**背词王 3.7算法分析
【破文标题】**背词王 3.7算法分析【破文作者】dgrzh(交响诗篇)
【破解工具】OD PEiD
【破解平台】XP SP2
【软件名称】**背词王 3.7
【保护方式】序列号
【破解声明】新手,不对之处还请大家多多指教~
【破解过程】PEiD查没壳,编程语言Microsoft Visual Basic 5.0 / 6.0
运行程序,右健点-菜单-用户设置-版本注册显示:
前码: 后码:
注册91275844 12345678(前码是程序自动显示的,输入12345678假后码)
注册按钮<-点这里(提示:注册码错误)
用字符串查找,没有找到任何可用的线索,于是查找-当前模块中的名称,找到MSVBVM60.__vbaStrCmp,在每个参考上设置断点。
下好断点,F9运行
0068382F .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ;断在这里,然后一路F8
00683835 .8BF8 mov edi,eax
00683837 .8D95 C4FEFFFF lea edx,dword ptr ss:
0068383D .F7DF neg edi
0068383F .8D85 C8FEFFFF lea eax,dword ptr ss:
00683845 .52 push edx
00683846 .1BFF sbb edi,edi
00683848 .8D8D CCFEFFFF lea ecx,dword ptr ss:
0068384E .50 push eax
0068384F .51 push ecx
00683850 .F7DF neg edi
00683852 .6A 03 push 3
00683854 .F7DF neg edi
省略代码
...................................................................................
...................................................................................
7339DE99 8945 E4 mov dword ptr ss:,eax
7339DE9C 85C0 test eax,eax
7339DE9E 7C 51 jl short MSVBVM60.7339DEF1
7339DEA0 6A 00 push 0
7339DEA2 6A 00 push 0
7339DEA4 68 69100000 push 1069
7339DEA9 FF15 C8103973 call dword ptr ds:[<&KERNEL32.GetCurrentThreadId>; kernel32.GetCurrentThreadId
7339DEAF 50 push eax
7339DEB0 FF15 28163973 call dword ptr ds:[<&USER32.PostThreadMessageA>] ; USER32.PostThreadMessageA
7339DEB6 8D45 9C lea eax,dword ptr ss:
7339DEB9 50 push eax
7339DEBA 8BCE mov ecx,esi
7339DEBC E8 6159FFFF call MSVBVM60.73393822
7339DEC1 85C0 test eax,eax
7339DEC3 74 14 je short MSVBVM60.7339DED9
7339DEC5 8B45 9C mov eax,dword ptr ss:
7339DEC8 8B88 20050000 mov ecx,dword ptr ds:
7339DECE 85C9 test ecx,ecx
7339DED0 74 07 je short MSVBVM60.7339DED9
7339DED2 6A FF push -1
7339DED4 E8 366C0000 call MSVBVM60.733A4B0F ;F8来到这里程序运行起来。
右健点-菜单-用户设置-版本注册显示:
前码: 后码:
注册91275844 12345678(前码是程序自动显示的,输入12345678假后码)
注册按钮<-点这里
........................................................................................................
00687667 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp断在这里
0068766D .8BF0 mov esi, eax
0068766F .8D4D D8 lea ecx, dword ptr
00687672 .F7DE neg esi
00687674 .1BF6 sbb esi, esi
00687676 .F7DE neg esi
00687678 .F7DE neg esi
0068767A .FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
......................................................................................................
看堆栈显示:
0012D7EC 001F3C44UNICODE "15527657"
0012D7F0 001F3BE4UNICODE "12345678"
明码比较,关键地方找到了。其实下好断点,按两次F9也会断在这里,但是程序就没有响应。OD就无法继续调试。
取消00687667处的断点,来到段首
006872A6 .68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandler> 这里下F2断点
下好断点后,重载OD,F9一次断在0068382F这里,一路F8重复上面过程,来到7339DED4程序运行起来
输入假后码,点注册后断在006872A6这里(其实在按一次F9也会断在这里,但是程序就没有响应。不明白为什么。)
====================================================
====================================================
006872A6 .68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; 断在这里
006872AB .64:A1 00000000 mov eax,dword ptr fs:
006872B1 .50 push eax
006872B2 .64:8925 00000000 mov dword ptr fs:,esp
006872B9 .81EC 28010000 sub esp,128
006872BF .53 push ebx
006872C0 .56 push esi
006872C1 .57 push edi
006872C2 .8965 F8 mov dword ptr ss:,esp
006872C5 .C745 FC A01D4000 mov dword ptr ss:,Super背?00401DA0
006872CC .A1 D0D06800 mov eax,dword ptr ds:
006872D1 .33FF xor edi,edi
006872D3 .3BC7 cmp eax,edi ;(初始化 cpu 选择状态)
006872D5 .897D E8 mov dword ptr ss:,edi
006872D8 .897D E4 mov dword ptr ss:,edi
006872DB .897D D8 mov dword ptr ss:,edi
006872DE .897D D4 mov dword ptr ss:,edi
006872E1 .897D D0 mov dword ptr ss:,edi
006872E4 .897D C0 mov dword ptr ss:,edi
006872E7 .897D B0 mov dword ptr ss:,edi
006872EA .897D A0 mov dword ptr ss:,edi
006872ED .897D 90 mov dword ptr ss:,edi
006872F0 .897D 80 mov dword ptr ss:,edi
006872F3 .89BD 70FFFFFF mov dword ptr ss:,edi
006872F9 .89BD 60FFFFFF mov dword ptr ss:,edi
006872FF .89BD 50FFFFFF mov dword ptr ss:,edi
00687305 .89BD 40FFFFFF mov dword ptr ss:,edi
0068730B .89BD 20FFFFFF mov dword ptr ss:,edi
00687311 .89BD F0FEFFFF mov dword ptr ss:,edi
00687317 .75 10 jnz short Super背?00687329
00687319 .68 D0D06800 push Super背?0068D0D0
0068731E .68 60FF4200 push Super背?0042FF60
00687323 .FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ;MSVBVM60.__vbaNew2
00687329 >8B35 D0D06800 mov esi,dword ptr ds:
0068732F .8D4D D8 lea ecx,dword ptr ss:
00687332 .51 push ecx
00687333 .56 push esi
00687334 .8B06 mov eax,dword ptr ds:
