【破文标题】XXX背词王 3.7算法分析
【破文作者】dgrzh
【破解工具】OD PEiD
【破解平台】XP SP2
【软件名称】XXX背词王 3.7
【保护方式】序列号
【破解声明】新手,不对之处还请大家多多指教~
【破解过程】PEiD查无壳,编程语言为Microsoft Visual Basic 5.0 / 6.0
运行程序,右键点-菜单-用户设置-版本注册显示:
前码:后码:
注册 91275844 12345678(前码91275844是程序自动显示的,12345678是输入的假后码)
注册按钮<-点这里(提示:注册码错误)
用字符串查找,没有找到任何可用的线索,于是查找-当前模块中的名称,找到MSVBVM60.__vbaStrCmp,在每个参考上设置断点。
下好断点,F9运行
0068382F .FF15 C0104000call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>];断在这里,然后一路F8
00683835 .8BF8 mov edi,eax
00683837 .8D95 C4FEFFFFlea edx,dword ptr ss:[ebp-13C]
0068383D .F7DF neg edi
0068383F .8D85 C8FEFFFFlea eax,dword ptr ss:[ebp-138]
00683845 .52 push edx
00683846 .1BFF sbb edi,edi
00683848 .8D8D CCFEFFFFlea ecx,dword ptr ss:[ebp-134]
0068384E .50 push eax
0068384F .51 push ecx
00683850 .F7DF neg edi
00683852 .6A 03push 3
00683854 .F7DF neg edi
省略代码
...................................................................................
...................................................................................
7339DE998945 E4mov dword ptr ss:[ebp-1C],eax
7339DE9C85C0 test eax,eax
7339DE9E7C 51jl short MSVBVM60.7339DEF1
7339DEA06A 00push 0
7339DEA26A 00push 0
7339DEA468 69100000push 1069
7339DEA9FF15 C8103973call dword ptr ds:[<&KERNEL32.GetCurrentThreadId>; kernel32.GetCurrentThreadId
7339DEAF50 push eax
7339DEB0FF15 28163973call dword ptr ds:[<&USER32.PostThreadMessageA>] ; USER32.PostThreadMessageA
7339DEB68D45 9Clea eax,dword ptr ss:[ebp-64]
7339DEB950 push eax
7339DEBA8BCE mov ecx,esi
7339DEBCE8 6159FFFFcall MSVBVM60.73393822
7339DEC185C0 test eax,eax
7339DEC374 14je short MSVBVM60.7339DED9
7339DEC58B45 9Cmov eax,dword ptr ss:[ebp-64]
7339DEC88B88 20050000mov ecx,dword ptr ds:[eax+520]
7339DECE85C9 test ecx,ecx
7339DED074 07je short MSVBVM60.7339DED9
7339DED26A FFpush -1
7339DED4E8 366C0000call MSVBVM60.733A4B0F;F8来到这里程序运行起来。
右键点-菜单-用户设置-版本注册显示:
前码:后码:
注册 91275844 12345678(前码91275844是程序自动显示的,12345678是输入的假后码)
注册按钮<-点这里
........................................................................................................
00687667 .FF15 C0104000 calldword ptr [<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp断在这里
0068766D .8BF0mov esi, eax
0068766F .8D4D D8 lea ecx, dword ptr [ebp-28]
00687672 .F7DEneg esi
00687674 .1BF6sbb esi, esi
00687676 .F7DEneg esi
00687678 .F7DEneg esi
0068767A .FF15 B8114000 calldword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
......................................................................................................
看堆栈显示:
0012D7EC 001F3C44UNICODE "15527657"
0012D7F0 001F3BE4UNICODE "12345678"
明码比较,关键地方找到了。这里之所以关键,是因为程序先在本地算出真正的后码,再用__vbaStrCmp与输入的后码做明文比较,也就是说生成算法完全在程序内部。其实下好断点,按两次F9也会断在这里,但是程序就没有响应,OD就无法继续调试。
取消00687667处的断点,来到段首
006872A6 .68 96204000push <jmp.&MSVBVM60.__vbaExceptHandler> 这里下F2断点
下好断点后,重载OD,F9一次断在0068382F这里,一路F8重复上面过程,来到7339DED4程序运行起来
输入假后码,点注册后断在006872A6这里(其实再按一次F9也会断在这里,但是程序就没有响应。不明白为什么。)
====================================================
====================================================
006872A6 .68 96204000push <jmp.&MSVBVM60.__vbaExceptHandler>; 断在这里
006872AB .64:A1 00000000 mov eax,dword ptr fs:[0]
006872B1 .50 push eax
006872B2 .64:8925 00000000 mov dword ptr fs:[0],esp
006872B9 .81EC 28010000sub esp,128
006872BF .53 push ebx
006872C0 .56 push esi
006872C1 .57 push edi
006872C2 .8965 F8mov dword ptr ss:[ebp-8],esp
006872C5 .C745 FC A01D4000 mov dword ptr ss:[ebp-4],Super背?00401DA0
006872CC .A1 D0D06800mov eax,dword ptr ds:[68D0D0]
006872D1 .33FF xor edi,edi
006872D3 .3BC7 cmp eax,edi;(初始化 cpu 选择状态)
006872D5 .897D E8mov dword ptr ss:[ebp-18],edi
006872D8 .897D E4mov dword ptr ss:[ebp-1C],edi
006872DB .897D D8mov dword ptr ss:[ebp-28],edi
006872DE .897D D4mov dword ptr ss:[ebp-2C],edi
006872E1 .897D D0mov dword ptr ss:[ebp-30],edi
006872E4 .897D C0mov dword ptr ss:[ebp-40],edi
006872E7 .897D B0mov dword ptr ss:[ebp-50],edi
006872EA .897D A0mov dword ptr ss:[ebp-60],edi
006872ED .897D 90mov dword ptr ss:[ebp-70],edi
006872F0 .897D 80mov dword ptr ss:[ebp-80],edi
006872F3 .89BD 70FFFFFFmov dword ptr ss:[ebp-90],edi
006872F9 .89BD 60FFFFFFmov dword ptr ss:[ebp-A0],edi
006872FF .89BD 50FFFFFFmov dword ptr ss:[ebp-B0],edi
00687305 .89BD 40FFFFFFmov dword ptr ss:[ebp-C0],edi
0068730B .89BD 20FFFFFFmov dword ptr ss:[ebp-E0],edi
00687311 .89BD F0FEFFFFmov dword ptr ss:[ebp-110],edi
00687317 .75 10jnz short Super背?00687329
00687319 .68 D0D06800push Super背?0068D0D0
0068731E .68 60FF4200push Super背?0042FF60
00687323 .FF15 48114000call dword ptr ds:[<&MSVBVM60.__vbaNew2>];MSVBVM60.__vbaNew2
00687329 >8B35 D0D06800mov esi,dword ptr ds:[68D0D0]
0068732F .8D4D D8lea ecx,dword ptr ss:[ebp-28]
00687332 .51 push ecx
00687333 .56 push esi
00687334 .8B06 mov eax,dword ptr ds:[esi]
00687336 .FF90 F8060000call dword ptr ds:[eax+6F8] ;将硬盘序列号转换为前码91275844
