QQ远程聊天记录查看器算法分析

cshow · 发表于 2008-9-15 03:26

为了说明第一次循环做了一个表
CSHOW@163.COM
43 53 48 4F 57 40 31 36 33 2E 43 4F 4D
45 55 4A 51 59 42 33 38 35 30 45 51 4F
EUJQYB3852EQO

----------------------------------------------------------------------------------------------------------

第一次循环:

0042C9CC> /8B85 48FDFFFF mov eax,dword ptr ss:[ebp-2B8] ;//第一次循环开始
0042C9D2. |3945 DC cmp dword ptr ss:[ebp-24],eax
0042C9D5. |0F8F A4010000 jg 123.0042CB7F
0042C9DB. |8B0Fmov ecx,dword ptr ds:[edi]
0042C9DD. |57push edi
0042C9DE. |FF91 A8030000 call dword ptr ds:[ecx+3A8]
0042C9E4. |50push eax
0042C9E5. |8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0042C9E8. |52push edx
0042C9E9. |FF15 80104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaObjSet
0042C9EF. |8985 70FDFFFF mov dword ptr ss:[ebp-290],eax
0042C9F5. |8B08mov ecx,dword ptr ds:[eax]
0042C9F7. |8D55 BC lea edx,dword ptr ss:[ebp-44]
0042C9FA. |52push edx
0042C9FB. |50push eax
0042C9FC. |FF91 A0000000 call dword ptr ds:[ecx+A0]
0042CA02. |DBE2fclex
0042CA04. |85C0test eax,eax
0042CA06. |7D 18 jge short 123.0042CA20
0042CA08. |68 A0000000 push 0A0
0042CA0D. |68 0C4A4000 push 123.00404A0C
0042CA12. |8B8D 70FDFFFF mov ecx,dword ptr ss:[ebp-290]
0042CA18. |51push ecx
0042CA19. |50push eax
0042CA1A. |FF15 5C104000 call dword ptr ds:[<&msvbvm60.__vbaH>;msvbvm60.__vbaHresultCheckObj
0042CA20> |8B55 BC mov edx,dword ptr ss:[ebp-44]
0042CA23. |52push edx ; /Arg1
0042CA24. |FF15 D8104000 call dword ptr ds:[<&msvbvm60.rtcUpp>; \//邮箱变大写
0042CA2A. |8BD0mov edx,eax
0042CA2C. |8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0042CA2F. |FFD6call esi
0042CA31. |C745 90 01000>mov dword ptr ss:[ebp-70],1
0042CA38. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CA3F. |8B55 B0 mov edx,dword ptr ss:[ebp-50]
0042CA42. |C745 B0 00000>mov dword ptr ss:[ebp-50],0
0042CA49. |8D45 88 lea eax,dword ptr ss:[ebp-78]
0042CA4C. |50push eax
0042CA4D. |8B4D DC mov ecx,dword ptr ss:[ebp-24]
0042CA50. |51push ecx
0042CA51. |8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0042CA54. |FFD6call esi
0042CA56. |50push eax
0042CA57. |FFD3call ebx
0042CA59. |8BD0mov edx,eax
0042CA5B. |8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
0042CA5E. |FFD6call esi
0042CA60. |50push eax ; /Arg1
0042CA61. |FF15 3C104000 call dword ptr ds:[<&msvbvm60.rtcAns>; \//提取ASCII
0042CA67. |66:05 0200add ax,2 ;//ASCII+2
0042CA6B. |0F80 261B0000 jo 123.0042E597
0042CA71. |50push eax
0042CA72. |FF15 04104000 call dword ptr ds:[<&msvbvm60.__vbaS>;F7跟进去
0042CA78. |8BD0mov edx,eax
0042CA7A. |8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0042CA7D. |FFD6call esi
0042CA7F. |8D55 B0 lea edx,dword ptr ss:[ebp-50]
0042CA82. |52push edx
0042CA83. |8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0042CA86. |50push eax
0042CA87. |8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0042CA8A. |51push ecx
0042CA8B. |8D55 BC lea edx,dword ptr ss:[ebp-44]
0042CA8E. |52push edx
0042CA8F. |6A 04 push 4
0042CA91. |FF15 A4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStrList
0042CA97. |83C4 14 add esp,14
0042CA9A. |8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0042CA9D. |FF15 28124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeObj
0042CAA3. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CAA6. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CAAC. |8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0042CAAF. |8985 00FEFFFF mov dword ptr ss:[ebp-200],eax
0042CAB5. |C785 F8FDFFFF>mov dword ptr ss:[ebp-208],4008
0042CABF. |8D8D F8FDFFFF lea ecx,dword ptr ss:[ebp-208]
0042CAC5. |51push ecx ; /Arg2
0042CAC6. |8D55 88 lea edx,dword ptr ss:[ebp-78]; |
0042CAC9. |52push edx ; |Arg1
0042CACA. |FF15 A0114000 call dword ptr ds:[<&msvbvm60.rtcHex>; \F7
0042CAD0. |8B45 C0 mov eax,dword ptr ss:[ebp-40];上次的运算结果放到eax
0042CAD3. |8985 F0FDFFFF mov dword ptr ss:[ebp-210],eax
0042CAD9. |C785 E8FDFFFF>mov dword ptr ss:[ebp-218],8
0042CAE3. |8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0042CAE6. |898D E0FDFFFF mov dword ptr ss:[ebp-220],ecx
0042CAEC. |C785 D8FDFFFF>mov dword ptr ss:[ebp-228],4008
0042CAF6. |8D95 D8FDFFFF lea edx,dword ptr ss:[ebp-228]
0042CAFC. |52push edx ; /Arg2
0042CAFD. |8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]; |
0042CB03. |50push eax ; |Arg1
0042CB04. |FF15 A8114000 call dword ptr ds:[<&msvbvm60.rtcOct>; \F7
0042CB0A. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CB0D. |51push ecx ; /Arg3
0042CB0E. |8D95 E8FDFFFF lea edx,dword ptr ss:[ebp-218] ; |
0042CB14. |52push edx ; |Arg2
0042CB15. |8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]; |
0042CB1B. |50push eax ; |Arg1
0042CB1C. |FF15 6C114000 call dword ptr ds:[<&msvbvm60.__vbaV>; \__vbaVarCat
0042CB22. |50push eax ; /Arg3
0042CB23. |8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]; |
0042CB29. |51push ecx ; |Arg2
0042CB2A. |8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]; |
0042CB30. |52push edx ; |Arg1
0042CB31. |FF15 6C114000 call dword ptr ds:[<&msvbvm60.__vbaV>; \这次的计算结果前面放前两位后面放后三位
0042CB37. |50push eax
0042CB38. |FF15 28104000 call dword ptr ds:[<&msvbvm60.__vbaS>;msvbvm60.__vbaStrVarMove
0042CB3E. |8BD0mov edx,eax
0042CB40. |8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0042CB43. |FFD6call esi
0042CB45. |8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
0042CB4B. |50push eax
0042CB4C. |8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
0042CB52. |51push ecx
0042CB53. |8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0042CB59. |52push edx
0042CB5A. |8D45 88 lea eax,dword ptr ss:[ebp-78]
0042CB5D. |50push eax
0042CB5E. |6A 04 push 4
0042CB60. |FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVarList
0042CB66. |83C4 14 add esp,14
0042CB69. |B8 01000000 mov eax,1
0042CB6E. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CB71. |0F80 201A0000 jo 123.0042E597
0042CB77. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CB7A.^\E9 4DFEFFFF jmp 123.0042C9CC
0042CB7F>8B4D C0 mov ecx,dword ptr ss:[ebp-40];//循环完毕后跳转到这里

