- UID
- 38953
注册时间2007-12-2
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
【文章标题】: 证件批量打印管理系统分析(完美破解)
【文章作者】: JackyChou
【作者邮箱】: [email protected]
【软件名称】: 证件批量打印管理系统
【下载地址】: 自己搜索下载
【加壳方式】: UPX
【保护方式】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Marku
【编写语言】: VB 6.0
【使用工具】: PEID、OD
【操作平台】: XP正版SP3
【软件介绍】: 证书批量打印软件
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
最近比较空,所以打算拿几个程序练练,毕竟多练多得(是体会多得)。这个程序论坛上的hxhsy兄已经发过,不过不
是程序分析,后来发现帖子已被锁了,可能违规了把,那我就写下来和大家一起分享一下,高手飘过。
在开始之前,先要说下这个程序:这个程序在一开始启动的时候,会要求输入操作员名和密码,这个时候如果你点取消
退出改程序的话,程序并没有退出,进程还在。另外,在选择打印的时候,如果点取消,程序马上又崩掉了,提示打印机错
误,显然这个程序的BUG比较多的,小鄙视下作者,出现这样的BUG只能说明程序并没有经过严格的测试,国产软件要做得好,真的该跟日本鬼子学习,他们的测试是相当的细致,代码的覆盖率基本在90%以上。他们对于文档的要
求都非常严格,即使是WORD中的一个目录链接忘记更新,他们都会给你指出,并作为一个BUG给你记录下来。扯远了......
①脱壳
脱壳过程就不说了,毕竟这个壳的脱壳方法不难。不会的,拿脱壳机或者脱壳脚步来脱。
②程序分析
因为我不是特别喜欢分析别人的算法,毕竟也比较花时间,有兴趣的自己分析,我还是比较喜欢把程序改成无需注册的,
首先看下程序的限制:如果不注册,那么打印的时候左上角会出现【授权用户无此标志】。
开始找关键位置:运行程序,点注册,进入注册对话框。下断API DestroyWindow
bp DestroyWindow,点注册(晕死,窗口没有关闭,要多点几次才关闭),断在下面位置
--------------------------------------------CODE--------------------------------------------------------
77D2B19C > B8 63110000 mov eax, 1163 ; 断在这里
77D2B1A1 BA 0003FE7F mov edx, 7FFE0300
77D2B1A6 FF12 call dword ptr [edx]
77D2B1A8 C2 0400 retn 4
--------------------------------------------CODE--------------------------------------------------------
去除断点,Alt + F9返回:下面的代码就是点注册按钮的处理
--------------------------------------------CODE--------------------------------------------------------
004EE170 . 55 push ebp ; 点注册按钮的入口
004EE171 . 8BEC mov ebp, esp
004EE173 . 83EC 14 sub esp, 14
004EE176 . 68 661D4000 push <jmp.&msvbvm60.__vbaExceptHandle>; SE 处理程序安装
004EE17B . 64:A1 0000000>mov eax, dword ptr fs:[0]
004EE181 . 50 push eax
004EE182 . 64:8925 00000>mov dword ptr fs:[0], esp
004EE189 . 83EC 48 sub esp, 48
004EE18C . 53 push ebx
004EE18D . 56 push esi
004EE18E . 57 push edi
004EE18F . 8965 EC mov dword ptr [ebp-14], esp
004EE192 . C745 F0 281C4>mov dword ptr [ebp-10], 00401C28
004EE199 . 8B75 08 mov esi, dword ptr [ebp+8]
004EE19C . 8BC6 mov eax, esi
004EE19E . 83E0 01 and eax, 1
004EE1A1 . 8945 F4 mov dword ptr [ebp-C], eax
004EE1A4 . 83E6 FE and esi, FFFFFFFE
004EE1A7 . 8975 08 mov dword ptr [ebp+8], esi
004EE1AA . 33DB xor ebx, ebx
004EE1AC . 895D F8 mov dword ptr [ebp-8], ebx
004EE1AF . 8B0E mov ecx, dword ptr [esi]
004EE1B1 . 56 push esi
004EE1B2 . FF51 04 call dword ptr [ecx+4]
004EE1B5 . 895D D4 mov dword ptr [ebp-2C], ebx
004EE1B8 . 895D D0 mov dword ptr [ebp-30], ebx
004EE1BB . 895D CC mov dword ptr [ebp-34], ebx
004EE1BE . 895D BC mov dword ptr [ebp-44], ebx
004EE1C1 . 6A 01 push 1 ; /OnErrEvent = Goto Address
004EE1C3 . FF15 8C104000 call dword ptr [<&msvbvm60.__vbaOnErr>; \__vbaOnError
004EE1C9 . 8B16 mov edx, dword ptr [esi]
004EE1CB . 56 push esi
004EE1CC . FF92 38030000 call dword ptr [edx+338]
004EE1D2 . 50 push eax
004EE1D3 . 8D45 CC lea eax, dword ptr [ebp-34]
004EE1D6 . 50 push eax
004EE1D7 . FF15 88104000 call dword ptr [<&msvbvm60.__vbaObjSe>; msvbvm60.__vbaObjSet
004EE1DD . 8BF8 mov edi, eax
004EE1DF . 8B0F mov ecx, dword ptr [edi]
004EE1E1 . 8D55 D0 lea edx, dword ptr [ebp-30]
004EE1E4 . 52 push edx
004EE1E5 . 57 push edi
004EE1E6 . FF91 A0000000 call dword ptr [ecx+A0]
004EE1EC . DBE2 fclex
004EE1EE . 3BC3 cmp eax, ebx
004EE1F0 . 7D 12 jge short 004EE204
004EE1F2 . 68 A0000000 push 0A0
004EE1F7 . 68 C0D94000 push 0040D9C0
004EE1FC . 57 push edi
004EE1FD . 50 push eax
004EE1FE . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
004EE204 > 8B45 D0 mov eax, dword ptr [ebp-30]
004EE207 . 895D D0 mov dword ptr [ebp-30], ebx
004EE20A . 8945 C4 mov dword ptr [ebp-3C], eax
004EE20D . C745 BC 08000>mov dword ptr [ebp-44], 8
004EE214 . 8D55 BC lea edx, dword ptr [ebp-44]
004EE217 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004EE21A . FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004EE220 . 8D4D CC lea ecx, dword ptr [ebp-34]
004EE223 . FF15 58124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
004EE229 . 8D45 D4 lea eax, dword ptr [ebp-2C]
004EE22C . 50 push eax ; /String8
004EE22D . 8D4D D0 lea ecx, dword ptr [ebp-30] ; |
004EE230 . 51 push ecx ; |ARG2
004EE231 . FF15 78114000 call dword ptr [<&msvbvm60.__vbaStrVa>; \__vbaStrVarVal
004EE237 . 50 push eax ; /szValue
004EE238 . 68 04DC4000 push 0040DC04 ; |szKey = "code"
004EE23D . 68 F4DB4000 push 0040DBF4 ; |Section = "zjdy"
004EE242 . 68 DCDB4000 push 0040DBDC ; |APPName = "microsoft"
004EE247 . FF15 08104000 call dword ptr [<&msvbvm60.rtcSaveSet>; \rtcSaveSetting
004EE24D . 8D4D D0 lea ecx, dword ptr [ebp-30]
004EE250 . FF15 54124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004EE256 . 8B46 34 mov eax, dword ptr [esi+34]
004EE259 . 83C0 01 add eax, 1
004EE25C . 0F80 D1000000 jo 004EE333
004EE262 . 8946 34 mov dword ptr [esi+34], eax
004EE265 . 83F8 05 cmp eax, 5
004EE268 . 7E 77 jle short 004EE2E1
004EE26A . 8B16 mov edx, dword ptr [esi]
004EE26C . 56 push esi
004EE26D . FF92 B4020000 call dword ptr [edx+2B4]
004EE273 . DBE2 fclex
004EE275 . 3BC3 cmp eax, ebx
004EE277 . 7D 12 jge short 004EE28B
004EE279 . 68 B4020000 push 2B4
004EE27E . 68 C8314100 push 004131C8
004EE283 . 56 push esi
004EE284 . 50 push eax
004EE285 . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
004EE28B > 391D D8874F00 cmp dword ptr [4F87D8], ebx
004EE291 . 75 10 jnz short 004EE2A3
004EE293 . 68 D8874F00 push 004F87D8
004EE298 . 68 00D64000 push 0040D600
004EE29D . FF15 A4114000 call dword ptr [<&msvbvm60.__vbaNew2>>; msvbvm60.__vbaNew2
004EE2A3 > 8B3D D8874F00 mov edi, dword ptr [4F87D8]
004EE2A9 . 8B17 mov edx, dword ptr [edi]
004EE2AB . 56 push esi
004EE2AC . 8D45 CC lea eax, dword ptr [ebp-34]
004EE2AF . 50 push eax
004EE2B0 . 8955 9C mov dword ptr [ebp-64], edx
004EE2B3 . FF15 98104000 call dword ptr [<&msvbvm60.__vbaObjSe>; msvbvm60.__vbaObjSetAddref
004EE2B9 . 50 push eax
004EE2BA . 57 push edi
004EE2BB . 8B4D 9C mov ecx, dword ptr [ebp-64]
004EE2BE . FF51 10 call dword ptr [ecx+10]
004EE2C1 . DBE2 fclex ; Alt + F9程序返回到这里,往上看!