00687336 .FF90 F8060000 call dword ptr ds: ;将硬盘序列号转换为前码91275844
0068733C .3BC7 cmp eax,edi
0068733E .DBE2 fclex
00687340 .7D 12 jge short Super背?00687354
00687342 .68 F8060000 push 6F8
00687347 .68 B8344300 push Super背?004334B8
0068734C .56 push esi
0068734D .50 push eax
0068734E .FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>;MSVBVM60.__vbaHresultCheckObj
00687354 >8B55 D8 mov edx,dword ptr ss: ;前码
00687357 .8D4D E4 lea ecx,dword ptr ss:
0068735A .897D D8 mov dword ptr ss:,edi
0068735D .FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
00687363 .8B55 E4 mov edx,dword ptr ss: ;前码
00687366 .52 push edx
00687367 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;MSVBVM60.__vbaLenBstr
0068736D .8BC8 mov ecx,eax ;前码长度
0068736F .FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ;MSVBVM60.__vbaI2I4
00687375 .8B1D 3C104000 mov ebx,dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
0068737B .8985 DCFEFFFF mov dword ptr ss:,eax
00687381 .BE 01000000 mov esi,1
00687386 >66:3BB5 DCFEFFFF cmp si,word ptr ss: ; 计数值同前码长度比较
0068738D .0F8F 87000000 jg Super背?0068741A ; 计数值大于前码长度跳出循环
00687393 .8D45 E4 lea eax,dword ptr ss:
00687396 .8D4D C0 lea ecx,dword ptr ss:
00687399 .0FBFD6 movsx edx,si
0068739C .8985 48FFFFFF mov dword ptr ss:,eax
006873A2 .51 push ecx
006873A3 .8D85 40FFFFFF lea eax,dword ptr ss:
006873A9 .52 push edx
006873AA .8D4D B0 lea ecx,dword ptr ss:
006873AD .50 push eax
006873AE .51 push ecx
006873AF .C745 C8 01000000 mov dword ptr ss:,1
006873B6 .C745 C0 02000000 mov dword ptr ss:,2
006873BD .C785 40FFFFFF 08>mov dword ptr ss:,4008
006873C7 .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
006873CD .8D55 B0 lea edx,dword ptr ss:
006873D0 .8D45 D8 lea eax,dword ptr ss:
006873D3 .52 push edx
006873D4 .50 push eax
006873D5 .FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;逐位取前码的值并转换为它的ASCII码值
006873DB .50 push eax ;
006873DC .FFD3 call ebx ;
006873DE .66:03C7 add ax,di ;将每位ASCII码值累加结果送ax
006873E1 .8D4D D8 lea ecx,dword ptr ss:
006873E4 .0F80 28030000 jo Super背?00687712
006873EA .8BF8 mov edi,eax ;累加结果
006873EC .FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
006873F2 .8D4D B0 lea ecx,dword ptr ss:
006873F5 .8D55 C0 lea edx,dword ptr ss:
006873F8 .51 push ecx
006873F9 .52 push edx
006873FA .6A 02 push 2
006873FC .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00687402 .B8 01000000 mov eax,1 ; 计数器赋值为1
00687407 .83C4 0C add esp,0C
0068740A .66:03C6 add ax,si ;每循环一次计数值加1
0068740D .0F80 FF020000 jo Super背?00687712
00687413 .8BF0 mov esi,eax ;
00687415 .^ E9 6CFFFFFF jmp Super背?00687386
0068741A >66:8BC7 mov ax,di ;累加结果
0068741D .66:B9 0900 mov cx,9 ;
00687421 .66:6BC0 13 imul ax,ax,13 累加结果乘以13送ax
00687425 .0F80 E7020000 jo Super背?00687712
0068742B .66:99 cwd
0068742D .66:F7F9 idiv cx ;
00687430 .8955 DC mov dword ptr ss:,edx ax除9取余存入ss:中
00687433 .8B55 E4 mov edx,dword ptr ss:
00687436 .52 push edx ;前码
00687437 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;前码长度
0068743D .8BC8 mov ecx,eax ;
0068743F .FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ;MSVBVM60.__vbaI2I4
00687445 .8985 D4FEFFFF mov dword ptr ss:,eax
0068744B .BE 01000000 mov esi,1
00687450 >66:3BB5 D4FEFFFF cmp si,word ptr ss: ;计数值同前码长度比较
00687457 .0F8F A9010000 jg Super背?00687606 ; 大于前码长度跳出循环
0068745D .8B45 E8 mov eax,dword ptr ss:
00687460 .8D4D E4 lea ecx,dword ptr ss:
00687463 .0FBFFE movsx edi,si
00687466 .8D55 C0 lea edx,dword ptr ss:
00687469 .8985 F8FEFFFF mov dword ptr ss:,eax
0068746F .898D 48FFFFFF mov dword ptr ss:,ecx
00687475 .52 push edx
00687476 .8D85 40FFFFFF lea eax,dword ptr ss:
0068747C .57 push edi
0068747D .8D4D B0 lea ecx,dword ptr ss:
00687480 .50 push eax
00687481 .51 push ecx
00687482 .C785 F0FEFFFF 08>mov dword ptr ss:,8
0068748C .C745 C8 01000000 mov dword ptr ss:,1
00687493 .C745 C0 02000000 mov dword ptr ss:,2
0068749A .C785 40FFFFFF 08>mov dword ptr ss:,4008
006874A4 .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
006874AA .8D55 E4 lea edx,dword ptr ss:
006874AD .8D45 A0 lea eax,dword ptr ss:
006874B0 .8995 28FFFFFF mov dword ptr ss:,edx
006874B6 .50 push eax
006874B7 .8D8D 20FFFFFF lea ecx,dword ptr ss:
006874BD .57 push edi
006874BE .8D55 90 lea edx,dword ptr ss:
006874C1 .51 push ecx
006874C2 .52 push edx
006874C3 .C745 A8 01000000 mov dword ptr ss:,1
006874CA .C745 A0 02000000 mov dword ptr ss:,2
006874D1 .C785 20FFFFFF 08>mov dword ptr ss:,4008
