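A Brief Look at Tracing VB Programs with Ollydbg --- Brother soli's Question
Software name: OfficeCenter-register
Programming language: vb5.0
Tracing goal: demonstrate tracing a VB program with Ollydbg; use memory breakpoints to follow the registration-code calculation flow.
The registration algorithm of this software is only analyzed roughly, not in detail.
Tracing tools: Ollydbg_cn v1.09, SmartCheck, fileinfo v2.5
Author's statement: I am also a beginner and am only interested in cracking, with no other purpose. If anything I say is wrong, please correct me.
Tracing process:
First, of course, check the file with fi, which reports vb5.0 with no packer. So try SmartCheck first: after loading, run the program, fill in a trial code and register; the registration code is fairly easy to get from the recorded events. To trace the registration algorithm, we now start tracing with Ollydbg.
Because a VB program generally executes inside MSVBVM*.DLL, VB programs generally share one characteristic: the entry point should look like this:
68 8C1B4000 PUSH Register.00401B8C <--- save the environment
E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100> <--- transfer into MSVBVM60.DLL
(Some packed VB programs also look like this at the entry point once the packer has finished unpacking.)
So, to set VB breakpoints, here are two methods:
1.) Brother 炎之川's method
After loading in Ollydbg, press alt+e, select msvbvm60.dll, view names, and set a breakpoint on _vbastrcomp to catch it :)
2.) My method
After loading in Ollydbg, press F8 once directly; on reaching the CALL statement below it, step in with F7 and you arrive inside MSVBVM60.DLL. View names and set a breakpoint on _vbastrcomp to catch it ^_^ (a packed program can be handled the same way once it has reached the entry point)
In this example I used a breakpoint on MSVBVM60.__vbaStrCmp. Fill in the registration information (trial code: "78945-61230-01234-56789-14725") and press the register button; Ollydbg breaks: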
0040546C . 68 442F4000 PUSH Register.00402F44
00405471 . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp> ; MSVBVM60.__vbaStrCmp <-- break
// the function above processes the trial code
00405477 . 8BF8 MOV EDI, EAX
00405479 . 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C]
0040547C . F7DF NEG EDI
0040547E . 1BFF SBB EDI, EDI
00405480 . 47 INC EDI
00405481 . F7DF NEG EDI
00405483 . FF15 24114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeSt>
00405489 . 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24]
0040548C . FF15 28114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeOb>
00405492 . 66:85FF TEST DI, DI
00405495 . 74 78 JE SHORT Register.0040550F
00405497 . 8B35 F4104000 MOV ESI, DWORD PTR DS:[<&MSVBVM60.__vbaV>
0040549D . B9 04000280 MOV ECX, 80020004
004054A2 . 894D A4 MOV DWORD PTR SS:[EBP-5C], ECX
004054A5 . B8 0A000000 MOV EAX, 0A
004054AA . 894D B4 MOV DWORD PTR SS:[EBP-4C], ECX
004054AD . BF 08000000 MOV EDI, 8
004054B2 . 8D95 7CFFFFFF LEA EDX, DWORD PTR SS:[EBP-84]
004054B8 . 8D4D BC LEA ECX, DWORD PTR SS:[EBP-44]
004054BB . 8945 9C MOV DWORD PTR SS:[EBP-64], EAX
004054BE . 8945 AC MOV DWORD PTR SS:[EBP-54], EAX
004054C1 . C745 84 08304>MOV DWORD PTR SS:[EBP-7C], Register.0040>
004054C8 . 89BD 7CFFFFFF MOV DWORD PTR SS:[EBP-84], EDI
004054CE . FFD6 CALL ESI
004054D0 . 8D55 8C LEA EDX, DWORD PTR SS:[EBP-74]
004054D3 . 8D4D CC LEA ECX, DWORD PTR SS:[EBP-34]
004054D6 . C745 94 D02F4>MOV DWORD PTR SS:[EBP-6C], Register.0040>
004054DD . 897D 8C MOV DWORD PTR SS:[EBP-74], EDI
004054E0 . FFD6 CALL ESI
004054E2 . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
004054E5 . 8D55 AC LEA EDX, DWORD PTR SS:[EBP-54]
004054E8 . 51 PUSH ECX
004054E9 . 8D45 BC LEA EAX, DWORD PTR SS:[EBP-44]
004054EC . 52 PUSH EDX
004054ED . 50 PUSH EAX
004054EE . 8D4D CC LEA ECX, DWORD PTR SS:[EBP-34]
004054F1 . 6A 00 PUSH 0
004054F3 . 51 PUSH ECX
004054F4 . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>]
004054FA . 8D55 9C LEA EDX, DWORD PTR SS:[EBP-64]
004054FD . 8D45 AC LEA EAX, DWORD PTR SS:[EBP-54]
00405500 . 52 PUSH EDX
00405501 . 8D4D BC LEA ECX, DWORD PTR SS:[EBP-44]
00405504 . 50 PUSH EAX
00405505 . 8D55 CC LEA EDX, DWORD PTR SS:[EBP-34]
00405508 . 51 PUSH ECX
00405509 . 52 PUSH EDX
0040550A . E9 6E020000 JMP Register.0040577D
0040550F > 8B06 MOV EAX, DWORD PTR DS:[ESI]
00405511 . 56 PUSH ESI
00405512 . FF90 08030000 CALL DWORD PTR DS:[EAX+308]
00405518 . 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24]
0040551B . 50 PUSH EAX
0040551C . 51 PUSH ECX
0040551D . FFD3 CALL EBX
0040551F . 8BF8 MOV EDI, EAX
00405521 . 8D45 E4 LEA EAX, DWORD PTR SS:[EBP-1C]
00405524 . 50 PUSH EAX
00405525 . 57 PUSH EDI
00405526 . 8B17 MOV EDX, DWORD PTR DS:[EDI]
00405528 . FF92 A0000000 CALL DWORD PTR DS:[EDX+A0]
0040552E . 85C0 TEST EAX, EAX
00405530 . DBE2 FCLEX
00405532 . 7D 12 JGE SHORT Register.00405546
00405534 . 68 A0000000 PUSH 0A0
00405539 . 68 AC2F4000 PUSH Register.00402FAC
0040553E . 57 PUSH EDI
0040553F . 50 PUSH EAX
00405540 . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresul>
00405546 > 8B45 E4 MOV EAX, DWORD PTR SS:[EBP-1C] ; EAX<--001470BC,(UNICODE "14ZEP-EOGQS-RTBB2-XX1TK-P0ABM"<--ID
00405549 . 8B0E MOV ECX, DWORD PTR DS:[ESI]
0040554B . 8D55 E0 LEA EDX, DWORD PTR SS:[EBP-20]
0040554E . 52 PUSH EDX
0040554F . 50 PUSH EAX
00405550 . 56 PUSH ESI
00405551 . FF91 04070000 CALL DWORD PTR DS:[ECX+704] <-- where the registration code is calculated
F8--------->
|
004044C0 > 55 PUSH EBP
004044C1 . 8BEC MOV EBP, ESP
004044C3 . 83EC 0C SUB ESP, 0C
004044C6 . 68 16124000 PUSH <JMP.&MSVBVM60.__vbaExceptHandle>
004044CB . 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
004044D1 . 50 PUSH EAX
004044D2 . 64:8925 00000>MOV DWORD PTR FS:[0], ESP
004044D9 . 81EC DC000000 SUB ESP, 0DC
004044DF . 53 PUSH EBX
004044E0 . 56 PUSH ESI
004044E1 . 57 PUSH EDI
004044E2 . 8965 F4 MOV DWORD PTR SS:[EBP-C], ESP
004044E5 . C745 F8 90114>MOV DWORD PTR SS:[EBP-8], Register.0>
004044EC . 8B55 0C MOV EDX, DWORD PTR SS:[EBP+C] ; EDX<--001470BC,(UNICODE "14ZEP-EOGQS-RTBB2-XX1TK-P0ABM"<--ID
004044EF . 8B3D D0104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__>
004044F5 . 33F6 XOR ESI, ESI
004044F7 . 8D4D B4 LEA ECX, DWORD PTR SS:[EBP-4C]
004044FA . 8975 E8 MOV DWORD PTR SS:[EBP-18], ESI
004044FD . 8975 E0 MOV DWORD PTR SS:[EBP-20], ESI
00404500 . 8975 DC MOV DWORD PTR SS:[EBP-24], ESI
00404503 . 8975 D8 MOV DWORD PTR SS:[EBP-28], ESI
00404506 . 8975 B4 MOV DWORD PTR SS:[EBP-4C], ESI
00404509 . 8975 B0 MOV DWORD PTR SS:[EBP-50], ESI
0040450C . 8975 AC MOV DWORD PTR SS:[EBP-54], ESI
0040450F . 8975 9C MOV DWORD PTR SS:[EBP-64], ESI
00404512 . 8975 8C MOV DWORD PTR SS:[EBP-74], ESI
00404515 . 89B5 7CFFFFFF MOV DWORD PTR SS:[EBP-84], ESI
0040451B . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94], ESI
00404521 . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4], ESI
00404527 . 89B5 3CFFFFFF MOV DWORD PTR SS:[EBP-C4], ESI
0040452D . 89B5 38FFFFFF MOV DWORD PTR SS:[EBP-C8], ESI
00404533 . FFD7 CALL EDI
00404535 . 8B45 10 MOV EAX, DWORD PTR SS:[EBP+10]
00404538 . 6A 11 PUSH 11
0040453A . 8D4D C0 LEA ECX, DWORD PTR SS:[EBP-40]
0040453D . 68 942F4000 PUSH Register.00402F94
00404542 . 51 PUSH ECX
00404543 . 8930 MOV DWORD PTR DS:[EAX], ESI
00404545 . FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaAr>
0040454B . 8B55 B4 MOV EDX, DWORD PTR SS:[EBP-4C] ; EDX<--001470BC,(UNICODE "14ZEP-EOGQS-RTBB2-XX1TK-P0ABM"<--ID
0040454E . 52 PUSH EDX
0040454F . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLe>
00404555 . BA 442F4000 MOV EDX, Register.00402F44
0040455A . 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24]
0040455D . 8945 B8 MOV DWORD PTR SS:[EBP-48], EAX
00404560 . FFD7 CALL EDI
00404562 . BF 01000000 MOV EDI, 1
00404567 . 8BDF MOV EBX, EDI
00404569 > 3B5D B8 CMP EBX, DWORD PTR SS:[EBP-48] ; <-- length being copied = 1d (29D)
0040456C . 0F8F 95000000 JG Register.00404607
00404572 . 8D45 B4 LEA EAX, DWORD PTR SS:[EBP-4C]
00404575 . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
00404578 . 8985 64FFFFFF MOV DWORD PTR SS:[EBP-9C], EAX
0040457E . 51 PUSH ECX
0040457F . 8D95 5CFFFFFF LEA EDX, DWORD PTR SS:[EBP-A4]
00404585 . 53 PUSH EBX
00404586 . 8D45 8C LEA EAX, DWORD PTR SS:[EBP-74]
00404589 . 52 PUSH EDX
0040458A . 50 PUSH EAX
0040458B . C745 A4 01000>MOV DWORD PTR SS:[EBP-5C], 1
00404592 . C745 9C 02000>MOV DWORD PTR SS:[EBP-64], 2
00404599 . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 4008
004045A3 . FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>]
004045A9 . 81FB C9000000 CMP EBX, 0C9
004045AF . 72 06 JB SHORT Register.004045B7
004045B1 . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
004045B7 > 8D4D 8C LEA ECX, DWORD PTR SS:[EBP-74]
004045BA . 8D55 AC LEA EDX, DWORD PTR SS:[EBP-54]
004045BD . 51 PUSH ECX
004045BE . 52 PUSH EDX
004045BF . FF15 AC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
004045C5 . 50 PUSH EAX
004045C6 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>]
004045CC . 8BC8 MOV ECX, EAX
004045CE . FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaUI>
004045D4 . 8B4D CC MOV ECX, DWORD PTR SS:[EBP-34]
004045D7 . 880419 MOV BYTE PTR DS:[ECX+EBX], AL ; AL=31 ('1')
004045DA . 8D4D AC LEA ECX, DWORD PTR SS:[EBP-54]
004045DD . FF15 24114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
004045E3 . 8D55 8C LEA EDX, DWORD PTR SS:[EBP-74]
004045E6 . 8D45 9C LEA EAX, DWORD PTR SS:[EBP-64]
004045E9 . 52 PUSH EDX
004045EA . 50 PUSH EAX
004045EB . 6A 02 PUSH 2
004045ED . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
004045F3 . 8BCF MOV ECX, EDI
004045F5 . 83C4 0C ADD ESP, 0C
004045F8 . 03CB ADD ECX, EBX
004045FA . 0F80 7C070000 JO Register.00404D7C
00404600 . 8BD9 MOV EBX, ECX
00404602 .^ E9 62FFFFFF JMP Register.00404569
; the loop above copies the software number into memory starting at address 00149F59
00404607 > 8B5D 08 MOV EBX, DWORD PTR SS:[EBP+8]
0040460A . 8D55 B0 LEA EDX, DWORD PTR SS:[EBP-50]
0040460D . 52 PUSH EDX
0040460E . 56 PUSH ESI
0040460F . 8B43 34 MOV EAX, DWORD PTR DS:[EBX+34]
00404612 . 56 PUSH ESI
00404613 . 68 04800000 PUSH 8004
00404618 . 50 PUSH EAX
00404619 . E8 96E6FFFF CALL Register.00402CB4
0040461E . 8B3D 30104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__>
00404624 . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8], EAX
0040462A . FFD7 CALL EDI
0040462C . 39B5 38FFFFFF CMP DWORD PTR SS:[EBP-C8], ESI
00404632 . 0F84 BD060000 JE Register.00404CF5
00404638 . 8B55 CC MOV EDX, DWORD PTR SS:[EBP-34] ; EDX<--001470BC,(UNICODE "14ZEP-EOGQS-RTBB2-XX1TK-P0ABM"<--ID
0040463B . 8B4D B8 MOV ECX, DWORD PTR SS:[EBP-48]
0040463E . 8B45 B0 MOV EAX, DWORD PTR SS:[EBP-50]
00404641 . 56 PUSH ESI
00404642 . 42 INC EDX
00404643 . 51 PUSH ECX
00404644 . 52 PUSH EDX
00404645 . 50 PUSH EAX
00404646 . E8 B1E6FFFF CALL Register.00402CFC
0040464B . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8], EAX
00404651 . FFD7 CALL EDI
00404653 . 39B5 38FFFFFF CMP DWORD PTR SS:[EBP-C8], ESI
00404659 . 0F84 96060000 JE Register.00404CF5
0040465F . 8B55 B0 MOV EDX, DWORD PTR SS:[EBP-50]
00404662 . 8B43 34 MOV EAX, DWORD PTR DS:[EBX+34]
00404665 . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18]
00404668 . 51 PUSH ECX
00404669 . 56 PUSH ESI
0040466A . 52 PUSH EDX
0040466B . 68 01680000 PUSH 6801
00404670 . 50 PUSH EAX
00404671 . E8 CEE6FFFF CALL Register.00402D44 ; this CALL uses the ID to calculate the value used below
The place where this calculation happens is not easy to find: execution passes through ADVAPI32's address space into rsabase's address space, where the calculation is done, so ordinary tracing methods cannot reach it, and memory breakpoints are the way in. Inside ADVAPI32 you can see the program take the last character of the ID and place it on its own at a memory address. After locating this address in the memory dump window, first press ALT+B to bring up the breakpoints window and disable all the existing breakpoints (to avoid interference). Then select the data at that memory address and set a memory-access breakpoint on it, and you can trace to here:
F8------->
rsabase address space
|
7CA14370 56 PUSH ESI
7CA14371 57 PUSH EDI
7CA14372 53 PUSH EBX
7CA14373 55 PUSH EBP
7CA14374 8B5424 18 MOV EDX, DWORD PTR SS:[ESP+18]
7CA14378 81EC 40010000 SUB ESP, 140
7CA1437E BE 10000000 MOV ESI, 10
7CA14383 BF 00FF00FF MOV EDI, FF00FF00
7CA14388 BD FF00FF00 MOV EBP, 0FF00FF
7CA1438D 8D4C24 FC LEA ECX, DWORD PTR SS:[ESP-4]
7CA14391 8B02 MOV EAX, DWORD PTR DS:[EDX] ; EAX<--DS:[EDX]=DS:[14A530]=4D ('M')<-- last character of the ID
7CA14393 83C2 04 ADD EDX, 4
7CA14396 8BD8 MOV EBX, EAX
7CA14398 23C7 AND EAX, EDI
7CA1439A 23DD AND EBX, EBP
7CA1439C 83C1 04 ADD ECX, 4
7CA1439F C1C0 08 ROL EAX, 8
7CA143A2 C1CB 08 ROR EBX, 8
7CA143A5 33C3 XOR EAX, EBX
7CA143A7 4E DEC ESI
7CA143A8 8901 MOV DWORD PTR DS:[ECX], EAX
7CA143AA ^ 75 E5 JNZ SHORT rsabase.7CA14391
7CA143AC 8BAC24 54010000 MOV EBP, DWORD PTR SS:[ESP+154]
7CA143B3 8D4C24 08 LEA ECX, DWORD PTR SS:[ESP+8]
7CA143B7 BA 20000000 MOV EDX, 20
7CA143BC 33C0 XOR EAX, EAX
7CA143BE 33DB XOR EBX, EBX
7CA143C0 8B41 F8 MOV EAX, DWORD PTR DS:[ECX-8] ; EAX<--DS:[12F05C]=31345A45 ("14ZE")|<--4751532D
7CA143C3 8B59 FC MOV EBX, DWORD PTR DS:[ECX-4] ; EBX<--DS:[12F060]=502D454F ("P-EO")
7CA143C6 8B31 MOV ESI, DWORD PTR DS:[ECX] ; ESI<--DS:[12F064]=4751532D ("GQS-")
7CA143C8 8B79 04 MOV EDI, DWORD PTR DS:[ECX+4] ; EDI<--DS:[12F068]=52544242 ("RTBB")
7CA143CB 33C6 XOR EAX, ESI
7CA143CD 33DF XOR EBX, EDI
7CA143CF 8B71 18 MOV ESI, DWORD PTR DS:[ECX+18]
7CA143D2 8B79 1C MOV EDI, DWORD PTR DS:[ECX+1C]
7CA143D5 33C6 XOR EAX, ESI
7CA143D7 33DF XOR EBX, EDI
7CA143D9 8B71 2C MOV ESI, DWORD PTR DS:[ECX+2C]
7CA143DC 8B79 30 MOV EDI, DWORD PTR DS:[ECX+30]
7CA143DF 33C6 XOR EAX, ESI
7CA143E1 83C1 08 ADD ECX, 8
7CA143E4 D1C0 ROL EAX, 1
7CA143E6 33DF XOR EBX, EDI
7CA143E8 D1C3 ROL EBX, 1
7CA143EA 8941 30 MOV DWORD PTR DS:[ECX+30], EAX
7CA143ED 4A DEC EDX ; EDX=1F, number of loop iterations
7CA143EE 8959 34 MOV DWORD PTR DS:[ECX+34], EBX
7CA143F1 ^ 75 CD JNZ SHORT rsabase.7CA143C0
7CA143F3 8B45 00 MOV EAX, DWORD PTR SS:[EBP] ; EAX<--SS:[14A4F8]=67452301
7CA143F6 8B5D 04 MOV EBX, DWORD PTR SS:[EBP+4] ; EBX<--SS:[14A4FC]=EFCDAB89
7CA143F9 8B4D 08 MOV ECX, DWORD PTR SS:[EBP+8] ; ECX<---SS:[14A500]=98BADCFE
7CA143FC 8B55 0C MOV EDX, DWORD PTR SS:[EBP+C] ; EDX<---SS:[14A504]=10325476
7CA143FF 8B7D 10 MOV EDI, DWORD PTR SS:[EBP+10] ; EDI<---SS:[14A508]=C3D2E1F0
7CA14402 8BE9 MOV EBP, ECX
7CA14404 33EA XOR EBP, EDX
7CA14406 23EB AND EBP, EBX
7CA14408 8BF0 MOV ESI, EAX
7CA1440A C1C6 05 ROL ESI, 5
7CA1440D 03FE ADD EDI, ESI
7CA1440F 8B3424 MOV ESI, DWORD PTR SS:[ESP] ; ESI=31345A45 <--ID
7CA14412 D1CB ROR EBX, 1
7CA14414 33EA XOR EBP, EDX
7CA14416 D1CB ROR EBX, 1
7CA14418 8DBC3E 9979825A LEA EDI, DWORD PTR DS:[ESI+EDI+5A827999]
7CA1441F 03FD ADD EDI, EBP
7CA14421 8BF3 MOV ESI, EBX
7CA14423 33F1 XOR ESI, ECX
7CA14425 8BEF MOV EBP, EDI
7CA14427 C1C5 05 ROL EBP, 5
7CA1442A 23F0 AND ESI, EAX
7CA1442C 03D5 ADD EDX, EBP
7CA1442E D1C8 ROR EAX, 1
7CA14430 8B6C24 04 MOV EBP, DWORD PTR SS:[ESP+4] ; EBP<---SS:[12F060]=502D454F <--ID
7CA14434 D1C8 ROR EAX, 1
7CA14436 33F1 XOR ESI, ECX
7CA14438 8D9415 9979825A LEA EDX, DWORD PTR SS:[EBP+EDX+5A827999]
7CA1443F 8BE8 MOV EBP, EAX
7CA14441 03D6 ADD EDX, ESI
7CA14443 33EB XOR EBP, EBX
7CA14445 23EF AND EBP, EDI
7CA14447 8BF2 MOV ESI, EDX
7CA14449 C1C6 05 ROL ESI, 5
7CA1444C 03CE ADD ECX, ESI
7CA1444E 8B7424 08 MOV ESI, DWORD PTR SS:[ESP+8] ; ESI<--SS:[12F064]=4751532D <--ID
7CA14452 D1CF ROR EDI, 1
7CA14454 33EB XOR EBP, EBX
7CA14456 D1CF ROR EDI, 1
7CA14458 8D8C0E 9979825A LEA ECX, DWORD PTR DS:[ESI+ECX+5A827999]
7CA1445F 03CD ADD ECX, EBP
7CA14461 8BF7 MOV ESI, EDI
7CA14463 33F0 XOR ESI, EAX
7CA14465 8BE9 MOV EBP, ECX
7CA14467 C1C5 05 ROL EBP, 5
7CA1446A 23F2 AND ESI, EDX
7CA1446C 03DD ADD EBX, EBP
7CA1446E D1CA ROR EDX, 1
7CA14470 8B6C24 0C MOV EBP, DWORD PTR SS:[ESP+C] ; EBP<--SS:[12F068]=52544242 <--ID
7CA14474 D1CA ROR EDX, 1
7CA14476 33F0 XOR ESI, EAX
7CA14478 8D9C1D 9979825A LEA EBX, DWORD PTR SS:[EBP+EBX+5A827999]
7CA1447F 8BEA MOV EBP, EDX
7CA14481 03DE ADD EBX, ESI
7CA14483 33EF XOR EBP, EDI
7CA14485 23E9 AND EBP, ECX
7CA14487 8BF3 MOV ESI, EBX
7CA14489 C1C6 05 ROL ESI, 5
7CA1448C 03C6 ADD EAX, ESI
7CA1448E 8B7424 10 MOV ESI, DWORD PTR SS:[ESP+10] ; ESI<--SS:[12F06C]=322D5858<--ID
7CA14492 D1C9 ROR ECX, 1
7CA14494 33EF XOR EBP, EDI
7CA14496 D1C9 ROR ECX, 1
7CA14498 8D8406 9979825A LEA EAX, DWORD PTR DS:[ESI+EAX+5A827999]
7CA1449F 03C5 ADD EAX, EBP
7CA144A1 8BF1 MOV ESI, ECX
7CA144A3 33F2 XOR ESI, EDX
7CA144A5 8BE8 MOV EBP, EAX
7CA144A7 C1C5 05 ROL EBP, 5
7CA144AA 23F3 AND ESI, EBX
7CA144AC 03FD ADD EDI, EBP
7CA144AE D1CB ROR EBX, 1
7CA144B0 8B6C24 14 MOV EBP, DWORD PTR SS:[ESP+14] ; EBP<--SS:[12F070]=31544B2D <--ID
7CA144B4 D1CB ROR EBX, 1
7CA144B6 33F2 XOR ESI, EDX
7CA144B8 8DBC3D 9979825A LEA EDI, DWORD PTR SS:[EBP+EDI+5A827999]
7CA144BF 8BEB MOV EBP, EBX
7CA144C1 03FE ADD EDI, ESI
7CA144C3 33E9 XOR EBP, ECX
7CA144C5 23E8 AND EBP, EAX
7CA144C7 8BF7 MOV ESI, EDI
7CA144C9 C1C6 05 ROL ESI, 5
7CA144CC 03D6 ADD EDX, ESI
7CA144CE 8B7424 18 MOV ESI, DWORD PTR SS:[ESP+18] ; ESI<--SS:[12F074]=50304142<--ID
7CA144D2 D1C8 ROR EAX, 1
7CA144D4 33E9 XOR EBP, ECX
7CA144D6 D1C8 ROR EAX, 1
7CA144D8 8D9416 9979825A LEA EDX, DWORD PTR DS:[ESI+EDX+5A827999]
7CA144DF 03D5 ADD EDX, EBP
7CA144E1 8BF0 MOV ESI, EAX
7CA144E3 33F3 XOR ESI, EBX
7CA144E5 8BEA MOV EBP, EDX
7CA144E7 C1C5 05 ROL EBP, 5
7CA144EA 23F7 AND ESI, EDI
7CA144EC 03CD ADD ECX, EBP
7CA144EE D1CF ROR EDI, 1
7CA144F0 8B6C24 1C MOV EBP, DWORD PTR SS:[ESP+1C] ; EBP<--SS:[12F078]=4D800000 <-- first character of the ID plus 800000
7CA144F4 D1CF ROR EDI, 1
7CA144F6 33F3 XOR ESI, EBX
7CA144F8 8D8C0D 9979825A LEA ECX, DWORD PTR SS:[EBP+ECX+5A827999]
7CA144FF 8BEF MOV EBP, EDI
7CA14501 03CE ADD ECX, ESI
7CA14503 33E8 XOR EBP, EAX
7CA14505 23EA AND EBP, EDX
7CA14507 8BF1 MOV ESI, ECX
7CA14509 C1C6 05 ROL ESI, 5
7CA1450C 03DE ADD EBX, ESI
7CA1450E 8B7424 20 MOV ESI, DWORD PTR SS:[ESP+20] ; ESI=0
……
7CA14EC6 03FD ADD EDI, EBP
7CA14EC8 8906 MOV DWORD PTR DS:[ESI], EAX ; EAX=BF1AEB0F ==>DS:[14A4F8]
7CA14ECA 895E 04 MOV DWORD PTR DS:[ESI+4], EBX ; EBX=154344B9
7CA14ECD 894E 08 MOV DWORD PTR DS:[ESI+8], ECX ; ECX=CE1EAC47
7CA14ED0 8956 0C MOV DWORD PTR DS:[ESI+C], EDX ; EDX=67E14CDD
7CA14ED3 897E 10 MOV DWORD PTR DS:[ESI+10], EDI ; EDI=95CE0D8F
7CA14ED6 5D POP EBP ; // the value calculated above from the ID ==>DS:[14A4F8]
7CA14ED7 5B POP EBX
7CA14ED8 5F POP EDI
7CA14ED9 5E POP ESI
7CA14EDA C2 0800 RETN 8
-------------
Next, the following is executed
|
7CA15A40 56 PUSH ESI
7CA15A41 8B7424 10 MOV ESI, DWORD PTR SS:[ESP+10]
7CA15A45 85F6 TEST ESI, ESI
7CA15A47 76 33 JBE SHORT rsabase.7CA15A7C
7CA15A49 8B4424 08 MOV EAX, DWORD PTR SS:[ESP+8]
7CA15A4D 8D48 01 LEA ECX, DWORD PTR DS:[EAX+1]
7CA15A50 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C]
7CA15A54 8B10 MOV EDX, DWORD PTR DS:[EAX]
7CA15A56 83C0 04 ADD EAX, 4
7CA15A59 C1EA 18 SHR EDX, 18
7CA15A5C 8851 FF MOV BYTE PTR DS:[ECX-1], DL
7CA15A5F 8B50 FC MOV EDX, DWORD PTR DS:[EAX-4]
7CA15A62 C1EA 10 SHR EDX, 10
7CA15A65 8811 MOV BYTE PTR DS:[ECX], DL
7CA15A67 8B50 FC MOV EDX, DWORD PTR DS:[EAX-4]
7CA15A6A C1EA 08 SHR EDX, 8
7CA15A6D 8851 01 MOV BYTE PTR DS:[ECX+1], DL
7CA15A70 8A50 FC MOV DL, BYTE PTR DS:[EAX-4]
7CA15A73 8851 02 MOV BYTE PTR DS:[ECX+2], DL
7CA15A76 83C1 04 ADD ECX, 4
7CA15A79 4E DEC ESI
7CA15A7A ^ 75 D8 JNZ SHORT rsabase.7CA15A54
7CA15A7C 5E POP ESI
7CA15A7D C2 0C00 RETN 0C
// this section recalculates using the value above and stores the result ==>DS:[0014E4]
<--------------RETN
|
00404676 . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8], EAX
0040467C . FFD7 CALL EDI
0040467E . 39B5 38FFFFFF CMP DWORD PTR SS:[EBP-C8], ESI
00404684 . 0F84 6B060000 JE Register.00404CF5
0040468A . 68 A4264000 PUSH Register.004026A4 ; UNICODE "OfficeCenterFromMindswareMadeByKenny"<-- parameter
0040468F . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLe>; MSVBVM60.__vbaLenBstr
00404695 . BF 01000000 MOV EDI, 1
0040469A . 8945 E0 MOV DWORD PTR SS:[EBP-20], EAX
0040469D . 8985 20FFFFFF MOV DWORD PTR SS:[EBP-E0], EAX
004046A3 . 8BDF MOV EBX, EDI
004046A5 > 3B9D 20FFFFFF CMP EBX, DWORD PTR SS:[EBP-E0]
004046AB . 0F8F AF000000 JG Register.00404760
004046B1 . 8D95 5CFFFFFF LEA EDX, DWORD PTR SS:[EBP-A4]
004046B7 . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
004046BA . C745 94 01000>MOV DWORD PTR SS:[EBP-6C], 1
004046C1 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74], 2
004046C8 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C], Register.> ; UNICODE "OfficeCenterFromMindswareMadeByKenny"
004046D2 . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 8
004046DC . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDup
004046E2 . 8D4D 8C LEA ECX, DWORD PTR SS:[EBP-74]
004046E5 . 8D55 9C LEA EDX, DWORD PTR SS:[EBP-64]
004046E8 . 51 PUSH ECX
004046E9 . 53 PUSH EBX
004046EA . 8D85 7CFFFFFF LEA EAX, DWORD PTR SS:[EBP-84]
004046F0 . 52 PUSH EDX
004046F1 . 50 PUSH EAX
004046F2 . FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004046F8 . 81FB C9000000 CMP EBX, 0C9
004046FE . 72 06 JB SHORT Register.00404706
00404700 . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>; MSVBVM60.__vbaGenerateBoundsError
00404706 > 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:[EBP-84]
0040470C . 8D55 AC LEA EDX, DWORD PTR SS:[EBP-54]
0040470F . 51 PUSH ECX
00404710 . 52 PUSH EDX
00404711 . FF15 AC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarVal
00404717 . 50 PUSH EAX
00404718 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsivalueBstr
0040471E . 8BC8 MOV ECX, EAX
00404720 . FF15 84104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaUI>; MSVBVM60.__vbaUI1I2
00404726 . 8B4D CC MOV ECX, DWORD PTR SS:[EBP-34]
00404729 . 880419 MOV BYTE PTR DS:[ECX+EBX], AL
0040472C . 8D4D AC LEA ECX, DWORD PTR SS:[EBP-54]
0040472F . FF15 24114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
00404735 . 8D95 7CFFFFFF LEA EDX, DWORD PTR SS:[EBP-84]
0040473B . 8D45 8C LEA EAX, DWORD PTR SS:[EBP-74]
0040473E . 52 PUSH EDX
0040473F . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
00404742 . 50 PUSH EAX
00404743 . 51 PUSH ECX
00404744 . 6A 03 PUSH 3
00404746 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
0040474C . 8BD7 MOV EDX, EDI
0040474E . 83C4 10 ADD ESP, 10
00404751 . 03D3 ADD EDX, EBX
00404753 . 0F80 23060000 JO Register.00404D7C
00404759 . 8BDA MOV EBX, EDX
0040475B .^ E9 45FFFFFF JMP Register.004046A5
; // the code above copies UNICODE "OfficeCenterFromMindswareMadeByKenny"
00404760 > 8B4D CC MOV ECX, DWORD PTR SS:[EBP-34]
00404763 . 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18]
00404766 . 8D45 E0 LEA EAX, DWORD PTR SS:[EBP-20]
00404769 . 68 C8000000 PUSH 0C8
0040476E . 41 INC ECX
0040476F . 50 PUSH EAX
00404770 . 51 PUSH ECX
00404771 . 56 PUSH ESI
00404772 . 6A FF PUSH -1
00404774 . 56 PUSH ESI
00404775 . 52 PUSH EDX
00404776 . E8 11E6FFFF CALL Register.00402D8C ; // the value calculated from the ID and the string "OfficeCenterFromMindswareMadeByKenny" are put through a further calculation
F8----------->
|
7CA11920 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+4]
7CA11924 33C9 XOR ECX, ECX
7CA11926 8948 2C MOV DWORD PTR DS:[EAX+2C], ECX
7CA11929 8948 30 MOV DWORD PTR DS:[EAX+30], ECX
7CA1192C C740 18 0123456>MOV DWORD PTR DS:[EAX+18], 67452301 <-- passing parameters
7CA11933 C740 1C 89ABCDE>MOV DWORD PTR DS:[EAX+1C], EFCDAB89
7CA1193A C740 20 FEDCBA9>MOV DWORD PTR DS:[EAX+20], 98BADCFE
7CA11941 C740 24 7654321>MOV DWORD PTR DS:[EAX+24], 10325476
7CA11948 C740 28 F0E1D2C>MOV DWORD PTR DS:[EAX+28], C3D2E1F0
7CA1194F C2 0400 RETN 4
7CA114F0 53 PUSH EBX
7CA114F1 56 PUSH ESI
7CA114F2 57 PUSH EDI
7CA114F3 55 PUSH EBP
7CA114F4 33C9 XOR ECX, ECX
7CA114F6 33D2 XOR EDX, EDX
7CA114F8 8B7424 14 MOV ESI, DWORD PTR SS:[ESP+14]
7CA114FC 8B6C24 18 MOV EBP, DWORD PTR SS:[ESP+18]
7CA11500 8B7C24 1C MOV EDI, DWORD PTR SS:[ESP+1C]
7CA11504 8A8E 00010000 MOV CL, BYTE PTR DS:[ESI+100]
7CA1150A 8A96 01010000 MOV DL, BYTE PTR DS:[ESI+101]
7CA11510 85ED TEST EBP, EBP
7CA11512 74 2B JE SHORT rsabase.7CA1153F
7CA11514 41 INC ECX
7CA11515 BB FF000000 MOV EBX, 0FF
7CA1151A 23CB AND ECX, EBX
7CA1151C 33C0 XOR EAX, EAX
7CA1151E 8A040E MOV AL, BYTE PTR DS:[ESI+ECX]
7CA11521 03D0 ADD EDX, EAX
7CA11523 23D3 AND EDX, EBX
7CA11525 33DB XOR EBX, EBX
7CA11527 8A1C16 MOV BL, BYTE PTR DS:[ESI+EDX]
7CA1152A 881C0E MOV BYTE PTR DS:[ESI+ECX], BL
7CA1152D 880416 MOV BYTE PTR DS:[ESI+EDX], AL
7CA11530 02C3 ADD AL, BL
7CA11532 8A1F MOV BL, BYTE PTR DS:[EDI] ; BL=DS:[EDI]=DS:[149F59]=4F ('O')<-- first character of the parameter string
7CA11534 8A0406 MOV AL, BYTE PTR DS:[ESI+EAX] ; AL=DS:[ESI+EAX]=07 ESI=0014A640 EAX=80
7CA11537 32D8 XOR BL, AL
7CA11539 881F MOV BYTE PTR DS:[EDI], BL
7CA1153B 47 INC EDI
7CA1153C 4D DEC EBP
7CA1153D ^ 75 D5 JNZ SHORT rsabase.7CA11514
7CA1153F 5D POP EBP
7CA11540 5F POP EDI
7CA11541 8D86 00010000 LEA EAX, DWORD PTR DS:[ESI+100]
7CA11547 5E POP ESI
7CA11548 8808 MOV BYTE PTR DS:[EAX], CL
7CA1154A 5B POP EBX
7CA1154B 8850 01 MOV BYTE PTR DS:[EAX+1], DL
7CA1154E C2 0C00 RETN 0C
7CA11551 53 PUSH EBX
7CA11552 B8 00010203 MOV EAX, 3020100
7CA11557 56 PUSH ESI
7CA11558 B9 40000000 MOV ECX, 40
7CA1155D 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+C]
7CA11561 57 PUSH EDI
7CA11562 8BD6 MOV EDX, ESI
7CA11564 55 PUSH EBP
7CA11565 8902 MOV DWORD PTR DS:[EDX], EAX
7CA11567 83C2 04 ADD EDX, 4
7CA1156A 05 04040404 ADD EAX, 4040404
7CA1156F 49 DEC ECX
7CA11570 ^ 75 F3 JNZ SHORT rsabase.7CA11565
7CA11572 33C9 XOR ECX, ECX
7CA11574 33FF XOR EDI, EDI
7CA11576 8B6C24 1C MOV EBP, DWORD PTR SS:[ESP+1C]
7CA1157A 888E 00010000 MOV BYTE PTR DS:[ESI+100], CL
7CA11580 888E 01010000 MOV BYTE PTR DS:[ESI+101], CL
7CA11586 33DB XOR EBX, EBX
7CA11588 33D2 XOR EDX, EDX
7CA1158A 33C0 XOR EAX, EAX
7CA1158C 8A1437 MOV DL, BYTE PTR DS:[EDI+ESI] <-- the fixed parameter copied above
7CA1158F 8A440D 00 MOV AL, BYTE PTR SS:[EBP+ECX] <-- the value calculated from the ID
7CA11593 02D8 ADD BL, AL
7CA11595 41 INC ECX
7CA11596 02DA ADD BL, DL
7CA11598 47 INC EDI
7CA11599 8A0433 MOV AL, BYTE PTR DS:[EBX+ESI] <--- use the value above to look up a value in the table
7CA1159C 884437 FF MOV BYTE PTR DS:[EDI+ESI-1], AL
7CA115A0 394C24 18 CMP DWORD PTR SS:[ESP+18], ECX
7CA115A4 881433 MOV BYTE PTR DS:[EBX+ESI], DL
7CA115A7 75 02 JNZ SHORT rsabase.7CA115AB
7CA115A9 33C9 XOR ECX, ECX
7CA115AB 81FF 00010000 CMP EDI, 100
7CA115B1 ^ 72 D5 JB SHORT rsabase.7CA11588
7CA115B3 5D POP EBP
7CA115B4 5F POP EDI
7CA115B5 5E POP ESI
7CA115B6 5B POP EBX
7CA115B7 C2 0C00 RETN 0C
If you are not afraid of dying, come and look at the algorithm; I surrender ^_^
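Added example, not part of the original post: the rsabase routines traced above load constants that identify standard algorithms, and a short Python scan over OllyDbg-style lines flags them so that library code like this can be recognised instead of single-stepped. The sample lines are excerpted from the listings on this page; the signature table and the function names parse and scan are this example's own, and reading the PUSH 8004 / PUSH 6801 values as CryptoAPI ALG_IDs is an interpretation of the listing.

```python
import re

# Public constants: SHA-1 initial state and round constants (from the SHA-1
# specification) and CryptoAPI ALG_ID values (from the SDK header wincrypt.h).
SHA1_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
SHA1_K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
ALG_IDS = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1",
           0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6801: "CALG_RC4"}

# address, anything (marker and byte column), then one of the mnemonics we care about
INSN = re.compile(r"^([0-9A-F]{8})\b.*?(?:\s|>)(MOV|PUSH|ADD|LEA|CMP)\s+(.*)$")
HEXTOK = re.compile(r"\b[0-9A-F]+\b")


def parse(line):
    """Return (address, mnemonic, dest, immediates), or None if not such a line."""
    m = INSN.match(line.strip())
    if not m:
        return None
    addr, mnem, ops = m.groups()
    ops = re.split(r";|<-", ops)[0].strip()      # drop the author's annotations
    dest = ops.split(",")[0].strip()
    return addr, mnem, dest, [int(t, 16) for t in HEXTOK.findall(ops)]


def scan(lines):
    """Return [(address, finding), ...] in listing order."""
    hits, init_seen, k_seen, fill_reg = [], {}, set(), {}
    for idx, line in enumerate(lines):
        insn = parse(line)
        if insn is None:
            continue
        addr, mnem, dest, imms = insn
        for imm in imms:
            if mnem == "PUSH" and imm in ALG_IDS:
                hits.append((idx, addr, "ALG_ID " + ALG_IDS[imm]))
            elif mnem == "MOV" and imm in SHA1_INIT:
                init_seen.setdefault(imm, (idx, addr))
            elif mnem in ("LEA", "ADD") and imm in SHA1_K and imm not in k_seen:
                k_seen.add(imm)                  # report each constant once
                hits.append((idx, addr, "SHA-1 round constant %08X" % imm))
            elif mnem == "MOV" and imm == 0x03020100:
                fill_reg[dest] = addr            # first four bytes 00 01 02 03
            elif mnem == "ADD" and imm == 0x04040404 and dest in fill_reg:
                hits.append((idx, addr, "identity S-box fill (RC4 key-schedule idiom)"))
    if init_seen:
        idx, addr = max(init_seen.values())      # where the last word was stored
        if len(init_seen) == 5:
            hits.append((idx, addr, "SHA-1 initial state"))
        elif len(init_seen) == 4 and 0xC3D2E1F0 not in init_seen:
            # MD4 and MD5 share the first four words with SHA-1
            hits.append((idx, addr, "MD4/MD5 initial state"))
    return [(addr, what) for _, addr, what in sorted(hits)]


# Lines excerpted from the listings on this page.
SAMPLE = """
00404613 . 68 04800000 PUSH 8004
0040466B . 68 01680000 PUSH 6801
7CA14418 8DBC3E 9979825A LEA EDI, DWORD PTR DS:[ESI+EDI+5A827999]
7CA14438 8D9415 9979825A LEA EDX, DWORD PTR SS:[EBP+EDX+5A827999]
7CA1192C C740 18 0123456>MOV DWORD PTR DS:[EAX+18], 67452301 <-- passing parameters
7CA11933 C740 1C 89ABCDE>MOV DWORD PTR DS:[EAX+1C], EFCDAB89
7CA1193A C740 20 FEDCBA9>MOV DWORD PTR DS:[EAX+20], 98BADCFE
7CA11941 C740 24 7654321>MOV DWORD PTR DS:[EAX+24], 10325476
7CA11948 C740 28 F0E1D2C>MOV DWORD PTR DS:[EAX+28], C3D2E1F0
7CA11552 B8 00010203 MOV EAX, 3020100
7CA11558 B9 40000000 MOV ECX, 40
7CA1156A 05 04040404 ADD EAX, 4040404
7CA115AB 81FF 00010000 CMP EDI, 100
"""

if __name__ == "__main__":
    for address, finding in scan(SAMPLE.strip().splitlines()):
        print(address, finding)
```

A constant match only suggests the algorithm; confirm it against the routine's structure (rotate counts, table size, loop bounds) before relying on it.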
<---------RETN
|
0040477B . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8], EAX
00404781 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSe>; MSVBVM60.__vbaSetSystemError
00404787 . 39B5 38FFFFFF CMP DWORD PTR SS:[EBP-C8], ESI
0040478D . 0F84 62050000 JE Register.00404CF5
00404793 . BA 442F4000 MOV EDX, Register.00402F44
00404798 . 8D4D D8 LEA ECX, DWORD PTR SS:[EBP-28]
0040479B . FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCopy
004047A1 . 8B1D 14114000 MOV EBX, DWORD PTR DS:[<&MSVBVM60.__>; MSVBVM60.__vbaStrMove
004047A7 . 33FF XOR EDI, EDI
004047A9 > B8 18000000 MOV EAX, 18 ; // start calculating and fetching values
004047AE . 3BF8 CMP EDI, EAX
004047B0 . 0F8F 17050000 JG Register.00404CCD ; // leave once the calculation is finished
004047B6 . 8B45 D8 MOV EAX, DWORD PTR SS:[EBP-28]
004047B9 . 8BF7 MOV ESI, EDI
004047BB . 83C6 02 ADD ESI, 2
004047BE . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC], EAX
004047C4 . 0F80 B2050000 JO Register.00404D7C
004047CA . 81FE C9000000 CMP ESI, 0C9
004047D0 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4], 8
004047DA . C745 94 01000>MOV DWORD PTR SS:[EBP-6C], 1
004047E1 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74], 2
004047E8 . 72 06 JB SHORT Register.004047F0
004047EA . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
004047F0 > 8BC7 MOV EAX, EDI
004047F2 . 83C0 03 ADD EAX, 3
004047F5 . 0F80 81050000 JO Register.00404D7C
004047FB . 3D C9000000 CMP EAX, 0C9
00404800 . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EAX
00404806 . 72 06 JB SHORT Register.0040480E
00404808 . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
0040480E > 8D95 5CFFFFFF LEA EDX, DWORD PTR SS:[EBP-A4]
00404814 . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
00404817 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C], Register.> ; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4"<-- parameter
00404821 . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 8
0040482B . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404831 . 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
00404834 . 8D4D 8C LEA ECX, DWORD PTR SS:[EBP-74]
00404837 . 51 PUSH ECX
00404838 . 66:33C9 XOR CX, CX
0040483B . 8A1430 MOV DL, BYTE PTR DS:[EAX+ESI] ; start taking the parameter from the third position
0040483E . 80E2 03 AND DL, 3
00404841 . 8ACA MOV CL, DL
00404843 . 8B95 30FFFFFF MOV EDX, DWORD PTR SS:[EBP-D0]
00404849 . 66:6BC9 10 IMUL CX, CX, 10
0040484D . 8A0410 MOV AL, BYTE PTR DS:[EAX+EDX]
00404850 . 0F80 26050000 JO Register.00404D7C
00404856 . C0E8 04 SHR AL, 4
00404859 . 66:33D2 XOR DX, DX
0040485C . 8AD0 MOV DL, AL
0040485E . 0BCA OR ECX, EDX
00404860 . 8D95 7CFFFFFF LEA EDX, DWORD PTR SS:[EBP-84]
00404866 . 66:83C1 01 ADD CX, 1
0040486A . 0F80 0C050000 JO Register.00404D7C
00404870 . 0FBFC1 MOVSX EAX, CX
00404873 . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
00404876 . 50 PUSH EAX
00404877 . 51 PUSH ECX
00404878 . 52 PUSH EDX
00404879 . FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0040487F . 8D85 3CFFFFFF LEA EAX, DWORD PTR SS:[EBP-C4]
00404885 . 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:[EBP-84]
0040488B . 50 PUSH EAX
0040488C . 8D95 6CFFFFFF LEA EDX, DWORD PTR SS:[EBP-94]
00404892 . 51 PUSH ECX
00404893 . 52 PUSH EDX
00404894 . FF15 EC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
0040489A . 50 PUSH EAX
0040489B . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
004048A1 . 8BD0 MOV EDX, EAX
004048A3 . 8D4D D8 LEA ECX, DWORD PTR SS:[EBP-28]
004048A6 . FFD3 CALL EBX
004048A8 . 8D85 6CFFFFFF LEA EAX, DWORD PTR SS:[EBP-94]
004048AE . 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:[EBP-84]
004048B4 . 50 PUSH EAX
004048B5 . 8D55 8C LEA EDX, DWORD PTR SS:[EBP-74]
004048B8 . 51 PUSH ECX
004048B9 . 8D45 9C LEA EAX, DWORD PTR SS:[EBP-64]
004048BC . 52 PUSH EDX
004048BD . 50 PUSH EAX
004048BE . 6A 04 PUSH 4
004048C0 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
004048C6 . 8B4D D8 MOV ECX, DWORD PTR SS:[EBP-28]
004048C9 . 8BF7 MOV ESI, EDI
004048CB . 83C4 14 ADD ESP, 14
004048CE . 83C6 03 ADD ESI, 3
004048D1 . 0F80 A5040000 JO Register.00404D7C
004048D7 . 81FE C9000000 CMP ESI, 0C9
004048DD . 898D 44FFFFFF MOV DWORD PTR SS:[EBP-BC], ECX
004048E3 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4], 8
004048ED . C745 94 01000>MOV DWORD PTR SS:[EBP-6C], 1
004048F4 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74], 2
004048FB . 72 06 JB SHORT Register.00404903
004048FD . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
00404903 > 8BC7 MOV EAX, EDI
00404905 . 83C0 04 ADD EAX, 4
00404908 . 0F80 6E040000 JO Register.00404D7C
0040490E . 3D C9000000 CMP EAX, 0C9
00404913 . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EAX
00404919 . 72 06 JB SHORT Register.00404921
0040491B . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
00404921 > 8D95 5CFFFFFF LEA EDX, DWORD PTR SS:[EBP-A4]
00404927 . 8D4D 9C LEA ECX, DWORD PTR SS:[EBP-64]
0040492A . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C], Register.> ; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4" <-- parameter
00404934 . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 8
0040493E . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404944 . 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
00404947 . 8D55 8C LEA EDX, DWORD PTR SS:[EBP-74]
0040494A . 52 PUSH EDX
0040494B . 66:33D2 XOR DX, DX
0040494E . 8A0C30 MOV CL, BYTE PTR DS:[EAX+ESI]
00404951 . 80E1 0F AND CL, 0F
00404954 . 8AD1 MOV DL, CL
00404956 . 8B8D 30FFFFFF MOV ECX, DWORD PTR SS:[EBP-D0]
0040495C . 66:6BD2 04 IMUL DX, DX, 4
00404960 . 8A0408 MOV AL, BYTE PTR DS:[EAX+ECX]
00404963 . 0F80 13040000 JO Register.00404D7C
00404969 . C0E8 06 SHR AL, 6
0040496C . 66:33C9 XOR CX, CX
0040496F . 8AC8 MOV CL, AL
00404971 . 8D45 9C LEA EAX, DWORD PTR SS:[EBP-64]
00404974 . 0BD1 OR EDX, ECX
00404976 . 8D8D 7CFFFFFF LEA ECX, DWORD PTR SS:[EBP-84]
0040497C . 66:83C2 01 ADD DX, 1
00404980 . 0F80 F6030000 JO Register.00404D7C
00404986 . 0FBFD2 MOVSX EDX, DX
00404989 . 52 PUSH EDX
0040498A . 50 PUSH EAX
0040498B . 51 PUSH ECX
0040498C . FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>]
F8-------->
|
733B45C3 50 PUSH EAX
733B45C4 8B45 0C MOV EAX, DWORD PTR SS:[EBP+C] <-- the calculated value is fetched here
733B45C7 8D4400 FF LEA EAX, DWORD PTR DS:[EAX+EAX-1] <-- calculated again
733B45CB 50 PUSH EAX
733B45CC FF75 08 PUSH DWORD PTR SS:[EBP+8] <--- parameter pushed onto the stack: UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4"
733B45CF E8 1E000000 CALL MSVBVM60.rtcMidBstr <--- this should be where the value is fetched
733B45D4 C9 LEAVE
733B45D5 C2 0C00 RETN 0C
CALL MSVBVM60.rtcMidBstr <--- this should be where the value is fetched
733B45F2 > 8B4424 08 MOV EAX, DWORD PTR SS:[ESP+8] <--EAX = the calculated value
733B45F6 53 PUSH EBX
733B45F7 56 PUSH ESI
733B45F8 57 PUSH EDI
733B45F9 8D78 FF LEA EDI, DWORD PTR DS:[EAX-1] <-- the value above minus 1
733B45FC 85FF TEST EDI, EDI
733B45FE 0F8C 10330200 JL MSVBVM60.733D7914
733B4604 81FF FFFFFF7F CMP EDI, 7FFFFFFF
733B460A 0F8F 04330200 JG MSVBVM60.733D7914
733B4610 8B4424 10 MOV EAX, DWORD PTR SS:[ESP+10] <-- parameter UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4"
733B4614 8BDF MOV EBX, EDI
733B4616 85C0 TEST EAX, EAX
733B4618 0F84 FD320200 JE MSVBVM60.733D791B
733B461E 8B70 FC MOV ESI, DWORD PTR DS:[EAX-4] <--ESI=82
733B4621 3BFE CMP EDI, ESI <--EDI<82
733B4623 0F87 F9320200 JA MSVBVM60.733D7922
733B4629 8B4C24 18 MOV ECX, DWORD PTR SS:[ESP+18]
733B462D 66:8339 0A CMP WORD PTR DS:[ECX], 0A
733B4631 75 35 JNZ SHORT MSVBVM60.733B4668
733B4633 8179 08 0400028>CMP DWORD PTR DS:[ECX+8], 80020004
733B463A 75 2C JNZ SHORT MSVBVM60.733B4668
733B463C 83C8 FF OR EAX, FFFFFFFF
733B463F 66:85C0 TEST AX, AX
733B4642 74 28 JE SHORT MSVBVM60.733B466C
733B4644 2BF3 SUB ESI, EBX
733B4646 8BC6 MOV EAX, ESI
733B4648 50 PUSH EAX
733B4649 8B4424 14 MOV EAX, DWORD PTR SS:[ESP+14]
733B464D 03D8 ADD EBX, EAX
733B464F 53 PUSH EBX
733B4650 FF15 EC193973 CALL DWORD PTR DS:[<&OLEAUT32.#150>]
733B4656 8BF0 MOV ESI, EAX
733B4658 85F6 TEST ESI, ESI
733B465A 0F84 D0320200 JE MSVBVM60.733D7930
733B4660 8BC6 MOV EAX, ESI
733B4662 5F POP EDI
733B4663 5E POP ESI
733B4664 5B POP EBX
733B4665 C2 0C00 RETN 0C
733B4672 8BF8 MOV EDI, EAX
733B4674 85FF TEST EDI, EDI
733B4676 0F8C AD320200 JL MSVBVM60.733D7929
733B467C 81FF FFFFFF7F CMP EDI, 7FFFFFFF
733B4682 0F8F A1320200 JG MSVBVM60.733D7929
733B4688 2BF3 SUB ESI, EBX <---ESI=ESI-EBX=82-7E (the value above)=4
733B468A 8BC7 MOV EAX, EDI
733B468C 3BFE CMP EDI, ESI
733B468E ^ 77 B6 JA SHORT MSVBVM60.733B4646
733B4648 50 PUSH EAX
733B4649 8B4424 14 MOV EAX, DWORD PTR SS:[ESP+14] <-- parameter UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4"
733B464D 03D8 ADD EBX, EAX <-- fetch the character at the position given by EAX as the base address and EBX as the offset
733B464F 53 PUSH EBX
733B4650 FF15 EC193973 CALL DWORD PTR DS:[<&OLEAUT32.#150>]
733B4656 8BF0 MOV ESI, EAX
733B4658 85F6 TEST ESI, ESI
733B465A 0F84 D0320200 JE MSVBVM60.733D7930
733B4660 8BC6 MOV EAX, ESI
733B4662 5F POP EDI
733B4663 5E POP ESI
733B4664 5B POP EBX
733B4665 C2 0C00 RETN 0C
RETN<---------------
|
00404992  . 8D95 3CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-C4]
00404998  . 8D85 7CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-84]
0040499E  . 52  PUSH EDX
0040499F  . 8D8D 6CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-94]
004049A5  . 50  PUSH EAX
004049A6  . 51  PUSH ECX
004049A7  . FF15 EC104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
004049AD  . 50  PUSH EAX
004049AE  . FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
004049B4  . 8BD0  MOV EDX, EAX  ; EDX<--EAX=00146F44,(UNICODE "Hs")<-- the first two characters of the registration code, computed above
004049B6  . 8D4D D8  LEA ECX, DWORD PTR SS:[EBP-28]
004049B9  . FFD3  CALL EBX
004049BB  . 8D95 6CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-94]
004049C1  . 8D85 7CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-84]
004049C7  . 52  PUSH EDX
004049C8  . 8D4D 8C  LEA ECX, DWORD PTR SS:[EBP-74]
004049CB  . 50  PUSH EAX
004049CC  . 8D55 9C  LEA EDX, DWORD PTR SS:[EBP-64]
004049CF  . 51  PUSH ECX
004049D0  . 52  PUSH EDX
004049D1  . 6A 04  PUSH 4
004049D3  . FF15 18104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
004049D9  . 8B45 D8  MOV EAX, DWORD PTR SS:[EBP-28]  ; EAX=00146F44,(UNICODE "Hs")<-- the first two characters of the registration code, computed above
004049DC  . 8BF7  MOV ESI, EDI
004049DE  . 83C4 14  ADD ESP, 14
004049E1  . 83C6 04  ADD ESI, 4
004049E4  . 0F80 92030000  JO Register.00404D7C
004049EA  . 81FE C9000000  CMP ESI, 0C9
004049F0  . 8985 44FFFFFF  MOV DWORD PTR SS:[EBP-BC], EAX
004049F6  . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4], 8
00404A00  . C745 94 01000>MOV DWORD PTR SS:[EBP-6C], 1
00404A07  . C745 8C 02000>MOV DWORD PTR SS:[EBP-74], 2
00404A0E  . 72 06  JB SHORT Register.00404A16
00404A10  . FF15 6C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>;
00404A16  > 8D95 5CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-A4]
00404A1C  . 8D4D 9C  LEA ECX, DWORD PTR SS:[EBP-64]
00404A1F  . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C], Register.>; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4" <-- argument
00404A29  . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 8
00404A33  . FF15 F4104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404A39  . 8B55 CC  MOV EDX, DWORD PTR SS:[EBP-34]
00404A3C  . 8D4D 8C  LEA ECX, DWORD PTR SS:[EBP-74]
00404A3F  . 51  PUSH ECX
00404A40  . 66:33C9  XOR CX, CX
00404A43  . 8A0432  MOV AL, BYTE PTR DS:[EDX+ESI]
00404A46  . 24 3F  AND AL, 3F
00404A48  . 8AC8  MOV CL, AL
00404A4A  . 8D45 9C  LEA EAX, DWORD PTR SS:[EBP-64]
00404A4D  . 66:83C1 01  ADD CX, 1
00404A51  . 0F80 25030000  JO Register.00404D7C
00404A57  . 0FBFD1  MOVSX EDX, CX
00404A5A  . 52  PUSH EDX
00404A5B  . 8D8D 7CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-84]
00404A61  . 50  PUSH EAX
00404A62  . 51  PUSH ECX
00404A63  . FF15 60104000  CALL DWORD PTR DS:[<&MSVBVM60.#632>]
; the function above computed the third character
00404A69  . 8D95 3CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-C4]
00404A6F  . 8D85 7CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-84]
00404A75  . 52  PUSH EDX
00404A76  . 8D8D 6CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-94]
00404A7C  . 50  PUSH EAX
00404A7D  . 51  PUSH ECX
00404A7E  . FF15 EC104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404A84  . 50  PUSH EAX
00404A85  . FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
00404A8B  . 8BD0  MOV EDX, EAX  ; the function above appends the third character to the memory holding the registration code
00404A8D  . 8D4D D8  LEA ECX, DWORD PTR SS:[EBP-28]
00404A90  . FFD3  CALL EBX
00404A92  . 8D95 6CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-94]
00404A98  . 8D85 7CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-84]
00404A9E  . 52  PUSH EDX
00404A9F  . 8D4D 8C  LEA ECX, DWORD PTR SS:[EBP-74]
00404AA2  . 50  PUSH EAX
00404AA3  . 8D55 9C  LEA EDX, DWORD PTR SS:[EBP-64]
00404AA6  . 51  PUSH ECX
00404AA7  . 52  PUSH EDX
00404AA8  . 6A 04  PUSH 4
00404AAA  . FF15 18104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
00404AB0  . 8B45 D8  MOV EAX, DWORD PTR SS:[EBP-28]  ; EAX<--0013B14C,(UNICODE "HsL")
00404AB3  . 8BF7  MOV ESI, EDI
00404AB5  . 83C4 14  ADD ESP, 14
00404AB8  . 83C6 05  ADD ESI, 5
00404ABB  . 0F80 BB020000  JO Register.00404D7C
00404AC1  . 81FE C9000000  CMP ESI, 0C9
00404AC7  . 8985 44FFFFFF  MOV DWORD PTR SS:[EBP-BC], EAX  ; <-- store the registration code obtained so far in memory at 00146F44
00404ACD  . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4], 8
00404AD7  . C745 94 01000>MOV DWORD PTR SS:[EBP-6C], 1
00404ADE  . C745 8C 02000>MOV DWORD PTR SS:[EBP-74], 2
00404AE5  . 72 06  JB SHORT Register.00404AED
00404AE7  . FF15 6C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
00404AED  > 8D95 5CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-A4]
00404AF3  . 8D4D 9C  LEA ECX, DWORD PTR SS:[EBP-64]
00404AF6  . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C], Register.>  ; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4"
00404B00  . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 8
00404B0A  . FF15 F4104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404B10  . 8B55 CC  MOV EDX, DWORD PTR SS:[EBP-34]
00404B13  . 8D4D 8C  LEA ECX, DWORD PTR SS:[EBP-74]
00404B16  . 51  PUSH ECX
00404B17  . 66:33C9  XOR CX, CX
00404B1A  . 8A0432  MOV AL, BYTE PTR DS:[EDX+ESI]  ; AL<--DS:[EDX+ESI]=DS:[001477A5]=FE EDX=001477A0 ESI=5
00404B1D  . C0E8 02  SHR AL, 2
00404B20  . 8AC8  MOV CL, AL
00404B22  . 8D45 9C  LEA EAX, DWORD PTR SS:[EBP-64]
00404B25  . 66:83C1 01  ADD CX, 1
00404B29  . 0F80 4D020000  JO Register.00404D7C
00404B2F  . 0FBFD1  MOVSX EDX, CX
00404B32  . 52  PUSH EDX
00404B33  . 8D8D 7CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-84]
00404B39  . 50  PUSH EAX
00404B3A  . 51  PUSH ECX
00404B3B  . FF15 60104000  CALL DWORD PTR DS:[<&MSVBVM60.#632>]
00404B41  . 8D95 3CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-C4]
00404B47  . 8D85 7CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-84]
00404B4D  . 52  PUSH EDX
00404B4E  . 8D8D 6CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-94]
00404B54  . 50  PUSH EAX
00404B55  . 51  PUSH ECX
00404B56  . FF15 EC104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>;<-- concatenation function
F8--------->
|
77A10968  > 55  PUSH EBP
77A10969  8BEC  MOV EBP, ESP
77A1096B  53  PUSH EBX
77A1096C  56  PUSH ESI
77A1096D  8B75 08  MOV ESI, DWORD PTR SS:[EBP+8]
77A10970  57  PUSH EDI
77A10971  85F6  TEST ESI, ESI
77A10973  75 04  JNZ SHORT OLEAUT32.77A10979
77A10975  33DB  XOR EBX, EBX
77A10977  EB 03  JMP SHORT OLEAUT32.77A1097C
77A10979  8B5E FC  MOV EBX, DWORD PTR DS:[ESI-4]
77A1097C  8B45 0C  MOV EAX, DWORD PTR SS:[EBP+C]
77A1097F  85C0  TEST EAX, EAX
77A10981  75 05  JNZ SHORT OLEAUT32.77A10988
77A10983  2145 08  AND DWORD PTR SS:[EBP+8], EAX
77A10986  EB 06  JMP SHORT OLEAUT32.77A1098E
77A10988  8B40 FC  MOV EAX, DWORD PTR DS:[EAX-4]
77A1098B  8945 08  MOV DWORD PTR SS:[EBP+8], EAX
77A1098E  8B45 08  MOV EAX, DWORD PTR SS:[EBP+8]
77A10991  03C3  ADD EAX, EBX
77A10993  50  PUSH EAX
77A10994  6A 00  PUSH 0
77A10996  E8 F589FAFF  CALL OLEAUT32.SysAllocStringByteLen
77A1099B  8B4D 10  MOV ECX, DWORD PTR SS:[EBP+10]
77A1099E  85C0  TEST EAX, EAX
77A109A0  8901  MOV DWORD PTR DS:[ECX], EAX
77A109A2  75 07  JNZ SHORT OLEAUT32.77A109AB
77A109A4  B8 0E000780  MOV EAX, 8007000E
77A109A9  EB 2B  JMP SHORT OLEAUT32.77A109D6
77A109AB  8BCB  MOV ECX, EBX
77A109AD  8BF8  MOV EDI, EAX
77A109AF  8BD1  MOV EDX, ECX
77A109B1  C1E9 02  SHR ECX, 2
77A109B4  F3:A5  REP MOVS DWORD PTR ES:[EDI], DWORD P>
77A109B6  8BCA  MOV ECX, EDX
77A109B8  83E1 03  AND ECX, 3
77A109BB  F3:A4  REP MOVS BYTE PTR ES:[EDI], BYTE PTR>
77A109BD  8B4D 08  MOV ECX, DWORD PTR SS:[EBP+8]
77A109C0  8B75 0C  MOV ESI, DWORD PTR SS:[EBP+C]
77A109C3  8D3C18  LEA EDI, DWORD PTR DS:[EAX+EBX]
77A109C6  8BC1  MOV EAX, ECX
77A109C8  C1E9 02  SHR ECX, 2
77A109CB  F3:A5  REP MOVS DWORD PTR ES:[EDI], DWORD P>
77A109CD  8BC8  MOV ECX, EAX
77A109CF  83E1 03  AND ECX, 3
77A109D2  33C0  XOR EAX, EAX
77A109D4  F3:A4  REP MOVS BYTE PTR ES:[EDI], BYTE PTR>
77A109D6  5F  POP EDI
77A109D7  5E  POP ESI
77A109D8  5B  POP EBX
77A109D9  5D  POP EBP
77A109DA  C2 0C00  RETN 0C
// what the concatenation function does in detail
RETN<---------
|
00404B5C  . 50  PUSH EAX
00404B5D  . FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
00404B63  . 8BD0  MOV EDX, EAX
00404B65  . 8D4D D8  LEA ECX, DWORD PTR SS:[EBP-28]
00404B68  . FFD3  CALL EBX
00404B6A  . 8D95 6CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-94]
00404B70  . 8D85 7CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-84]
00404B76  . 52  PUSH EDX
00404B77  . 8D4D 8C  LEA ECX, DWORD PTR SS:[EBP-74]
00404B7A  . 50  PUSH EAX
00404B7B  . 8D55 9C  LEA EDX, DWORD PTR SS:[EBP-64]
00404B7E  . 51  PUSH ECX
00404B7F  . 52  PUSH EDX
00404B80  . 6A 04  PUSH 4
00404B82  . FF15 18104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
00404B88  . 8B45 D8  MOV EAX, DWORD PTR SS:[EBP-28]
00404B8B  . 8BF7  MOV ESI, EDI
00404B8D  . 83C4 14  ADD ESP, 14
00404B90  . 83C6 06  ADD ESI, 6
00404B93  . 0F80 E3010000  JO Register.00404D7C
00404B99  . 81FE C9000000  CMP ESI, 0C9
00404B9F  . 8985 44FFFFFF  MOV DWORD PTR SS:[EBP-BC], EAX
00404BA5  . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4], 8
00404BAF  . C745 94 01000>MOV DWORD PTR SS:[EBP-6C], 1
00404BB6  . C745 8C 02000>MOV DWORD PTR SS:[EBP-74], 2
00404BBD  . 72 06  JB SHORT Register.00404BC5
00404BBF  . FF15 6C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
00404BC5  > 8BC7  MOV EAX, EDI
00404BC7  . 83C0 07  ADD EAX, 7
00404BCA  . 0F80 AC010000  JO Register.00404D7C
00404BD0  . 3D C9000000  CMP EAX, 0C9
00404BD5  . 8985 30FFFFFF  MOV DWORD PTR SS:[EBP-D0], EAX
00404BDB  . 72 06  JB SHORT Register.00404BE3
00404BDD  . FF15 6C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaGe>
00404BE3  > 8D95 5CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-A4]
00404BE9  . 8D4D 9C  LEA ECX, DWORD PTR SS:[EBP-64]
00404BEC  . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C], Register.>  ; UNICODE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789oc4"
00404BF6  . C785 5CFFFFFF>MOV DWORD PTR SS:[EBP-A4], 8
00404C00  . FF15 F4104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404C06  . 8B45 CC  MOV EAX, DWORD PTR SS:[EBP-34]
00404C09  . 8D4D 8C  LEA ECX, DWORD PTR SS:[EBP-74]
00404C0C  . 51  PUSH ECX
00404C0D  . 66:33C9  XOR CX, CX
00404C10  . 8A1430  MOV DL, BYTE PTR DS:[EAX+ESI]
00404C13  . 80E2 03  AND DL, 3
00404C16  . 8ACA  MOV CL, DL
00404C18  . 8B95 30FFFFFF  MOV EDX, DWORD PTR SS:[EBP-D0]
00404C1E  . 66:6BC9 10  IMUL CX, CX, 10
00404C22  . 8A0410  MOV AL, BYTE PTR DS:[EAX+EDX]
00404C25  . 0F80 51010000  JO Register.00404D7C
00404C2B  . C0E8 04  SHR AL, 4
00404C2E  . 66:33D2  XOR DX, DX
00404C31  . 8AD0  MOV DL, AL
00404C33  . 0BCA  OR ECX, EDX
00404C35  . 8D95 7CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-84]
00404C3B  . 66:83C1 01  ADD CX, 1
00404C3F  . 0F80 37010000  JO Register.00404D7C
00404C45  . 0FBFC1  MOVSX EAX, CX
00404C48  . 8D4D 9C  LEA ECX, DWORD PTR SS:[EBP-64]
00404C4B  . 50  PUSH EAX
00404C4C  . 51  PUSH ECX
00404C4D  . 52  PUSH EDX
00404C4E  . FF15 60104000  CALL DWORD PTR DS:[<&MSVBVM60.#632>]
00404C54  . 8D85 3CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-C4]
00404C5A  . 8D8D 7CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-84]
00404C60  . 50  PUSH EAX
00404C61  . 8D95 6CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-94]
00404C67  . 51  PUSH ECX
00404C68  . 52  PUSH EDX
00404C69  . FF15 EC104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVa>
00404C6F  . 50  PUSH EAX
00404C70  . FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
00404C76  . 8BD0  MOV EDX, EAX
00404C78  . 8D4D D8  LEA ECX, DWORD PTR SS:[EBP-28]
00404C7B  . FFD3  CALL EBX
00404C7D  . 8D85 6CFFFFFF  LEA EAX, DWORD PTR SS:[EBP-94]
00404C83  . 8D8D 7CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-84]
00404C89  . 50  PUSH EAX
00404C8A  . 8D55 8C  LEA EDX, DWORD PTR SS:[EBP-74]
00404C8D  . 51  PUSH ECX
00404C8E  . 8D45 9C  LEA EAX, DWORD PTR SS:[EBP-64]
00404C91  . 52  PUSH EDX
00404C92  . 50  PUSH EAX
00404C93  . 6A 04  PUSH 4
00404C95  . FF15 18104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
00404C9B  . 83C4 14  ADD ESP, 14
00404C9E  . 83FF 14  CMP EDI, 14
00404CA1  . 74 16  JE SHORT Register.00404CB9
00404CA3  . 8B4D D8  MOV ECX, DWORD PTR SS:[EBP-28]
00404CA6  . 51  PUSH ECX
00404CA7  . 68 8C2F4000  PUSH Register.00402F8C
00404CAC  . FF15 2C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
00404CB2  . 8BD0  MOV EDX, EAX
00404CB4  . 8D4D D8  LEA ECX, DWORD PTR SS:[EBP-28]
00404CB7  . FFD3  CALL EBX
00404CB9  > B8 05000000  MOV EAX, 5  <--- each loop iteration takes 5 characters
00404CBE  . 03C7  ADD EAX, EDI
00404CC0  . 0F80 B6000000  JO Register.00404D7C
00404CC6  . 8BF8  MOV EDI, EAX
00404CC8  .^ E9 DCFAFFFF  JMP Register.004047A9  <--- loop back to compute and fetch the next characters
00404CCD  > 8B55 B0  MOV EDX, DWORD PTR SS:[EBP-50]
00404CD0  . 52  PUSH EDX
00404CD1  . E8 5AE1FFFF  CALL Register.00402E30
00404CD6  . 8B35 30104000  MOV ESI, DWORD PTR DS:[<&MSVBVM60.__>
00404CDC  . FFD6  CALL ESI
00404CDE  . 8B45 E8  MOV EAX, DWORD PTR SS:[EBP-18]
00404CE1  . 50  PUSH EAX
00404CE2  . E8 91E1FFFF  CALL Register.00402E78
00404CE7  . FFD6  CALL ESI
00404CE9  . 8B55 D8  MOV EDX, DWORD PTR SS:[EBP-28]  ; EDX<--00145CA4 UNICODE "HsLcA-GtvGa-pwPwm-HlrId-xh1P"<-- the correct registration code
00404CEC  . 8D4D DC  LEA ECX, DWORD PTR SS:[EBP-24]
00404CEF  . FF15 D0104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaSt>
00404CF5  > 68 5F4D4000  PUSH Register.00404D5F
00404CFA  . EB 3A  JMP SHORT Register.00404D36
00404CFC  . F645 FC 04  TEST BYTE PTR SS:[EBP-4], 4
00404D00  . 74 09  JE SHORT Register.00404D0B
00404D02  . 8D4D DC  LEA ECX, DWORD PTR SS:[EBP-24]
00404D05  . FF15 24114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
00404D0B  > 8D4D AC  LEA ECX, DWORD PTR SS:[EBP-54]
00404D0E  . FF15 24114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFr>
00404D14  . 8D8D 6CFFFFFF  LEA ECX, DWORD PTR SS:[EBP-94]
00404D1A  . 8D95 7CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-84]
00404D20  . 51  PUSH ECX
00404D21  . 8D45 8C  LEA EAX, DWORD PTR SS:[EBP-74]
00404D24  . 52  PUSH EDX
00404D25  . 8D4D 9C  LEA ECX, DWORD PTR SS:[EBP-64]
00404D28  . 50  PUSH EAX
00404D29  . 51  PUSH ECX
00404D2A  . 6A 04  PUSH 4
RETN<---------
|
00405557  . 8B55 E0  MOV EDX, DWORD PTR SS:[EBP-20]  ; EDX<--SS:[12F648]=00145CA4,(UNICODE "HsLcA-GtvGa-pwPwm-HlrId-xh1P3")<--CODE
0040555A  . 8D4D E8  LEA ECX, DWORD PTR SS:[EBP-18]
0040555D  . C745 E0 00000>MOV DWORD PTR SS:[EBP-20], 0
00405564  . FF15 14114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMov>
0040556A  . 8D4D E4  LEA ECX, DWORD PTR SS:[EBP-1C]
0040556D  . FF15 24114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeSt>
00405573  . 8D4D DC  LEA ECX, DWORD PTR SS:[EBP-24]
00405576  . FF15 28114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeOb>
0040557C  . 8B0E  MOV ECX, DWORD PTR DS:[ESI]
0040557E  . 56  PUSH ESI
0040557F  . FF91 00030000  CALL DWORD PTR DS:[ECX+300]
00405585  . 8D55 DC  LEA EDX, DWORD PTR SS:[EBP-24]
00405588  . 50  PUSH EAX
00405589  . 52  PUSH EDX
0040558A  . FFD3  CALL EBX
0040558C  . 8BF8  MOV EDI, EAX
0040558E  . 8D4D E4  LEA ECX, DWORD PTR SS:[EBP-1C]
00405591  . 51  PUSH ECX
00405592  . 57  PUSH EDI
00405593  . 8B07  MOV EAX, DWORD PTR DS:[EDI]
00405595  . FF90 A0000000  CALL DWORD PTR DS:[EAX+A0]
0040559B  . 85C0  TEST EAX, EAX
0040559D  . DBE2  FCLEX
0040559F  . 7D 12  JGE SHORT Register.004055B3
004055A1  . 68 A0000000  PUSH 0A0
004055A6  . 68 AC2F4000  PUSH Register.00402FAC
004055AB  . 57  PUSH EDI
004055AC  . 50  PUSH EAX
004055AD  . FF15 34104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresul>
004055B3  > 8B55 E4  MOV EDX, DWORD PTR SS:[EBP-1C]  ; EDX<--00147114,(UNICODE "78945-61230-01234-56789-14725")<-- trial code
004055B6  . 8B45 E8  MOV EAX, DWORD PTR SS:[EBP-18]  ; EAX<--00145CA4,(UNICODE "HsLcA-GtvGa-pwPwm-HlrId-xh1P3")<--CODE
004055B9  . 52  PUSH EDX
004055BA  . 50  PUSH EAX
004055BB  . 6A 00  PUSH 0
004055BD  . FF15 F8104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCom>  <-- the comparison function
004055C3  . 66:8BF8  MOV DI, AX
004055C6  . 8D4D E4  LEA ECX, DWORD PTR SS:[EBP-1C]
004055C9  . 66:F7DF  NEG DI
004055CC  . 1BFF  SBB EDI, EDI
004055CE  . 47  INC EDI
004055CF  . F7DF  NEG EDI
004055D1  . FF15 24114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeSt>
004055D7  . 8D4D DC  LEA ECX, DWORD PTR SS:[EBP-24]
004055DA  . FF15 28114000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeOb>
004055E0  . B9 04000280  MOV ECX, 80020004
004055E5  . B8 0A000000  MOV EAX, 0A
004055EA  . 66:85FF  TEST DI, DI  ; the key comparison
004055ED  . 894D A4  MOV DWORD PTR SS:[EBP-5C], ECX
004055F0  . 8945 9C  MOV DWORD PTR SS:[EBP-64], EAX
004055F3  . 894D B4  MOV DWORD PTR SS:[EBP-4C], ECX
004055F6  . 8945 AC  MOV DWORD PTR SS:[EBP-54], EAX
004055F9  0F84 21010000  JE Register.00405720  ; the key jump
004055FF  . 8B1D F4104000  MOV EBX, DWORD PTR DS:[<&MSVBVM60.__vbaV>
00405605  . BF 08000000  MOV EDI, 8
0040560A  . 8D95 7CFFFFFF  LEA EDX, DWORD PTR SS:[EBP-84]
00405610  . 8D4D BC  LEA ECX, DWORD PTR SS:[EBP-44]
00405613  . C745 84 48304>MOV DWORD PTR SS:[EBP-7C], Register.0040>
0040561A  . 89BD 7CFFFFFF  MOV DWORD PTR SS:[EBP-84], EDI
00405620  . FFD3  CALL EBX
00405622  . 8D55 8C  LEA EDX, DWORD PTR SS:[EBP-74]
00405625  . 8D4D CC  LEA ECX, DWORD PTR SS:[EBP-34]
00405628  . C745 94 14304>MOV DWORD PTR SS:[EBP-6C], Register.0040>
0040562F  . 897D 8C  MOV DWORD PTR SS:[EBP-74], EDI
00405632  . FFD3  CALL EBX
====================================================
The demonstration above is only my personal view and may contain errors. Please bear with me.
by fxyang[OCN]
2003.4.14
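
An added example, not part of the original article: a small C model of the MOV DI,AX / NEG DI / SBB EDI,EDI / INC EDI / NEG EDI sequence at 004055C3 to 004055CF, showing how the integer returned by the comparison call becomes the VB Boolean that TEST DI,DI and the JE at 004055F9 act on. It assumes __vbaStrComp returns 0 for equal strings, as VB's StrComp does; the type and function names are hypothetical and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Just enough x86 state for this idiom: EDI and the carry flag. */
typedef struct { uint32_t edi; int cf; } cpu_t;

/* MOV DI, AX: writes the low word only; the high word keeps its old value. */
static void mov_di(cpu_t *c, uint16_t ax) { c->edi = (c->edi & 0xFFFF0000u) | ax; }

/* NEG DI (66:F7DF): negate the low word; CF = 1 unless the operand was 0. */
static void neg_di(cpu_t *c) {
    uint16_t di = (uint16_t)c->edi;
    c->cf = (di != 0);
    c->edi = (c->edi & 0xFFFF0000u) | (uint16_t)(0u - di);
}

/* SBB EDI, EDI: EDI - EDI - CF, so 0 or 0xFFFFFFFF; the stale high word
   disappears and CF keeps its value (a borrow occurs exactly when CF was 1). */
static void sbb_edi_edi(cpu_t *c) { c->edi = 0u - (uint32_t)c->cf; }

/* INC EDI leaves CF untouched. */
static void inc_edi(cpu_t *c) { c->edi += 1u; }

/* NEG EDI: CF = 1 unless the operand was 0. */
static void neg_edi(cpu_t *c) { c->cf = (c->edi != 0); c->edi = 0u - c->edi; }

/* Replays 004055C3..004055CF and returns DI as seen by TEST DI, DI. */
uint16_t vb_bool_from_strcomp(uint16_t ax, uint32_t edi_before) {
    cpu_t c = { edi_before, 0 };
    mov_di(&c, ax);
    neg_di(&c);
    sbb_edi_edi(&c);
    inc_edi(&c);
    neg_edi(&c);
    return (uint16_t)c.edi;
}

/* JE at 004055F9 is taken when TEST DI, DI sets ZF, i.e. when DI == 0. */
int je_taken(uint16_t ax, uint32_t edi_before) {
    return vb_bool_from_strcomp(ax, edi_before) == 0;
}

int main(void) {
    /* Constructed inputs: StrComp-style results 0, 1 and -1 (0xFFFF in AX). */
    const uint16_t results[] = { 0x0000, 0x0001, 0xFFFF };
    for (int i = 0; i < 3; i++) {
        uint16_t di = vb_bool_from_strcomp(results[i], 0xDEAD0000u);
        printf("AX=%04X -> DI=%04X, JE %s\n", (unsigned)results[i], (unsigned)di,
               je_taken(results[i], 0xDEAD0000u) ? "taken" : "not taken");
    }
    return 0;
}
```

A result of 0 yields DI = FFFF (VB True) and the JE falls through; any non-zero result yields DI = 0 and the JE is taken, whatever EDI held beforehand.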