第一个F7跟进去来到

73470344 msv>/$55push ebp
73470345 |.8BECmov ebp,esp
73470347 |.51push ecx
73470348 |.8D45 FC lea eax,dword ptr ss:[ebp-4]
7347034B |.50push eax
7347034C |.6A 00 push 0
7347034E |.E8 F961F2FF call msvbvm60.7339654C
73470353 |.50push eax
73470354 |.FF75 08 push dword ptr ss:[ebp+8]
73470357 |.FF15 BC1A3973 call dword ptr ds:[<&OLEAUT32.#109>] ;F7跟进
7347035D |.85C0test eax,eax
7347035F |.7D 0C jge short msvbvm60.7347036D
73470361 |.50push eax
73470362 |.E8 8DB9FEFF call msvbvm60.7345BCF4
73470367 |.50push eax
73470368 |.E8 19DDFEFF call msvbvm60.7345E086
7347036D |>8B45 FC mov eax,dword ptr ss:[ebp-4]
73470370 |.C9leave
73470371 \.C2 0400 retn 4

跟进73470357这个call就到了

7710DD36 OLE> $8BFFmov edi,edi
7710DD38.55push ebp
7710DD39.8BECmov ebp,esp
7710DD3B.83EC 54 sub esp,54
7710DD3E.A1 04101777 mov eax,dword ptr ds:[77171004]
7710DD43.56push esi
7710DD44.8B75 10 mov esi,dword ptr ss:[ebp+10]
7710DD47.F7C6 00000010 test esi,10000000
7710DD4D.8945 FC mov dword ptr ss:[ebp-4],eax
7710DD50.57push edi
7710DD51.8B7D 14 mov edi,dword ptr ss:[ebp+14]
7710DD54.8D45 AC lea eax,dword ptr ss:[ebp-54]
7710DD57.0F85 D15A0100 jnz OLEAUT32.7712382E
7710DD5D.50push eax
7710DD5E.0FBF45 08 movsx eax,word ptr ss:[ebp+8];当前的字符ASCII给EAX
7710DD62.50push eax
7710DD63.E8 1D000000 call OLEAUT32.7710DD85 ;F7跟进
7710DD68.57push edi
7710DD69.8D45 AC lea eax,dword ptr ss:[ebp-54]
7710DD6C.50push eax
7710DD6D.E8 B6C7FEFF call OLEAUT32.770FA528
7710DD72>8B4D FC mov ecx,dword ptr ss:[ebp-4]
7710DD75.5Fpop edi
7710DD76.5Epop esi
7710DD77.E8 8137FEFF call OLEAUT32.770F14FD
7710DD7C.C9leave
7710DD7D.C2 1000 retn 10

然后再跟进7710DD63这个的CALL

7710DD85$8BFFmov edi,edi
7710DD87.55push ebp
7710DD88.8BECmov ebp,esp
7710DD8A.837D 08 00cmp dword ptr ss:[ebp+8],0
7710DD8E.0F8C 9A980100 jl OLEAUT32.7712762E
7710DD94.6A 00 push 0
7710DD96>FF75 0C push dword ptr ss:[ebp+C]
7710DD99.FF75 08 push dword ptr ss:[ebp+8]
7710DD9C.E8 BAC7FEFF call OLEAUT32.770FA55B ;F7跟进
7710DDA1.8B45 0C mov eax,dword ptr ss:[ebp+C]
7710DDA4.5Dpop ebp
7710DDA5.C2 0800 retn 8

最后跟进7710DD9C这个CALL,就来到真程序的核心算法,虽然在第一次循环没有用到算出来的结果

770FA55B$8BFFmov edi,edi ; 这里是关键算法用F(x)表示
770FA55D.55push ebp
770FA55E.8BECmov ebp,esp
770FA560.837D 10 00cmp dword ptr ss:[ebp+10],0
770FA564.8B4D 0C mov ecx,dword ptr ss:[ebp+C]
770FA567.0F85 B1D00200 jnz OLEAUT32.7712761E
770FA56D>56push esi
770FA56E.8BF1mov esi,ecx
770FA570.53push ebx
770FA571>8B45 08 mov eax,dword ptr ss:[ebp+8]
770FA574.33D2xor edx,edx
770FA576.6A 0A push 0A
770FA578.5Bpop ebx;EBP=OA
770FA579.F7F3div ebx;EAX对EBX求余余数在EDX
770FA57B.83C2 30 add edx,30 ;余数+30
770FA57E.66:8911 mov word ptr ds:[ecx],dx ;给[ECX]
770FA581.41inc ecx
770FA582.41inc ecx
770FA583.85C0test eax,eax
770FA585.8945 08 mov dword ptr ss:[ebp+8],eax
770FA588.^ 77 E7 ja short OLEAUT32.770FA571
770FA58A.66:8321 00and word ptr ds:[ecx],0;[ECX]与0
770FA58E.49dec ecx
770FA58F.49dec ecx
770FA590.5Bpop ebx;下面把计算结果位置互换第一位给最后一位最后一位给第一位
770FA591>66:8B16 mov dx,word ptr ds:[esi] ;第一次计算结果给DX
770FA594.66:8B01 mov ax,word ptr ds:[ecx] ;第二次计算结果给ax
770FA597.66:8911 mov word ptr ds:[ecx],dx ;在入栈
770FA59A.49dec ecx
770FA59B.66:8906 mov word ptr ds:[esi],ax ;在入栈
770FA59E.49dec ecx;存
770FA59F.46inc esi
770FA5A0.46inc esi
770FA5A1.3BF1cmp esi,ecx;比较ECX和ESI是否相等相等循环这个跳转在后面有用到
770FA5A3.^ 72 EC jb short OLEAUT32.770FA591
770FA5A5.5Epop esi
770FA5A6.5Dpop ebp
770FA5A7.C2 0C00 retn 0C

第一次的算法:(用字母O分析)
(ASCII+2)对A求余+30
上次的运算结果进行相同的运算--------81

我们跟进0042CACA这个CALL里面
734711BE msv>/$55push ebp
734711BF |.8BECmov ebp,esp
734711C1 |.83EC 10 sub esp,10
734711C4 |.8B45 0C mov eax,dword ptr ss:[ebp+C]
734711C7 |.56push esi
734711C8 |.57push edi
734711C9 |.66:8338 01cmp word ptr ds:[eax],1
734711CD |.74 21 je short msvbvm60.734711F0
734711CF |.50push eax ; /Arg1
734711D0 |.E8 F8FEFFFF call msvbvm60.rtcHexBstrFromVar; \F7
734711D5 |.8945 F8 mov dword ptr ss:[ebp-8],eax
734711D8 |.66:C745 F0 08>mov word ptr ss:[ebp-10],8
734711DE |>8B45 08 mov eax,dword ptr ss:[ebp+8]
734711E1 |.8D75 F0 lea esi,dword ptr ss:[ebp-10]
734711E4 |.8BF8mov edi,eax
734711E6 |.A5movs dword ptr es:[edi],dword ptr ds>
734711E7 |.A5movs dword ptr es:[edi],dword ptr ds>
734711E8 |.A5movs dword ptr es:[edi],dword ptr ds>
734711E9 |.A5movs dword ptr es:[edi],dword ptr ds>
734711EA |.5Fpop edi
734711EB |.5Epop esi
734711EC |.C9leave
734711ED |.C2 0800 retn 8
734711F0 |>66:C745 F0 01>mov word ptr ss:[ebp-10],1
734711F6 \.^ EB E6 jmp short msvbvm60.734711DE