006874DB .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
006874E1 .8B3D 30114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>>;MSVBVM60.__vbaStrVarVal
006874E7 .8D45 90 lea eax,dword ptr ss:
006874EA .8D4D D4 lea ecx,dword ptr ss:
006874ED .50 push eax
006874EE .51 push ecx
006874EF .FFD7 call edi ;逐位取前码的ASCII码值
006874F1 .50 push eax ;
006874F2 .FFD3 call ebx
006874F4 .66:8BD0 mov dx,ax ;
006874F7 .8D45 B0 lea eax,dword ptr ss:
006874FA .8D4D D8 lea ecx,dword ptr ss:
006874FD .50 push eax
006874FE .51 push ecx
006874FF .66:8995 CAFEFFFF mov word ptr ss:,dx ;
00687506 .FFD7 call edi ;<&MSVBVM60.__vbaStrVarVal>
00687508 .50 push eax ;
00687509 .FFD3 call ebx
0068750B .66:8B8D CAFEFFFF mov cx,word ptr ss: ;
00687512 .C745 80 02000000 mov dword ptr ss:,2
00687519 .66:0FAFC8 imul cx,ax ;将取出的ASCII码值自乘
0068751D .66:8BC6 mov ax,si ;计数值当前值
00687520 .0F80 EC010000 jo Super背?00687712
00687526 .66:6BC0 03 imul ax,ax,3 ;当前值乘3送ax
0068752A .0F80 E2010000 jo Super背?00687712
00687530 .66:99 cwd
00687532 .66:2BC2 sub ax,dx
00687535 .66:D1F8 sar ax,1 ;ax除2得到商
00687538 .66:03C8 add cx,ax ;自乘值加商送cx
0068753B .0F80 D1010000 jo Super背?00687712
00687541 .66:034D DC add cx,word ptr ss: ;cx加上ss:中的值
00687545 .0F80 C7010000 jo Super背?00687712
0068754B .66:8BC1 mov ax,cx
0068754E .66:B9 0A00 mov cx,0A
00687552 .66:99 cwd
00687554 .66:F7F9 idiv cx ;将每一位结果除A取余
00687557 .8D85 70FFFFFF lea eax,dword ptr ss:
0068755D .66:8955 88 mov word ptr ss:,dx
00687561 .8D55 80 lea edx,dword ptr ss:
00687564 .52 push edx
00687565 .50 push eax
00687566 .FF15 7C114000 call dword ptr ds:[<&MSVBVM60.#613>] ;
0068756C .8D8D 70FFFFFF lea ecx,dword ptr ss:
00687572 .8D95 60FFFFFF lea edx,dword ptr ss:
00687578 .51 push ecx
00687579 .52 push edx
0068757A .FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00687580 .8D85 F0FEFFFF lea eax,dword ptr ss:
00687586 .8D8D 60FFFFFF lea ecx,dword ptr ss:
0068758C .50 push eax
0068758D .51 push ecx
0068758E .8D95 50FFFFFF lea edx,dword ptr ss:
00687594 .52 push edx
00687595 .FF15 34114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ;MSVBVM60.__vbaVarCat
0068759B .50 push eax ;
0068759C .FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>];将余数连接起来就得到真正后码
006875A2 .8BD0 mov edx,eax ;
006875A4 .8D4D E8 lea ecx,dword ptr ss:
006875A7 .FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
006875AD .8D45 D4 lea eax,dword ptr ss:
006875B0 .8D4D D8 lea ecx,dword ptr ss:
006875B3 .50 push eax
006875B4 .51 push ecx
006875B5 .6A 02 push 2
006875B7 .FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;
006875BD .8D95 50FFFFFF lea edx,dword ptr ss:
006875C3 .8D85 60FFFFFF lea eax,dword ptr ss:
006875C9 .52 push edx
006875CA .8D8D 70FFFFFF lea ecx,dword ptr ss:
006875D0 .50 push eax
006875D1 .8D55 80 lea edx,dword ptr ss:
006875D4 .51 push ecx
006875D5 .8D45 90 lea eax,dword ptr ss:
006875D8 .52 push edx
006875D9 .8D4D A0 lea ecx,dword ptr ss:
006875DC .50 push eax
006875DD .8D55 B0 lea edx,dword ptr ss:
006875E0 .51 push ecx
006875E1 .8D45 C0 lea eax,dword ptr ss:
006875E4 .52 push edx
006875E5 .50 push eax
006875E6 .6A 08 push 8
006875E8 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;获得注册码长度
006875EE .B8 01000000 mov eax,1 ;计数器赋值为1
006875F3 .83C4 30 add esp,30
006875F6 .66:03C6 add ax,si ;每循环一次计数值加1
006875F9 .0F80 13010000 jo Super背?00687712
006875FF .8BF0 mov esi,eax ;
00687601 .^ E9 4AFEFFFF jmp Super背?00687450 ;
00687606 >A1 D0D06800 mov eax,dword ptr ds:
0068760B .85C0 test eax,eax
0068760D .75 15 jnz short Super背?00687624
0068760F .68 D0D06800 push Super背?0068D0D0
00687614 .68 60FF4200 push Super背?0042FF60
00687619 .FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ;MSVBVM60.__vbaNew2
0068761F .A1 D0D06800 mov eax,dword ptr ds:
00687624 >8B08 mov ecx,dword ptr ds:
00687626 .50 push eax
00687627 .FF91 14030000 call dword ptr ds:
0068762D .8D55 D0 lea edx,dword ptr ss:
00687630 .50 push eax
00687631 .52 push edx
00687632 .FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;MSVBVM60.__vbaObjSet
00687638 .8BF0 mov esi,eax
0068763A .8D4D D8 lea ecx,dword ptr ss:
0068763D .51 push ecx
0068763E .56 push esi
0068763F .8B06 mov eax,dword ptr ds:
00687641 .FF90 A0000000 call dword ptr ds:
00687647 .85C0 test eax,eax
00687649 .DBE2 fclex
0068764B .7D 12 jge short Super背?0068765F
0068764D .68 A0000000 push 0A0
00687652 .68 543E4300 push Super背?00433E54
00687657 .56 push esi
00687658 .50 push eax
