吾爱破解2012CM大赛破文-CM_fywy
【文章标题】: 吾爱破解2012CM大赛破文
【文章作者】: DZ
【软件名称】:CM_fywy
【难 度】: 易
【下载地址】: http://www.52pojie.cn/thread-146108-1-1.html
【作者声明】: 一个一个来,慢慢分析,直到最难 ^^
--------------------------------------------------------------------------------
【详细过程】
此CM是VB写的,代码看着头疼,没办法,还是硬着头皮看下去了。下面是按钮事件的过程,关键位置已经加了注释:
00402F50 > \55 push ebp
00402F51 .8BEC mov ebp,esp
00402F53 .83EC 0C sub esp,0C
00402F56 .68 F6104000 push <jmp.&MSVBVM60.__vbaExceptHandler> ;SE handler installation
00402F5B .64:A1 00000000mov eax,dword ptr fs:
....................此处省略10000+字@(^$^)@ .....................................
00402FEE .68 A0000000 push 0A0
00402FF3 .68 74264000 push fywy.00402674
00402FF8 .53 push ebx
00402FF9 .50 push eax
00402FFA .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
00403000 >8B55 D4 mov edx,dword ptr ss: ;★★★★★★★★★★→|| = = 用户名
00403003 .8D4D D8 lea ecx,dword ptr ss:
00403006 .8975 D4 mov dword ptr ss:,esi
00403009 .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
0040300F .8B1D BC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
00403015 .8D4D CC lea ecx,dword ptr ss:
00403018 .FFD3 call ebx ;<&MSVBVM60.__vbaFreeObj>
0040301A .8B45 D8 mov eax,dword ptr ss: ;★★★★★★★★★★→|| eax = =用户名
0040301D .50 push eax
0040301E .68 88264000 push fywy.00402688
00403023 .FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ;msvbvm60.__vbaStrCmp
00403029 .85C0 test eax,eax
0040302B .75 3C jnz short fywy.00403069
0040302D .8B0F mov ecx,dword ptr ds:
0040302F .57 push edi
00403030 .FF91 08030000 call dword ptr ds:
00403036 .8D55 CC lea edx,dword ptr ss:
00403039 .50 push eax
0040303A .52 push edx
0040303B .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
00403041 .8BF8 mov edi,eax
00403043 .57 push edi
00403044 .8B07 mov eax,dword ptr ds:
00403046 .FF90 04020000 call dword ptr ds:
0040304C .3BC6 cmp eax,esi
0040304E .DBE2 fclex
00403050 .7D 12 jge short fywy.00403064
00403052 .68 04020000 push 204
00403057 .68 74264000 push fywy.00402674
0040305C .57 push edi
0040305D .50 push eax
0040305E .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
00403064 >8D4D CC lea ecx,dword ptr ss:
00403067 .FFD3 call ebx
00403069 >8B4D D8 mov ecx,dword ptr ss:
0040306C .51 push ecx ;★★★★★★★★★★→|| = = 用户名
0040306D .FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;msvbvm60.__vbaLenBstr
00403073 .8BC8 mov ecx,eax ;★★★★★★★★★★→|| ecx = 用户名长度
00403075 .FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ;msvbvm60.__vbaI2I4
0040307B .8B3D 20104000 mov edi,dword ptr ds:[<&MSVBVM60.#516>] ;msvbvm60.rtcAnsiValueBstr
00403081 .8985 2CFFFFFF mov dword ptr ss:,eax
下面两个循环对用户名进行操作计算:
----------------------------------- 循环1开始 --------------------------------------------------------------
00403087 .B8 01000000 mov eax,1
0040308C .8945 E8 mov dword ptr ss:,eax
0040308F >66:3B85 2CFFFFF>cmp ax,word ptr ss: ;★★★★★★★★★★→|| =用户名位数, 用ax做计次变量
00403096 .0F8F 71040000 jg fywy.0040350D
0040309C .8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
004030A2 .8D55 D8 lea edx,dword ptr ss:
004030A5 .0FBFF0 movsx esi,ax
004030A8 .8D45 B8 lea eax,dword ptr ss:
004030AB .8955 80 mov dword ptr ss:,edx
