[反汇编练习] 160个CrackMe之022
[反汇编练习] 160个CrackMe之022.本系列文章的目的是从一个没有任何经验的新手的角度(其实就是我自己),一步步尝试将160个CrackMe全部破解,如果可以,通过任何方式写出一个类似于注册机的东西。其中,文章中按照如下逻辑编排(解决如下问题):1、使用什么环境和工具2、程序分析3、思路分析和破解流程4、注册机的探索----------------------------------提醒各位看客: 如果文章中的逻辑看不明白,那你一定是没有亲手操刀!OD中的跳转提示很强大,只要你跟踪了,不用怎么看代码就理解了!----------------------------------1、工具和环境:WinXP SP3 + 52Pojie六周年纪念版OD + PEID + 汇编金手指。160个CrackMe的打包文件。下载地址: http://pan.baidu.com/s/1xUWOY 密码: jbnq注:1、Win7系统对于模块和程序开启了随机初始地址的功能,会给分析带来很大的负担,所以不建议使用Win7进行分析。2、以上工具都是在52PoJie论坛下的原版程序,NOD32不报毒,个人承诺绝对不会进行任何和木马病毒相关内容。http://images.cnitblog.com/blog/573547/201406/192147191763366.png2、程序分析:想要破解一个程序,必须先了解这个程序。所以,在破解过程中,对最初程序的分析很重要,他可以帮助我们理解作者的目的和意图,特别是对于注册码的处理细节,从而方便我们反向跟踪和推导。和上一节一样,打开CHM,选择第22个CarLitoZ.1.EXE,保存下来。运行程序,程序界面如下:又有信息框了,我很高兴啊!PEID: Microsoft Visual Basic 5.0 / 6.03、思路分析和破解流程步骤:1、打开OD,将exe拖到OD窗口中,等程序暂停后,直接点击运行按钮(F9),不用理会。2、在exe中输入Key:123123。点击OK按钮,弹出错误信息框,不要关闭。3、在OD中点击暂停按钮(Ctrl+F12),再点击堆栈K按钮(Ctrl+K),可以看到当前堆栈情况。
4、选中最后的rtcMsgBox,右键->Show call,返回到反汇编界面: 00402D86 . /7D 12 jge short 00402D9A
00402D88 . |68 F8060000 push 0x6F8
00402D8D . |68 0C224000 push 0040220C
00402D92 . |56 push esi
00402D93 . |50 push eax
00402D94 . |FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00402D9A > \8D4E 34 lea ecx,dword ptr ds:
00402D9D .8D55 94 lea edx,dword ptr ss:
00402DA0 .51 push ecx
00402DA1 .52 push edx
00402DA2 .C745 9C 01000>mov dword ptr ss:,0x1
00402DA9 .C745 94 02800>mov dword ptr ss:,0x8002
00402DB0 .FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>;msvbvm50.__vbaVarTstEq
00402DB6 .8B3D C4614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarDup
00402DBC .B9 04000280 mov ecx,0x80020004
00402DC1 .66:85C0 test ax,ax
00402DC4 .B8 0A000000 mov eax,0xA
00402DC9 .894D AC mov dword ptr ss:,ecx
00402DCC .894D BC mov dword ptr ss:,ecx
00402DCF .8945 A4 mov dword ptr ss:,eax
00402DD2 .8945 B4 mov dword ptr ss:,eax
00402DD5 .C745 8C 08234>mov dword ptr ss:,00402308 ;UNICODE "CrackMe v1.0"
00402DDC .C745 84 08000>mov dword ptr ss:,0x8
00402DE3 .8D55 84 lea edx,dword ptr ss:
00402DE6 .8D4D C4 lea ecx,dword ptr ss:
00402DE9 0F84 5A010000 je 00402F49 ;// 跳到失败
00402DEF .FFD7 call edi ;<&MSVBVM50.__vbaVarDup>
00402DF1 .8D55 94 lea edx,dword ptr ss:
00402DF4 .8D4D D4 lea ecx,dword ptr ss:
00402DF7 .C745 9C D4224>mov dword ptr ss:,004022D4 ;UNICODE "Registration Successful"
00402DFE .C745 94 08000>mov dword ptr ss:,0x8 ;// 注册成功
00402E05 .FFD7 call edi
00402E07 .8D45 A4 lea eax,dword ptr ss:
00402E0A .8D4D B4 lea ecx,dword ptr ss:
00402E0D .50 push eax
00402E0E .8D55 C4 lea edx,dword ptr ss:
00402E11 .51 push ecx
00402E12 .52 push edx
00402E13 .8D45 D4 lea eax,dword ptr ss:
00402E16 .6A 30 push 0x30
00402E18 .50 push eax
00402E19 .FF15 40614000 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
00402E1F .8D4D A4 lea ecx,dword ptr ss:
00402E22 .8D55 B4 lea edx,dword ptr ss:
00402E25 .51 push ecx
00402E26 .8D45 C4 lea eax,dword ptr ss:
00402E29 .52 push edx
00402E2A .8D4D D4 lea ecx,dword ptr ss:
00402E2D .50 push eax
00402E2E .51 push ecx
00402E2F .6A 04 push 0x4
00402E31 .FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;msvbvm50.__vbaFreeVarList
00402E37 .83C4 14 add esp,0x14
00402E3A .8D7E 44 lea edi,dword ptr ds:
00402E3D .68 40224000 push 00402240 ;UNICODE "c:\windows\MTR.dat"
00402E42 .57 push edi
00402E43 .FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;msvbvm50.__vbaI2Var
00402E49 .50 push eax
00402E4A .6A FF push -0x1
00402E4C .6A 20 push 0x20
00402E4E .FF15 98614000 call dword ptr ds:[<&MSVBVM50.__vbaFileO>;msvbvm50.__vbaFileOpen
00402E54 .BA 6C224000 mov edx,0040226C ;UNICODE "trv2156j0e"
00402E59 .8D4D E8 lea ecx,dword ptr ss:
00402E5C .FF15 AC614000 call dword ptr ds:[<&MSVBVM50.__vbaStrCo>;msvbvm50.__vbaStrCopy
00402E62 .57 push edi