00687659 .FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>;MSVBVM60.__vbaHresultCheckObj
0068765F >8B55 D8 mov edx,dword ptr ss: ; 12345678
00687662 .8B45 E8 mov eax,dword ptr ss: ; 15527657
00687665 .52 push edx
00687666 .50 push eax
00687667 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ;注册码后码真假比较
0068766D .8BF0 mov esi,eax ; 不等eax=-1
0068766F .8D4D D8 lea ecx,dword ptr ss:
00687672 .F7DE neg esi
00687674 .1BF6 sbb esi,esi
00687676 .F7DE neg esi
00687678 .F7DE neg esi
0068767A .FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00687680 .8D4D D0 lea ecx,dword ptr ss:
00687683 .FF15 BC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
00687689 .66:F7DE neg si
0068768C .1BF6 sbb esi,esi
0068768E .68 FD766800 push Super背?006876FD
00687693 .F7DE neg esi
00687695 .4E dec esi
00687696 .8975 E0 mov dword ptr ss:,esi
00687699 .EB 51 jmp short Super背?006876EC
0068769B .8D4D D4 lea ecx,dword ptr ss:
0068769E .8D55 D8 lea edx,dword ptr ss:
006876A1 .51 push ecx
006876A2 .52 push edx
006876A3 .6A 02 push 2
006876A5 .FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
006876AB .83C4 0C add esp,0C
006876AE .8D4D D0 lea ecx,dword ptr ss:
006876B1 .FF15 BC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
006876B7 .8D85 50FFFFFF lea eax,dword ptr ss:
006876BD .8D8D 60FFFFFF lea ecx,dword ptr ss:
006876C3 .50 push eax
006876C4 .8D95 70FFFFFF lea edx,dword ptr ss:
006876CA .51 push ecx
006876CB .8D45 80 lea eax,dword ptr ss:
006876CE .52 push edx
006876CF .8D4D 90 lea ecx,dword ptr ss:
006876D2 .50 push eax
006876D3 .8D55 A0 lea edx,dword ptr ss:
006876D6 .51 push ecx
006876D7 .8D45 B0 lea eax,dword ptr ss:
006876DA .52 push edx
006876DB .8D4D C0 lea ecx,dword ptr ss:
006876DE .50 push eax
006876DF .51 push ecx
006876E0 .6A 08 push 8
006876E2 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
006876E8 .83C4 24 add esp,24
006876EB .C3 retn
006876EC >8B35 B8114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>];MSVBVM60.__vbaFreeStr
006876F2 .8D4D E8 lea ecx,dword ptr ss:
006876F5 .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
006876F7 .8D4D E4 lea ecx,dword ptr ss:
006876FA .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
006876FC .C3 retn
006876FD .8B4D F0 mov ecx, dword ptr
00687700 .66:8B45 E0 mov ax, word ptr
00687704 .5F pop edi
00687705 .5E pop esi
00687706 .64:890D 00000>mov dword ptr fs:, ecx
0068770D .5B pop ebx
0068770E .8BE5 mov esp, ebp
00687710 .5D pop ebp
00687711 .C3 retn
==================================================
==================================================
0067C716 .68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
0067C71B .64:A1 0000000>mov eax, dword ptr fs:
0067C721 .50 push eax
0067C722 .64:8925 00000>mov dword ptr fs:, esp
0067C729 .83EC 28 sub esp, 28
0067C72C .53 push ebx
0067C72D .56 push esi
0067C72E .57 push edi
0067C72F .8965 F4 mov dword ptr , esp
0067C732 .C745 F8 30184>mov dword ptr , 00401830
0067C739 .8B7D 08 mov edi, dword ptr
0067C73C .8BC7 mov eax, edi
0067C73E .83E0 01 and eax, 1
0067C741 .8945 FC mov dword ptr , eax
0067C744 .83E7 FE and edi, FFFFFFFE
0067C747 .57 push edi
0067C748 .897D 08 mov dword ptr , edi
0067C74B .8B0F mov ecx, dword ptr
0067C74D .FF51 04 call dword ptr
0067C750 .33DB xor ebx, ebx
0067C752 .895D E8 mov dword ptr , ebx
0067C755 .895D E4 mov dword ptr , ebx
0067C758 .895D E0 mov dword ptr , ebx
0067C75B .895D DC mov dword ptr , ebx
0067C75E .895D D8 mov dword ptr , ebx
0067C761 .E8 3AAB0000 call 006872A0 ;这就是关键call
0067C766 .66:85C0 test ax, ax ;ax=0跳向失败
0067C769 .0F84 04010000 je 0067C873 ;关键跳转,不能跳
0067C76F .8B35 54114000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrCopy
0067C775 .BA 103E4300 mov edx, 00433E10
0067C77A .8D4D E8 lea ecx, dword ptr
0067C77D .FFD6 call esi ;<&MSVBVM60.__vbaStrCopy>
0067C77F .8B17 mov edx, dword ptr
0067C781 .8D45 E8 lea eax, dword ptr
0067C784 .50 push eax
0067C785 .57 push edi
0067C786 .FF92 40070000 call dword ptr
0067C78C .8D4D E8 lea ecx, dword ptr
0067C78F .FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0067C795 .8B0F mov ecx, dword ptr
0067C797 .57 push edi
0067C798 .FF91 14030000 call dword ptr
0067C79E .8D55 D8 lea edx, dword ptr
0067C7A1 .50 push eax
0067C7A2 .52 push edx
0067C7A3 .FF15 84104000 call dword ptr [<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
0067C7A9 .8BF8 mov edi, eax
0067C7AB .8D4D E8 lea ecx, dword ptr
