本人乃小菜鸟一个.....如有分析不对, 请高手指正~
00402A50 > \55 PUSH EBP ; 在这里下断..
00402A51 . 8BEC MOV EBP,ESP
00402A53 . 83EC 0C SUB ESP,0C
00402A56 . 68 06114000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE 处理程序安装
.......省略一些代码...........
00402C2E . 8985 48FEFFFF MOV DWORD PTR SS:[EBP-1B8],EAX
00402C34 . FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; 获取用户名
00402C3A . 3BC3 CMP EAX,EBX
00402C3C . DBE2 FCLEX
00402C3E . 7D 18 JGE SHORT Crackme.00402C58
00402C40 . 8B8D 48FEFFFF MOV ECX,DWORD PTR SS:[EBP-1B8]
00402C46 . 68 A0000000 PUSH 0A0
00402C4B . 68 00224000 PUSH Crackme.00402200
00402C50 . 51 PUSH ECX
00402C51 . 50 PUSH EAX
00402C52 . FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;
MSVBVM60.__vbaHresultCheckObj
00402C58 > 8B85 3CFFFFFF MOV EAX,DWORD PTR SS:[EBP-C4]
00402C5E . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
00402C64 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
00402C67 . 899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EBX
00402C6D . 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX
00402C73 . C785 20FFFFFF>MOV DWORD PTR SS:[EBP-E0],8
00402C7D . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
00402C83 . 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00402C89 . FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;
MSVBVM60.__vbaFreeObj
00402C8F . 8B17 MOV EDX,DWORD PTR DS:[EDI]
00402C91 . 57 PUSH EDI
00402C92 . FF92 04030000 CALL DWORD PTR DS:[EDX+304]
00402C98 . 50 PUSH EAX
00402C99 . 8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
00402C9F . 50 PUSH EAX
00402CA0 . FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;
MSVBVM60.__vbaObjSet
00402CA6 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
00402CA8 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
00402CAE . 52 PUSH EDX
00402CAF . 50 PUSH EAX
00402CB0 . 8985 48FEFFFF MOV DWORD PTR SS:[EBP-1B8],EAX
00402CB6 . FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; 获取注册码
00402CBC . 3BC3 CMP EAX,EBX
00402CBE . DBE2 FCLEX
00402CC0 . 7D 18 JGE SHORT Crackme.00402CDA
00402CC2 . 8B8D 48FEFFFF MOV ECX,DWORD PTR SS:[EBP-1B8]
00402CC8 . 68 A0000000 PUSH 0A0
00402CCD . 68 00224000 PUSH Crackme.00402200
00402CD2 . 51 PUSH ECX
00402CD3 . 50 PUSH EAX
00402CD4 . FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;
MSVBVM60.__vbaHresultCheckObj
00402CDA > 8B85 3CFFFFFF MOV EAX,DWORD PTR SS:[EBP-C4]
00402CE0 . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
00402CE6 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00402CE9 . 899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EBX
00402CEF . 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX
00402CF5 . C785 20FFFFFF>MOV DWORD PTR SS:[EBP-E0],8
00402CFF . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
00402D05 . 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00402D0B . FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;
MSVBVM60.__vbaFreeObj
00402D11 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402D14 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00402D1A . 52 PUSH EDX
00402D1B . 50 PUSH EAX
00402D1C . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],4
00402D26 . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8002
00402D30 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;
MSVBVM60.__vbaLenVar
00402D36 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160]
00402D3C . 50 PUSH EAX
00402D3D . 51 PUSH ECX
00402D3E . FF15 00104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstGt
00402D44 . 66:85C0 TEST AX,AX
00402D47 . 0F84 BE080000 JE Crackme.0040360B
00402D4D . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
00402D53 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
00402D56 . 52 PUSH EDX
00402D57 . 6A 04 PUSH 4
00402D59 . 8D8D 10FFFFFF LEA ECX,DWORD PTR SS:[EBP-F0]
00402D5F . 50 PUSH EAX
00402D60 . 51 PUSH ECX
00402D61 . C785 28FFFFFF>MOV DWORD PTR SS:[EBP-D8],1
00402D6B . 89B5 20FFFFFF MOV DWORD PTR SS:[EBP-E0],ESI ; 取第4个字母
00402D71 . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
00402D77 . 8B3D 8C104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;
MSVBVM60.__vbaStrVarVal
00402D7D . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00402D83 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
00402D89 . 52 PUSH EDX
00402D8A . 50 PUSH EAX
00402D8B . FFD7 CALL EDI ;
<&MSVBVM60.__vbaStrVarVal>
00402D8D . 50 PUSH EAX ; 第4个字母转为字符串
00402D8E . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402D94 . 33C9 XOR ECX,ECX ; 取第4个字母的ASCII
值
00402D96 . 66:3D 2D00 CMP AX,2D ; 第4个字母与2D('-')
比较,
00402D9A . 0F94C1 SETE CL
00402D9D . F7D9 NEG ECX
00402D9F . 66:898D 48FEF>MOV WORD PTR SS:[EBP-1B8],CX ; 第4个字母与2D比较的
结果放在[EBP-1B8]
00402DA6 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
00402DAC . FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStr
00402DB2 . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00402DB8 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00402DBE . 52 PUSH EDX
00402DBF . 50 PUSH EAX
00402DC0 . 56 PUSH ESI
00402DC1 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
00402DC7 . 83C4 0C ADD ESP,0C
00402DCA . 66:399D 48FEF>CMP WORD PTR SS:[EBP-1B8],BX
00402DD1 . 0F84 31080000 JE Crackme.00403608 ; 取出[EBP-1B8]结果与
BX比较.由此知第4个字母为2D('-')
00402DD7 . 8B1D 50104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
00402DDD . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
00402DE3 . 51 PUSH ECX
00402DE4 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402DE7 . 6A 01 PUSH 1
00402DE9 . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00402DEF . 52 PUSH EDX
00402DF0 . 50 PUSH EAX
00402DF1 . C785 28FFFFFF>MOV DWORD PTR SS:[EBP-D8],1
00402DFB . 89B5 20FFFFFF MOV DWORD PTR SS:[EBP-E0],ESI
00402E01 . FFD3 CALL EBX ; <&MSVBVM60.#632>
00402E03 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100] ; 取注册码第1个字母,
放在[ebp-f0]
00402E09 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402E0C . 51 PUSH ECX
00402E0D . 56 PUSH ESI
00402E0E . 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
00402E14 . 52 PUSH EDX
00402E15 . 50 PUSH EAX
00402E16 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],1
00402E20 . 89B5 00FFFFFF MOV DWORD PTR SS:[EBP-100],ESI
00402E26 . FFD3 CALL EBX ; 取注册码第2个字母,
放在[ebp-110]
00402E28 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
00402E2E . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402E31 . 51 PUSH ECX
00402E32 . 6A 03 PUSH 3
00402E34 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
00402E3A . 52 PUSH EDX
00402E3B . 50 PUSH EAX
00402E3C . C785 E8FEFFFF>MOV DWORD PTR SS:[EBP-118],1
00402E46 . 89B5 E0FEFFFF MOV DWORD PTR SS:[EBP-120],ESI
00402E4C . FFD3 CALL EBX ; 取注册码第3个字母,
放在[ebp-130]
00402E4E . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110]
00402E54 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00402E5A . 51 PUSH ECX
00402E5B . 52 PUSH EDX
00402E5C . FFD7 CALL EDI ; 第2个字母转为字符串
00402E5E . 50 PUSH EAX
00402E5F . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402E65 . 66:8BD8 MOV BX,AX ; 第2个字母转为整数
00402E68 . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00402E6E . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
00402E74 . 50 PUSH EAX
00402E75 . 51 PUSH ECX
00402E76 . FFD7 CALL EDI ; 第1个字母转为字符串
00402E78 . 50 PUSH EAX ; 第1个字母再转为
ASCII码
00402E79 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402E7F . 66:03D8 ADD BX,AX ; 第1, 2两个字母的
ASCII码相加
00402E82 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00402E88 . 8D85 34FFFFFF LEA EAX,DWORD PTR SS:[EBP-CC]
00402E8E . 52 PUSH EDX
00402E8F . 50 PUSH EAX
00402E90 . 0F80 950B0000 JO Crackme.00403A2B
00402E96 . FFD7 CALL EDI ; 第3个字母转为字符串
00402E98 . 50 PUSH EAX ; 第3个字母转为ASCII
码
00402E99 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402E9F . 66:03D8 ADD BX,AX ; 第1, 2两字母ASCII码
相加后在加上第3个字母ASCII码
00402EA2 . 8D95 70FEFFFF LEA EDX,DWORD PTR SS:[EBP-190]
00402EA8 . 0F80 7D0B0000 JO Crackme.00403A2B
00402EAE . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402EB1 . 66:899D 78FEF>MOV WORD PTR SS:[EBP-188],BX
00402EB8 . 89B5 70FEFFFF MOV DWORD PTR SS:[EBP-190],ESI
00402EBE . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
00402EC4 . 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC] ; 前3个字母的ASCII码
之和放到[ebp-34]
00402ECA . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00402ED0 . 51 PUSH ECX
00402ED1 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
00402ED7 . 52 PUSH EDX
00402ED8 . 50 PUSH EAX
00402ED9 . 6A 03 PUSH 3
00402EDB . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStrList
00402EE1 . 8D8D D0FEFFFF LEA ECX,DWORD PTR SS:[EBP-130] ; 变量释放空间
00402EE7 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00402EED . 51 PUSH ECX
00402EEE . 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
00402EF4 . 52 PUSH EDX
00402EF5 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00402EFB . 50 PUSH EAX
00402EFC . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00402F02 . 51 PUSH ECX
00402F03 . 52 PUSH EDX
00402F04 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00402F0A . 50 PUSH EAX
00402F0B . 6A 06 PUSH 6 ; 变量释放空间
00402F0D . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
00402F13 . 8B1D 50104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
00402F19 . 83C4 2C ADD ESP,2C
00402F1C . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
00402F22 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402F25 . 51 PUSH ECX
00402F26 . 6A 01 PUSH 1
00402F28 . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00402F2E . 52 PUSH EDX ; EDX中为注册码变量地
址
00402F2F . 50 PUSH EAX
00402F30 . C785 28FFFFFF>MOV DWORD PTR SS:[EBP-D8],1
00402F3A . 89B5 20FFFFFF MOV DWORD PTR SS:[EBP-E0],ESI ; 这里取注册码第1个
字母放在[ebp-f0]
00402F40 . FFD3 CALL EBX ; <&MSVBVM60.#632>
00402F42 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00402F48 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402F4B . 51 PUSH ECX
00402F4C . 56 PUSH ESI
00402F4D . 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
00402F53 . 52 PUSH EDX
00402F54 . 50 PUSH EAX
00402F55 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],1
00402F5F . 89B5 00FFFFFF MOV DWORD PTR SS:[EBP-100],ESI
00402F65 . FFD3 CALL EBX ; 这里取注册码的第2个
字母放在[ebp-110]
00402F67 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
00402F6D . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402F70 . 51 PUSH ECX
00402F71 . 6A 03 PUSH 3
00402F73 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
00402F79 . 52 PUSH EDX
00402F7A . 50 PUSH EAX
00402F7B . C785 E8FEFFFF>MOV DWORD PTR SS:[EBP-118],1
00402F85 . 89B5 E0FEFFFF MOV DWORD PTR SS:[EBP-120],ESI
00402F8B . FFD3 CALL EBX ; 这里取注册码的第3个
字母放在[ebp-130]
00402F8D . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110]
00402F93 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00402F99 . 51 PUSH ECX
00402F9A . 52 PUSH EDX
00402F9B . FFD7 CALL EDI
00402F9D . 50 PUSH EAX ; 注册码第2个字母转为
字符串
00402F9E . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402FA4 . 66:8BD8 MOV BX,AX ; 注册码第2个字母转为
ASCII码
00402FA7 . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00402FAD . 66:6BDB 02 IMUL BX,BX,2 ; 注册码第2个字母
ASCII码乘以2
00402FB1 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
00402FB7 . 50 PUSH EAX
00402FB8 . 51 PUSH ECX
00402FB9 . 0F80 6C0A0000 JO Crackme.00403A2B ; 注册码第1个字母转为
字符串
00402FBF . FFD7 CALL EDI
00402FC1 . 50 PUSH EAX ; 注册码第1个字母转为
ASCII码
00402FC2 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402FC8 . 66:03D8 ADD BX,AX ; 乘2后的积加上字母1
00402FCB . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00402FD1 . 8D85 34FFFFFF LEA EAX,DWORD PTR SS:[EBP-CC]
00402FD7 . 52 PUSH EDX
00402FD8 . 50 PUSH EAX
00402FD9 . 0F80 4C0A0000 JO Crackme.00403A2B
00402FDF . FFD7 CALL EDI
00402FE1 . 50 PUSH EAX ; 将注册码第3个字母转
为字符串再转为ASCII码
00402FE2 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
00402FE8 . 66:6BC0 03 IMUL AX,AX,3 ; 字母3的值乘以3
00402FEC . 0F80 390A0000 JO Crackme.00403A2B
00402FF2 . 66:2BD8 SUB BX,AX ; 字母1值+字母2值*2-
字母3值*3
00402FF5 . 8D95 70FEFFFF LEA EDX,DWORD PTR SS:[EBP-190]
00402FFB . 0F80 2A0A0000 JO Crackme.00403A2B
00403001 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00403004 . 66:899D 78FEF>MOV WORD PTR SS:[EBP-188],BX
0040300B . 89B5 70FEFFFF MOV DWORD PTR SS:[EBP-190],ESI ; 将字母1值+字母2值
*2-字母3值*3 放在[ebp-44]
00403011 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
00403017 . 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC]
0040301D . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00403023 . 51 PUSH ECX
00403024 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0040302A . 52 PUSH EDX
0040302B . 50 PUSH EAX
0040302C . 6A 03 PUSH 3
0040302E . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStrList
00403034 . 8D8D D0FEFFFF LEA ECX,DWORD PTR SS:[EBP-130]
0040303A . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00403040 . 51 PUSH ECX
00403041 . 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
00403047 . 52 PUSH EDX
00403048 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0040304E . 50 PUSH EAX
0040304F . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00403055 . 51 PUSH ECX
00403056 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0040305C . 52 PUSH EDX
0040305D . 50 PUSH EAX
0040305E . 6A 06 PUSH 6
00403060 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
00403066 . 8B1D 50104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
0040306C . 83C4 2C ADD ESP,2C
0040306F . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
00403075 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00403078 . 51 PUSH ECX
00403079 . 6A 01 PUSH 1
0040307B . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00403081 . 52 PUSH EDX
00403082 . 50 PUSH EAX
00403083 . C785 28FFFFFF>MOV DWORD PTR SS:[EBP-D8],1
0040308D . 89B5 20FFFFFF MOV DWORD PTR SS:[EBP-E0],ESI ; 取注册码第1个字母放
在[ebp-f0]
00403093 . FFD3 CALL EBX ; <&MSVBVM60.#632>
00403095 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0040309B . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
0040309E . 51 PUSH ECX
0040309F . 56 PUSH ESI
004030A0 . 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004030A6 . 52 PUSH EDX
004030A7 . 50 PUSH EAX
004030A8 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],1
004030B2 . 89B5 00FFFFFF MOV DWORD PTR SS:[EBP-100],ESI
004030B8 . FFD3 CALL EBX ; 取注册码第2个字母放
在[ebp-110]
004030BA . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
004030C0 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
004030C3 . 51 PUSH ECX
004030C4 . 6A 03 PUSH 3
004030C6 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
004030CC . 52 PUSH EDX
004030CD . 50 PUSH EAX
004030CE . C785 E8FEFFFF>MOV DWORD PTR SS:[EBP-118],1
004030D8 . 89B5 E0FEFFFF MOV DWORD PTR SS:[EBP-120],ESI
004030DE . FFD3 CALL EBX ; 取注册码第3个字母放
在[ebp-130]
004030E0 . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110]
004030E6 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
004030EC . 51 PUSH ECX
004030ED . 52 PUSH EDX
004030EE . FFD7 CALL EDI
004030F0 . 50 PUSH EAX
004030F1 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
004030F7 . 66:8BD8 MOV BX,AX ; 第2个字母转为ASCII
码
004030FA . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00403100 . 66:6BDB 04 IMUL BX,BX,4 ; 字母2的值*4
00403104 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0040310A . 50 PUSH EAX
0040310B . 51 PUSH ECX
0040310C . 0F80 19090000 JO Crackme.00403A2B
00403112 . FFD7 CALL EDI
00403114 . 50 PUSH EAX
00403115 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
0040311B . 66:8BD3 MOV DX,BX ; 字母2值*4暂存到DX, AX为字母1的ASCII码
0040311E . 66:8BD8 MOV BX,AX
00403121 . 66:6BDB 03 IMUL BX,BX,3 ; 字母1值*3
00403125 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
0040312B . 0F80 FA080000 JO Crackme.00403A2B
00403131 . 8D8D 34FFFFFF LEA ECX,DWORD PTR SS:[EBP-CC]
00403137 . 66:2BDA SUB BX,DX ; 字母1值*3 - 字母2值
*4
0040313A . 50 PUSH EAX
0040313B . 51 PUSH ECX
0040313C . 0F80 E9080000 JO Crackme.00403A2B
00403142 . FFD7 CALL EDI
00403144 . 50 PUSH EAX
00403145 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
0040314B . 66:6BC0 06 IMUL AX,AX,6 ; 字母3转为ASCII码并
乘以6
0040314F . 0F80 D6080000 JO Crackme.00403A2B
00403155 . 66:03D8 ADD BX,AX ; 字母1值*3 - 字母2值
*4 + 字母3值*6
00403158 . 89B5 70FEFFFF MOV DWORD PTR SS:[EBP-190],ESI
0040315E . 0F80 C7080000 JO Crackme.00403A2B
00403164 . 66:899D 78FEF>MOV WORD PTR SS:[EBP-188],BX
0040316B . 8D95 70FEFFFF LEA EDX,DWORD PTR SS:[EBP-190]
00403171 . 8B1D 10104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaVa>;
MSVBVM60.__vbaVarMove
00403177 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; 字母1值*3 - 字母2值
*4 + 字母3值*6 放到[ebp-54]
0040317A . FFD3 CALL EBX ;
<&MSVBVM60.__vbaVarMove>
0040317C . 8D95 34FFFFFF LEA EDX,DWORD PTR SS:[EBP-CC]
00403182 . 8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8]
00403188 . 52 PUSH EDX
00403189 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0040318F . 50 PUSH EAX
00403190 . 51 PUSH ECX
00403191 . 6A 03 PUSH 3
00403193 . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStrList
00403199 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040319F . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
004031A5 . 52 PUSH EDX
004031A6 . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110]
004031AC . 50 PUSH EAX
004031AD . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
004031B3 . 51 PUSH ECX
004031B4 . 8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
004031BA . 52 PUSH EDX
004031BB . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
004031C1 . 50 PUSH EAX
004031C2 . 51 PUSH ECX
004031C3 . 6A 06 PUSH 6
004031C5 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
004031CB . 83C4 2C ADD ESP,2C
004031CE . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64] ; 用户名
004031D1 . 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160]
004031D7 . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
004031DD . 52 PUSH EDX
004031DE . 50 PUSH EAX
004031DF . 51 PUSH ECX
004031E0 . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],Crackme.00402>
004031EA . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8 ; 用户名和zjjtr连接为
串1
004031F4 . FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>;
MSVBVM60.__vbaVarCat
004031FA . 8BD0 MOV EDX,EAX
004031FC . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00403202 . FFD3 CALL EBX ; 串1放到[ebp-84]
00403204 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00403207 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0040320D . 52 PUSH EDX
0040320E . 50 PUSH EAX
0040320F . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],4
00403219 . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
0040321F . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;
MSVBVM60.__vbaLenVar
00403225 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160] ; 取注册码长度
0040322B . 50 PUSH EAX
0040322C . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00403232 . 51 PUSH ECX
00403233 . 52 PUSH EDX ; 注册码长度减去4
00403234 . FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarSu>;
MSVBVM60.__vbaVarSub
0040323A . 8B1D B8104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaI4>; MSVBVM60.__vbaI4Var
00403240 . 50 PUSH EAX
00403241 . FFD3 CALL EBX ;
<&MSVBVM60.__vbaI4Var>
00403243 . 50 PUSH EAX ; 注册码长度-4的结果
从var变为整数
00403244 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
00403247 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0040324D . 50 PUSH EAX
0040324E . 51 PUSH ECX
0040324F . FFD7 CALL EDI
00403251 . 50 PUSH EAX ; 取注册码前4位后的字
符串, 形成子串2
00403252 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.#618>] ;
MSVBVM60.rtcRightCharBstr
00403258 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
0040325E . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00403264 . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
0040326A . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],8 ; 子串2放到[ebp-a4]
00403274 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
0040327A . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
00403280 . FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStr
00403286 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0040328C . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00403292 . 52 PUSH EDX
00403293 . 50 PUSH EAX
00403294 . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],4
0040329E . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI ; 取串1的长度
004032A4 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;
MSVBVM60.__vbaLenVar
004032AA . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
004032AD . 50 PUSH EAX
004032AE . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
004032B4 . 51 PUSH ECX
004032B5 . 52 PUSH EDX ; 取注册码长度
004032B6 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;
MSVBVM60.__vbaLenVar
004032BC . 50 PUSH EAX
004032BD . 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160]
004032C3 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
004032C9 . 50 PUSH EAX
004032CA . 51 PUSH ECX ; 注册码长度-4
004032CB . FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarSu>;
MSVBVM60.__vbaVarSub
004032D1 . 50 PUSH EAX
004032D2 . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
004032D8 . 66:85C0 TEST AX,AX ; 串1长度必须等于注册
码长度-4
004032DB . 0F84 25030000 JE Crackme.00403606
004032E1 . B8 01000000 MOV EAX,1
004032E6 . 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
004032EC . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
004032F2 . 8985 98FEFFFF MOV DWORD PTR SS:[EBP-168],EAX
004032F8 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
004032FE . 52 PUSH EDX
004032FF . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
00403305 . 50 PUSH EAX
00403306 . 51 PUSH ECX
00403307 . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
0040330D . 89B5 90FEFFFF MOV DWORD PTR SS:[EBP-170],ESI
00403313 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>; 取串1的长度放在
[ebp-e0]
00403319 . 50 PUSH EAX ; 将串1的长度作为下面
循环变量的上限
0040331A . 8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170]
00403320 . 8D85 04FEFFFF LEA EAX,DWORD PTR SS:[EBP-1FC]
00403326 . 52 PUSH EDX
00403327 . 8D8D 14FEFFFF LEA ECX,DWORD PTR SS:[EBP-1EC]
0040332D . 50 PUSH EAX
0040332E . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00403331 . 51 PUSH ECX
00403332 . 52 PUSH EDX
00403333 . FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>;
MSVBVM60.__vbaVarForInit
00403339 > 85C0 TEST EAX,EAX ; 这里是一个循环..
0040333B . 0F84 C5020000 JE Crackme.00403606
00403341 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; 这里是循环变量i, 从
i=1开始每次加1
00403344 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160] ; 数字2
0040334A . 50 PUSH EAX
0040334B . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
00403351 . 51 PUSH ECX
00403352 . 52 PUSH EDX
00403353 . 89B5 A8FEFFFF MOV DWORD PTR SS:[EBP-158],ESI
00403359 . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
0040335F . C785 98FEFFFF>MOV DWORD PTR SS:[EBP-168],1
00403369 . C785 90FEFFFF>MOV DWORD PTR SS:[EBP-170],8002 ; 循环变量对2取余,判
断是奇是偶
00403373 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMod
00403379 . 50 PUSH EAX
0040337A . 8D85 90FEFFFF LEA EAX,DWORD PTR SS:[EBP-170]
00403380 . 50 PUSH EAX
00403381 . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
00403387 . 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
0040338D . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00403390 . 66:85C0 TEST AX,AX
00403393 . 51 PUSH ECX
00403394 . C785 28FFFFFF>MOV DWORD PTR SS:[EBP-D8],1
0040339E . 89B5 20FFFFFF MOV DWORD PTR SS:[EBP-E0],ESI
004033A4 . 52 PUSH EDX
004033A5 . 0F84 C8000000 JE Crackme.00403473 ; 如果循环变量是2的倍
数,则跳转
004033AB . FFD3 CALL EBX
004033AD . 50 PUSH EAX
004033AE . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] ; 串1, 是用户名和
zjjtr连接得来的
004033B4 . 8D8D 10FFFFFF LEA ECX,DWORD PTR SS:[EBP-F0]
004033BA . 50 PUSH EAX
004033BB . 51 PUSH ECX
004033BC . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
004033C2 . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0] ; 取串1第i个字母
004033C8 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
004033CE . 52 PUSH EDX
004033CF . 50 PUSH EAX
004033D0 . FFD7 CALL EDI ; 转为字符串
004033D2 . 50 PUSH EAX
004033D3 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
004033D9 . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110] ; 将串1第i个字母转为
ASCII码
004033DF . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004033E2 . 51 PUSH ECX
004033E3 . 52 PUSH EDX
004033E4 . 66:8985 98FEF>MOV WORD PTR SS:[EBP-168],AX ; 将串1[i ]的ASCII码放
在[ebp-168]
004033EB . 89B5 90FEFFFF MOV DWORD PTR SS:[EBP-170],ESI
004033F1 . C785 F8FEFFFF>MOV DWORD PTR SS:[EBP-108],1
004033FB . 89B5 F0FEFFFF MOV DWORD PTR SS:[EBP-110],ESI
00403401 . FFD3 CALL EBX
00403403 . 50 PUSH EAX
00403404 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0040340A . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
00403410 . 50 PUSH EAX
00403411 . 51 PUSH ECX ; 取串2的第i个字母
00403412 . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
00403418 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
0040341E . 8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8]
00403424 . 52 PUSH EDX
00403425 . 50 PUSH EAX
00403426 . FFD7 CALL EDI
00403428 . 50 PUSH EAX
00403429 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
0040342F . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; 将串2[i ]转为ASCII码
00403432 . 66:8985 78FEF>MOV WORD PTR SS:[EBP-188],AX ; 将串2[i ]放在[ebp-
188]
00403439 . 51 PUSH ECX
0040343A . 89B5 70FEFFFF MOV DWORD PTR SS:[EBP-190],ESI
00403440 . C785 68FEFFFF>MOV DWORD PTR SS:[EBP-198],41
0040344A . 89B5 60FEFFFF MOV DWORD PTR SS:[EBP-1A0],ESI
00403450 . C785 58FEFFFF>MOV DWORD PTR SS:[EBP-1A8],1A
0040345A . 89B5 50FEFFFF MOV DWORD PTR SS:[EBP-1B0],ESI
00403460 . FFD3 CALL EBX
00403462 . 8BD8 MOV EBX,EAX
00403464 . 4B DEC EBX
00403465 . 83FB 64 CMP EBX,64
00403468 . 0F82 CA000000 JB Crackme.00403538 ; 判断是否访问数组越
界
0040346E . E9 BF000000 JMP Crackme.00403532
00403473 > FFD3 CALL EBX
00403475 . 50 PUSH EAX
00403476 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0040347C . 8D8D 10FFFFFF LEA ECX,DWORD PTR SS:[EBP-F0]
00403482 . 50 PUSH EAX
00403483 . 51 PUSH ECX ; 取串1第i个字母
00403484 . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
0040348A . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00403490 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
00403496 . 52 PUSH EDX
00403497 . 50 PUSH EAX
00403498 . FFD7 CALL EDI
0040349A . 50 PUSH EAX
0040349B . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
004034A1 . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110] ; 得到串1[i ]的ASCII码
值
004034A7 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004034AA . 51 PUSH ECX
004034AB . 52 PUSH EDX
004034AC . 66:8985 98FEF>MOV WORD PTR SS:[EBP-168],AX ; 串1[i ]的ASCII码值放
在[ebp-168]
004034B3 . 89B5 90FEFFFF MOV DWORD PTR SS:[EBP-170],ESI
004034B9 . C785 F8FEFFFF>MOV DWORD PTR SS:[EBP-108],1
004034C3 . 89B5 F0FEFFFF MOV DWORD PTR SS:[EBP-110],ESI
004034C9 . FFD3 CALL EBX
004034CB . 50 PUSH EAX
004034CC . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
004034D2 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
004034D8 . 50 PUSH EAX
004034D9 . 51 PUSH ECX ; 取串2第i个字母
004034DA . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
004034E0 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
004034E6 . 8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8]
004034EC . 52 PUSH EDX
004034ED . 50 PUSH EAX
004034EE . FFD7 CALL EDI
004034F0 . 50 PUSH EAX
004034F1 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
004034F7 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] ; 得到串2[i ]的ASCII码
值
004034FA . 66:8985 78FEF>MOV WORD PTR SS:[EBP-188],AX ; 串2[i ]的ASCII码值放
在[ebp-188]
00403501 . 51 PUSH ECX
00403502 . 89B5 70FEFFFF MOV DWORD PTR SS:[EBP-190],ESI
00403508 . C785 68FEFFFF>MOV DWORD PTR SS:[EBP-198],61
00403512 . 89B5 60FEFFFF MOV DWORD PTR SS:[EBP-1A0],ESI
00403518 . C785 58FEFFFF>MOV DWORD PTR SS:[EBP-1A8],1A
00403522 . 89B5 50FEFFFF MOV DWORD PTR SS:[EBP-1B0],ESI
00403528 . FFD3 CALL EBX
0040352A . 8BD8 MOV EBX,EAX
0040352C . 4B DEC EBX
0040352D . 83FB 64 CMP EBX,64
00403530 . 72 06 JB SHORT Crackme.00403538
00403532 > FF15 5C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;
MSVBVM60.__vbaGenerateBoundsError
00403538 > 8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170] ; 串1的第i个字母ASCII
码值, 即串1[i ]
0040353E . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; 这里是数字i
00403541 . 52 PUSH EDX
00403542 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00403548 . 50 PUSH EAX
00403549 . 51 PUSH ECX ; 串1[i ]*i
0040354A . FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMu>;
MSVBVM60.__vbaVarMul
00403550 . 50 PUSH EAX
00403551 . 8D95 70FEFFFF LEA EDX,DWORD PTR SS:[EBP-190] ; 串2[i ]
00403557 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
0040355D . 52 PUSH EDX
0040355E . 50 PUSH EAX ; 串1[i ]*i - 串2[ i]结
果放在[ebp-130]
0040355F . FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarSu>;
MSVBVM60.__vbaVarSub
00403565 . 8D8D 60FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A0] ; 一个字母记做ch, 如
果i为奇数,这里是大写字母A,
0040356B . 50 PUSH EAX ; 否则为小写字母a
0040356C . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
00403572 . 51 PUSH ECX
00403573 . 52 PUSH EDX ; 串1[i ]*i - 串2[i ] +
ch
00403574 . FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAd>;
MSVBVM60.__vbaVarAdd
0040357A . 50 PUSH EAX
0040357B . 8D85 50FEFFFF LEA EAX,DWORD PTR SS:[EBP-1B0] ; 这里是数字1A
00403581 . 8D8D B0FEFFFF LEA ECX,DWORD PTR SS:[EBP-150]
00403587 . 50 PUSH EAX
00403588 . 51 PUSH ECX ; (串1[i ]*i - 串2[i ] +
ch) MOD (1A)
00403589 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMod
0040358F . 50 PUSH EAX
00403590 . FF15 94104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2Var>; MSVBVM60.__vbaI2Var
00403596 . 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0] ; 将结果转为整数
0040359C . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
004035A2 . 66:89045A MOV WORD PTR DS:[EDX+EBX*2],AX ; 将计算结果顺序保存
起来[ebp-b0]处
004035A6 . 8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8]
004035AC . 50 PUSH EAX
004035AD . 51 PUSH ECX
004035AE . 56 PUSH ESI
004035AF . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStrList
004035B5 . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
004035BB . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
004035C1 . 52 PUSH EDX
004035C2 . 8D8D F0FEFFFF LEA ECX,DWORD PTR SS:[EBP-110]
004035C8 . 50 PUSH EAX
004035C9 . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
004035CF . 51 PUSH ECX
004035D0 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
004035D6 . 52 PUSH EDX
004035D7 . 50 PUSH EAX
004035D8 . 6A 05 PUSH 5
004035DA . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
004035E0 . 83C4 24 ADD ESP,24
004035E3 . 8D8D 04FEFFFF LEA ECX,DWORD PTR SS:[EBP-1FC]
004035E9 . 8D95 14FEFFFF LEA EDX,DWORD PTR SS:[EBP-1EC]
004035EF . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004035F2 . 51 PUSH ECX
004035F3 . 52 PUSH EDX
004035F4 . 50 PUSH EAX
004035F5 . FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>;
MSVBVM60.__vbaVarForNext
004035FB . 8B1D B8104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaI4>; MSVBVM60.__vbaI4Var
00403601 .^ E9 33FDFFFF JMP Crackme.00403339
00403606 > 33DB XOR EBX,EBX
00403608 > 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
0040360B > 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
00403611 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00403617 . 899D A8FEFFFF MOV DWORD PTR SS:[EBP-158],EBX
0040361D . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
00403623 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
00403629 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0040362C . 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
00403632 . 51 PUSH ECX
00403633 . 52 PUSH EDX
00403634 . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],0F0 ; 前3个字母的ASCII码
之和必须等于F0
0040363E . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8002
00403648 . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
0040364E . 66:85C0 TEST AX,AX
00403651 . 74 76 JE SHORT Crackme.004036C9
00403653 . 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
00403656 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160]
0040365C . 50 PUSH EAX
0040365D . 51 PUSH ECX
0040365E . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],2D ; 注册码 字母1值+字母
2值*2-字母3值*3 必须等于2D
00403668 . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8002
00403672 . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
00403678 . 66:85C0 TEST AX,AX
0040367B . 74 4C JE SHORT Crackme.004036C9
0040367D . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
00403680 . 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160]
00403686 . 52 PUSH EDX
00403687 . 50 PUSH EAX
00403688 . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],136 ; 字母1值*3 - 字母2值
*4 + 字母3值*6 必须等于136
00403692 . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8002
0040369C . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
004036A2 . 66:85C0 TEST AX,AX
004036A5 . 74 22 JE SHORT Crackme.004036C9
004036A7 . 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
004036AD . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] ; 全都比较成功,则将标
志变量[ebp-94]置为true
004036B3 . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],1
004036BD . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
004036C3 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
004036C9 > 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
004036CF . 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
004036D5 . 51 PUSH ECX
004036D6 . 52 PUSH EDX
004036D7 . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],1
004036E1 . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8002 ; 比较标志变量[ebp-
94]为true否.?
004036EB . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
004036F1 . 66:85C0 TEST AX,AX
004036F4 . 0F84 C2000000 JE Crackme.004037BC
004036FA . B8 01000000 MOV EAX,1
004036FF . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00403705 . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
0040370B . 8985 98FEFFFF MOV DWORD PTR SS:[EBP-168],EAX
00403711 . 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160]
00403717 . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0040371D . 50 PUSH EAX
0040371E . 51 PUSH ECX
0040371F . 52 PUSH EDX
00403720 . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
00403726 . 89B5 90FEFFFF MOV DWORD PTR SS:[EBP-170],ESI ; 取串1的长度
0040372C . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;
MSVBVM60.__vbaLenVar
00403732 . 50 PUSH EAX
00403733 . 8D85 90FEFFFF LEA EAX,DWORD PTR SS:[EBP-170]
00403739 . 8D8D E4FDFFFF LEA ECX,DWORD PTR SS:[EBP-21C]
0040373F . 50 PUSH EAX
00403740 . 8D95 F4FDFFFF LEA EDX,DWORD PTR SS:[EBP-20C]
00403746 . 51 PUSH ECX
00403747 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0040374A . 52 PUSH EDX
0040374B . 50 PUSH EAX ; 设置下面循环变量的
上限为串1长度
0040374C . FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>;
MSVBVM60.__vbaVarForInit
00403752 > 3BC3 CMP EAX,EBX ; 这里又是一个循环..
将循环变量记为j
00403754 . 74 66 JE SHORT Crackme.004037BC
00403756 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00403759 . 51 PUSH ECX ; 取循环变量j
0040375A . FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00403760 . 48 DEC EAX
00403761 . 83F8 64 CMP EAX,64
00403764 . 8985 48FEFFFF MOV DWORD PTR SS:[EBP-1B8],EAX ; 判断数组访问是否越
界
0040376A . 72 0C JB SHORT Crackme.00403778
0040376C . FF15 5C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;
MSVBVM60.__vbaGenerateBoundsError
00403772 . 8B85 48FEFFFF MOV EAX,DWORD PTR SS:[EBP-1B8]
00403778 > 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0]
0040377E . 66:391C42 CMP WORD PTR DS:[EDX+EAX*2],BX ; 将前面那个循环产生
的结果逐个与0比较
00403782 . 75 1A JNZ SHORT Crackme.0040379E
00403784 . 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C]
0040378A . 8D8D F4FDFFFF LEA ECX,DWORD PTR SS:[EBP-20C]
00403790 . 50 PUSH EAX
00403791 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00403794 . 51 PUSH ECX
00403795 . 52 PUSH EDX
00403796 . FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>;
MSVBVM60.__vbaVarForNext
0040379C .^ EB B4 JMP SHORT Crackme.00403752
0040379E > 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
004037A4 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] ; 如果上面逐个与0比较
时不等,则将标志变量[ebp-94]值为false
004037AA . 899D A8FEFFFF MOV DWORD PTR SS:[EBP-158],EBX
004037B0 . 89B5 A0FEFFFF MOV DWORD PTR SS:[EBP-160],ESI
004037B6 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
004037BC > 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
004037C2 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160]
004037C8 . 50 PUSH EAX
004037C9 . 51 PUSH ECX
004037CA . C785 A8FEFFFF>MOV DWORD PTR SS:[EBP-158],1
004037D4 . C785 A0FEFFFF>MOV DWORD PTR SS:[EBP-160],8002
004037DE . FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
004037E4 . 66:85C0 TEST AX,AX
004037E7 . 0F84 18010000 JE Crackme.00403905
004037ED . 8B17 MOV EDX,DWORD PTR DS:[EDI]
004037EF . 57 PUSH EDI
004037F0 . FF92 0C030000 CALL DWORD PTR DS:[EDX+30C]
004037F6 . 50 PUSH EAX
004037F7 . 8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
004037FD . 50 PUSH EAX
004037FE . FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;
MSVBVM60.__vbaObjSet
00403804 . 8BF0 MOV ESI,EAX
00403806 . 68 24224000 PUSH Crackme.00402224 ; UNICODE
"Congratulations"
0040380B . 56 PUSH ESI
0040380C . 8B0E MOV ECX,DWORD PTR DS:[ESI]
0040380E . FF51 54 CALL DWORD PTR DS:[ECX+54]
00403811 . 3BC3 CMP EAX,EBX
00403813 . DBE2 FCLEX
00403815 . 7D 0F JGE SHORT Crackme.00403826
00403817 . 6A 54 PUSH 54
00403819 . 68 74224000 PUSH Crackme.00402274
0040381E . 56 PUSH ESI
0040381F . 50 PUSH EAX
............后面省略..................
总结一下这个算法:
1. regcode[0]+regcode[1]+regcode[2] = F0;
regcode[0]+regcode[1]*2-regcode[2]*3 = 2D;
regcode[0]*3-regcode[1]*4+regcode[2] = 136;
解这个线性方程组可以知道regcode[0]、regcode[1]、regcode[2] 分别为P, Y, G
另外regcode[3]必须为2D, 也就是'-'
2. 串1 = 用户名 + "zjjtr";
串2 = 注册码去掉前4位
串1长度必须等于串2长度
3. for (i=0; i<串1长度; i++)
{
ch = (i%2==0)?'A':'a'
sum = 串1[i]*(i+1) - 串2[i] + ch;
sum % 0x1A == 0 必须为真
}
VC注册机源码(注册机及全部源码见附件):
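void CForTempCrackmeDlg::OnOK()
{
    // TODO: Add extra validation here
    //
    // Builds the registration code for the name typed into IDC_USER and
    // writes it to IDC_CODE.  Layout of the code: the fixed prefix "PYG-",
    // then one character per byte of (name + "zjjtr"), each chosen so that
    //     name[i] * (i + 1) - code[i + 4] + ch
    // is a multiple of 0x1A, where ch is 'A' for even i and 'a' for odd i.
    enum {
        NAME_MAX   = 128,   // count passed to GetDlgItemText: at most NAME_MAX-1 chars come back
        SUFFIX_LEN = 5,     // strlen("zjjtr")
        PREFIX_LEN = 4,     // strlen("PYG-")
        MODULUS    = 0x1A
    };
    static const char suffix[SUFFIX_LEN + 1] = "zjjtr";

    // Sized for the longest name the control can return plus the suffix and
    // its terminator.  The previous bare 128-byte buffer overflowed on the
    // stack once the name was longer than NAME_MAX - 1 - SUFFIX_LEN chars.
    char name[NAME_MAX + SUFFIX_LEN];
    // Prefix + one output byte per input byte + terminator.  The aggregate
    // initializer zero-fills the tail, which is what terminates the string.
    char code[PREFIX_LEN + NAME_MAX + SUFFIX_LEN] = {'P', 'Y', 'G', '-', 0};

    int namelen = GetDlgItemText(IDC_USER, name, NAME_MAX);
    // Defensive clamp: the control never returns more than NAME_MAX-1 chars,
    // but the suffix copy below must not be able to run past the buffer.
    if (namelen < 0) {
        namelen = 0;
    } else if (namelen > NAME_MAX - 1) {
        namelen = NAME_MAX - 1;
    }
    memcpy(name + namelen, suffix, sizeof suffix);   // copies the NUL as well
    namelen += SUFFIX_LEN;

    for (int i = 0; i < namelen; i++) {
        char ch = (i % 2 == 0) ? 'A' : 'a';
        // Step down from name[i]*(i+1)+ch in multiples of MODULUS until the
        // value lands in '0'..'z'.  name[i] stays a plain char (signed on
        // MSVC) to keep the original arithmetic; a start value below '0'
        // never enters the range, so code[i+4] stays 0 and the code is cut
        // short there, exactly as before.
        for (int j = 0; j < 10000; j++) {
            int temp = name[i] * (i + 1) + ch - j * MODULUS;
            if (temp < '0') {
                break;   // every further step only goes lower
            }
            if (temp <= 'z') {
                code[i + PREFIX_LEN] = (char)temp;
                break;
            }
        }
    }
    SetDlgItemText(IDC_CODE, code);
}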
顺便说下在VB的VARIANT类型中如何看真正的数据, 我文中的"保存在[EBP-XXX]"要这么看才对.
看看VC中的VARIANT定义:
/*
 * OLE Automation VARIANT as laid out in the VC headers (oaidl.h).
 * Quoted because every Variant the VB runtime works on has this shape:
 * an 8-byte header (vt plus three reserved WORDs) followed by the payload
 * union, so the value lives at byte offset 8 and vt at offset 0 says how
 * to read it.  The listing above writes vt to [EBP-160] and the value to
 * [EBP-158], eight bytes later.
 */
struct tagVARIANT
{
    union
    {
        struct __tagVARIANT
        {
            VARTYPE vt;          /* type tag: one of the VT_* values listed below */
            WORD wReserved1;
            WORD wReserved2;
            WORD wReserved3;     /* vt + the three reserved WORDs form the 8-byte header */
            union                /* payload; vt selects which member is live */
            {
                LONG lVal;
                BYTE bVal;
                SHORT iVal;
                FLOAT fltVal;
                DOUBLE dblVal;
                VARIANT_BOOL boolVal;
                _VARIANT_BOOL bool;   /* in the SDK _VARIANT_BOOL is a macro that drops this line under C++, where bool is a keyword */
                SCODE scode;
                CY cyVal;
                DATE date;
                BSTR bstrVal;        /* VT_BSTR: pointer to a length-prefixed UTF-16 string */
                /* __RPC_FAR is a legacy 16-bit "far" qualifier and expands to nothing on Win32 */
                IUnknown __RPC_FAR *punkVal;
                IDispatch __RPC_FAR *pdispVal;
                SAFEARRAY __RPC_FAR *parray;
                /* p* / pp* members are the VT_BYREF forms: the variant holds a pointer to the value */
                BYTE __RPC_FAR *pbVal;
                SHORT __RPC_FAR *piVal;
                LONG __RPC_FAR *plVal;
                FLOAT __RPC_FAR *pfltVal;
                DOUBLE __RPC_FAR *pdblVal;
                VARIANT_BOOL __RPC_FAR *pboolVal;
                _VARIANT_BOOL __RPC_FAR *pbool;
                SCODE __RPC_FAR *pscode;
                CY __RPC_FAR *pcyVal;
                DATE __RPC_FAR *pdate;
                BSTR __RPC_FAR *pbstrVal;
                IUnknown __RPC_FAR *__RPC_FAR *ppunkVal;
                IDispatch __RPC_FAR *__RPC_FAR *ppdispVal;
                SAFEARRAY __RPC_FAR *__RPC_FAR *pparray;
                VARIANT __RPC_FAR *pvarVal;
                PVOID byref;          /* untyped view of any VT_BYREF payload */
                CHAR cVal;
                USHORT uiVal;
                ULONG ulVal;
                INT intVal;
                UINT uintVal;
                DECIMAL __RPC_FAR *pdecVal;
                CHAR __RPC_FAR *pcVal;
                USHORT __RPC_FAR *puiVal;
                ULONG __RPC_FAR *pulVal;
                INT __RPC_FAR *pintVal;
                UINT __RPC_FAR *puintVal;
                struct __tagBRECORD   /* VT_RECORD: user-defined type plus its type description */
                {
                    PVOID pvRecord;
                    IRecordInfo __RPC_FAR *pRecInfo;
                } __VARIANT_NAME_4;
            } __VARIANT_NAME_3;
        } __VARIANT_NAME_2;
        DECIMAL decVal;   /* VT_DECIMAL overlays the whole 16 bytes, header included */
    } __VARIANT_NAME_1;
};
/* The __VARIANT_NAME_n macros expand to nothing unless NONAMELESSUNION is
 * defined, which is why code normally writes v.vt and v.lVal directly. */
typedef tagVARIANT VARIANT;
大家看VARTYPE vt;
WORD wReserved1;
WORD wReserved2;
WORD wReserved3;
占了8个字节, 也就是说真正的数据是从第9个字节开始的. 当我们在内存中遇到一个VARIANT时, 必须把
眼光移到第9个字节才能读到真正的数据.
而前2个字节VARTYPE vt也是很重要的...它指明了这个VARIANT中存放的是什么类型的数据, 是字符串还
是短整, 抑或是长整, 或者别的各种类型. 给出以下类型参考:
VT_EMPTY = 0,
VT_NULL = 1,
VT_I2 = 2,
VT_I4 = 3,
VT_R4 = 4,
VT_R8 = 5,
VT_CY = 6,
VT_DATE = 7,
VT_BSTR = 8,
VT_DISPATCH = 9,
VT_ERROR = 10,
VT_BOOL = 11,
VT_VARIANT = 12,
VT_UNKNOWN = 13,
VT_DECIMAL = 14,
VT_I1 = 16,
VT_UI1 = 17,
VT_UI2 = 18,
VT_UI4 = 19,
VT_I8 = 20,
VT_UI8 = 21,
VT_INT = 22,
VT_UINT = 23,
VT_VOID = 24,
VT_HRESULT = 25,
VT_PTR = 26,
VT_SAFEARRAY = 27,
VT_CARRAY = 28,
VT_USERDEFINED = 29,
VT_LPSTR = 30,
VT_LPWSTR = 31,
VT_RECORD = 36,
VT_FILETIME = 64,
VT_BLOB = 65,
VT_STREAM = 66,
VT_STORAGE = 67,
VT_STREAMED_OBJECT = 68,
VT_STORED_OBJECT = 69,
VT_BLOB_OBJECT = 70,
VT_CF = 71,
VT_CLSID = 72,
VT_BSTR_BLOB = 0xfff,
VT_VECTOR = 0x1000,
VT_ARRAY = 0x2000,
VT_BYREF = 0x4000,
VT_RESERVED = 0x8000,
VT_ILLEGAL = 0xffff,
VT_ILLEGALMASKED = 0xfff,
VT_TYPEMASK = 0xfff
这里指明了VARIANT中数据的类型
所以在内存里如果遇到一个VARIANT数据不懂, 先查查它存放的数据是哪种类型的, 再然后看第9个字节
起存了什么, 基本能弄明白这个VARIANT中数据的含义
这里所写的都是个人心得, 如有不对, 请高手指正~~~~~~~~
[ 本帖最后由 vecri 于 2008-1-1 22:26 编辑 ] |