飘云阁all to text1.5算法分析 - Powered by Discuz! Archiver

tigerisme 发表于 2006-9-9 14:26:21

all to text1.5算法分析

【破文标题】all to text1.5算法分析
【破文作者】tigerisme
【破解工具】常用PEiD,OD
【破解平台】Windows XP　SP2
【软件名称】All to Text 1.5
【软件大小】1063KB
【原版下载】自己搜索下
【保护方式】用户名+注册码
【更新时间】2006-9-1 6:13:29

是一款设计不错的TXT文件转换工具，它可以很轻松的将.html、.htm、.doc、.rft文件转换成.txt文件。如果你需要经常的做一些这样的转换工作，那么这款软件对你来说是非常的有用。...
授权: 共享大小: 1063KB平台: Win9x/Me/NT/2000/XP/2003

上次写了这个软件的追码及内存注册机制作https://www.chinapyg.com/viewthread.php?tid=7472&extra=page%3D1，今天我来试着分析算法。算法中还有点问题需要兄弟们指点一下！！！！:lol:

注册名：tigerisme试练码：123456789

在这里下断：

0042D100 > \55          push ebp
0042D101 .8BEC       mov ebp,esp
0042D103 .83EC 08    sub esp,8
0042D106 .68 161B4000 push <jmp.&MSVBVM60.__vbaExceptHandler>       ;SE 处理程序安装
0042D10B .64:A1 00000000 mov eax,dword ptr fs:
0042D111 .50          push eax
0042D112 .64:8925 000000>mov dword ptr fs:,esp
0042D119 .81EC 0C010000sub esp,10C
0042D11F .53          push ebx
0042D120 .56          push esi
0042D121 .57          push edi
0042D122 .8965 F8    mov dword ptr ss:[ebp-8],esp
0042D125 .C745 FC A01A40>mov dword ptr ss:[ebp-4],all2text.00401AA0
0042D12C .8B55 0C    mov edx,dword ptr ss:[ebp+C]
0042D12F .8B7D 08    mov edi,dword ptr ss:[ebp+8]
0042D132 .8B07       mov eax,dword ptr ds:[edi]
0042D134 .33DB       xor ebx,ebx
0042D136 .8D4D EC    lea ecx,dword ptr ss:[ebp-14]
0042D139 .51          push ecx
0042D13A .52          push edx
0042D13B .57          push edi
0042D13C .895D EC    mov dword ptr ss:[ebp-14],ebx
0042D13F .895D E8    mov dword ptr ss:[ebp-18],ebx
0042D142 .895D E4    mov dword ptr ss:[ebp-1C],ebx
0042D145 .895D E0    mov dword ptr ss:[ebp-20],ebx
0042D148 .895D DC    mov dword ptr ss:[ebp-24],ebx
0042D14B .895D D8    mov dword ptr ss:[ebp-28],ebx
0042D14E .895D C8    mov dword ptr ss:[ebp-38],ebx
0042D151 .895D B8    mov dword ptr ss:[ebp-48],ebx
0042D154 .895D A8    mov dword ptr ss:[ebp-58],ebx
0042D157 .895D 98    mov dword ptr ss:[ebp-68],ebx
0042D15A .895D 88    mov dword ptr ss:[ebp-78],ebx
0042D15D .899D 78FFFFFFmov dword ptr ss:[ebp-88],ebx
0042D163 .899D 68FFFFFFmov dword ptr ss:[ebp-98],ebx
0042D169 .899D 58FFFFFFmov dword ptr ss:[ebp-A8],ebx
0042D16F .899D 48FFFFFFmov dword ptr ss:[ebp-B8],ebx
0042D175 .899D 38FFFFFFmov dword ptr ss:[ebp-C8],ebx
0042D17B .FF90 F8060000call dword ptr ds:[eax+6F8]                   算法call
0042D181 .3BC3       cmp eax,ebx
0042D183 .7D 12       jge short all2text.0042D197
0042D185 .68 F8060000 push 6F8
0042D18A .68 806B4000 push all2text.00406B80
0042D18F .57          push edi
0042D190 .50          push eax
0042D191 .FF15 80104000call dword ptr ds:[<&MSVBVM60.__vbaHresultCheck>;MSVBVM60.__vbaHresultCheckObj
0042D197 >8B45 10    mov eax,dword ptr ss:[ebp+10]
0042D19A .8B08       mov ecx,dword ptr ds:[eax]                   ;试练码12345送ecx
0042D19C .8B55 EC    mov edx,dword ptr ss:[ebp-14]
0042D19F .51          push ecx
0042D1A0 .52          push edx
0042D1A1 .FF15 FC104000call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ;MSVBVM60.__vbaStrCmp
0042D1A7 .8BF0       mov esi,eax
0042D1A9 .F7DE       neg esi
0042D1AB .1BF6       sbb esi,esi
0042D1AD .46          inc esi
0042D1AE .8D4D EC    lea ecx,dword ptr ss:[ebp-14]
0042D1B1 .F7DE       neg esi
0042D1B3 .FF15 5C124000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0042D1B9 .66:3BF3    cmp si,bx
0042D1BC .B9 04000280 mov ecx,80020004
0042D1C1 .74 71       je short all2text.0042D234
0042D1C3 .B8 0A000000 mov eax,0A
0042D1C8 .894D A0    mov dword ptr ss:[ebp-60],ecx
0042D1CB .894D B0    mov dword ptr ss:[ebp-50],ecx
0042D1CE .894D C0    mov dword ptr ss:[ebp-40],ecx
0042D1D1 .8D95 48FFFFFFlea edx,dword ptr ss:[ebp-B8]
0042D1D7 .8D4D C8    lea ecx,dword ptr ss:[ebp-38]
0042D1DA .8945 98    mov dword ptr ss:[ebp-68],eax
0042D1DD .8945 A8    mov dword ptr ss:[ebp-58],eax
0042D1E0 .8945 B8    mov dword ptr ss:[ebp-48],eax
0042D1E3 .C785 50FFFFFF >mov dword ptr ss:[ebp-B0],all2text.004085A4 ;congratulations! registration succeeded! please quit and run it again.
0042D1ED .C785 48FFFFFF >mov dword ptr ss:[ebp-B8],8
0042D1F7 .FF15 F8114000call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
0042D1FD .8D45 98    lea eax,dword ptr ss:[ebp-68]
0042D200 .50          push eax
0042D201 .8D4D A8    lea ecx,dword ptr ss:[ebp-58]
0042D204 .51          push ecx
0042D205 .8D55 B8    lea edx,dword ptr ss:[ebp-48]
0042D208 .52          push edx
0042D209 .53          push ebx
0042D20A .8D45 C8    lea eax,dword ptr ss:[ebp-38]
0042D20D .50          push eax
0042D20E .FF15 AC104000call dword ptr ds:[<&MSVBVM60.#595>]          ;MSVBVM60.rtcMsgBox