继续跟进734711D0,来到第一次循环的第一个关键算法

734710CD msv>/$55push ebp
734710CE |.8BECmov ebp,esp
734710D0 |.83EC 14 sub esp,14
734710D3 |.56push esi
734710D4 |.57push edi
734710D5 |.6A 08 push 8
734710D7 |.5Fpop edi
734710D8 |.FF35 94EF4973 push dword ptr ds:[7349EF94] ; /TlsIndex = 19
734710DE |.FF15 78123973 call dword ptr ds:[<&KERNEL32.TlsGet>; \TlsGetValue
734710E4 |.8B4D 08 mov ecx,dword ptr ss:[ebp+8]
734710E7 |.83C0 50 add eax,50
734710EA |.8945 FC mov dword ptr ss:[ebp-4],eax
734710ED |.BE 00400000 mov esi,4000
734710F2 |>66:8B11 mov dx,word ptr ds:[ecx]
734710F5 |.0FB7C2movzx eax,dx
734710F8 |.80E4 BF and ah,0BF
734710FB |.48dec eax;Switch (cases 2..11)
734710FC |.48dec eax
734710FD |.0F84 90000000 je msvbvm60.73471193
73471103 |.83E8 07 sub eax,7
73471106 |.75 27 jnz short msvbvm60.7347112F;//这个跳转实现
73471108 |.66:85D6 test si,dx ;Case 9 of switch 734710FB
7347110B |.74 1D je short msvbvm60.7347112A
7347110D |.8B41 08 mov eax,dword ptr ds:[ecx+8]
73471110 |.8B08mov ecx,dword ptr ds:[eax]
73471112 |>FF75 FC push dword ptr ss:[ebp-4]; /Arg7
73471115 |.6A 03 push 3 ; |Arg6 = 00000003
73471117 |.6A 00 push 0 ; |Arg5 = 00000000
73471119 |.6A 00 push 0 ; |Arg4 = 00000000
7347111B |.6A 00 push 0 ; |Arg3 = 00000000
7347111D |.6A 00 push 0 ; |Arg2 = 00000000
7347111F |.51push ecx ; |Arg1
73471120 |.E8 8582FFFF call msvbvm60.734693AA ; \msvbvm60.734693AA
73471125 |.8B4D FC mov ecx,dword ptr ss:[ebp-4]
73471128 |.^ EB C8 jmp short msvbvm60.734710F2
7347112A |>8B49 08 mov ecx,dword ptr ds:[ecx+8]
7347112D |.^ EB E3 jmp short msvbvm60.73471112
7347112F |>48dec eax;//跳到这里
73471130 |.48dec eax
73471131 |.74 60 je short msvbvm60.73471193
73471133 |.83E8 06 sub eax,6
73471136 |.74 47 je short msvbvm60.7347117F
73471138 |.51push ecx ; /Arg1; Default case of switch 734710FB
73471139 |.E8 A0EDFFFF call msvbvm60.7346FEDE ; \msvbvm60.7346FEDE
7347113E |>8D55 FC lea edx,dword ptr ss:[ebp-4] ;开始循环~
73471141 |>8AC8/mov cl,al ;AL=ASCII+2
73471143 |.80E1 0F |and cl,0F ;(ASCII+2)还有上次运算结果和0F做与运算
73471146 |.66:0FBEC9 |movsx cx,cl
7347114A |.83C1 30 |add ecx,30;+30
7347114D |.66:83F9 39|cmp cx,39 ;和39比较
73471151 |.76 03 |jbe short msvbvm60.73471156
73471153 |.83C1 07 |add ecx,7
73471156 |>4F|dec edi
73471157 |.4A|dec edx
73471158 |.4A|dec edx ;存结果
73471159 |.C1E8 04 |shr eax,4 ;右移4个做完结果控制循环
7347115C |.66:890A |mov word ptr ds:[edx],cx;存入
7347115F |.^ 75 E0 \jnz short msvbvm60.73471141
73471161 |.6A 08 push 8
73471163 |.58pop eax
73471164 |.2BC7sub eax,edi
73471166 |.50push eax
73471167 |.8D447D EC lea eax,dword ptr ss:[ebp+edi*2-14]
7347116B |.50push eax
7347116C |.FF15 081A3973 call dword ptr ds:[<&OLEAUT32.#4>] ;OLEAUT32.SysAllocStringLen
73471172 |.8BF0mov esi,eax
73471174 |.85F6test esi,esi
73471176 |. /75 36 jnz short msvbvm60.734711AE;//跳转实现
73471178 |.6A 0E push 0E
7347117A |.E8 07CFFEFF call msvbvm60.7345E086
7347117F |>66:85D6 test si,dx ;Case 11 of switch 734710FB
73471182 |.74 0A je short msvbvm60.7347118E
73471184 |.8B41 08 mov eax,dword ptr ds:[ecx+8]
73471187 |.8A08mov cl,byte ptr ds:[eax]
73471189 |>0FB6C1movzx eax,cl
7347118C |.^ EB B0 jmp short msvbvm60.7347113E
7347118E |>8A49 08 mov cl,byte ptr ds:[ecx+8]
73471191 |.^ EB F6 jmp short msvbvm60.73471189
73471193 |>66:85D6 test si,dx ;Cases 2,B of switch 734710FB
73471196 |.74 10 je short msvbvm60.734711A8
73471198 |.8B41 08 mov eax,dword ptr ds:[ecx+8]
7347119B |.66:8B08 mov cx,word ptr ds:[eax]
7347119E |>81E1 FFFF0000 and ecx,0FFFF
734711A4 |.8BC1mov eax,ecx
734711A6 |.^ EB 96 jmp short msvbvm60.7347113E
734711A8 |>66:8B49 08mov cx,word ptr ds:[ecx+8]
734711AC |.^ EB F0 jmp short msvbvm60.7347119E
734711AE |> \8B4D FC mov ecx,dword ptr ss:[ebp-4] ;//跳到这里
734711B1 |.E8 7B560200 call msvbvm60.__vbaFreeVar
734711B6 |.8BC6mov eax,esi
734711B8 |.5Fpop edi
734711B9 |.5Epop esi
734711BA |.C9leave
734711BB \.C2 0400 retn 4

第二次的算法:((ASCII+2)and0F)+30--------51

第三次的算法在0042CB04这个CALL里面

734712E0 msv>/$55push ebp
734712E1 |.8BECmov ebp,esp
734712E3 |.83EC 10 sub esp,10
734712E6 |.8B45 0C mov eax,dword ptr ss:[ebp+C]
734712E9 |.56push esi
734712EA |.57push edi
734712EB |.66:8338 01cmp word ptr ds:[eax],1
734712EF |.74 21 je short msvbvm60.73471312
734712F1 |.50push eax ; /Arg1
734712F2 |.E8 01FFFFFF call msvbvm60.rtcOctBstrFromVar; \rtcOctBstrFromVar//F7
734712F7 |.8945 F8 mov dword ptr ss:[ebp-8],eax
734712FA |.66:C745 F0 08>mov word ptr ss:[ebp-10],8
73471300 |>8B45 08 mov eax,dword ptr ss:[ebp+8]
73471303 |.8D75 F0 lea esi,dword ptr ss:[ebp-10]
73471306 |.8BF8mov edi,eax
73471308 |.A5movs dword ptr es:[edi],dword ptr ds>
73471309 |.A5movs dword ptr es:[edi],dword ptr ds>
7347130A |.A5movs dword ptr es:[edi],dword ptr ds>
7347130B |.A5movs dword ptr es:[edi],dword ptr ds>
7347130C |.5Fpop edi
7347130D |.5Epop esi
7347130E |.C9leave
7347130F |.C2 0800 retn 8
73471312 |>66:C745 F0 01>mov word ptr ss:[ebp-10],1
73471318 \.^ EB E6 jmp short msvbvm60.73471300