004EE2C3 . 3BC3 cmp eax, ebx
004EE2C5 . 7D 0F jge short 004EE2D6
004EE2C7 . 6A 10 push 10
004EE2C9 . 68 F0D54000 push 0040D5F0
004EE2CE . 57 push edi
004EE2CF . 50 push eax
004EE2D0 . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
004EE2D6 > 8D4D CC lea ecx, dword ptr [ebp-34]
004EE2D9 . FF15 58124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
004EE2DF . EB 00 jmp short 004EE2E1
004EE2E1 > FF15 74104000 call dword ptr [<&msvbvm60.__vbaExitP>; msvbvm60.__vbaExitProc
004EE2E7 . 68 14E34E00 push 004EE314
004EE2EC . EB 1C jmp short 004EE30A
004EE2EE . 8D4D D0 lea ecx, dword ptr [ebp-30]
004EE2F1 . FF15 54124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004EE2F7 . 8D4D CC lea ecx, dword ptr [ebp-34]
004EE2FA . FF15 58124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
004EE300 . 8D4D BC lea ecx, dword ptr [ebp-44]
004EE303 . FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004EE309 . C3 retn
004EE30A > 8D4D D4 lea ecx, dword ptr [ebp-2C]
004EE30D . FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004EE313 . C3 retn
004EE314 . 8B45 08 mov eax, dword ptr [ebp+8]
004EE317 . 8B10 mov edx, dword ptr [eax]
004EE319 . 50 push eax
004EE31A . FF52 08 call dword ptr [edx+8]
004EE31D . 8B45 F4 mov eax, dword ptr [ebp-C]
004EE320 . 8B4D E4 mov ecx, dword ptr [ebp-1C]
004EE323 . 64:890D 00000>mov dword ptr fs:[0], ecx
004EE32A . 5F pop edi
004EE32B . 5E pop esi
004EE32C . 5B pop ebx
004EE32D . 8BE5 mov esp, ebp
004EE32F . 5D pop ebp
004EE330 . C2 0400 retn 4
--------------------------------------------CODE--------------------------------------------------------
从上面的代码可以看出来
--------------------------------------------CODE--------------------------------------------------------
004EE237 . 50 push eax ; /szValue
004EE238 . 68 04DC4000 push 0040DC04 ; |szKey = "code"
004EE23D . 68 F4DB4000 push 0040DBF4 ; |Section = "zjdy"
004EE242 . 68 DCDB4000 push 0040DBDC ; |APPName = "microsoft"
004EE247 . FF15 08104000 call dword ptr [<&msvbvm60.rtcSaveSet>; \rtcSaveSetting
--------------------------------------------CODE--------------------------------------------------------
这边就是把注册码保存到注册表,code就是注册码。
搜索了下注册表,[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\microsoft\zjdy]这个位置的code就是
注册码。
既然保存注册码,那么要读啊,把code搜索了下,有5处(上面的保存不算)。呵呵,作者为了防止一处干掉之后全部破解,
所以就分别用5个比较,但是代码基本相同。下面5处会进行注册码验证:1,启动。2,单条纵向打印。3,单条横向打印。
4,批量纵向打印。5,批量横向打印。
不过我这里横向打印的时候又提示错误。
下面我就分析二处,1,启动。2,单条纵向打印,其他地方都是和2一样的。
下面是启动的时候的验证:
--------------------------------------------CODE--------------------------------------------------------
上面部分代码略
004D5CA6 B8 B8D64000 mov eax, 0040D6B8
004D5CAB 8985 F8FCFFFF mov dword ptr [ebp-308], eax
004D5CB1 B9 08000000 mov ecx, 8
004D5CB6 898D F0FCFFFF mov dword ptr [ebp-310], ecx
004D5CBC 83EC 10 sub esp, 10
004D5CBF 8BD4 mov edx, esp
004D5CC1 890A mov dword ptr [edx], ecx
004D5CC3 8B8D F4FCFFFF mov ecx, dword ptr [ebp-30C]
004D5CC9 894A 04 mov dword ptr [edx+4], ecx
004D5CCC 8942 08 mov dword ptr [edx+8], eax
004D5CCF 8B85 FCFCFFFF mov eax, dword ptr [ebp-304]
004D5CD5 8942 0C mov dword ptr [edx+C], eax ; 程序启动的时候,读取注册码
004D5CD8 68 04DC4000 push 0040DC04 ; code
004D5CDD 68 F4DB4000 push 0040DBF4 ; zjdy
004D5CE2 68 DCDB4000 push 0040DBDC ; UNICODE "microsoft"
004D5CE7 FF15 E8114000 call dword ptr [<&msvbvm60.rtcGetSett>; msvbvm60.rtcGetSetting
004D5CED 8BD0 mov edx, eax
004D5CEF 8D8D 7CFEFFFF lea ecx, dword ptr [ebp-184]
004D5CF5 FFD3 call ebx
004D5CF7 8B8D 7CFEFFFF mov ecx, dword ptr [ebp-184]
004D5CFD 898D F8FCFFFF mov dword ptr [ebp-308], ecx
004D5D03 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8
004D5D0D 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D5D13 8D8D C0FEFFFF lea ecx, dword ptr [ebp-140]
004D5D19 FF15 10124000 call dword ptr [<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
004D5D1F 8D95 C0FEFFFF lea edx, dword ptr [ebp-140]
004D5D25 8D8D 80FEFFFF lea ecx, dword ptr [ebp-180]
004D5D2B FF15 10124000 call dword ptr [<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
004D5D31 C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5D3B C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5D45 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5D4B 52 push edx
004D5D4C 6A 01 push 1
004D5D4E 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5D54 50 push eax
004D5D55 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5D5B 51 push ecx
004D5D5C FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5D62 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5D68 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D5D6E FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5D74 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5D7A FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5D80 C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5D8A C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5D94 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5D9A 52 push edx
004D5D9B 6A 02 push 2
004D5D9D 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5DA3 50 push eax
004D5DA4 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5DAA 51 push ecx
004D5DAB FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5DB1 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5DB7 8D8D F8FDFFFF lea ecx, dword ptr [ebp-208]
004D5DBD FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5DC3 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5DC9 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5DCF C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5DD9 C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5DE3 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5DE9 52 push edx
004D5DEA 6A 03 push 3
004D5DEC 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5DF2 50 push eax
004D5DF3 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5DF9 51 push ecx
004D5DFA FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5E00 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5E06 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D5E0C FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5E12 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5E18 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5E1E C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5E28 C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5E32 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5E38 52 push edx
004D5E39 6A 04 push 4
004D5E3B 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5E41 50 push eax
004D5E42 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5E48 51 push ecx
004D5E49 FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5E4F 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5E55 8D8D D4FDFFFF lea ecx, dword ptr [ebp-22C]
004D5E5B FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5E61 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5E67 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5E6D C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5E77 C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5E81 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5E87 52 push edx
004D5E88 6A 05 push 5
004D5E8A 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5E90 50 push eax
004D5E91 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5E97 51 push ecx
004D5E98 FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5E9E 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5EA4 8D4D D0 lea ecx, dword ptr [ebp-30]
004D5EA7 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5EAD 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5EB3 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5EB9 C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5EC3 C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5ECD 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5ED3 52 push edx
004D5ED4 6A 06 push 6
004D5ED6 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5EDC 50 push eax
004D5EDD 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5EE3 51 push ecx
004D5EE4 FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5EEA 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5EF0 8D4D BC lea ecx, dword ptr [ebp-44]
004D5EF3 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5EF9 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5EFF FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5F05 C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5F0F C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5F19 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5F1F 52 push edx
004D5F20 6A 07 push 7
004D5F22 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5F28 50 push eax
004D5F29 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5F2F 51 push ecx
004D5F30 FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5F36 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5F3C 8D4D 98 lea ecx, dword ptr [ebp-68]
004D5F3F FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004D5F45 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5F4B FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004D5F51 C785 A8FDFFFF 0>mov dword ptr [ebp-258], 1
004D5F5B C785 A0FDFFFF 0>mov dword ptr [ebp-260], 2
004D5F65 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D5F6B 52 push edx
004D5F6C 6A 08 push 8
