CrackMe By [PYG]Zass算法分析+VB注册机源码
【破文标题】CrackMe By Zass算法分析+VB注册机源码
【破解作者】hrbx
【破解日期】2009-11-05
【软件简介】CrackMe By Zass
【下载地址】https://www.chinapyg.com/viewthread.php?tid=50759&extra=page%3D1
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用PEiD扫描,显示为:Microsoft Visual Basic 5.0 / 6.0,无壳。
2.查找程序控件事件地址。OD载入,Ctrl+B,在Hex栏输入:816C24(即指令 sub dword ptr [esp+4], imm32 的前三个字节,下表每个事件入口桩都以该指令开头),查找VB各控件事件地址:
==================================================================
00402C1C .816C24 04 43000000 sub dword ptr [esp+4], 43
00402C24 .E9 E7010000 jmp 00402E10 ;注册按钮_Click
00402C36 .816C24 04 47000000 sub dword ptr [esp+4], 47
00402C3E E9 4D050000 jmp 00403190 ;注册名_Change
00402C43 .816C24 04 47000000 sub dword ptr [esp+4], 47
00402C4B .E9 00060000 jmp 00403250 ;注册名_GotFocus
00402C50 .816C24 04 4B000000 sub dword ptr [esp+4], 4B
00402C58 E9 B3060000 jmp 00403310 ;注册码_Change
00402C84 .816C24 04 4B000000 sub dword ptr [esp+4], 4B
00402C8C .E9 DF1D0000 jmp 00404A70 ;注册码_GotFocus
==================================================================
3.暴破分析。OD载入,Ctrl+G,输入注册按钮_Click事件地址:00402E10,确定后F2下断:
00402E10 > \55 push ebp ;F2下断
00402E11 .8BEC mov ebp, esp
00402E13 .83EC 0C sub esp, 0C
00402E16 .68 D6114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE 处理程序安装
00402E1B .64:A1 00000000 mov eax, dword ptr fs:
00402E21 .50 push eax
00402E22 .64:8925 00000000 mov dword ptr fs:, esp
00402E29 .83EC 2C sub esp, 2C
00402E2C .53 push ebx
00402E2D .56 push esi
00402E2E .57 push edi
00402E2F .8965 F4 mov dword ptr , esp
00402E32 .C745 F8 18114000 mov dword ptr , 00401118
00402E39 .8B75 08 mov esi, dword ptr
00402E3C .8BC6 mov eax, esi
00402E3E .83E0 01 and eax, 1
00402E41 .8945 FC mov dword ptr , eax
00402E44 .83E6 FE and esi, FFFFFFFE
00402E47 .56 push esi
00402E48 .8975 08 mov dword ptr , esi
00402E4B .8B0E mov ecx, dword ptr
00402E4D .FF51 04 call dword ptr
00402E50 .8B16 mov edx, dword ptr
00402E52 .33C0 xor eax, eax
00402E54 .56 push esi
00402E55 .8945 E8 mov dword ptr , eax
00402E58 .8945 E4 mov dword ptr , eax
00402E5B .8945 E0 mov dword ptr , eax
00402E5E .8945 DC mov dword ptr , eax
00402E61 .FF92 04030000 call dword ptr
00402E67 .8B1D 44104000 mov ebx, dword ptr [<&MSVBVM60.__vbaObjS>
00402E6D .50 push eax
00402E6E .8D45 E0 lea eax, dword ptr
00402E71 .50 push eax
00402E72 .FFD3 call ebx
00402E74 .8BF8 mov edi, eax
00402E76 .8D55 E8 lea edx, dword ptr
00402E79 .52 push edx
00402E7A .57 push edi
00402E7B .8B0F mov ecx, dword ptr
00402E7D .FF91 A0000000 call dword ptr
00402E83 .85C0 test eax, eax
00402E85 .DBE2 fclex
00402E87 .7D 12 jge short 00402E9B
00402E89 .68 A0000000 push 0A0
00402E8E .68 D4234000 push 004023D4
00402E93 .57 push edi
00402E94 .50 push eax
00402E95 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00402E9B >8B06 mov eax, dword ptr
00402E9D .56 push esi
00402E9E .FF90 00030000 call dword ptr
00402EA4 .8D4D DC lea ecx, dword ptr
00402EA7 .50 push eax
00402EA8 .51 push ecx
00402EA9 .FFD3 call ebx
00402EAB .8BF8 mov edi, eax
00402EAD .8D45 E4 lea eax, dword ptr
00402EB0 .50 push eax
00402EB1 .57 push edi
00402EB2 .8B17 mov edx, dword ptr
00402EB4 .FF92 A0000000 call dword ptr
00402EBA .85C0 test eax, eax
00402EBC .DBE2 fclex
00402EBE .7D 12 jge short 00402ED2
00402EC0 .68 A0000000 push 0A0
00402EC5 .68 D4234000 push 004023D4
00402ECA .57 push edi
00402ECB .50 push eax
00402ECC .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00402ED2 >8B4D E4 mov ecx, dword ptr ;注册码
00402ED5 .51 push ecx
00402ED6 .68 E8234000 push 004023E8
00402EDB .FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>];检测注册码是否为空
00402EE1 .8B55 E8 mov edx, dword ptr ;注册名
00402EE4 .8BF8 mov edi, eax
00402EE6 .F7DF neg edi
00402EE8 .1BFF sbb edi, edi
00402EEA .52 push edx
00402EEB .47 inc edi
00402EEC .68 E8234000 push 004023E8
00402EF1 .F7DF neg edi
00402EF3 .FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>];检测注册名是否为空
00402EF9 .F7D8 neg eax
00402EFB .1BC0 sbb eax, eax
00402EFD .8D4D E8 lea ecx, dword ptr
00402F00 .40 inc eax
00402F01 .F7D8 neg eax
00402F03 .0BF8 or edi, eax
00402F05 .8D45 E4 lea eax, dword ptr
00402F08 .50 push eax
00402F09 .51 push ecx
00402F0A .6A 02 push 2
00402F0C .FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStrLi>
00402F12 .8D55 DC lea edx, dword ptr
00402F15 .8D45 E0 lea eax, dword ptr
00402F18 .52 push edx
00402F19 .50 push eax
00402F1A .6A 02 push 2
00402F1C .FF15 28104000 call dword ptr [<&MSVBVM60.__vbaFreeObjLi>
00402F22 .83C4 18 add esp, 18
00402F25 .66:85FF test di, di
00402F28 .74 6C je short 00402F96 ;注册名、注册码均不为空则跳
00402F2A .8B0E mov ecx, dword ptr
00402F2C .56 push esi
00402F2D .FF91 0C030000 call dword ptr
00402F33 .8D55 E0 lea edx, dword ptr
00402F36 .50 push eax
00402F37 .52 push edx
00402F38 .FFD3 call ebx
00402F3A .8BF8 mov edi, eax
00402F3C .6A FF push -1
00402F3E .57 push edi
00402F3F .8B07 mov eax, dword ptr
00402F41 .FF90 9C000000 call dword ptr
00402F47 .85C0 test eax, eax
00402F49 .DBE2 fclex
00402F4B .7D 12 jge short 00402F5F
00402F4D .68 9C000000 push 9C
00402F52 .68 EC234000 push 004023EC
00402F57 .57 push edi
00402F58 .50 push eax
00402F59 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00402F5F >8B3D 08114000 mov edi, dword ptr [<&MSVBVM60.__vbaFree>
00402F65 .8D4D E0 lea ecx, dword ptr
00402F68 .FFD7 call edi
00402F6A .8B0E mov ecx, dword ptr
00402F6C .56 push esi
00402F6D .FF91 0C030000 call dword ptr
00402F73 .8D55 E0 lea edx, dword ptr
00402F76 .50 push eax
00402F77 .52 push edx
00402F78 .FFD3 call ebx
00402F7A .8BF0 mov esi, eax
00402F7C .68 00244000 push 00402400
00402F81 .56 push esi
00402F82 .8B06 mov eax, dword ptr
00402F84 .FF50 54 call dword ptr
00402F87 .85C0 test eax, eax
00402F89 .DBE2 fclex
00402F8B .0F8D E3000000 jge 00403074
00402F91 .E9 CF000000 jmp 00403065
00402F96 >66:833D 24604000 00 cmp word ptr [406024], 0 ;检测地址[406024]的值是否为0,标志位(该标志由注册码_Change事件在0040344D、00403DD0处写入)
00402F9E .8B0E mov ecx, dword ptr
00402FA0 .56 push esi
00402FA1 .75 62 jnz short 00403005 ;暴破点1,Nop
00402FA3 .FF91 0C030000 call dword ptr
00402FA9 .8D55 E0 lea edx, dword ptr
00402FAC .50 push eax
00402FAD .52 push edx
00402FAE .FFD3 call ebx
00402FB0 .8BF8 mov edi, eax
00402FB2 .6A FF push -1
00402FB4 .57 push edi
00402FB5 .8B07 mov eax, dword ptr
00402FB7 .FF90 9C000000 call dword ptr
4.算法分析。OD载入,Ctrl+G,输入注册码_Change事件地址:00403310,确定后F2下断,输入注册信息:
======================================
注册名:hrbx
注册码:9876543210
======================================
程序立即中断:
00403310 > \55 push ebp ;F2在此下断
00403311 .8BEC mov ebp, esp
00403313 .83EC 0C sub esp, 0C
00403316 .68 D6114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE 处理程序安装
0040331B .64:A1 00000000 mov eax, dword ptr fs:
00403321 .50 push eax
00403322 .64:8925 00000000 mov dword ptr fs:, esp
00403329 .81EC 84020000 sub esp, 284
0040332F .53 push ebx
00403330 .56 push esi
00403331 .57 push edi
00403332 .8965 F4 mov dword ptr , esp
00403335 .C745 F8 68114000 mov dword ptr , 00401168
0040333C .8B75 08 mov esi, dword ptr
0040333F .8BC6 mov eax, esi
00403341 .83E0 01 and eax, 1
00403344 .8945 FC mov dword ptr , eax
00403347 .83E6 FE and esi, FFFFFFFE
0040334A .56 push esi
0040334B .8975 08 mov dword ptr , esi
0040334E .8B0E mov ecx, dword ptr
00403350 .FF51 04 call dword ptr
00403353 .6A 08 push 8 ; /varType = String
00403355 .8D55 80 lea edx, dword ptr ; |定义字符串数组
00403358 .33DB xor ebx, ebx ; |
0040335A .68 70244000 push 00402470 ; |
0040335F .52 push edx ; |
00403360 .895D E8 mov dword ptr , ebx ; |
00403363 .895D E4 mov dword ptr , ebx ; |
00403366 .895D D4 mov dword ptr , ebx ; |
00403369 .895D D0 mov dword ptr , ebx ; |
0040336C .895D CC mov dword ptr , ebx ; |
0040336F .895D C8 mov dword ptr , ebx ; |
