一个 BumpyFlea's CrackMe 的破解分析(总共有5个关卡)(使用了P-Code的编译方式)
转自看雪论坛附件稍后补上 忘记论坛密码了标 题: 【原创】 一个 BumpyFlea's CrackMe 的破解分析(总共有5个关卡)(使用了P-Code的编译方式)
作 者: CuteSnail
时 间: 2007-12-29,14:51:38
链 接: http://bbs.pediy.com/showthread.php?t=57307
【文章标题】: 一个 BumpyFlea's CrackMe 的破解分析+(总共有5个关卡)+(使用了P-Code的编译方式)
【文章作者】: CuteSnail
【作者QQ号】: 121567771
【作者声明】: 只是感兴趣的自娱自乐,没有其他目的。失误之处还要敬请诸位大侠赐教!
-------------------------------------------------------------------------------
【详细过程】
程序用了VB6的 P-Code 方式编译,因此使用了 VBExplorer 1.1 来静态反编译;使用了 WKTVBDE 4.1 来动态跟踪(从第3关开始):
||===||
||第1关: Remove Me (NAG窗口的爆破),代码见下面的分析:
||===||
:00404C6C27FCFE LitVar ;PushVar LOCAL_0104
:00404C6F271CFF LitVar ;PushVar LOCAL_00E4
******Possible String Ref To->"Remove Me"
|
:00404C723A4CFF1400 LitVarStr ;PushVarString ptr_00402920
:00404C774E3CFF FStVarCopyObj ;=vbaVarDup(Pop)
:00404C7A043CFF FLdRfVar ;Push LOCAL_00C4
:00404C7DF530000000 LitI4 ;Push 00000030
******Possible String Ref To->"This is a nag, U need to Remove Me"
|
:00404C823A6CFF1500 LitVarStr ;PushVarString ptr_004028D4
:00404C874E5CFF FStVarCopyObj ;=vbaVarDup(Pop)
:00404C8A045CFF FLdRfVar ;Push LOCAL_00A4
**********Reference To->msvbvm60.rtcMsgBox
|
:00404C8D0A0D001400 ImpAdCallFPR4 ;//很明显,就是这里弹出了NAG的对话框!//
:00404C923608005CFF3CFF1C FFreeVar ;Free 0008/2 variants
:00404C9DF400 LitI2_Byte ;Push 00
:00404C9F21 FLdPrThis ;=
:00404CA00FFC02 VCallAd ;Return the control index 01
:00404CA319F8FE FStAdFunc ;
:00404CA608F8FE FLdPr ;=
:后面的代码省略。。。
从上面可以知道,00404C8D 处的 ImpAdCallFPR4 命令就是弹出NAG对话框的命名,只要将它跳过,就OK了;而P-Code的jmp/je/jne命令则分别对应是如下:
(正常格式) (P-Code格式)
jmp xxXX<=> Branch xxXX ;以机器码1E开头; 机器码长度为3,后2位机器码放跳转的长度;xxXX为跳转地址,xx表示地位,XX表示高位.
je xxXX <=> BranchT xxXX;以机器码1D开头; 机器码长度为3,其余同上.
jne xxXX<=> BranchF xxXX;以机器码1C开头; 机器码长度为3,其余同上.
