【分析过程】
经查,为无壳vb6程序,Native Code. 用wdasm返回编后查到字符串如下:
* Possible StringData Ref from Code Obj ->"RRegistration Successful"
|
:00472002 C7854CFFFFFF1C434100 mov dword ptr [ebp+FFFFFF4C], 0041431C
======================================================
* Possible StringData Ref from Code Obj ->"RRegistration Failed"
|
:004723F2 C7854CFFFFFFA0434100 mov dword ptr [ebp+FFFFFF4C], 004143A0
从这个地址开始往上找,发现如下代码:
:00471B4B 57 push edi
:00471B4C 50 push eax
:00471B4D E8DEA8FCFF call 0043C430 <========== 关键计算
:00471B52 8D4DD4 lea ecx, dword ptr [ebp-2C]
:00471B55 66894338 mov word ptr [ebx+38], ax <=========返回值在此
==========================================================
:00471C21 66837B38FF cmp word ptr [ebx+38], FFFF
:00471C26 0F857F070000 jne 004723AB <========= 跳去显示注册失败消息
=============================================================
* Possible StringData Ref from Code Obj ->"PPW"
|
:00471C94 6870104100 push 00411070
* Possible StringData Ref from Code Obj ->"DData"
|
:00471C99 680C0F4100 push 00410F0C
:00471C9E 51 push ecx
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
|
:00471C9F FF1508104000 Call dword ptr [00401008] <============保存注册信息
可见,只要关键call 43C430 返回-1就算注册成功。如果就此进行爆破,可以显示注册成功消息,但重新启动之后仍然是未注册版本。用OD跟入此函数,结果如下:
0043C430 $ 55 PUSH EBP
0043C431 . 8BEC MOV EBP,ESP
0043C433 . 83EC 08 SUB ESP,8
0043C436 . 68 36314000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0043C43B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043C441 . 50 PUSH EAX
0043C442 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0043C449 . 81EC 50010000 SUB ESP,150
0043C44F . 53 PUSH EBX
0043C450 . 56 PUSH ESI
0043C451 . 57 PUSH EDI
0043C452 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0043C455 . C745 FC F81B40>MOV DWORD PTR SS:[EBP-4],CollegeB.00401B>
0043C45C . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; 取得注册名字
0043C45F . 33F6 XOR ESI,ESI
0043C461 . 8975 EC MOV DWORD PTR SS:[EBP-14],ESI
0043C464 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
0043C467 . 8B08 MOV ECX,DWORD PTR DS:[EAX] ; name
0043C469 . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0043C46C . 51 PUSH ECX ; name
0043C46D . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI ; initialize local vars
0043C470 . 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
0043C473 . 8975 C4 MOV DWORD PTR SS:[EBP-3C],ESI
0043C476 . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI
0043C479 . 8975 B0 MOV DWORD PTR SS:[EBP-50],ESI
0043C47C . 8975 A0 MOV DWORD PTR SS:[EBP-60],ESI
0043C47F . 8975 90 MOV DWORD PTR SS:[EBP-70],ESI
0043C482 . 8975 80 MOV DWORD PTR SS:[EBP-80],ESI
0043C485 . 89B5 70FFFFFF MOV DWORD PTR SS:[EBP-90],ESI
0043C48B . 89B5 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ESI
0043C491 . 89B5 50FFFFFF MOV DWORD PTR SS:[EBP-B0],ESI
0043C497 . 89B5 40FFFFFF MOV DWORD PTR SS:[EBP-C0],ESI
0043C49D . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;注册名字长度
0043C4A3 . 85C0 TEST EAX,EAX ; string length 0A (name)
0043C4A5 . 0F84 A00C0000 JE CollegeB.0043D14B
0043C4AB . 8B3D C8124000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0043C4B1 . 8B1D 34104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarMove
0043C4B7 > 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0043C4BA . 52 PUSH EDX
0043C4BB . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0043C4C1 . 83F8 29 CMP EAX,29 ; 看长度是否达到 0x29 字节