004030AE .50 push eax
004030AF .8D8D 78FFFFFF lea ecx,dword ptr ss:
004030B5 .56 push esi
004030B6 .8D55 A8 lea edx,dword ptr ss:
004030B9 .51 push ecx
004030BA .52 push edx
004030BB .C745 C0 0100000>mov dword ptr ss:,1
004030C2 .C745 B8 0200000>mov dword ptr ss:,2
004030C9 .C785 78FFFFFF 0>mov dword ptr ss:,4008
004030D3 .FFD3 call ebx ;<&MSVBVM60.#632>
004030D5 .8D45 D8 lea eax,dword ptr ss:
004030D8 .8D4D 98 lea ecx,dword ptr ss:
004030DB .8985 60FFFFFF mov dword ptr ss:,eax
004030E1 .51 push ecx
004030E2 .8D95 58FFFFFF lea edx,dword ptr ss:
004030E8 .56 push esi
004030E9 .8D45 88 lea eax,dword ptr ss:
004030EC .52 push edx
004030ED .50 push eax
004030EE .C745 A0 0100000>mov dword ptr ss:,1
004030F5 .C745 98 0200000>mov dword ptr ss:,2
004030FC .C785 58FFFFFF 0>mov dword ptr ss:,4008
00403106 .FFD3 call ebx ;<&MSVBVM60.#632>
00403108 .8D4D 88 lea ecx,dword ptr ss:
0040310B .8D55 D0 lea edx,dword ptr ss:
0040310E .51 push ecx
0040310F .52 push edx
00403110 .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00403116 .50 push eax ;★★★★★★★★★★→|| = 用户名第 i 位
00403117 .FFD7 call edi
00403119 .33DB xor ebx,ebx
0040311B .66:3D 3900 cmp ax,39 ;★★★★★★★★★★→|| 比较用户名第 i 位和 '9'
0040311F .8D45 A8 lea eax,dword ptr ss:
00403122 .8D4D D4 lea ecx,dword ptr ss:
00403125 .0F9EC3 setle bl ;★★★★★★★★★★→|| 如果用户名第一位 <= '9' ,则 bl =1
00403128 .50 push eax
00403129 .51 push ecx
0040312A .F7DB neg ebx
0040312C .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00403132 .50 push eax ;★★★★★★★★★★→|| = 用户名第 i 位
00403133 .FFD7 call edi
00403135 .33D2 xor edx,edx ;★★★★★★★★★★→|| eax = 用户名第 i 位ASCII
00403137 .66:3D 3000 cmp ax,30 ;★★★★★★★★★★→|| 比较 用户名第 i 位和 0
0040313B .8D45 D0 lea eax,dword ptr ss:
0040313E .8D4D D4 lea ecx,dword ptr ss:
00403141 .0F9DC2 setge dl ;★★★★★★★★★★→|| 如果用户名第 i 位 >= '0' ,则dl = 1
00403144 .50 push eax
00403145 .51 push ecx
00403146 .F7DA neg edx
00403148 .6A 02 push 2
0040314A .23DA and ebx,edx
0040314C .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
00403152 .8D55 88 lea edx,dword ptr ss:
00403155 .8D45 98 lea eax,dword ptr ss:
00403158 .52 push edx
00403159 .8D4D A8 lea ecx,dword ptr ss:
0040315C .50 push eax
0040315D .8D55 B8 lea edx,dword ptr ss:
00403160 .51 push ecx
00403161 .52 push edx
00403162 .6A 04 push 4
00403164 .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
0040316A .83C4 20 add esp,20
0040316D .C745 C0 0100000>mov dword ptr ss:,1
00403174 .66:85DB test bx,bx ;★★★★★★★★★★→|| 如果用户名第 i 位 > '9' ,则跳
00403177 .C745 B8 0200000>mov dword ptr ss:,2
0040317E .0F84 8F000000 je fywy.00403213
00403184 .8D45 D8 lea eax,dword ptr ss:
00403187 .8D4D B8 lea ecx,dword ptr ss:
0040318A .8945 80 mov dword ptr ss:,eax
0040318D .51 push ecx
0040318E .8D95 78FFFFFF lea edx,dword ptr ss:
00403194 .56 push esi
00403195 .8D45 A8 lea eax,dword ptr ss:
00403198 .52 push edx
00403199 .50 push eax
0040319A .C785 78FFFFFF 0>mov dword ptr ss:,4008
004031A4 .FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
004031AA .8B4D DC mov ecx,dword ptr ss:
004031AD .8D55 A8 lea edx,dword ptr ss:
004031B0 .51 push ecx
004031B1 .8D45 D4 lea eax,dword ptr ss:
004031B4 .52 push edx