跟进算法call到这里：

0042D5F0 > \55          push ebp
0042D5F1 .8BEC       mov ebp,esp
0042D5F3 .83EC 0C    sub esp,0C
0042D5F6 .68 161B4000 push <jmp.&MSVBVM60.__vbaExceptHandler>    ;SE 处理程序安装
0042D5FB .64:A1 0000000>mov eax,dword ptr fs:
0042D601 .50          push eax
0042D602 .64:8925 00000>mov dword ptr fs:,esp
0042D609 .81EC 38010000 sub esp,138
0042D60F .53          push ebx
0042D610 .56          push esi
0042D611 .57          push edi
0042D612 .8965 F4    mov dword ptr ss:[ebp-C],esp
0042D615 .C745 F8 B01A4>mov dword ptr ss:[ebp-8],all2text.00401AB0
0042D61C .33F6       xor esi,esi
0042D61E .8975 FC    mov dword ptr ss:[ebp-4],esi
0042D621 .8B45 08    mov eax,dword ptr ss:[ebp+8]
0042D624 .8B08       mov ecx,dword ptr ds:[eax]
0042D626 .50          push eax
0042D627 .FF51 04    call dword ptr ds:[ecx+4]
0042D62A .8B55 10    mov edx,dword ptr ss:[ebp+10]
0042D62D .8B45 0C    mov eax,dword ptr ss:[ebp+C]
0042D630 .8932       mov dword ptr ds:[edx],esi
0042D632 .8B10       mov edx,dword ptr ds:[eax]                   ;注册名tigerisme送edx
0042D634 .8D4D C0    lea ecx,dword ptr ss:[ebp-40]
0042D637 .8975 DC    mov dword ptr ss:[ebp-24],esi
0042D63A .8975 CC    mov dword ptr ss:[ebp-34],esi
0042D63D .8975 C4    mov dword ptr ss:[ebp-3C],esi
0042D640 .8975 C0    mov dword ptr ss:[ebp-40],esi
0042D643 .8975 B8    mov dword ptr ss:[ebp-48],esi
0042D646 .8975 A8    mov dword ptr ss:[ebp-58],esi
0042D649 .8975 98    mov dword ptr ss:[ebp-68],esi
0042D64C .8975 88    mov dword ptr ss:[ebp-78],esi
0042D64F .89B5 78FFFFFF mov dword ptr ss:[ebp-88],esi
0042D655 .89B5 68FFFFFF mov dword ptr ss:[ebp-98],esi
0042D65B .89B5 58FFFFFF mov dword ptr ss:[ebp-A8],esi
0042D661 .89B5 48FFFFFF mov dword ptr ss:[ebp-B8],esi
0042D667 .89B5 38FFFFFF mov dword ptr ss:[ebp-C8],esi
0042D66D .89B5 28FFFFFF mov dword ptr ss:[ebp-D8],esi
0042D673 .89B5 18FFFFFF mov dword ptr ss:[ebp-E8],esi
0042D679 .89B5 08FFFFFF mov dword ptr ss:[ebp-F8],esi
0042D67F .89B5 F8FEFFFF mov dword ptr ss:[ebp-108],esi
0042D685 .89B5 E8FEFFFF mov dword ptr ss:[ebp-118],esi
0042D68B .89B5 D8FEFFFF mov dword ptr ss:[ebp-128],esi
0042D691 .FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
0042D697 .8B55 C0    mov edx,dword ptr ss:[ebp-40]                ;tigerisme放入ebp-40，并送edx
0042D69A .8B3D 30104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaLenBstr>>;MSVBVM60.__vbaLenBstr
0042D6A0 .8D4D C0    lea ecx,dword ptr ss:[ebp-40]
0042D6A3 .BE 08000000 mov esi,8                                  ;esi=8
0042D6A8 .BB 08400000 mov ebx,4008                               ;ebx=4008
0042D6AD .52          push edx                                     ;tigerisme
0042D6AE .C785 20FFFFFF>mov dword ptr ss:[ebp-E0],all2text.00408710 ;i送ebp-E0**********************

