160 - 22 CarLitoZ.1
環境
Windows xp sp3
工具
exeinfope
Ollydbg
查殼
無殼的VB程序
測試
輸入“1234567”
顯示這個:
直接用 OD 載入程序，然後搜索字符串。
00402D20 > \55 push ebp 00402D21 . 8BEC mov ebp,esp 00402D23 . 83EC 0C sub esp,0xC 00402D26 . 68 66104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; SE 處理程序安裝 00402D2B . 64:A1 0000000>mov eax,dword ptr fs:[0] 00402D31 . 50 push eax 00402D32 . 64:8925 00000>mov dword ptr fs:[0],esp 00402D39 . 81EC 98000000 sub esp,0x98 00402D3F . 53 push ebx 00402D40 . 56 push esi 00402D41 . 8B75 08 mov esi,dword ptr ss:[ebp+0x8] 00402D44 . 57 push edi 00402D45 . 8BC6 mov eax,esi 00402D47 . 83E6 FE and esi,0xFFFFFFFE 00402D4A . 8965 F4 mov dword ptr ss:[ebp-0xC],esp 00402D4D . 83E0 01 and eax,0x1 00402D50 . 8B1E mov ebx,dword ptr ds:[esi] 00402D52 . C745 F8 20104>mov dword ptr ss:[ebp-0x8],CarLitoZ.0040> 00402D59 . 56 push esi 00402D5A . 8945 FC mov dword ptr ss:[ebp-0x4],eax 00402D5D . 8975 08 mov dword ptr ss:[ebp+0x8],esi 00402D60 . FF53 04 call dword ptr ds:[ebx+0x4] 00402D63 . 33FF xor edi,edi 00402D65 . 56 push esi 00402D66 . 897D E8 mov dword ptr ss:[ebp-0x18],edi 00402D69 . 897D E4 mov dword ptr ss:[ebp-0x1C],edi 00402D6C . 897D D4 mov dword ptr ss:[ebp-0x2C],edi 00402D6F . 897D C4 mov dword ptr ss:[ebp-0x3C],edi 00402D72 . 897D B4 mov dword ptr ss:[ebp-0x4C],edi 00402D75 . 897D A4 mov dword ptr ss:[ebp-0x5C],edi 00402D78 . 897D 94 mov dword ptr ss:[ebp-0x6C],edi 00402D7B . 897D 84 mov dword ptr ss:[ebp-0x7C],edi 00402D7E . FF93 F8060000 call dword ptr ds:[ebx+0x6F8] ; 這里跟進去,因為這里會得出比較結果 00402D84 . 3BC7 cmp eax,edi 00402D86 . 7D 12 jge XCarLitoZ.00402D9A 00402D88 . 68 F8060000 push 0x6F8 00402D8D . 68 0C224000 push CarLitoZ.0040220C 00402D92 . 56 push esi 00402D93 . 50 push eax 00402D94 . FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj 00402D9A > 8D4E 34 lea ecx,dword ptr ds:[esi+0x34] 00402D9D . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] 00402DA0 . 51 push ecx ; /var18 00402DA1 . 52 push edx ; |var28 00402DA2 . C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1 ; | 00402DA9 . C745 94 02800>mov dword ptr ss:[ebp-0x6C],0x8002 ; | 00402DB0 . 
FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq 00402DB6 . 8B3D C4614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup 00402DBC . B9 04000280 mov ecx,0x80020004 00402DC1 . 66:85C0 test ax,ax 00402DC4 . B8 0A000000 mov eax,0xA 00402DC9 . 894D AC mov dword ptr ss:[ebp-0x54],ecx 00402DCC . 894D BC mov dword ptr ss:[ebp-0x44],ecx 00402DCF . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax 00402DD2 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax 00402DD5 . C745 8C 08234>mov dword ptr ss:[ebp-0x74],CarLitoZ.004>; UNICODE "CrackMe v1.0" 00402DDC . C745 84 08000>mov dword ptr ss:[ebp-0x7C],0x8 00402DE3 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C] 00402DE6 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C] 00402DE9 . 0F84 5A010000 je CarLitoZ.00402F49 00402DEF . FFD7 call edi ; <&MSVBVM50.__vbaVarDup> 00402DF1 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] 00402DF4 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C] 00402DF7 . C745 9C D4224>mov dword ptr ss:[ebp-0x64],CarLitoZ.004>; UNICODE "Registration Successful" 00402DFE . C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8 00402E05 . FFD7 call edi 00402E07 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C] 00402E0A . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C] 00402E0D . 50 push eax 00402E0E . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C] 00402E11 . 51 push ecx 00402E12 . 52 push edx 00402E13 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C] 00402E16 . 6A 30 push 0x30 00402E18 . 50 push eax 00402E19 . FF15 40614000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox 00402E1F . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C] 00402E22 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C] 00402E25 . 51 push ecx 00402E26 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C] 00402E29 . 52 push edx 00402E2A . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C] 00402E2D . 50 push eax 00402E2E . 51 push ecx 00402E2F . 6A 04 push 0x4 00402E31 . FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList 00402E37 . 83C4 14 add esp,0x14 00402E3A . 
8D7E 44 lea edi,dword ptr ds:[esi+0x44] 00402E3D . 68 40224000 push CarLitoZ.00402240 ; UNICODE "c:\windows\MTR.dat" 00402E42 . 57 push edi 00402E43 . FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>; MSVBVM50.__vbaI2Var 00402E49 . 50 push eax 00402E4A . 6A FF push -0x1 00402E4C . 6A 20 push 0x20 00402E4E . FF15 98614000 call dword ptr ds:[<&MSVBVM50.__vbaFileO>; MSVBVM50.__vbaFileOpen 00402E54 . BA 6C224000 mov edx,CarLitoZ.0040226C ; UNICODE "trv2156j0e" 00402E59 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] 00402E5C . FF15 AC614000 call dword ptr ds:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy 00402E62 . 57 push edi 00402E63 . FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>; MSVBVM50.__vbaI2Var 00402E69 . 50 push eax 00402E6A . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18] 00402E6D . 6A 2D push 0x2D 00402E6F . 52 push edx 00402E70 . 6A 00 push 0x0 00402E72 . FF15 24614000 call dword ptr ds:[<&MSVBVM50.__vbaPut4>>; MSVBVM50.__vbaPut4 00402E78 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] 00402E7B . FF15 DC614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr 00402E81 . 57 push edi 00402E82 . FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>; MSVBVM50.__vbaI2Var 00402E88 . 50 push eax 00402E89 . FF15 60614000 call dword ptr ds:[<&MSVBVM50.__vbaFileC>; MSVBVM50.__vbaFileClose 00402E8F . 56 push esi 00402E90 . FF93 0C030000 call dword ptr ds:[ebx+0x30C] 00402E96 . 50 push eax 00402E97 . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C] 00402E9A . 50 push eax 00402E9B . FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet 00402EA1 . 8BF8 mov edi,eax 00402EA3 . 68 88224000 push CarLitoZ.00402288 ; UNICODE "REGISTERED" 00402EA8 . 57 push edi 00402EA9 . 8B0F mov ecx,dword ptr ds:[edi] 00402EAB . FF51 54 call dword ptr ds:[ecx+0x54] 00402EAE . 85C0 test eax,eax 00402EB0 . 7D 0F jge XCarLitoZ.00402EC1 00402EB2 . 6A 54 push 0x54 00402EB4 . 68 A0224000 push CarLitoZ.004022A0 00402EB9 . 57 push edi 00402EBA . 50 push eax 00402EBB . 
FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj 00402EC1 > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00402EC4 . FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj 00402ECA . 56 push esi 00402ECB . FF93 04030000 call dword ptr ds:[ebx+0x304] 00402ED1 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C] 00402ED4 . 50 push eax 00402ED5 . 52 push edx 00402ED6 . FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet 00402EDC . 8BF8 mov edi,eax 00402EDE . 6A 00 push 0x0 00402EE0 . 57 push edi 00402EE1 . 8B07 mov eax,dword ptr ds:[edi] 00402EE3 . FF90 8C000000 call dword ptr ds:[eax+0x8C] 00402EE9 . 85C0 test eax,eax 00402EEB . 7D 12 jge XCarLitoZ.00402EFF 00402EED . 68 8C000000 push 0x8C 00402EF2 . 68 B0224000 push CarLitoZ.004022B0 00402EF7 . 57 push edi 00402EF8 . 50 push eax 00402EF9 . FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj 00402EFF > 8B3D E0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj 00402F05 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00402F08 . FFD7 call edi ; <&MSVBVM50.__vbaFreeObj> 00402F0A . 56 push esi 00402F0B . FF93 08030000 call dword ptr ds:[ebx+0x308] 00402F11 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00402F14 . 50 push eax 00402F15 . 51 push ecx 00402F16 . FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet 00402F1C . 8BF0 mov esi,eax 00402F1E . 6A 00 push 0x0 00402F20 . 56 push esi 00402F21 . 8B16 mov edx,dword ptr ds:[esi] 00402F23 . FF92 8C000000 call dword ptr ds:[edx+0x8C] 00402F29 . 85C0 test eax,eax 00402F2B . 7D 12 jge XCarLitoZ.00402F3F 00402F2D . 68 8C000000 push 0x8C 00402F32 . 68 C0224000 push CarLitoZ.004022C0 00402F37 . 56 push esi 00402F38 . 50 push eax 00402F39 . FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj 00402F3F > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00402F42 . FFD7 call edi 00402F44 . 
E9 8C000000 jmp CarLitoZ.00402FD5 00402F49 > FFD7 call edi 00402F4B . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] 00402F4E . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C] 00402F51 . C745 9C 28234>mov dword ptr ss:[ebp-0x64],CarLitoZ.004>; UNICODE " Wrong Code! Try Again" 00402F58 . C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8 00402F5F . FFD7 call edi 00402F61 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C] 00402F64 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C] 00402F67 . 50 push eax 00402F68 . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C] 00402F6B . 51 push ecx 00402F6C . 52 push edx 00402F6D . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C] 00402F70 . 6A 10 push 0x10 00402F72 . 50 push eax 00402F73 . FF15 40614000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox 00402F79 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C] 00402F7C . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C] 00402F7F . 51 push ecx 00402F80 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C] 00402F83 . 52 push edx 00402F84 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C] 00402F87 . 50 push eax 00402F88 . 51 push ecx 00402F89 . 6A 04 push 0x4 00402F8B . FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList 00402F91 . 83C4 14 add esp,0x14 00402F94 . 56 push esi 00402F95 . FF93 08030000 call dword ptr ds:[ebx+0x308] 00402F9B . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C] 00402F9E . 50 push eax 00402F9F . 52 push edx 00402FA0 . FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet 00402FA6 . 8BF0 mov esi,eax 00402FA8 . 68 5C234000 push CarLitoZ.0040235C 00402FAD . 56 push esi 00402FAE . 8B06 mov eax,dword ptr ds:[esi] 00402FB0 . FF90 A4000000 call dword ptr ds:[eax+0xA4] 00402FB6 . 85C0 test eax,eax 00402FB8 . 7D 12 jge XCarLitoZ.00402FCC 00402FBA . 68 A4000000 push 0xA4 00402FBF . 68 C0224000 push CarLitoZ.004022C0 00402FC4 . 56 push esi 00402FC5 . 50 push eax 00402FC6 . 
FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj 00402FCC > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00402FCF . FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj 00402FD5 > C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0 00402FDC . 68 12304000 push CarLitoZ.00403012 00402FE1 . EB 2E jmp XCarLitoZ.00403011 00402FE3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] 00402FE6 . FF15 DC614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr 00402FEC . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] 00402FEF . FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj 00402FF5 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C] 00402FF8 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C] 00402FFB . 51 push ecx 00402FFC . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C] 00402FFF . 52 push edx 00403000 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C] 00403003 . 50 push eax 00403004 . 51 push ecx 00403005 . 6A 04 push 0x4 00403007 . FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList 0040300D . 83C4 14 add esp,0x14 00403010 . C3 retn 00403011 > C3 retn ; RET 用作跳轉到 00403012 00403012 > 8B45 08 mov eax,dword ptr ss:[ebp+0x8] 00403015 . 50 push eax 00403016 . 8B10 mov edx,dword ptr ds:[eax] 00403018 . FF52 08 call dword ptr ds:[edx+0x8] 0040301B . 8B4D EC mov ecx,dword ptr ss:[ebp-0x14] 0040301E . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] 00403021 . 5F pop edi 00403022 . 5E pop esi 00403023 . 64:890D 00000>mov dword ptr fs:[0],ecx 0040302A . 5B pop ebx 0040302B . 8BE5 mov esp,ebp 0040302D . 5D pop ebp 0040302E . C2 0400 retn 0x4因為是VB程序,所以會有很多變量的生成銷毀函數調用,注意一下就好了,因為結構都差不多,看看哪些語句重復的,基本上就可考慮是為函數調用服務的,與算法無關。
在關鍵call那里跟進去:
跳過一些函數調用,直接來到算法部分:
0040362B . 8945 9C mov dword ptr ss:[ebp-0x64],eax 0040362E . 52 push edx ; /Length8 0040362F . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; | 00403632 . 6A 06 push 0x6 ; |Start = 6 00403634 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] ; | 0040363A . BB 02000000 mov ebx,0x2 ; | 0040363F . 50 push eax ; |dString8 00403640 . 51 push ecx ; |RetBUFFER 00403641 . 8975 E8 mov dword ptr ss:[ebp-0x18],esi ; | 00403644 . C785 A4FDFFFF>mov dword ptr ss:[ebp-0x25C],0x8008 ; | 0040364E . C745 8C 01000>mov dword ptr ss:[ebp-0x74],0x1 ; | 00403655 . 895D 84 mov dword ptr ss:[ebp-0x7C],ebx ; | 00403658 . 8975 E4 mov dword ptr ss:[ebp-0x1C],esi ; | 0040365B . C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8 ; | 00403662 . FFD7 call edi ; \rtcMidCharVar 00403664 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] 00403667 . 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC] 0040366D . 8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax 00403673 . 52 push edx ; /Length8 00403674 . 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-0x9C] ; | 0040367A . 6A 09 push 0x9 ; |Start = 9 0040367C . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; | 00403682 . 50 push eax ; |dString8 00403683 . 51 push ecx ; |RetBUFFER 00403684 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x1 ; | 0040368E . 899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx ; | 00403694 . 8975 E0 mov dword ptr ss:[ebp-0x20],esi ; | 00403697 . C785 64FFFFFF>mov dword ptr ss:[ebp-0x9C],0x8 ; | 004036A1 . FFD7 call edi ; \rtcMidCharVar 004036A3 . 8B45 DC mov eax,dword ptr ss:[ebp-0x24] 004036A6 . 8D95 14FFFFFF lea edx,dword ptr ss:[ebp-0xEC] 004036AC . 8985 2CFFFFFF mov dword ptr ss:[ebp-0xD4],eax 004036B2 . 52 push edx ; /Length8 004036B3 . 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-0xDC] ; | 004036B9 . 68 8F000000 push 0x8F ; |Start = 8F 004036BE . 8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-0xFC] ; | 004036C4 . 50 push eax ; |dString8 004036C5 . 51 push ecx ; |RetBUFFER 004036C6 . C785 1CFFFFFF>mov dword ptr ss:[ebp-0xE4],0x1 ; | 004036D0 . 
