药品进销存管理系统算法的详细分析
【破解作者】 jsliyangsj
【作者邮箱】 sjcrack@yahoo.com.cn
【使用工具】 peid OllyDbg1.10
【破解平台】 Winxp
【软件名称】 药品进销存管理系统
【软件地址】 http://www.onlinedown.net/soft/37048.htm
软件是用VB编写的
我的机器码:701098763
我的输入码:12345678
因为是VB程序,先在 __vbaStrCmp、__vbaStrComp 上下断点,发现没用,改用 __vbaVarTstEq:
…………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………
00643A80 > \55 push ebp
00643A81 . 8BEC mov ebp,esp
00643A83 . 83EC 0C sub esp,0C
00643A86 . 68 A63E4000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00643A8B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00643A91 . 50 push eax
00643A92 . 64:8925 00000000 mov dword ptr fs:[0],esp
00643A99 . 81EC A8000000 sub esp,0A8
00643A9F . 53 push ebx
00643AA0 . 56 push esi
00643AA1 . 57 push edi
00643AA2 . 8965 F4 mov dword ptr ss:[ebp-C],esp
00643AA5 . C745 F8 F03A4000 mov dword ptr ss:[ebp-8],yyjxc.00403AF0
00643AAC . 8B75 08 mov esi,dword ptr ss:[ebp+8]
00643AAF . 8BC6 mov eax,esi
00643AB1 . 83E0 01 and eax,1
00643AB4 . 8945 FC mov dword ptr ss:[ebp-4],eax
00643AB7 . 83E6 FE and esi,FFFFFFFE
00643ABA . 56 push esi
00643ABB . 8975 08 mov dword ptr ss:[ebp+8],esi
00643ABE . 8B0E mov ecx,dword ptr ds:[esi]
00643AC0 . FF51 04 call dword ptr ds:[ecx+4]
00643AC3 . 8B16 mov edx,dword ptr ds:[esi]
00643AC5 . 33DB xor ebx,ebx
00643AC7 . 56 push esi
00643AC8 . 895D E8 mov dword ptr ss:[ebp-18],ebx
00643ACB . 895D E4 mov dword ptr ss:[ebp-1C],ebx
00643ACE . 895D E0 mov dword ptr ss:[ebp-20],ebx
00643AD1 . 895D D0 mov dword ptr ss:[ebp-30],ebx
00643AD4 . 895D C0 mov dword ptr ss:[ebp-40],ebx
00643AD7 . 895D B0 mov dword ptr ss:[ebp-50],ebx
00643ADA . 895D A0 mov dword ptr ss:[ebp-60],ebx
00643ADD . 895D 90 mov dword ptr ss:[ebp-70],ebx
00643AE0 . 895D 80 mov dword ptr ss:[ebp-80],ebx
00643AE3 . FF92 08030000 call dword ptr ds:[edx+308]
00643AE9 . 50 push eax
00643AEA . 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00643AED . 50 push eax
00643AEE . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00643AF4 . 8BF8 mov edi,eax
00643AF6 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00643AF9 . 52 push edx
00643AFA . 57 push edi
00643AFB . 8B0F mov ecx,dword ptr ds:[edi]
00643AFD . FF91 A0000000 call dword ptr ds:[ecx+A0]
00643B03 . 3BC3 cmp eax,ebx
00643B05 . DBE2 fclex
00643B07 . 7D 12 jge short yyjxc.00643B1B
00643B09 . 68 A0000000 push 0A0
00643B0E . 68 585E4300 push yyjxc.00435E58
00643B13 . 57 push edi
00643B14 . 50 push eax
00643B15 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
; Comparison run. The value fetched into [ebp-18] (presumably the text typed into the
; registration box; confirm against the call at 00643AFD) is wrapped as a variant with
; tag 8, trimmed by rtcTrimVar, and compared with the value held at [esi+38].
; NOTE(review): the expected code already sits in the object's memory here and is
; compared as plain text, which is the weakness the rest of the write-up examines.
