調酒師 CollegeBar V8.1 註冊演算法分析 - VB6

【軟體名稱】CollegeBar 調酒師 V8.1

【下載地址】http://www.pracx.com

【應用平臺】Win9x/NT/2000/XP

【軟體大小】6MB

【軟體限制】試用期15天

【破解宣告】破解只是感興趣，無其它目的。失誤之處敬請諸位大俠賜教!

【破解工具】OllyDbg 1.09, Wdasm9.0漢化版

【軟體簡介】喜歡雞尾酒各式各樣的嘗試與鮮麗的外觀嗎？何不試著自己來調製看看？CollegeBAR裡介紹有7000多種的調酒方法，具有網上更新功能可以不斷的新增調酒方法，並提供有“酒保秘方”與搜尋功能，便於新手熟悉調酒的程式。只要買齊調酒所需要的工具與酒料，就可以體會調酒的樂趣。

[破者注：酒鬼天堂]

========================================================================================
【分析過程】

經查，為無殼vb6程式，Native Code. 用wdasm返回編後查到字串如下：

* Possible StringData Ref from Code Obj ->"RRegistration Successful"
|
:00472002 C7854CFFFFFF1C434100 mov dword ptr [ebp+FFFFFF4C], 0041431C
.........................................
* Possible StringData Ref from Code Obj ->"RRegistration Failed"
|
:004723F2 C7854CFFFFFFA0434100 mov dword ptr [ebp+FFFFFF4C], 004143A0

從這個地址開始往上找，發現如下程式碼：

:00471B4B 57 push edi
:00471B4C 50 push eax
:00471B4D E8DEA8FCFF call 0043C430 <========== 關鍵計算
:00471B52 8D4DD4 lea ecx, dword ptr [ebp-2C]
:00471B55 66894338 mov word ptr [ebx+38], ax <=========返回值在此
..............................................................................................
:00471C21 66837B38FF cmp word ptr [ebx+38], FFFF
:00471C26 0F857F070000 jne 004723AB <========= 跳去顯示註冊失敗訊息
..............................................................................................
* Possible StringData Ref from Code Obj ->"PPW"
|
:00471C94 6870104100 push 00411070

* Possible StringData Ref from Code Obj ->"DData"
|
:00471C99 680C0F4100 push 00410F0C
:00471C9E 51 push ecx

* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00471C9F FF1508104000 Call dword ptr [00401008] <============儲存註冊資訊

可見，只要關鍵call 43C430 返回-1就算註冊成功。如果就此進行爆破，可以顯示註冊成功訊息，但重新啟動之後仍然是未註冊版本。用OD跟入此函式，結果如下：

0043C430 $ 55 PUSH EBP
0043C431 . 8BEC MOV EBP,ESP
0043C433 . 83EC 08 SUB ESP,8
0043C436 . 68 36314000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0043C43B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043C441 . 50 PUSH EAX
0043C442 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0043C449 . 81EC 50010000 SUB ESP,150
0043C44F . 53 PUSH EBX
0043C450 . 56 PUSH ESI
0043C451 . 57 PUSH EDI
0043C452 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0043C455 . C745 FC F81B40>MOV DWORD PTR SS:[EBP-4],CollegeB.00401B>
0043C45C . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; 取得註冊名字
0043C45F . 33F6 XOR ESI,ESI
0043C461 . 8975 EC MOV DWORD PTR SS:[EBP-14],ESI
0043C464 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
0043C467 . 8B08 MOV ECX,DWORD PTR DS:[EAX] ; name
0043C469 . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0043C46C . 51 PUSH ECX ; name
0043C46D . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI ; initialize local vars
0043C470 . 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
0043C473 . 8975 C4 MOV DWORD PTR SS:[EBP-3C],ESI
0043C476 . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI
0043C479 . 8975 B0 MOV DWORD PTR SS:[EBP-50],ESI
0043C47C . 8975 A0 MOV DWORD PTR SS:[EBP-60],ESI
0043C47F . 8975 90 MOV DWORD PTR SS:[EBP-70],ESI
0043C482 . 8975 80 MOV DWORD PTR SS:[EBP-80],ESI
0043C485 . 89B5 70FFFFFF MOV DWORD PTR SS:[EBP-90],ESI
0043C48B . 89B5 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ESI
0043C491 . 89B5 50FFFFFF MOV DWORD PTR SS:[EBP-B0],ESI
0043C497 . 89B5 40FFFFFF MOV DWORD PTR SS:[EBP-C0],ESI
0043C49D . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>；註冊名字長度
0043C4A3 . 85C0 TEST EAX,EAX ; string length 0A (name)
0043C4A5 . 0F84 A00C0000 JE CollegeB.0043D14B
0043C4AB . 8B3D C8124000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0043C4B1 . 8B1D 34104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarMove
0043C4B7 > 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0043C4BA . 52 PUSH EDX
0043C4BB . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0043C4C1 . 83F8 29 CMP EAX,29 ; 看長度是否達到 0x29 位元組
0043C4C4 . 0F8D 81000000 JGE CollegeB.0043C54B ；若夠長就繼續
0043C4CA . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; name
0043C4CD . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; 0
0043C4D0 . 56 PUSH ESI ; 0 == 設定二進位制比較
0043C4D1 . 6A FF PUSH -1 ; replace any
0043C4D3 . 8B11 MOV EDX,DWORD PTR DS:[ECX] ; name
0043C4D5 . 6A 01 PUSH 1 ; start from beginning (char 1)
0043C4D7 . 68 44104100 PUSH CollegeB.00411044 ; 0
0043C4DC . 68 40154100 PUSH CollegeB.00411540 ; 0x20, 空格
0043C4E1 . 52 PUSH EDX ; name
0043C4E2 . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX ; 0
0043C4E8 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],8 ; 8
0043C4F2 . FF15 C4114000 CALL rtcReplace ；把名字中所有的空格都用NULL字元代替
0043C4F8 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
0043C4FB . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C4FE . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C501 . 50 PUSH EAX ; 0
0043C502 . 51 PUSH ECX ; 0
0043C503 . C745 B0 080000>MOV DWORD PTR SS:[EBP-50],8
0043C50A . FF15 28114000 CALL MSVBVM60.rtcUpperCaseVar ；字母全部變成大寫
0043C510 . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0043C516 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0043C519 . 52 PUSH EDX
0043C51A . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0043C51D . 50 PUSH EAX
0043C51E . 51 PUSH ECX
0043C51F . FF15 0C124000 CALL MSVBVM60.__vbaVarCat ；名字重複連線起來
0043C525 . 50 PUSH EAX
0043C526 . FFD3 CALL EBX
0043C528 . 8BD0 MOV EDX,EAX
0043C52A . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0043C52D . FFD7 CALL EDI
0043C52F . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0043C532 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0043C535 . 52 PUSH EDX
0043C536 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C539 . 50 PUSH EAX
0043C53A . 51 PUSH ECX
0043C53B . 6A 03 PUSH 3
0043C53D . FF15 44104000 CALL MSVBVM60.__vbaFreeVarList ；釋放臨時變數
0043C543 . 83C4 10 ADD ESP,10
0043C546 .^E9 6CFFFFFF JMP CollegeB.0043C4B7 ；跳回去檢查是否已到0x29個字元長