00403372 .895D B8 mov dword ptr , ebx ; |
00403375 .895D A8 mov dword ptr , ebx ; |
00403378 .895D 98 mov dword ptr , ebx ; |
0040337B .899D 6CFFFFFF mov dword ptr , ebx ; |
00403381 .899D 5CFFFFFF mov dword ptr , ebx ; |
00403387 .899D 4CFFFFFF mov dword ptr , ebx ; |
0040338D .899D 48FFFFFF mov dword ptr , ebx ; |
00403393 .899D 38FFFFFF mov dword ptr , ebx ; |
00403399 .899D 34FFFFFF mov dword ptr , ebx ; |
0040339F .899D 30FFFFFF mov dword ptr , ebx ; |
004033A5 .899D 2CFFFFFF mov dword ptr , ebx ; |
004033AB .899D 28FFFFFF mov dword ptr , ebx ; |
004033B1 .899D 24FFFFFF mov dword ptr , ebx ; |
004033B7 .899D 14FFFFFF mov dword ptr , ebx ; |
004033BD .899D 04FFFFFF mov dword ptr , ebx ; |
004033C3 .899D F4FEFFFF mov dword ptr , ebx ; |
004033C9 .899D E4FEFFFF mov dword ptr , ebx ; |
004033CF .899D D4FEFFFF mov dword ptr , ebx ; |
004033D5 .899D C4FEFFFF mov dword ptr , ebx ; |
004033DB .899D B4FEFFFF mov dword ptr , ebx ; |
004033E1 .899D A4FEFFFF mov dword ptr , ebx ; |
004033E7 .899D 94FEFFFF mov dword ptr , ebx ; |
004033ED .899D 84FEFFFF mov dword ptr , ebx ; |
004033F3 .899D 74FEFFFF mov dword ptr , ebx ; |
004033F9 .899D 64FEFFFF mov dword ptr , ebx ; |
004033FF .899D 60FEFFFF mov dword ptr , ebx ; |
00403405 .899D 5CFEFFFF mov dword ptr , ebx ; |
0040340B .899D 3CFEFFFF mov dword ptr , ebx ; |
00403411 .899D 2CFEFFFF mov dword ptr , ebx ; |
00403417 .899D 1CFEFFFF mov dword ptr , ebx ; |
0040341D .899D 0CFEFFFF mov dword ptr , ebx ; |
00403423 .899D FCFDFFFF mov dword ptr , ebx ; |
00403429 .899D ECFDFFFF mov dword ptr , ebx ; |
0040342F .899D DCFDFFFF mov dword ptr , ebx ; |
00403435 .899D CCFDFFFF mov dword ptr , ebx ; |
0040343B .899D BCFDFFFF mov dword ptr , ebx ; |
00403441 .899D ACFDFFFF mov dword ptr , ebx ; |
00403447 .FF15 70104000 call dword ptr [<&MSVBVM60.__vbaAryConstr>; \__vbaAryConstruct2
0040344D .66:891D 24604000 mov word ptr [406024], bx ;标志位[406024]清零(ebx已在00403358处清零)
00403454 .8B06 mov eax, dword ptr
00403456 .56 push esi
00403457 .FF90 04030000 call dword ptr
0040345D .8D8D 24FFFFFF lea ecx, dword ptr
00403463 .50 push eax
00403464 .51 push ecx
00403465 .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
0040346B .8BF8 mov edi, eax
0040346D .8D85 34FFFFFF lea eax, dword ptr
00403473 .50 push eax
00403474 .57 push edi
00403475 .8B17 mov edx, dword ptr
00403477 .FF92 A0000000 call dword ptr
0040347D .3BC3 cmp eax, ebx
0040347F .DBE2 fclex
00403481 .7D 12 jge short 00403495
00403483 .68 A0000000 push 0A0
00403488 .68 D4234000 push 004023D4
0040348D .57 push edi
0040348E .50 push eax
0040348F .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403495 >8B8D 34FFFFFF mov ecx, dword ptr ;用户名"hrbx"
0040349B .51 push ecx
0040349C .68 E8234000 push 004023E8
004034A1 .FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCmp>];比较用户名是否为空
004034A7 .8BF8 mov edi, eax
004034A9 .8D8D 34FFFFFF lea ecx, dword ptr
004034AF .F7DF neg edi
004034B1 .1BFF sbb edi, edi
004034B3 .47 inc edi
004034B4 .F7DF neg edi
004034B6 .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004034BC .8D8D 24FFFFFF lea ecx, dword ptr
004034C2 .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004034C8 .66:3BFB cmp di, bx
004034CB .0F85 B10F0000 jnz 00404482 ;用户名为空则跳(edi=-1表示用户名为空;本例用户名"hrbx"不为空,不跳)
004034D1 .8B16 mov edx, dword ptr
004034D3 .56 push esi
004034D4 .FF92 04030000 call dword ptr
004034DA .50 push eax
004034DB .8D85 24FFFFFF lea eax, dword ptr
004034E1 .50 push eax
004034E2 .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004034E8 .8BF8 mov edi, eax
004034EA .8D95 34FFFFFF lea edx, dword ptr
004034F0 .52 push edx
004034F1 .57 push edi
004034F2 .8B0F mov ecx, dword ptr
004034F4 .FF91 A0000000 call dword ptr
004034FA .3BC3 cmp eax, ebx
004034FC .DBE2 fclex
004034FE .7D 12 jge short 00403512
00403500 .68 A0000000 push 0A0
00403505 .68 D4234000 push 004023D4
0040350A .57 push edi
0040350B .50 push eax
0040350C .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403512 >8B85 34FFFFFF mov eax, dword ptr ; 用户名"hrbx"
00403518 .53 push ebx ; lBoundn,数组下界
00403519 .50 push eax
0040351A .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; __vbaLenBstr,获取用户名长度作为数组长度
00403520 .50 push eax ; uBoundn,数组上界
00403521 .6A 01 push 1
00403523 .8D8D 48FFFFFF lea ecx, dword ptr
00403529 .6A 08 push 8
0040352B .51 push ecx
0040352C .6A 04 push 4
0040352E .68 80010000 push 180
00403533 .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaRedim>] ; __vbaRedim
00403539 .83C4 1C add esp, 1C ; 重新定义数组长度
0040353C .8D8D 34FFFFFF lea ecx, dword ptr
00403542 .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403548 .8D8D 24FFFFFF lea ecx, dword ptr
0040354E .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403554 .8B16 mov edx, dword ptr
00403556 .56 push esi
00403557 .C785 ACFEFFFF 010000>mov dword ptr , 1
00403561 .C785 A4FEFFFF 020000>mov dword ptr , 2
0040356B .FF92 04030000 call dword ptr
00403571 .50 push eax
00403572 .8D85 24FFFFFF lea eax, dword ptr
00403578 .50 push eax
00403579 .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
0040357F .8BF8 mov edi, eax
00403581 .8D95 34FFFFFF lea edx, dword ptr
00403587 .52 push edx
00403588 .57 push edi
00403589 .8B0F mov ecx, dword ptr
0040358B .FF91 A0000000 call dword ptr
00403591 .3BC3 cmp eax, ebx
00403593 .DBE2 fclex
00403595 .7D 12 jge short 004035A9
00403597 .68 A0000000 push 0A0
0040359C .68 D4234000 push 004023D4
004035A1 .57 push edi
004035A2 .50 push eax
004035A3 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
004035A9 >8B85 34FFFFFF mov eax, dword ptr
004035AF .50 push eax ; 用户名"hrbx"
004035B0 .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; __vbaLenBstr
004035B6 .8D8D A4FEFFFF lea ecx, dword ptr ;获取用户名长度作为循环变量
004035BC .8985 9CFEFFFF mov dword ptr , eax
004035C2 .8D95 94FEFFFF lea edx, dword ptr
004035C8 .51 push ecx ; /Step8
004035C9 .8D85 84FEFFFF lea eax, dword ptr ; |
004035CF .52 push edx ; |End8
004035D0 .8D8D 2CFEFFFF lea ecx, dword ptr ; |
004035D6 .50 push eax ; |Start8
004035D7 .8D95 3CFEFFFF lea edx, dword ptr ; |
004035DD .51 push ecx ; |TMPend8
004035DE .8D85 38FFFFFF lea eax, dword ptr ; |
004035E4 .52 push edx ; |TMPstep8
004035E5 .50 push eax ; |Counter8
004035E6 .C785 94FEFFFF 030000>mov dword ptr , 3 ; |
004035F0 .C785 8CFEFFFF 010000>mov dword ptr , 1 ; |
004035FA .C785 84FEFFFF 020000>mov dword ptr , 2 ; |
00403604 .FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>; \__vbaVarForInit
0040360A .8D8D 34FFFFFF lea ecx, dword ptr
00403610 .8BF8 mov edi, eax
00403612 .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403618 .8D8D 24FFFFFF lea ecx, dword ptr
0040361E .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403624 >3BFB cmp edi, ebx
00403626 .0F84 EB010000 je 00403817
0040362C .8B0E mov ecx, dword ptr
0040362E .56 push esi
0040362F .FF91 04030000 call dword ptr
00403635 .8D95 24FFFFFF lea edx, dword ptr
0040363B .50 push eax
0040363C .52 push edx
0040363D .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403643 .8BF8 mov edi, eax
00403645 .8D8D 34FFFFFF lea ecx, dword ptr
0040364B .51 push ecx
0040364C .57 push edi
0040364D .8B07 mov eax, dword ptr
0040364F .FF90 A0000000 call dword ptr
00403655 .3BC3 cmp eax, ebx
00403657 .DBE2 fclex
00403659 .7D 12 jge short 0040366D
0040365B .68 A0000000 push 0A0
00403660 .68 D4234000 push 004023D4
00403665 .57 push edi
00403666 .50 push eax
00403667 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
0040366D >8B85 34FFFFFF mov eax, dword ptr ;用户名"hrbx"
00403673 .8D95 04FFFFFF lea edx, dword ptr
00403679 .8985 1CFFFFFF mov dword ptr , eax
0040367F .8D85 38FFFFFF lea eax, dword ptr
00403685 .52 push edx