——————————————————————————
我们停在这里看一下：

下d 00408710命令，则看到数据处显示：
0000871049 00 00 00 02 00 00 00I......
这里是将固定值I放入注册名中，后面还有两处

0000871856 00 00 00 02 00 00 00V......
0000872059 00 00 00 08 00 00 00Y......
——————————————————————————

0042D6B8 .89B5 18FFFFFF mov dword ptr ss:[ebp-E8],esi                ;ebp-E8=8
0042D6BE .898D 30FFFFFF mov dword ptr ss:[ebp-D0],ecx
0042D6C4 .899D 28FFFFFF mov dword ptr ss:[ebp-D8],ebx                ;ebp-D8=4008
0042D6CA .FFD7       call edi                                     ;<&MSVBVM60.__vbaLenBstr>
0042D6CC .83C0 01    add eax,1                                  ;这里是注册名位数9与1相加，等于A
0042D6CF .0F80 07060000 jo all2text.0042DCDC
0042D6D5 .99          cdq
0042D6D6 .2BC2       sub eax,edx                                  ;A-0
0042D6D8 .D1F8       sar eax,1                                  ;A与1进行sar运算，结果为5
0042D6DA .50          push eax                                     ;eax为5
0042D6DB .8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
0042D6E1 .50          push eax
0042D6E2 .8D4D A8    lea ecx,dword ptr ss:[ebp-58]
0042D6E5 .51          push ecx
0042D6E6 .FF15 18124000 call dword ptr ds:[<&MSVBVM60.#617>]       ;MSVBVM60.rtcLeftCharVar
0042D6EC .8B4D C0    mov ecx,dword ptr ss:[ebp-40]                ;tigerisme送ecx
0042D6EF .8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
0042D6F5 .50          push eax
0042D6F6 .8D55 C0    lea edx,dword ptr ss:[ebp-40]
0042D6F9 .51          push ecx                                     ;ecx为tigerisme
0042D6FA .C785 10FFFFFF>mov dword ptr ss:[ebp-F0],all2text.00408718 ;v送ebp-F0**********************
0042D704 .89B5 08FFFFFF mov dword ptr ss:[ebp-F8],esi                ;ebp-F8等于8
0042D70A .C745 80 04000>mov dword ptr ss:[ebp-80],80020004          ;等于80020004
0042D711 .C785 78FFFFFF>mov dword ptr ss:[ebp-88],0A                ;等于0A
0042D71B .8995 00FFFFFF mov dword ptr ss:[ebp-100],edx             ;ebp-100等于tigerisme
0042D721 .899D F8FEFFFF mov dword ptr ss:[ebp-108],ebx             ;ebx=4008
0042D727 .FFD7       call edi                                     ;<&MSVBVM60.__vbaLenBstr>
0042D729 .8B1D E4104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>]    ;MSVBVM60.rtcMidCharVar
0042D72F .83C0 01    add eax,1                                  ;9+1=A
0042D732 .0F80 A4050000 jo all2text.0042DCDC
0042D738 .99          cdq
0042D739 .2BC2       sub eax,edx                                  ;A-0
0042D73B .D1F8       sar eax,1                                  ;A与1进行sar运算
0042D73D .50          push eax                                     ;5
0042D73E .8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
0042D744 .52          push edx
0042D745 .8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
0042D74B .50          push eax
0042D74C .FFD3       call ebx                                     ;<&MSVBVM60.#632>
0042D74E .8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
0042D754 .51          push ecx
0042D755 .8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042D758 .52          push edx
0042D759 .8D45 98    lea eax,dword ptr ss:[ebp-68]
0042D75C .89B5 D8FEFFFF mov dword ptr ss:[ebp-128],esi             ;ebp-128等于8
0042D762 .8B35 84114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ;MSVBVM60.__vbaVarCat
0042D768 .50          push eax
0042D769 .C785 E0FEFFFF>mov dword ptr ss:[ebp-120],all2text.00408720 ;y送ebp-120**********************
0042D773 .FFD6       call esi                                     ;<&MSVBVM60.__vbaVarCat>
0042D775 .50          push eax
0042D776 .8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
0042D77C .51          push ecx
0042D77D .8D55 88    lea edx,dword ptr ss:[ebp-78]
0042D780 .52          push edx
0042D781 .FFD6       call esi                                     ;<&MSVBVM60.__vbaVarCat>
0042D783 .50          push eax
0042D784 .8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
0042D78A .50          push eax
0042D78B .8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
0042D791 .51          push ecx
0042D792 .FFD6       call esi                                     ;<&MSVBVM60.__vbaVarCat>
0042D794 .50          push eax
0042D795 .8D95 D8FEFFFF lea edx,dword ptr ss:[ebp-128]
0042D79B .52          push edx
0042D79C .8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
0042D7A2 .50          push eax
0042D7A3 .FFD6       call esi                                     ;<&MSVBVM60.__vbaVarCat>
0042D7A5 .50          push eax
0042D7A6 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>;MSVBVM60.__vbaStrVarMove
0042D7AC .8BD0       mov edx,eax                                  ;结果为ItigerVrismeY
0042D7AE .8D4D C0    lea ecx,dword ptr ss:[ebp-40]
0042D7B1 .FF15 24124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
0042D7B7 .8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0042D7BD .51          push ecx
0042D7BE .8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
0042D7C4 .52          push edx
0042D7C5 .8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
0042D7CB .50          push eax
0042D7CC .8D4D 88    lea ecx,dword ptr ss:[ebp-78]
0042D7CF .51          push ecx
0042D7D0 .8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0042D7D6 .52          push edx
0042D7D7 .8D45 98    lea eax,dword ptr ss:[ebp-68]
0042D7DA .50          push eax
0042D7DB .8D4D A8    lea ecx,dword ptr ss:[ebp-58]
0042D7DE .51          push ecx
0042D7DF .6A 07       push 7
0042D7E1 .FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
0042D7E7 .83C4 20    add esp,20
0042D7EA .8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
0042D7F0 .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042D7F3 .C785 30FFFFFF>mov dword ptr ss:[ebp-D0],all2text.00406834
0042D7FD .C785 28FFFFFF>mov dword ptr ss:[ebp-D8],8
0042D807 .FF15 04124000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>] ;MSVBVM60.__vbaVarCopy
0042D80D .8B55 C0    mov edx,dword ptr ss:[ebp-40]                ;ItigerVrismeY送edx