00402E63 .FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;msvbvm50.__vbaI2Var
00402E69 .50 push eax
00402E6A .8D55 E8 lea edx,dword ptr ss:
00402E6D .6A 2D push 0x2D
00402E6F .52 push edx
00402E70 .6A 00 push 0x0
00402E72 .FF15 24614000 call dword ptr ds:[<&MSVBVM50.__vbaPut4>>;msvbvm50.__vbaPut4
00402E78 .8D4D E8 lea ecx,dword ptr ss:
00402E7B .FF15 DC614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;msvbvm50.__vbaFreeStr
00402E81 .57 push edi
00402E82 .FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;msvbvm50.__vbaI2Var
00402E88 .50 push eax
00402E89 .FF15 60614000 call dword ptr ds:[<&MSVBVM50.__vbaFileC>;msvbvm50.__vbaFileClose
00402E8F .56 push esi
00402E90 .FF93 0C030000 call dword ptr ds:
00402E96 .50 push eax
00402E97 .8D45 E4 lea eax,dword ptr ss:
00402E9A .50 push eax
00402E9B .FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;msvbvm50.__vbaObjSet
00402EA1 .8BF8 mov edi,eax
00402EA3 .68 88224000 push 00402288 ;UNICODE "REGISTERED"
00402EA8 .57 push edi ;// ↑的文本说明验证成功了
00402EA9 .8B0F mov ecx,dword ptr ds:
00402EAB .FF51 54 call dword ptr ds:
00402EAE .85C0 test eax,eax
00402EB0 .7D 0F jge short 00402EC1
00402EB2 .6A 54 push 0x54
00402EB4 .68 A0224000 push 004022A0
00402EB9 .57 push edi
00402EBA .50 push eax
00402EBB .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00402EC1 >8D4D E4 lea ecx,dword ptr ss:
00402EC4 .FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;msvbvm50.__vbaFreeObj
00402ECA .56 push esi
00402ECB .FF93 04030000 call dword ptr ds:
00402ED1 .8D55 E4 lea edx,dword ptr ss:
00402ED4 .50 push eax
00402ED5 .52 push edx
00402ED6 .FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;msvbvm50.__vbaObjSet
00402EDC .8BF8 mov edi,eax
00402EDE .6A 00 push 0x0
00402EE0 .57 push edi
00402EE1 .8B07 mov eax,dword ptr ds:
00402EE3 .FF90 8C000000 call dword ptr ds:
00402EE9 .85C0 test eax,eax
00402EEB .7D 12 jge short 00402EFF
00402EED .68 8C000000 push 0x8C
00402EF2 .68 B0224000 push 004022B0
00402EF7 .57 push edi
00402EF8 .50 push eax
00402EF9 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00402EFF >8B3D E0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFr>;msvbvm50.__vbaFreeObj
00402F05 .8D4D E4 lea ecx,dword ptr ss:
00402F08 .FFD7 call edi ;<&MSVBVM50.__vbaFreeObj>
00402F0A .56 push esi
00402F0B .FF93 08030000 call dword ptr ds:
00402F11 .8D4D E4 lea ecx,dword ptr ss:
00402F14 .50 push eax
00402F15 .51 push ecx
00402F16 .FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;msvbvm50.__vbaObjSet
00402F1C .8BF0 mov esi,eax
00402F1E .6A 00 push 0x0
00402F20 .56 push esi
00402F21 .8B16 mov edx,dword ptr ds:
00402F23 .FF92 8C000000 call dword ptr ds:
00402F29 .85C0 test eax,eax
00402F2B .7D 12 jge short 00402F3F
00402F2D .68 8C000000 push 0x8C
00402F32 .68 C0224000 push 004022C0
00402F37 .56 push esi
00402F38 .50 push eax
00402F39 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00402F3F >8D4D E4 lea ecx,dword ptr ss:
00402F42 .FFD7 call edi
00402F44 .E9 8C000000 jmp 00402FD5
00402F49 >FFD7 call edi
00402F4B .8D55 94 lea edx,dword ptr ss:
00402F4E .8D4D D4 lea ecx,dword ptr ss:
00402F51 .C745 9C 28234>mov dword ptr ss:,00402328 ;UNICODE " Wrong Code! Try Again"
00402F58 .C745 94 08000>mov dword ptr ss:,0x8
00402F5F .FFD7 call edi
00402F61 .8D45 A4 lea eax,dword ptr ss:
00402F64 .8D4D B4 lea ecx,dword ptr ss:
00402F67 .50 push eax
00402F68 .8D55 C4 lea edx,dword ptr ss:
00402F6B .51 push ecx
00402F6C .52 push edx
00402F6D .8D45 D4 lea eax,dword ptr ss:
00402F70 .6A 10 push 0x10
00402F72 .50 push eax
00402F73 .FF15 40614000 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
从当前位置向上查找,很容易地发现了好几处提示注册成功的文本,最后在头部发现了__vbaVarTstEq,并且他下面接着 je 00402F49 跳转,接着就是提示成功的文本。我们再去中间还发现了一个特殊的文件路径:c:\windows\MTR.dat,留心一下。分析到这里,爆破很简单了,直接将关键跳转使用NOP填充就可以了。选中je 00402F49 ,右键->Binary->Fill with NOPs。试一试,哈哈,成功了!