004D5F6E 8D85 80FEFFFF lea eax, dword ptr [ebp-180]
004D5F74 50 push eax
004D5F75 8D8D 90FDFFFF lea ecx, dword ptr [ebp-270]
004D5F7B 51 push ecx
004D5F7C FF15 C4104000 call dword ptr [<&msvbvm60.rtcMidChar>; msvbvm60.rtcMidCharVar
004D5F82 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D5F88 52 push edx
004D5F89 FF15 24104000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarMove
004D5F8F 8BD0 mov edx, eax
004D5F91 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
004D5F97 FFD3 call ebx
004D5F99 8D85 90FDFFFF lea eax, dword ptr [ebp-270]
004D5F9F 50 push eax
004D5FA0 8D8D A0FDFFFF lea ecx, dword ptr [ebp-260]
004D5FA6 51 push ecx
004D5FA7 6A 02 push 2
004D5FA9 FF15 2C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
004D5FAF 83C4 0C add esp, 0C
004D5FB2 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DA54
004D5FBC C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D5FC6 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8]
004D5FCC 52 push edx
004D5FCD 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D5FD3 50 push eax
004D5FD4 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D5FDA 66:85C0 test ax, ax ; 关键比较1,(可以直接跳004D6972)
004D5FDD 74 2D je short 004D600C ; 这边NOP
004D5FDF C785 F8FCFFFF 1>mov dword ptr [ebp-308], 0040DC14
004D5FE9 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8
004D5FF3 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D5FF9 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D5FFF 8B1D 10124000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarCopy
004D6005 FFD3 call ebx
004D6007 E9 1F020000 jmp 004D622B ; 跳了,到地址 004D622B
004D600C C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DB54
004D6016 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6020 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D6026 51 push ecx
004D6027 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D602D 52 push edx
004D602E 8B1D E4104000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarTstEq
004D6034 FFD3 call ebx
004D6036 66:85C0 test ax, ax
004D6039 74 0F je short 004D604A
004D603B C785 F8FCFFFF 1>mov dword ptr [ebp-308], 0040DC1C
004D6045 E9 BF010000 jmp 004D6209
004D604A C785 F8FCFFFF 7>mov dword ptr [ebp-308], 0040DA74
004D6054 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D605E 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
004D6064 50 push eax
004D6065 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D606B 51 push ecx
004D606C FFD3 call ebx
004D606E 66:85C0 test ax, ax
004D6071 74 0F je short 004D6082
004D6073 C785 F8FCFFFF 2>mov dword ptr [ebp-308], 0040DC24
004D607D E9 87010000 jmp 004D6209
004D6082 C785 F8FCFFFF 8>mov dword ptr [ebp-308], 0040DA84
004D608C C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6096 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8]
004D609C 52 push edx
004D609D 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D60A3 50 push eax
004D60A4 FFD3 call ebx
004D60A6 66:85C0 test ax, ax
004D60A9 74 0F je short 004D60BA
004D60AB C785 F8FCFFFF 2>mov dword ptr [ebp-308], 0040DC2C
004D60B5 E9 4F010000 jmp 004D6209
004D60BA C785 F8FCFFFF A>mov dword ptr [ebp-308], 0040DAA4
004D60C4 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D60CE 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D60D4 51 push ecx
004D60D5 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D60DB 52 push edx
004D60DC FFD3 call ebx
004D60DE 66:85C0 test ax, ax
004D60E1 74 0F je short 004D60F2
004D60E3 C785 F8FCFFFF 3>mov dword ptr [ebp-308], 0040DC34
004D60ED E9 17010000 jmp 004D6209
004D60F2 C785 F8FCFFFF A>mov dword ptr [ebp-308], 0040DAAC
004D60FC C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6106 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
004D610C 50 push eax
004D610D 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D6113 51 push ecx
004D6114 FFD3 call ebx
004D6116 66:85C0 test ax, ax
004D6119 74 0F je short 004D612A
004D611B C785 F8FCFFFF 3>mov dword ptr [ebp-308], 0040DC3C
004D6125 E9 DF000000 jmp 004D6209
004D612A C785 F8FCFFFF D>mov dword ptr [ebp-308], 0040DAD4
004D6134 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D613E 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8]
004D6144 52 push edx
004D6145 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D614B 50 push eax
004D614C FFD3 call ebx
004D614E 66:85C0 test ax, ax
004D6151 74 0F je short 004D6162
004D6153 C785 F8FCFFFF 4>mov dword ptr [ebp-308], 0040DC44
004D615D E9 A7000000 jmp 004D6209
004D6162 C785 F8FCFFFF D>mov dword ptr [ebp-308], 0040DADC
004D616C C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6176 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D617C 51 push ecx
004D617D 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D6183 52 push edx
004D6184 FFD3 call ebx
004D6186 66:85C0 test ax, ax
004D6189 74 0C je short 004D6197
004D618B C785 F8FCFFFF 4>mov dword ptr [ebp-308], 0040DC4C
004D6195 EB 72 jmp short 004D6209
004D6197 C785 F8FCFFFF E>mov dword ptr [ebp-308], 0040DAE4
004D61A1 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D61AB 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
004D61B1 50 push eax
004D61B2 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D61B8 51 push ecx
004D61B9 FFD3 call ebx
004D61BB 66:85C0 test ax, ax
004D61BE 74 0C je short 004D61CC
004D61C0 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DC54
004D61CA EB 3D jmp short 004D6209
004D61CC C785 F8FCFFFF 0>mov dword ptr [ebp-308], 0040DB04
004D61D6 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D61E0 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8]
004D61E6 52 push edx
004D61E7 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D61ED 50 push eax
004D61EE FFD3 call ebx
004D61F0 66:85C0 test ax, ax
004D61F3 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DC5C
004D61FD 75 0A jnz short 004D6209
004D61FF C785 F8FCFFFF 9>mov dword ptr [ebp-308], 0040DB94
004D6209 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8
004D6213 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D6219 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D621F FF15 10124000 call dword ptr [<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
004D6225 8B1D 10124000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarCopy
004D622B C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DA54
004D6235 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D623F 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D6245 51 push ecx
004D6246 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D624C 52 push edx
004D624D FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6253 66:85C0 test ax, ax ; 关键比较2
004D6256 74 0F je short 004D6267 ; 这边NOP
004D6258 C785 F8FCFFFF 1>mov dword ptr [ebp-308], 0040DC14
004D6262 E9 1B020000 jmp 004D6482 ; 跳向地址004D6482
004D6267 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DB54
004D6271 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D627B 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004D6281 50 push eax
004D6282 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D6288 51 push ecx
004D6289 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D628F 66:85C0 test ax, ax
004D6292 74 0F je short 004D62A3
004D6294 C785 F8FCFFFF 1>mov dword ptr [ebp-308], 0040DC1C
004D629E E9 DF010000 jmp 004D6482
004D62A3 C785 F8FCFFFF 7>mov dword ptr [ebp-308], 0040DA74
004D62AD C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D62B7 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
004D62BD 52 push edx
004D62BE 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D62C4 50 push eax
004D62C5 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D62CB 66:85C0 test ax, ax
004D62CE 74 0F je short 004D62DF
004D62D0 C785 F8FCFFFF 2>mov dword ptr [ebp-308], 0040DC24
004D62DA E9 A3010000 jmp 004D6482
004D62DF C785 F8FCFFFF 8>mov dword ptr [ebp-308], 0040DA84
004D62E9 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D62F3 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D62F9 51 push ecx
004D62FA 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D6300 52 push edx
004D6301 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6307 66:85C0 test ax, ax
004D630A 74 0F je short 004D631B
004D630C C785 F8FCFFFF 2>mov dword ptr [ebp-308], 0040DC2C
004D6316 E9 67010000 jmp 004D6482
004D631B C785 F8FCFFFF A>mov dword ptr [ebp-308], 0040DAA4
004D6325 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D632F 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004D6335 50 push eax
004D6336 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D633C 51 push ecx
004D633D FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6343 66:85C0 test ax, ax
004D6346 74 0F je short 004D6357
004D6348 C785 F8FCFFFF 3>mov dword ptr [ebp-308], 0040DC34
004D6352 E9 2B010000 jmp 004D6482
004D6357 C785 F8FCFFFF A>mov dword ptr [ebp-308], 0040DAAC
004D6361 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D636B 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
004D6371 52 push edx
004D6372 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D6378 50 push eax
004D6379 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D637F 66:85C0 test ax, ax
004D6382 74 0F je short 004D6393
004D6384 C785 F8FCFFFF 3>mov dword ptr [ebp-308], 0040DC3C