0042D810 .52          push edx                                     ;ItigerVrismeY等于edx
0042D811 .FFD7       call edi                                     ;<&MSVBVM60.__vbaLenBstr>
0042D813 .8BC8       mov ecx,eax                                  ;eax=ecx
0042D815 .FF15 0C114000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]    ;MSVBVM60.__vbaI2I4
0042D81B .BF 02000000 mov edi,2                                  ;2送edi
0042D820 .8985 D0FEFFFF mov dword ptr ss:[ebp-130],eax             ;ebp-130等于D
0042D826 .B8 01000000 mov eax,1
0042D82B .8945 C8    mov dword ptr ss:[ebp-38],eax                ;ebp-38等于1
0042D82E >66:3B85 D0FEF>cmp ax,word ptr ss:[ebp-130]                ;循环与D进行比较，即与13比较
0042D835 .0F8F 0B010000 jg all2text.0042D946                         ;大于D则跳转
0042D83B .8D55 A8    lea edx,dword ptr ss:[ebp-58]                ;ebp-58等于ItigerVrismeY
0042D83E .52          push edx
0042D83F .0FBFC0    movsx eax,ax
0042D842 .8D4D C0    lea ecx,dword ptr ss:[ebp-40]
0042D845 .898D 30FFFFFF mov dword ptr ss:[ebp-D0],ecx
0042D84B .50          push eax
0042D84C .8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8]
0042D852 .51          push ecx
0042D853 .8D55 98    lea edx,dword ptr ss:[ebp-68]
0042D856 .52          push edx
0042D857 .C745 B0 01000>mov dword ptr ss:[ebp-50],1                ;ebp-50=tiger，即字符传的前半部分
0042D85E .897D A8    mov dword ptr ss:[ebp-58],edi
0042D861 .C785 28FFFFFF>mov dword ptr ss:[ebp-D8],4008
0042D86B .FFD3       call ebx
0042D86D .6A 01       push 1
0042D86F .8D45 CC    lea eax,dword ptr ss:[ebp-34]
0042D872 .50          push eax
0042D873 .8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
0042D879 .51          push ecx
0042D87A .8D55 88    lea edx,dword ptr ss:[ebp-78]
0042D87D .52          push edx
0042D87E .C785 10FFFFFF>mov dword ptr ss:[ebp-F0],8                ;ebp-F0等于8
0042D888 .89BD 08FFFFFF mov dword ptr ss:[ebp-F8],edi
0042D88E .FFD6       call esi
0042D890 .50          push eax
0042D891 .8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
0042D897 .50          push eax
0042D898 .FF15 18124000 call dword ptr ds:[<&MSVBVM60.#617>]       ;MSVBVM60.rtcLeftCharVar
0042D89E .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042D8A1 .51          push ecx
0042D8A2 .8D55 B8    lea edx,dword ptr ss:[ebp-48]
0042D8A5 .52          push edx
0042D8A6 .FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
0042D8AC .50          push eax
0042D8AD .FF15 50104000 call dword ptr ds:[<&MSVBVM60.#516>]       ;MSVBVM60.rtcAnsiValueBstr
0042D8B3 .0FBFD8    movsx ebx,ax                               ;ItigerVrismeY字符逐个送ebx
0042D8B6 .8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
0042D8BC .50          push eax
0042D8BD .FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaI4ErrVar>];MSVBVM60.__vbaI4ErrVar
0042D8C3 .0FAFD8    imul ebx,eax                               ;ItigerVrismeY字符的ascii码与8相乘
0042D8C6 .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042D8C9 .51          push ecx
0042D8CA .8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
0042D8D0 .52          push edx
0042D8D1 .8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
0042D8D7 .0F80 FF030000 jo all2text.0042DCDC
0042D8DD .50          push eax
0042D8DE .899D 00FFFFFF mov dword ptr ss:[ebp-100],ebx             ;ebx=codeB，送ebp-100
0042D8E4 .C785 F8FEFFFF>mov dword ptr ss:[ebp-108],3                ;ebp-108等于3
0042D8EE .FFD6       call esi
0042D8F0 .8BD0       mov edx,eax
0042D8F2 .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042D8F5 .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;MSVBVM60.__vbaVarMove
0042D8FB .8D4D B8    lea ecx,dword ptr ss:[ebp-48]
0042D8FE .FF15 5C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0042D904 .8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0042D90A .51          push ecx
0042D90B .8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0042D911 .52          push edx
0042D912 .8D45 88    lea eax,dword ptr ss:[ebp-78]
0042D915 .50          push eax
0042D916 .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042D919 .51          push ecx
0042D91A .8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042D91D .52          push edx
0042D91E .6A 05       push 5
0042D920 .FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
0042D926 .8B1D E4104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>]    ;codeB送ebx
0042D92C .B8 01000000 mov eax,1
0042D931 .83C4 18    add esp,18
0042D934 .66:0345 C8 add ax,word ptr ss:[ebp-38]                ;1+1
0042D938 .0F80 9E030000 jo all2text.0042DCDC
0042D93E .8945 C8    mov dword ptr ss:[ebp-38],eax                ;2
0042D941 .^ E9 E8FEFFFF jmp all2text.0042D82E
0042D946 >8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
0042D94C .8D4D DC    lea ecx,dword ptr ss:[ebp-24]
0042D94F .C785 30FFFFFF>mov dword ptr ss:[ebp-D0],all2text.00406834
0042D959 .C785 28FFFFFF>mov dword ptr ss:[ebp-D8],8
0042D963 .FF15 04124000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>] ;MSVBVM60.__vbaVarCopy
0042D969 .8D45 CC    lea eax,dword ptr ss:[ebp-34]
0042D96C .50          push eax
0042D96D .8D4D A8    lea ecx,dword ptr ss:[ebp-58]
0042D970 .51          push ecx
0042D971 .89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
0042D977 .89BD 28FFFFFF mov dword ptr ss:[ebp-D8],edi
0042D97D .FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ;MSVBVM60.__vbaLenVar
0042D983 .50          push eax
0042D984 .8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
0042D98A .52          push edx
0042D98B .8D45 98    lea eax,dword ptr ss:[ebp-68]
0042D98E .50          push eax
0042D98F .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarIdiv>] ;MSVBVM60.__vbaVarIdiv
0042D995 .50          push eax
0042D996 .FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>] ;MSVBVM60.__vbaI2Var
0042D99C .8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax             ;ebp-138等于13
0042D9A2 .B8 01000000 mov eax,1
0042D9A7 .8945 C8    mov dword ptr ss:[ebp-38],eax