004031B5 .50 push eax
004031B6 .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
004031BC .50 push eax
004031BD .FFD7 call edi
004031BF .66:05 3000 add ax,30 ;★★★★★★★★★★→|| 用户名第 i 位<='9' 时 = '用户名各位ASCII(十进制)+ 48再连接起来 ;暂时叫字符串S1
004031C3 .0F80 CB050000 jo fywy.00403794
004031C9 .50 push eax
004031CA .FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ;msvbvm60.__vbaStrI2
004031D0 .8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004031D6 .8BD0 mov edx,eax
004031D8 .8D4D D0 lea ecx,dword ptr ss:
004031DB .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
004031DD .50 push eax
004031DE .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ;msvbvm60.__vbaStrCat
004031E4 .8BD0 mov edx,eax
004031E6 .8D4D DC lea ecx,dword ptr ss:
004031E9 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
004031EB .8D4D D0 lea ecx,dword ptr ss:
004031EE .8D55 D4 lea edx,dword ptr ss:
004031F1 .51 push ecx
004031F2 .52 push edx
004031F3 .6A 02 push 2
004031F5 .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004031FB .8D45 A8 lea eax,dword ptr ss:
004031FE .8D4D B8 lea ecx,dword ptr ss:
00403201 .50 push eax
00403202 .51 push ecx
00403203 .6A 02 push 2
00403205 .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
0040320B .83C4 18 add esp,18
0040320E .E9 E3020000 jmp fywy.004034F6
00403213 >8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
00403219 .8D55 D8 lea edx,dword ptr ss:
0040321C .8D45 B8 lea eax,dword ptr ss:
0040321F .8955 80 mov dword ptr ss:,edx
00403222 .50 push eax
00403223 .8D8D 78FFFFFF lea ecx,dword ptr ss:
00403229 .56 push esi
0040322A .8D55 A8 lea edx,dword ptr ss:
0040322D .51 push ecx
0040322E .52 push edx
0040322F .C785 78FFFFFF 0>mov dword ptr ss:,4008
00403239 .FFD3 call ebx ;<&MSVBVM60.#632>
0040323B .8D45 D8 lea eax,dword ptr ss:
0040323E .8D4D 98 lea ecx,dword ptr ss:
00403241 .8985 60FFFFFF mov dword ptr ss:,eax
00403247 .51 push ecx
00403248 .8D95 58FFFFFF lea edx,dword ptr ss:
0040324E .56 push esi
0040324F .8D45 88 lea eax,dword ptr ss:
00403252 .52 push edx
00403253 .50 push eax
00403254 .C745 A0 0100000>mov dword ptr ss:,1
0040325B .C745 98 0200000>mov dword ptr ss:,2
00403262 .C785 58FFFFFF 0>mov dword ptr ss:,4008
0040326C .FFD3 call ebx ;<&MSVBVM60.#632>
0040326E .8D4D 88 lea ecx,dword ptr ss:
00403271 .8D55 D0 lea edx,dword ptr ss:
00403274 .51 push ecx
00403275 .52 push edx
00403276 .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
0040327C .50 push eax
0040327D .FFD7 call edi
0040327F .33DB xor ebx,ebx
00403281 .66:3D 5A00 cmp ax,5A ;★★★★★★★★★★→|| 比较用户名第 i 位和 'Z'
00403285 .8D45 A8 lea eax,dword ptr ss:
00403288 .8D4D D4 lea ecx,dword ptr ss:
0040328B .0F9EC3 setle bl ;★★★★★★★★★★→|| 如果用户名第 i 位 <= ' Z' ,则 bl = 1
0040328E .50 push eax
0040328F .51 push ecx
00403290 .F7DB neg ebx
00403292 .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00403298 .50 push eax ; = 's'
00403299 .FFD7 call edi
0040329B .33D2 xor edx,edx ;eax = 用户名第一位ASCII
0040329D .66:3D 4100 cmp ax,41 ;★★★★★★★★★★→|| 比较用户名第 i 位和 'A'
004032A1 .8D45 D0 lea eax,dword ptr ss:
004032A4 .8D4D D4 lea ecx,dword ptr ss:
004032A7 .0F9DC2 setge dl ;★★★★★★★★★★→|| 如果用户名第 i 位 >= 'A',则 dl = 1