004D638E E9 EF000000 jmp 004D6482
004D6393 C785 F8FCFFFF D>mov dword ptr [ebp-308], 0040DAD4
004D639D C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D63A7 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D63AD 51 push ecx
004D63AE 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D63B4 52 push edx
004D63B5 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D63BB 66:85C0 test ax, ax
004D63BE 74 0F je short 004D63CF
004D63C0 C785 F8FCFFFF 4>mov dword ptr [ebp-308], 0040DC44
004D63CA E9 B3000000 jmp 004D6482
004D63CF C785 F8FCFFFF D>mov dword ptr [ebp-308], 0040DADC
004D63D9 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D63E3 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004D63E9 50 push eax
004D63EA 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D63F0 51 push ecx
004D63F1 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D63F7 66:85C0 test ax, ax
004D63FA 74 0C je short 004D6408
004D63FC C785 F8FCFFFF 4>mov dword ptr [ebp-308], 0040DC4C
004D6406 EB 7A jmp short 004D6482
004D6408 C785 F8FCFFFF E>mov dword ptr [ebp-308], 0040DAE4
004D6412 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D641C 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
004D6422 52 push edx
004D6423 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D6429 50 push eax
004D642A FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6430 66:85C0 test ax, ax
004D6433 74 0C je short 004D6441
004D6435 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DC54
004D643F EB 41 jmp short 004D6482
004D6441 C785 F8FCFFFF 0>mov dword ptr [ebp-308], 0040DB04
004D644B C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6455 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D645B 51 push ecx
004D645C 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D6462 52 push edx
004D6463 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6469 66:85C0 test ax, ax
004D646C C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DC5C
004D6476 75 0A jnz short 004D6482
004D6478 C785 F8FCFFFF 9>mov dword ptr [ebp-308], 0040DB94
004D6482 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8
004D648C 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D6492 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D6498 FFD3 call ebx
004D649A C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DA54
004D64A4 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D64AE 8D45 D0 lea eax, dword ptr [ebp-30]
004D64B1 50 push eax
004D64B2 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D64B8 51 push ecx
004D64B9 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D64BF 66:85C0 test ax, ax ; 关键比较3
004D64C2 74 0F je short 004D64D3 ; 这边NOP掉
004D64C4 C785 F8FCFFFF 1>mov dword ptr [ebp-308], 0040DC14
004D64CE E9 00020000 jmp 004D66D3 ; 跳向地址004D66D3
004D64D3 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DB54
004D64DD C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D64E7 8D55 D0 lea edx, dword ptr [ebp-30]
004D64EA 52 push edx
004D64EB 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D64F1 50 push eax
004D64F2 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D64F8 66:85C0 test ax, ax
004D64FB 74 0F je short 004D650C
004D64FD C785 F8FCFFFF 1>mov dword ptr [ebp-308], 0040DC1C
004D6507 E9 C7010000 jmp 004D66D3
004D650C C785 F8FCFFFF 7>mov dword ptr [ebp-308], 0040DA74
004D6516 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6520 8D4D D0 lea ecx, dword ptr [ebp-30]
004D6523 51 push ecx
004D6524 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D652A 52 push edx
004D652B FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6531 66:85C0 test ax, ax
004D6534 74 0F je short 004D6545
004D6536 C785 F8FCFFFF 2>mov dword ptr [ebp-308], 0040DC24
004D6540 E9 8E010000 jmp 004D66D3
004D6545 C785 F8FCFFFF 8>mov dword ptr [ebp-308], 0040DA84
004D654F C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6559 8D45 D0 lea eax, dword ptr [ebp-30]
004D655C 50 push eax
004D655D 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D6563 51 push ecx
004D6564 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D656A 66:85C0 test ax, ax
004D656D 74 0F je short 004D657E
004D656F C785 F8FCFFFF 2>mov dword ptr [ebp-308], 0040DC2C
004D6579 E9 55010000 jmp 004D66D3
004D657E C785 F8FCFFFF A>mov dword ptr [ebp-308], 0040DAA4
004D6588 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6592 8D55 D0 lea edx, dword ptr [ebp-30]
004D6595 52 push edx
004D6596 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D659C 50 push eax
004D659D FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D65A3 66:85C0 test ax, ax
004D65A6 74 0F je short 004D65B7
004D65A8 C785 F8FCFFFF 3>mov dword ptr [ebp-308], 0040DC34
004D65B2 E9 1C010000 jmp 004D66D3
004D65B7 C785 F8FCFFFF A>mov dword ptr [ebp-308], 0040DAAC
004D65C1 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D65CB 8D4D D0 lea ecx, dword ptr [ebp-30]
004D65CE 51 push ecx
004D65CF 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D65D5 52 push edx
004D65D6 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D65DC 66:85C0 test ax, ax
004D65DF 74 0F je short 004D65F0
004D65E1 C785 F8FCFFFF 3>mov dword ptr [ebp-308], 0040DC3C
004D65EB E9 E3000000 jmp 004D66D3
004D65F0 C785 F8FCFFFF D>mov dword ptr [ebp-308], 0040DAD4
004D65FA C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6604 8D45 D0 lea eax, dword ptr [ebp-30]
004D6607 50 push eax
004D6608 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D660E 51 push ecx
004D660F FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6615 66:85C0 test ax, ax
004D6618 74 0F je short 004D6629
004D661A C785 F8FCFFFF 4>mov dword ptr [ebp-308], 0040DC44
004D6624 E9 AA000000 jmp 004D66D3
004D6629 C785 F8FCFFFF D>mov dword ptr [ebp-308], 0040DADC
004D6633 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D663D 8D55 D0 lea edx, dword ptr [ebp-30]
004D6640 52 push edx
004D6641 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]
004D6647 50 push eax
004D6648 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D664E 66:85C0 test ax, ax
004D6651 74 0C je short 004D665F
004D6653 C785 F8FCFFFF 4>mov dword ptr [ebp-308], 0040DC4C
004D665D EB 74 jmp short 004D66D3
004D665F C785 F8FCFFFF E>mov dword ptr [ebp-308], 0040DAE4
004D6669 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D6673 8D4D D0 lea ecx, dword ptr [ebp-30]
004D6676 51 push ecx
004D6677 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D667D 52 push edx
004D667E FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D6684 66:85C0 test ax, ax
004D6687 74 0C je short 004D6695
004D6689 C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DC54
004D6693 EB 3E jmp short 004D66D3
004D6695 C785 F8FCFFFF 0>mov dword ptr [ebp-308], 0040DB04
004D669F C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8008
004D66A9 8D45 D0 lea eax, dword ptr [ebp-30]
004D66AC 50 push eax
004D66AD 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D66B3 51 push ecx
004D66B4 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D66BA 66:85C0 test ax, ax
004D66BD C785 F8FCFFFF 5>mov dword ptr [ebp-308], 0040DC5C
004D66C7 75 0A jnz short 004D66D3
004D66C9 C785 F8FCFFFF 9>mov dword ptr [ebp-308], 0040DB94
004D66D3 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8
004D66DD 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D66E3 8D4D D0 lea ecx, dword ptr [ebp-30]
004D66E6 FFD3 call ebx
004D66E8 8B95 70FFFFFF mov edx, dword ptr [ebp-90]
004D66EE 52 push edx
004D66EF 68 54DA4000 push 0040DA54
004D66F4 8B1D DC104000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaStrCmp
004D66FA FFD3 call ebx
004D66FC 85C0 test eax, eax ; 关键跳转4
004D66FE 75 0A jnz short 004D670A ; NOP掉
004D6700 BA 14DC4000 mov edx, 0040DC14
004D6705 E9 F0000000 jmp 004D67FA ; 跳向地址004D67FA
004D670A 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
004D6710 50 push eax
004D6711 68 54DB4000 push 0040DB54
004D6716 FFD3 call ebx
004D6718 85C0 test eax, eax
004D671A 75 0A jnz short 004D6726
004D671C BA 1CDC4000 mov edx, 0040DC1C
004D6721 E9 D4000000 jmp 004D67FA
004D6726 8B8D 70FFFFFF mov ecx, dword ptr [ebp-90]
004D672C 51 push ecx
004D672D 68 74DA4000 push 0040DA74
004D6732 FFD3 call ebx
004D6734 85C0 test eax, eax
004D6736 75 0A jnz short 004D6742
004D6738 BA 24DC4000 mov edx, 0040DC24
004D673D E9 B8000000 jmp 004D67FA
004D6742 8B95 70FFFFFF mov edx, dword ptr [ebp-90]
004D6748 52 push edx
004D6749 68 84DA4000 push 0040DA84
004D674E FFD3 call ebx
004D6750 85C0 test eax, eax
004D6752 75 0A jnz short 004D675E
004D6754 BA 2CDC4000 mov edx, 0040DC2C
004D6759 E9 9C000000 jmp 004D67FA
004D675E 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
004D6764 50 push eax
004D6765 68 A4DA4000 push 0040DAA4
004D676A FFD3 call ebx
004D676C 85C0 test eax, eax
004D676E 75 0A jnz short 004D677A
004D6770 BA 34DC4000 mov edx, 0040DC34
004D6775 E9 80000000 jmp 004D67FA
004D677A 8B8D 70FFFFFF mov ecx, dword ptr [ebp-90]
004D6780 51 push ecx
004D6781 68 ACDA4000 push 0040DAAC
004D6786 FFD3 call ebx
004D6788 85C0 test eax, eax
004D678A 75 07 jnz short 004D6793
004D678C BA 3CDC4000 mov edx, 0040DC3C
004D6791 EB 67 jmp short 004D67FA
004D6793 8B95 70FFFFFF mov edx, dword ptr [ebp-90]
004D6799 52 push edx
004D679A 68 D4DA4000 push 0040DAD4
004D679F FFD3 call ebx
004D67A1 85C0 test eax, eax
