Environment: Win2k + SP4 + OD 1.10 + VC# 2005
Because the program is written in VB, everything it handles is wide characters. I used to write keygens in C, but I just could not get Unicode handled; today, after one day of learning C#, I got it done instead.
C# is really a fine thing, and the release build is only 20K; with Delphi it would be at least 100K. Ha, the only drawback seems to be that my machine is too slow:
running C# always feels like the machine has hung, so I need to think about compiling from the command line.
There are surely plenty of mistakes in this analysis. Please do point them out!
Run FHVcdHack.exe, go to Basic Settings, then Software Registration, enter "来龙去脉" as the user name and 1212154545412121 in the registration code box, click OK and an error is reported.
Run OD, attach to FHVcdHack.exe, press F12 to pause, then press Alt+F9 twice to return to the user module:
00611B0F   51                 PUSH ECX
00611B10   FF15 A4104000      CALL [<&MSVBVM60.rtcMsgBox>]
00611B16   E9 80030000        JMP 00611E9B                        ; the break lands on this line
00611B1B   68 D8DB4100        PUSH 0041DBD8                       ; /Arg1 = 0041DBD8
The line after the break is a jump target. Looking further down there is a "Company Name" string, so this is probably where registration succeeds. Dragging the scrollbar up a few times shows:
00611AB2   50                 PUSH EAX
00611AB3   FF15 A0104000      CALL [<&MSVBVM60.__vbaObjSet>]
00611AB9   66:83FF FF         CMP DI, 0FFFF
00611ABD   75 5C              JNZ SHORT 00611B1B
Change this instruction to an unconditional jump (EB 5C) and try it: the registration-success prompt really does appear. So look upward for where DI comes from; there are several places:
First place:
00611A98   66:F7DF            NEG DI
00611A9B   1BFF               SBB EDI, EDI
00611A9D   F7DF               NEG EDI
00611A9F   4F                 DEC EDI
Second place:
00611A4C   33C0               XOR EAX, EAX
00611A4E   66:83BD 0CFFF      CMP WORD PTR [EBP-F4], 0FFFF        ; in other words, for registration to succeed [ebp-f4] must equal 0FFFF
00611A56   0F94C0             SETE AL
00611A59   F7D8               NEG EAX
00611A5B   8BF8               MOV EDI, EAX
Trace the source of [ebp-f4] further up:
00611A1C   8B0F               MOV ECX, [EDI]
00611A1E   8D95 0CFFFFFF      LEA EDX, [EBP-F4]                   ; passed as an argument to the CALL below
00611A24   52                 PUSH EDX
00611A25   8D45 C8            LEA EAX, [EBP-38]                   ; address of the user name
00611A28   50                 PUSH EAX
00611A29   8D55 CC            LEA EDX, [EBP-34]                   ; address of the fake code
00611A2C   52                 PUSH EDX
00611A2D   57                 PUSH EDI                            ; DLL handle?
00611A2E   FF91 88000000      CALL [ECX+88]                       ; the important CALL, press F7 to step into it
How do I know which is the user name and which is the fake code? Set a breakpoint on the CALL with F2, run with F9, click OK once more so it breaks here again, then look at the stack: both are right there.
This CALL lives in the DHCopyright.dll module, so the addresses shown below differ from run to run; only the last four hex digits stay the same, which is decided by DLL relocation.
1AABABE0   55                   PUSH EBP
1AABABE1   8BEC                 MOV EBP, ESP
1AABABE3   83EC 18              SUB ESP, 18
......
1AABAC40   C745 FC 03000000     MOV DWORD PTR [EBP-4], 3            ; I cannot work out what this is for; it seems to be there all the time yet is never read
1AABAC47   8B45 10              MOV EAX, [EBP+10]                   ; address of the user name
1AABAC4A   8B08                 MOV ECX, [EAX]
1AABAC4C   51                   PUSH ECX
1AABAC4D   FF15 1C10AA1A        CALL [<&MSVBVM60.__vbaLenBstr>]
1AABAC53   8BC8                 MOV ECX, EAX
1AABAC55   FF15 9C10AA1A        CALL [<&MSVBVM60.__vbaI2I4>]
1AABAC5B   66:8945 C8           MOV [EBP-38], AX                    ; user name length
1AABAC5F   C745 FC 04000000     MOV DWORD PTR [EBP-4], 4
1AABAC66   66:837D C8 03        CMP WORD PTR [EBP-38], 3
1AABAC6B   7C 07                JL SHORT 1AABAC74
1AABAC6D   66:837D C8 1E        CMP WORD PTR [EBP-38], 1E
1AABAC72   7E 12                JLE SHORT 1AABAC86                  ; the length must be in [3~1E]; in practice it must be greater than 6, otherwise the software throws an exception on restart and will not run
1AABAC74   C745 FC 05000000     MOV DWORD PTR [EBP-4], 5
1AABAC7B   66:C745 BC 0000      MOV WORD PTR [EBP-44], 0
1AABAC81   E9 A0060000          JMP 1AABB326
1AABAC86   C745 FC 08000000     MOV DWORD PTR [EBP-4], 8
1AABAC8D   BA F043AA1A          MOV EDX, 1AAA43F0                   ; UNICODE "SiLong's"
1AABAC92   8D4D D4              LEA ECX, [EBP-2C]
1AABAC95   FF15 1C11AA1A        CALL [<&MSVBVM60.__vbaStrCopy>]
1AABAC9B   C745 FC 09000000     MOV DWORD PTR [EBP-4], 9
1AABACA2   68 0844AA1A          PUSH 1AAA4408                       ; /Arg2 = 1AAA4408
1AABACA7   8B55 D4              MOV EDX, [EBP-2C]                   ; |
1AABACAA   52                   PUSH EDX                            ; |Arg1
1AABACAB   FF15 3C10AA1A        CALL [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABACB1   8BD0                 MOV EDX, EAX
1AABACB3   8D4D D4              LEA ECX, [EBP-2C]                   ; concatenation gives "VB-CodeSiLong's", stored in [ebp-2c]
1AABACB6   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABACBC   C745 FC 0A000000     MOV DWORD PTR [EBP-4], 0A
1AABACC3   8B45 D4              MOV EAX, [EBP-2C]
1AABACC6   50                   PUSH EAX                            ; /Arg2
1AABACC7   68 1C44AA1A          PUSH 1AAA441C                       ; |Arg1 = 1AAA441C
1AABACCC   FF15 3C10AA1A        CALL [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABACD2   8BD0                 MOV EDX, EAX
1AABACD4   8D4D D4              LEA ECX, [EBP-2C]                   ; concatenation gives "VB-CodeSiLong'sMyMother", stored in [ebp-2c]
1AABACD7   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABACDD   C745 FC 0B000000     MOV DWORD PTR [EBP-4], 0B
1AABACE4   68 3444AA1A          PUSH 1AAA4434                       ; /Arg2 = 1AAA4434
1AABACE9   8B4D D4              MOV ECX, [EBP-2C]                   ; |
1AABACEC   51                   PUSH ECX                            ; |Arg1
1AABACED   FF15 3C10AA1A        CALL [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABACF3   8BD0                 MOV EDX, EAX
1AABACF5   8D4D D4              LEA ECX, [EBP-2C]                   ; concatenation gives UNICODE "MyFatherVB-CodeSiLong'sMyMother", stored in [ebp-2c]
1AABACF8   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1ABDACFE   C745 FC 0C000        MOV DWORD PTR [EBP-4], 0C
1ABDAD05   BA 4C44BC1A          MOV EDX, 1ABC444C
1ABDAD0A   8D4D D8              LEA ECX, [EBP-28]
1ABDAD0D   FF15 1C11BC1A        CALL [<&MSVBVM60.__vbaStrCopy>]
1ABDAD13   C745 FC 0D000        MOV DWORD PTR [EBP-4], 0D
1ABDAD1A   8B55 D8              MOV EDX, [EBP-28]                   ; U("我爱你我的爱人为了咱们的将来努力吧奋斗吧好了就这些")
1ABDAD1D   52                   PUSH EDX                            ; /Arg2
1ABDAD1E   68 8444BC1A          PUSH 1ABC4484                       ; |Arg1 = 1ABC4484
1ABDAD23   FF15 3C10BC1A        CALL [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1ABDAD29   8BD0                 MOV EDX, EAX
1ABDAD2B   8D4D D8              LEA ECX, [EBP-28]                   ; U("我爱你我的爱人为了咱们的将来努力吧奋斗吧好了就这些亲爱的爸爸,妈妈、哥哥、妹妹们好。")
1ABDAD2E   FF15 7411BC1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABAD34   C745 FC 0E000000     MOV DWORD PTR [EBP-4], 0E
1AABAD3B   66:C745 D0 0000      MOV WORD PTR [EBP-30], 0            ; odd/even flag for the iteration count
1AABAD41   C745 FC 0F000000     MOV DWORD PTR [EBP-4], 0F
1AABAD48   66:8B45 C8           MOV AX, [EBP-38]                    ; user name length, used as the loop count
1AABAD4C   66:8985 4CFFFFFF     MOV [EBP-B4], AX
1AABAD53   66:C785 50FFFFFF 0   MOV WORD PTR [EBP-B0], 1
1AABAD5C   66:C745 AC 0100      MOV WORD PTR [EBP-54], 1            ; loop variable I
1AABAD62   EB 15                JMP SHORT 1AABAD79
1AABAD64   66:8B4D AC           MOV CX, [EBP-54]
1AABAD68   66:038D 50FFFFFF     ADD CX, [EBP-B0]
1AABAD6F   0F80 4E060000        JO 1AABB3C3
1AABAD75   66:894D AC           MOV [EBP-54], CX
1AABAD79   66:8B55 AC           MOV DX, [EBP-54]
1AABAD7D   66:3B95 4CFFFFFF     CMP DX, [EBP-B4]
1AABAD84   0F8F FE040000        JG 1AABB288                         ; leave the loop
1AABAD8A   C745 FC 10000000     MOV DWORD PTR [EBP-4], 10
1AABAD91   C745 A0 01000000     MOV DWORD PTR [EBP-60], 1
1AABAD98   C745 98 02000000     MOV DWORD PTR [EBP-68], 2
1AABAD9F   8B45 10              MOV EAX, [EBP+10]
1AABADA2   8985 70FFFFFF        MOV [EBP-90], EAX                   ; EAX is the address of the user name
1AABADA8   C785 68FFFFFF 0840   MOV DWORD PTR [EBP-98], 4008
1AABADB2   8D4D 98              LEA ECX, [EBP-68]                   ; take two characters (one Chinese character)
1AABADB5   51                   PUSH ECX                            ; /Arg4
1AABADB6   0FBF55 AC            MOVSX EDX, WORD PTR [EBP-54]        ; |loop variable
1AABADBA   52                   PUSH EDX                            ; |Arg3
1AABADBB   8D85 68FFFFFF        LEA EAX, [EBP-98]                   ; |the string is in [ebp-98+8]
1AABADC1   50                   PUSH EAX                            ; |Arg2
1AABADC2   8D4D 88              LEA ECX, [EBP-78]                   ; |put it into [ebp-78+8]
1AABADC5   51                   PUSH ECX                            ; |Arg1
1AABADC6   FF15 7C10AA1A        CALL [<&MSVBVM60.rtcMidCharVar>]    ; \rtcMidCharVar
1AABADCC   8D55 88              LEA EDX, [EBP-78]                   ; the user name character at the loop index
1AABADCF   52                   PUSH EDX
1AABADD0   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABADD6   8BD0                 MOV EDX, EAX
1AABADD8   8D4D B8              LEA ECX, [EBP-48]                   ; result goes to [ebp-48]
1AABADDB   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABADE1   8D45 88              LEA EAX, [EBP-78]
1AABADE4   50                   PUSH EAX
1AABADE5   8D4D 98              LEA ECX, [EBP-68]
1AABADE8   51                   PUSH ECX
1AABADE9   6A 02                PUSH 2
1AABADEB   FF15 2410AA1A        CALL [<&MSVBVM60.__vbaFreeVarList>]
1AABADF1   83C4 0C              ADD ESP, 0C
1AABADF4   C745 FC 11000000     MOV DWORD PTR [EBP-4], 11
1AABADFB   8B55 B8              MOV EDX, [EBP-48]
1AABADFE   52                   PUSH EDX                            ; /Arg1
1AABADFF   FF15 3010AA1A        CALL [<&MSVBVM60.rtcAnsiValueBstr>] ; \rtcAnsiValueBstr
1AABAE05   66:85C0              TEST AX, AX                         ; wctomb, Unicode to ANSI
1AABAE08   7D 6C                JGE SHORT 1AABAE76                  ; taken when the result is an English character
1AABAE0A   C745 FC 12000000     MOV DWORD PTR [EBP-4], 12
1AABAE11   C745 A0 01000000     MOV DWORD PTR [EBP-60], 1
1AABAE18   C745 98 02000000     MOV DWORD PTR [EBP-68], 2
1AABAE1F   8D45 D4              LEA EAX, [EBP-2C]
1AABAE22   8985 70FFFFFF        MOV [EBP-90], EAX                   ; the original constant string
1AABAE28   C785 68FFFFFF 0840   MOV DWORD PTR [EBP-98], 4008
1AABAE32   8D4D 98              LEA ECX, [EBP-68]                   ; cut two bytes (one Unicode character)
1AABAE35   51                   PUSH ECX                            ; /Arg4
1AABAE36   0FBF55 AC            MOVSX EDX, WORD PTR [EBP-54]        ; |also starting at the I-th
1AABAE3A   52                   PUSH EDX                            ; |Arg3
1AABAE3B   8D85 68FFFFFF        LEA EAX, [EBP-98]                   ; |cut from the constant string
1AABAE41   50                   PUSH EAX                            ; |Arg2
1AABAE42   8D4D 88              LEA ECX, [EBP-78]                   ; |into [ebp-78+8]
1AABAE45   51                   PUSH ECX                            ; |Arg1
1AABAE46   FF15 7C10AA1A        CALL [<&MSVBVM60.rtcMidCharVar>]    ; \rtcMidCharVar
1AABAE4C   8D55 88              LEA EDX, [EBP-78]
1AABAE4F   52                   PUSH EDX
1AABAE50   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABAE56   8BD0                 MOV EDX, EAX
1AABAE58   8D4D DC              LEA ECX, [EBP-24]                   ; result stored in [ebp-24]
1AABAE5B   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABAE61   8D45 88              LEA EAX, [EBP-78]
1AABAE64   50                   PUSH EAX
1AABAE65   8D4D 98              LEA ECX, [EBP-68]
1AABAE68   51                   PUSH ECX
1AABAE69   6A 02                PUSH 2
1AABAE6B   FF15 2410AA1A        CALL [<&MSVBVM60.__vbaFreeVarList>]
1AABAE71   83C4 0C              ADD ESP, 0C
1AABAE74   EB 6A                JMP SHORT 1AABAEE0
1AABAE76   C745 FC 14000000     MOV DWORD PTR [EBP-4], 14
1AABAE7D   C745 A0 01000000     MOV DWORD PTR [EBP-60], 1
1AABAE84   C745 98 02000000     MOV DWORD PTR [EBP-68], 2
1AABAE8B   8D55 D8              LEA EDX, [EBP-28]
1AABAE8E   8995 70FFFFFF        MOV [EBP-90], EDX
1AABAE94   C785 68FFFFFF 0840   MOV DWORD PTR [EBP-98], 4008
1AABAE9E   8D45 98              LEA EAX, [EBP-68]
1AABAEA1   50                   PUSH EAX                            ; /Arg4
1AABAEA2   0FBF4D AC            MOVSX ECX, WORD PTR [EBP-54]        ; |
1AABAEA6   51                   PUSH ECX                            ; |Arg3
1AABAEA7   8D95 68FFFFFF        LEA EDX, [EBP-98]                   ; |
1AABAEAD   52                   PUSH EDX                            ; |Arg2
1AABAEAE   8D45 88              LEA EAX, [EBP-78]                   ; |
1AABAEB1   50                   PUSH EAX                            ; |Arg1
1AABAEB2   FF15 7C10AA1A        CALL [<&MSVBVM60.rtcMidCharVar>]    ; \rtcMidCharVar
1AABAEB8   8D4D 88              LEA ECX, [EBP-78]
1AABAEBB   51                   PUSH ECX
1AABAEBC   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABAEC2   8BD0                 MOV EDX, EAX
1AABAEC4   8D4D DC              LEA ECX, [EBP-24]                   ; the I-th character of that pile of love declarations goes to [ebp-24]
1AABAEC7   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABAECD   8D55 88              LEA EDX, [EBP-78]
1AABAED0   52                   PUSH EDX
1AABAED1   8D45 98              LEA EAX, [EBP-68]
1AABAED4   50                   PUSH EAX
1AABAED5   6A 02                PUSH 2
1AABAED7   FF15 2410AA1A        CALL [<&MSVBVM60.__vbaFreeVarList>]
1AABAEDD   83C4 0C              ADD ESP, 0C
1AABAEE0   C745 FC 16000000     MOV DWORD PTR [EBP-4], 16
1AABAEE7   8B4D B8              MOV ECX, [EBP-48]
1AABAEEA   51                   PUSH ECX                            ; /Arg1
1AABAEEB   FF15 3010AA1A        CALL [<&MSVBVM60.rtcAnsiValueBstr>] ; \rtcAnsiValueBstr
1AABAEF1   66:8BF0              MOV SI, AX                          ; the I-th wide character of the user name converted to ANSI?
1AABAEF4   8B55 DC              MOV EDX, [EBP-24]
1AABAEF7   52                   PUSH EDX                            ; /Arg1
1AABAEF8   FF15 3010AA1A        CALL [<&MSVBVM60.rtcAnsiValueBstr>] ; \rtcAnsiValueBstr
1AABAEFE   66:33F0              XOR SI, AX                          ; XOR with the ANSI value of the constant string's I-th wide character?
1AABAF01   8BCE                 MOV ECX, ESI
1AABAF03   FF15 3810AA1A        CALL [<&MSVBVM60.__vbaI2Abs>]
1AABAF09   0FBFC0               MOVSX EAX, AX
1AABAF0C   8985 34FFFFFF        MOV [EBP-CC], EAX                   ; the result is complemented and stored in [ebp-cc]
1AABAF12   DB85 34FFFFFF        FILD DWORD PTR [EBP-CC]
1AABAF18   DD5D C0              FSTP QWORD PTR [EBP-40]             ; stored in floating-point format at [ebp-40]
1AABAF1B   C745 FC 17000000     MOV DWORD PTR [EBP-4], 17
1AABAF22   0FBF4D D0            MOVSX ECX, WORD PTR [EBP-30]
1AABAF26   85C9                 TEST ECX, ECX
1AABAF28   75 2C                JNZ SHORT 1AABAF56                  ; taken on odd iterations ([ebp-30]==1)
1AABAF2A   C745 FC 18000000     MOV DWORD PTR [EBP-4], 18
1AABAF31   66:C745 D0 0100      MOV WORD PTR [EBP-30], 1            ; flip the odd/even flag
1AABAF37   C745 FC 19000000     MOV DWORD PTR [EBP-4], 19
1AABAF3E   DD45 C0              FLD QWORD PTR [EBP-40]
1AABAF41   DC05 9814AA1A        FADD QWORD PTR [1AAA1498]           ; add the floating-point constant 719.0 (floats are all shown in decimal)
1AABAF47   DD5D C0              FSTP QWORD PTR [EBP-40]
1AABAF4A   DFE0                 FSTSW AX
1AABAF4C   A8 0D                TEST AL, 0D
1AABAF4E   0F85 6A040000        JNZ 1AABB3BE                        ; to the exception handler
1AABAF54   EB 2A                JMP SHORT 1AABAF80
1AABAF56   C745 FC 1B000000     MOV DWORD PTR [EBP-4], 1B
1AABAF5D   66:C745 D0 0000      MOV WORD PTR [EBP-30], 0            ; flip the odd/even flag
1AABAF63   C745 FC 1C000000     MOV DWORD PTR [EBP-4], 1C
1AABAF6A   DD45 C0              FLD QWORD PTR [EBP-40]
1AABAF6D   DC0D 9014AA1A        FMUL QWORD PTR [1AAA1490]           ; multiply by the floating-point constant 9?
1AABAF73   DD5D C0              FSTP QWORD PTR [EBP-40]
1AABAF76   DFE0                 FSTSW AX
1AABAF78   A8 0D                TEST AL, 0D
1AABAF7A   0F85 3E040000        JNZ 1AABB3BE                        ; to the exception handler
1AABAF80   C745 FC 1E000000     MOV DWORD PTR [EBP-4], 1E
1AABAF87   DD45 C0              FLD QWORD PTR [EBP-40]
1AABAF8A   DC1D 8814AA1A        FCOMP QWORD PTR [1AAA1488]          ; compare with the floating-point constant 10,000.0
1AABAF90   DFE0                 FSTSW AX
1AABAF92   F6C4 41              TEST AH, 41                         ; test ZF and CF, i.e. greater or equal
1AABAF95   74 0C                JE SHORT 1AABAFA3
1AABAF97   C785 30FFFFFF 0100   MOV DWORD PTR [EBP-D0], 1           ; [ebp-0d0]=1 when less than 10000.0
1AABAFA1   EB 0A                JMP SHORT 1AABAFAD
1AABAFA3   C785 30FFFFFF 0000   MOV DWORD PTR [EBP-D0], 0           ; otherwise =0
1AABAFAD   DD45 C0              FLD QWORD PTR [EBP-40]
1AABAFB0   DC1D 8014AA1A        FCOMP QWORD PTR [1AAA1480]          ; compare with the floating-point constant 100,000.0
1AABAFB6   DFE0                 FSTSW AX
1AABAFB8   F6C4 01              TEST AH, 1                          ; CF: is it greater?
1AABAFBB   75 0C                JNZ SHORT 1AABAFC9                  ; jump if not greater
1AABAFBD   C785 2CFFFFFF 0100   MOV DWORD PTR [EBP-D4], 1           ; [ebp-0d4]=1 when greater than 100,000.0
1AABAFC7   EB 0A                JMP SHORT 1AABAFD3
1AABAFC9   C785 2CFFFFFF 0000   MOV DWORD PTR [EBP-D4], 0           ; otherwise =0
1AABAFD3   8B95 30FFFFFF        MOV EDX, [EBP-D0]
1AABAFD9   0B95 2CFFFFFF        OR EDX, [EBP-D4]
1AABAFDF   85D2                 TEST EDX, EDX
1AABAFE1   0F85 E5000000        JNZ 1AABB0CC                        ; jump away if not in [10,000~100,000]
1AABAFE7   C745 FC 1F000000     MOV DWORD PTR [EBP-4], 1F
1AABAFEE   8D45 C0              LEA EAX, [EBP-40]
1AABAFF1   8985 70FFFFFF        MOV [EBP-90], EAX
1AABAFF7   C785 68FFFFFF 0540   MOV DWORD PTR [EBP-98], 4005
1AABB001   6A 03                PUSH 3                              ; /Arg3 = 00000003
1AABB003   8D8D 68FFFFFF        LEA ECX, [EBP-98]                   ; |the floating-point result (the decimal number as a string)
1AABB009   51                   PUSH ECX                            ; |Arg2
1AABB00A   8D55 98              LEA EDX, [EBP-68]                   ; |Left 3 characters, stored in [ebp-60]
1AABB00D   52                   PUSH EDX                            ; |Arg1
1AABB00E   FF15 6411AA1A        CALL [<&MSVBVM60.rtcLeftCharVar>]   ; \rtcLeftCharVar
1AABB014   8D45 98              LEA EAX, [EBP-68]
1AABB017   50                   PUSH EAX
1AABB018   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABB01E   8BD0                 MOV EDX, EAX
1AABB020   8D4D B4              LEA ECX, [EBP-4C]                   ; result then stored in [ebp-4c]
1AABB023   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB029   8D4D 98              LEA ECX, [EBP-68]
1AABB02C   FF15 1410AA1A        CALL [<&MSVBVM60.__vbaFreeVar>]
1AABB032   C745 FC 20000000     MOV DWORD PTR [EBP-4], 20
1AABB039   8D4D C0              LEA ECX, [EBP-40]
1AABB03C   898D 70FFFFFF        MOV [EBP-90], ECX                   ; the floating-point result saved to [ebp-90]
1AABB042   C785 68FFFFFF 0540   MOV DWORD PTR [EBP-98], 4005
1AABB04C   6A 02                PUSH 2                              ; /Arg3 = 00000002
1AABB04E   8D95 68FFFFFF        LEA EDX, [EBP-98]                   ; |
1AABB054   52                   PUSH EDX                            ; |Arg2
1AABB055   8D45 98              LEA EAX, [EBP-68]                   ; |Right 2 characters, saved in [ebp-60]
1AABB058   50                   PUSH EAX                            ; |Arg1
1AABB059   FF15 7811AA1A        CALL [<&MSVBVM60.rtcRightCharVar>]  ; \rtcRightCharVar
1AABB05F   8D4D 98              LEA ECX, [EBP-68]
1AABB062   51                   PUSH ECX
1AABB063   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABB069   8BD0                 MOV EDX, EAX
1AABB06B   8D4D B0              LEA ECX, [EBP-50]                   ; result then stored in [ebp-50]
1AABB06E   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB074   8D4D 98              LEA ECX, [EBP-68]
1AABB077   FF15 1410AA1A        CALL [<&MSVBVM60.__vbaFreeVar>]
1AABB07D   C745 FC 21000000     MOV DWORD PTR [EBP-4], 21
1AABB084   8B55 B0              MOV EDX, [EBP-50]                   ; the right 2 characters of the float result, treated as a float again
1AABB087   52                   PUSH EDX                            ; /Arg1
1AABB088   FF15 9811AA1A        CALL [<&MSVBVM60.rtcR8ValFromBstr>] ; \rtcR8ValFromBstr
1AABB08E   FF15 7410AA1A        CALL [<&MSVBVM60.__vbaFpR8>]
1AABB094   DC1D 7814AA1A        FCOMP QWORD PTR [1AAA1478]          ; floating-point constant 0
1AABB09A   DFE0                 FSTSW AX
1AABB09C   F6C4 40              TEST AH, 40                         ; test ZF
1AABB09F   75 26                JNZ SHORT 1AABB0C7                  ; jump if equal to the constant
1AABB0A1   C745 FC 22000000     MOV DWORD PTR [EBP-4], 22
1AABB0A8   DD45 C0              FLD QWORD PTR [EBP-40]              ; the original float converted to an integer in EAX
1AABB0AB   FF15 5C11AA1A        CALL [<&MSVBVM60.__vbaFpI4>]
1AABB0B1   0FBF4D AC            MOVSX ECX, WORD PTR [EBP-54]        ; loop variable I
1AABB0B5   99                   CDQ
1AABB0B6   F7F9                 IDIV ECX                            ; the integer result divided by I
1AABB0B8   8985 28FFFFFF        MOV [EBP-D8], EAX
1AABB0BE   DB85 28FFFFFF        FILD DWORD PTR [EBP-D8]
1AABB0C4   DD5D C0              FSTP QWORD PTR [EBP-40]             ; result converted back to float and stored in [ebp-40]
1AABB0C7   E9 21010000          JMP 1AABB1ED
1AABB0CC   C745 FC 24000000     MOV DWORD PTR [EBP-4], 24
1AABB0D3   DD45 C0              FLD QWORD PTR [EBP-40]
1AABB0D6   DC1D 8014AA1A        FCOMP QWORD PTR [1AAA1480]
1AABB0DC   DFE0                 FSTSW AX
1AABB0DE   F6C4 41              TEST AH, 41
1AABB0E1   0F85 06010000        JNZ 1AABB1ED
1AABB0E7   C745 FC 25000000     MOV DWORD PTR [EBP-4], 25
1AABB0EE   8D55 C0              LEA EDX, [EBP-40]
1AABB0F1   8995 70FFFFFF        MOV [EBP-90], EDX
1AABB0F7   C785 68FFFFFF 0540   MOV DWORD PTR [EBP-98], 4005
1AABB101   6A 04                PUSH 4                              ; /Arg3 = 00000004
1AABB103   8D85 68FFFFFF        LEA EAX, [EBP-98]                   ; |
1AABB109   50                   PUSH EAX                            ; |Arg2
1AABB10A   8D4D 98              LEA ECX, [EBP-68]                   ; |
1AABB10D   51                   PUSH ECX                            ; |Arg1
1AABB10E   FF15 6411AA1A        CALL [<&MSVBVM60.rtcLeftCharVar>]   ; \rtcLeftCharVar
1AABB114   8D55 98              LEA EDX, [EBP-68]                   ; Left 4 characters
1AABB117   52                   PUSH EDX
1AABB118   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABB11E   8BD0                 MOV EDX, EAX
1AABB120   8D4D B4              LEA ECX, [EBP-4C]                   ; saved to [ebp-4c]
1AABB123   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB129   8D4D 98              LEA ECX, [EBP-68]
1AABB12C   FF15 1410AA1A        CALL [<&MSVBVM60.__vbaFreeVar>]
1AABB132   C745 FC 26000000     MOV DWORD PTR [EBP-4], 26
1AABB139   8D45 C0              LEA EAX, [EBP-40]
1AABB13C   8985 70FFFFFF        MOV [EBP-90], EAX
1AABB142   C785 68FFFFFF 0540   MOV DWORD PTR [EBP-98], 4005
1AABB14C   6A 02                PUSH 2                              ; /Arg3 = 00000002
1AABB14E   8D8D 68FFFFFF        LEA ECX, [EBP-98]                   ; |
1AABB154   51                   PUSH ECX                            ; |Arg2
1AABB155   8D55 98              LEA EDX, [EBP-68]                   ; |
1AABB158   52                   PUSH EDX                            ; |Arg1
1AABB159   FF15 7811AA1A        CALL [<&MSVBVM60.rtcRightCharVar>]  ; \rtcRightCharVar
1AABB15F   8D45 98              LEA EAX, [EBP-68]                   ; Right 2 characters
1AABB162   50                   PUSH EAX
1AABB163   FF15 2010AA1A        CALL [<&MSVBVM60.__vbaStrVarMove>]
1AABB169   8BD0                 MOV EDX, EAX
1AABB16B   8D4D B0              LEA ECX, [EBP-50]                   ; saved to [ebp-50]
1AABB16E   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB174   8D4D 98              LEA ECX, [EBP-68]
1AABB177   FF15 1410AA1A        CALL [<&MSVBVM60.__vbaFreeVar>]
1AABB17D   C745 FC 27000000     MOV DWORD PTR [EBP-4], 27
1AABB184   8B4D B0              MOV ECX, [EBP-50]                   ; these two characters as a float again
1AABB187   51                   PUSH ECX                            ; /Arg1
1AABB188   FF15 9811AA1A        CALL [<&MSVBVM60.rtcR8ValFromBstr>] ; \rtcR8ValFromBstr
1AABB18E   FF15 7410AA1A        CALL [<&MSVBVM60.__vbaFpR8>]
1AABB194   DC1D 7814AA1A        FCOMP QWORD PTR [1AAA1478]          ; compare with the constant 0
1AABB19A   DFE0                 FSTSW AX
1AABB19C   F6C4 40              TEST AH, 40
1AABB19F   75 4C                JNZ SHORT 1AABB1ED                  ; jump away if equal (i.e. zero)
1AABB1A1   C745 FC 28000000     MOV DWORD PTR [EBP-4], 28           ; when the last two digits are non-zero
1AABB1A8   8B55 B4              MOV EDX, [EBP-4C]
1AABB1AB   52                   PUSH EDX                            ; /Arg1
1AABB1AC   FF15 9811AA1A        CALL [<&MSVBVM60.rtcR8ValFromBstr>] ; \rtcR8ValFromBstr
1AABB1B2   FF15 5C11AA1A        CALL [<&MSVBVM60.__vbaFpI4>]
1AABB1B8   8BF0                 MOV ESI, EAX                        ; the left 4 characters turned into an integer
1AABB1BA   8B45 B0              MOV EAX, [EBP-50]
1AABB1BD   50                   PUSH EAX                            ; /Arg1
1AABB1BE   FF15 9811AA1A        CALL [<&MSVBVM60.rtcR8ValFromBstr>] ; \rtcR8ValFromBstr
1AABB1C4   FF15 5C11AA1A        CALL [<&MSVBVM60.__vbaFpI4>]
1AABB1CA   8BC8                 MOV ECX, EAX                        ; then the right two characters turned into an integer
1AABB1CC   8BC6                 MOV EAX, ESI
1AABB1CE   99                   CDQ
1AABB1CF   F7F9                 IDIV ECX                            ; left 4 divided by right 2
1AABB1D1   0FBF55 AC            MOVSX EDX, WORD PTR [EBP-54]
1AABB1D5   0FAFC2               IMUL EAX, EDX                       ; then multiplied by the loop variable I
1AABB1D8   0F80 E5010000        JO 1AABB3C3
1AABB1DE   8985 24FFFFFF        MOV [EBP-DC], EAX
1AABB1E4   DB85 24FFFFFF        FILD DWORD PTR [EBP-DC]
1AABB1EA   DD5D C0              FSTP QWORD PTR [EBP-40]             ; converted to float and saved to [ebp-40]
1AABB1ED   C745 FC 2B000000     MOV DWORD PTR [EBP-4], 2B
1AABB1F4   0FBF45 D0            MOVSX EAX, WORD PTR [EBP-30]
1AABB1F8   85C0                 TEST EAX, EAX
1AABB1FA   75 41                JNZ SHORT 1AABB23D                  ; taken on even iterations ([ebp-30]==1)
1AABB1FC   C745 FC 2C000000     MOV DWORD PTR [EBP-4], 2C
1AABB203   8B4D CC              MOV ECX, [EBP-34]                   ; [ebp-34] is the result string from the previous iteration
1AABB206   51                   PUSH ECX                            ; this is the second argument of StrCat
1AABB207   8B55 C4              MOV EDX, [EBP-3C]
1AABB20A   52                   PUSH EDX
1AABB20B   8B45 C0              MOV EAX, [EBP-40]
1AABB20E   50                   PUSH EAX
1AABB20F   FF15 BC10AA1A        CALL [<&MSVBVM60.__vbaStrR8>]
1AABB215   8BD0                 MOV EDX, EAX                        ; the float result converted to a string, stored at [ebp-58]
1AABB217   8D4D A8              LEA ECX, [EBP-58]
1AABB21A   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB220   50                   PUSH EAX                            ; |Arg1
1AABB221   FF15 3C10AA1A        CALL [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABB227   8BD0                 MOV EDX, EAX
1AABB229   8D4D CC              LEA ECX, [EBP-34]                   ; the previous result and this one joined, stored at [ebp-34]
1AABB22C   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB232   8D4D A8              LEA ECX, [EBP-58]
1AABB235   FF15 9011AA1A        CALL [<&MSVBVM60.__vbaFreeStr>]
1AABB23B   EB 3F                JMP SHORT 1AABB27C
1AABB23D   C745 FC 2E000000     MOV DWORD PTR [EBP-4], 2E
1AABB244   8B4D C4              MOV ECX, [EBP-3C]
1AABB247   51                   PUSH ECX
1AABB248   8B55 C0              MOV EDX, [EBP-40]
1AABB24B   52                   PUSH EDX
1AABB24C   FF15 BC10AA1A        CALL [<&MSVBVM60.__vbaStrR8>]
1AABB252   8BD0                 MOV EDX, EAX                        ; the float result converted to a string
1AABB254   8D4D A8              LEA ECX, [EBP-58]                   ; put in [ebp-58]
1AABB257   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB25D   50                   PUSH EAX                            ; /Arg2
1AABB25E   8B45 CC              MOV EAX, [EBP-34]                   ; |
1AABB261   50                   PUSH EAX                            ; |Arg1
1AABB262   FF15 3C10AA1A        CALL [<&MSVBVM60.__vbaStrCat>]      ; \__vbaStrCat
1AABB268   8BD0                 MOV EDX, EAX                        ; this result string joined with the previous one
1AABB26A   8D4D CC              LEA ECX, [EBP-34]                   ; put in [ebp-34]
1AABB26D   FF15 7411AA1A        CALL [<&MSVBVM60.__vbaStrMove>]
1AABB273   8D4D A8              LEA ECX, [EBP-58]
1AABB276   FF15 9011AA1A        CALL [<&MSVBVM60.__vbaFreeStr>]
1AABB27C   C745 FC 30000000     MOV DWORD PTR [EBP-4], 30
1AABB283   E9 DCFAFFFF          JMP 1AABAD64
1AABB288   C745 FC 31000000     MOV DWORD PTR [EBP-4], 31
1AABB28F   8B4D 0C              MOV ECX, [EBP+C]                    ; the fake registration code goes into [ebp-90]
1AABB292   898D 70FFFFFF        MOV [EBP-90], ECX
1AABB298   C785 68FFFFFF 0840   MOV DWORD PTR [EBP-98], 4008
1AABB2A2   8D95 68FFFFFF        LEA EDX, [EBP-98]
1AABB2A8   52                   PUSH EDX                            ; /Arg2
1AABB2A9   8D45 98              LEA EAX, [EBP-68]                   ; |
1AABB2AC   50                   PUSH EAX                            ; |Arg1
1AABB2AD   FF15 7010AA1A        CALL [<&MSVBVM60.rtcTrimVar>]       ; \rtcTrimVar
1AABB2B3   8D4D CC              LEA ECX, [EBP-34]                   ; the real registration code goes into [ebp-a0]
1AABB2B6   898D 60FFFFFF        MOV [EBP-A0], ECX
1AABB2BC   C785 58FFFFFF 0840   MOV DWORD PTR [EBP-A8], 4008
1AABB2C6   8D95 58FFFFFF        LEA EDX, [EBP-A8]
1AABB2CC   52                   PUSH EDX                            ; /Arg2
1AABB2CD   8D45 88              LEA EAX, [EBP-78]                   ; |
1AABB2D0   50                   PUSH EAX                            ; |Arg1
1AABB2D1   FF15 7010AA1A        CALL [<&MSVBVM60.rtcTrimVar>]       ; \rtcTrimVar
1AABB2D7   8D4D 98              LEA ECX, [EBP-68]                   ; check whether the registration codes are equal
1AABB2DA   51                   PUSH ECX
1AABB2DB   8D55 88              LEA EDX, [EBP-78]
1AABB2DE   52                   PUSH EDX
1AABB2DF   FF15 9410AA1A        CALL [<&MSVBVM60.__vbaVarTstEq>]
1AABB2E5   66:8985 54FFFFFF     MOV [EBP-AC], AX                    ; 0FFFF if equal, otherwise 0, saved to [ebp-ac]
1AABB2EC   8D45 88              LEA EAX, [EBP-78]
1AABB2EF   50                   PUSH EAX
1AABB2F0   8D4D 98              LEA ECX, [EBP-68]
1AABB2F3   51                   PUSH ECX
1AABB2F4   6A 02                PUSH 2
1AABB2F6   FF15 2410AA1A        CALL [<&MSVBVM60.__vbaFreeVarList>]
1AABB2FC   83C4 0C              ADD ESP, 0C
1AABB2FF   0FBF95 54FFFFFF      MOVSX EDX, WORD PTR [EBP-AC]
1AABB306   85D2                 TEST EDX, EDX
1AABB308   74 0F                JE SHORT 1AABB319                   ; a good place for a patch: just NOP it out
1AABB30A   C745 FC 32000000     MOV DWORD PTR [EBP-4], 32
1AABB311   66:C745 BC FFFF      MOV WORD PTR [EBP-44], 0FFFF        ; if [EBP-AC] is non-zero, set [EBP-44] to FFFF
1AABB317   EB 0D                JMP SHORT 1AABB326
1AABB319   C745 FC 34000000     MOV DWORD PTR [EBP-4], 34
1AABB320   66:C745 BC 0000      MOV WORD PTR [EBP-44], 0            ; otherwise set it to 0
1AABB326   9B                   WAIT
1AABB327   68 92B3AB1A          PUSH 1AABB392
1AABB32C   EB 24                JMP SHORT 1AABB352
1AABB32E   8D4D A8              LEA ECX, [EBP-58]
1AABB331   FF15 9011AA1A        CALL [<&MSVBVM60.__vbaFreeStr>]
1AABB337   8D85 78FFFFFF        LEA EAX, [EBP-88]
1AABB33D   50                   PUSH EAX
1AABB33E   8D4D 88              LEA ECX, [EBP-78]
1AABB341   51                   PUSH ECX
1AABB342   8D55 98              LEA EDX, [EBP-68]
1AABB345   52                   PUSH EDX
1AABB346   6A 03                PUSH 3
1AABB348   FF15 2410AA1A        CALL [<&MSVBVM60.__vbaFreeVarList>]
1AABB34E   83C4 10              ADD ESP, 10
1AABB351   C3                   RETN
1AABB352   8D4D DC              LEA ECX, [EBP-24]
......
1AABB391   C3                   RETN
......
1AABB39E   8B45 14              MOV EAX, [EBP+14]
1AABB3A1   66:8B4D BC           MOV CX, [EBP-44]                    ; change this and the next instruction to mov word ptr [eax],0ffff and registration succeeds
1AABB3A5   66:8908              MOV [EAX], CX                       ; this is how I usually do a patch
1AABB3A8   8B45 F0              MOV EAX, [EBP-10]
1AABB3AB   8B4D E0              MOV ECX, [EBP-20]
1AABB3AE   64:890D 00000000     MOV FS:[0], ECX                     ; restore the exception chain
1AABB3B5   5F                   POP EDI
1AABB3B6   5E                   POP ESI
1AABB3B7   5B                   POP EBX
1AABB3B8   8BE5                 MOV ESP, EBP
1AABB3BA   5D                   POP EBP
1AABB3BB   C2 1000              RETN 10
1AABB3BE   E9 9963FEFF          JMP 1AAA175C
1AABB3C3   FF15 0411AA1A        CALL [<&MSVBVM60.__vbaErrorOverflow>]
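The listing above reads the same FCOMP / FSTSW AX / TEST AH,mask idiom three different ways (masks 41, 01 and 40) and combines two of them into the [ebp-d0]/[ebp-d4] range flags. The following C, an added example that is not part of the original post, emulates the condition-code bits FCOMP leaves in AH and spells out the predicate each jump implements; the function names are my own, and leaves_range() re-creates the flag pair at 1AABAF80..1AABAFE1.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* After FSTSW AX the x87 condition codes sit in AH as:
 * C0 = bit 0 (0x01), C2 = bit 2 (0x04), C3 = bit 6 (0x40); C1 is not used by a compare.
 * FCOMP with st0 = a and src = b sets: a > b -> none, a < b -> C0, a == b -> C3,
 * unordered (NaN) -> C3|C2|C0. */
enum { C0 = 0x01, C2 = 0x04, C3 = 0x40 };

/* Status-word high byte (AH) as FCOMP leaves it. */
uint8_t fcomp_ah(double a, double b)
{
    if (a != a || b != b) return C3 | C2 | C0;   /* unordered */
    if (a > b) return 0;
    if (a < b) return C0;
    return C3;
}

/* TEST AH,mask sets ZF when (AH & mask) == 0; JE jumps on ZF=1, JNZ on ZF=0. */
bool je_after_test(double a, double b, uint8_t mask)  { return (fcomp_ah(a, b) & mask) == 0; }
bool jnz_after_test(double a, double b, uint8_t mask) { return (fcomp_ah(a, b) & mask) != 0; }

/* The three patterns in the listing, each named after the predicate the jump encodes. */
bool jumps_if_greater(double a, double b) { return je_after_test(a, b, 0x41);  } /* TEST AH,41 ; JE  */
bool jumps_if_less(double a, double b)    { return jnz_after_test(a, b, 0x01); } /* TEST AH,01 ; JNZ */
bool jumps_if_equal(double a, double b)   { return jnz_after_test(a, b, 0x40); } /* TEST AH,40 ; JNZ */

/* [ebp-d0] is set when the JE at 10000.0 is not taken, [ebp-d4] when the JNZ at
 * 100000.0 is not taken; OR-ing them is the "leave the range" decision at 1AABAFE1. */
bool leaves_range(double v)
{
    int d0 = jumps_if_greater(v, 10000.0) ? 0 : 1;
    int d4 = jumps_if_less(v, 100000.0) ? 0 : 1;
    return (d0 | d4) != 0;
}

int main(void)
{
    printf("9000 leaves: %d, 50000 leaves: %d, 200000 leaves: %d\n",
           leaves_range(9000.0), leaves_range(50000.0), leaves_range(200000.0));
    return 0;
}
```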
The keygen implemented in C#:
using System.Text;             // Encoding
using System.Windows.Forms;    // MessageBox, TextBox; the body below belongs in a button-click handler

// The two constant strings assembled by the DLL (see the __vbaStrCat calls above).
const string s1 = "MyFatherVB-CodeSiLong'sMyMother";
const string s2 = "我爱你我的爱人为了咱们的将来努力吧奋斗吧好了就这些亲爱的爸爸,妈妈、哥哥、妹妹们好。";
const short ftemp1 = 719;      // the FADD constant
const short ftemp2 = 9;        // the FMUL constant
byte[] tmp = new byte[100];
int tmp1, tmp2, tmp3, f1, f2, count1 = 0, mark = 0, i = 0;
string username = textBox1.Text, result = "";
// Encoding.Default must be the GBK code page (Chinese Windows): that is what the program's
// own Asc() sees, and count1 tracks the byte offset of character i in that encoding.
while (i < username.Length)
{
    tmp = Encoding.Default.GetBytes(username);
    if ((tmp.Length < 3) || (tmp.Length > 20))      // the lower bound was lost in the post; 3 is taken from the CMP WORD PTR [EBP-38], 3 above
    {
        MessageBox.Show("用户名长度要适中!");
        return;
    }
    if (username[i] < 0x80)                         // single-byte (English) character: Asc() >= 0
    {
        tmp1 = username[i];
        tmp = Encoding.Default.GetBytes(s2);
        tmp2 = (tmp[i * 2] << 8) | tmp[i * 2 + 1];  // i-th double-byte character of s2, as Asc() returns it
        count1++;
    }
    else                                            // double-byte (Chinese) character: Asc() < 0
    {
        tmp1 = (tmp[count1] << 8) | tmp[count1 + 1];
        tmp = Encoding.Default.GetBytes(s1);
        tmp2 = tmp[i];                              // i-th character of s1
        count1 += 2;
    }
    tmp3 = (~(tmp1 ^ tmp2) + 1) & 0xffff;           // 16-bit two's complement == Abs() of the (negative) XOR result
    if (mark == 0)
    {
        mark = 1;
        tmp3 += ftemp1;                             // odd iteration: + 719
    }
    else
    {
        mark = 0;
        tmp3 *= ftemp2;                             // even iteration: * 9
    }
    if ((tmp3 >= 10000) && (tmp3 <= 100000))        // five digits: Left(3) / Right(2)
    {
        f1 = tmp3 / 100;
        f2 = tmp3 - tmp3 / 100 * 100;
        if (f2 != 0)
            tmp3 /= i + 1;                          // integer result divided by I (1-based)
    }
    else if (tmp3 > 100000)                         // six digits: Left(4) / Right(2)
    {
        f1 = tmp3 / 100;
        f2 = tmp3 - tmp3 / 100 * 100;
        if (f2 != 0)
            tmp3 = f1 / f2 * (i + 1);               // left 4 digits / right 2 digits, times I
    }
    if (mark == 0)
        result = result + tmp3.ToString();          // even iteration: appended
    else
        result = tmp3.ToString() + result;          // odd iteration: prepended
    i++;
}
textBox2.Text = result;
MessageBox.Show(result);