004032AA .50 push eax
004032AB .51 push ecx
004032AC .F7DA neg edx
004032AE .6A 02 push 2
004032B0 .23DA and ebx,edx
004032B2 .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004032B8 .8D55 88 lea edx,dword ptr ss:
004032BB .8D45 98 lea eax,dword ptr ss:
004032BE .52 push edx
004032BF .8D4D A8 lea ecx,dword ptr ss:
004032C2 .50 push eax
004032C3 .8D55 B8 lea edx,dword ptr ss:
004032C6 .51 push ecx
004032C7 .52 push edx
004032C8 .6A 04 push 4
004032CA .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004032D0 .83C4 20 add esp,20
004032D3 .C745 C0 0100000>mov dword ptr ss:,1
004032DA .66:85DB test bx,bx ;★★★★★★★★★★→||若用户名第 i 位 >' Z ' ,则跳
004032DD .C745 B8 0200000>mov dword ptr ss:,2
004032E4 .0F84 8F000000 je fywy.00403379
004032EA .8D45 D8 lea eax,dword ptr ss:
004032ED .8D4D B8 lea ecx,dword ptr ss:
004032F0 .8945 80 mov dword ptr ss:,eax
004032F3 .51 push ecx
004032F4 .8D95 78FFFFFF lea edx,dword ptr ss:
004032FA .56 push esi
004032FB .8D45 A8 lea eax,dword ptr ss:
004032FE .52 push edx
004032FF .50 push eax
00403300 .C785 78FFFFFF 0>mov dword ptr ss:,4008
0040330A .FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
00403310 .8B4D DC mov ecx,dword ptr ss:
00403313 .8D55 A8 lea edx,dword ptr ss:
00403316 .51 push ecx
00403317 .8D45 D4 lea eax,dword ptr ss:
0040331A .52 push edx
0040331B .50 push eax
0040331C .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00403322 .50 push eax
00403323 .FFD7 call edi
00403325 .66:05 3200 add ax,32 ;★★★★★★★★★★→|| 用户名第 i 位 > '9 ' 且 <= 'Z' 时 = '用户名各位ASCII(十进制)+ 50 ,再连接起来
00403329 .0F80 65040000 jo fywy.00403794
0040332F .50 push eax
00403330 .FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ;msvbvm60.__vbaStrI2
00403336 .8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
0040333C .8BD0 mov edx,eax
0040333E .8D4D D0 lea ecx,dword ptr ss:
00403341 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
00403343 .50 push eax
00403344 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ;msvbvm60.__vbaStrCat
0040334A .8BD0 mov edx,eax
0040334C .8D4D DC lea ecx,dword ptr ss:
0040334F .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
00403351 .8D4D D0 lea ecx,dword ptr ss:
00403354 .8D55 D4 lea edx,dword ptr ss:
00403357 .51 push ecx
00403358 .52 push edx
00403359 .6A 02 push 2
0040335B .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
00403361 .8D45 A8 lea eax,dword ptr ss:
00403364 .8D4D B8 lea ecx,dword ptr ss:
00403367 .50 push eax
00403368 .51 push ecx
00403369 .6A 02 push 2
0040336B .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00403371 .83C4 18 add esp,18
00403374 .E9 7D010000 jmp fywy.004034F6
00403379 >8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
0040337F .8D55 D8 lea edx,dword ptr ss:
00403382 .8D45 B8 lea eax,dword ptr ss:
00403385 .8955 80 mov dword ptr ss:,edx
00403388 .50 push eax
00403389 .8D8D 78FFFFFF lea ecx,dword ptr ss:
0040338F .56 push esi
00403390 .8D55 A8 lea edx,dword ptr ss:
00403393 .51 push ecx
00403394 .52 push edx
00403395 .C785 78FFFFFF 0>mov dword ptr ss:,4008
0040339F .FFD3 call ebx ;<&MSVBVM60.#632>
004033A1 .8D45 D8 lea eax,dword ptr ss:
004033A4 .8D4D 98 lea ecx,dword ptr ss:
004033A7 .8985 60FFFFFF mov dword ptr ss:,eax
004033AD .51 push ecx
004033AE .8D95 58FFFFFF lea edx,dword ptr ss:
004033B4 .56 push esi
004033B5 .8D45 88 lea eax,dword ptr ss:
004033B8 .52 push edx
004033B9 .50 push eax
004033BA .C745 A0 0100000>mov dword ptr ss:,1
004033C1 .C745 98 0200000>mov dword ptr ss:,2
004033C8 .C785 58FFFFFF 0>mov dword ptr ss:,4008
004033D2 .FFD3 call ebx ;<&MSVBVM60.#632>
004033D4 .8D4D 88 lea ecx,dword ptr ss:
004033D7 .8D55 D0 lea edx,dword ptr ss:
004033DA .51 push ecx
004033DB .52 push edx
004033DC .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
004033E2 .50 push eax
004033E3 .FFD7 call edi
004033E5 .33DB xor ebx,ebx ;★★★★★★★★★★→|| eax = 用户名第 i 位ASCII
004033E7 .66:3D 7A00 cmp ax,7A ;★★★★★★★★★★→|| 比较用户名第 i 位和 'z'
004033EB .8D45 A8 lea eax,dword ptr ss:
004033EE .8D4D D4 lea ecx,dword ptr ss:
004033F1 .0F9EC3 setle bl ;★★★★★★★★★★→|| 如果用户名第 i 位 <= 'z',则 bl = 1
004033F4 .50 push eax
004033F5 .51 push ecx
004033F6 .F7DB neg ebx
004033F8 .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
004033FE .50 push eax
004033FF .FFD7 call edi
00403401 .33D2 xor edx,edx ;★★★★★★★★★★→|| eax = 用户名第 i 位ASCII
00403403 .66:3D 6100 cmp ax,61 ;★★★★★★★★★★→|| 比较用户名第 i 位和 'a'
00403407 .8D45 D0 lea eax,dword ptr ss:
0040340A .8D4D D4 lea ecx,dword ptr ss:
0040340D .0F9DC2 setge dl ;★★★★★★★★★★→|| 如果用户名第 i 位 >= 'a' ,则 dl = 1
00403410 .50 push eax
00403411 .51 push ecx
00403412 .F7DA neg edx
00403414 .6A 02 push 2
00403416 .23DA and ebx,edx
00403418 .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
0040341E .8D55 88 lea edx,dword ptr ss:
00403421 .8D45 98 lea eax,dword ptr ss:
00403424 .52 push edx
00403425 .8D4D A8 lea ecx,dword ptr ss:
00403428 .50 push eax
00403429 .8D55 B8 lea edx,dword ptr ss:
0040342C .51 push ecx
0040342D .52 push edx
0040342E .6A 04 push 4
00403430 .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00403436 .83C4 20 add esp,20
00403439 .66:85DB test bx,bx
0040343C .0F84 9A000000 je fywy.004034DC ;★★★★★★★★★★→|| 如果用户第i位 > 'z' ,则跳
00403442 .8D45 D8 lea eax,dword ptr ss:
00403445 .8D4D B8 lea ecx,dword ptr ss:
00403448 .8945 80 mov dword ptr ss:,eax
0040344B .51 push ecx
0040344C .8D95 78FFFFFF lea edx,dword ptr ss:
00403452 .56 push esi
00403453 .8D45 A8 lea eax,dword ptr ss:
00403456 .52 push edx
00403457 .50 push eax
00403458 .C745 C0 0100000>mov dword ptr ss:,1
0040345F .C745 B8 0200000>mov dword ptr ss:,2
00403466 .C785 78FFFFFF 0>mov dword ptr ss:,4008
00403470 .FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
00403476 .8B4D DC mov ecx,dword ptr ss:
00403479 .8D55 A8 lea edx,dword ptr ss:
0040347C .51 push ecx
0040347D .8D45 D4 lea eax,dword ptr ss:
00403480 .52 push edx
00403481 .50 push eax
00403482 .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00403488 .50 push eax ;★★★★★★★★★★→|| = 用户名第 i 位
00403489 .FFD7 call edi
0040348B .66:05 3400 add ax,34 ;★★★★★★★★★★→|| 若用户名第 i 位 > 'Z'且 <= 'z'时, '用户名各位ASCII(十进制)+ 52',再连接起来
0040348F .0F80 FF020000 jo fywy.00403794 ;若 OF = 1 则跳
00403495 .50 push eax
00403496 .FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ;msvbvm60.__vbaStrI2