0067C7AE .51 push ecx
0067C7AF .57 push edi
0067C7B0 .8B07 mov eax, dword ptr
0067C7B2 .FF90 A0000000 call dword ptr
0067C7B8 .3BC3 cmp eax, ebx
0067C7BA .DBE2 fclex
0067C7BC .7D 12 jge short 0067C7D0
0067C7BE .68 A0000000 push 0A0
0067C7C3 .68 543E4300 push 00433E54
0067C7C8 .57 push edi
0067C7C9 .50 push eax
0067C7CA .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0067C7D0 >8B55 E8 mov edx, dword ptr
0067C7D3 .8D4D DC lea ecx, dword ptr
0067C7D6 .895D E8 mov dword ptr , ebx
0067C7D9 .FF15 94114000 call dword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
0067C7DF .BA 483E4300 mov edx, 00433E48 ;UNICODE "value"
0067C7E4 .8D4D E0 lea ecx, dword ptr
0067C7E7 .FFD6 call esi
0067C7E9 .BA 303E4300 mov edx, 00433E30 ;UNICODE "register"
0067C7EE .8D4D E4 lea ecx, dword ptr
0067C7F1 .FFD6 call esi
0067C7F3 .8D55 DC lea edx, dword ptr
0067C7F6 .8D45 E0 lea eax, dword ptr
0067C7F9 .52 push edx
0067C7FA .8D4D E4 lea ecx, dword ptr
0067C7FD .50 push eax
0067C7FE .51 push ecx
0067C7FF .E8 FCA40000 call 00686D00
0067C804 .8B3D 58114000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeStrList
0067C80A .8D55 DC lea edx, dword ptr
0067C80D .8D45 E0 lea eax, dword ptr
0067C810 .52 push edx
0067C811 .8D4D E4 lea ecx, dword ptr
0067C814 .50 push eax
0067C815 .51 push ecx
0067C816 .6A 03 push 3
0067C818 .FFD7 call edi ;<&MSVBVM60.__vbaFreeStrList>
0067C81A .83C4 10 add esp, 10
0067C81D .8D4D D8 lea ecx, dword ptr
0067C820 .FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
0067C826 .BA 14384300 mov edx, 00433814
0067C82B .8D4D E0 lea ecx, dword ptr
0067C82E .FFD6 call esi
0067C830 .BA 683E4300 mov edx, 00433E68 ;UNICODE "rflag"
0067C835 .8D4D E4 lea ecx, dword ptr
0067C838 .FFD6 call esi
0067C83A .BA 58394300 mov edx, 00433958 ;UNICODE "Security"
0067C83F .8D4D E8 lea ecx, dword ptr
0067C842 .FFD6 call esi
0067C844 .8D55 E0 lea edx, dword ptr
0067C847 .8D45 E4 lea eax, dword ptr
0067C84A .52 push edx
0067C84B .8D4D E8 lea ecx, dword ptr
0067C84E .50 push eax
0067C84F .51 push ecx
0067C850 .E8 ABA40000 call 00686D00
0067C855 .8D55 E0 lea edx, dword ptr
0067C858 .8D45 E4 lea eax, dword ptr
0067C85B .52 push edx
0067C85C .8D4D E8 lea ecx, dword ptr
0067C85F .50 push eax
0067C860 .51 push ecx
0067C861 .6A 03 push 3
0067C863 .FFD7 call edi
0067C865 .83C4 10 add esp, 10
0067C868 .66:C705 50D06>mov word ptr , 0FFFF
0067C871 .EB 24 jmp short 0067C897
0067C873 >BA 783E4300 mov edx, 00433E78
0067C878 .8D4D E8 lea ecx, dword ptr
0067C87B .FF15 54114000 call dword ptr [<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
0067C881 .8B17 mov edx, dword ptr
0067C883 .8D45 E8 lea eax, dword ptr
0067C886 .50 push eax
0067C887 .57 push edi
0067C888 .FF92 40070000 call dword ptr
0067C88E .8D4D E8 lea ecx, dword ptr
0067C891 .FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0067C897 >895D FC mov dword ptr , ebx
0067C89A .68 C7C86700 push 0067C8C7
0067C89F .EB 25 jmp short 0067C8C6
0067C8A1 .8D4D DC lea ecx, dword ptr
0067C8A4 .8D55 E0 lea edx, dword ptr
0067C8A7 .51 push ecx
0067C8A8 .8D45 E4 lea eax, dword ptr
0067C8AB .52 push edx
0067C8AC .8D4D E8 lea ecx, dword ptr
0067C8AF .50 push eax
0067C8B0 .51 push ecx
0067C8B1 .6A 04 push 4
0067C8B3 .FF15 58114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
0067C8B9 .83C4 14 add esp, 14
0067C8BC .8D4D D8 lea ecx, dword ptr
0067C8BF .FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
0067C8C5 .C3 retn
0067C8C6 >C3 retn ;RET 用作跳转到 0067C8C7
0067C8C7 >8B45 08 mov eax, dword ptr
0067C8CA .50 push eax
0067C8CB .8B10 mov edx, dword ptr
0067C8CD .FF52 08 call dword ptr
0067C8D0 .8B45 FC mov eax, dword ptr
0067C8D3 .8B4D EC mov ecx, dword ptr
0067C8D6 .5F pop edi
0067C8D7 .5E pop esi
0067C8D8 .64:890D 00000>mov dword ptr fs:, ecx
0067C8DF .5B pop ebx
0067C8E0 .8BE5 mov esp, ebp
0067C8E2 .5D pop ebp
0067C8E3 .C2 0400 retn 4
==================================================
==================================================
00687336 .FF90 F8060000 call dword ptr ds: 将硬盘序列号转换为91275844
....................................................................................................
00431986 . /E9 05172500 jmp Super背?00683090
0043198B |00 db 00
0043198C |00 db 00
0043198D |00 db 00
0043198E |00 db 00
0043198F |00 db 00
00431990 |54D16800 dd Super背?0068D154
省略代码
..............................................................
..............................................................