0042D9AA >66:3B85 C8FEF>cmp ax,word ptr ss:[ebp-138]                ;循环到大于13
0042D9B1 .0F8F 47010000 jg all2text.0042DAFE                         ;大于13则跳转
0042D9B7 .0FBFD0    movsx edx,ax
0042D9BA .8D4D A8    lea ecx,dword ptr ss:[ebp-58]
0042D9BD .51          push ecx
0042D9BE .52          push edx
0042D9BF .8D45 CC    lea eax,dword ptr ss:[ebp-34]
0042D9C2 .50          push eax
0042D9C3 .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042D9C6 .51          push ecx
0042D9C7 .C745 B0 01000>mov dword ptr ss:[ebp-50],1
0042D9CE .897D A8    mov dword ptr ss:[ebp-58],edi
0042D9D1 .FFD3       call ebx
0042D9D3 .66:8B55 C8 mov dx,word ptr ss:[ebp-38]
0042D9D7 .8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
0042D9DD .50          push eax
0042D9DE .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042D9E1 .66:8995 10FFF>mov word ptr ss:[ebp-F0],dx
0042D9E8 .51          push ecx
0042D9E9 .8D55 88    lea edx,dword ptr ss:[ebp-78]
0042D9EC .52          push edx
0042D9ED .C785 60FFFFFF>mov dword ptr ss:[ebp-A0],1
0042D9F7 .89BD 58FFFFFF mov dword ptr ss:[ebp-A8],edi                ;ebp-A8等于2
0042D9FD .89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi                ;ebp-E0等于2
0042DA03 .89BD 18FFFFFF mov dword ptr ss:[ebp-E8],edi                ;ebp-E8等于2
0042DA09 .89BD 08FFFFFF mov dword ptr ss:[ebp-F8],edi                ;ebp-F8等于2
0042DA0F .FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ;MSVBVM60.__vbaLenVar
0042DA15 .50          push eax
0042DA16 .8D85 18FFFFFF lea eax,dword ptr ss:[ebp-E8]
0042DA1C .50          push eax
0042DA1D .8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0042DA23 .51          push ecx
0042DA24 .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarIdiv>] ;MSVBVM60.__vbaVarIdiv
0042DA2A .50          push eax
0042DA2B .8D95 08FFFFFF lea edx,dword ptr ss:[ebp-F8]
0042DA31 .52          push edx
0042DA32 .8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
0042DA38 .50          push eax
0042DA39 .FF15 F0114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ;MSVBVM60.__vbaVarAdd
0042DA3F .50          push eax
0042DA40 .FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ;MSVBVM60.__vbaI4Var
0042DA46 .50          push eax                                     ;14
0042DA47 .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042DA4A .51          push ecx
0042DA4B .8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
0042DA51 .52          push edx
0042DA52 .FFD3       call ebx
0042DA54 .8B1D 54124000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaI4ErrVar>;MSVBVM60.__vbaI4ErrVar
0042DA5A .8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
0042DA60 .50          push eax
0042DA61 .FFD3       call ebx                                     ;<&MSVBVM60.__vbaI4ErrVar>
0042DA63 .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042DA66 .8BD0       mov edx,eax
0042DA68 .51          push ecx
0042DA69 .8995 B4FEFFFF mov dword ptr ss:[ebp-14C],edx
0042DA6F .FFD3       call ebx                                     ;<&MSVBVM60.__vbaI4ErrVar>
0042DA71 .8B95 B4FEFFFF mov edx,dword ptr ss:[ebp-14C]
0042DA77 .03D0       add edx,eax
0042DA79 .8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0042DA7F .0F80 57020000 jo all2text.0042DCDC
0042DA85 .50          push eax
0042DA86 .8D4D DC    lea ecx,dword ptr ss:[ebp-24]
0042DA89 .8995 F0FEFFFF mov dword ptr ss:[ebp-110],edx
0042DA8F .51          push ecx
0042DA90 .8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
0042DA96 .52          push edx
0042DA97 .C785 E8FEFFFF>mov dword ptr ss:[ebp-118],3
0042DAA1 .FFD6       call esi
0042DAA3 .8BD0       mov edx,eax
0042DAA5 .8D4D DC    lea ecx,dword ptr ss:[ebp-24]
0042DAA8 .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;MSVBVM60.__vbaVarMove
0042DAAE .8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