0043C54B > 8B3D 58104000 MOV EDI, MSVBVM60.rtcAnsivalueBstr
0043C551 . 8B1D 08124000 MOV EBX,MSVBVM60.__vbaStrVarVal；將函式地址裝入暫存器
0043C557 . 66:B8 0100 MOV AX,1 ；字元索引從1開始
0043C55B . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0043C55E . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI
0043C561 . 8B35 0C114000 MOV ESI, MSVBVM60.rtcMidCharVar
0043C567 . C745 D0 030000>MOV DWORD PTR SS:[EBP-30],3 ；內定常數
0043C56E . 66:A3 58A04800 MOV WORD PTR DS:[48A058],AX
0043C574 > B9 28000000 MOV ECX,28 ; 總共要處理的字元數
0043C579 . 66:3BC1 CMP AX,CX ；是否已處理完畢
0043C57C . 0F8F 30010000 JG CollegeB.0043C6B2 ；處理完則繼續
0043C582 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C585 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; 裝入聯接好的夠長的字串
0043C588 . 50 PUSH EAX
0043C589 . B8 19000000 MOV EAX,19 ；第0x19個字元
0043C58E . 0FBFC8 MOVSX ECX,AX
0043C591 . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX ; linked name
0043C597 . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0] ; 8
0043C59D . 51 PUSH ECX ; 19
0043C59E . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0043C5A1 . 52 PUSH EDX
0043C5A2 . 50 PUSH EAX
0043C5A3 . C745 B8 010000>MOV DWORD PTR SS:[EBP-48],1
0043C5AA . C745 B0 020000>MOV DWORD PTR SS:[EBP-50],2
0043C5B1 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4008
0043C5BB . FFD6 CALL ESI ; rtcMidCharVar: 取第 0x19 個字元
0043C5BD . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C5C0 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0043C5C3 . 51 PUSH ECX
0043C5C4 . 52 PUSH EDX
0043C5C5 . FFD3 CALL EBX ; __vbaStrVarVal
0043C5C7 . 50 PUSH EAX ; returned 'Z' = 5A
0043C5C8 . FFD7 CALL EDI ; rtcAnsivalueBStr: 專程ascii碼數字
0043C5CA . 0FBF15 58A0480>MOVSX EDX,WORD PTR DS:[48A058] ; 字元索引
0043C5D1 . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX ; 第0x19個字元的ascii碼
0043C5D7 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] ; 名字串
0043C5DA . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0043C5DD . 8985 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EAX
0043C5E3 . 51 PUSH ECX
0043C5E4 . 8D85 40FFFFFF LEA EAX,DWORD PTR SS:[EBP-C0]
0043C5EA . 52 PUSH EDX ；字元索引
0043C5EB . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0043C5EE . 50 PUSH EAX
0043C5EF . 51 PUSH ECX
0043C5F0 . C745 98 010000>MOV DWORD PTR SS:[EBP-68],1
0043C5F7 . C745 90 020000>MOV DWORD PTR SS:[EBP-70],2
0043C5FE . C785 40FFFFFF >MOV DWORD PTR SS:[EBP-C0],4008
0043C608 . FFD6 CALL ESI ; rtcMidCharVar：取被索引的字元
0043C60A . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0043C60D . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0043C610 . 52 PUSH EDX
0043C611 . 50 PUSH EAX
0043C612 . FFD3 CALL EBX ；型別轉換：variant -> string
0043C614 . 50 PUSH EAX
0043C615 . FFD7 CALL EDI ;取ascii碼
0043C617 . 66:0FAF85 2CFF>IMUL AX,WORD PTR SS:[EBP-D4] ；乘以第0x19個字元的ascii碼
0043C61F . B9 703D0040 MOV ECX,40003D70 ; constant
0043C624 . 51 PUSH ECX
0043C625 . B9 3D0AD7A3 MOV ECX,A3D70A3D
0043C62A . 51 PUSH ECX ; 這兩個常數在堆疊上形成浮點數2.03
0043C62B . 0F80 7B0B0000 JO CollegeB.0043D1AC ；若溢位則跳去丟擲異常
0043C631 . 0FBFC8 MOVSX ECX,AX；乘積在此
0043C634 . 898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX；存入臨時變數
0043C63A . DB85 FCFEFFFF FILD DWORD PTR SS:[EBP-104] ; FPU 作為整數載入
0043C640 . DD9D F4FEFFFF FSTP QWORD PTR SS:[EBP-10C] ; 轉存成雙精度實數
0043C646 . 8B95 F8FEFFFF MOV EDX,DWORD PTR SS:[EBP-108] ; high word in edx
0043C64C . 8B85 F4FEFFFF MOV EAX,DWORD PTR SS:[EBP-10C] ; low word in eax
0043C652 . 52 PUSH EDX ; 將此實數壓入堆疊
0043C653 . 50 PUSH EAX
0043C654 FF15 68124000 CALL MSVBVM60.__vbaPoweR8 ; 計算其2.03次冪
0043C65A DC45 D4 FADD QWORD PTR SS:[EBP-2C] ; 加上此處的double值
0043C65D 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0043C660 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0043C663 . 51 PUSH ECX
0043C664 . 52 PUSH EDX
0043C665 . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ;結果存回此地址，暗示這裡加和運算
0043C668 . DFE0 FSTSW AX ; 協處理器狀態字檢查有無溢位
0043C66A . A8 0D TEST AL,0D
0043C66C . 0F85 350B0000 JNZ CollegeB.0043D1A7
0043C672 . 6A 02 PUSH 2
0043C674 . FF15 60124000 CALL MSVBVM60.__vbaFreeStrList
0043C67A . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0043C67D . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0043C680 . 50 PUSH EAX
0043C681 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0043C684 . 51 PUSH ECX
0043C685 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C688 . 52 PUSH EDX
0043C689 . 50 PUSH EAX
0043C68A . 6A 04 PUSH 4
0043C68C . FF15 44104000 CALL MSVBVM60.__vbaFreeVarList ；釋放臨時變數
0043C692 . 83C4 20 ADD ESP,20
0043C695 . B8 01000000 MOV EAX,1
0043C69A . 66:0305 58A048>ADD AX,WORD PTR DS:[48A058] ；字元索引加1
0043C6A1 . 0F80 050B0000 JO CollegeB.0043D1AC ；溢位則出錯
0043C6A7 . 66:A3 58A04800 MOV WORD PTR DS:[48A058],AX ；字元索引存回
0043C6AD .^E9 C2FEFFFF JMP CollegeB.0043C574 ；下一輪

