CollegeBar (調酒師) V8.1 Registration Algorithm Analysis - VB6
【Software】CollegeBar 調酒師 V8.1
【Download】http://www.pracx.com
【Platform】Win9x/NT/2000/XP
【Size】6MB
【Restriction】15-day trial
【Disclaimer】This was cracked purely out of interest, for no other purpose. Corrections from the experts are welcome!
【Tools】OllyDbg 1.09, Wdasm 9.0 (Chinese-localized edition)
【Description】Do you like trying all kinds of cocktails and admiring their bright colours? Why not mix some yourself? CollegeBAR describes more than 7000 cocktail recipes, can add new recipes through online updates, and provides "bartender secrets" and a search function so that beginners can get familiar with the mixing procedure. Buy the tools and the liquor and you can enjoy mixing drinks.
[Cracker's note: a drunkard's paradise]
========================================================================================
【Analysis】
On inspection this is an unpacked VB6 program compiled to native code. Disassembling it with Wdasm and looking through the string references turns up:
* Possible StringData Ref from Code Obj ->"RRegistration Successful"
|
:00472002 C7854CFFFFFF1C434100  mov dword ptr [ebp+FFFFFF4C], 0041431C
.........................................
* Possible StringData Ref from Code Obj ->"RRegistration Failed"
|
:004723F2 C7854CFFFFFFA0434100  mov dword ptr [ebp+FFFFFF4C], 004143A0
Searching upward from this address finds the following code:
:00471B4B 57                    push edi
:00471B4C 50                    push eax
:00471B4D E8DEA8FCFF            call 0043C430              <========== the key computation
:00471B52 8D4DD4                lea ecx, dword ptr [ebp-2C]
:00471B55 66894338              mov word ptr [ebx+38], ax   <========= return value stored here
..............................................................................................
:00471C21 66837B38FF            cmp word ptr [ebx+38], FFFF
:00471C26 0F857F070000          jne 004723AB               <========= jumps to the "Registration Failed" message
..............................................................................................
* Possible StringData Ref from Code Obj ->"PPW"
|
:00471C94 6870104100            push 00411070
* Possible StringData Ref from Code Obj ->"DData"
|
:00471C99 680C0F4100            push 00410F0C
:00471C9E 51                    push ecx
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00471C9F FF1508104000          Call dword ptr [00401008]  <============ saves the registration info (SaveSetting "Data", "PPW")
So registration counts as successful as long as the key call at 43C430 returns -1. Patching just this comparison makes the "Registration Successful" message appear, but after a restart the program is still the unregistered version, which suggests that whatever rtcSaveSetting stores is validated again at startup. Tracing into the function with OD gives the following:
0043C430 $ 55              PUSH EBP
0043C431 . 8BEC            MOV EBP,ESP
0043C433 . 83EC 08         SUB ESP,8
0043C436 . 68 36314000     PUSH <JMP.&MSVBVM60.__vbaExceptHandler>  ; SE handler installation
0043C43B . 64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
0043C441 . 50              PUSH EAX
0043C442 . 64:8925 000000> MOV DWORD PTR FS:[0],ESP
0043C449 . 81EC 50010000   SUB ESP,150
0043C44F . 53              PUSH EBX
0043C450 . 56              PUSH ESI
0043C451 . 57              PUSH EDI
0043C452 . 8965 F8         MOV DWORD PTR SS:[EBP-8],ESP
0043C455 . C745 FC F81B40> MOV DWORD PTR SS:[EBP-4],CollegeB.00401B>
0043C45C . 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]     ; first argument: the registration name
0043C45F . 33F6            XOR ESI,ESI
0043C461 . 8975 EC         MOV DWORD PTR SS:[EBP-14],ESI
0043C464 . 8975 DC         MOV DWORD PTR SS:[EBP-24],ESI
0043C467 . 8B08            MOV ECX,DWORD PTR DS:[EAX]       ; name
0043C469 . 8975 D4         MOV DWORD PTR SS:[EBP-2C],ESI
0043C46C . 51              PUSH ECX                         ; name
0043C46D . 8975 D8         MOV DWORD PTR SS:[EBP-28],ESI    ; initialize local vars
0043C470 . 8975 C8         MOV DWORD PTR SS:[EBP-38],ESI
0043C473 . 8975 C4         MOV DWORD PTR SS:[EBP-3C],ESI
0043C476 . 8975 C0         MOV DWORD PTR SS:[EBP-40],ESI
0043C479 . 8975 B0         MOV DWORD PTR SS:[EBP-50],ESI
0043C47C . 8975 A0         MOV DWORD PTR SS:[EBP-60],ESI
0043C47F . 8975 90         MOV DWORD PTR SS:[EBP-70],ESI
0043C482 . 8975 80         MOV DWORD PTR SS:[EBP-80],ESI
0043C485 . 89B5 70FFFFFF   MOV DWORD PTR SS:[EBP-90],ESI
0043C48B . 89B5 60FFFFFF   MOV DWORD PTR SS:[EBP-A0],ESI
0043C491 . 89B5 50FFFFFF   MOV DWORD PTR SS:[EBP-B0],ESI
0043C497 . 89B5 40FFFFFF   MOV DWORD PTR SS:[EBP-C0],ESI
0043C49D . FF15 30104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; length of the registration name
0043C4A3 . 85C0            TEST EAX,EAX                     ; (string length was 0A for the name used here)
0043C4A5 . 0F84 A00C0000   JE CollegeB.0043D14B             ; empty name: leave without ever setting the success flag
0043C4AB . 8B3D C8124000   MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043C4B1 . 8B1D 34104000   MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMove>]
0043C4B7 > 8B55 EC         MOV EDX,DWORD PTR SS:[EBP-14]    ; the accumulated string (empty at first)
0043C4BA . 52              PUSH EDX
0043C4BB . FF15 30104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>]
0043C4C1 . 83F8 29         CMP EAX,29                       ; has it reached 0x29 (41) characters yet?
0043C4C4 . 0F8D 81000000   JGE CollegeB.0043C54B            ; long enough: go on
0043C4CA . 8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]     ; name
0043C4CD . 8B45 EC         MOV EAX,DWORD PTR SS:[EBP-14]    ; accumulated string (0 on the first pass)
0043C4D0 . 56              PUSH ESI                         ; compare = 0 (binary comparison)
0043C4D1 . 6A FF           PUSH -1                          ; count = -1 (replace every occurrence)
0043C4D3 . 8B11            MOV EDX,DWORD PTR DS:[ECX]       ; name
0043C4D5 . 6A 01           PUSH 1                           ; start = 1 (from the first character)
0043C4D7 . 68 44104100     PUSH CollegeB.00411044           ; replacement string (empty / NUL)
0043C4DC . 68 40154100     PUSH CollegeB.00411540           ; search string: 0x20, a space
0043C4E1 . 52              PUSH EDX                         ; name
0043C4E2 . 8985 68FFFFFF   MOV DWORD PTR SS:[EBP-98],EAX    ; variant data = accumulated string
0043C4E8 . C785 60FFFFFF > MOV DWORD PTR SS:[EBP-A0],8      ; variant type 8 = VT_BSTR
0043C4F2 . FF15 C4114000   CALL rtcReplace                  ; replace every space in the name with the empty/NUL string
0043C4F8 . 8945 B8         MOV DWORD PTR SS:[EBP-48],EAX
0043C4FB . 8D45 B0         LEA EAX,DWORD PTR SS:[EBP-50]
0043C4FE . 8D4D A0         LEA ECX,DWORD PTR SS:[EBP-60]
0043C501 . 50              PUSH EAX                         ; source variant
0043C502 . 51              PUSH ECX                         ; result variant
0043C503 . C745 B0 080000> MOV DWORD PTR SS:[EBP-50],8
0043C50A . FF15 28114000   CALL MSVBVM60.rtcUpperCaseVar    ; convert all letters to upper case
0043C510 . 8D95 60FFFFFF   LEA EDX,DWORD PTR SS:[EBP-A0]
0043C516 . 8D45 A0         LEA EAX,DWORD PTR SS:[EBP-60]
0043C519 . 52              PUSH EDX
0043C51A . 8D4D 90         LEA ECX,DWORD PTR SS:[EBP-70]
0043C51D . 50              PUSH EAX
0043C51E . 51              PUSH ECX
0043C51F . FF15 0C124000   CALL MSVBVM60.__vbaVarCat        ; concatenate: the name is appended to itself over and over
0043C525 . 50              PUSH EAX
0043C526 . FFD3            CALL EBX                         ; __vbaStrVarMove
0043C528 . 8BD0            MOV EDX,EAX
0043C52A . 8D4D EC         LEA ECX,DWORD PTR SS:[EBP-14]
0043C52D . FFD7            CALL EDI                         ; __vbaStrMove: result back into [ebp-14]
0043C52F . 8D55 90         LEA EDX,DWORD PTR SS:[EBP-70]
0043C532 . 8D45 A0         LEA EAX,DWORD PTR SS:[EBP-60]
0043C535 . 52              PUSH EDX
0043C536 . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043C539 . 50              PUSH EAX
0043C53A . 51              PUSH ECX
0043C53B . 6A 03           PUSH 3
0043C53D . FF15 44104000   CALL MSVBVM60.__vbaFreeVarList   ; free the temporaries
0043C543 . 83C4 10         ADD ESP,10
0043C546 .^E9 6CFFFFFF     JMP CollegeB.0043C4B7            ; back to the 0x29-character length check
0043C54B > 8B3D 58104000   MOV EDI,MSVBVM60.rtcAnsiValueBstr
0043C551 . 8B1D 08124000   MOV EBX,MSVBVM60.__vbaStrVarVal  ; load the function addresses into registers
0043C557 . 66:B8 0100      MOV AX,1                         ; character index starts at 1
0043C55B . 8975 D4         MOV DWORD PTR SS:[EBP-2C],ESI
0043C55E . 8975 D8         MOV DWORD PTR SS:[EBP-28],ESI    ; the double at [ebp-2C] (the running sum) = 0
0043C561 . 8B35 0C114000   MOV ESI,MSVBVM60.rtcMidCharVar
0043C567 . C745 D0 030000> MOV DWORD PTR SS:[EBP-30],3      ; built-in constant for this round
0043C56E . 66:A3 58A04800  MOV WORD PTR DS:[48A058],AX
0043C574 > B9 28000000     MOV ECX,28                       ; total number of characters to process: 0x28 (40)
0043C579 . 66:3BC1         CMP AX,CX                        ; all processed?
0043C57C . 0F8F 30010000   JG CollegeB.0043C6B2             ; yes: continue below
0043C582 . 8D45 B0         LEA EAX,DWORD PTR SS:[EBP-50]
0043C585 . 8D55 EC         LEA EDX,DWORD PTR SS:[EBP-14]    ; the concatenated string, now long enough
0043C588 . 50              PUSH EAX
0043C589 . B8 19000000     MOV EAX,19                       ; character 0x19 (25)
0043C58E . 0FBFC8          MOVSX ECX,AX
0043C591 . 8995 68FFFFFF   MOV DWORD PTR SS:[EBP-98],EDX    ; concatenated name
0043C597 . 8D95 60FFFFFF   LEA EDX,DWORD PTR SS:[EBP-A0]    ; variant, type 8
0043C59D . 51              PUSH ECX                         ; 0x19
0043C59E . 8D45 A0         LEA EAX,DWORD PTR SS:[EBP-60]
0043C5A1 . 52              PUSH EDX
0043C5A2 . 50              PUSH EAX
0043C5A3 . C745 B8 010000> MOV DWORD PTR SS:[EBP-48],1
0043C5AA . C745 B0 020000> MOV DWORD PTR SS:[EBP-50],2
0043C5B1 . C785 60FFFFFF > MOV DWORD PTR SS:[EBP-A0],4008
0043C5BB . FFD6            CALL ESI                         ; rtcMidCharVar: take character 0x19
0043C5BD . 8D4D A0         LEA ECX,DWORD PTR SS:[EBP-60]
0043C5C0 . 8D55 C4         LEA EDX,DWORD PTR SS:[EBP-3C]
0043C5C3 . 51              PUSH ECX
0043C5C4 . 52              PUSH EDX
0043C5C5 . FFD3            CALL EBX                         ; __vbaStrVarVal
0043C5C7 . 50              PUSH EAX                         ; returned 'Z' = 5A in this run
0043C5C8 . FFD7            CALL EDI                         ; rtcAnsiValueBstr: convert to its ASCII code
0043C5CA . 0FBF15 58A0480> MOVSX EDX,WORD PTR DS:[48A058]   ; character index
0043C5D1 . 8985 2CFFFFFF   MOV DWORD PTR SS:[EBP-D4],EAX    ; ASCII code of character 0x19
0043C5D7 . 8D45 EC         LEA EAX,DWORD PTR SS:[EBP-14]    ; the name string
0043C5DA . 8D4D 90         LEA ECX,DWORD PTR SS:[EBP-70]
0043C5DD . 8985 48FFFFFF   MOV DWORD PTR SS:[EBP-B8],EAX
0043C5E3 . 51              PUSH ECX
0043C5E4 . 8D85 40FFFFFF   LEA EAX,DWORD PTR SS:[EBP-C0]
0043C5EA . 52              PUSH EDX                         ; character index
0043C5EB . 8D4D 80         LEA ECX,DWORD PTR SS:[EBP-80]
0043C5EE . 50              PUSH EAX
0043C5EF . 51              PUSH ECX
0043C5F0 . C745 98 010000> MOV DWORD PTR SS:[EBP-68],1
0043C5F7 . C745 90 020000> MOV DWORD PTR SS:[EBP-70],2
0043C5FE . C785 40FFFFFF > MOV DWORD PTR SS:[EBP-C0],4008
0043C608 . FFD6            CALL ESI                         ; rtcMidCharVar: take the character at the current index
0043C60A . 8D55 80         LEA EDX,DWORD PTR SS:[EBP-80]
0043C60D . 8D45 C0         LEA EAX,DWORD PTR SS:[EBP-40]
0043C610 . 52              PUSH EDX
0043C611 . 50              PUSH EAX
0043C612 . FFD3            CALL EBX                         ; type conversion: variant -> string
0043C614 . 50              PUSH EAX
0043C615 . FFD7            CALL EDI                         ; its ASCII code
0043C617 . 66:0FAF85 2CFF> IMUL AX,WORD PTR SS:[EBP-D4]     ; multiply by the ASCII code of character 0x19 (16-bit signed multiply)
0043C61F . B9 703D0040     MOV ECX,40003D70                 ; constant
0043C624 . 51              PUSH ECX
0043C625 . B9 3D0AD7A3     MOV ECX,A3D70A3D
0043C62A . 51              PUSH ECX                         ; the two dwords form the double 2.03 on the stack
0043C62B . 0F80 7B0B0000   JO CollegeB.0043D1AC             ; on 16-bit overflow, jump to raise the error
0043C631 . 0FBFC8          MOVSX ECX,AX                     ; the product
0043C634 . 898D FCFEFFFF   MOV DWORD PTR SS:[EBP-104],ECX   ; into a temporary
0043C63A . DB85 FCFEFFFF   FILD DWORD PTR SS:[EBP-104]      ; load into the FPU as an integer
0043C640 . DD9D F4FEFFFF   FSTP QWORD PTR SS:[EBP-10C]      ; store it as a double
0043C646 . 8B95 F8FEFFFF   MOV EDX,DWORD PTR SS:[EBP-108]   ; high dword in edx
0043C64C . 8B85 F4FEFFFF   MOV EAX,DWORD PTR SS:[EBP-10C]   ; low dword in eax
0043C652 . 52              PUSH EDX                         ; push the double
0043C653 . 50              PUSH EAX
0043C654   FF15 68124000   CALL MSVBVM60.__vbaPowerR8       ; raise it to the power 2.03
0043C65A   DC45 D4         FADD QWORD PTR SS:[EBP-2C]       ; add the double kept at [ebp-2C]
0043C65D   8D4D C0         LEA ECX,DWORD PTR SS:[EBP-40]
0043C660   8D55 C4         LEA EDX,DWORD PTR SS:[EBP-3C]
0043C663 . 51              PUSH ECX
0043C664 . 52              PUSH EDX
0043C665 . DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; store the result back: this is an accumulating sum
0043C668 . DFE0            FSTSW AX                         ; check the FPU status word for exceptions
0043C66A . A8 0D           TEST AL,0D
0043C66C . 0F85 350B0000   JNZ CollegeB.0043D1A7
0043C672 . 6A 02           PUSH 2
0043C674 . FF15 60124000   CALL MSVBVM60.__vbaFreeStrList
0043C67A . 8D45 80         LEA EAX,DWORD PTR SS:[EBP-80]
0043C67D . 8D4D 90         LEA ECX,DWORD PTR SS:[EBP-70]
0043C680 . 50              PUSH EAX
0043C681 . 8D55 A0         LEA EDX,DWORD PTR SS:[EBP-60]
0043C684 . 51              PUSH ECX
0043C685 . 8D45 B0         LEA EAX,DWORD PTR SS:[EBP-50]
0043C688 . 52              PUSH EDX
0043C689 . 50              PUSH EAX
0043C68A . 6A 04           PUSH 4
0043C68C . FF15 44104000   CALL MSVBVM60.__vbaFreeVarList   ; free the temporaries
0043C692 . 83C4 20         ADD ESP,20
0043C695 . B8 01000000     MOV EAX,1
0043C69A . 66:0305 58A048> ADD AX,WORD PTR DS:[48A058]      ; character index + 1
0043C6A1 . 0F80 050B0000   JO CollegeB.0043D1AC             ; overflow: error
0043C6A7 . 66:A3 58A04800  MOV WORD PTR DS:[48A058],AX      ; store the index back
0043C6AD .^E9 C2FEFFFF     JMP CollegeB.0043C574            ; next iteration
The code above takes characters 1 through 0x28 (40) of the concatenated name, multiplies the ASCII value of each by that of character 0x19 (25), raises each product to the power 2.03 and adds all the results together, giving a double that is kept at [ebp-2C].
0043C6B2 > B8 99000000     MOV EAX,99                       ; constant 0x99
0043C6B7 . 0FBFC8          MOVSX ECX,AX
0043C6BA . 898D F0FEFFFF   MOV DWORD PTR SS:[EBP-110],ECX
0043C6C0 . DB85 F0FEFFFF   FILD DWORD PTR SS:[EBP-110]      ; load into the FPU as an integer
0043C6C6 . DD9D E8FEFFFF   FSTP QWORD PTR SS:[EBP-118]      ; store as a double
0043C6CC . DD85 E8FEFFFF   FLD QWORD PTR SS:[EBP-118]       ; reload
0043C6D2 . DC45 D4         FADD QWORD PTR SS:[EBP-2C]       ; add the sum computed above
0043C6D5 > DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; store the new result
0043C6D8 . DFE0            FSTSW AX
0043C6DA . A8 0D           TEST AL,0D                       ; no FPU exception?
0043C6DC . 0F85 C50A0000   JNZ CollegeB.0043D1A7
0043C6E2 . 8D85 60FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A0]    ; a temporary Variant
0043C6E8 . 6A 00           PUSH 0                           ; number of decimal places = 0
0043C6EA . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]    ; variant that receives the result
0043C6ED . 8D55 D4         LEA EDX,DWORD PTR SS:[EBP-2C]
0043C6F0 . 50              PUSH EAX
0043C6F1 . 51              PUSH ECX
0043C6F2 . 8995 68FFFFFF   MOV DWORD PTR SS:[EBP-98],EDX    ; point the variant at the computed result
0043C6F8 . C785 60FFFFFF > MOV DWORD PTR SS:[EBP-A0],4005   ; type: double, by reference
0043C702 . FF15 E4114000   CALL rtcRound                    ; round to an integer
0043C708 . 8D55 B0         LEA EDX,DWORD PTR SS:[EBP-50]    ; the rounded result
0043C70B . 8D45 A0         LEA EAX,DWORD PTR SS:[EBP-60]    ; variant that receives the result
0043C70E . 52              PUSH EDX
0043C70F . 50              PUSH EAX
0043C710 . C785 58FFFFFF > MOV DWORD PTR SS:[EBP-A8],0B     ; constant 11
0043C71A . C785 50FFFFFF > MOV DWORD PTR SS:[EBP-B0],8002   ; variant type: integer
0043C724 . FF15 84104000   CALL MSVBVM60.__vbaLenVar        ; number of digits in the decimal form of the rounded result
0043C72A . 8D8D 50FFFFFF   LEA ECX,DWORD PTR SS:[EBP-B0]
0043C730 . 50              PUSH EAX
0043C731 . 51              PUSH ECX
0043C732 . FF15 F4104000   CALL vbaVarTstLt                 ; is it less than 11 (0xB) digits?
0043C738 . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]    ; returns -1 if arg1 < arg2
0043C73B . 8985 24FFFFFF   MOV DWORD PTR SS:[EBP-DC],EAX    ; 0 means "not less"
0043C741 . FF15 2C104000   CALL MSVBVM60.__vbaFreeVar
0043C747 . 66:83BD 24FFFF> CMP WORD PTR SS:[EBP-DC],0       ; was 0 returned?
0043C74F . 74 0A           JE SHORT CollegeB.0043C75B       ; yes: already 11 or more digits, move on
0043C751 . DD45 D4         FLD QWORD PTR SS:[EBP-2C]        ; otherwise double the result
0043C754 . DCC0            FADD ST(0),ST(0)
0043C756 .^E9 7AFFFFFF     JMP CollegeB.0043C6D5            ; until it reaches 11 digits
0043C75B > 8D85 60FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A0]
0043C761 . 6A 00           PUSH 0
0043C763 . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043C766 . 8D55 D4         LEA EDX,DWORD PTR SS:[EBP-2C]
0043C769 . 50              PUSH EAX
0043C76A . 51              PUSH ECX
0043C76B . 8995 68FFFFFF   MOV DWORD PTR SS:[EBP-98],EDX
0043C771 . C785 60FFFFFF > MOV DWORD PTR SS:[EBP-A0],4005
0043C77B . FF15 E4114000   CALL MSVBVM60.rtcRound           ; round to an integer
0043C781 . 8D55 B0         LEA EDX,DWORD PTR SS:[EBP-50]
0043C784 . 52              PUSH EDX
0043C785 . FF15 6C124000   CALL MSVBVM60.__vbaR8Var         ; type conversion: variant -> R8
0043C78B . DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; store
0043C78E . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043C791 . FF15 2C104000   CALL MSVBVM60.__vbaFreeVar
0043C797 . 8D45 D4         LEA EAX,DWORD PTR SS:[EBP-2C]    ; rounded value
0043C79A . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043C79D . 8985 68FFFFFF   MOV DWORD PTR SS:[EBP-98],EAX    ; reference to the rounded value
0043C7A3 . 8B45 D0         MOV EAX,DWORD PTR SS:[EBP-30]    ; built-in constant 3
0043C7A6 . 66:05 0100      ADD AX,1                         ; +1 gives 4
0043C7AA . 51              PUSH ECX
0043C7AB . 0F80 FB090000   JO CollegeB.0043D1AC
0043C7B1 . 0FBFD0          MOVSX EDX,AX
0043C7B4 . 8D85 60FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A0]
0043C7BA . 52              PUSH EDX                         ; 4
0043C7BB . 8D4D A0         LEA ECX,DWORD PTR SS:[EBP-60]
0043C7BE . 50              PUSH EAX
0043C7BF . 51              PUSH ECX
0043C7C0 . C745 B8 010000> MOV DWORD PTR SS:[EBP-48],1
0043C7C7 . C745 B0 020000> MOV DWORD PTR SS:[EBP-50],2
0043C7CE . C785 60FFFFFF > MOV DWORD PTR SS:[EBP-A0],4005
0043C7D8 . FFD6            CALL ESI                         ; rtcMidCharVar: the 4th character from the left of the result's decimal form
0043C7DA . 8B55 0C         MOV EDX,DWORD PTR SS:[EBP+C]     ; second argument: the registration code that was entered
0043C7DD . 8D45 90         LEA EAX,DWORD PTR SS:[EBP-70]
0043C7E0 . 50              PUSH EAX
0043C7E1 . B8 19000000     MOV EAX,19
0043C7E6 . 0FBFC8          MOVSX ECX,AX
0043C7E9 . 8995 48FFFFFF   MOV DWORD PTR SS:[EBP-B8],EDX
0043C7EF . 8D95 40FFFFFF   LEA EDX,DWORD PTR SS:[EBP-C0]
0043C7F5 . 51              PUSH ECX
0043C7F6 . 8D45 80         LEA EAX,DWORD PTR SS:[EBP-80]
0043C7F9 . 52              PUSH EDX
0043C7FA . 50              PUSH EAX
0043C7FB . C745 98 010000> MOV DWORD PTR SS:[EBP-68],1
0043C802 . C745 90 020000> MOV DWORD PTR SS:[EBP-70],2
0043C809 . C785 40FFFFFF > MOV DWORD PTR SS:[EBP-C0],4008
0043C813 . FFD6            CALL ESI                         ; rtcMidCharVar: character 0x19 of the registration code
0043C815 . 8D4D A0         LEA ECX,DWORD PTR SS:[EBP-60]
0043C818 . 8D55 80         LEA EDX,DWORD PTR SS:[EBP-80]
0043C81B . 51              PUSH ECX
0043C81C . 52              PUSH EDX
0043C81D . FF15 38114000   CALL MSVBVM60.__vbaVarTstEq      ; are the two the same?
0043C823 . 8985 24FFFFFF   MOV DWORD PTR SS:[EBP-DC],EAX    ; 0 means no
0043C829 . 8D45 80         LEA EAX,DWORD PTR SS:[EBP-80]
0043C82C . 8D4D A0         LEA ECX,DWORD PTR SS:[EBP-60]
0043C82F . 50              PUSH EAX
0043C830 . 8D55 90         LEA EDX,DWORD PTR SS:[EBP-70]
0043C833 . 51              PUSH ECX
0043C834 . 8D45 B0         LEA EAX,DWORD PTR SS:[EBP-50]
0043C837 . 52              PUSH EDX
0043C838 . 50              PUSH EAX
0043C839 . 6A 04           PUSH 4
0043C83B . FF15 44104000   CALL MSVBVM60.__vbaFreeVarList   ; free the temporaries
0043C841 . 33C0            XOR EAX,EAX
0043C843 . 83C4 14         ADD ESP,14
0043C846 . 66:3985 24FFFF> CMP WORD PTR SS:[EBP-DC],AX      ; look at the comparison result
0043C84D . 74 11           JE SHORT CollegeB.0043C860       ; different: skip
0043C84F . 66:8B4D C8      MOV CX,WORD PTR SS:[EBP-38]      ; same: increment the counter at [ebp-38]
0043C853 . 66:83C1 01      ADD CX,1                         ; meaning the first round passed
0043C857 . 0F80 4F090000   JO CollegeB.0043D1AC
0043C85D . 894D C8         MOV DWORD PTR SS:[EBP-38],ECX
0043C860 > 8945 D4         MOV DWORD PTR SS:[EBP-2C],EAX    ; reset the sum to zero
0043C863 . 8945 D8         MOV DWORD PTR SS:[EBP-28],EAX
0043C866 . C745 D0 020000> MOV DWORD PTR SS:[EBP-30],2      ; built-in constant for the next round
0043C86D . 66:B8 0100      MOV AX,1
0043C871 > B9 28000000     MOV ECX,28
0043C876 . 66:A3 58A04800  MOV WORD PTR DS:[48A058],AX      ; character index reset to 1
The code that follows is exactly the same, only the parameters differ. There are five of them; for the round above they are [0x19, 2.03, 0x99, 4, 0x19]:
fixed character index = 0x19
exponent = 2.03
additive constant = 0x99
decimal digit index into the result = 4 (the [ebp-30] constant plus one)
registration code character index = 0x19
Round 2: [0x4, 1.4, 0x21F, 0x3, 0x4]
Round 3: [0xE, 2.4, 0x3D8, 0xA, 0xE]
Round 4: [0xD, 2.6, 0x234, 0x5, 0xD]
If all four rounds pass, i.e. the counter at [ebp-38] equals 4, then:
0043D13B > 8B45 C8         MOV EAX,DWORD PTR SS:[EBP-38]
0043D13E > 66:3D 0400      CMP AX,4
0043D142 . 75 07           JNZ SHORT CollegeB.0043D14B
0043D144 . C745 DC FFFFFF> MOV DWORD PTR SS:[EBP-24],-1     ; all four passed: [ebp-24] = -1
......................................................................................
0043D193 . 66:8B45 DC      MOV AX,WORD PTR SS:[EBP-24]      ; return -1
0043D197 . 5F              POP EDI
0043D198 . 5E              POP ESI
0043D199 . 64:890D 000000> MOV DWORD PTR FS:[0],ECX
0043D1A0 . 5B              POP EBX
0043D1A1 . 8BE5            MOV ESP,EBP
0043D1A3 . 5D              POP EBP
0043D1A4 . C2 0800         RETN 8
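The four-round check reconstructed above, written out as a Python keygen and verifier. This is an added example, not code from the original write-up or from CollegeBar; the function names (expand_name, required_digit, keygen, check) and the constant names are my own. It assumes an ASCII name (for a DBCS character Asc() yields a 16-bit value and the IMUL AX at 0043C617 would overflow), that the rtcReplace call at 0043C4F2 drops the spaces, that VB's Round() rounds half to even (as Python's round() does), and that CStr() of an integer-valued Double prints plain digits, which holds for the 11-digit values reached here. It goes slightly beyond the text by also verifying an arbitrary code the way the counter at [ebp-38] does:

```python
# Added example: Python re-implementation of the routine at 0x43C430 as reconstructed
# above.  Not the program's own code; helper names are mine.  Assumptions: ASCII names,
# rtcReplace removes spaces, VB Round() == round-half-to-even, CStr() prints plain digits.

# One entry per round, from the parameter table above:
# (name char index, exponent, additive constant, digit index, code char index),
# all 1-based as in the disassembly.
ROUNDS = (
    (0x19, 2.03, 0x099, 4,   0x19),
    (0x04, 1.40, 0x21F, 3,   0x04),
    (0x0E, 2.40, 0x3D8, 0xA, 0x0E),
    (0x0D, 2.60, 0x234, 5,   0x0D),
)
MIN_LEN    = 0x29  # 0043C4C1: concatenate the name until Len >= 41
NCHARS     = 0x28  # 0043C574: characters 1..40 are summed
MIN_DIGITS = 0x0B  # 0043C741: double the sum until Round(sum) has >= 11 digits
CODE_LEN   = 25    # length of the registration code quoted in the text


def expand_name(name: str) -> str:
    """Loop at 0043C4B7: strip spaces, upper-case, repeat until >= 0x29 chars."""
    if not name.isascii():
        raise ValueError("non-ASCII name: the 16-bit IMUL in the original would overflow")
    base = name.replace(" ", "").upper()     # rtcReplace + rtcUpperCaseVar (assumed: spaces dropped)
    if not base:
        # under that assumption the original loop never terminates (Len stays 0 < 0x29)
        raise ValueError("name is empty after removing spaces")
    s = ""
    while len(s) < MIN_LEN:
        s = base + s                         # __vbaVarCat(UCase(name), accumulated)
    return s


def required_digit(name: str, fixed_idx: int, exponent: float, add: int, digit_idx: int) -> str:
    """Digit the code must carry for one round: Mid(CStr(Round(sum)), digit_idx, 1)."""
    s = expand_name(name)
    pivot = ord(s[fixed_idx - 1])            # rtcAnsiValueBstr(Mid(s, fixed_idx, 1))
    total = 0.0                              # the double at [ebp-2C]
    for i in range(1, NCHARS + 1):
        prod = ord(s[i - 1]) * pivot         # IMUL AX,WORD PTR [ebp-D4]
        total += prod ** exponent            # __vbaPowerR8, then FADD [ebp-2C]
    total += add                             # e.g. MOV EAX,99 ... FADD
    while len(str(round(total))) < MIN_DIGITS:
        total *= 2                           # FADD ST(0),ST(0) until Len(Round(x)) >= 11
    return str(round(total))[digit_idx - 1]  # rtcMidCharVar on the rounded value


def keygen(name: str, filler: str = "0") -> str:
    """Build a code that passes all four rounds; the 21 unchecked positions get `filler`."""
    code = [filler] * CODE_LEN
    for fixed_idx, exponent, add, digit_idx, code_idx in ROUNDS:
        code[code_idx - 1] = required_digit(name, fixed_idx, exponent, add, digit_idx)
    return "".join(code)


def check(name: str, code: str) -> bool:
    """Mirror of the four __vbaVarTstEq comparisons; True iff the [ebp-38] counter reaches 4."""
    if not name:                             # 0043C4A5: empty name never sets the success flag
        return False
    passed = 0
    for fixed_idx, exponent, add, digit_idx, code_idx in ROUNDS:
        expected = required_digit(name, fixed_idx, exponent, add, digit_idx)
        actual = code[code_idx - 1] if code_idx <= len(code) else ""  # Mid() past the end is ""
        if actual == expected:
            passed += 1
    return passed == len(ROUNDS)


if __name__ == "__main__":
    for n in ("CollegeBar", "acid burn"):   # constructed sample names
        c = keygen(n)
        print(f"{n!r}: {c}  valid={check(n, c)}")
```

keygen() makes the author's observation concrete: only positions 4, 13, 14 and 25 are ever compared, so any 25-character string that carries the four computed digits passes, which is exactly why the edited test code in the text went through. check() treats a code shorter than 25 characters as failing, because Mid() past the end of the code returns an empty string that can never equal a digit.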
That completes the algorithm analysis. The odd thing is that the registration code is 25 characters long, yet for all the complexity of the algorithm only four positions (4, 13, 14, 25) are verified, which is puzzling. My test code was 1111122222333334444455555; changed according to this analysis to 1117122222338934444455551, it went through without any problem. Going back to the calling function and looking carefully, you find another function that performs a far more substantial-looking verification, but its result is never used. Its code is as follows:
0043A10B . 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]     ; the name (in its original form)
0043A10E . 8985 74FFFFFF   MOV DWORD PTR SS:[EBP-8C],EAX
0043A114 . C785 6CFFFFFF > MOV DWORD PTR SS:[EBP-94],4008
0043A11E . 8D8D 6CFFFFFF   LEA ECX,DWORD PTR SS:[EBP-94]
0043A124 . 51              PUSH ECX
0043A125 . 8D55 9C         LEA EDX,DWORD PTR SS:[EBP-64]
0043A128 . 52              PUSH EDX
0043A129 . FF15 E8104000   CALL rtcTrimVar                  ; trim leading and trailing spaces
0043A12F . 8D45 9C         LEA EAX,DWORD PTR SS:[EBP-64]
0043A132 . 50              PUSH EAX
0043A133 . 8D4D 8C         LEA ECX,DWORD PTR SS:[EBP-74]
0043A136 . 51              PUSH ECX
0043A137 . FF15 84104000   CALL MSVBVM60.__vbaLenVar        ; length of the name
0043A13D . 50              PUSH EAX
0043A13E . FF15 10124000   CALL MSVBVM60.__vbaI2Var         ; convert to Integer
0043A144 . 66:8985 38FFFF> MOV WORD PTR SS:[EBP-C8],AX      ; loop limit = name length
0043A14B . 66:C785 3CFFFF> MOV WORD PTR SS:[EBP-C4],1       ; index step = 1
0043A154 . 66:C745 DC 010> MOV WORD PTR SS:[EBP-24],1       ; index starts at 1
0043A15A . 8D4D 9C         LEA ECX,DWORD PTR SS:[EBP-64]
0043A15D . FF15 2C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>]
0043A163 . EB 15           JMP SHORT CollegeB.0043A17A
0043A165 > 66:8B55 DC      MOV DX,WORD PTR SS:[EBP-24]      ; fetch the index
0043A169 . 66:0395 3CFFFF> ADD DX,WORD PTR SS:[EBP-C4]      ; +1: next character
0043A170 . 0F80 E7070000   JO CollegeB.0043A95D
0043A176 . 66:8955 DC      MOV WORD PTR SS:[EBP-24],DX
0043A17A > 66:8B45 DC      MOV AX,WORD PTR SS:[EBP-24]      ; character index
0043A17E . 66:3B85 38FFFF> CMP AX,WORD PTR SS:[EBP-C8]      ; name length
0043A185 . 0F8F 0A020000   JG CollegeB.0043A395
0043A18B . C745 FC 040000> MOV DWORD PTR SS:[EBP-4],4
0043A192 . C745 A4 010000> MOV DWORD PTR SS:[EBP-5C],1
0043A199 . C745 9C 020000> MOV DWORD PTR SS:[EBP-64],2
0043A1A0 . 8D4D 9C         LEA ECX,DWORD PTR SS:[EBP-64]
0043A1A3 . 51              PUSH ECX                         ; variant: integer 1 (the Length argument)
0043A1A4 . 0FBF55 DC       MOVSX EDX,WORD PTR SS:[EBP-24]
0043A1A8 . 52              PUSH EDX
0043A1A9 . 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0043A1AC . 8B08            MOV ECX,DWORD PTR DS:[EAX]
0043A1AE . 51              PUSH ECX
0043A1AF . FF15 00114000   CALL rtcMidCharBstr              ; take one character of the registration name
0043A1B5 . 8BD0            MOV EDX,EAX
0043A1B7 . 8D4D B4         LEA ECX,DWORD PTR SS:[EBP-4C]
0043A1BA . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A1C0 . 50              PUSH EAX
0043A1C1 . FF15 58104000   CALL MSVBVM60.rtcAnsiValueBstr   ; its ASCII code
0043A1C7 . 66:8985 48FFFF> MOV WORD PTR SS:[EBP-B8],AX      ; stored at [ebp-B8]
0043A1CE . C745 94 010000> MOV DWORD PTR SS:[EBP-6C],1
0043A1D5 . C745 8C 020000> MOV DWORD PTR SS:[EBP-74],2
0043A1DC . 8D55 8C         LEA EDX,DWORD PTR SS:[EBP-74]
0043A1DF . 52              PUSH EDX
0043A1E0 . 0FBF45 DC       MOVSX EAX,WORD PTR SS:[EBP-24]
0043A1E4 . 50              PUSH EAX
0043A1E5 . 8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
0043A1E8 . 8B11            MOV EDX,DWORD PTR DS:[ECX]
0043A1EA . 52              PUSH EDX
0043A1EB . FF15 00114000   CALL rtcMidCharBstr              ; take the same character again
0043A1F1 . 8BD0            MOV EDX,EAX
0043A1F3 . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043A1F6 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A1FC . 50              PUSH EAX
0043A1FD . FF15 58104000   CALL MSVBVM60.rtcAnsiValueBstr   ; its ASCII code
0043A203 . 66:8985 44FFFF> MOV WORD PTR SS:[EBP-BC],AX      ; stored here
0043A20A . C745 84 010000> MOV DWORD PTR SS:[EBP-7C],1
0043A211 . C785 7CFFFFFF > MOV DWORD PTR SS:[EBP-84],2
0043A21B . 8D85 7CFFFFFF   LEA EAX,DWORD PTR SS:[EBP-84]
0043A221 . 50              PUSH EAX
0043A222 . 0FBF4D DC       MOVSX ECX,WORD PTR SS:[EBP-24]
0043A226 . 51              PUSH ECX
0043A227 . 8B55 08         MOV EDX,DWORD PTR SS:[EBP+8]
0043A22A . 8B02            MOV EAX,DWORD PTR DS:[EDX]
0043A22C . 50              PUSH EAX
0043A22D . FF15 00114000   CALL rtcMidCharBstr              ; and a third time (really clumsy)
0043A233 . 8BD0            MOV EDX,EAX
0043A235 . 8D4D AC         LEA ECX,DWORD PTR SS:[EBP-54]
0043A238 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A23E . 50              PUSH EAX
0043A23F . FF15 58104000   CALL MSVBVM60.rtcAnsiValueBstr   ; its ASCII code
0043A245 . 66:8985 40FFFF> MOV WORD PTR SS:[EBP-C0],AX      ; stored here
0043A24C . 66:8B8D 48FFFF> MOV CX,WORD PTR SS:[EBP-B8]      ; result of the first fetch
0043A253 . 66:0FAF8D 44FF> IMUL CX,WORD PTR SS:[EBP-BC]     ; times the result of the second fetch
0043A25B . 0F80 FC060000   JO CollegeB.0043A95D
0043A261 . 0FBFD1          MOVSX EDX,CX
0043A264 . 8995 08FFFFFF   MOV DWORD PTR SS:[EBP-F8],EDX    ; product stored here
0043A26A . DB85 08FFFFFF   FILD DWORD PTR SS:[EBP-F8]       ; load as an integer
0043A270 . DD9D 00FFFFFF   FSTP QWORD PTR SS:[EBP-100]      ; store as a double
0043A276 . DD45 D4         FLD QWORD PTR SS:[EBP-2C]        ; add it to the running total
0043A279 . DC85 00FFFFFF   FADD QWORD PTR SS:[EBP-100]
0043A27F . DFE0            FSTSW AX
0043A281 . A8 0D           TEST AL,0D
0043A283 . 0F85 CF060000   JNZ CollegeB.0043A958
0043A289 . DD9D F8FEFFFF   FSTP QWORD PTR SS:[EBP-108]      ; intermediate result kept here
0043A28F . 68 00000040     PUSH 40000000
0043A294 . 6A 00           PUSH 0                           ; the double 2.0 on the stack
0043A296 . 0FBF85 40FFFFF> MOVSX EAX,WORD PTR SS:[EBP-C0]   ; result of the third fetch
0043A29D . 8985 F4FEFFFF   MOV DWORD PTR SS:[EBP-10C],EAX
0043A2A3 . DB85 F4FEFFFF   FILD DWORD PTR SS:[EBP-10C]
0043A2A9 . DD9D ECFEFFFF   FSTP QWORD PTR SS:[EBP-114]
0043A2AF . 8B8D F0FEFFFF   MOV ECX,DWORD PTR SS:[EBP-110]
0043A2B5 . 51              PUSH ECX
0043A2B6 . 8B95 ECFEFFFF   MOV EDX,DWORD PTR SS:[EBP-114]
0043A2BC . 52              PUSH EDX
0043A2BD . FF15 68124000   CALL MSVBVM60.__vbaPowerR8       ; square it
0043A2C3 . DC85 F8FEFFFF   FADD QWORD PTR SS:[EBP-108]      ; add to the intermediate result
0043A2C9 . DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; total stored back at [ebp-2c]
So for each character x this code actually computes x*x + x**2 = 2 * x**2.
.................................................................
0043A307 . C745 FC 050000> MOV DWORD PTR SS:[EBP-4],5
0043A30E . DD45 D4         FLD QWORD PTR SS:[EBP-2C]        ; load the total
0043A311 . FF15 A8124000   CALL MSVBVM60.__vbaFpI4          ; convert to Long
0043A317 . 8BF0            MOV ESI,EAX
0043A319 . 81E6 01000080   AND ESI,80000001                 ; keep the sign bit and the lowest bit
0043A31F . 79 05           JNS SHORT CollegeB.0043A326
0043A321 . 4E              DEC ESI
0043A322 . 83CE FE         OR ESI,FFFFFFFE
0043A325 . 46              INC ESI
0043A326 > F7DE            NEG ESI
0043A328 . 1BF6            SBB ESI,ESI
0043A32A . F7DE            NEG ESI                          ; in the end only the lowest bit matters: ESI = 1 if the value is odd
0043A32C . DD45 D4         FLD QWORD PTR SS:[EBP-2C]        ; load the total again
0043A32F . FF15 A8124000   CALL MSVBVM60.__vbaFpI4          ; convert again (VB really is that clumsy)
0043A335 . 99              CDQ                              ; sign-extend
0043A336 . B9 03000000     MOV ECX,3
0043A33B . F7F9            IDIV ECX                         ; divide by 3
0043A33D . F7DA            NEG EDX                          ; negate the remainder
0043A33F . 1BD2            SBB EDX,EDX                      ; subtract with borrow
0043A341 . F7DA            NEG EDX                          ; negate: EDX = 1 if the remainder is non-zero
0043A343 . 23F2            AND ESI,EDX                      ; AND with the result above
0043A345 . 85F6            TEST ESI,ESI                     ; the condition here is "odd and not divisible by 3"
0043A347 . 75 40           JNZ SHORT CollegeB.0043A389      ; condition met: continue
0043A349 . C745 FC 060000> MOV DWORD PTR SS:[EBP-4],6       ; the [ebp-4] stores are the VB runtime's statement markers for error handling
0043A350 . 66:8B55 DC      MOV DX,WORD PTR SS:[EBP-24]      ; condition not met: take the character index
0043A354 . 66:6BD2 03      IMUL DX,DX,3                     ; times 3
0043A358 . 0F80 FF050000   JO CollegeB.0043A95D
0043A35E . 0FBFC2          MOVSX EAX,DX                     ; and add it to the total
0043A361 . 8985 E8FEFFFF   MOV DWORD PTR SS:[EBP-118],EAX
0043A367 . DB85 E8FEFFFF   FILD DWORD PTR SS:[EBP-118]
0043A36D . DD9D E0FEFFFF   FSTP QWORD PTR SS:[EBP-120]
0043A373 . DD45 D4         FLD QWORD PTR SS:[EBP-2C]
0043A376 . DC85 E0FEFFFF   FADD QWORD PTR SS:[EBP-120]
0043A37C . DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; ebp-2c again
0043A37F . DFE0            FSTSW AX
0043A381 . A8 0D           TEST AL,0D
0043A383 . 0F85 CF050000   JNZ CollegeB.0043A958
0043A389 > C745 FC 080000> MOV DWORD PTR SS:[EBP-4],8
0043A390 .^E9 D0FDFFFF     JMP CollegeB.0043A165            ; next character
The code above starts at the first character of the name and, for each character, computes 2*x**2 and adds it to the running total. After each step, if the total does not satisfy "odd and not divisible by 3", three times the current index is added as well. This continues until every character has been processed; the result is kept at [ebp-2c].
The code that follows performs exactly the same computation a second time, with an identical result, and stores it at [ebp-44]. Puzzling duplicate work; omitted here. Then:
0043A626 > C745 FC 0F0000> MOV DWORD PTR SS:[EBP-4],0F
0043A62D . 8B4D C0         MOV ECX,DWORD PTR SS:[EBP-40]
0043A630 . 51              PUSH ECX
0043A631 . 8B55 BC         MOV EDX,DWORD PTR SS:[EBP-44]    ; the result of the second computation
0043A634 . 52              PUSH EDX
0043A635 . FF15 80114000   CALL [<&MSVBVM60.__vbaStrR8>]    ; R8 -> string
0043A63B . 8BD0            MOV EDX,EAX
0043A63D . 8D4D B4         LEA ECX,DWORD PTR SS:[EBP-4C]
0043A640 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A646 . 50              PUSH EAX
0043A647 . FF15 D0114000   CALL rtcStrReverse               ; reverse the string
0043A64D . 8BD0            MOV EDX,EAX
0043A64F . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043A652 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A658 . 50              PUSH EAX
0043A659 . FF15 3C124000   CALL [<&MSVBVM60.__vbaR8Str>]    ; back to R8
0043A65F . DC05 381B4000   FADD QWORD PTR DS:[401B38]       ; add the built-in value 38473.0
0043A665 . DD5D BC         FSTP QWORD PTR SS:[EBP-44]       ; store the result back
............................................................
0043A685 . C745 FC 100000> MOV DWORD PTR SS:[EBP-4],10
0043A68C . 8B55 C0         MOV EDX,DWORD PTR SS:[EBP-40]
0043A68F . 52              PUSH EDX
0043A690 . 8B45 BC         MOV EAX,DWORD PTR SS:[EBP-44]
0043A693 . 50              PUSH EAX
0043A694 . FF15 80114000   CALL [<&MSVBVM60.__vbaStrR8>]    ; to string again
0043A69A . 8BD0            MOV EDX,EAX
0043A69C . 8D4D B4         LEA ECX,DWORD PTR SS:[EBP-4C]
0043A69F . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A6A5 . 50              PUSH EAX
0043A6A6 . FF15 D0114000   CALL MSVBVM60.rtcStrReverse      ; reverse
0043A6AC . 8BD0            MOV EDX,EAX
0043A6AE . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043A6B1 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A6B7 . 50              PUSH EAX
0043A6B8 . FF15 3C124000   CALL [<&MSVBVM60.__vbaR8Str>]    ; back to R8 once more
0043A6BE . DCC0            FADD ST(0),ST(0)                 ; double it
0043A6C0 . DD5D BC         FSTP QWORD PTR SS:[EBP-44]       ; store back
.......................................................................
0043A6E0 . C745 FC 110000> MOV DWORD PTR SS:[EBP-4],11
0043A6E7 . 8B45 D8         MOV EAX,DWORD PTR SS:[EBP-28]    ; the result of the first computation
0043A6EA . 50              PUSH EAX
0043A6EB . 8B4D D4         MOV ECX,DWORD PTR SS:[EBP-2C]
0043A6EE . 51              PUSH ECX
0043A6EF . FF15 80114000   CALL MSVBVM60.__vbaStrR8         ; to string
0043A6F5 . 8BD0            MOV EDX,EAX
0043A6F7 . 8D4D B4         LEA ECX,DWORD PTR SS:[EBP-4C]
0043A6FA . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A700 . 50              PUSH EAX
0043A701 . FF15 D0114000   CALL MSVBVM60.rtcStrReverse      ; reverse
0043A707 . 8BD0            MOV EDX,EAX
0043A709 . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043A70C . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A712 . 50              PUSH EAX
0043A713 . FF15 3C124000   CALL MSVBVM60.__vbaR8Str         ; back to R8
0043A719 . DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; store back
......................................................................
0043A736 . 68 00000040     PUSH 40000000
0043A73B . 6A 00           PUSH 0                           ; the double 2.0
0043A73D . 8B4D D8         MOV ECX,DWORD PTR SS:[EBP-28]
0043A740 . 51              PUSH ECX
0043A741 . 8B55 D4         MOV EDX,DWORD PTR SS:[EBP-2C]
0043A744 . 52              PUSH EDX
0043A745 . FF15 68124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaPowerR8>] ; square the result
0043A74B . DD5D D4         FSTP QWORD PTR SS:[EBP-2C]       ; store back
0043A74E . C745 FC 130000> MOV DWORD PTR SS:[EBP-4],13
0043A755 . C745 A4 0C0000> MOV DWORD PTR SS:[EBP-5C],0C
0043A75C . C745 9C 020000> MOV DWORD PTR SS:[EBP-64],2
0043A763 . 8D45 9C         LEA EAX,DWORD PTR SS:[EBP-64]    ; variant, type integer, value 0C
0043A766 . 50              PUSH EAX
0043A767 . 6A 05           PUSH 5
0043A769 . 8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+C]     ; registration code
0043A76C . 8B11            MOV EDX,DWORD PTR DS:[ECX]
0043A76E . 52              PUSH EDX
0043A76F . FF15 00114000   CALL rtcMidCharBstr              ; substring of the code: 0xC characters starting at character 5
0043A775 . 8BD0            MOV EDX,EAX
0043A777 . 8D4D B4         LEA ECX,DWORD PTR SS:[EBP-4C]
0043A77A . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A780 . 50              PUSH EAX
0043A781 . FF15 3C124000   CALL [<&MSVBVM60.__vbaR8Str>]    ; convert to R8
0043A787 . DD5D C4         FSTP QWORD PTR SS:[EBP-3C]       ; kept at ebp-3C
.................................................................
0043A79C . C745 FC 140000> MOV DWORD PTR SS:[EBP-4],14
0043A7A3 . DD45 C4         FLD QWORD PTR SS:[EBP-3C]        ; the real number that substring represents
0043A7A6 . DC05 301B4000   FADD QWORD PTR DS:[401B30]       ; add the built-in value 334.0
0043A7AC . DD5D C4         FSTP QWORD PTR SS:[EBP-3C]       ; store back
0043A7AF . DFE0            FSTSW AX
0043A7B1 . A8 0D           TEST AL,0D
0043A7B3 . 0F85 9F010000   JNZ CollegeB.0043A958
0043A7B9 . C745 FC 150000> MOV DWORD PTR SS:[EBP-4],15
0043A7C0 . 8B45 C8         MOV EAX,DWORD PTR SS:[EBP-38]
0043A7C3 . 50              PUSH EAX
0043A7C4 . 8B4D C4         MOV ECX,DWORD PTR SS:[EBP-3C]
0043A7C7 . 51              PUSH ECX
0043A7C8 . FF15 80114000   CALL [<&MSVBVM60.__vbaStrR8>]    ; to string
0043A7CE . 8BD0            MOV EDX,EAX
0043A7D0 . 8D4D B4         LEA ECX,DWORD PTR SS:[EBP-4C]
0043A7D3 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A7D9 . 50              PUSH EAX
0043A7DA . FF15 D0114000   CALL MSVBVM60.rtcStrReverse      ; reverse
0043A7E0 . 8BD0            MOV EDX,EAX
0043A7E2 . 8D4D B0         LEA ECX,DWORD PTR SS:[EBP-50]
0043A7E5 . FF15 C8124000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A7EB . 50              PUSH EAX
0043A7EC . FF15 3C124000   CALL MSVBVM60.__vbaR8Str         ; back to R8
0043A7F2 . DD5D C4         FSTP QWORD PTR SS:[EBP-3C]       ; store back
....................................................................
0043A808 . C745 FC 160000> MOV DWORD PTR SS:[EBP-4],16
0043A80F . DD45 C4         FLD QWORD PTR SS:[EBP-3C]        ; load the result
0043A812 . DC25 281B4000   FSUB QWORD PTR DS:[401B28]       ; subtract the built-in value 1032.0
0043A818 . DD5D C4         FSTP QWORD PTR SS:[EBP-3C]       ; store back
0043A81B . DFE0            FSTSW AX
0043A81D . A8 0D           TEST AL,0D
0043A81F . 0F85 33010000   JNZ CollegeB.0043A958
0043A825 . C745 FC 170000> MOV DWORD PTR SS:[EBP-4],17
0043A82C . DD45 C4         FLD QWORD PTR SS:[EBP-3C]        ; this result
0043A82F . DC5D D4         FCOMP QWORD PTR SS:[EBP-2C]      ; floating-point compare with the result at [ebp-2c]
0043A832 . DFE0            FSTSW AX
0043A834 . F6C4 40         TEST AH,40                       ; equal?
0043A837 . 74 0D           JE SHORT CollegeB.0043A846       ; if not equal, jump
0043A839 . C745 FC 180000> MOV DWORD PTR SS:[EBP-4],18
0043A840 . 66:C745 D0 FFF> MOV WORD PTR SS:[EBP-30],0FFFF   ; if equal, [ebp-30] = -1, which looks like a success flag
0043A846 > C745 FC 1A0000> MOV DWORD PTR SS:[EBP-4],1A      ; but the code that follows makes sure it never stays -1
0043A84D . 66:C785 28FFFF> MOV WORD PTR SS:[EBP-D8],4       ; first loop: For index = 1 To 4
0043A856 . 66:C785 2CFFFF> MOV WORD PTR SS:[EBP-D4],1
0043A85F . 66:C745 DC 010> MOV WORD PTR SS:[EBP-24],1
0043A865 . EB 15           JMP SHORT CollegeB.0043A87C
0043A867 > 66:8B4D DC      MOV CX,WORD PTR SS:[EBP-24]
0043A86B . 66:038D 2CFFFF> ADD CX,WORD PTR SS:[EBP-D4]
0043A872 . 0F80 E5000000   JO CollegeB.0043A95D
0043A878 . 66:894D DC      MOV WORD PTR SS:[EBP-24],CX
0043A87C > 66:8B55 DC      MOV DX,WORD PTR SS:[EBP-24]
0043A880 . 66:3B95 28FFFF> CMP DX,WORD PTR SS:[EBP-D8]
0043A887 . 7F 16           JG SHORT CollegeB.0043A89F
0043A889 . C745 FC 1B0000> MOV DWORD PTR SS:[EBP-4],1B
0043A890 . 66:C745 D0 000> MOV WORD PTR SS:[EBP-30],0       ; [ebp-30] = 0 on every iteration, unconditionally
0043A896 . C745 FC 1C0000> MOV DWORD PTR SS:[EBP-4],1C
0043A89D .^EB C8           JMP SHORT CollegeB.0043A867
0043A89F > C745 FC 1D0000> MOV DWORD PTR SS:[EBP-4],1D
0043A8A6 . 66:C785 20FFFF> MOV WORD PTR SS:[EBP-E0],11      ; second loop: For index = 1 To 0x11, with an empty body
0043A8AF . 66:C785 24FFFF> MOV WORD PTR SS:[EBP-DC],1
0043A8B8 . 66:C745 DC 010> MOV WORD PTR SS:[EBP-24],1
0043A8BE . EB 15           JMP SHORT CollegeB.0043A8D5
0043A8C0 > 66:8B45 DC      MOV AX,WORD PTR SS:[EBP-24]
0043A8C4 . 66:0385 24FFFF> ADD AX,WORD PTR SS:[EBP-DC]
0043A8CB . 0F80 8C000000   JO CollegeB.0043A95D
0043A8D1 . 66:8945 DC      MOV WORD PTR SS:[EBP-24],AX
0043A8D5 > 66:8B4D DC      MOV CX,WORD PTR SS:[EBP-24]
0043A8D9 . 66:3B8D 20FFFF> CMP CX,WORD PTR SS:[EBP-E0]
0043A8E0 . 7F 09           JG SHORT CollegeB.0043A8EB
0043A8E2 . C745 FC 1E0000> MOV DWORD PTR SS:[EBP-4],1E
0043A8E9 .^EB D5           JMP SHORT CollegeB.0043A8C0
0043A8EB > C745 FC 1F0000> MOV DWORD PTR SS:[EBP-4],1F
0043A8F2 . 66:837D DC 11   CMP WORD PTR SS:[EBP-24],11      ; the index is 0x12 after that loop, so this is never less
0043A8F7 . 7C 0D           JL SHORT CollegeB.0043A906
0043A8F9 . C745 FC 200000> MOV DWORD PTR SS:[EBP-4],20
0043A900 . 66:C745 D0 000> MOV WORD PTR SS:[EBP-30],0       ; [ebp-30] = 0 here as well
0043A906 > 9B              WAIT
0043A907 . 68 41A94300     PUSH CollegeB.0043A941
0043A90C . EB 32           JMP SHORT CollegeB.0043A940
..............................................................
0043A940 > C3              RETN                             ; RET used as a jump to 0043A941
0043A941 > 66:8B45 D0      MOV AX,WORD PTR SS:[EBP-30]      ; [ebp-30] is the return value
0043A945 . 8B4D E0         MOV ECX,DWORD PTR SS:[EBP-20]
0043A948 . 64:890D 000000> MOV DWORD PTR FS:[0],ECX
0043A94F . 5F              POP EDI
0043A950 . 5E              POP ESI
0043A951 . 5B              POP EBX
0043A952 . 8BE5            MOV ESP,EBP
0043A954 . 5D              POP EBP
0043A955 . C2 0800         RETN 8
Postscript: this certainly looks like verification code, but it is somewhat self-contradictory, and in the end none of its results is used anywhere. Puzzling.
========================================================================================
【Summary】
Work it out for yourselves; the first block of code is all you need.
================================================================================
【Copyright】 None
2003-7-16