00403686 .50 push eax
00403687 .C785 0CFFFFFF 010000>mov dword ptr , 1
00403691 .C785 04FFFFFF 020000>mov dword ptr , 2
0040369B .899D 34FFFFFF mov dword ptr , ebx
004036A1 .C785 14FFFFFF 080000>mov dword ptr , 8
004036AB .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004036B1 .8D8D 14FFFFFF lea ecx, dword ptr
004036B7 .50 push eax
004036B8 .8D95 F4FEFFFF lea edx, dword ptr
004036BE .51 push ecx
004036BF .52 push edx
004036C0 .FF15 58104000 call dword ptr [<&MSVBVM60.#632>] ; rtcMidCharVar,循环取用户名每个字符("h")
004036C6 .8D85 F4FEFFFF lea eax, dword ptr
004036CC .8D8D 30FFFFFF lea ecx, dword ptr
004036D2 .50 push eax
004036D3 .51 push ecx
004036D4 .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>
004036DA .50 push eax
004036DB .FF15 2C104000 call dword ptr [<&MSVBVM60.#516>] ; rtcAnsiValueBstr,字符ASCII值
004036E1 .8B3E mov edi, dword ptr
004036E3 .8D95 28FFFFFF lea edx, dword ptr
004036E9 .52 push edx
004036EA .50 push eax
004036EB .8985 60FEFFFF mov dword ptr , eax ;EAX=0x68("h")
004036F1 .FF15 04104000 call dword ptr [<&MSVBVM60.__vbaStrI2>] ;整数转为字符串,0x68-->104-->"104"
004036F7 .8BD0 mov edx, eax ;EAX="104"
004036F9 .8D8D 2CFFFFFF lea ecx, dword ptr ;
004036FF .FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ;
00403705 .50 push eax
00403706 .56 push esi
00403707 .FF97 FC060000 call dword ptr ;CALL 00402C72,EAX大于90则减去32,104-32=72
0040370D .3BC3 cmp eax, ebx ;即用户名小写字母转为大写字母
0040370F .7D 12 jge short 00403723
00403711 .68 FC060000 push 6FC
00403716 .68 B0224000 push 004022B0
0040371B .56 push esi
0040371C .50 push eax
0040371D .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>;MSVBVM60.__vbaHresultCheckObj
00403723 >8B85 48FFFFFF mov eax, dword ptr
00403729 .3BC3 cmp eax, ebx
0040372B .74 5F je short 0040378C
0040372D .66:8338 01 cmp word ptr , 1
00403731 .75 59 jnz short 0040378C
00403733 .8D85 38FFFFFF lea eax, dword ptr
00403739 .8D8D 94FEFFFF lea ecx, dword ptr
0040373F .50 push eax
00403740 .8D95 E4FEFFFF lea edx, dword ptr
00403746 .51 push ecx
00403747 .52 push edx
00403748 .C785 9CFEFFFF 010000>mov dword ptr , 1
00403752 .C785 94FEFFFF 020000>mov dword ptr , 2
0040375C .FF15 00104000 call dword ptr [<&MSVBVM60.__vbaVarSub>]
00403762 .50 push eax
00403763 .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00403769 .8BF8 mov edi, eax
0040376B .8B85 48FFFFFF mov eax, dword ptr
00403771 .8B50 14 mov edx, dword ptr
00403774 .8B48 10 mov ecx, dword ptr
00403777 .2BFA sub edi, edx
00403779 .3BF9 cmp edi, ecx
0040377B .72 06 jb short 00403783
0040377D .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00403783 >8D04BD 00000000 lea eax, dword ptr
0040378A .EB 06 jmp short 00403792
0040378C >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00403792 >8B8D 48FFFFFF mov ecx, dword ptr
00403798 .8B95 28FFFFFF mov edx, dword ptr ;EDX="72"
0040379E .8B49 0C mov ecx, dword ptr
004037A1 .03C8 add ecx, eax
004037A3 .FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
004037A9 .8D95 28FFFFFF lea edx, dword ptr
004037AF .8D85 2CFFFFFF lea eax, dword ptr
004037B5 .52 push edx
004037B6 .8D8D 30FFFFFF lea ecx, dword ptr
004037BC .50 push eax
004037BD .51 push ecx
004037BE .6A 03 push 3
004037C0 .FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStrLi>
004037C6 .83C4 10 add esp, 10
004037C9 .8D8D 24FFFFFF lea ecx, dword ptr
004037CF .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004037D5 .8D95 F4FEFFFF lea edx, dword ptr
004037DB .8D85 04FFFFFF lea eax, dword ptr
004037E1 .52 push edx
004037E2 .8D8D 14FFFFFF lea ecx, dword ptr
004037E8 .50 push eax
004037E9 .51 push ecx
004037EA .6A 03 push 3
004037EC .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
004037F2 .83C4 10 add esp, 10
004037F5 .8D95 2CFEFFFF lea edx, dword ptr
004037FB .8D85 3CFEFFFF lea eax, dword ptr
00403801 .8D8D 38FFFFFF lea ecx, dword ptr
00403807 .52 push edx
00403808 .50 push eax
00403809 .51 push ecx
0040380A .FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>
00403810 .8BF8 mov edi, eax
00403812 .^ E9 0DFEFFFF jmp 00403624
00403817 >B8 02000000 mov eax, 2
0040381C .8D95 A4FEFFFF lea edx, dword ptr
00403822 .8985 A4FEFFFF mov dword ptr , eax
00403828 .8985 94FEFFFF mov dword ptr , eax
0040382E .8985 84FEFFFF mov dword ptr , eax
00403834 .8D85 94FEFFFF lea eax, dword ptr
0040383A .52 push edx ; /Step8
0040383B .8D8D 84FEFFFF lea ecx, dword ptr ; |
00403841 .50 push eax ; |End8
00403842 .8D95 0CFEFFFF lea edx, dword ptr ; |
00403848 .51 push ecx ; |Start8
00403849 .8D85 1CFEFFFF lea eax, dword ptr ; |
0040384F .52 push edx ; |TMPend8
00403850 .8D4D D4 lea ecx, dword ptr ; |
00403853 .50 push eax ; |TMPstep8
00403854 .51 push ecx ; |Counter8
00403855 .C785 ACFEFFFF 010000>mov dword ptr , 1 ; |
0040385F .C785 9CFEFFFF 190000>mov dword ptr , 19 ; |
00403869 .899D 8CFEFFFF mov dword ptr , ebx ; |
0040386F .FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>; \__vbaVarForInit
00403875 >3BC3 cmp eax, ebx
00403877 .0F84 C1000000 je 0040393E
0040387D .8D95 A4FEFFFF lea edx, dword ptr
00403883 .8D45 D4 lea eax, dword ptr
00403886 .52 push edx
00403887 .8D8D 14FFFFFF lea ecx, dword ptr
0040388D .50 push eax
0040388E .51 push ecx
0040388F .C785 ACFEFFFF 410000>mov dword ptr , 41 ; 0x41("A")
00403899 .C785 A4FEFFFF 020000>mov dword ptr , 2
004038A3 .FF15 E4104000 call dword ptr [<&MSVBVM60.__vbaVarAdd>]; __vbaVarAdd
004038A9 .8B3D E0104000 mov edi, dword ptr [<&MSVBVM60.__vbaI4Va>
004038AF .50 push eax
004038B0 .FFD7 call edi ;<&MSVBVM60.__vbaI4Var>
004038B2 .8D95 04FFFFFF lea edx, dword ptr
004038B8 .50 push eax
004038B9 .52 push edx
004038BA .FF15 A4104000 call dword ptr [<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi,ASCII值转为字符
004038C0 .8D45 D4 lea eax, dword ptr
004038C3 .50 push eax
004038C4 .FFD7 call edi
004038C6 .8BF8 mov edi, eax
004038C8 .83FF 1A cmp edi, 1A ; EDI值与0x1A(26)比较,储存A-Z共26个字母
004038CB .72 06 jb short 004038D3
004038CD .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004038D3 >8D8D 04FFFFFF lea ecx, dword ptr
004038D9 .51 push ecx
004038DA .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrVarMov>
004038E0 .8BD0 mov edx, eax
004038E2 .8D8D 34FFFFFF lea ecx, dword ptr
004038E8 .FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
004038EE .8BD0 mov edx, eax
004038F0 .8B45 8C mov eax, dword ptr
004038F3 .8D0CB8 lea ecx, dword ptr
004038F6 .FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
004038FC .8D8D 34FFFFFF lea ecx, dword ptr
00403902 .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403908 .8D8D 04FFFFFF lea ecx, dword ptr
0040390E .8D95 14FFFFFF lea edx, dword ptr
00403914 .51 push ecx
00403915 .52 push edx
00403916 .6A 02 push 2
00403918 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
0040391E .83C4 0C add esp, 0C
00403921 .8D85 0CFEFFFF lea eax, dword ptr
00403927 .8D8D 1CFEFFFF lea ecx, dword ptr
0040392D .8D55 D4 lea edx, dword ptr
00403930 .50 push eax ; /TMPend8
00403931 .51 push ecx ; |TMPstep8
00403932 .52 push edx ; |Counter8
00403933 .FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>; \__vbaVarForNext
00403939 .^ E9 37FFFFFF jmp 00403875
0040393E >8B06 mov eax, dword ptr
00403940 .56 push esi
00403941 .FF90 00030000 call dword ptr
00403947 .8D8D 24FFFFFF lea ecx, dword ptr
0040394D .50 push eax
0040394E .51 push ecx
0040394F .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403955 .8BF8 mov edi, eax
00403957 .8D85 34FFFFFF lea eax, dword ptr
0040395D .50 push eax
0040395E .57 push edi
0040395F .8B17 mov edx, dword ptr
00403961 .FF92 A0000000 call dword ptr
00403967 .3BC3 cmp eax, ebx
00403969 .DBE2 fclex
0040396B .7D 12 jge short 0040397F
0040396D .68 A0000000 push 0A0
00403972 .68 D4234000 push 004023D4
