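A brief analysis of Super String Batch Replace Tool (XReplace) 3.68
This post was last edited by PYG官方论坛 on 2016-2-3 11:11
Super String Batch Replace Tool is a tool for batch-replacing document content:
- It supports content replacement in many common office document formats: text/hypertext files (*.html;*.txt;*.htm) and Office documents, namely Word files (*.doc), Excel files (*.xls) and PowerPoint slide files (*.ppt).
- It can process not only many files in one batch but also many sets of replacements in one batch. For example, you can add several strings and have them processed in turn.
Download: http://www.yuneach.com/soft/XReplace.asp
The first segment is verified when the software starts.
It reads the registration code from the registry at VB and VBA Program Settings\XReplace\RegCode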
004423EE .C745 BC B4E94>mov dword ptr , XReplace.004>;"-" separator
004423F5 .C745 B4 08000>mov dword ptr , 8
004423FC .FF15 08124000 call dword ptr [<&MSVBVM60.__vbaVarDu>;msvbvm60.__vbaVarDup
00442402 .8B17 mov edx, dword ptr
00442404 .56 push esi
00442405 .8D4D D4 lea ecx, dword ptr
00442408 .6A FF push -1
0044240A .51 push ecx
0044240B .8D45 C4 lea eax, dword ptr
0044240E .52 push edx
0044240F .50 push eax
00442410 .FF15 4C114000 call dword ptr [<&MSVBVM60.#711>] ;msvbvm60.rtcSplit
00442416 .8D4D C4 lea ecx, dword ptr
00442419 .51 push ecx
0044241A .68 08200000 push 2008
0044241F .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaAryVa>;msvbvm60.__vbaAryVar
00442425 .8945 B0 mov dword ptr , eax
00442428 .8D55 B0 lea edx, dword ptr
0044242B .8D45 E8 lea eax, dword ptr
0044242E .52 push edx
004398A6 .B9 54504500 mov ecx, XReplace.00455054 ;ASCII "-"
004398AB .FF15 30124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;msvbvm60.__vbaStrMove
004398B1 .8D45 C8 lea eax, dword ptr
004398B4 .50 push eax
004398B5 .8D4D CC lea ecx, dword ptr
004398B8 .51 push ecx
004398B9 .6A 02 push 2
004398BB .FF15 D8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStrList
004398C1 .83C4 0C add esp, 0C
004398C4 >C745 FC 42000>mov dword ptr , 42
004398CB .8B15 54504500 mov edx, dword ptr
004398D1 .52 push edx ; /String => "5712074898-871-QXdmmYAaX1"
004398D2 .FF15 30104000 call dword ptr [<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
004398D8 .83F8 0D cmp eax, 0D
004398DB .7E 19 jle short XReplace.004398F6
004398DD .C745 FC 43000>mov dword ptr , 43
004398E4 .68 54504500 push XReplace.00455054 ;ASCII "-"
004398E9 .E8 A28A0000 call XReplace.00442390 ;key computation CALL
004398EE .66:A3 5050450>mov word ptr , ax
004398F4 .EB 10 jmp short XReplace.00439906
004398F6 > \C745 FC 45000>mov dword ptr , 45
004398FD .66:C705 50504>mov word ptr , 0
00439906 >C745 FC 47000>mov dword ptr , 47
0043990D .0FBF05 505045>movsx eax, word ptr ;FFFF
00439914 .85C0 test eax, eax ;test whether the return value of the CALL above is correct
00439916 .75 26 jnz short XReplace.0043993E
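At address 004398E9 the registration code is read from the registry and split, and the first segment is computed
...... (middle omitted)
004423EE .C745 BC B4E94>mov dword ptr , XReplace.004>;"-" separator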
004423F5 .C745 B4 08000>mov dword ptr , 8
004423FC .FF15 08124000 call dword ptr [<&MSVBVM60.__vbaVarDu>;msvbvm60.__vbaVarDup
00442402 .8B17 mov edx, dword ptr
00442404 .56 push esi
00442405 .8D4D D4 lea ecx, dword ptr
00442408 .6A FF push -1
0044240A .51 push ecx
0044240B .8D45 C4 lea eax, dword ptr
0044240E .52 push edx
0044240F .50 push eax
00442410 .FF15 4C114000 call dword ptr [<&MSVBVM60.#711>] ;msvbvm60.rtcSplit
00442416 .8D4D C4 lea ecx, dword ptr
00442419 .51 push ecx
0044241A .68 08200000 push 2008
0044241F .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaAryVa>;msvbvm60.__vbaAryVar
00442425 .8945 B0 mov dword ptr , eax
00442428 .8D55 B0 lea edx, dword ptr
0044242B .8D45 E8 lea eax, dword ptr
0044242E .52 push edx
0044242F .50 push eax
00442430 .FF15 2C124000 call dword ptr [<&MSVBVM60.__vbaAryCo>;msvbvm60.__vbaAryCopy
00442436 .8D4D C4 lea ecx, dword ptr
00442439 .8D55 D4 lea edx, dword ptr
0044243C .51 push ecx
0044243D .52 push edx
0044243E .6A 02 push 2
00442440 .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
00442446 .8B4D E8 mov ecx, dword ptr
00442449 .83C4 0C add esp, 0C
0044244C .3BCE cmp ecx, esi
0044244E .74 24 je short XReplace.00442474
00442450 .66:8339 01 cmp word ptr , 1
00442454 .75 1E jnz short XReplace.00442474
00442456 .8B71 14 mov esi, dword ptr
00442459 .8B41 10 mov eax, dword ptr
0044245C .F7DE neg esi
0044245E .3BF0 cmp esi, eax
00442460 .72 09 jb short XReplace.0044246B
00442462 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGener>;msvbvm60.__vbaGenerateBoundsError
00442468 .8B4D E8 mov ecx, dword ptr
0044246B >8D04B5 000000>lea eax, dword ptr
00442472 .EB 09 jmp short XReplace.0044247D
00442474 >FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGener>;msvbvm60.__vbaGenerateBoundsError
0044247A .8B4D E8 mov ecx, dword ptr
0044247D >8B49 0C mov ecx, dword ptr
00442480 .8B1401 mov edx, dword ptr
00442483 .52 push edx ;first segment obtained by splitting the registration code on "-": UNICODE "5712074898"
00442484 .68 4C504500 push XReplace.0045504C
00442489 .E8 92FCFFFF call XReplace.00442120 ;key algorithm for the first segment; just character substitution through a cipher table
0044248E .8BD0 mov edx, eax
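00442489 .E8 92FCFFFF call XReplace.00442120 ;key algorithm for the first segment
..... (middle omitted; a machine-code digit of 8 is replaced with 1, 1 is replaced with 6, 2 is replaced with 4) .....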
0044220B .68 48DE4000 push XReplace.0040DE48 ;0
00442210 .FFD7 call edi
00442212 .85C0 test eax, eax
00442214 .75 0E jnz short XReplace.00442224
00442216 .8B45 E0 mov eax, dword ptr
00442219 .50 push eax
0044221A .68 B4ED4000 push XReplace.0040EDB4 ;8
0044221F .E9 F4000000 jmp XReplace.00442318
00442224 >8B4D 9C mov ecx, dword ptr
00442227 .51 push ecx
00442228 .68 40DE4000 push XReplace.0040DE40 ;1
0044222D .FFD7 call edi
0044222F .85C0 test eax, eax
00442231 .75 0E jnz short XReplace.00442241
00442233 .8B55 E0 mov edx, dword ptr
00442236 .52 push edx
00442237 .68 BCED4000 push XReplace.0040EDBC ;6
0044223C .E9 D7000000 jmp XReplace.00442318
00442241 >8B45 9C mov eax, dword ptr
00442244 .50 push eax
00442245 .68 C4ED4000 push XReplace.0040EDC4 ;2
0044224A .FFD7 call edi
0044224C .85C0 test eax, eax
0044224E .75 0E jnz short XReplace.0044225E
00442250 .8B4D E0 mov ecx, dword ptr
00442253 .51 push ecx
00442254 .68 CCED4000 push XReplace.0040EDCC ;4
00442259 .E9 BA000000 jmp XReplace.00442318
0044225E >8B55 9C mov edx, dword ptr
00442261 .52 push edx
00442262 .68 44EC4000 push XReplace.0040EC44 ;3
00442267 .FFD7 call edi
00442269 .85C0 test eax, eax
0044226B .75 0E jnz short XReplace.0044227B
0044226D .8B45 E0 mov eax, dword ptr
00442270 .50 push eax
00442271 .68 48DE4000 push XReplace.0040DE48 ;0
00442276 .E9 9D000000 jmp XReplace.00442318
0044227B >8B4D 9C mov ecx, dword ptr
0044227E .51 push ecx
0044227F .68 CCED4000 push XReplace.0040EDCC ;4
00442284 .FFD7 call edi
00442286 .85C0 test eax, eax
00442288 .75 0E jnz short XReplace.00442298
0044228A .8B55 E0 mov edx, dword ptr
0044228D .52 push edx
0044228E .68 4CEC4000 push XReplace.0040EC4C ;5
00442293 .E9 80000000 jmp XReplace.00442318
00442298 >8B45 9C mov eax, dword ptr
0044229B .50 push eax
0044229C .68 4CEC4000 push XReplace.0040EC4C ;5
004422A1 .FFD7 call edi
004422A3 .85C0 test eax, eax
004422A5 .75 0B jnz short XReplace.004422B2
004422A7 .8B4D E0 mov ecx, dword ptr
004422AA .51 push ecx
004422AB .68 C4ED4000 push XReplace.0040EDC4 ;2
004422B0 .EB 66 jmp short XReplace.00442318
004422B2 >8B55 9C mov edx, dword ptr
004422B5 .52 push edx
004422B6 .68 BCED4000 push XReplace.0040EDBC ;6
004422BB .FFD7 call edi
004422BD .85C0 test eax, eax
004422BF .75 0B jnz short XReplace.004422CC
004422C1 .8B45 E0 mov eax, dword ptr
004422C4 .50 push eax
004422C5 .68 54EB4000 push XReplace.0040EB54 ;9
004422CA .EB 4C jmp short XReplace.00442318
004422CC >8B4D 9C mov ecx, dword ptr
004422CF .51 push ecx
004422D0 .68 5CEB4000 push XReplace.0040EB5C ;7
004422D5 .FFD7 call edi
004422D7 .85C0 test eax, eax
004422D9 .75 0B jnz short XReplace.004422E6
004422DB .8B55 E0 mov edx, dword ptr
004422DE .52 push edx
004422DF .68 40DE4000 push XReplace.0040DE40 ;1
004422E4 .EB 32 jmp short XReplace.00442318
004422E6 >8B45 9C mov eax, dword ptr
004422E9 .50 push eax
004422EA .68 B4ED4000 push XReplace.0040EDB4 ;8
004422EF .FFD7 call edi
004422F1 .85C0 test eax, eax
004422F3 .75 0B jnz short XReplace.00442300
004422F5 .8B4D E0 mov ecx, dword ptr
004422F8 .51 push ecx
004422F9 .68 44EC4000 push XReplace.0040EC44 ;3
004422FE .EB 18 jmp short XReplace.00442318
00442300 >8B55 9C mov edx, dword ptr
00442303 .52 push edx
00442304 .68 54EB4000 push XReplace.0040EB54 ;9
00442309 .FFD7 call edi
0044230B .85C0 test eax, eax
0044230D .75 12 jnz short XReplace.00442321
0044230F .8B45 E0 mov eax, dword ptr
00442312 .50 push eax
00442313 .68 5CEB4000 push XReplace.0040EB5C ;7
00442318 >FFD3 call ebx
0044231A .8BD0 mov edx, eax
0044231C .8D4D E0 lea ecx, dword ptr
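The second segment is the simplest. In the function selector at the top of the main window, choose Word document full-width/half-width replacement and click the Add button to trigger the check. What is checked is a constant string "781" (this was written wrong, it should be "871"; thanks to wgz001 for the reminder)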
004428A6 .C745 B8 B4E94>mov dword ptr , XReplace.004>;-
004428AD .C745 B0 08000>mov dword ptr , 8
004428B4 .FF15 08124000 call dword ptr [<&MSVBVM60.__vbaVarDu>;msvbvm60.__vbaVarDup
004428BA .8B4D 08 mov ecx, dword ptr
004428BD .56 push esi
004428BE .8D45 D0 lea eax, dword ptr
004428C1 .6A FF push -1
004428C3 .8B11 mov edx, dword ptr ;UNICODE "5712074898-872-QXdmmYAaXA"
004428C5 .50 push eax
004428C6 .8D45 C0 lea eax, dword ptr
004428C9 .52 push edx
004428CA .50 push eax
004428CB .FF15 4C114000 call dword ptr [<&MSVBVM60.#711>] ;msvbvm60.rtcSplit
004428D1 .8D4D C0 lea ecx, dword ptr
004428D4 .51 push ecx
004428D5 .68 08200000 push 2008
004428DA .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaAryVa>;msvbvm60.__vbaAryVar
004428E0 .8945 9C mov dword ptr , eax
004428E3 .8D55 9C lea edx, dword ptr
004428E6 .8D45 E8 lea eax, dword ptr
004428E9 .52 push edx
004428EA .50 push eax
004428EB .FF15 2C124000 call dword ptr [<&MSVBVM60.__vbaAryCo>;msvbvm60.__vbaAryCopy
004428F1 .8D4D C0 lea ecx, dword ptr
004428F4 .8D55 D0 lea edx, dword ptr
004428F7 .51 push ecx
004428F8 .52 push edx
004428F9 .6A 02 push 2
004428FB .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
00442901 .83C4 0C add esp, 0C
00442904 .BA F8CB4000 mov edx, XReplace.0040CBF8
00442909 .8D4D EC lea ecx, dword ptr
0044290C .FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaStrCo>;msvbvm60.__vbaStrCopy
00442912 .8B45 E8 mov eax, dword ptr
00442915 .50 push eax
00442916 .6A 01 push 1
00442918 .FF15 84114000 call dword ptr [<&MSVBVM60.__vbaUboun>;msvbvm60.__vbaUbound
0044291E .83F8 02 cmp eax, 2 ;check whether the array upper bound is less than 2
00442921 .0F8C 9C000000 jl XReplace.004429C3
00442927 .8B4D E8 mov ecx, dword ptr
0044292A .8D55 E0 lea edx, dword ptr
0044292D .51 push ecx
0044292E .52 push edx
0044292F .FF15 00124000 call dword ptr [<&MSVBVM60.__vbaAryLo>;msvbvm60.__vbaAryLock
00442935 .8B4D E0 mov ecx, dword ptr
00442938 .3BCE cmp ecx, esi
0044293A .74 29 je short XReplace.00442965
0044293C .66:8339 01 cmp word ptr , 1
00442940 .75 23 jnz short XReplace.00442965
00442942 .8B51 14 mov edx, dword ptr
00442945 .8B41 10 mov eax, dword ptr
00442948 .BE 01000000 mov esi, 1
0044294D .2BF2 sub esi, edx
0044294F .3BF0 cmp esi, eax
00442951 .72 09 jb short XReplace.0044295C
00442953 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGener>;msvbvm60.__vbaGenerateBoundsError
00442959 .8B4D E0 mov ecx, dword ptr
0044295C >8D04B5 000000>lea eax, dword ptr
00442963 .EB 09 jmp short XReplace.0044296E
00442965 >FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGener>;msvbvm60.__vbaGenerateBoundsError
0044296B .8B4D E0 mov ecx, dword ptr
0044296E >8B49 0C mov ecx, dword ptr
00442971 .8D55 B0 lea edx, dword ptr
00442974 .03C8 add ecx, eax
00442976 .6A 03 push 3
00442978 .8D45 D0 lea eax, dword ptr
0044297B .52 push edx
0044297C .50 push eax
0044297D .894D B8 mov dword ptr , ecx
00442980 .C745 B0 08400>mov dword ptr , 4008
00442987 .FF15 24124000 call dword ptr [<&MSVBVM60.#617>] ;msvbvm60.rtcLeftCharVar
0044298D .8D4D E0 lea ecx, dword ptr
00442990 .51 push ecx
00442991 .FF15 5C124000 call dword ptr [<&MSVBVM60.__vbaAryUn>;msvbvm60.__vbaAryUnlock
00442997 .8D55 D0 lea edx, dword ptr
0044299A .8D45 A0 lea eax, dword ptr
0044299D .52 push edx ; /var18
0044299E .50 push eax ; |var28
0044299F .C745 A8 BCE94>mov dword ptr , XReplace.004>; |871 constant value
004429A6 .C745 A0 08800>mov dword ptr , 8008 ; |
004429AD .FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq key comparison
004429B3 .8D4D D0 lea ecx, dword ptr
004429B6 .8BF0 mov esi, eax
004429B8 .FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVar
004429BE .66:F7DE neg si
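Third segment computation: the check is triggered when the Add button is pressed on the "Replace content" tab of the main window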
00442656 .C745 B0 B4E94>mov dword ptr , XReplace.0040>;-
0044265D .C745 A8 08000>mov dword ptr , 8
00442664 .FF15 08124000 call dword ptr [<&MSVBVM60.__vbaVarDup>;msvbvm60.__vbaVarDup
0044266A .8B4D 08 mov ecx, dword ptr
0044266D .57 push edi
0044266E .8D45 C8 lea eax, dword ptr
00442671 .6A FF push -1
00442673 .8B11 mov edx, dword ptr
00442675 .50 push eax
00442676 .8D45 B8 lea eax, dword ptr
00442679 .52 push edx
0044267A .50 push eax
0044267B .FF15 4C114000 call dword ptr [<&MSVBVM60.#711>] ;msvbvm60.rtcSplit
00442681 .8D4D B8 lea ecx, dword ptr
00442684 .51 push ecx
00442685 .68 08200000 push 2008
0044268A .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaAryVar>;msvbvm60.__vbaAryVar
00442690 .8945 A4 mov dword ptr , eax
00442693 .8D55 A4 lea edx, dword ptr
00442696 .8D45 E4 lea eax, dword ptr
00442699 .52 push edx
0044269A .50 push eax
0044269B .FF15 2C124000 call dword ptr [<&MSVBVM60.__vbaAryCop>;msvbvm60.__vbaAryCopy
004426A1 .8D4D B8 lea ecx, dword ptr
004426A4 .8D55 C8 lea edx, dword ptr
004426A7 .51 push ecx
004426A8 .52 push edx
004426A9 .6A 02 push 2
004426AB .FF15 38104000 call dword ptr [<&MSVBVM60.__vbaFreeVa>;msvbvm60.__vbaFreeVarList
004426B1 .83C4 0C add esp, 0C
004426B4 .BA F8CB4000 mov edx, XReplace.0040CBF8
004426B9 .8D4D E8 lea ecx, dword ptr
004426BC .FF15 D0114000 call dword ptr [<&MSVBVM60.__vbaStrCop>;msvbvm60.__vbaStrCopy
004426C2 .8B45 E4 mov eax, dword ptr
004426C5 .8B35 84114000 mov esi, dword ptr [<&MSVBVM60.__vbaU>;msvbvm60.__vbaUbound
004426CB .50 push eax
004426CC .6A 01 push 1
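004426CE .FFD6 call esi ;returns the upper bound of the array produced by the split; <&MSVBVM60.__vbaUbound>
004426D0 .83F8 02 cmp eax, 2 ;if the upper bound is less than 2, jump away and skip the third-segment comparison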
004426D3 .0F8C 16010000 jl XReplace.004427EF
004426D9 .8B4D E4 mov ecx, dword ptr
004426DC .51 push ecx
004426DD .6A 01 push 1
004426DF .FFD6 call esi
004426E1 .8BC8 mov ecx, eax
004426E3 .FF15 EC104000 call dword ptr [<&MSVBVM60.__vbaI2I4>] ;msvbvm60.__vbaI2I4
004426E9 .8945 94 mov dword ptr , eax
004426EC .BB 01000000 mov ebx, 1
004426F1 .BE 02000000 mov esi, 2
004426F6 >66:3B75 94 cmp si, word ptr
004426FA .8B4D E4 mov ecx, dword ptr
004426FD .7F 62 jg short XReplace.00442761
004426FF .3BCF cmp ecx, edi
00442701 .74 29 je short XReplace.0044272C
00442703 .66:8339 01 cmp word ptr , 1
00442707 .75 23 jnz short XReplace.0044272C
00442709 .8B51 14 mov edx, dword ptr
0044270C .8B41 10 mov eax, dword ptr
0044270F .0FBFFE movsx edi, si
00442712 .2BFA sub edi, edx
00442714 .3BF8 cmp edi, eax
00442716 .72 09 jb short XReplace.00442721
00442718 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGenera>;msvbvm60.__vbaGenerateBoundsError
0044271E .8B4D E4 mov ecx, dword ptr
00442721 >8D04BD 000000>lea eax, dword ptr
00442728 .33FF xor edi, edi
0044272A .EB 09 jmp short XReplace.00442735
0044272C >FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGenera>;msvbvm60.__vbaGenerateBoundsError
00442732 .8B4D E4 mov ecx, dword ptr
00442735 >8B55 E8 mov edx, dword ptr
00442738 .8B49 0C mov ecx, dword ptr
0044273B .52 push edx
0044273C .8B1401 mov edx, dword ptr
0044273F .52 push edx ; /String
00442740 .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; \__vbaStrCat
00442746 .8BD0 mov edx, eax
00442748 .8D4D E8 lea ecx, dword ptr
0044274B .FF15 30124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;msvbvm60.__vbaStrMove
00442751 .66:8BC3 mov ax, bx
00442754 .66:03C6 add ax, si
00442757 .0F80 F0000000 jo XReplace.0044284D
0044275D .8BF0 mov esi, eax
0044275F .^ EB 95 jmp short XReplace.004426F6
00442761 >8D55 DC lea edx, dword ptr
00442764 .51 push ecx
00442765 .52 push edx
00442766 .FF15 00124000 call dword ptr [<&MSVBVM60.__vbaAryLo>;msvbvm60.__vbaAryLock
0044276C .8B4D DC mov ecx, dword ptr
0044276F .3BCF cmp ecx, edi
00442771 .74 24 je short XReplace.00442797
00442773 .66:8339 01 cmp word ptr , 1
00442777 .75 1E jnz short XReplace.00442797
00442779 .8B71 14 mov esi, dword ptr
0044277C .8B41 10 mov eax, dword ptr
0044277F .F7DE neg esi
00442781 .3BF0 cmp esi, eax
00442783 .72 09 jb short XReplace.0044278E
00442785 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGener>;msvbvm60.__vbaGenerateBoundsError
0044278B .8B4D DC mov ecx, dword ptr
0044278E >8D04B5 000000>lea eax, dword ptr
00442795 .EB 09 jmp short XReplace.004427A0
00442797 >FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGener>;msvbvm60.__vbaGenerateBoundsError
0044279D .8B4D DC mov ecx, dword ptr
004427A0 >8B49 0C mov ecx, dword ptr
004427A3 .03C8 add ecx, eax
004427A5 .51 push ecx
004427A6 .E8 95F5FFFF call XReplace.00441D40 ;third segment computation CALL
004427AB .8BD0 mov edx, eax
004427AD .8D4D D8 lea ecx, dword ptr
004427B0 .FF15 30124000 call dword ptr [<&MSVBVM60.__vbaStrMo>;msvbvm60.__vbaStrMove
004427B6 .8D55 DC lea edx, dword ptr
004427B9 .52 push edx
004427BA .FF15 5C124000 call dword ptr [<&MSVBVM60.__vbaAryUn>;msvbvm60.__vbaAryUnlock
004427C0 .8B45 E8 mov eax, dword ptr
004427C3 .8B4D D8 mov ecx, dword ptr
004427C6 .50 push eax ;fake code UNICODE "QXdmmYAaX1"
004427C7 .51 push ecx ;real code UNICODE "QXdmmYAaXA"
004427C8 .FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaStrCm>;key comparison
004427A6 is the key CALL that computes the third segment
00441EA3 > \8B51 0C mov edx, dword ptr ;"5712074898"
00441EA6 .33C0 xor eax, eax
00441EA8 .83FB 01 cmp ebx, 1
00441EAB .8A0432 mov al, byte ptr ;take the last character
00441EAE .8945 D0 mov dword ptr , eax ;38
00441EB1 .75 28 jnz short XReplace.00441EDB
00441EB3 .85C9 test ecx, ecx
00441EB5 .74 56 je short XReplace.00441F0D
00441EB7 .66:3919 cmp word ptr , bx
00441EBA .75 51 jnz short XReplace.00441F0D
00441EBC .8B71 14 mov esi, dword ptr
00441EBF .8B41 10 mov eax, dword ptr
00441EC2 .F7DE neg esi
00441EC4 .3BF0 cmp esi, eax
00441EC6 .72 05 jb short XReplace.00441ECD
00441EC8 .FFD7 call edi
00441ECA .8B4D D8 mov ecx, dword ptr
00441ECD >8B51 0C mov edx, dword ptr
00441ED0 .8BC6 mov eax, esi
00441ED2 .33DB xor ebx, ebx
00441ED4 .8A1C02 mov bl, byte ptr
00441ED7 .8BF3 mov esi, ebx
00441ED9 .EB 49 jmp short XReplace.00441F24
00441EDB >85C9 test ecx, ecx
00441EDD .74 2E je short XReplace.00441F0D
00441EDF .66:8339 01 cmp word ptr , 1
00441EE3 .75 28 jnz short XReplace.00441F0D
00441EE5 .8B51 14 mov edx, dword ptr
00441EE8 .8B41 10 mov eax, dword ptr
00441EEB .83EB 02 sub ebx, 2
00441EEE .0F80 25020000 jo XReplace.00442119
00441EF4 .2BDA sub ebx, edx
00441EF6 .3BD8 cmp ebx, eax
00441EF8 .72 05 jb short XReplace.00441EFF
00441EFA .FFD7 call edi
00441EFC .8B4D D8 mov ecx, dword ptr
00441EFF >8B51 0C mov edx, dword ptr
00441F02 .8BC3 mov eax, ebx
00441F04 .33DB xor ebx, ebx
00441F06 .8A1C02 mov bl, byte ptr ;take the second-to-last character
00441F09 .8BF3 mov esi, ebx ;39
00441F0B .EB 17 jmp short XReplace.00441F24
00441F0D >FFD7 call edi
00441F0F .8B4D D8 mov ecx, dword ptr
00441F12 .33DB xor ebx, ebx
00441F14 .8B51 0C mov edx, dword ptr
00441F17 .8A1C02 mov bl, byte ptr
00441F1A .8BF3 mov esi, ebx
00441F1C .EB 06 jmp short XReplace.00441F24
00441F1E >8B3D D0104000 mov edi, dword ptr [<&MSVBVM60.__vbaG>;msvbvm60.__vbaGenerateBoundsError
00441F24 >85C9 test ecx, ecx
00441F26 .74 1E je short XReplace.00441F46
00441F28 .66:8339 01 cmp word ptr , 1
00441F2C .75 18 jnz short XReplace.00441F46
00441F2E .8B5D 84 mov ebx, dword ptr
00441F31 .8B51 14 mov edx, dword ptr
00441F34 .8B41 10 mov eax, dword ptr
00441F37 .2BDA sub ebx, edx
00441F39 .3BD8 cmp ebx, eax
00441F3B .72 05 jb short XReplace.00441F42
00441F3D .FFD7 call edi
00441F3F .8B4D D8 mov ecx, dword ptr
00441F42 >8BC3 mov eax, ebx
00441F44 .EB 05 jmp short XReplace.00441F4B
00441F46 >FFD7 call edi
00441F48 .8B4D D8 mov ecx, dword ptr
00441F4B >8B51 0C mov edx, dword ptr
00441F4E .33DB xor ebx, ebx
00441F50 .8A1C02 mov bl, byte ptr
00441F53 .8B55 D0 mov edx, dword ptr
00441F56 .23DA and ebx, edx ;bitwise AND of the first character and the last character
00441F58 .85C9 test ecx, ecx
00441F5A .74 22 je short XReplace.00441F7E
00441F5C .66:8339 01 cmp word ptr , 1
00441F60 .75 1C jnz short XReplace.00441F7E
00441F62 .8B7D 84 mov edi, dword ptr
00441F65 .8B51 14 mov edx, dword ptr
00441F68 .8B41 10 mov eax, dword ptr
00441F6B .2BFA sub edi, edx
00441F6D .3BF8 cmp edi, eax
00441F6F .72 09 jb short XReplace.00441F7A
00441F71 .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGenera>;msvbvm60.__vbaGenerateBoundsError
00441F77 .8B4D D8 mov ecx, dword ptr
00441F7A >8BC7 mov eax, edi
00441F7C .EB 05 jmp short XReplace.00441F83
00441F7E >FFD7 call edi
00441F80 .8B4D D8 mov ecx, dword ptr
00441F83 >8B49 0C mov ecx, dword ptr
00441F86 .33D2 xor edx, edx
00441F88 .8A1401 mov dl, byte ptr
00441F8B .8BFA mov edi, edx
00441F8D .0BFE or edi, esi ;bitwise OR of the first character and the second-to-last character
00441F8F .81FB 80000000 cmp ebx, 80 ;
00441F95 .7E 0F jle short XReplace.00441FA6 ;greater than 80
00441F97 .B8 00010000 mov eax, 100 ;
00441F9C .2BC3 sub eax, ebx ;100 minus ebx
00441F9E .0F80 75010000 jo XReplace.00442119
00441FA4 .8BD8 mov ebx, eax
00441FA6 >81FF 80000000 cmp edi, 80
00441FAC .7E 0F jle short XReplace.00441FBD ;greater than 80
00441FAE .B9 00010000 mov ecx, 100
00441FB3 .2BCF sub ecx, edi ;100 minus edi
00441FB5 .0F80 5E010000 jo XReplace.00442119
00441FBB .8BF9 mov edi, ecx
00441FBD >8B45 C4 mov eax, dword ptr
00441FC0 .85C0 test eax, eax
00441FC2 .74 22 je short XReplace.00441FE6
00441FC4 .66:8338 01 cmp word ptr , 1
00441FC8 .75 1C jnz short XReplace.00441FE6
00441FCA .8B4D 84 mov ecx, dword ptr
00441FCD .8B50 14 mov edx, dword ptr
00441FD0 .2BCA sub ecx, edx
00441FD2 .8BF1 mov esi, ecx
00441FD4 .8B48 10 mov ecx, dword ptr
00441FD7 .3BF1 cmp esi, ecx
00441FD9 .72 06 jb short XReplace.00441FE1
00441FDB .FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGenera>;msvbvm60.__vbaGenerateBoundsError
00441FE1 >8975 80 mov dword ptr , esi
00441FE4 .EB 09 jmp short XReplace.00441FEF
00441FE6 >FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaGenera>;msvbvm60.__vbaGenerateBoundsError
00441FEC .8945 80 mov dword ptr , eax
00441FEF >68 ACED4000 push XReplace.0040EDAC ; /A
00441FF4 .FF15 48104000 call dword ptr [<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00441FFA .0FBFC8 movsx ecx, ax
00441FFD .8BC7 mov eax, edi
00441FFF .BE 34000000 mov esi, 34
00442004 .0FAFC3 imul eax, ebx ;multiply
00442007 .0F80 0C010000 jo XReplace.00442119
0044200D .99 cdq
0044200E .F7FE idiv esi ;take the remainder
00442010 .03CA add ecx, edx ;add
00442012 .0F80 01010000 jo XReplace.00442119
00442018 .FF15 40114000 call dword ptr [<&MSVBVM60.__vbaUI1I4>>;msvbvm60.__vbaUI1I4
0044201E .8B55 C4 mov edx, dword ptr
00442021 .8BF7 mov esi, edi
00442023 .03F3 add esi, ebx
00442025 .8B5D C8 mov ebx, dword ptr
00442028 .8B4A 0C mov ecx, dword ptr ;fetch the character
0044202B .8B55 80 mov edx, dword ptr
0044202E .0F80 E5000000 jo XReplace.00442119
00442034 .880411 mov byte ptr , al
00442037 .B8 01000000 mov eax, 1
0044203C .81E6 FF000000 and esi, 0FF
00442042 .66:0345 E8 add ax, word ptr
00442046 .897D D0 mov dword ptr , edi
00442049 .8B7D DC mov edi, dword ptr
0044204C .0F80 C7000000 jo XReplace.00442119
00442052 .8945 E8 mov dword ptr , eax
00442055 .^ E9 EFFDFFFF jmp XReplace.00441E49 ;loop; the characters are appended to the string to produce the third segment.
0044205A >8B45 C4 mov eax, dword ptr
0044205D .8D4D 9C lea ecx, dword ptr
00442060 .51 push ecx
00442061 .8945 A4 mov dword ptr , eax
00442064 .C745 9C 11200>mov dword ptr , 2011
0044206B .FF15 38124000 call dword ptr [<&MSVBVM60.__vbaStrVar>;msvbvm60.__vbaStrVarCopy
00442071 .8B35 30124000 mov esi, dword ptr [<&MSVBVM60.__vbaS>;the correct third segment produced by the computation above: "QXdmmYAaXA"
00442077 .8BD0 mov edx, eax ;"QXdmmYAaXA"
00442079 .8D4D D4 lea ecx, dword ptr
0044207C .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
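This is my first time posting a cracking write-up, so please don't blame me if the analysis is incomplete.
I forgot the summary, so I am adding it here:
The software's registration code is split into three segments, separated by "-".
The first segment is obtained from the machine code by replacing the character at each position according to a cipher table.
The second segment is the fixed string "871".
The third segment is computed from the first segment.
The first and third segments can both be found in memory; building a memory keygen that extracts them segment by segment also works.

Supporting the OP. I also played with this all afternoon until my head was spinning, and I was only guessing.
Nothing more to say, the OP is awesome!
Supporting the OP, hahahaha
Learned something
Supporting the OP
I'm just a newbie, supporting the OP
Hard work pays off; the problem was going to be solved sooner or later
Very good post
Technical discussion thread
Hope everyone can exchange ideas and improve together~~~
Everyone can have a go at this kind of program that verifies the registration code in segments ~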