004D67A3 75 07 jnz short 004D67AC
004D67A5 BA 44DC4000 mov edx, 0040DC44
004D67AA EB 4E jmp short 004D67FA
004D67AC 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
004D67B2 50 push eax
004D67B3 68 DCDA4000 push 0040DADC
004D67B8 FFD3 call ebx
004D67BA 85C0 test eax, eax
004D67BC 75 07 jnz short 004D67C5
004D67BE BA 4CDC4000 mov edx, 0040DC4C
004D67C3 EB 35 jmp short 004D67FA
004D67C5 8B8D 70FFFFFF mov ecx, dword ptr [ebp-90]
004D67CB 51 push ecx
004D67CC 68 E4DA4000 push 0040DAE4
004D67D1 FFD3 call ebx
004D67D3 85C0 test eax, eax
004D67D5 75 07 jnz short 004D67DE
004D67D7 BA 54DC4000 mov edx, 0040DC54
004D67DC EB 1C jmp short 004D67FA
004D67DE 8B95 70FFFFFF mov edx, dword ptr [ebp-90]
004D67E4 52 push edx
004D67E5 68 04DB4000 push 0040DB04
004D67EA FFD3 call ebx
004D67EC 85C0 test eax, eax
004D67EE BA 5CDC4000 mov edx, 0040DC5C
004D67F3 74 05 je short 004D67FA
004D67F5 BA 94DB4000 mov edx, 0040DB94
004D67FA 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
004D6800 FF15 BC114000 call dword ptr [<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
004D6806 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
004D680C 8985 F8FCFFFF mov dword ptr [ebp-308], eax
004D6812 C785 F0FCFFFF 0>mov dword ptr [ebp-310], 8
004D681C 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
004D6822 51 push ecx
004D6823 8D95 F8FDFFFF lea edx, dword ptr [ebp-208]
004D6829 52 push edx
004D682A 8D85 A0FDFFFF lea eax, dword ptr [ebp-260]
004D6830 50 push eax
004D6831 8B1D 80114000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarCat
004D6837 FFD3 call ebx
004D6839 50 push eax
004D683A 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004D6840 51 push ecx
004D6841 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D6847 52 push edx
004D6848 FFD3 call ebx
004D684A 50 push eax
004D684B 8D85 D4FDFFFF lea eax, dword ptr [ebp-22C]
004D6851 50 push eax
004D6852 8D8D 80FDFFFF lea ecx, dword ptr [ebp-280]
004D6858 51 push ecx
004D6859 FFD3 call ebx
004D685B 50 push eax
004D685C 8D55 D0 lea edx, dword ptr [ebp-30]
004D685F 52 push edx
004D6860 8D85 70FDFFFF lea eax, dword ptr [ebp-290]
004D6866 50 push eax
004D6867 FFD3 call ebx
004D6869 50 push eax
004D686A 8D4D BC lea ecx, dword ptr [ebp-44]
004D686D 51 push ecx
004D686E 8D95 60FDFFFF lea edx, dword ptr [ebp-2A0]
004D6874 52 push edx
004D6875 FFD3 call ebx
004D6877 50 push eax
004D6878 8D45 98 lea eax, dword ptr [ebp-68]
004D687B 50 push eax
004D687C 8D8D 50FDFFFF lea ecx, dword ptr [ebp-2B0]
004D6882 51 push ecx
004D6883 FFD3 call ebx
004D6885 50 push eax
004D6886 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D688C 52 push edx
004D688D 8D85 40FDFFFF lea eax, dword ptr [ebp-2C0]
004D6893 50 push eax
004D6894 FFD3 call ebx
004D6896 8BD0 mov edx, eax
004D6898 8D8D C0FEFFFF lea ecx, dword ptr [ebp-140]
004D689E 8B1D 18104000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarMove
004D68A4 FFD3 call ebx
004D68A6 8D8D 50FDFFFF lea ecx, dword ptr [ebp-2B0]
004D68AC 51 push ecx
004D68AD 8D95 60FDFFFF lea edx, dword ptr [ebp-2A0]
004D68B3 52 push edx
004D68B4 8D85 70FDFFFF lea eax, dword ptr [ebp-290]
004D68BA 50 push eax
004D68BB 8D8D 80FDFFFF lea ecx, dword ptr [ebp-280]
004D68C1 51 push ecx
004D68C2 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
004D68C8 52 push edx
004D68C9 8D85 A0FDFFFF lea eax, dword ptr [ebp-260]
004D68CF 50 push eax
004D68D0 6A 06 push 6
004D68D2 FF15 2C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
004D68D8 83C4 1C add esp, 1C
004D68DB 8D8D C0FEFFFF lea ecx, dword ptr [ebp-140]
004D68E1 51 push ecx
004D68E2 8D95 CCFDFFFF lea edx, dword ptr [ebp-234]
004D68E8 52 push edx
004D68E9 FF15 78114000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarVal
004D68EF 50 push eax
004D68F0 FF15 5C124000 call dword ptr [<&msvbvm60.rtcR8ValFr>; msvbvm60.rtcR8ValFromBstr
004D68F6 DD9D F8FCFFFF fstp qword ptr [ebp-308]
004D68FC C785 F0FCFFFF 0>mov dword ptr [ebp-310], 5
004D6906 8D95 F0FCFFFF lea edx, dword ptr [ebp-310]
004D690C 8D8D C0FEFFFF lea ecx, dword ptr [ebp-140]
004D6912 FFD3 call ebx
004D6914 8D8D CCFDFFFF lea ecx, dword ptr [ebp-234]
004D691A FF15 54124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004D6920 C785 F8FCFFFF 3>mov dword ptr [ebp-308], 3039
004D692A C785 F0FCFFFF 0>mov dword ptr [ebp-310], 2
004D6934 8D85 C0FEFFFF lea eax, dword ptr [ebp-140]
004D693A 50 push eax
004D693B 8D8D F0FCFFFF lea ecx, dword ptr [ebp-310]
004D6941 51 push ecx
004D6942 8D95 A0FDFFFF lea edx, dword ptr [ebp-260]
004D6948 52 push edx
004D6949 FF15 F0114000 call dword ptr [<&msvbvm60.__vbaVarAd>; msvbvm60.__vbaVarAdd
004D694F 8BD0 mov edx, eax
004D6951 8D8D 38FEFFFF lea ecx, dword ptr [ebp-1C8]
004D6957 FFD3 call ebx
004D6959 8D85 58FEFFFF lea eax, dword ptr [ebp-1A8]
004D695F 50 push eax
004D6960 8D8D 38FEFFFF lea ecx, dword ptr [ebp-1C8]
004D6966 51 push ecx
004D6967 FF15 E4104000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
004D696D 66:85C0 test ax, ax ; 关键比较5
004D6970 74 6F je short 004D69E1 ; 这里NOP
004D6972 8B16 mov edx, dword ptr [esi] ; 我们还可以从一开始跳向这里
004D6974 56 push esi
004D6975 FF92 A8060000 call dword ptr [edx+6A8]
004D697B 50 push eax
004D697C 8D85 B4FDFFFF lea eax, dword ptr [ebp-24C]
004D6982 50 push eax
004D6983 FFD7 call edi
004D6985 8BD8 mov ebx, eax
004D6987 8B0B mov ecx, dword ptr [ebx]
004D6989 6A 00 push 0
004D698B 53 push ebx
004D698C FF51 74 call dword ptr [ecx+74]
004D698F DBE2 fclex
004D6991 85C0 test eax, eax
004D6993 7D 0F jge short 004D69A4
004D6995 6A 74 push 74
004D6997 68 24E44000 push 0040E424
004D699C 53 push ebx
004D699D 50 push eax
004D699E FF15 5C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
004D69A4 8D8D B4FDFFFF lea ecx, dword ptr [ebp-24C]
004D69AA FF15 58124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
004D69B0 8B16 mov edx, dword ptr [esi]
004D69B2 56 push esi
004D69B3 FF92 A8060000 call dword ptr [edx+6A8]
004D69B9 50 push eax
004D69BA 8D85 B4FDFFFF lea eax, dword ptr [ebp-24C]
004D69C0 50 push eax
004D69C1 FFD7 call edi
004D69C3 8BD8 mov ebx, eax
004D69C5 8B0B mov ecx, dword ptr [ebx]
下面部分代码略
--------------------------------------------CODE--------------------------------------------------------
下面的单条纵向打印的验证:
--------------------------------------------CODE--------------------------------------------------------
上面代码略
0049983E B9 08000000 mov ecx, 8
00499843 8BD4 mov edx, esp
00499845 898D A8FCFFFF mov dword ptr [ebp-358], ecx
0049984B B8 B8D64000 mov eax, 0040D6B8 ; 单条纵向打印时验证
00499850 68 04DC4000 push 0040DC04 ; code
00499855 890A mov dword ptr [edx], ecx
00499857 8B8D ACFCFFFF mov ecx, dword ptr [ebp-354]
0049985D 8985 B0FCFFFF mov dword ptr [ebp-350], eax
00499863 68 F4DB4000 push 0040DBF4 ; zjdy
00499868 894A 04 mov dword ptr [edx+4], ecx
0049986B 68 DCDB4000 push 0040DBDC ; UNICODE "microsoft"
00499870 8942 08 mov dword ptr [edx+8], eax
00499873 8B85 B4FCFFFF mov eax, dword ptr [ebp-34C]
00499879 8942 0C mov dword ptr [edx+C], eax
0049987C FF15 E8114000 call dword ptr [<&msvbvm60.rtcGetSett>; msvbvm60.rtcGetSetting
00499882 8BD0 mov edx, eax
00499884 8D8D 4CFEFFFF lea ecx, dword ptr [ebp-1B4]
0049988A FFD3 call ebx
0049988C 8B8D 4CFEFFFF mov ecx, dword ptr [ebp-1B4]
00499892 8B35 10124000 mov esi, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarCopy
00499898 898D B0FCFFFF mov dword ptr [ebp-350], ecx
0049989E 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
004998A4 8D8D 90FEFFFF lea ecx, dword ptr [ebp-170]
004998AA C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8
004998B4 FFD6 call esi
004998B6 8D95 90FEFFFF lea edx, dword ptr [ebp-170]
004998BC 8D8D 50FEFFFF lea ecx, dword ptr [ebp-1B0]
004998C2 FFD6 call esi
004998C4 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
004998CA 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
004998D0 52 push edx
004998D1 6A 01 push 1
004998D3 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
004998D9 89BD 58FDFFFF mov dword ptr [ebp-2A8], edi
004998DF 8B3D C4104000 mov edi, dword ptr [<&msvbvm60.rtcMi>; msvbvm60.rtcMidCharVar
004998E5 50 push eax
004998E6 51 push ecx
004998E7 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
004998F1 FFD7 call edi
004998F3 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
004998F9 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
004998FF FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00499905 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
0049990B FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
00499911 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
00499917 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
0049991D 52 push edx
0049991E 6A 02 push 2
00499920 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00499926 50 push eax
00499927 51 push ecx
00499928 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
00499932 C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
0049993C FFD7 call edi
0049993E 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
00499944 8D8D C4FDFFFF lea ecx, dword ptr [ebp-23C]
0049994A FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00499950 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
00499956 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
0049995C 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
