[反汇编练习] 160个CrackMe之017.
本系列文章的目的是从一个没有任何经验的新手的角度(其实就是我自己),一步步尝试将160个CrackMe全部破解,如果可以,通过任何方式写出一个类似于注册机的东西。
其中,文章中按照如下逻辑编排(解决如下问题):
1、使用什么环境和工具
2、程序分析
3、思路分析和破解流程
4、注册机的探索
----------------------------------
提醒各位看客: 如果文章中的逻辑看不明白,那你一定是没有亲手操刀!OD中的跳转提示很强大,只要你跟踪了,不用怎么看代码就理解了!
----------------------------------
1、工具和环境:
WinXP SP3 + 52Pojie六周年纪念版OD + PEID + 汇编金手指。
160个CrackMe的打包文件。
下载地址: http://pan.baidu.com/s/1xUWOY 密码: jbnq
注:
1、Win7系统对于模块和程序开启了随机初始地址的功能,会给分析带来很大的负担,所以不建议使用Win7进行分析。
2、以上工具都是在52PoJie论坛下的原版程序,NOD32不报毒,个人承诺绝对不会进行任何和木马病毒相关内容。
2、程序分析:
想要破解一个程序,必须先了解这个程序。所以,在破解过程中,对最初程序的分析很重要,他可以帮助我们理解作者的目的和意图,特别是对于注册码的处理细节,从而方便我们反向跟踪和推导。
和上一节一样,打开CHM,选择第17个BJCM30A.exe,保存下来。运行程序,程序界面如下:
3、思路分析和破解流程
又见信息框,我很高兴啊!
PEID: Microsoft Visual Basic 5.0 / 6.0
和以前的一样,直接上步骤:
1、打开OD,将exe拖到OD窗口中,等程序暂停后,直接点击运行按钮(F9),不用理会。
2、在exe中输入Key:bbdxf。点击OK按钮,弹出错误信息框,不要关闭。
3、在OD中点击暂停按钮(Ctrl+F12),再点击堆栈K按钮(Ctrl+K),可以看到当前堆栈情况。
在反汇编窗口信息:
00404E30 /0F84 AD000000 je 00404EE3 ; // 关键跳转 00404E36 . |8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVa>; msvbvm60.__vbaVarDup 00404E3C . |B9 04000280 mov ecx,0x80020004 00404E41 . |898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx 00404E47 . |B8 0A000000 mov eax,0xA 00404E4C . |898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx 00404E52 . |8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108] 00404E58 . |8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] 00404E5E . |8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax 00404E64 . |8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax 00404E6A . |C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],00402BB4 ; UNICODE "Correct serial!" 00404E74 . |89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi 00404E7A . |FFD3 call ebx ; <&MSVBVM60.__vbaVarDup> 00404E7C . |8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8] 00404E82 . |8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8] 00404E88 . |C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],00402B68 ; UNICODE "Good job, tell me how you do that!" 00404E92 . |89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi 00404E98 . |FFD3 call ebx 00404E9A . |8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-0xE8] 00404EA0 . |8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8] 00404EA6 . |51 push ecx 00404EA7 . |8D85 38FFFFFF lea eax,dword ptr ss:[ebp-0xC8] 00404EAD . |52 push edx 00404EAE . |50 push eax 00404EAF . |8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8] 00404EB5 . |57 push edi 00404EB6 . |51 push ecx 00404EB7 . |FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; msvbvm60.rtcMsgBox 00404EBD . |8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8] 00404EC3 . |8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8] 00404EC9 . |52 push edx 00404ECA . |8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] 00404ED0 . |50 push eax 00404ED1 . |8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8] 00404ED7 . |51 push ecx 00404ED8 . |52 push edx 00404ED9 . |E9 A8000000 jmp 00404F86 00404EDE > |BE 08000000 mov esi,0x8 00404EE3 > 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVa>; msvbvm60.__vbaVarDup 00404EE9 . B9 04000280 mov ecx,0x80020004 00404EEE . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx 00404EF4 . B8 0A000000 mov eax,0xA 00404EF9 . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx 00404EFF . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108] 00404F05 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] 00404F0B . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax 00404F11 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax 00404F17 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],00402A10 ; UNICODE "Wrong serial!" 00404F21 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi 00404F27 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup> 00404F29 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8] 00404F2F . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8] 00404F35 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],00402BD8 ; UNICODE "Sorry, try again!" 00404F3F . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi 00404F45 . FFD3 call ebx 00404F47 . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8] 00404F4D . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8] 00404F53 . 50 push eax 00404F54 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8] 00404F5A . 51 push ecx 00404F5B . 52 push edx 00404F5C . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8] 00404F62 . 57 push edi 00404F63 . 50 push eax 00404F64 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; msvbvm60.rtcMsgBox
随意向上翻翻,就发现了不同含义的文本,寻找je跳转,哈哈,是不是又被找出来了!