故将上面的:
:00404C8D0A0D001400 ImpAdCallFPR4 ;这里弹出NAG的对话框
这行命令的机器码:“0A0D001400” 用16进制编辑软件(如:010 Editor)定位到地址00404C8D后,
将其先修改为: “1E00000000”,然后再用VBExplorer来反编译,便发现该处变为如下的命令了:
:00404C8D1E0000 Branch ;ESI=00404C6C //注意这句中 ESI 的数值大小
:00404C900000 LargeBos ;被修改的地方,机器码仍然为3+2=5的总长度
从上面可以看到 ESI=00404C6C 这句,而要强制跳转的地方便是紧跟上面语句之后的00404C92处的语句,故用 00404C92 - 00404C6C = 26(十进制38),知道了要跳的长度为16进制的26,因此将上面修改后的机器码“1E00000000”的1E后面的长度 0000 修改为 2600 (26放前面,是因为寄存器中是低位放前面,高位放后面),即变为:“1E26000000”便OK了!运行程序,NAG窗口被爆破了,呵呵。
||===||
||第2关: Level 1 Menu: Password (Password的寻找),代码见下面的分析:
||===||
:00404D640474FF FLdRfVar
:00404D6721 FLdPrThis
:00404D680F9003 VCallAd
:00404D6B1978FF FStAdFunc
:00404D6E0878FF FLdPr
***********Reference To:TextBox.Text ;得到输入的PassWord
|
:00404D710DA0000A00 VCallHresult ;Call ptr_00402734
:00404D766C74FF ILdRf
******Possible String Ref To->"123454321" ;//假的注册码
|
:00404D791B1700 LitStr
:00404D7CFB30 EqStr
:00404D7E2F74FF FFree1Str
:00404D811A78FF FFree1Ad
:00404D841C5400 BranchF ;If Pop=0 then ESI=00404DB8//这里需要跳走
:00404D8727F4FE LitVar
:00404D8A2714FF LitVar
******Possible String Ref To->"Almost" ;//假注册对话框的标题
|
:00404D8D3A44FF1800 LitVarStr
:00404D924E34FF FStVarCopyObj
:00404D950434FF FLdRfVar
:00404D98F500000000 LitI4
******Possible String Ref To->"Nice try. I also Use this number. Unfortunatly it ain't the password."
| ;//假注册对话框的内容
:00404D9D3A64FF1900 LitVarStr
:00404DA24E54FF FStVarCopyObj
:00404DA50454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00404DA80A0D001400 ImpAdCallFPR4 ;弹出假注册的对话框
:00404DAD36080054FF34FF14 FFreeVar
:00404DB80474FF FLdRfVar ;Push LOCAL_008C
:00404DBB21 FLdPrThis
:00404DBC0F9003 VCallAd
:00404DBF1978FF FStAdFunc
:00404DC20878FF FLdPr
***********Reference To:TextBox.Text ;得到输入的PassWord
|
:00404DC50DA0000A00 VCallHresult
:00404DCA6C74FF ILdRf
******Possible String Ref To->"bUmPy FlEa 1799" ;真正的PassWord,明码固定的比较
|
:00404DCD1B1A00 LitStr
:00404DD0FB30 EqStr
:00404DD22F74FF FFree1Str
:00404DD51A78FF FFree1Ad
:00404DD81CA800 BranchF ;If Pop=0 then ESI=00404E0C//关键比较,不能跳走
:00404DDB27F4FE LitVar
:00404DDE2714FF LitVar
******Possible String Ref To->"Congratz" ;//成功的注册对话框的标题
|
:00404DE13A44FF1B00 LitVarStr
:00404DE64E34FF FStVarCopyObj
:00404DE90434FF FLdRfVar
:00404DECF500000000 LitI4
******Possible String Ref To->"Congradulations. You found the correct Password"
| ;//成功的注册对话框的内容
:00404DF13A64FF1C00 LitVarStr
:00404DF64E54FF FStVarCopyObj
:00404DF90454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00404DFC0A0D001400 ImpAdCallFPR4 ;弹出成功的注册对话框
:00404E0136080054FF34FF14 FFreeVar
:00404E0C0474FF FLdRfVar ;Push LOCAL_008C
:00404E0F21 FLdPrThis
