160 - 17 bjanes.3
Environment:
Windows XP SP3
Tools:
OllyDbg, ExeInfo PE
Packer check:
Checked with ExeInfo PE: no packer, written in VB.
Process:
Step 1: Enter an arbitrary serial and an error message box appears. Load the program in OD, search the strings for the error message, and double-click the hit to return to the CPU window, where you can see:
00404E08 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404E0B . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58 ; UNICODE "FFFF"
00404E1B . 52 push edx ; /var18
00404E1C . 50 push eax ; |var28
00404E1D . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008 ; |
00404E27 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
00404E2D . 66:85C0 test ax,ax ; jumps if zero; ax must not be zero, i.e. the two values above must be equal
00404E30 0F84 AD000000 je BJCM30A.00404EE3 ; key jump
00404E36 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00404E3C . B9 04000280 mov ecx,0x80020004
00404E41 . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404E47 . B8 0A000000 mov eax,0xA
00404E4C . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
00404E52 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
00404E58 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404E5E . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00404E64 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00404E6A . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402BB4 ; UNICODE "Correct serial!"
00404E74 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
00404E7A . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
00404E7C . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404E82 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404E88 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B68 ; UNICODE "Good job, tell me how you do that!"
00404E92 . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
00404E98 . FFD3 call ebx
00404E9A . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-0xE8]
00404EA0 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404EA6 . 51 push ecx
00404EA7 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-0xC8]
00404EAD . 52 push edx
00404EAE . 50 push eax
00404EAF . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404EB5 . 57 push edi
00404EB6 . 51 push ecx
00404EB7 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00404EBD . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
00404EC3 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404EC9 . 52 push edx
00404ECA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404ED0 . 50 push eax
00404ED1 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404ED7 . 51 push ecx
00404ED8 . 52 push edx
00404ED9 . E9 A8000000 jmp BJCM30A.00404F86
00404EDE > BE 08000000 mov esi,0x8
00404EE3 > 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00404EE9 . B9 04000280 mov ecx,0x80020004
00404EEE . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404EF4 . B8 0A000000 mov eax,0xA
00404EF9 . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
00404EFF . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
00404F05 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404F0B . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00404F11 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00404F17 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402A10 ; UNICODE "Wrong serial!"
00404F21 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
00404F27 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
00404F29 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404F2F . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404F35 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402BD8 ; UNICODE "Sorry, try again!"
00404F3F . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
00404F45 . FFD3 call ebx
00404F47 . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404F4D . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404F53 . 50 push eax
00404F54 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404F5A . 51 push ecx
00404F5B . 52 push edx
00404F5C . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404F62 . 57 push edi
00404F63 . 50 push eax
00404F64 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
At this point a simple patch of the key jump would already solve it; what follows is the analysis of the algorithm.
Scrolling up a bit, this comes into view:
00404476 . 83F8 05 cmp eax,0x5 ; this decides whether the message box below is shown
00404479 . 0F8E AD000000 jle BJCM30A.0040452C
0040447F . 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00404485 . B9 04000280 mov ecx,0x80020004
0040448A . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404490 . B8 0A000000 mov eax,0xA
00404495 . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
0040449B . BE 08000000 mov esi,0x8
004044A0 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
004044A6 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
004044AC . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
004044B2 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
004044B8 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402AE0 ; UNICODE "Cheater!!! CHEATER!!! Cheater!!! CHEATER!!!"
004044C2 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
004044C8 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
004044CA . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
004044D0 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
004044D6 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402A68 ; UNICODE " You have SmartCheck loaded!...Close it and try again!!!"
004044E0 . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
004044E6 . FFD3 call ebx
004044E8 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
004044EE . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
004044F4 . 52 push edx
004044F5 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
004044FB . 50 push eax
004044FC . 51 push ecx
004044FD . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404503 . 57 push edi
00404504 . 52 push edx
00404505 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040450B . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404511 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404517 . 50 push eax
00404518 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040451E . 51 push ecx
0040451F . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404525 . 52 push edx
00404526 . 50 push eax
00404527 . E9 5A0A0000 jmp BJCM30A.00404F86
0040452C > 8B0E mov ecx,dword ptr ds:[esi]
SmartCheck is a debugger for VB programs, so this check presumably detects whether a debugger is loaded.
Scrolling further up:
00404320 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.#535>] ; MSVBVM60.rtcGetTimer
00404326 . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
0040432C . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0040432F . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404335 . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
0040433B . 52 push edx ; /Step8
0040433C . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] ; |
00404342 . 50 push eax ; |End8
00404343 . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C] ; |
00404349 . 51 push ecx ; |Start8
0040434A . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C] ; |
00404350 . 52 push edx ; |TMPend8
00404351 . 8D4D 80 lea ecx,dword ptr ss:[ebp-0x80] ; |
00404354 . BB 02000000 mov ebx,0x2 ; |
00404359 . 50 push eax ; |TMPstep8
0040435A . 51 push ecx ; |Counter8
0040435B . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1 ; |
00404365 . 899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx ; |
0040436B . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],0x3E8 ; |
00404375 . 899D F8FEFFFF mov dword ptr ss:[ebp-0x108],ebx ; |
0040437B . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 ; |
00404385 . 899D E8FEFFFF mov dword ptr ss:[ebp-0x118],ebx ; |
0040438B . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
00404391 > 3BC7 cmp eax,edi
00404393 . 0F84 C8000000 je BJCM30A.00404461
00404399 . B8 01000000 mov eax,0x1
0040439E . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
004043A4 . 8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax
004043AA . 8985 F0FEFFFF mov dword ptr ss:[ebp-0x110],eax
004043B0 . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
004043B6 . 52 push edx ; /Step8
004043B7 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] ; |
004043BD . 50 push eax ; |End8
004043BE . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C] ; |
004043C4 . 51 push ecx ; |Start8
004043C5 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C] ; |
004043CB . 52 push edx ; |TMPend8
004043CC . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; |
004043CF . 50 push eax ; |TMPstep8
004043D0 . 51 push ecx ; |Counter8
004043D1 . 899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx ; |
004043D7 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],0xFA ; |
004043E1 . 899D F8FEFFFF mov dword ptr ss:[ebp-0x108],ebx ; |
004043E7 . 899D E8FEFFFF mov dword ptr ss:[ebp-0x118],ebx ; |
004043ED . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
004043F3 > 3BC7 cmp eax,edi
004043F5 . 74 4D je XBJCM30A.00404444
004043F7 . 68 342A4000 push BJCM30A.00402A34 ; UNICODE "IS SMARTCHECK LOADED???"
004043FC . 68 342A4000 push BJCM30A.00402A34 ; UNICODE "IS SMARTCHECK LOADED???"
00404401 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00404407 . 85C0 test eax,eax
00404409 . 75 1F jnz XBJCM30A.0040442A
0040440B . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404411 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00404414 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1
0040441E . 899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx
00404424 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
0040442A > 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C]
00404430 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
00404436 . 52 push edx ; /TMPend8
00404437 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; |
0040443A . 50 push eax ; |TMPstep8
0040443B . 51 push ecx ; |Counter8
0040443C . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
00404442 .^ EB AF jmp XBJCM30A.004043F3
00404444 > 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C]
0040444A . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C]
00404450 . 52 push edx ; /TMPend8
00404451 . 8D4D 80 lea ecx,dword ptr ss:[ebp-0x80] ; |
00404454 . 50 push eax ; |TMPstep8
00404455 . 51 push ecx ; |Counter8
00404456 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
0040445C .^ E9 30FFFFFF jmp BJCM30A.00404391
00404461 > FF15 94104000 call dword ptr ds:[<&MSVBVM60.#535>] ; MSVBVM60.rtcGetTimer
00404467 . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
0040446D . 2B45 A4 sub eax,dword ptr ss:[ebp-0x5C]
This block has a GetTimer call at both its start and its end, with a subtraction at 0040446D at the very end. In between is a double loop; single-stepping through it takes considerably longer, so afterwards the two GetTimer results are subtracted, and if the difference is greater than 5 the program concludes it is being debugged. This is of no real consequence here, since there is no need to single-step through it, so it can be ignored.
Continuing downward:
This is the code that checks the serial length; at 0040457C the following cases arise:
(1) If the serial length len < 5: the subtraction borrows, CF is set to 1, OF to 0, and BL ends up 1.
(2) If len >= 5: the subtraction does not borrow, CF and OF are both 0, and BL ends up 0.
The neg instruction at 00404588 negates the value, so in case (1) the result is ebx = FFFFFFFF and in case (2) ebx = 00000000.
Knowing now that the serial length must be at least 5, continue downward:
00404616 > \8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; fetch the serial
0040461C . 51 push ecx ; /String
0040461D . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00404623 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax ; serial length
00404629 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
0040462F . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404635 . 52 push edx ; /Step8
00404636 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] ; |
0040463C . 50 push eax ; |End8
0040463D . 8D95 64FEFFFF lea edx,dword ptr ss:[ebp-0x19C] ; |
00404643 . 51 push ecx ; |Start8
00404644 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C] ; |
0040464A . 52 push edx ; |TMPend8
0040464B . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C] ; |
0040464E . 50 push eax ; |TMPstep8
0040464F . 51 push ecx ; |Counter8
00404650 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3 ; |
0040465A . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 ; |
00404664 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2 ; |
0040466E . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
00404674 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] ; address of the pointer to the serial
0040467A . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax ; used to tell whether the loop has finished
00404680 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00404686 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0040468C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00404692 . 8B1D DC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00404698 > 39BD 30FEFFFF cmp dword ptr ss:[ebp-0x1D0],edi
0040469E . 0F84 F5010000 je BJCM30A.00404899 ; loop finished, leave the loop
004046A4 . 8B16 mov edx,dword ptr ds:[esi]
004046A6 . 56 push esi
004046A7 . FF92 08030000 call dword ptr ds:[edx+0x308]
004046AD . 50 push eax ;
004046AE . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
004046B4 . 50 push eax
004046B5 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004046BB . 8B08 mov ecx,dword ptr ds:[eax] ; note how often this pattern appears in the program
004046BD . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] ; treat it as compiler-generated code unrelated to the algorithm
004046C3 . 52 push edx ; telling the two apart makes the analysis easier
004046C4 . 50 push eax
004046C5 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
004046CB . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004046D1 . 3BC7 cmp eax,edi
004046D3 . DBE2 fclex
004046D5 . 7D 18 jge XBJCM30A.004046EF ;
004046D7 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
004046DD . 68 A0000000 push 0xA0
004046E2 . 68 442B4000 push BJCM30A.00402B44
004046E7 . 51 push ecx
004046E8 . 50 push eax ; especially for these function calls, note how many arguments are pushed
004046E9 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004046EF > 8B16 mov edx,dword ptr ds:[esi]
004046F1 . 56 push esi
004046F2 . FF92 08030000 call dword ptr ds:[edx+0x308]
004046F8 . 50 push eax
004046F9 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004046FF . 50 push eax
00404700 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404706 . 8B08 mov ecx,dword ptr ds:[eax]
00404708 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
0040470E . 52 push edx
0040470F . 50 push eax
00404710 . 8985 CCFEFFFF mov dword ptr ss:[ebp-0x134],eax
00404716 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
0040471C . 3BC7 cmp eax,edi
0040471E . DBE2 fclex
00404720 . 7D 18 jge XBJCM30A.0040473A
00404722 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134]
00404728 . 68 A0000000 push 0xA0
0040472D . 68 442B4000 push BJCM30A.00402B44
00404732 . 51 push ecx
00404733 . 50 push eax
00404734 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
0040473A > B8 01000000 mov eax,0x1
0040473F . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404745 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
0040474B . 8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],eax
00404751 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
00404757 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040475A . B9 02000000 mov ecx,0x2
0040475F . 52 push edx
00404760 . 50 push eax
00404761 . 898D 48FFFFFF mov dword ptr ss:[ebp-0xB8],ecx
00404767 . 898D 28FFFFFF mov dword ptr ss:[ebp-0xD8],ecx
0040476D . 898D F8FEFFFF mov dword ptr ss:[ebp-0x108],ecx
00404773 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00404779 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84]
0040477F . 8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
00404785 . 50 push eax
00404786 . 51 push ecx
00404787 . FFD7 call edi ; <&MSVBVM60.#631>
00404789 . 8BD0 mov edx,eax ; eax is the address of the returned character
0040478B . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404791 . FFD3 call ebx ; copy the address of the character just returned to ebp-0x8c
00404793 . 50 push eax
00404794 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040479A . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040479D . 52 push edx
0040479E . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108] ; this location is certainly 0x02, assigned above
004047A4 . 50 push eax ; /var18
004047A5 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8] ; |destination
004047AB . 51 push ecx ; |var28
004047AC . 52 push edx ; |saveto8
004047AD . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; \__vbaVarAdd
004047B3 . 50 push eax
004047B4 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
004047BA . 50 push eax
004047BB . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
004047C1 . 50 push eax
004047C2 . FFD7 call edi ; this is the character at the next position
004047C4 . 8BD0 mov edx,eax
004047C6 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
004047CC . FFD3 call ebx
004047CE . 50 push eax
004047CF . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
004047D5 . 8BF8 mov edi,eax ; store the comparison result in edi: 0 if equal, -1 if different
004047D7 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] ; everything after this is frees
004047DD . F7DF neg edi ; negate here
004047DF . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
004047E5 . 51 push ecx
004047E6 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004047EC . 52 push edx
004047ED . 1BFF sbb edi,edi ; then subtract CF
004047EF . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
004047F5 . 50 push eax
004047F6 . 47 inc edi ; edi+1 here
004047F7 . 51 push ecx
004047F8 . 6A 04 push 0x4
004047FA . F7DF neg edi ; negate edi again
004047FC . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404802 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
00404808 . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
0040480E . 52 push edx
0040480F . 50 push eax
00404810 . 6A 02 push 0x2
00404812 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
00404818 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
0040481E . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404824 . 51 push ecx
00404825 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
0040482B . 52 push edx
0040482C . 50 push eax
0040482D . 6A 03 push 0x3
0040482F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00404835 . 83C4 30 add esp,0x30
00404838 . 66:85FF test di,di ; test whether edi is 0
0040483B . 74 37 je XBJCM30A.00404874 ; jump if it is 0, meaning the two characters differ
0040483D . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] ; if they are the same, add 1
00404840 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404846 . 51 push ecx ; /var18
00404847 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8] ; |
0040484D . 52 push edx ; |var28
0040484E . 50 push eax ; |saveto8
0040484F . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1 ; |
00404859 . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x2 ; |
00404863 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; \__vbaVarAdd
00404869 . 8BD0 mov edx,eax
0040486B . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
0040486E . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00404874 > 8D8D 64FEFFFF lea ecx,dword ptr ss:[ebp-0x19C] ; loop end value
0040487A . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C] ; loop step
00404880 . 51 push ecx ; /TMPend8
00404881 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |current loop value
00404884 . 52 push edx ; |TMPstep8
00404885 . 50 push eax ; |Counter8
00404886 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
0040488C . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax
00404892 . 33FF xor edi,edi
00404894 .^ E9 FFFDFFFF jmp BJCM30A.00404698
This is the check for whether the whole serial consists of a single repeated character: 66666 does, 66656 does not. The method is to take the count of equal adjacent characters computed by the previous block and compare it with the serial length minus 1. If they are equal the serial is made of one character; otherwise it is not. A serial made of a single character triggers the error message box; the reason becomes clear once the algorithm has been analyzed.
004049A6 > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] ; load the serial to read its length
004049AC . 52 push edx ; /String
004049AD . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
004049B3 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
004049B9 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
004049BF . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]
004049C5 . 50 push eax ; /Step8
004049C6 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118] ; |
004049CC . 51 push ecx ; |End8
004049CD . 8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC] ; |
004049D3 . 52 push edx ; |Start8
004049D4 . 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC] ; |
004049DA . 50 push eax ; |TMPend8
004049DB . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] ; |
004049DE . 51 push ecx ; |TMPstep8
004049DF . 52 push edx ; |Counter8
004049E0 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3 ; |
004049EA . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 ; |
004049F4 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2 ; |
004049FE . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
00404A04 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] ; the address where the serial is stored goes into ecx
00404A0A . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404A10 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00404A16 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A1C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00404A22 > 39BD 2CFEFFFF cmp dword ptr ss:[ebp-0x1D4],edi ; check whether the loop is finished
00404A28 . 0F84 1D030000 je BJCM30A.00404D4B
00404A2E . 8B06 mov eax,dword ptr ds:[esi]
00404A30 . 56 push esi
00404A31 . FF90 08030000 call dword ptr ds:[eax+0x308]
00404A37 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A3D . 50 push eax
00404A3E . 51 push ecx
00404A3F . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404A45 . 8B10 mov edx,dword ptr ds:[eax]
00404A47 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404A4D . 51 push ecx
00404A4E . 50 push eax
00404A4F . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404A55 . FF92 A0000000 call dword ptr ds:[edx+0xA0]
00404A5B . 3BC7 cmp eax,edi
00404A5D . DBE2 fclex
00404A5F . 7D 18 jge XBJCM30A.00404A79
00404A61 . 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-0x12C]
00404A67 . 68 A0000000 push 0xA0
00404A6C . 68 442B4000 push BJCM30A.00402B44
00404A71 . 52 push edx
00404A72 . 50 push eax
00404A73 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404A79 > 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-0x84]
00404A7F . 50 push eax ; /String
00404A80 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00404A86 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404A8C . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax ; get the serial length and store it at 0xB0
00404A92 . 51 push ecx
00404A93 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x3
00404A9D . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00404AA3 . 8BD0 mov edx,eax ; the serial length converted to a hex string
00404AA5 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404AAB . FFD3 call ebx ; store edx's value at the location in ecx
00404AAD . 8B16 mov edx,dword ptr ds:[esi]
00404AAF . 56 push esi
00404AB0 . FF92 08030000 call dword ptr ds:[edx+0x308]
00404AB6 . 50 push eax
00404AB7 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
00404ABD . 50 push eax
00404ABE . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404AC4 . 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-0xA8]
00404ACA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404AD0 . 6A 01 push 0x1
00404AD2 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404AD8 . 51 push ecx
00404AD9 . 52 push edx
00404ADA . 89BD 58FFFFFF mov dword ptr ss:[ebp-0xA8],edi
00404AE0 . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00404AE6 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x9
00404AF0 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
00404AF6 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404AFC . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404B02 . 50 push eax ; /String8
00404B03 . 51 push ecx ; |ARG2
00404B04 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00404B0A . 50 push eax ; /String
00404B0B . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00404B11 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
00404B17 . 66:8985 20FFF>mov word ptr ss:[ebp-0xE0],ax
00404B1E . 52 push edx
00404B1F . C785 18FFFFFF>mov dword ptr ss:[ebp-0xE8],0x2
00404B29 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00404B2F . 8BD0 mov edx,eax ; the character code from above converted to a hex string, each digit as a Unicode character
00404B31 . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-0xA0]
00404B37 . FFD3 call ebx ; store that result at 0xA0
00404B39 . BA 6C294000 mov edx,BJCM30A.0040296C ; *
00404B3E . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] ; copy edx's contents to the address in ecx
00404B44 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00404B4A . 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-0xA0]
00404B50 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B56 . 89BD 60FFFFFF mov dword ptr ss:[ebp-0xA0],edi
00404B5C . FFD3 call ebx ; vbaStrMove
00404B5E . 8B95 64FFFFFF mov edx,dword ptr ss:[ebp-0x9C]
00404B64 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404B6A . 89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi
00404B70 . FFD3 call ebx ; StrMove edx's contents to the address in ecx
00404B72 . 8B06 mov eax,dword ptr ds:[esi]
00404B74 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00404B7A . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404B80 . 51 push ecx
00404B81 . 52 push edx
00404B82 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B88 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00404B8E . 51 push ecx
00404B8F . 52 push edx
00404B90 . 56 push esi
00404B91 . FF90 F8060000 call dword ptr ds:[eax+0x6F8] ; computes first character * serial length
00404B97 . 3BC7 cmp eax,edi
00404B99 . 7D 12 jge XBJCM30A.00404BAD
00404B9B . 68 F8060000 push 0x6F8
00404BA0 . 68 B4274000 push BJCM30A.004027B4
00404BA5 . 56 push esi
00404BA6 . 50 push eax
00404BA7 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404BAD > 8B95 68FFFFFF mov edx,dword ptr ss:[ebp-0x98] ; this is the result just computed
00404BB3 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38] ; the result just computed is stored here
00404BB6 . 89BD 68FFFFFF mov dword ptr ss:[ebp-0x98],edi
00404BBC . FFD3 call ebx
00404BBE . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-0xA0] ; what follows is just frees and can be skipped
00404BC4 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404BCA . 50 push eax
00404BCB . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404BD1 . 51 push ecx
00404BD2 . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-0x90]
00404BD8 . 52 push edx
00404BD9 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404BDF . 50 push eax
00404BE0 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404BE6 . 51 push ecx
00404BE7 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404BED . 52 push edx
00404BEE . 50 push eax
00404BEF . 6A 07 push 0x7
00404BF1 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404BF7 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-0xA8]
00404BFD . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C03 . 51 push ecx
00404C04 . 52 push edx
00404C05 . 6A 02 push 0x2
00404C07 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
00404C0D . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404C13 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404C19 . 50 push eax
00404C1A . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404C20 . 51 push ecx
00404C21 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404C27 . 52 push edx
00404C28 . 50 push eax
00404C29 . 6A 04 push 0x4
00404C2B . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00404C31 . 8B0E mov ecx,dword ptr ds:[esi]
00404C33 . 83C4 40 add esp,0x40
00404C36 . 56 push esi
00404C37 . FF91 08030000 call dword ptr ds:[ecx+0x308]
00404C3D . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C43 . 50 push eax
00404C44 . 52 push edx
00404C45 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404C4B . 8B08 mov ecx,dword ptr ds:[eax]
00404C4D . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
00404C53 . 52 push edx
00404C54 . 50 push eax
00404C55 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404C5B . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
00404C61 . 3BC7 cmp eax,edi
00404C63 . DBE2 fclex
00404C65 . 7D 18 jge XBJCM30A.00404C7F
00404C67 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
00404C6D . 68 A0000000 push 0xA0
00404C72 . 68 442B4000 push BJCM30A.00402B44
00404C77 . 51 push ecx
00404C78 . 50 push eax
00404C79 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404C7F > 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404C85 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00404C88 . 52 push edx
00404C89 . 50 push eax
00404C8A . C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],0x1
00404C94 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x2
00404C9E . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00404CA4 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; resume reading here: loads the entered serial
00404CAA . 50 push eax
00404CAB . 51 push ecx
00404CAC . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
00404CB2 . 8BD0 mov edx,eax
00404CB4 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404CBA . FFD3 call ebx
00404CBC . 50 push eax ; /String
00404CBD . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00404CC3 . 66:8985 00FFF>mov word ptr ss:[ebp-0x100],ax
00404CCA . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404CCD . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404CD3 . 52 push edx ; /var18
00404CD4 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] ; |
00404CDA . 50 push eax ; |var28
00404CDB . 51 push ecx ; |saveto8
00404CDC . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x2 ; |
00404CE6 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; \__vbaVarAdd
00404CEC . 8BD0 mov edx,eax ; address where the result is stored
00404CEE . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] ; the sum is copied here
00404CF1 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00404CF7 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404CFD . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D03 . 52 push edx
00404D04 . 50 push eax
00404D05 . 6A 02 push 0x2
00404D07 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404D0D . 83C4 0C add esp,0xC
00404D10 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404D16 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00404D1C . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404D22 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00404D28 . 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC] ; end value
00404D2E . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC] ; step
00404D34 . 51 push ecx ; /TMPend8
00404D35 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |running counter
00404D38 . 52 push edx ; |TMPstep8
00404D39 . 50 push eax ; |Counter8
00404D3A . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
00404D40 . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404D46 .^ E9 D7FCFFFF jmp BJCM30A.00404A22
This computes sum(serial), i.e. it adds up every character. It also computes serial[0]*len(serial); the actual computation happens at 00404B91.
Stepping into the call at 00404B91 and single-stepping brings you here:
00403C3A . 50 push eax
00403C3B . 68 6C294000 push BJCM30A.0040296C ; *
00403C40 . FFD7 call edi
00403C42 . 85C0 test eax,eax
00403C44 . 75 1F jnz XBJCM30A.00403C65
00403C46 . 8B76 50 mov esi,dword ptr ds:[esi+0x50] ; serial length
00403C49 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00403C4C . 52 push edx
00403C4D . 8B4E 04 mov ecx,dword ptr ds:[esi+0x4] ; hex value of the serial's first character
00403C50 . 0FAF0E imul ecx,dword ptr ds:[esi]
00403C53 . 0F80 CA000000 jo BJCM30A.00403D23
00403C59 . 894D E0 mov dword ptr ss:[ebp-0x20],ecx
00403C5C . C745 D8 03000>mov dword ptr ss:[ebp-0x28],0x3
00403C63 . EB 4D jmp XBJCM30A.00403CB2
After the loop finishes, execution arrives here:
00404D4B > \8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404D4E . 51 push ecx ; convert the computed value to a Unicode string, e.g. 0xFF becomes "FF"
00404D4F . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00404D55 . 8BD0 mov edx,eax
00404D57 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404D5D . FFD3 call ebx
00404D5F . BA 0C294000 mov edx,BJCM30A.0040290C ; =
00404D64 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D6A . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00404D70 . 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-0x90]
00404D76 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404D7C . 89BD 70FFFFFF mov dword ptr ss:[ebp-0x90],edi
00404D82 . FFD3 call ebx
00404D84 . 8B16 mov edx,dword ptr ds:[esi]
00404D86 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
00404D8C . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D92 . 50 push eax
00404D93 . 51 push ecx
00404D94 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D9A . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00404D9D . 50 push eax
00404D9E . 51 push ecx
00404D9F . 56 push esi
00404DA0 . FF92 F8060000 call dword ptr ds:[edx+0x6F8] ; this calls the same function as before, just through a different case
00404DA6 . 3BC7 cmp eax,edi
00404DA8 . 7D 12 jge XBJCM30A.00404DBC
00404DAA . 68 F8060000 push 0x6F8
00404DAF . 68 B4274000 push BJCM30A.004027B4
00404DB4 . 56 push esi
00404DB5 . 50 push eax
00404DB6 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404DBC > 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00404DC2 BE 08000000 mov esi,0x8
00404DC7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404DCD . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404DD0 . 89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi
00404DD6 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
00404DDC . 89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00404DE2 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00404DE8 . 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-0x90]
00404DEE . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
00404DF4 . 52 push edx
00404DF5 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404DFB . 50 push eax
00404DFC . 51 push ecx
00404DFD . 6A 03 push 0x3
00404DFF . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404E05 . 83C4 10 add esp,0x10
00404E08 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404E0B . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58 ; UNICODE "FFFF"
00404E1B . 52 push edx ; /var18
00404E1C . 50 push eax ; |var28
00404E1D . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008 ; |
00404E27 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
00404E2D . 66:85C0 test ax,ax ; jumps if zero; ax must not be zero, i.e. the two values above must be equal
00404E30 0F84 AD000000 je BJCM30A.00404EE3 ; key jump
00404E36 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
The instructions that follow are the ones that decide whether the serial is correct. Another thing to note is the call at 00404DA0, which goes through this case:
00403A57 . 51 push ecx
00403A58 . 68 0C294000 push BJCM30A.0040290C ; =
00403A5D . FFD7 call edi
00403A5F . 85C0 test eax,eax
00403A61 . 75 37 jnz XBJCM30A.00403A9A
00403A63 . 8B76 50 mov esi,dword ptr ds:[esi+0x50]
00403A66 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00403A69 . 51 push ecx
00403A6A . 8B16 mov edx,dword ptr ds:[esi] ; this is the result of the earlier * computation
00403A6C . 8B7E 04 mov edi,dword ptr ds:[esi+0x4] ; this is the result of adding up every character
00403A6F . 3BD7 cmp edx,edi
00403A71 . C745 C8 0B000>mov dword ptr ss:[ebp-0x38],0xB
00403A78 . 0F94C0 sete al
00403A7B . F7D8 neg eax
00403A7D . 66:8945 D0 mov word ptr ss:[ebp-0x30],ax ; convert the comparison result to Unicode
00403A81 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00403A87 . 8BD0 mov edx,eax
00403A89 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00403A8C . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00403A92 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00403A95 . E9 2C020000 jmp BJCM30A.00403CC6
Note the instruction at 00403A78: this is where sum(serial) from above is compared with serial[0]*len(serial), and the comparison has two outcomes:
(1) Equal: ZF is set to 1, and the neg then turns the value into FFFFFFFF
(2) Different: ZF is 0, and after the neg the value is still 00000000
The conversion that follows then gives:
(1) "FFFF"
(2) "0"
Notice the "FFFF" at 00404E11; with that, the algorithm is known.
The algorithm is not complicated: it simply checks whether sum(serial) equals serial[0]*len(serial).
This also explains why the serial may not consist of a single repeated character: such a serial would trivially satisfy the check.
There is no need to write a keygen either. Any string of consecutive character codes (of odd length) satisfies the requirement as long as the middle character is moved to the first position.
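As an added example (not code from the original write-up or from the crackme), here is a Python re-implementation of the check reversed above together with the author's hand-made serial rule. It assumes the VB code sums the character codes of the serial (the `Asc` values) and that a serial made of one repeated character is refused, as the write-up states.

```python
# Added example, not part of the original write-up. Assumptions: the serial's
# character codes are summed as plain integers, and an all-same-character
# serial is rejected before the comparison (as the write-up says it is).


def vb_bool_hex(cond: bool) -> str:
    """Mimic sete/neg followed by rtcHexBstrFromVar on a 16-bit VB Boolean:
    True becomes -1 (0xFFFF) -> "FFFF", False becomes 0 -> "0"."""
    return "FFFF" if cond else "0"


def serial_check(serial: str) -> bool:
    """Check sum(serial) == serial[0] * len(serial), compared through the
    "FFFF" string exactly as the __vbaVarTstEq at 00404E27 does."""
    if not serial:
        return False
    codes = [ord(c) for c in serial]
    if len(set(codes)) == 1:           # single repeated character: refused
        return False
    total = sum(codes)                 # the per-character addition loop
    product = codes[0] * len(codes)    # the earlier "*" computation
    return vb_bool_hex(total == product) == "FFFF"


def make_serial(start: str, length: int) -> str:
    """Author's trick: take `length` (odd) consecutive character codes
    starting at `start` and move the middle one to the front. Its code is
    the average of the run, so sum == first * length holds."""
    if length < 3 or length % 2 == 0:
        raise ValueError("length must be odd and at least 3")
    run = [chr(ord(start) + i) for i in range(length)]
    mid = length // 2
    return run[mid] + "".join(run[:mid] + run[mid + 1:])


if __name__ == "__main__":
    s = make_serial("A", 5)             # "CABDE"
    print(s, serial_check(s))           # CABDE True
    print(serial_check("AAAAA"))        # False: single repeated character
    print(serial_check("ABCDE"))        # False: first char is not the middle code
```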