00643B1B > 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00643B1E . 895D E8 mov dword ptr ss:[ebp-18],ebx
00643B21 . 8945 D8 mov dword ptr ss:[ebp-28],eax
00643B24 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00643B27 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00643B2A . BB 08000000 mov ebx,8 ; tag value 8, written to [ebp-30] below
00643B2F . 50 push eax
00643B30 . 51 push ecx
00643B31 . 895D D0 mov dword ptr ss:[ebp-30],ebx
00643B34 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00643B3A . 8B56 38 mov edx,dword ptr ds:[esi+38] ; author's note: the expected registration code is visible here
00643B3D . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00643B40 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
00643B43 . 50 push eax
00643B44 . 51 push ecx
00643B45 . 8955 98 mov dword ptr ss:[ebp-68],edx ; value slot of the variant at [ebp-70]
00643B48 . C745 90 08800000 mov dword ptr ss:[ebp-70],8008 ; tag 8008 for that variant
00643B4F . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; author's note: the typed code is compared with the expected code (import name truncated by the debugger, presumably __vbaVarTstEq)
00643B55 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00643B58 . 8985 54FFFFFF mov dword ptr ss:[ebp-AC],eax ; keep the comparison result for the branch below
00643B5E . FF15 10124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00643B64 . 8B3D 2C104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
00643B6A . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00643B6D . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00643B70 . 52 push edx
00643B71 . 50 push eax
00643B72 . 6A 02 push 2
00643B74 . FFD7 call edi ; <&MSVBVM60.__vbaFreeVarList>
00643B76 . 83C4 0C add esp,0C
00643B79 . 66:83BD 54FFFFFF >cmp word ptr ss:[ebp-AC],0
00643B81 . 0F84 66010000 je yyjxc.00643CED ; author's note: the key branch; a result of 0 goes to the error-dialog path at 00643CED
00643B87 . 8B0E mov ecx,dword ptr ds:[esi]
00643B89 . 56 push esi
00643B8A . FF91 08030000 call dword ptr ds:[ecx+308]
00643B90 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00643B93 . 50 push eax
00643B94 . 52 push edx
00643B95 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00643B9B . 8B08 mov ecx,dword ptr ds:[eax]
00643B9D . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00643BA0 . 52 push edx
00643BA1 . 50 push eax
00643BA2 . 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
00643BA8 . FF91 A0000000 call dword ptr ds:[ecx+A0]
00643BAE . 85C0 test eax,eax
00643BB0 . DBE2 fclex
00643BB2 . 7D 18 jge short yyjxc.00643BCC
00643BB4 . 8B8D 5CFFFFFF mov ecx,dword ptr ss:[ebp-A4]
00643BBA . 68 A0000000 push 0A0
00643BBF . 68 585E4300 push yyjxc.00435E58
00643BC4 . 51 push ecx
00643BC5 . 50 push eax
00643BC6 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00643BCC > 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00643BCF . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00643BD2 . 8945 D8 mov dword ptr ss:[ebp-28],eax
00643BD5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00643BD8 . 52 push edx
00643BD9 . 50 push eax
00643BDA . C745 E8 00000000 mov dword ptr ss:[ebp-18],0
00643BE1 . 895D D0 mov dword ptr ss:[ebp-30],ebx
00643BE4 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00643BEA . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00643BED . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00643BF0 . 51 push ecx
00643BF1 . 52 push edx
00643BF2 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00643BF8 . 50 push eax
00643BF9 . 68 4C2D4300 push yyjxc.00432D4C ; UNICODE "Top"
00643BFE . 68 382D4300 push yyjxc.00432D38 ; UNICODE "Startup"
00643C03 . 68 282D4300 push yyjxc.00432D28 ; UNICODE "MyApp"
00643C08 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.#690>] ; MSVBVM60.rtcSaveSetting
00643C0E . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00643C11 . FF15 14124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00643C17 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00643C1A . FF15 10124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00643C20 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00643C23 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00643C26 . 50 push eax
00643C27 . 51 push ecx
00643C28 . 6A 02 push 2
00643C2A . FFD7 call edi
00643C2C . B9 04000280 mov ecx,80020004
00643C31 . B8 0A000000 mov eax,0A
00643C36 . 894D A8 mov dword ptr ss:[ebp-58],ecx
00643C39 . 894D B8 mov dword ptr ss:[ebp-48],ecx