0043C4C4 . 0F8D 81000000 JGE CollegeB.0043C54B ;若够长就继续
0043C4CA . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; name
0043C4CD . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; 0
0043C4D0 . 56 PUSH ESI ; 0 == 设置二进制比较
0043C4D1 . 6A FF PUSH -1 ; replace any
0043C4D3 . 8B11 MOV EDX,DWORD PTR DS:[ECX] ; name
0043C4D5 . 6A 01 PUSH 1 ; start from beginning (char 1)
0043C4D7 . 68 44104100 PUSH CollegeB.00411044 ; 0
0043C4DC . 68 40154100 PUSH CollegeB.00411540 ; 0x20, 空格
0043C4E1 . 52 PUSH EDX ; name
0043C4E2 . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX ; 0
0043C4E8 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],8 ; 8
0043C4F2 . FF15 C4114000 CALL rtcReplace ; 把名字中所有的空格都用NULL字符代替
0043C4F8 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
0043C4FB . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C4FE . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C501 . 50 PUSH EAX ; 0
0043C502 . 51 PUSH ECX ; 0
0043C503 . C745 B0 080000>MOV DWORD PTR SS:[EBP-50],8
0043C50A . FF15 28114000 CALL MSVBVM60.rtcUpperCaseVar ;字母全部变成大写
0043C510 . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0043C516 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0043C519 . 52 PUSH EDX
0043C51A . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0043C51D . 50 PUSH EAX
0043C51E . 51 PUSH ECX
0043C51F . FF15 0C124000 CALL MSVBVM60.__vbaVarCat ;名字重复连接起来
0043C525 . 50 PUSH EAX
0043C526 . FFD3 CALL EBX
0043C528 . 8BD0 MOV EDX,EAX
0043C52A . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0043C52D . FFD7 CALL EDI
0043C52F . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0043C532 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0043C535 . 52 PUSH EDX
0043C536 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C539 . 50 PUSH EAX
0043C53A . 51 PUSH ECX
0043C53B . 6A 03 PUSH 3
0043C53D . FF15 44104000 CALL MSVBVM60.__vbaFreeVarList ;释放临时变量
0043C543 . 83C4 10 ADD ESP,10
0043C546 .^E9 6CFFFFFF JMP CollegeB.0043C4B7 ;跳回去检查是否已到0x29个字符长
0043C54B > 8B3D 58104000 MOV EDI, MSVBVM60.rtcAnsivalueBstr
0043C551 . 8B1D 08124000 MOV EBX,MSVBVM60.__vbaStrVarVal;将函数地址装入寄存器
0043C557 . 66:B8 0100 MOV AX,1 ;字符索引从1开始
0043C55B . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0043C55E . 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI
0043C561 . 8B35 0C114000 MOV ESI, MSVBVM60.rtcMidCharVar
0043C567 . C745 D0 030000>MOV DWORD PTR SS:[EBP-30],3 ;内定常数
0043C56E . 66:A3 58A04800 MOV WORD PTR DS:[48A058],AX
0043C574 > B9 28000000 MOV ECX,28 ; 总共要处理的字符数
0043C579 . 66:3BC1 CMP AX,CX ;是否已处理完毕
0043C57C . 0F8F 30010000 JG CollegeB.0043C6B2 ;处理完则继续
0043C582 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C585 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; 装入联接好的够长的字符串
0043C588 . 50 PUSH EAX
0043C589 . B8 19000000 MOV EAX,19 ;第0x19个字符
0043C58E . 0FBFC8 MOVSX ECX,AX
0043C591 . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX ; linked name
0043C597 . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0] ; 8
0043C59D . 51 PUSH ECX ; 19
0043C59E . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0043C5A1 . 52 PUSH EDX
0043C5A2 . 50 PUSH EAX
0043C5A3 . C745 B8 010000>MOV DWORD PTR SS:[EBP-48],1
0043C5AA . C745 B0 020000>MOV DWORD PTR SS:[EBP-50],2