:00404E100F9003 VCallAd
:00404E131978FF FStAdFunc
:00404E160878FF FLdPr
***********Reference To:TextBox.Text
|
:00404E190DA0000A00 VCallHresult ;得到输入的PassWord
:00404E1E6C74FF ILdRf
:00404E214A FnLenStr
:00404E22F519000000 LitI4
:00404E27E0 GeI4
:00404E282F74FF FFree1Str
:00404E2B1A78FF FFree1Ad
:00404E2E1CFE00 BranchF ;If Pop=0 then ESI=00404E62 //PassWord不长,则不提示
:00404E3127F4FE LitVar
:00404E342714FF LitVar
******Possible String Ref To->"Password isn't this long"
|
:00404E373A44FF1D00 LitVarStr ;PassWord太长的提示标题
:00404E3C4E34FF FStVarCopyObj
:00404E3F0434FF FLdRfVar
:00404E42F500000000 LitI4
******Possible String Ref To->"Your Password is a little too long"
|
:00404E473A64FF1E00 LitVarStr ;PassWord太长的提示内容
:00404E4C4E54FF FStVarCopyObj
:00404E4F0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00404E520A0D001400 ImpAdCallFPR4 ;PassWord太长的提示对话框
:00404E5736080054FF34FF14 FFreeVar
:00404E6213 ExitProcHresult ;
从上面的分析,便可以很轻松的得到真正正确的PassWord为:bUmPy FlEa 1799
然后,开始进入第3关。
||===||
||第3关: Level 1 Menu: Enable Me (启用屏蔽的菜单),见下面的修改:
||===||
http://bbs.pediy.com/attachment.php?attachmentid=10641&d=1198911003
用16进制编辑软件(如:010 Editor)打开该CrackMe后,搜索字符串'Enable Me',找到后,将它后面紧跟的(1BC2处开始)机器码:
00 05 修改为:
00 06
即可!(因为:05=表示禁用; 06=表示启用,呵呵 ;)
||===||
||第4关: Level 2 Menu: Serial Code (注册名/注册码的检测),代码见下面的分析(VBExplorer1.1配合WKTVBDE4.1的分析):
||===||
:004052200002 LargeBos ;IDE beginning of line with 02 byte codes
:004052220005 LargeBos ;IDE beginning of line with 05 byte codes
:004052244BFFFF OnErrorGoto
:004052270027 LargeBos ;IDE beginning of line with 27 byte codes
:004052290474FF FLdRfVar
:0040522C21 FLdPrThis
:0040522D0F2003 VCallAd
:004052301978FF FStAdFunc
:004052330878FF FLdPr
***********Reference To:TextBox.Text
|
:004052360DA0000A00 VCallHresult ;得到注册名
:0040523B6C74FF ILdRf
:0040523E4A FnLenStr ;得到其长度
:0040523FF506000000 LitI4 ;装入数值6
:00405244D6 LeI4
:004052452F74FF FFree1Str
:004052481A78FF FFree1Ad ;与6比较
:0040524B1C6400 BranchF ;If Pop=0 then ESI=00405284 //大于跳走
:0040524E0033 LargeBos ;IDE beginning of line with 33 byte codes
:0040525027F4FE LitVar
:004052532714FF LitVar
******Possible String Ref To->"Try again"
|
:004052563A44FF0B00 LitVarStr ;注册名长度不符的提示标题
:0040525B4E34FF FStVarCopyObj
:0040525E0434FF FLdRfVar
:00405261F500000000 LitI4
******Possible String Ref To->"Name must be greater than 6 characters"
|
:004052663A64FF0C00 LitVarStr ;注册名长度不符的提示内容
:0040526B4E54FF FStVarCopyObj
:0040526E0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:004052710A0D001400 ImpAdCallFPR4 ;注册名长度不符的提示对话框
:0040527636080054FF34FF14 FFreeVar
:004052811EC101 Branch ;跳走,失败
:004052840025 LargeBos ;注册名长度大于6,来到这里:
:004052860474FF FLdRfVar
:0040528921 FLdPrThis
:0040528A0F1C03 VCallAd
:0040528D1978FF FStAdFunc
:004052900878FF FLdPr
***********Reference To:TextBox.Text
|
:004052930DA0000A00 VCallHresult ;得到注册码
:004052986C74FF ILdRf
******Possible String Ref To->""
|
:0040529B1B0E00 LitStr
:0040529EFB30 EqStr
:004052A02F74FF FFree1Str
:004052A31A78FF FFree1Ad ;是否为空
:004052A61CBF00 BranchF ;If Pop=0 then ESI=004052DF //不为空,跳走
:004052A90033 LargeBos
:004052AB27F4FE LitVar
:004052AE2714FF LitVar
******Possible String Ref To->"Might help"
|
:004052B13A44FF0F00 LitVarStr ;注册码不符的提示标题
:004052B64E34FF FStVarCopyObj
:004052B90434FF FLdRfVar
:004052BCF500000000 LitI4
******Possible String Ref To->"Please enter a serial code"
|
:004052C13A64FF1000 LitVarStr ;注册码不符的提示内容
:004052C64E54FF FStVarCopyObj
:004052C90454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:004052CC0A0D001400 ImpAdCallFPR4 ;注册码不符的提示对话框
:004052D136080054FF34FF14 FFreeVar
:004052DC1EC101 Branch ;跳走,失败
:004052DF0041 LargeBos ;注册码符合要求,来到这里//在WKTVBDE中这里下断,F8键跟进://
:004052E10474FF FLdRfVar
:004052E421 FLdPrThis
:004052E50F1C03 VCallAd
:004052E81978FF FStAdFunc
:004052EB0878FF FLdPr
***********Reference To:TextBox.Text
|
:004052EE0DA0000A00 VCallHresult ;得到注册名
:004052F36C74FF ILdRf
:004052F6F35243 LitI2
:004052F9FBFD CStrUI1 ;转换为10进制字符码值
:004052FB23F0FE FStStrNoPop
:004052FE080800 FLdPr
:00405301893400 MemLdI2
:00405304FBFD CStrUI1 ;再次转换?
:0040530623ECFE FStStrNoPop
:004053092A ConcatStr ;连接字符//得到完全的注册码
:0040530A23E8FE FStStrNoPop
:0040530DFB3D NeStr
:0040530F320800F0FEECFE74 FFreeStr
:0040531A1A78FF FFree1Ad ;关键比较
:0040531D1C4D01 BranchF ;If Pop=0 then ESI=0040536D //跳走,成功
:004053200033 LargeBos
:0040532227F4FE LitVar
:004053252714FF LitVar
******Possible String Ref To->"Try again"
|
:004053283A44FF0B00 LitVarStr ;注册码错误提示标题
:0040532D4E34FF FStVarCopyObj
:004053300434FF FLdRfVar
:00405333F500000000 LitI4
******Possible String Ref To->"Soz, but that ain't the correct serial"
|
:004053383A64FF1100 LitVarStr ;注册码错误提示内容
:0040533D4E54FF FStVarCopyObj
:004053400454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:004053430A0D001400 ImpAdCallFPR4 ;注册码错误提示对话框
:0040534836080054FF34FF14 FFreeVar
:004053530017 LargeBos
******Possible String Ref To->""
|
:004053551B0E00 LitStr
:0040535821 FLdPrThis
:004053590F1C03 VCallAd
:0040535C1978FF FStAdFunc
:0040535F0878FF FLdPr
***********Reference To:TextBox.Text
|
:004053620DA4000A00 VCallHresult ;清空注册码
:004053671A78FF FFree1Ad
:0040536A1EC101 Branch ;失败,从这里跳走
:0040536D0041 LargeBos ;前面成功,便来到这里
:0040536F0474FF FLdRfVar
:0040537221 FLdPrThis
:004053730F1C03 VCallAd