00643C3C . 83C4 0C add esp,0C
00643C3F . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00643C42 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00643C45 . 8945 A0 mov dword ptr ss:[ebp-60],eax
00643C48 . 8945 B0 mov dword ptr ss:[ebp-50],eax
00643C4B . C745 88 F8C24400 mov dword ptr ss:[ebp-78],yyjxc.0044C2F8
00643C52 . 895D 80 mov dword ptr ss:[ebp-80],ebx
00643C55 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00643C5B . 8D55 90 lea edx,dword ptr ss:[ebp-70]
00643C5E . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00643C61 . C745 98 E0C24400 mov dword ptr ss:[ebp-68],yyjxc.0044C2E0
00643C68 . 895D 90 mov dword ptr ss:[ebp-70],ebx
00643C6B . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00643C71 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00643C74 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00643C77 . 52 push edx
00643C78 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00643C7B . 50 push eax
00643C7C . 51 push ecx
00643C7D . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00643C80 . 6A 40 push 40
00643C82 . 52 push edx
00643C83 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00643C89 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00643C8C . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00643C8F . 50 push eax
00643C90 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00643C93 . 51 push ecx
00643C94 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00643C97 . 52 push edx
00643C98 . 50 push eax
00643C99 . 6A 04 push 4
00643C9B . FFD7 call edi
00643C9D . 66:C746 34 FFFF mov word ptr ds:[esi+34],0FFFF
00643CA3 . A1 104A6600 mov eax,dword ptr ds:[664A10]
00643CA8 . 83C4 14 add esp,14
00643CAB . 85C0 test eax,eax
00643CAD . 75 10 jnz short yyjxc.00643CBF
00643CAF . 68 104A6600 push yyjxc.00664A10
00643CB4 . 68 9C2A4300 push yyjxc.00432A9C
00643CB9 . FF15 74114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00643CBF > 8B3D 104A6600 mov edi,dword ptr ds:[664A10]
00643CC5 . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00643CC8 . 56 push esi
00643CC9 . 51 push ecx
00643CCA . 8B1F mov ebx,dword ptr ds:[edi]
00643CCC . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSetAddref
00643CD2 . 50 push eax
00643CD3 . 57 push edi
00643CD4 . FF53 10 call dword ptr ds:[ebx+10]
00643CD7 . 85C0 test eax,eax
00643CD9 . DBE2 fclex
00643CDB . 0F8D B4000000 jge yyjxc.00643D95
00643CE1 . 6A 10 push 10
00643CE3 . 68 8C2A4300 push yyjxc.00432A8C
00643CE8 . E9 A0000000 jmp yyjxc.00643D8D
; Failure path, reached from the je at 00643B81 when the comparison result is 0.
; It fills in the message-box arguments and calls the import slot at 00401090, which the
; debugger labels MSVBVM60.rtcMsgBox at 00643C83.
00643CED > B9 04000280 mov ecx,80020004
00643CF2 . B8 0A000000 mov eax,0A
00643CF7 . 894D A8 mov dword ptr ss:[ebp-58],ecx ; 80020004 with tag 0A: the usual encoding of an omitted optional argument
00643CFA . 894D B8 mov dword ptr ss:[ebp-48],ecx
00643CFD . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00643D00 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00643D03 . 8945 A0 mov dword ptr ss:[ebp-60],eax
00643D06 . 8945 B0 mov dword ptr ss:[ebp-50],eax
00643D09 . C745 88 402E4300 mov dword ptr ss:[ebp-78],yyjxc.00432E40 ; presumably the dialog title string (contents not shown in the dump)
00643D10 . 895D 80 mov dword ptr ss:[ebp-80],ebx
00643D13 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00643D19 . 8D55 90 lea edx,dword ptr ss:[ebp-70]
00643D1C . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00643D1F . C745 98 04C34400 mov dword ptr ss:[ebp-68],yyjxc.0044C304 ; presumably the prompt string (contents not shown in the dump)
00643D26 . 895D 90 mov dword ptr ss:[ebp-70],ebx
00643D29 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00643D2F . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00643D32 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00643D35 . 52 push edx
00643D36 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00643D39 . 50 push eax
00643D3A . 51 push ecx
00643D3B . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00643D3E . 6A 30 push 30 ; immediate argument is 30 here, 40 on the success path at 00643C80
00643D40 . 52 push edx
00643D41 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.#595>] ; author's note: the error dialog appears here
…………………………………………………………………………………………………………………………
发现注册码已经在那里了,属于明码比较(即程序在本地算出正确的注册码,再与输入码直接比较)。但我们当然要分析算法,注册是次要的。
再次输入,想找出计算注册码的关键CALL,却怎么也找不到!