以上程式碼用串聯名字中的第1至第0x28個字元分別與第0x19個字元的相乘並計算結果的2.03次冪，並將所有結果相加，得到一個double值，存在[ebp-2C]處。

0043C6B2 > B8 99000000 MOV EAX,99 ; 常數0x99
0043C6B7 . 0FBFC8 MOVSX ECX,AX
0043C6BA . 898D F0FEFFFF MOV DWORD PTR SS:[EBP-110],ECX
0043C6C0 . DB85 F0FEFFFF FILD DWORD PTR SS:[EBP-110] ; 作為整數載入FPU
0043C6C6 . DD9D E8FEFFFF FSTP QWORD PTR SS:[EBP-118] ; 存成double
0043C6CC . DD85 E8FEFFFF FLD QWORD PTR SS:[EBP-118] ; reload
0043C6D2 . DC45 D4 FADD QWORD PTR SS:[EBP-2C] ; 加上先前的計算結果
0043C6D5 > DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ; 儲存新結果
0043C6D8 . DFE0 FSTSW AX
0043C6DA . A8 0D TEST AL,0D ; no abnormal
0043C6DC . 0F85 C50A0000 JNZ CollegeB.0043D1A7
0043C6E2 . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0] ; 一個臨時Variant型變數
0043C6E8 . 6A 00 PUSH 0
0043C6EA . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]；存放返回結果的variant變數
0043C6ED . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0043C6F0 . 50 PUSH EAX
0043C6F1 . 51 PUSH ECX
0043C6F2 . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX；使此變數指向計算結果
0043C6F8 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4005；型別為double, 指標訪問
0043C702 . FF15 E4114000 CALL rtcRound ；四捨五入取整
0043C708 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]；取整後的結果
0043C70B . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]；存放返回結果的變數
0043C70E . 52 PUSH EDX
0043C70F . 50 PUSH EAX
0043C710 . C785 58FFFFFF >MOV DWORD PTR SS:[EBP-A8],0B ; 常數
0043C71A . C785 50FFFFFF >MOV DWORD PTR SS:[EBP-B0],8002 ；
0043C724 . FF15 84104000 CALL MSVBVM60.__vbaLenVar ；取得取整結果的十進位制形式的位數
0043C72A . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
0043C730 . 50 PUSH EAX
0043C731 . 51 PUSH ECX
0043C732 . FF15 F4104000 CALL vbaVarTstLt ；比較是否小於11（0xB）位
0043C738 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50] ; return -1 means arg1 < arg2
0043C73B . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX ；返回0表示不小於
0043C741 . FF15 2C104000 CALL MSVBVM60.__vbaFreeVar
0043C747 . 66:83BD 24FFFF>CMP WORD PTR SS:[EBP-DC],0 ; 是否返回了0？
0043C74F . 74 0A JE SHORT CollegeB.0043C75B ；若是，即已經超過11位，跳走繼續
0043C751 . DD45 D4 FLD QWORD PTR SS:[EBP-2C] ；否則將結果加倍
0043C754 . DCC0 FADD ST(0),ST(0)
0043C756 .^E9 7AFFFFFF JMP CollegeB.0043C6D5；直到達到11位
0043C75B > 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0043C761 . 6A 00 PUSH 0
0043C763 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C766 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0043C769 . 50 PUSH EAX
0043C76A . 51 PUSH ECX
0043C76B . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX
0043C771 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4005
0043C77B . FF15 E4114000 CALL MSVBVM60.rtcRound ；取整
0043C781 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0043C784 . 52 PUSH EDX
0043C785 . FF15 6C124000 CALL MSVBVM60.__vbaR8Var ; 型別轉換，variant -> R8
0043C78B . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ;存
0043C78E . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C791 . FF15 2C104000 CALL MSVBVM60.__vbaFreeVar
0043C797 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C] ; rounded value
0043C79A . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C79D . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX ; ref to rounded value
0043C7A3 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ；內定常數 3
0043C7A6 . 66:05 0100 ADD AX,1 ；+1得4
0043C7AA . 51 PUSH ECX
0043C7AB . 0F80 FB090000 JO CollegeB.0043D1AC
0043C7B1 . 0FBFD0 MOVSX EDX,AX
0043C7B4 . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0043C7BA . 52 PUSH EDX ；4