0068733C .3BC7 cmp eax,edi
0068733E .DBE2 fclex
00687340 .7D 12jge short Super背?00687354
00687342 .68 F8060000push 6F8
00687347 .68 B8344300push Super背?004334B8
0068734C .56 push esi
0068734D .50 push eax
0068734E .FF15 5C104000call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>;MSVBVM60.__vbaHresultCheckObj
00687354 >8B55 D8mov edx,dword ptr ss:[ebp-28];前码
00687357 .8D4D E4lea ecx,dword ptr ss:[ebp-1C]
0068735A .897D D8mov dword ptr ss:[ebp-28],edi
0068735D .FF15 94114000call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
00687363 .8B55 E4mov edx,dword ptr ss:[ebp-1C];前码
00687366 .52 push edx
00687367 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;MSVBVM60.__vbaLenBstr
0068736D .8BC8 mov ecx,eax;前码长度
0068736F .FF15 C8104000call dword ptr ds:[<&MSVBVM60.__vbaI2I4>];MSVBVM60.__vbaI2I4
00687375 .8B1D 3C104000mov ebx,dword ptr ds:[<&MSVBVM60.#516>];MSVBVM60.rtcAnsiValueBstr
0068737B .8985 DCFEFFFFmov dword ptr ss:[ebp-124],eax
00687381 .BE 01000000mov esi,1
00687386 >66:3BB5 DCFEFFFF cmp si,word ptr ss:[ebp-124] ; 计数值同前码长度比较
0068738D .0F8F 87000000jg Super背?0068741A; 计数值大于前码长度跳出循环
00687393 .8D45 E4lea eax,dword ptr ss:[ebp-1C]
00687396 .8D4D C0lea ecx,dword ptr ss:[ebp-40]
00687399 .0FBFD6 movsx edx,si
0068739C .8985 48FFFFFFmov dword ptr ss:[ebp-B8],eax
006873A2 .51 push ecx
006873A3 .8D85 40FFFFFFlea eax,dword ptr ss:[ebp-C0]
006873A9 .52 push edx
006873AA .8D4D B0lea ecx,dword ptr ss:[ebp-50]
006873AD .50 push eax
006873AE .51 push ecx
006873AF .C745 C8 01000000 mov dword ptr ss:[ebp-38],1
006873B6 .C745 C0 02000000 mov dword ptr ss:[ebp-40],2
006873BD .C785 40FFFFFF 08>mov dword ptr ss:[ebp-C0],4008
006873C7 .FF15 AC104000call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
006873CD .8D55 B0lea edx,dword ptr ss:[ebp-50]
006873D0 .8D45 D8lea eax,dword ptr ss:[ebp-28]
006873D3 .52 push edx
006873D4 .50 push eax
006873D5 .FF15 30114000call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;逐位取前码的值并转换为它的ASCII码值
006873DB .50 push eax ;
006873DC .FFD3 call ebx ;
006873DE .66:03C7add ax,di;将每位ASCII码值累加结果送ax
006873E1 .8D4D D8lea ecx,dword ptr ss:[ebp-28]
006873E4 .0F80 28030000jo Super背?00687712
006873EA .8BF8 mov edi,eax;累加结果
006873EC .FF15 B8114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
006873F2 .8D4D B0lea ecx,dword ptr ss:[ebp-50]
006873F5 .8D55 C0lea edx,dword ptr ss:[ebp-40]
006873F8 .51 push ecx
006873F9 .52 push edx
006873FA .6A 02push 2
006873FC .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00687402 .B8 01000000mov eax,1; 计数器赋值为1
00687407 .83C4 0Cadd esp,0C
0068740A .66:03C6add ax,si;每循环一次计数值加1
0068740D .0F80 FF020000jo Super背?00687712
00687413 .8BF0 mov esi,eax;
00687415 .^ E9 6CFFFFFFjmp Super背?00687386
0068741A >66:8BC7mov ax,di;累加结果
0068741D .66:B9 0900 mov cx,9 ;
00687421 .66:6BC0 13 imul ax,ax,13 累加结果乘以13送ax
00687425 .0F80 E7020000jo Super背?00687712
0068742B .66:99cwd
0068742D .66:F7F9idiv cx;
00687430 .8955 DCmov dword ptr ss:[ebp-24],edx ax除9取余存入ss:[ebp-24]中
00687433 .8B55 E4mov edx,dword ptr ss:[ebp-1C]
00687436 .52 push edx ;前码
00687437 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;前码长度
0068743D .8BC8 mov ecx,eax;
0068743F .FF15 C8104000call dword ptr ds:[<&MSVBVM60.__vbaI2I4>];MSVBVM60.__vbaI2I4
00687445 .8985 D4FEFFFFmov dword ptr ss:[ebp-12C],eax
0068744B .BE 01000000mov esi,1
00687450 >66:3BB5 D4FEFFFF cmp si,word ptr ss:[ebp-12C] ;计数值同前码长度比较
00687457 .0F8F A9010000jg Super背?00687606; 大于前码长度跳出循环
0068745D .8B45 E8mov eax,dword ptr ss:[ebp-18]
00687460 .8D4D E4lea ecx,dword ptr ss:[ebp-1C]
00687463 .0FBFFE movsx edi,si
00687466 .8D55 C0lea edx,dword ptr ss:[ebp-40]
00687469 .8985 F8FEFFFFmov dword ptr ss:[ebp-108],eax
0068746F .898D 48FFFFFFmov dword ptr ss:[ebp-B8],ecx
00687475 .52 push edx
00687476 .8D85 40FFFFFFlea eax,dword ptr ss:[ebp-C0]
0068747C .57 push edi
0068747D .8D4D B0lea ecx,dword ptr ss:[ebp-50]
00687480 .50 push eax
00687481 .51 push ecx
00687482 .C785 F0FEFFFF 08>mov dword ptr ss:[ebp-110],8
0068748C .C745 C8 01000000 mov dword ptr ss:[ebp-38],1
00687493 .C745 C0 02000000 mov dword ptr ss:[ebp-40],2
0068749A .C785 40FFFFFF 08>mov dword ptr ss:[ebp-C0],4008
006874A4 .FF15 AC104000call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
006874AA .8D55 E4lea edx,dword ptr ss:[ebp-1C]
006874AD .8D45 A0lea eax,dword ptr ss:[ebp-60]
006874B0 .8995 28FFFFFFmov dword ptr ss:[ebp-D8],edx
006874B6 .50 push eax
006874B7 .8D8D 20FFFFFFlea ecx,dword ptr ss:[ebp-E0]
006874BD .57 push edi
006874BE .8D55 90lea edx,dword ptr ss:[ebp-70]
006874C1 .51 push ecx
006874C2 .52 push edx
006874C3 .C745 A8 01000000 mov dword ptr ss:[ebp-58],1
006874CA .C745 A0 02000000 mov dword ptr ss:[ebp-60],2
006874D1 .C785 20FFFFFF 08>mov dword ptr ss:[ebp-E0],4008
006874DB .FF15 AC104000call dword ptr ds:[<&MSVBVM60.#632>] ;MSVBVM60.rtcMidCharVar
