|
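[Original] Registration analysis of Advanced Query Tool V8
3776 mod 26 = 6 is correct, but when using it as a character index into the string, note that this remainder 6 is counted from 0. So the character obtained by indexing should be g, not q. |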
|
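[Original] Registration analysis of Advanced Query Tool V8
Sorry, I got one character wrong.
Registration name: Articlezou
Standard Edition registration code: aqts-45896653123450381216-gazl
Extended Edition registration code: aqtx-52337530399789933543-gazl |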
|
[Original] Registration analysis of Advanced Query Tool V8
Registration name: Articlezou
Standard Edition registration code: aqts-45896653123450381216-gazl
Extended Edition registration code: aqts-52337530399789933543-gazl |
|
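[Original] Registration analysis of Advanced Query Tool V8
Please give your registration name (it cannot be in Chinese), along with three English letters you like. |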
|
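[Original] Registration analysis of Advanced Query Tool V8
The code starting at 9ACECF is mainly used to display some prompt messages and do some cleanup. Because the code is very long, the code of the other procedures is not posted here. However, the following should be noted:
1. When 9A908B is called, what is actually computed is the remainder of the 20-digit NumOfKey divided by CheckSumOfName.
2. On the surface, the last three characters of AlphaOfKey can be "nnn". Later, when 845426 is called, the procedure starting at 81DA26 gets called. It shows that the last three characters of AlphaOfKey being "nnn" means that AlphaOfKey contains the day limit of the evaluation version.

From the analysis, the following points can be summarized:
1. The registration name, with whitespace removed, must not be shorter than three characters;
2. The registration code must contain a 20-digit number;
3. If the lowercase form of the 4th character of AlphaOfKey is s, and the remainder of NumOfKey divided by CheckSumOfName is 0, it is the Standard Edition;
4. If the lowercase form of the 4th character of AlphaOfKey is x, and the remainder of NumOfKey divided by CheckSumOfName is 19, it is the Extended Edition;
5. If the lowercase form of the 4th character of AlphaOfKey is u, and the remainder of NumOfKey divided by CheckSumOfName is 7, it is the v7 upgrade edition;
6. If the lowercase form of the 4th character of AlphaOfKey is v, and the remainder of NumOfKey divided by CheckSumOfName is 7, it is the v8 upgrade edition;
7. The 8th character of AlphaOfKey must satisfy the algorithm of the 855D81 procedure.

On the surface, the analysis ends here. But there are still a few issues I would like to discuss with everyone:
1. We can write a keygen based on the preceding analysis, but there is a question of algorithm and strategy in it. Deriving AlphaOfKey backwards from a qualifying 20-digit value is obviously impossible. My approach is: the first three characters of AlphaOfKey are fixed, the fourth character is set to one of s, x, u, v, the fifth to seventh characters are entered interactively, and the eighth character is computed from the registration name using the algorithm from the analysis. After computing CheckSumOfName, a 20-digit integer is generated digit by digit using random numbers. If the remainder of this big integer divided by CheckSumOfName is not 0, 19 or 7, it is adjusted so that it meets the requirement;
2. I thought that would be enough. I generated an Extended Edition key with the keygen, but after entering it I found that the bottom of the registration information window showed "v7 Extended Edtion". That was a bit annoying. Further tracing showed that the fourth character of AlphaOfKey must be lowercase. After modifying the keygen, it finally worked as hoped. |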
|
[Original] Registration analysis of Advanced Query Tool V8
; The following handles the case where the fourth character of AlphaOfKey is "v"
009AC901 mov dword ptr [ebp-4], 6C
009AC908 lea eax, dword ptr [ebp-11C]
009AC90E push eax
009AC90F push 00C7D40C
009AC914 push 00C7D404
009AC919 mov eax, dword ptr [ebp+8]
009AC91C add eax, 38
009AC91F push eax
009AC920 lea eax, dword ptr [ebp-24]
009AC923 push eax
009AC924 mov eax, dword ptr [ebp+8]
009AC927 mov eax, dword ptr [eax]
009AC929 push dword ptr [ebp+8]
009AC92C call dword ptr [eax+6FC]
009AC932 mov dword ptr [ebp-120], eax
009AC938 cmp dword ptr [ebp-120], 0
009AC93F jge short 009AC961
009AC941 push 6FC
009AC946 push 004BB72C
009AC94B push dword ptr [ebp+8]
009AC94E push dword ptr [ebp-120]
009AC954 call <jmp.&MSVBVM60.__vbaHresultCheck>
009AC959 mov dword ptr [ebp-1B8], eax
009AC95F jmp short 009AC968
009AC961 and dword ptr [ebp-1B8], 0
009AC968 fld qword ptr [ebp-11C]
009AC96E fstp qword ptr [ebp-3C]
009AC971 mov dword ptr [ebp-4], 6D
009AC978 fld qword ptr [ebp-3C]
009AC97B fcomp qword ptr [405B20] ; 7.0
009AC981 fstsw ax
009AC983 sahf
009AC984 jnz 009ACECD
009AC98A mov dword ptr [ebp-4], 6E
009AC991 mov eax, dword ptr [ebp+8]
009AC994 mov eax, dword ptr [eax]
009AC996 push dword ptr [ebp+8]
009AC999 call dword ptr [eax+30C]
009AC99F push eax
009AC9A0 lea eax, dword ptr [ebp-88]
009AC9A6 push eax
009AC9A7 call <jmp.&MSVBVM60.__vbaObjSet>
009AC9AC mov dword ptr [ebp-120], eax
009AC9B2 lea eax, dword ptr [ebp-7C]
009AC9B5 push eax
009AC9B6 mov eax, dword ptr [ebp-120]
009AC9BC mov eax, dword ptr [eax]
009AC9BE push dword ptr [ebp-120]
009AC9C4 call dword ptr [eax+A0]
009AC9CA fclex
009AC9CC mov dword ptr [ebp-124], eax
009AC9D2 cmp dword ptr [ebp-124], 0
009AC9D9 jge short 009AC9FE
009AC9DB push 0A0
009AC9E0 push 004A1EC8
009AC9E5 push dword ptr [ebp-120]
009AC9EB push dword ptr [ebp-124]
009AC9F1 call <jmp.&MSVBVM60.__vbaHresultCheck>
009AC9F6 mov dword ptr [ebp-1BC], eax
009AC9FC jmp short 009ACA05
009AC9FE and dword ptr [ebp-1BC], 0
009ACA05 fldz
009ACA07 fstp qword ptr [ebp-11C]
009ACA0D mov edx, 004AF958 ; "v"
009ACA12 lea ecx, dword ptr [ebp-84]
009ACA18 call <jmp.&MSVBVM60.__vbaStrCopy>
009ACA1D mov eax, dword ptr [ebp-7C]
009ACA20 mov dword ptr [ebp-16C], eax
009ACA26 and dword ptr [ebp-7C], 0
009ACA2A mov edx, dword ptr [ebp-16C]
009ACA30 lea ecx, dword ptr [ebp-80]
009ACA33 call <jmp.&MSVBVM60.__vbaStrMove>
009ACA38 lea eax, dword ptr [ebp-11C]
009ACA3E push eax
009ACA3F lea eax, dword ptr [ebp-30]
009ACA42 push eax
009ACA43 lea eax, dword ptr [ebp-84]
009ACA49 push eax
009ACA4A lea eax, dword ptr [ebp-80]
009ACA4D push eax
009ACA4E call 00845426
009ACA53 not ax
009ACA56 mov word ptr [ebp-128], ax
009ACA5D lea eax, dword ptr [ebp-84]
009ACA63 push eax
009ACA64 lea eax, dword ptr [ebp-80]
009ACA67 push eax
009ACA68 push 2
009ACA6A call <jmp.&MSVBVM60.__vbaFreeStrList>
009ACA6F add esp, 0C
009ACA72 lea ecx, dword ptr [ebp-88]
009ACA78 call <jmp.&MSVBVM60.__vbaFreeObj>
009ACA7D movsx eax, word ptr [ebp-128]
009ACA84 test eax, eax
009ACA86 je short 009ACA8D
009ACA88 jmp 009ACECF
009ACA8D mov dword ptr [ebp-4], 71
009ACA94 mov eax, dword ptr [ebp+8]
009ACA97 mov eax, dword ptr [eax]
009ACA99 push dword ptr [ebp+8]
009ACA9C call dword ptr [eax+30C]
009ACAA2 push eax
009ACAA3 lea eax, dword ptr [ebp-88]
009ACAA9 push eax
009ACAAA call <jmp.&MSVBVM60.__vbaObjSet>
009ACAAF mov dword ptr [ebp-120], eax
009ACAB5 lea eax, dword ptr [ebp-7C]
009ACAB8 push eax
009ACAB9 mov eax, dword ptr [ebp-120]
009ACABF mov eax, dword ptr [eax]
009ACAC1 push dword ptr [ebp-120]
009ACAC7 call dword ptr [eax+A0]
009ACACD fclex
009ACACF mov dword ptr [ebp-124], eax
009ACAD5 cmp dword ptr [ebp-124], 0
009ACADC jge short 009ACB01
009ACADE push 0A0
009ACAE3 push 004A1EC8
009ACAE8 push dword ptr [ebp-120]
009ACAEE push dword ptr [ebp-124]
009ACAF4 call <jmp.&MSVBVM60.__vbaHresultCheck>
009ACAF9 mov dword ptr [ebp-1C0], eax
009ACAFF jmp short 009ACB08
009ACB01 and dword ptr [ebp-1C0], 0
009ACB08 mov eax, dword ptr [ebp-7C]
009ACB0B mov dword ptr [ebp-170], eax
009ACB11 and dword ptr [ebp-7C], 0
009ACB15 mov edx, dword ptr [ebp-170]
009ACB1B mov ecx, 00C7E4D8
009ACB20 call <jmp.&MSVBVM60.__vbaStrMove>
009ACB25 lea ecx, dword ptr [ebp-88]
009ACB2B call <jmp.&MSVBVM60.__vbaFreeObj>
009ACB30 mov dword ptr [ebp-4], 72
009ACB37 mov edx, dword ptr [ebp-24]
009ACB3A mov ecx, 00C7E4F4
009ACB3F call <jmp.&MSVBVM60.__vbaStrCopy>
009ACB44 mov dword ptr [ebp-4], 73
009ACB4B mov edx, dword ptr [ebp-30]
009ACB4E mov ecx, 00C7E500
009ACB53 call <jmp.&MSVBVM60.__vbaStrCopy>
009ACB58 mov dword ptr [ebp-4], 74
009ACB5F or word ptr [C7D512], 0FFFF
009ACB67 mov dword ptr [ebp-4], 75
009ACB6E push 00C7E4CC
009ACB73 push 1
009ACB75 call <jmp.&MSVBVM60.__vbaStrFixstr>
009ACB7A mov edx, eax
009ACB7C lea ecx, dword ptr [ebp-7C]
009ACB7F call <jmp.&MSVBVM60.__vbaStrMove>
009ACB84 push eax
009ACB85 push 004A9C84 ; "R"
009ACB8A call <jmp.&MSVBVM60.__vbaStrCmp>
009ACB8F mov esi, eax
009ACB91 neg esi
009ACB93 sbb esi, esi
009ACB95 neg esi
009ACB97 neg esi
009ACB99 push 00C7E4CC
009ACB9E push 1
009ACBA0 call <jmp.&MSVBVM60.__vbaStrFixstr>
009ACBA5 mov edx, eax
009ACBA7 lea ecx, dword ptr [ebp-80]
009ACBAA call <jmp.&MSVBVM60.__vbaStrMove>
009ACBAF push eax
009ACBB0 push 004A9C8C ; "X"
009ACBB5 call <jmp.&MSVBVM60.__vbaStrCmp>
009ACBBA neg eax
009ACBBC sbb eax, eax
009ACBBE neg eax
009ACBC0 neg eax
009ACBC2 and si, ax
009ACBC5 mov ax, word ptr [C7E4DC]
009ACBCB not ax
009ACBCE and si, ax
009ACBD1 mov word ptr [ebp-120], si
009ACBD8 lea eax, dword ptr [ebp-80]
009ACBDB push eax
009ACBDC lea eax, dword ptr [ebp-7C]
009ACBDF push eax
009ACBE0 push 2
009ACBE2 call <jmp.&MSVBVM60.__vbaFreeStrList>
009ACBE7 add esp, 0C
009ACBEA movsx eax, word ptr [ebp-120]
009ACBF1 test eax, eax
009ACBF3 je 009ACCAA
009ACBF9 mov dword ptr [ebp-4], 76
009ACC00 mov dword ptr [ebp-C0], 80020004
009ACC0A mov dword ptr [ebp-C8], 0A
009ACC14 mov dword ptr [ebp-B0], 80020004
009ACC1E mov dword ptr [ebp-B8], 0A
009ACC28 mov dword ptr [ebp-A0], 80020004
009ACC32 mov dword ptr [ebp-A8], 0A
009ACC3C mov dword ptr [ebp-D0], 004CAD8C ; UNICODE "Warning: you have entered a Version 8 Upgrade key, yet you do not have a Standard or Extended Editio"
009ACC46 mov dword ptr [ebp-D8], 8
009ACC50 lea edx, dword ptr [ebp-D8]
009ACC56 lea ecx, dword ptr [ebp-98]
009ACC5C call <jmp.&MSVBVM60.__vbaVarDup>
009ACC61 lea eax, dword ptr [ebp-C8]
009ACC67 push eax
009ACC68 lea eax, dword ptr [ebp-B8]
009ACC6E push eax
009ACC6F lea eax, dword ptr [ebp-A8]
009ACC75 push eax
009ACC76 push 30
009ACC78 lea eax, dword ptr [ebp-98]
009ACC7E push eax
009ACC7F call <jmp.&MSVBVM60.rtcMsgBox>
009ACC84 lea eax, dword ptr [ebp-C8]
009ACC8A push eax
009ACC8B lea eax, dword ptr [ebp-B8]
009ACC91 push eax
009ACC92 lea eax, dword ptr [ebp-A8]
009ACC98 push eax
009ACC99 lea eax, dword ptr [ebp-98]
009ACC9F push eax
009ACCA0 push 4
009ACCA2 call <jmp.&MSVBVM60.__vbaFreeVarList>
009ACCA7 add esp, 14
009ACCAA mov dword ptr [ebp-4], 78
009ACCB1 mov word ptr [ebp-60], 3
009ACCB7 mov dword ptr [ebp-4], 79
009ACCBE push 00C7E54C
009ACCC3 push 00C7E550
009ACCC8 push 00C7E4F4
009ACCCD call 00BD4C31
009ACCD2 mov edx, eax
009ACCD4 lea ecx, dword ptr [ebp-24]
009ACCD7 call <jmp.&MSVBVM60.__vbaStrMove>
009ACCDC mov dword ptr [ebp-4], 7A
; The following saves the registration information |
|
[Original] Registration analysis of Advanced Query Tool V8
; The following handles the case where the fourth character of AlphaOfKey is "u"
009AC2DA mov dword ptr [ebp-4], 50
009AC2E1 lea eax, dword ptr [ebp-11C]
009AC2E7 push eax
009AC2E8 push 00C7D3FC
009AC2ED push 00C7D3F4
009AC2F2 mov eax, dword ptr [ebp+8]
009AC2F5 add eax, 38
009AC2F8 push eax
009AC2F9 lea eax, dword ptr [ebp-24]
009AC2FC push eax
009AC2FD mov eax, dword ptr [ebp+8]
009AC300 mov eax, dword ptr [eax]
009AC302 push dword ptr [ebp+8]
009AC305 call dword ptr [eax+6FC]
009AC30B mov dword ptr [ebp-120], eax
009AC311 cmp dword ptr [ebp-120], 0
009AC318 jge short 009AC33A
009AC31A push 6FC
009AC31F push 004BB72C
009AC324 push dword ptr [ebp+8]
009AC327 push dword ptr [ebp-120]
009AC32D call <jmp.&MSVBVM60.__vbaHresultCheck>
009AC332 mov dword ptr [ebp-1AC], eax
009AC338 jmp short 009AC341
009AC33A and dword ptr [ebp-1AC], 0
009AC341 fld qword ptr [ebp-11C]
009AC347 fstp qword ptr [ebp-44]
009AC34A mov dword ptr [ebp-4], 51
009AC351 fld qword ptr [ebp-44]
009AC354 fcomp qword ptr [405B28] ; 7.0
009AC35A fstsw ax
009AC35C sahf
009AC35D jnz 009AC8FC
009AC363 mov dword ptr [ebp-4], 52
009AC36A mov eax, dword ptr [ebp+8]
009AC36D mov eax, dword ptr [eax]
009AC36F push dword ptr [ebp+8]
009AC372 call dword ptr [eax+30C]
009AC378 push eax
009AC379 lea eax, dword ptr [ebp-88]
009AC37F push eax
009AC380 call <jmp.&MSVBVM60.__vbaObjSet>
009AC385 mov dword ptr [ebp-120], eax
009AC38B lea eax, dword ptr [ebp-7C]
009AC38E push eax
009AC38F mov eax, dword ptr [ebp-120]
009AC395 mov eax, dword ptr [eax]
009AC397 push dword ptr [ebp-120]
009AC39D call dword ptr [eax+A0]
009AC3A3 fclex
009AC3A5 mov dword ptr [ebp-124], eax
009AC3AB cmp dword ptr [ebp-124], 0
009AC3B2 jge short 009AC3D7
009AC3B4 push 0A0
009AC3B9 push 004A1EC8
009AC3BE push dword ptr [ebp-120]
009AC3C4 push dword ptr [ebp-124]
009AC3CA call <jmp.&MSVBVM60.__vbaHresultCheck>
009AC3CF mov dword ptr [ebp-1B0], eax
009AC3D5 jmp short 009AC3DE
009AC3D7 and dword ptr [ebp-1B0], 0
009AC3DE fldz
009AC3E0 fstp qword ptr [ebp-11C]
009AC3E6 mov edx, 004B02CC ; "u"
009AC3EB lea ecx, dword ptr [ebp-84]
009AC3F1 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC3F6 mov eax, dword ptr [ebp-7C]
009AC3F9 mov dword ptr [ebp-164], eax
009AC3FF and dword ptr [ebp-7C], 0
009AC403 mov edx, dword ptr [ebp-164]
009AC409 lea ecx, dword ptr [ebp-80]
009AC40C call <jmp.&MSVBVM60.__vbaStrMove>
009AC411 lea eax, dword ptr [ebp-11C]
009AC417 push eax
009AC418 lea eax, dword ptr [ebp-30]
009AC41B push eax
009AC41C lea eax, dword ptr [ebp-84]
009AC422 push eax
009AC423 lea eax, dword ptr [ebp-80]
009AC426 push eax
009AC427 call 00845426
009AC42C not ax
009AC42F mov word ptr [ebp-128], ax
009AC436 lea eax, dword ptr [ebp-84]
009AC43C push eax
009AC43D lea eax, dword ptr [ebp-80]
009AC440 push eax
009AC441 push 2
009AC443 call <jmp.&MSVBVM60.__vbaFreeStrList>
009AC448 add esp, 0C
009AC44B lea ecx, dword ptr [ebp-88]
009AC451 call <jmp.&MSVBVM60.__vbaFreeObj>
009AC456 movsx eax, word ptr [ebp-128]
009AC45D test eax, eax
009AC45F je short 009AC466
009AC461 jmp 009ACECF
009AC466 mov dword ptr [ebp-4], 55
009AC46D mov word ptr [ebp-60], 2
009AC473 mov dword ptr [ebp-4], 56
009AC47A fld qword ptr [ebp-44]
009AC47D fstp qword ptr [C7D368]
009AC483 mov dword ptr [ebp-4], 57
009AC48A mov eax, dword ptr [ebp+8]
009AC48D mov eax, dword ptr [eax]
009AC48F push dword ptr [ebp+8]
009AC492 call dword ptr [eax+30C]
009AC498 push eax
009AC499 lea eax, dword ptr [ebp-88]
009AC49F push eax
009AC4A0 call <jmp.&MSVBVM60.__vbaObjSet>
009AC4A5 mov dword ptr [ebp-120], eax
009AC4AB lea eax, dword ptr [ebp-7C]
009AC4AE push eax
009AC4AF mov eax, dword ptr [ebp-120]
009AC4B5 mov eax, dword ptr [eax]
009AC4B7 push dword ptr [ebp-120]
009AC4BD call dword ptr [eax+A0]
009AC4C3 fclex
009AC4C5 mov dword ptr [ebp-124], eax
009AC4CB cmp dword ptr [ebp-124], 0
009AC4D2 jge short 009AC4F7
009AC4D4 push 0A0
009AC4D9 push 004A1EC8
009AC4DE push dword ptr [ebp-120]
009AC4E4 push dword ptr [ebp-124]
009AC4EA call <jmp.&MSVBVM60.__vbaHresultCheck>
009AC4EF mov dword ptr [ebp-1B4], eax
009AC4F5 jmp short 009AC4FE
009AC4F7 and dword ptr [ebp-1B4], 0
009AC4FE mov eax, dword ptr [ebp-7C]
009AC501 mov dword ptr [ebp-168], eax
009AC507 and dword ptr [ebp-7C], 0
009AC50B mov edx, dword ptr [ebp-168]
009AC511 mov ecx, 00C7E4D4
009AC516 call <jmp.&MSVBVM60.__vbaStrMove>
009AC51B lea ecx, dword ptr [ebp-88]
009AC521 call <jmp.&MSVBVM60.__vbaFreeObj>
009AC526 mov dword ptr [ebp-4], 58
009AC52D mov edx, dword ptr [ebp-24]
009AC530 mov ecx, 00C7E4F0
009AC535 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC53A mov dword ptr [ebp-4], 59
009AC541 mov edx, dword ptr [ebp-30]
009AC544 mov ecx, 00C7E4FC
009AC549 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC54E mov dword ptr [ebp-4], 5A
009AC555 push 00C7E4CC
009AC55A push 1
009AC55C call <jmp.&MSVBVM60.__vbaStrFixstr>
009AC561 mov edx, eax
009AC563 lea ecx, dword ptr [ebp-7C]
009AC566 call <jmp.&MSVBVM60.__vbaStrMove>
009AC56B push eax
009AC56C push 004A9C84
009AC571 call <jmp.&MSVBVM60.__vbaStrCmp>
009AC576 neg eax
009AC578 sbb eax, eax
009AC57A inc eax
009AC57B neg eax
009AC57D mov word ptr [ebp-120], ax
009AC584 lea ecx, dword ptr [ebp-7C]
009AC587 call <jmp.&MSVBVM60.__vbaFreeStr>
009AC58C movsx eax, word ptr [ebp-120]
009AC593 test eax, eax
009AC595 je short 009AC5BD
009AC597 mov dword ptr [ebp-4], 5B
009AC59E push 004A9C8C ; "X"
009AC5A3 push 00C7E4CC
009AC5A8 push 1
009AC5AA call <jmp.&MSVBVM60.__vbaLsetFixstr>
009AC5AF mov dword ptr [ebp-4], 5C
009AC5B6 and dword ptr [C7EC44], 0
009AC5BD mov dword ptr [ebp-4], 5E
009AC5C4 push 00C7E4CC
009AC5C9 push 1
009AC5CB call <jmp.&MSVBVM60.__vbaStrFixstr>
009AC5D0 mov edx, eax
009AC5D2 lea ecx, dword ptr [ebp-7C]
009AC5D5 call <jmp.&MSVBVM60.__vbaStrMove>
009AC5DA push eax
009AC5DB push 004A9C8C ; "X"
009AC5E0 call <jmp.&MSVBVM60.__vbaStrCmp>
009AC5E5 neg eax
009AC5E7 sbb eax, eax
009AC5E9 neg eax
009AC5EB neg eax
009AC5ED mov word ptr [ebp-120], ax
009AC5F4 lea ecx, dword ptr [ebp-7C]
009AC5F7 call <jmp.&MSVBVM60.__vbaFreeStr>
009AC5FC movsx eax, word ptr [ebp-120]
009AC603 test eax, eax
009AC605 je 009AC6BC
009AC60B mov dword ptr [ebp-4], 5F
009AC612 mov dword ptr [ebp-C0], 80020004
009AC61C mov dword ptr [ebp-C8], 0A
009AC626 mov dword ptr [ebp-B0], 80020004
009AC630 mov dword ptr [ebp-B8], 0A
009AC63A mov dword ptr [ebp-A0], 80020004
009AC644 mov dword ptr [ebp-A8], 0A
009AC64E mov dword ptr [ebp-D0], 004CACB4 ; UNICODE "Warning: you have entered an Edition Upgrade key, yet you do not have a Standard Edition key"
009AC658 mov dword ptr [ebp-D8], 8
009AC662 lea edx, dword ptr [ebp-D8]
009AC668 lea ecx, dword ptr [ebp-98]
009AC66E call <jmp.&MSVBVM60.__vbaVarDup>
009AC673 lea eax, dword ptr [ebp-C8]
009AC679 push eax
009AC67A lea eax, dword ptr [ebp-B8]
009AC680 push eax
009AC681 lea eax, dword ptr [ebp-A8]
009AC687 push eax
009AC688 push 30
009AC68A lea eax, dword ptr [ebp-98]
009AC690 push eax
009AC691 call <jmp.&MSVBVM60.rtcMsgBox>
009AC696 lea eax, dword ptr [ebp-C8]
009AC69C push eax
009AC69D lea eax, dword ptr [ebp-B8]
009AC6A3 push eax
009AC6A4 lea eax, dword ptr [ebp-A8]
009AC6AA push eax
009AC6AB lea eax, dword ptr [ebp-98]
009AC6B1 push eax
009AC6B2 push 4
009AC6B4 call <jmp.&MSVBVM60.__vbaFreeVarList>
009AC6B9 add esp, 14
009AC6BC mov dword ptr [ebp-4], 61
009AC6C3 push 00C7E54C
009AC6C8 push 00C7E550
009AC6CD push 00C7E4F0
009AC6D2 call 00BD4C31
009AC6D7 mov edx, eax
009AC6D9 lea ecx, dword ptr [ebp-24]
009AC6DC call <jmp.&MSVBVM60.__vbaStrMove>
009AC6E1 mov dword ptr [ebp-4], 62
009AC6E8 and word ptr [ebp-114], 0
009AC6F0 and word ptr [ebp-110], 0
009AC6F8 or word ptr [ebp-10C], 0FFFF
009AC700 mov dword ptr [ebp-D0], 00C7E4D4
009AC70A mov dword ptr [ebp-D8], 4008
009AC714 mov edx, 004C5544 ; UNICODE "NameU"
009AC719 lea ecx, dword ptr [ebp-84]
009AC71F call <jmp.&MSVBVM60.__vbaStrCopy>
009AC724 mov edx, 00499820 ; UNICODE "Register"
009AC729 lea ecx, dword ptr [ebp-80]
009AC72C call <jmp.&MSVBVM60.__vbaStrCopy>
009AC731 mov edx, 0049939C ; UNICODE "Cardett"
009AC736 lea ecx, dword ptr [ebp-7C]
009AC739 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC73E lea eax, dword ptr [ebp-114]
009AC744 push eax
009AC745 lea eax, dword ptr [ebp-110]
009AC74B push eax
009AC74C lea eax, dword ptr [ebp-10C]
009AC752 push eax
009AC753 lea eax, dword ptr [ebp-D8]
009AC759 push eax
009AC75A lea eax, dword ptr [ebp-84]
009AC760 push eax
009AC761 lea eax, dword ptr [ebp-80]
009AC764 push eax
009AC765 lea eax, dword ptr [ebp-7C]
009AC768 push eax
009AC769 call 0099B31A
009AC76E lea eax, dword ptr [ebp-84]
009AC774 push eax
009AC775 lea eax, dword ptr [ebp-80]
009AC778 push eax
009AC779 lea eax, dword ptr [ebp-7C]
009AC77C push eax
009AC77D push 3
009AC77F call <jmp.&MSVBVM60.__vbaFreeStrList>
009AC784 add esp, 10
; The following saves the registration information |
|
[Original] Registration analysis of Advanced Query Tool V8
; The following saves the registration information
009ABFAF mov dword ptr [ebp-4], 3E
009ABFB6 and word ptr [ebp-114], 0
009ABFBE and word ptr [ebp-110], 0
009ABFC6 or word ptr [ebp-10C], 0FFFF
009ABFCE mov dword ptr [ebp-D0], 00C7E4D0
009ABFD8 mov dword ptr [ebp-D8], 4008
009ABFE2 mov edx, 004AC70C ; UNICODE "Name4"
009ABFE7 lea ecx, dword ptr [ebp-84]
009ABFED call <jmp.&MSVBVM60.__vbaStrCopy>
009ABFF2 mov edx, 00499820 ; UNICODE "Register"
009ABFF7 lea ecx, dword ptr [ebp-80]
009ABFFA call <jmp.&MSVBVM60.__vbaStrCopy>
009ABFFF mov edx, 0049939C ; UNICODE "Cardett"
009AC004 lea ecx, dword ptr [ebp-7C]
009AC007 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC00C lea eax, dword ptr [ebp-114]
009AC012 push eax
009AC013 lea eax, dword ptr [ebp-110]
009AC019 push eax
009AC01A lea eax, dword ptr [ebp-10C]
009AC020 push eax
009AC021 lea eax, dword ptr [ebp-D8]
009AC027 push eax
009AC028 lea eax, dword ptr [ebp-84]
009AC02E push eax
009AC02F lea eax, dword ptr [ebp-80]
009AC032 push eax
009AC033 lea eax, dword ptr [ebp-7C]
009AC036 push eax
009AC037 call 0099B31A
009AC03C lea eax, dword ptr [ebp-84]
009AC042 push eax
009AC043 lea eax, dword ptr [ebp-80]
009AC046 push eax
009AC047 lea eax, dword ptr [ebp-7C]
009AC04A push eax
009AC04B push 3
009AC04D call <jmp.&MSVBVM60.__vbaFreeStrList>
009AC052 add esp, 10
009AC055 mov dword ptr [ebp-4], 3F
009AC05C and word ptr [ebp-114], 0
009AC064 and word ptr [ebp-110], 0
009AC06C or word ptr [ebp-10C], 0FFFF
009AC074 lea eax, dword ptr [ebp-24]
009AC077 mov dword ptr [ebp-D0], eax
009AC07D mov dword ptr [ebp-D8], 4008
009AC087 mov edx, 004AC71C ; UNICODE "Key4"
009AC08C lea ecx, dword ptr [ebp-84]
009AC092 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC097 mov edx, 00499820 ; UNICODE "Register"
009AC09C lea ecx, dword ptr [ebp-80]
009AC09F call <jmp.&MSVBVM60.__vbaStrCopy>
009AC0A4 mov edx, 0049939C ; UNICODE "Cardett"
009AC0A9 lea ecx, dword ptr [ebp-7C]
009AC0AC call <jmp.&MSVBVM60.__vbaStrCopy>
009AC0B1 lea eax, dword ptr [ebp-114]
009AC0B7 push eax
009AC0B8 lea eax, dword ptr [ebp-110]
009AC0BE push eax
009AC0BF lea eax, dword ptr [ebp-10C]
009AC0C5 push eax
009AC0C6 lea eax, dword ptr [ebp-D8]
009AC0CC push eax
009AC0CD lea eax, dword ptr [ebp-84]
009AC0D3 push eax
009AC0D4 lea eax, dword ptr [ebp-80]
009AC0D7 push eax
009AC0D8 lea eax, dword ptr [ebp-7C]
009AC0DB push eax
009AC0DC call 0099B31A
009AC0E1 lea eax, dword ptr [ebp-84]
009AC0E7 push eax
009AC0E8 lea eax, dword ptr [ebp-80]
009AC0EB push eax
009AC0EC lea eax, dword ptr [ebp-7C]
009AC0EF push eax
009AC0F0 push 3
009AC0F2 call <jmp.&MSVBVM60.__vbaFreeStrList>
009AC0F7 add esp, 10
009AC0FA mov dword ptr [ebp-4], 40
009AC101 and word ptr [ebp-114], 0
009AC109 and word ptr [ebp-110], 0
009AC111 or word ptr [ebp-10C], 0FFFF
009AC119 mov dword ptr [ebp-D0], 00C7E4F8
009AC123 mov dword ptr [ebp-D8], 4008
009AC12D mov edx, 004AC72C ; UNICODE "Keyh"
009AC132 lea ecx, dword ptr [ebp-84]
009AC138 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC13D mov edx, 00499820 ; UNICODE "Register"
009AC142 lea ecx, dword ptr [ebp-80]
009AC145 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC14A mov edx, 0049939C ; UNICODE "Cardett"
009AC14F lea ecx, dword ptr [ebp-7C]
009AC152 call <jmp.&MSVBVM60.__vbaStrCopy>
009AC157 lea eax, dword ptr [ebp-114]
009AC15D push eax
009AC15E lea eax, dword ptr [ebp-110]
009AC164 push eax
009AC165 lea eax, dword ptr [ebp-10C]
009AC16B push eax
009AC16C lea eax, dword ptr [ebp-D8]
009AC172 push eax
009AC173 lea eax, dword ptr [ebp-84]
009AC179 push eax
009AC17A lea eax, dword ptr [ebp-80]
009AC17D push eax
009AC17E lea eax, dword ptr [ebp-7C]
009AC181 push eax
009AC182 call 0099B31A
009AC187 lea eax, dword ptr [ebp-84]
009AC18D push eax
009AC18E lea eax, dword ptr [ebp-80]
009AC191 push eax
009AC192 lea eax, dword ptr [ebp-7C]
009AC195 push eax
009AC196 push 3
009AC198 call <jmp.&MSVBVM60.__vbaFreeStrList>
009AC19D add esp, 10
009AC1A0 mov dword ptr [ebp-4], 41
009AC1A7 and word ptr [C7D512], 0
009AC1AF mov dword ptr [ebp-4], 42
009AC1B6 push dword ptr [C7E4F8]
009AC1BC push 004998F0
009AC1C1 call <jmp.&MSVBVM60.__vbaStrCmp>
009AC1C6 test eax, eax
009AC1C8 je 009AC26E
009AC1CE mov dword ptr [ebp-4], 43
009AC1D5 mov dword ptr [ebp-90], 1
009AC1DF mov dword ptr [ebp-98], 2
009AC1E9 lea eax, dword ptr [ebp-98]
009AC1EF push eax
009AC1F0 push 4
009AC1F2 push dword ptr [C7E4F8]
009AC1F8 call <jmp.&MSVBVM60.rtcMidCharBstr>
009AC1FD mov edx, eax
009AC1FF lea ecx, dword ptr [ebp-7C]
009AC202 call <jmp.&MSVBVM60.__vbaStrMove>
009AC207 push eax
009AC208 call <jmp.&MSVBVM60.rtcLowerCaseBstr>
009AC20D mov edx, eax
009AC20F lea ecx, dword ptr [ebp-6C]
009AC212 call <jmp.&MSVBVM60.__vbaStrMove>
009AC217 lea ecx, dword ptr [ebp-7C]
009AC21A call <jmp.&MSVBVM60.__vbaFreeStr>
009AC21F lea ecx, dword ptr [ebp-98]
009AC225 call <jmp.&MSVBVM60.__vbaFreeVar>
009AC22A mov dword ptr [ebp-4], 44
009AC231 push dword ptr [ebp-6C]
009AC234 push 004AF690
009AC239 call <jmp.&MSVBVM60.__vbaStrCmp>
009AC23E mov esi, eax
009AC240 neg esi
009AC242 sbb esi, esi
009AC244 neg esi
009AC246 push dword ptr [ebp-6C]
009AC249 push 004AE8E0
009AC24E call <jmp.&MSVBVM60.__vbaStrCmp>
009AC253 neg eax
009AC255 sbb eax, eax
009AC257 neg eax
009AC259 and esi, eax
009AC25B test esi, esi
009AC25D jnz short 009AC26E
009AC25F mov dword ptr [ebp-4], 45
009AC266 or word ptr [C7D512], 0FFFF
009AC26E mov dword ptr [ebp-4], 48
009AC275 mov eax, dword ptr [ebp+8]
009AC278 mov eax, dword ptr [eax]
009AC27A push dword ptr [ebp+8]
009AC27D call dword ptr [eax+714]
009AC283 mov dword ptr [ebp-120], eax
009AC289 cmp dword ptr [ebp-120], 0
009AC290 jge short 009AC2B2
009AC292 push 714
009AC297 push 004BB72C
009AC29C push dword ptr [ebp+8]
009AC29F push dword ptr [ebp-120]
009AC2A5 call <jmp.&MSVBVM60.__vbaHresultCheck>
009AC2AA mov dword ptr [ebp-1A8], eax
009AC2B0 jmp short 009AC2B9
009AC2B2 and dword ptr [ebp-1A8], 0
009AC2B9 jmp short 009AC2D5
009AC2BB mov dword ptr [ebp-4], 4A
009AC2C2 push dword ptr [ebp-30]
009AC2C5 push 004998F0
009AC2CA call <jmp.&MSVBVM60.__vbaStrCmp> ; compare AlphaOfKey with the empty string
009AC2CF test eax, eax
009AC2D1 jnz short 009AC2D5 ; if not the empty string, jump to 9ACEDB (error message)
009AC2D3 jmp short 009AC2DA
009AC2D5 jmp 009ACEDB |
|
[Original] Registration analysis of Advanced Query Tool V8
; If C4OfAlphaOfKey is "s" or the empty string, and the remainder returned by the preceding call is zero, then
009ABCDE mov dword ptr [ebp-4], 2D
009ABCE5 push 004A9C84 ; "R"
009ABCEA push 00C7E4CC ; "F"
009ABCEF push 1
009ABCF1 call <jmp.&MSVBVM60.__vbaLsetFixstr>
009ABCF6 mov dword ptr [ebp-4], 2E
009ABCFD mov word ptr [ebp-60], 1
009ABD03 mov dword ptr [ebp-4], 30
009ABD0A fld qword ptr [ebp-3C]
009ABD0D fcomp qword ptr [405B30] ; compare the remainder returned by the preceding call with 19
009ABD13 fstsw ax
009ABD15 sahf
009ABD16 je short 009ABD24
009ABD18 mov dword ptr [ebp-19C], 1 ; if not equal to 19, [ebp-19C]w=1
009ABD22 jmp short 009ABD2B
009ABD24 and dword ptr [ebp-19C], 0 ; if equal to 19, [ebp-19C]w=0
009ABD2B push dword ptr [ebp-70]
009ABD2E push 004AE8E0 ; "x"
009ABD33 call <jmp.&MSVBVM60.__vbaStrCmp> ; compare C4OfAlphaOfKey with "x"
009ABD38 mov esi, eax
009ABD3A neg esi
009ABD3C sbb esi, esi
009ABD3E neg esi
009ABD40 push dword ptr [ebp-70]
009ABD43 push 004998F0
009ABD48 call <jmp.&MSVBVM60.__vbaStrCmp> ; compare C4OfAlphaOfKey with the empty string
009ABD4D neg eax
009ABD4F sbb eax, eax
009ABD51 neg eax
009ABD53 and esi, eax
009ABD55 neg esi
009ABD57 sbb esi, esi
009ABD59 neg esi
009ABD5B mov eax, dword ptr [ebp-19C]
009ABD61 or eax, esi
009ABD63 test eax, eax
009ABD65 jnz short 009ABD9A
; If C4OfAlphaOfKey is "x" or the empty string, and the remainder returned by the preceding call equals 19, then
009ABD67 mov dword ptr [ebp-4], 31
009ABD6E push 004A9C8C ; "X"
009ABD73 push 00C7E4CC ; "F"
009ABD78 push 1
009ABD7A call <jmp.&MSVBVM60.__vbaLsetFixstr>
009ABD7F mov dword ptr [ebp-4], 32
009ABD86 mov word ptr [ebp-60], 2
009ABD8C mov dword ptr [ebp-4], 33
009ABD93 and dword ptr [C7EC44], 0
009ABD9A mov dword ptr [ebp-4], 35
009ABDA1 cmp word ptr [ebp-60], 0
009ABDA6 jle 009AC2BB ; if neither of the two preceding cases, jump to 9AC2BB
009ABDAC mov dword ptr [ebp-4], 36
009ABDB3 mov eax, dword ptr [ebp+8]
009ABDB6 mov eax, dword ptr [eax]
009ABDB8 push dword ptr [ebp+8]
009ABDBB call dword ptr [eax+30C]
009ABDC1 push eax
009ABDC2 lea eax, dword ptr [ebp-88]
009ABDC8 push eax
009ABDC9 call <jmp.&MSVBVM60.__vbaObjSet>
009ABDCE mov dword ptr [ebp-120], eax
009ABDD4 lea eax, dword ptr [ebp-7C]
009ABDD7 push eax
009ABDD8 mov eax, dword ptr [ebp-120]
009ABDDE mov eax, dword ptr [eax]
009ABDE0 push dword ptr [ebp-120]
009ABDE6 call dword ptr [eax+A0] ; get RegName
009ABDEC fclex
009ABDEE mov dword ptr [ebp-124], eax
009ABDF4 cmp dword ptr [ebp-124], 0
009ABDFB jge short 009ABE20
009ABDFD push 0A0
009ABE02 push 004A1EC8
009ABE07 push dword ptr [ebp-120]
009ABE0D push dword ptr [ebp-124]
009ABE13 call <jmp.&MSVBVM60.__vbaHresultCheck>
009ABE18 mov dword ptr [ebp-1A0], eax
009ABE1E jmp short 009ABE27
009ABE20 and dword ptr [ebp-1A0], 0
009ABE27 fldz
009ABE29 fstp qword ptr [ebp-11C]
009ABE2F mov edx, 004B02C4 ; "k"
009ABE34 lea ecx, dword ptr [ebp-84]
009ABE3A call <jmp.&MSVBVM60.__vbaStrCopy>
009ABE3F mov eax, dword ptr [ebp-7C] ; RegName
009ABE42 mov dword ptr [ebp-15C], eax
009ABE48 and dword ptr [ebp-7C], 0
009ABE4C mov edx, dword ptr [ebp-15C]
009ABE52 lea ecx, dword ptr [ebp-80]
009ABE55 call <jmp.&MSVBVM60.__vbaStrMove>
009ABE5A lea eax, dword ptr [ebp-11C] ; 0.0
009ABE60 push eax
009ABE61 lea eax, dword ptr [ebp-30] ; AlphaOfKey
009ABE64 push eax
009ABE65 lea eax, dword ptr [ebp-84] ; "k"
009ABE6B push eax
009ABE6C lea eax, dword ptr [ebp-80] ; RegName
009ABE6F push eax
009ABE70 call 00845426
009ABE75 not ax
009ABE78 mov word ptr [ebp-128], ax
009ABE7F lea eax, dword ptr [ebp-84]
009ABE85 push eax
009ABE86 lea eax, dword ptr [ebp-80]
009ABE89 push eax
009ABE8A push 2
009ABE8C call <jmp.&MSVBVM60.__vbaFreeStrList>
009ABE91 add esp, 0C
009ABE94 lea ecx, dword ptr [ebp-88]
009ABE9A call <jmp.&MSVBVM60.__vbaFreeObj>
009ABE9F movsx eax, word ptr [ebp-128]
009ABEA6 test eax, eax
009ABEA8 je short 009ABEAF
009ABEAA jmp 009ACECF
009ABEAF mov dword ptr [ebp-4], 39
009ABEB6 fld qword ptr [ebp-3C]
009ABEB9 fstp qword ptr [C7D360]
009ABEBF mov dword ptr [ebp-4], 3A
009ABEC6 mov eax, dword ptr [ebp+8]
009ABEC9 mov eax, dword ptr [eax]
009ABECB push dword ptr [ebp+8]
009ABECE call dword ptr [eax+30C]
009ABED4 push eax
009ABED5 lea eax, dword ptr [ebp-88]
009ABEDB push eax
009ABEDC call <jmp.&MSVBVM60.__vbaObjSet>
009ABEE1 mov dword ptr [ebp-120], eax
009ABEE7 lea eax, dword ptr [ebp-7C]
009ABEEA push eax
009ABEEB mov eax, dword ptr [ebp-120]
009ABEF1 mov eax, dword ptr [eax]
009ABEF3 push dword ptr [ebp-120]
009ABEF9 call dword ptr [eax+A0]
009ABEFF fclex
009ABF01 mov dword ptr [ebp-124], eax
009ABF07 cmp dword ptr [ebp-124], 0
009ABF0E jge short 009ABF33
009ABF10 push 0A0
009ABF15 push 004A1EC8
009ABF1A push dword ptr [ebp-120]
009ABF20 push dword ptr [ebp-124]
009ABF26 call <jmp.&MSVBVM60.__vbaHresultCheck>
009ABF2B mov dword ptr [ebp-1A4], eax
009ABF31 jmp short 009ABF3A
009ABF33 and dword ptr [ebp-1A4], 0
009ABF3A mov eax, dword ptr [ebp-7C]
009ABF3D mov dword ptr [ebp-160], eax
009ABF43 and dword ptr [ebp-7C], 0
009ABF47 mov edx, dword ptr [ebp-160]
009ABF4D mov ecx, 00C7E4D0
009ABF52 call <jmp.&MSVBVM60.__vbaStrMove> ; [C7E4D0] points to RegName
009ABF57 lea ecx, dword ptr [ebp-88]
009ABF5D call <jmp.&MSVBVM60.__vbaFreeObj>
009ABF62 mov dword ptr [ebp-4], 3B
009ABF69 mov edx, dword ptr [ebp-24]
009ABF6C mov ecx, 00C7E4E4
009ABF71 call <jmp.&MSVBVM60.__vbaStrCopy> ; [C7E4E4] points to NumberOfKey
009ABF76 mov dword ptr [ebp-4], 3C
009ABF7D mov edx, dword ptr [ebp-30]
009ABF80 mov ecx, 00C7E4F8
009ABF85 call <jmp.&MSVBVM60.__vbaStrCopy> ; [C7E4F8] points to AlphaOfKey
009ABF8A mov dword ptr [ebp-4], 3D
009ABF91 push 00C7E54C
009ABF96 push 00C7E550
009ABF9B push 00C7E4E4
009ABFA0 call 00BD4C31 ; transform the registration information
009ABFA5 mov edx, eax
009ABFA7 lea ecx, dword ptr [ebp-24]
009ABFAA call <jmp.&MSVBVM60.__vbaStrMove> |
|
[Original] Registration analysis of Advanced Query Tool V8
009ABA4B mov dword ptr [ebp-4], 1B
009ABA52 and word ptr [ebp-60], 0
009ABA57 mov dword ptr [ebp-4], 1C
009ABA5E mov eax, dword ptr [ebp+8]
009ABA61 mov eax, dword ptr [eax]
009ABA63 push dword ptr [ebp+8]
009ABA66 call dword ptr [eax+30C]
009ABA6C push eax
009ABA6D lea eax, dword ptr [ebp-88]
009ABA73 push eax
009ABA74 call <jmp.&MSVBVM60.__vbaObjSet>
009ABA79 mov dword ptr [ebp-120], eax
009ABA7F lea eax, dword ptr [ebp-7C]
009ABA82 push eax
009ABA83 mov eax, dword ptr [ebp-120]
009ABA89 mov eax, dword ptr [eax]
009ABA8B push dword ptr [ebp-120]
009ABA91 call dword ptr [eax+A0] ; get RegName
009ABA97 fclex
009ABA99 mov dword ptr [ebp-124], eax
009ABA9F cmp dword ptr [ebp-124], 0
009ABAA6 jge short 009ABACB ; if no error, jump to 9ABACB
009ABAA8 push 0A0
009ABAAD push 004A1EC8
009ABAB2 push dword ptr [ebp-120]
009ABAB8 push dword ptr [ebp-124]
009ABABE call <jmp.&MSVBVM60.__vbaHresultCheck>
009ABAC3 mov dword ptr [ebp-190], eax
009ABAC9 jmp short 009ABAD2
009ABACB and dword ptr [ebp-190], 0
009ABAD2 mov eax, dword ptr [ebp-7C]
009ABAD5 mov dword ptr [ebp-158], eax
009ABADB and dword ptr [ebp-7C], 0
009ABADF mov edx, dword ptr [ebp-158]
009ABAE5 lea ecx, dword ptr [ebp-80]
009ABAE8 call <jmp.&MSVBVM60.__vbaStrMove>
; Call 855D81: if the last three characters of AlphaOfKey are "nnn", it returns -1;
; or, RegName with spaces removed is converted to lowercase, the running sum of the products of each of the first (at most) 20 characters and its position is computed,
; the remainder of that sum divided by 26 is used as an index to take one character from the string "NTKMLQGUZBORYHFCXASPJEVDIW",
; and the lowercase form of that character is compared with the lowercase form of the eighth character of AlphaOfKey; if they are equal, it returns -1.
; In all other cases it returns zero.
009ABAED lea eax, dword ptr [ebp-30] ; AlphaOfKey
009ABAF0 push eax
009ABAF1 lea eax, dword ptr [ebp-80] ; RegName
009ABAF4 push eax
009ABAF5 call 00855D81
009ABAFA not ax
009ABAFD mov word ptr [ebp-128], ax ; save the return value after NOT
009ABB04 lea ecx, dword ptr [ebp-80]
009ABB07 call <jmp.&MSVBVM60.__vbaFreeStr>
009ABB0C lea ecx, dword ptr [ebp-88]
009ABB12 call <jmp.&MSVBVM60.__vbaFreeObj>
009ABB17 movsx eax, word ptr [ebp-128]
009ABB1E test eax, eax
009ABB20 je short 009ABB27 ; if the call to 855D81 returned -1, jump to 9ABB27
009ABB22 jmp 009ACEDB ; otherwise jump to 9ACEDB (error message)
009ABB27 mov dword ptr [ebp-4], 1F
009ABB2E mov dword ptr [ebp-90], 1
009ABB38 mov dword ptr [ebp-98], 2
009ABB42 lea eax, dword ptr [ebp-98]
009ABB48 push eax
009ABB49 push 4
009ABB4B push dword ptr [ebp-30]
009ABB4E call <jmp.&MSVBVM60.rtcMidCharBstr> ; C4OfAlphaOfKey=Mid(AlphaOfKey,4,1)
009ABB53 mov edx, eax
009ABB55 lea ecx, dword ptr [ebp-7C]
009ABB58 call <jmp.&MSVBVM60.__vbaStrMove>
009ABB5D push eax
009ABB5E call <jmp.&MSVBVM60.rtcLowerCaseBstr> ; C4OfAlphaOfKey=LCase(C4OfAlphaOfKey)
009ABB63 mov edx, eax
009ABB65 lea ecx, dword ptr [ebp-70]
009ABB68 call <jmp.&MSVBVM60.__vbaStrMove>
009ABB6D lea ecx, dword ptr [ebp-7C]
009ABB70 call <jmp.&MSVBVM60.__vbaFreeStr>
009ABB75 lea ecx, dword ptr [ebp-98]
009ABB7B call <jmp.&MSVBVM60.__vbaFreeVar>
009ABB80 mov dword ptr [ebp-4], 20
009ABB87 mov edx, dword ptr [ebp-70]
009ABB8A lea ecx, dword ptr [ebp-130]
009ABB90 call <jmp.&MSVBVM60.__vbaStrCopy> ; CopyC4OfAlphaOfKey=C4OfAlphaOfKey
009ABB95 mov dword ptr [ebp-4], 21
009ABB9C push dword ptr [ebp-130]
009ABBA2 push 004AF690 ; "s"
009ABBA7 call <jmp.&MSVBVM60.__vbaStrCmp> ; compare with "s"
009ABBAC test eax, eax
009ABBAE je short 009ABBC4 ; if so, go to 9ABC0A
009ABBB0 push dword ptr [ebp-130]
009ABBB6 push 004AE8E0 ; "x"
009ABBBB call <jmp.&MSVBVM60.__vbaStrCmp> ; if not "s", compare with "x"
009ABBC0 test eax, eax
009ABBC2 jnz short 009ABBC8
009ABBC4 jmp short 009ABC0A ; if so, go to 9ABC0A
009ABBC6 jmp short 009ABC0A
009ABBC8 mov dword ptr [ebp-4], 23
009ABBCF push dword ptr [ebp-130]
009ABBD5 push 004B02CC ; "u"
009ABBDA call <jmp.&MSVBVM60.__vbaStrCmp> ; if neither "s" nor "x", compare with "u"
009ABBDF test eax, eax
009ABBE1 jnz short 009ABBEA
009ABBE3 jmp 009AC2DA ; if so, jump to 9AC2DA
009ABBE8 jmp short 009ABC0A
009ABBEA mov dword ptr [ebp-4], 25
009ABBF1 push dword ptr [ebp-130]
009ABBF7 push 004AF958 ; "v"
009ABBFC call <jmp.&MSVBVM60.__vbaStrCmp> ; if none of "s", "x", "u", compare with "v"
009ABC01 test eax, eax
009ABC03 jnz short 009ABC0A
009ABC05 jmp 009AC901 ; if so, jump to 9AC901
009ABC0A mov dword ptr [ebp-4], 2B
; Call 9A908B, where:
; 1. The passed-in NumOfKey, with "-" removed, must be at least 20 characters long and must consist entirely of digits
; 2. The first 10 digits of NumOfKey with "-" removed are converted to the integer VF10, and the next 10 digits to the integer VS10
; 3. The quotient of VF10 divided by CheckSumOfName is stored in the third parameter pushed on the stack; the remainder is called R1
; 4. VT=10000000000*R1+VS10
; 5. The quotient of VT divided by CheckSumOfName is stored in the second parameter pushed on the stack, and the remainder in the first parameter pushed on the stack
009ABC11 lea eax, dword ptr [ebp-11C]
009ABC17 push eax ; receives the final remainder computed as described above
009ABC18 push 00C7D3EC ; receives the second quotient described above
009ABC1D push 00C7D3E4 ; receives the first quotient described above
009ABC22 mov eax, dword ptr [ebp+8]
009ABC25 add eax, 38
009ABC28 push eax ; points to CheckSumOfName
009ABC29 lea eax, dword ptr [ebp-24] ; NumOfKey
009ABC2C push eax
009ABC2D mov eax, dword ptr [ebp+8]
009ABC30 mov eax, dword ptr [eax]
009ABC32 push dword ptr [ebp+8]
009ABC35 call dword ptr [eax+6FC] ; call 9A908B
009ABC3B mov dword ptr [ebp-120], eax
009ABC41 cmp dword ptr [ebp-120], 0
009ABC48 jge short 009ABC6A
009ABC4A push 6FC
009ABC4F push 004BB72C
009ABC54 push dword ptr [ebp+8]
009ABC57 push dword ptr [ebp-120]
009ABC5D call <jmp.&MSVBVM60.__vbaHresultCheck>
009ABC62 mov dword ptr [ebp-194], eax
009ABC68 jmp short 009ABC71
009ABC6A and dword ptr [ebp-194], 0
009ABC71 fld qword ptr [ebp-11C]
009ABC77 fstp qword ptr [ebp-3C]
009ABC7A mov dword ptr [ebp-4], 2C
009ABC81 fld qword ptr [ebp-3C]
009ABC84 fcomp qword ptr [401CA8] ; compare the remainder returned by the preceding call with 0
009ABC8A fstsw ax
009ABC8C sahf
009ABC8D je short 009ABC9B
009ABC8F mov dword ptr [ebp-198], 1 ; if nonzero, [ebp-198]w=1
009ABC99 jmp short 009ABCA2
009ABC9B and dword ptr [ebp-198], 0 ; if zero, [ebp-198]w=0
009ABCA2 push dword ptr [ebp-70]
009ABCA5 push 004AF690
009ABCAA call <jmp.&MSVBVM60.__vbaStrCmp> ; compare C4OfAlphaOfKey with "s"
009ABCAF mov esi, eax
009ABCB1 neg esi
009ABCB3 sbb esi, esi
009ABCB5 neg esi
009ABCB7 push dword ptr [ebp-70]
009ABCBA push 004998F0
009ABCBF call <jmp.&MSVBVM60.__vbaStrCmp> ; compare C4OfAlphaOfKey with the empty string
009ABCC4 neg eax
009ABCC6 sbb eax, eax
009ABCC8 neg eax
009ABCCA and esi, eax
009ABCCC neg esi
009ABCCE sbb esi, esi
009ABCD0 neg esi
009ABCD2 mov eax, dword ptr [ebp-198]
009ABCD8 or eax, esi
009ABCDA test eax, eax
009ABCDC jnz short 009ABD03 |
|
[Original] Registration analysis of Advanced Query Tool V8
009AB827 and dword ptr [ebp-180], 0
009AB82E mov eax, dword ptr [ebp-7C]
009AB831 mov dword ptr [ebp-154], eax
009AB837 and dword ptr [ebp-7C], 0
009AB83B mov edx, dword ptr [ebp-154]
009AB841 lea ecx, dword ptr [ebp-80]
009AB844 call <jmp.&MSVBVM60.__vbaStrMove>
; The function starting at BCE816 splits a string, with its hyphens removed, into a letter part and a digit part
009AB849 lea eax, dword ptr [ebp-30] ; receives the letter part of RegKey (AlphaOfKey)
009AB84C push eax
009AB84D lea eax, dword ptr [ebp-24] ; receives the digit part of RegKey (NumOfKey)
009AB850 push eax
009AB851 lea eax, dword ptr [ebp-80] ; RegKey
009AB854 push eax
009AB855 call 00BCE816
009AB85A lea ecx, dword ptr [ebp-80]
009AB85D call <jmp.&MSVBVM60.__vbaFreeStr>
009AB862 lea ecx, dword ptr [ebp-88]
009AB868 call <jmp.&MSVBVM60.__vbaFreeObj>
009AB86D mov dword ptr [ebp-4], 13
009AB874 push dword ptr [ebp-74]
009AB877 push dword ptr [ebp-30]
009AB87A call <jmp.&MSVBVM60.rtcUpperCaseBstr> ; UCAlphaOfKey=UCase(AlphaOfKey)
009AB87F mov edx, eax
009AB881 lea ecx, dword ptr [ebp-7C]
009AB884 call <jmp.&MSVBVM60.__vbaStrMove>
009AB889 push eax
009AB88A call <jmp.&MSVBVM60.__vbaStrCat> ; NewRegName=NewRegName & UCAlphaOfKey
009AB88F mov edx, eax
009AB891 lea ecx, dword ptr [ebp-74]
009AB894 call <jmp.&MSVBVM60.__vbaStrMove>
009AB899 lea ecx, dword ptr [ebp-7C]
009AB89C call <jmp.&MSVBVM60.__vbaFreeStr>
009AB8A1 mov dword ptr [ebp-4], 14
009AB8A8 push dword ptr [ebp-74]
009AB8AB call <jmp.&MSVBVM60.__vbaLenBstr>
009AB8B0 cmp eax, 14
009AB8B3 jle short 009AB8D0
009AB8B5 mov dword ptr [ebp-4], 15
009AB8BC push 14
009AB8BE push dword ptr [ebp-74]
009AB8C1 call <jmp.&MSVBVM60.rtcRightCharBstr> ; if NewRegName is longer than 20, take the rightmost 20 characters
009AB8C6 mov edx, eax
009AB8C8 lea ecx, dword ptr [ebp-74]
009AB8CB call <jmp.&MSVBVM60.__vbaStrMove>
; Concatenate three copies of NewRegName
009AB8D0 mov dword ptr [ebp-4], 17
009AB8D7 push dword ptr [ebp-74]
009AB8DA push dword ptr [ebp-74]
009AB8DD call <jmp.&MSVBVM60.__vbaStrCat>
009AB8E2 mov edx, eax
009AB8E4 lea ecx, dword ptr [ebp-7C]
009AB8E7 call <jmp.&MSVBVM60.__vbaStrMove>
009AB8EC push eax
009AB8ED push dword ptr [ebp-74]
009AB8F0 call <jmp.&MSVBVM60.__vbaStrCat>
009AB8F5 mov edx, eax
009AB8F7 lea ecx, dword ptr [ebp-80]
009AB8FA call <jmp.&MSVBVM60.__vbaStrMove>
009AB8FF push eax
009AB900 push dword ptr [ebp-74]
009AB903 call <jmp.&MSVBVM60.__vbaStrCat>
009AB908 mov edx, eax
009AB90A lea ecx, dword ptr [ebp-74]
009AB90D call <jmp.&MSVBVM60.__vbaStrMove>
009AB912 lea eax, dword ptr [ebp-80]
009AB915 push eax
009AB916 lea eax, dword ptr [ebp-7C]
009AB919 push eax
009AB91A push 2
009AB91C call <jmp.&MSVBVM60.__vbaFreeStrList>
009AB921 add esp, 0C
009AB924 mov dword ptr [ebp-4], 18
; The loop below computes the running sum of the products of the ASCII value of each of the first 20 characters of NewRegName and its position
009AB92B mov dword ptr [ebp-13C], 14 ; loop 20 times
009AB935 mov dword ptr [ebp-138], 1
009AB93F mov dword ptr [C7D304], 1
009AB949 jmp short 009AB961
009AB94B mov eax, dword ptr [C7D304]
009AB950 add eax, dword ptr [ebp-138]
009AB956 jo 009AD49E
009AB95C mov dword ptr [C7D304], eax
009AB961 mov eax, dword ptr [C7D304]
009AB966 cmp eax, dword ptr [ebp-13C]
009AB96C jg 009ABA4B
009AB972 mov dword ptr [ebp-4], 19
009AB979 mov dword ptr [ebp-90], 1
009AB983 mov dword ptr [ebp-98], 2
009AB98D lea eax, dword ptr [ebp-74]
009AB990 mov dword ptr [ebp-D0], eax
009AB996 mov dword ptr [ebp-D8], 4008
009AB9A0 lea eax, dword ptr [ebp-98]
009AB9A6 push eax
009AB9A7 push dword ptr [C7D304]
009AB9AD lea eax, dword ptr [ebp-D8]
009AB9B3 push eax
009AB9B4 lea eax, dword ptr [ebp-A8]
009AB9BA push eax
009AB9BB call <jmp.&MSVBVM60.rtcMidCharVar> ; take one character of NewRegName
009AB9C0 lea eax, dword ptr [ebp-A8]
009AB9C6 push eax
009AB9C7 lea eax, dword ptr [ebp-7C]
009AB9CA push eax
009AB9CB call <jmp.&MSVBVM60.__vbaStrVarVal>
009AB9D0 push eax
009AB9D1 call <jmp.&MSVBVM60.rtcAnsiValueBstr> ; get the ASCII value of that character
009AB9D6 mov word ptr [ebp-10C], ax
009AB9DD mov eax, dword ptr [ebp+8]
009AB9E0 movsx ecx, word ptr [ebp-10C]
009AB9E7 imul ecx, dword ptr [C7D304] ; multiply by the character's position
009AB9EE jo 009AD49E
009AB9F4 mov dword ptr [ebp-184], ecx
009AB9FA fild dword ptr [ebp-184]
009ABA00 fstp qword ptr [ebp-18C]
009ABA06 fld qword ptr [ebp-18C]
009ABA0C fadd qword ptr [eax+38]
009ABA0F mov ecx, dword ptr [ebp+8]
009ABA12 fstp qword ptr [ecx+38] ; accumulate
009ABA15 fstsw ax
009ABA17 test al, 0D
009ABA19 jnz 009AD499
009ABA1F lea ecx, dword ptr [ebp-7C]
009ABA22 call <jmp.&MSVBVM60.__vbaFreeStr>
009ABA27 lea eax, dword ptr [ebp-A8]
009ABA2D push eax
009ABA2E lea eax, dword ptr [ebp-98]
009ABA34 push eax
009ABA35 push 2
009ABA37 call <jmp.&MSVBVM60.__vbaFreeVarList>
009ABA3C add esp, 0C
009ABA3F mov dword ptr [ebp-4], 1A
009ABA46 jmp 009AB94B |
|
[Original] Registration analysis of Advanced Query Tool V8
009AB6FD and dword ptr [ebp-17C], 0
009AB704 push 0
009AB706 push -1
009AB708 push 1
009AB70A push 004998F0 ; vbNull
009AB70F push 00499674 ; Space
009AB714 push dword ptr [ebp-7C]
009AB717 call <jmp.&MSVBVM60.rtcReplace> ; remove the spaces from RegName to get NewRegName
009AB71C mov edx, eax
009AB71E lea ecx, dword ptr [ebp-80]
009AB721 call <jmp.&MSVBVM60.__vbaStrMove>
009AB726 push eax
009AB727 call <jmp.&MSVBVM60.rtcUpperCaseBstr> ; convert NewRegName to upper case
009AB72C mov dword ptr [ebp-90], eax
009AB732 mov dword ptr [ebp-98], 8
009AB73C lea eax, dword ptr [ebp-98]
009AB742 push eax
009AB743 lea eax, dword ptr [ebp-A8]
009AB749 push eax
009AB74A call <jmp.&MSVBVM60.rtcTrimVar> ; NewRegName=Trim(NewRegName)
009AB74F lea eax, dword ptr [ebp-A8]
009AB755 push eax
009AB756 call <jmp.&MSVBVM60.__vbaStrVarMove>
009AB75B mov edx, eax
009AB75D lea ecx, dword ptr [ebp-74]
009AB760 call <jmp.&MSVBVM60.__vbaStrMove>
009AB765 lea eax, dword ptr [ebp-80]
009AB768 push eax
009AB769 lea eax, dword ptr [ebp-7C]
009AB76C push eax
009AB76D push 2
009AB76F call <jmp.&MSVBVM60.__vbaFreeStrList>
009AB774 add esp, 0C
009AB777 lea ecx, dword ptr [ebp-88]
009AB77D call <jmp.&MSVBVM60.__vbaFreeObj>
009AB782 lea eax, dword ptr [ebp-A8]
009AB788 push eax
009AB789 lea eax, dword ptr [ebp-98]
009AB78F push eax
009AB790 push 2
009AB792 call <jmp.&MSVBVM60.__vbaFreeVarList>
009AB797 add esp, 0C
009AB79A mov dword ptr [ebp-4], 0F
009AB7A1 push dword ptr [ebp-74]
009AB7A4 call <jmp.&MSVBVM60.__vbaLenBstr> ; get the length of NewRegName
009AB7A9 cmp eax, 3
009AB7AC jge short 009AB7B3 ; must not be less than 3
009AB7AE jmp 009AD3D4
009AB7B3 mov dword ptr [ebp-4], 12
009AB7BA mov eax, dword ptr [ebp+8]
009AB7BD mov eax, dword ptr [eax] ; get RegKey
009AB7BF push dword ptr [ebp+8]
009AB7C2 call dword ptr [eax+308]
009AB7C8 push eax
009AB7C9 lea eax, dword ptr [ebp-88]
009AB7CF push eax
009AB7D0 call <jmp.&MSVBVM60.__vbaObjSet>
009AB7D5 mov dword ptr [ebp-120], eax
009AB7DB lea eax, dword ptr [ebp-7C]
009AB7DE push eax
009AB7DF mov eax, dword ptr [ebp-120]
009AB7E5 mov eax, dword ptr [eax]
009AB7E7 push dword ptr [ebp-120]
009AB7ED call dword ptr [eax+A0]
009AB7F3 fclex
009AB7F5 mov dword ptr [ebp-124], eax
009AB7FB cmp dword ptr [ebp-124], 0
009AB802 jge short 009AB827
009AB804 push 0A0
009AB809 push 004A1EC8
009AB80E push dword ptr [ebp-120]
009AB814 push dword ptr [ebp-124]
009AB81A call <jmp.&MSVBVM60.__vbaHresultCheck>
009AB81F mov dword ptr [ebp-180], eax
009AB825 jmp short 009AB82E |
|
[Original] Registration analysis of Advanced Query Tool V8
; Get RegKey
009AB5C4 mov eax, dword ptr [ebp+8]
009AB5C7 mov eax, dword ptr [eax]
009AB5C9 push dword ptr [ebp+8]
009AB5CC call dword ptr [eax+308]
009AB5D2 push eax
009AB5D3 lea eax, dword ptr [ebp-88]
009AB5D9 push eax
009AB5DA call <jmp.&MSVBVM60.__vbaObjSet>
009AB5DF mov dword ptr [ebp-120], eax
009AB5E5 lea eax, dword ptr [ebp-7C]
009AB5E8 push eax
009AB5E9 mov eax, dword ptr [ebp-120]
009AB5EF mov eax, dword ptr [eax]
009AB5F1 push dword ptr [ebp-120]
009AB5F7 call dword ptr [eax+A0]
009AB5FD fclex
009AB5FF mov dword ptr [ebp-124], eax
009AB605 cmp dword ptr [ebp-124], 0
009AB60C jge short 009AB631
009AB60E push 0A0
009AB613 push 004A1EC8
009AB618 push dword ptr [ebp-120]
009AB61E push dword ptr [ebp-124]
009AB624 call <jmp.&MSVBVM60.__vbaHresultCheck>
009AB629 mov dword ptr [ebp-178], eax
009AB62F jmp short 009AB638
009AB631 and dword ptr [ebp-178], 0
009AB638 push dword ptr [ebp-7C]
009AB63B push 004998F0
009AB640 call <jmp.&MSVBVM60.__vbaStrCmp> ; compare RegKey with the empty string
009AB645 neg eax
009AB647 sbb eax, eax
009AB649 inc eax
009AB64A neg eax
009AB64C mov word ptr [ebp-128], ax
009AB653 lea ecx, dword ptr [ebp-7C]
009AB656 call <jmp.&MSVBVM60.__vbaFreeStr>
009AB65B lea ecx, dword ptr [ebp-88]
009AB661 call <jmp.&MSVBVM60.__vbaFreeObj>
009AB666 movsx eax, word ptr [ebp-128]
009AB66D test eax, eax
009AB66F je short 009AB676 ; if RegKey is not empty, go to 9AB676
009AB671 jmp 009AD3D4
009AB676 mov dword ptr [ebp-4], 0D
009AB67D mov eax, dword ptr [ebp+8]
009AB680 mov ecx, dword ptr [ebp+8]
009AB683 fld qword ptr [eax+38]
009AB686 fstp qword ptr [ecx+40]
009AB689 mov dword ptr [ebp-4], 0E
; Get RegName
009AB690 mov eax, dword ptr [ebp+8]
009AB693 mov eax, dword ptr [eax]
009AB695 push dword ptr [ebp+8]
009AB698 call dword ptr [eax+30C]
009AB69E push eax
009AB69F lea eax, dword ptr [ebp-88]
009AB6A5 push eax
009AB6A6 call <jmp.&MSVBVM60.__vbaObjSet>
009AB6AB mov dword ptr [ebp-120], eax
009AB6B1 lea eax, dword ptr [ebp-7C]
009AB6B4 push eax
009AB6B5 mov eax, dword ptr [ebp-120]
009AB6BB mov eax, dword ptr [eax]
009AB6BD push dword ptr [ebp-120]
009AB6C3 call dword ptr [eax+A0]
009AB6C9 fclex
009AB6CB mov dword ptr [ebp-124], eax
009AB6D1 cmp dword ptr [ebp-124], 0
009AB6D8 jge short 009AB6FD
009AB6DA push 0A0
009AB6DF push 004A1EC8
009AB6E4 push dword ptr [ebp-120]
009AB6EA push dword ptr [ebp-124]
009AB6F0 call <jmp.&MSVBVM60.__vbaHresultCheck>
009AB6F5 mov dword ptr [ebp-17C], eax
009AB6FB jmp short 009AB704 |
|
[Original] Registration analysis of Advanced Query Tool V8
; 0/8293=0
009AB4CF fdiv qword ptr [eax+38]
009AB4D2 jmp short 009AB4DF
009AB4D4 push dword ptr [eax+3C]
009AB4D7 push dword ptr [eax+38]
009AB4DA call <jmp.&MSVBVM60._adj_fdiv_m64>
009AB4DF fstsw ax
009AB4E1 test al, 0D
009AB4E3 jnz 009AD499
009AB4E9 call <jmp.&MSVBVM60.__vbaFPInt>
009AB4EE fstp qword ptr [ebp-4C]
009AB4F1 mov dword ptr [ebp-4], 4
009AB4F8 push dword ptr [ebp-78]
009AB4FB call <jmp.&MSVBVM60.rtcR8ValFromBstr>
009AB500 mov eax, dword ptr [ebp+8]
009AB503 fld qword ptr [ebp-4C]
009AB506 fmul qword ptr [eax+38]
009AB509 fsubp st(1), st
009AB50B fstp qword ptr [ebp-68]
009AB50E fstsw ax
009AB510 test al, 0D
009AB512 jnz 009AD499
009AB518 mov dword ptr [ebp-4], 5
009AB51F push dword ptr [ebp-28]
009AB522 call <jmp.&MSVBVM60.rtcR8ValFromBstr>
009AB527 fstp qword ptr [ebp-11C]
009AB52D fld qword ptr [ebp-68]
009AB530 fmul qword ptr [404140] ; 10000000000
009AB536 fadd qword ptr [ebp-11C]
009AB53C fstp qword ptr [ebp-54]
009AB53F fstsw ax
009AB541 test al, 0D
009AB543 jnz 009AD499
009AB549 mov dword ptr [ebp-4], 6
009AB550 mov eax, dword ptr [ebp+8]
009AB553 fld qword ptr [ebp-54]
009AB556 cmp dword ptr [C7D000], 0
009AB55D jnz short 009AB564
009AB55F fdiv qword ptr [eax+38]
009AB562 jmp short 009AB56F
009AB564 push dword ptr [eax+3C]
009AB567 push dword ptr [eax+38]
009AB56A call <jmp.&MSVBVM60._adj_fdiv_m64>
009AB56F fstsw ax
009AB571 test al, 0D
009AB573 jnz 009AD499
009AB579 call <jmp.&MSVBVM60.__vbaFPInt>
009AB57E fstp qword ptr [ebp-5C]
009AB581 mov dword ptr [ebp-4], 7
009AB588 mov eax, dword ptr [ebp+8]
009AB58B fldz
009AB58D fstp qword ptr [eax+38]
009AB590 mov dword ptr [ebp-4], 8
009AB597 mov eax, dword ptr [ebp+8]
009AB59A fld qword ptr [ebp-5C]
009AB59D fmul qword ptr [eax+38]
009AB5A0 fsubr qword ptr [ebp-54]
009AB5A3 fstp qword ptr [ebp-3C]
009AB5A6 fstsw ax
009AB5A8 test al, 0D
009AB5AA jnz 009AD499
009AB5B0 mov dword ptr [ebp-4], 9
009AB5B7 fld qword ptr [ebp-3C]
009AB5BA fstp qword ptr [ebp-44]
009AB5BD mov dword ptr [ebp-4], 0A |