604F67 .^ E9 EDFEFFFF JMP PFin.00604E59 ;\ loop
00604F6C >8B5D 08 MOV EBX,DWORD PTR SS:
00604F6F .8B13 MOV EDX,DWORD PTR DS: ;D (UNICODE "3943271081221134")
00604F71 .52 PUSH EDX
00604F72 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
00604F78 .8BC8 MOV ECX,EAX
00604F7A .FF15 3C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>;MSVBVM60.__vbaI2I4
00604F80 .8BF0 MOV ESI,EAX
00604F82 .57 PUSH EDI
00604F83 .0FBFC6 MOVSX EAX,SI
00604F86 .50 PUSH EAX
00604F87 .6A 01 PUSH 1
00604F89 .6A 02 PUSH 2
00604F8B .68 48F58C00 PUSH PFin.008CF548
00604F90 .6A 02 PUSH 2
00604F92 .68 80000000 PUSH 80
00604F97 .8975 E8 MOV DWORD PTR SS:,ESI
00604F9A .FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaRedim>;MSVBVM60.__vbaRedim
00604FA0 .66:8BCE MOV CX,SI
00604FA3 .83C4 1C ADD ESP,1C
00604FA6 .66:83E9 01 SUB CX,1
00604FAA .BF 01000000 MOV EDI,1
00604FAF .0F80 59030000 JO PFin.0060530E
00604FB5 .0FBFD1 MOVSX EDX,CX
00604FB8 .33C0 XOR EAX,EAX
00604FBA .8995 70FFFFFF MOV DWORD PTR SS:,EDX
00604FC0 .A3 44F58C00 MOV DWORD PTR DS:,EAX
00604FC5 >3B85 70FFFFFF CMP EAX,DWORD PTR SS:
00604FCB .0F8F BF000000 JG PFin.00605090
00604FD1 .8D4D C0 LEA ECX,DWORD PTR SS:
00604FD4 .83C0 01 ADD EAX,1
00604FD7 .51 PUSH ECX
00604FD8 .8D55 A0 LEA EDX,DWORD PTR SS:
00604FDB .0F80 2D030000 JO PFin.0060530E
00604FE1 .50 PUSH EAX
00604FE2 .8D45 B0 LEA EAX,DWORD PTR SS:
00604FE5 .52 PUSH EDX
00604FE6 .50 PUSH EAX
00604FE7 .C745 C8 01000>MOV DWORD PTR SS:,1
00604FEE .C745 C0 02000>MOV DWORD PTR SS:,2
00604FF5 .895D A8 MOV DWORD PTR SS:,EBX
00604FF8 .C745 A0 08400>MOV DWORD PTR SS:,4008
00604FFF .FF15 04114000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
00605005 .A1 48F58C00 MOV EAX,DWORD PTR DS:
0060500A .85C0 TEST EAX,EAX
0060500C .74 22 JE SHORT PFin.00605030
0060500E .66:8338 01 CMP WORD PTR DS:,1
00605012 .75 1C JNZ SHORT PFin.00605030
00605014 .8B35 44F58C00 MOV ESI,DWORD PTR DS:
0060501A .8B50 14 MOV EDX,DWORD PTR DS:
0060501D .8B48 10 MOV ECX,DWORD PTR DS:
00605020 .2BF2 SUB ESI,EDX
00605022 .3BF1 CMP ESI,ECX
00605024 .72 06 JB SHORT PFin.0060502C
00605026 .FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
0060502C >03F6 ADD ESI,ESI
0060502E .EB 08 JMP SHORT PFin.00605038
00605030 >FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00605036 .8BF0 MOV ESI,EAX
00605038 >8D4D B0 LEA ECX,DWORD PTR SS:
0060503B .8D55 D8 LEA EDX,DWORD PTR SS:
0060503E .51 PUSH ECX
0060503F .52 PUSH EDX
00605040 .FF15 FC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarVal
00605046 .50 PUSH EAX
00605047 .FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
0060504D .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
00605053 .8B51 0C MOV EDX,DWORD PTR DS:
00605056 .8D4D D8 LEA ECX,DWORD PTR SS:
00605059 .66:890432 MOV WORD PTR DS:,AX ;hex value of the current character of D
0060505D .FF15 1C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
00605063 .8D45 B0 LEA EAX,DWORD PTR SS:
00605066 .8D4D C0 LEA ECX,DWORD PTR SS:
00605069 .50 PUSH EAX
0060506A .51 PUSH ECX
0060506B .6A 02 PUSH 2
0060506D .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
00605073 .A1 44F58C00 MOV EAX,DWORD PTR DS:
00605078 .8B75 E8 MOV ESI,DWORD PTR SS:
0060507B .83C4 0C ADD ESP,0C
0060507E .03C7 ADD EAX,EDI
00605080 .0F80 88020000 JO PFin.0060530E
00605086 .A3 44F58C00 MOV DWORD PTR DS:,EAX
0060508B .^ E9 35FFFFFF JMP PFin.00604FC5
00605090 >66:8BD6 MOV DX,SI
00605093 .33C9 XOR ECX,ECX
00605095 .66:83EA 01 SUB DX,1
00605099 .0F80 6F020000 JO PFin.0060530E
0060509F .0FBFC2 MOVSX EAX,DX
006050A2 .8985 68FFFFFF MOV DWORD PTR SS:,EAX
006050A8 .33C0 XOR EAX,EAX
006050AA .A3 44F58C00 MOV DWORD PTR DS:,EAX
006050AF >3B85 68FFFFFF CMP EAX,DWORD PTR SS:
006050B5 .0F8F 20010000 JG PFin.006051DB
006050BB .66:3B4D DC CMP CX,WORD PTR SS:
006050BF .7C 09 JL SHORT PFin.006050CA
006050C1 .C745 E4 00000>MOV DWORD PTR SS:,0
006050C8 .EB 0D JMP SHORT PFin.006050D7
006050CA >66:83C1 01 ADD CX,1
006050CE .0F80 3A020000 JO PFin.0060530E
006050D4 .894D E4 MOV DWORD PTR SS:,ECX
006050D7 >8B0D 48F58C00 MOV ECX,DWORD PTR DS:
006050DD .85C9 TEST ECX,ECX
006050DF .74 32 JE SHORT PFin.00605113
006050E1 .66:8339 01 CMP WORD PTR DS:,1
006050E5 .75 2C JNZ SHORT PFin.00605113
006050E7 .8B79 14 MOV EDI,DWORD PTR DS:
006050EA .8B51 10 MOV EDX,DWORD PTR DS:
006050ED .8B1D 18114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaGe>;MSVBVM60.__vbaGenerateBoundsError
006050F3 .8BF0 MOV ESI,EAX
006050F5 .2BF7 SUB ESI,EDI
006050F7 .3BF2 CMP ESI,EDX
006050F9 .72 0D JB SHORT PFin.00605108
006050FB .FFD3 CALL EBX ;<&MSVBVM60.__vbaGenerateBoundsError>
006050FD .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
00605103 .A1 44F58C00 MOV EAX,DWORD PTR DS:
00605108 >8D1436 LEA EDX,DWORD PTR DS:
0060510B .8995 54FFFFFF MOV DWORD PTR SS:,EDX
00605111 .EB 1D JMP SHORT PFin.00605130
00605113 >FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00605119 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
0060511F .8B1D 18114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaGe>;MSVBVM60.__vbaGenerateBoundsError
00605125 .8985 54FFFFFF MOV DWORD PTR SS:,EAX
0060512B .A1 44F58C00 MOV EAX,DWORD PTR DS:
00605130 >8B15 4CF58C00 MOV EDX,DWORD PTR DS:
00605136 .85D2 TEST EDX,EDX
00605138 .74 27 JE SHORT PFin.00605161
0060513A .66:833A 01 CMP WORD PTR DS:,1
0060513E .75 21 JNZ SHORT PFin.00605161
00605140 .0FBF75 E4 MOVSX ESI,WORD PTR SS:
00605144 .8B7A 14 MOV EDI,DWORD PTR DS:
00605147 .2BF7 SUB ESI,EDI
00605149 .8B7A 10 MOV EDI,DWORD PTR DS:
0060514C .3BF7 CMP ESI,EDI
0060514E .72 0D JB SHORT PFin.0060515D
00605150 .FFD3 CALL EBX
00605152 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
00605158 .A1 44F58C00 MOV EAX,DWORD PTR DS:
0060515D >03F6 ADD ESI,ESI
0060515F .EB 0F JMP SHORT PFin.00605170
00605161 >FFD3 CALL EBX
00605163 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
00605169 .8BF0 MOV ESI,EAX
0060516B .A1 44F58C00 MOV EAX,DWORD PTR DS:
00605170 >85C9 TEST ECX,ECX
00605172 .74 1F JE SHORT PFin.00605193
00605174 .66:8339 01 CMP WORD PTR DS:,1
00605178 .75 19 JNZ SHORT PFin.00605193
0060517A .2B41 14 SUB EAX,DWORD PTR DS:
0060517D .8BF8 MOV EDI,EAX
0060517F .8B41 10 MOV EAX,DWORD PTR DS:
00605182 .3BF8 CMP EDI,EAX
00605184 .72 08 JB SHORT PFin.0060518E
00605186 .FFD3 CALL EBX
00605188 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
0060518E >8D043F LEA EAX,DWORD PTR DS:
00605191 .EB 08 JMP SHORT PFin.0060519B
00605193 >FFD3 CALL EBX
00605195 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
0060519B >8B15 4CF58C00 MOV EDX,DWORD PTR DS:
006051A1 .8B49 0C MOV ECX,DWORD PTR DS: ;(UNICODE "3943271081221134")
006051A4 .8B52 0C MOV EDX,DWORD PTR DS: ;(UNICODE "cbaac")
006051A7 .66:8B1432 MOV DX,WORD PTR DS: ;DS:=0061
006051AB .8BB5 54FFFFFF MOV ESI,DWORD PTR SS:
006051B1 .66:331431 XOR DX,WORD PTR DS: ;XOR(39,61)=58
006051B5 .8B75 E8 MOV ESI,DWORD PTR SS:
006051B8 .66:891401 MOV WORD PTR DS:,DX ;decimal value of the first character DX=0051
006051BC .A1 44F58C00 MOV EAX,DWORD PTR DS:
006051C1 .B9 01000000 MOV ECX,1
006051C6 .03C1 ADD EAX,ECX
006051C8 .8B4D E4 MOV ECX,DWORD PTR SS:
006051CB .0F80 3D010000 JO PFin.0060530E
006051D1 .A3 44F58C00 MOV DWORD PTR DS:,EAX
006051D6 .^ E9 D4FEFFFF JMP PFin.006050AF
006051DB >BA 2C8F4500 MOV EDX,PFin.00458F2C
006051E0 .8D4D E0 LEA ECX,DWORD PTR SS:
006051E3 .FF15 44124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
006051E9 .66:83EE 01 SUB SI,1
006051ED .8B1D 38104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrVarMove
006051F3 .0F80 15010000 JO PFin.0060530E
006051F9 .0FBFC6 MOVSX EAX,SI
006051FC .8985 60FFFFFF MOV DWORD PTR SS:,EAX
00605202 .33C0 XOR EAX,EAX
00605204 .BF 01000000 MOV EDI,1
00605209 .A3 44F58C00 MOV DWORD PTR DS:,EAX
0060520E >3B85 60FFFFFF CMP EAX,DWORD PTR SS:
00605214 .0F8F 9E000000 JG PFin.006052B8
0060521A .8B4D E0 MOV ECX,DWORD PTR SS:
0060521D .C745 A0 08000>MOV DWORD PTR SS:,8
00605224 .894D A8 MOV DWORD PTR SS:,ECX
00605227 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
0060522D .85C9 TEST ECX,ECX
0060522F .74 23 JE SHORT PFin.00605254
00605231 .66:8339 01 CMP WORD PTR DS:,1
00605235 .75 1D JNZ SHORT PFin.00605254
00605237 .2B41 14 SUB EAX,DWORD PTR DS:
0060523A .8BF0 MOV ESI,EAX
0060523C .8B41 10 MOV EAX,DWORD PTR DS:
0060523F .3BF0 CMP ESI,EAX
00605241 .72 0C JB SHORT PFin.0060524F
00605243 .FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00605249 .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
0060524F >8D0436 LEA EAX,DWORD PTR DS:
00605252 .EB 0C JMP SHORT PFin.00605260
00605254 >FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
0060525A .8B0D 48F58C00 MOV ECX,DWORD PTR DS:
00605260 >8B51 0C MOV EDX,DWORD PTR DS:
00605263 .8D4D C0 LEA ECX,DWORD PTR SS:
00605266 .0FBF0402 MOVSX EAX,WORD PTR DS:
0060526A .50 PUSH EAX
0060526B .51 PUSH ECX
0060526C .FF15 E0114000 CALL DWORD PTR DS:[<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00605272 .8D55 A0 LEA EDX,DWORD PTR SS:
00605275 .8D45 C0 LEA EAX,DWORD PTR SS:
00605278 .52 PUSH EDX
00605279 .8D4D B0 LEA ECX,DWORD PTR SS:
0060527C .50 PUSH EAX
0060527D .51 PUSH ECX
0060527E .FF15 00124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>;MSVBVM60.__vbaVarCat
00605284 .50 PUSH EAX
00605285 .FFD3 CALL EBX
00605287 .8BD0 MOV EDX,EAX
00605289 .8D4D E0 LEA ECX,DWORD PTR SS:
0060528C .FF15 D8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
00605292 .8D55 B0 LEA EDX,DWORD PTR SS:
00605295 .8D45 C0 LEA EAX,DWORD PTR SS:
00605298 .52 PUSH EDX
00605299 .50 PUSH EAX
0060529A .6A 02 PUSH 2
0060529C .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
006052A2 .A1 44F58C00 MOV EAX,DWORD PTR DS:
006052A7 .83C4 0C ADD ESP,0C
006052AA .03C7 ADD EAX,EDI
006052AC .70 60 JO SHORT PFin.0060530E
006052AE .A3 44F58C00 MOV DWORD PTR DS:,EAX
006052B3 .^ E9 56FFFFFF JMP PFin.0060520E
006052B8 >9B WAIT
006052B9 .68 F8526000 PUSH PFin.006052F8
006052BE .EB 37 JMP SHORT PFin.006052F7
006052C0 .F645 FC 04 TEST BYTE PTR SS:,4
006052C4 .74 09 JE SHORT PFin.006052CF
006052C6 .8D4D E0 LEA ECX,DWORD PTR SS:
006052C9 .FF15 1C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
006052CF >8D4D D0 LEA ECX,DWORD PTR SS:
006052D2 .8D55 D4 LEA EDX,DWORD PTR SS:
006052D5 .51 PUSH ECX
006052D6 .8D45 D8 LEA EAX,DWORD PTR SS:
006052D9 .52 PUSH EDX
006052DA .50 PUSH EAX
006052DB .6A 03 PUSH 3
006052DD .FF15 58124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
006052E3 .8D4D B0 LEA ECX,DWORD PTR SS:
006052E6 .8D55 C0 LEA EDX,DWORD PTR SS:
006052E9 .51 PUSH ECX
006052EA .52 PUSH EDX
006052EB .6A 02 PUSH 2
006052ED .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
006052F3 .83C4 1C ADD ESP,1C
006052F6 .C3 RETN
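That's it. It's actually quite simple...
--------------------------------------------------------------------------------
【Lessons learned】
1. Convert each character of the user name to decimal and concatenate them to get B; reverse the machine ID A to get C; then concatenate them as A=C+B+D;
2. E = 3 + the first 15 characters of A;
3. XOR the hex value of each character of D with the hex value of each character of the constant caabc (in the order baac0cbaac0cbaac); the resulting values, converted to characters, are the registration code.
For example, if the user name is lzq1973, then B=10812211349575551; the machine ID A=72349, so C=94327; D=943271081221134957555172349.
E=3943271081221134
F=baac0cbaac0cbaac
XORing the hex value of each character of E with the hex value of each character of F and concatenating the results gives QXUP2TSQYR2QSPRW, which is the registration code.
--------------------------------------------------------------------------------
【Copyright notice】: This article is purely for technical exchange [please support genuine software]. When reposting, please credit the author and keep the article intact. Thank you!
2006-04-10 08:12:47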
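[ Last edited by lzq1973 on 2006-4-12 04:29 ]
You have real patience, brother!
Not bad! The most important thing for a cracker is patience!
Once you have fully polished this article, I'll give it a "Featured" mark. Keep it up!
Bookmarking it first; I'll study it again once my skills improve.
Finally finished.
Personally, I think algorithm analysis is the most wonderful kind of cracking. Thanks. Bookmarked.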