899D 14FFFFFF mov dword ptr ss:[ebp-0xEC],ebx ; | 004036D6 . 8975 DC mov dword ptr ss:[ebp-0x24],esi ; | 004036D9 . C785 24FFFFFF>mov dword ptr ss:[ebp-0xDC],0x8 ; | 004036E3 . FFD7 call edi ; \rtcMidCharVar 004036E5 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] 004036E8 . 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-0x12C] 004036EE . 8985 ECFEFFFF mov dword ptr ss:[ebp-0x114],eax 004036F4 . 52 push edx ; /Length8 004036F5 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-0x11C] ; | 004036FB . 6A 10 push 0x10 ; |Start = 10 004036FD . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-0x13C] ; | 00403703 . 50 push eax ; |dString8 00403704 . 51 push ecx ; |RetBUFFER 00403705 . C785 DCFEFFFF>mov dword ptr ss:[ebp-0x124],0x1 ; | 0040370F . 899D D4FEFFFF mov dword ptr ss:[ebp-0x12C],ebx ; | 00403715 . 8975 D8 mov dword ptr ss:[ebp-0x28],esi ; | 00403718 . C785 E4FEFFFF>mov dword ptr ss:[ebp-0x11C],0x8 ; | 00403722 . FFD7 call edi ; \rtcMidCharVar 00403724 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] 00403727 . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-0x16C] 0040372D . 8985 ACFEFFFF mov dword ptr ss:[ebp-0x154],eax 00403733 . 52 push edx ; /Length8 00403734 . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C] ; | 0040373A . 68 A1000000 push 0xA1 ; |Start = A1 0040373F . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-0x17C] ; | 00403745 . 50 push eax ; |dString8 00403746 . 51 push ecx ; |RetBUFFER 00403747 . C785 9CFEFFFF>mov dword ptr ss:[ebp-0x164],0x1 ; | 00403751 . 899D 94FEFFFF mov dword ptr ss:[ebp-0x16C],ebx ; | 00403757 . 8975 D4 mov dword ptr ss:[ebp-0x2C],esi ; | 0040375A . C785 A4FEFFFF>mov dword ptr ss:[ebp-0x15C],0x8 ; | 00403764 . FFD7 call edi ; \rtcMidCharVar 00403766 . 8B45 D0 mov eax,dword ptr ss:[ebp-0x30] 00403769 . C785 5CFEFFFF>mov dword ptr ss:[ebp-0x1A4],0x1 00403773 . 899D 54FEFFFF mov dword ptr ss:[ebp-0x1AC],ebx 00403779 . 8975 D0 mov dword ptr ss:[ebp-0x30],esi 0040377C . 8985 6CFEFFFF mov dword ptr ss:[ebp-0x194],eax 00403782 . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC] 00403788 . 
8D85 64FEFFFF lea eax,dword ptr ss:[ebp-0x19C] 0040378E . 52 push edx ; /Length8 0040378F . 68 AB000000 push 0xAB ; |Start = AB 00403794 . 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC] ; | 0040379A . 50 push eax ; |dString8 0040379B . 51 push ecx ; |RetBUFFER 0040379C . C785 64FEFFFF>mov dword ptr ss:[ebp-0x19C],0x8 ; | 004037A6 . FFD7 call edi ; \rtcMidCharVar 004037A8 . 8B45 CC mov eax,dword ptr ss:[ebp-0x34] 004037AB . 8D95 14FEFFFF lea edx,dword ptr ss:[ebp-0x1EC] 004037B1 . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax 004037B7 . 52 push edx ; /Length8 004037B8 . 8D85 24FEFFFF lea eax,dword ptr ss:[ebp-0x1DC] ; | 004037BE . 68 A6000000 push 0xA6 ; |Start = A6 004037C3 . 8D8D 04FEFFFF lea ecx,dword ptr ss:[ebp-0x1FC] ; | 004037C9 . 50 push eax ; |dString8 004037CA . 51 push ecx ; |RetBUFFER 004037CB . C785 1CFEFFFF>mov dword ptr ss:[ebp-0x1E4],0x1 ; | 004037D5 . 899D 14FEFFFF mov dword ptr ss:[ebp-0x1EC],ebx ; | 004037DB . 8975 CC mov dword ptr ss:[ebp-0x34],esi ; | 004037DE . C785 24FEFFFF>mov dword ptr ss:[ebp-0x1DC],0x8 ; | 004037E8 . FFD7 call edi ; \rtcMidCharVar 004037EA . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] 004037ED . 8D95 D4FDFFFF lea edx,dword ptr ss:[ebp-0x22C] 004037F3 . 8985 ECFDFFFF mov dword ptr ss:[ebp-0x214],eax 004037F9 . 52 push edx ; /Length8 004037FA . 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-0x21C] ; | 00403800 . 68 A8000000 push 0xA8 ; |Start = A8 00403805 . 8D8D C4FDFFFF lea ecx,dword ptr ss:[ebp-0x23C] ; | 0040380B . 50 push eax ; |dString8 0040380C . 51 push ecx ; |RetBUFFER 0040380D . C785 DCFDFFFF>mov dword ptr ss:[ebp-0x224],0x1 ; | 00403817 . 899D D4FDFFFF mov dword ptr ss:[ebp-0x22C],ebx ; | 0040381D . 8975 C8 mov dword ptr ss:[ebp-0x38],esi ; | 00403820 . C785 E4FDFFFF>mov dword ptr ss:[ebp-0x21C],0x8 ; | 0040382A . FFD7 call edi ; \rtcMidCharVar 0040382C . 8B3D C0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarAdd 00403832 . 8D95 A4FDFFFF lea edx,dword ptr ss:[ebp-0x25C] 00403838 . 