而且发现,一断在00643A80,用 d 00161844(不一定是这个地址,反复CTRL+F2后固定)查看,注册码就已经躺在那里了,
却也进不到原程序领空。还发现“取消”注册对话框并CTRL+F2后再查看,注册码就没有了。干脆就在 00161844
下内存写入断点(此时应该是CTRL+F2后的第一次,也就是说 d 00161844 还看不到注册码)。
…………………………………………………………………………………………………………………………
770F36C8 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWOR> 断在这句上
770F36CA 8BCA MOV ECX,EDX
770F36CC 83E1 >AND ECX,3
770F36CF F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE >
770F36D1 C6041>MOV BYTE PTR DS:[EAX+EBX],0
…………………………………………………………………………………………………………………………
在堆栈中可以看到第一个返回地址:0012F498 006445D1 返回到 yyjxc.006445D1 来自 MSVBVM60.__vbaStrCopy
按回车来到006445D1,再向上看,就到了产生和计算注册码的地方:
…………………………………………………………………………………………………………………………
00644070 > \55 push ebp
00644071 . 8BEC mov ebp,esp
00644073 . 83EC 0C sub esp,0C
00644076 . 68 A63E4000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0064407B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00644081 . 50 push eax
00644082 . 64:8925 0000000>mov dword ptr fs:[0],esp
00644089 . 81EC 8C010000 sub esp,18C
0064408F . 53 push ebx
00644090 . 56 push esi
00644091 . 57 push edi
00644092 . 8965 F4 mov dword ptr ss:[ebp-C],esp
00644095 . C745 F8 103B400>mov dword ptr ss:[ebp-8],yyjxc.00403B10
0064409C . 8B7D 08 mov edi,dword ptr ss:[ebp+8]
0064409F . 8BC7 mov eax,edi
006440A1 . 83E0 01 and eax,1
006440A4 . 8945 FC mov dword ptr ss:[ebp-4],eax
006440A7 . 83E7 FE and edi,FFFFFFFE
006440AA . 57 push edi
006440AB . 897D 08 mov dword ptr ss:[ebp+8],edi
006440AE . 8B0F mov ecx,dword ptr ds:[edi]
006440B0 . FF51 04 call dword ptr ds:[ecx+4]
006440B3 . 8B1D CC114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarCopy>] ; MSVBVM60.__vbaVarCopy
006440B9 . 33F6 xor esi,esi
006440BB . 89B5 C0FEFFFF mov dword ptr ss:[ebp-140],esi
006440C1 . 8D95 C0FEFFFF lea edx,dword ptr ss:[ebp-140]
006440C7 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
006440CA . 8975 E8 mov dword ptr ss:[ebp-18],esi
006440CD . 8975 D8 mov dword ptr ss:[ebp-28],esi
006440D0 . 8975 C4 mov dword ptr ss:[ebp-3C],esi
006440D3 . 8975 B0 mov dword ptr ss:[ebp-50],esi
006440D6 . 8975 AC mov dword ptr ss:[ebp-54],esi
006440D9 . 8975 9C mov dword ptr ss:[ebp-64],esi
006440DC . 8975 98 mov dword ptr ss:[ebp-68],esi
006440DF . 8975 94 mov dword ptr ss:[ebp-6C],esi
006440E2 . 8975 90 mov dword ptr ss:[ebp-70],esi
006440E5 . 8975 8C mov dword ptr ss:[ebp-74],esi
006440E8 . 8975 88 mov dword ptr ss:[ebp-78],esi
006440EB . 8975 84 mov dword ptr ss:[ebp-7C],esi
006440EE . 8975 80 mov dword ptr ss:[ebp-80],esi
006440F1 . 89B5 7CFFFFFF mov dword ptr ss:[ebp-84],esi
006440F7 . 89B5 78FFFFFF mov dword ptr ss:[ebp-88],esi
006440FD . 89B5 74FFFFFF mov dword ptr ss:[ebp-8C],esi
00644103 . 89B5 70FFFFFF mov dword ptr ss:[ebp-90],esi
00644109 . 89B5 60FFFFFF mov dword ptr ss:[ebp-A0],esi
0064410F . 89B5 50FFFFFF mov dword ptr ss:[ebp-B0],esi
00644115 . 89B5 40FFFFFF mov dword ptr ss:[ebp-C0],esi
0064411B . 89B5 30FFFFFF mov dword ptr ss:[ebp-D0],esi
00644121 . 89B5 20FFFFFF mov dword ptr ss:[ebp-E0],esi
00644127 . 89B5 10FFFFFF mov dword ptr ss:[ebp-F0],esi
0064412D . 89B5 00FFFFFF mov dword ptr ss:[ebp-100],esi
00644133 . 89B5 F0FEFFFF mov dword ptr ss:[ebp-110],esi
00644139 . 89B5 E0FEFFFF mov dword ptr ss:[ebp-120],esi
0064413F . 89B5 D0FEFFFF mov dword ptr ss:[ebp-130],esi
00644145 . 89B5 B0FEFFFF mov dword ptr ss:[ebp-150],esi
0064414B . 89B5 ACFEFFFF mov dword ptr ss:[ebp-154],esi
00644151 . 89B5 A8FEFFFF mov dword ptr ss:[ebp-158],esi
00644157 . C785 C8FEFFFF 1>mov dword ptr ss:[ebp-138],yyjxc.00432D1C ; UNICODE "c:\"
00644161 . C785 C0FEFFFF 0>mov dword ptr ss:[ebp-140],8
0064416B . FFD3 call ebx ; <&MSVBVM60.__vbaVarCopy>
0064416D . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00644170 . 52 push edx
00644171 . FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00644177 . 8985 A8FEFFFF mov dword ptr ss:[ebp-158],eax
0064417D . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00644180 . 50 push eax
00644181 . FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00644187 . 8B4D AC mov ecx,dword ptr ss:[ebp-54]