00683090 > \55 push ebp
00683091 .8BEC mov ebp,esp
00683093 .83EC 0C sub esp,0C
00683096 .68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE 句柄安装
0068309B .64:A1 00000000 mov eax,dword ptr fs:
006830A1 .50 push eax
006830A2 .64:8925 00000000 mov dword ptr fs:,esp
006830A9 .81EC A8000000 sub esp,0A8
006830AF .53 push ebx
006830B0 .56 push esi
006830B1 .57 push edi
006830B2 .8965 F4 mov dword ptr ss:,esp
006830B5 .C745 F8 701B4000 mov dword ptr ss:,Super背?00401B70
006830BC .33DB xor ebx,ebx
006830BE .895D FC mov dword ptr ss:,ebx
006830C1 .8B45 08 mov eax,dword ptr ss:
006830C4 .50 push eax
006830C5 .8B08 mov ecx,dword ptr ds:
006830C7 .FF51 04 call dword ptr ds:
006830CA .8B55 0C mov edx,dword ptr ss:
006830CD .8D45 C4 lea eax,dword ptr ss:
006830D0 .53 push ebx
006830D1 .50 push eax
006830D2 .895D E8 mov dword ptr ss:,ebx
006830D5 .895D E4 mov dword ptr ss:,ebx
006830D8 .895D E0 mov dword ptr ss:,ebx
006830DB .895D DC mov dword ptr ss:,ebx
006830DE .895D D8 mov dword ptr ss:,ebx
006830E1 .895D D4 mov dword ptr ss:,ebx
006830E4 .895D C4 mov dword ptr ss:,ebx
006830E7 .895D B4 mov dword ptr ss:,ebx
006830EA .895D A4 mov dword ptr ss:,ebx
006830ED .895D 94 mov dword ptr ss:,ebx
006830F0 .895D 84 mov dword ptr ss:,ebx
006830F3 .899D 74FFFFFF mov dword ptr ss:,ebx
006830F9 .899D 54FFFFFF mov dword ptr ss:,ebx
006830FF .891A mov dword ptr ds:,ebx
00683101 .FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00683107 .8D4D C4 lea ecx,dword ptr ss:
0068310A .8D55 B4 lea edx,dword ptr ss:
0068310D .51 push ecx
0068310E .68 00040000 push 400
00683113 .52 push edx
00683114 .FF15 1C114000 call dword ptr ds:[<&MSVBVM60.#607>] ;MSVBVM60.rtcStringVar
0068311A .8B3D 20104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>;MSVBVM60.__vbaStrVarMove
00683120 .8D45 B4 lea eax,dword ptr ss:
00683123 .50 push eax
00683124 .FFD7 call edi ;<&MSVBVM60.__vbaStrVarMove>
00683126 .8B35 94114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>];MSVBVM60.__vbaStrMove
0068312C .8BD0 mov edx,eax
0068312E .8D4D E0 lea ecx,dword ptr ss:
00683131 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
00683133 .8D4D B4 lea ecx,dword ptr ss:
00683136 .8D55 C4 lea edx,dword ptr ss:
00683139 .51 push ecx
0068313A .52 push edx
0068313B .6A 02 push 2
0068313D .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00683143 .8B45 E0 mov eax,dword ptr ss:
00683146 .83C4 0C add esp,0C
00683149 .8D4D D8 lea ecx,dword ptr ss:
0068314C .50 push eax
0068314D .51 push ecx
0068314E .FF15 74114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>] ;MSVBVM60.__vbaStrToAnsi
00683154 .50 push eax
00683155 .E8 6606DBFF call Super背?004337C0
0068315A .DDD8 fstp st
0068315C .FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystemErro>;MSVBVM60.__vbaSetSystemError
00683162 .8B55 D8 mov edx,dword ptr ss: ;获得硬盘序列号(ASCII " 5MT1A8DX")
00683165 .8D45 E0 lea eax,dword ptr ss:
00683168 .52 push edx
00683169 .50 push eax
0068316A .FF15 0C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToUnicode>>;eax= (ASCII " 5MT1A8DX")
00683170 .8D4D D8 lea ecx,dword ptr ss:
00683173 .FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00683179 .8D4D C4 lea ecx,dword ptr ss:
0068317C .53 push ebx
0068317D .51 push ecx
0068317E .FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00683184 .53 push ebx
00683185 .6A FF push -1
00683187 .6A 01 push 1
00683189 .8D55 C4 lea edx,dword ptr ss:
0068318C .68 881E4300 push Super背?00431E88
00683191 .8D45 D8 lea eax,dword ptr ss:
00683194 .52 push edx
00683195 .50 push eax
00683196 .FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
0068319C .50 push eax
0068319D .8B4D E0 mov ecx,dword ptr ss: ;ecx= (UNICODE " 5MT1A8DX")
006831A0 .51 push ecx
006831A1 .FF15 10114000 call dword ptr ds:[<&MSVBVM60.#712>] ;MSVBVM60.rtcReplace
006831A7 .8945 BC mov dword ptr ss:,eax ;eax= (UNICODE " 5MT1A8DX")
006831AA .8D55 B4 lea edx,dword ptr ss:
006831AD .8D45 A4 lea eax,dword ptr ss:
006831B0 .52 push edx
006831B1 .50 push eax
006831B2 .C745 B4 08000000 mov dword ptr ss:,8
006831B9 .FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
006831BF .8D4D A4 lea ecx,dword ptr ss:
006831C2 .51 push ecx
006831C3 .FFD7 call edi ;<&MSVBVM60.__vbaStrVarMove>
006831C5 .8BD0 mov edx,eax ;eax=(UNICODE "5MT1A8DX")
006831C7 .8D4D E0 lea ecx,dword ptr ss:
006831CA .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
006831CC .8D4D D8 lea ecx,dword ptr ss:
006831CF .FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
006831D5 .8D55 A4 lea edx,dword ptr ss:
006831D8 .8D45 B4 lea eax,dword ptr ss:
006831DB .52 push edx
006831DC .8D4D C4 lea ecx,dword ptr ss:
006831DF .50 push eax