0042DAB4 .50          push eax
0042DAB5 .8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0042DABB .51          push ecx
0042DABC .8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
0042DAC2 .52          push edx
0042DAC3 .8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
0042DAC9 .50          push eax
0042DACA .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042DACD .51          push ecx
0042DACE .8D55 98    lea edx,dword ptr ss:[ebp-68]
0042DAD1 .52          push edx
0042DAD2 .8D45 A8    lea eax,dword ptr ss:[ebp-58]
0042DAD5 .50          push eax
0042DAD6 .6A 07       push 7
0042DAD8 .FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
0042DADE .8B1D E4104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>]    ;MSVBVM60.rtcMidCharVar
0042DAE4 .B8 01000000 mov eax,1
0042DAE9 .83C4 20    add esp,20
0042DAEC .66:0345 C8 add ax,word ptr ss:[ebp-38]
0042DAF0 .0F80 E6010000 jo all2text.0042DCDC
0042DAF6 .8945 C8    mov dword ptr ss:[ebp-38],eax
0042DAF9 .^ E9 ACFEFFFF jmp all2text.0042D9AA
0042DAFE >8D55 DC    lea edx,dword ptr ss:[ebp-24]
0042DB01 .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042DB04 .FF15 04124000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>] ;MSVBVM60.__vbaVarCopy
0042DB0A .BA 34684000 mov edx,all2text.00406834                   ;32
0042DB0F .8D4D C0    lea ecx,dword ptr ss:[ebp-40]
0042DB12 .FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
0042DB18 .8D4D CC    lea ecx,dword ptr ss:[ebp-34]
0042DB1B .51          push ecx
0042DB1C .8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042DB1F .52          push edx
0042DB20 .89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
0042DB26 .89BD 28FFFFFF mov dword ptr ss:[ebp-D8],edi
0042DB2C .FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ;MSVBVM60.__vbaLenVar
0042DB32 .50          push eax
0042DB33 .8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
0042DB39 .50          push eax
0042DB3A .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042DB3D .51          push ecx
0042DB3E .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarIdiv>] ;MSVBVM60.__vbaVarIdiv
0042DB44 .50          push eax
0042DB45 .FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>] ;MSVBVM60.__vbaI2Var
0042DB4B .8985 C0FEFFFF mov dword ptr ss:[ebp-140],eax             ;C送ebp-140************************
0042DB51 .B8 01000000 mov eax,1
0042DB56 .8945 C8    mov dword ptr ss:[ebp-38],eax
0042DB59 > /66:3B85 C0FEFF>cmp ax,word ptr ss:[ebp-140]                ;ax逐个与C即12比较
0042DB60 . |0F8F CF000000jg all2text.0042DC35
0042DB66 . |66:6BC0 02 imul ax,ax,2                                  ;imul运算
0042DB6A . |0F80 6C010000jo all2text.0042DCDC
0042DB70 . |66:2D 0100 sub ax,1                                     ;结果分别为2，4，6，8……
0042DB74 . |0F80 62010000jo all2text.0042DCDC
0042DB7A . |8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042DB7D . |52          push edx
0042DB7E . |0FBFC0       movsx eax,ax                                  ;1，3，5，7，9……送eax
0042DB81 . |50          push eax
0042DB82 . |8D4D CC    lea ecx,dword ptr ss:[ebp-34]                ;ecx为C
0042DB85 . |51          push ecx
0042DB86 . |8D55 98    lea edx,dword ptr ss:[ebp-68]
0042DB89 . |52          push edx
0042DB8A . |897D B0    mov dword ptr ss:[ebp-50],edi                ;2送ebp-50
0042DB8D . |897D A8    mov dword ptr ss:[ebp-58],edi                ;2送ebp-58
0042DB90 . |FFD3       call ebx
0042DB92 . |8D45 98    lea eax,dword ptr ss:[ebp-68]
0042DB95 . |50          push eax
0042DB96 . |FF15 88114000call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]    ;经过运算eax分别得出54，C，33……记做codeA
0042DB9C . |8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042DB9F . |51          push ecx
0042DBA0 . |8D55 A8    lea edx,dword ptr ss:[ebp-58]                ;edx分别为54，C，33……
0042DBA3 . |52          push edx