006874E1 .8B3D 30114000mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>>;MSVBVM60.__vbaStrVarVal
006874E7 .8D45 90lea eax,dword ptr ss:[ebp-70]
006874EA .8D4D D4lea ecx,dword ptr ss:[ebp-2C]
006874ED .50 push eax
006874EE .51 push ecx
006874EF .FFD7 call edi ;逐位取前码的ASCII码值
006874F1 .50 push eax ;
006874F2 .FFD3 call ebx
006874F4 .66:8BD0mov dx,ax;
006874F7 .8D45 B0lea eax,dword ptr ss:[ebp-50]
006874FA .8D4D D8lea ecx,dword ptr ss:[ebp-28]
006874FD .50 push eax
006874FE .51 push ecx
006874FF .66:8995 CAFEFFFF mov word ptr ss:[ebp-136],dx ;
00687506 .FFD7 call edi ;<&MSVBVM60.__vbaStrVarVal>
00687508 .50 push eax ;
00687509 .FFD3 call ebx
0068750B .66:8B8D CAFEFFFF mov cx,word ptr ss:[ebp-136] ;
00687512 .C745 80 02000000 mov dword ptr ss:[ebp-80],2
00687519 .66:0FAFC8imul cx,ax ;将取出的ASCII码值自乘
0068751D .66:8BC6mov ax,si;计数值当前值
00687520 .0F80 EC010000jo Super背?00687712
00687526 .66:6BC0 03 imul ax,ax,3 ;当前值乘3送ax
0068752A .0F80 E2010000jo Super背?00687712
00687530 .66:99cwd
00687532 .66:2BC2sub ax,dx
00687535 .66:D1F8sar ax,1 ;ax除2得到商
00687538 .66:03C8add cx,ax;自乘值加商送cx
0068753B .0F80 D1010000jo Super背?00687712
00687541 .66:034D DC add cx,word ptr ss:[ebp-24];cx加上ss:[ebp-24]中的值
00687545 .0F80 C7010000jo Super背?00687712
0068754B .66:8BC1mov ax,cx
0068754E .66:B9 0A00 mov cx,0A
00687552 .66:99cwd
00687554 .66:F7F9idiv cx;将每一位结果除A取余
00687557 .8D85 70FFFFFFlea eax,dword ptr ss:[ebp-90]
0068755D .66:8955 88 mov word ptr ss:[ebp-78],dx
00687561 .8D55 80lea edx,dword ptr ss:[ebp-80]
00687564 .52 push edx
00687565 .50 push eax
00687566 .FF15 7C114000call dword ptr ds:[<&MSVBVM60.#613>] ;
0068756C .8D8D 70FFFFFFlea ecx,dword ptr ss:[ebp-90]
00687572 .8D95 60FFFFFFlea edx,dword ptr ss:[ebp-A0]
00687578 .51 push ecx
00687579 .52 push edx
0068757A .FF15 A4104000call dword ptr ds:[<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00687580 .8D85 F0FEFFFFlea eax,dword ptr ss:[ebp-110]
00687586 .8D8D 60FFFFFFlea ecx,dword ptr ss:[ebp-A0]
0068758C .50 push eax
0068758D .51 push ecx
0068758E .8D95 50FFFFFFlea edx,dword ptr ss:[ebp-B0]
00687594 .52 push edx
00687595 .FF15 34114000call dword ptr ds:[<&MSVBVM60.__vbaVarCat>];MSVBVM60.__vbaVarCat
0068759B .50 push eax ;
0068759C .FF15 20104000call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>];将余数连接起来就得到真正后码
006875A2 .8BD0 mov edx,eax;
006875A4 .8D4D E8lea ecx,dword ptr ss:[ebp-18]
006875A7 .FF15 94114000call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
006875AD .8D45 D4lea eax,dword ptr ss:[ebp-2C]
006875B0 .8D4D D8lea ecx,dword ptr ss:[ebp-28]
006875B3 .50 push eax
006875B4 .51 push ecx
006875B5 .6A 02push 2
006875B7 .FF15 58114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;
006875BD .8D95 50FFFFFFlea edx,dword ptr ss:[ebp-B0]
006875C3 .8D85 60FFFFFFlea eax,dword ptr ss:[ebp-A0]
006875C9 .52 push edx
006875CA .8D8D 70FFFFFFlea ecx,dword ptr ss:[ebp-90]
006875D0 .50 push eax
006875D1 .8D55 80lea edx,dword ptr ss:[ebp-80]
006875D4 .51 push ecx
006875D5 .8D45 90lea eax,dword ptr ss:[ebp-70]
006875D8 .52 push edx
006875D9 .8D4D A0lea ecx,dword ptr ss:[ebp-60]
006875DC .50 push eax
006875DD .8D55 B0lea edx,dword ptr ss:[ebp-50]
006875E0 .51 push ecx
006875E1 .8D45 C0lea eax,dword ptr ss:[ebp-40]
006875E4 .52 push edx
006875E5 .50 push eax
006875E6 .6A 08push 8
006875E8 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;获得注册码长度
006875EE .B8 01000000mov eax,1;计数器赋值为1
006875F3 .83C4 30add esp,30
006875F6 .66:03C6add ax,si;每循环一次计数值加1
006875F9 .0F80 13010000jo Super背?00687712
006875FF .8BF0 mov esi,eax;
00687601 .^ E9 4AFEFFFFjmp Super背?00687450;
00687606 >A1 D0D06800mov eax,dword ptr ds:[68D0D0]
0068760B .85C0 test eax,eax
0068760D .75 15jnz short Super背?00687624
0068760F .68 D0D06800push Super背?0068D0D0
00687614 .68 60FF4200push Super背?0042FF60
00687619 .FF15 48114000call dword ptr ds:[<&MSVBVM60.__vbaNew2>];MSVBVM60.__vbaNew2
0068761F .A1 D0D06800mov eax,dword ptr ds:[68D0D0]
00687624 >8B08 mov ecx,dword ptr ds:[eax]
00687626 .50 push eax
00687627 .FF91 14030000call dword ptr ds:[ecx+314]
0068762D .8D55 D0lea edx,dword ptr ss:[ebp-30]
00687630 .50 push eax
00687631 .52 push edx
00687632 .FF15 84104000call dword ptr ds:[<&MSVBVM60.__vbaObjSet>];MSVBVM60.__vbaObjSet
00687638 .8BF0 mov esi,eax
0068763A .8D4D D8lea ecx,dword ptr ss:[ebp-28]
0068763D .51 push ecx
0068763E .56 push esi
0068763F .8B06 mov eax,dword ptr ds:[esi]
00687641 .FF90 A0000000call dword ptr ds:[eax+A0]
00687647 .85C0 test eax,eax
00687649 .DBE2 fclex
0068764B .7D 12jge short Super背?0068765F
0068764D .68 A0000000push 0A0
00687652 .68 543E4300push Super背?00433E54
00687657 .56 push esi
00687658 .50 push eax
00687659 .FF15 5C104000call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>;MSVBVM60.__vbaHresultCheckObj