00403977 .57 push edi
00403978 .50 push eax
00403979 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
0040397F >8B8D 34FFFFFF mov ecx, dword ptr ;注册码"9876543210"
00403985 .51 push ecx ;
00403986 .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; __vbaLenBstr,获取注册码长度
0040398C .8BF8 mov edi, eax
0040398E .8D8D 34FFFFFF lea ecx, dword ptr
00403994 .F7DF neg edi
00403996 .1BFF sbb edi, edi
00403998 .F7DF neg edi
0040399A .F7DF neg edi
0040399C .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
004039A2 .8D8D 24FFFFFF lea ecx, dword ptr
004039A8 .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
004039AE .66:3BFB cmp di, bx ;注册码是否为空
004039B1 .0F84 CB0A0000 je 00404482
004039B7 .8B16 mov edx, dword ptr
004039B9 .56 push esi
004039BA .FF92 00030000 call dword ptr
004039C0 .50 push eax
004039C1 .8D85 24FFFFFF lea eax, dword ptr
004039C7 .50 push eax
004039C8 .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
004039CE .8BF8 mov edi, eax
004039D0 .8D95 34FFFFFF lea edx, dword ptr
004039D6 .52 push edx
004039D7 .57 push edi
004039D8 .8B0F mov ecx, dword ptr
004039DA .FF91 A0000000 call dword ptr
004039E0 .3BC3 cmp eax, ebx
004039E2 .DBE2 fclex
004039E4 .7D 12 jge short 004039F8
004039E6 .68 A0000000 push 0A0
004039EB .68 D4234000 push 004023D4
004039F0 .57 push edi
004039F1 .50 push eax
004039F2 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
004039F8 >8B95 34FFFFFF mov edx, dword ptr ;注册码"9876543210"
004039FE .8B06 mov eax, dword ptr
00403A00 .8D8D 60FEFFFF lea ecx, dword ptr
00403A06 .51 push ecx
00403A07 .52 push edx
00403A08 .56 push esi
00403A09 .FF90 F8060000 call dword ptr ;CALL 00402C65,检测注册码是否为空
00403A0F .3BC3 cmp eax, ebx
00403A11 .7D 12 jge short 00403A25
00403A13 .68 F8060000 push 6F8
00403A18 .68 B0224000 push 004022B0
00403A1D .56 push esi
00403A1E .50 push eax
00403A1F .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403A25 >33C0 xor eax, eax
00403A27 .66:83BD 60FEFFFF FFcmp word ptr , 0FFFF
00403A2F .8D8D 34FFFFFF lea ecx, dword ptr
00403A35 .0F94C0 sete al
00403A38 .F7D8 neg eax
00403A3A .8BF8 mov edi, eax
00403A3C .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403A42 .8D8D 24FFFFFF lea ecx, dword ptr
00403A48 .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403A4E .66:3BFB cmp di, bx
00403A51 .0F84 2B0A0000 je 00404482 ;注册码为空则跳
00403A57 .8B0E mov ecx, dword ptr
00403A59 .56 push esi
00403A5A .C785 ACFEFFFF 010000>mov dword ptr , 1
00403A64 .C785 A4FEFFFF 020000>mov dword ptr , 2
00403A6E .FF91 00030000 call dword ptr
00403A74 .8D95 24FFFFFF lea edx, dword ptr
00403A7A .50 push eax
00403A7B .52 push edx
00403A7C .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403A82 .8BF8 mov edi, eax
00403A84 .8D8D 34FFFFFF lea ecx, dword ptr
00403A8A .51 push ecx
00403A8B .57 push edi
00403A8C .8B07 mov eax, dword ptr
00403A8E .FF90 A0000000 call dword ptr
00403A94 .3BC3 cmp eax, ebx
00403A96 .DBE2 fclex
00403A98 .7D 12 jge short 00403AAC
00403A9A .68 A0000000 push 0A0
00403A9F .68 D4234000 push 004023D4
00403AA4 .57 push edi
00403AA5 .50 push eax
00403AA6 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403AAC >8B95 34FFFFFF mov edx, dword ptr
00403AB2 .52 push edx ; /String
00403AB3 .FF15 18104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00403AB9 .8985 9CFEFFFF mov dword ptr , eax
00403ABF .8D85 A4FEFFFF lea eax, dword ptr
00403AC5 .8D8D 94FEFFFF lea ecx, dword ptr
00403ACB .50 push eax ; /Step8
00403ACC .8D95 84FEFFFF lea edx, dword ptr ; |
00403AD2 .51 push ecx ; |End8
00403AD3 .8D85 ECFDFFFF lea eax, dword ptr ; |
00403AD9 .52 push edx ; |Start8
00403ADA .8D8D FCFDFFFF lea ecx, dword ptr ; |
00403AE0 .50 push eax ; |TMPend8
00403AE1 .8D55 B8 lea edx, dword ptr ; |
00403AE4 .51 push ecx ; |TMPstep8
00403AE5 .52 push edx ; |Counter8
00403AE6 .C785 94FEFFFF 030000>mov dword ptr , 3 ; |
00403AF0 .C785 8CFEFFFF 010000>mov dword ptr , 1 ; |
00403AFA .C785 84FEFFFF 020000>mov dword ptr , 2 ; |
00403B04 .FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>; \__vbaVarForInit
00403B0A .8D8D 34FFFFFF lea ecx, dword ptr
00403B10 .8BF8 mov edi, eax
00403B12 .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00403B18 .8D8D 24FFFFFF lea ecx, dword ptr
00403B1E .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403B24 .8B1D 8C104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarA>
00403B2A >85FF test edi, edi
00403B2C .0F84 0B030000 je 00403E3D
00403B32 .8B06 mov eax, dword ptr
00403B34 .56 push esi
00403B35 .FF90 00030000 call dword ptr
00403B3B .8D8D 24FFFFFF lea ecx, dword ptr
00403B41 .50 push eax
00403B42 .51 push ecx
00403B43 .FF15 44104000 call dword ptr [<&MSVBVM60.__vbaObjSet>]
00403B49 .8BF8 mov edi, eax
00403B4B .8D85 34FFFFFF lea eax, dword ptr
00403B51 .50 push eax
00403B52 .57 push edi
00403B53 .8B17 mov edx, dword ptr
00403B55 .FF92 A0000000 call dword ptr
00403B5B .85C0 test eax, eax
00403B5D .DBE2 fclex
00403B5F .7D 12 jge short 00403B73
00403B61 .68 A0000000 push 0A0
00403B66 .68 D4234000 push 004023D4
00403B6B .57 push edi
00403B6C .50 push eax
00403B6D .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403B73 >8B85 34FFFFFF mov eax, dword ptr ;注册码"9876543210"
00403B79 .8D8D 04FFFFFF lea ecx, dword ptr
00403B7F .8D55 B8 lea edx, dword ptr
00403B82 .51 push ecx
00403B83 .52 push edx
00403B84 .C785 0CFFFFFF 010000>mov dword ptr , 1
00403B8E .C785 04FFFFFF 020000>mov dword ptr , 2
00403B98 .C785 34FFFFFF 000000>mov dword ptr , 0
00403BA2 .8985 1CFFFFFF mov dword ptr , eax
00403BA8 .C785 14FFFFFF 080000>mov dword ptr , 8
00403BB2 .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00403BB8 .50 push eax
00403BB9 .8D85 14FFFFFF lea eax, dword ptr
00403BBF .8D8D F4FEFFFF lea ecx, dword ptr
00403BC5 .50 push eax
00403BC6 .51 push ecx
00403BC7 .FF15 58104000 call dword ptr [<&MSVBVM60.#632>] ; rtcMidCharVar,循环取注册码每个字符("9")
00403BCD .8D95 F4FEFFFF lea edx, dword ptr
00403BD3 .8D85 30FFFFFF lea eax, dword ptr
00403BD9 .52 push edx
00403BDA .50 push eax
00403BDB .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>
00403BE1 .50 push eax
00403BE2 .FF15 2C104000 call dword ptr [<&MSVBVM60.#516>] ; rtcAnsiValueBstr,字符ASCII值
00403BE8 .8B3E mov edi, dword ptr
00403BEA .8D8D 28FFFFFF lea ecx, dword ptr
00403BF0 .51 push ecx
00403BF1 .50 push eax
00403BF2 .8985 60FEFFFF mov dword ptr , eax ;EAX=0x39("9")
00403BF8 .FF15 04104000 call dword ptr [<&MSVBVM60.__vbaStrI2>] ;整数转为字符串,0x39-->39-->"39"
00403BFE .8BD0 mov edx, eax
00403C00 .8D8D 2CFFFFFF lea ecx, dword ptr
00403C06 .FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403C0C .50 push eax
00403C0D .56 push esi
00403C0E .FF97 FC060000 call dword ptr ;CALL 00402C72,EAX大于90则减去32,EAX=0x39(57)
00403C14 .85C0 test eax, eax
00403C16 .7D 12 jge short 00403C2A
00403C18 .68 FC060000 push 6FC
00403C1D .68 B0224000 push 004022B0
00403C22 .56 push esi
00403C23 .50 push eax
00403C24 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403C2A >8B85 28FFFFFF mov eax, dword ptr ;"57"
00403C30 .8D95 E4FEFFFF lea edx, dword ptr
00403C36 .8D8D 4CFFFFFF lea ecx, dword ptr
00403C3C .C785 28FFFFFF 000000>mov dword ptr , 0
00403C46 .8985 ECFEFFFF mov dword ptr , eax
00403C4C .C785 E4FEFFFF 080000>mov dword ptr , 8
00403C56 .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00403C5C .8D95 2CFFFFFF lea edx, dword ptr
00403C62 .8D85 30FFFFFF lea eax, dword ptr
00403C68 .52 push edx
00403C69 .50 push eax
00403C6A .6A 02 push 2
00403C6C .FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeStrLi>
00403C72 .83C4 0C add esp, 0C
00403C75 .8D8D 24FFFFFF lea ecx, dword ptr
00403C7B .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaFreeObj>]
00403C81 .8D8D F4FEFFFF lea ecx, dword ptr