0043C5B1 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4008
0043C5BB . FFD6 CALL ESI ; rtcMidCharVar: 取第 0x19 个字符
0043C5BD . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C5C0 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0043C5C3 . 51 PUSH ECX
0043C5C4 . 52 PUSH EDX
0043C5C5 . FFD3 CALL EBX ; __vbaStrVarVal
0043C5C7 . 50 PUSH EAX ; returned 'Z' = 5A
0043C5C8 . FFD7 CALL EDI ; rtcAnsivalueBStr: 专程ascii码数字
0043C5CA . 0FBF15 58A0480>MOVSX EDX,WORD PTR DS:[48A058] ; 字符索引
0043C5D1 . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX ; 第0x19个字符的ascii码
0043C5D7 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] ; 名字串
0043C5DA . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0043C5DD . 8985 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EAX
0043C5E3 . 51 PUSH ECX
0043C5E4 . 8D85 40FFFFFF LEA EAX,DWORD PTR SS:[EBP-C0]
0043C5EA . 52 PUSH EDX ;字符索引
0043C5EB . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0043C5EE . 50 PUSH EAX
0043C5EF . 51 PUSH ECX
0043C5F0 . C745 98 010000>MOV DWORD PTR SS:[EBP-68],1
0043C5F7 . C745 90 020000>MOV DWORD PTR SS:[EBP-70],2
0043C5FE . C785 40FFFFFF >MOV DWORD PTR SS:[EBP-C0],4008
0043C608 . FFD6 CALL ESI ; rtcMidCharVar:取被索引的字符
0043C60A . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0043C60D . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0043C610 . 52 PUSH EDX
0043C611 . 50 PUSH EAX
0043C612 . FFD3 CALL EBX ;类型转换:variant -> string
0043C614 . 50 PUSH EAX
0043C615 . FFD7 CALL EDI ;取ascii码
0043C617 . 66:0FAF85 2CFF>IMUL AX,WORD PTR SS:[EBP-D4] ;乘以第0x19个字符的ascii码
0043C61F . B9 703D0040 MOV ECX,40003D70 ; constant
0043C624 . 51 PUSH ECX
0043C625 . B9 3D0AD7A3 MOV ECX,A3D70A3D
0043C62A . 51 PUSH ECX ; 这两个常数在堆栈上形成浮点数2.03
0043C62B . 0F80 7B0B0000 JO CollegeB.0043D1AC ;若溢出则跳去抛出异常
0043C631 . 0FBFC8 MOVSX ECX,AX;乘积在此
0043C634 . 898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX;存入临时变量
0043C63A . DB85 FCFEFFFF FILD DWORD PTR SS:[EBP-104] ; FPU 作为整数载入
0043C640 . DD9D F4FEFFFF FSTP QWORD PTR SS:[EBP-10C] ; 转存成双精度实数
0043C646 . 8B95 F8FEFFFF MOV EDX,DWORD PTR SS:[EBP-108] ; high word in edx
0043C64C . 8B85 F4FEFFFF MOV EAX,DWORD PTR SS:[EBP-10C] ; low word in eax
0043C652 . 52 PUSH EDX ; 将此实数压入堆栈
0043C653 . 50 PUSH EAX
0043C654 FF15 68124000 CALL MSVBVM60.__vbaPoweR8 ; 计算其2.03次幂
0043C65A DC45 D4 FADD QWORD PTR SS:[EBP-2C] ; 加上此处的double值
0043C65D 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0043C660 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0043C663 . 51 PUSH ECX
0043C664 . 52 PUSH EDX
0043C665 . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ;结果存回此地址,暗示这里加和运算
0043C668 . DFE0 FSTSW AX ; 协处理器状态字检查有无溢出
0043C66A . A8 0D TEST AL,0D
0043C66C . 0F85 350B0000 JNZ CollegeB.0043D1A7
0043C672 . 6A 02 PUSH 2
0043C674 . FF15 60124000 CALL MSVBVM60.__vbaFreeStrList
0043C67A . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0043C67D . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0043C680 . 50 PUSH EAX
0043C681 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0043C684 . 51 PUSH ECX
0043C685 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C688 . 52 PUSH EDX
0043C689 . 50 PUSH EAX
0043C68A . 6A 04 PUSH 4
0043C68C . FF15 44104000 CALL MSVBVM60.__vbaFreeVarList ;释放临时变量
0043C692 . 83C4 20 ADD ESP,20
0043C695 . B8 01000000 MOV EAX,1
0043C69A . 66:0305 58A048>ADD AX,WORD PTR DS:[48A058] ;字符索引加1