0068765F >8B55 D8mov edx,dword ptr ss:[ebp-28]; 12345678
00687662 .8B45 E8mov eax,dword ptr ss:[ebp-18]; 15527657
00687665 .52 push edx
00687666 .50 push eax
00687667 .FF15 C0104000call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>];注册码后码真假比较
0068766D .8BF0 mov esi,eax; 不等eax=-1
0068766F .8D4D D8lea ecx,dword ptr ss:[ebp-28]
00687672 .F7DE neg esi
00687674 .1BF6 sbb esi,esi
00687676 .F7DE neg esi
00687678 .F7DE neg esi
0068767A .FF15 B8114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00687680 .8D4D D0lea ecx,dword ptr ss:[ebp-30]
00687683 .FF15 BC114000call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
00687689 .66:F7DEneg si
0068768C .1BF6 sbb esi,esi
0068768E .68 FD766800push Super背?006876FD
00687693 .F7DE neg esi
00687695 .4E dec esi
00687696 .8975 E0mov dword ptr ss:[ebp-20],esi
00687699 .EB 51jmp short Super背?006876EC
0068769B .8D4D D4lea ecx,dword ptr ss:[ebp-2C]
0068769E .8D55 D8lea edx,dword ptr ss:[ebp-28]
006876A1 .51 push ecx
006876A2 .52 push edx
006876A3 .6A 02push 2
006876A5 .FF15 58114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
006876AB .83C4 0Cadd esp,0C
006876AE .8D4D D0lea ecx,dword ptr ss:[ebp-30]
006876B1 .FF15 BC114000call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
006876B7 .8D85 50FFFFFFlea eax,dword ptr ss:[ebp-B0]
006876BD .8D8D 60FFFFFFlea ecx,dword ptr ss:[ebp-A0]
006876C3 .50 push eax
006876C4 .8D95 70FFFFFFlea edx,dword ptr ss:[ebp-90]
006876CA .51 push ecx
006876CB .8D45 80lea eax,dword ptr ss:[ebp-80]
006876CE .52 push edx
006876CF .8D4D 90lea ecx,dword ptr ss:[ebp-70]
006876D2 .50 push eax
006876D3 .8D55 A0lea edx,dword ptr ss:[ebp-60]
006876D6 .51 push ecx
006876D7 .8D45 B0lea eax,dword ptr ss:[ebp-50]
006876DA .52 push edx
006876DB .8D4D C0lea ecx,dword ptr ss:[ebp-40]
006876DE .50 push eax
006876DF .51 push ecx
006876E0 .6A 08push 8
006876E2 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
006876E8 .83C4 24add esp,24
006876EB .C3 retn
006876EC >8B35 B8114000mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>];MSVBVM60.__vbaFreeStr
006876F2 .8D4D E8lea ecx,dword ptr ss:[ebp-18]
006876F5 .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
006876F7 .8D4D E4lea ecx,dword ptr ss:[ebp-1C]
006876FA .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
006876FC .C3 retn
006876FD .8B4D F0 mov ecx, dword ptr [ebp-10]
00687700 .66:8B45 E0mov ax, word ptr [ebp-20]
00687704 .5Fpop edi
00687705 .5Epop esi
00687706 .64:890D 00000>mov dword ptr fs:[0], ecx
0068770D .5Bpop ebx
0068770E .8BE5mov esp, ebp
00687710 .5Dpop ebp
00687711 .C3retn
==================================================
==================================================
0067C716 .68 96204000 push<jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
0067C71B .64:A1 0000000>mov eax, dword ptr fs:[0]
0067C721 .50pusheax
0067C722 .64:8925 00000>mov dword ptr fs:[0], esp
0067C729 .83EC 28 sub esp, 28
0067C72C .53pushebx
0067C72D .56pushesi
0067C72E .57pushedi
0067C72F .8965 F4 mov dword ptr [ebp-C], esp
0067C732 .C745 F8 30184>mov dword ptr [ebp-8], 00401830
0067C739 .8B7D 08 mov edi, dword ptr [ebp+8]
0067C73C .8BC7mov eax, edi
0067C73E .83E0 01 and eax, 1
0067C741 .8945 FC mov dword ptr [ebp-4], eax
0067C744 .83E7 FE and edi, FFFFFFFE
0067C747 .57pushedi
0067C748 .897D 08 mov dword ptr [ebp+8], edi
0067C74B .8B0Fmov ecx, dword ptr [edi]
0067C74D .FF51 04 calldword ptr [ecx+4]
0067C750 .33DBxor ebx, ebx
0067C752 .895D E8 mov dword ptr [ebp-18], ebx
0067C755 .895D E4 mov dword ptr [ebp-1C], ebx
0067C758 .895D E0 mov dword ptr [ebp-20], ebx
0067C75B .895D DC mov dword ptr [ebp-24], ebx
0067C75E .895D D8 mov dword ptr [ebp-28], ebx
0067C761 .E8 3AAB0000 call006872A0 ;这就是关键call
0067C766 .66:85C0 testax, ax ;ax=0跳向失败
0067C769 .0F84 04010000 je0067C873 ;关键跳转,不能跳
0067C76F .8B35 54114000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrCopy
0067C775 .BA 103E4300 mov edx, 00433E10
0067C77A .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C77D .FFD6callesi;<&MSVBVM60.__vbaStrCopy>
0067C77F .8B17mov edx, dword ptr [edi]
0067C781 .8D45 E8 lea eax, dword ptr [ebp-18]
0067C784 .50pusheax
0067C785 .57pushedi
0067C786 .FF92 40070000 calldword ptr [edx+740]
0067C78C .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C78F .FF15 B8114000 calldword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0067C795 .8B0Fmov ecx, dword ptr [edi]
0067C797 .57pushedi
0067C798 .FF91 14030000 calldword ptr [ecx+314]
0067C79E .8D55 D8 lea edx, dword ptr [ebp-28]
0067C7A1 .50pusheax
0067C7A2 .52pushedx
0067C7A3 .FF15 84104000 calldword ptr [<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
0067C7A9 .8BF8mov edi, eax
0067C7AB .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C7AE .51pushecx
0067C7AF .57pushedi
0067C7B0 .8B07mov eax, dword ptr [edi]
0067C7B2 .FF90 A0000000 calldword ptr [eax+A0]