0064418A . 6A 7F push 7F
0064418C . 8D55 88 lea edx,dword ptr ss:[ebp-78]
0064418F . 51 push ecx
00644190 . 52 push edx
00644191 . 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00644197 . FF15 C0114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>] ; MSVBVM60.__vbaStrToAnsi
0064419D . 50 push eax
0064419E . 8D45 E8 lea eax,dword ptr ss:[ebp-18]
006441A1 . 8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-158]
006441A7 . 50 push eax
006441A8 . 8D95 ACFEFFFF lea edx,dword ptr ss:[ebp-154]
006441AE . 51 push ecx
006441AF . 52 push edx
006441B0 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
006441B3 . 6A 7F push 7F
006441B5 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
006441B8 . 50 push eax
006441B9 . 51 push ecx
006441BA . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
006441C0 . 50 push eax
006441C1 . 8D55 8C lea edx,dword ptr ss:[ebp-74]
006441C4 . 52 push edx
006441C5 . FF15 C0114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>] ; MSVBVM60.__vbaStrToAnsi
006441CB . 50 push eax
006441CC . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
006441CF . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
006441D2 . 50 push eax
006441D3 . 51 push ecx
006441D4 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
006441DA . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
006441DD . 50 push eax
006441DE . 52 push edx
006441DF . FF15 C0114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>] ; MSVBVM60.__vbaStrToAnsi
006441E5 . 50 push eax
006441E6 . E8 F5E7DEFF call yyjxc.004329E0
006441EB . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystemErr>; MSVBVM60.__vbaSetSystemError
006441F1 . 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-154]
006441F7 . 8D95 C0FEFFFF lea edx,dword ptr ss:[ebp-140]
006441FD . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00644200 . 8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax
00644206 . C785 C0FEFFFF 0>mov dword ptr ss:[ebp-140],3
00644210 . FFD3 call ebx
00644212 . 8B8D A8FEFFFF mov ecx,dword ptr ss:[ebp-158]
00644218 . 8D95 B0FEFFFF lea edx,dword ptr ss:[ebp-150]
0064421E . 898D B8FEFFFF mov dword ptr ss:[ebp-148],ecx
00644224 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00644227 . C785 B0FEFFFF 0>mov dword ptr ss:[ebp-150],3
00644231 . FFD3 call ebx
00644233 . 8B55 88 mov edx,dword ptr ss:[ebp-78]
00644236 . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00644239 . 52 push edx
0064423A . 50 push eax
0064423B . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrToUnicode>; MSVBVM60.__vbaStrToUnicode
00644241 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00644244 . 8D55 8C lea edx,dword ptr ss:[ebp-74]
00644247 . 51 push ecx
00644248 . 8D45 90 lea eax,dword ptr ss:[ebp-70]
0064424B . 52 push edx
0064424C . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0064424F . 50 push eax
00644250 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
00644253 . 51 push ecx
00644254 . 52 push edx
00644255 . 6A 05 push 5
00644257 . FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>>; MSVBVM60.__vbaFreeStrList
0064425D . B8 02000000 mov eax,2
00644262 . 83C4 18 add esp,18
00644265 . 8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax
0064426B . 8985 C0FEFFFF mov dword ptr ss:[ebp-140],eax
00644271 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00644274 . 8D8D C0FEFFFF lea ecx,dword ptr ss:[ebp-140]
0064427A . 50 push eax
0064427B . 8D95 60FFFFFF lea edx,dword ptr ss:[ebp-A0]
00644281 . 51 push ecx
00644282 . 52 push edx
00644283 . C785 B8FEFFFF 6>mov dword ptr ss:[ebp-148],914A162
0064428D . C785 B0FEFFFF 0>mov dword ptr ss:[ebp-150],3
00644297 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaVarIdiv>] ; MSVBVM60.__vbaVarIdiv
0064429D . 50 push eax
0064429E . 8D85 B0FEFFFF lea eax,dword ptr ss:[ebp-150]
006442A4 . 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
006442AA . 50 push eax
006442AB . 51 push ecx
