環境
Windows xp sp3

查殼
無殼的VB程序

測試：

輸入
Name:123456
Serial:12345

字符串搜索，找到判斷位置。
判斷Name的長度要大于等于5：

00402CBC . 33C9 xor ecx,ecx 00402CBE . 83F8 04 cmp eax,0x4 00402CC1 . 0F9EC1 setle cl 00402CC4 . F7D9 neg ecx 00402CC6 . 66:898D DCFEF>mov word ptr ss:[ebp-0x124],cx 00402CDF . 66:399D DCFEF>cmp word ptr ss:[ebp-0x124],bx 00402CE6 . 0F84 B0000000 je Colormas.00402D9C ; name的長度要大于等于5 00402DF1 > \8B55 D8 mov edx,dword ptr ss:[ebp-0x28] ; 獲取Name的長度 00402DF4 . 52 push edx ; /String 00402DF5 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr 00402DFB . 8985 14FFFFFF mov dword ptr ss:[ebp-0xEC],eax 00402E01 . 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-0xE4] 00402E07 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-0xF4] 00402E0D . 50 push eax ; /Step8 00402E0E . 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-0x104] ; | 00402E14 . 51 push ecx ; |End8 00402E15 . 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-0x178] ; | 00402E1B . 52 push edx ; |Start8 00402E1C . 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-0x168] ; | 00402E22 . 50 push eax ; |TMPend8 00402E23 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24] ; | 00402E26 . 51 push ecx ; |TMPstep8 00402E27 . 52 push edx ; |Counter8 00402E28 . C785 0CFFFFFF>mov dword ptr ss:[ebp-0xF4],0x3 ; | 00402E32 . C785 04FFFFFF>mov dword ptr ss:[ebp-0xFC],0x1 ; | 00402E3C . C785 FCFEFFFF>mov dword ptr ss:[ebp-0x104],0x2 ; | 00402E46 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForInit00402EB1 > \8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] ; Name 00402EB4 . 50 push eax ; /String 00402EB5 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr00402F15 . 50 push eax 00402F16 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str 00402F1C . 0FBF8D E8FEFF>movsx ecx,word ptr ss:[ebp-0x118] 00402F23 . 898D 74FEFFFF mov dword ptr ss:[ebp-0x18C],ecx 00402F29 . 8D55 8C lea edx,dword ptr ss:[ebp-0x74] 00402F2C . DB85 74FEFFFF fild dword ptr ss:[ebp-0x18C] 00402F32 . 52 push edx 00402F33 . C785 0CFFFFFF>mov dword ptr ss:[ebp-0xF4],0x5 00402F3D . C745 94 15000>mov dword ptr ss:[ebp-0x6C],0x15 00402F44 . C745 8C 02000>mov dword ptr ss:[ebp-0x74],0x2 00402F4B . DD9D 6CFEFFFF fstp qword ptr ss:[ebp-0x194] ; 這里開始計算serial的其中的一部分00402F51 . DC8D 6CFEFFFF fmul qword ptr ss:[ebp-0x194] ; 432.4 00402F57 . DC0D 00114000 fmul qword ptr ds:[0x401100] ; 17.79 00402F5D . DD9D 14FFFFFF fstp qword ptr ss:[ebp-0xEC] ; 用于下面[00402F97]的計算 00402F8C . 52 push edx ; /var18 00402F8D . 8B19 mov ebx,dword ptr ds:[ecx] ; | 00402F8F . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] ; | 00402F95 . 50 push eax ; |var28 00402F96 . 51 push ecx ; |SaveToST 00402F97 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDi>; \__vbaVarDiv 00402F9D . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30] ; 其中的一個除數是150040307A . 8D95 98FEFFFF lea edx,dword ptr ss:[ebp-0x168] 00403080 . 51 push ecx ; /TMPend8 00403081 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; | 00403084 . 52 push edx ; |TMPstep8 00403085 . 50 push eax ; |Counter8 00403086 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext 0040308C . 8985 7CFEFFFF mov dword ptr ss:[ebp-0x184],eax 00403092 . 33DB xor ebx,ebx 00403094 .^ E9 CBFDFFFF jmp Colormas.00402E64

截取了for循環中我認為對計算serial有價值的一部分。
當這個for循環結束之后，會通過name算出最后一個值。
（1）會用name最后一個字符，乘以432.4 * 17.79 / 15

004030F4 . 8B18 mov ebx,dword ptr ds:[eax] 004030F6 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str 004030FC . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaFPFix>; MSVBVM60.__vbaFPFix 00403102 . 83EC 08 sub esp,0x8 00403105 . DD1C24 fstp qword ptr ss:[esp] 00403108 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrR8>; MSVBVM60.__vbaStrR8