0043C7BB . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C7BE . 50 PUSH EAX
0043C7BF . 51 PUSH ECX
0043C7C0 . C745 B8 010000>MOV DWORD PTR SS:[EBP-48],1
0043C7C7 . C745 B0 020000>MOV DWORD PTR SS:[EBP-50],2
0043C7CE . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4005
0043C7D8 . FFD6 CALL ESI ; rtcMidCharVar ；取所得結果的十進位制形式的左起第4個字元
0043C7DA . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C] ;輸入的註冊碼
0043C7DD . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
0043C7E0 . 50 PUSH EAX
0043C7E1 . B8 19000000 MOV EAX,19
0043C7E6 . 0FBFC8 MOVSX ECX,AX
0043C7E9 . 8995 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EDX
0043C7EF . 8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0043C7F5 . 51 PUSH ECX
0043C7F6 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0043C7F9 . 52 PUSH EDX
0043C7FA . 50 PUSH EAX
0043C7FB . C745 98 010000>MOV DWORD PTR SS:[EBP-68],1
0043C802 . C745 90 020000>MOV DWORD PTR SS:[EBP-70],2
0043C809 . C785 40FFFFFF >MOV DWORD PTR SS:[EBP-C0],4008
0043C813 . FFD6 CALL ESI ; rtcMidCharVar, 註冊碼的第0x19個字元
0043C815 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C818 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0043C81B . 51 PUSH ECX
0043C81C . 52 PUSH EDX
0043C81D . FF15 38114000 CALL MSVBVM60.__vbaVarTstEq ；比較二者是否相同
0043C823 . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX ; 返回0表示否
0043C829 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0043C82C . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C82F . 50 PUSH EAX
0043C830 . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0043C833 . 51 PUSH ECX
0043C834 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C837 . 52 PUSH EDX
0043C838 . 50 PUSH EAX
0043C839 . 6A 04 PUSH 4
0043C83B . FF15 44104000 CALL MSVBVM60.__vbaFreeVarList ；釋放臨時變數
0043C841 . 33C0 XOR EAX,EAX
0043C843 . 83C4 14 ADD ESP,14
0043C846 . 66:3985 24FFFF>CMP WORD PTR SS:[EBP-DC],AX ; 看比較結果
0043C84D . 74 11 JE SHORT CollegeB.0043C860 ；若不同則跳走
0043C84F . 66:8B4D C8 MOV CX,WORD PTR SS:[EBP-38] ；否則[ebp-38]處的計數器加1
0043C853 . 66:83C1 01 ADD CX,1 ；表示第一輪透過
0043C857 . 0F80 4F090000 JO CollegeB.0043D1AC
0043C85D . 894D C8 MOV DWORD PTR SS:[EBP-38],ECX
0043C860 > 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; 清零復位
0043C863 . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
0043C866 . C745 D0 020000>MOV DWORD PTR SS:[EBP-30],2 ；內定常數
0043C86D . 66:B8 0100 MOV AX,1
0043C871 > B9 28000000 MOV ECX,28
0043C876 . 66:A3 58A04800 MOV WORD PTR DS:[48A058],AX ；字元索引復位至1
以下程式碼完全相同，只是引數不同。引數共有5個，對於上面的程式碼來說：[0x19 2.03 0x99 4 0x19]
固定字元索引 = 0x19
乘冪指數 = 2.03
增量常數 = 0x99
結果十進位索引 = 4
註冊碼字元索引= 0x19
第二輪：[0x4 1.4 0x21f 0x3 0x4]
第三輪：[0xE 2.4 0x3d8 0xA 0xE]
第四輪：[0xD 2.6 0x234 0x5 0xD]
如果4輪全透過，即[ebp-38]處的計數器為4，則：

0043D13B > 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0043D13E > 66:3D 0400 CMP AX,4
0043D142 . 75 07 JNZ SHORT CollegeB.0043D14B
0043D144 . C745 DC FFFFFF>MOV DWORD PTR SS:[EBP-24],-1 ;如全透過， [ebp-24]=-1
......................................................................................
0043D193 . 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24] ; 返回-1
0043D197 . 5F POP EDI
0043D198 . 5E POP ESI
0043D199 . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0043D1A0 . 5B POP EBX
0043D1A1 . 8BE5 MOV ESP,EBP
0043D1A3 . 5D POP EBP
0043D1A4 . C2 0800 RETN 8
到這裡，演算法分析就算完了，奇怪的是註冊碼有25位，這裡雖然演算法複雜，卻只驗證了4位（4，13，14，25），令人疑惑。我的試煉碼是1111122222333334444455555, 根據這裡的分析，改成1117122222338934444455551，居然也毫無問題地透過了。如果回到上層函式仔細觀察，就會發現另外有一個函式進行了另一次像樣的多的驗證，但結果卻沒有用到。其程式碼如下：