8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C] ; 輸入的字符串 0040383E . 52 push edx ; /var18 0040383F . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; |將字符串連起來而已 00403845 . 50 push eax ; |/var18 00403846 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-0xCC] ; || 0040384C . 51 push ecx ; ||var28 0040384D . 52 push edx ; ||saveto8 0040384E . FFD7 call edi ; |\__vbaVarAdd 00403850 . 50 push eax ; |/var18 00403851 . 8D85 04FFFFFF lea eax,dword ptr ss:[ebp-0xFC] ; || 00403857 . 8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-0x10C] ; || 0040385D . 50 push eax ; ||var28 0040385E . 51 push ecx ; ||saveto8 0040385F . FFD7 call edi ; |\__vbaVarAdd 00403861 . 50 push eax ; |/var18 00403862 . 8D95 C4FEFFFF lea edx,dword ptr ss:[ebp-0x13C] ; || 00403868 . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C] ; || 0040386E . 52 push edx ; ||var28 0040386F . 50 push eax ; ||saveto8 00403870 . FFD7 call edi ; |\__vbaVarAdd 00403872 . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-0x17C] ; | 00403878 . 50 push eax ; |/var18 00403879 . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C] ; || 0040387F . 51 push ecx ; ||var28 00403880 . 52 push edx ; ||saveto8 00403881 . FFD7 call edi ; |\__vbaVarAdd 00403883 . 50 push eax ; |/var18 00403884 . 8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC] ; || 0040388A . 8D8D 34FEFFFF lea ecx,dword ptr ss:[ebp-0x1CC] ; || 00403890 . 50 push eax ; ||var28 00403891 . 51 push ecx ; ||saveto8 00403892 . FFD7 call edi ; |\__vbaVarAdd 00403894 . 50 push eax ; |/var18 00403895 . 8D95 04FEFFFF lea edx,dword ptr ss:[ebp-0x1FC] ; || 0040389B . 8D85 F4FDFFFF lea eax,dword ptr ss:[ebp-0x20C] ; || 004038A1 . 52 push edx ; ||var28 004038A2 . 50 push eax ; ||saveto8 004038A3 . FFD7 call edi ; |\__vbaVarAdd 004038A5 . 8D8D C4FDFFFF lea ecx,dword ptr ss:[ebp-0x23C] ; | 004038AB . 50 push eax ; |/var18 004038AC . 51 push ecx ; ||var28 004038AD . 8D95 B4FDFFFF lea edx,dword ptr ss:[ebp-0x24C] ; || 004038B3 . 52 push edx ; ||saveto8 004038B4 . FFD7 call edi ; |\__vbaVarAdd 004038B6 . 
50 push eax ; |var28 004038B7 . FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq 004038BD . 8BF8 mov edi,eax每次rtcMidCharVar函數調用完后,eax會是一個地址,內存跟隨這個地址,會得到一個variant類型的變量,如:
0012F390 08 00 00 00 00 D1 91 00 ....褢. 0012F398 44 36 16 00 C5 A5 07 74 D6.鈕t再跟隨這個163644地址,就會得到一個字符。
00163644 72 00 00 00 00 00 00 00 r....... 0016364C 80 37 16 00 25 00 03 00 €7.%..剛剛好rtcMidCharVar這個函數出現了8次,于是有8個字符。
而后面的vbaVarAdd函數則是將這8個字符合在了一起,變成了字符串。
在0040383E位置是我們輸入的serial,
而在004038B6是那合在一起的8個字符,
后面的 __vbaVarTstEq 函數就是拿這兩個值做相等比較,作用不言而喻了。
所以最后那8個字符為:
rkh1oyie
這就是serial了。
總結