直接选中je 00404EE3 ,右键->Binary->Fill with NOPs.再试试:
哈哈,是不是被爆破了!
4、注册机的探索
写得多了,写到这里就郁闷了!
由于是VB程序,所以注册码比较的关键一般都是那几个文本比较函数,__vbastrcomp,__vbavartsteq,__vbastrcmp等。我们从关键跳转向上浏览,不理解的地方F8跟随:
0040461C . 51 push ecx ; // ecx ="123123" 0040461D . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; msvbvm60.__vbaLenBstr 00404623 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax 00404629 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8] 0040462F . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108] 00404635 . 52 push edx 00404636 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] 0040463C . 50 push eax 0040463D . 8D95 64FEFFFF lea edx,dword ptr ss:[ebp-0x19C] 00404643 . 51 push ecx 00404644 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C] 0040464A . 52 push edx 0040464B . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C] 0040464E . 50 push eax 0040464F . 51 push ecx 00404650 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3 0040465A . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 00404664 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2 ; // for 循环 0040466E . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; msvbvm60.__vbaVarForInit 00404674 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 0040467A . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax 00404680 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr 00404686 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 0040468C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj 00404692 . 8B1D DC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaSt>; msvbvm60.__vbaStrMove 00404698 > 39BD 30FEFFFF cmp dword ptr ss:[ebp-0x1D0],edi ; 1 0 0040469E . 0F84 F5010000 je 00404899 004046A4 . 8B16 mov edx,dword ptr ds:[esi] 004046A6 . 56 push esi 004046A7 . FF92 08030000 call dword ptr ds:[edx+0x308] 004046AD . 50 push eax 004046AE . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4] 004046B4 . 50 push eax 004046B5 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 004046BB . 8B08 mov ecx,dword ptr ds:[eax] 004046BD . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] 004046C3 . 52 push edx 004046C4 . 50 push eax 004046C5 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax 004046CB . FF91 A0000000 call dword ptr ds:[ecx+0xA0] 004046D1 . 3BC7 cmp eax,edi 004046D3 . DBE2 fclex 004046D5 . 7D 18 jge short 004046EF 004046D7 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C] 004046DD . 68 A0000000 push 0xA0 004046E2 . 68 442B4000 push 00402B44 004046E7 . 51 push ecx 004046E8 . 50 push eax 004046E9 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 004046EF > 8B16 mov edx,dword ptr ds:[esi] 004046F1 . 56 push esi 004046F2 . FF92 08030000 call dword ptr ds:[edx+0x308] 004046F8 . 50 push eax 004046F9 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8] 004046FF . 50 push eax 00404700 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 00404706 . 8B08 mov ecx,dword ptr ds:[eax] 00404708 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88] 0040470E . 52 push edx 0040470F . 50 push eax 00404710 . 8985 CCFEFFFF mov dword ptr ss:[ebp-0x134],eax 00404716 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] 0040471C . 3BC7 cmp eax,edi 0040471E . DBE2 fclex 00404720 . 7D 18 jge short 0040473A 00404722 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134] 00404728 . 68 A0000000 push 0xA0 0040472D . 68 442B4000 push 00402B44 00404732 . 51 push ecx 00404733 . 50 push eax 00404734 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 0040473A > B8 01000000 mov eax,0x1 0040473F . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8] 00404745 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax 0040474B . 8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],eax 00404751 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax 00404757 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] 0040475A . B9 02000000 mov ecx,0x2 0040475F . 52 push edx ; 1 00404760 . 50 push eax ; 1 00404761 . 898D 48FFFFFF mov dword ptr ss:[ebp-0xB8],ecx 00404767 . 898D 28FFFFFF mov dword ptr ss:[ebp-0xD8],ecx 0040476D . 898D F8FEFFFF mov dword ptr ss:[ebp-0x108],ecx 00404773 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>; msvbvm60.__vbaI4Var 00404779 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] 0040477F . 8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.#631>] ; msvbvm60.rtcMidCharBstr 00404785 . 50 push eax ; // eax = 1 2 3 00404786 . 51 push ecx ; // ecx ="123123" 00404787 . FFD7 call edi ; msvbvm60.rtcMidCharBstr; <&MSVBVM60.#631> 00404789 . 8BD0 mov edx,eax ; // eax = "1" "2" "3" 0040478B . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] 00404791 . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404793 . 50 push eax ; // eax = "1" "2" 00404794 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8] 0040479A . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] 0040479D . 52 push edx ; 1 0040479E . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108] 004047A4 . 50 push eax ; 1 004047A5 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8] 004047AB . 51 push ecx ; 1 004047AC . 52 push edx ; -1 004047AD . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAd>; msvbvm60.