0067C7B8 .3BC3cmp eax, ebx
0067C7BA .DBE2fclex
0067C7BC .7D 12 jge short 0067C7D0
0067C7BE .68 A0000000 push0A0
0067C7C3 .68 543E4300 push00433E54
0067C7C8 .57pushedi
0067C7C9 .50pusheax
0067C7CA .FF15 5C104000 calldword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0067C7D0 >8B55 E8 mov edx, dword ptr [ebp-18]
0067C7D3 .8D4D DC lea ecx, dword ptr [ebp-24]
0067C7D6 .895D E8 mov dword ptr [ebp-18], ebx
0067C7D9 .FF15 94114000 calldword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
0067C7DF .BA 483E4300 mov edx, 00433E48;UNICODE "value"
0067C7E4 .8D4D E0 lea ecx, dword ptr [ebp-20]
0067C7E7 .FFD6callesi
0067C7E9 .BA 303E4300 mov edx, 00433E30;UNICODE "register"
0067C7EE .8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C7F1 .FFD6callesi
0067C7F3 .8D55 DC lea edx, dword ptr [ebp-24]
0067C7F6 .8D45 E0 lea eax, dword ptr [ebp-20]
0067C7F9 .52pushedx
0067C7FA .8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C7FD .50pusheax
0067C7FE .51pushecx
0067C7FF .E8 FCA40000 call00686D00
0067C804 .8B3D 58114000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeStrList
0067C80A .8D55 DC lea edx, dword ptr [ebp-24]
0067C80D .8D45 E0 lea eax, dword ptr [ebp-20]
0067C810 .52pushedx
0067C811 .8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C814 .50pusheax
0067C815 .51pushecx
0067C816 .6A 03 push3
0067C818 .FFD7calledi;<&MSVBVM60.__vbaFreeStrList>
0067C81A .83C4 10 add esp, 10
0067C81D .8D4D D8 lea ecx, dword ptr [ebp-28]
0067C820 .FF15 BC114000 calldword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
0067C826 .BA 14384300 mov edx, 00433814
0067C82B .8D4D E0 lea ecx, dword ptr [ebp-20]
0067C82E .FFD6callesi
0067C830 .BA 683E4300 mov edx, 00433E68;UNICODE "rflag"
0067C835 .8D4D E4 lea ecx, dword ptr [ebp-1C]
0067C838 .FFD6callesi
0067C83A .BA 58394300 mov edx, 00433958;UNICODE "Security"
0067C83F .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C842 .FFD6callesi
0067C844 .8D55 E0 lea edx, dword ptr [ebp-20]
0067C847 .8D45 E4 lea eax, dword ptr [ebp-1C]
0067C84A .52pushedx
0067C84B .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C84E .50pusheax
0067C84F .51pushecx
0067C850 .E8 ABA40000 call00686D00
0067C855 .8D55 E0 lea edx, dword ptr [ebp-20]
0067C858 .8D45 E4 lea eax, dword ptr [ebp-1C]
0067C85B .52pushedx
0067C85C .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C85F .50pusheax
0067C860 .51pushecx
0067C861 .6A 03 push3
0067C863 .FFD7calledi
0067C865 .83C4 10 add esp, 10
0067C868 .66:C705 50D06>mov word ptr [68D050], 0FFFF
0067C871 .EB 24 jmp short 0067C897
0067C873 >BA 783E4300 mov edx, 00433E78
0067C878 .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C87B .FF15 54114000 calldword ptr [<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
0067C881 .8B17mov edx, dword ptr [edi]
0067C883 .8D45 E8 lea eax, dword ptr [ebp-18]
0067C886 .50pusheax
0067C887 .57pushedi
0067C888 .FF92 40070000 calldword ptr [edx+740]
0067C88E .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C891 .FF15 B8114000 calldword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0067C897 >895D FC mov dword ptr [ebp-4], ebx
0067C89A .68 C7C86700 push0067C8C7
0067C89F .EB 25 jmp short 0067C8C6
0067C8A1 .8D4D DC lea ecx, dword ptr [ebp-24]
0067C8A4 .8D55 E0 lea edx, dword ptr [ebp-20]
0067C8A7 .51pushecx
0067C8A8 .8D45 E4 lea eax, dword ptr [ebp-1C]
0067C8AB .52pushedx
0067C8AC .8D4D E8 lea ecx, dword ptr [ebp-18]
0067C8AF .50pusheax
0067C8B0 .51pushecx
0067C8B1 .6A 04 push4
0067C8B3 .FF15 58114000 calldword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
0067C8B9 .83C4 14 add esp, 14
0067C8BC .8D4D D8 lea ecx, dword ptr [ebp-28]
0067C8BF .FF15 BC114000 calldword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
0067C8C5 .C3retn
0067C8C6 >C3retn ;RET 用作跳转到 0067C8C7
0067C8C7 >8B45 08 mov eax, dword ptr [ebp+8]
0067C8CA .50pusheax
0067C8CB .8B10mov edx, dword ptr [eax]
0067C8CD .FF52 08 calldword ptr [edx+8]
0067C8D0 .8B45 FC mov eax, dword ptr [ebp-4]
0067C8D3 .8B4D EC mov ecx, dword ptr [ebp-14]
0067C8D6 .5Fpop edi
0067C8D7 .5Epop esi
0067C8D8 .64:890D 00000>mov dword ptr fs:[0], ecx
0067C8DF .5Bpop ebx
0067C8E0 .8BE5mov esp, ebp
0067C8E2 .5Dpop ebp
0067C8E3 .C2 0400 retn4
==================================================
==================================================
00687336 .FF90 F8060000call dword ptr ds:[eax+6F8]将硬盘序列号转换为91275844
....................................................................................................
00431986 . /E9 05172500jmp Super背?00683090
0043198B |00 db 00
0043198C |00 db 00
0043198D |00 db 00
0043198E |00 db 00
0043198F |00 db 00
00431990 |54D16800 dd Super背?0068D154
省略代码
..............................................................
..............................................................