0043C6A1 . 0F80 050B0000 JO CollegeB.0043D1AC ;溢出则出错
0043C6A7 . 66:A3 58A04800 MOV WORD PTR DS:[48A058],AX ;字符索引存回
0043C6AD .^E9 C2FEFFFF JMP CollegeB.0043C574 ;下一轮
以上代码用串联名字中的第1至第0x28个字符分别与第0x19个字符的相乘并计算结果的2.03次幂,并将所有结果相加,得到一个double值,存在[ebp-2C]处。
0043C6B2 > B8 99000000 MOV EAX,99 ; 常数0x99
0043C6B7 . 0FBFC8 MOVSX ECX,AX
0043C6BA . 898D F0FEFFFF MOV DWORD PTR SS:[EBP-110],ECX
0043C6C0 . DB85 F0FEFFFF FILD DWORD PTR SS:[EBP-110] ; 作为整数载入FPU
0043C6C6 . DD9D E8FEFFFF FSTP QWORD PTR SS:[EBP-118] ; 存成double
0043C6CC . DD85 E8FEFFFF FLD QWORD PTR SS:[EBP-118] ; reload
0043C6D2 . DC45 D4 FADD QWORD PTR SS:[EBP-2C] ; 加上先前的计算结果
0043C6D5 > DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ; 存储新结果
0043C6D8 . DFE0 FSTSW AX
0043C6DA . A8 0D TEST AL,0D ; no abnormal
0043C6DC . 0F85 C50A0000 JNZ CollegeB.0043D1A7
0043C6E2 . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0] ; 一个临时Variant型变量
0043C6E8 . 6A 00 PUSH 0
0043C6EA . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50];存放返回结果的variant变量
0043C6ED . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0043C6F0 . 50 PUSH EAX
0043C6F1 . 51 PUSH ECX
0043C6F2 . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX;使此变量指向计算结果
0043C6F8 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4005;类型为double, 指针访问
0043C702 . FF15 E4114000 CALL rtcRound ;四舍五入取整
0043C708 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50];取整后的结果
0043C70B . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60];存放返回结果的变量
0043C70E . 52 PUSH EDX
0043C70F . 50 PUSH EAX
0043C710 . C785 58FFFFFF >MOV DWORD PTR SS:[EBP-A8],0B ; 常数
0043C71A . C785 50FFFFFF >MOV DWORD PTR SS:[EBP-B0],8002 ;
0043C724 . FF15 84104000 CALL MSVBVM60.__vbaLenVar ;取得取整结果的十进制形式的位数
0043C72A . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
0043C730 . 50 PUSH EAX
0043C731 . 51 PUSH ECX
0043C732 . FF15 F4104000 CALL vbaVarTstLt ;比较是否小于11(0xB)位
0043C738 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50] ; return -1 means arg1 < arg2
0043C73B . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX ;返回0表示不小于
0043C741 . FF15 2C104000 CALL MSVBVM60.__vbaFreeVar
0043C747 . 66:83BD 24FFFF>CMP WORD PTR SS:[EBP-DC],0 ; 是否返回了0?
0043C74F . 74 0A JE SHORT CollegeB.0043C75B ;若是,即已经超过11位,跳走继续
0043C751 . DD45 D4 FLD QWORD PTR SS:[EBP-2C] ;否则将结果加倍
0043C754 . DCC0 FADD ST(0),ST(0)
0043C756 .^E9 7AFFFFFF JMP CollegeB.0043C6D5;直到达到11位
0043C75B > 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0043C761 . 6A 00 PUSH 0
0043C763 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C766 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0043C769 . 50 PUSH EAX
0043C76A . 51 PUSH ECX
0043C76B . 8995 68FFFFFF MOV DWORD PTR SS:[EBP-98],EDX
0043C771 . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4005
0043C77B . FF15 E4114000 CALL MSVBVM60.rtcRound ;取整
0043C781 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0043C784 . 52 PUSH EDX
0043C785 . FF15 6C124000 CALL MSVBVM60.__vbaR8Var ; 类型转换,variant -> R8
0043C78B . DD5D D4 FSTP QWORD PTR SS:[EBP-2C] ;存
0043C78E . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C791 . FF15 2C104000 CALL MSVBVM60.__vbaFreeVar
0043C797 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C] ; rounded value
0043C79A . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0043C79D . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX ; ref to rounded value