__vbaVarAdd 004047B3 . 50 push eax 004047B4 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>; msvbvm60.__vbaI4Var 004047BA . 50 push eax ; // eax = 2 3 4 004047BB . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88] 004047C1 . 50 push eax ; // eax = "123123" 004047C2 . FFD7 call edi ; msvbvm60.rtcMidCharBstr 004047C4 . 8BD0 mov edx,eax ; // eax = "2" "3" "1" 004047C6 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] 004047CC . FFD3 call ebx ; msvbvm60.__vbaStrMove 004047CE . 50 push eax 004047CF . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; msvbvm60.__vbaStrCmp 004047D5 . 8BF8 mov edi,eax ; eax = -1 004047D7 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] 004047DD . F7DF neg edi 004047DF . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C] 004047E5 . 51 push ecx 004047E6 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88] 004047EC . 52 push edx 004047ED . 1BFF sbb edi,edi 004047EF . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 004047F5 . 50 push eax 004047F6 . 47 inc edi 004047F7 . 51 push ecx 004047F8 . 6A 04 push 0x4 004047FA . F7DF neg edi 004047FC . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList 00404802 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8] 00404808 . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4] 0040480E . 52 push edx 0040480F . 50 push eax 00404810 . 6A 02 push 0x2 00404812 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObjList 00404818 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8] 0040481E . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8] 00404824 . 51 push ecx 00404825 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8] 0040482B . 52 push edx 0040482C . 50 push eax 0040482D . 6A 03 push 0x3 0040482F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList 00404835 . 83C4 30 add esp,0x30 00404838 . 66:85FF test di,di 0040483B . 74 37 je short 00404874 0040483D . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] 00404840 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8] 00404846 . 51 push ecx 00404847 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8] 0040484D . 52 push edx 0040484E . 50 push eax 0040484F . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1 00404859 . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x2 00404863 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAd>; msvbvm60.__vbaVarAdd 00404869 . 8BD0 mov edx,eax 0040486B . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] 0040486E . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMo>; msvbvm60.__vbaVarMove 00404874 > 8D8D 64FEFFFF lea ecx,dword ptr ss:[ebp-0x19C] 0040487A . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C] 00404880 . 51 push ecx 00404881 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] 00404884 . 52 push edx 00404885 . 50 push eax 00404886 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; msvbvm60.__vbaVarForNext 0040488C . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax 00404892 . 33FF xor edi,edi 00404894 .^ E9 FFFDFFFF jmp 00404698 ; // for 循环 00404899 > 8B0E mov ecx,dword ptr ds:[esi] 0040489B . 56 push esi 0040489C . FF91 08030000 call dword ptr ds:[ecx+0x308] 004048A2 . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4] 004048A8 . 50 push eax 004048A9 . 52 push edx 004048AA . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 004048B0 . 8B08 mov ecx,dword ptr ds:[eax] 004048B2 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] 004048B8 . 52 push edx 004048B9 . 50 push eax 004048BA . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax 004048C0 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] 004048C6 . 3BC7 cmp eax,edi 004048C8 . DBE2 fclex 004048CA . 7D 18 jge short 004048E4 004048CC . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C] 004048D2 . 68 A0000000 push 0xA0 004048D7 . 68 442B4000 push 00402B44 004048DC . 51 push ecx 004048DD . 50 push eax 004048DE . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 004048E4 > 8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] 004048EA . 52 push edx 004048EB . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; msvbvm60.__vbaLenBstr 004048F1 . 83E8 01 sub eax,0x1 004048F4 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-0xF8] 004048FA . 0F80 AA070000 jo 004050AA ; // 溢出错误 00404900 . 8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax 00404906 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48] 00404909 . 50 push eax 0040490A . 51 push ecx 0040490B . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8003 00404915 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; msvbvm60.__vbaVarTstEq 0040491B . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 00404921 . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax 00404928 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr 0040492E . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 00404934 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj 0040493A . 66:39BD CCFEF>cmp word ptr ss:[ebp-0x134],di 00404941 . 0F85 97050000 jnz 00404EDE ; // 跳到错误提示 00404947 . 8B16 mov edx,dword ptr ds:[esi] 00404949 . 56 push esi 0040494A . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1 00404954 . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x2 0040495E . FF92 08030000 call dword ptr ds:[edx+0x308] 00404964 . 50 push eax 00404965 . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4] 0040496B . 50 push eax 0040496C . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 00404972 . 8B08 mov ecx,dword ptr ds:[eax] 00404974 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] 0040497A . 52 push edx 0040497B . 50 push eax 0040497C . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax 00404982 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] 00404988 . 3BC7 cmp eax,edi 0040498A . DBE2 fclex 0040498C . 7D 18 jge short 004049A6 0040498E . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C] 00404994 . 68 A0000000 push 0xA0 00404999 . 68 442B4000 push 00402B44 0040499E . 51 push ecx 0040499F . 50 push eax 004049A0 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 004049A6 > 8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] 004049AC . 52 push edx ; // edx = "123123" 004049AD . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; msvbvm60.__vbaLenBstr 004049B3 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax ; // eax = 6 004049B9 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8] 004049BF . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108] 004049C5 . 50 push eax 004049C6 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118] 004049CC . 51 push ecx 004049CD . 8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC] 004049D3 . 52 push edx 004049D4 . 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC] 004049DA . 50 push eax 004049DB . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] 004049DE . 51 push ecx 004049DF . 52 push edx 004049E0 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3 004049EA . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 004049F4 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2 ; // for 循环开始 004049FE . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; msvbvm60.__vbaVarForInit 00404A04 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 00404A0A . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax 00404A10 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr 00404A16 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 00404A1C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj 00404A22 > 39BD 2CFEFFFF cmp dword ptr ss:[ebp-0x1D4],edi ; // 循环条件判断 00404A28 . 0F84 1D030000 je 00404D4B 00404A2E . 8B06 mov eax,dword ptr ds:[esi] 00404A30 . 56 push esi 00404A31 . FF90 08030000 call dword ptr ds:[eax+0x308] 00404A37 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 00404A3D . 50 push eax 00404A3E . 51 push ecx 00404A3F . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 00404A45 . 8B10 mov edx,dword ptr ds:[eax] 00404A47 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 00404A4D . 51 push ecx 00404A4E . 50 push eax 00404A4F . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax 00404A55 . FF92 A0000000 call dword ptr ds:[edx+0xA0] 00404A5B . 3BC7 cmp eax,edi 00404A5D . DBE2 fclex 00404A5F . 7D 18 jge short 00404A79 00404A61 . 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-0x12C] 00404A67 . 68 A0000000 push 0xA0 00404A6C . 68 442B4000 push 00402B44 00404A71 . 52 push edx 00404A72 . 50 push eax 00404A73 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 00404A79 > 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-0x84] 00404A7F . 50 push eax ; // eax = "123123" 00404A80 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; msvbvm60.__vbaLenBstr 00404A86 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8] ; // eax = 6 00404A8C . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax 00404A92 . 51 push ecx ; 6 00404A93 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x3 00404A9D . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; msvbvm60.rtcHexBstrFromVar 00404AA3 . 8BD0 mov edx,eax ; // eax = 6 ; 长度的16进制文本 00404AA5 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C] 00404AAB . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404AAD . 8B16 mov edx,dword ptr ds:[esi] 00404AAF . 56 push esi 00404AB0 . FF92 08030000 call dword ptr ds:[edx+0x308] 00404AB6 . 50 push eax 00404AB7 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8] 00404ABD . 50 push eax 00404ABE . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 00404AC4 . 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-0xA8] 00404ACA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] 00404AD0 . 6A 01 push 0x1 ; 1 00404AD2 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8] 00404AD8 . 51 push ecx ; 07 00404AD9 . 52 push edx ; 1 00404ADA . 89BD 58FFFFFF mov dword ptr ss:[ebp-0xA8],edi 00404AE0 . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax 00404AE6 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x9 00404AF0 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.#617>] ; msvbvm60.rtcLeftCharVar 00404AF6 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8] ; // eax = "1" 00404AFC . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88] 00404B02 . 50 push eax 00404B03 . 51 push ecx 00404B04 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; msvbvm60.__vbaStrVarVal 00404B0A . 50 push eax ; // eax ="1" 00404B0B . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; msvbvm60.rtcAnsiValueBstr 00404B11 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8] ; // eax = 0x31 00404B17 . 66:8985 20FFF>mov word ptr ss:[ebp-0xE0],ax 00404B1E . 52 push edx ; 0x31 00404B1F . C785 18FFFFFF>mov dword ptr ss:[ebp-0xE8],0x2 00404B29 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; msvbvm60.rtcHexBstrFromVar 00404B2F . 8BD0 mov edx,eax ; // eax ="31" 00404B31 . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-0xA0] 00404B37 . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404B39 . BA 6C294000 mov edx,0040296C ; UNICODE "*" 00404B3E . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] 00404B44 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCo>; msvbvm60.__vbaStrCopy 00404B4A . 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-0xA0] ; // eax ="*", edx="31" 00404B50 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] 00404B56 . 89BD 60FFFFFF mov dword ptr ss:[ebp-0xA0],edi 00404B5C . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404B5E . 8B95 64FFFFFF mov edx,dword ptr ss:[ebp-0x9C] ; // eax ="31" 00404B64 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] ; // ecx = "123123" 00404B6A . 89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi ; 0 00404B70 . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404B72 . 8B06 mov eax,dword ptr ds:[esi] 00404B74 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98] 00404B7A . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94] 00404B80 . 51 push ecx 00404B81 . 52 push edx 00404B82 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] 00404B88 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C] 00404B8E . 51 push ecx 00404B8F . 52 push edx 00404B90 . 56 push esi 00404B91 . FF90 F8060000 call dword ptr ds:[eax+0x6F8] ; BJCM30A.00401FE8 00404B97 . 3BC7 cmp eax,edi 00404B99 . 7D 12 jge short 00404BAD 00404B9B . 68 F8060000 push 0x6F8 00404BA0 . 68 B4274000 push 004027B4 00404BA5 . 56 push esi 00404BA6 . 50 push eax 00404BA7 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 00404BAD > 8B95 68FFFFFF mov edx,dword ptr ss:[ebp-0x98] 00404BB3 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38] 00404BB6 . 89BD 68FFFFFF mov dword ptr ss:[ebp-0x98],edi 00404BBC . FFD3 call ebx 00404BBE . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-0xA0] 00404BC4 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C] 00404BCA . 50 push eax 00404BCB . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94] 00404BD1 . 51 push ecx 00404BD2 . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-0x90] 00404BD8 . 52 push edx 00404BD9 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] 00404BDF . 50 push eax 00404BE0 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88] 00404BE6 . 51 push ecx 00404BE7 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84] 00404BED . 52 push edx 00404BEE . 50 push eax 00404BEF . 6A 07 push 0x7 00404BF1 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList 00404BF7 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-0xA8] 00404BFD . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4] 00404C03 . 51 push ecx 00404C04 . 52 push edx 00404C05 . 6A 02 push 0x2 00404C07 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObjList 00404C0D . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8] 00404C13 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8] 00404C19 . 50 push eax 00404C1A . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8] 00404C20 . 51 push ecx 00404C21 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8] 00404C27 . 52 push edx 00404C28 . 50 push eax 00404C29 . 6A 04 push 0x4 00404C2B . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList 00404C31 . 8B0E mov ecx,dword ptr ds:[esi] 00404C33 . 83C4 40 add esp,0x40 00404C36 . 56 push esi 00404C37 . FF91 08030000 call dword ptr ds:[ecx+0x308] 00404C3D . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4] 00404C43 . 50 push eax 00404C44 . 52 push edx 00404C45 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet 00404C4B . 8B08 mov ecx,dword ptr ds:[eax] 00404C4D . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] 00404C53 . 52 push edx 00404C54 . 50 push eax 00404C55 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax 00404C5B . FF91 A0000000 call dword ptr ds:[ecx+0xA0] 00404C61 . 3BC7 cmp eax,edi 00404C63 . DBE2 fclex 00404C65 . 7D 18 jge short 00404C7F 00404C67 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C] 00404C6D . 68 A0000000 push 0xA0 00404C72 . 68 442B4000 push 00402B44 00404C77 . 51 push ecx 00404C78 . 50 push eax 00404C79 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 00404C7F > 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8] 00404C85 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] 00404C88 . 52 push edx ; 1 00404C89 . 50 push eax ; 1 00404C8A . C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],0x1 00404C94 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x2 00404C9E . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>; msvbvm60.__vbaI4Var 00404CA4 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; // eax = 1 00404CAA . 50 push eax 00404CAB . 51 push ecx ; // ecx ="123123" 00404CAC . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#631>] ; msvbvm60.rtcMidCharBstr 00404CB2 . 8BD0 mov edx,eax ; // eax ="1" "2" 00404CB4 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88] 00404CBA . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404CBC . 50 push eax 00404CBD . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; msvbvm60.rtcAnsiValueBstr 00404CC3 . 66:8985 00FFF>mov word ptr ss:[ebp-0x100],ax ; // eax =0x31 0x32 00404CCA . 8D55 CC lea edx,dword ptr ss:[ebp-0x34] 00404CCD . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108] 00404CD3 . 52 push edx ; 1 00404CD4 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] 00404CDA . 50 push eax ; 31 00404CDB . 51 push ecx 00404CDC . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x2 00404CE6 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAd>; msvbvm60.__vbaVarAdd 00404CEC . 8BD0 mov edx,eax ; // eax =31 00404CEE . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 00404CF1 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMo>; msvbvm60.__vbaVarMove 00404CF7 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88] 00404CFD . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84] 00404D03 . 52 push edx 00404D04 . 50 push eax 00404D05 . 6A 02 push 0x2 00404D07 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList 00404D0D . 83C4 0C add esp,0xC 00404D10 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 00404D16 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj 00404D1C . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8] 00404D22 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVar 00404D28 . 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC] 00404D2E . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC] 00404D34 . 51 push ecx 00404D35 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] 00404D38 . 52 push edx 00404D39 . 50 push eax 00404D3A . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; msvbvm60.__vbaVarForNext 00404D40 . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax 00404D46 .^ E9 D7FCFFFF jmp 00404A22 ; // for 循环 00404D4B > 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 00404D4E . 51 push ecx ; // ecx = 00D2012C 00404D4F . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; msvbvm60.rtcHexBstrFromVar 00404D55 . 8BD0 mov edx,eax 00404D57 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] 00404D5D . FFD3 call ebx 00404D5F . BA 0C294000 mov edx,0040290C ; UNICODE "=" 00404D64 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88] ; eax ="12C" 00404D6A . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCo>; msvbvm60.__vbaStrCopy 00404D70 . 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-0x90] ; // eax = "=" 00404D76 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 00404D7C . 89BD 70FFFFFF mov dword ptr ss:[ebp-0x90],edi 00404D82 . FFD3 call ebx ; msvbvm60.__vbaStrMove 00404D84 . 8B16 mov edx,dword ptr ds:[esi] 00404D86 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C] 00404D8C . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88] 00404D92 . 50 push eax 00404D93 . 51 push ecx 00404D94 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84] 00404D9A . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38] 00404D9D . 50 push eax 00404D9E . 51 push ecx 00404D9F . 56 push esi 00404DA0 . FF92 F8060000 call dword ptr ds:[edx+0x6F8] 00404DA6 . 3BC7 cmp eax,edi 00404DA8 . 7D 12 jge short 00404DBC 00404DAA . 68 F8060000 push 0x6F8 00404DAF . 68 B4274000 push 004027B4 00404DB4 . 56 push esi 00404DB5 . 50 push eax 00404DB6 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj 00404DBC > 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C] 00404DC2 . BE 08000000 mov esi,0x8 00404DC7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8] 00404DCD . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 00404DD0 . 89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi 00404DD6 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax ; // eax="0" 00404DDC . 89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi 00404DE2 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMo>; msvbvm60.__vbaVarMove 00404DE8 . 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-0x90] ; // eax="0" 00404DEE . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88] 00404DF4 . 52 push edx 00404DF5 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] 00404DFB . 50 push eax 00404DFC . 51 push ecx 00404DFD . 6A 03 push 0x3 00404DFF . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList 00404E05 . 83C4 10 add esp,0x10 00404E08 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34] 00404E0B . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8] 00404E11 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],00402B58 ; UNICODE "FFFF" 00404E1B . 52 push edx ; // edx = "0" 00404E1C . 50 push eax ; // eax = "FFFF" 00404E1D . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008 00404E27 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; msvbvm60.__vbaVarTstEq 00404E2D . 66:85C0 test ax,ax 00404E30 0F84 AD000000 je 00404EE3 ; // 关键跳转
对于上面的这一长段反汇编,我不想做什么详细解释了。前2/3部分都是For循环,并且没有做什么有用的东西,最后的msvbvm60.__vbaVarTstEq 附近才算了一些东西,但是我也没弄明白到底是怎么回事。所以,抱歉了!