00683090 > \55 push ebp
00683091 .8BEC mov ebp,esp
00683093 .83EC 0Csub esp,0C
00683096 .68 96204000push <jmp.&MSVBVM60.__vbaExceptHandler>;SE 句柄安装
0068309B .64:A1 00000000 mov eax,dword ptr fs:[0]
006830A1 .50 push eax
006830A2 .64:8925 00000000 mov dword ptr fs:[0],esp
006830A9 .81EC A8000000sub esp,0A8
006830AF .53 push ebx
006830B0 .56 push esi
006830B1 .57 push edi
006830B2 .8965 F4mov dword ptr ss:[ebp-C],esp
006830B5 .C745 F8 701B4000 mov dword ptr ss:[ebp-8],Super背?00401B70
006830BC .33DB xor ebx,ebx
006830BE .895D FCmov dword ptr ss:[ebp-4],ebx
006830C1 .8B45 08mov eax,dword ptr ss:[ebp+8]
006830C4 .50 push eax
006830C5 .8B08 mov ecx,dword ptr ds:[eax]
006830C7 .FF51 04call dword ptr ds:[ecx+4]
006830CA .8B55 0Cmov edx,dword ptr ss:[ebp+C]
006830CD .8D45 C4lea eax,dword ptr ss:[ebp-3C]
006830D0 .53 push ebx
006830D1 .50 push eax
006830D2 .895D E8mov dword ptr ss:[ebp-18],ebx
006830D5 .895D E4mov dword ptr ss:[ebp-1C],ebx
006830D8 .895D E0mov dword ptr ss:[ebp-20],ebx
006830DB .895D DCmov dword ptr ss:[ebp-24],ebx
006830DE .895D D8mov dword ptr ss:[ebp-28],ebx
006830E1 .895D D4mov dword ptr ss:[ebp-2C],ebx
006830E4 .895D C4mov dword ptr ss:[ebp-3C],ebx
006830E7 .895D B4mov dword ptr ss:[ebp-4C],ebx
006830EA .895D A4mov dword ptr ss:[ebp-5C],ebx
006830ED .895D 94mov dword ptr ss:[ebp-6C],ebx
006830F0 .895D 84mov dword ptr ss:[ebp-7C],ebx
006830F3 .899D 74FFFFFFmov dword ptr ss:[ebp-8C],ebx
006830F9 .899D 54FFFFFFmov dword ptr ss:[ebp-AC],ebx
006830FF .891A mov dword ptr ds:[edx],ebx
00683101 .FF15 24114000call dword ptr ds:[<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00683107 .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
0068310A .8D55 B4lea edx,dword ptr ss:[ebp-4C]
0068310D .51 push ecx
0068310E .68 00040000push 400
00683113 .52 push edx
00683114 .FF15 1C114000call dword ptr ds:[<&MSVBVM60.#607>] ;MSVBVM60.rtcStringVar
0068311A .8B3D 20104000mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>;MSVBVM60.__vbaStrVarMove
00683120 .8D45 B4lea eax,dword ptr ss:[ebp-4C]
00683123 .50 push eax
00683124 .FFD7 call edi ;<&MSVBVM60.__vbaStrVarMove>
00683126 .8B35 94114000mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>];MSVBVM60.__vbaStrMove
0068312C .8BD0 mov edx,eax
0068312E .8D4D E0lea ecx,dword ptr ss:[ebp-20]
00683131 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
00683133 .8D4D B4lea ecx,dword ptr ss:[ebp-4C]
00683136 .8D55 C4lea edx,dword ptr ss:[ebp-3C]
00683139 .51 push ecx
0068313A .52 push edx
0068313B .6A 02push 2
0068313D .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00683143 .8B45 E0mov eax,dword ptr ss:[ebp-20]
00683146 .83C4 0Cadd esp,0C
00683149 .8D4D D8lea ecx,dword ptr ss:[ebp-28]
0068314C .50 push eax
0068314D .51 push ecx
0068314E .FF15 74114000call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>] ;MSVBVM60.__vbaStrToAnsi
00683154 .50 push eax
00683155 .E8 6606DBFFcall Super背?004337C0
0068315A .DDD8 fstp st
0068315C .FF15 58104000call dword ptr ds:[<&MSVBVM60.__vbaSetSystemErro>;MSVBVM60.__vbaSetSystemError
00683162 .8B55 D8mov edx,dword ptr ss:[ebp-28];获得硬盘序列号(ASCII "5MT1A8DX")
00683165 .8D45 E0lea eax,dword ptr ss:[ebp-20]
00683168 .52 push edx
00683169 .50 push eax
0068316A .FF15 0C114000call dword ptr ds:[<&MSVBVM60.__vbaStrToUnicode>>;eax= (ASCII "5MT1A8DX")
00683170 .8D4D D8lea ecx,dword ptr ss:[ebp-28]
00683173 .FF15 B8114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00683179 .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
0068317C .53 push ebx
0068317D .51 push ecx
0068317E .FF15 24114000call dword ptr ds:[<&MSVBVM60.#608>] ;MSVBVM60.rtcVarBstrFromAnsi
00683184 .53 push ebx
00683185 .6A FFpush -1
00683187 .6A 01push 1
00683189 .8D55 C4lea edx,dword ptr ss:[ebp-3C]
0068318C .68 881E4300push Super背?00431E88
00683191 .8D45 D8lea eax,dword ptr ss:[ebp-28]
00683194 .52 push edx
00683195 .50 push eax
00683196 .FF15 30114000call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
0068319C .50 push eax
0068319D .8B4D E0mov ecx,dword ptr ss:[ebp-20];ecx= (UNICODE "5MT1A8DX")
006831A0 .51 push ecx
006831A1 .FF15 10114000call dword ptr ds:[<&MSVBVM60.#712>] ;MSVBVM60.rtcReplace
006831A7 .8945 BCmov dword ptr ss:[ebp-44],eax;eax= (UNICODE "5MT1A8DX")
006831AA .8D55 B4lea edx,dword ptr ss:[ebp-4C]
006831AD .8D45 A4lea eax,dword ptr ss:[ebp-5C]
006831B0 .52 push edx
006831B1 .50 push eax
006831B2 .C745 B4 08000000 mov dword ptr ss:[ebp-4C],8
006831B9 .FF15 A4104000call dword ptr ds:[<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
006831BF .8D4D A4lea ecx,dword ptr ss:[ebp-5C]
006831C2 .51 push ecx
006831C3 .FFD7 call edi ;<&MSVBVM60.__vbaStrVarMove>
006831C5 .8BD0 mov edx,eax;eax=(UNICODE "5MT1A8DX")
006831C7 .8D4D E0lea ecx,dword ptr ss:[ebp-20]
006831CA .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
006831CC .8D4D D8lea ecx,dword ptr ss:[ebp-28]
006831CF .FF15 B8114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
006831D5 .8D55 A4lea edx,dword ptr ss:[ebp-5C]
006831D8 .8D45 B4lea eax,dword ptr ss:[ebp-4C]
006831DB .52 push edx