00403C87 .8D95 04FFFFFF lea edx, dword ptr
00403C8D .51 push ecx
00403C8E .8D85 14FFFFFF lea eax, dword ptr
00403C94 .52 push edx
00403C95 .50 push eax
00403C96 .6A 03 push 3
00403C98 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
00403C9E .8B3D 5C104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarC>;MSVBVM60.__vbaVarCmpGt
00403CA4 .83C4 10 add esp, 10
00403CA7 .B8 02800000 mov eax, 8002
00403CAC .8D8D 4CFFFFFF lea ecx, dword ptr
00403CB2 .8985 A4FEFFFF mov dword ptr , eax
00403CB8 .8985 94FEFFFF mov dword ptr , eax
00403CBE .8985 84FEFFFF mov dword ptr , eax
00403CC4 .8985 74FEFFFF mov dword ptr , eax
00403CCA .8D95 A4FEFFFF lea edx, dword ptr
00403CD0 .51 push ecx
00403CD1 .8D85 14FFFFFF lea eax, dword ptr
00403CD7 .52 push edx
00403CD8 .50 push eax
00403CD9 .C785 ACFEFFFF 2F0000>mov dword ptr , 2F ;"/"
00403CE3 .C785 9CFEFFFF 3A0000>mov dword ptr , 3A ;":"
00403CED .C785 8CFEFFFF 400000>mov dword ptr , 40 ;"@"
00403CF7 .C785 7CFEFFFF 470000>mov dword ptr , 47 ;"G"
00403D01 .FFD7 call edi ;/__vbaVarCmpGt
00403D03 .8D8D 4CFFFFFF lea ecx, dword ptr ;|
00403D09 .50 push eax ;|
00403D0A .8D95 94FEFFFF lea edx, dword ptr ;|
00403D10 .51 push ecx ;|比较注册码是否介于0x2F~0x3A,即是否为数字
00403D11 .8D85 04FFFFFF lea eax, dword ptr ;|
00403D17 .52 push edx ;|
00403D18 .50 push eax ;|
00403D19 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaVarCmpLt>>;\__vbaVarCmpLt
00403D1F .8D8D F4FEFFFF lea ecx, dword ptr
00403D25 .50 push eax
00403D26 .51 push ecx
00403D27 .FFD3 call ebx
00403D29 .50 push eax
00403D2A .8D95 4CFFFFFF lea edx, dword ptr
00403D30 .8D85 84FEFFFF lea eax, dword ptr
00403D36 .52 push edx
00403D37 .8D8D E4FEFFFF lea ecx, dword ptr
00403D3D .50 push eax
00403D3E .51 push ecx
00403D3F .FFD7 call edi ;/__vbaVarCmpGt
00403D41 .50 push eax ;|
00403D42 .8D95 4CFFFFFF lea edx, dword ptr ;|
00403D48 .8D85 74FEFFFF lea eax, dword ptr ;|
00403D4E .52 push edx ;|比较注册码是否介于0x40~0x47,即是否为A~F
00403D4F .8D8D D4FEFFFF lea ecx, dword ptr ;|
00403D55 .50 push eax ;|
00403D56 .51 push ecx ;|
00403D57 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaVarCmpLt>>;\__vbaVarCmpLt
00403D5D .8D95 C4FEFFFF lea edx, dword ptr
00403D63 .50 push eax
00403D64 .52 push edx
00403D65 .FFD3 call ebx
00403D67 .50 push eax
00403D68 .8D85 B4FEFFFF lea eax, dword ptr
00403D6E .50 push eax
00403D6F .FF15 74104000 call dword ptr [<&MSVBVM60.__vbaVarOr>]
00403D75 .50 push eax
00403D76 .FF15 50104000 call dword ptr [<&MSVBVM60.__vbaBoolVarNu>
00403D7C .66:85C0 test ax, ax
00403D7F .0F84 A1000000 je 00403E26 ;注册码不为0-9,A-F则跳
00403D85 .8D8D 4CFFFFFF lea ecx, dword ptr
00403D8B .51 push ecx
00403D8C .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00403D92 .8D95 14FFFFFF lea edx, dword ptr
00403D98 .50 push eax
00403D99 .52 push edx
00403D9A .FF15 A4104000 call dword ptr [<&MSVBVM60.#608>]
00403DA0 .8D95 14FFFFFF lea edx, dword ptr
00403DA6 .8D8D 6CFFFFFF lea ecx, dword ptr
00403DAC .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00403DB2 .8B45 E4 mov eax, dword ptr
00403DB5 .8D8D A4FEFFFF lea ecx, dword ptr
00403DBB .8985 ACFEFFFF mov dword ptr , eax
00403DC1 .8D95 6CFFFFFF lea edx, dword ptr
00403DC7 .51 push ecx
00403DC8 .8D85 14FFFFFF lea eax, dword ptr
00403DCE .52 push edx
00403DCF .50 push eax
00403DD0 .66:C705 24604000 000>mov word ptr , 0
00403DD9 .C785 A4FEFFFF 080000>mov dword ptr , 8
00403DE3 .FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaVarCat>]
00403DE9 .50 push eax
00403DEA .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaStrVarMov>
00403DF0 .8BD0 mov edx, eax
00403DF2 .8D4D E4 lea ecx, dword ptr
00403DF5 .FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403DFB .8D8D 14FFFFFF lea ecx, dword ptr
00403E01 .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>]
00403E07 .8D8D ECFDFFFF lea ecx, dword ptr
00403E0D .8D95 FCFDFFFF lea edx, dword ptr
00403E13 .51 push ecx
00403E14 .8D45 B8 lea eax, dword ptr
00403E17 .52 push edx
00403E18 .50 push eax
00403E19 .FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>
00403E1F .8BF8 mov edi, eax
00403E21 .^ E9 04FDFFFF jmp 00403B2A
00403E26 >BA E8234000 mov edx, 004023E8
00403E2B .8D4D E4 lea ecx, dword ptr
00403E2E .FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
00403E34 .66:C705 24604000 FFF>mov word ptr , 0FFFF
00403E3D >8B45 E4 mov eax, dword ptr
00403E40 .8B0E mov ecx, dword ptr
00403E42 .8D95 60FEFFFF lea edx, dword ptr
00403E48 .52 push edx
00403E49 .50 push eax
00403E4A .56 push esi
00403E4B .FF91 F8060000 call dword ptr
00403E51 .85C0 test eax, eax
00403E53 .7D 12 jge short 00403E67
00403E55 .68 F8060000 push 6F8
00403E5A .68 B0224000 push 004022B0
00403E5F .56 push esi
00403E60 .50 push eax
00403E61 .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403E67 >66:83BD 60FEFFFF 00cmp word ptr , 0
00403E6F .75 09 jnz short 00403E7A
00403E71 .66:C705 24604000 FFF>mov word ptr , 0FFFF
00403E7A >8B45 E4 mov eax, dword ptr ;注册码"9876543210"
00403E7D .8B0E mov ecx, dword ptr
00403E7F .8D95 34FFFFFF lea edx, dword ptr
00403E85 .52 push edx
00403E86 .50 push eax
00403E87 .56 push esi
00403E88 .FF91 00070000 call dword ptr ;CALL 00402C7F,注册码每2位一组逆序连接
00403E8E .85C0 test eax, eax
00403E90 .7D 12 jge short 00403EA4
00403E92 .68 00070000 push 700
00403E97 .68 B0224000 push 004022B0
00403E9C .56 push esi
00403E9D .50 push eax
00403E9E .FF15 34104000 call dword ptr [<&MSVBVM60.__vbaHresultCh>
00403EA4 >8B95 34FFFFFF mov edx, dword ptr ;变换后的注册码"1032547698"
00403EAA .8D4D E4 lea ecx, dword ptr
00403EAD .C785 34FFFFFF 000000>mov dword ptr , 0
00403EB7 .FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaStrMove>]
00403EBD .8B4D E4 mov ecx, dword ptr
00403EC0 .8B35 18104000 mov esi, dword ptr [<&MSVBVM60.__vbaLenB>;__vbaLenBstr
00403EC6 .51 push ecx
00403EC7 .FFD6 call esi ;获取变换后的注册码长度,记为Length
00403EC9 .8985 7CFDFFFF mov dword ptr , eax
00403ECF .8D95 A4FEFFFF lea edx, dword ptr
00403ED5 .DB85 7CFDFFFF fild dword ptr
00403EDB .8D4D 98 lea ecx, dword ptr
00403EDE .C785 A4FEFFFF 050000>mov dword ptr , 5
00403EE8 .DD9D 74FDFFFF fstp qword ptr
00403EEE .DD85 74FDFFFF fld qword ptr
00403EF4 .833D 00604000 00 cmp dword ptr , 0
00403EFB .75 08 jnz short 00403F05
00403EFD .DC35 60114000 fdiv qword ptr ;注册码长度除以2,=2,Length=Length/2
00403F03 .EB 11 jmp short 00403F16
00403F05 >FF35 64114000 push dword ptr
00403F0B .FF35 60114000 push dword ptr
00403F11 .E8 DED2FFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
00403F16 >DC25 58114000 fsub qword ptr ;结果减1,=1,Length=Length/2-1
00403F1C .DD9D ACFEFFFF fstp qword ptr
00403F22 .DFE0 fstsw ax
00403F24 .A8 0D test al, 0D
00403F26 .0F85 D6060000 jnz 00404602
00403F2C .FF15 10104000 call dword ptr [<&MSVBVM60.__vbaVarMove>]
00403F32 .8B55 E4 mov edx, dword ptr
00403F35 .6A 00 push 0
00403F37 .52 push edx
00403F38 .FFD6 call esi
00403F3A .8B3D 7C104000 mov edi, dword ptr [<&MSVBVM60.__vbaRedi>
00403F40 .50 push eax
00403F41 .6A 01 push 1
00403F43 .8D45 D0 lea eax, dword ptr
00403F46 .6A 08 push 8
00403F48 .50 push eax
00403F49 .6A 04 push 4
00403F4B .68 80010000 push 180
00403F50 .FFD7 call edi
00403F52 .8B4D E4 mov ecx, dword ptr
00403F55 .83C4 1C add esp, 1C
00403F58 .6A 00 push 0
00403F5A .51 push ecx
00403F5B .FFD6 call esi
00403F5D .50 push eax
00403F5E .BB 02000000 mov ebx, 2
00403F63 .6A 01 push 1
00403F65 .8D55 C8 lea edx, dword ptr
00403F68 .53 push ebx
00403F69 .52 push edx
00403F6A .53 push ebx
00403F6B .68 80000000 push 80
00403F70 .FFD7 call edi
00403F72 .8B45 E4 mov eax, dword ptr
00403F75 .83C4 1C add esp, 1C
00403F78 .6A 00 push 0
00403F7A .50 push eax
00403F7B .FFD6 call esi
00403F7D .50 push eax
00403F7E .6A 01 push 1
00403F80 .8D4D CC lea ecx, dword ptr