考虑到刚才的那个文件路径,我们重启文件一下,看看是否可行:
4、注册机的探索直接上VB Decompiler Pro, 分析了一下:
Private Sub reg_Click() '402D20
Dim var_5C As Me
Dim var_1C As Variant
loc_00402D52: var_8 = &H401020
loc_00402D7E: Call Crack.rgr
loc_00402DA2: var_64 = 1
loc_00402DA9: var_6C = &H8002
loc_00402DB0: Var_Ret_1 = (Me.SaveProp = 1)
loc_00402DC9: var_54 = 80020004h
loc_00402DCC: var_44 = 80020004h
loc_00402DCF: var_5C = 10
loc_00402DD2: var_4C = 10
loc_00402DD5: var_74 = "CrackMe v1.0"
loc_00402DDC: var_7C = 8
If Var_Ret_1 = 0 Then GoTo loc_00402F49
loc_00402DEF: var_3C = "CrackMe v1.0"
loc_00402DF7: var_64 = "Registration Successful"
loc_00402DFE: var_6C = 8
loc_00402E05: var_2C = "Registration Successful"
loc_00402E19: MsgBox var_2C, 48, var_3C
loc_00402E43: Me = %x1 = CInt("c:\windows\MTR.dat")
loc_00402E4E: Open Me For Random As #var_3C
loc_00402E5C: var_18 = "trv2156j0e"
loc_00402E63: Me = %x1 = CInt(4203020)
loc_00402E72: Put #var_18, 45, var_18
loc_00402E82: Me = %x1 = CInt(1784)
loc_00402E89: Close #Put #var_18, 45, var_18
loc_00402E9B: Set var_1C = Close #Put #var_18, 45, var_18
loc_00402EAB: Unknown_VTable_Call
loc_00402ED6: Set var_1C = Unknown_VTable_Call
loc_00402EE3: reg.Enabled = False
loc_00402F23: Text.Enabled = False
loc_00402F51: var_64 = "Wrong Code! Try Again"
loc_00402F58: var_6C = 8
loc_00402F73: MsgBox var_2C, 16, var_3C
loc_00402FB0: Text.Text = 4203356
loc_00402FE1: GoTo loc_00403011
loc_00403010: Exit Sub
loc_00403011: Exit Sub
End Sub
发现按钮点击事件调用了Call Crack.rgr进行验证,而他自身只进行判断:ublic Sub rgr() '403230
Dim var_3C As TextBox
loc_0040325C: var_8 = &H401040
loc_0040339E: Set var_40 = 404024h
loc_004033A9: Unknown_VTable_Call
loc_004033D2: CreateObject(4200340, 4210724)
loc_004033DD:
loc_004033EB: Set var_44 = 404024h
loc_004033F6: Unknown_VTable_Call
loc_0040341F: CreateObject(4200340, 4210724)
loc_0040342A:
loc_00403438: Set var_48 = 404024h
loc_00403443: Unknown_VTable_Call
loc_0040346C: CreateObject(4200340, 4210724)
loc_00403477:
loc_00403485: Set var_4C = 404024h
loc_00403490: Unknown_VTable_Call
loc_004034B9: CreateObject(4200340, 4210724)
loc_004034C4:
loc_004034D2: Set var_50 = 404024h
loc_004034DD: Unknown_VTable_Call
loc_00403506: CreateObject(4200340, 4210724)
loc_00403511:
loc_0040351F: Set var_54 = 404024h
loc_0040352A: Unknown_VTable_Call
loc_00403553: CreateObject(4200340, 4210724)
loc_0040355E:
loc_0040356C: Set var_58 = 404024h
loc_00403577: Unknown_VTable_Call
loc_004035A0: CreateObject(4200340, 4210724)
loc_004035AB:
loc_004035B9: Set var_5C = 404024h
loc_004035C4: Unknown_VTable_Call
loc_004035EF: Set var_3C = Me
loc_004035FA: var_18 = Text.Text
loc_0040361F: var_254 = var_18
loc_0040362B: var_64 = var_1C
loc_00403644: var_25C = &H8008
loc_0040364E: var_74 = 1
loc_00403655: var_7C = 2
loc_0040365B: var_6C = 8
loc_0040366D: var_94 = var_20
loc_00403684: var_A4 = 1
loc_0040368E: var_AC = 2
loc_00403697: var_9C = 8
loc_004036AC: var_D4 = var_24
loc_004036C6: var_E4 = 1
loc_004036D0: var_EC = 2
loc_004036D9: var_DC = 8
loc_004036EE: var_114 = var_28
loc_00403705: var_124 = 1
loc_0040370F: var_12C = 2
loc_00403718: var_11C = 8
loc_0040372D: var_154 = var_2C
loc_00403747: var_164 = 1
loc_00403751: var_16C = 2
loc_0040375A: var_15C = 8
loc_00403769: var_1A4 = 1
loc_00403773: var_1AC = 2
loc_0040377C: var_194 = var_30
loc_0040379C: var_19C = 8
loc_004037B1: var_1D4 = var_34
loc_004037CB: var_1E4 = 1
loc_004037D5: var_1EC = 2
loc_004037DE: var_1DC = 8
loc_004037F3: var_214 = var_38
loc_0040380D: var_224 = 1
loc_00403817: var_22C = 2
loc_00403820: var_21C = 8
loc_0040384E: Var_Ret_1 = Mid$(var_1C, 6, 1) + Mid$(var_20, 9, 1)
loc_0040385F: Var_Ret_2 = Var_Ret_1 + Mid$(var_24, 143, 1)
loc_00403870: Var_Ret_3 = Var_Ret_2 + Mid$(var_28, 16, 1)
loc_00403881: Var_Ret_4 = Var_Ret_3 + Mid$(var_2C, 161, 1)
loc_00403892: Var_Ret_5 = Var_Ret_4 + Mid$(var_30, 171, 1)
loc_004038A3: Var_Ret_6 = Var_Ret_5 + Mid$(var_34, 166, 1)
loc_004038B4: Var_Ret_7 = Var_Ret_6 + Mid$(var_38, 168, 1)
loc_004038B7: Var_Ret_8 = (var_18 = Var_Ret_7)
If Var_Ret_8 = 0 Then GoTo loc_004039FD
loc_004039E4: var_274 = 1
loc_004039EE: var_27C = 2
loc_004039F7: ecx = 1
loc_004039FD:
loc_00403A02: GoTo loc_00403B55
loc_00403B54: Exit Sub
loc_00403B55: Exit Sub
End Sub
我们在OD中,Ctrl+G,输入 ublic Sub rgr() 的开头地址:403230,在OD中参照上述代码进行具体分析:00403230 > \55 push ebp ;// 验证注册码的函数
00403231 .8BEC mov ebp,esp
00403233 .83EC 0C sub esp,0xC