跟进734712F2 这个CALL

734711F8 msv>/$55push ebp
734711F9 |.8BECmov ebp,esp
734711FB |.83EC 1C sub esp,1C
734711FE |.56push esi
734711FF |.57push edi
73471200 |.6A 0C push 0C
73471202 |.5Fpop edi
73471203 |.FF35 94EF4973 push dword ptr ds:[7349EF94] ; /TlsIndex = 19
73471209 |.FF15 78123973 call dword ptr ds:[<&KERNEL32.TlsGet>; \TlsGetValue
7347120F |.8B4D 08 mov ecx,dword ptr ss:[ebp+8]
73471212 |.83C0 50 add eax,50
73471215 |.8945 FC mov dword ptr ss:[ebp-4],eax
73471218 |.BE 00400000 mov esi,4000
7347121D |>66:8B11 mov dx,word ptr ds:[ecx]
73471220 |.0FB7C2movzx eax,dx
73471223 |.80E4 BF and ah,0BF
73471226 |.48dec eax;Switch (cases 2..11)
73471227 |.48dec eax
73471228 |.0F84 87000000 je msvbvm60.734712B5
7347122E |.83E8 07 sub eax,7
73471231 |.75 27 jnz short msvbvm60.7347125A;//跳转实现
73471233 |.66:85D6 test si,dx ;Case 9 of switch 73471226
73471236 |.74 1D je short msvbvm60.73471255
73471238 |.8B41 08 mov eax,dword ptr ds:[ecx+8]
7347123B |.8B08mov ecx,dword ptr ds:[eax]
7347123D |>FF75 FC push dword ptr ss:[ebp-4]; /Arg7
73471240 |.6A 03 push 3 ; |Arg6 = 00000003
73471242 |.6A 00 push 0 ; |Arg5 = 00000000
73471244 |.6A 00 push 0 ; |Arg4 = 00000000
73471246 |.6A 00 push 0 ; |Arg3 = 00000000
73471248 |.6A 00 push 0 ; |Arg2 = 00000000
7347124A |.51push ecx ; |Arg1
7347124B |.E8 5A81FFFF call msvbvm60.734693AA ; \msvbvm60.734693AA
73471250 |.8B4D FC mov ecx,dword ptr ss:[ebp-4]
73471253 |.^ EB C8 jmp short msvbvm60.7347121D
73471255 |>8B49 08 mov ecx,dword ptr ds:[ecx+8]
73471258 |.^ EB E3 jmp short msvbvm60.7347123D
7347125A |>48dec eax;//跳到这里
7347125B |.48dec eax
7347125C |.74 57 je short msvbvm60.734712B5
7347125E |.83E8 06 sub eax,6
73471261 |.74 3E je short msvbvm60.734712A1
73471263 |.51push ecx ; /Arg1; Default case of switch 73471226
73471264 |.E8 75ECFFFF call msvbvm60.7346FEDE ; \msvbvm60.7346FEDE
73471269 |>8D4D FC lea ecx,dword ptr ss:[ebp-4] ;AL=ASCII+2
7347126C |>8AD0/mov dl,al
7347126E |.4F|dec edi
7347126F |.80E2 07 |and dl,7;ASCII+2与7上次的结果和7
73471272 |.49|dec ecx
73471273 |.66:0FBED2 |movsx dx,dl
73471277 |.49|dec ecx ;存结果的地方
73471278 |.83C2 30 |add edx,30;+30
7347127B |.C1E8 03 |shr eax,3 ;右移3位直到eax为0方才结束
7347127E |.66:8911 |mov word ptr ds:[ecx],dx
73471281 |.^ 75 E9 \jnz short msvbvm60.7347126C
73471283 |.6A 0C push 0C
73471285 |.58pop eax
73471286 |.2BC7sub eax,edi
73471288 |.50push eax
73471289 |.8D447D E4 lea eax,dword ptr ss:[ebp+edi*2-1C]
7347128D |.50push eax
7347128E |.FF15 081A3973 call dword ptr ds:[<&OLEAUT32.#4>] ;OLEAUT32.SysAllocStringLen
73471294 |.8BF0mov esi,eax
73471296 |.85F6test esi,esi
73471298 |.75 36 jnz short msvbvm60.734712D0;//跳转实现
7347129A |.6A 0E push 0E
7347129C |.E8 E5CDFEFF call msvbvm60.7345E086
734712A1 |>66:85D6 test si,dx ;Case 11 of switch 73471226
734712A4 |.74 0A je short msvbvm60.734712B0
734712A6 |.8B41 08 mov eax,dword ptr ds:[ecx+8]
734712A9 |.8A08mov cl,byte ptr ds:[eax]
734712AB |>0FB6C1movzx eax,cl
734712AE |.^ EB B9 jmp short msvbvm60.73471269
734712B0 |>8A49 08 mov cl,byte ptr ds:[ecx+8]
734712B3 |.^ EB F6 jmp short msvbvm60.734712AB
734712B5 |>66:85D6 test si,dx ;Cases 2,B of switch 73471226
734712B8 |.74 10 je short msvbvm60.734712CA
734712BA |.8B41 08 mov eax,dword ptr ds:[ecx+8]
734712BD |.66:8B08 mov cx,word ptr ds:[eax]
734712C0 |>81E1 FFFF0000 and ecx,0FFFF
734712C6 |.8BC1mov eax,ecx
734712C8 |.^ EB 9F jmp short msvbvm60.73471269
734712CA |>66:8B49 08mov cx,word ptr ds:[ecx+8]
734712CE |.^ EB F0 jmp short msvbvm60.734712C0
734712D0 |>8B4D FC mov ecx,dword ptr ss:[ebp-4] ;//跳到这里
734712D3 |.E8 59550200 call msvbvm60.__vbaFreeVar
734712D8 |.8BC6mov eax,esi
734712DA |.5Fpop edi
734712DB |.5Epop esi
734712DC |.C9leave
734712DD \.C2 0400 retn 4

第三次的算法:
((ASCII+2)and7)+30
(EAX shr 3)and7)+30
(EAX shr 3)and7)+30--------112
然后在进行连接,连接方式是,本次计算结果的前两个字符放在上次计算结果字符的前面,后三个字符放在上次计算结果的后面

第一次运行后的结果:4F 51 45 30 35 38 33 42 59 51 4A 55 45 105 125 112 121 131 102 637 065 601 051 211 17

长度:7A
----------------------------------------------------------------------------------------------------------

cshow · 发表于 2008-9-15 03:26

第二次循环:

0042CB96> /8B95 40FDFFFF mov edx,dword ptr ss:[ebp-2C0] ;//第二次循环的开始
0042CB9C. |3955 DC cmp dword ptr ss:[ebp-24],edx
0042CB9F. |7F 7C jg short 123.0042CC1D
0042CBA1. |C745 90 01000>mov dword ptr ss:[ebp-70],1;//每次去一位进行运算
0042CBA8. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CBAF. |8B45 C4 mov eax,dword ptr ss:[ebp-3C];//上次运算结果放在EAX里
0042CBB2. |50push eax ;//压栈
0042CBB3. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CBB6. |51push ecx
0042CBB7. |8B55 DC mov edx,dword ptr ss:[ebp-24]
0042CBBA. |52push edx
0042CBBB. |8B45 C0 mov eax,dword ptr ss:[ebp-40];//第一次循环后的结果给EAX
0042CBBE. |50push eax
0042CBBF. |FFD3call ebx ;//这里是计算去第一次计算结果的第几位
0042CBC1. |8BD0mov edx,eax
0042CBC3. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CBC6. |FFD6call esi
0042CBC8. |50push eax ; /Arg1
0042CBC9. |FF15 3C104000 call dword ptr ds:[<&msvbvm60.rtcAns>; \rtcAnsiValueBstr
0042CBCF. |50push eax
0042CBD0. |FF15 04104000 call dword ptr ds:[<&msvbvm60.__vbaS>;//和F(x)的算法一样
0042CBD6. |8BD0mov edx,eax
0042CBD8. |8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0042CBDB. |FFD6call esi
0042CBDD. |50push eax ; |Arg1
0042CBDE. |FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; \__vbaStrCat
0042CBE4. |8BD0mov edx,eax
0042CBE6. |8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0042CBE9. |FFD6call esi
0042CBEB. |8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0042CBEE. |51push ecx
0042CBEF. |8D55 BC lea edx,dword ptr ss:[ebp-44]
0042CBF2. |52push edx
0042CBF3. |6A 02 push 2
0042CBF5. |FF15 A4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStrList
0042CBFB. |83C4 0C add esp,0C
0042CBFE. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CC01. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CC07. |B8 01000000 mov eax,1
0042CC0C. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CC0F. |0F80 82190000 jo 123.0042E597
0042CC15. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CC18.^\E9 79FFFFFF jmp 123.0042CB96
0042CC1D>8B45 C4 mov eax,dword ptr ss:[ebp-3C]

跟进0042CBD0 这个CALL

73470344 msv>/$55push ebp
73470345 |.8BECmov ebp,esp
73470347 |.51push ecx
73470348 |.8D45 FC lea eax,dword ptr ss:[ebp-4]
7347034B |.50push eax
7347034C |.6A 00 push 0
7347034E |.E8 F961F2FF call msvbvm60.7339654C
73470353 |.50push eax
73470354 |.FF75 08 push dword ptr ss:[ebp+8]
73470357 |.FF15 BC1A3973 call dword ptr ds:[<&OLEAUT32.#109>] ;F7跟进
7347035D |.85C0test eax,eax
7347035F |.7D 0C jge short msvbvm60.7347036D
73470361 |.50push eax
73470362 |.E8 8DB9FEFF call msvbvm60.7345BCF4
73470367 |.50push eax
73470368 |.E8 19DDFEFF call msvbvm60.7345E086
7347036D |>8B45 FC mov eax,dword ptr ss:[ebp-4]
73470370 |.C9leave
73470371 \.C2 0400 retn 4

再跟进73470357

7710DD36 OLE> $8BFFmov edi,edi
7710DD38.55push ebp
7710DD39.8BECmov ebp,esp
7710DD3B.83EC 54 sub esp,54
7710DD3E.A1 04101777 mov eax,dword ptr ds:[77171004]
7710DD43.56push esi
7710DD44.8B75 10 mov esi,dword ptr ss:[ebp+10]
7710DD47.F7C6 00000010 test esi,10000000
7710DD4D.8945 FC mov dword ptr ss:[ebp-4],eax
7710DD50.57push edi
7710DD51.8B7D 14 mov edi,dword ptr ss:[ebp+14]
7710DD54.8D45 AC lea eax,dword ptr ss:[ebp-54]
7710DD57.0F85 D15A0100 jnz OLEAUT32.7712382E
7710DD5D.50push eax
7710DD5E.0FBF45 08 movsx eax,word ptr ss:[ebp+8];当前的字符ASCII给EAX
7710DD62.50push eax
7710DD63.E8 1D000000 call OLEAUT32.7710DD85 ;F7跟进
7710DD68.57push edi
7710DD69.8D45 AC lea eax,dword ptr ss:[ebp-54]
7710DD6C.50push eax
7710DD6D.E8 B6C7FEFF call OLEAUT32.770FA528
7710DD72>8B4D FC mov ecx,dword ptr ss:[ebp-4]
7710DD75.5Fpop edi
7710DD76.5Epop esi
7710DD77.E8 8137FEFF call OLEAUT32.770F14FD
7710DD7C.C9leave
7710DD7D.C2 1000 retn 10

再跟进7710DD63来到

7710DD85$8BFFmov edi,edi
7710DD87.55push ebp
7710DD88.8BECmov ebp,esp
7710DD8A.837D 08 00cmp dword ptr ss:[ebp+8],0
7710DD8E.0F8C 9A980100 jl OLEAUT32.7712762E
7710DD94.6A 00 push 0
7710DD96>FF75 0C push dword ptr ss:[ebp+C]
7710DD99.FF75 08 push dword ptr ss:[ebp+8]
7710DD9C.E8 BAC7FEFF call OLEAUT32.770FA55B ;F7跟进
7710DDA1.8B45 0C mov eax,dword ptr ss:[ebp+C]
7710DDA4.5Dpop ebp
7710DDA5.C2 0800 retn 8

跟进7710DD9C 第二次循环的关键算法

770FA55B$8BFFmov edi,edi
770FA55D.55push ebp
770FA55E.8BECmov ebp,esp
770FA560.837D 10 00cmp dword ptr ss:[ebp+10],0
770FA564.8B4D 0C mov ecx,dword ptr ss:[ebp+C]
770FA567.0F85 B1D00200 jnz OLEAUT32.7712761E
770FA56D>56push esi
770FA56E.8BF1mov esi,ecx
770FA570.53push ebx
770FA571>8B45 08 mov eax,dword ptr ss:[ebp+8]
770FA574.33D2xor edx,edx
770FA576.6A 0A push 0A
770FA578.5Bpop ebx;EBP=OA
770FA579.F7F3div ebx;EAX对EBX求余余数在EDX
770FA57B.83C2 30 add edx,30 ;余数+30
770FA57E.66:8911 mov word ptr ds:[ecx],dx ;给[ECX]
770FA581.41inc ecx
770FA582.41inc ecx
770FA583.85C0test eax,eax
770FA585.8945 08 mov dword ptr ss:[ebp+8],eax
770FA588.^ 77 E7 ja short OLEAUT32.770FA571
770FA58A.66:8321 00and word ptr ds:[ecx],0;[ECX]与0
770FA58E.49dec ecx
770FA58F.49dec ecx
770FA590.5Bpop ebx;下面把计算结果位置互换
770FA591>66:8B16 mov dx,word ptr ds:[esi] ;第一次计算结果给DX
770FA594.66:8B01 mov ax,word ptr ds:[ecx] ;第二次计算结果给ax
770FA597.66:8911 mov word ptr ds:[ecx],dx ;在入栈
770FA59A.49dec ecx
770FA59B.66:8906 mov word ptr ds:[esi],ax ;在入栈
770FA59E.49dec ecx;存
770FA59F.46inc esi
770FA5A0.46inc esi
770FA5A1.3BF1cmp esi,ecx;比较ECX和ESI是否相等相等循环
770FA5A3.^ 72 EC jb short OLEAUT32.770FA591
770FA5A5.5Epop esi
770FA5A6.5Dpop ebp
770FA5A7.C2 0C00 retn 0C

这里其实就是第一循环里面的第一次算法~~那个F(x)

第一次的算法:
(ASCII+2)对A求余+30ASCII码是第一次运算结果的每一个字符的
上次的运算结果进行相同的运算

第二次运算结果:79527 05349 52535 14851 53515 65151 52505 35753 49526 55353 52534 94853 49505 34949 50495 04949 51494 94850 54515 54854

53544 84948 53495 04949 4955
长度:7C
-----------------------------------------------------------------------------------------------------------
第三次循环:(这个重点算法后面有很多算法都是和这个一样)