00499962 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
00499968 52 push edx
00499969 6A 03 push 3
0049996B 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00499971 50 push eax
00499972 51 push ecx
00499973 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
0049997D C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
00499987 FFD7 call edi
00499989 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
0049998F 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
00499995 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
0049999B 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
004999A1 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004999A7 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
004999AD 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
004999B3 52 push edx
004999B4 6A 04 push 4
004999B6 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
004999BC 50 push eax
004999BD 51 push ecx
004999BE C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
004999C8 C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
004999D2 FFD7 call edi
004999D4 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
004999DA 8D8D 8CFDFFFF lea ecx, dword ptr [ebp-274]
004999E0 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
004999E6 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
004999EC FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
004999F2 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
004999F8 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
004999FE 52 push edx
004999FF 6A 05 push 5
00499A01 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00499A07 50 push eax
00499A08 51 push ecx
00499A09 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
00499A13 C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
00499A1D FFD7 call edi
00499A1F 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
00499A25 8D4D DC lea ecx, dword ptr [ebp-24]
00499A28 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00499A2E 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
00499A34 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
00499A3A 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
00499A40 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
00499A46 52 push edx
00499A47 6A 06 push 6
00499A49 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00499A4F 50 push eax
00499A50 51 push ecx
00499A51 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
00499A5B C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
00499A65 FFD7 call edi
00499A67 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
00499A6D 8D4D C4 lea ecx, dword ptr [ebp-3C]
00499A70 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00499A76 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
00499A7C FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
00499A82 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
00499A88 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
00499A8E 52 push edx
00499A8F 6A 07 push 7
00499A91 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00499A97 50 push eax
00499A98 51 push ecx
00499A99 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
00499AA3 C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
00499AAD FFD7 call edi
00499AAF 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
00499AB5 8D4D A0 lea ecx, dword ptr [ebp-60]
00499AB8 FF15 18104000 call dword ptr [<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00499ABE 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
00499AC4 FF15 1C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
00499ACA 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
00499AD0 C785 60FDFFFF 0>mov dword ptr [ebp-2A0], 1
00499ADA 52 push edx
00499ADB C785 58FDFFFF 0>mov dword ptr [ebp-2A8], 2
00499AE5 6A 08 push 8
00499AE7 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
00499AED 8D8D 48FDFFFF lea ecx, dword ptr [ebp-2B8]
00499AF3 50 push eax
00499AF4 51 push ecx
00499AF5 FFD7 call edi
00499AF7 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
00499AFD 52 push edx
00499AFE FF15 24104000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarMove
00499B04 8BD0 mov edx, eax
00499B06 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00499B0C FFD3 call ebx
00499B0E 8D85 48FDFFFF lea eax, dword ptr [ebp-2B8]
00499B14 8D8D 58FDFFFF lea ecx, dword ptr [ebp-2A8]
00499B1A 50 push eax
00499B1B 51 push ecx
00499B1C 6A 02 push 2
00499B1E FF15 2C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
00499B24 8B1D E4104000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarTstEq
00499B2A 83C4 0C add esp, 0C
00499B2D 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
00499B33 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499B39 52 push edx
00499B3A 50 push eax
00499B3B C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DA54
00499B45 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499B4F FFD3 call ebx ; 下面可以直接跳向0049ACD9,跳过全部验证
00499B51 66:85C0 test ax, ax ; 关键比较1
00499B54 74 28 je short 00499B7E ; NOP掉
00499B56 BF 08000000 mov edi, 8
00499B5B 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499B61 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
00499B67 C785 B0FCFFFF 1>mov dword ptr [ebp-350], 0040DC14
00499B71 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499B77 FFD6 call esi
00499B79 E9 F5010000 jmp 00499D73 ; 跳向地址00499D73
00499B7E 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
00499B84 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499B8A BF 08800000 mov edi, 8008
00499B8F 51 push ecx
00499B90 52 push edx
00499B91 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DB54
00499B9B 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499BA1 FFD3 call ebx
00499BA3 66:85C0 test ax, ax
00499BA6 74 0F je short 00499BB7
00499BA8 C785 B0FCFFFF 1>mov dword ptr [ebp-350], 0040DC1C
00499BB2 E9 9F010000 jmp 00499D56
00499BB7 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00499BBD 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499BC3 50 push eax
00499BC4 51 push ecx
00499BC5 C785 B0FCFFFF 7>mov dword ptr [ebp-350], 0040DA74
00499BCF 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499BD5 FFD3 call ebx
00499BD7 66:85C0 test ax, ax
00499BDA 74 0F je short 00499BEB
00499BDC C785 B0FCFFFF 2>mov dword ptr [ebp-350], 0040DC24
00499BE6 E9 6B010000 jmp 00499D56
00499BEB 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
00499BF1 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499BF7 52 push edx
00499BF8 50 push eax
00499BF9 C785 B0FCFFFF 8>mov dword ptr [ebp-350], 0040DA84
00499C03 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499C09 FFD3 call ebx
00499C0B 66:85C0 test ax, ax
00499C0E 74 0F je short 00499C1F
00499C10 C785 B0FCFFFF 2>mov dword ptr [ebp-350], 0040DC2C
00499C1A E9 37010000 jmp 00499D56
00499C1F 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
00499C25 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499C2B 51 push ecx
00499C2C 52 push edx
00499C2D C785 B0FCFFFF A>mov dword ptr [ebp-350], 0040DAA4
00499C37 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499C3D FFD3 call ebx
00499C3F 66:85C0 test ax, ax
00499C42 74 0F je short 00499C53
00499C44 C785 B0FCFFFF 3>mov dword ptr [ebp-350], 0040DC34
00499C4E E9 03010000 jmp 00499D56
00499C53 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00499C59 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499C5F 50 push eax
00499C60 51 push ecx
00499C61 C785 B0FCFFFF A>mov dword ptr [ebp-350], 0040DAAC
00499C6B 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499C71 FFD3 call ebx
00499C73 66:85C0 test ax, ax
00499C76 74 0F je short 00499C87
00499C78 C785 B0FCFFFF 3>mov dword ptr [ebp-350], 0040DC3C
00499C82 E9 CF000000 jmp 00499D56
00499C87 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
00499C8D 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499C93 52 push edx
00499C94 50 push eax
00499C95 C785 B0FCFFFF D>mov dword ptr [ebp-350], 0040DAD4
00499C9F 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499CA5 FFD3 call ebx
00499CA7 66:85C0 test ax, ax
00499CAA 74 0F je short 00499CBB
00499CAC C785 B0FCFFFF 4>mov dword ptr [ebp-350], 0040DC44
00499CB6 E9 9B000000 jmp 00499D56
00499CBB 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
00499CC1 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499CC7 51 push ecx
00499CC8 52 push edx
00499CC9 C785 B0FCFFFF D>mov dword ptr [ebp-350], 0040DADC
00499CD3 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499CD9 FFD3 call ebx
00499CDB 66:85C0 test ax, ax
00499CDE 74 0C je short 00499CEC
00499CE0 C785 B0FCFFFF 4>mov dword ptr [ebp-350], 0040DC4C
00499CEA EB 6A jmp short 00499D56
00499CEC 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00499CF2 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499CF8 50 push eax
00499CF9 51 push ecx
00499CFA C785 B0FCFFFF E>mov dword ptr [ebp-350], 0040DAE4
00499D04 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499D0A FFD3 call ebx
00499D0C 66:85C0 test ax, ax
00499D0F 74 0C je short 00499D1D
00499D11 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DC54
00499D1B EB 39 jmp short 00499D56
00499D1D 8D95 E4FDFFFF lea edx, dword ptr [ebp-21C]
00499D23 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499D29 52 push edx