:004053761978FF FStAdFunc
:004053790878FF FLdPr
***********Reference To:TextBox.Text
|
:0040537C0DA0000A00 VCallHresult
:004053816C74FF ILdRf
:00405384F35243 LitI2
:00405387FBFD CStrUI1
:0040538923F0FE FStStrNoPop
:0040538C080800 FLdPr
:0040538F893400 MemLdI2
:00405392FBFD CStrUI1
:0040539423ECFE FStStrNoPop
:004053972A ConcatStr
:0040539823E8FE FStStrNoPop
:0040539BFB30 EqStr
:0040539D320800F0FEECFE74 FFreeStr
:004053A81A78FF FFree1Ad
:004053AB1CC101 BranchF ;If Pop=0 then ESI=004053E1 //跳走,失败
:004053AE0033 LargeBos
:004053B027F4FE LitVar
:004053B32714FF LitVar
******Possible String Ref To->"Congradz"
|
:004053B63A44FF1200 LitVarStr ;注册码正确提示标题
:004053BB4E34FF FStVarCopyObj
:004053BE0434FF FLdRfVar
:004053C1F500000000 LitI4
******Possible String Ref To->"Well Done. Now generate a keygen"
|
:004053C63A64FF1300 LitVarStr ;注册码正确提示内容
:004053CB4E54FF FStVarCopyObj
:004053CE0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:004053D10A0D001400 ImpAdCallFPR4 ;注册码正确提示对话框
:004053D636080054FF34FF14 FFreeVar
:004053E10002 LargeBos
:004053E30000 LargeBos
:004053E513 ExitProcHresult
:004053E60000 LargeBos
经过上面的分析后,知道了注册码是由固定字符串‘17234’连接上注册名的运算结果后得到的,注册名的运算通过在WKTVBDE中分析后,大致算法用pascal语言表示,就是:
//////////////////////////////////////
program keygen;
var
name : string;
i, tmp : integer;
begin
write('name:');
readln(name);
tmp := 0;
for i := 1 to length(name) do
tmp := tmp + ord(name) * (i-1);
writeln('Serial: 17234', tmp);
readln;
end.
//////////////////////////////////////
够简单吧,嘿嘿,放上一组注册信息:
Name: CuteSnail
Serial Code: 172343715
||===||
||第5关: Level 3 Menu: Solve The Patterns (框框条条的很奇怪的检测),代码见下面的分析:
||===||
:0040543C0476FF FLdRfVar ;开始分析:
:0040543F21 FLdPrThis
:004054400F7003 VCallAd ;第1个选择框的状态(在WKTVBDE中定位)
:004054431978FF FStAdFunc
:004054460878FF FLdPr
***********Reference To:CheckBox.Value
|
:004054490DE0000200 VCallHresult
:0040544E6B76FF FLdI2
:00405451F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:00405453C6 EqI2 ;检测是否被选上!
:00405454046EFF FLdRfVar
:0040545721 FLdPrThis
:004054580F5C03 VCallAd ;第6个选择框的状态(排列顺序为:从上倒下,从左到右)
:0040545B1970FF FStAdFunc
:0040545E0870FF FLdPr
***********Reference To:CheckBox.Value
|
:004054610DE0000200 VCallHresult
:004054666B6EFF FLdI2
:00405469F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:0040546BC6 EqI2 ;检测是否被选上!
:0040546CC4 AndI4
:0040546D0466FF FLdRfVar
:0040547021 FLdPrThis
:004054710F4803 VCallAd ;第11个选择框的状态
:004054741968FF FStAdFunc
:004054770868FF FLdPr
***********Reference To:CheckBox.Value
|
:0040547A0DE0000200 VCallHresult
:0040547F6B66FF FLdI2
:00405482F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:00405484C6 EqI2 ;检测是否被选上!