由于使用OD没搞明白,使用VB Decoder反编译如下:
Private Sub Command1_Click() '404230
Dim var_A4 As TextBox
Dim var_A8 As TextBox
loc_00404255: var_8 = &H401130
loc_00404326: Var_Ret_1 = CLng(Timer)
loc_0040432C: var_5C = Var_Ret_1
loc_0040435B: var_F0 = 1
loc_00404365: var_F8 = 2
loc_0040436B: var_100 = &H3E8
loc_00404375: var_108 = 2
loc_0040437B: var_110 = 1
loc_00404385: var_118 = 2
For var_80 = 1 To 1000 Step 1
If var_14C = 0 Then GoTo loc_00404461
loc_004043A4: var_F0 = 1
loc_004043AA: var_110 = 1
loc_004043D1: var_F8 = 2
loc_004043D7: var_100 = &HFA
loc_004043E1: var_108 = 2
loc_004043E7: var_118 = 2
For var_58 = 1 To 250 Step 1
If var_16C = 0 Then GoTo loc_00404444
If (4205108 <> 4205108) <> 0 Then GoTo loc_0040442A
loc_00404414: var_F0 = 1
loc_0040441E: var_F8 = 2
loc_00404424: var_24 = 1
loc_0040442A:
Next var_58
loc_00404442: GoTo loc_004043F3
loc_00404444:
Next var_80
loc_0040445C: GoTo loc_00404391
loc_00404461:
loc_00404467: Var_Ret_2 = CLng(Timer)
loc_0040446D: Var_Ret_2 = Var_Ret_2 - Var_Ret_1
If Var_Ret_2 <= 0 Then GoTo loc_0040452C
loc_0040448A: var_E0 = 80020004h
loc_00404495: var_D0 = 80020004h
loc_004044AC: var_E8 = 10
loc_004044B2: var_D8 = 10
loc_004044B8: var_100 = "Cheater!!! CHEATER!!! Cheater!!! CHEATER!!!"
loc_004044C2: var_108 = 8
loc_004044D6: var_F0 = "You have SmartCheck loaded!...Close it and try again!!!"
loc_004044E0: var_F8 = 8
loc_004044E6: var_B8 = "You have SmartCheck loaded!...Close it and try again!!!"
loc_00404505: MsgBox var_B8, 0, "Cheater!!! CHEATER!!! Cheater!!! CHEATER!!!"
loc_00404527: GoTo loc_00404F86
loc_0040452C:
loc_0040453D: Set var_A4 = var_B8
loc_0040457F: setl bl
If ebx <> 0 Then GoTo loc_00404EDE
loc_004045B9: var_F8 = 2
loc_004045C8: var_F0 = 1
loc_004045D2: var_F8 = 2
loc_004045E6: Set var_A4 = 8
loc_004045F8: var_84 = Text1.Text
loc_00404623: var_100 = Len(var_84)
loc_00404650: var_108 = 3
loc_0040465A: var_110 = 1
loc_00404664: var_118 = 2
For var_6C = 1 To Len(var_84) Step 1
loc_0040467A: var_1D0 = var_18C
If var_18C = 0 Then GoTo loc_00404899
loc_004046C5: var_12C = var_18C
loc_004046CB: var_84 = Text1.Text
loc_00404700: Set var_A8 = var_84
loc_00404710: var_134 = var_A8
loc_00404716: var_88 = Text1.Text
loc_00404745: var_B0 = 1
loc_0040474B: var_D0 = 1
loc_00404751: var_100 = 1
loc_00404767: var_D8 = 2
loc_0040476D: var_108 = 2
loc_00404773: Var_Ret_3 = CLng(var_6C)
loc_00404791: var_8C = Mid$(var_84, Var_Ret_3, 2)
loc_004047AD: Var_Ret_4 = var_6C + 1
loc_004047B4: Var_Ret_5 = CLng(Var_Ret_4)
loc_004047F6: edi = (var_8C = Mid$(var_88, Var_Ret_5, 1)) + 1
If (var_8C = var_90) + 1 = 0 Then GoTo loc_00404874
loc_0040484F: var_F0 = 1
loc_00404859: var_F8 = 2
loc_00404863: Var_Ret_6 = 0 + 1
loc_0040486E: var_48 = Var_Ret_6
loc_00404874:
Next var_6C