0042DBA4 . |57          push edi
0042DBA5 . |8945 BC    mov dword ptr ss:[ebp-44],eax                ;ebp-44分别等于54，C……,记做codeA
0042DBA8 . |FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>>;MSVBVM60.__vbaFreeVarList
0042DBAE . |66:8B45 BC mov ax,word ptr ss:[ebp-44]
0042DBB2 . |66:99       cwd
0042DBB4 . |66:B9 1A00 mov cx,1A                                     ;1A送cx
0042DBB8 . |66:F7F9    idiv cx                                     ;codeA的ascii码除1A，余数记做codeB，余数放在edx中
0042DBBB . |83C4 0C    add esp,0C
0042DBBE . |8D45 A8    lea eax,dword ptr ss:[ebp-58]
0042DBC1 . |66:83C2 41 add dx,41                                     ;codeB分别与41相加，结果转成字符即分别为G，M……
0042DBC5 . |0F80 11010000jo all2text.0042DCDC
0042DBCB . |0FBFD2       movsx edx,dx
0042DBCE . |52          push edx
0042DBCF . |50          push eax
0042DBD0 . |FF15 68114000call dword ptr ds:[<&MSVBVM60.#608>]          ;MSVBVM60.rtcVarBstrFromAnsi
0042DBD6 . |8B4D C0    mov ecx,dword ptr ss:[ebp-40]
0042DBD9 . |8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042DBDC . |52          push edx
0042DBDD . |8D85 28FFFFFFlea eax,dword ptr ss:[ebp-D8]
0042DBE3 . |898D 30FFFFFFmov dword ptr ss:[ebp-D0],ecx
0042DBE9 . |50          push eax
0042DBEA . |8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042DBED . |51          push ecx
0042DBEE . |C785 28FFFFFF >mov dword ptr ss:[ebp-D8],8
0042DBF8 . |FFD6       call esi
0042DBFA . |50          push eax
0042DBFB . |FF15 2C104000call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>] ;算法call
0042DC01 . |8BD0       mov edx,eax                                  ;这里逐个出现注册码MG……，最后出现的是UMGZKMGNFZMG，即为真正注册码
0042DC03 . |8D4D C0    lea ecx,dword ptr ss:[ebp-40]
0042DC06 . |FF15 24124000call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
0042DC0C . |8D55 98    lea edx,dword ptr ss:[ebp-68]
0042DC0F . |52          push edx
0042DC10 . |8D45 A8    lea eax,dword ptr ss:[ebp-58]
0042DC13 . |50          push eax
0042DC14 . |57          push edi
0042DC15 . |FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>>;MSVBVM60.__vbaFreeVarList
0042DC1B . |B8 01000000 mov eax,1
0042DC20 . |83C4 0C    add esp,0C
0042DC23 . |66:0345 C8 add ax,word ptr ss:[ebp-38]
0042DC27 . |0F80 AF000000jo all2text.0042DCDC
0042DC2D . |8945 C8    mov dword ptr ss:[ebp-38],eax
0042DC30 .^\E9 24FFFFFF jmp all2text.0042DB59
0042DC35 >8B55 C0    mov edx,dword ptr ss:[ebp-40]
0042DC38 .8D4D C4    lea ecx,dword ptr ss:[ebp-3C]
0042DC3B .FF15 C4114000call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
0042DC41 .68 B5DC4200 push all2text.0042DCB5
0042DC46 .EB 53       jmp short all2text.0042DC9B
0042DC48 .F645 FC 04 test byte ptr ss:[ebp-4],4
0042DC4C .74 09       je short all2text.0042DC57
0042DC4E .8D4D C4    lea ecx,dword ptr ss:[ebp-3C]
0042DC51 .FF15 5C124000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0042DC57 >8D4D B8    lea ecx,dword ptr ss:[ebp-48]
0042DC5A .FF15 5C124000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0042DC60 .8D8D 38FFFFFFlea ecx,dword ptr ss:[ebp-C8]
0042DC66 .51          push ecx
0042DC67 .8D95 48FFFFFFlea edx,dword ptr ss:[ebp-B8]
0042DC6D .52          push edx
0042DC6E .8D85 58FFFFFFlea eax,dword ptr ss:[ebp-A8]
0042DC74 .50          push eax
0042DC75 .8D8D 68FFFFFFlea ecx,dword ptr ss:[ebp-98]
0042DC7B .51          push ecx
0042DC7C .8D95 78FFFFFFlea edx,dword ptr ss:[ebp-88]
0042DC82 .52          push edx
0042DC83 .8D45 88    lea eax,dword ptr ss:[ebp-78]
0042DC86 .50          push eax
0042DC87 .8D4D 98    lea ecx,dword ptr ss:[ebp-68]
0042DC8A .51          push ecx
0042DC8B .8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042DC8E .52          push edx
0042DC8F .6A 08       push 8
0042DC91 .FF15 3C104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>>;MSVBVM60.__vbaFreeVarList
0042DC97 .83C4 24    add esp,24
0042DC9A .C3          retn