00403236 .68 66104000 push <jmp.&MSVBVM50.__vbaExceptHandler>;SE handler installation
0040323B .64:A1 0000000>mov eax,dword ptr fs:
00403241 .50 push eax
00403242 .64:8925 00000>mov dword ptr fs:,esp
00403249 .81EC 54030000 sub esp,0x354
0040324F .8B45 08 mov eax,dword ptr ss:
00403252 .53 push ebx
00403253 .56 push esi
00403254 .57 push edi
00403255 .8B08 mov ecx,dword ptr ds:
00403257 .8965 F4 mov dword ptr ss:,esp
0040325A .33F6 xor esi,esi
0040325C .C745 F8 40104>mov dword ptr ss:,00401040
00403263 .50 push eax
00403264 .8975 FC mov dword ptr ss:,esi
00403267 .898D 98FCFFFF mov dword ptr ss:,ecx
0040326D .FF51 04 call dword ptr ds:
00403270 .A1 24404000 mov eax,dword ptr ds:
00403275 .8975 E8 mov dword ptr ss:,esi
00403278 .3BC6 cmp eax,esi
0040327A .8975 E4 mov dword ptr ss:,esi
0040327D .8975 E0 mov dword ptr ss:,esi
00403280 .8975 DC mov dword ptr ss:,esi
00403283 .8975 D8 mov dword ptr ss:,esi
00403286 .8975 D4 mov dword ptr ss:,esi
00403289 .8975 D0 mov dword ptr ss:,esi
0040328C .8975 CC mov dword ptr ss:,esi
0040328F .8975 C8 mov dword ptr ss:,esi
00403292 .8975 C4 mov dword ptr ss:,esi
00403295 .8975 C0 mov dword ptr ss:,esi
00403298 .8975 BC mov dword ptr ss:,esi
0040329B .8975 B8 mov dword ptr ss:,esi
0040329E .8975 B4 mov dword ptr ss:,esi
004032A1 .8975 B0 mov dword ptr ss:,esi
004032A4 .8975 AC mov dword ptr ss:,esi
004032A7 .8975 A8 mov dword ptr ss:,esi
004032AA .8975 A4 mov dword ptr ss:,esi
004032AD .8975 94 mov dword ptr ss:,esi
004032B0 .8975 84 mov dword ptr ss:,esi
004032B3 .89B5 74FFFFFF mov dword ptr ss:,esi
004032B9 .89B5 64FFFFFF mov dword ptr ss:,esi
004032BF .89B5 54FFFFFF mov dword ptr ss:,esi
004032C5 .89B5 44FFFFFF mov dword ptr ss:,esi
004032CB .89B5 34FFFFFF mov dword ptr ss:,esi
004032D1 .89B5 24FFFFFF mov dword ptr ss:,esi
004032D7 .89B5 14FFFFFF mov dword ptr ss:,esi
004032DD .89B5 04FFFFFF mov dword ptr ss:,esi
004032E3 .89B5 F4FEFFFF mov dword ptr ss:,esi
004032E9 .89B5 E4FEFFFF mov dword ptr ss:,esi
004032EF .89B5 D4FEFFFF mov dword ptr ss:,esi
004032F5 .89B5 C4FEFFFF mov dword ptr ss:,esi
004032FB .89B5 B4FEFFFF mov dword ptr ss:,esi
00403301 .89B5 A4FEFFFF mov dword ptr ss:,esi
00403307 .89B5 94FEFFFF mov dword ptr ss:,esi
0040330D .89B5 84FEFFFF mov dword ptr ss:,esi
00403313 .89B5 74FEFFFF mov dword ptr ss:,esi
00403319 .89B5 64FEFFFF mov dword ptr ss:,esi
0040331F .89B5 54FEFFFF mov dword ptr ss:,esi
00403325 .89B5 44FEFFFF mov dword ptr ss:,esi
0040332B .89B5 34FEFFFF mov dword ptr ss:,esi
00403331 .89B5 24FEFFFF mov dword ptr ss:,esi
00403337 .89B5 14FEFFFF mov dword ptr ss:,esi
0040333D .89B5 04FEFFFF mov dword ptr ss:,esi
00403343 .89B5 F4FDFFFF mov dword ptr ss:,esi
00403349 .89B5 E4FDFFFF mov dword ptr ss:,esi
0040334F .89B5 D4FDFFFF mov dword ptr ss:,esi
00403355 .89B5 C4FDFFFF mov dword ptr ss:,esi
0040335B .89B5 B4FDFFFF mov dword ptr ss:,esi
00403361 .89B5 A4FDFFFF mov dword ptr ss:,esi
00403367 .89B5 94FDFFFF mov dword ptr ss:,esi
0040336D .89B5 84FDFFFF mov dword ptr ss:,esi
00403373 .75 15 jnz short 0040338A
00403375 .68 24404000 push 00404024
0040337A .68 94174000 push 00401794
0040337F .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
00403385 .A1 24404000 mov eax,dword ptr ds:
0040338A >8B08 mov ecx,dword ptr ds:
0040338C .50 push eax
0040338D .FF91 00030000 call dword ptr ds:
00403393 .8B1D 3C614000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaOb>;msvbvm50.__vbaObjSet
00403399 .8D55 C0 lea edx,dword ptr ss:
0040339C .50 push eax
0040339D .52 push edx
0040339E .FFD3 call ebx ;<&MSVBVM50.__vbaObjSet>
004033A0 .8BF8 mov edi,eax
004033A2 .8D4D E4 lea ecx,dword ptr ss:
004033A5 .51 push ecx
004033A6 .57 push edi
004033A7 .8B07 mov eax,dword ptr ds:
004033A9 .FF50 50 call dword ptr ds:
004033AC .3BC6 cmp eax,esi
004033AE .7D 0F jge short 004033BF
004033B0 .6A 50 push 0x50
004033B2 .68 A0224000 push 004022A0
004033B7 .57 push edi
004033B8 .50 push eax
004033B9 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
004033BF >A1 24404000 mov eax,dword ptr ds:
004033C4 .3BC6 cmp eax,esi
004033C6 .75 15 jnz short 004033DD
004033C8 .68 24404000 push 00404024
004033CD .68 94174000 push 00401794
004033D2 .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
004033D8 .A1 24404000 mov eax,dword ptr ds:
004033DD >8B10 mov edx,dword ptr ds:
004033DF .50 push eax
004033E0 .FF92 00030000 call dword ptr ds:
004033E6 .50 push eax
004033E7 .8D45 BC lea eax,dword ptr ss:
004033EA .50 push eax
004033EB .FFD3 call ebx
004033ED .8BF8 mov edi,eax
004033EF .8D55 E0 lea edx,dword ptr ss:
004033F2 .52 push edx
004033F3 .57 push edi
004033F4 .8B0F mov ecx,dword ptr ds:
004033F6 .FF51 50 call dword ptr ds:
004033F9 .3BC6 cmp eax,esi
004033FB .7D 0F jge short 0040340C
004033FD .6A 50 push 0x50
004033FF .68 A0224000 push 004022A0
00403404 .57 push edi
00403405 .50 push eax
00403406 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
0040340C >A1 24404000 mov eax,dword ptr ds:
00403411 .3BC6 cmp eax,esi
00403413 .75 15 jnz short 0040342A
00403415 .68 24404000 push 00404024
0040341A .68 94174000 push 00401794
0040341F .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
00403425 .A1 24404000 mov eax,dword ptr ds:
0040342A >8B08 mov ecx,dword ptr ds:
0040342C .50 push eax
0040342D .FF91 00030000 call dword ptr ds:
00403433 .8D55 B8 lea edx,dword ptr ss:
00403436 .50 push eax
00403437 .52 push edx
00403438 .FFD3 call ebx
0040343A .8BF8 mov edi,eax
0040343C .8D4D DC lea ecx,dword ptr ss:
0040343F .51 push ecx
00403440 .57 push edi
00403441 .8B07 mov eax,dword ptr ds:
00403443 .FF50 50 call dword ptr ds:
00403446 .3BC6 cmp eax,esi
00403448 .7D 0F jge short 00403459
0040344A .6A 50 push 0x50
0040344C .68 A0224000 push 004022A0
00403451 .57 push edi
00403452 .50 push eax
00403453 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00403459 >A1 24404000 mov eax,dword ptr ds:
0040345E .3BC6 cmp eax,esi
00403460 .75 15 jnz short 00403477
00403462 .68 24404000 push 00404024
00403467 .68 94174000 push 00401794
0040346C .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
00403472 .A1 24404000 mov eax,dword ptr ds:
00403477 >8B10 mov edx,dword ptr ds:
00403479 .50 push eax
0040347A .FF92 00030000 call dword ptr ds:
00403480 .50 push eax
00403481 .8D45 B4 lea eax,dword ptr ss:
00403484 .50 push eax
00403485 .FFD3 call ebx
00403487 .8BF8 mov edi,eax
00403489 .8D55 D8 lea edx,dword ptr ss:
0040348C .52 push edx
0040348D .57 push edi
0040348E .8B0F mov ecx,dword ptr ds:
00403490 .FF51 50 call dword ptr ds:
00403493 .3BC6 cmp eax,esi
00403495 .7D 0F jge short 004034A6
00403497 .6A 50 push 0x50
00403499 .68 A0224000 push 004022A0
0040349E .57 push edi
0040349F .50 push eax
004034A0 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
004034A6 >A1 24404000 mov eax,dword ptr ds:
004034AB .3BC6 cmp eax,esi
004034AD .75 15 jnz short 004034C4
004034AF .68 24404000 push 00404024
004034B4 .68 94174000 push 00401794
004034B9 .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
004034BF .A1 24404000 mov eax,dword ptr ds:
004034C4 >8B08 mov ecx,dword ptr ds:
004034C6 .50 push eax
004034C7 .FF91 00030000 call dword ptr ds:
004034CD .8D55 B0 lea edx,dword ptr ss:
004034D0 .50 push eax
004034D1 .52 push edx
004034D2 .FFD3 call ebx
004034D4 .8BF8 mov edi,eax
004034D6 .8D4D D4 lea ecx,dword ptr ss:
004034D9 .51 push ecx
004034DA .57 push edi
004034DB .8B07 mov eax,dword ptr ds:
004034DD .FF50 50 call dword ptr ds:
004034E0 .3BC6 cmp eax,esi
004034E2 .7D 0F jge short 004034F3
004034E4 .6A 50 push 0x50
004034E6 .68 A0224000 push 004022A0
004034EB .57 push edi
004034EC .50 push eax
004034ED .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
004034F3 >A1 24404000 mov eax,dword ptr ds:
004034F8 .3BC6 cmp eax,esi
004034FA .75 15 jnz short 00403511
004034FC .68 24404000 push 00404024
00403501 .68 94174000 push 00401794
00403506 .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
0040350C .A1 24404000 mov eax,dword ptr ds:
00403511 >8B10 mov edx,dword ptr ds:
00403513 .50 push eax
00403514 .FF92 00030000 call dword ptr ds:
0040351A .50 push eax
0040351B .8D45 AC lea eax,dword ptr ss:
0040351E .50 push eax
0040351F .FFD3 call ebx
00403521 .8BF8 mov edi,eax
00403523 .8D55 D0 lea edx,dword ptr ss:
00403526 .52 push edx
00403527 .57 push edi
00403528 .8B0F mov ecx,dword ptr ds:
0040352A .FF51 50 call dword ptr ds:
0040352D .3BC6 cmp eax,esi
0040352F .7D 0F jge short 00403540
00403531 .6A 50 push 0x50
00403533 .68 A0224000 push 004022A0
00403538 .57 push edi
00403539 .50 push eax
0040353A .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00403540 >A1 24404000 mov eax,dword ptr ds:
00403545 .3BC6 cmp eax,esi
00403547 .75 15 jnz short 0040355E
00403549 .68 24404000 push 00404024
0040354E .68 94174000 push 00401794
00403553 .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
00403559 .A1 24404000 mov eax,dword ptr ds:
0040355E >8B08 mov ecx,dword ptr ds:
00403560 .50 push eax
00403561 .FF91 00030000 call dword ptr ds:
00403567 .8D55 A8 lea edx,dword ptr ss:
0040356A .50 push eax
0040356B .52 push edx
0040356C .FFD3 call ebx
0040356E .8BF8 mov edi,eax
00403570 .8D4D CC lea ecx,dword ptr ss:
00403573 .51 push ecx
00403574 .57 push edi
00403575 .8B07 mov eax,dword ptr ds:
00403577 .FF50 50 call dword ptr ds:
0040357A .3BC6 cmp eax,esi
0040357C .7D 0F jge short 0040358D
0040357E .6A 50 push 0x50
00403580 .68 A0224000 push 004022A0
00403585 .57 push edi
00403586 .50 push eax
00403587 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
0040358D >A1 24404000 mov eax,dword ptr ds:
00403592 .3BC6 cmp eax,esi
00403594 .75 15 jnz short 004035AB
00403596 .68 24404000 push 00404024
0040359B .68 94174000 push 00401794
004035A0 .FF15 9C614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>;msvbvm50.__vbaNew2
004035A6 .A1 24404000 mov eax,dword ptr ds:
004035AB >8B10 mov edx,dword ptr ds:
004035AD .50 push eax
004035AE .FF92 00030000 call dword ptr ds:
004035B4 .50 push eax
004035B5 .8D45 A4 lea eax,dword ptr ss:
004035B8 .50 push eax
004035B9 .FFD3 call ebx
004035BB .8BF8 mov edi,eax
004035BD .8D55 C8 lea edx,dword ptr ss:
004035C0 .52 push edx
004035C1 .57 push edi
004035C2 .8B0F mov ecx,dword ptr ds:
004035C4 .FF51 50 call dword ptr ds:
004035C7 .3BC6 cmp eax,esi
004035C9 .7D 0F jge short 004035DA
004035CB .6A 50 push 0x50
004035CD .68 A0224000 push 004022A0
004035D2 .57 push edi
004035D3 .50 push eax
004035D4 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
004035DA >8B45 08 mov eax,dword ptr ss:
004035DD .8B8D 98FCFFFF mov ecx,dword ptr ss:
004035E3 .50 push eax
004035E4 .FF91 08030000 call dword ptr ds:
004035EA .8D55 C4 lea edx,dword ptr ss:
004035ED .50 push eax
004035EE .52 push edx
004035EF .FFD3 call ebx
004035F1 .8BF8 mov edi,eax
004035F3 .8D4D E8 lea ecx,dword ptr ss:
004035F6 .51 push ecx
004035F7 .57 push edi
004035F8 .8B07 mov eax,dword ptr ds:
004035FA .FF90 A0000000 call dword ptr ds:
00403600 .3BC6 cmp eax,esi
00403602 .7D 12 jge short 00403616
00403604 .68 A0000000 push 0xA0
00403609 .68 C0224000 push 004022C0
0040360E .57 push edi
0040360F .50 push eax
00403610 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00403616 >8B45 E8 mov eax,dword ptr ss:
00403619 .8B3D 58614000 mov edi,dword ptr ds:[<&MSVBVM50.#632>];msvbvm50.rtcMidCharVar
0040361F .8985 ACFDFFFF mov dword ptr ss:,eax
00403625 .8B45 E4 mov eax,dword ptr ss:
00403628 .8D55 84 lea edx,dword ptr ss:
0040362B .8945 9C mov dword ptr ss:,eax
0040362E .52 push edx
0040362F .8D45 94 lea eax,dword ptr ss:
00403632 .6A 06 push 0x6
00403634 .8D8D 74FFFFFF lea ecx,dword ptr ss:
0040363A .BB 02000000 mov ebx,0x2
0040363F .50 push eax ;UNICODE "bPe CrackMe v1.0 "
00403640 .51 push ecx
00403641 .8975 E8 mov dword ptr ss:,esi
00403644 .C785 A4FDFFFF>mov dword ptr ss:,0x8008
0040364E .C745 8C 01000>mov dword ptr ss:,0x1
00403655 .895D 84 mov dword ptr ss:,ebx
00403658 .8975 E4 mov dword ptr ss:,esi
0040365B .C745 94 08000>mov dword ptr ss:,0x8
00403662 .FFD7 call edi ;msvbvm50.rtcMidCharVar; <&MSVBVM50.#632>
00403664 .8B45 E0 mov eax,dword ptr ss:
00403667 .8D95 54FFFFFF lea edx,dword ptr ss:
0040366D .8985 6CFFFFFF mov dword ptr ss:,eax
00403673 .52 push edx
00403674 .8D85 64FFFFFF lea eax,dword ptr ss:
0040367A .6A 09 push 0x9
0040367C .8D8D 44FFFFFF lea ecx,dword ptr ss:
00403682 .50 push eax ;UNICODE "bPe CrackMe v1.0 "
00403683 .51 push ecx
00403684 .C785 5CFFFFFF>mov dword ptr ss:,0x1
0040368E .899D 54FFFFFF mov dword ptr ss:,ebx
00403694 .8975 E0 mov dword ptr ss:,esi
00403697 .C785 64FFFFFF>mov dword ptr ss:,0x8
004036A1 .FFD7 call edi ;msvbvm50.rtcMidCharVar
004036A3 .8B45 DC mov eax,dword ptr ss:
004036A6 .8D95 14FFFFFF lea edx,dword ptr ss:
004036AC .8985 2CFFFFFF mov dword ptr ss:,eax
004036B2 .52 push edx
004036B3 .8D85 24FFFFFF lea eax,dword ptr ss:
004036B9 .68 8F000000 push 0x8F
004036BE .8D8D 04FFFFFF lea ecx,dword ptr ss:
004036C4 .50 push eax ;UNICODE "bPe CrackMe v1.0 "
004036C5 .51 push ecx
004036C6 .C785 1CFFFFFF>mov dword ptr ss:,0x1
004036D0 .899D 14FFFFFF mov dword ptr ss:,ebx
004036D6 .8975 DC mov dword ptr ss:,esi
004036D9 .C785 24FFFFFF>mov dword ptr ss:,0x8
004036E3 .FFD7 call edi ;msvbvm50.rtcMidCharVar
004036E5 .8B45 D8 mov eax,dword ptr ss:
004036E8 .8D95 D4FEFFFF lea edx,dword ptr ss:
