160个CM之 003
本帖最后由 Otoboku 于 2021-1-13 01:07 编辑
# 起手
- PEID看看还是vb的程序
- VB.Decompiler提示程序被压缩了,点"是"没法载入,点"否"居然载入了,花Q,
# 追码
## 第一部分
和02一样,这个就简单了,只是小部分变化.
```
Len(userName) * 88888 + Asc(userName)   ' part 1: name length * 88888 (0x15B38) + character code of the first character
```
## 第二部分
浮点,妈妈咪呀,我一个指令都不会.只能百度现学
```
FLD类似于 PUSH指令
FSTP类似于POP指令
FADD类似于ADD指令
```
汇编指令:fld dword ptr ds:[内存地址] 意思是将该内存单元的值以浮点型压入ST0里面
汇编指令:fstp dword ptr ss:[ebp-20] 意思是将ST0里面的浮点值放到ebp-20这个内存里面,同时弹出(清空)ST0里面的值
```
FSTSW。这条指令将状态寄存器中的内容传送至 AX寄存器
```
状态字低8位各标志位: 0:无效指令,2:除零,3:溢出,4:下溢出,5:精度
流程如下,过程很长,作者目的明显,想要展示常用浮点指令.
````assembly
; Serial check, part 2: FPU arithmetic on the value from part 1, each step round-tripped through a text box.
; The memory operands in [] after ss:/ds: were lost when this listing was extracted.
004082DD > \8B8D 58FFFFFF mov ecx,dword ptr ss: ;TextInpu.60F91140
004082E3 .8B55 E8 mov edx,dword ptr ss:
004082E6 .52 push edx
004082E7 .8B19 mov ebx,dword ptr ds: ;msvbvm50.740E5A95
004082E9 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>;convert the reg-code string to a float and push it on the FPU stack
004082EF .D905 08104000 fld dword ptr ds:[<fRegCode>] ;push the constant 10 on the FPU stack
004082F5 .833D 00904000 0>cmp dword ptr ds:,0x0 ;0 -> native fdiv, otherwise the _adj_fdiv_m32 helper below
004082FC .75 08 jnz short AfKayAs_.00408306
004082FE .D835 0C104000 fdiv dword ptr ds: ;divide by the constant at 40100c (author: "=5")
00408304 .EB 0B jmp short AfKayAs_.00408311
00408306 >FF35 0C104000 push dword ptr ds:
0040830C .E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 >83EC 08 sub esp,0x8
00408314 .DFE0 fstsw ax ;copy the FPU status word into AX
00408316 .A8 0D test al,0xD ;0b1101: bits 0/2/3 = invalid operation, divide-by-zero, overflow
00408318 .0F85 A1040000 jnz AfKayAs_.004087BF ;any of those set -> error handler
0040831E .DEC1 faddp st(1),st ;add the two values on the FPU stack
00408320 .DFE0 fstsw ax
00408322 .A8 0D test al,0xD
00408324 .0F85 95040000 jnz AfKayAs_.004087BF
0040832A .DD1C24 fstp qword ptr ss: ;pop the result (as a double) into the stack slot
0040832D .FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaStrR8 (double -> string)
00408333 .8BD0 mov edx,eax
00408335 .8D4D E4 lea ecx,dword ptr ss:
00408338 .FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaStrMove
0040833E .899D 34FFFFFF mov dword ptr ss:,ebx
00408344 .8B9D 58FFFFFF mov ebx,dword ptr ss: ;TextInpu.60F91140
0040834A .50 push eax
0040834B .8B85 34FFFFFF mov eax,dword ptr ss:
00408351 .53 push ebx ;author: overall this is code + (10./2.); NOTE(review): the keygen below adds 2, which matches 10/5 if 40100c holds 5.0 -- verify
00408352 .FF90 A4000000 call dword ptr ds: ;store the string back into the text box
004083CD .FF92 A0000000 call dword ptr ds: ;read it back out of the text box
004083D3 .85C0 test eax,eax
004083D5 .7D 12 jge short AfKayAs_.004083E9
004083D7 .68 A0000000 push 0xA0
004083DC .68 AC6F4000 push AfKayAs_.00406FAC
004083E1 .53 push ebx
004083E2 .50 push eax
004083E3 .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaHresultCheckObj
004083E9 >8B8D 58FFFFFF mov ecx,dword ptr ss: ;TextInpu.60F91140
004083EF .8B55 E8 mov edx,dword ptr ss:
004083F2 .52 push edx
004083F3 .8B19 mov ebx,dword ptr ds: ;msvbvm50.740E5A95
004083F5 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaR8Str (string -> double)
004083FB .DC0D 10104000 fmul qword ptr ds: ;converted again, then * 3
00408401 .83EC 08 sub esp,0x8
00408404 .DC25 18104000 fsub qword ptr ds: ;- 2
0040840A .DFE0 fstsw ax
0040840C .A8 0D test al,0xD
0040840E .0F85 AB030000 jnz AfKayAs_.004087BF
00408414 .DD1C24 fstp qword ptr ss: ;back to a string and stored again
00408417 .FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaStrR8
0040841D .8BD0 mov edx,eax
0040841F .8D4D E4 lea ecx,dword ptr ss:
00408422 .FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaStrMove
00408428 .899D 2CFFFFFF mov dword ptr ss:,ebx
0040842E .8B9D 58FFFFFF mov ebx,dword ptr ss: ;TextInpu.60F91140
00408434 .50 push eax
00408435 .8B85 2CFFFFFF mov eax,dword ptr ss: ;TextInpu.60FA38C8
0040843B .53 push ebx
0040843C .FF90 A4000000 call dword ptr ds:
004084B5 .8B13 mov edx,dword ptr ds: ;read it out of the text box once more
004084B7 .FF92 A0000000 call dword ptr ds:
004084BD .85C0 test eax,eax
004084BF .7D 12 jge short AfKayAs_.004084D3
004084C1 .68 A0000000 push 0xA0
004084C6 .68 AC6F4000 push AfKayAs_.00406FAC
004084CB .53 push ebx
004084CC .50 push eax
004084CD .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaHresultCheckObj
004084D3 >8B8D 58FFFFFF mov ecx,dword ptr ss: ;TextInpu.60F91140
004084D9 .8B55 E8 mov edx,dword ptr ss:
004084DC .52 push edx
004084DD .8B19 mov ebx,dword ptr ds: ;msvbvm50.740E5A95
004084DF .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaR8Str
004084E5 .DC25 20104000 fsub qword ptr ds: ;+15: subtracting a negative constant, i.e. an addition in disguise
004084EB .83EC 08 sub esp,0x8
004084EE .DFE0 fstsw ax
004084F0 .A8 0D test al,0xD
004084F2 .0F85 C7020000 jnz AfKayAs_.004087BF
004084F8 .DD1C24 fstp qword ptr ss:
004084FB .FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaStrR8
00408501 .8BD0 mov edx,eax
00408503 .8D4D E4 lea ecx,dword ptr ss:
00408506 .FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaStrMove
0040850C .899D 24FFFFFF mov dword ptr ss:,ebx
00408512 .8B9D 58FFFFFF mov ebx,dword ptr ss: ;TextInpu.60F91140
00408518 .50 push eax
00408519 .8B85 24FFFFFF mov eax,dword ptr ss:
0040851F .53 push ebx
00408520 .FF90 A4000000 call dword ptr ds: ;store it again
00408572 .8D4D E4 lea ecx,dword ptr ss:
00408575 .51 push ecx
00408576 .53 push ebx
00408577 .8B03 mov eax,dword ptr ds:
00408579 .FF90 A0000000 call dword ptr ds: ;read it back
004085AB .8D55 E8 lea edx,dword ptr ss:
004085AE .52 push edx
004085AF .56 push esi
004085B0 .8B0E mov ecx,dword ptr ds:
004085B2 .FF91 A0000000 call dword ptr ds: ;read the user-entered (fake) reg code?
004085B8 .85C0 test eax,eax
004085BA .7D 12 jge short AfKayAs_.004085CE
004085BC .68 A0000000 push 0xA0
004085C1 .68 AC6F4000 push AfKayAs_.00406FAC
004085C6 .56 push esi
004085C7 .50 push eax
004085C8 .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaHresultCheckObj
004085CE >8B45 E8 mov eax,dword ptr ss: ;convert the entered reg code to double
004085D1 .50 push eax
004085D2 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaR8Str
004085D8 .8B4D E4 mov ecx,dword ptr ss: ;CoreUICo.60CEEBA4
004085DB .DD9D 1CFFFFFF fstp qword ptr ss: ;then pop it to memory
004085E1 .51 push ecx ;convert the computed code to double
004085E2 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>;msvbvm50.__vbaR8Str
004085E8 .833D 00904000 0>cmp dword ptr ds:,0x0 ;same fdiv / helper selection as at 004082F5
004085EF .75 08 jnz short AfKayAs_.004085F9
004085F1 .DCBD 1CFFFFFF fdivr qword ptr ss: ;divide the entered code by the computed one
004085F7 .EB 11 jmp short AfKayAs_.0040860A
004085F9 >FFB5 20FFFFFF push dword ptr ss:
004085FF .FFB5 1CFFFFFF push dword ptr ss:
00408605 .E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A >DFE0 fstsw ax
0040860C .A8 0D test al,0xD
0040860E .0F85 AB010000 jnz AfKayAs_.004087BF
00408614 .FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vb>;(unidentified helper)
0040861A .DC1D 28104000 fcomp qword ptr ds: ;compare the quotient with 1
00408620 .DFE0 fstsw ax
00408622 .F6C4 40 test ah,0x40 ;equal? (C3 flag of the status word)
````
## 注册机
```
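' Keygen for CrackMe 003: rebuilds the serial the program derives from the user name.
'   userName - the name typed into the program; only its length and first character matter.
' Returns the serial as a decimal string, or "" for an empty name
' (Asc("") would raise runtime error 5 "Invalid procedure call").
Function Regcode(userName As String) As String
    ' Double rather than Single: the target keeps the value as a qword (fstp qword / __vbaStrR8),
    ' and a Single would print in scientific notation once the value exceeds 7 significant digits.
    Dim t As Double
    If Len(userName) = 0 Then
        Regcode = ""
        Exit Function
    End If
    t = Len(userName) * 88888 + Asc(userName)   ' part 1: length * 88888 (0x15B38) + first character code
    t = t + 2                                    ' part 2: the 10 / constant step, then faddp
    t = t * 3 - 2                                ' fmul 3, fsub 2
    t = t + 15                                   ' fsub of a negative constant
    Regcode = CStr(t)
End Function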
```
# 疑问
这次VB程序的局部变量又没有变成local.1这种形式了,有什么办法让它强制变么?
谢谢分享,楼下解答 坚持下来,做完这个系列 支持一下争取做完全部 厉害,仰望大佬。我什么时候才能像大佬一样牛 哥哥的肥皂 发表于 2021-1-13 09:23
厉害,仰望大佬。我什么时候才能像大佬一样牛
工具都不大会用,完全新手。 感谢楼主分享? 感谢楼主分享,学习 感谢楼主分享 请问开始的广告是怎么跳过的?谢谢