0043C7A3 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ;内定常数 3
0043C7A6 . 66:05 0100 ADD AX,1 ;+1得4
0043C7AA . 51 PUSH ECX
0043C7AB . 0F80 FB090000 JO CollegeB.0043D1AC
0043C7B1 . 0FBFD0 MOVSX EDX,AX
0043C7B4 . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0043C7BA . 52 PUSH EDX ;4
0043C7BB . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C7BE . 50 PUSH EAX
0043C7BF . 51 PUSH ECX
0043C7C0 . C745 B8 010000>MOV DWORD PTR SS:[EBP-48],1
0043C7C7 . C745 B0 020000>MOV DWORD PTR SS:[EBP-50],2
0043C7CE . C785 60FFFFFF >MOV DWORD PTR SS:[EBP-A0],4005
0043C7D8 . FFD6 CALL ESI ; rtcMidCharVar ; 取所得结果的十进制形式的左起第4个字符
0043C7DA . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C] ;输入的注册码
0043C7DD . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
0043C7E0 . 50 PUSH EAX
0043C7E1 . B8 19000000 MOV EAX,19
0043C7E6 . 0FBFC8 MOVSX ECX,AX
0043C7E9 . 8995 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EDX
0043C7EF . 8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0043C7F5 . 51 PUSH ECX
0043C7F6 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0043C7F9 . 52 PUSH EDX
0043C7FA . 50 PUSH EAX
0043C7FB . C745 98 010000>MOV DWORD PTR SS:[EBP-68],1
0043C802 . C745 90 020000>MOV DWORD PTR SS:[EBP-70],2
0043C809 . C785 40FFFFFF >MOV DWORD PTR SS:[EBP-C0],4008
0043C813 . FFD6 CALL ESI ; rtcMidCharVar, 注册码的第0x19个字符
0043C815 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C818 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0043C81B . 51 PUSH ECX
0043C81C . 52 PUSH EDX
0043C81D . FF15 38114000 CALL MSVBVM60.__vbaVarTstEq ;比较二者是否相同
0043C823 . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX ; 返回0表示否
0043C829 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0043C82C . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0043C82F . 50 PUSH EAX
0043C830 . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0043C833 . 51 PUSH ECX
0043C834 . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0043C837 . 52 PUSH EDX
0043C838 . 50 PUSH EAX
0043C839 . 6A 04 PUSH 4
0043C83B . FF15 44104000 CALL MSVBVM60.__vbaFreeVarList ;释放临时变量
0043C841 . 33C0 XOR EAX,EAX
0043C843 . 83C4 14 ADD ESP,14
0043C846 . 66:3985 24FFFF>CMP WORD PTR SS:[EBP-DC],AX ; 看比较结果
0043C84D . 74 11 JE SHORT CollegeB.0043C860 ;若不同则跳走
0043C84F . 66:8B4D C8 MOV CX,WORD PTR SS:[EBP-38] ;否则[ebp-38]处的计数器加1
0043C853 . 66:83C1 01 ADD CX,1 ;表示第一轮通过
0043C857 . 0F80 4F090000 JO CollegeB.0043D1AC
0043C85D . 894D C8 MOV DWORD PTR SS:[EBP-38],ECX
0043C860 > 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; 清零复位
0043C863 . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
0043C866 . C745 D0 020000>MOV DWORD PTR SS:[EBP-30],2 ;内定常数
0043C86D . 66:B8 0100 MOV AX,1
0043C871 > B9 28000000 MOV ECX,28
0043C876 . 66:A3 58A04800 MOV WORD PTR DS:[48A058],AX ;字符索引复位至1
以下代码完全相同,只是参数不同。参数共有5个,对于上面的代码来说:[0x19 2.03 0x99 4 0x19]
固定字符索引 = 0x19
乘幂指数 = 2.03
增量常数 = 0x99
结果十进位索引 = 4
注册码字符索引= 0x19
第二轮:[0x4 1.4 0x21f 0x3 0x4]
第三轮:[0xE 2.4 0x3d8 0xA 0xE]
第四轮:[0xD 2.6 0x234 0x5 0xD]
如果4轮全通过,即[ebp-38]处的计数器为4,则:
0043D13B > 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0043D13E > 66:3D 0400 CMP AX,4
0043D142 . 75 07 JNZ SHORT CollegeB.0043D14B
0043D144 . C745 DC FFFFFF>MOV DWORD PTR SS:[EBP-24],-1 ;如全通过, [ebp-24]=-1
设为首页
加入收藏
总编信箱
投稿或申请专栏请先 [登 陆]