00403F83 .53 push ebx
00403F84 .51 push ecx
00403F85 .53 push ebx
00403F86 .68 80000000 push 80
00403F8B .FFD7 call edi
00403F8D .83C4 1C add esp, 1C
00403F90 .8D95 A4FEFFFF lea edx, dword ptr
00403F96 .8D45 98 lea eax, dword ptr
00403F99 .8D8D 94FEFFFF lea ecx, dword ptr
00403F9F .52 push edx
00403FA0 .50 push eax
00403FA1 .8D95 CCFDFFFF lea edx, dword ptr
00403FA7 .51 push ecx
00403FA8 .8D85 DCFDFFFF lea eax, dword ptr
00403FAE .52 push edx
00403FAF .8D4D A8 lea ecx, dword ptr
00403FB2 .50 push eax
00403FB3 .51 push ecx
00403FB4 .C785 ACFEFFFF 010000>mov dword ptr , 1
00403FBE .899D A4FEFFFF mov dword ptr , ebx
00403FC4 .C785 9CFEFFFF 000000>mov dword ptr , 0
00403FCE .899D 94FEFFFF mov dword ptr , ebx
00403FD4 .FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForIni>
00403FDA >8B3D E0104000 mov edi, dword ptr [<&MSVBVM60.__vbaI4Va>
00403FE0 .85C0 test eax, eax
00403FE2 .0F84 4F030000 je 00404337
00403FE8 .8D55 E4 lea edx, dword ptr
00403FEB .8D85 F4FEFFFF lea eax, dword ptr
00403FF1 .8995 8CFEFFFF mov dword ptr , edx
00403FF7 .8D8D A4FEFFFF lea ecx, dword ptr
00403FFD .50 push eax
00403FFE .8D55 A8 lea edx, dword ptr
00404001 .51 push ecx
00404002 .8D85 14FFFFFF lea eax, dword ptr
00404008 .52 push edx
00404009 .50 push eax
0040400A .C785 6CFEFFFF 642440>mov dword ptr , 00402464 ; UNICODE "&h"
00404014 .C785 64FEFFFF 080000>mov dword ptr , 8
0040401E .899D FCFEFFFF mov dword ptr , ebx
00404024 .899D F4FEFFFF mov dword ptr , ebx
0040402A .899D ACFEFFFF mov dword ptr , ebx
00404030 .899D A4FEFFFF mov dword ptr , ebx
00404036 .C785 9CFEFFFF 010000>mov dword ptr , 1
00404040 .899D 94FEFFFF mov dword ptr , ebx
00404046 .C785 84FEFFFF 084000>mov dword ptr , 4008
00404050 .FF15 94104000 call dword ptr [<&MSVBVM60.__vbaVarMul>]
00404056 .8D8D 94FEFFFF lea ecx, dword ptr
0040405C .50 push eax
0040405D .8D95 04FFFFFF lea edx, dword ptr
00404063 .51 push ecx
00404064 .52 push edx
00404065 .FF15 E4104000 call dword ptr [<&MSVBVM60.__vbaVarAdd>]
0040406B .50 push eax
0040406C .FFD7 call edi
0040406E .50 push eax
0040406F .8D85 84FEFFFF lea eax, dword ptr
00404075 .8D8D E4FEFFFF lea ecx, dword ptr
0040407B .50 push eax
0040407C .51 push ecx
0040407D .FF15 58104000 call dword ptr [<&MSVBVM60.#632>] ; rtcMidCharVar,循环取变换后的注册码字符串,"10"
00404083 .8B45 C8 mov eax, dword ptr ; 每次取2位字符,设循环变量为I
00404086 .85C0 test eax, eax
00404088 .74 27 je short 004040B1
0040408A .66:8338 01 cmp word ptr , 1
0040408E .75 21 jnz short 004040B1
00404090 .8D55 A8 lea edx, dword ptr
00404093 .52 push edx
00404094 .FFD7 call edi
00404096 .8BF0 mov esi, eax
00404098 .8B45 C8 mov eax, dword ptr
0040409B .8B50 14 mov edx, dword ptr
0040409E .8B48 10 mov ecx, dword ptr
004040A1 .2BF2 sub esi, edx
004040A3 .3BF1 cmp esi, ecx
004040A5 .72 06 jb short 004040AD
004040A7 .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004040AD >03F6 add esi, esi
004040AF .EB 08 jmp short 004040B9
004040B1 >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004040B7 .8BF0 mov esi, eax
004040B9 >8D85 64FEFFFF lea eax, dword ptr
004040BF .8D8D E4FEFFFF lea ecx, dword ptr
004040C5 .50 push eax
004040C6 .8D95 D4FEFFFF lea edx, dword ptr
004040CC .51 push ecx
004040CD .52 push edx
004040CE .FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaVarCat>];__vbaVarCat,连接"&h"与取出的字符串,即转为16进制数
004040D4 .50 push eax
004040D5 .8D85 34FFFFFF lea eax, dword ptr
004040DB .50 push eax
004040DC .FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>
004040E2 .50 push eax ;EAX="&h10"
004040E3 .FF15 10114000 call dword ptr [<&MSVBVM60.#581>] ;rtcR8ValFromBstr,字符串转为数值
004040E9 .FF15 E8104000 call dword ptr [<&MSVBVM60.__vbaFpI2>]
004040EF .8B4D C8 mov ecx, dword ptr
004040F2 .8B51 0C mov edx, dword ptr
004040F5 .8D8D 34FFFFFF lea ecx, dword ptr
004040FB .66:890432 mov word ptr , ax ;EAX=0X10,记为TmpNum1
004040FF .FF15 0C114000 call dword ptr [<&MSVBVM60.__vbaFreeStr>]
00404105 .8D85 D4FEFFFF lea eax, dword ptr
0040410B .8D8D E4FEFFFF lea ecx, dword ptr
00404111 .50 push eax
00404112 .8D95 F4FEFFFF lea edx, dword ptr
00404118 .51 push ecx
00404119 .8D85 04FFFFFF lea eax, dword ptr
0040411F .52 push edx
00404120 .50 push eax
00404121 .6A 04 push 4
00404123 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeVarLi>
00404129 .8B45 CC mov eax, dword ptr
0040412C .83C4 14 add esp, 14
0040412F .85C0 test eax, eax
00404131 .C785 ACFEFFFF 5F0000>mov dword ptr , 5F ;常数0x5F
0040413B .899D A4FEFFFF mov dword ptr , ebx
00404141 .74 27 je short 0040416A
00404143 .66:8338 01 cmp word ptr , 1
00404147 .75 21 jnz short 0040416A
00404149 .8D4D A8 lea ecx, dword ptr
0040414C .51 push ecx
0040414D .FFD7 call edi
0040414F .8BF0 mov esi, eax
00404151 .8B45 CC mov eax, dword ptr
00404154 .8B50 14 mov edx, dword ptr
00404157 .8B48 10 mov ecx, dword ptr
0040415A .2BF2 sub esi, edx
0040415C .3BF1 cmp esi, ecx
0040415E .72 06 jb short 00404166
00404160 .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404166 >03F6 add esi, esi
00404168 .EB 08 jmp short 00404172
0040416A >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404170 .8BF0 mov esi, eax
00404172 >8B1D 00104000 mov ebx, dword ptr [<&MSVBVM60.__vbaVarS>
00404178 .8D95 A4FEFFFF lea edx, dword ptr
0040417E .8D45 98 lea eax, dword ptr
00404181 .52 push edx
00404182 .8D4D A8 lea ecx, dword ptr
00404185 .50 push eax
00404186 .8D95 14FFFFFF lea edx, dword ptr
0040418C .51 push ecx
0040418D .52 push edx
0040418E .FFD3 call ebx ; __vbaVarSub,(Length-I)
00404190 .50 push eax
00404191 .8D85 04FFFFFF lea eax, dword ptr
00404197 .50 push eax
00404198 .FFD3 call ebx ; __vbaVarSub,常数0x5F-(Length-I)
0040419A .50 push eax
0040419B .FF15 B4104000 call dword ptr [<&MSVBVM60.__vbaI2Var>]
004041A1 .8B4D CC mov ecx, dword ptr
004041A4 .8B51 0C mov edx, dword ptr
004041A7 .66:890432 mov word ptr , ax ;AX=0x5F-(Length-I),记为TmpNum2
004041AB .8B45 C8 mov eax, dword ptr
004041AE .85C0 test eax, eax
004041B0 .74 28 je short 004041DA
004041B2 .66:8338 01 cmp word ptr , 1
004041B6 .75 22 jnz short 004041DA
004041B8 .8D45 A8 lea eax, dword ptr
004041BB .50 push eax
004041BC .FFD7 call edi
004041BE .8BF0 mov esi, eax
004041C0 .8B45 C8 mov eax, dword ptr
004041C3 .8B50 14 mov edx, dword ptr
004041C6 .8B48 10 mov ecx, dword ptr
004041C9 .2BF2 sub esi, edx
004041CB .3BF1 cmp esi, ecx
004041CD .72 06 jb short 004041D5
004041CF .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004041D5 >8D1C36 lea ebx, dword ptr
004041D8 .EB 08 jmp short 004041E2
004041DA >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004041E0 .8BD8 mov ebx, eax
004041E2 >8B45 CC mov eax, dword ptr
004041E5 .85C0 test eax, eax
004041E7 .74 2C je short 00404215
004041E9 .66:8338 01 cmp word ptr , 1
004041ED .75 26 jnz short 00404215
004041EF .8D4D A8 lea ecx, dword ptr
004041F2 .51 push ecx
004041F3 .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004041F9 .8BF0 mov esi, eax
004041FB .8B45 CC mov eax, dword ptr
004041FE .8B50 14 mov edx, dword ptr
00404201 .8B48 10 mov ecx, dword ptr
00404204 .2BF2 sub esi, edx
00404206 .3BF1 cmp esi, ecx
00404208 .72 06 jb short 00404210
0040420A .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404210 >8D3C36 lea edi, dword ptr
00404213 .EB 08 jmp short 0040421D
00404215 >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
0040421B .8BF8 mov edi, eax
0040421D >8B45 C8 mov eax, dword ptr
00404220 .85C0 test eax, eax
00404222 .74 2C je short 00404250
00404224 .66:8338 01 cmp word ptr , 1
00404228 .75 26 jnz short 00404250
0040422A .8D55 A8 lea edx, dword ptr
0040422D .52 push edx
0040422E .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00404234 .8BF0 mov esi, eax
00404236 .8B45 C8 mov eax, dword ptr
00404239 .8B50 14 mov edx, dword ptr