006831DC .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
006831DF .50 push eax
006831E0 .51 push ecx
006831E1 .6A 03push 3
006831E3 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
006831E9 .8B1D 1C104000mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>];MSVBVM60.__vbaFreeVar
006831EF .83C4 10add esp,10
006831F2 >8B55 E0mov edx,dword ptr ss:[ebp-20]; 保存当前硬盘序列号
006831F5 .52 push edx ;
006831F6 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;当前硬盘序列号长度
006831FC .85C0 test eax,eax ;检查长度是否为0为0跳出循环
006831FE .0F8E CB000000jle Super背?006832CF
00683204 .8D8D 74FFFFFFlea ecx,dword ptr ss:[ebp-8C]
0068320A .6A 01push 1
0068320C .8D55 C4lea edx,dword ptr ss:[ebp-3C]
0068320F .8D45 E0lea eax,dword ptr ss:[ebp-20]
00683212 .51 push ecx
00683213 .52 push edx
00683214 .8985 7CFFFFFFmov dword ptr ss:[ebp-84],eax
0068321A .C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
00683224 .FF15 88114000call dword ptr ds:[<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
0068322A .8B45 E4mov eax,dword ptr ss:[ebp-1C]
0068322D .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
00683230 .50 push eax
00683231 .8D55 D8lea edx,dword ptr ss:[ebp-28]
00683234 .51 push ecx
00683235 .52 push edx
00683236 .FF15 30114000call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;逐位取硬盘序列号的ASCII码值存入eax
0068323C .50 push eax ;
0068323D .FF15 3C104000call dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
00683243 .66:99cwd
00683245 .66:B9 0A00 mov cx,0A
00683249 .66:F7F9idiv cx;将取得值除A取余
0068324C .52 push edx
0068324D .FF15 04104000call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ;将余数转换成它的ASCII码值
00683253 .8BD0 mov edx,eax;
00683255 .8D4D D4lea ecx,dword ptr ss:[ebp-2C]
00683258 .FFD6 call esi
0068325A .50 push eax
0068325B .FF15 50104000call dword ptr ds:[<&MSVBVM60.__vbaStrCat>];将余数连接起来得到新的数值串
00683261 .8BD0 mov edx,eax;
00683263 .8D4D E4lea ecx,dword ptr ss:[ebp-1C]
00683266 .FFD6 call esi
00683268 .8D55 D4lea edx,dword ptr ss:[ebp-2C]
0068326B .8D45 D8lea eax,dword ptr ss:[ebp-28]
0068326E .52 push edx
0068326F .50 push eax
00683270 .6A 02push 2
00683272 .FF15 58114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
00683278 .83C4 0Cadd esp,0C
0068327B .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
0068327E .FFD3 call ebx
00683280 .8B55 E0mov edx,dword ptr ss:[ebp-20];保存当前的硬盘序列号
00683283 .8D4D E0lea ecx,dword ptr ss:[ebp-20]
00683286 .52 push edx
00683287 .898D 7CFFFFFFmov dword ptr ss:[ebp-84],ecx
0068328D .C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
00683297 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;当前硬盘序列号长度
0068329D .83E8 01sub eax,1;当前长度减1
006832A0 .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
006832A3 .0F80 F5010000jo Super背?0068349E
006832A9 .50 push eax
006832AA .8D85 74FFFFFFlea eax,dword ptr ss:[ebp-8C]
006832B0 .50 push eax
006832B1 .51 push ecx
006832B2 .FF15 98114000call dword ptr ds:[<&MSVBVM60.#619>] ;MSVBVM60.rtcRightCharVar
006832B8 .8D55 C4lea edx,dword ptr ss:[ebp-3C]
006832BB .52 push edx
006832BC .FFD7 call edi ;保存当前硬盘序列号
006832BE .8BD0 mov edx,eax;
006832C0 .8D4D E0lea ecx,dword ptr ss:[ebp-20];
006832C3 .FFD6 call esi
006832C5 .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
006832C8 .FFD3 call ebx
006832CA .^ E9 23FFFFFFjmp Super背?006831F2
006832CF >8B45 E4mov eax,dword ptr ss:[ebp-1C];保存当前的新数值串
006832D2 .50 push eax
006832D3 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;当前新数值串的长度
006832D9 .85C0 test eax,eax ; 检查长度是否为0为0跳出循环
006832DB .0F8E 28010000jle Super背?00683409
006832E1 .8B4D E8mov ecx,dword ptr ss:[ebp-18]
006832E4 .8D85 74FFFFFFlea eax,dword ptr ss:[ebp-8C]
006832EA .898D 5CFFFFFFmov dword ptr ss:[ebp-A4],ecx
006832F0 .6A 01push 1
006832F2 .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
006832F5 .8D55 E4lea edx,dword ptr ss:[ebp-1C]
006832F8 .50 push eax
006832F9 .51 push ecx
006832FA .C785 54FFFFFF 08>mov dword ptr ss:[ebp-AC],8
00683304 .8995 7CFFFFFFmov dword ptr ss:[ebp-84],edx
0068330A .C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
00683314 .FF15 88114000call dword ptr ds:[<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
0068331A .8D55 C4lea edx,dword ptr ss:[ebp-3C]
0068331D .8D45 D8lea eax,dword ptr ss:[ebp-28]
00683320 .52 push edx
00683321 .50 push eax
00683322 .FF15 30114000call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
00683328 .50 push eax ;
00683329 .FF15 C0114000call dword ptr ds:[<&MSVBVM60.#581>] ;逐位取新数值的实数到(ST0)
0068332F .DC0D 681B4000fmul qword ptr ds:[401B68](ST0)乘以ds:[401B68]的值将结果送(ST0)
00683335 .DFE0 fstsw ax ;
00683337 .A8 0Dtest al,0D
00683339 .0F85 5A010000jnz Super背?00683499
0068333F .FF15 84114000call dword ptr ds:[<&MSVBVM60.__vbaFpI4>];将(ST0)十进制值转换为它的十六进制值
00683345 .99 cdq;
00683346 .B9 0A000000mov ecx,0A
0068334B .C745 B4 03000000 mov dword ptr ss:[ebp-4C],3
00683352 .F7F9 idiv ecx ;将十六进制值除A取余
00683354 .8D45 A4lea eax,dword ptr ss:[ebp-5C]
00683357 .8955 BCmov dword ptr ss:[ebp-44],edx
0068335A .8D55 B4lea edx,dword ptr ss:[ebp-4C]
0068335D .52 push edx
0068335E .50 push eax