0042CC34> /8B8D 38FDFFFF mov ecx,dword ptr ss:[ebp-2C8] ;第三次循环开始~~
0042CC3A. |8B45 DC mov eax,dword ptr ss:[ebp-24]
0042CC3D. |3BC1cmp eax,ecx
0042CC3F. |7F 64 jg short 123.0042CCA5
0042CC41. |C745 90 05000>mov dword ptr ss:[ebp-70],5
0042CC48. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CC4F. |8D55 88 lea edx,dword ptr ss:[ebp-78]
0042CC52. |52push edx
0042CC53. |50push eax
0042CC54. |8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
0042CC57. |51push ecx
0042CC58. |FFD3call ebx
0042CC5A. |8BD0mov edx,eax
0042CC5C. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CC5F. |FFD6call esi
0042CC61. |50push eax
0042CC62. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042CC68. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;第二次运算结果的每五个字符十六进制给EAX
0042CC6E. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042CC71. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CC74. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042CC7A. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CC7D. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CC83. |8B55 C8 mov edx,dword ptr ss:[ebp-38];16进制相加
0042CC86. |0355 E0 add edx,dword ptr ss:[ebp-20];第一次和用户名的位数相加
0042CC89. |0F80 08190000 jo 123.0042E597
0042CC8F. |8955 C8 mov dword ptr ss:[ebp-38],edx
0042CC92. |B8 05000000 mov eax,5
0042CC97. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CC9A. |0F80 F7180000 jo 123.0042E597
0042CCA0. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CCA3.^\EB 8F jmp short 123.0042CC34
0042CCA5>8B45 C0 mov eax,dword ptr ss:[ebp-40]

0042CC68.FF15 E4114000call dword ptr ds:[<&msvbvm60.__vbaF>;第二次运算结果的每五个字符十六进制给EAX

0042CC83.8B55 C8mov edx,dword ptr ss:[ebp-38];16进制相加
0042CC86.0355 E0add edx,dword ptr ss:[ebp-20];第一次和用户名的位数相加

79527--136A7
第一次和用户名的位数(我这里是D)相加,保存在edx(=136B4)
05349--14E5
52535--CD37
14851--3A03
53515--D10B
65151--FE7F
52505--CD19
35753--8BA9
49526--C176
55353--D839
52534--CD36
94853--17285
49505--C161
34949--8885
50495--C53F
04949--1355
51494--C926
94850--17282
54515--D4F3
54854--D646
53544--D128
84948--14BD4
53495--D0F7
04949--1355
4955--135B

最后:EDX=127287

结果:7952705349525351485153515651515250535753495265535352534948534950534949504950494951494948505451554854
长度:3D
-------------------------------------------------------------------------------------------------------------
第四次循环:(这次是对第一次循环的结果进行的运算)0042CCBC> /8B8D 30FDFFFF mov ecx,dword ptr ss:[ebp-2D0]
0042CCC2. |394D DC cmp dword ptr ss:[ebp-24],ecx
0042CCC5. |6A 01 push 1
0042CCC7. |0F8F 82000000 jg 123.0042CD4F
0042CCCD. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CCD3. |C745 90 01000>mov dword ptr ss:[ebp-70],1
0042CCDA. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CCE1. |8B55 C4 mov edx,dword ptr ss:[ebp-3C]
0042CCE4. |52push edx
0042CCE5. |8D45 88 lea eax,dword ptr ss:[ebp-78]
0042CCE8. |50push eax
0042CCE9. |8B4D DC mov ecx,dword ptr ss:[ebp-24]
0042CCEC. |51push ecx
0042CCED. |8B55 C0 mov edx,dword ptr ss:[ebp-40];第一次循环的结果
0042CCF0. |52push edx
0042CCF1. |FFD3call ebx ;每一位的ASCII
0042CCF3. |8BD0mov edx,eax
0042CCF5. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CCF8. |FFD6call esi
0042CCFA. |50push eax ; /Arg1
0042CCFB. |FF15 3C104000 call dword ptr ds:[<&msvbvm60.rtcAns>; \提取ASCII
0042CD01. |50push eax
0042CD02. |FF15 04104000 call dword ptr ds:[<&msvbvm60.__vbaS>;进行F(x)的算法
0042CD08. |8BD0mov edx,eax
0042CD0A. |8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0042CD0D. |FFD6call esi
0042CD0F. |50push eax ; |Arg1
0042CD10. |FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaS>; \连接到第二次循环运算结果的后面
0042CD16. |8BD0mov edx,eax;跟进去才可以看见出来就看不见了
0042CD18. |8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0042CD1B. |FFD6call esi
0042CD1D. |8D45 B8 lea eax,dword ptr ss:[ebp-48]
0042CD20. |50push eax
0042CD21. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CD24. |51push ecx
0042CD25. |6A 02 push 2
0042CD27. |FF15 A4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStrList
0042CD2D. |83C4 0C add esp,0C
0042CD30. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CD33. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CD39. |B8 01000000 mov eax,1
0042CD3E. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CD41. |0F80 50180000 jo 123.0042E597
0042CD47. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CD4A.^\E9 6DFFFFFF jmp 123.0042CCBC
0042CD4F>FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError

算法:
(ASCII)对A求余+30
第一次循环结果:4F 51 45 30 35 38 33 42 59 51 4A 55 45 105 125 112 121 131 102 637 065 601 051 211 17
4--52
F--70
5--53
1--49
4--52
5--53
.....
2--50
1--49
1--49
1--49
7--55
第二次运算结果:7952705349525351485153515651515250535753495265535352534948534950534949504950494951494948505451554854535448494853495049494955

第四次运算结果:7952705349525351485153515651515250535753495265535352534948534950534949504950494951494948505451554854535448494853495049494955
5270534952535148515351565151525053575349526553535253494853495053494950495049495149494850545155485453544849485349504949495
长度:F6(246)
------------------------------------------------------------------------------------------------------------
第五次循环:(方法和第三次循环一样)

0042CD6F> /3B85 28FDFFFF cmp eax,dword ptr ss:[ebp-2D8] ;第五次开始
0042CD75. |6A 01 push 1
0042CD77. |7F 75 jg short 123.0042CDEE
0042CD79. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CD7F. |C745 90 05000>mov dword ptr ss:[ebp-70],5;每循环一次提取五个字符
0042CD86. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CD8D. |8D45 88 lea eax,dword ptr ss:[ebp-78]
0042CD90. |50push eax
0042CD91. |8B4D DC mov ecx,dword ptr ss:[ebp-24]
0042CD94. |51push ecx
0042CD95. |8B55 C4 mov edx,dword ptr ss:[ebp-3C]
0042CD98. |52push edx
0042CD99. |FFD3call ebx ;提取第四次循环结果的前五个字符
0042CD9B. |8BD0mov edx,eax
0042CD9D. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CDA0. |FFD6call esi
0042CDA2. |50push eax
0042CDA3. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042CDA9. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;将这五个字符转换成16进制
0042CDAF. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042CDB2. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CDB5. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042CDBB. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CDBE. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CDC4. |6A 01 push 1
0042CDC6. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CDCC. |8B45 C8 mov eax,dword ptr ss:[ebp-38];[EBP-38]->EAX
0042CDCF. |0345 E0 add eax,dword ptr ss:[ebp-20];[EBP-38]+16进制->EAX
0042CDD2. |0F80 BF170000 jo 123.0042E597
0042CDD8. |8945 C8 mov dword ptr ss:[ebp-38],eax;结果给[EBP-38]
0042CDDB. |B8 05000000 mov eax,5;下面是控制下次循环的
0042CDE0. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CDE3. |0F80 AE170000 jo 123.0042E597
0042CDE9. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CDEC.^\EB 81 jmp short 123.0042CD6F
0042CDEE>FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError

第一次和第三次循环后保存的结果相加,接着继续累加,只是保存在EAX

79527--136A7
05349--CD37
52535--3A03
...........
48534--BD96
95049--17349
49495--C157

最后累加后的结果:EAX=00368607

长度:F6
------------------------------------------------------------------------------------------------------------
第六次循环:(算法和第三次循环一样)

0042CE0E> /3B85 20FDFFFF cmp eax,dword ptr ss:[ebp-2E0] ;第六次开始
0042CE14. |6A 01 push 1
0042CE16. |7F 75 jg short 123.0042CE8D
0042CE18. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CE1E. |C745 90 04000>mov dword ptr ss:[ebp-70],4;取4个字符
0042CE25. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CE2C. |8D55 88 lea edx,dword ptr ss:[ebp-78]
0042CE2F. |52push edx
0042CE30. |8B45 DC mov eax,dword ptr ss:[ebp-24]
0042CE33. |50push eax
0042CE34. |8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
0042CE37. |51push ecx
0042CE38. |FFD3call ebx ;取第二次循环的每四个字符
0042CE3A. |8BD0mov edx,eax
0042CE3C. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CE3F. |FFD6call esi
0042CE41. |50push eax
0042CE42. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042CE48. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFpI4
0042CE4E. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042CE51. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CE54. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042CE5A. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CE5D. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CE63. |6A 01 push 1
0042CE65. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CE6B. |8B55 D8 mov edx,dword ptr ss:[ebp-28]
0042CE6E. |0355 E0 add edx,dword ptr ss:[ebp-20]
0042CE71. |0F80 20170000 jo 123.0042E597
0042CE77. |8955 D8 mov dword ptr ss:[ebp-28],edx;从EDX转存到堆栈
0042CE7A. |B8 04000000 mov eax,4
0042CE7F. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CE82. |0F80 0F170000 jo 123.0042E597
0042CE88. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CE8B.^\EB 81 jmp short 123.0042CE0E
0042CE8D>FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError

这次只是把取五个字符改成取四个字符而已,把字符全部转换成16进制后累加(不是和前面的结果累加)

7952--1F10
7053--1B8D
4952--1358
5351--14E7
..........
3495--DA7
0494--1EE
9495--2517

最后累加结果:EDX=0004E264

长度:F6
------------------------------------------------------------------------------------------------------------
第七次循环:(算法和第三次循环一样)

0042CEAD> /3B85 18FDFFFF cmp eax,dword ptr ss:[ebp-2E8] ;第七次循环
0042CEB3. |7F 77 jg short 123.0042CF2C
0042CEB5. |6A 01 push 1
0042CEB7. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CEBD. |C745 90 03000>mov dword ptr ss:[ebp-70],3;取三个字符
0042CEC4. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CECB. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CECE. |51push ecx
0042CECF. |8B55 DC mov edx,dword ptr ss:[ebp-24]
0042CED2. |52push edx
0042CED3. |8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0042CED6. |50push eax
0042CED7. |FFD3call ebx
0042CED9. |8BD0mov edx,eax
0042CEDB. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CEDE. |FFD6call esi
0042CEE0. |50push eax
0042CEE1. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042CEE7. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFpI4
0042CEED. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042CEF0. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CEF3. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042CEF9. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CEFC. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CF02. |6A 01 push 1
0042CF04. |FF15 84104000 call dword ptr ds:[<&msvbvm60.__vbaO>;msvbvm60.__vbaOnError
0042CF0A. |8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
0042CF0D. |034D E0 add ecx,dword ptr ss:[ebp-20]
0042CF10. |0F80 81160000 jo 123.0042E597
0042CF16. |894D D4 mov dword ptr ss:[ebp-2C],ecx
0042CF19. |B8 03000000 mov eax,3
0042CF1E. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CF21. |0F80 70160000 jo 123.0042E597
0042CF27. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CF2A.^\EB 81 jmp short 123.0042CEAD
0042CF2C>8B55 C4 mov edx,dword ptr ss:[ebp-3C]

这次只是把取五个字符改成取三个字符而已,把字符全部转换成16进制后累加(不是和前面的结果累加)

795--31B
270--10E
534--216
........
504--1F8
949--3B5
495--1EF

最后累加的结果:ECX=A944

长度:F6
--------------------------------------------------------------------------------------------------------------
第八次循环:(算法和第三次一样)

0042CF43> /8B85 10FDFFFF mov eax,dword ptr ss:[ebp-2F0] ;第八次
0042CF49. |3945 DC cmp dword ptr ss:[ebp-24],eax
0042CF4C. |7F 67 jg short 123.0042CFB5
0042CF4E. |C745 90 04000>mov dword ptr ss:[ebp-70],4;取4个
0042CF55. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CF5C. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CF5F. |51push ecx
0042CF60. |8B55 DC mov edx,dword ptr ss:[ebp-24]
0042CF63. |52push edx
0042CF64. |8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0042CF67. |50push eax
0042CF68. |FFD3call ebx
0042CF6A. |8BD0mov edx,eax
0042CF6C. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CF6F. |FFD6call esi
0042CF71. |50push eax
0042CF72. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042CF78. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFpI4
0042CF7E. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042CF81. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CF84. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042CF8A. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CF8D. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042CF93. |8B4D D8 mov ecx,dword ptr ss:[ebp-28]
0042CF96. |034D E0 add ecx,dword ptr ss:[ebp-20]
0042CF99. |0F80 F8150000 jo 123.0042E597
0042CF9F. |894D D8 mov dword ptr ss:[ebp-28],ecx
0042CFA2. |B8 04000000 mov eax,4
0042CFA7. |0345 DC add eax,dword ptr ss:[ebp-24]
0042CFAA. |0F80 E7150000 jo 123.0042E597
0042CFB0. |8945 DC mov dword ptr ss:[ebp-24],eax
0042CFB3.^\EB 8E jmp short 123.0042CF43
0042CFB5>8B55 C4 mov edx,dword ptr ss:[ebp-3C]

第一次是和第五次的结果(0004E264)累加

7952--1F10
7053--1B8D
4952--1358
5351--14E7
..........
3495--DA7
0494--1EE
9495--2517

最后累加结果:ECX=0009C4C8

长度:F6
----------------------------------------------------------------------------------------------------------------
第九次循环:(算法和第三次一样)

0042CFCC> /8B85 08FDFFFF mov eax,dword ptr ss:[ebp-2F8] ;第九次循环
0042CFD2. |3945 DC cmp dword ptr ss:[ebp-24],eax
0042CFD5. |7F 67 jg short 123.0042D03E
0042CFD7. |C745 90 03000>mov dword ptr ss:[ebp-70],3
0042CFDE. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042CFE5. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042CFE8. |51push ecx
0042CFE9. |8B55 DC mov edx,dword ptr ss:[ebp-24]
0042CFEC. |52push edx
0042CFED. |8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0042CFF0. |50push eax
0042CFF1. |FFD3call ebx
0042CFF3. |8BD0mov edx,eax
0042CFF5. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042CFF8. |FFD6call esi
0042CFFA. |50push eax
0042CFFB. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042D001. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFpI4
0042D007. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042D00A. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042D00D. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042D013. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042D016. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042D01C. |8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
0042D01F. |034D E0 add ecx,dword ptr ss:[ebp-20]
0042D022. |0F80 6F150000 jo 123.0042E597
0042D028. |894D D4 mov dword ptr ss:[ebp-2C],ecx
0042D02B. |B8 03000000 mov eax,3
0042D030. |0345 DC add eax,dword ptr ss:[ebp-24]
0042D033. |0F80 5E150000 jo 123.0042E597
0042D039. |8945 DC mov dword ptr ss:[ebp-24],eax
0042D03C.^\EB 8E jmp short 123.0042CFCC
0042D03E>8B55 C4 mov edx,dword ptr ss:[ebp-3C]