00499D2A 50 push eax
00499D2B C785 B0FCFFFF 0>mov dword ptr [ebp-350], 0040DB04
00499D35 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499D3B FFD3 call ebx
00499D3D 66:85C0 test ax, ax
00499D40 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DC5C
00499D4A 75 0A jnz short 00499D56
00499D4C C785 B0FCFFFF 9>mov dword ptr [ebp-350], 0040DB94
00499D56 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499D5C 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
00499D62 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8
00499D6C FFD6 call esi
00499D6E BF 08000000 mov edi, 8
00499D73 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
00499D79 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499D7F 51 push ecx
00499D80 52 push edx
00499D81 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DA54
00499D8B C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499D95 FFD3 call ebx
00499D97 66:85C0 test ax, ax ; 关键比较2
00499D9A 74 0F je short 00499DAB ; NOP
00499D9C C785 B0FCFFFF 1>mov dword ptr [ebp-350], 0040DC14
00499DA6 E9 F7010000 jmp 00499FA2 ; 跳向00499FA2
00499DAB 8D85 9CFDFFFF lea eax, dword ptr [ebp-264]
00499DB1 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499DB7 50 push eax
00499DB8 51 push ecx
00499DB9 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DB54
00499DC3 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499DCD FFD3 call ebx
00499DCF 66:85C0 test ax, ax
00499DD2 74 0F je short 00499DE3
00499DD4 C785 B0FCFFFF 1>mov dword ptr [ebp-350], 0040DC1C
00499DDE E9 BF010000 jmp 00499FA2
00499DE3 8D95 9CFDFFFF lea edx, dword ptr [ebp-264]
00499DE9 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499DEF 52 push edx
00499DF0 50 push eax
00499DF1 C785 B0FCFFFF 7>mov dword ptr [ebp-350], 0040DA74
00499DFB C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499E05 FFD3 call ebx
00499E07 66:85C0 test ax, ax
00499E0A 74 0F je short 00499E1B
00499E0C C785 B0FCFFFF 2>mov dword ptr [ebp-350], 0040DC24
00499E16 E9 87010000 jmp 00499FA2
00499E1B 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
00499E21 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499E27 51 push ecx
00499E28 52 push edx
00499E29 C785 B0FCFFFF 8>mov dword ptr [ebp-350], 0040DA84
00499E33 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499E3D FFD3 call ebx
00499E3F 66:85C0 test ax, ax
00499E42 74 0F je short 00499E53
00499E44 C785 B0FCFFFF 2>mov dword ptr [ebp-350], 0040DC2C
00499E4E E9 4F010000 jmp 00499FA2
00499E53 8D85 9CFDFFFF lea eax, dword ptr [ebp-264]
00499E59 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499E5F 50 push eax
00499E60 51 push ecx
00499E61 C785 B0FCFFFF A>mov dword ptr [ebp-350], 0040DAA4
00499E6B C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499E75 FFD3 call ebx
00499E77 66:85C0 test ax, ax
00499E7A 74 0F je short 00499E8B
00499E7C C785 B0FCFFFF 3>mov dword ptr [ebp-350], 0040DC34
00499E86 E9 17010000 jmp 00499FA2
00499E8B 8D95 9CFDFFFF lea edx, dword ptr [ebp-264]
00499E91 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499E97 52 push edx
00499E98 50 push eax
00499E99 C785 B0FCFFFF A>mov dword ptr [ebp-350], 0040DAAC
00499EA3 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499EAD FFD3 call ebx
00499EAF 66:85C0 test ax, ax
00499EB2 74 0F je short 00499EC3
00499EB4 C785 B0FCFFFF 3>mov dword ptr [ebp-350], 0040DC3C
00499EBE E9 DF000000 jmp 00499FA2
00499EC3 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
00499EC9 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499ECF 51 push ecx
00499ED0 52 push edx
00499ED1 C785 B0FCFFFF D>mov dword ptr [ebp-350], 0040DAD4
00499EDB C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499EE5 FFD3 call ebx
00499EE7 66:85C0 test ax, ax
00499EEA 74 0F je short 00499EFB
00499EEC C785 B0FCFFFF 4>mov dword ptr [ebp-350], 0040DC44
00499EF6 E9 A7000000 jmp 00499FA2
00499EFB 8D85 9CFDFFFF lea eax, dword ptr [ebp-264]
00499F01 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499F07 50 push eax
00499F08 51 push ecx
00499F09 C785 B0FCFFFF D>mov dword ptr [ebp-350], 0040DADC
00499F13 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499F1D FFD3 call ebx
00499F1F 66:85C0 test ax, ax
00499F22 74 0C je short 00499F30
00499F24 C785 B0FCFFFF 4>mov dword ptr [ebp-350], 0040DC4C
00499F2E EB 72 jmp short 00499FA2
00499F30 8D95 9CFDFFFF lea edx, dword ptr [ebp-264]
00499F36 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499F3C 52 push edx
00499F3D 50 push eax
00499F3E C785 B0FCFFFF E>mov dword ptr [ebp-350], 0040DAE4
00499F48 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499F52 FFD3 call ebx
00499F54 66:85C0 test ax, ax
00499F57 74 0C je short 00499F65
00499F59 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DC54
00499F63 EB 3D jmp short 00499FA2
00499F65 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
00499F6B 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499F71 51 push ecx
00499F72 52 push edx
00499F73 C785 B0FCFFFF 0>mov dword ptr [ebp-350], 0040DB04
00499F7D C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499F87 FFD3 call ebx
00499F89 66:85C0 test ax, ax
00499F8C C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DC5C
00499F96 75 0A jnz short 00499FA2
00499F98 C785 B0FCFFFF 9>mov dword ptr [ebp-350], 0040DB94
00499FA2 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
00499FA8 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
00499FAE 89BD A8FCFFFF mov dword ptr [ebp-358], edi
00499FB4 FFD6 call esi
00499FB6 8D45 DC lea eax, dword ptr [ebp-24]
00499FB9 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
00499FBF 50 push eax
00499FC0 51 push ecx
00499FC1 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DA54
00499FCB C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
00499FD5 FFD3 call ebx
00499FD7 66:85C0 test ax, ax ; 关键比较3
00499FDA 74 0F je short 00499FEB ; NOP掉
00499FDC C785 B0FCFFFF 1>mov dword ptr [ebp-350], 0040DC14
00499FE6 E9 DC010000 jmp 0049A1C7 ; 跳向0049A1C7
00499FEB 8D55 DC lea edx, dword ptr [ebp-24]
00499FEE 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
00499FF4 52 push edx
00499FF5 50 push eax
00499FF6 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DB54
0049A000 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A00A FFD3 call ebx
0049A00C 66:85C0 test ax, ax
0049A00F 74 0F je short 0049A020
0049A011 C785 B0FCFFFF 1>mov dword ptr [ebp-350], 0040DC1C
0049A01B E9 A7010000 jmp 0049A1C7
0049A020 8D4D DC lea ecx, dword ptr [ebp-24]
0049A023 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
0049A029 51 push ecx
0049A02A 52 push edx
0049A02B C785 B0FCFFFF 7>mov dword ptr [ebp-350], 0040DA74
0049A035 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A03F FFD3 call ebx
0049A041 66:85C0 test ax, ax
0049A044 74 0F je short 0049A055
0049A046 C785 B0FCFFFF 2>mov dword ptr [ebp-350], 0040DC24
0049A050 E9 72010000 jmp 0049A1C7
0049A055 8D45 DC lea eax, dword ptr [ebp-24]
0049A058 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
0049A05E 50 push eax
0049A05F 51 push ecx
0049A060 C785 B0FCFFFF 8>mov dword ptr [ebp-350], 0040DA84
0049A06A C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A074 FFD3 call ebx
0049A076 66:85C0 test ax, ax
0049A079 74 0F je short 0049A08A
0049A07B C785 B0FCFFFF 2>mov dword ptr [ebp-350], 0040DC2C
0049A085 E9 3D010000 jmp 0049A1C7
0049A08A 8D55 DC lea edx, dword ptr [ebp-24]
0049A08D 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
0049A093 52 push edx
0049A094 50 push eax
0049A095 C785 B0FCFFFF A>mov dword ptr [ebp-350], 0040DAA4
0049A09F C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A0A9 FFD3 call ebx
0049A0AB 66:85C0 test ax, ax
0049A0AE 74 0F je short 0049A0BF
0049A0B0 C785 B0FCFFFF 3>mov dword ptr [ebp-350], 0040DC34
0049A0BA E9 08010000 jmp 0049A1C7
0049A0BF 8D4D DC lea ecx, dword ptr [ebp-24]
0049A0C2 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
0049A0C8 51 push ecx
0049A0C9 52 push edx
0049A0CA C785 B0FCFFFF A>mov dword ptr [ebp-350], 0040DAAC
0049A0D4 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A0DE FFD3 call ebx
0049A0E0 66:85C0 test ax, ax
0049A0E3 74 0F je short 0049A0F4
0049A0E5 C785 B0FCFFFF 3>mov dword ptr [ebp-350], 0040DC3C
0049A0EF E9 D3000000 jmp 0049A1C7
0049A0F4 8D45 DC lea eax, dword ptr [ebp-24]
0049A0F7 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
0049A0FD 50 push eax
0049A0FE 51 push ecx
0049A0FF C785 B0FCFFFF D>mov dword ptr [ebp-350], 0040DAD4
0049A109 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A113 FFD3 call ebx
0049A115 66:85C0 test ax, ax
0049A118 74 0F je short 0049A129
0049A11A C785 B0FCFFFF 4>mov dword ptr [ebp-350], 0040DC44
0049A124 E9 9E000000 jmp 0049A1C7
0049A129 8D55 DC lea edx, dword ptr [ebp-24]
0049A12C 8D85 A8FCFFFF lea eax, dword ptr [ebp-358]
0049A132 52 push edx
0049A133 50 push eax
0049A134 C785 B0FCFFFF D>mov dword ptr [ebp-350], 0040DADC
0049A13E C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A148 FFD3 call ebx
0049A14A 66:85C0 test ax, ax
0049A14D 74 0C je short 0049A15B
0049A14F C785 B0FCFFFF 4>mov dword ptr [ebp-350], 0040DC4C
0049A159 EB 6C jmp short 0049A1C7
0049A15B 8D4D DC lea ecx, dword ptr [ebp-24]
0049A15E 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
0049A164 51 push ecx
0049A165 52 push edx