006442AC . FF15 B4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
006442B2 . 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
006442B8 . 50 push eax
006442B9 . 52 push edx
006442BA . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAbs>] ; MSVBVM60.__vbaVarAbs
006442C0 . 50 push eax
006442C1 . FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
006442C7 . 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0] ; 出现了机器码EAX以16进制表示
006442CD . 8BD8 mov ebx,eax
006442CF . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
006442D5 . 8B07 mov eax,dword ptr ds:[edi]
006442D7 . 57 push edi
006442D8 . FF90 0C030000 call dword ptr ds:[eax+30C]
006442DE . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
006442E4 . 50 push eax
006442E5 . 51 push ecx
006442E6 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
006442EC . 8B10 mov edx,dword ptr ds:[eax]
006442EE . 8985 88FEFFFF mov dword ptr ss:[ebp-178],eax
006442F4 . 53 push ebx
006442F5 . 8995 60FEFFFF mov dword ptr ss:[ebp-1A0],edx
006442FB . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
00644301 . 8BD0 mov edx,eax ; 出现字符串形式的机器码
00644303 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00644306 . FF15 E0114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0064430C . 8B9D 88FEFFFF mov ebx,dword ptr ss:[ebp-178]
00644312 . 8B95 60FEFFFF mov edx,dword ptr ss:[ebp-1A0]
00644318 . 50 push eax
00644319 . 53 push ebx
0064431A . FF92 A4000000 call dword ptr ds:[edx+A4]
00644320 . 3BC6 cmp eax,esi
00644322 . DBE2 fclex
00644324 . 7D 12 jge short yyjxc.00644338
00644326 . 68 A4000000 push 0A4
0064432B . 68 585E4300 push yyjxc.00435E58
00644330 . 53 push ebx
00644331 . 50 push eax
00644332 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
00644338 > 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0064433B . FF15 14124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00644341 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00644347 . FF15 10124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0064434D . 8B07 mov eax,dword ptr ds:[edi]
0064434F . 57 push edi
00644350 . FF90 0C030000 call dword ptr ds:[eax+30C]
00644356 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0064435C . 50 push eax
0064435D . 51 push ecx
0064435E . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00644364 . 8BD8 mov ebx,eax
00644366 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00644369 . 50 push eax
0064436A . 53 push ebx
0064436B . 8B13 mov edx,dword ptr ds:[ebx]
0064436D . FF92 A0000000 call dword ptr ds:[edx+A0]
00644373 . 3BC6 cmp eax,esi
00644375 . DBE2 fclex
00644377 . 7D 12 jge short yyjxc.0064438B
00644379 . 68 A0000000 push 0A0
0064437E . 68 585E4300 push yyjxc.00435E58
00644383 . 53 push ebx
00644384 . 50 push eax
00644385 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
0064438B > 8B45 98 mov eax,dword ptr ss:[ebp-68] ; 拷贝机器码
0064438E . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
00644394 . 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
0064439A . 51 push ecx
0064439B . 52 push edx
0064439C . 8975 98 mov dword ptr ss:[ebp-68],esi
0064439F . 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax
006443A5 . C785 60FFFFFF 0>mov dword ptr ss:[ebp-A0],8
006443AF . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
006443B5 . 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
006443BB . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
006443BE . 50 push eax
006443BF . 51 push ecx
006443C0 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
006443C6 . 50 push eax
006443C7 . FF15 18124000 call dword ptr ds:[<&MSVBVM60.#581>] ; 把机器码转化为实数放于ST0
006443CD . 8B17 mov edx,dword ptr ds:[edi]
006443CF . 57 push edi
006443D0 . DD9D 9CFEFFFF fstp qword ptr ss:[ebp-164]
006443D6 . FF92 0C030000 call dword ptr ds:[edx+30C]
006443DC . 50 push eax
006443DD . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
006443E3 . 50 push eax
006443E4 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
006443EA . 8BD8 mov ebx,eax