:00405485C4 AndI4
:00405486045EFF FLdRfVar
:0040548921 FLdPrThis
:0040548A0F3403 VCallAd ;第16个选择框的状态
:0040548D1960FF FStAdFunc
:004054900860FF FLdPr
***********Reference To:CheckBox.Value
|
:004054930DE0000200 VCallHresult
:004054986B5EFF FLdI2
:0040549BF401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:0040549DC6 EqI2 ;检测是否被选上!
:0040549EC4 AndI4
:0040549F0456FF FLdRfVar
:004054A221 FLdPrThis
:004054A30F6C03 VCallAd ;第2个选择框的状态
:004054A61958FF FStAdFunc
:004054A90858FF FLdPr
***********Reference To:CheckBox.Value
|
:004054AC0DE0000200 VCallHresult
:004054B16B56FF FLdI2
:004054B4F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:004054B6C6 EqI2 ;检测是否被选上!
:004054B7C4 AndI4
:004054B8044EFF FLdRfVar
:004054BB21 FLdPrThis
:004054BC0F5003 VCallAd ;第9个选择框的状态
:004054BF1950FF FStAdFunc
:004054C20850FF FLdPr
***********Reference To:CheckBox.Value
|
:004054C50DE0000200 VCallHresult
:004054CA6B4EFF FLdI2
:004054CDF401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:004054CFC6 EqI2 ;检测是否被选上!
:004054D0C4 AndI4
:004054D10446FF FLdRfVar
:004054D421 FLdPrThis
:004054D50F3C03 VCallAd ;第14个选择框的状态
:004054D81948FF FStAdFunc
:004054DB0848FF FLdPr
***********Reference To:CheckBox.Value
|
:004054DE0DE0000200 VCallHresult
:004054E36B46FF FLdI2
:004054E6F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:004054E8C6 EqI2 ;检测是否被选上!
:004054E9C4 AndI4
:004054EA043EFF FLdRfVar
:004054ED21 FLdPrThis
:004054EE0F6403 VCallAd ;第4个选择框的状态
:004054F11940FF FStAdFunc
:004054F40840FF FLdPr
***********Reference To:CheckBox.Value
|
:004054F70DE0000200 VCallHresult
:004054FC6B3EFF FLdI2
:004054FFF401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了
:00405501C6 EqI2 ;检测是否被选上!
:00405502C4 AndI4
:004055030436FF FLdRfVar
:0040550621 FLdPrThis
:004055070F5403 VCallAd ;第8个选择框的状态
:0040550A1938FF FStAdFunc
:0040550D0838FF FLdPr
***********Reference To:CheckBox.Value
|
:004055100DE0000200 VCallHresult
:004055156B36FF FLdI2
:00405518F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:0040551AC6 EqI2 ;检测是否被选上!
:0040551BC4 AndI4
:0040551C042EFF FLdRfVar
:0040551F21 FLdPrThis
:004055200F6803 VCallAd ;第3个选择框的状态
:004055231930FF FStAdFunc
:004055260830FF FLdPr
***********Reference To:CheckBox.Value
|
:004055290DE0000200 VCallHresult
:0040552E6B2EFF FLdI2
:00405531F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:00405533C6 EqI2 ;检测是否被选上!
:00405534C4 AndI4
:004055350426FF FLdRfVar
:0040553821 FLdPrThis
:004055390F6003 VCallAd ;第5个选择框的状态
:0040553C1928FF FStAdFunc
:0040553F0828FF FLdPr
***********Reference To:CheckBox.Value
|
:004055420DE0000200 VCallHresult
:004055476B26FF FLdI2
:0040554AF400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:0040554CC6 EqI2 ;检测是否被选上!
:0040554DC4 AndI4
:0040554E041EFF FLdRfVar
:0040555121 FLdPrThis
:004055520F5803 VCallAd ;第7个选择框的状态
:004055551920FF FStAdFunc
:004055580820FF FLdPr
***********Reference To:CheckBox.Value
|
:0040555B0DE0000200 VCallHresult
:004055606B1EFF FLdI2
:00405563F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:00405565C6 EqI2 ;检测是否被选上!