loc_00404894: GoTo loc_00404698
loc_00404899:
loc_004048BA: var_12C = Next var_6C
loc_004048C0: var_84 = Text1.Text
loc_004048F1: Len(var_84) = Len(var_84) - 00000001h
loc_00404900: var_F0 = Len(var_84)
loc_0040490B: var_F8 = &H8003
loc_00404915: Var_Ret_7 = (var_48 = Len(var_84))
loc_00404921: var_134 = Var_Ret_7
If var_A8 <> 0 Then GoTo loc_00404EDE
loc_0040494A: var_F0 = 1
loc_00404954: var_F8 = 2
loc_0040497C: var_12C = Var_Ret_7
loc_00404982: var_84 = Text1.Text
loc_004049B3: var_100 = Len(var_84)
loc_004049E0: var_108 = 3
loc_004049EA: var_110 = 1
loc_004049F4: var_118 = 2
For var_6C = 1 To Len(var_84) Step 1
loc_00404A0A: var_1D4 = var_1BC
If var_1BC = 0 Then GoTo loc_00404D4B
loc_00404A4F: var_12C = 8
loc_00404A55: var_84 = Text1.Text
loc_00404A8C: var_B0 = Len(var_84)
loc_00404A93: var_B8 = 3
loc_00404AAB: var_9C = Hex$(Len(var_84))
loc_00404AE0: var_C0 = var_9C
loc_00404AE6: var_C8 = 9
loc_00404AF0: var_D8 = Left(vbObject, 1)
loc_00404B17: var_E0 = Asc(CStr(1))
loc_00404B1F: var_E8 = 2
loc_00404B44: var_94 = 0040296Ch
loc_00404B5C: var_90 = Hex$(0)
loc_00404B70: var_8C = var_9C
loc_00404B91: Unknown_VTable_Call[eax+000006F8h]
loc_00404BBC: var_38 = var_98
loc_00404C55: var_12C = Len(var_84)
loc_00404C5B: var_84 = Text1.Text
loc_00404C8A: var_B0 = 1
loc_00404C94: var_B8 = 2
loc_00404C9E: Var_Ret_8 = CLng(var_6C)
loc_00404CC3: var_100 = Asc(Mid$(var_84, Var_Ret_8, 1))
loc_00404CDC: var_108 = 2
loc_00404CE6: Var_Ret_9 = var_34 + 0
loc_00404CF1: var_34 = Var_Ret_9
Next var_6C
loc_00404D46: GoTo loc_00404A22
loc_00404D4B:
loc_00404D6A: var_88 = 0040290Ch
loc_00404D82: var_84 = Hex$(var_34)
loc_00404DA0: Unknown_VTable_Call[edx+000006F8h]
loc_00404DD6: var_B0 = var_8C
loc_00404DDC: var_B8 = 8
loc_00404E11: var_F0 = "FFFF"
loc_00404E1D: var_F8 = &H8008
loc_00404E27: Var_Ret_A = (var_8C = "FFFF")
If Var_Ret_A = 0 Then GoTo loc_00404EE3
loc_00404E41: var_E0 = 80020004h
loc_00404E4C: var_D0 = 80020004h
loc_00404E5E: var_E8 = 10
loc_00404E64: var_D8 = 10
loc_00404E6A: var_100 = "Correct serial!"
loc_00404E74: var_108 = 8
loc_00404E88: var_F0 = "Good job, tell me how you do that!"
loc_00404E92: var_F8 = 8
loc_00404EB7: MsgBox "Good job, tell me how you do that!", 0, "Correct serial!"
loc_00404ED9: GoTo loc_00404F86
loc_00404EDE:
loc_00404EE3:
loc_00404EEE: var_E0 = 80020004h
loc_00404EF9: var_D0 = 80020004h
loc_00404F0B: var_E8 = 10
loc_00404F11: var_D8 = 10
loc_00404F17: var_100 = "Wrong serial!"
loc_00404F21: var_108 = 8
loc_00404F35: var_F0 = "Sorry, try again!"
loc_00404F3F: var_F8 = 8
loc_00404F64: MsgBox "Sorry, try again!", 0, "Wrong serial!"
loc_00404F86:
loc_00404F9A: GoTo loc_00404F1A
loc_00405019: Exit Sub
loc_0040508A: Exit Sub
End Sub
不好意思,看的更迷糊了。
暂时只到这里,留待以后继续深挖!
BY 笨笨D幸福