0043A10B . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ；名字（原來形式）
0043A10E . 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
0043A114 . C785 6CFFFFFF >MOV DWORD PTR SS:[EBP-94],4008
0043A11E . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0043A124 . 51 PUSH ECX
0043A125 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
0043A128 . 52 PUSH EDX
0043A129 . FF15 E8104000 CALL tcTrimVar ;去除空格
0043A12F . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0043A132 . 50 PUSH EAX
0043A133 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0043A136 . 51 PUSH ECX
0043A137 . FF15 84104000 CALL MSVBVM60.__vbaLenVar ;取得名字長度
0043A13D . 50 PUSH EAX
0043A13E . FF15 10124000 CALL MSVBVM60.__vbaI2Var ;轉成整型 integer
0043A144 . 66:8985 38FFFF>MOV WORD PTR SS:[EBP-C8],AX
0043A14B . 66:C785 3CFFFF>MOV WORD PTR SS:[EBP-C4],1 ；所引增量為1
0043A154 . 66:C745 DC 010>MOV WORD PTR SS:[EBP-24],1 ；索引從1開始
0043A15A . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0043A15D . FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>]
0043A163 . EB 15 JMP SHORT CollegeB.0043A17A
0043A165 > 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24] ；取索引
0043A169 . 66:0395 3CFFFF>ADD DX,WORD PTR SS:[EBP-C4] ；增1至下一個字元
0043A170 . 0F80 E7070000 JO CollegeB.0043A95D
0043A176 . 66:8955 DC MOV WORD PTR SS:[EBP-24],DX
0043A17A > 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24] ；字元索引
0043A17E . 66:3B85 38FFFF>CMP AX,WORD PTR SS:[EBP-C8] ; 名字長度
0043A185 . 0F8F 0A020000 JG CollegeB.0043A395
0043A18B . C745 FC 040000>MOV DWORD PTR SS:[EBP-4],4
0043A192 . C745 A4 010000>MOV DWORD PTR SS:[EBP-5C],1
0043A199 . C745 9C 020000>MOV DWORD PTR SS:[EBP-64],2
0043A1A0 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0043A1A3 . 51 PUSH ECX ; variant型別，整數1
0043A1A4 . 0FBF55 DC MOVSX EDX,WORD PTR SS:[EBP-24]
0043A1A8 . 52 PUSH EDX
0043A1A9 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0043A1AC . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0043A1AE . 51 PUSH ECX
0043A1AF . FF15 00114000 CALL rtcMidCharBStr ;取註冊名字的一個字元
0043A1B5 . 8BD0 MOV EDX,EAX
0043A1B7 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
0043A1BA . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0043A1C0 . 50 PUSH EAX
0043A1C1 . FF15 58104000 CALL MSVBVM60.rtcAnsivalueBstr ; 該字元的ascii
0043A1C7 . 66:8985 48FFFF>MOV WORD PTR SS:[EBP-B8],AX ; 存入[ebp-B8]
0043A1CE . C745 94 010000>MOV DWORD PTR SS:[EBP-6C],1
0043A1D5 . C745 8C 020000>MOV DWORD PTR SS:[EBP-74],2
0043A1DC . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
0043A1DF . 52 PUSH EDX
0043A1E0 . 0FBF45 DC MOVSX EAX,WORD PTR SS:[EBP-24]
0043A1E4 . 50 PUSH EAX
0043A1E5 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0043A1E8 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0043A1EA . 52 PUSH EDX
0043A1EB . FF15 00114000 CALL rtcMidCharBStr ;取同一個字元
0043A1F1 . 8BD0 MOV EDX,EAX
0043A1F3 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043A1F6 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0043A1FC . 50 PUSH EAX
0043A1FD . FF15 58104000 CALL MSVBVM60.rtcAnsivalueBstr ; 該字元的ascii
0043A203 . 66:8985 44FFFF>MOV WORD PTR SS:[EBP-BC],AX ；存入此處
0043A20A . C745 84 010000>MOV DWORD PTR SS:[EBP-7C],1
0043A211 . C785 7CFFFFFF >MOV DWORD PTR SS:[EBP-84],2
0043A21B . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0043A221 . 50 PUSH EAX
0043A222 . 0FBF4D DC MOVSX ECX,WORD PTR SS:[EBP-24]
0043A226 . 51 PUSH ECX
0043A227 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0043A22A . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0043A22C . 50 PUSH EAX
0043A22D . FF15 00114000 CALL rtcMidCharBStr ;又來一遍（真笨）
0043A233 . 8BD0 MOV EDX,EAX
0043A235 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0043A238 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0043A23E . 50 PUSH EAX
0043A23F . FF15 58104000 CALL MSVBVM60.rtcAnsivalueBstr ; 該字元的ascii
0043A245 . 66:8985 40FFFF>MOV WORD PTR SS:[EBP-C0],AX ；存入此處
0043A24C . 66:8B8D 48FFFF>MOV CX,WORD PTR SS:[EBP-B8] ；第一遍取出的結果
0043A253 . 66:0FAF8D 44FF>IMUL CX,WORD PTR SS:[EBP-BC] ；乘以第二編的結果
0043A25B . 0F80 FC060000 JO CollegeB.0043A95D
0043A261 . 0FBFD1 MOVSX EDX,CX
0043A264 . 8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX ；結果存在這裡
0043A26A . DB85 08FFFFFF FILD DWORD PTR SS:[EBP-F8] ；作為整數載入
0043A270 . DD9D 00FFFFFF FSTP QWORD PTR SS:[EBP-100] ；存成浮點
0043A276 . DD45 D4 FLD QWORD PTR SS:[EBP-2C] ；加到總和中
0043A279 . DC85 00FFFFFF FADD QWORD PTR SS:[EBP-100]
0043A27F . DFE0 FSTSW AX
0043A281 . A8 0D TEST AL,0D
0043A283 . 0F85 CF060000 JNZ CollegeB.0043A958
0043A289 . DD9D F8FEFFFF FSTP QWORD PTR SS:[EBP-108] ；結果暫時存在此處
0043A28F . 68 00000040 PUSH 40000000
0043A294 . 6A 00 PUSH 0 ; 在堆疊上構成浮點數2.0
0043A296 . 0FBF85 40FFFFF>MOVSX EAX,WORD PTR SS:[EBP-C0] ；第三遍的結果
0043A29D . 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0043A2A3 . DB85 F4FEFFFF FILD DWORD PTR SS:[EBP-10C] ;
0043A2A9 . DD9D ECFEFFFF FSTP QWORD PTR SS:[EBP-114] ;
0043A2AF . 8B8D F0FEFFFF MOV ECX,DWORD PTR SS:[EBP-110]
0043A2B5 . 51 PUSH ECX
0043A2B6 . 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114]
0043A2BC . 52 PUSH EDX
0043A2BD . FF15 68124000 CALL MSVBVM60.__vbaPowerR8 ; 求平方
0043A2C3 . DC85 F8FEFFFF FADD QWORD PTR SS:[EBP-108] ；加到上面的結果中
0043A2C9 . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ; 總數存回[ebp-2c]