0049A166 C785 B0FCFFFF E>mov dword ptr [ebp-350], 0040DAE4
0049A170 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A17A FFD3 call ebx
0049A17C 66:85C0 test ax, ax
0049A17F 74 0C je short 0049A18D
0049A181 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DC54
0049A18B EB 3A jmp short 0049A1C7
0049A18D 8D45 DC lea eax, dword ptr [ebp-24]
0049A190 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
0049A196 50 push eax
0049A197 51 push ecx
0049A198 C785 B0FCFFFF 0>mov dword ptr [ebp-350], 0040DB04
0049A1A2 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 8008
0049A1AC FFD3 call ebx
0049A1AE 66:85C0 test ax, ax
0049A1B1 C785 B0FCFFFF 5>mov dword ptr [ebp-350], 0040DC5C
0049A1BB 75 0A jnz short 0049A1C7
0049A1BD C785 B0FCFFFF 9>mov dword ptr [ebp-350], 0040DB94
0049A1C7 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
0049A1CD 8D4D DC lea ecx, dword ptr [ebp-24]
0049A1D0 89BD A8FCFFFF mov dword ptr [ebp-358], edi
0049A1D6 FFD6 call esi
0049A1D8 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0049A1DE 8B35 DC104000 mov esi, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaStrCmp
0049A1E4 52 push edx
0049A1E5 68 54DA4000 push 0040DA54
0049A1EA FFD6 call esi
0049A1EC 85C0 test eax, eax ; 关键比较4
0049A1EE 75 0A jnz short 0049A1FA ; NOP掉
0049A1F0 BA 14DC4000 mov edx, 0040DC14
0049A1F5 E9 F0000000 jmp 0049A2EA ; 跳向 0049A2EA
0049A1FA 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0049A200 50 push eax
0049A201 68 54DB4000 push 0040DB54
0049A206 FFD6 call esi
0049A208 85C0 test eax, eax
0049A20A 75 0A jnz short 0049A216
0049A20C BA 1CDC4000 mov edx, 0040DC1C
0049A211 E9 D4000000 jmp 0049A2EA
0049A216 8B8D 68FFFFFF mov ecx, dword ptr [ebp-98]
0049A21C 51 push ecx
0049A21D 68 74DA4000 push 0040DA74
0049A222 FFD6 call esi
0049A224 85C0 test eax, eax
0049A226 75 0A jnz short 0049A232
0049A228 BA 24DC4000 mov edx, 0040DC24
0049A22D E9 B8000000 jmp 0049A2EA
0049A232 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0049A238 52 push edx
0049A239 68 84DA4000 push 0040DA84
0049A23E FFD6 call esi
0049A240 85C0 test eax, eax
0049A242 75 0A jnz short 0049A24E
0049A244 BA 2CDC4000 mov edx, 0040DC2C
0049A249 E9 9C000000 jmp 0049A2EA
0049A24E 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0049A254 50 push eax
0049A255 68 A4DA4000 push 0040DAA4
0049A25A FFD6 call esi
0049A25C 85C0 test eax, eax
0049A25E 75 0A jnz short 0049A26A
0049A260 BA 34DC4000 mov edx, 0040DC34
0049A265 E9 80000000 jmp 0049A2EA
0049A26A 8B8D 68FFFFFF mov ecx, dword ptr [ebp-98]
0049A270 51 push ecx
0049A271 68 ACDA4000 push 0040DAAC
0049A276 FFD6 call esi
0049A278 85C0 test eax, eax
0049A27A 75 07 jnz short 0049A283
0049A27C BA 3CDC4000 mov edx, 0040DC3C
0049A281 EB 67 jmp short 0049A2EA
0049A283 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0049A289 52 push edx
0049A28A 68 D4DA4000 push 0040DAD4
0049A28F FFD6 call esi
0049A291 85C0 test eax, eax
0049A293 75 07 jnz short 0049A29C
0049A295 BA 44DC4000 mov edx, 0040DC44
0049A29A EB 4E jmp short 0049A2EA
0049A29C 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0049A2A2 50 push eax
0049A2A3 68 DCDA4000 push 0040DADC
0049A2A8 FFD6 call esi
0049A2AA 85C0 test eax, eax
0049A2AC 75 07 jnz short 0049A2B5
0049A2AE BA 4CDC4000 mov edx, 0040DC4C
0049A2B3 EB 35 jmp short 0049A2EA
0049A2B5 8B8D 68FFFFFF mov ecx, dword ptr [ebp-98]
0049A2BB 51 push ecx
0049A2BC 68 E4DA4000 push 0040DAE4
0049A2C1 FFD6 call esi
0049A2C3 85C0 test eax, eax
0049A2C5 75 07 jnz short 0049A2CE
0049A2C7 BA 54DC4000 mov edx, 0040DC54
0049A2CC EB 1C jmp short 0049A2EA
0049A2CE 8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0049A2D4 52 push edx
0049A2D5 68 04DB4000 push 0040DB04
0049A2DA FFD6 call esi
0049A2DC 85C0 test eax, eax
0049A2DE BA 5CDC4000 mov edx, 0040DC5C
0049A2E3 74 05 je short 0049A2EA
0049A2E5 BA 94DB4000 mov edx, 0040DB94
0049A2EA 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0049A2F0 FF15 BC114000 call dword ptr [<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
0049A2F6 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0049A2FC 8B35 80114000 mov esi, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarCat
0049A302 8D8D E4FDFFFF lea ecx, dword ptr [ebp-21C]
0049A308 8985 B0FCFFFF mov dword ptr [ebp-350], eax
0049A30E 8D95 C4FDFFFF lea edx, dword ptr [ebp-23C]
0049A314 51 push ecx
0049A315 8D85 58FDFFFF lea eax, dword ptr [ebp-2A8]
0049A31B 52 push edx
0049A31C 50 push eax
0049A31D 89BD A8FCFFFF mov dword ptr [ebp-358], edi
0049A323 FFD6 call esi
0049A325 8D8D 9CFDFFFF lea ecx, dword ptr [ebp-264]
0049A32B 50 push eax
0049A32C 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
0049A332 51 push ecx
0049A333 52 push edx
0049A334 FFD6 call esi
0049A336 50 push eax
0049A337 8D85 8CFDFFFF lea eax, dword ptr [ebp-274]
0049A33D 8D8D 38FDFFFF lea ecx, dword ptr [ebp-2C8]
0049A343 50 push eax
0049A344 51 push ecx
0049A345 FFD6 call esi
0049A347 50 push eax
0049A348 8D55 DC lea edx, dword ptr [ebp-24]
0049A34B 8D85 28FDFFFF lea eax, dword ptr [ebp-2D8]
0049A351 52 push edx
0049A352 50 push eax
0049A353 FFD6 call esi
0049A355 8D4D C4 lea ecx, dword ptr [ebp-3C]
0049A358 50 push eax
0049A359 8D95 18FDFFFF lea edx, dword ptr [ebp-2E8]
0049A35F 51 push ecx
0049A360 52 push edx
0049A361 FFD6 call esi
0049A363 50 push eax
0049A364 8D45 A0 lea eax, dword ptr [ebp-60]
0049A367 8D8D 08FDFFFF lea ecx, dword ptr [ebp-2F8]
0049A36D 50 push eax
0049A36E 51 push ecx
0049A36F FFD6 call esi
0049A371 50 push eax
0049A372 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
0049A378 8D85 F8FCFFFF lea eax, dword ptr [ebp-308]
0049A37E 52 push edx
0049A37F 50 push eax
0049A380 FFD6 call esi
0049A382 8B35 18104000 mov esi, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaVarMove
0049A388 8BD0 mov edx, eax
0049A38A 8D8D 90FEFFFF lea ecx, dword ptr [ebp-170]
0049A390 FFD6 call esi
0049A392 8D8D 08FDFFFF lea ecx, dword ptr [ebp-2F8]
0049A398 8D95 18FDFFFF lea edx, dword ptr [ebp-2E8]
0049A39E 51 push ecx
0049A39F 8D85 28FDFFFF lea eax, dword ptr [ebp-2D8]
0049A3A5 52 push edx
0049A3A6 8D8D 38FDFFFF lea ecx, dword ptr [ebp-2C8]
0049A3AC 50 push eax
0049A3AD 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
0049A3B3 51 push ecx
0049A3B4 8D85 58FDFFFF lea eax, dword ptr [ebp-2A8]
0049A3BA 52 push edx
0049A3BB 50 push eax
0049A3BC 6A 06 push 6
0049A3BE FF15 2C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
0049A3C4 83C4 1C add esp, 1C
0049A3C7 8D8D 90FEFFFF lea ecx, dword ptr [ebp-170]
0049A3CD 8D95 84FDFFFF lea edx, dword ptr [ebp-27C]
0049A3D3 51 push ecx
0049A3D4 52 push edx
0049A3D5 FF15 78114000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarVal
0049A3DB 50 push eax
0049A3DC FF15 5C124000 call dword ptr [<&msvbvm60.rtcR8ValFr>; msvbvm60.rtcR8ValFromBstr
0049A3E2 DD9D B0FCFFFF fstp qword ptr [ebp-350]
0049A3E8 8D95 A8FCFFFF lea edx, dword ptr [ebp-358]
0049A3EE 8D8D 90FEFFFF lea ecx, dword ptr [ebp-170]
0049A3F4 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 5
0049A3FE FFD6 call esi
0049A400 8D8D 84FDFFFF lea ecx, dword ptr [ebp-27C]
0049A406 FF15 54124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
0049A40C 8D85 90FEFFFF lea eax, dword ptr [ebp-170]
0049A412 8D8D A8FCFFFF lea ecx, dword ptr [ebp-358]
0049A418 50 push eax
0049A419 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
0049A41F 51 push ecx
0049A420 52 push edx
0049A421 C785 B0FCFFFF 3>mov dword ptr [ebp-350], 3039
0049A42B C785 A8FCFFFF 0>mov dword ptr [ebp-358], 2
0049A435 FF15 F0114000 call dword ptr [<&msvbvm60.__vbaVarAd>; msvbvm60.__vbaVarAdd
0049A43B 8BD0 mov edx, eax
0049A43D 8D8D 04FEFFFF lea ecx, dword ptr [ebp-1FC]
0049A443 FFD6 call esi
0049A445 8D85 28FEFFFF lea eax, dword ptr [ebp-1D8]
0049A44B 8D8D 04FEFFFF lea ecx, dword ptr [ebp-1FC]
0049A451 50 push eax
0049A452 51 push ecx
0049A453 FF15 DC114000 call dword ptr [<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstNe
0049A459 66:85C0 test ax, ax ; 关键比较5
0049A45C 0F84 77080000 je 0049ACD9 ; 这边直接跳向0049ACD9即可完成验证了
0049A462 A1 D8874F00 mov eax, dword ptr [4F87D8]
0049A467 BF 00007A44 mov edi, 447A0000
0049A46C 85C0 test eax, eax
0049A46E 89BD B0FCFFFF mov dword ptr [ebp-350], edi
0049A474 C785 A8FCFFFF 0>mov dword ptr [ebp-358], 4
0049A47E 75 10 jnz short 0049A490
0049A480 68 D8874F00 push 004F87D8
0049A485 68 00D64000 push 0040D600
0049A48A FF15 A4114000 call dword ptr [<&msvbvm60.__vbaNew2>>; msvbvm60.__vbaNew2
0049A490 8B35 D8874F00 mov esi, dword ptr [4F87D8]
0049A496 8D85 6CFDFFFF lea eax, dword ptr [ebp-294]
0049A49C 50 push eax
0049A49D 56 push esi
0049A49E 8B16 mov edx, dword ptr [esi]
0049A4A0 FF52 20 call dword ptr [edx+20]
下面代码略
--------------------------------------------CODE--------------------------------------------------------
改完5处后,就可以去除全部限制,达到完美破解,测试下打印就没有【授权用户无此标志】的限制了。
--------------------------------------------------------------------------------
【经验总结】
这个程序的分析,只要还是借助code的字段,当然你要先确定保存注册码的位置,然后就可以确定出读的地方了。多练多得
,呵呵。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于飘云阁技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2008年05月18日 13:06:53
[ 本帖最后由 JackyChou 于 2008-5-18 17:52 编辑 ] |
评分
-
查看全部评分
|
IP卡
发表于 2008-5-18 13:08:43
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2008-5-18 17:43:46
发表于 2008-7-27 16:55:56
发表于 2019-6-19 12:44:51