0040349C .8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004034A2 .8BD0 mov edx,eax
004034A4 .8D4D D0 lea ecx,dword ptr ss:
004034A7 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
004034A9 .50 push eax
004034AA .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ;msvbvm60.__vbaStrCat
004034B0 .8BD0 mov edx,eax
004034B2 .8D4D DC lea ecx,dword ptr ss:
004034B5 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
004034B7 .8D4D D0 lea ecx,dword ptr ss:
004034BA .8D55 D4 lea edx,dword ptr ss:
004034BD .51 push ecx
004034BE .52 push edx
004034BF .6A 02 push 2
004034C1 .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004034C7 .8D45 A8 lea eax,dword ptr ss:
004034CA .8D4D B8 lea ecx,dword ptr ss:
004034CD .50 push eax
004034CE .51 push ecx
004034CF .6A 02 push 2
004034D1 .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004034D7 .83C4 18 add esp,18
004034DA .EB 1A jmp short fywy.004034F6
004034DC >8B55 DC mov edx,dword ptr ss:
004034DF .52 push edx
004034E0 .68 90264000 push fywy.00402690 ;2012
004034E5 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ;msvbvm60.__vbaStrCat
004034EB .8BD0 mov edx,eax ;★★★★★★★★★★→|| 若用户名第 i 位 > 'z' ,则把第 i 位ASCII替换成'2012',再连接起来
004034ED .8D4D DC lea ecx,dword ptr ss:
004034F0 .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004034F6 >B8 01000000 mov eax,1
004034FB .66:0345 E8 add ax,word ptr ss: ;★★★★★★★★★★→|| 保存计次变量
004034FF .0F80 8F020000 jo fywy.00403794
00403505 .8945 E8 mov dword ptr ss:,eax
00403508 .^ E9 82FBFFFF jmp fywy.0040308F
0040350D >8B45 DC mov eax,dword ptr ss:
----------------------------------- 循环1结束 --------------------------------------------------------------
循环1功能:
获取用户名,然后逐位取出用户名的字符(姑且称作 name(i) 吧),根据 name(i) 所在的范围,给 name(i) 的 ASCII 码加上不同的数 x,把相加后的结果 R
转成十进制字符串,依次连接起来得到字符串 Str1(即上面注释里的 S1)。
范围大体如下(保守):
'0' <= name(i) <= '9' 时 + 0x30 即:48
'A' <= name(i) <= 'Z' 时 + 0x32 即:50
'a' <= name(i) <= 'z' 时 + 0x34 即:52
name(i) > 'z' 时 String(R) = '2012'(从上面三处 setle/setge 加 and 的判断来看,凡是不落在以上三个区间内的字符都会走到 004034DC 这个分支,而不只是大于 'z' 的字符)
00403510 .83CB FF or ebx,FFFFFFFF
00403513 .50 push eax
00403514 .FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;msvbvm60.__vbaLenBstr
0040351A .8BC8 mov ecx,eax ;★★★★★★★★★★→|| ecx = eax = 上面字符串S1的长度
0040351C .FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ;msvbvm60.__vbaI2I4
00403522 .8BF0 mov esi,eax
----------------------------------- 循环2开始 --------------------------------------------------------------
00403524 >B8 01000000 mov eax,1
00403529 .66:3BF0 cmp si,ax ;★★★★★★★★★★→|| si 做计数变量 ,从S1中倒着取每一个字符
0040352C .0F8C D4000000 jl fywy.00403606 ;★★★★★★★★★★→|| 即si 开始为S1的长度 ,每循环一次递减1,当si <1时跳转实现,结束循环
00403532 .8945 C0 mov dword ptr ss:,eax
00403535 .8D4D DC lea ecx,dword ptr ss:
00403538 .0FBFC6 movsx eax,si ;★★★★★★★★★★→|| eax = 字符串S1长度
0040353B .8D55 B8 lea edx,dword ptr ss:
0040353E .894D 80 mov dword ptr ss:,ecx
00403541 .52 push edx
00403542 .8D8D 78FFFFFF lea ecx,dword ptr ss:
00403548 .50 push eax
00403549 .8D55 A8 lea edx,dword ptr ss:
0040354C .51 push ecx
0040354D .52 push edx
0040354E .C745 B8 0200000>mov dword ptr ss:,2