0040423C .8B48 10 mov ecx, dword ptr
0040423F .2BF2 sub esi, edx
00404241 .3BF1 cmp esi, ecx
00404243 .72 06 jb short 0040424B
00404245 .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
0040424B >8D0436 lea eax, dword ptr
0040424E .EB 06 jmp short 00404256
00404250 >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
00404256 >8B55 CC mov edx, dword ptr
00404259 .8B4D C8 mov ecx, dword ptr
0040425C .8B52 0C mov edx, dword ptr
0040425F .8B49 0C mov ecx, dword ptr
00404262 .66:8B143A mov dx, word ptr ; DX=TmpNum1,=TmpNum2
00404266 .66:33140B xor dx, word ptr ; xor运算
0040426A .66:891408 mov word ptr , dx ; xor运算结果保存
0040426E .8B45 C8 mov eax, dword ptr
00404271 .85C0 test eax, eax
00404273 .74 2E je short 004042A3
00404275 .66:8338 01 cmp word ptr , 1
00404279 .75 28 jnz short 004042A3
0040427B .8D45 A8 lea eax, dword ptr
0040427E .50 push eax
0040427F .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
00404285 .8BF0 mov esi, eax
00404287 .8B45 C8 mov eax, dword ptr
0040428A .8B1D 68104000 mov ebx, dword ptr [<&MSVBVM60.__vbaGene>
00404290 .8B50 14 mov edx, dword ptr
00404293 .8B48 10 mov ecx, dword ptr
00404296 .2BF2 sub esi, edx
00404298 .3BF1 cmp esi, ecx
0040429A .72 02 jb short 0040429E
0040429C .FFD3 call ebx
0040429E >8D0436 lea eax, dword ptr
004042A1 .EB 0C jmp short 004042AF
004042A3 >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerateB>
004042A9 .8B1D 68104000 mov ebx, dword ptr [<&MSVBVM60.__vbaGene>
004042AF >8B4D C8 mov ecx, dword ptr
004042B2 .8B51 0C mov edx, dword ptr
004042B5 .66:B9 1A00 mov cx, 1A ;CX=0x1A(26)
004042B9 .66:8B0402 mov ax, word ptr ;AX=(TmpNum1 xorTmpNum2)
004042BD .66:99 cwd
004042BF .66:F7F9 idiv cx ;AX/CX,商给AX,余数给DX
004042C2 .0FBFFA movsx edi, dx ;EDI=DX=余数
004042C5 .83FF 1A cmp edi, 1A
004042C8 .72 02 jb short 004042CC
004042CA .FFD3 call ebx
004042CC >8B45 D0 mov eax, dword ptr
004042CF .85C0 test eax, eax
004042D1 .74 2C je short 004042FF
004042D3 .66:8338 01 cmp word ptr , 1
004042D7 .75 26 jnz short 004042FF
004042D9 .8D55 A8 lea edx, dword ptr
004042DC .52 push edx
004042DD .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004042E3 .8BF0 mov esi, eax
004042E5 .8B45 D0 mov eax, dword ptr
004042E8 .8B50 14 mov edx, dword ptr
004042EB .8B48 10 mov ecx, dword ptr
004042EE .2BF2 sub esi, edx
004042F0 .3BF1 cmp esi, ecx
004042F2 .72 02 jb short 004042F6
004042F4 .FFD3 call ebx
004042F6 >8D04B5 00000000 lea eax, dword ptr
004042FD .EB 02 jmp short 00404301
004042FF >FFD3 call ebx
00404301 >8B4D 8C mov ecx, dword ptr ;地址,保存A-Z共26个字母的地址
00404304 .8B14B9 mov edx, dword ptr ;根据EDI值取字符A-Z,EDX=
00404307 .8B4D D0 mov ecx, dword ptr
0040430A .8B49 0C mov ecx, dword ptr
0040430D .03C8 add ecx, eax
0040430F .FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaStrCopy>]
00404315 .8D95 CCFDFFFF lea edx, dword ptr
0040431B .8D85 DCFDFFFF lea eax, dword ptr
00404321 .52 push edx
00404322 .8D4D A8 lea ecx, dword ptr
00404325 .50 push eax
00404326 .51 push ecx
00404327 .FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForNex>
0040432D .BB 02000000 mov ebx, 2
00404332 .^ E9 A3FCFFFF jmp 00403FDA
00404337 >8D95 A4FEFFFF lea edx, dword ptr
0040433D .8D45 98 lea eax, dword ptr
00404340 .52 push edx
00404341 .8D8D 94FEFFFF lea ecx, dword ptr
00404347 .50 push eax
00404348 .8D95 ACFDFFFF lea edx, dword ptr
0040434E .51 push ecx
0040434F .8D85 BCFDFFFF lea eax, dword ptr
00404355 .52 push edx
00404356 .8D8D 5CFFFFFF lea ecx, dword ptr
0040435C .50 push eax
0040435D .51 push ecx
0040435E .C785 ACFEFFFF 010000>mov dword ptr , 1
00404368 .899D A4FEFFFF mov dword ptr , ebx
0040436E .C785 9CFEFFFF 000000>mov dword ptr , 0
00404378 .899D 94FEFFFF mov dword ptr , ebx
0040437E .FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarForI>
00404384 .8B1D 2C104000 mov ebx, dword ptr [<&MSVBVM60.#516>];rtcAnsiValueBstr
0040438A >85C0 test eax, eax
0040438C .0F84 F9000000 je 0040448B
00404392 .8B45 D0 mov eax, dword ptr
00404395 .85C0 test eax, eax
00404397 .74 33 je short 004043CC
00404399 .66:8338 01 cmp word ptr , 1
0040439D .75 2D jnz short 004043CC
0040439F .8D95 5CFFFFFF lea edx, dword ptr
004043A5 .52 push edx
004043A6 .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004043AC .8BF0 mov esi, eax
004043AE .8B45 D0 mov eax, dword ptr
004043B1 .8B50 14 mov edx, dword ptr
004043B4 .8B48 10 mov ecx, dword ptr
004043B7 .2BF2 sub esi, edx
004043B9 .3BF1 cmp esi, ecx
004043BB .72 06 jb short 004043C3
004043BD .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
004043C3 >8D3CB5 00000000 lea edi, dword ptr
004043CA .EB 08 jmp short 004043D4
004043CC >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
004043D2 .8BF8 mov edi, eax
004043D4 >8B85 48FFFFFF mov eax, dword ptr
004043DA .85C0 test eax, eax
004043DC .74 32 je short 00404410
004043DE .66:8338 01 cmp word ptr , 1
004043E2 .75 2C jnz short 00404410
004043E4 .8D85 5CFFFFFF lea eax, dword ptr
004043EA .50 push eax
004043EB .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaI4Var>]
004043F1 .8BF0 mov esi, eax
004043F3 .8B85 48FFFFFF mov eax, dword ptr
004043F9 .8B50 14 mov edx, dword ptr
004043FC .8B48 10 mov ecx, dword ptr
004043FF .2BF2 sub esi, edx
00404401 .3BF1 cmp esi, ecx
00404403 .72 06 jb short 0040440B
00404405 .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
0040440B >C1E6 02 shl esi, 2
0040440E .EB 08 jmp short 00404418
00404410 >FF15 68104000 call dword ptr [<&MSVBVM60.__vbaGenerat>
00404416 .8BF0 mov esi, eax
00404418 >8B4D D0 mov ecx, dword ptr
0040441B .8B51 0C mov edx, dword ptr
0040441E .8B043A mov eax, dword ptr
00404421 .50 push eax
00404422 .FFD3 call ebx
00404424 .8B95 48FFFFFF mov edx, dword ptr ;rtcAnsiValueBstr
0040442A .0FBFC8 movsx ecx, ax
0040442D .8B42 0C mov eax, dword ptr
00404430 .898D 70FDFFFF mov dword ptr , ecx
00404436 .DB85 70FDFFFF fild dword ptr
0040443C .8B0C30 mov ecx, dword ptr
0040443F .51 push ecx
00404440 .DD9D 68FDFFFF fstp qword ptr
00404446 .FF15 BC104000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ;__vbaR8Str
0040444C .DC9D 68FDFFFF fcomp qword ptr ;注册码运算结果与转为大写的用户名比较
00404452 .DFE0 fstsw ax
00404454 .F6C4 40 test ah, 40
00404457 .74 29 je short 00404482 ;暴破点2,Nop
00404459 .8D95 ACFDFFFF lea edx, dword ptr
0040445F .8D85 BCFDFFFF lea eax, dword ptr
00404465 .52 push edx
00404466 .8D8D 5CFFFFFF lea ecx, dword ptr
0040446C .50 push eax
0040446D .51 push ecx
0040446E .66:C705 24604000 000>mov word ptr , 0
00404477 .FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarForN>
0040447D .^ E9 08FFFFFF jmp 0040438A
00404482 >66:C705 24604000 FFF>mov word ptr , 0FFFF ;标志位赋值0FFFF
0040448B >C745 FC 00000000 mov dword ptr , 0
00404492 .9B wait
00404493 .68 E3454000 push 004045E3
00404498 .EB 70 jmp short 0040450A
0040449A .8D95 28FFFFFF lea edx, dword ptr
004044A0 .8D85 2CFFFFFF lea eax, dword ptr
-----------------------------------------------------------------------------------------------
【破解总结】
1.注册码文本框输入时进行注册验证,并对标志位进行赋值。
2.点击注册按钮时对标志位进行比较,=0则注册成功。
3.循环取用户名每一位字符,将小写字母转为大写字母后保存。
4.注册码只能为0-9,A-F,注册码同用户名进行相同的处理,即小写字母转为大写字母。
5.注册码每2位一组逆序连接。设变换后的注册码长度为Length,Length=Length/2-1。
6.循环取变换后的注册码字符串,每次取2位字符转为16进制数,记为TmpNum1,循环变量记为I。
7.常数0x5F,0x5F-(Length-I),记为TmpNum2。
8.TmpNum3=(TmpNum1 xor TmpNum2) Mod 0x1A(除以0x1A取余数,余数存入EDI),根据EDI值从字母A-Z取字符。
9.比较根据EDI值取出字符和变换后的用户名,相等则注册成功。
10.由第9步知道,用户名只能为英文字母,大小写注册码相同。
一组可用注册信息:
==========================================
注册名:hrbx
注册码:485F4C5B
==========================================
暴破更改以下任意一处位置:
00402FA1 jnz short 00403005 ;jnz====>NOP
00404457 je short 00404482 ;je====>NOP
【VB注册机源码】
Private Sub Generate_Click()
'Builds the registration code for the name typed in Text1 and writes it to Text2.
