[Original] Crack Hands-On Tutorial Series: "VB Series, Lesson 5 (Final)"

Posted by 我是用户 on 2013-7-3 21:15
This post was last edited by 我是用户 on 2013-7-15 18:46

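【Software name】: BatchPPT3.1
【Author email】: 2714608453@qq.com
【Download】: see attachment
【Language】: VB
【Tools used】: OD
【Platform】: XP SP2
【Author's statement】: This is done purely out of interest, with no other purpose. If I have made mistakes, I would welcome corrections from the experts here!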

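After the previous four lessons we should have a general picture of VB programs. VB programs are tedious: the source code is simple, but the disassembly is hard to read, so here is a real example to help everyone understand.
Thanks to @淡然出尘 for providing the program. If you have a good VB program you can also contact me; for details see this thread: http://www.52pojie.cn/thread-202083-1-1.html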


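A note up front:
         First, this program has three algorithm CALLs, which we will call algorithm CALL1, algorithm CALL2 and algorithm CALL3.
         The registration code is stored in the registry, at this path: [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BatchPPT\RegCode]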


1. Checking for a packer
It is VB, no doubt.

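2. Finding the algorithm CALLs
How do we find these three algorithm CALLs?
When registration fails, and when the algorithm checks run, the error dialogs below appear.
When a registration code is entered to register, algorithm CALL1 performs the check.
See Figure 1 (1.jpg).

When Convert is clicked, algorithm CALL2 performs the check.
See Figure 2 (2.jpg).

When entering things such as the type conversion and slide numbers on the button tabs, algorithm CALL3 performs the check.
See Figure 3 (3.jpg).

We can reach the key code by setting a breakpoint on rtcMsgBox or by searching for strings; I will not go over that again here.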

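3. Patching

Patching would mean modifying all three algorithm CALLs, so here we simply analyze the algorithm instead.
The addresses of the three algorithm CALLs are as follows: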
Algorithm CALL1: 00452020
Algorithm CALL2: 00451DF0
Algorithm CALL3: 00451A10

To patch, it is enough to make each one return a non-zero value; you can try it yourselves.


4. Algorithm analysis
The code of algorithm CALL1 is as follows:
00452020   $  55            push ebp
00452021   .  8BEC          mov ebp,esp
00452023   .  83EC 14       sub esp,0x14
00452026   .  68 962A4000   push <jmp.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
0045202B   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00452031   .  50            push eax
00452032   .  64:8925 00000>mov dword ptr fs:[0],esp
00452039   .  83EC 60       sub esp,0x60
0045203C   .  53            push ebx                                 ;  MSVBVM60.__vbaObjSet
0045203D   .  56            push esi
0045203E   .  57            push edi                                 ;  MSVBVM60.__vbaStrMove
0045203F   .  8965 EC       mov dword ptr ss:[ebp-0x14],esp
00452042   .  C745 F0 50264>mov dword ptr ss:[ebp-0x10],BatchPPT.004>
00452049   .  33C0          xor eax,eax
0045204B   .  8945 F4       mov dword ptr ss:[ebp-0xC],eax
0045204E   .  8945 F8       mov dword ptr ss:[ebp-0x8],eax
00452051   .  8945 DC       mov dword ptr ss:[ebp-0x24],eax
00452054   .  8945 D4       mov dword ptr ss:[ebp-0x2C],eax
00452057   .  8945 C4       mov dword ptr ss:[ebp-0x3C],eax
0045205A   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0045205D   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00452060   .  6A 01         push 0x1                                 ; /OnErrEvent = Goto Address
00452062   .  FF15 88104000 call dword ptr ds:[<&MSVBVM60.__vbaOnErr>; \__vbaOnError
00452068   .  8B75 08       mov esi,dword ptr ss:[ebp+0x8]
0045206B   .  8975 AC       mov dword ptr ss:[ebp-0x54],esi
0045206E   .  C745 A4 08400>mov dword ptr ss:[ebp-0x5C],0x4008
00452075   .  6A 01         push 0x1
00452077   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
0045207A   .  50            push eax
0045207B   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
0045207E   .  51            push ecx
0045207F   .  FF15 0C124000 call dword ptr ds:[<&MSVBVM60.#rtcRightC>;  MSVBVM60.rtcRightCharVar
00452085   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00452088   .  52            push edx
00452089   .  8B3D 20104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrVarMove
0045208F   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove; <&MSVBVM60.__vbaStrVarMove>
00452091   .  8BD0          mov edx,eax
00452093   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00452096   .  8B1D 00124000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrMove
0045209C   .  FFD3          call ebx                                 ;  MSVBVM60.__vbaObjSet; <&MSVBVM60.__vbaStrMove>
0045209E   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004520A1   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
004520A7   .  C745 CC 01000>mov dword ptr ss:[ebp-0x34],0x1
004520AE   .  C745 C4 02000>mov dword ptr ss:[ebp-0x3C],0x2
004520B5   .  8975 AC       mov dword ptr ss:[ebp-0x54],esi
004520B8   .  C745 A4 08400>mov dword ptr ss:[ebp-0x5C],0x4008
004520BF   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004520C2   .  50            push eax                                 ; /Length8 = 0x18130C
004520C3   .  6A 1F         push 0x1F                                ; |Start = 0x1F
004520C5   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]          ; |
004520C8   .  51            push ecx                                 ; |dString8 = 0012EBAC
004520C9   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]          ; |
004520CC   .  52            push edx                                 ; |RetBUFFER = 0012EBAC
004520CD   .  FF15 B4104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; \rtcMidCharVar
004520D3   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004520D6   .  50            push eax
004520D7   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
004520D9   .  8BD0          mov edx,eax
004520DB   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004520DE   .  FFD3          call ebx                                 ;  MSVBVM60.__vbaObjSet
004520E0   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
004520E3   .  51            push ecx
004520E4   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
004520E7   .  52            push edx
004520E8   .  6A 02         push 0x2
004520EA   .  FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
004520F0   .  83C4 0C       add esp,0xC
004520F3   .  8B45 D4       mov eax,dword ptr ss:[ebp-0x2C]
004520F6   .  50            push eax
004520F7   .  FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Str>;  MSVBVM60.__vbaI2Str
004520FD   .  66:8BF0       mov si,ax
00452100   .  66:83E6 01    and si,0x1
00452104   .  79 08         jns short BatchPPT.0045210E
00452106   .  66:4E         dec si
00452108   .  66:83CE FE    or si,0xFFFE
0045210C   .  66:46         inc si
0045210E   >  8B4D DC       mov ecx,dword ptr ss:[ebp-0x24]
00452111   .  51            push ecx
00452112   .  68 18564100   push BatchPPT.00415618                   ;  X
00452117   .  8B3D D0104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrCmp
0045211D   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove; <&MSVBVM60.__vbaStrCmp>
0045211F   .  8BD8          mov ebx,eax
00452121   .  F7DB          neg ebx                                  ;  MSVBVM60.__vbaObjSet
00452123   .  1BDB          sbb ebx,ebx                              ;  MSVBVM60.__vbaObjSet
00452125   .  43            inc ebx                                  ;  MSVBVM60.__vbaObjSet
00452126   .  F7DB          neg ebx                                  ;  MSVBVM60.__vbaObjSet
00452128   .  33D2          xor edx,edx
0045212A   .  66:85F6       test si,si
0045212D   .  0F95C2        setne dl
00452130   .  F7DA          neg edx
00452132   .  23DA          and ebx,edx
00452134   .  8B45 DC       mov eax,dword ptr ss:[ebp-0x24]
00452137   .  50            push eax
00452138   .  68 10564100   push BatchPPT.00415610                   ;  1
0045213D   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
0045213F   .  F7D8          neg eax
00452141   .  1BC0          sbb eax,eax
00452143   .  40            inc eax
00452144   .  F7D8          neg eax
00452146   .  33C9          xor ecx,ecx
00452148   .  66:85F6       test si,si
0045214B   .  0F94C1        sete cl
0045214E   .  F7D9          neg ecx
00452150   .  23C1          and eax,ecx
00452152   .  0BD8          or ebx,eax
00452154   .  895D D8       mov dword ptr ss:[ebp-0x28],ebx          ;  MSVBVM60.__vbaObjSet
00452157   .  FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaExitP>;  MSVBVM60.__vbaExitProc
0045215D   .  68 9D214500   push BatchPPT.0045219D
00452162   .  EB 28         jmp short BatchPPT.0045218C
00452164   .  C745 D8 00000>mov dword ptr ss:[ebp-0x28],0x0
0045216B   .  FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaExitP>;  MSVBVM60.__vbaExitProc
00452171   .  68 9D214500   push BatchPPT.0045219D
00452176   .  EB 14         jmp short BatchPPT.0045218C
00452178   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
0045217B   .  52            push edx
0045217C   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
0045217F   .  50            push eax
00452180   .  6A 02         push 0x2
00452182   .  FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
00452188   .  83C4 0C       add esp,0xC
0045218B   .  C3            retn
0045218C   >  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
0045218F   .  8B35 28124000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFr>;  MSVBVM60.__vbaFreeStr
00452195   .  FFD6          call esi                                 ;  <&MSVBVM60.__vbaFreeStr>
00452197   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
0045219A   .  FFD6          call esi
0045219C   .  C3            retn
0045219D   .  66:8B45 D8    mov ax,word ptr ss:[ebp-0x28]
004521A1   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]
004521A4   .  64:890D 00000>mov dword ptr fs:[0],ecx
004521AB   .  5F            pop edi                                  ;  BatchPPT.00452868
004521AC   .  5E            pop esi                                  ;  BatchPPT.00452868
004521AD   .  5B            pop ebx                                  ;  BatchPPT.00452868
004521AE   .  8BE5          mov esp,ebp
004521B0   .  5D            pop ebp                                  ;  BatchPPT.00452868
004521B1   .  C2 0400       retn 0x4



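From the code above we can see:
The character at position 0x1F of the registration code can only be a digit.
When the character at position 0x1F is odd, the last character is X.
When the character at position 0x1F is even, the last character is 1.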
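
The register-level logic between 004520FD and 00452154, modeled in C as an added example that is not part of the original post. The function names and the parameters cmp_x, cmp_1 and n are assumptions of this sketch: they stand for the two __vbaStrCmp results and the __vbaI2Str result seen in the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* neg r : r = 0 - r, and CF is set when the original operand was non-zero. */
static uint32_t x86_neg(uint32_t r, int *cf)
{
    *cf = (r != 0);
    return 0u - r;
}

/* 0045211F-00452126: neg / sbb r,r / inc / neg applied to the __vbaStrCmp
 * result (0 means the strings are equal). Yields a VB Boolean. */
uint32_t vb_bool_from_strcmp(uint32_t cmp)
{
    int cf;
    uint32_t r;

    (void)x86_neg(cmp, &cf);   /* only the carry flag is used afterwards   */
    r = 0u - (uint32_t)cf;     /* sbb r,r : 0 if equal, 0xFFFFFFFF if not  */
    r += 1u;                   /* inc     : 1 if equal, 0 if not           */
    return x86_neg(r, &cf);    /* neg     : 0xFFFFFFFF (True) or 0 (False) */
}

/* 00452128-00452130: xor edx,edx / test si,si / setcc dl / neg edx.
 * Turns a condition into the same 0 / 0xFFFFFFFF Boolean. */
uint32_t vb_bool_from_flag(int cond)
{
    int cf;
    return x86_neg(cond ? 1u : 0u, &cf);
}

/* 00452100-0045210C: and si,1 / jns / dec si / or si,0xFFFE / inc si.
 * With the mask shown in the listing the result is 0 or 1, so the sign
 * bit is clear, jns is taken and the fix-up path does not run. */
uint16_t parity_of(uint16_t si)
{
    si &= 0x0001u;
    if (si & 0x8000u) {        /* fix-up path, skipped when jns is taken */
        si = (uint16_t)(si - 1u);
        si |= 0xFFFEu;
        si = (uint16_t)(si + 1u);
    }
    return si;
}

/* Hypothetical wrapper for the whole decision:
 *   cmp_x : __vbaStrCmp result of the last character against "X"
 *   cmp_1 : __vbaStrCmp result of the last character against "1"
 *   n     : __vbaI2Str result for the character at position 0x1F
 * Returns the word stored to [ebp-0x28] and handed back in ax. */
uint16_t call1_result(uint32_t cmp_x, uint32_t cmp_1, uint16_t n)
{
    uint16_t si  = parity_of(n);
    uint32_t ebx = vb_bool_from_strcmp(cmp_x) & vb_bool_from_flag(si != 0);
    uint32_t eax = vb_bool_from_strcmp(cmp_1) & vb_bool_from_flag(si == 0);
    return (uint16_t)(ebx | eax);          /* 00452152: or ebx,eax */
}

int main(void)
{
    /* Constructed inputs: 0 = "strings equal", 1 = "strings differ". */
    static const struct { uint32_t cx, c1; uint16_t n; } rows[] = {
        {0, 1, 7}, {0, 1, 4}, {1, 0, 4}, {1, 0, 7}, {1, 1, 3},
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("cmp_x=%u cmp_1=%u n=%u -> ax=0x%04X\n",
               (unsigned)rows[i].cx, (unsigned)rows[i].c1,
               (unsigned)rows[i].n,
               (unsigned)call1_result(rows[i].cx, rows[i].c1, rows[i].n));
    return 0;
}
```

The neg/sbb/inc/neg run is how the VB6 native compiler turns "compare result equals zero" into True (-1) or False (0) without a branch, which is why the two halves can be combined with plain and/or instructions.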

The code of algorithm CALL2 is as follows:
00451DF0   $  53            push ebx
00451DF1   .  55            push ebp
00451DF2   .  56            push esi
00451DF3   .  57            push edi                                 ;  BatchPPT.0045A028
00451DF4   .  8B7C24 14     mov edi,dword ptr ss:[esp+0x14]          ;  BatchPPT.0045A028
00451DF8   .  8B1D 90114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaIn>;  MSVBVM60.__vbaInStr
00451DFE   .  6A 01         push 0x1
00451E00   .  8B07          mov eax,dword ptr ds:[edi]
00451E02   .  50            push eax
00451E03   .  68 08564100   push BatchPPT.00415608                   ;  -
00451E08   .  6A 01         push 0x1
00451E0A   .  FFD3          call ebx                                 ;  <&MSVBVM60.__vbaInStr>
00451E0C   .  8B2D DC104000 mov ebp,dword ptr ds:[<&MSVBVM60.__vbaI2>;  MSVBVM60.__vbaI2I4
00451E12   .  8BC8          mov ecx,eax
00451E14   .  FFD5          call ebp                                 ;  <&MSVBVM60.__vbaI2I4>
00451E16   .  8BF0          mov esi,eax
00451E18   .  66:83FE 01    cmp si,0x1                               ;  si >= 1
00451E1C   .  7D 09         jge short BatchPPT.00451E27
00451E1E   .  5F            pop edi                                  ;  0012FB20
00451E1F   .  5E            pop esi                                  ;  0012FB20
00451E20   .  5D            pop ebp                                  ;  0012FB20
00451E21   .  33C0          xor eax,eax
00451E23   .  5B            pop ebx                                  ;  0012FB20
00451E24   .  C2 0400       retn 0x4
00451E27   >  66:8BCE       mov cx,si                                ;  cx=si
00451E2A   .  8B07          mov eax,dword ptr ds:[edi]
00451E2C   .  66:83C1 01    add cx,0x1                               ;  cx=cx+1
00451E30   .  70 40         jo short BatchPPT.00451E72
00451E32   .  0FBFD1        movsx edx,cx
00451E35   .  52            push edx                                 ;  search again, starting from the previous position
00451E36   .  50            push eax
00451E37   .  68 08564100   push BatchPPT.00415608                   ;  -
00451E3C   .  6A 01         push 0x1
00451E3E   .  FFD3          call ebx
00451E40   .  8BC8          mov ecx,eax
00451E42   .  FFD5          call ebp
00451E44   .  66:8BCE       mov cx,si                                ;  cx = position of the first one
00451E47   .  66:83C1 02    add cx,0x2                               ;  cx=cx+2
00451E4B   .  70 25         jo short BatchPPT.00451E72
00451E4D   .  66:3BC1       cmp ax,cx                                ;  the position found must be >= cx
00451E50   .  7D 09         jge short BatchPPT.00451E5B
00451E52   .  5F            pop edi                                  ;  0012FB20
00451E53   .  5E            pop esi                                  ;  0012FB20
00451E54   .  5D            pop ebp                                  ;  0012FB20
00451E55   .  33C0          xor eax,eax
00451E57   .  5B            pop ebx                                  ;  0012FB20
00451E58   .  C2 0400       retn 0x4
00451E5B   >  66:03F0       add si,ax                                ;  si+ax
00451E5E   .  5F            pop edi                                  ;  0012FB20
00451E5F   .  70 11         jo short BatchPPT.00451E72
00451E61   .  33C0          xor eax,eax
00451E63   .  66:83FE 21    cmp si,0x21                               //equals 0x21
00451E67   .  0F94C0        sete al
00451E6A   .  5E            pop esi                                  ;  0012FB20
00451E6B   .  5D            pop ebp                                  ;  0012FB20
00451E6C   .  F7D8          neg eax
00451E6E   .  5B            pop ebx                                  ;  0012FB20
00451E6F   .  C2 0400       retn 0x4
00451E72   >  FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaError>;  MSVBVM60.__vbaErrorOverflow


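From the code above we can see:
It validates by computing the positions at which "-" occurs. We call the positions of the first and second occurrence a1 and a2. The following three conditions must hold.
First: a1>=1 (i.e. it must exist) (it has to equal B)
Second: a2>=a1+2 (it has to equal 0x16)
Third: si=a2+a1 has to equal 0x21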

The code of algorithm CALL3 is as follows:
00451E80   $  55            push ebp
00451E81   .  8BEC          mov ebp,esp
00451E83   .  83EC 08       sub esp,0x8
00451E86   .  68 962A4000   push <jmp.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
00451E8B   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00451E91   .  50            push eax
00451E92   .  64:8925 00000>mov dword ptr fs:[0],esp
00451E99   .  83EC 5C       sub esp,0x5C
00451E9C   .  53            push ebx                                 ;  MSVBVM60.__vbaObjSet
00451E9D   .  56            push esi
00451E9E   .  57            push edi                                 ;  MSVBVM60.__vbaStrMove
00451E9F   .  8965 F8       mov dword ptr ss:[ebp-0x8],esp
00451EA2   .  C745 FC 40264>mov dword ptr ss:[ebp-0x4],BatchPPT.0040>
00451EA9   .  8B75 08       mov esi,dword ptr ss:[ebp+0x8]
00451EAC   .  8B1D 90114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaIn>;  MSVBVM60.__vbaInStr
00451EB2   .  6A 01         push 0x1
00451EB4   .  33FF          xor edi,edi                              ;  MSVBVM60.__vbaStrMove
00451EB6   .  8B06          mov eax,dword ptr ds:[esi]               ;  BatchPPT.0045CA40
00451EB8   .  897D E4       mov dword ptr ss:[ebp-0x1C],edi          ;  MSVBVM60.__vbaStrMove
00451EBB   .  50            push eax
00451EBC   .  68 08564100   push BatchPPT.00415608                   ;  -
00451EC1   .  6A 01         push 0x1
00451EC3   .  897D E0       mov dword ptr ss:[ebp-0x20],edi          ;  MSVBVM60.__vbaStrMove
00451EC6   .  897D D8       mov dword ptr ss:[ebp-0x28],edi          ;  MSVBVM60.__vbaStrMove
00451EC9   .  897D C8       mov dword ptr ss:[ebp-0x38],edi          ;  MSVBVM60.__vbaStrMove
00451ECC   .  897D B8       mov dword ptr ss:[ebp-0x48],edi          ;  MSVBVM60.__vbaStrMove
00451ECF   .  897D A8       mov dword ptr ss:[ebp-0x58],edi          ;  MSVBVM60.__vbaStrMove
00451ED2   .  FFD3          call ebx                                 ;  MSVBVM60.__vbaObjSet; <&MSVBVM60.__vbaInStr>
00451ED4   .  8BC8          mov ecx,eax
00451ED6   .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>>;  MSVBVM60.__vbaI2I4
00451EDC   .  66:3D 0B00    cmp ax,0xB
00451EE0   .  74 0D         je short BatchPPT.00451EEF
00451EE2   .  897D E8       mov dword ptr ss:[ebp-0x18],edi          ;  MSVBVM60.__vbaStrMove
00451EE5   .  68 03204500   push BatchPPT.00452003
00451EEA   .  E9 03010000   jmp BatchPPT.00451FF2
00451EEF   >  8B0E          mov ecx,dword ptr ds:[esi]               ;  BatchPPT.0045CA40
00451EF1   .  6A 0C         push 0xC
00451EF3   .  51            push ecx
00451EF4   .  68 08564100   push BatchPPT.00415608                   ;  -
00451EF9   .  6A 01         push 0x1
00451EFB   .  FFD3          call ebx                                 ;  MSVBVM60.__vbaObjSet
00451EFD   .  8BC8          mov ecx,eax
00451EFF   .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>>;  MSVBVM60.__vbaI2I4
00451F05   .  66:3D 1600    cmp ax,0x16
00451F09   .  74 0D         je short BatchPPT.00451F18
00451F0B   .  897D E8       mov dword ptr ss:[ebp-0x18],edi          ;  MSVBVM60.__vbaStrMove
00451F0E   .  68 03204500   push BatchPPT.00452003
00451F13   .  E9 DA000000   jmp BatchPPT.00451FF2
00451F18   >  8D55 C8       lea edx,dword ptr ss:[ebp-0x38]
00451F1B   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
00451F1E   .  52            push edx                                 ; /Length8 = 0x12EBAC
00451F1F   .  6A 0C         push 0xC                                 ; |Start = 0xC
00451F21   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]          ; |
00451F24   .  50            push eax                                 ; |dString8 = 0018130C
00451F25   .  51            push ecx                                 ; |RetBUFFER = 0012EBAC
00451F26   .  C745 D0 0A000>mov dword ptr ss:[ebp-0x30],0xA          ; |
00451F2D   .  C745 C8 02000>mov dword ptr ss:[ebp-0x38],0x2          ; |
00451F34   .  8975 B0       mov dword ptr ss:[ebp-0x50],esi          ; |
00451F37   .  C745 A8 08400>mov dword ptr ss:[ebp-0x58],0x4008       ; |
00451F3E   .  FF15 B4104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; \rtcMidCharVar
00451F44   .  8B1D 20104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaSt>;
00451F4A   .  8D55 B8       lea edx,dword ptr ss:[ebp-0x48]
00451F4D   .  52            push edx
00451F4E   .  FFD3          call ebx                                 ;  MSVBVM60.__vbaObjSet; <&MSVBVM60.__vbaStrVarMove>
00451F50   .  8B3D 00124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrMove
00451F56   .  8BD0          mov edx,eax
00451F58   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00451F5B   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove; <&MSVBVM60.__vbaStrMove>
00451F5D   .  8D45 B8       lea eax,dword ptr ss:[ebp-0x48]
00451F60   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00451F63   .  50            push eax
00451F64   .  51            push ecx
00451F65   .  6A 02         push 0x2
00451F67   .  FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
00451F6D   .  83C4 0C       add esp,0xC
00451F70   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
00451F73   .  8D45 C8       lea eax,dword ptr ss:[ebp-0x38]
00451F76   .  8975 B0       mov dword ptr ss:[ebp-0x50],esi
00451F79   .  6A 0A         push 0xA
00451F7B   .  52            push edx
00451F7C   .  50            push eax
00451F7D   .  C745 A8 08400>mov dword ptr ss:[ebp-0x58],0x4008
00451F84   .  FF15 F4114000 call dword ptr ds:[<&MSVBVM60.#rtcLeftCh>;  take the first 0xA characters of the string
00451F8A   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00451F8D   .  51            push ecx
00451F8E   .  FFD3          call ebx                                 ;  MSVBVM60.__vbaObjSet
00451F90   .  8BD0          mov edx,eax
00451F92   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00451F95   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451F97   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00451F9A   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
00451FA0   .  8B55 E0       mov edx,dword ptr ss:[ebp-0x20]
00451FA3   .  8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
00451FA6   .  52            push edx
00451FA7   .  50            push eax
00451FA8   .  E8 63FAFFFF   call BatchPPT.00451A10                      //key CALL, step into it
00451FAD   .  8BD0          mov edx,eax
00451FAF   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00451FB2   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451FB4   .  50            push eax
00451FB5   .  FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
00451FBB   .  F7D8          neg eax
00451FBD   .  1BC0          sbb eax,eax
00451FBF   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00451FC2   .  40            inc eax
00451FC3   .  F7D8          neg eax
00451FC5   .  8945 E8       mov dword ptr ss:[ebp-0x18],eax
00451FC8   .  FF15 28124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00451FCE   .  68 03204500   push BatchPPT.00452003
00451FD3   .  EB 1D         jmp short BatchPPT.00451FF2
00451FD5   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00451FD8   .  FF15 28124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00451FDE   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00451FE1   .  8D55 C8       lea edx,dword ptr ss:[ebp-0x38]
00451FE4   .  51            push ecx
00451FE5   .  52            push edx
00451FE6   .  6A 02         push 0x2
00451FE8   .  FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
00451FEE   .  83C4 0C       add esp,0xC
00451FF1   .  C3            retn
00451FF2   >  8B35 28124000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFr>;  MSVBVM60.__vbaFreeStr
00451FF8   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00451FFB   .  FFD6          call esi                                 ;  <&MSVBVM60.__vbaFreeStr>
00451FFD   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00452000   .  FFD6          call esi
00452002   .  C3            retn
00452003   .  8B4D F0       mov ecx,dword ptr ss:[ebp-0x10]          ;  BatchPPT.00402A96
00452006   .  66:8B45 E8    mov ax,word ptr ss:[ebp-0x18]
0045200A   .  5F            pop edi                                  ;  BatchPPT.00452868
0045200B   .  5E            pop esi                                  ;  BatchPPT.00452868
0045200C   .  64:890D 00000>mov dword ptr fs:[0],ecx
00452013   .  5B            pop ebx                                  ;  BatchPPT.00452868
00452014   .  8BE5          mov esp,ebp
00452016   .  5D            pop ebp                                  ;  BatchPPT.00452868
00452017   .  C2 0400       retn 0x4



//Stepping into 00451A10
00451A10 > $  55            push ebp
00451A11   .  8BEC          mov ebp,esp
00451A13   .  83EC 0C       sub esp,0xC
00451A16   .  68 962A4000   push <jmp.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
00451A1B   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00451A21   .  50            push eax
00451A22   .  64:8925 00000>mov dword ptr fs:[0],esp
00451A29   .  83EC 6C       sub esp,0x6C
00451A2C   .  53            push ebx                                 ;  MSVBVM60.__vbaObjSet
00451A2D   .  56            push esi
00451A2E   .  57            push edi                                 ;  MSVBVM60.__vbaStrMove
00451A2F   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
00451A32   .  C745 F8 30264>mov dword ptr ss:[ebp-0x8],BatchPPT.0040>
00451A39   .  8B7D 08       mov edi,dword ptr ss:[ebp+0x8]
00451A3C   .  33F6          xor esi,esi
00451A3E   .  8975 D8       mov dword ptr ss:[ebp-0x28],esi
00451A41   .  8975 D4       mov dword ptr ss:[ebp-0x2C],esi
00451A44   .  8B07          mov eax,dword ptr ds:[edi]
00451A46   .  8975 D0       mov dword ptr ss:[ebp-0x30],esi
00451A49   .  50            push eax                                 ; /String = ""
00451A4A   .  8975 C4       mov dword ptr ss:[ebp-0x3C],esi          ; |
00451A4D   .  8975 C0       mov dword ptr ss:[ebp-0x40],esi          ; |
00451A50   .  8975 B0       mov dword ptr ss:[ebp-0x50],esi          ; |
00451A53   .  8975 AC       mov dword ptr ss:[ebp-0x54],esi          ; |
00451A56   .  8975 9C       mov dword ptr ss:[ebp-0x64],esi          ; |
00451A59   .  FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
00451A5F   .  85C0          test eax,eax
00451A61   .  0F84 20030000 je BatchPPT.00451D87
00451A67   .  56            push esi
00451A68   .  8D4D 9C       lea ecx,dword ptr ss:[ebp-0x64]
00451A6B   .  68 80000000   push 0x80
00451A70   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
00451A73   .  51            push ecx
00451A74   .  52            push edx
00451A75   .  897D A4       mov dword ptr ss:[ebp-0x5C],edi          ;  MSVBVM60.__vbaStrMove
00451A78   .  C745 9C 08400>mov dword ptr ss:[ebp-0x64],0x4008
00451A7F   .  FF15 5C114000 call dword ptr ds:[<&MSVBVM60.#rtcStrCon>;  MSVBVM60.rtcStrConvVar2
00451A85   .  8D45 B0       lea eax,dword ptr ss:[ebp-0x50]          ;  convert to ASCII codes
00451A88   .  8D4D AC       lea ecx,dword ptr ss:[ebp-0x54]
00451A8B   .  50            push eax
00451A8C   .  51            push ecx
00451A8D   .  FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaVar2V>;  MSVBVM60.__vbaVar2Vec
00451A93   .  8D55 AC       lea edx,dword ptr ss:[ebp-0x54]          ;  convert to an array
00451A96   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
00451A99   .  52            push edx
00451A9A   .  50            push eax
00451A9B   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaAryMo>;  MSVBVM60.__vbaAryMove
00451AA1   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00451AA4   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
00451AAA   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451AAD   .  51            push ecx
00451AAE   .  6A 01         push 0x1
00451AB0   .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaLboun>;  MSVBVM60.__vbaLbound
00451AB6   .  8B55 D8       mov edx,dword ptr ss:[ebp-0x28]
00451AB9   .  8BF8          mov edi,eax
00451ABB   .  52            push edx
00451ABC   .  6A 01         push 0x1                                 ;  the code above strips the symbol
00451ABE   .  897D DC       mov dword ptr ss:[ebp-0x24],edi          ;  MSVBVM60.__vbaStrMove
00451AC1   .  FF15 64114000 call dword ptr ds:[<&MSVBVM60.__vbaUboun>;  MSVBVM60.__vbaUbound
00451AC7   .  8BD8          mov ebx,eax                              ;  take the upper bound (__vbaUbound result)
00451AC9   .  57            push edi                                 ; |lBoundn = 0x73476A74
00451ACA   .  83C3 01       add ebx,0x1                              ; |
00451ACD   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]          ; |
00451AD0   .  0F80 13030000 jo BatchPPT.00451DE9                     ; |
00451AD6   .  8BC3          mov eax,ebx                              ; |MSVBVM60.__vbaObjSet
00451AD8   .  895D C8       mov dword ptr ss:[ebp-0x38],ebx          ; |MSVBVM60.__vbaObjSet
00451ADB   .  83E8 01       sub eax,0x1                              ; |
00451ADE   .  0F80 05030000 jo BatchPPT.00451DE9                     ; |
00451AE4   .  50            push eax                                 ; |uBoundn = 0x18130C
00451AE5   .  6A 01         push 0x1                                 ; |TotalArray = 0x1
00451AE7   .  6A 11         push 0x11                                ; |vBType = Byte
00451AE9   .  51            push ecx                                 ; |RetADDR = 0012EBAC
00451AEA   .  6A 01         push 0x1                                 ; |VAlign = BYTE
00451AEC   .  68 80000000   push 0x80                                ; |Arg1 = 0x80
00451AF1   .  FF15 04114000 call dword ptr ds:[<&MSVBVM60.__vbaRedim>; \__vbaRedim
00451AF7   .  8BCB          mov ecx,ebx                              ;  ReDim the array as BYTE[0-9]
00451AF9   .  83C4 1C       add esp,0x1C
00451AFC   .  83E9 01       sub ecx,0x1
00451AFF   .  0F80 E4020000 jo BatchPPT.00451DE9
00451B05   .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>>;  MSVBVM60.__vbaI2I4
00451B0B   .  8BCF          mov ecx,edi                              ;  MSVBVM60.__vbaStrMove
00451B0D   .  8945 90       mov dword ptr ss:[ebp-0x70],eax
00451B10   .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>>;  MSVBVM60.__vbaI2I4
00451B16   .  8945 E8       mov dword ptr ss:[ebp-0x18],eax
00451B19   >  66:3B45 90    cmp ax,word ptr ss:[ebp-0x70]            ;  loop start
00451B1D   .  0F8F 07020000 jg BatchPPT.00451D2A
00451B23   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451B26   .  0FBFC0        movsx eax,ax
00451B29   .  3BC7          cmp eax,edi                              ;  compare i with edi
00451B2B   .  8945 84       mov dword ptr ss:[ebp-0x7C],eax          ;  variable 7C = eax
00451B2E   .  0F85 BA000000 jnz BatchPPT.00451BEE
00451B34   .  85C9          test ecx,ecx
00451B36   .  74 2A         je short BatchPPT.00451B62
00451B38   .  66:8339 01    cmp word ptr ds:[ecx],0x1
00451B3C   .  75 24         jnz short BatchPPT.00451B62              ;  the above are some checks on the array
00451B3E   .  8B51 14       mov edx,dword ptr ds:[ecx+0x14]          ;  BatchPPT.004026F0
00451B41   .  8B41 10       mov eax,dword ptr ds:[ecx+0x10]          ;  eax = array size
00451B44   .  8BF3          mov esi,ebx                              ;  MSVBVM60.__vbaObjSet
00451B46   .  8B3D CC104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaGe>;  MSVBVM60.__vbaGenerateBoundsError
00451B4C   .  83EE 01       sub esi,0x1
00451B4F   .  0F80 94020000 jo BatchPPT.00451DE9
00451B55   .  2BF2          sub esi,edx
00451B57   .  3BF0          cmp esi,eax                              ;  compare 9 with A
00451B59   .  72 18         jb short BatchPPT.00451B73
00451B5B   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove; <&MSVBVM60.__vbaGenerateBoundsError>
00451B5D   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451B60   .  EB 11         jmp short BatchPPT.00451B73
00451B62   >  FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaGener>;  MSVBVM60.__vbaGenerateBoundsError
00451B68   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451B6B   .  8B3D CC104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaGe>;  MSVBVM60.__vbaGenerateBoundsError
00451B71   .  8BF0          mov esi,eax
00451B73   >  8B51 0C       mov edx,dword ptr ds:[ecx+0xC]           ;  BatchPPT.00402A96
00451B76   .  33C0          xor eax,eax
00451B78   .  83FB 01       cmp ebx,0x1
00451B7B   .  8A0432        mov al,byte ptr ds:[edx+esi]             ;  al = the character at position A
00451B7E   .  8945 D0       mov dword ptr ss:[ebp-0x30],eax          ;  variable 30 = the character at position A (initial value)
00451B81   .  75 28         jnz short BatchPPT.00451BAB
00451B83   .  85C9          test ecx,ecx
00451B85   .  74 56         je short BatchPPT.00451BDD
00451B87   .  66:3919       cmp word ptr ds:[ecx],bx
00451B8A   .  75 51         jnz short BatchPPT.00451BDD
00451B8C   .  8B71 14       mov esi,dword ptr ds:[ecx+0x14]          ;  BatchPPT.004026F0
00451B8F   .  8B41 10       mov eax,dword ptr ds:[ecx+0x10]
00451B92   .  F7DE          neg esi
00451B94   .  3BF0          cmp esi,eax
00451B96   .  72 05         jb short BatchPPT.00451B9D
00451B98   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451B9A   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451B9D   >  8B51 0C       mov edx,dword ptr ds:[ecx+0xC]           ;  BatchPPT.00402A96
00451BA0   .  8BC6          mov eax,esi
00451BA2   .  33DB          xor ebx,ebx                              ;  MSVBVM60.__vbaObjSet
00451BA4   .  8A1C02        mov bl,byte ptr ds:[edx+eax]
00451BA7   .  8BF3          mov esi,ebx                              ;  MSVBVM60.__vbaObjSet
00451BA9   .  EB 49         jmp short BatchPPT.00451BF4
00451BAB   >  85C9          test ecx,ecx
00451BAD   .  74 2E         je short BatchPPT.00451BDD
00451BAF   .  66:8339 01    cmp word ptr ds:[ecx],0x1
00451BB3   .  75 28         jnz short BatchPPT.00451BDD
00451BB5   .  8B51 14       mov edx,dword ptr ds:[ecx+0x14]          ;  BatchPPT.004026F0
00451BB8   .  8B41 10       mov eax,dword ptr ds:[ecx+0x10]
00451BBB   .  83EB 02       sub ebx,0x2
00451BBE   .  0F80 25020000 jo BatchPPT.00451DE9
00451BC4   .  2BDA          sub ebx,edx
00451BC6   .  3BD8          cmp ebx,eax
00451BC8   .  72 05         jb short BatchPPT.00451BCF
00451BCA   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451BCC   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451BCF   >  8B51 0C       mov edx,dword ptr ds:[ecx+0xC]           ;  BatchPPT.00402A96
00451BD2   .  8BC3          mov eax,ebx                              ;  MSVBVM60.__vbaObjSet
00451BD4   .  33DB          xor ebx,ebx                              ;  MSVBVM60.__vbaObjSet
00451BD6   .  8A1C02        mov bl,byte ptr ds:[edx+eax]             ;  bl = the ninth element
00451BD9   .  8BF3          mov esi,ebx                              ;  esi=bl
00451BDB   .  EB 17         jmp short BatchPPT.00451BF4
00451BDD   >  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451BDF   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451BE2   .  33DB          xor ebx,ebx                              ;  MSVBVM60.__vbaObjSet
00451BE4   .  8B51 0C       mov edx,dword ptr ds:[ecx+0xC]           ;  BatchPPT.00402A96
00451BE7   .  8A1C02        mov bl,byte ptr ds:[edx+eax]
00451BEA   .  8BF3          mov esi,ebx                              ;  MSVBVM60.__vbaObjSet
00451BEC   .  EB 06         jmp short BatchPPT.00451BF4
00451BEE   >  8B3D CC104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaGe>;  MSVBVM60.__vbaGenerateBoundsError
00451BF4   >  85C9          test ecx,ecx
00451BF6   .  74 1E         je short BatchPPT.00451C16
00451BF8   .  66:8339 01    cmp word ptr ds:[ecx],0x1
00451BFC   .  75 18         jnz short BatchPPT.00451C16
00451BFE   .  8B5D 84       mov ebx,dword ptr ss:[ebp-0x7C]
00451C01   .  8B51 14       mov edx,dword ptr ds:[ecx+0x14]          ;  BatchPPT.004026F0
00451C04   .  8B41 10       mov eax,dword ptr ds:[ecx+0x10]
00451C07   .  2BDA          sub ebx,edx
00451C09   .  3BD8          cmp ebx,eax
00451C0B   .  72 05         jb short BatchPPT.00451C12
00451C0D   .  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451C0F   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451C12   >  8BC3          mov eax,ebx                              ;  MSVBVM60.__vbaObjSet
00451C14   .  EB 05         jmp short BatchPPT.00451C1B
00451C16   >  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451C18   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451C1B   >  8B51 0C       mov edx,dword ptr ds:[ecx+0xC]           ;  BatchPPT.00402A96
00451C1E   .  33DB          xor ebx,ebx                              ;  MSVBVM60.__vbaObjSet
00451C20   .  8A1C02        mov bl,byte ptr ds:[edx+eax]             ;  fetch each array element in turn
00451C23   .  8B55 D0       mov edx,dword ptr ss:[ebp-0x30]          ;  edx = variable 30
00451C26   .  23DA          and ebx,edx                              ;  AND each element with element A
00451C28   .  85C9          test ecx,ecx
00451C2A   .  74 22         je short BatchPPT.00451C4E
00451C2C   .  66:8339 01    cmp word ptr ds:[ecx],0x1
00451C30   .  75 1C         jnz short BatchPPT.00451C4E
00451C32   .  8B7D 84       mov edi,dword ptr ss:[ebp-0x7C]
00451C35   .  8B51 14       mov edx,dword ptr ds:[ecx+0x14]          ;  BatchPPT.004026F0
00451C38   .  8B41 10       mov eax,dword ptr ds:[ecx+0x10]
00451C3B   .  2BFA          sub edi,edx
00451C3D   .  3BF8          cmp edi,eax
00451C3F   .  72 09         jb short BatchPPT.00451C4A
00451C41   .  FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaGener>;  MSVBVM60.__vbaGenerateBoundsError
00451C47   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451C4A   >  8BC7          mov eax,edi                              ;  MSVBVM60.__vbaStrMove
00451C4C   .  EB 05         jmp short BatchPPT.00451C53
00451C4E   >  FFD7          call edi                                 ;  MSVBVM60.__vbaStrMove
00451C50   .  8B4D D8       mov ecx,dword ptr ss:[ebp-0x28]
00451C53   >  8B49 0C       mov ecx,dword ptr ds:[ecx+0xC]           ;  BatchPPT.00402A96
00451C56   .  33D2          xor edx,edx
00451C58   .  8A1401        mov dl,byte ptr ds:[ecx+eax]             ;  dl = each element
00451C5B   .  8BFA          mov edi,edx
00451C5D   .  0BFE          or edi,esi                               ;  OR each element with the ninth element (initial value, already computed)
00451C5F   .  81FB 80000000 cmp ebx,0x80
00451C65   .  7E 0F         jle short BatchPPT.00451C76
00451C67   .  B8 00010000   mov eax,0x100
00451C6C   .  2BC3          sub eax,ebx                              ;  MSVBVM60.__vbaObjSet
00451C6E   .  0F80 75010000 jo BatchPPT.00451DE9
00451C74   .  8BD8          mov ebx,eax
00451C76   >  81FF 80000000 cmp edi,0x80
00451C7C   .  7E 0F         jle short BatchPPT.00451C8D
00451C7E   .  B9 00010000   mov ecx,0x100
00451C83   .  2BCF          sub ecx,edi                              ;  MSVBVM60.__vbaStrMove
00451C85   .  0F80 5E010000 jo BatchPPT.00451DE9
00451C8B   .  8BF9          mov edi,ecx
00451C8D   >  8B45 C4       mov eax,dword ptr ss:[ebp-0x3C]
00451C90   .  85C0          test eax,eax
00451C92   .  74 22         je short BatchPPT.00451CB6
00451C94   .  66:8338 01    cmp word ptr ds:[eax],0x1
00451C98   .  75 1C         jnz short BatchPPT.00451CB6
00451C9A   .  8B4D 84       mov ecx,dword ptr ss:[ebp-0x7C]
00451C9D   .  8B50 14       mov edx,dword ptr ds:[eax+0x14]
00451CA0   .  2BCA          sub ecx,edx
00451CA2   .  8BF1          mov esi,ecx
00451CA4   .  8B48 10       mov ecx,dword ptr ds:[eax+0x10]
00451CA7   .  3BF1          cmp esi,ecx
00451CA9   .  72 06         jb short BatchPPT.00451CB1
00451CAB   .  FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaGener>;  MSVBVM60.__vbaGenerateBoundsError
00451CB1   >  8975 80       mov dword ptr ss:[ebp-0x80],esi
00451CB4   .  EB 09         jmp short BatchPPT.00451CBF
00451CB6   >  FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaGener>;  MSVBVM60.__vbaGenerateBoundsError
00451CBC   .  8945 80       mov dword ptr ss:[ebp-0x80],eax
00451CBF   >  68 00564100   push BatchPPT.00415600                   ; /A
00451CC4   .  FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>; \rtcAnsiValueBstr
00451CCA   .  0FBFC8        movsx ecx,ax                             ;  ax = ASCII code of 'A'
00451CCD   .  8BC7          mov eax,edi                              ;  eax = edi, the OR-ed value
00451CCF   .  BE 34000000   mov esi,0x34                             ;  esi=34
00451CD4   .  0FAFC3        imul eax,ebx                             ;  AND-ed value * OR-ed value
00451CD7   .  0F80 0C010000 jo BatchPPT.00451DE9
00451CDD   .  99            cdq
00451CDE   .  F7FE          idiv esi                                 ;  /34
00451CE0   .  03CA          add ecx,edx                              ;  remainder plus 41
00451CE2   .  0F80 01010000 jo BatchPPT.00451DE9
00451CE8   .  FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaUI1I4>;  MSVBVM60.__vbaUI1I4
00451CEE   .  8B55 C4       mov edx,dword ptr ss:[ebp-0x3C]
00451CF1   .  8BF7          mov esi,edi                              ;  esi = edi, the OR-ed value
00451CF3   .  03F3          add esi,ebx                              ;  AND-ed value + OR-ed value
00451CF5   .  8B5D C8       mov ebx,dword ptr ss:[ebp-0x38]
00451CF8   .  8B4A 0C       mov ecx,dword ptr ds:[edx+0xC]           ;  BatchPPT.00402A96
00451CFB   .  8B55 80       mov edx,dword ptr ss:[ebp-0x80]
00451CFE   .  0F80 E5000000 jo BatchPPT.00451DE9
00451D04   .  880411        mov byte ptr ds:[ecx+edx],al             ;  store the result
00451D07   .  B8 01000000   mov eax,0x1
00451D0C   .  81E6 FF000000 and esi,0xFF                             ;  esi keeps only its low 8 bits
00451D12   .  66:0345 E8    add ax,word ptr ss:[ebp-0x18]
00451D16   .  897D D0       mov dword ptr ss:[ebp-0x30],edi          ;  save edi to variable 30
00451D19   .  8B7D DC       mov edi,dword ptr ss:[ebp-0x24]
00451D1C   .  0F80 C7000000 jo BatchPPT.00451DE9
00451D22   .  8945 E8       mov dword ptr ss:[ebp-0x18],eax
00451D25   .^ E9 EFFDFFFF   jmp BatchPPT.00451B19
00451D2A   >  8B45 C4       mov eax,dword ptr ss:[ebp-0x3C]
00451D2D   .  8D4D 9C       lea ecx,dword ptr ss:[ebp-0x64]
00451D30   .  51            push ecx
00451D31   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00451D34   .  C745 9C 11200>mov dword ptr ss:[ebp-0x64],0x2011
00451D3B   .  FF15 08124000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarCopy
00451D41   .  8B35 00124000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrMove
00451D47   .  8BD0          mov edx,eax
00451D49   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00451D4C   .  FFD6          call esi                                 ;  <&MSVBVM60.__vbaStrMove>
00451D4E   .  6A 00         push 0x0
00451D50   .  8D45 9C       lea eax,dword ptr ss:[ebp-0x64]
00451D53   .  6A 40         push 0x40
00451D55   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00451D58   .  8D55 D4       lea edx,dword ptr ss:[ebp-0x2C]
00451D5B   .  50            push eax
00451D5C   .  51            push ecx
00451D5D   .  8955 A4       mov dword ptr ss:[ebp-0x5C],edx
00451D60   .  C745 9C 08400>mov dword ptr ss:[ebp-0x64],0x4008
00451D67   .  FF15 5C114000 call dword ptr ds:[<&MSVBVM60.#rtcStrCon>;  MSVBVM60.rtcStrConvVar2
00451D6D   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
00451D70   .  52            push edx
00451D71   .  FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarMove
00451D77   .  8BD0          mov edx,eax
00451D79   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
00451D7C   .  FFD6          call esi
00451D7E   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00451D81   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
00451D87   >  68 D31D4500   push BatchPPT.00451DD3
00451D8C   .  EB 25         jmp short BatchPPT.00451DB3
00451D8E   .  F645 FC 04    test byte ptr ss:[ebp-0x4],0x4
00451D92   .  74 09         je short BatchPPT.00451D9D
00451D94   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
00451D97   .  FF15 28124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00451D9D   >  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00451DA0   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
00451DA6   .  8D45 AC       lea eax,dword ptr ss:[ebp-0x54]
00451DA9   .  50            push eax
00451DAA   .  6A 00         push 0x0
00451DAC   .  FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaAryDe>;  MSVBVM60.__vbaAryDestruct
00451DB2   .  C3            retn
00451DB3   >  8B35 6C104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaAr>;  MSVBVM60.__vbaAryDestruct
00451DB9   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00451DBC   .  51            push ecx
00451DBD   .  6A 00         push 0x0
00451DBF   .  FFD6          call esi                                 ;  <&MSVBVM60.__vbaAryDestruct>
00451DC1   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00451DC4   .  FF15 28124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
00451DCA   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00451DCD   .  52            push edx
00451DCE   .  6A 00         push 0x0
00451DD0   .  FFD6          call esi
00451DD2   .  C3            retn
00451DD3   .  8B4D EC       mov ecx,dword ptr ss:[ebp-0x14]
00451DD6   .  8B45 C0       mov eax,dword ptr ss:[ebp-0x40]
00451DD9   .  5F            pop edi                                  ;  BatchPPT.00452868
00451DDA   .  5E            pop esi                                  ;  BatchPPT.00452868
00451DDB   .  64:890D 00000>mov dword ptr fs:[0],ecx
00451DE2   .  5B            pop ebx                                  ;  BatchPPT.00452868
00451DE3   .  8BE5          mov esp,ebp
00451DE5   .  5D            pop ebp                                  ;  BatchPPT.00452868
00451DE6   .  C2 0400       retn 0x4
00451DE9   >  FF15 80114000 call dword ptr ds:[<&MSVBVM60.__vbaError>;  MSVBVM60.__vbaErrorOverflow



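From the code above we can conclude:
We can determine the exact positions of a1 and a2: 0xB and 0x16 respectively. They add up to exactly 0x21, which satisfies algorithm CALL1.
The registration code format should be 0000000000-0000000000-0000000000, split into three parts by the - character.
The value computed from the first part must equal the value of the second part; in the third part, the second-to-last character must be a digit, and the last character is determined by the second-to-last one.
I have marked rough comments on the code, but VB programs are really tedious, so I reconstructed it in VB.
See Figure 4:

4.jpg
The keygen is shown in Figure 5:
5.jpg
Attached, the successful-registration screen, Figure 6:
6.jpg

OK, the VB series is now complete. The next series may be Delphi, but that is not certain, so stay tuned. Thanks for everyone's support; if you have points to give, please rate, and if you are feeling generous, add some enthusiasm points.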

Links==============================================================================
Crack Hands-on Tutorial Series - "VB Series - Lesson 1"
http://www.52pojie.cn/thread-200996-1-1.html

Crack Hands-on Tutorial Series - "VB Series - Lesson 2"
http://www.52pojie.cn/thread-201358-1-1.html

Crack Hands-on Tutorial Series - "VB Series - Lesson 3"
http://www.52pojie.cn/thread-201748-1-1.html

Crack Hands-on Tutorial Series - "VB Series - Lesson 4"
http://www.52pojie.cn/thread-202544-1-1.html

Crack Hands-on Tutorial Series - "VB Series - Lesson 5"
http://www.52pojie.cn/thread-202545-1-1.html





BatchPPT31.rar
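
The listing in the post repeats one pattern before every array byte load: test the descriptor pointer, compare `word ptr [ecx]` with 1, subtract `[ecx+0x14]` from the index, compare the result unsigned against `[ecx+0x10]`, and otherwise call `__vbaGenerateBoundsError`. As an added example that is not part of the original post, the C below models that compiler-emitted SAFEARRAY bounds check; the name `SafeArray32`, the simulated memory buffer and the sample values are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* 32-bit, one-dimensional SAFEARRAY header with fixed-width fields so the
 * offsets match the listing on any host. pvData is modelled as an offset
 * into a simulated memory buffer (assumption for this example). */
typedef struct {
    uint16_t cDims;       /* +0x00: cmp word ptr [ecx],0x1 */
    uint16_t fFeatures;   /* +0x02 */
    uint32_t cbElements;  /* +0x04 */
    uint32_t cLocks;      /* +0x08 */
    uint32_t pvData;      /* +0x0C: mov edx,[ecx+0xC]  */
    uint32_t cElements;   /* +0x10: mov eax,[ecx+0x10] */
    int32_t  lLbound;     /* +0x14: mov edx,[ecx+0x14] */
} SafeArray32;

_Static_assert(offsetof(SafeArray32, pvData) == 0x0C, "pvData offset");
_Static_assert(offsetof(SafeArray32, cElements) == 0x10, "cElements offset");
_Static_assert(offsetof(SafeArray32, lLbound) == 0x14, "lLbound offset");

enum { READ_OK = 0, READ_BOUNDS_ERROR = -1 };

/* Mirrors the emitted sequence: null/cDims test, sub index,lLbound,
 * unsigned cmp against cElements (jb = in range), then the byte load.
 * The VB runtime raises an error at the failing branch; here a code
 * is returned instead. */
int checked_read_u8(const SafeArray32 *sa, const uint8_t *mem,
                    int32_t index, uint8_t *out)
{
    if (sa == NULL || sa->cDims != 1)
        return READ_BOUNDS_ERROR;          /* je / jnz to the error call */
    /* Unsigned subtract: an index below lLbound wraps to a huge value,
     * so a single unsigned compare rejects both directions. */
    uint32_t rel = (uint32_t)index - (uint32_t)sa->lLbound;
    if (rel >= sa->cElements)
        return READ_BOUNDS_ERROR;          /* __vbaGenerateBoundsError */
    *out = mem[sa->pvData + rel];          /* mov bl,[edx+eax] */
    return READ_OK;
}

/* Constructed sample: 10-byte array, lower bound 1, data at offset 4. */
int demo(int32_t index)
{
    uint8_t mem[16];
    for (int i = 0; i < 16; i++) mem[i] = (uint8_t)(0x40 + i);
    SafeArray32 sa = { 1, 0, 1, 0, 4, 10, 1 };
    uint8_t v = 0;
    int rc = checked_read_u8(&sa, mem, index, &v);
    return rc == READ_OK ? v : rc;
}
```
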

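小雨细无声 posted on 2013-7-3 21:17
Bumping first, then reading! Thanks
luoenlai posted on 2013-7-3 21:20
52pojie恒大 posted on 2013-7-3 21:22
blmk posted on 2013-7-3 21:26
All hail Xiao Y, off to bed! Writing a keygen looks like quite a hassle - -
淡然出尘 posted on 2013-7-3 21:34
I will definitely read it carefully. Thanks for the hard work..
瞬间消失 posted on 2013-7-3 21:49
Finished so soon
joson posted on 2013-7-4 11:06
Honestly, this lesson is really hard.
blmk posted on 2013-7-4 19:20
This post was last edited by blmk on 2013-7-4 21:01

I was wrong, I will definitely study key tracing properly
This is the patched one 爆破.jpg
It still pops up the registration window; just click OK!
RedAngel丶 posted on 2013-7-5 12:36
VB code is really scary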