（2）這一段是將上面算出來的數值取整

004032DD > \8B55 D8 mov edx,dword ptr ss:[ebp-0x28] 004032E0 . 52 push edx ; /String 004032E1 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr 004032E7 . 0FBFC0 movsx eax,ax 004032EA . 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C] 004032ED . 8985 60FEFFFF mov dword ptr ss:[ebp-0x1A0],eax 004032F3 . DB85 60FEFFFF fild dword ptr ss:[ebp-0x1A0] 004032F9 . 51 push ecx 004032FA . DD9D 58FEFFFF fstp qword ptr ss:[ebp-0x1A8] 00403300 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str 00403306 . DC85 58FEFFFF fadd qword ptr ss:[ebp-0x1A8] 0040330C . 8B16 mov edx,dword ptr ds:[esi] 0040330E . 56 push esi 0040330F . C785 0CFFFFFF>mov dword ptr ss:[ebp-0xF4],0x5 00403319 . DD9D 14FFFFFF fstp qword ptr ss:[ebp-0xEC] ; 保存相加結果

（3）上面那一段主要是再將上面（2）得到的結果加上第一個字符的值。

00403361 > \8B55 D0 mov edx,dword ptr ss:[ebp-0x30] 00403364 . 52 push edx 00403365 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str 0040336B . 66:6BDB 19 imul bx,bx,0x19 ; 第一個字符乘以0x19 0040336F . 0F80 0B050000 jo Colormas.00403880 00403375 . 0FBFC3 movsx eax,bx 00403378 . 8985 54FEFFFF mov dword ptr ss:[ebp-0x1AC],eax 0040337E . 8D4D 8C lea ecx,dword ptr ss:[ebp-0x74] 00403381 . DB85 54FEFFFF fild dword ptr ss:[ebp-0x1AC] 00403387 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] 0040338D . 51 push ecx 0040338E . 52 push edx 0040338F . C745 8C 05000>mov dword ptr ss:[ebp-0x74],0x5 00403396 . DD9D 4CFEFFFF fstp qword ptr ss:[ebp-0x1B4] 0040339C . DCA5 4CFEFFFF fsub qword ptr ss:[ebp-0x1B4] ; 減去上面那個值 004033A2 . DD5D 94 fstp qword ptr ss:[ebp-0x6C]

（4）用（2）得出的結果減去name第一個字符*0x19的值，并且將這個值轉成16進制。

004033E6 > \8B45 C8 mov eax,dword ptr ss:[ebp-0x38] 004033E9 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4] 004033EF . 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4] 004033F5 . 51 push ecx 004033F6 . 52 push edx 004033F7 . C745 C8 00000>mov dword ptr ss:[ebp-0x38],0x0 004033FE . 8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax 00403404 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x8 0040340E . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar

（5）將(2)的結果轉為16進制

00403482 > \8B55 C4 mov edx,dword ptr ss:[ebp-0x3C] 00403485 . 52 push edx ; /String = "1" 00403486 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr 0040348C . 0FBFD8 movsx ebx,ax 0040348F . 8B45 C0 mov eax,dword ptr ss:[ebp-0x40] 00403492 . 50 push eax ; /String 00403493 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr 00403499 . 0FAFD8 imul ebx,eax ; 長度*首字符 0040349C . 8B8D ACFEFFFF mov ecx,dword ptr ss:[ebp-0x154] 004034A2 . C785 FCFEFFFF>mov dword ptr ss:[ebp-0x104],0x3 004034AC . 0F80 CE030000 jo Colormas.00403880 004034B2 . 83EB 1B sub ebx,0x1B ; 減去0x1B

（6）取出name的第一個字符 * name的長度 - 0x1B

004034C9 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84] 004034CF . 52 push edx 004034D0 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] 004034D6 . 50 push eax 004034D7 . 51 push ecx 004034D8 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat 004034DE . 50 push eax 004034DF . 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4] 004034E5 . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4] 004034EB . 52 push edx 004034EC . 50 push eax 004034ED . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat 004034F3 . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104] 004034F9 . 50 push eax 004034FA . 8D95 2CFFFFFF lea edx,dword ptr ss:[ebp-0xD4] 00403500 . 51 push ecx 00403501 . 52 push edx 00403502 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat 00403508 . 50 push eax ; /String8 00403509 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44] ; | 0040350C . 50 push eax ; |ARG2 0040350D . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal

（7）將（3）（4）（5）（6）的值合起來。

00403665 . 50 push eax 00403666 . 51 push ecx 00403667 . 52 push edx ; /String 00403668 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr 0040366E . 50 push eax 0040366F . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4 00403675 . 8B35 DC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove 0040367B . 8BD0 mov edx,eax 0040367D . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] 00403680 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove> 00403682 . 8B3D 30104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCat 00403688 . 50 push eax ; /String 00403689 . FFD7 call edi ; \__vbaStrCat 0040368B . 8BD0 mov edx,eax ; 將name的長度加到serial里面去 0040368D . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38] 00403690 . FFD6 call esi 00403692 . 50 push eax 00403693 . 68 741F4000 push Colormas.00401F74 ; UNICODE "-CM" 00403698 . FFD7 call edi ; 計算出來的值再加上-CM

（8）將（7）的結果加上name的長度，后面再加一個字符串“-CM”

所以（8）就是所求的serial了

總結

以上是生活随笔為你收集整理的160 - 26 Colormaster的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。