【Title】**背词王 3.7 Algorithm Analysis
【Author】dgrzh (交响诗篇)
【Tools】OD, PEiD
【Platform】XP SP2
【Software】**背词王 3.7
【Protection】Serial number
【Note】I'm a beginner; please correct me wherever I'm wrong~
【Process】PEiD shows no packer; compiler: Microsoft Visual Basic 5.0 / 6.0
Run the program, right-click - Menu - User Settings - Version Registration. It shows:
Front code:   Back code:
Register  91275844  12345678  (the front code is displayed automatically by the program; enter 12345678 as a fake back code)
Register button <- click here (message: registration code incorrect)
A string search turned up no usable clues, so use Search for - Names in current module, find MSVBVM60.__vbaStrCmp, and set a breakpoint on every reference.
With the breakpoints set, press F9 to run.
0068382F . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; breaks here, then step through with F8
00683835 . 8BF8 mov edi,eax
00683837 . 8D95 C4FEFFFF lea edx,dword ptr ss:[ebp-13C]
0068383D . F7DF neg edi
0068383F . 8D85 C8FEFFFF lea eax,dword ptr ss:[ebp-138]
00683845 . 52 push edx
00683846 . 1BFF sbb edi,edi
00683848 . 8D8D CCFEFFFF lea ecx,dword ptr ss:[ebp-134]
0068384E . 50 push eax
0068384F . 51 push ecx
00683850 . F7DF neg edi
00683852 . 6A 03 push 3
00683854 . F7DF neg edi
(code omitted)
...................................................................................
...................................................................................
7339DE99 8945 E4 mov dword ptr ss:[ebp-1C],eax
7339DE9C 85C0 test eax,eax
7339DE9E 7C 51 jl short MSVBVM60.7339DEF1
7339DEA0 6A 00 push 0
7339DEA2 6A 00 push 0
7339DEA4 68 69100000 push 1069
7339DEA9 FF15 C8103973 call dword ptr ds:[<&KERNEL32.GetCurrentThreadId>; kernel32.GetCurrentThreadId
7339DEAF 50 push eax
7339DEB0 FF15 28163973 call dword ptr ds:[<&USER32.PostThreadMessageA>] ; USER32.PostThreadMessageA
7339DEB6 8D45 9C lea eax,dword ptr ss:[ebp-64]
7339DEB9 50 push eax
7339DEBA 8BCE mov ecx,esi
7339DEBC E8 6159FFFF call MSVBVM60.73393822
7339DEC1 85C0 test eax,eax
7339DEC3 74 14 je short MSVBVM60.7339DED9
7339DEC5 8B45 9C mov eax,dword ptr ss:[ebp-64]
7339DEC8 8B88 20050000 mov ecx,dword ptr ds:[eax+520]
7339DECE 85C9 test ecx,ecx
7339DED0 74 07 je short MSVBVM60.7339DED9
7339DED2 6A FF push -1
7339DED4 E8 366C0000 call MSVBVM60.733A4B0F ; F8 to here and the program starts running.
Right-click - Menu - User Settings - Version Registration. It shows:
Front code:   Back code:
Register  91275844  12345678  (the front code is displayed automatically by the program; enter 12345678 as a fake back code)
Register button <- click here
........................................................................................................
00687667 . FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp  breaks here
0068766D . 8BF0 mov esi, eax
0068766F . 8D4D D8 lea ecx, dword ptr [ebp-28]
00687672 . F7DE neg esi
00687674 . 1BF6 sbb esi, esi
00687676 . F7DE neg esi
00687678 . F7DE neg esi
0068767A . FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
......................................................................................................
The stack shows:
0012D7EC 001F3C44 UNICODE "15527657"
0012D7F0 001F3BE4 UNICODE "12345678"
Plaintext comparison; the key spot has been found. Actually, with the breakpoints set, pressing F9 twice also breaks here, but then the program stops responding and OD cannot continue debugging.
Remove the breakpoint at 00687667 and go to the start of the procedure:
006872A6 . 68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; set an F2 breakpoint here
After setting the breakpoint, reload in OD; F9 once breaks at 0068382F, repeat the F8 stepping above until 7339DED4, where the program starts running.
Enter the fake back code; after clicking Register it breaks at 006872A6 (actually, pressing F9 once more also breaks here, but the program stops responding. I don't understand why.)
====================================================
====================================================
006872A6 . 68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; breaks here
006872AB . 64:A1 00000000 mov eax,dword ptr fs:[0]
006872B1 . 50 push eax
006872B2 . 64:8925 00000000 mov dword ptr fs:[0],esp
006872B9 . 81EC 28010000 sub esp,128
006872BF . 53 push ebx
006872C0 . 56 push esi
006872C1 . 57 push edi
006872C2 . 8965 F8 mov dword ptr ss:[ebp-8],esp
006872C5 . C745 FC A01D4000 mov dword ptr ss:[ebp-4],Super背?00401DA0
006872CC . A1 D0D06800 mov eax,dword ptr ds:[68D0D0]
006872D1 . 33FF xor edi,edi
006872D3 . 3BC7 cmp eax,edi ; (initial CPU selection)
006872D5 . 897D E8 mov dword ptr ss:[ebp-18],edi
006872D8 . 897D E4 mov dword ptr ss:[ebp-1C],edi
006872DB . 897D D8 mov dword ptr ss:[ebp-28],edi
006872DE . 897D D4 mov dword ptr ss:[ebp-2C],edi
006872E1 . 897D D0 mov dword ptr ss:[ebp-30],edi
006872E4 . 897D C0 mov dword ptr ss:[ebp-40],edi
006872E7 . 897D B0 mov dword ptr ss:[ebp-50],edi
006872EA . 897D A0 mov dword ptr ss:[ebp-60],edi
006872ED . 897D 90 mov dword ptr ss:[ebp-70],edi
006872F0 . 897D 80 mov dword ptr ss:[ebp-80],edi
006872F3 . 89BD 70FFFFFF mov dword ptr ss:[ebp-90],edi
006872F9 . 89BD 60FFFFFF mov dword ptr ss:[ebp-A0],edi
006872FF . 89BD 50FFFFFF mov dword ptr ss:[ebp-B0],edi
00687305 . 89BD 40FFFFFF mov dword ptr ss:[ebp-C0],edi
0068730B . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00687311 . 89BD F0FEFFFF mov dword ptr ss:[ebp-110],edi
00687317 . 75 10 jnz short Super背?00687329
00687319 . 68 D0D06800 push Super背?0068D0D0
0068731E . 68 60FF4200 push Super背?0042FF60
00687323 . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00687329 > 8B35 D0D06800 mov esi,dword ptr ds:[68D0D0]
0068732F . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00687332 . 51 push ecx
00687333 . 56 push esi
00687334 . 8B06 mov eax,dword ptr ds:[esi]
00687336 . FF90 F8060000 call dword ptr ds:[eax+6F8] ; converts the hard disk serial number into the front code 91275844
0068733C . 3BC7 cmp eax,edi
0068733E . DBE2 fclex
00687340 . 7D 12 jge short Super背?00687354
00687342 . 68 F8060000 push 6F8
00687347 . 68 B8344300 push Super背?004334B8
0068734C . 56 push esi
0068734D . 50 push eax
0068734E . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
00687354 > 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; front code
00687357 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0068735A . 897D D8 mov dword ptr ss:[ebp-28],edi
0068735D . FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00687363 . 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; front code
00687366 . 52 push edx
00687367 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0068736D . 8BC8 mov ecx,eax ; front code length
0068736F . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00687375 . 8B1D 3C104000 mov ebx,dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0068737B . 8985 DCFEFFFF mov dword ptr ss:[ebp-124],eax
00687381 . BE 01000000 mov esi,1
00687386 > 66:3BB5 DCFEFFFF cmp si,word ptr ss:[ebp-124] ; compare the counter with the front code length
0068738D . 0F8F 87000000 jg Super背?0068741A ; exit the loop when the counter exceeds the front code length
00687393 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00687396 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00687399 . 0FBFD6 movsx edx,si
0068739C . 8985 48FFFFFF mov dword ptr ss:[ebp-B8],eax
006873A2 . 51 push ecx
006873A3 . 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
006873A9 . 52 push edx
006873AA . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
006873AD . 50 push eax
006873AE . 51 push ecx
006873AF . C745 C8 01000000 mov dword ptr ss:[ebp-38],1
006873B6 . C745 C0 02000000 mov dword ptr ss:[ebp-40],2
006873BD . C785 40FFFFFF 08>mov dword ptr ss:[ebp-C0],4008
006873C7 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
006873CD . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
006873D0 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
006873D3 . 52 push edx
006873D4 . 50 push eax
006873D5 . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; take the front code character by character and convert each to its ASCII value
006873DB . 50 push eax ;
006873DC . FFD3 call ebx ;
006873DE . 66:03C7 add ax,di ; accumulate each character's ASCII value, result in ax
006873E1 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
006873E4 . 0F80 28030000 jo Super背?00687712
006873EA . 8BF8 mov edi,eax ; accumulated result
006873EC . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
006873F2 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
006873F5 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
006873F8 . 51 push ecx
006873F9 . 52 push edx
006873FA . 6A 02 push 2
006873FC . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00687402 . B8 01000000 mov eax,1 ; counter step set to 1
00687407 . 83C4 0C add esp,0C
0068740A . 66:03C6 add ax,si ; counter increases by 1 each iteration
0068740D . 0F80 FF020000 jo Super背?00687712
00687413 . 8BF0 mov esi,eax ;
00687415 .^ E9 6CFFFFFF jmp Super背?00687386
0068741A > 66:8BC7 mov ax,di ; accumulated result
0068741D . 66:B9 0900 mov cx,9 ;
00687421 . 66:6BC0 13 imul ax,ax,13 ; accumulated result multiplied by 13, result in ax
00687425 . 0F80 E7020000 jo Super背?00687712
0068742B . 66:99 cwd
0068742D . 66:F7F9 idiv cx ;
00687430 . 8955 DC mov dword ptr ss:[ebp-24],edx ; remainder of ax divided by 9 is stored in ss:[ebp-24]
00687433 . 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
00687436 . 52 push edx ; front code
00687437 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; front code length
0068743D . 8BC8 mov ecx,eax ;
0068743F . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00687445 . 8985 D4FEFFFF mov dword ptr ss:[ebp-12C],eax
0068744B . BE 01000000 mov esi,1
00687450 > 66:3BB5 D4FEFFFF cmp si,word ptr ss:[ebp-12C] ; compare the counter with the front code length
00687457 . 0F8F A9010000 jg Super背?00687606 ; exit the loop when greater than the front code length
0068745D . 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00687460 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00687463 . 0FBFFE movsx edi,si
00687466 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00687469 . 8985 F8FEFFFF mov dword ptr ss:[ebp-108],eax
0068746F . 898D 48FFFFFF mov dword ptr ss:[ebp-B8],ecx
00687475 . 52 push edx
00687476 . 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
0068747C . 57 push edi
0068747D . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00687480 . 50 push eax
00687481 . 51 push ecx
00687482 . C785 F0FEFFFF 08>mov dword ptr ss:[ebp-110],8
0068748C . C745 C8 01000000 mov dword ptr ss:[ebp-38],1
00687493 . C745 C0 02000000 mov dword ptr ss:[ebp-40],2
0068749A . C785 40FFFFFF 08>mov dword ptr ss:[ebp-C0],4008
006874A4 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
006874AA . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
006874AD . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
006874B0 . 8995 28FFFFFF mov dword ptr ss:[ebp-D8],edx
006874B6 . 50 push eax
006874B7 . 8D8D 20FFFFFF lea ecx,dword ptr ss:[ebp-E0]
006874BD . 57 push edi
006874BE . 8D55 90 lea edx,dword ptr ss:[ebp-70]
006874C1 . 51 push ecx
006874C2 . 52 push edx
006874C3 . C745 A8 01000000 mov dword ptr ss:[ebp-58],1
006874CA . C745 A0 02000000 mov dword ptr ss:[ebp-60],2
006874D1 . C785 20FFFFFF 08>mov dword ptr ss:[ebp-E0],4008
006874DB . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
006874E1 . 8B3D 30114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>>; MSVBVM60.__vbaStrVarVal
006874E7 . 8D45 90 lea eax,dword ptr ss:[ebp-70]
006874EA . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
006874ED . 50 push eax
006874EE . 51 push ecx
006874EF . FFD7 call edi ; take the front code's ASCII value character by character
006874F1 . 50 push eax ;
006874F2 . FFD3 call ebx
006874F4 . 66:8BD0 mov dx,ax ;
006874F7 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
006874FA . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
006874FD . 50 push eax
006874FE . 51 push ecx
006874FF . 66:8995 CAFEFFFF mov word ptr ss:[ebp-136],dx ;
00687506 . FFD7 call edi ; <&MSVBVM60.__vbaStrVarVal>
00687508 . 50 push eax ;
00687509 . FFD3 call ebx
0068750B . 66:8B8D CAFEFFFF mov cx,word ptr ss:[ebp-136] ;
00687512 . C745 80 02000000 mov dword ptr ss:[ebp-80],2
00687519 . 66:0FAFC8 imul cx,ax ; multiply the extracted ASCII value by itself
0068751D . 66:8BC6 mov ax,si ; current counter value
00687520 . 0F80 EC010000 jo Super背?00687712
00687526 . 66:6BC0 03 imul ax,ax,3 ; current value multiplied by 3, result in ax
0068752A . 0F80 E2010000 jo Super背?00687712
00687530 . 66:99 cwd
00687532 . 66:2BC2 sub ax,dx
00687535 . 66:D1F8 sar ax,1 ; ax divided by 2, keeping the quotient
00687538 . 66:03C8 add cx,ax ; squared value plus the quotient, result in cx
0068753B . 0F80 D1010000 jo Super背?00687712
00687541 . 66:034D DC add cx,word ptr ss:[ebp-24] ; add the value in ss:[ebp-24] to cx
00687545 . 0F80 C7010000 jo Super背?00687712
0068754B . 66:8BC1 mov ax,cx
0068754E . 66:B9 0A00 mov cx,0A
00687552 . 66:99 cwd
00687554 . 66:F7F9 idiv cx ; remainder of each position's result divided by A
00687557 . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
0068755D . 66:8955 88 mov word ptr ss:[ebp-78],dx
00687561 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00687564 . 52 push edx
00687565 . 50 push eax
00687566 . FF15 7C114000 call dword ptr ds:[<&MSVBVM60.#613>] ;
0068756C . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00687572 . 8D95 60FFFFFF lea edx,dword ptr ss:[ebp-A0]
00687578 . 51 push ecx
00687579 . 52 push edx
0068757A . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00687580 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
00687586 . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
0068758C . 50 push eax
0068758D . 51 push ecx
0068758E . 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
00687594 . 52 push edx
00687595 . FF15 34114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0068759B . 50 push eax ;
0068759C . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>] ; concatenating the remainders gives the real back code
006875A2 . 8BD0 mov edx,eax ;
006875A4 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
006875A7 . FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
006875AD . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
006875B0 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
006875B3 . 50 push eax
006875B4 . 51 push ecx
006875B5 . 6A 02 push 2
006875B7 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;
006875BD . 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
006875C3 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
006875C9 . 52 push edx
006875CA . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
006875D0 . 50 push eax
006875D1 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
006875D4 . 51 push ecx
006875D5 . 8D45 90 lea eax,dword ptr ss:[ebp-70]
006875D8 . 52 push edx
006875D9 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
006875DC . 50 push eax
006875DD . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
006875E0 . 51 push ecx
006875E1 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
006875E4 . 52 push edx
006875E5 . 50 push eax
006875E6 . 6A 08 push 8
006875E8 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; get the registration code length
006875EE . B8 01000000 mov eax,1 ; counter step set to 1
006875F3 . 83C4 30 add esp,30
006875F6 . 66:03C6 add ax,si ; counter increases by 1 each iteration
006875F9 . 0F80 13010000 jo Super背?00687712
006875FF . 8BF0 mov esi,eax ;
00687601 .^ E9 4AFEFFFF jmp Super背?00687450 ;
00687606 > A1 D0D06800 mov eax,dword ptr ds:[68D0D0]
0068760B . 85C0 test eax,eax
0068760D . 75 15 jnz short Super背?00687624
0068760F . 68 D0D06800 push Super背?0068D0D0
00687614 . 68 60FF4200 push Super背?0042FF60
00687619 . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
0068761F . A1 D0D06800 mov eax,dword ptr ds:[68D0D0]
00687624 > 8B08 mov ecx,dword ptr ds:[eax]
00687626 . 50 push eax
00687627 . FF91 14030000 call dword ptr ds:[ecx+314]
0068762D . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00687630 . 50 push eax
00687631 . 52 push edx
00687632 . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00687638 . 8BF0 mov esi,eax
0068763A . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0068763D . 51 push ecx
0068763E . 56 push esi
0068763F . 8B06 mov eax,dword ptr ds:[esi]
00687641 . FF90 A0000000 call dword ptr ds:[eax+A0]
00687647 . 85C0 test eax,eax
00687649 . DBE2 fclex
0068764B . 7D 12 jge short Super背?0068765F
0068764D . 68 A0000000 push 0A0
00687652 . 68 543E4300 push Super背?00433E54
00687657 . 56 push esi
00687658 . 50 push eax
00687659 . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
0068765F > 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; 12345678
00687662 . 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; 15527657
00687665 . 52 push edx
00687666 . 50 push eax
00687667 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; compare the real and fake back codes
0068766D . 8BF0 mov esi,eax ; if not equal, eax=-1
0068766F . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00687672 . F7DE neg esi
00687674 . 1BF6 sbb esi,esi
00687676 . F7DE neg esi
00687678 . F7DE neg esi
0068767A . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00687680 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00687683 . FF15 BC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00687689 . 66:F7DE neg si
0068768C . 1BF6 sbb esi,esi
0068768E . 68 FD766800 push Super背?006876FD
00687693 . F7DE neg esi
00687695 . 4E dec esi
00687696 . 8975 E0 mov dword ptr ss:[ebp-20],esi
00687699 . EB 51 jmp short Super背?006876EC
0068769B . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0068769E . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
006876A1 . 51 push ecx
006876A2 . 52 push edx
006876A3 . 6A 02 push 2
006876A5 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
006876AB . 83C4 0C add esp,0C
006876AE . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
006876B1 . FF15 BC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
006876B7 . 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
006876BD . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
006876C3 . 50 push eax
006876C4 . 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-90]
006876CA . 51 push ecx
006876CB . 8D45 80 lea eax,dword ptr ss:[ebp-80]
006876CE . 52 push edx
006876CF . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
006876D2 . 50 push eax
006876D3 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
006876D6 . 51 push ecx
006876D7 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
006876DA . 52 push edx
006876DB . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
006876DE . 50 push eax
006876DF . 51 push ecx
006876E0 . 6A 08 push 8
006876E2 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
006876E8 . 83C4 24 add esp,24
006876EB . C3 retn
006876EC > 8B35 B8114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
006876F2 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
006876F5 . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
006876F7 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
006876FA . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
006876FC . C3 retn
006876FD . 8B4D F0 mov ecx, dword ptr [ebp-10]
00687700 . 66:8B45 E0 mov ax, word ptr [ebp-20]
00687704 . 5F pop edi
00687705 . 5E pop esi
00687706 . 64:890D 00000>mov dword ptr fs:[0], ecx
0068770D . 5B pop ebx
0068770E . 8BE5 mov esp, ebp
00687710 . 5D pop ebp
00687711 . C3 retn
==================================================
==================================================
0067C716 . 68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
0067C71B . 64:A1 0000000>mov eax, dword ptr fs:[0]
0067C721 . 50 push eax
0067C722 . 64:8925 00000>mov dword ptr fs:[0], esp
0067C729 . 83EC 28 sub esp, 28
0067C72C . 53 push ebx
0067C72D . 56 push esi
0067C72E . 57 push edi
0067C72F . 8965 F4 mov dword ptr [ebp-C], esp
0067C732 . C745 F8 30184>mov dword ptr [ebp-8], 00401830
0067C739 . 8B7D 08 mov edi, dword ptr [ebp+8]
0067C73C . 8BC7 mov eax, edi
0067C73E . 83E0 01 and eax, 1
0067C741 . 8945 FC mov dword ptr [ebp-4], eax
0067C744 . 83E7 FE and edi, FFFFFFFE
0067C747 . 57 push edi
0067C748 . 897D 08 mov dword ptr [ebp+8], edi
0067C74B . 8B0F mov ecx, dword ptr [edi]
0067C74D . FF51 04 call dword ptr [ecx+4]
0067C750 . 33DB xor ebx, ebx
0067C752 . 895D E8 mov dword ptr [ebp-18], ebx
0067C755 . 895D E4 mov dword ptr [ebp-1C], ebx
0067C758 . 895D E0 mov dword ptr [ebp-20], ebx
0067C75B . 895D DC mov dword ptr [ebp-24], ebx
0067C75E . 895D D8 mov dword ptr [ebp-28], ebx
0067C761 . E8 3AAB0000 call 006872A0 ; this is the key call
0067C766 . 66:85C0 test ax, ax ; ax=0 jumps to failure
0067C769 . 0F84 04010000 je 0067C873 ; key jump; must not be taken
0067C76F . 8B35 54114000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCopy
0067C775 . BA 103E4300 mov edx, 00433E10
0067C77A . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C77D . FFD6 call esi ; <&MSVBVM60.__vbaStrCopy>
0067C77F . 8B17 mov edx, dword ptr [edi]
0067C781 . 8D45 E8 lea eax, dword ptr [ebp-18]
0067C784 . 50 push eax
0067C785 . 57 push edi
0067C786 . FF92 40070000 call dword ptr [edx+740]
0067C78C . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C78F . FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0067C795 . 8B0F mov ecx, dword ptr [edi]
0067C797 . 57 push edi
0067C798 . FF91 14030000 call dword ptr [ecx+314]
0067C79E . 8D55 D8 lea edx, dword ptr [ebp-28]
0067C7A1 . 50 push eax
0067C7A2 . 52 push edx
0067C7A3 . FF15 84104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0067C7A9 . 8BF8 mov edi, eax
0067C7AB . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C7AE . 51 push ecx
0067C7AF . 57 push edi
0067C7B0 . 8B07 mov eax, dword ptr [edi]
0067C7B2 . FF90 A0000000 call dword ptr [eax+A0]
0067C7B8 . 3BC3 cmp eax, ebx
0067C7BA . DBE2 fclex
0067C7BC . 7D 12 jge short 0067C7D0
0067C7BE . 68 A0000000 push 0A0
0067C7C3 . 68 543E4300 push 00433E54
0067C7C8 . 57 push edi
0067C7C9 . 50 push eax
0067C7CA . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0067C7D0 > 8B55 E8 mov edx, dword ptr [ebp-18]
0067C7D3 . 8D4D DC lea ecx, dword ptr [ebp-24]
0067C7D6 . 895D E8 mov dword ptr [ebp-18], ebx
0067C7D9 . FF15 94114000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0067C7DF . BA 483E4300 mov edx, 00433E48 ; UNICODE "value"
0067C7E4 . 8D4D E0 lea ecx, dword ptr [ebp-20]
0067C7E7 . FFD6 call esi
0067C7E9 . BA 303E4300 mov edx, 00433E30 ; UNICODE "register"
0067C7EE . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C7F1 . FFD6 call esi
0067C7F3 . 8D55 DC lea edx, dword ptr [ebp-24]
0067C7F6 . 8D45 E0 lea eax, dword ptr [ebp-20]
0067C7F9 . 52 push edx
0067C7FA . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C7FD . 50 push eax
0067C7FE . 51 push ecx
0067C7FF . E8 FCA40000 call 00686D00
0067C804 . 8B3D 58114000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStrList
0067C80A . 8D55 DC lea edx, dword ptr [ebp-24]
0067C80D . 8D45 E0 lea eax, dword ptr [ebp-20]
0067C810 . 52 push edx
0067C811 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C814 . 50 push eax
0067C815 . 51 push ecx
0067C816 . 6A 03 push 3
0067C818 . FFD7 call edi ; <&MSVBVM60.__vbaFreeStrList>
0067C81A . 83C4 10 add esp, 10
0067C81D . 8D4D D8 lea ecx, dword ptr [ebp-28]
0067C820 . FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0067C826 . BA 14384300 mov edx, 00433814
0067C82B . 8D4D E0 lea ecx, dword ptr [ebp-20]
0067C82E . FFD6 call esi
0067C830 . BA 683E4300 mov edx, 00433E68 ; UNICODE "rflag"
0067C835 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C838 . FFD6 call esi
0067C83A . BA 58394300 mov edx, 00433958 ; UNICODE "Security"
0067C83F . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C842 . FFD6 call esi
0067C844 . 8D55 E0 lea edx, dword ptr [ebp-20]
0067C847 . 8D45 E4 lea eax, dword ptr [ebp-1C]
0067C84A . 52 push edx
0067C84B . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C84E . 50 push eax
0067C84F . 51 push ecx
0067C850 . E8 ABA40000 call 00686D00
0067C855 . 8D55 E0 lea edx, dword ptr [ebp-20]
0067C858 . 8D45 E4 lea eax, dword ptr [ebp-1C]
0067C85B . 52 push edx
0067C85C . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C85F . 50 push eax
0067C860 . 51 push ecx
0067C861 . 6A 03 push 3
0067C863 . FFD7 call edi
0067C865 . 83C4 10 add esp, 10
0067C868 . 66:C705 50D06>mov word ptr [68D050], 0FFFF
0067C871 . EB 24 jmp short 0067C897
0067C873 > BA 783E4300 mov edx, 00433E78
0067C878 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C87B . FF15 54114000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0067C881 . 8B17 mov edx, dword ptr [edi]
0067C883 . 8D45 E8 lea eax, dword ptr [ebp-18]
0067C886 . 50 push eax
0067C887 . 57 push edi
0067C888 . FF92 40070000 call dword ptr [edx+740]
0067C88E . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C891 . FF15 B8114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0067C897 > 895D FC mov dword ptr [ebp-4], ebx
0067C89A . 68 C7C86700 push 0067C8C7
0067C89F . EB 25 jmp short 0067C8C6
0067C8A1 . 8D4D DC lea ecx, dword ptr [ebp-24]
0067C8A4 . 8D55 E0 lea edx, dword ptr [ebp-20]
0067C8A7 . 51 push ecx
0067C8A8 . 8D45 E4 lea eax, dword ptr [ebp-1C]
0067C8AB . 52 push edx
0067C8AC . 8D4D E8 lea ecx, dword ptr [ebp-18]
0067C8AF . 50 push eax
0067C8B0 . 51 push ecx
0067C8B1 . 6A 04 push 4
0067C8B3 . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0067C8B9 . 83C4 14 add esp, 14
0067C8BC . 8D4D D8 lea ecx, dword ptr [ebp-28]
0067C8BF . FF15 BC114000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0067C8C5 . C3 retn
0067C8C6 > C3 retn ; RET used as a jump to 0067C8C7
0067C8C7 > 8B45 08 mov eax, dword ptr [ebp+8]
0067C8CA . 50 push eax
0067C8CB . 8B10 mov edx, dword ptr [eax]
0067C8CD . FF52 08 call dword ptr [edx+8]
0067C8D0 . 8B45 FC mov eax, dword ptr [ebp-4]
0067C8D3 . 8B4D EC mov ecx, dword ptr [ebp-14]
0067C8D6 . 5F pop edi
0067C8D7 . 5E pop esi
0067C8D8 . 64:890D 00000>mov dword ptr fs:[0], ecx
0067C8DF . 5B pop ebx
0067C8E0 . 8BE5 mov esp, ebp
0067C8E2 . 5D pop ebp
0067C8E3 . C2 0400 retn 4
==================================================
==================================================
00687336 . FF90 F8060000 call dword ptr ds:[eax+6F8] ; converts the hard disk serial number into 91275844
....................................................................................................
00431986 . /E9 05172500 jmp Super背?00683090
0043198B |00 db 00
0043198C |00 db 00
0043198D |00 db 00
0043198E |00 db 00
0043198F |00 db 00
00431990 |54D16800 dd Super背?0068D154
(code omitted)
..............................................................
..............................................................
00683090 > \55 push ebp
00683091 . 8BEC mov ebp,esp
00683093 . 83EC 0C sub esp,0C
00683096 . 68 96204000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0068309B . 64:A1 00000000 mov eax,dword ptr fs:[0]
006830A1 . 50 push eax
006830A2 . 64:8925 00000000 mov dword ptr fs:[0],esp
006830A9 . 81EC A8000000 sub esp,0A8
006830AF . 53 push ebx
006830B0 . 56 push esi
006830B1 . 57 push edi
006830B2 . 8965 F4 mov dword ptr ss:[ebp-C],esp
006830B5 . C745 F8 701B4000 mov dword ptr ss:[ebp-8],Super背?00401B70
006830BC . 33DB xor ebx,ebx
006830BE . 895D FC mov dword ptr ss:[ebp-4],ebx
006830C1 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
006830C4 . 50 push eax
006830C5 . 8B08 mov ecx,dword ptr ds:[eax]
006830C7 . FF51 04 call dword ptr ds:[ecx+4]
006830CA . 8B55 0C mov edx,dword ptr ss:[ebp+C]
006830CD . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
006830D0 . 53 push ebx
006830D1 . 50 push eax
006830D2 . 895D E8 mov dword ptr ss:[ebp-18],ebx
006830D5 . 895D E4 mov dword ptr ss:[ebp-1C],ebx
006830D8 . 895D E0 mov dword ptr ss:[ebp-20],ebx
006830DB . 895D DC mov dword ptr ss:[ebp-24],ebx
006830DE . 895D D8 mov dword ptr ss:[ebp-28],ebx
006830E1 . 895D D4 mov dword ptr ss:[ebp-2C],ebx
006830E4 . 895D C4 mov dword ptr ss:[ebp-3C],ebx
006830E7 . 895D B4 mov dword ptr ss:[ebp-4C],ebx
006830EA . 895D A4 mov dword ptr ss:[ebp-5C],ebx
006830ED . 895D 94 mov dword ptr ss:[ebp-6C],ebx
006830F0 . 895D 84 mov dword ptr ss:[ebp-7C],ebx
006830F3 . 899D 74FFFFFF mov dword ptr ss:[ebp-8C],ebx
006830F9 . 899D 54FFFFFF mov dword ptr ss:[ebp-AC],ebx
006830FF . 891A mov dword ptr ds:[edx],ebx
00683101 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
00683107 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068310A . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
0068310D . 51 push ecx
0068310E . 68 00040000 push 400
00683113 . 52 push edx
00683114 . FF15 1C114000 call dword ptr ds:[<&MSVBVM60.#607>] ; MSVBVM60.rtcStringVar
0068311A . 8B3D 20104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>; MSVBVM60.__vbaStrVarMove
00683120 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00683123 . 50 push eax
00683124 . FFD7 call edi ; <&MSVBVM60.__vbaStrVarMove>
00683126 . 8B35 94114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0068312C . 8BD0 mov edx,eax
0068312E . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00683131 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00683133 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00683136 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00683139 . 51 push ecx
0068313A . 52 push edx
0068313B . 6A 02 push 2
0068313D . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00683143 . 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00683146 . 83C4 0C add esp,0C
00683149 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0068314C . 50 push eax
0068314D . 51 push ecx
0068314E . FF15 74114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>] ; MSVBVM60.__vbaStrToAnsi
00683154 . 50 push eax
00683155 . E8 6606DBFF call Super背?004337C0
0068315A . DDD8 fstp st
0068315C . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystemErro>; MSVBVM60.__vbaSetSystemError
00683162 . 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; get the hard disk serial number (ASCII " 5MT1A8DX")
00683165 . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00683168 . 52 push edx
00683169 . 50 push eax
0068316A . FF15 0C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToUnicode>>; eax= (ASCII " 5MT1A8DX")
00683170 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00683173 . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00683179 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068317C . 53 push ebx
0068317D . 51 push ecx
0068317E . FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
00683184 . 53 push ebx
00683185 . 6A FF push -1
00683187 . 6A 01 push 1
00683189 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0068318C . 68 881E4300 push Super背?00431E88
00683191 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00683194 . 52 push edx
00683195 . 50 push eax
00683196 . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0068319C . 50 push eax
0068319D . 8B4D E0 mov ecx,dword ptr ss:[ebp-20] ; ecx= (UNICODE " 5MT1A8DX")
006831A0 . 51 push ecx
006831A1 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.#712>] ; MSVBVM60.rtcReplace
006831A7 . 8945 BC mov dword ptr ss:[ebp-44],eax ; eax= (UNICODE " 5MT1A8DX")
006831AA . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
006831AD . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
006831B0 . 52 push edx
006831B1 . 50 push eax
006831B2 . C745 B4 08000000 mov dword ptr ss:[ebp-4C],8
006831B9 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
006831BF . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
006831C2 . 51 push ecx
006831C3 . FFD7 call edi ; <&MSVBVM60.__vbaStrVarMove>
006831C5 . 8BD0 mov edx,eax ; eax=(UNICODE "5MT1A8DX")
006831C7 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
006831CA . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
006831CC . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
006831CF . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
006831D5 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
006831D8 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
006831DB . 52 push edx
006831DC . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
006831DF . 50 push eax
006831E0 . 51 push ecx
006831E1 . 6A 03 push 3
006831E3 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
006831E9 . 8B1D 1C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
006831EF . 83C4 10 add esp,10
006831F2 > 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; holds the current hard disk serial number
006831F5 . 52 push edx ;
006831F6 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; length of the current hard disk serial number
006831FC . 85C0 test eax,eax ; check whether the length is 0; if 0, exit the loop
006831FE . 0F8E CB000000 jle Super背?006832CF
00683204 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
0068320A . 6A 01 push 1
0068320C . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0068320F . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00683212 . 51 push ecx
00683213 . 52 push edx
00683214 . 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0068321A . C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
00683224 . FF15 88114000 call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
0068322A . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0068322D . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00683230 . 50 push eax
00683231 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00683234 . 51 push ecx
00683235 . 52 push edx
00683236 . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; take the hard disk serial's ASCII value character by character into eax
0068323C . 50 push eax ;
0068323D . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00683243 . 66:99 cwd
00683245 . 66:B9 0A00 mov cx,0A
00683249 . 66:F7F9 idiv cx ; remainder of the value divided by A
0068324C . 52 push edx
0068324D . FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; convert the remainder to its ASCII character
00683253 . 8BD0 mov edx,eax ;
00683255 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00683258 . FFD6 call esi
0068325A . 50 push eax
0068325B . FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; concatenate the remainders to get the new numeric string
00683261 . 8BD0 mov edx,eax ;
00683263 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00683266 . FFD6 call esi
00683268 . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0068326B . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0068326E . 52 push edx
0068326F . 50 push eax
00683270 . 6A 02 push 2
00683272 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00683278 . 83C4 0C add esp,0C
0068327B . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068327E . FFD3 call ebx
00683280 . 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; the current hard disk serial number
00683283 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00683286 . 52 push edx
00683287 . 898D 7CFFFFFF mov dword ptr ss:[ebp-84],ecx
0068328D . C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
00683297 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; length of the current hard disk serial number
0068329D . 83E8 01 sub eax,1 ; current length minus 1
006832A0 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
006832A3 . 0F80 F5010000 jo Super背?0068349E
006832A9 . 50 push eax
006832AA . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
006832B0 . 50 push eax
006832B1 . 51 push ecx
006832B2 . FF15 98114000 call dword ptr ds:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
006832B8 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
006832BB . 52 push edx
006832BC . FFD7 call edi ; save what remains of the hard disk serial number (all but the first character)
006832BE . 8BD0 mov edx,eax ;
006832C0 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ;
006832C3 . FFD6 call esi
006832C5 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
006832C8 . FFD3 call ebx
006832CA .^ E9 23FFFFFF jmp Super背?006831F2
006832CF > 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; the current new digit string
006832D2 . 50 push eax
006832D3 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; length of the current new digit string
006832D9 . 85C0 test eax,eax ; check whether the length is 0; if it is 0, leave the loop
006832DB . 0F8E 28010000 jle Super背?00683409
006832E1 . 8B4D E8 mov ecx,dword ptr ss:[ebp-18]
006832E4 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
006832EA . 898D 5CFFFFFF mov dword ptr ss:[ebp-A4],ecx
006832F0 . 6A 01 push 1
006832F2 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
006832F5 . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
006832F8 . 50 push eax
006832F9 . 51 push ecx
006832FA . C785 54FFFFFF 08>mov dword ptr ss:[ebp-AC],8
00683304 . 8995 7CFFFFFF mov dword ptr ss:[ebp-84],edx
0068330A . C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
00683314 . FF15 88114000 call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
0068331A . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0068331D . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00683320 . 52 push edx
00683321 . 50 push eax
00683322 . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00683328 . 50 push eax ;
00683329 . FF15 C0114000 call dword ptr ds:[<&MSVBVM60.#581>] ; take each digit of the new digit string as a real number into ST0
0068332F . DC0D 681B4000 fmul qword ptr ds:[401B68] ; multiply ST0 by the value at ds:[401B68]; the result goes back to ST0
00683335 . DFE0 fstsw ax ;
00683337 . A8 0D test al,0D
00683339 . 0F85 5A010000 jnz Super背?00683499
0068333F . FF15 84114000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; convert the decimal value in ST0 to an integer (shown in hex)
00683345 . 99 cdq ;
00683346 . B9 0A000000 mov ecx,0A
0068334B . C745 B4 03000000 mov dword ptr ss:[ebp-4C],3
00683352 . F7F9 idiv ecx ; divide the integer by 0xA (10) and keep the remainder
00683354 . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00683357 . 8955 BC mov dword ptr ss:[ebp-44],edx
0068335A . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
0068335D . 52 push edx
0068335E . 50 push eax
0068335F . FF15 7C114000 call dword ptr ds:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00683365 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00683368 . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0068336B . 51 push ecx
0068336C . 52 push edx
0068336D . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00683373 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
00683379 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0068337C . 50 push eax
0068337D . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00683380 . 51 push ecx
00683381 . 52 push edx
00683382 . FF15 34114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
00683388 . 50 push eax
00683389 . FFD7 call edi ; concatenate the remainders to obtain the front code
0068338B . 8BD0 mov edx,eax
0068338D . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00683390 . FFD6 call esi
00683392 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00683395 . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0068339B . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
0068339E . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
006833A1 . 50 push eax
006833A2 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
006833A5 . 51 push ecx
006833A6 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
006833A9 . 52 push edx
006833AA . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
006833AD . 50 push eax
006833AE . 51 push ecx
006833AF . 6A 05 push 5
006833B1 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
006833B7 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; get the current new digit string
006833BA . 83C4 18 add esp,18
006833BD . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
006833C0 . C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
006833CA . 50 push eax
006833CB . 8995 7CFFFFFF mov dword ptr ss:[ebp-84],edx
006833D1 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; get the length of the current new digit string
006833D7 . 83E8 01 sub eax,1 ; current length minus 1
006833DA . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
006833E0 . 0F80 B8000000 jo Super背?0068349E
006833E6 . 50 push eax
006833E7 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
006833EA . 51 push ecx
006833EB . 52 push edx
006833EC . FF15 98114000 call dword ptr ds:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
006833F2 . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
006833F5 . 50 push eax
006833F6 . FFD7 call edi ; get the current new digit string (all but the first digit)
006833F8 . 8BD0 mov edx,eax
006833FA . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
006833FD . FFD6 call esi
006833FF . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00683402 . FFD3 call ebx
00683404 .^ E9 C6FEFFFF jmp Super背?006832CF ;
00683409 > 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; display the front code
0068340C . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0068340F . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00683415 . 9B wait
00683416 . 68 72346800 push Super背?00683472
0068341B . EB 3F jmp short Super背?0068345C
0068341D . F645 FC 04 test byte ptr ss:[ebp-4],4
00683421 . 74 09 je short Super背?0068342C
00683423 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00683426 . FF15 B8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0068342C > 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0068342F . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00683432 . 51 push ecx
00683433 . 52 push edx
00683434 . 6A 02 push 2
00683436 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
0068343C . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
0068343F . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00683442 . 50 push eax
00683443 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
00683446 . 51 push ecx
00683447 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0068344A . 52 push edx
0068344B . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0068344E . 50 push eax
0068344F . 51 push ecx
00683450 . 6A 05 push 5
00683452 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00683458 . 83C4 24 add esp,24
0068345B . C3 retn
0068345C > 8B35 B8114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00683462 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00683465 . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
00683467 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0068346A . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
0068346C . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0068346F . FFD6 call esi ; <&MSVBVM60.__vbaFreeStr>
00683471 . C3 retn
00683472 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00683475 . 50 push eax
00683476 . 8B10 mov edx,dword ptr ds:[eax]
00683478 . FF52 08 call dword ptr ds:[edx+8]
0068347B . 8B45 0C mov eax,dword ptr ss:[ebp+C]
0068347E . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00683481 . 8908 mov dword ptr ds:[eax],ecx
00683483 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00683486 . 8B4D EC mov ecx,dword ptr ss:[ebp-14]
00683489 . 5F pop edi
0068348A . 5E pop esi
0068348B . 64:890D 00000000 mov dword ptr fs:[0],ecx
00683492 . 5B pop ebx
00683493 . 8BE5 mov esp,ebp
00683495 . 5D pop ebp
00683496 . C2 0800 retn 8
00683499 >^ E9 FEEBD7FF jmp <jmp.&MSVBVM60.__vbaFPException>
Algorithm summary:
Computing the front code: first obtain the hard disk serial number 5MT1A8DX. Loop over the serial one character at a time, take each character's ASCII value modulo 0xA (10), and concatenate the remainders to get 37495688.
Then loop over 37495688 one digit at a time: load each digit into ST0 as a real number and multiply it by the value at ds:[401B68] (3 on my machine) to get a decimal value; convert the value in ST0 to an integer (shown in hex), take it modulo 0xA, and concatenate the remainders to get 91275844. This is the front code.
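The two-stage front-code derivation summarised above, as an added Python example (not the program's own code): it reproduces the 5MT1A8DX -> 37495688 -> 91275844 computation and, going beyond the text, counts how many other serials collide on the same front code, which shows how loosely a hardware fingerprint built from per-character remainders actually binds to the machine. The multiplier 3 is the value the author observed at ds:[401B68]; the [0-9A-Z] serial alphabet is an assumption.

```python
# Added example reproducing the front-code derivation analysed on this page.
# Assumption: the multiplier at ds:[401B68] is 3, as the author observed.
# Assumption: hard disk serials are drawn from the characters 0-9 and A-Z.

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def stage1_ascii_mod10(disk_serial: str) -> str:
    """Loop at 006831F2-006832CA: ASCII value of each character modulo 10."""
    return "".join(str(ord(ch) % 10) for ch in disk_serial)


def stage2_scale_mod10(digits: str, multiplier: int = 3) -> str:
    """Loop at 006832CF-00683404: each digit times the multiplier, as an
    integer (__vbaFpI4), modulo 10.  With an integer multiplier the
    float-to-int conversion involves no rounding."""
    return "".join(str(int(int(d) * multiplier) % 10) for d in digits)


def front_code(disk_serial: str, multiplier: int = 3) -> str:
    """Front code shown in the registration dialog for this disk serial."""
    return stage2_scale_mod10(stage1_ascii_mod10(disk_serial), multiplier)


def collision_count(disk_serial: str, multiplier: int = 3) -> int:
    """Number of serials of the same length over ALPHABET that produce the
    same front code.  Each output digit depends only on the character at the
    same position, so the count is the product over positions of how many
    alphabet characters map to that digit."""
    total = 1
    for ch in disk_serial:
        target = front_code(ch, multiplier)
        total *= sum(1 for x in ALPHABET if front_code(x, multiplier) == target)
    return total


if __name__ == "__main__":
    serial = "5MT1A8DX"  # value from the page
    print("stage 1  :", stage1_ascii_mod10(serial))   # 37495688
    print("front    :", front_code(serial))           # 91275844
    # 'W' (0x57) and 'M' (0x4D) share the residue 7, so this serial collides.
    print("collides :", front_code("5WT1A8DX"))       # 91275844
    print("colliding serials of length 8:", collision_count(serial))
```

Multiplying by 3 is a bijection on the digits 0-9 (gcd(3, 10) = 1), so the second stage adds no mixing at all; every collision is already decided by the ASCII-mod-10 step.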
Computing the back code: 1. Loop over 91275844 one digit at a time, convert each digit to its ASCII value and accumulate the sum to get 0x1A8; multiply that by 0x13 to get 0x1F78, take it modulo 9, and store the result in ss:[ebp-24].
2. Loop over 91275844 again, taking each character's ASCII value and multiplying it by itself, while keeping a counter: the counter is 1 for the first character and increases by 1 on every iteration. Multiply the current counter by 3, divide by 2 and keep the quotient; add the squared value and the value stored in ss:[ebp-24]; take the result modulo 0xA; and concatenate the remainders to get 15527657. This is the back code.
[ This post was last edited by 交响诗篇 on 2008-8-7 10:42 ]