006443EC . 8D55 8C lea edx,dword ptr ss:[ebp-74]
006443EF . 52 push edx
006443F0 . 53 push ebx
006443F1 . 8B0B mov ecx,dword ptr ds:[ebx]
006443F3 . FF91 A0000000 call dword ptr ds:[ecx+A0]
006443F9 . 3BC6 cmp eax,esi
006443FB . DBE2 fclex
006443FD . 7D 12 jge short yyjxc.00644411
006443FF . 68 A0000000 push 0A0
00644404 . 68 585E4300 push yyjxc.00435E58
00644409 . 53 push ebx
0064440A . 50 push eax
0064440B . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
00644411 > 8B45 8C mov eax,dword ptr ss:[ebp-74]
00644414 . 50 push eax
00644415 . FF15 18124000 call dword ptr ds:[<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0064441B . 8B0F mov ecx,dword ptr ds:[edi]
0064441D . 57 push edi
0064441E . DD9D 94FEFFFF fstp qword ptr ss:[ebp-16C]
00644424 . FF91 0C030000 call dword ptr ds:[ecx+30C]
0064442A . 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-90]
00644430 . 50 push eax
00644431 . 52 push edx
00644432 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00644438 . 8BD8 mov ebx,eax
0064443A . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0064443D . 51 push ecx
0064443E . 53 push ebx
0064443F . 8B03 mov eax,dword ptr ds:[ebx]
00644441 . FF90 A0000000 call dword ptr ds:[eax+A0]
00644447 . 3BC6 cmp eax,esi
00644449 . DBE2 fclex
0064444B . 7D 12 jge short yyjxc.0064445F
0064444D . 68 A0000000 push 0A0
00644452 . 68 585E4300 push yyjxc.00435E58
00644457 . 53 push ebx
00644458 . 50 push eax
00644459 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
; Registration-code construction, as annotated by the write-up's author. Three values are
; derived from the machine code and concatenated with __vbaVarCat: a 2-character prefix,
; a full decimal string, and a 4-character prefix.
; [ebp-164] and [ebp-16C] were stored by the fstp instructions at 006443D0 and 0064441E
; after the earlier calls to the same import slot (labelled rtcR8ValFromBstr at 00644415).
; NOTE(review): everything here runs locally on a value shown to the user, so the expected
; code can be read from memory once this run completes.
0064445F > 8B45 88 mov eax,dword ptr ss:[ebp-78] ; author's note: fetch the machine-code string
00644462 . 8D95 00FFFFFF lea edx,dword ptr ss:[ebp-100]
00644468 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
0064446E . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
00644474 . 52 push edx
00644475 . 50 push eax
00644476 . 8975 88 mov dword ptr ss:[ebp-78],esi
00644479 . C785 00FFFFFF 0>mov dword ptr ss:[ebp-100],8
00644483 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00644489 . 8D8D F0FEFFFF lea ecx,dword ptr ss:[ebp-110]
0064448F . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00644492 . 51 push ecx
00644493 . 52 push edx
00644494 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; author's note: yields the machine-code string
0064449A . 50 push eax
0064449B . FF15 18124000 call dword ptr ds:[<&MSVBVM60.#581>] ; author's note: the string is converted to a number left in ST0
006444A1 . DD9D 8CFEFFFF fstp qword ptr ss:[ebp-174] ; saved for the third step (reloaded at 00644543)
; --- first part ---
006444A7 . DD85 9CFEFFFF fld qword ptr ss:[ebp-164]
006444AD . 6A 02 push 2 ; presumably the count consumed by the #616 call at 006444DC
006444AF . FF15 D4114000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; author's note: machine code moved from ST0 into EAX as an integer (the debugger displays it in hex)
006444B5 . 8BC8 mov ecx,eax
006444B7 . B8 398EE338 mov eax,38E38E39
006444BC . F7E9 imul ecx ; signed multiply by 38E38E39; the product is in EDX:EAX
006444BE . D1FA sar edx,1 ; arithmetic shift right by 1 of EDX
006444C0 . 8BC2 mov eax,edx
006444C2 . C1E8 1F shr eax,1F ; shift right by 1F, leaving only the top bit
006444C5 . 03D0 add edx,eax ; add that bit to the shifted EDX value
; NOTE(review): this multiply / shift / top-bit sequence has the shape of compiler-generated
; signed division by a constant rather than hand-written arithmetic; confirm before relying on it.