0068335F .FF15 7C114000call dword ptr ds:[<&MSVBVM60.#613>] ;MSVBVM60.rtcVarStrFromVar
00683365 .8D4D A4lea ecx,dword ptr ss:[ebp-5C]
00683368 .8D55 94lea edx,dword ptr ss:[ebp-6C]
0068336B .51 push ecx
0068336C .52 push edx
0068336D .FF15 A4104000call dword ptr ds:[<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
00683373 .8D85 54FFFFFFlea eax,dword ptr ss:[ebp-AC]
00683379 .8D4D 94lea ecx,dword ptr ss:[ebp-6C]
0068337C .50 push eax
0068337D .8D55 84lea edx,dword ptr ss:[ebp-7C]
00683380 .51 push ecx
00683381 .52 push edx
00683382 .FF15 34114000call dword ptr ds:[<&MSVBVM60.__vbaVarCat>];MSVBVM60.__vbaVarCat
00683388 .50 push eax
00683389 .FFD7 call edi将余数连接起来得到前码
0068338B .8BD0 mov edx,eax
0068338D .8D4D E8lea ecx,dword ptr ss:[ebp-18]
00683390 .FFD6 call esi
00683392 .8D4D D8lea ecx,dword ptr ss:[ebp-28]
00683395 .FF15 B8114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0068339B .8D45 84lea eax,dword ptr ss:[ebp-7C]
0068339E .8D4D 94lea ecx,dword ptr ss:[ebp-6C]
006833A1 .50 push eax
006833A2 .8D55 A4lea edx,dword ptr ss:[ebp-5C]
006833A5 .51 push ecx
006833A6 .8D45 B4lea eax,dword ptr ss:[ebp-4C]
006833A9 .52 push edx
006833AA .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
006833AD .50 push eax
006833AE .51 push ecx
006833AF .6A 05push 5
006833B1 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
006833B7 .8B45 E4mov eax,dword ptr ss:[ebp-1C];获得当前的新数值串
006833BA .83C4 18add esp,18
006833BD .8D55 E4lea edx,dword ptr ss:[ebp-1C]
006833C0 .C785 74FFFFFF 08>mov dword ptr ss:[ebp-8C],4008
006833CA .50 push eax
006833CB .8995 7CFFFFFFmov dword ptr ss:[ebp-84],edx
006833D1 .FF15 28104000call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;获得当前的新数值串长度
006833D7 .83E8 01sub eax,1 当前长度减1
006833DA .8D8D 74FFFFFFlea ecx,dword ptr ss:[ebp-8C]
006833E0 .0F80 B8000000jo Super背?0068349E
006833E6 .50 push eax
006833E7 .8D55 C4lea edx,dword ptr ss:[ebp-3C]
006833EA .51 push ecx
006833EB .52 push edx
006833EC .FF15 98114000call dword ptr ds:[<&MSVBVM60.#619>] ;MSVBVM60.rtcRightCharVar
006833F2 .8D45 C4lea eax,dword ptr ss:[ebp-3C]
006833F5 .50 push eax
006833F6 .FFD7 call edi ;获得当前的新数值串
006833F8 .8BD0 mov edx,eax
006833FA .8D4D E4lea ecx,dword ptr ss:[ebp-1C]
006833FD .FFD6 call esi
006833FF .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
00683402 .FFD3 call ebx
00683404 .^ E9 C6FEFFFFjmp Super背?006832CF;
00683409 >8B55 E8mov edx,dword ptr ss:[ebp-18] ;显示前码
0068340C .8D4D DClea ecx,dword ptr ss:[ebp-24]
0068340F .FF15 54114000call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
00683415 .9B wait
00683416 .68 72346800push Super背?00683472
0068341B .EB 3Fjmp short Super背?0068345C
0068341D .F645 FC 04 test byte ptr ss:[ebp-4],4
00683421 .74 09je short Super背?0068342C
00683423 .8D4D DClea ecx,dword ptr ss:[ebp-24]
00683426 .FF15 B8114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0068342C >8D4D D4lea ecx,dword ptr ss:[ebp-2C]
0068342F .8D55 D8lea edx,dword ptr ss:[ebp-28]
00683432 .51 push ecx
00683433 .52 push edx
00683434 .6A 02push 2
00683436 .FF15 58114000call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;MSVBVM60.__vbaFreeStrList
0068343C .8D45 84lea eax,dword ptr ss:[ebp-7C]
0068343F .8D4D 94lea ecx,dword ptr ss:[ebp-6C]
00683442 .50 push eax
00683443 .8D55 A4lea edx,dword ptr ss:[ebp-5C]
00683446 .51 push ecx
00683447 .8D45 B4lea eax,dword ptr ss:[ebp-4C]
0068344A .52 push edx
0068344B .8D4D C4lea ecx,dword ptr ss:[ebp-3C]
0068344E .50 push eax
0068344F .51 push ecx
00683450 .6A 05push 5
00683452 .FF15 30104000call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00683458 .83C4 24add esp,24
0068345B .C3 retn
0068345C >8B35 B8114000mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeStr>];MSVBVM60.__vbaFreeStr
00683462 .8D4D E8lea ecx,dword ptr ss:[ebp-18]
00683465 .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
00683467 .8D4D E4lea ecx,dword ptr ss:[ebp-1C]
0068346A .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
0068346C .8D4D E0lea ecx,dword ptr ss:[ebp-20]
0068346F .FFD6 call esi ;<&MSVBVM60.__vbaFreeStr>
00683471 .C3 retn
00683472 .8B45 08mov eax,dword ptr ss:[ebp+8]
00683475 .50 push eax
00683476 .8B10 mov edx,dword ptr ds:[eax]
00683478 .FF52 08call dword ptr ds:[edx+8]
0068347B .8B45 0Cmov eax,dword ptr ss:[ebp+C]
0068347E .8B4D DCmov ecx,dword ptr ss:[ebp-24]
00683481 .8908 mov dword ptr ds:[eax],ecx
00683483 .8B45 FCmov eax,dword ptr ss:[ebp-4]
00683486 .8B4D ECmov ecx,dword ptr ss:[ebp-14]
00683489 .5F pop edi
0068348A .5E pop esi
0068348B .64:890D 00000000 mov dword ptr fs:[0],ecx
00683492 .5B pop ebx
00683493 .8BE5 mov esp,ebp
00683495 .5D pop ebp
00683496 .C2 0800retn 8
00683499 >^ E9 FEEBD7FFjmp <jmp.&MSVBVM60.__vbaFPException>
算法总结:
计算前码:首先获得硬盘序列号5MT1A8DX,循环逐位取序列号的ASCII码值除A取余,最后将余数连接起来得到
37495688.
循环逐位取37495688的值送入(ST0),并乘以ds:[401B68]的值(我这里是3),得到十进制值;将(ST0)的十进制值
转换为它的十六进制值,除A取余,最后将余数连接起来得到91275844,这就是前码.
计算后码:1. 循环逐位取91275844的值,转换为它的ASCII码值,然后累加得到1A8,再乘以13得到1F78,除9取余,存入
ss:[ebp-24]中.
2. 循环逐位取91275844的ASCII码值,自乘,同时计数:取第一位时计数为1,每循环一次计数值加1,
将当前计数值乘3除2得到的商,加上自乘值和ss:[ebp-24]中的值,除A取余,最后将余数连接起来就
得到15527657,这就是后码.