004036EE .8985 ECFEFFFF mov dword ptr ss:,eax
004036F4 .52 push edx
004036F5 .8D85 E4FEFFFF lea eax,dword ptr ss:
004036FB .6A 10 push 0x10
004036FD .8D8D C4FEFFFF lea ecx,dword ptr ss:
00403703 .50 push eax
00403704 .51 push ecx
00403705 .C785 DCFEFFFF>mov dword ptr ss:,0x1
0040370F .899D D4FEFFFF mov dword ptr ss:,ebx
00403715 .8975 D8 mov dword ptr ss:,esi
00403718 .C785 E4FEFFFF>mov dword ptr ss:,0x8
00403722 .FFD7 call edi ;msvbvm50.rtcMidCharVar
00403724 .8B45 D4 mov eax,dword ptr ss:
00403727 .8D95 94FEFFFF lea edx,dword ptr ss:
0040372D .8985 ACFEFFFF mov dword ptr ss:,eax
00403733 .52 push edx
00403734 .8D85 A4FEFFFF lea eax,dword ptr ss:
0040373A .68 A1000000 push 0xA1
0040373F .8D8D 84FEFFFF lea ecx,dword ptr ss:
00403745 .50 push eax
00403746 .51 push ecx
00403747 .C785 9CFEFFFF>mov dword ptr ss:,0x1
00403751 .899D 94FEFFFF mov dword ptr ss:,ebx
00403757 .8975 D4 mov dword ptr ss:,esi
0040375A .C785 A4FEFFFF>mov dword ptr ss:,0x8
00403764 .FFD7 call edi ;msvbvm50.rtcMidCharVar
00403766 .8B45 D0 mov eax,dword ptr ss:
00403769 .C785 5CFEFFFF>mov dword ptr ss:,0x1
00403773 .899D 54FEFFFF mov dword ptr ss:,ebx
00403779 .8975 D0 mov dword ptr ss:,esi
0040377C .8985 6CFEFFFF mov dword ptr ss:,eax
00403782 .8D95 54FEFFFF lea edx,dword ptr ss:
00403788 .8D85 64FEFFFF lea eax,dword ptr ss:
0040378E .52 push edx
0040378F .68 AB000000 push 0xAB
00403794 .8D8D 44FEFFFF lea ecx,dword ptr ss:
0040379A .50 push eax
0040379B .51 push ecx
0040379C .C785 64FEFFFF>mov dword ptr ss:,0x8
004037A6 .FFD7 call edi ;msvbvm50.rtcMidCharVar
004037A8 .8B45 CC mov eax,dword ptr ss:
004037AB .8D95 14FEFFFF lea edx,dword ptr ss:
004037B1 .8985 2CFEFFFF mov dword ptr ss:,eax
004037B7 .52 push edx
004037B8 .8D85 24FEFFFF lea eax,dword ptr ss:
004037BE .68 A6000000 push 0xA6
004037C3 .8D8D 04FEFFFF lea ecx,dword ptr ss:
004037C9 .50 push eax
004037CA .51 push ecx
004037CB .C785 1CFEFFFF>mov dword ptr ss:,0x1
004037D5 .899D 14FEFFFF mov dword ptr ss:,ebx
004037DB .8975 CC mov dword ptr ss:,esi
004037DE .C785 24FEFFFF>mov dword ptr ss:,0x8
004037E8 .FFD7 call edi ;msvbvm50.rtcMidCharVar
004037EA .8B45 C8 mov eax,dword ptr ss:
004037ED .8D95 D4FDFFFF lea edx,dword ptr ss:
004037F3 .8985 ECFDFFFF mov dword ptr ss:,eax
004037F9 .52 push edx
004037FA .8D85 E4FDFFFF lea eax,dword ptr ss:
00403800 .68 A8000000 push 0xA8
00403805 .8D8D C4FDFFFF lea ecx,dword ptr ss:
0040380B .50 push eax
0040380C .51 push ecx
0040380D .C785 DCFDFFFF>mov dword ptr ss:,0x1
00403817 .899D D4FDFFFF mov dword ptr ss:,ebx
0040381D .8975 C8 mov dword ptr ss:,esi
00403820 .C785 E4FDFFFF>mov dword ptr ss:,0x8
0040382A .FFD7 call edi ;msvbvm50.rtcMidCharVar
0040382C .8B3D C0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarAdd
00403832 .8D95 A4FDFFFF lea edx,dword ptr ss:
00403838 .8D85 74FFFFFF lea eax,dword ptr ss:
0040383E .52 push edx ;// "123123"
0040383F .8D8D 44FFFFFF lea ecx,dword ptr ss:
00403845 .50 push eax ;// eax ="r"
00403846 .8D95 34FFFFFF lea edx,dword ptr ss:
0040384C .51 push ecx ;// ecx ="k"
0040384D .52 push edx
0040384E .FFD7 call edi ;msvbvm50.__vbaVarAdd; <&MSVBVM50.__vbaVarAdd>
00403850 .50 push eax ;// eax = "rk"
00403851 .8D85 04FFFFFF lea eax,dword ptr ss:
00403857 .8D8D F4FEFFFF lea ecx,dword ptr ss:
0040385D .50 push eax ;// rax ="h"
0040385E .51 push ecx
0040385F .FFD7 call edi ;msvbvm50.__vbaVarAdd
00403861 .50 push eax ;// eax = "rkh"
00403862 .8D95 C4FEFFFF lea edx,dword ptr ss:
00403868 .8D85 B4FEFFFF lea eax,dword ptr ss:
0040386E .52 push edx ;// edx = "1"
0040386F .50 push eax
00403870 .FFD7 call edi ;msvbvm50.__vbaVarAdd
00403872 .8D8D 84FEFFFF lea ecx,dword ptr ss: ;// eax = "rkh1"
00403878 .50 push eax
00403879 .8D95 74FEFFFF lea edx,dword ptr ss:
0040387F .51 push ecx ;// ecx ="o"
00403880 .52 push edx
00403881 .FFD7 call edi ;msvbvm50.__vbaVarAdd
00403883 .50 push eax
00403884 .8D85 44FEFFFF lea eax,dword ptr ss:
0040388A .8D8D 34FEFFFF lea ecx,dword ptr ss:
00403890 .50 push eax ;// "y"
00403891 .51 push ecx
00403892 .FFD7 call edi ;msvbvm50.__vbaVarAdd
00403894 .50 push eax ;// eax = "rkh1oy"
00403895 .8D95 04FEFFFF lea edx,dword ptr ss:
0040389B .8D85 F4FDFFFF lea eax,dword ptr ss:
004038A1 .52 push edx ;// "i"
004038A2 .50 push eax
004038A3 .FFD7 call edi ;msvbvm50.__vbaVarAdd
004038A5 .8D8D C4FDFFFF lea ecx,dword ptr ss:
004038AB .50 push eax
004038AC .51 push ecx ;// "e"
004038AD .8D95 B4FDFFFF lea edx,dword ptr ss:
004038B3 .52 push edx
004038B4 .FFD7 call edi ;msvbvm50.__vbaVarAdd
004038B6 .50 push eax ;// Arg1 = eax ="rkh1oyie",Arg2="123123"
004038B7 .FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>;msvbvm50.__vbaVarTstEq
004038BD .8BF8 mov edi,eax ;// eax = 结果
004038BF .8D45 A4 lea eax,dword ptr ss:
004038C2 .8D4D A8 lea ecx,dword ptr ss:
004038C5 .50 push eax
004038C6 .8D55 AC lea edx,dword ptr ss:
004038C9 .51 push ecx
004038CA .8D45 B0 lea eax,dword ptr ss:
004038CD .52 push edx
004038CE .8D4D B4 lea ecx,dword ptr ss:
004038D1 .50 push eax
004038D2 .8D55 B8 lea edx,dword ptr ss:
004038D5 .51 push ecx
004038D6 .8D45 BC lea eax,dword ptr ss:
004038D9 .52 push edx
004038DA .8D4D C0 lea ecx,dword ptr ss:
004038DD .50 push eax
004038DE .8D55 C4 lea edx,dword ptr ss:
004038E1 .51 push ecx
004038E2 .52 push edx
004038E3 .6A 09 push 0x9
004038E5 .FF15 28614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;msvbvm50.__vbaFreeObjList
004038EB .83C4 28 add esp,0x28
004038EE .8D85 C4FDFFFF lea eax,dword ptr ss:
004038F4 .8D8D F4FDFFFF lea ecx,dword ptr ss:
004038FA .8D95 D4FDFFFF lea edx,dword ptr ss:
00403900 .50 push eax
00403901 .51 push ecx
00403902 .8D85 E4FDFFFF lea eax,dword ptr ss:
00403908 .52 push edx
00403909 .8D8D 04FEFFFF lea ecx,dword ptr ss:
0040390F .50 push eax
00403910 .8D95 34FEFFFF lea edx,dword ptr ss:
00403916 .51 push ecx
00403917 .8D85 14FEFFFF lea eax,dword ptr ss:
0040391D .52 push edx
0040391E .8D8D 24FEFFFF lea ecx,dword ptr ss:
00403924 .50 push eax
00403925 .8D95 44FEFFFF lea edx,dword ptr ss:
0040392B .51 push ecx
0040392C .8D85 74FEFFFF lea eax,dword ptr ss:
00403932 .52 push edx
00403933 .8D8D 54FEFFFF lea ecx,dword ptr ss:
00403939 .50 push eax
0040393A .8D95 64FEFFFF lea edx,dword ptr ss:
00403940 .51 push ecx
00403941 .8D85 84FEFFFF lea eax,dword ptr ss:
00403947 .52 push edx
00403948 .8D8D B4FEFFFF lea ecx,dword ptr ss:
0040394E .50 push eax
0040394F .8D95 94FEFFFF lea edx,dword ptr ss:
00403955 .51 push ecx
00403956 .8D85 A4FEFFFF lea eax,dword ptr ss:
0040395C .52 push edx
0040395D .8D8D C4FEFFFF lea ecx,dword ptr ss:
00403963 .50 push eax
00403964 .8D95 F4FEFFFF lea edx,dword ptr ss:
0040396A .51 push ecx
0040396B .8D85 D4FEFFFF lea eax,dword ptr ss:
00403971 .52 push edx
00403972 .8D8D E4FEFFFF lea ecx,dword ptr ss:
00403978 .50 push eax
00403979 .8D95 04FFFFFF lea edx,dword ptr ss:
0040397F .51 push ecx
00403980 .8D85 34FFFFFF lea eax,dword ptr ss:
00403986 .52 push edx
00403987 .8D8D 14FFFFFF lea ecx,dword ptr ss:
0040398D .50 push eax
0040398E .8D95 24FFFFFF lea edx,dword ptr ss:
00403994 .51 push ecx
00403995 .8D85 44FFFFFF lea eax,dword ptr ss:
0040399B .52 push edx
0040399C .8D8D 74FFFFFF lea ecx,dword ptr ss:
004039A2 .50 push eax
004039A3 .8D95 54FFFFFF lea edx,dword ptr ss:
004039A9 .51 push ecx
004039AA .52 push edx
004039AB .8D85 64FFFFFF lea eax,dword ptr ss:
004039B1 .8D4D 84 lea ecx,dword ptr ss:
004039B4 .50 push eax
004039B5 .8D55 94 lea edx,dword ptr ss:
004039B8 .51 push ecx
004039B9 .8D85 B4FDFFFF lea eax,dword ptr ss:
004039BF .52 push edx
004039C0 .8D8D A4FDFFFF lea ecx,dword ptr ss:
004039C6 .50 push eax
004039C7 .51 push ecx
004039C8 .6A 20 push 0x20
004039CA .FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;msvbvm50.__vbaFreeVarList
004039D0 .81C4 84000000 add esp,0x84
004039D6 .66:3BFE cmp di,si
004039D9 74 22 je short 004039FD ;// 如果正确,将结果给另一个变量赋值
004039DB .8B45 08 mov eax,dword ptr ss:
004039DE .8D95 84FDFFFF lea edx,dword ptr ss:
004039E4 .C785 8CFDFFFF>mov dword ptr ss:,0x1
004039EE .899D 84FDFFFF mov dword ptr ss:,ebx
004039F4 .8D48 34 lea ecx,dword ptr ds:
004039F7 .FF15 10614000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>;msvbvm50.__vbaVarMove
004039FD >68 563B4000 push 00403B56
00403A02 .E9 4E010000 jmp 00403B55
上半部分 msvbvm50.rtcMidCharVar 都是对 UNICODE "bPe CrackMe v1.0 " 进行处理,并且结果未发现进行了什么处理,似乎都没什么用处。只有最后的部分才是真正的处理比较。虽然具体内容分析了出来,但是还是不是很明白为什么有这么多的加法和比较,最后得到的文本还是一个固定的:rkh1oyie。
BY 笨笨D幸福
本帖最后由 125733578 于 2014-7-19 21:19 编辑
44018723 发表于 2014-7-19 21:05
我的品德好用不着你评判!你也没这资格!最后,这里不欢迎你!
我不知道是怎么发这里来的,看到一个贴子,破解过程中,“尼玛”二字忒多,刚看了下,不是你这篇,不好意思啊!今天不知怎么搞的,明明这里发的是支持,那里说的是口德,怎么到这里反了? 我只是路过的;
我只是路过的; 顺便问下楼主,您一天都在玩这个吗? dych1688 发表于 2014-7-1 21:13
顺便问下楼主,您一天都在玩这个吗?
挤出来的时间啊!才做了20+篇,感觉快累死了! 百度云升级,地址不存在额。。。 lyxsh2013 发表于 2014-7-2 21:18
百度云升级,地址不存在额。。。
{:301_997:}还有哦!你试试! 44018723 发表于 2014-7-2 21:29
还有哦!你试试!
多试几次好啦,已经开始再练手了~不过第一个都没过。。。