以上程式碼實際上計算x*x+x**2 = 2 * x**2

.................................................................
0043A307 . C745 FC 050000>MOV DWORD PTR SS:[EBP-4],5
0043A30E . DD45 D4 FLD QWORD PTR SS:[EBP-2C] ;結果裝入
0043A311 . FF15 A8124000 CALL MSVBVM60.__vbaFpI4 ；轉成長整型
0043A317 . 8BF0 MOV ESI,EAX
0043A319 . 81E6 01000080 AND ESI,80000001 ；檢查最高位和最低位
0043A31F . 79 05 JNS SHORT CollegeB.0043A326
0043A321 . 4E DEC ESI
0043A322 . 83CE FE OR ESI,FFFFFFFE
0043A325 . 46 INC ESI
0043A326 > F7DE NEG ESI
0043A328 . 1BF6 SBB ESI,ESI
0043A32A . F7DE NEG ESI ；最後反映的只是最低位，即奇偶位
0043A32C . DD45 D4 FLD QWORD PTR SS:[EBP-2C] ；再次裝入運算結果
0043A32F . FF15 A8124000 CALL MSVBVM60.__vbaFpI4 ；再次轉型(VB真笨得可以)
0043A335 . 99 CDQ ；符號擴充套件
0043A336 . B9 03000000 MOV ECX,3
0043A33B . F7F9 IDIV ECX ；除以3
0043A33D . F7DA NEG EDX ；餘數變號
0043A33F . 1BD2 SBB EDX,EDX ；借位減
0043A341 . F7DA NEG EDX ；變號
0043A343 . 23F2 AND ESI,EDX ；和上面的結果按位與
0043A345 . 85F6 TEST ESI,ESI ；這裡的條件是“奇數且不被3整除”
0043A347 . 75 40 JNZ SHORT CollegeB.0043A389 ；條件滿足則繼續
0043A349 . C745 FC 060000>MOV DWORD PTR SS:[EBP-4],6 ；這裡不知道是什麼標誌
0043A350 . 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24] ；條件不滿足則取字元索引
0043A354 . 66:6BD2 03 IMUL DX,DX,3 ；乘以3
0043A358 . 0F80 FF050000 JO CollegeB.0043A95D
0043A35E . 0FBFC2 MOVSX EAX,DX ；並加到結果中
0043A361 . 8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0043A367 . DB85 E8FEFFFF FILD DWORD PTR SS:[EBP-118]
0043A36D . DD9D E0FEFFFF FSTP QWORD PTR SS:[EBP-120]
0043A373 . DD45 D4 FLD QWORD PTR SS:[EBP-2C]
0043A376 . DC85 E0FEFFFF FADD QWORD PTR SS:[EBP-120]
0043A37C . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ; ebp-2c again
0043A37F . DFE0 FSTSW AX
0043A381 . A8 0D TEST AL,0D
0043A383 . 0F85 CF050000 JNZ CollegeB.0043A958
0043A389 > C745 FC 080000>MOV DWORD PTR SS:[EBP-4],8
0043A390 .^E9 D0FDFFFF JMP CollegeB.0043A165 ；下一輪

以上程式碼從名字的第一個字元開始計算每一個字元的 2*x**2,並將結果相加。每一步的結果如果不滿足條件
“奇數且不被3整除”就再加上當前索引值的3倍。直到每一個字元都處理完。結果存在[ebp-2c]處。