00403555 .C785 78FFFFFF 0>mov dword ptr ss:,4008
0040355F .FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ;msvbvm60.rtcMidCharVar
00403565 .8D45 A8 lea eax,dword ptr ss:
00403568 .8D4D D4 lea ecx,dword ptr ss:
0040356B .50 push eax
0040356C .51 push ecx
0040356D .FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00403573 .50 push eax
00403574 .FFD7 call edi
00403576 .66:05 3400 add ax,34 ;★★★★★★★★★★→|| ax = 倒取每位的ASCII(Hex) + 0x34
0040357A .8D55 98 lea edx,dword ptr ss:
0040357D .0F80 11020000 jo fywy.00403794
00403583 .66:8945 A0 mov word ptr ss:,ax
00403587 .8D45 88 lea eax,dword ptr ss:
0040358A .52 push edx
0040358B .50 push eax
0040358C .C745 98 0200000>mov dword ptr ss:,2
00403593 .FF15 94104000 call dword ptr ds:[<&MSVBVM60.#573>] ;msvbvm60.rtcHexVarFromVar
00403599 .8B4D E0 mov ecx,dword ptr ss:
0040359C .8D55 88 lea edx,dword ptr ss:
0040359F .51 push ecx
004035A0 .52 push edx
004035A1 .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCopy>] ;msvbvm60.__vbaStrErrVarCopy
004035A7 .8BD0 mov edx,eax ;★★★★★★★★★★→|| 倒取S1每位,转成十六进制,再和 0x34 相加
004035A9 .8D4D D0 lea ecx,dword ptr ss:
004035AC .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004035B2 .50 push eax
004035B3 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ;msvbvm60.__vbaStrCat
004035B9 .8BD0 mov edx,eax
004035BB .8D4D E0 lea ecx,dword ptr ss:
004035BE .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004035C4 .8D45 D0 lea eax,dword ptr ss:
004035C7 .8D4D D4 lea ecx,dword ptr ss:
004035CA .50 push eax
004035CB .51 push ecx
004035CC .6A 02 push 2
004035CE .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004035D4 .8D55 88 lea edx,dword ptr ss:
004035D7 .8D45 88 lea eax,dword ptr ss:
004035DA .52 push edx
004035DB .8D4D 98 lea ecx,dword ptr ss:
004035DE .50 push eax
004035DF .8D55 A8 lea edx,dword ptr ss:
004035E2 .51 push ecx
004035E3 .8D45 B8 lea eax,dword ptr ss:
004035E6 .52 push edx
004035E7 .50 push eax
004035E8 .6A 05 push 5
004035EA .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004035F0 .66:8BCB mov cx,bx
004035F3 .83C4 24 add esp,24
004035F6 .66:03CE add cx,si
004035F9 .0F80 95010000 jo fywy.00403794
004035FF .8BF1 mov esi,ecx
00403601 .^ E9 1EFFFFFF jmp fywy.00403524
00403606 >8B7D 08 mov edi,dword ptr ss:
----------------------------------- 循环2结束 --------------------------------------------------------------
循环2功能:
针对循环1得到的 Str1,逆序取每一位字符 Str1(i)(i 为循环计次变量),把该字符的 ASCII 码加 52(0x34)得到数 N1,把 N1 转换成十六进制字符串 Hex(N1),
然后把各个 Hex(N1) 依次连接成字符串 Str2,即为真码啦~
-----------------------------------下面就是对计算出的真码和假码进行比较了,不再叙述--------------------------------------------------------------
00403609 .57 push edi
0040360A .8B17 mov edx,dword ptr ds:
0040360C .FF92 08030000 call dword ptr ds:
00403612 .8B1D 38104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
00403618 .50 push eax
00403619 .8D45 CC lea eax,dword ptr ss:
0040361C .50 push eax
0040361D .FFD3 call ebx ;<&MSVBVM60.__vbaObjSet>
0040361F .8BF0 mov esi,eax
00403621 .8D55 D4 lea edx,dword ptr ss:
00403624 .52 push edx
00403625 .56 push esi
00403626 .8B0E mov ecx,dword ptr ds:
00403628 .FF91 A0000000 call dword ptr ds:
0040362E .85C0 test eax,eax