'The steps mirror, in reverse, the check in the CrackMe's Text2_Change handler.
'NOTE(review): the naming differs from the analysis above - here TmpNum1 is the
'position-dependent constant and TmpNum2 is the letter index (0-25).
'Runtime errors are suppressed, so bad input yields a wrong code, not an error message.
On Error Resume Next
Dim UserName As String
Dim RegCode As String
Dim TmpStr As String
Dim Length As Integer
Dim i As Integer
Dim TmpNum1 As Integer
Dim TmpNum2 As Integer
Dim TmpNum3 As Integer
'Step 1: copy the name, subtracting 32 from every character code above 90 ("Z").
'This upper-cases a-z, and also shifts any other character above "Z".
For i = 1 To Len(Text1.Text)
TmpStr = Mid(Text1.Text, i, 1)
If Asc(TmpStr) > 90 Then TmpStr = Chr(Asc(TmpStr) - 32)
UserName = UserName & TmpStr
Next
TmpStr = ""
Length = Len(UserName)
'Step 2: for each character, XOR its offset from "A" with &H5F - (Length - i)
'and append the result as hex text.
'NOTE(review): Hex() emits no leading zero; a result below &H10 would give a single
'digit and break the 2-character grouping used in step 3 - confirm intended name lengths.
For i = 1 To Length
TmpNum1 = &H5F - (Length - i)
TmpNum2 = Asc(Mid(UserName, i, 1)) - &H41
TmpNum3 = (TmpNum1 Xor TmpNum2)
TmpStr = TmpStr & Hex(TmpNum3)
Next
Length = Len(TmpStr)
'Step 3: emit the 2-character groups of TmpStr in reverse order.
For i = 1 To Length / 2
RegCode = RegCode & Mid(TmpStr, Length - i * 2 + 1, 2)
Next i
Text2.Text = RegCode
End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 hrbx 于 2009-11-6 16:51 编辑 ] 截个图,:) 不错 支持下^_ 写得很详细,支持下大侠~~ 厉害厉害!这些天忙于课业以致于这么晚才看到这个好帖!今天我把源代码贴下,大家相互印证:)
my CrackMe源代码:
Private Sub Command1_Click()
If Text1.Text = "" Or Text2.Text = "" Then
Label3.Caption = "不跟我玩儿了?怕我了吧?"
Else
If WrongKey = False Then
Label3.Caption = "算你狠,你初级毕业了。"
Else
Label3.Caption = "哦哦。。要不再试试?"
End If
End If
End Sub
Private Sub Form_Load()
    'Start with an empty status label.
    With Label3
        .Caption = ""
    End With
End Sub
Private Sub Text1_GotFocus()
    'When the name box gets focus, clear the entered code and the status label.
    Text2.Text = ""
    With Label3
        .Caption = ""
    End With
End Sub
Private Sub Text2_Change()
'Checks the code in Text2 against the name in Text1 and records the verdict in WrongKey.
'NOTE(review): WrongKey is not declared in this listing; presumably a module-level
'flag shared with Command1_Click, which reads it - confirm.
'NOTE(review): everything needed to compute a matching code from the name is in this
'routine, and the verdict is a single flag, so the check gives no real protection;
'that is the point of the exercise.
WrongKey = False 'default to "registered" until a check fails
Dim UserName() As String
If Text1.Text = "" Or 2 * Len(Text1.Text) <> Len(Text2.Text) Then 'reject at once if the name is empty or the code is not exactly twice as long as the name
WrongKey = True
Exit Sub
Else
ReDim UserName(Len(Text1.Text)) 'array for the upper-cased character codes of the name
For dd = 1 To Len(Text1.Text)
UserName(dd - 1) = UcaseIt(Asc(Mid(Text1.Text, dd, 1)))
Next
End If
'///////////////////// build the 26-entry letter table A-Z
Dim List(25) As String
For k = 0 To 25
List(k) = Chr(65 + k)
Next k
'///////////////////// validate the characters of the code
If CheckLength(Text2.Text) = True Then
For a = 1 To Len(Text2.Text)
Onechar = UcaseIt(Asc(Mid(Text2.Text, a, 1))) 'character code of one character, passed through UcaseIt
If (Onechar > 47 And Onechar < 58) Or (Onechar > 64 And Onechar < 71) Then 'accept only 0-9 (48-57) and A-F (65-70)
Dim NewString As String
NewChar = Chr(Onechar)
WrongKey = False
Else
WrongKey = True
Exit Sub
End If
NewString = NewString & NewChar 'rebuild the normalised code
Next
Else
WrongKey = True
Exit Sub
End If
'/////////////////// computation
NewString = InvertString(NewString) 'reverse the order of the 2-character groups
'declare the working arrays
Length = Len(NewString) / 2 - 1
Dim TwoChar() As Integer
Dim Number() As Integer
Dim EndWord() As String
Dim OutputString As String
ReDim EndWord(Len(NewString)) As String
ReDim TwoChar(Len(NewString)) As Integer
ReDim Number(Len(NewString)) As Integer 'author's note: an arbitrarily chosen number to Xor with
'load the code into the arrays
For b = 0 To Length
TwoChar(b) = Val("&h" & Mid(NewString, 2 * b + 1, 2))'parse each 2-character group as a hex value
Number(b) = 95 - (Length - b)
TwoChar(b) = TwoChar(b) Xor Number(b) 'Xor the two
EndWord(b) = List(TwoChar(b) Mod 26) 'look up the letter in the A-Z table
Next
'///// computation finished, letters are in EndWord
'////////// compare against the name
'The first mismatch sets WrongKey = True and leaves the loop.
For en = 0 To Length
If Asc(EndWord(en)) <> UserName(en) Then
WrongKey = True
Exit For
Else
WrongKey = False
End If
Next
End Sub
Function CheckLength(ByVal InputString As String) As Boolean
    'True when InputString holds an even number of characters, i.e. whole 2-character groups.
    CheckLength = ((Len(InputString) Mod 2) = 0)
End Function
Function UcaseIt(ByVal Onechar As String) As String 'map a character code to upper case
'Despite the String types, callers in this listing pass a character code (Asc(...)),
'and the result is that code, or the code minus 32, as a numeric string.
'NOTE(review): every code above 90 ("Z") has 32 subtracted, not only a-z (97-122),
'so codes 91-96 and codes above 122 are shifted as well.
If Onechar > 90 Then
UcaseIt = Onechar - 32 'convert to upper case
Else
UcaseIt = Onechar
End If
End Function
Function InvertString(ByVal CheckString As String) As String
    'Reverse the order of the 2-character groups of CheckString,
    'e.g. "9876543210" becomes "1032547698".
    'The locals are left undeclared (Variant), as in the original.
    grp = Len(CheckString) / 2 - 1
    Do While grp >= 0
        acc = acc & Mid(CheckString, 2 * grp + 1, 2)
        grp = grp - 1
    Loop
    InvertString = acc
End Function
Private Sub Text2_GotFocus()
    'Clear the status label when the code box gets focus.
    With Label3
        .Caption = ""
    End With
End Sub
/:011 兄弟啥时候的 CM ,不晓得喃 真是牛啊,看了CM源码,也学了注册机源码 不错,留下脚印,慢慢学习