总结：算法基本思路我是有了，但还是在关键的地方没有弄清楚，还请高人指点

0042DB59 > /66:3B85 C0FEFF>cmp ax,word ptr ss:[ebp-140]                ;ax逐个与C即12比较
0042DB60 . |0F8F CF000000jg all2text.0042DC35
0042DB66 . |66:6BC0 02 imul ax,ax,2                                  ;imul运算
0042DB6A . |0F80 6C010000jo all2text.0042DCDC
0042DB70 . |66:2D 0100 sub ax,1                                     ;结果分别为2，4，6，8……
0042DB74 . |0F80 62010000jo all2text.0042DCDC
0042DB7A . |8D55 A8    lea edx,dword ptr ss:[ebp-58]
0042DB7D . |52          push edx
0042DB7E . |0FBFC0       movsx eax,ax                                  ;1，3，5，7，9……送eax
0042DB81 . |50          push eax
0042DB82 . |8D4D CC    lea ecx,dword ptr ss:[ebp-34]                ;ecx为C
0042DB85 . |51          push ecx
0042DB86 . |8D55 98    lea edx,dword ptr ss:[ebp-68]
0042DB89 . |52          push edx
0042DB8A . |897D B0    mov dword ptr ss:[ebp-50],edi                ;2送ebp-50
0042DB8D . |897D A8    mov dword ptr ss:[ebp-58],edi                ;2送ebp-58
0042DB90 . |FFD3       call ebx
0042DB92 . |8D45 98    lea eax,dword ptr ss:[ebp-68]
0042DB95 . |50          push eax
0042DB96 . |FF15 88114000call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]    ;经过运算eax分别得出54，C，33……记做codeA

这里的eax是如何运算得到的54，C，33……，我是菜鸟，向兄弟们学习！

[ 本帖最后由 tigerisme 于 2006-9-9 14:29 编辑 ]

页: [1]

飘云阁's Archiver

all to text1.5算法分析