第一次是和第六次的结果(0000A944)累加

795--31B
270--10E
534--216
........
504--1F8
949--3B5
495--1EF

最后累加的结果:ECX=00015288

长度:F6
----------------------------------------------------------------------------------------------------------------
第十次循环:(算法和第三次一样)

0042D055> /8B85 00FDFFFF mov eax,dword ptr ss:[ebp-300] ;第十次循环
0042D05B. |3945 DC cmp dword ptr ss:[ebp-24],eax
0042D05E. |7F 67 jg short 123.0042D0C7
0042D060. |C745 90 01000>mov dword ptr ss:[ebp-70],1;取1个
0042D067. |C745 88 02000>mov dword ptr ss:[ebp-78],2
0042D06E. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042D071. |51push ecx
0042D072. |8B55 DC mov edx,dword ptr ss:[ebp-24]
0042D075. |52push edx
0042D076. |8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0042D079. |50push eax
0042D07A. |FFD3call ebx
0042D07C. |8BD0mov edx,eax
0042D07E. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042D081. |FFD6call esi
0042D083. |50push eax
0042D084. |FF15 8C114000 call dword ptr ds:[<&msvbvm60.__vbaR>;msvbvm60.__vbaR8Str
0042D08A. |FF15 E4114000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFpI4
0042D090. |8945 E0 mov dword ptr ss:[ebp-20],eax
0042D093. |8D4D BC lea ecx,dword ptr ss:[ebp-44]
0042D096. |FF15 24124000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeStr
0042D09C. |8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042D09F. |FF15 20104000 call dword ptr ds:[<&msvbvm60.__vbaF>;msvbvm60.__vbaFreeVar
0042D0A5. |8B4D CC mov ecx,dword ptr ss:[ebp-34]
0042D0A8. |034D E0 add ecx,dword ptr ss:[ebp-20]
0042D0AB. |0F80 E6140000 jo 123.0042E597
0042D0B1. |894D CC mov dword ptr ss:[ebp-34],ecx
0042D0B4. |B8 01000000 mov eax,1
0042D0B9. |0345 DC add eax,dword ptr ss:[ebp-24]
0042D0BC. |0F80 D5140000 jo 123.0042E597
0042D0C2. |8945 DC mov dword ptr ss:[ebp-24],eax
0042D0C5.^\EB 8E jmp short 123.0042D055
0042D0C7>8D55 CC lea edx,dword ptr ss:[ebp-34];终于走完了十大循环

每次取一个字符,把字符全部转换成16进制后累加(不是和前面的结果累加)

7--7
9--9
5--5
2--2
7--7
....
9--9
4--4
9--9
4--4
9--9
5--5

最后结果:ECX=00000486

--------------------------------------------------------------------------------------------------------------------
0042D0C7> \8D55 CC lea edx,dword ptr ss:[ebp-34];终于走完了十大循环
0042D0CA.8995 00FEFFFF mov dword ptr ss:[ebp-200],edx ;保存第九次循环结果地址存在[ebp-200]
0042D0D0.C785 F8FDFFFF>mov dword ptr ss:[ebp-208],4003;4003保存在[ebp-208]
0042D0DA.8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208] ;[ebp-208]的地址给eax
0042D0E0.50push eax
0042D0E1.8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0042D0E4.51push ecx
0042D0E5.8B1D DC114000 mov ebx,dword ptr ds:[<&msvbvm60.rtc>;msvbvm60.rtcVarStrFromVar
0042D0EB.FFD3call ebx ;得到一串注册码字符; <&msvbvm60.rtcVarStrFromVar>
0042D0ED.8D55 88 lea edx,dword ptr ss:[ebp-78]
0042D0F0.52push edx ; /Arg2
0042D0F1.8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]; |
0042D0F7.50push eax ; |Arg1
0042D0F8.FF15 AC104000 call dword ptr ds:[<&msvbvm60.rtcLef>; \过滤掉空格

用第九次循环得到结果(486)通过第一次的算法:[(ASCII+2)对A求余+30]得到" 1158"(有个空格)

剩下的三个方法一样~~~

用第八次循环得到结果(15288)通过第一次的算法:[(ASCII+2)对A求余+30]得到" 86664")(有个空格) 清空格

用第七次循环得到结果(15288)通过第一次的算法:[(ASCII+2)对A求余+30]得到" 640200")(有个空格) 清空格

用第五次循环得到结果(00368607)通过第一次的算法:[(ASCII+2)对A求余+30]得到" 3573255"(有个空格) 清空格

最后经过__vbaVarCat连接到一起

0042D1A3.C785 C0FDFFFF>mov dword ptr ss:[ebp-240],14
0042D1AD.C785 B8FDFFFF>mov dword ptr ss:[ebp-248],8002
0042D1B7.8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0042D1BD.51push ecx ; /Arg3
0042D1BE.8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]; |
0042D1C4.52push edx ; |Arg2
0042D1C5.8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]; |
0042D1CB.50push eax ; |Arg1
0042D1CC.FF15 6C114000 call dword ptr ds:[<&msvbvm60.__vbaV>; \__vbaVarCat
0042D1D2.50push eax ; /Arg3
0042D1D3.8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8]; |
0042D1D9.51push ecx ; |Arg2
0042D1DA.8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]; |
0042D1E0.52push edx ; |Arg1
0042D1E1.FF15 6C114000 call dword ptr ds:[<&msvbvm60.__vbaV>; \__vbaVarCat
0042D1E7.50push eax ; /Arg3
0042D1E8.8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-108] ; |
0042D1EE.50push eax ; |Arg2
0042D1EF.8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-118] ; |
0042D1F5.51push ecx ; |Arg1
0042D1F6.FF15 6C114000 call dword ptr ds:[<&msvbvm60.__vbaV>; \__vbaVarCat;//跟进可找到注册码

找注册码的可见我的追码教程

就得到

1158866646402003573255

丶寳 · 发表于 2008-9-15 08:42

[s:38][s:38] 好多看的迷糊了

cshow · 发表于 2008-9-15 09:09

我也迷糊了~~~
不过为了熟悉VB程序`~
我也只好认了~~
十次循环呢~~~

cshow · 发表于 2008-9-15 12:22

引用第5楼ill于2008-09-15 09:26发表的:
好牛喔!
只不过看得有点让人头晕目眩 [s:38]

所以我感觉没有头了

XuZhenG · 发表于 2008-9-15 12:27

这个东东我也分析了啊不过好像没这么复杂...

Hmily · 发表于 2008-9-15 21:33

欢迎cshow兄多发布算法教程~

xx132464 · 发表于 2008-9-16 00:29

[s:44][s:44] 头大了啊哦

sfl4800 · 发表于 2008-9-16 08:33

算法。。先支持。。
[s:43]

cshow · 发表于 2008-9-16 13:40

引用第7楼XzOsAPl于2008-09-15 12:27发表的:
这个东东我也分析了啊不过好像没这么复杂...

交流下如果没有这么麻烦的话
我倒想写注册机

帐号		自动登录	找回密码
密码			注册[Register]

QQ远程聊天记录查看器 算法分析

QQ远程聊天记录查看器算法分析