This post was last edited by growuphappily on 2020-3-2 13:22
0x01 Main text
Thinking back to when I patched it last time, I found a bunch of strings, only one of which was hexadecimal.
Let's look at the VB Decompiler output:
[Visual Basic]
loc_004064A2: For var_24 = 1 To Len(var_44) Step 1
loc_004064A8:
loc_004064AA: If var_24 = 0 Then GoTo loc_004065D9
loc_004064C4: var_50 = CStr(Left(var_44, 2))
loc_00406516: var_3A0 = Asc(Mid$(CStr(var_44), CLng(var_24), 1))
loc_00406558: var_8C = Hex$((var_3A8 + var_CC))
loc_00406585: var_34 = 0 & Hex$((var_3A8 + var_CC))
loc_004065CE: Next var_24
loc_004065D4: GoTo loc_004064A8
loc_004065D9: 'Referenced from: 004064AA
loc_00406601: If (var_34 = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C") = 0 Then GoTo loc_0040664F
So it takes the characters of the string one at a time, converts each to its ASCII code, adds var_CC, joins the results together, and prepends a 0.
What var_CC is isn't known yet; I need to look at the code in OD.
(var_CC is ebp-0xCC in OD)
The code in OD:
[Asm]
00406432 > \8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4]
00406438 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
0040643B . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x0
00406445 . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0x2
0040644F . FFD7 call edi ; user32.PeekMessageA
00406451 . B8 02000000 mov eax,0x2
00406456 . B9 01000000 mov ecx,0x1
0040645B . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax ; msvbvm60.6601A3C8
00406461 . 8985 3CFFFFFF mov dword ptr ss:[ebp-0xC4],eax ; msvbvm60.6601A3C8
00406467 . 898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx
0040646D . 898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx
00406473 . 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-0xB4]
00406479 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
0040647C . 50 push eax ; /Step8 = msvbvm60.6601A3C8
0040647D . 8D55 9C lea edx,dword ptr ss:[ebp-0x64] ; |
00406480 . 51 push ecx ; |/var18 = C71CB2C8
00406481 . 52 push edx ; ||retBuffer8 = NULL
00406482 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVa>; |\__vbaLenVar
00406488 . 50 push eax ; |End8 = msvbvm60.6601A3C8
00406489 . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4] ; |
0040648F . 8D8D 68FDFFFF lea ecx,dword ptr ss:[ebp-0x298] ; |
00406495 . 50 push eax ; |Start8 = msvbvm60.6601A3C8
00406496 . 8D95 78FDFFFF lea edx,dword ptr ss:[ebp-0x288] ; |
0040649C . 51 push ecx ; |TMPend8 = C71CB2C8
0040649D . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; |
004064A0 . 52 push edx ; |TMPstep8 = NULL
004064A1 . 50 push eax ; |Counter8 = msvbvm60.6601A3C8
004064A2 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForInit
004064A8 > 85C0 test eax,eax ; msvbvm60.6601A3C8
004064AA . 0F84 29010000 je Andréna.004065D9
004064B0 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
004064B3 . 6A 02 push 0x2 ; pushes 2, so only the first two characters are taken
004064B5 . 8D55 8C lea edx,dword ptr ss:[ebp-0x74]
004064B8 . 51 push ecx
004064B9 . 52 push edx
004064BA . FFD3 call ebx ; this call is VB's Left() function, which takes the first N characters of a string; 2 was pushed above, so it takes the first two
004064BC . 8D45 8C lea eax,dword ptr ss:[ebp-0x74]
004064BF . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
004064C2 . 50 push eax ; msvbvm60.6601A3C8
004064C3 . 51 push ecx
004064C4 . FFD6 call esi ; this call stores the string obtained above at a memory location and puts the address in eax
004064C6 . 50 push eax ; msvbvm60.6601A3C8
004064C7 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#581>] ; converts the extracted characters into a hex number and puts it in the floating-point register. Note: this is not decimal-to-hex conversion; for example, input 12 gives 0x12
004064CD . DD9D 34FFFFFF fstp qword ptr ss:[ebp-0xCC] ; here the number just converted is stored into ebp-0xCC
004064D3 . 8D55 9C lea edx,dword ptr ss:[ebp-0x64]
004064D6 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004064D9 . 52 push edx
004064DA . 50 push eax ; msvbvm60.6601A3C8
004064DB . C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1
004064E2 . C745 9C 02000>mov dword ptr ss:[ebp-0x64],0x2
004064E9 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>; msvbvm60.__vbaI4Var
004064EF . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
004064F2 . 50 push eax ; msvbvm60.6601A3C8
004064F3 . 8D55 B8 lea edx,dword ptr ss:[ebp-0x48]
004064F6 . 51 push ecx
004064F7 . 52 push edx
004064F8 . FFD6 call esi
004064FA . 50 push eax ; msvbvm60.6601A3C8
004064FB . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.#631>] ; msvbvm60.rtcMidCharBstr
00406501 . 8BD0 mov edx,eax ; msvbvm60.6601A3C8
00406503 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00406506 . FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; msvbvm60.__vbaStrMove
0040650C . 50 push eax ; /String = "tl"
0040650D . FF15 20104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00406513 . 0FBFC0 movsx eax,ax
00406516 . 8985 60FCFFFF mov dword ptr ss:[ebp-0x3A0],eax ; msvbvm60.6601A3C8
0040651C . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00406522 . DB85 60FCFFFF fild dword ptr ss:[ebp-0x3A0]
00406528 . 51 push ecx
00406529 . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x5
00406533 . DD9D 58FCFFFF fstp qword ptr ss:[ebp-0x3A8]
00406539 . DD85 58FCFFFF fld qword ptr ss:[ebp-0x3A8]
0040653F . DC85 34FFFFFF fadd qword ptr ss:[ebp-0xCC]
00406545 . DD5D 84 fstp qword ptr ss:[ebp-0x7C]
00406548 . DFE0 fstsw ax
0040654A . A8 0D test al,0xD
0040654C . 0F85 7A040000 jnz Andréna.004069CC
00406552 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.#572>] ; msvbvm60.rtcHexBstrFromVar
00406558 . 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax ; msvbvm60.6601A3C8
0040655E . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00406561 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]
00406567 . 52 push edx
00406568 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0040656E . 50 push eax ; msvbvm60.6601A3C8
0040656F . 51 push ecx
00406570 . C785 6CFFFFFF>mov dword ptr ss:[ebp-0x94],0x8
0040657A . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; msvbvm60.__vbaVarCat
00406580 . 8BD0 mov edx,eax ; msvbvm60.6601A3C8
00406582 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00406585 . FFD7 call edi ; user32.PeekMessageA
00406587 . 8D55 B0 lea edx,dword ptr ss:[ebp-0x50]
0040658A . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
0040658D . 52 push edx
0040658E . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00406591 . 50 push eax ; msvbvm60.6601A3C8
00406592 . 51 push ecx
00406593 . 6A 03 push 0x3
00406595 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList
0040659B . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
004065A1 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
004065A7 . 52 push edx
004065A8 . 8D4D 8C lea ecx,dword ptr ss:[ebp-0x74]
004065AB . 50 push eax ; msvbvm60.6601A3C8
004065AC . 8D55 9C lea edx,dword ptr ss:[ebp-0x64]
004065AF . 51 push ecx
004065B0 . 52 push edx
004065B1 . 6A 04 push 0x4
004065B3 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
004065B9 . 83C4 24 add esp,0x24
004065BC . 8D85 68FDFFFF lea eax,dword ptr ss:[ebp-0x298]
004065C2 . 50 push eax ; /TMPend8 = msvbvm60.6601A3C8
004065C3 . 8D8D 78FDFFFF lea ecx,dword ptr ss:[ebp-0x288] ; |
004065C9 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24] ; |
004065CC . 51 push ecx ; |TMPstep8 = C71CB2C8
004065CD . 52 push edx ; |Counter8 = NULL
004065CE . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
004065D4 .^ E9 CFFEFFFF jmp Andréna.004064A8
004065D9 > 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
004065DC . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4]
004065E2 . 50 push eax ; /var18 = msvbvm60.6601A3C8
004065E3 . 51 push ecx ; |var28 = C71CB2C8
004065E4 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],Andréna.0040>; |0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C
004065EE . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0x8008 ; |
004065F8 . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
So the origin of var_CC is now clear
(see the comments for details)
Main flow: take the input key, take its first two characters and convert them to a number, then add that number to the ASCII code of each character of the input, convert each sum to a hex string, join them together, prepend a 0, and compare with 0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C
For this we can use exhaustive search (in plain words: try them one by one)
Keygen:
[Python]
# The comparison string minus its leading "0", split into two-digit hex values
key = "81,7E,74,7D,7A,7D,7C,7F,82,83,6D,74,74,7A,7F,7E,7B,7C,7D,82,6D,81,7E,7B,7C"
keys = []
for i in key.split(','):
    keys.append(int(i, 16))
t = 1
# var_CC comes from the first two characters of the input, so try 00..99
for i in ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']:
    for ii in ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']:
        a = i + ii
        # the first character of the key must itself be a digit
        if chr(keys[0] - int(a)) in ['1', '2', '3', '4', '5', '6', '7', '8', '9']:
            print('密匙{0}:'.format(t), end='')
            for iii in keys:
                print(chr(iii - int(a)), end='')
            print('')
            t += 1
Result:
密匙1:96,52547:;%,,276345:%9634
密匙2:85+414369:$++1652349$8523
密匙3:74*3032589#**0541238#7412
密匙4:63)2/21478"))/430127"6301
密匙5:52(1.10367!((.32/016!52/0
密匙6:41'0-0/256 ''-21./05 41./
密匙7:30&/,/.145&&,10-./430-.
密匙8:2/%.+.-034%%+0/,-.32/,-
密匙9:1.$-*-,/23$$*/.+,-21.+,
There are nine keys
Of these, only the third one can be entered
So the key is 74*3032589#**0541238#7412
Screenshot:
0x03 Final words
Ratings don't cost anything! Ratings don't cost anything! Ratings don't cost anything!
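As an added example (not code from the original post), the snippet below re-implements the check routine from the listings in Python and then runs the same 00..99 search, but keeps only candidates that pass that re-implemented check. Because the check derives var_CC from the candidate's own first two characters, a candidate only validates when those two characters reproduce the offset used to build it; that filter leaves exactly the third key. The `vb_val` helper is an assumed, simplified emulation of VB6's Val() (leading numeric prefix only; &H prefixes and exponents are not handled), and the names `vb_check` and `find_keys` are my own.

```python
import re

# Comparison string from the decompiled listing: a leading "0" followed by
# one two-digit hex value per key character.
TARGET = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C"
TARGET_VALS = [int(TARGET[i:i + 2], 16) for i in range(1, len(TARGET), 2)]


def vb_val(s):
    """Simplified emulation of VB6 Val(): parse the leading numeric part of s
    and return 0 when there is none.  Assumption: &H/&O prefixes, exponents and
    embedded whitespace are not handled; none of them occur in this crackme."""
    m = re.match(r'\s*[+-]?\d*\.?\d*', s)
    text = m.group(0).strip()
    try:
        return float(text)
    except ValueError:
        return 0.0


def vb_check(key):
    """Re-implementation of the listing's check:
    var_CC = Val(Left(key, 2)); result = "0" & Hex$(Asc(c) + var_CC) per char."""
    offset = vb_val(key[:2])
    built = "0" + "".join("%X" % int(ord(c) + offset) for c in key)
    return built == TARGET


def find_keys():
    """Try every offset the first two characters could encode (0..99), build the
    candidate for it, and keep only printable-ASCII candidates that pass
    vb_check, i.e. whose own first two characters reproduce the offset."""
    found = []
    for offset in range(100):
        chars = [v - offset for v in TARGET_VALS]
        # offset 0 would reproduce the non-ASCII bytes 0x6D..0x83 themselves,
        # which cannot be typed, so require printable ASCII throughout
        if not all(0x20 <= c <= 0x7E for c in chars):
            continue
        candidate = "".join(chr(c) for c in chars)
        if vb_check(candidate):
            found.append(candidate)
    return found


if __name__ == "__main__":
    for k in find_keys():
        print(k)
```

Running it prints a single line, 74*3032589#**0541238#7412; the other eight candidates from the original keygen fail `vb_check` because Val() of their first two characters (96, 85, 63, ...) is not the offset they were built with.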