006444C7 . 52 push edx
006444C8 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; author's note: the value in EDX is formatted as a decimal string
006444CE . 8B1D E0114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; author's note: the decimal string is visible at this point
006444D4 . 8BD0 mov edx,eax
006444D6 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
006444D9 . FFD3 call ebx ; <&MSVBVM60.__vbaStrMove>
006444DB . 50 push eax
006444DC . FF15 D0114000 call dword ptr ds:[<&MSVBVM60.#616>] ; author's note: takes the leading two characters as the first two characters of the registration code
; --- second part ---
006444E2 . DD85 94FEFFFF fld qword ptr ss:[ebp-16C] ; author's note: load the machine code
006444E8 . 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
006444EE . C785 20FFFFFF 0>mov dword ptr ss:[ebp-E0],8
006444F8 . FF15 D4114000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
006444FE . 8BC8 mov ecx,eax ; author's note: the machine code as an integer again (shown in hex)
00644500 . B8 310CC330 mov eax,30C30C31
00644505 . F7E9 imul ecx ; signed multiply by 30C30C31
00644507 . C1FA 02 sar edx,2 ; product is in EDX:EAX; arithmetic shift right by 2 of EDX
0064450A . 8BCA mov ecx,edx
0064450C . 6A 09 push 9 ; presumably the count consumed by the #619 call at 0064453D
0064450E . C1E9 1F shr ecx,1F ; author's note: take the top bit
00644511 . 03D1 add edx,ecx ; add that top bit to EDX
00644513 . 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
00644519 . 81C2 B700B228 add edx,28B200B7 ; add the constant 28B200B7; author's note: its decimal form is what matters
0064451F . C785 40FFFFFF 0>mov dword ptr ss:[ebp-C0],3
00644529 . 0F80 23020000 jo yyjxc.00644752 ; taken if the add above overflowed (the mov and lea in between leave the flags alone)
0064452F . 8995 48FFFFFF mov dword ptr ss:[ebp-B8],edx ; author's note: store the result from EDX at [ebp-B8]
00644535 . 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
0064453B . 52 push edx
0064453C . 50 push eax
0064453D . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.#619>] ; author's note: the result becomes a decimal string stored at [ebp-C8]
; --- third part ---
00644543 . DD85 8CFEFFFF fld qword ptr ss:[ebp-174] ; author's note: load the machine code
00644549 . DC0D 68124000 fmul qword ptr ds:[401268] ; author's note: multiply by 9 (constant read from 00401268)
0064454F . 6A 04 push 4 ; presumably the count consumed by the #616 call at 0064456F
00644551 . 83EC 08 sub esp,8 ; room for the 8-byte value stored by the fstp below
00644554 . DFE0 fstsw ax
00644556 . A8 0D test al,0D
00644558 . 0F85 EF010000 jnz yyjxc.0064474D ; taken if any FPU status bit in mask 0D is set
0064455E . DD1C24 fstp qword ptr ss:[esp]
00644561 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaStrR8>] ; author's note: the real value is converted to a string
00644567 . 8BD0 mov edx,eax
00644569 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0064456C . FFD3 call ebx
0064456E . 50 push eax
0064456F . FF15 D0114000 call dword ptr ds:[<&MSVBVM60.#616>] ; author's note: takes the leftmost 4 characters
; --- concatenation ---
00644575 . 8D8D 20FFFFFF lea ecx,dword ptr ss:[ebp-E0]
0064457B . 8985 E8FEFFFF mov dword ptr ss:[ebp-118],eax
00644581 . 8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
00644587 . 51 push ecx
00644588 . 8D85 10FFFFFF lea eax,dword ptr ss:[ebp-F0]
0064458E . 52 push edx
0064458F . 50 push eax
00644590 . C785 E0FEFFFF 0>mov dword ptr ss:[ebp-120],8
0064459A . FF15 5C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; author's note: joins the 2 characters from the first part with the second result
006445A0 . 8D8D E0FEFFFF lea ecx,dword ptr ss:[ebp-120]
006445A6 . 50 push eax
006445A7 . 51 push ecx
006445A8 . 8D95 D0FEFFFF lea edx,dword ptr ss:[ebp-130]
006445AE . 52 push edx
006445AF . FF15 5C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; author's note: appends the 4 characters from the third part
006445B5 . 50 push eax
006445B6 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>] ; author's note: copy
006445BC . 8BD0 mov edx,eax ; author's note: the complete registration code (all three parts joined) is visible here
…………………………………………………………………………………………………………………………
总结算法:
一共分为3次计算:取第一次计算结果的前2位,取第二次计算结果的全部,取第三次计算结果的
前4位,三者依次拼接即为注册码。
第一次:将机器码转化为整数(调试器中以16进制显示),与38E38E39相乘,取乘积中位于EDX的那8位(高32位)进行SAR 1运算,运算的结果加上
自己的2进制的最高位,然后把此次计算得到的结果转化为10进制,取前2位。
第二次:将机器码转化为整数(调试器中以16进制显示),与30C30C31相乘,取乘积中位于EDX的那8位(高32位)进行SAR 2运算,运算的结果加上
自己的2进制的最高位,得到的结果与28B200B7相加,将结果转化为10进制,取其全部。
第三次:机器码本身与9相乘,直接取前4位。
…………………………………………………………………………………………………………………………