00403630 .DBE2 fclex
00403632 .7D 12 jge short fywy.00403646
00403634 .68 A0000000 push 0A0
00403639 .68 74264000 push fywy.00402674
0040363E .56 push esi
0040363F .50 push eax
00403640 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
00403646 >8B07 mov eax,dword ptr ds:
00403648 .57 push edi
00403649 .FF90 04030000 call dword ptr ds:
0040364F .8D4D C8 lea ecx,dword ptr ss:
00403652 .50 push eax
00403653 .51 push ecx
00403654 .FFD3 call ebx
00403656 .8BF0 mov esi,eax
00403658 .8D45 D0 lea eax,dword ptr ss:
0040365B .50 push eax
0040365C .56 push esi
0040365D .8B16 mov edx,dword ptr ds:
0040365F .FF92 A0000000 call dword ptr ds:
00403665 .85C0 test eax,eax
00403667 .DBE2 fclex
00403669 .7D 12 jge short fywy.0040367D
0040366B .68 A0000000 push 0A0
00403670 .68 74264000 push fywy.00402674
00403675 .56 push esi
00403676 .50 push eax
00403677 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
0040367D >8B4D D8 mov ecx,dword ptr ss: ;★★★★★★★★★★→|| = = 用户名
00403680 .8B55 D4 mov edx,dword ptr ss: ;★★★★★★★★★★→|| = = 用户名
00403683 .8B1D 54104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ;msvbvm60.__vbaStrCmp
00403689 .51 push ecx
0040368A .52 push edx
0040368B .FFD3 call ebx ;<&MSVBVM60.__vbaStrCmp>
0040368D .8B4D D0 mov ecx,dword ptr ss: ;★★★★★★★★★★→|| = = 密码
00403690 .8BF0 mov esi,eax
00403692 .8B45 E0 mov eax,dword ptr ss: ;★★★★★★★★★★→|| = = 上面转换后的字符串
00403695 .F7DE neg esi
00403697 .1BF6 sbb esi,esi ;★★★★★★★★★★→|| esi 置 0
00403699 .50 push eax
0040369A .46 inc esi ;★★★★★★★★★★→|| esi = 1
0040369B .51 push ecx
0040369C .F7DE neg esi
0040369E .FFD3 call ebx ;★★★★★★★★★★→|| 注意下,关键比较; <&MSVBVM60.__vbaStrCmp>
004036A0 .F7D8 neg eax ;★★★★★★★★★★→|| 求 eax 补码
004036A2 .1BC0 sbb eax,eax
004036A4 .8D55 D0 lea edx,dword ptr ss:
004036A7 .40 inc eax
004036A8 .52 push edx
004036A9 .F7D8 neg eax ;★★★★★★★★★★→|| 求 eax 补码
004036AB .23F0 and esi,eax ;★★★★★★★★★★→|| esi = esi AND eax
004036AD .8D45 D4 lea eax,dword ptr ss:
004036B0 .50 push eax
004036B1 .6A 02 push 2
004036B3 .FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
004036B9 .8D4D C8 lea ecx,dword ptr ss:
004036BC .8D55 CC lea edx,dword ptr ss:
004036BF .51 push ecx
004036C0 .52 push edx
004036C1 .6A 02 push 2
004036C3 .FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ;msvbvm60.__vbaFreeObjList
004036C9 .83C4 18 add esp,18
004036CC .66:85F6 test si,si
004036CF .74 3F je short fywy.00403710 ;★★★★★★★★★★→|| esi = 0 则跳向失败, ==> 爆破点 <==
004036D1 .8B07 mov eax,dword ptr ds:
004036D3 .57 push edi
004036D4 .FF90 10030000 call dword ptr ds:
004036DA .8D4D CC lea ecx,dword ptr ss:
004036DD .50 push eax
004036DE .51 push ecx
004036DF .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004036E5 .8BF0 mov esi,eax
004036E7 .68 A0264000 push fywy.004026A0 ;吾爱破解2012CM大赛作品已注册
004036EC .56 push esi
004036ED .8B16 mov edx,dword ptr ds:
分析完后,附带写了一个注册机(见附件),验证了分析思路没有大的错误,注册机可以用~~
--------------------------------------------------------------------------------
2012年04月29日 23:28:31
附件:
很厉害的破文 {:1_912:} {:301_978:}膜拜大牛+1 {:301_983:}说实话看不懂也看不明白。 {:1_921:}高实在是高,还得多看几次,膜拜 膜拜 要好好学了 一如既往的支持! 不错的,很实在啊LZ呵呵,很全面 学习中
学习了 老师厉害 终于会破了