下面的程式碼又進行了一輪完全同樣的計算，結果也完全相同，存在[ebp-44]處。令人費解的重複勞動。省略。接下去：

0043A626 > C745 FC 0F0000>MOV DWORD PTR SS:[EBP-4],0F
0043A62D . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0043A630 . 51 PUSH ECX
0043A631 . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] ；取的（第二次計算）計算結果
0043A634 . 52 PUSH EDX
0043A635 . FF15 80114000 CALL [<&MSVBVM60.__vbaStrR8>] ；R8轉成string
0043A63B . 8BD0 MOV EDX,EAX
0043A63D . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
0043A640 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0043A646 . 50 PUSH EAX
0043A647 . FF15 D0114000 CALL rtcStrReverse ;字串逆序
0043A64D . 8BD0 MOV EDX,EAX
0043A64F . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043A652 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A658 . 50 PUSH EAX
0043A659 . FF15 3C124000 CALL [<&MSVBVM60.__vbaR8Str>] ;轉回R8
0043A65F . DC05 381B4000 FADD QWORD PTR DS:[401B38] ；加上此處的內定值 38473.0
0043A665 . DD5D BC FSTP QWORD PTR SS:[EBP-44] ；存回結果
............................................................
0043A685 . C745 FC 100000>MOV DWORD PTR SS:[EBP-4],10
0043A68C . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
0043A68F . 52 PUSH EDX
0043A690 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0043A693 . 50 PUSH EAX
0043A694 . FF15 80114000 CALL [<&MSVBVM60.__vbaStrR8>] ;又轉成字串
0043A69A . 8BD0 MOV EDX,EAX
0043A69C . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
0043A69F . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A6A5 . 50 PUSH EAX
0043A6A6 . FF15 D0114000 CALL MSVBVM60.rtcStrReverse ；逆序
0043A6AC . 8BD0 MOV EDX,EAX
0043A6AE . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043A6B1 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A6B7 . 50 PUSH EAX
0043A6B8 . FF15 3C124000 CALL [<&MSVBVM60.__vbaR8Str>] ；又回到R8
0043A6BE . DCC0 FADD ST(0),ST(0) ;加倍
0043A6C0 . DD5D BC FSTP QWORD PTR SS:[EBP-44] ；存回
.......................................................................
0043A6E0 . C745 FC 110000>MOV DWORD PTR SS:[EBP-4],11
0043A6E7 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ;取第一次計算結果
0043A6EA . 50 PUSH EAX
0043A6EB . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
0043A6EE . 51 PUSH ECX
0043A6EF . FF15 80114000 CALL MSVBVM60.__vbaStrR8 ；轉成String
0043A6F5 . 8BD0 MOV EDX,EAX
0043A6F7 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
0043A6FA . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A700 . 50 PUSH EAX
0043A701 . FF15 D0114000 CALL MSVBVM60.rtcStrReverse ;逆序
0043A707 . 8BD0 MOV EDX,EAX
0043A709 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043A70C . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A712 . 50 PUSH EAX
0043A713 . FF15 3C124000 CALL MSVBVM60.__vbaR8Str ；轉回R8
0043A719 . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ；存回
......................................................................
0043A736 . 68 00000040 PUSH 40000000
0043A73B . 6A 00 PUSH 0 ; 浮點數 2.0
0043A73D . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0043A740 . 51 PUSH ECX
0043A741 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0043A744 . 52 PUSH EDX
0043A745 . FF15 68124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPowerR8>] ; 結果平方
0043A74B . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ; 存回
0043A74E . C745 FC 130000>MOV DWORD PTR SS:[EBP-4],13
0043A755 . C745 A4 0C0000>MOV DWORD PTR SS:[EBP-5C],0C
0043A75C . C745 9C 020000>MOV DWORD PTR SS:[EBP-64],2
0043A763 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] ; var type integer value 0C
0043A766 . 50 PUSH EAX
0043A767 . 6A 05 PUSH 5
0043A769 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ；註冊碼
0043A76C . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0043A76E . 52 PUSH EDX
0043A76F . FF15 00114000 CALL rtcMidCharBStr ;取註冊碼子串，從第5個字元開始，取0xC個字元
0043A775 . 8BD0 MOV EDX,EAX
0043A777 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
0043A77A . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A780 . 50 PUSH EAX
0043A781 . FF15 3C124000 CALL [<&MSVBVM60.__vbaR8Str>] ; 轉成R8
0043A787 . DD5D C4 FSTP QWORD PTR SS:[EBP-3C] ;存在 ebp-3C 處
.................................................................
0043A79C . C745 FC 140000>MOV DWORD PTR SS:[EBP-4],14
0043A7A3 . DD45 C4 FLD QWORD PTR SS:[EBP-3C] ; 該子串表示的實數
0043A7A6 . DC05 301B4000 FADD QWORD PTR DS:[401B30] ；加上內定值 334.0
0043A7AC . DD5D C4 FSTP QWORD PTR SS:[EBP-3C] ；存回
0043A7AF . DFE0 FSTSW AX
0043A7B1 . A8 0D TEST AL,0D