:00405566C4 AndI4
:004055670416FF FLdRfVar
:0040556A21 FLdPrThis
:0040556B0F4C03 VCallAd ;第10个选择框的状态
:0040556E1918FF FStAdFunc
:004055710818FF FLdPr
***********Reference To:CheckBox.Value
|
:004055740DE0000200 VCallHresult
:004055796B16FF FLdI2
:0040557CF400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:0040557EC6 EqI2 ;检测是否被选上!
:0040557FC4 AndI4
:00405580040EFF FLdRfVar
:0040558321 FLdPrThis
:004055840F4403 VCallAd ;第12个选择框的状态
:004055871910FF FStAdFunc
:0040558A0810FF FLdPr
***********Reference To:CheckBox.Value
|
:0040558D0DE0000200 VCallHresult
:004055926B0EFF FLdI2
:00405595F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:00405597C6 EqI2 ;检测是否被选上!
:00405598C4 AndI4
:004055990406FF FLdRfVar
:0040559C21 FLdPrThis
:0040559D0F4003 VCallAd ;第13个选择框的状态
:004055A01908FF FStAdFunc
:004055A30808FF FLdPr
***********Reference To:CheckBox.Value
|
:004055A60DE0000200 VCallHresult
:004055AB6B06FF FLdI2
:004055AEF400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:004055B0C6 EqI2 ;检测是否被选上!
:004055B1C4 AndI4
:004055B204FEFE FLdRfVar
:004055B521 FLdPrThis
:004055B60F3803 VCallAd ;第15个选择框的状态
:004055B91900FF FStAdFunc
:004055BC0800FF FLdPr
***********Reference To:CheckBox.Value
|
:004055BF0DE0000200 VCallHresult ;第16个选择框的状态
:004055C46BFEFE FLdI2
:004055C7F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上
:004055C9C6 EqI2 ;检测是否被选上!
:004055CAC4 AndI4
:004055CB29200078FF70FF68 FFreeAd
:004055EE1CC101 BranchF ;关键跳转,符合上面的条件,便不跳走
******Possible String Ref To->"true"
|
:004055F13ADCFE0300 LitVarStr
:004055F6FD00ECFE FStVarCopy
:004055FA1ECA01 Branch ;跳走
******Possible String Ref To->"false"
|
:004055FD3ADCFE0400 LitVarStr
:00405602FD00ECFE FStVarCopy
:0040560621 FLdPrThis ;跳来到这里(当符合上面的要求时)
:004056070FBC03 VCallAd ;得到滑动条1的状态
:0040560A1978FF FStAdFunc
:0040560D0878FF FLdPr
:0040561061CCFE0B000000 LateIdLdVar
:00405617FC22 CI4Var
:00405619F503000000 LitI4 ;Push 00000003 //压入数值3
:0040561EC7 EqI4 ;Push (Pop1 == Pop2) //两者比较是否一样
:0040561F21 FLdPrThis
:004056200FB803 VCallAd ;得到滑动条2的状态
:004056231970FF FStAdFunc
:004056260870FF FLdPr
:0040562961BCFE0B000000 LateIdLdVar
:00405630FC22 CI4Var
:00405632F508000000 LitI4 ;Push 00000008 //压入数值8
:00405637C7 EqI4 ;Push (Pop1 == Pop2) //两者比较是否一样
:00405638C4 AndI4
:0040563929040078FF70FF FFreeAd
:00405640360400CCFEBCFE FFreeVar
:004056471C1A02 BranchF ;关键跳转,符合上面的条件,便不跳走
******Possible String Ref To->"true"
|
:0040564A3ADCFE0300 LitVarStr
:0040564FFD00ACFE FStVarCopy
:004056531E2302 Branch ;跳走