006831E0 .51 push ecx
006831E1 .6A 03 push 3
006831E3 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
006831E9 .8B1D 1C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>];MSVBVM60.__vbaFreeVar
006831EF .83C4 10 add esp,10
006831F2 >8B55 E0 mov edx,dword ptr ss: ; 保存当前硬盘序列号
006831F5 .52 push edx ;
006831F6 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;当前硬盘序列号长度
006831FC .85C0 test eax,eax ;检查长度是否为0为0跳出循环
006831FE .0F8E CB000000 jle Super背?006832CF
00683204 .8D8D 74FFFFFF lea ecx,dword ptr ss:
0068320A .6A 01 push 1
0068320C .8D55 C4 lea edx,dword ptr ss:
0068320F .8D45 E0 lea eax,dword ptr ss:
00683212 .51 push ecx
00683213 .52 push edx
00683214 .8985 7CFFFFFF mov dword ptr ss:,eax
0068321A .C785 74FFFFFF 08>mov dword ptr ss:,4008
00683224 .FF15 88114000 call dword ptr ds:[<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
0068322A .8B45 E4 mov eax,dword ptr ss:
0068322D .8D4D C4 lea ecx,dword ptr ss:
00683230 .50 push eax
00683231 .8D55 D8 lea edx,dword ptr ss:
00683234 .51 push ecx
00683235 .52 push edx
00683236 .FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;逐位取硬盘序列号的ASCII码值存入eax
0068323C .50 push eax ;
0068323D .FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
00683243 .66:99 cwd
00683245 .66:B9 0A00 mov cx,0A
00683249 .66:F7F9 idiv cx ;将取得值除A取余
0068324C .52 push edx
0068324D .FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ;将余数转换成它的ASCII码值
00683253 .8BD0 mov edx,eax ;
00683255 .8D4D D4 lea ecx,dword ptr ss:
00683258 .FFD6 call esi
0068325A .50 push eax
0068325B .FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ;将余数连接起来得到新的数值串
00683261 .8BD0 mov edx,eax ;
00683263 .8D4D E4 lea ecx,dword ptr ss:
00683266 .FFD6 call esi
00683268 .8D55 D4 lea edx,dword ptr ss:
0068326B .8D45 D8 lea eax,dword ptr ss:
0068326E .52 push edx
0068326F .50 push eax
00683270 .6A 02 push 2
00683272 .FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
00683278 .83C4 0C add esp,0C
0068327B .8D4D C4 lea ecx,dword ptr ss:
0068327E .FFD3 call ebx
00683280 .8B55 E0 mov edx,dword ptr ss: ;保存当前的硬盘序列号
00683283 .8D4D E0 lea ecx,dword ptr ss:
00683286 .52 push edx
00683287 .898D 7CFFFFFF mov dword ptr ss:,ecx
0068328D .C785 74FFFFFF 08>mov dword ptr ss:,4008
00683297 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;当前硬盘序列号长度
0068329D .83E8 01 sub eax,1 ;当前长度减1
006832A0 .8D4D C4 lea ecx,dword ptr ss:
006832A3 .0F80 F5010000 jo Super背?0068349E
006832A9 .50 push eax
006832AA .8D85 74FFFFFF lea eax,dword ptr ss:
006832B0 .50 push eax
006832B1 .51 push ecx
006832B2 .FF15 98114000 call dword ptr ds:[<&MSVBVM60.#619>] ;MSVBVM60.rtcRightCharVar
006832B8 .8D55 C4 lea edx,dword ptr ss:
006832BB .52 push edx
006832BC .FFD7 call edi ;保存当前硬盘序列号
006832BE .8BD0 mov edx,eax ;
006832C0 .8D4D E0 lea ecx,dword ptr ss: ;
006832C3 .FFD6 call esi
006832C5 .8D4D C4 lea ecx,dword ptr ss:
006832C8 .FFD3 call ebx
006832CA .^ E9 23FFFFFF jmp Super背?006831F2
006832CF >8B45 E4 mov eax,dword ptr ss: ;保存当前的新数值串
006832D2 .50 push eax
006832D3 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;当前新数值串的长度
006832D9 .85C0 test eax,eax ; 检查长度是否为0为0跳出循环
006832DB .0F8E 28010000 jle Super背?00683409
006832E1 .8B4D E8 mov ecx,dword ptr ss:
006832E4 .8D85 74FFFFFF lea eax,dword ptr ss:
006832EA .898D 5CFFFFFF mov dword ptr ss:,ecx
006832F0 .6A 01 push 1
006832F2 .8D4D C4 lea ecx,dword ptr ss:
006832F5 .8D55 E4 lea edx,dword ptr ss:
006832F8 .50 push eax
006832F9 .51 push ecx
006832FA .C785 54FFFFFF 08>mov dword ptr ss:,8
00683304 .8995 7CFFFFFF mov dword ptr ss:,edx
0068330A .C785 74FFFFFF 08>mov dword ptr ss:,4008
00683314 .FF15 88114000 call dword ptr ds:[<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
0068331A .8D55 C4 lea edx,dword ptr ss:
0068331D .8D45 D8 lea eax,dword ptr ss:
00683320 .52 push edx
00683321 .50 push eax
00683322 .FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
00683328 .50 push eax ;
00683329 .FF15 C0114000 call dword ptr ds:[<&MSVBVM60.#581>] ;逐位取新数值的实数到(ST0)
0068332F .DC0D 681B4000 fmul qword ptr ds: (ST0)乘以ds:的值将结果送(ST0)
00683335 .DFE0 fstsw ax ;
00683337 .A8 0D test al,0D
00683339 .0F85 5A010000 jnz Super背?00683499
0068333F .FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ;将(ST0)十进制值转换为它的十六进制值
00683345 .99 cdq ;
00683346 .B9 0A000000 mov ecx,0A
0068334B .C745 B4 03000000 mov dword ptr ss:,3
00683352 .F7F9 idiv ecx ;将十六进制值除A取余
00683354 .8D45 A4 lea eax,dword ptr ss:
00683357 .8955 BC mov dword ptr ss:,edx
0068335A .8D55 B4 lea edx,dword ptr ss:
0068335D .52 push edx
0068335E .50 push eax
0068335F .FF15 7C114000 call dword ptr ds:[<&MSVBVM60.#613>] ;MSVBVM60.rtcVarStrFromVar
00683365 .8D4D A4 lea ecx,dword ptr ss:
00683368 .8D55 94 lea edx,dword ptr ss:
0068336B .51 push ecx
0068336C .52 push edx
0068336D .FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00683373 .8D85 54FFFFFF lea eax,dword ptr ss:
00683379 .8D4D 94 lea ecx,dword ptr ss:
0068337C .50 push eax
0068337D .8D55 84 lea edx,dword ptr ss:
00683380 .51 push ecx
00683381 .52 push edx
00683382 .FF15 34114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ;MSVBVM60.__vbaVarCat
00683388 .50 push eax
00683389 .FFD7 call edi 将余数连接起来得到前码
0068338B .8BD0 mov edx,eax
0068338D .8D4D E8 lea ecx,dword ptr ss:
00683390 .FFD6 call esi
00683392 .8D4D D8 lea ecx,dword ptr ss:
00683395 .FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0068339B .8D45 84 lea eax,dword ptr ss:
0068339E .8D4D 94 lea ecx,dword ptr ss:
006833A1 .50 push eax
006833A2 .8D55 A4 lea edx,dword ptr ss:
006833A5 .51 push ecx
006833A6 .8D45 B4 lea eax,dword ptr ss:
006833A9 .52 push edx
006833AA .8D4D C4 lea ecx,dword ptr ss:
006833AD .50 push eax
006833AE .51 push ecx
006833AF .6A 05 push 5
006833B1 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
006833B7 .8B45 E4 mov eax,dword ptr ss: ;获得当前的新数值串
006833BA .83C4 18 add esp,18
006833BD .8D55 E4 lea edx,dword ptr ss:
006833C0 .C785 74FFFFFF 08>mov dword ptr ss:,4008
006833CA .50 push eax
006833CB .8995 7CFFFFFF mov dword ptr ss:,edx
006833D1 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;获得当前的新数值串长度
006833D7 .83E8 01 sub eax,1 当前长度减1
006833DA .8D8D 74FFFFFF lea ecx,dword ptr ss:
006833E0 .0F80 B8000000 jo Super背?0068349E
006833E6 .50 push eax
006833E7 .8D55 C4 lea edx,dword ptr ss:
006833EA .51 push ecx
006833EB .52 push edx
006833EC .FF15 98114000 call dword ptr ds:[<&MSVBVM60.#619>] ;MSVBVM60.rtcRightCharVar
006833F2 .8D45 C4 lea eax,dword ptr ss:
006833F5 .50 push eax
006833F6 .FFD7 call edi ;获得当前的新数值串
006833F8 .8BD0 mov edx,eax
006833FA .8D4D E4 lea ecx,dword ptr ss:
006833FD .FFD6 call esi
006833FF .8D4D C4 lea ecx,dword ptr ss:
00683402 .FFD3 call ebx
00683404 .^ E9 C6FEFFFF jmp Super背?006832CF ;
00683409 >8B55 E8 mov edx,dword ptr ss: ;显示前码
0068340C .8D4D DC lea ecx,dword ptr ss:
0068340F .FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
00683415 .9B wait
00683416 .68 72346800 push Super背?00683472
0068341B .EB 3F jmp short Super背?0068345C
0068341D .F645 FC 04 test byte ptr ss:,4
00683421 .74 09 je short Super背?0068342C
00683423 .8D4D DC lea ecx,dword ptr ss:
00683426 .FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0068342C >8D4D D4 lea ecx,dword ptr ss:
0068342F .8D55 D8 lea edx,dword ptr ss:
00683432 .51 push ecx
00683433 .52 push edx
00683434 .6A 02 push 2
00683436 .FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
0068343C .8D45 84 lea eax,dword ptr ss:
0068343F .8D4D 94 lea ecx,dword ptr ss:
00683442 .50 push eax
00683443 .8D55 A4 lea edx,dword ptr ss:
00683446 .51 push ecx
00683447 .8D45 B4 lea eax,dword ptr ss:
0068344A .52 push edx
0068344B .8D4D C4 lea ecx,dword ptr ss:
0068344E .50 push eax
0068344F .51 push ecx
00683450 .6A 05 push 5
00683452 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00683458 .83C4 24 add esp,24
0068345B .C3 retn
0068345C >8B35 B8114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>];MSVBVM60.__vbaFreeStr
00683462 .8D4D E8 lea ecx,dword ptr ss:
00683465 .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
00683467 .8D4D E4 lea ecx,dword ptr ss:
0068346A .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
0068346C .8D4D E0 lea ecx,dword ptr ss:
0068346F .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
00683471 .C3 retn
00683472 .8B45 08 mov eax,dword ptr ss:
00683475 .50 push eax
00683476 .8B10 mov edx,dword ptr ds:
00683478 .FF52 08 call dword ptr ds:
0068347B .8B45 0C mov eax,dword ptr ss:
0068347E .8B4D DC mov ecx,dword ptr ss:
00683481 .8908 mov dword ptr ds:,ecx
00683483 .8B45 FC mov eax,dword ptr ss:
00683486 .8B4D EC mov ecx,dword ptr ss:
00683489 .5F pop edi
0068348A .5E pop esi
0068348B .64:890D 00000000 mov dword ptr fs:,ecx
00683492 .5B pop ebx
00683493 .8BE5 mov esp,ebp
00683495 .5D pop ebp
00683496 .C2 0800 retn 8
00683499 >^ E9 FEEBD7FF jmp <jmp.&MSVBVM60.__vbaFPException>
算法总结:
计算前码:首先获得硬盘序列号5MT1A8DX,循环逐位取序列号的ASCII码值除A取余,最后将余数连接起来得到37495688.
循环逐位取37495688的值送入(st0)并乘以ds:的值(我这里是3),得到十进制值,将(ST0)十进制值
转换为它的十六进制值除A取余,最后将余数连接起来得到91275844,这就是前码.
计算后码:1.循环逐位取91275844的值,转换为它的ASCII码值,然后累加得到1A8在乘以13得到1F78除9取余存入ss:中.
2.循环逐位取91275844的ASCII码值,自乘,同时计数,将它取第一位数,计数为1,每循环一次计数值加1,将当前计
数值乘3除2得到商加上自乘值和ss:中的值,除A取余,最后将余数连接起来就得到15527657,这就是后码.
[ 本帖最后由 交响诗篇 于 2008-8-7 10:42 编辑 ] /:good VB的不好分析 /:good 正在学习VB,谢谢
VB可以用VBExplorer找关键点
[ 本帖最后由 指舞瞬间 于 2008-8-9 21:59 编辑 ] 楼主好文 ,学习了!谢谢分享! 牛!!!!!!!!!!!!!!!!!!!! 学习了!谢谢分享!
页:
[1]