0043A7B3 . 0F85 9F010000 JNZ CollegeB.0043A958
0043A7B9 . C745 FC 150000>MOV DWORD PTR SS:[EBP-4],15
0043A7C0 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0043A7C3 . 50 PUSH EAX
0043A7C4 . 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
0043A7C7 . 51 PUSH ECX
0043A7C8 . FF15 80114000 CALL [<&MSVBVM60.__vbaStrR8>] ;轉成String
0043A7CE . 8BD0 MOV EDX,EAX
0043A7D0 . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
0043A7D3 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]
0043A7D9 . 50 PUSH EAX
0043A7DA . FF15 D0114000 CALL MSVBVM60.rtcStrReverse ;逆序
0043A7E0 . 8BD0 MOV EDX,EAX
0043A7E2 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043A7E5 . FF15 C8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0043A7EB . 50 PUSH EAX
0043A7EC . FF15 3C124000 CALL MSVBVM60.__vbaR8Str ；轉回R8
0043A7F2 . DD5D C4 FSTP QWORD PTR SS:[EBP-3C] ；存回
....................................................................
0043A808 . C745 FC 160000>MOV DWORD PTR SS:[EBP-4],16
0043A80F . DD45 C4 FLD QWORD PTR SS:[EBP-3C] ;裝入結果
0043A812 . DC25 281B4000 FSUB QWORD PTR DS:[401B28] ; 減去內定值1032.0
0043A818 . DD5D C4 FSTP QWORD PTR SS:[EBP-3C] ; 存回
0043A81B . DFE0 FSTSW AX
0043A81D . A8 0D TEST AL,0D
0043A81F . 0F85 33010000 JNZ CollegeB.0043A958
0043A825 . C745 FC 170000>MOV DWORD PTR SS:[EBP-4],17
0043A82C . DD45 C4 FLD QWORD PTR SS:[EBP-3C] ; 這裡的結果
0043A82F . DC5D D4 FCOMP QWORD PTR SS:[EBP-2C] ; 與[ebp-2c]處的結果作實數比較
0043A832 . DFE0 FSTSW AX
0043A834 . F6C4 40 TEST AH,40 ; 相等？
0043A837 . 74 0D JE SHORT CollegeB.0043A846 ; if not equal then jmp
0043A839 . C745 FC 180000>MOV DWORD PTR SS:[EBP-4],18
0043A840 . 66:C745 D0 FFF>MOV WORD PTR SS:[EBP-30],0FFFF ; 若相等則[ebp-30]=-1，看上去應該是成功標誌
0043A846 > C745 FC 1A0000>MOV DWORD PTR SS:[EBP-4],1A ; 但隨後的程式碼使之無論如何不為-1
0043A84D . 66:C785 28FFFF>MOV WORD PTR SS:[EBP-D8],4
0043A856 . 66:C785 2CFFFF>MOV WORD PTR SS:[EBP-D4],1
0043A85F . 66:C745 DC 010>MOV WORD PTR SS:[EBP-24],1
0043A865 . EB 15 JMP SHORT CollegeB.0043A87C
0043A867 > 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0043A86B . 66:038D 2CFFFF>ADD CX,WORD PTR SS:[EBP-D4]
0043A872 . 0F80 E5000000 JO CollegeB.0043A95D
0043A878 . 66:894D DC MOV WORD PTR SS:[EBP-24],CX
0043A87C > 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0043A880 . 66:3B95 28FFFF>CMP DX,WORD PTR SS:[EBP-D8]
0043A887 . 7F 16 JG SHORT CollegeB.0043A89F
0043A889 . C745 FC 1B0000>MOV DWORD PTR SS:[EBP-4],1B
0043A890 . 66:C745 D0 000>MOV WORD PTR SS:[EBP-30],0
0043A896 . C745 FC 1C0000>MOV DWORD PTR SS:[EBP-4],1C
0043A89D .^EB C8 JMP SHORT CollegeB.0043A867
0043A89F > C745 FC 1D0000>MOV DWORD PTR SS:[EBP-4],1D
0043A8A6 . 66:C785 20FFFF>MOV WORD PTR SS:[EBP-E0],11
0043A8AF . 66:C785 24FFFF>MOV WORD PTR SS:[EBP-DC],1
0043A8B8 . 66:C745 DC 010>MOV WORD PTR SS:[EBP-24],1
0043A8BE . EB 15 JMP SHORT CollegeB.0043A8D5
0043A8C0 > 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0043A8C4 . 66:0385 24FFFF>ADD AX,WORD PTR SS:[EBP-DC]
0043A8CB . 0F80 8C000000 JO CollegeB.0043A95D
0043A8D1 . 66:8945 DC MOV WORD PTR SS:[EBP-24],AX
0043A8D5 > 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0043A8D9 . 66:3B8D 20FFFF>CMP CX,WORD PTR SS:[EBP-E0]
0043A8E0 . 7F 09 JG SHORT CollegeB.0043A8EB
0043A8E2 . C745 FC 1E0000>MOV DWORD PTR SS:[EBP-4],1E
0043A8E9 .^EB D5 JMP SHORT CollegeB.0043A8C0
0043A8EB > C745 FC 1F0000>MOV DWORD PTR SS:[EBP-4],1F
0043A8F2 . 66:837D DC 11 CMP WORD PTR SS:[EBP-24],11
0043A8F7 . 7C 0D JL SHORT CollegeB.0043A906
0043A8F9 . C745 FC 200000>MOV DWORD PTR SS:[EBP-4],20
0043A900 . 66:C745 D0 000>MOV WORD PTR SS:[EBP-30],0
0043A906 > 9B WAIT
0043A907 . 68 41A94300 PUSH CollegeB.0043A941
0043A90C . EB 32 JMP SHORT CollegeB.0043A940
..............................................................
0043A940 > C3 RETN ; RET used as a jump to 0043A941
0043A941 > 66:8B45 D0 MOV AX,WORD PTR SS:[EBP-30] ; EBP-30 處為返回值
0043A945 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0043A948 . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0043A94F . 5F POP EDI
0043A950 . 5E POP ESI
0043A951 . 5B POP EBX
0043A952 . 8BE5 MOV ESP,EBP
0043A954 . 5D POP EBP
0043A955 . C2 0800 RETN 8

後記：這裡雖然很象驗證程式碼，但有點自相矛盾，而且最後也沒有用到這裡的任何結果。不解。

========================================================================================
【分析總結】

自己去總結吧，只要用第一段程式碼就行了。

================================================================================

【版權資訊】無

2003-7-16

調酒師 CollegeBar V8.1 註冊演算法分析 - VB6

相關文章