******Possible String Ref To->"false"
|
:004056563ADCFE0400 LitVarStr
:0040565BFD00ACFE FStVarCopy
:0040565F04ECFE FLdRfVar ;跳来到这里(当符合上面的要求时)
******Possible String Ref To->"true"
|
:004056623ADCFE0300 LitVarStr
:004056675D HardType
:00405668FB2FCCFE EqVar
:0040566C04ACFE FLdRfVar
******Possible String Ref To->"false"
|
:0040566F3A9CFE0400 LitVarStr
:004056745D HardType
:00405675FB2FBCFE EqVar
:00405679FB278CFE AndVar
:0040567DFF1B CBoolVarNull
:0040567F1C5B02 BranchF ;关键跳转,符合上面的条件,跳走
******Possible String Ref To->"Almost there, now just get the slider values"
|
:004056821B0500 LitStr ;这是快要成功的提示
:0040568521 FLdPrThis
:004056860F7403 VCallAd
:004056891978FF FStAdFunc
:0040568C0878FF FLdPr
***********Reference To:Label.Caption
|
:0040568F0D54000600 VCallHresult
:004056941A78FF FFree1Ad
:0040569704ECFE FLdRfVar ;跳来到这里(当符合上面的要求时)
******Possible String Ref To->"false"
|
:0040569A3ADCFE0400 LitVarStr
:0040569F5D HardType
:004056A0FB2FCCFE EqVar
:004056A404ACFE FLdRfVar
******Possible String Ref To->"true"
|
:004056A73A9CFE0300 LitVarStr
:004056AC5D HardType
:004056ADFB2FBCFE EqVar
:004056B1FB278CFE AndVar
:004056B5FF1B CBoolVarNull
:004056B71C9302 BranchF ;关键跳转,符合上面的条件,跳走
******Possible String Ref To->"Almost there, now just get the boxes right"
|
:004056BA1B0700 LitStr ;这是快要成功的提示
:004056BD21 FLdPrThis
:004056BE0F7403 VCallAd
:004056C11978FF FStAdFunc
:004056C40878FF FLdPr
***********Reference To:Label.Caption
|
:004056C70D54000600 VCallHresult
:004056CC1A78FF FFree1Ad
:004056CF04ECFE FLdRfVar ;跳来到这里(当符合上面的要求时)
******Possible String Ref To->"true"
|
:004056D23ADCFE0300 LitVarStr
:004056D75D HardType
:004056D8FB2FCCFE EqVar
:004056DC04ACFE FLdRfVar
******Possible String Ref To->"true"
|
:004056DF3A9CFE0300 LitVarStr
:004056E45D HardType
:004056E5FB2FBCFE EqVar
:004056E9FB278CFE AndVar
:004056EDFF1B CBoolVarNull
:004056EF1CCB02 BranchF ;关键跳转,符合上面的条件,便不跳走
******Possible String Ref To->"Congradulations, you figured it out"
|
:004056F21B0800 LitStr ;注册成功的提示
:004056F521 FLdPrThis
:004056F60F7403 VCallAd
:004056F91978FF FStAdFunc
:004056FC0878FF FLdPr
:后面的代码省略。。。
从上面的比较来看,有8处的CheckBox状态检测是Push 01,剩下的8处便是Push 00,因此需要有8个CheckBox选择框需要被选上,它们分别是:第1、6、11、16、2、9、14、4位置的CheckBox选择框,而8、3、5、7、10、12、13、15位置的选择框则不能被选上;上面的第一根滑动条的数值必须是3,下面的第二根滑动条的数值必须是8,符合上面的这些要求,便注册成功了,哈哈^_^
-----------------------------------------------------------------------------------
【版权声明】: 本文由 CuteSnail 原创, 转载请注明作者并保持文章的完整性, 谢谢! 再见!!
不会吧。。。。看这里。。。。。。。。
http://www.unpack.cn/forum.php?mod=viewthread&tid=20896
页:
[1]