海宇QQ斗地主记牌器助手 v1.0 注册算法分析
发表于: 2005-7-3 18:46 9939
【软件名称】海宇QQ斗地主记牌器助手 v1.0
【逆向作者】forever[RCT]
【编程语言】VB
【保护方式】注册码
【使用工具】ida4.6,ollydbg 1.10
【软件说明】
本软件为 QQ斗地主 游戏的辅助记牌器工具,它可以自动记录上家与下家出的牌,自动显示除自己外的还没出的牌。新游戏开始后,会自动重新记牌、算牌,无需人工干预,直到你停止记牌或关闭游戏。本软件使用方法简单,容易操作。
本软件为共享软件,没有注册的用户,每次运行都会提示您注册,使用时只能记录上下家的前5张牌,注册用户则没有任何限制。我们非常希望您能喜欢我们的软件,您的支持是我们最大的动力。
【破解正文】
这是帮助一个朋友分析的软件。软件是用VB编写的,加了UPX壳。UPX壳用UPX1.24W就可以脱掉了。注册算法也不是很难。但需要您有耐心看完。
很长时间来都想找个VB的软件分析一下,但分析这个软件用了我整整两天的时间。做逆向是需要耐心与毅力的:)
由于用ollydbg很容易就可以找到关键点来分析。所以这里就只把分析过程写出来了。写得不是很详细,如果您对其中的一些地方不是很明白,可以找找MengLong的关于VB的帖子。
关键地方在这里:
; Excerpt from the caller (the callee's xref list names this call site reg_460FE0+392).
; Both input strings are moved into temporaries and passed by address to sub_464EF0,
; and the 16-bit value it returns in ax is then tested.
text:0046134C mov edx, [ebp+var_20] ; load the entered (not yet validated) registration code
.text:0046134F mov ebx, ds:__vbaStrMove
.text:00461355 xor edi, edi
.text:00461357 lea ecx, [ebp+var_28]
.text:0046135A mov [ebp+var_20], edi ; zero the source slot before its string is moved into var_28
.text:0046135D call ebx ; __vbaStrMove
.text:0046135F mov edx, [ebp+var_1C]
.text:00461362 lea ecx, [ebp+var_24]
.text:00461365 mov [ebp+var_1C], edi ; same for the second string, which is moved into var_24
.text:00461368 call ebx ; __vbaStrMove
.text:0046136A lea edx, [ebp+var_28]
.text:0046136D lea eax, [ebp+var_24]
.text:00461370 push edx ; address of the entered registration code
.text:00461371 push eax ; address of the user name
.text:00461372 call sub_464EF0 ; the check routine; it is examined next
.text:00461377 xor ecx, ecx
.text:00461379 cmp ax, 0FFFFh ; is the result True? (a VB Boolean True is -1, i.e. 0FFFFh in 16 bits)
; NOTE(review): the accept/reject decision here is one Boolean computed entirely on the
; client. For developers this is the design weakness to take away: validation that lives
; only in the shipped binary can be read in full, so stronger schemes rely on signed
; licence data or server-side checks.
后面跟进sub_464ef0看看:
.text:00464EF0 sub_464EF0 proc near ; CODE XREF: sub_455570+573p
.text:00464EF0 ; reg_460FE0+392p
.text:00464EF0 ; sub_464600+3Ap
.text:00464EF0 ; sub_466DF0+6E6p
.text:00464EF0
.text:00464EF0 var_288 = qword ptr -288h
.text:00464EF0 var_280 = dword ptr -280h
.text:00464EF0 var_27C = dword ptr -27Ch
.text:00464EF0 var_278 = dword ptr -278h
.text:00464EF0 var_274 = dword ptr -274h
.text:00464EF0 var_270 = dword ptr -270h
.text:00464EF0 var_26C = dword ptr -26Ch
.text:00464EF0 var_268 = qword ptr -268h
.text:00464EF0 var_260 = dword ptr -260h
.text:00464EF0 var_25C = dword ptr -25Ch
.text:00464EF0 var_258 = dword ptr -258h
.text:00464EF0 var_254 = qword ptr -254h
.text:00464EF0 var_24C = dword ptr -24Ch
.text:00464EF0 var_248 = dword ptr -248h
.text:00464EF0 var_244 = dword ptr -244h
.text:00464EF0 var_240 = qword ptr -240h
.text:00464EF0 var_238 = dword ptr -238h
.text:00464EF0 var_234 = dword ptr -234h
.text:00464EF0 var_230 = dword ptr -230h
.text:00464EF0 var_22C = dword ptr -22Ch
.text:00464EF0 var_228 = dword ptr -228h
.text:00464EF0 var_224 = dword ptr -224h
.text:00464EF0 var_220 = qword ptr -220h
.text:00464EF0 var_218 = dword ptr -218h
.text:00464EF0 var_214 = dword ptr -214h
.text:00464EF0 var_210 = dword ptr -210h
.text:00464EF0 var_20C = dword ptr -20Ch
.text:00464EF0 var_208 = qword ptr -208h
.text:00464EF0 var_200 = dword ptr -200h
.text:00464EF0 var_1FC = qword ptr -1FCh
.text:00464EF0 var_1F4 = dword ptr -1F4h
.text:00464EF0 var_1F0 = dword ptr -1F0h
.text:00464EF0 var_1EC = dword ptr -1ECh
.text:00464EF0 var_1E8 = dword ptr -1E8h
.text:00464EF0 var_1E4 = dword ptr -1E4h
.text:00464EF0 var_1E0 = dword ptr -1E0h
.text:00464EF0 var_1DC = dword ptr -1DCh
.text:00464EF0 var_1D8 = dword ptr -1D8h
.text:00464EF0 var_1D4 = dword ptr -1D4h
.text:00464EF0 var_1D0 = dword ptr -1D0h
.text:00464EF0 var_1CC = dword ptr -1CCh
.text:00464EF0 var_1C8 = dword ptr -1C8h
.text:00464EF0 var_1C4 = dword ptr -1C4h
.text:00464EF0 var_1C0 = dword ptr -1C0h
.text:00464EF0 var_1BC = dword ptr -1BCh
.text:00464EF0 var_1B8 = dword ptr -1B8h
.text:00464EF0 var_1A0 = word ptr -1A0h
.text:00464EF0 var_19C = word ptr -19Ch
.text:00464EF0 var_198 = word ptr -198h
.text:00464EF0 var_194 = word ptr -194h
.text:00464EF0 var_190 = word ptr -190h
.text:00464EF0 var_18C = word ptr -18Ch
.text:00464EF0 var_188 = word ptr -188h
.text:00464EF0 var_184 = word ptr -184h
.text:00464EF0 var_180 = word ptr -180h
.text:00464EF0 var_17C = word ptr -17Ch
.text:00464EF0 var_178 = word ptr -178h
.text:00464EF0 var_174 = word ptr -174h
.text:00464EF0 var_170 = word ptr -170h
.text:00464EF0 var_16C = word ptr -16Ch
.text:00464EF0 var_168 = dword ptr -168h
.text:00464EF0 var_164 = dword ptr -164h
.text:00464EF0 var_160 = dword ptr -160h
.text:00464EF0 var_15C = dword ptr -15Ch
.text:00464EF0 var_158 = dword ptr -158h
.text:00464EF0 var_154 = dword ptr -154h
.text:00464EF0 var_150 = dword ptr -150h
.text:00464EF0 var_14C = dword ptr -14Ch
.text:00464EF0 var_148 = dword ptr -148h
.text:00464EF0 var_144 = dword ptr -144h
.text:00464EF0 var_13C = dword ptr -13Ch
.text:00464EF0 var_134 = dword ptr -134h
.text:00464EF0 var_12C = dword ptr -12Ch
.text:00464EF0 var_124 = dword ptr -124h
.text:00464EF0 var_114 = dword ptr -114h
.text:00464EF0 var_10C = dword ptr -10Ch
.text:00464EF0 var_104 = dword ptr -104h
.text:00464EF0 var_100 = word ptr -100h
.text:00464EF0 var_FC = word ptr -0FCh
.text:00464EF0 var_F8 = dword ptr -0F8h
.text:00464EF0 var_F4 = dword ptr -0F4h
.text:00464EF0 var_F0 = word ptr -0F0h
.text:00464EF0 time_EC = dword ptr -0ECh
.text:00464EF0 var_E8 = word ptr -0E8h
.text:00464EF0 var_E4 = dword ptr -0E4h
.text:00464EF0 var_E0 = word ptr -0E0h
.text:00464EF0 myarray5_D8 = dword ptr -0D8h
.text:00464EF0 var_CC = dword ptr -0CCh
.text:00464EF0 var_C0 = word ptr -0C0h
.text:00464EF0 var_BC = word ptr -0BCh
.text:00464EF0 var_B8 = word ptr -0B8h
.text:00464EF0 slen1_B4 = word ptr -0B4h
.text:00464EF0 var_B0 = word ptr -0B0h
.text:00464EF0 myarray4_A8 = dword ptr -0A8h
.text:00464EF0 var_9C = dword ptr -9Ch
.text:00464EF0 myarray3_8C = dword ptr -8Ch
.text:00464EF0 var_80 = dword ptr -80h
.text:00464EF0 myarray2_70 = dword ptr -70h
.text:00464EF0 var_64 = dword ptr -64h
.text:00464EF0 s2sum_58 = word ptr -58h
.text:00464EF0 var_54 = word ptr -54h
.text:00464EF0 var_50 = dword ptr -50h
.text:00464EF0 s1sum_4C = word ptr -4Ch
.text:00464EF0 var_48 = word ptr -48h
.text:00464EF0 myarray1_40 = dword ptr -40h
.text:00464EF0 var_34 = dword ptr -34h
.text:00464EF0 var_28 = word ptr -28h
.text:00464EF0 slen2_24 = word ptr -24h
.text:00464EF0 var_20 = dword ptr -20h
.text:00464EF0 var_18 = dword ptr -18h
.text:00464EF0 var_14 = dword ptr -14h
.text:00464EF0 var_10 = dword ptr -10h
.text:00464EF0 var_C = dword ptr -0Ch
.text:00464EF0 var_4 = dword ptr -4
.text:00464EF0 arg_4 = dword ptr 8
.text:00464EF0 arg_8 = dword ptr 0Ch
.text:00464EF0
.text:00464EF0 push ebp
.text:00464EF1 mov ebp, esp
.text:00464EF3 sub esp, 18h
.text:00464EF6 push offset loc_4020A6
.text:00464EFB mov eax, large fs:0
.text:00464F01 push eax
.text:00464F02 mov large fs:0, esp
.text:00464F09 mov eax, 268h
.text:00464F0E call __vbaChkstk
.text:00464F13 push ebx
.text:00464F14 push esi
.text:00464F15 push edi
.text:00464F16 mov [ebp+var_18], esp
.text:00464F19 mov [ebp+var_14], offset dword_401B38
.text:00464F20 mov [ebp+var_10], 0
.text:00464F27 mov [ebp+var_C], 0
.text:00464F2E mov [ebp+var_4], 1
.text:00464F35 push 2
.text:00464F37 push offset array17int_40D038
.text:00464F3C lea eax, [ebp+myarray1_40]
.text:00464F3F push eax
.text:00464F40 call ds:__vbaAryConstruct2
.text:00464F46 push 2
.text:00464F48 push offset array513int_40CF90
.text:00464F4D lea ecx, [ebp+myarray2_70]
.text:00464F50 push ecx
.text:00464F51 call ds:__vbaAryConstruct2
.text:00464F57 push 2
.text:00464F59 push offset array17int_40D038
.text:00464F5E lea edx, [ebp+myarray3_8C]
.text:00464F64 push edx
.text:00464F65 call ds:__vbaAryConstruct2
.text:00464F6B push 2
.text:00464F6D push offset array513int_40CF90
.text:00464F72 lea eax, [ebp+myarray4_A8]
.text:00464F78 push eax
.text:00464F79 call ds:__vbaAryConstruct2
.text:00464F7F push 2
.text:00464F81 push offset array17int_40D038
.text:00464F86 lea ecx, [ebp+myarray5_D8]
.text:00464F8C push ecx
.text:00464F8D call ds:__vbaAryConstruct2
///////////////////////////////////////////////////////////////////////
' Author's VB reconstruction of the five __vbaAryConstruct2 calls above.
' myarray1/3/5 are built from the 17-element template and myarray2/4 from the
' 513-element template, so valid indices are 0..16 and 0..512 respectively.
' Elements are 16-bit Integers (the listing writes them with "word ptr").
dim myarray1(16) as integer
dim myarray2(512) as integer
dim myarray3(16) as integer
dim myarray4(512) as integer
dim myarray5(16) as integer
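这里我们先看看数组的地址(数组变量处存放的是数组描述符,数据区指针保存在描述符偏移 0Ch 处,例如 myarray1 的描述符在 var_40,var_40+0Ch 即 var_34,后面的代码都是通过这个指针来访问元素的):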
var_40 myarray1
var_34 数组1地址
var_70 myarray2
var_64 数组2地址
var_8c myarray3
var_80 数组3地址
var_a8 myarray4
var_9c 数组4地址
var_d8 myarray5
var_cc 数组5地址
///////////////////////////////////////////////////////////////////////
.text:00464F93 mov [ebp+var_4], 2
.text:00464F9A push 0FFFFFFFFh
.text:00464F9C call ds:__vbaOnError
.text:00464FA2 mov [ebp+var_4], 3
.text:00464FA9 call ds:rtcGetTimer ; 取当前时间
.text:00464FAF call ds:__vbaFpI4 ; 转成长整数
.text:00464FB5 mov [ebp+time_EC], eax ; 保存
.text:00464FBB mov [ebp+var_4], 4
.text:00464FC2 mov edx, [ebp+arg_4] ; 用户名
.text:00464FC5 push edx
.text:00464FC6 call strFun1_4678D0
.text:00464FCB mov edx, eax
.text:00464FCD lea ecx, [ebp+var_F8] ; 字符串结果保存在这里
.text:00464FD3 call ds:__vbaStrMove
.text:00464FD9 mov [ebp+var_4], 5
.text:00464FE0 mov word ptr [ebp+var_148], 0
.text:00464FE9 lea eax, [ebp+var_148] ; 参数2:0
.text:00464FEF push eax
.text:00464FF0 lea ecx, [ebp+var_F8] ; 参数1:字符串
.text:00464FF6 push ecx
.text:00464FF7 call strFun2_468060 ; 变换字符串
.text:00464FFC mov edx, eax
.text:00464FFE lea ecx, [ebp+var_F4] ; 字符串结果拷贝到这里
.text:00465004 call ds:__vbaStrMove
.text:0046500A mov [ebp+var_4], 6
.text:00465011 mov edx, [ebp+var_F8] ; 第一次变换的结果
.text:00465017 push edx
.text:00465018 call ds:__vbaLenBstr ; 取长度
.text:0046501E mov ecx, eax
.text:00465020 call ds:__vbaI2I4
.text:00465026 mov [ebp+slen1_B4], ax ; 转成长整数保存
.text:0046502D mov [ebp+var_4], 7
.text:00465034 mov eax, [ebp+var_F4] ; 第二次变换的结果
.text:0046503A push eax
.text:0046503B call ds:__vbaLenBstr ; 取长度
.text:00465041 mov ecx, eax
.text:00465043 call ds:__vbaI2I4
.text:00465049 mov [ebp+slen2_24], ax ; 转成长整数保存
.text:0046504D mov [ebp+var_4], 8
.text:00465054 mov [ebp+var_E8], 2 ; 初值2
.text:0046505D mov [ebp+var_4], 9
.text:00465064 mov [ebp+var_160], 1 ; 索引初值1
.text:0046506E cmp [ebp+var_160], 11h
.text:00465075 jnb short loc_465083
.text:00465077 mov [ebp+var_1B8], 0
.text:00465081 jmp short loc_46508F
.text:00465083 ; ---------------------------------------------------------------------------
.text:00465083
.text:00465083 loc_465083: ; CODE XREF: sub_464EF0+185j
.text:00465083 call ds:__vbaGenerateBoundsError
.text:00465089 mov [ebp+var_1B8], eax
.text:0046508F
.text:0046508F loc_46508F: ; CODE XREF: sub_464EF0+191j
.text:0046508F mov ecx, [ebp+var_160] ; 取索引
.text:00465095 mov edx, [ebp+var_34] ; 取数组1地址
.text:00465098 mov word ptr [edx+ecx*2], 2Ah ; myarray1(1) = &h2a
.text:0046509E mov [ebp+var_4], 0Ah
.text:004650A5 mov [ebp+var_160], 2 ; 索引等于2
.text:004650AF cmp [ebp+var_160], 11h
.text:004650B6 jnb short loc_4650C4
.text:004650B8 mov [ebp+var_1BC], 0
.text:004650C2 jmp short loc_4650D0
.text:004650C4 ; ---------------------------------------------------------------------------
.text:004650C4
.text:004650C4 loc_4650C4: ; CODE XREF: sub_464EF0+1C6j
.text:004650C4 call ds:__vbaGenerateBoundsError
.text:004650CA mov [ebp+var_1BC], eax
.text:004650D0
.text:004650D0 loc_4650D0: ; CODE XREF: sub_464EF0+1D2j
.text:004650D0 mov eax, [ebp+var_160] ; 取索引
.text:004650D6 mov ecx, [ebp+var_34] ; 取数组1地址
.text:004650D9 mov word ptr [ecx+eax*2], 2Eh ; myarray1(2) = &h2e
.text:004650DF mov [ebp+var_4], 0Bh
.text:004650E6 mov [ebp+var_160], 3 ; 索引等于3
.text:004650F0 cmp [ebp+var_160], 11h
.text:004650F7 jnb short loc_465105
.text:004650F9 mov [ebp+var_1C0], 0
.text:00465103 jmp short loc_465111
.text:00465105 ; ---------------------------------------------------------------------------
.text:00465105
.text:00465105 loc_465105: ; CODE XREF: sub_464EF0+207j
.text:00465105 call ds:__vbaGenerateBoundsError
.text:0046510B mov [ebp+var_1C0], eax
.text:00465111
.text:00465111 loc_465111: ; CODE XREF: sub_464EF0+213j
.text:00465111 mov edx, [ebp+var_160] ; 取索引
.text:00465117 mov eax, [ebp+var_34] ; 取数组1地址
.text:0046511A mov word ptr [eax+edx*2], 30h ; myarray1(3) = &h30
.text:00465120 mov [ebp+var_4], 0Ch
.text:00465127 mov [ebp+var_160], 4 ; 索引等于4
.text:00465131 cmp [ebp+var_160], 11h
.text:00465138 jnb short loc_465146
.text:0046513A mov [ebp+var_1C4], 0
.text:00465144 jmp short loc_465152
.text:00465146 ; ---------------------------------------------------------------------------
.text:00465146
.text:00465146 loc_465146: ; CODE XREF: sub_464EF0+248j
.text:00465146 call ds:__vbaGenerateBoundsError
.text:0046514C mov [ebp+var_1C4], eax
.text:00465152
.text:00465152 loc_465152: ; CODE XREF: sub_464EF0+254j
.text:00465152 mov ecx, [ebp+var_160] ; 取索引
.text:00465158 mov edx, [ebp+var_34] ; 取数组1地址
.text:0046515B mov word ptr [edx+ecx*2], 2Dh ; myarray1(4) = &h2d
.text:00465161 mov [ebp+var_4], 0Dh
.text:00465168 mov [ebp+var_160], 5 ; 索引等于5
.text:00465172 cmp [ebp+var_160], 11h
.text:00465179 jnb short loc_465187
.text:0046517B mov [ebp+var_1C8], 0
.text:00465185 jmp short loc_465193
.text:00465187 ; ---------------------------------------------------------------------------
.text:00465187
.text:00465187 loc_465187: ; CODE XREF: sub_464EF0+289j
.text:00465187 call ds:__vbaGenerateBoundsError
.text:0046518D mov [ebp+var_1C8], eax
.text:00465193
.text:00465193 loc_465193: ; CODE XREF: sub_464EF0+295j
.text:00465193 mov eax, [ebp+var_160] ; 取索引
.text:00465199 mov ecx, [ebp+var_34] ; 取数组1地址
.text:0046519C mov word ptr [ecx+eax*2], 2Ch ; myarray1(5) = &h2c
.text:004651A2 mov [ebp+var_4], 0Eh
.text:004651A9 mov [ebp+var_160], 6 ; 索引= 6
.text:004651B3 cmp [ebp+var_160], 11h
.text:004651BA jnb short loc_4651C8
.text:004651BC mov [ebp+var_1CC], 0
.text:004651C6 jmp short loc_4651D4
.text:004651C8 ; ---------------------------------------------------------------------------
.text:004651C8
.text:004651C8 loc_4651C8: ; CODE XREF: sub_464EF0+2CAj
.text:004651C8 call ds:__vbaGenerateBoundsError
.text:004651CE mov [ebp+var_1CC], eax
.text:004651D4
.text:004651D4 loc_4651D4: ; CODE XREF: sub_464EF0+2D6j
.text:004651D4 mov edx, [ebp+var_160] ; 取索引
.text:004651DA mov eax, [ebp+var_34] ; 取数组1地址
.text:004651DD mov word ptr [eax+edx*2], 27h ; myarray1(6) = &h27
.text:004651E3 mov [ebp+var_4], 0Fh
.text:004651EA mov [ebp+var_160], 7 ; 索引等于7
.text:004651F4 cmp [ebp+var_160], 11h
.text:004651FB jnb short loc_465209
.text:004651FD mov [ebp+var_1D0], 0
.text:00465207 jmp short loc_465215
.text:00465209 ; ---------------------------------------------------------------------------
.text:00465209
.text:00465209 loc_465209: ; CODE XREF: sub_464EF0+30Bj
.text:00465209 call ds:__vbaGenerateBoundsError
.text:0046520F mov [ebp+var_1D0], eax
.text:00465215
.text:00465215 loc_465215: ; CODE XREF: sub_464EF0+317j
.text:00465215 mov ecx, [ebp+var_160] ; 取索引
.text:0046521B mov edx, [ebp+var_34] ; 取数组1地址
.text:0046521E mov word ptr [edx+ecx*2], 2Ah ; myarray1(7) = &h2a
.text:00465224 mov [ebp+var_4], 10h
.text:0046522B mov [ebp+var_160], 8 ; 索引等于8
.text:00465235 cmp [ebp+var_160], 11h
.text:0046523C jnb short loc_46524A
.text:0046523E mov [ebp+var_1D4], 0
.text:00465248 jmp short loc_465256
.text:0046524A ; ---------------------------------------------------------------------------
.text:0046524A
.text:0046524A loc_46524A: ; CODE XREF: sub_464EF0+34Cj
.text:0046524A call ds:__vbaGenerateBoundsError
.text:00465250 mov [ebp+var_1D4], eax
.text:00465256
.text:00465256 loc_465256: ; CODE XREF: sub_464EF0+358j
.text:00465256 mov eax, [ebp+var_160] ; 取索引
.text:0046525C mov ecx, [ebp+var_34] ; 取数组1地址
.text:0046525F mov word ptr [ecx+eax*2], 4Ch ; myarray1(8) = &h4c
.text:00465265 mov [ebp+var_4], 11h
.text:0046526C mov [ebp+var_160], 9 ; 索引等于9
.text:00465276 cmp [ebp+var_160], 11h
.text:0046527D jnb short loc_46528B
.text:0046527F mov [ebp+var_1D8], 0
.text:00465289 jmp short loc_465297
.text:0046528B ; ---------------------------------------------------------------------------
.text:0046528B
.text:0046528B loc_46528B: ; CODE XREF: sub_464EF0+38Dj
.text:0046528B call ds:__vbaGenerateBoundsError
.text:00465291 mov [ebp+var_1D8], eax
.text:00465297
.text:00465297 loc_465297: ; CODE XREF: sub_464EF0+399j
.text:00465297 mov edx, [ebp+var_160] ; 取索引
.text:0046529D mov eax, [ebp+var_34] ; 取数组1地址
.text:004652A0 mov word ptr [eax+edx*2], 42h ; myarray1(9) = &h42
.text:004652A6 mov [ebp+var_4], 12h
.text:004652AD mov [ebp+var_160], 0Ah ; 索引等于10
.text:004652B7 cmp [ebp+var_160], 11h
.text:004652BE jnb short loc_4652CC
.text:004652C0 mov [ebp+var_1DC], 0
.text:004652CA jmp short loc_4652D8
.text:004652CC ; ---------------------------------------------------------------------------
.text:004652CC
.text:004652CC loc_4652CC: ; CODE XREF: sub_464EF0+3CEj
.text:004652CC call ds:__vbaGenerateBoundsError
.text:004652D2 mov [ebp+var_1DC], eax
.text:004652D8
.text:004652D8 loc_4652D8: ; CODE XREF: sub_464EF0+3DAj
.text:004652D8 mov ecx, [ebp+var_160] ; 取索引
.text:004652DE mov edx, [ebp+var_34] ; 取数组1地址
.text:004652E1 mov word ptr [edx+ecx*2], 44h ; myarray1(10) = &h44
.text:004652E7 mov [ebp+var_4], 13h
.text:004652EE mov [ebp+var_160], 0Bh ; 索引等于11
.text:004652F8 cmp [ebp+var_160], 11h
.text:004652FF jnb short loc_46530D
.text:00465301 mov [ebp+var_1E0], 0
.text:0046530B jmp short loc_465319
.text:0046530D ; ---------------------------------------------------------------------------
.text:0046530D
.text:0046530D loc_46530D: ; CODE XREF: sub_464EF0+40Fj
.text:0046530D call ds:__vbaGenerateBoundsError
.text:00465313 mov [ebp+var_1E0], eax
.text:00465319
.text:00465319 loc_465319: ; CODE XREF: sub_464EF0+41Bj
.text:00465319 mov eax, [ebp+var_160] ; 取索引
.text:0046531F mov ecx, [ebp+var_34] ; 取数组1地址
.text:00465322 mov word ptr [ecx+eax*2], 7Ch ; myarray1(11) = &h7c
.text:00465328 mov [ebp+var_4], 14h
.text:0046532F mov [ebp+var_160], 0Ch ; 索引等于12
.text:00465339 cmp [ebp+var_160], 11h
.text:00465340 jnb short loc_46534E
.text:00465342 mov [ebp+var_1E4], 0
.text:0046534C jmp short loc_46535A
.text:0046534E ; ---------------------------------------------------------------------------
.text:0046534E
.text:0046534E loc_46534E: ; CODE XREF: sub_464EF0+450j
.text:0046534E call ds:__vbaGenerateBoundsError
.text:00465354 mov [ebp+var_1E4], eax
.text:0046535A
.text:0046535A loc_46535A: ; CODE XREF: sub_464EF0+45Cj
.text:0046535A mov edx, [ebp+var_160] ; 取索引
.text:00465360 mov eax, [ebp+var_34] ; 取数组1地址
.text:00465363 mov word ptr [eax+edx*2], 82h ; myarray1(12) = &h82
.text:00465369 mov [ebp+var_4], 15h
.text:00465370 mov [ebp+var_160], 0Dh ; 索引等于13
.text:0046537A cmp [ebp+var_160], 11h
.text:00465381 jnb short loc_46538F
.text:00465383 mov [ebp+var_1E8], 0
.text:0046538D jmp short loc_46539B
.text:0046538F ; ---------------------------------------------------------------------------
.text:0046538F
.text:0046538F loc_46538F: ; CODE XREF: sub_464EF0+491j
.text:0046538F call ds:__vbaGenerateBoundsError
.text:00465395 mov [ebp+var_1E8], eax
.text:0046539B
.text:0046539B loc_46539B: ; CODE XREF: sub_464EF0+49Dj
.text:0046539B mov ecx, [ebp+var_160] ; 取索引
.text:004653A1 mov edx, [ebp+var_34] ; 取数组1地址
.text:004653A4 mov word ptr [edx+ecx*2], 73h ; myarray1(13) = &h73
.text:004653AA mov [ebp+var_4], 16h
.text:004653B1 mov [ebp+var_160], 0Eh ; 索引等于14
.text:004653BB cmp [ebp+var_160], 11h
.text:004653C2 jnb short loc_4653D0
.text:004653C4 mov [ebp+var_1EC], 0
.text:004653CE jmp short loc_4653DC
.text:004653D0 ; ---------------------------------------------------------------------------
.text:004653D0
.text:004653D0 loc_4653D0: ; CODE XREF: sub_464EF0+4D2j
.text:004653D0 call ds:__vbaGenerateBoundsError
.text:004653D6 mov [ebp+var_1EC], eax
.text:004653DC
.text:004653DC loc_4653DC: ; CODE XREF: sub_464EF0+4DEj
.text:004653DC mov eax, [ebp+var_160] ; 取索引
.text:004653E2 mov ecx, [ebp+var_34] ; 取数组1地址
.text:004653E5 mov word ptr [ecx+eax*2], 50h ; myarray1(14) = &h50
.text:004653EB mov [ebp+var_4], 17h
.text:004653F2 mov [ebp+var_160], 0Fh ; 索引等于15
.text:004653FC cmp [ebp+var_160], 11h
.text:00465403 jnb short loc_465411
.text:00465405 mov [ebp+var_1F0], 0
.text:0046540F jmp short loc_46541D
.text:00465411 ; ---------------------------------------------------------------------------
.text:00465411
.text:00465411 loc_465411: ; CODE XREF: sub_464EF0+513j
.text:00465411 call ds:__vbaGenerateBoundsError
.text:00465417 mov [ebp+var_1F0], eax
.text:0046541D
.text:0046541D loc_46541D: ; CODE XREF: sub_464EF0+51Fj
.text:0046541D mov edx, [ebp+var_160] ; 取索引
.text:00465423 mov eax, [ebp+var_34] ; 取数组1地址
.text:00465426 mov word ptr [eax+edx*2], 66h ; myarray1(15) = &h66
.text:0046542C mov [ebp+var_4], 18h
.text:00465433 mov [ebp+var_160], 10h ; 索引等于16
.text:0046543D cmp [ebp+var_160], 11h
.text:00465444 jnb short loc_465452
.text:00465446 mov [ebp+var_1F4], 0
.text:00465450 jmp short loc_46545E
.text:00465452 ; ---------------------------------------------------------------------------
.text:00465452
.text:00465452 loc_465452: ; CODE XREF: sub_464EF0+554j
.text:00465452 call ds:__vbaGenerateBoundsError
.text:00465458 mov [ebp+var_1F4], eax
.text:0046545E
.text:0046545E loc_46545E: ; CODE XREF: sub_464EF0+560j
.text:0046545E mov ecx, [ebp+var_160] ; 取索引
.text:00465464 mov edx, [ebp+var_34] ; 取数组1地址
.text:00465467 mov word ptr [edx+ecx*2], 67h ; myarray1(16) = &h67
///////////////////////////////////////////////////////////////////////////////////////
' Author's VB reconstruction of the setup phase of sub_464EF0 shown above.
' myname is the routine's user-name argument; mycode is declared here but is not
' used in this part of the reconstruction.
dim myname as string
dim mycode as string
dim mynamestr as string
dim mynamestr2 as string
dim slen1 as integer
dim slen2 as integer
dim var_e8 as integer
' fun4678D0 / fun468060 are the helpers labelled strFun1_4678D0 and strFun2_468060
' in the listing; what they compute is not shown in this part.
mynamestr = fun4678D0(myname)
mynamestr2 = fun468060(mynamestr,0)
' Both lengths are narrowed to 16-bit Integer (__vbaI2I4 in the listing).
slen1 = len(mynamestr)
slen2 = len(mynamestr2)
' var_e8 is compared with 1 further down the listing (004657B3) to pick a branch.
var_e8 = 2
' Sixteen hard-coded constants go into elements 1..16; element 0 is not assigned
' in the listing above.
' NOTE(review): how this table is consumed is not visible in this part - confirm
' against the rest of the routine.
myarray1(1) = &h2a
myarray1(2) = &h2e
myarray1(3) = &h30
myarray1(4) = &h2d
myarray1(5) = &h2c
myarray1(6) = &h27
myarray1(7) = &h2a
myarray1(8) = &h4c
myarray1(9) = &h42
myarray1(10) = &h44
myarray1(11) = &h7c
myarray1(12) = &h82
myarray1(13) = &h73
myarray1(14) = &h50
myarray1(15) = &h66
myarray1(16) = &h67
//////////////////////////////////////////////////////////////////////////////////////
.text:0046546D mov [ebp+var_4], 19h
.text:00465474 mov [ebp+var_BC], 0 ; 初值0
.text:0046547D mov [ebp+var_4], 1Ah
.text:00465484 mov [ebp+var_100], 0 ; 初值0
.text:0046548D mov [ebp+var_4], 1Bh
.text:00465494 call ds:rtcGetTimer ; 取时间
.text:0046549A fild [ebp+time_EC]
.text:004654A0 fstp [ebp+var_1FC]
.text:004654A6 fsub [ebp+var_1FC]
.text:004654AC fnstsw ax
.text:004654AE test al, 0Dh
.text:004654B0 jnz loc_46682D
.text:004654B6 call ds:__vbaFpR8
.text:004654BC fcomp ds:dbl_401D90 ; 6.0
.text:004654C2 fnstsw ax
.text:004654C4 test ah, 1
.text:004654C7 jnz short loc_4654CE
.text:004654C9 jmp loc_466742 ; 大于6s则退出,用于反跟踪
.text:004654CE ; ---------------------------------------------------------------------------
.text:004654CE
.text:004654CE loc_4654CE: ; CODE XREF: sub_464EF0+5D7j
.text:004654CE mov [ebp+var_4], 1Eh
.text:004654D5 mov [ebp+var_170], 200h ; 初值512
.text:004654DE mov [ebp+var_16C], 1 ; 初值1
.text:004654E7 mov [ebp+var_B8], 0 ; 当前索引初值0
.text:004654F0 jmp short loc_46550D
.text:004654F2 ; ---------------------------------------------------------------------------
.text:004654F2
.text:004654F2 loc_4654F2: ; CODE XREF: sub_464EF0+683j
.text:004654F2 mov ax, [ebp+var_B8]
.text:004654F9 add ax, [ebp+var_16C]
.text:00465500 jo loc_466832
.text:00465506 mov [ebp+var_B8], ax ; 当前索引加1
.text:0046550D
.text:0046550D loc_46550D: ; CODE XREF: sub_464EF0+600j
.text:0046550D mov cx, [ebp+var_B8]
.text:00465514 cmp cx, [ebp+var_170] ; 大于512则跳
.text:0046551B jg short loc_465578
.text:0046551D mov [ebp+var_4], 1Fh
.text:00465524 movsx edx, [ebp+var_B8] ; 取当前索引
.text:0046552B mov [ebp+var_160], edx ; 保存到这里
.text:00465531 cmp [ebp+var_160], 201h
.text:0046553B jnb short loc_465549
.text:0046553D mov [ebp+var_200], 0
.text:00465547 jmp short loc_465555
.text:00465549 ; ---------------------------------------------------------------------------
.text:00465549
.text:00465549 loc_465549: ; CODE XREF: sub_464EF0+64Bj
.text:00465549 call ds:__vbaGenerateBoundsError
.text:0046554F mov [ebp+var_200], eax
.text:00465555
.text:00465555 loc_465555: ; CODE XREF: sub_464EF0+657j
.text:00465555 mov eax, [ebp+var_160] ; 当前索引
.text:0046555B mov ecx, [ebp+var_9C] ; 数组4地址
.text:00465561 mov dx, [ebp+var_B8]
.text:00465568 mov [ecx+eax*2], dx ; 把当前索引保存到数组4
.text:0046556C mov [ebp+var_4], 20h
.text:00465573 jmp loc_4654F2
.text:00465578 ; ---------------------------------------------------------------------------
.text:00465578
.text:00465578 loc_465578: ; CODE XREF: sub_464EF0+62Bj
.text:00465578 mov [ebp+var_4], 21h
.text:0046557F call ds:rtcGetTimer
.text:00465585 fild [ebp+time_EC]
.text:0046558B fstp [ebp+var_208]
.text:00465591 fsub [ebp+var_208]
.text:00465597 fnstsw ax
.text:00465599 test al, 0Dh
.text:0046559B jnz loc_46682D
.text:004655A1 call ds:__vbaFpR8
.text:004655A7 fcomp ds:dbl_401D90
.text:004655AD fnstsw ax
.text:004655AF test ah, 1
.text:004655B2 jnz short loc_4655B9
.text:004655B4 jmp loc_466742
.text:004655B9 ; ---------------------------------------------------------------------------
.text:004655B9
.text:004655B9 loc_4655B9: ; CODE XREF: sub_464EF0+6C2j
.text:004655B9 mov [ebp+var_4], 24h
.text:004655C0 mov [ebp+var_178], 200h ; 初值512
.text:004655C9 mov [ebp+var_174], 1 ; 初值1
.text:004655D2 mov [ebp+var_B8], 0 ; 当前索引初值0
.text:004655DB jmp short loc_4655F8
.text:004655DD ; ---------------------------------------------------------------------------
.text:004655DD
.text:004655DD loc_4655DD: ; CODE XREF: sub_464EF0+876j
.text:004655DD mov ax, [ebp+var_B8]
.text:004655E4 add ax, [ebp+var_174]
.text:004655EB jo loc_466832
.text:004655F1 mov [ebp+var_B8], ax ; 当前索引加1
.text:004655F8
.text:004655F8 loc_4655F8: ; CODE XREF: sub_464EF0+6EBj
.text:004655F8 mov cx, [ebp+var_B8]
.text:004655FF cmp cx, [ebp+var_178]
.text:00465606 jg loc_46576B ; 大于512则跳
.text:0046560C mov [ebp+var_4], 25h
.text:00465613 mov dx, [ebp+var_BC] ; 取var_bc
.text:0046561A add dx, [ebp+var_B8] ; 累加当前索引
.text:00465621 jo loc_466832
.text:00465627 and dx, 0FFh ; 模256
.text:0046562C jns short loc_465637
.text:0046562E dec dx
.text:00465630 or dx, 0FF00h
.text:00465635 inc dx
.text:00465637
.text:00465637 loc_465637: ; CODE XREF: sub_464EF0+73Cj
.text:00465637 mov [ebp+var_BC], dx
.text:0046563E mov [ebp+var_4], 26h
.text:00465645 movsx eax, [ebp+var_B8] ; 取当前索引
.text:0046564C mov [ebp+var_160], eax ; 放到这里
.text:00465652 cmp [ebp+var_160], 201h
.text:0046565C jnb short loc_46566A
.text:0046565E mov [ebp+var_20C], 0
.text:00465668 jmp short loc_465676
.text:0046566A ; ---------------------------------------------------------------------------
.text:0046566A
.text:0046566A loc_46566A: ; CODE XREF: sub_464EF0+76Cj
.text:0046566A call ds:__vbaGenerateBoundsError
.text:00465670 mov [ebp+var_20C], eax
.text:00465676
.text:00465676 loc_465676: ; CODE XREF: sub_464EF0+778j
.text:00465676 mov ecx, [ebp+var_160] ; 当前索引
.text:0046567C mov edx, [ebp+var_9C] ; 数组4地址
.text:00465682 mov ax, [edx+ecx*2] ; 取数组4一个元素
.text:00465686 mov [ebp+var_54], ax ; 保存到var_54
.text:0046568A mov [ebp+var_4], 27h
.text:00465691 movsx ecx, [ebp+var_BC] ; 取变量var_bc
.text:00465698 mov [ebp+var_164], ecx ; 保存到这里
.text:0046569E cmp [ebp+var_164], 201h
.text:004656A8 jnb short loc_4656B6
.text:004656AA mov [ebp+var_210], 0
.text:004656B4 jmp short loc_4656C2
.text:004656B6 ; ---------------------------------------------------------------------------
.text:004656B6
.text:004656B6 loc_4656B6: ; CODE XREF: sub_464EF0+7B8j
.text:004656B6 call ds:__vbaGenerateBoundsError
.text:004656BC mov [ebp+var_210], eax
.text:004656C2
.text:004656C2 loc_4656C2: ; CODE XREF: sub_464EF0+7C4j
.text:004656C2 movsx edx, [ebp+var_B8] ; 取当前索引
.text:004656C9 mov [ebp+var_160], edx ; 保存到这里
.text:004656CF cmp [ebp+var_160], 201h
.text:004656D9 jnb short loc_4656E7
.text:004656DB mov [ebp+var_214], 0
.text:004656E5 jmp short loc_4656F3
.text:004656E7 ; ---------------------------------------------------------------------------
.text:004656E7
.text:004656E7 loc_4656E7: ; CODE XREF: sub_464EF0+7E9j
.text:004656E7 call ds:__vbaGenerateBoundsError
.text:004656ED mov [ebp+var_214], eax
.text:004656F3
.text:004656F3 loc_4656F3: ; CODE XREF: sub_464EF0+7F5j
.text:004656F3 mov eax, [ebp+var_160] ; 当前索引
.text:004656F9 mov ecx, [ebp+var_9C] ; 数组4地址
.text:004656FF mov edx, [ebp+var_164] ; var_bc
.text:00465705 mov esi, [ebp+var_9C] ; 数组4地址
.text:0046570B mov dx, [esi+edx*2] ; var_bc指向的元素
.text:0046570F mov [ecx+eax*2], dx ; 赋值到当前索引处
.text:00465713 mov [ebp+var_4], 28h
.text:0046571A movsx eax, [ebp+var_BC] ; var_bc
.text:00465721 mov [ebp+var_160], eax ; 放到这里
.text:00465727 cmp [ebp+var_160], 201h
.text:00465731 jnb short loc_46573F
.text:00465733 mov [ebp+var_218], 0
.text:0046573D jmp short loc_46574B
.text:0046573F ; ---------------------------------------------------------------------------
.text:0046573F
.text:0046573F loc_46573F: ; CODE XREF: sub_464EF0+841j
.text:0046573F call ds:__vbaGenerateBoundsError
.text:00465745 mov [ebp+var_218], eax
.text:0046574B
.text:0046574B loc_46574B: ; CODE XREF: sub_464EF0+84Dj
.text:0046574B mov ecx, [ebp+var_160] ; var_bc
.text:00465751 mov edx, [ebp+var_9C] ; 取数组4地址
.text:00465757 mov ax, [ebp+var_54] ; var_54
.text:0046575B mov [edx+ecx*2], ax ; 保存到var_bc指向的元素位置
.text:0046575F mov [ebp+var_4], 29h
.text:00465766 jmp loc_4655DD ; 上面实际在交换元素
.text:0046576B ; ---------------------------------------------------------------------------
.text:0046576B
////////////////////////////////////////////////////////////////////////////////////////////////
' Author's VB reconstruction of the two loops between 004654CE and 0046576B.
dim i as integer
dim tmpchar as integer
dim var_bc as integer
' Loop 1: identity fill, myarray4(i) = i for all 513 elements.
for i = 0 to 512
myarray4(i) = i
next i
' Loop 2: swap element i with element var_bc.
' var_bc starts at 0 (set at 00465474) and is reduced mod 256 on every pass, so the
' swap partner always lies in 0..255 even though i runs up to 512.
' Neither loop reads the user name or the registration code, so as far as this part
' shows the table comes out identical on every run: a fixed permutation that adds
' no secret to the check.
for i = 0 to 512
var_bc = (var_bc + i) mod 256
tmpchar = myarray4(i)
myarray4(i) = myarray4(var_bc)
myarray4(var_bc) = tmpchar
next i
////////////////////////////////////////////////////////////////////////////////////////////////
.text:0046576B loc_46576B: ; CODE XREF: sub_464EF0+716j
.text:0046576B mov [ebp+var_4], 2Ah
.text:00465772 call ds:rtcGetTimer
.text:00465778 fild [ebp+time_EC]
.text:0046577E fstp [ebp+var_220]
.text:00465784 fsub [ebp+var_220]
.text:0046578A fnstsw ax
.text:0046578C test al, 0Dh
.text:0046578E jnz loc_46682D
.text:00465794 call ds:__vbaFpR8
.text:0046579A fcomp ds:dbl_401D90
.text:004657A0 fnstsw ax
.text:004657A2 test ah, 1
.text:004657A5 jnz short loc_4657AC
.text:004657A7 jmp loc_466742
.text:004657AC ; ---------------------------------------------------------------------------
.text:004657AC
.text:004657AC loc_4657AC: ; CODE XREF: sub_464EF0+8B5j
.text:004657AC mov [ebp+var_4], 2Dh
.text:004657B3 cmp [ebp+var_E8], 1
.text:004657BB jnz loc_465986 ; var_e8不等于1则跳
.text:004657C1 mov [ebp+var_4], 2Eh
.text:004657C8 mov [ebp+var_E0], 0 ; 初值0
.text:004657D1 mov [ebp+var_4], 2Fh
.text:004657D8 mov [ebp+var_48], 10h ; 赋值16
.text:004657DE mov [ebp+var_4], 30h
.text:004657E5 mov [ebp+var_12C], offset asc_40CF38 ; " "
.text:004657EF mov [ebp+var_134], 8
.text:004657F9 lea edx, [ebp+var_134]
.text:004657FF lea ecx, [ebp+var_114]
.text:00465805 call ds:__vbaVarDup
.text:0046580B lea ecx, [ebp+var_114]
.text:00465811 push ecx
.text:00465812 push 10h
.text:00465814 lea edx, [ebp+var_124]
.text:0046581A push edx
.text:0046581B call ds:rtcStringVar ; String(16," ")
.text:00465821 lea eax, [ebp+var_124]
.text:00465827 push eax
.text:00465828 call ds:__vbaStrVarMove
.text:0046582E mov edx, eax
.text:00465830 lea ecx, [ebp+var_50]
.text:00465833 call ds:__vbaStrMove
.text:00465839 lea ecx, [ebp+var_124]
.text:0046583F push ecx
.text:00465840 lea edx, [ebp+var_114]
.text:00465846 push edx
.text:00465847 push 2
.text:00465849 call ds:__vbaFreeVarList
.text:0046584F add esp, 0Ch
.text:00465852 mov [ebp+var_4], 31h
.text:00465859 mov [ebp+var_180], 200h ; 初值512
.text:00465862 mov [ebp+var_17C], 1 ; 初值1
.text:0046586B mov [ebp+var_B8], 0 ; 当前索引初值0
.text:00465874 jmp short loc_465891
.text:00465876 ; ---------------------------------------------------------------------------
.text:00465876
.text:00465876 loc_465876: ; CODE XREF: sub_464EF0+A8Cj
.text:00465876 mov ax, [ebp+var_B8]
.text:0046587D add ax, [ebp+var_17C]
.text:00465884 jo loc_466832
.text:0046588A mov [ebp+var_B8], ax ; 当前索引加1
.text:00465891
.text:00465891 loc_465891: ; CODE XREF: sub_464EF0+984j
.text:00465891 mov cx, [ebp+var_B8]
.text:00465898 cmp cx, [ebp+var_180]
.text:0046589F jg loc_465981 ; 大于512则跳
.text:004658A5 mov [ebp+var_4], 32h
.text:004658AC movsx edx, [ebp+var_B8] ; 取当前索引
.text:004658B3 mov [ebp+var_160], edx ; 放到这里
.text:004658B9 cmp [ebp+var_160], 201h
.text:004658C3 jnb short loc_4658D1
.text:004658C5 mov [ebp+var_224], 0
.text:004658CF jmp short loc_4658DD
.text:004658D1 ; ---------------------------------------------------------------------------
.text:004658D1
.text:004658D1 loc_4658D1: ; CODE XREF: sub_464EF0+9D3j
.text:004658D1 call ds:__vbaGenerateBoundsError
.text:004658D7 mov [ebp+var_224], eax
.text:004658DD
.text:004658DD loc_4658DD: ; CODE XREF: sub_464EF0+9DFj
.text:004658DD mov eax, [ebp+var_160] ; 当前索引
.text:004658E3 mov ecx, [ebp+var_9C] ; 数组4地址
.text:004658E9 movsx edx, word ptr [ecx+eax*2] ; 取数组4一个元素
.text:004658ED mov [ebp+var_164], edx ; 放到这里
.text:004658F3 cmp [ebp+var_164], 201h
.text:004658FD jnb short loc_46590B
.text:004658FF mov [ebp+var_228], 0
.text:00465909 jmp short loc_465917
.text:0046590B ; ---------------------------------------------------------------------------
.text:0046590B
.text:0046590B loc_46590B: ; CODE XREF: sub_464EF0+A0Dj
.text:0046590B call ds:__vbaGenerateBoundsError
.text:00465911 mov [ebp+var_228], eax
.text:00465917
.text:00465917 loc_465917: ; CODE XREF: sub_464EF0+A19j
.text:00465917 mov ax, [ebp+var_E0] ; 取var_e0
.text:0046591E add ax, 30h ; 加&h30
.text:00465922 jo loc_466832
.text:00465928 mov ecx, [ebp+var_164] ; 数组4的一个元素
.text:0046592E mov edx, [ebp+var_64] ; 取数组2地址
.text:00465931 mov [edx+ecx*2], ax ; 保存到数组2
.text:00465935 mov [ebp+var_4], 33h
.text:0046593C mov ax, [ebp+var_E0]
.text:00465943 add ax, 1
.text:00465947 jo loc_466832
.text:0046594D mov [ebp+var_E0], ax ; var_e0加1
.text:00465954 mov [ebp+var_4], 34h
.text:0046595B cmp [ebp+var_E0], 0Ah
.text:00465963 jnz short loc_465975
.text:00465965 mov [ebp+var_4], 35h
.text:0046596C mov [ebp+var_E0], 0 ; var_e0等于10则赋值0
.text:00465975
.text:00465975 loc_465975: ; CODE XREF: sub_464EF0+A73j
.text:00465975 mov [ebp+var_4], 37h
.text:0046597C jmp loc_465876
.text:00465981 ; ---------------------------------------------------------------------------
.text:00465981
.text:00465981 loc_465981: ; CODE XREF: sub_464EF0+9AFj
.text:00465981 jmp loc_465CFA
.text:00465986 ; ---------------------------------------------------------------------------
.text:00465986
.text:00465986 loc_465986: ; CODE XREF: sub_464EF0+8CBj
.text:00465986 mov [ebp+var_4], 38h
.text:0046598D cmp [ebp+var_E8], 2
.text:00465995 jnz loc_465C79 ; var_e8不等于2则跳
.text:0046599B mov [ebp+var_4], 39h
.text:004659A2 mov [ebp+var_E0], 0 ; 初值0
.text:004659AB mov [ebp+var_4], 3Ah
.text:004659B2 mov [ebp+var_28], 0 ; 初值0
.text:004659B8 mov [ebp+var_4], 3Bh
.text:004659BF mov [ebp+var_48], 10h ; 赋值16
.text:004659C5 mov [ebp+var_4], 3Ch
.text:004659CC mov [ebp+var_12C], offset asc_40CF38 ; " "
.text:004659D6 mov [ebp+var_134], 8
.text:004659E0 lea edx, [ebp+var_134]
.text:004659E6 lea ecx, [ebp+var_114]
.text:004659EC call ds:__vbaVarDup
.text:004659F2 lea ecx, [ebp+var_114]
.text:004659F8 push ecx
.text:004659F9 push 10h
.text:004659FB lea edx, [ebp+var_124]
.text:00465A01 push edx
.text:00465A02 call ds:rtcStringVar ; String(16," ")
.text:00465A08 lea eax, [ebp+var_124]
.text:00465A0E push eax
.text:00465A0F call ds:__vbaStrVarMove
.text:00465A15 mov edx, eax
.text:00465A17 lea ecx, [ebp+var_50] ; 保存到var_50
.text:00465A1A call ds:__vbaStrMove
.text:00465A20 lea ecx, [ebp+var_124]
.text:00465A26 push ecx
.text:00465A27 lea edx, [ebp+var_114]
.text:00465A2D push edx
.text:00465A2E push 2
.text:00465A30 call ds:__vbaFreeVarList
.text:00465A36 add esp, 0Ch
.text:00465A39 mov [ebp+var_4], 3Dh
.text:00465A40 mov [ebp+var_C0], 0 ; 初值0
.text:00465A49 mov [ebp+var_4], 3Eh
.text:00465A50 mov [ebp+var_188], 200h ; 初值512
.text:00465A59 mov [ebp+var_184], 1 ; 初值1
.text:00465A62 mov [ebp+var_B8], 0 ; 当前索引初值0
.text:00465A6B jmp short loc_465A88
.text:00465A6D ; ---------------------------------------------------------------------------
.text:00465A6D
.text:00465A6D loc_465A6D: ; CODE XREF: sub_464EF0+D7Fj
.text:00465A6D mov ax, [ebp+var_B8]
.text:00465A74 add ax, [ebp+var_184]
.text:00465A7B jo loc_466832
.text:00465A81 mov [ebp+var_B8], ax ; 当前索引加1
.text:00465A88
.text:00465A88 loc_465A88: ; CODE XREF: sub_464EF0+B7Bj
.text:00465A88 mov cx, [ebp+var_B8]
.text:00465A8F cmp cx, [ebp+var_188]
.text:00465A96 jg loc_465C74 ; 大于512则退出
.text:00465A9C mov [ebp+var_4], 3Fh
.text:00465AA3 movsx edx, [ebp+var_C0] ; 取var_c0
.text:00465AAA test edx, edx
.text:00465AAC jz loc_465B97 ; 为0则跳
.text:00465AB2 mov [ebp+var_4], 40h
.text:00465AB9 movsx eax, [ebp+var_B8] ; 取当前索引
.text:00465AC0 mov [ebp+var_160], eax ; 保存到这里
.text:00465AC6 cmp [ebp+var_160], 201h
.text:00465AD0 jnb short loc_465ADE
.text:00465AD2 mov [ebp+var_22C], 0
.text:00465ADC jmp short loc_465AEA
.text:00465ADE ; ---------------------------------------------------------------------------
.text:00465ADE
.text:00465ADE loc_465ADE: ; CODE XREF: sub_464EF0+BE0j
.text:00465ADE call ds:__vbaGenerateBoundsError
.text:00465AE4 mov [ebp+var_22C], eax
.text:00465AEA
.text:00465AEA loc_465AEA: ; CODE XREF: sub_464EF0+BECj
.text:00465AEA mov ecx, [ebp+var_160] ; 当前索引
.text:00465AF0 mov edx, [ebp+var_9C] ; 数组4地址
.text:00465AF6 movsx eax, word ptr [edx+ecx*2] ; 取数组4一个元素
.text:00465AFA mov [ebp+var_164], eax ; 保存到这里
.text:00465B00 cmp [ebp+var_164], 201h
.text:00465B0A jnb short loc_465B18
.text:00465B0C mov [ebp+var_230], 0
.text:00465B16 jmp short loc_465B24
.text:00465B18 ; ---------------------------------------------------------------------------
.text:00465B18
.text:00465B18 loc_465B18: ; CODE XREF: sub_464EF0+C1Aj
.text:00465B18 call ds:__vbaGenerateBoundsError
.text:00465B1E mov [ebp+var_230], eax
.text:00465B24
.text:00465B24 loc_465B24: ; CODE XREF: sub_464EF0+C26j
.text:00465B24 mov cx, [ebp+var_E0] ; var_e0
.text:00465B2B add cx, 30h ; 加&H30变成可见字符
.text:00465B2F jo loc_466832
.text:00465B35 mov edx, [ebp+var_164] ; 数组4的一个元素
.text:00465B3B mov eax, [ebp+var_64] ; 数组2地址
.text:00465B3E mov [eax+edx*2], cx ; 保存到数组2
.text:00465B42 mov [ebp+var_4], 41h
.text:00465B49 mov cx, [ebp+var_E0]
.text:00465B50 add cx, 1
.text:00465B54 jo loc_466832
.text:00465B5A mov [ebp+var_E0], cx ; var_e0加1
.text:00465B61 mov [ebp+var_4], 42h
.text:00465B68 cmp [ebp+var_E0], 0Ah
.text:00465B70 jnz short loc_465B82
.text:00465B72 mov [ebp+var_4], 43h
.text:00465B79 mov [ebp+var_E0], 0 ; var_e0等于10则赋值0
.text:00465B82
.text:00465B82 loc_465B82: ; CODE XREF: sub_464EF0+C80j
.text:00465B82 mov [ebp+var_4], 45h
.text:00465B89 mov [ebp+var_C0], 0
.text:00465B92 jmp loc_465C68
.text:00465B97 ; ---------------------------------------------------------------------------
.text:00465B97
.text:00465B97 loc_465B97: ; CODE XREF: sub_464EF0+BBCj
.text:00465B97 mov [ebp+var_4], 47h
.text:00465B9E movsx edx, [ebp+var_B8] ; 取当前索引
.text:00465BA5 mov [ebp+var_160], edx ; 保存到这里
.text:00465BAB cmp [ebp+var_160], 201h
.text:00465BB5 jnb short loc_465BC3
.text:00465BB7 mov [ebp+var_234], 0
.text:00465BC1 jmp short loc_465BCF
.text:00465BC3 ; ---------------------------------------------------------------------------
.text:00465BC3
.text:00465BC3 loc_465BC3: ; CODE XREF: sub_464EF0+CC5j
.text:00465BC3 call ds:__vbaGenerateBoundsError
.text:00465BC9 mov [ebp+var_234], eax
.text:00465BCF
.text:00465BCF loc_465BCF: ; CODE XREF: sub_464EF0+CD1j
.text:00465BCF mov eax, [ebp+var_160] ; 当前索引
.text:00465BD5 mov ecx, [ebp+var_9C] ; 数组4地址
.text:00465BDB movsx edx, word ptr [ecx+eax*2] ; 取数组4一个元素
.text:00465BDF mov [ebp+var_164], edx ; 保存到这里
.text:00465BE5 cmp [ebp+var_164], 201h
.text:00465BEF jnb short loc_465BFD
.text:00465BF1 mov [ebp+var_238], 0
.text:00465BFB jmp short loc_465C09
.text:00465BFD ; ---------------------------------------------------------------------------
.text:00465BFD
.text:00465BFD loc_465BFD: ; CODE XREF: sub_464EF0+CFFj
.text:00465BFD call ds:__vbaGenerateBoundsError
.text:00465C03 mov [ebp+var_238], eax
.text:00465C09
.text:00465C09 loc_465C09: ; CODE XREF: sub_464EF0+D0Bj
.text:00465C09 mov ax, [ebp+var_28] ; 取var_28
.text:00465C0D add ax, 41h ; 加&H41变成可见字符
.text:00465C11 jo loc_466832
.text:00465C17 mov ecx, [ebp+var_164] ; 数组4的一个元素
.text:00465C1D mov edx, [ebp+var_64] ; 数组2地址
.text:00465C20 mov [edx+ecx*2], ax ; 保存到数组2
.text:00465C24 mov [ebp+var_4], 48h
.text:00465C2B mov ax, [ebp+var_28]
.text:00465C2F add ax, 1
.text:00465C33 jo loc_466832
.text:00465C39 mov [ebp+var_28], ax ; var_28加1
.text:00465C3D mov [ebp+var_4], 49h
.text:00465C44 cmp [ebp+var_28], 1Ah
.text:00465C49 jnz short loc_465C58
.text:00465C4B mov [ebp+var_4], 4Ah
.text:00465C52 mov [ebp+var_28], 0 ; var_28等于26则赋值0
.text:00465C58
.text:00465C58 loc_465C58: ; CODE XREF: sub_464EF0+D59j
.text:00465C58 mov [ebp+var_4], 4Ch
.text:00465C5F mov [ebp+var_C0], 0FFFFh
.text:00465C68
.text:00465C68 loc_465C68: ; CODE XREF: sub_464EF0+CA2j
.text:00465C68 mov [ebp+var_4], 4Eh
.text:00465C6F jmp loc_465A6D
.text:00465C74 ; ---------------------------------------------------------------------------
.text:00465C74
.text:00465C74 loc_465C74: ; CODE XREF: sub_464EF0+BA6j
.text:00465C74 jmp loc_465CFA
.text:00465C79 ; ---------------------------------------------------------------------------
.text:00465C79
.text:00465C79 loc_465C79: ; CODE XREF: sub_464EF0+AA5j
.text:00465C79 mov [ebp+var_4], 50h
.text:00465C80 mov [ebp+var_48], 8 ; 赋值8
.text:00465C86 mov [ebp+var_4], 51h
.text:00465C8D mov [ebp+var_12C], offset asc_40CF38 ; " "
.text:00465C97 mov [ebp+var_134], 8
.text:00465CA1 lea edx, [ebp+var_134]
.text:00465CA7 lea ecx, [ebp+var_114]
.text:00465CAD call ds:__vbaVarDup
.text:00465CB3 lea ecx, [ebp+var_114]
.text:00465CB9 push ecx
.text:00465CBA push 13h
.text:00465CBC lea edx, [ebp+var_124]
.text:00465CC2 push edx
.text:00465CC3 call ds:rtcStringVar ; var_50 = String(19," ")
.text:00465CC9 lea eax, [ebp+var_124]
.text:00465CCF push eax
.text:00465CD0 call ds:__vbaStrVarMove
.text:00465CD6 mov edx, eax
.text:00465CD8 lea ecx, [ebp+var_50]
.text:00465CDB call ds:__vbaStrMove
.text:00465CE1 lea ecx, [ebp+var_124]
.text:00465CE7 push ecx
.text:00465CE8 lea edx, [ebp+var_114]
.text:00465CEE push edx
.text:00465CEF push 2
.text:00465CF1 call ds:__vbaFreeVarList
.text:00465CF7 add esp, 0Ch
.text:00465CFA
.text:00465CFA loc_465CFA:
.text:00465CFA
///////////////////////////////////////////////////////////////////////////////////////
' Pseudocode for 004657AC-00465CF7: the mode value var_e8 (only read here) selects
' how the lookup table myarray2 is filled and how large the output buffer var_50 is.
' var_48 is used later in the listing as the upper bound of the loop at 00466233,
' and var_50 later receives the Mid assignments (for example at 0046649D).
' The listing runs an rtcGetTimer comparison against dbl_401D90 just before this
' step (00465772-004657A7, branching to loc_466742) that this pseudocode leaves out.
' NOTE(review): looks like an elapsed-time guard - confirm at loc_466742.
dim var_50 as string
dim var_48 as integer
dim var_e0 as integer
dim j as integer
dim var_28 as integer
dim var_c0 as boolean
if var_e8 = 1 then
' Mode 1: a 16-space buffer and a table filled with the digits "0".."9".
var_48 = 16
var_e0 = 0
var_50 = string(16," ")
for i = 0 to 512
' Entries are written at the permuted position myarray4(i), not at i itself.
j = myarray4(i)
' &h30 is the character code of "0", so the stored value is a digit character.
myarray2(j) = var_e0 + &h30
var_e0 = var_e0 + 1
' Wrap the digit counter after 9.
if var_e0 = 10 then var_e0 = 0
next i
elseif var_e8 = 2 then
' Mode 2: same buffer size, but the table alternates letters and digits.
var_48 = 16
var_e0 = 0
var_28 = 0
var_50 = string(16," ")
' var_c0 starts false, so the first entry written is a letter.
var_c0 = false
for i = 0 to 512
if var_c0 then
' Digit turn: same cycling "0".."9" as in mode 1.
j = myarray4(i)
myarray2(j) = var_e0 + &h30
var_e0 = var_e0 + 1
if var_e0 = 10 then var_e0 = 0
var_c0 = false
else
' Letter turn: &h41 is the character code of "A"; the counter cycles over 26 letters.
j = myarray4(i)
myarray2(j) = var_28 + &h41
var_28 = var_28 + 1
if var_28 = 26 then var_28 = 0
' The listing stores 0FFFFh here, which is True for a VB boolean.
var_c0 = true
end if
next i
else
' Any other mode: myarray2 is not written in this step; only the length (8)
' and a 19-space buffer are set up.
var_48 = 8
var_50 = string(19," ")
end if
///////////////////////////////////////////////////////////////////////////////////////
.text:00465CFA mov [ebp+var_4], 53h
.text:00465D01 mov [ebp+var_FC], 1 ; 初值1
.text:00465D0A mov [ebp+var_4], 54h
.text:00465D11 call ds:rtcGetTimer
.text:00465D17 fild [ebp+time_EC]
.text:00465D1D fstp [ebp+var_240]
.text:00465D23 fsub [ebp+var_240]
.text:00465D29 fnstsw ax
.text:00465D2B test al, 0Dh
.text:00465D2D jnz loc_46682D
.text:00465D33 call ds:__vbaFpR8
.text:00465D39 fcomp ds:dbl_401D90
.text:00465D3F fnstsw ax
.text:00465D41 test ah, 1
.text:00465D44 jnz short loc_465D4B
.text:00465D46 jmp loc_466742
.text:00465D4B ; ---------------------------------------------------------------------------
.text:00465D4B
.text:00465D4B loc_465D4B: ; CODE XREF: sub_464EF0+E54j
.text:00465D4B mov [ebp+var_4], 57h
.text:00465D52 mov ax, [ebp+slen1_B4] ; 取第一次变换的字符串的长度
.text:00465D59 mov [ebp+var_190], ax ; 保存到这里
.text:00465D60 mov [ebp+var_18C], 1 ; 初值1
.text:00465D69 mov [ebp+var_B8], 1 ; 当前索引初值1
.text:00465D72 jmp short loc_465D8F
.text:00465D74 ; ---------------------------------------------------------------------------
.text:00465D74
.text:00465D74 loc_465D74: ; CODE XREF: sub_464EF0+106Aj
.text:00465D74 mov cx, [ebp+var_B8]
.text:00465D7B add cx, [ebp+var_18C]
.text:00465D82 jo loc_466832
.text:00465D88 mov [ebp+var_B8], cx ; 当前索引加1
.text:00465D8F
.text:00465D8F loc_465D8F: ; CODE XREF: sub_464EF0+E82j
.text:00465D8F mov dx, [ebp+var_B8]
.text:00465D96 cmp dx, [ebp+var_190]
.text:00465D9D jg loc_465F5F ; 大于字符串长度则跳
.text:00465DA3 mov [ebp+var_4], 58h
.text:00465DAA movsx eax, [ebp+var_FC] ; 取var_fc
.text:00465DB1 mov [ebp+var_164], eax ; 保存到这里
.text:00465DB7 cmp [ebp+var_164], 11h
.text:00465DBE jnb short loc_465DCC
.text:00465DC0 mov [ebp+var_244], 0
.text:00465DCA jmp short loc_465DD8
.text:00465DCC ; ---------------------------------------------------------------------------
.text:00465DCC
.text:00465DCC loc_465DCC: ; CODE XREF: sub_464EF0+ECEj
.text:00465DCC call ds:__vbaGenerateBoundsError
.text:00465DD2 mov [ebp+var_244], eax
.text:00465DD8
.text:00465DD8 loc_465DD8: ; CODE XREF: sub_464EF0+EDAj
.text:00465DD8 mov [ebp+var_10C], 1
.text:00465DE2 mov [ebp+var_114], 2
.text:00465DEC lea ecx, [ebp+var_F8]
.text:00465DF2 mov [ebp+var_12C], ecx
.text:00465DF8 mov [ebp+var_134], 4008h
.text:00465E02 lea edx, [ebp+var_114] ; 1
.text:00465E08 push edx
.text:00465E09 movsx eax, [ebp+var_B8] ; 当前索引
.text:00465E10 push eax
.text:00465E11 lea ecx, [ebp+var_134] ; 第一次变换的字符串
.text:00465E17 push ecx
.text:00465E18 lea edx, [ebp+var_124]
.text:00465E1E push edx
.text:00465E1F call ds:rtcMidCharVar ; 取一个字符
.text:00465E25 movsx eax, [ebp+var_FC] ; 取var_fc
.text:00465E2C mov [ebp+var_160], eax ; 放到这里
.text:00465E32 cmp [ebp+var_160], 11h
.text:00465E39 jnb short loc_465E47
.text:00465E3B mov [ebp+var_248], 0
.text:00465E45 jmp short loc_465E53
.text:00465E47 ; ---------------------------------------------------------------------------
.text:00465E47
.text:00465E47 loc_465E47: ; CODE XREF: sub_464EF0+F49j
.text:00465E47 call ds:__vbaGenerateBoundsError
.text:00465E4D mov [ebp+var_248], eax
.text:00465E53
.text:00465E53 loc_465E53: ; CODE XREF: sub_464EF0+F55j
.text:00465E53 lea ecx, [ebp+var_124] ; 上面取出的一个字符
.text:00465E59 push ecx
.text:00465E5A lea edx, [ebp+var_104]
.text:00465E60 push edx
.text:00465E61 call ds:__vbaStrVarVal
.text:00465E67 push eax
.text:00465E68 call ds:rtcAnsiValueBstr ; 取ascii码
.text:00465E6E mov ecx, [ebp+var_164] ; var_fc
.text:00465E74 mov edx, [ebp+var_CC] ; 数组5地址
.text:00465E7A mov cx, [edx+ecx*2] ; 取数组5一个元素
.text:00465E7E add cx, ax ; 加上上面那个字符的ascii码
.text:00465E81 jo loc_466832
.text:00465E87 xor cx, 12h ; 异或上&H12
.text:00465E8B mov edx, [ebp+var_160] ; var_fc
.text:00465E91 mov eax, [ebp+var_CC] ; 数组5地址
.text:00465E97 mov [eax+edx*2], cx ; 保存到数组5
.text:00465E9B lea ecx, [ebp+var_104]
.text:00465EA1 call ds:__vbaFreeStr
.text:00465EA7 lea ecx, [ebp+var_124]
.text:00465EAD push ecx
.text:00465EAE lea edx, [ebp+var_114]
.text:00465EB4 push edx
.text:00465EB5 push 2
.text:00465EB7 call ds:__vbaFreeVarList
.text:00465EBD add esp, 0Ch
.text:00465EC0 mov [ebp+var_4], 59h
.text:00465EC7 movsx eax, [ebp+var_FC] ; 取var_fc
.text:00465ECE mov [ebp+var_160], eax ; 保存到这里
.text:00465ED4 cmp [ebp+var_160], 11h
.text:00465EDB jnb short loc_465EE9
.text:00465EDD mov [ebp+var_24C], 0
.text:00465EE7 jmp short loc_465EF5
.text:00465EE9 ; ---------------------------------------------------------------------------
.text:00465EE9
.text:00465EE9 loc_465EE9: ; CODE XREF: sub_464EF0+FEBj
.text:00465EE9 call ds:__vbaGenerateBoundsError
.text:00465EEF mov [ebp+var_24C], eax
.text:00465EF5
.text:00465EF5 loc_465EF5: ; CODE XREF: sub_464EF0+FF7j
.text:00465EF5 mov ecx, [ebp+var_160] ; var_fc
.text:00465EFB mov edx, [ebp+var_CC] ; 数组5地址
.text:00465F01 mov ax, [ebp+s1sum_4C]
.text:00465F05 add ax, [edx+ecx*2] ; 数组5的一个元素累加到s1sum
.text:00465F09 jo loc_466832
.text:00465F0F mov [ebp+s1sum_4C], ax
.text:00465F13 mov [ebp+var_4], 5Ah
.text:00465F1A mov cx, [ebp+var_FC]
.text:00465F21 add cx, 1
.text:00465F25 jo loc_466832
.text:00465F2B mov [ebp+var_FC], cx ; var_fc 加1
.text:00465F32 mov [ebp+var_4], 5Bh
.text:00465F39 cmp [ebp+var_FC], 9
.text:00465F41 jnz short loc_465F53
.text:00465F43 mov [ebp+var_4], 5Ch
.text:00465F4A mov [ebp+var_FC], 1 ; var_fc等于9则赋值1
.text:00465F53
.text:00465F53 loc_465F53: ; CODE XREF: sub_464EF0+1051j
.text:00465F53 mov [ebp+var_4], 5Eh
.text:00465F5A jmp loc_465D74
.text:00465F5F ; ---------------------------------------------------------------------------
.text:00465F5F
.text:00465F5F loc_465F5F: ; CODE XREF: sub_464EF0+EADj
.text:00465F5F mov [ebp+var_4], 5Fh
.text:00465F66 call ds:rtcGetTimer
.text:00465F6C fild [ebp+time_EC]
.text:00465F72 fstp [ebp+var_254]
.text:00465F78 fsub [ebp+var_254]
.text:00465F7E fnstsw ax
.text:00465F80 test al, 0Dh
.text:00465F82 jnz loc_46682D
.text:00465F88 call ds:__vbaFpR8
.text:00465F8E fcomp ds:dbl_401D90
.text:00465F94 fnstsw ax
.text:00465F96 test ah, 1
.text:00465F99 jnz short loc_465FA0
.text:00465F9B jmp loc_466742
.text:00465FA0 ; ---------------------------------------------------------------------------
.text:00465FA0
.text:00465FA0 loc_465FA0: ; CODE XREF: sub_464EF0+10A9j
.text:00465FA0 mov [ebp+var_4], 62h
.text:00465FA7 mov dx, [ebp+slen2_24] ; 取第二次变换的字符串的长度
.text:00465FAB mov [ebp+var_198], dx ; 保存到这里
.text:00465FB2 mov [ebp+var_194], 1
.text:00465FBB mov [ebp+var_B8], 1 ; 当前索引初值1
.text:00465FC4 jmp short loc_465FE1
.text:00465FC6 ; ---------------------------------------------------------------------------
.text:00465FC6
.text:00465FC6 loc_465FC6: ; CODE XREF: sub_464EF0+12B3j
.text:00465FC6 mov ax, [ebp+var_B8]
.text:00465FCD add ax, [ebp+var_194]
.text:00465FD4 jo loc_466832
.text:00465FDA mov [ebp+var_B8], ax ; 当前索引加1
.text:00465FE1
.text:00465FE1 loc_465FE1: ; CODE XREF: sub_464EF0+10D4j
.text:00465FE1 mov cx, [ebp+var_B8]
.text:00465FE8 cmp cx, [ebp+var_198]
.text:00465FEF jg loc_4661A8 ; 大于字符串长度则跳
.text:00465FF5 mov [ebp+var_4], 63h
.text:00465FFC movsx edx, [ebp+var_FC] ; 取var_fc
.text:00466003 mov [ebp+var_164], edx ; 保存到这里
.text:00466009 cmp [ebp+var_164], 11h
.text:00466010 jnb short loc_46601E
.text:00466012 mov [ebp+var_258], 0
.text:0046601C jmp short loc_46602A
.text:0046601E ; ---------------------------------------------------------------------------
.text:0046601E
.text:0046601E loc_46601E: ; CODE XREF: sub_464EF0+1120j
.text:0046601E call ds:__vbaGenerateBoundsError
.text:00466024 mov [ebp+var_258], eax
.text:0046602A
.text:0046602A loc_46602A: ; CODE XREF: sub_464EF0+112Cj
.text:0046602A mov [ebp+var_10C], 1
.text:00466034 mov [ebp+var_114], 2
.text:0046603E lea eax, [ebp+var_F4]
.text:00466044 mov [ebp+var_12C], eax
.text:0046604A mov [ebp+var_134], 4008h
.text:00466054 lea ecx, [ebp+var_114] ; 1
.text:0046605A push ecx
.text:0046605B movsx edx, [ebp+var_B8] ; 当前索引
.text:00466062 push edx
.text:00466063 lea eax, [ebp+var_134] ; 第二次变换的字符串
.text:00466069 push eax
.text:0046606A lea ecx, [ebp+var_124]
.text:00466070 push ecx
.text:00466071 call ds:rtcMidCharVar ; 取一个字符
.text:00466077 movsx edx, [ebp+var_FC] ; 取var_fc
.text:0046607E mov [ebp+var_160], edx ; 保存到这里
.text:00466084 cmp [ebp+var_160], 11h
.text:0046608B jnb short loc_466099
.text:0046608D mov [ebp+var_25C], 0
.text:00466097 jmp short loc_4660A5
.text:00466099 ; ---------------------------------------------------------------------------
.text:00466099
.text:00466099 loc_466099: ; CODE XREF: sub_464EF0+119Bj
.text:00466099 call ds:__vbaGenerateBoundsError
.text:0046609F mov [ebp+var_25C], eax
.text:004660A5
.text:004660A5 loc_4660A5: ; CODE XREF: sub_464EF0+11A7j
.text:004660A5 lea eax, [ebp+var_124] ; 上面取出的一个字符
.text:004660AB push eax
.text:004660AC lea ecx, [ebp+var_104]
.text:004660B2 push ecx
.text:004660B3 call ds:__vbaStrVarVal
.text:004660B9 push eax
.text:004660BA call ds:rtcAnsiValueBstr ; 取ascii码
.text:004660C0 mov edx, [ebp+var_164] ; var_fc
.text:004660C6 mov ecx, [ebp+var_80] ; 数组3地址
.text:004660C9 mov dx, [ecx+edx*2] ; 取数组3一个元素
.text:004660CD add dx, ax ; 加上上面那个字符的ascii码
.text:004660D0 jo loc_466832
.text:004660D6 xor dx, 19h ; 异或上&H19
.text:004660DA mov eax, [ebp+var_160] ; var_fc
.text:004660E0 mov ecx, [ebp+var_80] ; 数组3地址
.text:004660E3 mov [ecx+eax*2], dx ; 保存到数组3
.text:004660E7 lea ecx, [ebp+var_104]
.text:004660ED call ds:__vbaFreeStr
.text:004660F3 lea edx, [ebp+var_124]
.text:004660F9 push edx
.text:004660FA lea eax, [ebp+var_114]
.text:00466100 push eax
.text:00466101 push 2
.text:00466103 call ds:__vbaFreeVarList
.text:00466109 add esp, 0Ch
.text:0046610C mov [ebp+var_4], 64h
.text:00466113 movsx ecx, [ebp+var_FC] ; 取var_fc
.text:0046611A mov [ebp+var_160], ecx ; 放到这里
.text:00466120 cmp [ebp+var_160], 11h
.text:00466127 jnb short loc_466135
.text:00466129 mov [ebp+var_260], 0
.text:00466133 jmp short loc_466141
.text:00466135 ; ---------------------------------------------------------------------------
.text:00466135
.text:00466135 loc_466135: ; CODE XREF: sub_464EF0+1237j
.text:00466135 call ds:__vbaGenerateBoundsError
.text:0046613B mov [ebp+var_260], eax
.text:00466141
.text:00466141 loc_466141: ; CODE XREF: sub_464EF0+1243j
.text:00466141 mov edx, [ebp+var_160] ; var_fc
.text:00466147 mov eax, [ebp+var_80] ; 数组3地址
.text:0046614A mov cx, [ebp+s2sum_58]
.text:0046614E add cx, [eax+edx*2] ; 数组3一个元素累加到s2sum
.text:00466152 jo loc_466832
.text:00466158 mov [ebp+s2sum_58], cx
.text:0046615C mov [ebp+var_4], 65h
.text:00466163 mov dx, [ebp+var_FC]
.text:0046616A add dx, 1
.text:0046616E jo loc_466832
.text:00466174 mov [ebp+var_FC], dx ; var_fc加1
.text:0046617B mov [ebp+var_4], 66h
.text:00466182 cmp [ebp+var_FC], 9
.text:0046618A jnz short loc_46619C
.text:0046618C mov [ebp+var_4], 67h
.text:00466193 mov [ebp+var_FC], 1 ; var_fc等于9则初值1
.text:0046619C
.text:0046619C loc_46619C: ; CODE XREF: sub_464EF0+129Aj
.text:0046619C mov [ebp+var_4], 69h
.text:004661A3 jmp loc_465FC6
.text:004661A8 ; ---------------------------------------------------------------------------
.text:004661A8
///////////////////////////////////////////////////////////////////////////////////////////
' Pseudocode for 00465CFA-004661A3: fold the characters of the two transformed
' strings into myarray5 and myarray3 and keep a running sum of the updated entries.
' mynamestr / mynamestr2 stand for the strings the listing labels as the first and
' second transformed string (var_F8 and var_F4); slen1 / slen2 are their lengths.
' Every add in the listing is followed by "jo loc_466832", so a 16-bit overflow
' leaves this path instead of wrapping. The sums feed the next step of the listing,
' which stores (s1sum + s2sum) mod 512 in var_B0 (004661A8-004661CB).
' NOTE(review): the only inputs visible here are the two strings and the constants
' &h12 and &h19 - confirm where the strings come from earlier in the routine.
dim var_fc as integer
dim tmpint as integer
dim s1sum as integer
dim s2sum as integer
var_fc = 1
for i = 1 to slen1
' Character code of the i-th character (rtcMidCharVar + rtcAnsiValueBstr in the listing).
tmpint = asc(mid(mynamestr,i,1))
' Add the character code to the current slot, then XOR with &h12.
myarray5(var_fc) = (myarray5(var_fc) + tmpint) xor &h12
s1sum = s1sum + myarray5(var_fc)
var_fc = var_fc + 1
' The slot index cycles over 1..8.
if var_fc = 9 then var_fc = 1
next i
' var_fc is not reset here; the listing also writes nothing to var_FC between the
' two loops, so the second loop continues from the slot where the first one stopped.
for i = 1 to slen2
tmpint = asc(mid(mynamestr2,i,1))
' Same update on myarray3, with &h19 as the XOR constant.
myarray3(var_fc) = (myarray3(var_fc) + tmpint) xor &h19
s2sum = s2sum + myarray3(var_fc)
var_fc = var_fc + 1
if var_fc = 9 then var_fc = 1
next i
///////////////////////////////////////////////////////////////////////////////////////////
.text:004661A8 loc_4661A8: ; CODE XREF: sub_464EF0+10FFj
.text:004661A8 mov [ebp+var_4], 6Ah
.text:004661AF mov ax, [ebp+s1sum_4C]
.text:004661B3 add ax, [ebp+s2sum_58] ; s1sum 加上 s2sum 的和
.text:004661B7 jo loc_466832
.text:004661BD and ax, 1FFh ; 模512
.text:004661C1 jns short loc_4661CB
.text:004661C3 dec ax
.text:004661C5 or ax, 0FE00h
.text:004661C9 inc ax
.text:004661CB
.text:004661CB loc_4661CB: ; CODE XREF: sub_464EF0+12D1j
.text:004661CB mov [ebp+var_B0], ax ; 保存到这里
.text:004661D2 mov [ebp+var_4], 6Bh
.text:004661D9 mov [ebp+var_FC], 1 ; 初值1
.text:004661E2 mov [ebp+var_4], 6Ch
.text:004661E9 mov [ebp+var_F0], 1 ; 初值1
.text:004661F2 mov [ebp+var_4], 6Dh
.text:004661F9 call ds:rtcGetTimer
.text:004661FF fild [ebp+time_EC]
.text:00466205 fstp [ebp+var_268]
.text:0046620B fsub [ebp+var_268]
.text:00466211 fnstsw ax
.text:00466213 test al, 0Dh
.text:00466215 jnz loc_46682D
.text:0046621B call ds:__vbaFpR8
.text:00466221 fcomp ds:dbl_401D90
.text:00466227 fnstsw ax
.text:00466229 test ah, 1
.text:0046622C jnz short loc_466233
.text:0046622E jmp loc_466742
.text:00466233 ; ---------------------------------------------------------------------------
.text:00466233
.text:00466233 loc_466233: ; CODE XREF: sub_464EF0+133Cj
.text:00466233 mov [ebp+var_4], 70h
.text:0046623A mov cx, [ebp+var_48] ; 取var_48
.text:0046623E mov [ebp+var_1A0], cx ; 保存到这里
.text:00466245 mov [ebp+var_19C], 1
.text:0046624E mov [ebp+var_B8], 1 ; 当前索引初值1
.text:00466257 jmp short loc_466274
.text:00466259 ; ---------------------------------------------------------------------------
.text:00466259
.text:00466259 loc_466259: ; CODE XREF: sub_464EF0+17C6j
.text:00466259 mov dx, [ebp+var_B8]
.text:00466260 add dx, [ebp+var_19C]
.text:00466267 jo loc_466832
.text:0046626D mov [ebp+var_B8], dx ; 当前索引加1
.text:00466274
.text:00466274 loc_466274: ; CODE XREF: sub_464EF0+1367j
.text:00466274 mov ax, [ebp+var_B8]
.text:0046627B cmp ax, [ebp+var_1A0]
.text:00466282 jg loc_4666BB ; 大于var_48则跳
.text:00466288 mov [ebp+var_4], 71h
.text:0046628F movsx ecx, [ebp+var_B8] ; 取当前索引
.text:00466296 mov [ebp+var_164], ecx ; 保存到这里
.text:0046629C cmp [ebp+var_164], 11h
.text:004662A3 jnb short loc_4662B1
.text:004662A5 mov [ebp+var_26C], 0
.text:004662AF jmp short loc_4662BD
.text:004662B1 ; ---------------------------------------------------------------------------
.text:004662B1
.text:004662B1 loc_4662B1: ; CODE XREF: sub_464EF0+13B3j
.text:004662B1 call ds:__vbaGenerateBoundsError
.text:004662B7 mov [ebp+var_26C], eax
.text:004662BD
.text:004662BD loc_4662BD: ; CODE XREF: sub_464EF0+13BFj
.text:004662BD movsx edx, [ebp+var_B8] ; 取当前索引
.text:004662C4 mov [ebp+var_168], edx ; 保存到这里
.text:004662CA cmp [ebp+var_168], 11h
.text:004662D1 jnb short loc_4662DF
.text:004662D3 mov [ebp+var_270], 0
.text:004662DD jmp short loc_4662EB
.text:004662DF ; ---------------------------------------------------------------------------
.text:004662DF
.text:004662DF loc_4662DF: ; CODE XREF: sub_464EF0+13E1j
.text:004662DF call ds:__vbaGenerateBoundsError
.text:004662E5 mov [ebp+var_270], eax
.text:004662EB
.text:004662EB loc_4662EB: ; CODE XREF: sub_464EF0+13EDj
.text:004662EB movsx eax, [ebp+var_B8] ; 取当前索引
.text:004662F2 mov [ebp+var_160], eax ; 保存到这里
.text:004662F8 cmp [ebp+var_160], 11h
.text:004662FF jnb short loc_46630D
.text:00466301 mov [ebp+var_274], 0
.text:0046630B jmp short loc_466319
.text:0046630D ; ---------------------------------------------------------------------------
.text:0046630D
.text:0046630D loc_46630D: ; CODE XREF: sub_464EF0+140Fj
.text:0046630D call ds:__vbaGenerateBoundsError
.text:00466313 mov [ebp+var_274], eax
.text:00466319
.text:00466319 loc_466319: ; CODE XREF: sub_464EF0+141Bj
.text:00466319 mov ecx, [ebp+var_164] ; 当前索引
.text:0046631F mov edx, [ebp+var_80] ; 数组3地址
.text:00466322 mov eax, [ebp+var_168] ; 当前索引
.text:00466328 mov esi, [ebp+var_34] ; 数组1地址
.text:0046632B mov cx, [edx+ecx*2] ; 取数组3一个元素
.text:0046632F xor cx, [esi+eax*2] ; 和数组1一个元素异或
.text:00466333 mov edx, [ebp+var_160] ; 当前索引
.text:00466339 mov eax, [ebp+var_80] ; 数组3地址
.text:0046633C mov [eax+edx*2], cx ; 结果保存到数组3
.text:00466340 mov [ebp+var_4], 72h
.text:00466347 movsx ecx, [ebp+var_B8] ; 取当前索引
.text:0046634E mov [ebp+var_160], ecx ; 保存到这里
.text:00466354 cmp [ebp+var_160], 11h
.text:0046635B jnb short loc_466369
.text:0046635D mov [ebp+var_278], 0
.text:00466367 jmp short loc_466375
.text:00466369 ; ---------------------------------------------------------------------------
.text:00466369
.text:00466369 loc_466369: ; CODE XREF: sub_464EF0+146Bj
.text:00466369 call ds:__vbaGenerateBoundsError
.text:0046636F mov [ebp+var_278], eax
.text:00466375
.text:00466375 loc_466375: ; CODE XREF: sub_464EF0+1477j
.text:00466375 movsx edx, [ebp+var_B8] ; 取当前索引
.text:0046637C mov [ebp+var_164], edx ; 保存到这里
.text:00466382 cmp [ebp+var_164], 11h
.text:00466389 jnb short loc_466397
.text:0046638B mov [ebp+var_27C], 0
.text:00466395 jmp short loc_4663A3
.text:00466397 ; ---------------------------------------------------------------------------
.text:00466397
.text:00466397 loc_466397: ; CODE XREF: sub_464EF0+1499j
.text:00466397 call ds:__vbaGenerateBoundsError
.text:0046639D mov [ebp+var_27C], eax
.text:004663A3
.text:004663A3 loc_4663A3: ; CODE XREF: sub_464EF0+14A5j
.text:004663A3 mov eax, [ebp+var_160] ; 当前索引
.text:004663A9 mov ecx, [ebp+var_CC] ; 数组5地址
.text:004663AF mov edx, [ebp+var_164] ; 当前索引
.text:004663B5 mov esi, [ebp+var_80] ; 数组3地址
.text:004663B8 mov ax, [ecx+eax*2] ; 取数组5一个元素
.text:004663BC xor ax, [esi+edx*2] ; 和数组3一个元素异或
.text:004663C0 mov cx, ax
.text:004663C3 and cx, 1FFh ; 结果模512
.text:004663C8 jns short loc_4663D3
.text:004663CA dec cx
.text:004663CC or cx, 0FE00h
.text:004663D1 inc cx
.text:004663D3
.text:004663D3 loc_4663D3: ; CODE XREF: sub_464EF0+14D8j
.text:004663D3 sub cx, [ebp+var_B0] ; 结果减去var_b0
.text:004663DA jo loc_466832
.text:004663E0 call ds:__vbaI2Abs ; 取绝对值
.text:004663E6 mov word ptr [ebp+var_E4], ax ; 保存到var_e4
.text:004663ED mov [ebp+var_4], 73h
.text:004663F4 cmp [ebp+var_E8], 3
.text:004663FC jnz loc_466612 ; var_e8不等于3则跳
.text:00466402 mov [ebp+var_4], 74h
.text:00466409 cmp word ptr [ebp+var_E4], 10h
.text:00466411 jge loc_4664CA ; 绝对值大于等于16则跳
.text:00466417 mov [ebp+var_4], 75h
.text:0046641E mov [ebp+var_13C], offset a0 ; "0"
.text:00466428 mov [ebp+var_144], 8
.text:00466432 lea ecx, [ebp+var_E4]
.text:00466438 mov [ebp+var_12C], ecx
.text:0046643E mov [ebp+var_134], 4002h ; 绝对值
.text:00466448 lea edx, [ebp+var_134]
.text:0046644E push edx
.text:0046644F lea eax, [ebp+var_114]
.text:00466455 push eax
.text:00466456 call ds:rtcHexVarFromVar ; hex(绝对值)
.text:0046645C lea ecx, [ebp+var_50]
.text:0046645F push ecx
.text:00466460 movsx edx, [ebp+var_FC]
.text:00466467 push edx
.text:00466468 push 2
.text:0046646A lea eax, [ebp+var_144] ; "0"
.text:00466470 push eax
.text:00466471 lea ecx, [ebp+var_114]
.text:00466477 push ecx
.text:00466478 lea edx, [ebp+var_124]
.text:0046647E push edx
.text:0046647F call ds:__vbaVarCat ; 前面连接"0"
.text:00466485 push eax
.text:00466486 call ds:__vbaStrVarMove
.text:0046648C mov edx, eax
.text:0046648E lea ecx, [ebp+var_104]
.text:00466494 call ds:__vbaStrMove
.text:0046649A push eax
.text:0046649B push 0
.text:0046649D call ds:__vbaMidStmtBstr ; mid(var_50,var_fc,2) = "0" & hex(绝对值)
.text:004664A3 lea ecx, [ebp+var_104]
.text:004664A9 call ds:__vbaFreeStr
.text:004664AF lea eax, [ebp+var_124]
.text:004664B5 push eax
.text:004664B6 lea ecx, [ebp+var_114]
.text:004664BC push ecx
.text:004664BD push 2
.text:004664BF call ds:__vbaFreeVarList
.text:004664C5 add esp, 0Ch
.text:004664C8 jmp short loc_466545
.text:004664CA ; ---------------------------------------------------------------------------
.text:004664CA
.text:004664CA loc_4664CA: ; CODE XREF: sub_464EF0+1521j
.text:004664CA mov [ebp+var_4], 77h
.text:004664D1 lea edx, [ebp+var_E4]
.text:004664D7 mov [ebp+var_12C], edx
.text:004664DD mov [ebp+var_134], 4002h ; 绝对值
.text:004664E7 lea eax, [ebp+var_134]
.text:004664ED push eax
.text:004664EE lea ecx, [ebp+var_114]
.text:004664F4 push ecx
.text:004664F5 call ds:rtcHexVarFromVar ; hex(绝对值)
.text:004664FB lea edx, [ebp+var_50]
.text:004664FE push edx
.text:004664FF movsx eax, [ebp+var_FC]
.text:00466506 push eax
.text:00466507 push 2
.text:00466509 lea ecx, [ebp+var_114]
.text:0046650F push ecx
.text:00466510 call ds:__vbaStrVarMove
.text:00466516 mov edx, eax
.text:00466518 lea ecx, [ebp+var_104]
.text:0046651E call ds:__vbaStrMove
.text:00466524 push eax
.text:00466525 push 0
.text:00466527 call ds:__vbaMidStmtBstr ; mid(var_50,var_fc,2) = hex(绝对值)
.text:0046652D lea ecx, [ebp+var_104]
.text:00466533 call ds:__vbaFreeStr
.text:00466539 lea ecx, [ebp+var_114]
.text:0046653F call ds:__vbaFreeVar
.text:00466545
.text:00466545 loc_466545: ; CODE XREF: sub_464EF0+15D8j
.text:00466545 mov [ebp+var_4], 79h
.text:0046654C cmp [ebp+var_F0], 2
.text:00466554 jnz short loc_4665AE ; var_f0不等于2则跳
.text:00466556 cmp [ebp+var_FC], 12h
.text:0046655E jge short loc_4665AE ; var_fc大于等于18则跳
.text:00466560 mov [ebp+var_4], 7Ah
.text:00466567 mov dx, [ebp+var_FC]
.text:0046656E add dx, 1
.text:00466572 jo loc_466832
.text:00466578 mov [ebp+var_FC], dx ; var_fc加1
.text:0046657F mov [ebp+var_4], 7Bh
.text:00466586 lea eax, [ebp+var_50]
.text:00466589 push eax
.text:0046658A mov cx, [ebp+var_FC]
.text:00466591 add cx, 1
.text:00466595 jo loc_466832
.text:0046659B movsx edx, cx
.text:0046659E push edx
.text:0046659F push 1
.text:004665A1 push offset asc_40D030 ; "-"
.text:004665A6 push 0
.text:004665A8 call ds:__vbaMidStmtBstr ; mid(var_50,var_fc+1,1) = "-"
.text:004665AE
.text:004665AE loc_4665AE: ; CODE XREF: sub_464EF0+1664j
.text:004665AE ; sub_464EF0+166Ej
.text:004665AE mov [ebp+var_4], 7Dh
.text:004665B5 mov ax, [ebp+var_FC]
.text:004665BC add ax, 2
.text:004665C0 jo loc_466832
.text:004665C6 mov [ebp+var_FC], ax ; var_fc加2
.text:004665CD mov [ebp+var_4], 7Eh
.text:004665D4 mov cx, [ebp+var_F0]
.text:004665DB add cx, 1
.text:004665DF jo loc_466832
.text:004665E5 mov [ebp+var_F0], cx ; var_f0加1
.text:004665EC mov [ebp+var_4], 7Fh
.text:004665F3 cmp [ebp+var_F0], 3
.text:004665FB jnz short loc_46660D
.text:004665FD mov [ebp+var_4], 80h
.text:00466604 mov [ebp+var_F0], 1 ; var_f0等于3则赋值1
.text:0046660D
.text:0046660D loc_46660D: ; CODE XREF: sub_464EF0+170Bj
.text:0046660D jmp loc_4666AF
.text:00466612 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00466612
.text:00466612 loc_466612: ; CODE XREF: sub_464EF0+150Cj
.text:00466612 mov [ebp+var_4], 83h
.text:00466619 movsx edx, word ptr [ebp+var_E4] ; 取绝对值
.text:00466620 mov [ebp+var_160], edx ; 保存到这里
.text:00466626 cmp [ebp+var_160], 201h
.text:00466630 jnb short loc_46663E
.text:00466632 mov [ebp+var_280], 0
.text:0046663C jmp short loc_46664A
.text:0046663E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046663E
.text:0046663E loc_46663E: ; CODE XREF: sub_464EF0+1740j
.text:0046663E call ds:__vbaGenerateBoundsError
.text:00466644 mov [ebp+var_280], eax
.text:0046664A
.text:0046664A loc_46664A: ; CODE XREF: sub_464EF0+174Cj
.text:0046664A mov eax, [ebp+var_160] ; 绝对值
.text:00466650 mov ecx, [ebp+var_64] ; 数组2地址
.text:00466653 movsx edx, word ptr [ecx+eax*2] ; 取数组2一个元素
.text:00466657 push edx
.text:00466658 lea eax, [ebp+var_114]
.text:0046665E push eax
.text:0046665F call ds:rtcVarBstrFromAnsi ; 转成字符
.text:00466665 lea ecx, [ebp+var_50]
.text:00466668 push ecx
.text:00466669 movsx edx, [ebp+var_B8] ; 当前索引
.text:00466670 push edx
.text:00466671 push 1
.text:00466673 lea eax, [ebp+var_114]
.text:00466679 push eax
.text:0046667A call ds:__vbaStrVarMove
.text:00466680 mov edx, eax
.text:00466682 lea ecx, [ebp+var_104]
.text:00466688 call ds:__vbaStrMove
.text:0046668E push eax
.text:0046668F push 0
.text:00466691 call ds:__vbaMidStmtBstr ; mid(var_50,当前索引,1) = chr(数组2一个元素)
.text:00466697 lea ecx, [ebp+var_104]
.text:0046669D call ds:__vbaFreeStr
.text:004666A3 lea ecx, [ebp+var_114]
.text:004666A9 call ds:__vbaFreeVar
.text:004666AF
.text:004666AF loc_4666AF: ; CODE XREF: sub_464EF0+171Dj
.text:004666AF mov [ebp+var_4], 85h
.text:004666B6 jmp loc_466259
.text:004666BB ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004666BB
.text:004666BB loc_4666BB: ; CODE XREF: sub_464EF0+1392j
.text:004666BB mov [ebp+var_4], 86h
.text:004666C2 mov ecx, [ebp+var_50] ; var_50
.text:004666C5 push ecx
.text:004666C6 mov edx, [ebp+arg_8] ; 假注册码
.text:004666C9 mov eax, [edx]
.text:004666CB push eax
.text:004666CC call ds:__vbaStrCmp ; strcomp
.text:004666D2 test eax, eax
.text:004666D4 jnz short loc_466742 ; 不等则跳
.text:004666D6 mov [ebp+var_4], 87h
.text:004666DD call ds:rtcGetTimer
.text:004666E3 fild [ebp+time_EC]
.text:004666E9 fstp [ebp+var_288]
.text:004666EF fsub [ebp+var_288]
.text:004666F5 fnstsw ax
.text:004666F7 test al, 0Dh
.text:004666F9 jnz loc_46682D
.text:004666FF call ds:__vbaFpR8
.text:00466705 fcomp ds:dbl_401D90
.text:0046670B fnstsw ax
.text:0046670D test ah, 1
.text:00466710 jnz short loc_466714
.text:00466712 jmp short loc_466742
.text:00466714 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00466714
.text:00466714 loc_466714: ; CODE XREF: sub_464EF0+1820j
.text:00466714 mov [ebp+var_4], 8Ah
.text:0046671B mov ecx, [ebp+var_F8] ; 第一次变换的字符串
.text:00466721 push ecx
.text:00466722 mov edx, [ebp+arg_4] ; 用户名
.text:00466725 mov eax, [edx]
.text:00466727 push eax
.text:00466728 call ds:__vbaStrCmp ; strcomp
.text:0046672E test eax, eax
.text:00466730 jnz short loc_466742 ; 不等则跳
.text:00466732 mov [ebp+var_4], 8Bh
.text:00466739 mov [ebp+var_100], 0FFFFh ; 相等则结果为真
.text:00466742
.text:00466742 loc_466742: ; CODE XREF: sub_464EF0+5D9j
.text:00466742 ; sub_464EF0+6C4j
.text:00466742 ; sub_464EF0+8B7j
.text:00466742 ; sub_464EF0+E56j
.text:00466742 ; sub_464EF0+10ABj ...
.text:00466742 wait
.text:00466743 push offset loc_466813
.text:00466748 jmp short loc_466770
.text:0046674A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046674A lea ecx, [ebp+var_104]
.text:00466750 call ds:__vbaFreeStr
.text:00466756 lea ecx, [ebp+var_124]
.text:0046675C push ecx
.text:0046675D lea edx, [ebp+var_114]
.text:00466763 push edx
.text:00466764 push 2
.text:00466766 call ds:__vbaFreeVarList
.text:0046676C add esp, 0Ch
.text:0046676F retn
.text:00466770 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00466770
.text:00466770 loc_466770: ; CODE XREF: sub_464EF0+1858j
.text:00466770 lea eax, [ebp+myarray1_40]
.text:00466773 mov [ebp+var_14C], eax
.text:00466779 lea ecx, [ebp+var_14C]
.text:0046677F push ecx
.text:00466780 push 0
.text:00466782 call ds:__vbaAryDestruct
.text:00466788 lea ecx, [ebp+var_50]
.text:0046678B call ds:__vbaFreeStr
.text:00466791 lea edx, [ebp+myarray2_70]
.text:00466794 mov [ebp+var_150], edx
.text:0046679A lea eax, [ebp+var_150]
.text:004667A0 push eax
.text:004667A1 push 0
.text:004667A3 call ds:__vbaAryDestruct
.text:004667A9 lea ecx, [ebp+myarray3_8C]
.text:004667AF mov [ebp+var_154], ecx
.text:004667B5 lea edx, [ebp+var_154]
.text:004667BB push edx
.text:004667BC push 0
.text:004667BE call ds:__vbaAryDestruct
.text:004667C4 lea eax, [ebp+myarray4_A8]
.text:004667CA mov [ebp+var_158], eax
.text:004667D0 lea ecx, [ebp+var_158]
.text:004667D6 push ecx
.text:004667D7 push 0
.text:004667D9 call ds:__vbaAryDestruct
.text:004667DF lea edx, [ebp+myarray5_D8]
.text:004667E5 mov [ebp+var_15C], edx
.text:004667EB lea eax, [ebp+var_15C]
.text:004667F1 push eax
.text:004667F2 push 0
.text:004667F4 call ds:__vbaAryDestruct
.text:004667FA lea ecx, [ebp+var_F4]
.text:00466800 call ds:__vbaFreeStr
.text:00466806 lea ecx, [ebp+var_F8]
.text:0046680C call ds:__vbaFreeStr
.text:00466812 retn
.text:00466813 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00466813
.text:00466813 loc_466813: ; DATA XREF: sub_464EF0+1853o
.text:00466813 mov ax, [ebp+var_100] ; 返回结果
.text:0046681A mov ecx, [ebp+var_20]
.text:0046681D mov large fs:0, ecx
.text:00466824 pop edi
.text:00466825 pop esi
.text:00466826 pop ebx
.text:00466827 mov esp, ebp
.text:00466829 pop ebp
.text:0046682A retn 8
.text:0046682D ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046682D
.text:0046682D loc_46682D: ; CODE XREF: sub_464EF0+5C0j
.text:0046682D ; sub_464EF0+6ABj
.text:0046682D ; sub_464EF0+89Ej
.text:0046682D ; sub_464EF0+E3Dj
.text:0046682D ; sub_464EF0+1092j ...
.text:0046682D jmp loc_4020AC
.text:00466832 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00466832
.text:00466832 loc_466832: ; CODE XREF: sub_464EF0+610j
.text:00466832 ; sub_464EF0+6FBj
.text:00466832 ; sub_464EF0+731j
.text:00466832 ; sub_464EF0+994j
.text:00466832 ; sub_464EF0+A32j ...
.text:00466832 call ds:__vbaErrorOverflow
.text:00466832 sub_464EF0 endp
////////////////////////////////////////////////////////////////////////////////////////////
' Pseudo-code for the last stage of sub_464EF0, read from the listing above:
' build the expected code in var_50, then compare it with the entered code.
dim var_b0 as integer
dim var_e4 as integer
dim var_f0 as integer
' var_fc: write position in var_50 for the hex layout; var_f0: group counter
var_fc = 1
var_f0 = 1
' Both running sums folded into one value in the range 0..511
var_b0 = (s1sum + s2sum) mod 512
for i = 1 to var_48
myarray3(i) = myarray3(i) xor myarray1(i)
' Absolute value (__vbaI2Abs in the listing), later used as an index or printed as hex
var_e4 = abs((myarray5(i) xor myarray3(i)) mod 512 - var_b0)
if var_e8 = 3 then
' Hex layout: two hex digits per element, zero-padded when the value is below 16
if var_e4 < 16 then
mid(var_50,var_fc,2) = ("0" & hex(var_e4))
else
mid(var_50,var_fc,2) = hex(var_e4)
end if
' After every second element (while var_fc < 18) a "-" separator is written
if var_f0 = 2 and var_fc < 18 then
var_fc = var_fc + 1
mid(var_50,var_fc+1,1) = "-"
end if
var_fc = var_fc + 2
var_f0 = var_f0 + 1
' Group counter wraps from 3 back to 1
if var_f0 = 3 then var_f0 = 1
else
' Table layout: one character per element, looked up in myarray2.
' The listing bounds-checks the index against 201h before the lookup.
mid(var_50,i,1) = chr(myarray2(var_e4))
end if
next i
' NOTE(review): between the two string comparisons the listing also compares
' elapsed Timer time (rtcGetTimer minus the saved start value) with the constant
' dbl_401D90; that step is not reproduced in this pseudo-code.
if strcomp(var_50,regcode) = 0 and strcomp(myname,mynamestr) = 0 then
返回值:true
else
返回值:false
end if
////////////////////////////////////////////////////////////////////////////////////////////
整理一下sub_464ef0,逆向如下
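function fun464ef0(byval myname as string,byval mycode as string) as boolean
    ' Reconstruction of the registration check sub_464EF0.
    '   myname - user name as entered
    '   mycode - registration code as entered
    ' Returns true only when the code derived below equals mycode and
    ' fun4678D0 returns the name unchanged.
    ' Review note: the expected code depends only on the name and on constants
    ' embedded in the binary, so the check keeps no secret from anyone who can
    ' read the client; a signature verified against a vendor-held key or a
    ' server-side check would not have that property.
    dim myarray1(16) as integer
    dim myarray2(512) as integer
    dim myarray3(16) as integer
    dim myarray4(512) as integer
    dim myarray5(16) as integer
    dim mynamestr as string
    dim mynamestr2 as string
    dim slen1 as integer
    dim slen2 as integer
    dim var_e8 as integer
    dim i as integer
    dim tmpchar as integer
    dim var_bc as integer
    dim var_50 as string
    dim var_48 as integer
    dim var_e0 as integer
    dim j as integer
    dim var_28 as integer
    dim var_c0 as boolean
    dim var_fc as integer
    dim tmpint as integer
    dim s1sum as integer
    ' Was a second "dim s1sum"; s2sum is the name used further down.
    dim s2sum as integer
    dim var_b0 as integer
    dim var_e4 as integer
    dim var_f0 as integer

    ' Two transformed copies of the name; both helpers are analysed separately.
    mynamestr = fun4678D0(myname)
    mynamestr2 = fun468060(mynamestr,0)
    slen1 = len(mynamestr)
    slen2 = len(mynamestr2)

    ' Output layout selector; fixed at 2 here, so only the "elseif var_e8 = 2"
    ' branch below runs in this reconstruction.
    var_e8 = 2

    ' Constant table XORed into myarray3 in the final loop
    myarray1(1) = &h2a
    myarray1(2) = &h2e
    myarray1(3) = &h30
    myarray1(4) = &h2d
    myarray1(5) = &h2c
    myarray1(6) = &h27
    myarray1(7) = &h2a
    myarray1(8) = &h4c
    myarray1(9) = &h42
    myarray1(10) = &h44
    myarray1(11) = &h7c
    myarray1(12) = &h82
    myarray1(13) = &h73
    myarray1(14) = &h50
    myarray1(15) = &h66
    myarray1(16) = &h67

    ' myarray4 starts as the identity 0..512 ...
    for i = 0 to 512
        myarray4(i) = i
    next i
    ' ... and is then permuted by swapping element i with element var_bc
    for i = 0 to 512
        var_bc = (var_bc + i) mod 256
        tmpchar = myarray4(i)
        myarray4(i) = myarray4(var_bc)
        myarray4(var_bc) = tmpchar
    next i

    ' Fill the character table myarray2 through the permutation
    if var_e8 = 1 then
        ' Digits only: "0".."9" repeating
        var_48 = 16
        var_e0 = 0
        var_50 = string(16," ")
        for i = 0 to 512
            j = myarray4(i)
            myarray2(j) = var_e0 + &h30
            var_e0 = var_e0 + 1
            if var_e0 = 10 then var_e0 = 0
        next i
    elseif var_e8 = 2 then
        ' Alternating letters "A".."Z" and digits "0".."9", starting with a letter
        var_48 = 16
        var_e0 = 0
        var_28 = 0
        var_50 = string(16," ")
        var_c0 = false
        for i = 0 to 512
            if var_c0 then
                j = myarray4(i)
                myarray2(j) = var_e0 + &h30
                var_e0 = var_e0 + 1
                if var_e0 = 10 then var_e0 = 0
                var_c0 = false
            else
                j = myarray4(i)
                ' Was "myarray(j)", which names no declared array; the
                ' parallel branches all write myarray2.
                myarray2(j) = var_28 + &h41
                var_28 = var_28 + 1
                if var_28 = 26 then var_28 = 0
                var_c0 = true
            end if
        next i
    else
        ' Hex layout: 8 elements written into a 19-character buffer
        var_48 = 8
        var_50 = string(19," ")
    end if

    ' Fold the characters of mynamestr into slots 1..8 of myarray5
    var_fc = 1
    for i = 1 to slen1
        tmpint = asc(mid(mynamestr,i,1))
        myarray5(var_fc) = (myarray5(var_fc) + tmpint) xor &h12
        s1sum = s1sum + myarray5(var_fc)
        var_fc = var_fc + 1
        if var_fc = 9 then var_fc = 1
    next i
    ' Same for mynamestr2 into myarray3.
    ' NOTE(review): var_fc is not reset before this loop in the reconstruction;
    ' confirm against the listing.
    for i = 1 to slen2
        tmpint = asc(mid(mynamestr2,i,1))
        myarray3(var_fc) = (myarray3(var_fc) + tmpint) xor &h19
        s2sum = s2sum + myarray3(var_fc)
        var_fc = var_fc + 1
        if var_fc = 9 then var_fc = 1
    next i

    ' Build the expected code in var_50
    var_fc = 1
    var_f0 = 1
    var_b0 = (s1sum + s2sum) mod 512
    for i = 1 to var_48
        myarray3(i) = myarray3(i) xor myarray1(i)
        var_e4 = abs((myarray5(i) xor myarray3(i)) mod 512 - var_b0)
        if var_e8 = 3 then
            ' Two hex digits per element, zero-padded below 16
            if var_e4 < 16 then
                mid(var_50,var_fc,2) = ("0" & hex(var_e4))
            else
                mid(var_50,var_fc,2) = hex(var_e4)
            end if
            ' "-" after every second element while var_fc < 18
            if var_f0 = 2 and var_fc < 18 then
                var_fc = var_fc + 1
                mid(var_50,var_fc+1,1) = "-"
            end if
            var_fc = var_fc + 2
            var_f0 = var_f0 + 1
            if var_f0 = 3 then var_f0 = 1
        else
            ' One table character per element
            mid(var_50,i,1) = chr(myarray2(var_e4))
        end if
    next i

    ' NOTE(review): the listing also compares elapsed Timer time with a
    ' constant between these two comparisons; that step is not reproduced here.
    if strcomp(var_50,mycode) = 0 and strcomp(myname,mynamestr) = 0 then
        fun464ef0 = true
    else
        fun464ef0 = false
    end if
end function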
呵呵。长了点。但还没有完。看看上面还有两个函数需要跟进,
第一个fun4678D0是对用户名做变换的。由于这个结果还要和用户名
比较。所以能否算出注册码这个fun4678D0调用是关键。
第二个fun468060函数调用是对fun4678d0的结果再做一次变换,
算法和外面这个函数调用是相同的。
先看看fun468060,我把对用户名变换的第一个函数调用放在
后面,方便后面分析。
00468060 sub_468060 proc near ; CODE XREF: sub_464EF0+107p
.text:00468060
.text:00468060 var_248 = dword ptr -248h
.text:00468060 var_244 = dword ptr -244h
.text:00468060 var_240 = dword ptr -240h
.text:00468060 var_23C = dword ptr -23Ch
.text:00468060 var_238 = dword ptr -238h
.text:00468060 var_234 = dword ptr -234h
.text:00468060 var_230 = dword ptr -230h
.text:00468060 var_22C = dword ptr -22Ch
.text:00468060 var_228 = dword ptr -228h
.text:00468060 var_224 = dword ptr -224h
.text:00468060 var_220 = dword ptr -220h
.text:00468060 var_21C = dword ptr -21Ch
.text:00468060 var_218 = dword ptr -218h
.text:00468060 var_214 = dword ptr -214h
.text:00468060 var_210 = dword ptr -210h
.text:00468060 var_20C = dword ptr -20Ch
.text:00468060 var_208 = dword ptr -208h
.text:00468060 var_204 = dword ptr -204h
.text:00468060 var_200 = dword ptr -200h
.text:00468060 var_1FC = dword ptr -1FCh
.text:00468060 var_1F8 = dword ptr -1F8h
.text:00468060 var_1F4 = dword ptr -1F4h
.text:00468060 var_1F0 = dword ptr -1F0h
.text:00468060 var_1EC = dword ptr -1ECh
.text:00468060 var_1E8 = dword ptr -1E8h
.text:00468060 var_1E4 = dword ptr -1E4h
.text:00468060 var_1E0 = dword ptr -1E0h
.text:00468060 var_1DC = dword ptr -1DCh
.text:00468060 var_1D8 = dword ptr -1D8h
.text:00468060 var_1D4 = dword ptr -1D4h
.text:00468060 var_1D0 = dword ptr -1D0h
.text:00468060 var_1CC = dword ptr -1CCh
.text:00468060 var_1C8 = dword ptr -1C8h
.text:00468060 var_1C4 = dword ptr -1C4h
.text:00468060 var_1C0 = dword ptr -1C0h
.text:00468060 var_1BC = dword ptr -1BCh
.text:00468060 var_1B8 = dword ptr -1B8h
.text:00468060 var_1B4 = dword ptr -1B4h
.text:00468060 var_1B0 = dword ptr -1B0h
.text:00468060 var_198 = word ptr -198h
.text:00468060 var_194 = word ptr -194h
.text:00468060 var_190 = word ptr -190h
.text:00468060 var_18C = word ptr -18Ch
.text:00468060 var_188 = word ptr -188h
.text:00468060 var_184 = word ptr -184h
.text:00468060 var_180 = word ptr -180h
.text:00468060 var_17C = word ptr -17Ch
.text:00468060 var_178 = word ptr -178h
.text:00468060 var_174 = word ptr -174h
.text:00468060 var_170 = word ptr -170h
.text:00468060 var_16C = word ptr -16Ch
.text:00468060 var_168 = word ptr -168h
.text:00468060 var_164 = word ptr -164h
.text:00468060 var_160 = dword ptr -160h
.text:00468060 var_15C = dword ptr -15Ch
.text:00468060 index_158 = dword ptr -158h
.text:00468060 var_154 = dword ptr -154h
.text:00468060 var_150 = dword ptr -150h
.text:00468060 var_14C = dword ptr -14Ch
.text:00468060 var_148 = dword ptr -148h
.text:00468060 var_144 = dword ptr -144h
.text:00468060 var_140 = dword ptr -140h
.text:00468060 var_138 = dword ptr -138h
.text:00468060 var_130 = dword ptr -130h
.text:00468060 var_128 = dword ptr -128h
.text:00468060 var_120 = dword ptr -120h
.text:00468060 var_110 = dword ptr -110h
.text:00468060 var_108 = dword ptr -108h
.text:00468060 var_100 = dword ptr -100h
.text:00468060 var_FC = word ptr -0FCh
.text:00468060 var_F8 = dword ptr -0F8h
.text:00468060 var_F4 = word ptr -0F4h
.text:00468060 time_F0 = dword ptr -0F0h
.text:00468060 var_EC = word ptr -0ECh
.text:00468060 var_E8 = dword ptr -0E8h
.text:00468060 var_E4 = word ptr -0E4h
.text:00468060 array5_DC = dword ptr -0DCh
.text:00468060 var_D0 = dword ptr -0D0h
.text:00468060 var_C4 = word ptr -0C4h
.text:00468060 var_C0 = word ptr -0C0h
.text:00468060 var_BC = word ptr -0BCh
.text:00468060 arg0Len_B8 = word ptr -0B8h
.text:00468060 mysum_B4 = word ptr -0B4h
.text:00468060 var_B0 = dword ptr -0B0h
.text:00468060 array4_A8 = dword ptr -0A8h
.text:00468060 var_9C = dword ptr -9Ch
.text:00468060 array3_8C = dword ptr -8Ch
.text:00468060 var_80 = dword ptr -80h
.text:00468060 array2_70 = dword ptr -70h
.text:00468060 var_64 = dword ptr -64h
.text:00468060 var_58 = word ptr -58h
.text:00468060 var_54 = word ptr -54h
.text:00468060 var_50 = dword ptr -50h
.text:00468060 var_4C = word ptr -4Ch
.text:00468060 var_48 = word ptr -48h
.text:00468060 var_44 = dword ptr -44h
.text:00468060 array1_40 = dword ptr -40h
.text:00468060 var_3C = dword ptr -3Ch
.text:00468060 var_34 = dword ptr -34h
.text:00468060 var_30 = dword ptr -30h
.text:00468060 var_28 = word ptr -28h
.text:00468060 constLen_24 = word ptr -24h
.text:00468060 var_20 = dword ptr -20h
.text:00468060 var_18 = dword ptr -18h
.text:00468060 var_14 = dword ptr -14h
.text:00468060 var_10 = dword ptr -10h
.text:00468060 var_C = dword ptr -0Ch
.text:00468060 var_8 = dword ptr -8
.text:00468060 var_4 = dword ptr -4
.text:00468060 arg_0 = dword ptr 8
.text:00468060 arg_4 = dword ptr 0Ch
.text:00468060
.text:00468060 push ebp
.text:00468061 mov ebp, esp
.text:00468063 sub esp, 18h
.text:00468066 push offset loc_4020A6
.text:0046806B mov eax, large fs:0
.text:00468071 push eax
.text:00468072 mov large fs:0, esp
.text:00468079 mov eax, 228h
.text:0046807E call __vbaChkstk
.text:00468083 push ebx
.text:00468084 push esi
.text:00468085 push edi
.text:00468086 mov [ebp+var_18], esp
.text:00468089 mov [ebp+var_14], offset dword_401E28
.text:00468090 mov [ebp+var_10], 0
.text:00468097 mov [ebp+var_C], 0
.text:0046809E mov [ebp+var_4], 1
.text:004680A5 push 2
.text:004680A7 push offset array17int_40D038
.text:004680AC lea eax, [ebp+array1_40]
.text:004680AF push eax
.text:004680B0 call ds:__vbaAryConstruct2
.text:004680B6 push 2
.text:004680B8 push offset array513int_40CF90
.text:004680BD lea ecx, [ebp+array2_70]
.text:004680C0 push ecx
.text:004680C1 call ds:__vbaAryConstruct2
.text:004680C7 push 2
.text:004680C9 push offset array17int_40D038
.text:004680CE lea edx, [ebp+array3_8C]
.text:004680D4 push edx
.text:004680D5 call ds:__vbaAryConstruct2
.text:004680DB push 2
.text:004680DD push offset array513int_40CF90
.text:004680E2 lea eax, [ebp+array4_A8]
.text:004680E8 push eax
.text:004680E9 call ds:__vbaAryConstruct2
.text:004680EF push 2
.text:004680F1 push offset array17int_40D038
.text:004680F6 lea ecx, [ebp+array5_DC]
.text:004680FC push ecx
.text:004680FD call ds:__vbaAryConstruct2
.text:00468103 mov [ebp+var_4], 2
.text:0046810A push 0FFFFFFFFh
.text:0046810C call ds:__vbaOnError
.text:00468112 mov [ebp+var_4], 3
.text:00468119 call ds:rtcGetTimer ; 取时间
.text:0046811F call ds:__vbaFpI4
.text:00468125 mov [ebp+time_F0], eax
.text:0046812B mov [ebp+var_4], 4
.text:00468132 mov edx, offset aLxhsxylovefore ; "lxhsxyloveforever"
.text:00468137 lea ecx, [ebp+var_F8]
.text:0046813D call ds:__vbaStrCopy
.text:00468143 mov [ebp+var_4], 5
.text:0046814A mov edx, [ebp+arg_0] ; 参数0,字符串
.text:0046814D mov eax, [edx]
.text:0046814F push eax
.text:00468150 call ds:__vbaLenBstr ; 取长度
.text:00468156 mov ecx, eax
.text:00468158 call ds:__vbaI2I4
.text:0046815E mov [ebp+arg0Len_B8], ax ; 保存参数0长度
.text:00468165 mov [ebp+var_4], 6
.text:0046816C mov ecx, [ebp+var_F8] ; "lxhsxyloveforever"
.text:00468172 push ecx
.text:00468173 call ds:__vbaLenBstr ; 取长度 17
.text:00468179 mov ecx, eax
.text:0046817B call ds:__vbaI2I4
.text:00468181 mov [ebp+constLen_24], ax ; 保存
.text:00468185 mov [ebp+var_4], 7
.text:0046818C mov edx, [ebp+arg_4] ; 这里传递的是0
.text:0046818F cmp word ptr [edx], 0
.text:00468193 jle short loc_4681AB
.text:00468195 mov [ebp+var_4], 8
.text:0046819C mov eax, [ebp+arg_4]
.text:0046819F mov cx, [eax]
.text:004681A2 mov [ebp+var_EC], cx
.text:004681A9 jmp short loc_4681BB
.text:004681AB ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004681AB
.text:004681AB loc_4681AB: ; CODE XREF: sub_468060+133j
.text:004681AB mov [ebp+var_4], 0Ah
.text:004681B2 mov [ebp+var_EC], 2 ; 这里赋值 2
.text:004681BB
.text:004681BB loc_4681BB: ; CODE XREF: sub_468060+149j
.text:004681BB mov [ebp+var_4], 0Ch
.text:004681C2 mov [ebp+index_158], 1 ; 索引初值为1
.text:004681CC cmp [ebp+index_158], 11h
.text:004681D3 jnb short loc_4681E1
.text:004681D5 mov [ebp+var_1B0], 0
.text:004681DF jmp short loc_4681ED
.text:004681E1 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004681E1
.text:004681E1 loc_4681E1: ; CODE XREF: sub_468060+173j
.text:004681E1 call ds:__vbaGenerateBoundsError
.text:004681E7 mov [ebp+var_1B0], eax
.text:004681ED
.text:004681ED loc_4681ED: ; CODE XREF: sub_468060+17Fj
.text:004681ED mov edx, [ebp+index_158]
.text:004681F3 mov eax, [ebp+var_34] ; 取数组1地址
.text:004681F6 mov word ptr [eax+edx*2], 28h ; array1(1) = &H28
.text:004681FC mov [ebp+var_4], 0Dh
.text:00468203 mov [ebp+index_158], 2 ; 索引 = 2
.text:0046820D cmp [ebp+index_158], 11h
.text:00468214 jnb short loc_468222
.text:00468216 mov [ebp+var_1B4], 0
.text:00468220 jmp short loc_46822E
.text:00468222 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468222
.text:00468222 loc_468222: ; CODE XREF: sub_468060+1B4j
.text:00468222 call ds:__vbaGenerateBoundsError
.text:00468228 mov [ebp+var_1B4], eax
.text:0046822E
.text:0046822E loc_46822E: ; CODE XREF: sub_468060+1C0j
.text:0046822E mov ecx, [ebp+index_158]
.text:00468234 mov edx, [ebp+var_34] ; 取数组1地址
.text:00468237 mov word ptr [edx+ecx*2], 53h ; array(2) = &H53
.text:0046823D mov [ebp+var_4], 0Eh
.text:00468244 mov [ebp+index_158], 3 ; 索引 = 3
.text:0046824E cmp [ebp+index_158], 11h
.text:00468255 jnb short loc_468263
.text:00468257 mov [ebp+var_1B8], 0
.text:00468261 jmp short loc_46826F
.text:00468263 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468263
.text:00468263 loc_468263: ; CODE XREF: sub_468060+1F5j
.text:00468263 call ds:__vbaGenerateBoundsError
.text:00468269 mov [ebp+var_1B8], eax
.text:0046826F
.text:0046826F loc_46826F: ; CODE XREF: sub_468060+201j
.text:0046826F mov eax, [ebp+index_158]
.text:00468275 mov ecx, [ebp+var_34] ; 取数组1地址
.text:00468278 mov word ptr [ecx+eax*2], 84h ; array1(3) = &H84
.text:0046827E mov [ebp+var_4], 0Fh
.text:00468285 mov [ebp+index_158], 4 ; 索引 = 4
.text:0046828F cmp [ebp+index_158], 11h
.text:00468296 jnb short loc_4682A4
.text:00468298 mov [ebp+var_1BC], 0
.text:004682A2 jmp short loc_4682B0
.text:004682A4 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004682A4
.text:004682A4 loc_4682A4: ; CODE XREF: sub_468060+236j
.text:004682A4 call ds:__vbaGenerateBoundsError
.text:004682AA mov [ebp+var_1BC], eax
.text:004682B0
.text:004682B0 loc_4682B0: ; CODE XREF: sub_468060+242j
.text:004682B0 mov edx, [ebp+index_158]
.text:004682B6 mov eax, [ebp+var_34] ; 取数组1地址
.text:004682B9 mov word ptr [eax+edx*2], 45h ; array(4) = &H45
.text:004682BF mov [ebp+var_4], 10h
.text:004682C6 mov [ebp+index_158], 5 ; 索引 = 5
.text:004682D0 cmp [ebp+index_158], 11h
.text:004682D7 jnb short loc_4682E5
.text:004682D9 mov [ebp+var_1C0], 0
.text:004682E3 jmp short loc_4682F1
.text:004682E5 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004682E5
.text:004682E5 loc_4682E5: ; CODE XREF: sub_468060+277j
.text:004682E5 call ds:__vbaGenerateBoundsError
.text:004682EB mov [ebp+var_1C0], eax
.text:004682F1
.text:004682F1 loc_4682F1: ; CODE XREF: sub_468060+283j
.text:004682F1 mov ecx, [ebp+index_158]
.text:004682F7 mov edx, [ebp+var_34] ; 取数组1地址
.text:004682FA mov word ptr [edx+ecx*2], 0EDh ; array1(5) = &HED
.text:00468300 mov [ebp+var_4], 11h
.text:00468307 mov [ebp+index_158], 6 ; 索引 = 6
.text:00468311 cmp [ebp+index_158], 11h
.text:00468318 jnb short loc_468326
.text:0046831A mov [ebp+var_1C4], 0
.text:00468324 jmp short loc_468332
.text:00468326 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468326
.text:00468326 loc_468326: ; CODE XREF: sub_468060+2B8j
.text:00468326 call ds:__vbaGenerateBoundsError
.text:0046832C mov [ebp+var_1C4], eax
.text:00468332
.text:00468332 loc_468332: ; CODE XREF: sub_468060+2C4j
.text:00468332 mov eax, [ebp+index_158]
.text:00468338 mov ecx, [ebp+var_34] ; 取数组1地址
.text:0046833B mov word ptr [ecx+eax*2], 25h ; array1(6) = &H25
.text:00468341 mov [ebp+var_4], 12h
.text:00468348 mov [ebp+index_158], 7 ; 索引 = 7
.text:00468352 cmp [ebp+index_158], 11h
.text:00468359 jnb short loc_468367
.text:0046835B mov [ebp+var_1C8], 0
.text:00468365 jmp short loc_468373
.text:00468367 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468367
.text:00468367 loc_468367: ; CODE XREF: sub_468060+2F9j
.text:00468367 call ds:__vbaGenerateBoundsError
.text:0046836D mov [ebp+var_1C8], eax
.text:00468373
.text:00468373 loc_468373: ; CODE XREF: sub_468060+305j
.text:00468373 mov edx, [ebp+index_158]
.text:00468379 mov eax, [ebp+var_34] ; 取数组1地址
.text:0046837C mov word ptr [eax+edx*2], 76h ; array1(7) = &h76
.text:00468382 mov [ebp+var_4], 13h
.text:00468389 mov [ebp+index_158], 8 ; 索引 = 8
.text:00468393 cmp [ebp+index_158], 11h
.text:0046839A jnb short loc_4683A8
.text:0046839C mov [ebp+var_1CC], 0
.text:004683A6 jmp short loc_4683B4
.text:004683A8 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004683A8
.text:004683A8 loc_4683A8: ; CODE XREF: sub_468060+33Aj
.text:004683A8 call ds:__vbaGenerateBoundsError
.text:004683AE mov [ebp+var_1CC], eax
.text:004683B4
.text:004683B4 loc_4683B4: ; CODE XREF: sub_468060+346j
.text:004683B4 mov ecx, [ebp+index_158]
.text:004683BA mov edx, [ebp+var_34] ; 取数组1地址
.text:004683BD mov word ptr [edx+ecx*2], 37h ; array1(8) = &H37
.text:004683C3 mov [ebp+var_4], 14h
.text:004683CA mov [ebp+index_158], 9 ; 索引 = 9
.text:004683D4 cmp [ebp+index_158], 11h
.text:004683DB jnb short loc_4683E9
.text:004683DD mov [ebp+var_1D0], 0
.text:004683E7 jmp short loc_4683F5
.text:004683E9 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004683E9
.text:004683E9 loc_4683E9: ; CODE XREF: sub_468060+37Bj
.text:004683E9 call ds:__vbaGenerateBoundsError
.text:004683EF mov [ebp+var_1D0], eax
.text:004683F5
.text:004683F5 loc_4683F5: ; CODE XREF: sub_468060+387j
.text:004683F5 mov eax, [ebp+index_158]
.text:004683FB mov ecx, [ebp+var_34] ; 取数组1地址
.text:004683FE mov word ptr [ecx+eax*2], 17h ; array1(9) = &H17
.text:00468404 mov [ebp+var_4], 15h
.text:0046840B mov [ebp+index_158], 0Ah ; 索引 = 10
.text:00468415 cmp [ebp+index_158], 11h
.text:0046841C jnb short loc_46842A
.text:0046841E mov [ebp+var_1D4], 0
.text:00468428 jmp short loc_468436
.text:0046842A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046842A
.text:0046842A loc_46842A: ; CODE XREF: sub_468060+3BCj
.text:0046842A call ds:__vbaGenerateBoundsError
.text:00468430 mov [ebp+var_1D4], eax
.text:00468436
.text:00468436 loc_468436: ; CODE XREF: sub_468060+3C8j
.text:00468436 mov edx, [ebp+index_158]
.text:0046843C mov eax, [ebp+var_34] ; 取数组1地址
.text:0046843F mov word ptr [eax+edx*2], 5Bh ; array1(10) = &H5B
.text:00468445 mov [ebp+var_4], 16h
.text:0046844C mov [ebp+index_158], 0Bh ; 索引 = 11
.text:00468456 cmp [ebp+index_158], 11h
.text:0046845D jnb short loc_46846B
.text:0046845F mov [ebp+var_1D8], 0
.text:00468469 jmp short loc_468477
.text:0046846B ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046846B
.text:0046846B loc_46846B: ; CODE XREF: sub_468060+3FDj
.text:0046846B call ds:__vbaGenerateBoundsError
.text:00468471 mov [ebp+var_1D8], eax
.text:00468477
.text:00468477 loc_468477: ; CODE XREF: sub_468060+409j
.text:00468477 mov ecx, [ebp+index_158]
.text:0046847D mov edx, [ebp+var_34] ; 取数组1地址
.text:00468480 mov word ptr [edx+ecx*2], 0F2h ; array1(11) = &HF2
.text:00468486 mov [ebp+var_4], 17h
.text:0046848D mov [ebp+index_158], 0Ch ; 索引 = 12
.text:00468497 cmp [ebp+index_158], 11h
.text:0046849E jnb short loc_4684AC
.text:004684A0 mov [ebp+var_1DC], 0
.text:004684AA jmp short loc_4684B8
.text:004684AC ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004684AC
.text:004684AC loc_4684AC: ; CODE XREF: sub_468060+43Ej
.text:004684AC call ds:__vbaGenerateBoundsError
.text:004684B2 mov [ebp+var_1DC], eax
.text:004684B8
.text:004684B8 loc_4684B8: ; CODE XREF: sub_468060+44Aj
.text:004684B8 mov eax, [ebp+index_158]
.text:004684BE mov ecx, [ebp+var_34] ; 取数组1地址
.text:004684C1 mov word ptr [ecx+eax*2], 2Fh ; array1(12) = &H2F
.text:004684C7 mov [ebp+var_4], 18h
.text:004684CE mov [ebp+index_158], 0Dh ; 索引 = 13
.text:004684D8 cmp [ebp+index_158], 11h
.text:004684DF jnb short loc_4684ED
.text:004684E1 mov [ebp+var_1E0], 0
.text:004684EB jmp short loc_4684F9
.text:004684ED ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004684ED
.text:004684ED loc_4684ED: ; CODE XREF: sub_468060+47Fj
.text:004684ED call ds:__vbaGenerateBoundsError
.text:004684F3 mov [ebp+var_1E0], eax
.text:004684F9
.text:004684F9 loc_4684F9: ; CODE XREF: sub_468060+48Bj
.text:004684F9 mov edx, [ebp+index_158]
.text:004684FF mov eax, [ebp+var_34] ; 取数组1地址
.text:00468502 mov word ptr [eax+edx*2], 82h ; array1(13) = &H82
.text:00468508 mov [ebp+var_4], 19h
.text:0046850F mov [ebp+index_158], 0Eh ; 索引 = 14
.text:00468519 cmp [ebp+index_158], 11h
.text:00468520 jnb short loc_46852E
.text:00468522 mov [ebp+var_1E4], 0
.text:0046852C jmp short loc_46853A
.text:0046852E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046852E
.text:0046852E loc_46852E: ; CODE XREF: sub_468060+4C0j
.text:0046852E call ds:__vbaGenerateBoundsError
.text:00468534 mov [ebp+var_1E4], eax
.text:0046853A
.text:0046853A loc_46853A: ; CODE XREF: sub_468060+4CCj
.text:0046853A mov ecx, [ebp+index_158] ; 取数组1地址
.text:00468540 mov edx, [ebp+var_34]
.text:00468543 mov word ptr [edx+ecx*2], 3Bh ; array1(14) = &H3B
.text:00468549 mov [ebp+var_4], 1Ah
.text:00468550 mov [ebp+index_158], 0Fh ; 索引 = 15
.text:0046855A cmp [ebp+index_158], 11h
.text:00468561 jnb short loc_46856F
.text:00468563 mov [ebp+var_1E8], 0
.text:0046856D jmp short loc_46857B
.text:0046856F ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046856F
.text:0046856F loc_46856F: ; CODE XREF: sub_468060+501j
.text:0046856F call ds:__vbaGenerateBoundsError
.text:00468575 mov [ebp+var_1E8], eax
.text:0046857B
.text:0046857B loc_46857B: ; CODE XREF: sub_468060+50Dj
.text:0046857B mov eax, [ebp+index_158]
.text:00468581 mov ecx, [ebp+var_34] ; 取数组1地址
.text:00468584 mov word ptr [ecx+eax*2], 47h ; array1(15) = &H47
.text:0046858A mov [ebp+var_4], 1Bh
.text:00468591 mov [ebp+index_158], 10h ; 索引 = 16
.text:0046859B cmp [ebp+index_158], 11h
.text:004685A2 jnb short loc_4685B0
.text:004685A4 mov [ebp+var_1EC], 0
.text:004685AE jmp short loc_4685BC
.text:004685B0 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004685B0
.text:004685B0 loc_4685B0: ; CODE XREF: sub_468060+542j
.text:004685B0 call ds:__vbaGenerateBoundsError
.text:004685B6 mov [ebp+var_1EC], eax
.text:004685BC
.text:004685BC loc_4685BC: ; CODE XREF: sub_468060+54Ej
.text:004685BC mov edx, [ebp+index_158]
.text:004685C2 mov eax, [ebp+var_34] ; 取数组1地址
.text:004685C5 mov word ptr [eax+edx*2], 0A8h ; array1(16) = &HA8
///////////////////////////////////////////////////////////////////////
在这里先对5个数组的地址分析一下:
var_40 数组变量1
var_34 数组1地址
var_70 数组变量2
var_64 数组2地址
var_8c 数组变量3
var_80 数组3地址
var_a8 数组变量4
var_9c 数组4地址
var_dc 数组变量5
var_d0 数组5地址
输入参数
' Pseudo-code for the opening of sub_468060, following the listing above.
' arg0 is the string argument; arg1 is the integer argument (the caller passes 0).
dim arg0 as string
dim arg1 as integer
' array indices are 0-based
dim array1(16) as integer
dim array2(512) as integer
dim array3(16) as integer
dim array4(512) as integer
dim array5(16) as integer
dim s1 as string
dim s1len as long
dim arg0len as long
dim time1 as long
dim time2 as long
dim var_ec as integer
dim i as integer
' Timer value taken at entry (rtcGetTimer followed by __vbaFpI4 in the listing)
time1 = clng(timer)
' Constant string embedded in the binary; its length (17) is stored next to arg0's length
s1 = "lxhsxyloveforever"
arg0len = len(arg0)
s1len = len(s1)
' A non-positive arg1 falls back to 2
if arg1 <= 0 then
var_ec = 2
else
var_ec = arg1
endif
' Constant table, written element by element in the listing, each store
' preceded by a bounds check of the index against 11h
array1(1) = &h28
array1(2) = &h53
array1(3) = &h84
array1(4) = &h45
array1(5) = &hed
array1(6) = &h25
array1(7) = &h76
array1(8) = &h37
array1(9) = &h17
array1(10) = &h5b
array1(11) = &hf2
array1(12) = &h2f
array1(13) = &h82
array1(14) = &h3b
array1(15) = &h47
array1(16) = &ha8
//////////////////////////////////////////////////////////////////////
.text:004685CB mov [ebp+var_4], 1Ch
.text:004685D2 mov [ebp+var_C0], 0 ; 初值为0
.text:004685DB mov [ebp+var_4], 1Dh
.text:004685E2 mov [ebp+var_168], 200h ; 初值512
.text:004685EB mov [ebp+var_164], 1
.text:004685F4 mov [ebp+var_BC], 0 ; 初值为0
.text:004685FD jmp short loc_46861A
.text:004685FF ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004685FF
.text:004685FF loc_4685FF: ; CODE XREF: sub_468060+620j
.text:004685FF mov cx, [ebp+var_BC] ; 加1
.text:00468606 add cx, [ebp+var_164]
.text:0046860D jo loc_469788
.text:00468613 mov [ebp+var_BC], cx
.text:0046861A
.text:0046861A loc_46861A: ; CODE XREF: sub_468060+59Dj
.text:0046861A mov dx, [ebp+var_BC]
.text:00468621 cmp dx, [ebp+var_168]
.text:00468628 jg short loc_468685 ; 小于等于 512 循环
.text:0046862A mov [ebp+var_4], 1Eh
.text:00468631 movsx eax, [ebp+var_BC] ; 取索引
.text:00468638 mov [ebp+index_158], eax
.text:0046863E cmp [ebp+index_158], 201h
.text:00468648 jnb short loc_468656
.text:0046864A mov [ebp+var_1F0], 0
.text:00468654 jmp short loc_468662
.text:00468656 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468656
.text:00468656 loc_468656: ; CODE XREF: sub_468060+5E8j
.text:00468656 call ds:__vbaGenerateBoundsError
.text:0046865C mov [ebp+var_1F0], eax
.text:00468662
.text:00468662 loc_468662: ; CODE XREF: sub_468060+5F4j
.text:00468662 mov ecx, [ebp+index_158]
.text:00468668 mov edx, [ebp+var_9C] ; 取 数组4 地址
.text:0046866E mov ax, [ebp+var_BC] ; 取索引值
.text:00468675 mov [edx+ecx*2], ax ; 保存到数组
.text:00468679 mov [ebp+var_4], 1Fh
.text:00468680 jmp loc_4685FF
.text:00468685 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468685
.text:00468685 loc_468685: ; CODE XREF: sub_468060+5C8j
.text:00468685 mov [ebp+var_4], 20h
.text:0046868C mov [ebp+var_170], 200h ; 初值512
.text:00468695 mov [ebp+var_16C], 1 ; 初值1
.text:0046869E mov [ebp+var_BC], 0 ; 初值0
.text:004686A7 jmp short loc_4686C4
.text:004686A9 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004686A9
.text:004686A9 loc_4686A9: ; CODE XREF: sub_468060+7D0j
.text:004686A9 mov cx, [ebp+var_BC] ; 索引加 1
.text:004686B0 add cx, [ebp+var_16C]
.text:004686B7 jo loc_469788
.text:004686BD mov [ebp+var_BC], cx
.text:004686C4
.text:004686C4 loc_4686C4: ; CODE XREF: sub_468060+647j
.text:004686C4 mov dx, [ebp+var_BC]
.text:004686CB cmp dx, [ebp+var_170]
.text:004686D2 jg loc_468835 ; 索引小于等于512则循环
.text:004686D8 mov [ebp+var_4], 21h
.text:004686DF mov ax, [ebp+var_C0]
.text:004686E6 add ax, [ebp+var_BC] ; 索引值累加到var_c0
.text:004686ED jo loc_469788
.text:004686F3 and ax, 0FFh ; 模256
.text:004686F7 jns short loc_468701
.text:004686F9 dec ax
.text:004686FB or ax, 0FF00h
.text:004686FF inc ax
.text:00468701
.text:00468701 loc_468701: ; CODE XREF: sub_468060+697j
.text:00468701 mov [ebp+var_C0], ax
.text:00468708 mov [ebp+var_4], 22h
.text:0046870F movsx ecx, [ebp+var_BC] ; 取当前索引
.text:00468716 mov [ebp+index_158], ecx
.text:0046871C cmp [ebp+index_158], 201h
.text:00468726 jnb short loc_468734
.text:00468728 mov [ebp+var_1F4], 0
.text:00468732 jmp short loc_468740
.text:00468734 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468734
.text:00468734 loc_468734: ; CODE XREF: sub_468060+6C6j
.text:00468734 call ds:__vbaGenerateBoundsError
.text:0046873A mov [ebp+var_1F4], eax
.text:00468740
.text:00468740 loc_468740: ; CODE XREF: sub_468060+6D2j
.text:00468740 mov edx, [ebp+index_158]
.text:00468746 mov eax, [ebp+var_9C] ; 取 数组4 地址
.text:0046874C mov cx, [eax+edx*2] ; 在当前索引位置取一个元素
.text:00468750 mov [ebp+var_54], cx ; 保存到var_54
.text:00468754 mov [ebp+var_4], 23h
.text:0046875B movsx edx, [ebp+var_C0] ; 取模256后的值
.text:00468762 mov [ebp+var_15C], edx ; 保存到var_15c
.text:00468768 cmp [ebp+var_15C], 201h
.text:00468772 jnb short loc_468780
.text:00468774 mov [ebp+var_1F8], 0
.text:0046877E jmp short loc_46878C
.text:00468780 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468780
.text:00468780 loc_468780: ; CODE XREF: sub_468060+712j
.text:00468780 call ds:__vbaGenerateBoundsError
.text:00468786 mov [ebp+var_1F8], eax
.text:0046878C
.text:0046878C loc_46878C: ; CODE XREF: sub_468060+71Ej
.text:0046878C movsx eax, [ebp+var_BC] ; 取当前索引
.text:00468793 mov [ebp+index_158], eax
.text:00468799 cmp [ebp+index_158], 201h
.text:004687A3 jnb short loc_4687B1
.text:004687A5 mov [ebp+var_1FC], 0
.text:004687AF jmp short loc_4687BD
.text:004687B1 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004687B1
.text:004687B1 loc_4687B1: ; CODE XREF: sub_468060+743j
.text:004687B1 call ds:__vbaGenerateBoundsError
.text:004687B7 mov [ebp+var_1FC], eax
.text:004687BD
.text:004687BD loc_4687BD: ; CODE XREF: sub_468060+74Fj
.text:004687BD mov ecx, [ebp+index_158]
.text:004687C3 mov edx, [ebp+var_9C] ; 取数组4地址
.text:004687C9 mov eax, [ebp+var_15C]
.text:004687CF mov esi, [ebp+var_9C] ; 取数组4地址
.text:004687D5 mov ax, [esi+eax*2] ; 取数组4一个元素
.text:004687D9 mov [edx+ecx*2], ax ; 移动到当前索引指向的位置
.text:004687DD mov [ebp+var_4], 24h
.text:004687E4 movsx ecx, [ebp+var_C0]
.text:004687EB mov [ebp+index_158], ecx
.text:004687F1 cmp [ebp+index_158], 201h
.text:004687FB jnb short loc_468809
.text:004687FD mov [ebp+var_200], 0
.text:00468807 jmp short loc_468815
.text:00468809 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468809
.text:00468809 loc_468809: ; CODE XREF: sub_468060+79Bj
.text:00468809 call ds:__vbaGenerateBoundsError
.text:0046880F mov [ebp+var_200], eax
.text:00468815
.text:00468815 loc_468815: ; CODE XREF: sub_468060+7A7j
.text:00468815 mov edx, [ebp+index_158]
.text:0046881B mov eax, [ebp+var_9C] ; 取数组4地址
.text:00468821 mov cx, [ebp+var_54]
.text:00468825 mov [eax+edx*2], cx
.text:00468829 mov [ebp+var_4], 25h
.text:00468830 jmp loc_4686A9 ; 上面这段实际在交换数组元素
.text:00468835 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468835
////////////////////////////////////////////////////////////////////////////////////////////
' Build array4 as a fixed permutation of 0..512.
' Step 1: identity mapping, array4(i) = i.
for i = 0 to 512
array4(i) = i
next i
dim tmpsum as integer
dim tmpvar as integer
tmpsum = 0
' Step 2: one swap per index. Nothing derived from arg0 or arg1 enters this
' loop, so array4 ends up with the same contents on every call.
for i = 0 to 512
' Running sum reduced to 0..255 (compiled as "and ax, 0FFh" plus the sign
' fix-up at 004686F7), so the swap partner is always in the lower 256 slots.
tmpsum = (tmpsum + i) mod 256
' Exchange array4(i) and array4(tmpsum) through tmpvar (var_54 in the listing).
tmpvar = array4(i)
array4(i) = array4(tmpsum)
array4(tmpsum) = tmpvar
next i
////////////////////////////////////////////////////////////////////////////////////////////
.text:00468835 loc_468835: ; CODE XREF: sub_468060+672j
.text:00468835 mov [ebp+var_4], 26h
.text:0046883C cmp [ebp+var_EC], 1 ; 比较var_ec是否是1,这里和第二个参数有关
.text:00468844 jnz loc_468A0F ; 不等则跳。这里是个大的分支跳转
.text:0046884A mov [ebp+var_4], 27h
.text:00468851 mov [ebp+var_E4], 0 ; 初值为0
.text:0046885A mov [ebp+var_4], 28h
.text:00468861 mov [ebp+var_48], 10h ; 初值为16
.text:00468867 mov [ebp+var_4], 29h
.text:0046886E mov [ebp+var_128], offset asc_40CF38 ; " "
.text:00468878 mov [ebp+var_130], 8 ; 这是字符串变量,初值为一个空格
.text:00468882 lea edx, [ebp+var_130]
.text:00468888 lea ecx, [ebp+var_110]
.text:0046888E call ds:__vbaVarDup ; 复制一个空格到这里
.text:00468894 lea edx, [ebp+var_110]
.text:0046889A push edx
.text:0046889B push 10h
.text:0046889D lea eax, [ebp+var_120] ; String(16," ")
.text:004688A3 push eax
.text:004688A4 call ds:rtcStringVar
.text:004688AA lea ecx, [ebp+var_120]
.text:004688B0 push ecx
.text:004688B1 call ds:__vbaStrVarMove
.text:004688B7 mov edx, eax
.text:004688B9 lea ecx, [ebp+var_50] ; 16个空格的字符串
.text:004688BC call ds:__vbaStrMove
.text:004688C2 lea edx, [ebp+var_120]
.text:004688C8 push edx
.text:004688C9 lea eax, [ebp+var_110]
.text:004688CF push eax
.text:004688D0 push 2
.text:004688D2 call ds:__vbaFreeVarList ; 释放这两个临时变量
.text:004688D8 add esp, 0Ch
.text:004688DB mov [ebp+var_4], 2Ah
.text:004688E2 mov [ebp+var_178], 200h ; 初值512
.text:004688EB mov [ebp+var_174], 1 ; 初值1
.text:004688F4 mov [ebp+var_BC], 0 ; 初值0
.text:004688FD jmp short loc_46891A
.text:004688FF ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004688FF
.text:004688FF loc_4688FF: ; CODE XREF: sub_468060+9A5j
.text:004688FF mov cx, [ebp+var_BC]
.text:00468906 add cx, [ebp+var_174]
.text:0046890D jo loc_469788
.text:00468913 mov [ebp+var_BC], cx ; 当前索引加1
.text:0046891A
.text:0046891A loc_46891A: ; CODE XREF: sub_468060+89Dj
.text:0046891A mov dx, [ebp+var_BC]
.text:00468921 cmp dx, [ebp+var_178] ; 大于512退出循环
.text:00468928 jg loc_468A0A
.text:0046892E mov [ebp+var_4], 2Bh
.text:00468935 movsx eax, [ebp+var_BC]
.text:0046893C mov [ebp+index_158], eax ; 取当前索引
.text:00468942 cmp [ebp+index_158], 201h
.text:0046894C jnb short loc_46895A
.text:0046894E mov [ebp+var_204], 0
.text:00468958 jmp short loc_468966
.text:0046895A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046895A
.text:0046895A loc_46895A: ; CODE XREF: sub_468060+8ECj
.text:0046895A call ds:__vbaGenerateBoundsError
.text:00468960 mov [ebp+var_204], eax
.text:00468966
.text:00468966 loc_468966: ; CODE XREF: sub_468060+8F8j
.text:00468966 mov ecx, [ebp+index_158] ; 取当前索引
.text:0046896C mov edx, [ebp+var_9C] ; 取数组4地址
.text:00468972 movsx eax, word ptr [edx+ecx*2] ; 取一个元素
.text:00468976 mov [ebp+var_15C], eax ; 保存到这里
.text:0046897C cmp [ebp+var_15C], 201h
.text:00468986 jnb short loc_468994
.text:00468988 mov [ebp+var_208], 0
.text:00468992 jmp short loc_4689A0
.text:00468994 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468994
.text:00468994 loc_468994: ; CODE XREF: sub_468060+926j
.text:00468994 call ds:__vbaGenerateBoundsError
.text:0046899A mov [ebp+var_208], eax
.text:004689A0
.text:004689A0 loc_4689A0: ; CODE XREF: sub_468060+932j
.text:004689A0 mov cx, [ebp+var_E4] ; 取var_e4
.text:004689A7 add cx, 30h ; 加上 &H30 变成可见字符
.text:004689AB jo loc_469788
.text:004689B1 mov edx, [ebp+var_15C] ; 取刚才那个元素
.text:004689B7 mov eax, [ebp+var_64] ; 取数组2地址
.text:004689BA mov [eax+edx*2], cx ; 保存到数组2
.text:004689BE mov [ebp+var_4], 2Ch
.text:004689C5 mov cx, [ebp+var_E4]
.text:004689CC add cx, 1 ; var_e4加1
.text:004689D0 jo loc_469788
.text:004689D6 mov [ebp+var_E4], cx
.text:004689DD mov [ebp+var_4], 2Dh
.text:004689E4 cmp [ebp+var_E4], 0Ah
.text:004689EC jnz short loc_4689FE
.text:004689EE mov [ebp+var_4], 2Eh
.text:004689F5 mov [ebp+var_E4], 0 ; 等于10则赋值0
.text:004689FE
.text:004689FE loc_4689FE: ; CODE XREF: sub_468060+98Cj
.text:004689FE mov [ebp+var_4], 30h
.text:00468A05 jmp loc_4688FF
.text:00468A0A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468A0A
.text:00468A0A loc_468A0A: ; CODE XREF: sub_468060+8C8j
.text:00468A0A jmp loc_468D83
.text:00468A0F ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468A0F
.text:00468A0F loc_468A0F: ; CODE XREF: sub_468060+7E4j
.text:00468A0F mov [ebp+var_4], 31h
.text:00468A16 cmp [ebp+var_EC], 2 ; 比较var_ec是否是2,这里和第二个参数有关
.text:00468A1E jnz loc_468D02 ; 不等则跳
.text:00468A24 mov [ebp+var_4], 32h
.text:00468A2B mov [ebp+var_E4], 0 ; 初值0
.text:00468A34 mov [ebp+var_4], 33h
.text:00468A3B mov [ebp+var_28], 0 ; 初值0
.text:00468A41 mov [ebp+var_4], 34h
.text:00468A48 mov [ebp+var_48], 10h ; 初值16
.text:00468A4E mov [ebp+var_4], 35h
.text:00468A55 mov [ebp+var_128], offset asc_40CF38 ; " "
.text:00468A5F mov [ebp+var_130], 8 ; 字符串" "
.text:00468A69 lea edx, [ebp+var_130]
.text:00468A6F lea ecx, [ebp+var_110]
.text:00468A75 call ds:__vbaVarDup
.text:00468A7B lea edx, [ebp+var_110]
.text:00468A81 push edx
.text:00468A82 push 10h
.text:00468A84 lea eax, [ebp+var_120]
.text:00468A8A push eax
.text:00468A8B call ds:rtcStringVar ; String(16," ")
.text:00468A91 lea ecx, [ebp+var_120]
.text:00468A97 push ecx
.text:00468A98 call ds:__vbaStrVarMove
.text:00468A9E mov edx, eax
.text:00468AA0 lea ecx, [ebp+var_50] ; var_50 = String(16," ")
.text:00468AA3 call ds:__vbaStrMove
.text:00468AA9 lea edx, [ebp+var_120]
.text:00468AAF push edx
.text:00468AB0 lea eax, [ebp+var_110]
.text:00468AB6 push eax
.text:00468AB7 push 2
.text:00468AB9 call ds:__vbaFreeVarList ; 释放临时变量
.text:00468ABF add esp, 0Ch
.text:00468AC2 mov [ebp+var_4], 36h
.text:00468AC9 mov [ebp+var_C4], 0 ; 初值0
.text:00468AD2 mov [ebp+var_4], 37h
.text:00468AD9 mov [ebp+var_180], 200h ; 初值512
.text:00468AE2 mov [ebp+var_17C], 1 ; 初值1
.text:00468AEB mov [ebp+var_BC], 0 ; 当前索引初值0
.text:00468AF4 jmp short loc_468B11
.text:00468AF6 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468AF6
.text:00468AF6 loc_468AF6: ; CODE XREF: sub_468060+C98j
.text:00468AF6 mov cx, [ebp+var_BC]
.text:00468AFD add cx, [ebp+var_17C]
.text:00468B04 jo loc_469788
.text:00468B0A mov [ebp+var_BC], cx ; 当前索引加1
.text:00468B11
.text:00468B11 loc_468B11: ; CODE XREF: sub_468060+A94j
.text:00468B11 mov dx, [ebp+var_BC]
.text:00468B18 cmp dx, [ebp+var_180] ; 大于512则跳出循环
.text:00468B1F jg loc_468CFD
.text:00468B25 mov [ebp+var_4], 38h
.text:00468B2C movsx eax, [ebp+var_C4] ; 取var_c4
.text:00468B33 test eax, eax
.text:00468B35 jz loc_468C20 ; 为0则跳
.text:00468B3B mov [ebp+var_4], 39h
.text:00468B42 movsx ecx, [ebp+var_BC] ; 取当前索引
.text:00468B49 mov [ebp+index_158], ecx ; 保存到var_158
.text:00468B4F cmp [ebp+index_158], 201h
.text:00468B59 jnb short loc_468B67
.text:00468B5B mov [ebp+var_20C], 0
.text:00468B65 jmp short loc_468B73
.text:00468B67 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468B67
.text:00468B67 loc_468B67: ; CODE XREF: sub_468060+AF9j
.text:00468B67 call ds:__vbaGenerateBoundsError
.text:00468B6D mov [ebp+var_20C], eax
.text:00468B73
.text:00468B73 loc_468B73: ; CODE XREF: sub_468060+B05j
.text:00468B73 mov edx, [ebp+index_158] ; 取当前索引
.text:00468B79 mov eax, [ebp+var_9C] ; 取数组4地址
.text:00468B7F movsx ecx, word ptr [eax+edx*2] ; 取数组4一个元素
.text:00468B83 mov [ebp+var_15C], ecx ; 保存到var_15c
.text:00468B89 cmp [ebp+var_15C], 201h
.text:00468B93 jnb short loc_468BA1
.text:00468B95 mov [ebp+var_210], 0
.text:00468B9F jmp short loc_468BAD
.text:00468BA1 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468BA1
.text:00468BA1 loc_468BA1: ; CODE XREF: sub_468060+B33j
.text:00468BA1 call ds:__vbaGenerateBoundsError
.text:00468BA7 mov [ebp+var_210], eax
.text:00468BAD
.text:00468BAD loc_468BAD: ; CODE XREF: sub_468060+B3Fj
.text:00468BAD mov dx, [ebp+var_E4] ; 取var_e4
.text:00468BB4 add dx, 30h ; 加 &H30
.text:00468BB8 jo loc_469788
.text:00468BBE mov eax, [ebp+var_15C] ; 取var_15c
.text:00468BC4 mov ecx, [ebp+var_64] ; 取数组2地址
.text:00468BC7 mov [ecx+eax*2], dx ; 保存元素
.text:00468BCB mov [ebp+var_4], 3Ah
.text:00468BD2 mov dx, [ebp+var_E4]
.text:00468BD9 add dx, 1 ; var_e4 加1
.text:00468BDD jo loc_469788
.text:00468BE3 mov [ebp+var_E4], dx
.text:00468BEA mov [ebp+var_4], 3Bh
.text:00468BF1 cmp [ebp+var_E4], 0Ah ; var_e4 等于10赋值0
.text:00468BF9 jnz short loc_468C0B
.text:00468BFB mov [ebp+var_4], 3Ch
.text:00468C02 mov [ebp+var_E4], 0
.text:00468C0B
.text:00468C0B loc_468C0B: ; CODE XREF: sub_468060+B99j
.text:00468C0B mov [ebp+var_4], 3Eh
.text:00468C12 mov [ebp+var_C4], 0 ; var_c4 赋值0
.text:00468C1B jmp loc_468CF1
.text:00468C20 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468C20
.text:00468C20 loc_468C20: ; CODE XREF: sub_468060+AD5j
.text:00468C20 mov [ebp+var_4], 40h
.text:00468C27 movsx eax, [ebp+var_BC] ; 取当前索引
.text:00468C2E mov [ebp+index_158], eax ; 保存到这里
.text:00468C34 cmp [ebp+index_158], 201h
.text:00468C3E jnb short loc_468C4C
.text:00468C40 mov [ebp+var_214], 0
.text:00468C4A jmp short loc_468C58
.text:00468C4C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468C4C
.text:00468C4C loc_468C4C: ; CODE XREF: sub_468060+BDEj
.text:00468C4C call ds:__vbaGenerateBoundsError
.text:00468C52 mov [ebp+var_214], eax
.text:00468C58
.text:00468C58 loc_468C58: ; CODE XREF: sub_468060+BEAj
.text:00468C58 mov ecx, [ebp+index_158] ; 取当前索引
.text:00468C5E mov edx, [ebp+var_9C] ; 取数组4地址
.text:00468C64 movsx eax, word ptr [edx+ecx*2] ; 取数组4一个元素
.text:00468C68 mov [ebp+var_15C], eax ; 保存到var_15c
.text:00468C6E cmp [ebp+var_15C], 201h
.text:00468C78 jnb short loc_468C86
.text:00468C7A mov [ebp+var_218], 0
.text:00468C84 jmp short loc_468C92
.text:00468C86 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468C86
.text:00468C86 loc_468C86: ; CODE XREF: sub_468060+C18j
.text:00468C86 call ds:__vbaGenerateBoundsError
.text:00468C8C mov [ebp+var_218], eax
.text:00468C92
.text:00468C92 loc_468C92: ; CODE XREF: sub_468060+C24j
.text:00468C92 mov cx, [ebp+var_28] ; 取var_28
.text:00468C96 add cx, 41h ; 加&H41变成大写字母
.text:00468C9A jo loc_469788
.text:00468CA0 mov edx, [ebp+var_15C] ; 数组4中的一个元素
.text:00468CA6 mov eax, [ebp+var_64] ; 数组2地址
.text:00468CA9 mov [eax+edx*2], cx ; 保存一个元素
.text:00468CAD mov [ebp+var_4], 41h
.text:00468CB4 mov cx, [ebp+var_28]
.text:00468CB8 add cx, 1 ; var28 加1
.text:00468CBC jo loc_469788
.text:00468CC2 mov [ebp+var_28], cx
.text:00468CC6 mov [ebp+var_4], 42h
.text:00468CCD cmp [ebp+var_28], 1Ah ; var28等于26则赋值0
.text:00468CD2 jnz short loc_468CE1
.text:00468CD4 mov [ebp+var_4], 43h
.text:00468CDB mov [ebp+var_28], 0
.text:00468CE1
.text:00468CE1 loc_468CE1: ; CODE XREF: sub_468060+C72j
.text:00468CE1 mov [ebp+var_4], 45h
.text:00468CE8 mov [ebp+var_C4], 0FFFFh ; var_c4 = -1
.text:00468CF1
.text:00468CF1 loc_468CF1: ; CODE XREF: sub_468060+BBBj
.text:00468CF1 mov [ebp+var_4], 47h
.text:00468CF8 jmp loc_468AF6
.text:00468CFD ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468CFD
.text:00468CFD loc_468CFD: ; CODE XREF: sub_468060+ABFj
.text:00468CFD jmp loc_468D83
.text:00468D02 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468D02
.text:00468D02 loc_468D02: ; CODE XREF: sub_468060+9BEj
.text:00468D02 mov [ebp+var_4], 49h
.text:00468D09 mov [ebp+var_48], 8
.text:00468D0F mov [ebp+var_4], 4Ah
.text:00468D16 mov [ebp+var_128], offset asc_40CF38 ; " "
.text:00468D20 mov [ebp+var_130], 8 ; 字符串" "
.text:00468D2A lea edx, [ebp+var_130]
.text:00468D30 lea ecx, [ebp+var_110]
.text:00468D36 call ds:__vbaVarDup
.text:00468D3C lea edx, [ebp+var_110]
.text:00468D42 push edx
.text:00468D43 push 13h
.text:00468D45 lea eax, [ebp+var_120]
.text:00468D4B push eax
.text:00468D4C call ds:rtcStringVar
.text:00468D52 lea ecx, [ebp+var_120]
.text:00468D58 push ecx
.text:00468D59 call ds:__vbaStrVarMove
.text:00468D5F mov edx, eax
.text:00468D61 lea ecx, [ebp+var_50] ; var_50 = String(19," ")
.text:00468D64 call ds:__vbaStrMove
.text:00468D6A lea edx, [ebp+var_120]
.text:00468D70 push edx
.text:00468D71 lea eax, [ebp+var_110]
.text:00468D77 push eax
.text:00468D78 push 2
.text:00468D7A call ds:__vbaFreeVarList
.text:00468D80 add esp, 0Ch
.text:00468D83
///////////////////////////////////////////////////////////////
' Mode-dependent setup: fill array2 with an output alphabet and choose sizes.
' var_48 is later the upper bound of the loop that starts at 004691FD.
' var_50 is a space-filled string; presumably the output buffer, its use is
' not shown in this part of the listing.
dim var_48 as integer
dim var_50 as string
dim j as integer
dim tmpi as integer
dim tmpj as integer
' isd mirrors var_C4 in the listing: true means the next slot gets a digit.
dim isd as boolean
if var_ec = 1 then
' Mode 1: digits only, 16-character buffer.
var_50 = string(16," ")
var_48 = 16
tmpi = 0
for i = 0 to 512
' array4 is a permutation of 0..512, so each array2 slot is written once.
j = array4(i)
' &h30 + 0..9 gives the characters "0".."9", cycling.
array2(j) = tmpi + &h30
tmpi = tmpi + 1
if tmpi = 10 then tmpi = 0
next i
elseif var_ec = 2 then
' Mode 2: letters and digits alternate, 16-character buffer.
var_50 = string(16," ")
var_48 = 16
' Starts false, so the first slot written receives a letter.
isd = false
tmpi = 0
tmpj = 0
for i = 0 to 512
if isd then
j = array4(i)
array2(j) = tmpi + &h30
tmpi = tmpi + 1
if tmpi = 10 then tmpi = 0
isd = false
else
j = array4(i)
' &h41 + 0..25 gives the characters "A".."Z", cycling.
array2(j) = tmpj + &h41
tmpj = tmpj + 1
if tmpj = 26 then tmpj = 0
isd = true
endif
next i
else
' Any other mode: 19-character buffer and var_48 = 8; array2 is not filled
' in this branch.
var_50 = string(19," ")
var_48 = 8
endif
/////////////////////////////////////////////////////////////////////////////////////////
.text:00468D83 loc_468D83: ; CODE XREF: sub_468060+9AAj
.text:00468D83 ; sub_468060+C9Dj
.text:00468D83 mov [ebp+var_4], 4Ch
.text:00468D8A mov [ebp+var_FC], 1 ; 初值1
.text:00468D93 mov [ebp+var_4], 4Dh
.text:00468D9A mov cx, [ebp+arg0Len_B8] ; 取参数0长度
.text:00468DA1 mov [ebp+var_188], cx ; 保存到var_188
.text:00468DA8 mov [ebp+var_184], 1 ; 初值1
.text:00468DB1 mov [ebp+var_BC], 1 ; 当前索引初值1
.text:00468DBA jmp short loc_468DD7
.text:00468DBC ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468DBC
.text:00468DBC loc_468DBC: ; CODE XREF: sub_468060+F3Fj
.text:00468DBC mov dx, [ebp+var_BC]
.text:00468DC3 add dx, [ebp+var_184]
.text:00468DCA jo loc_469788
.text:00468DD0 mov [ebp+var_BC], dx ; 当前索引加1
.text:00468DD7
.text:00468DD7 loc_468DD7: ; CODE XREF: sub_468060+D5Aj
.text:00468DD7 mov ax, [ebp+var_BC] ; 取当前索引
.text:00468DDE cmp ax, [ebp+var_188]
.text:00468DE5 jg loc_468FA4 ; 大于参数0长度则跳
.text:00468DEB mov [ebp+var_4], 4Eh
.text:00468DF2 movsx ecx, [ebp+var_FC] ; 取var_fc
.text:00468DF9 mov [ebp+var_15C], ecx ; 保存到这里
.text:00468DFF cmp [ebp+var_15C], 11h
.text:00468E06 jnb short loc_468E14
.text:00468E08 mov [ebp+var_21C], 0
.text:00468E12 jmp short loc_468E20
.text:00468E14 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468E14
.text:00468E14 loc_468E14: ; CODE XREF: sub_468060+DA6j
.text:00468E14 call ds:__vbaGenerateBoundsError
.text:00468E1A mov [ebp+var_21C], eax
.text:00468E20
.text:00468E20 loc_468E20: ; CODE XREF: sub_468060+DB2j
.text:00468E20 mov [ebp+var_108], 1
.text:00468E2A mov [ebp+var_110], 2 ; 整型变量var_110 = 1
.text:00468E34 mov edx, [ebp+arg_0]
.text:00468E37 mov [ebp+var_128], edx
.text:00468E3D mov [ebp+var_130], 4008h ; 参数0
.text:00468E47 lea eax, [ebp+var_110] ; 1
.text:00468E4D push eax
.text:00468E4E movsx ecx, [ebp+var_BC] ; 当前索引
.text:00468E55 push ecx
.text:00468E56 lea edx, [ebp+var_130] ; 参数0
.text:00468E5C push edx
.text:00468E5D lea eax, [ebp+var_120]
.text:00468E63 push eax
.text:00468E64 call ds:rtcMidCharVar ; 取参数0一个字符
.text:00468E6A movsx ecx, [ebp+var_FC] ; 取变量var_fc
.text:00468E71 mov [ebp+index_158], ecx ; 保存到这里
.text:00468E77 cmp [ebp+index_158], 11h
.text:00468E7E jnb short loc_468E8C
.text:00468E80 mov [ebp+var_220], 0
.text:00468E8A jmp short loc_468E98
.text:00468E8C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468E8C
.text:00468E8C loc_468E8C: ; CODE XREF: sub_468060+E1Ej
.text:00468E8C call ds:__vbaGenerateBoundsError
.text:00468E92 mov [ebp+var_220], eax
.text:00468E98
.text:00468E98 loc_468E98: ; CODE XREF: sub_468060+E2Aj
.text:00468E98 lea edx, [ebp+var_120] ; 参数0的一个字符
.text:00468E9E push edx
.text:00468E9F lea eax, [ebp+var_100]
.text:00468EA5 push eax
.text:00468EA6 call ds:__vbaStrVarVal
.text:00468EAC push eax
.text:00468EAD call ds:rtcAnsiValueBstr ; 函数Asc
.text:00468EB3 mov ecx, [ebp+var_15C] ; var_fc
.text:00468EB9 mov edx, [ebp+var_D0] ; 取数组5地址
.text:00468EBF mov cx, [edx+ecx*2] ; 取数组5一个元素
.text:00468EC3 add cx, ax ; 和参数0一个字符的ascii码相加
.text:00468EC6 jo loc_469788
.text:00468ECC xor cx, 12h ; 异或 &H12
.text:00468ED0 mov edx, [ebp+index_158]
.text:00468ED6 mov eax, [ebp+var_D0] ; 取数组5地址
.text:00468EDC mov [eax+edx*2], cx ; 保存
.text:00468EE0 lea ecx, [ebp+var_100]
.text:00468EE6 call ds:__vbaFreeStr
.text:00468EEC lea ecx, [ebp+var_120]
.text:00468EF2 push ecx
.text:00468EF3 lea edx, [ebp+var_110]
.text:00468EF9 push edx
.text:00468EFA push 2
.text:00468EFC call ds:__vbaFreeVarList
.text:00468F02 add esp, 0Ch
.text:00468F05 mov [ebp+var_4], 4Fh
.text:00468F0C movsx eax, [ebp+var_FC] ; 取var_fc
.text:00468F13 mov [ebp+index_158], eax ; 保存到这里
.text:00468F19 cmp [ebp+index_158], 11h
.text:00468F20 jnb short loc_468F2E
.text:00468F22 mov [ebp+var_224], 0
.text:00468F2C jmp short loc_468F3A
.text:00468F2E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468F2E
.text:00468F2E loc_468F2E: ; CODE XREF: sub_468060+EC0j
.text:00468F2E call ds:__vbaGenerateBoundsError
.text:00468F34 mov [ebp+var_224], eax
.text:00468F3A
.text:00468F3A loc_468F3A: ; CODE XREF: sub_468060+ECCj
.text:00468F3A mov ecx, [ebp+index_158] ; 取var_fc
.text:00468F40 mov edx, [ebp+var_D0] ; 取数组5地址
.text:00468F46 mov ax, [ebp+var_4C] ; 取变量var_4c
.text:00468F4A add ax, [edx+ecx*2]
.text:00468F4E jo loc_469788
.text:00468F54 mov [ebp+var_4C], ax ; var_fc指向的数组5元素累加到var_4c
.text:00468F58 mov [ebp+var_4], 50h
.text:00468F5F mov cx, [ebp+var_FC]
.text:00468F66 add cx, 1
.text:00468F6A jo loc_469788
.text:00468F70 mov [ebp+var_FC], cx ; var_fc加1
.text:00468F77 mov [ebp+var_4], 51h
.text:00468F7E cmp [ebp+var_FC], 9
.text:00468F86 jnz short loc_468F98
.text:00468F88 mov [ebp+var_4], 52h
.text:00468F8F mov [ebp+var_FC], 1 ; var_fc等于9初值1
.text:00468F98
.text:00468F98 loc_468F98: ; CODE XREF: sub_468060+F26j
.text:00468F98 mov [ebp+var_4], 54h
.text:00468F9F jmp loc_468DBC
.text:00468FA4 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468FA4
.text:00468FA4 loc_468FA4: ; CODE XREF: sub_468060+D85j
.text:00468FA4 mov [ebp+var_4], 55h
.text:00468FAB mov dx, [ebp+constLen_24] ; 取常量字符串长度
.text:00468FAF mov [ebp+var_190], dx ; 保存到变量var_190
.text:00468FB6 mov [ebp+var_18C], 1 ; 初值1
.text:00468FBF mov [ebp+var_BC], 1 ; 当前索引初值1
.text:00468FC8 jmp short loc_468FE5
.text:00468FCA ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00468FCA
.text:00468FCA loc_468FCA: ; CODE XREF: sub_468060+1147j
.text:00468FCA mov ax, [ebp+var_BC]
.text:00468FD1 add ax, [ebp+var_18C]
.text:00468FD8 jo loc_469788
.text:00468FDE mov [ebp+var_BC], ax ; 当前索引加1
.text:00468FE5
.text:00468FE5 loc_468FE5: ; CODE XREF: sub_468060+F68j
.text:00468FE5 mov cx, [ebp+var_BC]
.text:00468FEC cmp cx, [ebp+var_190]
.text:00468FF3 jg loc_4691AC ; 当前索引大于常量字符串长度则跳
.text:00468FF9 mov [ebp+var_4], 56h
.text:00469000 movsx edx, [ebp+var_FC] ; 取var_fc(注意没有重新赋值)
.text:00469007 mov [ebp+var_15C], edx ; 保存到var_15c
.text:0046900D cmp [ebp+var_15C], 11h
.text:00469014 jnb short loc_469022
.text:00469016 mov [ebp+var_228], 0
.text:00469020 jmp short loc_46902E
.text:00469022 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00469022
.text:00469022 loc_469022: ; CODE XREF: sub_468060+FB4j
.text:00469022 call ds:__vbaGenerateBoundsError
.text:00469028 mov [ebp+var_228], eax
.text:0046902E
.text:0046902E loc_46902E: ; CODE XREF: sub_468060+FC0j
.text:0046902E mov [ebp+var_108], 1
.text:00469038 mov [ebp+var_110], 2
.text:00469042 lea eax, [ebp+var_F8]
.text:00469048 mov [ebp+var_128], eax
.text:0046904E mov [ebp+var_130], 4008h
.text:00469058 lea ecx, [ebp+var_110] ; 1
.text:0046905E push ecx
.text:0046905F movsx edx, [ebp+var_BC] ; 当前索引
.text:00469066 push edx
.text:00469067 lea eax, [ebp+var_130] ; 常量字符串
.text:0046906D push eax
.text:0046906E lea ecx, [ebp+var_120]
.text:00469074 push ecx
.text:00469075 call ds:rtcMidCharVar ; 取当前索引处一个字符
.text:0046907B movsx edx, [ebp+var_FC] ; 取变量var_fc
.text:00469082 mov [ebp+index_158], edx ; 保存到var_158
.text:00469088 cmp [ebp+index_158], 11h
.text:0046908F jnb short loc_46909D
.text:00469091 mov [ebp+var_22C], 0
.text:0046909B jmp short loc_4690A9
.text:0046909D ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046909D
.text:0046909D loc_46909D: ; CODE XREF: sub_468060+102Fj
.text:0046909D call ds:__vbaGenerateBoundsError
.text:004690A3 mov [ebp+var_22C], eax
.text:004690A9
.text:004690A9 loc_4690A9: ; CODE XREF: sub_468060+103Bj
.text:004690A9 lea eax, [ebp+var_120] ; 上面取出的一个字符
.text:004690AF push eax
.text:004690B0 lea ecx, [ebp+var_100]
.text:004690B6 push ecx
.text:004690B7 call ds:__vbaStrVarVal
.text:004690BD push eax
.text:004690BE call ds:rtcAnsiValueBstr
.text:004690C4 mov edx, [ebp+var_15C] ; var_fc
.text:004690CA mov ecx, [ebp+var_80] ; 数组3地址
.text:004690CD mov dx, [ecx+edx*2] ; 取数组3一个元素
.text:004690D1 add dx, ax ; 加常量字符串一个字符ascii值
.text:004690D4 jo loc_469788
.text:004690DA xor dx, 19h ; 异或&H19
.text:004690DE mov eax, [ebp+index_158] ; var_fc
.text:004690E4 mov ecx, [ebp+var_80] ; 数组3地址
.text:004690E7 mov [ecx+eax*2], dx ; 保存一个元素
.text:004690EB lea ecx, [ebp+var_100]
.text:004690F1 call ds:__vbaFreeStr
.text:004690F7 lea edx, [ebp+var_120]
.text:004690FD push edx
.text:004690FE lea eax, [ebp+var_110]
.text:00469104 push eax
.text:00469105 push 2
.text:00469107 call ds:__vbaFreeVarList
.text:0046910D add esp, 0Ch
.text:00469110 mov [ebp+var_4], 57h
.text:00469117 movsx ecx, [ebp+var_FC] ; 取var_fc
.text:0046911E mov [ebp+index_158], ecx ; 保存到var_158
.text:00469124 cmp [ebp+index_158], 11h
.text:0046912B jnb short loc_469139
.text:0046912D mov [ebp+var_230], 0
.text:00469137 jmp short loc_469145
.text:00469139 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00469139
.text:00469139 loc_469139: ; CODE XREF: sub_468060+10CBj
.text:00469139 call ds:__vbaGenerateBoundsError
.text:0046913F mov [ebp+var_230], eax
.text:00469145
.text:00469145 loc_469145: ; CODE XREF: sub_468060+10D7j
.text:00469145 mov edx, [ebp+index_158] ; var_fc
.text:0046914B mov eax, [ebp+var_80] ; 取数组3地址
.text:0046914E mov cx, [ebp+var_58] ; var_58
.text:00469152 add cx, [eax+edx*2] ; 取数组3一个元素
.text:00469156 jo loc_469788
.text:0046915C mov [ebp+var_58], cx ; 累加到var_58
.text:00469160 mov [ebp+var_4], 58h
.text:00469167 mov dx, [ebp+var_FC]
.text:0046916E add dx, 1
.text:00469172 jo loc_469788
.text:00469178 mov [ebp+var_FC], dx ; var_fc加1
.text:0046917F mov [ebp+var_4], 59h
.text:00469186 cmp [ebp+var_FC], 9
.text:0046918E jnz short loc_4691A0
.text:00469190 mov [ebp+var_4], 5Ah
.text:00469197 mov [ebp+var_FC], 1 ; var_fc等于9则赋值1
.text:004691A0
.text:004691A0 loc_4691A0: ; CODE XREF: sub_468060+112Ej
.text:004691A0 mov [ebp+var_4], 5Ch
.text:004691A7 jmp loc_468FCA
.text:004691AC ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004691AC
///////////////////////////////////////////////////////////////////////////////////////////
' Fold the characters of arg0 into array5 and those of s1 into array3, keeping
' a running sum of each (var_4C and var_58 in the listing). The two sums are
' added and reduced mod 512 at 004691B3.
' The contents array5 and array3 hold before these loops are not shown in
' this part of the listing.
dim tmpchar as integer
dim arg0sum as integer
dim s1sum as integer
' j is var_FC: it cycles 1..8, so only slots 1..8 of each array are updated.
j = 1
for i = 1 to arg0len
tmpchar = asc(mid(arg0,i,1))
' Add the character code, then xor with &H12. The compiled add is followed by
' "jo loc_469788", i.e. a signed 16-bit overflow leaves the normal path.
array5(j) = (array5(j) + tmpchar) xor &H12
arg0sum = arg0sum + array5(j)
j = j + 1
if j = 9 then j = 1
next i
' j is not reset here: the second loop continues from wherever the first one
' stopped, so the slot each s1 character lands in depends on len(arg0).
for i = 1 to s1len
tmpchar = asc(mid(s1,i,1))
' Same step as above with array3 and the xor constant &H19.
array3(j) = (array3(j) + tmpchar) xor &H19
s1sum = s1sum + array3(j)
j = j + 1
if j = 9 then j = 1
next i
//////////////////////////////////////////////////////////////////////////////////////
.text:004691AC loc_4691AC: ; CODE XREF: sub_468060+F93j
.text:004691AC mov [ebp+var_4], 5Dh
.text:004691B3 mov ax, [ebp+var_4C] ; 数组5累加和
.text:004691B7 add ax, [ebp+var_58] ; 数组3累加和
.text:004691BB jo loc_469788
.text:004691C1 and ax, 1FFh ; 相加后模512
.text:004691C5 jns short loc_4691CF
.text:004691C7 dec ax
.text:004691C9 or ax, 0FE00h
.text:004691CD inc ax
.text:004691CF
.text:004691CF loc_4691CF: ; CODE XREF: sub_468060+1165j
.text:004691CF mov [ebp+mysum_B4], ax ; 保存到var_b4
.text:004691D6 mov [ebp+var_4], 5Eh
.text:004691DD mov [ebp+var_FC], 1 ; 初值1
.text:004691E6 mov [ebp+var_4], 5Fh
.text:004691ED mov [ebp+var_F4], 1 ; 初值1
.text:004691F6 mov [ebp+var_4], 60h
.text:004691FD mov cx, [ebp+var_48] ; 取var_48
.text:00469201 mov [ebp+var_198], cx ; 保存到这里
.text:00469208 mov [ebp+var_194], 1 ; 初值1
.text:00469211 mov [ebp+var_BC], 1 ; 初值1
.text:0046921A jmp short loc_469237
.text:0046921C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046921C
.text:0046921C loc_46921C: ; CODE XREF: sub_468060+1619j
.text:0046921C mov dx, [ebp+var_BC]
.text:00469223 add dx, [ebp+var_194]
.text:0046922A jo loc_469788
.text:00469230 mov [ebp+var_BC], dx ; 当前索引加1
.text:00469237
.text:00469237 loc_469237: ; CODE XREF: sub_468060+11BAj
.text:00469237 mov ax, [ebp+var_BC]
.text:0046923E cmp ax, [ebp+var_198] ; 大于var_48则跳
.text:00469245 jg loc_46967E
.text:0046924B mov [ebp+var_4], 61h
.text:00469252 movsx ecx, [ebp+var_BC] ; 取当前索引
.text:00469259 mov [ebp+var_15C], ecx ; 保存到这里
.text:0046925F cmp [ebp+var_15C], 11h
.text:00469266 jnb short loc_469274
.text:00469268 mov [ebp+var_234], 0
.text:00469272 jmp short loc_469280
.text:00469274 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00469274
.text:00469274 loc_469274: ; CODE XREF: sub_468060+1206j
.text:00469274 call ds:__vbaGenerateBoundsError
.text:0046927A mov [ebp+var_234], eax
.text:00469280
.text:00469280 loc_469280: ; CODE XREF: sub_468060+1212j
.text:00469280 movsx edx, [ebp+var_BC] ; 取当前索引
.text:00469287 mov [ebp+var_160], edx ; 保存到这里
.text:0046928D cmp [ebp+var_160], 11h
.text:00469294 jnb short loc_4692A2
.text:00469296 mov [ebp+var_238], 0
.text:004692A0 jmp short loc_4692AE
.text:004692A2 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004692A2
.text:004692A2 loc_4692A2: ; CODE XREF: sub_468060+1234j
.text:004692A2 call ds:__vbaGenerateBoundsError
.text:004692A8 mov [ebp+var_238], eax
.text:004692AE
.text:004692AE loc_4692AE: ; CODE XREF: sub_468060+1240j
.text:004692AE movsx eax, [ebp+var_BC] ; 取当前索引
.text:004692B5 mov [ebp+index_158], eax ; 保存到这里
.text:004692BB cmp [ebp+index_158], 11h
.text:004692C2 jnb short loc_4692D0
.text:004692C4 mov [ebp+var_23C], 0
.text:004692CE jmp short loc_4692DC
.text:004692D0 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004692D0
.text:004692D0 loc_4692D0: ; CODE XREF: sub_468060+1262j
.text:004692D0 call ds:__vbaGenerateBoundsError
.text:004692D6 mov [ebp+var_23C], eax
.text:004692DC
.text:004692DC loc_4692DC: ; CODE XREF: sub_468060+126Ej
.text:004692DC mov ecx, [ebp+var_15C] ; 当前索引
.text:004692E2 mov edx, [ebp+var_80] ; 数组3地址
.text:004692E5 mov eax, [ebp+var_160] ; 当前索引
.text:004692EB mov esi, [ebp+var_34] ; 数组1地址
.text:004692EE mov cx, [edx+ecx*2] ; 取数组3一个元素
.text:004692F2 xor cx, [esi+eax*2] ; 和数组1一个元素异或
.text:004692F6 mov edx, [ebp+index_158] ; 当前索引
.text:004692FC mov eax, [ebp+var_80] ; 数组3地址
.text:004692FF mov [eax+edx*2], cx ; 保存到数组3
.text:00469303 mov [ebp+var_4], 62h
.text:0046930A movsx ecx, [ebp+var_BC] ; 取当前索引
.text:00469311 mov [ebp+index_158], ecx ; 保存到这里
.text:00469317 cmp [ebp+index_158], 11h
.text:0046931E jnb short loc_46932C
.text:00469320 mov [ebp+var_240], 0
.text:0046932A jmp short loc_469338
.text:0046932C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046932C
.text:0046932C loc_46932C: ; CODE XREF: sub_468060+12BEj
.text:0046932C call ds:__vbaGenerateBoundsError
.text:00469332 mov [ebp+var_240], eax
.text:00469338
.text:00469338 loc_469338: ; CODE XREF: sub_468060+12CAj
.text:00469338 movsx edx, [ebp+var_BC] ; 取当前索引
.text:0046933F mov [ebp+var_15C], edx ; 保存到这里
.text:00469345 cmp [ebp+var_15C], 11h
.text:0046934C jnb short loc_46935A
.text:0046934E mov [ebp+var_244], 0
.text:00469358 jmp short loc_469366
.text:0046935A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046935A
.text:0046935A loc_46935A: ; CODE XREF: sub_468060+12ECj
.text:0046935A call ds:__vbaGenerateBoundsError
.text:00469360 mov [ebp+var_244], eax
.text:00469366
.text:00469366 loc_469366: ; CODE XREF: sub_468060+12F8j
.text:00469366 mov eax, [ebp+index_158] ; 当前索引
.text:0046936C mov ecx, [ebp+var_D0] ; 数组5地址
.text:00469372 mov edx, [ebp+var_15C] ; 当前索引
.text:00469378 mov esi, [ebp+var_80] ; 数组3地址
.text:0046937B mov ax, [ecx+eax*2] ; 取数组5一个元素
.text:0046937F xor ax, [esi+edx*2] ; 和数组3一个元素异或
.text:00469383 mov cx, ax
.text:00469386 and cx, 1FFh ; 模512
.text:0046938B jns short loc_469396
.text:0046938D dec cx
.text:0046938F or cx, 0FE00h
.text:00469394 inc cx
.text:00469396
.text:00469396 loc_469396: ; CODE XREF: sub_468060+132Bj
.text:00469396 sub cx, [ebp+mysum_B4] ; 减去var_b4
.text:0046939D jo loc_469788
.text:004693A3 call ds:__vbaI2Abs ; 取绝对值
.text:004693A9 mov word ptr [ebp+var_E8], ax ; 保存到var_e8
.text:004693B0 mov [ebp+var_4], 63h
.text:004693B7 cmp [ebp+var_EC], 3
.text:004693BF jnz loc_4695D5 ; var_ec不等于3则跳
.text:004693C5 mov [ebp+var_4], 64h
.text:004693CC cmp word ptr [ebp+var_E8], 10h
.text:004693D4 jge loc_46948D ; 绝对值大于等于16则跳
.text:004693DA mov [ebp+var_4], 65h
.text:004693E1 mov [ebp+var_138], offset a0 ; "0"
.text:004693EB mov [ebp+var_140], 8 ; var_140 = "0"
.text:004693F5 lea ecx, [ebp+var_E8]
.text:004693FB mov [ebp+var_128], ecx
.text:00469401 mov [ebp+var_130], 4002h
.text:0046940B lea edx, [ebp+var_130] ; 绝对值
.text:00469411 push edx
.text:00469412 lea eax, [ebp+var_110]
.text:00469418 push eax
.text:00469419 call ds:rtcHexVarFromVar ; Hex(绝对值)
.text:0046941F lea ecx, [ebp+var_50] ; var_50
.text:00469422 push ecx
.text:00469423 movsx edx, [ebp+var_FC] ; 位置
.text:0046942A push edx
.text:0046942B push 2 ; 长度
.text:0046942D lea eax, [ebp+var_140] ; "0"
.text:00469433 push eax
.text:00469434 lea ecx, [ebp+var_110] ; 绝对值转成的十六进制字符串
.text:0046943A push ecx
.text:0046943B lea edx, [ebp+var_120]
.text:00469441 push edx
.text:00469442 call ds:__vbaVarCat
.text:00469448 push eax
.text:00469449 call ds:__vbaStrVarMove
.text:0046944F mov edx, eax
.text:00469451 lea ecx, [ebp+var_100] ; 保存到这里
.text:00469457 call ds:__vbaStrMove
.text:0046945D push eax
.text:0046945E push 0
.text:00469460 call ds:__vbaMidStmtBstr ; Mid(var50,var_fc,2) = "0" & hex(绝对值)
.text:00469466 lea ecx, [ebp+var_100]
.text:0046946C call ds:__vbaFreeStr
.text:00469472 lea eax, [ebp+var_120]
.text:00469478 push eax
.text:00469479 lea ecx, [ebp+var_110]
.text:0046947F push ecx
.text:00469480 push 2
.text:00469482 call ds:__vbaFreeVarList
.text:00469488 add esp, 0Ch
.text:0046948B jmp short loc_469508
.text:0046948D ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046948D
.text:0046948D loc_46948D: ; CODE XREF: sub_468060+1374j
.text:0046948D mov [ebp+var_4], 67h
.text:00469494 lea edx, [ebp+var_E8] ; 取绝对值
.text:0046949A mov [ebp+var_128], edx
.text:004694A0 mov [ebp+var_130], 4002h
.text:004694AA lea eax, [ebp+var_130]
.text:004694B0 push eax
.text:004694B1 lea ecx, [ebp+var_110]
.text:004694B7 push ecx
.text:004694B8 call ds:rtcHexVarFromVar ; Hex(绝对值)
.text:004694BE lea edx, [ebp+var_50]
.text:004694C1 push edx
.text:004694C2 movsx eax, [ebp+var_FC] ; 位置
.text:004694C9 push eax
.text:004694CA push 2 ; 长度
.text:004694CC lea ecx, [ebp+var_110]
.text:004694D2 push ecx
.text:004694D3 call ds:__vbaStrVarMove
.text:004694D9 mov edx, eax
.text:004694DB lea ecx, [ebp+var_100]
.text:004694E1 call ds:__vbaStrMove
.text:004694E7 push eax
.text:004694E8 push 0
.text:004694EA call ds:__vbaMidStmtBstr ; mid(var50,var_fc,2) = hex(绝对值)
.text:004694F0 lea ecx, [ebp+var_100]
.text:004694F6 call ds:__vbaFreeStr
.text:004694FC lea ecx, [ebp+var_110]
.text:00469502 call ds:__vbaFreeVar
.text:00469508
.text:00469508 loc_469508: ; CODE XREF: sub_468060+142Bj
.text:00469508 mov [ebp+var_4], 69h
.text:0046950F cmp [ebp+var_F4], 2
.text:00469517 jnz short loc_469571 ; var_f4不等于2则跳
.text:00469519 cmp [ebp+var_FC], 12h
.text:00469521 jge short loc_469571 ; var_fc大于等于18则跳
.text:00469523 mov [ebp+var_4], 6Ah
.text:0046952A mov dx, [ebp+var_FC]
.text:00469531 add dx, 1
.text:00469535 jo loc_469788
.text:0046953B mov [ebp+var_FC], dx ; var_fc加1
.text:00469542 mov [ebp+var_4], 6Bh
.text:00469549 lea eax, [ebp+var_50]
.text:0046954C push eax
.text:0046954D mov cx, [ebp+var_FC] ; 取var_fc
.text:00469554 add cx, 1 ; 加1
.text:00469558 jo loc_469788
.text:0046955E movsx edx, cx ; 保存到edx
.text:00469561 push edx
.text:00469562 push 1
.text:00469564 push offset asc_40D030 ; "-"
.text:00469569 push 0
.text:0046956B call ds:__vbaMidStmtBstr ; mid(var_50,var_fc+1,1) = "-"
.text:00469571
.text:00469571 loc_469571: ; CODE XREF: sub_468060+14B7j
.text:00469571 ; sub_468060+14C1j
.text:00469571 mov [ebp+var_4], 6Dh
.text:00469578 mov ax, [ebp+var_FC]
.text:0046957F add ax, 2
.text:00469583 jo loc_469788
.text:00469589 mov [ebp+var_FC], ax ; var_fc 加2
.text:00469590 mov [ebp+var_4], 6Eh
.text:00469597 mov cx, [ebp+var_F4]
.text:0046959E add cx, 1
.text:004695A2 jo loc_469788
.text:004695A8 mov [ebp+var_F4], cx ; var_f4 加1
.text:004695AF mov [ebp+var_4], 6Fh
.text:004695B6 cmp [ebp+var_F4], 3
.text:004695BE jnz short loc_4695D0
.text:004695C0 mov [ebp+var_4], 70h
.text:004695C7 mov [ebp+var_F4], 1 ; var_f4等于3则赋值1
.text:004695D0
.text:004695D0 loc_4695D0: ; CODE XREF: sub_468060+155Ej
.text:004695D0 jmp loc_469672
.text:004695D5 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004695D5
.text:004695D5 loc_4695D5: ; CODE XREF: sub_468060+135Fj
.text:004695D5 mov [ebp+var_4], 73h
.text:004695DC movsx edx, word ptr [ebp+var_E8] ; 取绝对值
.text:004695E3 mov [ebp+index_158], edx ; 保存到var_158
.text:004695E9 cmp [ebp+index_158], 201h
.text:004695F3 jnb short loc_469601
.text:004695F5 mov [ebp+var_248], 0
.text:004695FF jmp short loc_46960D
.text:00469601 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00469601
.text:00469601 loc_469601: ; CODE XREF: sub_468060+1593j
.text:00469601 call ds:__vbaGenerateBoundsError
.text:00469607 mov [ebp+var_248], eax
.text:0046960D
.text:0046960D loc_46960D: ; CODE XREF: sub_468060+159Fj
.text:0046960D mov eax, [ebp+index_158] ; 绝对值
.text:00469613 mov ecx, [ebp+var_64] ; 数组2地址
.text:00469616 movsx edx, word ptr [ecx+eax*2] ; 取数组2一个元素
.text:0046961A push edx
.text:0046961B lea eax, [ebp+var_110]
.text:00469621 push eax
.text:00469622 call ds:rtcVarBstrFromAnsi
.text:00469628 lea ecx, [ebp+var_50] ; 源字符串
.text:0046962B push ecx
.text:0046962C movsx edx, [ebp+var_BC] ; 当前索引作为位置
.text:00469633 push edx
.text:00469634 push 1 ; 长度
.text:00469636 lea eax, [ebp+var_110]
.text:0046963C push eax
.text:0046963D call ds:__vbaStrVarMove
.text:00469643 mov edx, eax
.text:00469645 lea ecx, [ebp+var_100] ; 数组2的一个元素
.text:0046964B call ds:__vbaStrMove
.text:00469651 push eax
.text:00469652 push 0
.text:00469654 call ds:__vbaMidStmtBstr ; mid(var_50,var_bc,1) = array2(绝对值)
.text:0046965A lea ecx, [ebp+var_100]
.text:00469660 call ds:__vbaFreeStr
.text:00469666 lea ecx, [ebp+var_110]
.text:0046966C call ds:__vbaFreeVar
.text:00469672
.text:00469672 loc_469672: ; CODE XREF: sub_468060+1570j
.text:00469672 mov [ebp+var_4], 75h
.text:00469679 jmp loc_46921C
.text:0046967E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046967E
.text:0046967E loc_46967E: ; CODE XREF: sub_468060+11E5j
.text:0046967E mov [ebp+var_4], 76h
.text:00469685 mov edx, [ebp+var_50]
.text:00469688 lea ecx, [ebp+var_B0] ; 结果拷贝到这里
.text:0046968E call ds:__vbaStrCopy
.text:00469694 wait
.text:00469695 push offset loc_46976F
.text:0046969A jmp short loc_4696D8
.text:0046969C ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046969C mov ecx, [ebp+var_10]
.text:0046969F and ecx, 4
.text:004696A2 test ecx, ecx
.text:004696A4 jz short loc_4696B2
.text:004696A6 lea ecx, [ebp+var_B0]
.text:004696AC call ds:__vbaFreeStr
.text:004696B2
.text:004696B2 loc_4696B2: ; CODE XREF: sub_468060+1644j
.text:004696B2 lea ecx, [ebp+var_100]
.text:004696B8 call ds:__vbaFreeStr
.text:004696BE lea edx, [ebp+var_120]
.text:004696C4 push edx
.text:004696C5 lea eax, [ebp+var_110]
.text:004696CB push eax
.text:004696CC push 2
.text:004696CE call ds:__vbaFreeVarList
.text:004696D4 add esp, 0Ch
.text:004696D7 retn
.text:004696D8 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004696D8
.text:004696D8 loc_4696D8: ; CODE XREF: sub_468060+163Aj
.text:004696D8 lea ecx, [ebp+array1_40]
.text:004696DB mov [ebp+var_144], ecx
.text:004696E1 lea edx, [ebp+var_144]
.text:004696E7 push edx
.text:004696E8 push 0
.text:004696EA call ds:__vbaAryDestruct
.text:004696F0 lea ecx, [ebp+var_50]
.text:004696F3 call ds:__vbaFreeStr
.text:004696F9 lea eax, [ebp+array2_70]
.text:004696FC mov [ebp+var_148], eax
.text:00469702 lea ecx, [ebp+var_148]
.text:00469708 push ecx
.text:00469709 push 0
.text:0046970B call ds:__vbaAryDestruct
.text:00469711 lea edx, [ebp+array3_8C]
.text:00469717 mov [ebp+var_14C], edx
.text:0046971D lea eax, [ebp+var_14C]
.text:00469723 push eax
.text:00469724 push 0
.text:00469726 call ds:__vbaAryDestruct
.text:0046972C lea ecx, [ebp+array4_A8]
.text:00469732 mov [ebp+var_150], ecx
.text:00469738 lea edx, [ebp+var_150]
.text:0046973E push edx
.text:0046973F push 0
.text:00469741 call ds:__vbaAryDestruct
.text:00469747 lea eax, [ebp+array5_DC]
.text:0046974D mov [ebp+var_154], eax
.text:00469753 lea ecx, [ebp+var_154]
.text:00469759 push ecx
.text:0046975A push 0
.text:0046975C call ds:__vbaAryDestruct
.text:00469762 lea ecx, [ebp+var_F8]
.text:00469768 call ds:__vbaFreeStr
.text:0046976E retn
.text:0046976F ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:0046976F
.text:0046976F loc_46976F: ; DATA XREF: sub_468060+1635o
.text:0046976F mov eax, [ebp+var_B0] ; 返回结果
.text:00469775 mov ecx, [ebp+var_20]
.text:00469778 mov large fs:0, ecx
.text:0046977F pop edi
.text:00469780 pop esi
.text:00469781 pop ebx
.text:00469782 mov esp, ebp
.text:00469784 pop ebp
.text:00469785 retn 8
.text:00469785 sub_468060 endp
.text:00469785
.text:00469788 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00469788
.text:00469788 loc_469788: ; CODE XREF: sub_468060+5ADj
.text:00469788 ; sub_468060+657j
.text:00469788 ; sub_468060+68Dj
.text:00469788 ; sub_468060+8ADj
.text:00469788 ; sub_468060+94Bj ...
.text:00469788 call ds:__vbaErrorOverflow
/////////////////////////////////////////////////////////////////////////////////////////
' Fragment reconstructed from loc_4691AC .. loc_46967E above: combines the two tables and
' writes the result into the output buffer.
' NOTE(review): hand transcription; the buffer is spelled both var50 and var_50 here.
dim mysum as integer
dim var_fc as integer
dim var_f4 as integer
' sum of both running totals, reduced mod 512
mysum = (arg0sum + s1sum) mod 512
' var_fc: write position in the buffer; var_f4: counter that alternates 1, 2
var_fc = 1
var_f4 = 1
for i = 1 to var_48
array3(i) = array3(i) xor array1(i)
tmpchar = (array5(i) xor array3(i)) mod 512 - mysum
tmpchar = abs(tmpchar)
if var_ec = 3 then
' mode 3: the value is written as hex text; values below 16 get a leading "0"
if tmpchar < 16 then
Mid(var50,var_fc,2) = ("0" & hex(tmpchar))
else
mid(var50,var_fc,2) = hex(tmpchar)
end if
' after every second value (while var_fc < 18) a "-" is written behind it
if var_f4 = 2 and var_fc < 18 then
var_fc = var_fc + 1
mid(var_50,var_fc+1,1) = "-"
end if
var_fc = var_fc + 2
var_f4 = var_f4 + 1
if var_f4 = 3 then var_f4 = 1
else
' other modes: the value indexes array2 and one character is written at position i
mid(var_50,i,1) = chr(array2(tmpchar))
end if
next i
//////////////////////////////////////////////////////////////////////////////////
看来得整理一下:
function fun468060(byval arg0 as string,byval arg1 as integer) as string
' Author's consolidated reconstruction of sub_468060.
' Derives the returned string var_50 from arg0 and the mode arg1:
'   arg1 <= 0 is treated as mode 2;
'   mode 1: 16-character result, array2 filled with the codes of "0".."9";
'   mode 2: 16-character result, array2 filled alternately with the codes of "A".."Z" and "0".."9";
'   any other mode: 19-character buffer, 8 values written as hex text with "-" separators.
' NOTE(review): hand transcription, not checked to compile (it mixes var50 / var_50 and
' endif / end if).
' NOTE(review): the only inputs are arg0, arg1 and constants embedded in the routine (s1, array1,
' the two XOR constants), so the result is reproducible by anyone holding the binary; a check
' built on it carries no secret that stays with the vendor.
' array indices are 0-based
dim array1(16) as integer
dim array2(512) as integer
dim array3(16) as integer
dim array4(512) as integer
dim array5(16) as integer
dim s1 as string
dim s1len as long
dim arg0len as long
dim var_ec as integer
dim i as integer
dim tmpsum as integer
dim tmpvar as integer
dim var_48 as integer
dim var_50 as string
dim j as integer
dim tmpi as integer
dim tmpj as integer
dim isd as boolean
dim tmpchar as integer
dim arg0sum as integer
dim s1sum as integer
dim mysum as integer
dim var_fc as integer
dim var_f4 as integer
' fixed string that is mixed in together with arg0
s1 = "lxhsxyloveforever"
arg0len = len(arg0)
s1len = len(s1)
' mode selection: non-positive arg1 falls back to mode 2
if arg1 <= 0 then
var_ec = 2
else
var_ec = arg1
endif
' fixed 16-entry constant table (slot 0 is left at its default)
array1(1) = &h28
array1(2) = &h53
array1(3) = &h84
array1(4) = &h45
array1(5) = &hed
array1(6) = &h25
array1(7) = &h76
array1(8) = &h37
array1(9) = &h17
array1(10) = &h5b
array1(11) = &hf2
array1(12) = &h2f
array1(13) = &h82
array1(14) = &h3b
array1(15) = &h47
array1(16) = &ha8
' array4 starts as the identity 0..512 ...
for i = 0 to 512
array4(i) = i
next i
' ... and is then shuffled with fixed swaps: entry i is exchanged with entry tmpsum,
' where tmpsum is the running sum of i reduced mod 256
tmpsum = 0
for i = 0 to 512
tmpsum = (tmpsum + i) mod 256
tmpvar = array4(i)
array4(i) = array4(tmpsum)
array4(tmpsum) = tmpvar
next i
if var_ec = 1 then
var_50 = string(16," ")
var_48 = 16
tmpi = 0
' mode 1: array2, addressed through the shuffled array4, cycles through &h30..&h39 ("0".."9")
for i = 0 to 512
j = array4(i)
array2(j) = tmpi + &h30
tmpi = tmpi + 1
if tmpi = 10 then tmpi = 0
next i
elseif var_ec = 2 then
var_50 = string(16," ")
var_48 = 16
isd = false
tmpi = 0
tmpj = 0
' mode 2: isd toggles each step, so entries alternate between a letter code
' (&h41 + 0..25, "A".."Z") and a digit code (&h30 + 0..9)
for i = 0 to 512
if isd then
j = array4(i)
array2(j) = tmpi + &h30
tmpi = tmpi + 1
if tmpi = 10 then tmpi = 0
isd = false
else
j = array4(i)
array2(j) = tmpj + &h41
tmpj = tmpj + 1
if tmpj = 26 then tmpj = 0
isd = true
endif
next i
else
' remaining modes: 19-character buffer and 8 loop iterations; array2 is not filled
var_50 = string(19," ")
var_48 = 8
endif
' fold the characters of arg0 into array5 (slots 1..8, cyclic), XOR constant &H12
j = 1
for i = 1 to arg0len
tmpchar = asc(mid(arg0,i,1))
array5(j) = (array5(j) + tmpchar) xor &H12
arg0sum = arg0sum + array5(j)
j = j + 1
if j = 9 then j = 1
next i
' fold the characters of s1 into array3, XOR constant &H19; j carries over from the loop above
for i = 1 to s1len
tmpchar = asc(mid(s1,i,1))
array3(j) = (array3(j) + tmpchar) xor &H19
s1sum = s1sum + array3(j)
j = j + 1
if j = 9 then j = 1
next i
' both running sums, reduced mod 512
mysum = (arg0sum + s1sum) mod 512
' var_fc: write position in the buffer; var_f4: counter that alternates 1, 2
var_fc = 1
var_f4 = 1
for i = 1 to var_48
array3(i) = array3(i) xor array1(i)
tmpchar = (array5(i) xor array3(i)) mod 512 - mysum
tmpchar = abs(tmpchar)
if var_ec = 3 then
' mode 3: the value is written as hex text; values below 16 get a leading "0"
if tmpchar < 16 then
Mid(var50,var_fc,2) = ("0" & hex(tmpchar))
else
mid(var50,var_fc,2) = hex(tmpchar)
end if
' after every second value (while var_fc < 18) a "-" is written behind it
if var_f4 = 2 and var_fc < 18 then
var_fc = var_fc + 1
mid(var_50,var_fc+1,1) = "-"
end if
var_fc = var_fc + 2
var_f4 = var_f4 + 1
if var_f4 = 3 then var_f4 = 1
else
' other modes: the value indexes array2 and one character is written at position i
mid(var_50,i,1) = chr(array2(tmpchar))
end if
next i
fun468060 = var_50
end function
下面该看看对用户名做第一次变换的函数fun4678D0了。由于这个函数里使用了浮点数,为了省去麻烦,我用long型等价代替了。
; strFun1_4678D0: first transformation applied to the string in arg_0 (the user name,
; per the author). It initialises the global table, converts the string twice with
; sub_467CD0, converts the literal "ffg" the same way (6666), computes
; value + (value mod 6666) and passes that double to ToInt36_4679D0.
; The resulting string is returned in eax (loaded from [ebp-1Ch] at loc_4679A7).
text:004678D0 strFun1_4678D0 proc near ; CODE XREF: sub_464EF0+D6p
.text:004678D0
.text:004678D0 var_54 = qword ptr -54h
.text:004678D0 var_4C = dword ptr -4Ch
.text:004678D0 var_40 = qword ptr -40h
.text:004678D0 var_38 = qword ptr -38h
.text:004678D0 var_30 = qword ptr -30h
.text:004678D0 var_28 = qword ptr -28h
.text:004678D0 var_20 = dword ptr -20h
.text:004678D0 var_1C = dword ptr -1Ch
.text:004678D0 var_C = dword ptr -0Ch
.text:004678D0 var_8 = dword ptr -8
.text:004678D0 arg_0 = dword ptr 8
.text:004678D0
.text:004678D0 push ebp
.text:004678D1 mov ebp, esp
.text:004678D3 sub esp, 0Ch
.text:004678D6 push offset loc_4020A6
.text:004678DB mov eax, large fs:0
.text:004678E1 push eax
.text:004678E2 mov large fs:0, esp
.text:004678E9 sub esp, 40h
.text:004678EC push ebx
.text:004678ED push esi
.text:004678EE push edi
.text:004678EF mov [ebp+var_C], esp
.text:004678F2 mov [ebp+var_8], offset dword_401DD8
.text:004678F9 xor eax, eax
.text:004678FB mov [ebp+var_1C], eax
.text:004678FE mov [ebp+var_20], eax
.text:00467901 mov dword ptr [ebp+var_28], eax
.text:00467904 mov dword ptr [ebp+var_28+4], eax
.text:00467907 call sub_467F80 ; initialise the global lookup table
.text:0046790C mov esi, [ebp+arg_0] ; load the user name
.text:0046790F push esi
.text:00467910 call sub_467CD0 ; convert to a base-36 value (floating point)
.text:00467915 fstp [ebp+var_30] ; save the result
.text:00467918 push esi ; the user name again
.text:00467919 call sub_467CD0 ; convert to a base-36 value (floating point)
.text:0046791E fstp [ebp+var_38] ; save the result
.text:00467921 mov edx, offset aFfg ; "ffg"
.text:00467926 lea ecx, [ebp+var_20]
.text:00467929 call ds:__vbaStrCopy ; copy "ffg"
.text:0046792F lea eax, [ebp+var_20]
.text:00467932 push eax
.text:00467933 call sub_467CD0 ; convert to a base-36 value (floating point)
.text:00467938 fstp [ebp+var_40] ; the result is stored here: 6666.0
.text:0046793B fld [ebp+var_40]
.text:0046793E mov esi, ds:__vbaFpI4
.text:00467944 call esi ; __vbaFpI4
.text:00467946 fld [ebp+var_38]
.text:00467949 mov edi, eax ; converted to the integer 6666
.text:0046794B call esi ; __vbaFpI4 ; convert the user-name value to an integer
.text:0046794D cdq
.text:0046794E idiv edi ; divide by 6666
.text:00467950 lea ecx, [ebp+var_28]
.text:00467953 push ecx
.text:00467954 mov [ebp+var_4C], edx ; save the remainder
.text:00467957 fild [ebp+var_4C]
.text:0046795A fstp [ebp+var_54]
.text:0046795D fld [ebp+var_54]
.text:00467960 fadd [ebp+var_30] ; add the result of the first conversion
.text:00467963 fstp [ebp+var_28] ; i.e. (user-name value mod 6666) + user-name value
.text:00467966 fnstsw ax
.text:00467968 test al, 0Dh
.text:0046796A jnz short loc_4679BD
.text:0046796C call ToInt36_4679D0 ; convert to a base-36 string; the digits come from the global table (per the author)
.text:00467971 mov edx, eax
.text:00467973 lea ecx, [ebp+var_1C]
.text:00467976 call ds:__vbaStrMove
.text:0046797C lea ecx, [ebp+var_20]
.text:0046797F call ds:__vbaFreeStr
.text:00467985 wait
.text:00467986 push offset loc_4679A7
.text:0046798B jmp short locret_4679A6
.text:0046798D ; ---------------------------------------------------------------------------
.text:0046798D test byte ptr [ebp-4], 4
.text:00467991 jz short loc_46799C
.text:00467993 lea ecx, [ebp-1Ch]
.text:00467996 call ds:__vbaFreeStr
.text:0046799C
.text:0046799C loc_46799C: ; CODE XREF: strFun1_4678D0+C1j
.text:0046799C lea ecx, [ebp+var_20]
.text:0046799F call ds:__vbaFreeStr
.text:004679A5 retn
.text:004679A6 ; ---------------------------------------------------------------------------
.text:004679A6
.text:004679A6 locret_4679A6: ; CODE XREF: strFun1_4678D0+BBj
.text:004679A6 retn
.text:004679A7 ; ---------------------------------------------------------------------------
.text:004679A7
.text:004679A7 loc_4679A7: ; DATA XREF: strFun1_4678D0+B6o
.text:004679A7 mov ecx, [ebp-14h]
.text:004679AA mov eax, [ebp-1Ch]
.text:004679AD pop edi
.text:004679AE pop esi
.text:004679AF mov large fs:0, ecx
.text:004679B6 pop ebx
.text:004679B7 mov esp, ebp
.text:004679B9 pop ebp
.text:004679BA retn 4
.text:004679BD ; ---------------------------------------------------------------------------
.text:004679BD
.text:004679BD loc_4679BD: ; CODE XREF: strFun1_4678D0+9Aj
.text:004679BD jmp loc_4020AC
.text:004679BD strFun1_4678D0 endp
////////////////////////////////////////////////////////////////////////////////////////////
' Author's reconstruction of strFun1_4678D0, with Long standing in for the doubles
' that the disassembly uses.
function fun4678d0(a as string) as string
dim tmpl as long
' fun1 fills the global base-36 digit table (qarray)
fun1
' Mod binds tighter than + in VB, so this is fun2(a) + (fun2(a) mod fun2("ffg"));
' the disassembly comments give the value for "ffg" as 6666
tmpl = fun2(a) + fun2(a) mod fun2("ffg")
' fun3 is not shown in this part; presumably the reconstruction of ToInt36_4679D0 - confirm
fun4678d0 = fun3(tmpl)
end function
////////////////////////////////////////////////////////////////////////////////////////////
下面是fun4678d0用到的子函数:
================================================================================================
; sub_467F80: initialises the global lookup table. The 36-character string
; "abcdefghijklmnopqrstuvwxyz1234567890" is run through StrConv with conversion 80h,
; the result is moved into the global array array_46B040, and the value 24h (36)
; is stored in byte_46B044. It takes no arguments (plain retn).
text:00467F80 sub_467F80 proc near ; CODE XREF: strFun1_4678D0+37p
.text:00467F80
.text:00467F80 var_44 = dword ptr -44h
.text:00467F80 var_3C = dword ptr -3Ch
.text:00467F80 var_34 = dword ptr -34h
.text:00467F80 var_30 = dword ptr -30h
.text:00467F80 var_20 = dword ptr -20h
.text:00467F80 var_10 = dword ptr -10h
.text:00467F80 var_8 = dword ptr -8
.text:00467F80 var_4 = dword ptr -4
.text:00467F80
.text:00467F80 push ebp
.text:00467F81 mov ebp, esp
.text:00467F83 sub esp, 8
.text:00467F86 push offset loc_4020A6
.text:00467F8B mov eax, large fs:0
.text:00467F91 push eax
.text:00467F92 mov large fs:0, esp
.text:00467F99 sub esp, 38h
.text:00467F9C push ebx
.text:00467F9D push esi
.text:00467F9E push edi
.text:00467F9F mov [ebp+var_8], esp
.text:00467FA2 mov [ebp+var_4], offset dword_401E18
.text:00467FA9 xor esi, esi
.text:00467FAB lea edx, [ebp+var_44]
.text:00467FAE lea ecx, [ebp+var_20]
.text:00467FB1 mov [ebp+var_20], esi
.text:00467FB4 mov [ebp+var_30], esi
.text:00467FB7 mov [ebp+var_34], esi
.text:00467FBA mov [ebp+var_3C], offset aAbcdefghijklmn ; "abcdefghijklmnopqrstuvwxyz1234567890"
.text:00467FC1 mov [ebp+var_44], 8 ; variant type 8 (string)
.text:00467FC8 call ds:__vbaVarDup
.text:00467FCE push esi
.text:00467FCF lea eax, [ebp+var_20]
.text:00467FD2 push 80h ; 80h = vbFromUnicode
.text:00467FD7 lea ecx, [ebp+var_30]
.text:00467FDA push eax
.text:00467FDB push ecx
.text:00467FDC call ds:rtcStrConvVar2 ; StrConv(alphabet, vbFromUnicode)
.text:00467FE2 lea edx, [ebp+var_30]
.text:00467FE5 lea eax, [ebp+var_34]
.text:00467FE8 push edx
.text:00467FE9 push eax
.text:00467FEA call ds:__vbaVar2Vec
.text:00467FF0 lea ecx, [ebp+var_34]
.text:00467FF3 push ecx
.text:00467FF4 push offset array_46B040
.text:00467FF9 call ds:__vbaAryMove ; move the converted array into the global array_46B040
.text:00467FFF lea edx, [ebp+var_30]
.text:00468002 lea eax, [ebp+var_20]
.text:00468005 push edx
.text:00468006 push eax
.text:00468007 push 2
.text:00468009 call ds:__vbaFreeVarList
.text:0046800F add esp, 0Ch
.text:00468012 mov ecx, 24h ; 24h = 36
.text:00468017 call ds:__vbaUI1I2
.text:0046801D mov byte_46B044, al ; global table length = 36
.text:00468022 push offset loc_46804A
.text:00468027 jmp short locret_468049
.text:00468029 ; ---------------------------------------------------------------------------
.text:00468029 lea ecx, [ebp+var_30]
.text:0046802C lea edx, [ebp+var_20]
.text:0046802F push ecx
.text:00468030 push edx
.text:00468031 push 2
.text:00468033 call ds:__vbaFreeVarList
.text:00468039 add esp, 0Ch
.text:0046803C lea eax, [ebp+var_34]
.text:0046803F push eax
.text:00468040 push 0
.text:00468042 call ds:__vbaAryDestruct
.text:00468048 retn
.text:00468049 ; ---------------------------------------------------------------------------
.text:00468049
.text:00468049 locret_468049: ; CODE XREF: sub_467F80+A7j
.text:00468049 retn
.text:0046804A ; ---------------------------------------------------------------------------
.text:0046804A
.text:0046804A loc_46804A: ; DATA XREF: sub_467F80+A2o
.text:0046804A mov ecx, [ebp+var_10]
.text:0046804D pop edi
.text:0046804E pop esi
.text:0046804F mov large fs:0, ecx
.text:00468056 pop ebx
.text:00468057 mov esp, ebp
.text:00468059 pop ebp
.text:0046805A retn
.text:0046805A sub_467F80 endp
////////////////////////////////////////////////////////////////////////
' Author's reconstruction of sub_467F80.
' qarray mirrors the global array_46B040, qarraylen mirrors byte_46B044.
dim qarray() as byte
dim qarraylen
' Fills qarray with the ANSI bytes of the 36-character digit alphabet and records its length.
' Nothing is assigned to the function name, so callers use it only for this side effect.
function fun1()
dim tmp as string
tmp = "abcdefghijklmnopqrstuvwxyz1234567890"
' vbFromUnicode corresponds to the 80h pushed before rtcStrConvVar2 in the disassembly
qarray = strconv(tmp,vbFromUnicode)
qarraylen = 36
end function
////////////////////////////////////////////////////////////////////////
; sub_467CD0: converts the string passed by reference in arg_0 into a number. Each
; character is looked up in the global table array_46B040, and its index is used as a
; digit whose weight is byte_46B044 (36) raised to (length - position), so the first
; character is the most significant digit. All arithmetic is done in doubles; the
; result is returned on the FPU stack (fld at loc_467F52).
; The digit index var_4C is zeroed once at entry and only written on a match, so a
; character that is not in the table reuses the index of the previous character.
.text:00467CD0 sub_467CD0 proc near ; CODE XREF: sub_463CE0+54p
.text:00467CD0 ; sub_463CE0+78p
.text:00467CD0 ; sub_464170+54p
.text:00467CD0 ; sub_464170+78p
.text:00467CD0 ; sub_464260+54p ...
.text:00467CD0
.text:00467CD0 var_D0 = qword ptr -0D0h
.text:00467CD0 var_C8 = dword ptr -0C8h
.text:00467CD0 var_C4 = dword ptr -0C4h
.text:00467CD0 var_C0 = dword ptr -0C0h
.text:00467CD0 var_BC = dword ptr -0BCh
.text:00467CD0 var_B4 = qword ptr -0B4h
.text:00467CD0 var_AC = qword ptr -0ACh
.text:00467CD0 var_A4 = qword ptr -0A4h
.text:00467CD0 var_9C = qword ptr -9Ch
.text:00467CD0 var_80 = dword ptr -80h
.text:00467CD0 var_78 = dword ptr -78h
.text:00467CD0 var_70 = dword ptr -70h
.text:00467CD0 var_60 = dword ptr -60h
.text:00467CD0 var_58 = dword ptr -58h
.text:00467CD0 var_50 = dword ptr -50h
.text:00467CD0 var_4C = qword ptr -4Ch
.text:00467CD0 var_44 = qword ptr -44h
.text:00467CD0 var_38 = qword ptr -38h
.text:00467CD0 var_30 = qword ptr -30h
.text:00467CD0 var_28 = dword ptr -28h
.text:00467CD0 var_24 = dword ptr -24h
.text:00467CD0 var_20 = qword ptr -20h
.text:00467CD0 var_18 = qword ptr -18h
.text:00467CD0 var_8 = dword ptr -8
.text:00467CD0 var_4 = dword ptr -4
.text:00467CD0 arg_0 = dword ptr 8
.text:00467CD0
.text:00467CD0 push ebp
.text:00467CD1 mov ebp, esp
.text:00467CD3 sub esp, 8
.text:00467CD6 push offset loc_4020A6
.text:00467CDB mov eax, large fs:0
.text:00467CE1 push eax
.text:00467CE2 mov large fs:0, esp
.text:00467CE9 sub esp, 0C0h
.text:00467CEF push ebx
.text:00467CF0 push esi
.text:00467CF1 push edi
.text:00467CF2 mov [ebp+var_8], esp
.text:00467CF5 mov [ebp+var_4], offset dword_401E08
.text:00467CFC mov ebx, [ebp+arg_0] ; arg_0: the input string (the user name, per the author)
.text:00467CFF mov esi, ds:__vbaLenBstr
.text:00467D05 xor edi, edi
.text:00467D07 mov eax, [ebx]
.text:00467D09 mov dword ptr [ebp+var_38], edi
.text:00467D0C push eax
.text:00467D0D mov dword ptr [ebp+var_38+4], edi
.text:00467D10 mov dword ptr [ebp+var_4C], edi
.text:00467D13 mov dword ptr [ebp+var_4C+4], edi
.text:00467D16 mov [ebp+var_50], edi
.text:00467D19 mov [ebp+var_60], edi
.text:00467D1C mov [ebp+var_70], edi
.text:00467D1F mov [ebp+var_80], edi
.text:00467D22 call esi ; __vbaLenBstr ; get the length
.text:00467D24 mov ecx, [ebx]
.text:00467D26 mov [ebp+var_BC], eax
.text:00467D2C fild [ebp+var_BC]
.text:00467D32 push ecx
.text:00467D33 fstp [ebp+var_30] ; the length is stored here as a floating-point value
.text:00467D36 call esi ; __vbaLenBstr
.text:00467D38 mov [ebp+var_C0], eax ; the length is stored here as an integer
.text:00467D3E mov esi, 3FF00000h ; 1.0
.text:00467D43 fild [ebp+var_C0]
.text:00467D49 mov dword ptr [ebp+var_9C], edi
.text:00467D4F mov dword ptr [ebp+var_18], edi
.text:00467D52 mov edi, ds:__vbaFpI4
.text:00467D58 mov dword ptr [ebp+var_9C+4], esi
.text:00467D5E fstp [ebp+var_A4] ; string length (loop limit)
.text:00467D64 mov dword ptr [ebp+var_18+4], esi ; loop counter, initial value 1.0
.text:00467D67
.text:00467D67 loc_467D67: ; CODE XREF: sub_467CD0+24Bj
.text:00467D67 fld [ebp+var_18]
.text:00467D6A fcomp [ebp+var_A4] ; test whether the loop is finished
.text:00467D70 fnstsw ax
.text:00467D72 test ah, 41h
.text:00467D75 jz loc_467F20 ; leave the loop once the counter exceeds the length
.text:00467D7B fld [ebp+var_18]
.text:00467D7E lea edx, [ebp+var_60] ; 1
.text:00467D81 mov [ebp+var_58], 1
.text:00467D88 push edx
.text:00467D89 mov [ebp+var_60], 2
.text:00467D90 mov [ebp+var_78], ebx
.text:00467D93 mov [ebp+var_80], 4008h
.text:00467D9A call edi ; __vbaFpI4
.text:00467D9C push eax
.text:00467D9D lea eax, [ebp+var_80]
.text:00467DA0 lea ecx, [ebp+var_70]
.text:00467DA3 push eax
.text:00467DA4 push ecx
.text:00467DA5 call ds:rtcMidCharVar ; take one character of the input string
.text:00467DAB lea edx, [ebp+var_70]
.text:00467DAE lea eax, [ebp+var_50]
.text:00467DB1 push edx
.text:00467DB2 push eax
.text:00467DB3 call ds:__vbaStrVarVal
.text:00467DB9 push eax
.text:00467DBA call ds:rtcAnsiValueBstr ; get its ASCII value
.text:00467DC0 mov ecx, eax
.text:00467DC2 call ds:__vbaUI1I2 ; convert to a byte
.text:00467DC8 lea ecx, [ebp+var_50]
.text:00467DCB mov bl, al
.text:00467DCD call ds:__vbaFreeStr
.text:00467DD3 lea ecx, [ebp+var_70]
.text:00467DD6 lea edx, [ebp+var_60]
.text:00467DD9 push ecx
.text:00467DDA push edx
.text:00467DDB push 2
.text:00467DDD call ds:__vbaFreeVarList
.text:00467DE3 movzx ax, byte_46B044 ; load the global table length
.text:00467DEB add esp, 0Ch
.text:00467DEE sub ax, 1 ; minus 1
.text:00467DF2 jo loc_467F6D
.text:00467DF8 movsx ecx, ax
.text:00467DFB mov [ebp+var_C4], ecx ; saved here
.text:00467E01 mov ecx, array_46B040 ; load the global array address
.text:00467E07 fild [ebp+var_C4]
.text:00467E0D xor eax, eax
.text:00467E0F mov dword ptr [ebp+var_AC+4], esi
.text:00467E15 mov dword ptr [ebp+var_AC], eax
.text:00467E1B mov dword ptr [ebp+var_20], eax
.text:00467E1E fstp [ebp+var_B4]
.text:00467E24 mov dword ptr [ebp+var_20+4], eax
.text:00467E27
.text:00467E27 loc_467E27: ; CODE XREF: sub_467CD0+1C4j
.text:00467E27 fld [ebp+var_20]
.text:00467E2A fcomp [ebp+var_B4]
.text:00467E30 fnstsw ax
.text:00467E32 test ah, 41h
.text:00467E35 jz short loc_467EA2
.text:00467E37 test ecx, ecx
.text:00467E39 jz short loc_467E6A
.text:00467E3B cmp word ptr [ecx], 1 ; check that the array is one-dimensional
.text:00467E3F jnz short loc_467E6A
.text:00467E41 fld [ebp+var_20]
.text:00467E44 call edi ; __vbaFpI4
.text:00467E46 mov ecx, array_46B040
.text:00467E4C mov esi, eax
.text:00467E4E mov edx, [ecx+14h] ; array lower bound
.text:00467E51 mov eax, [ecx+10h] ; array element count
.text:00467E54 sub esi, edx
.text:00467E56 cmp esi, eax ; bounds check for the element access
.text:00467E58 jb short loc_467E66
.text:00467E5A call ds:__vbaGenerateBoundsError
.text:00467E60 mov ecx, array_46B040
.text:00467E66
.text:00467E66 loc_467E66: ; CODE XREF: sub_467CD0+188j
.text:00467E66 mov eax, esi
.text:00467E68 jmp short loc_467E76
.text:00467E6A ; ---------------------------------------------------------------------------
.text:00467E6A
.text:00467E6A loc_467E6A: ; CODE XREF: sub_467CD0+169j
.text:00467E6A ; sub_467CD0+16Fj
.text:00467E6A call ds:__vbaGenerateBoundsError
.text:00467E70 mov ecx, array_46B040
.text:00467E76
.text:00467E76 loc_467E76: ; CODE XREF: sub_467CD0+198j
.text:00467E76 mov edx, [ecx+0Ch] ; pointer to the array data
.text:00467E79 cmp bl, [edx+eax] ; compare the input character with one table entry
.text:00467E7C jz short loc_467E96
.text:00467E7E fld [ebp+var_AC] ; not equal: index = index + 1
.text:00467E84 fadd [ebp+var_20]
.text:00467E87 fstp [ebp+var_20]
.text:00467E8A fnstsw ax
.text:00467E8C test al, 0Dh
.text:00467E8E jnz loc_467F68
.text:00467E94 jmp short loc_467E27
.text:00467E96 ; ---------------------------------------------------------------------------
.text:00467E96
.text:00467E96 loc_467E96: ; CODE XREF: sub_467CD0+1ACj
.text:00467E96 mov eax, dword ptr [ebp+var_20] ; equal: save the index
.text:00467E99 mov ecx, dword ptr [ebp+var_20+4]
.text:00467E9C mov dword ptr [ebp+var_4C], eax
.text:00467E9F mov dword ptr [ebp+var_4C+4], ecx
.text:00467EA2
.text:00467EA2 loc_467EA2: ; CODE XREF: sub_467CD0+165j
.text:00467EA2 fld [ebp+var_30] ; string length
.text:00467EA5 fsub [ebp+var_18] ; minus the loop counter (which starts at 1)
.text:00467EA8 xor edx, edx
.text:00467EAA sub esp, 8
.text:00467EAD mov dl, byte_46B044
.text:00467EB3 fnstsw ax
.text:00467EB5 test al, 0Dh
.text:00467EB7 jnz loc_467F68
.text:00467EBD fstp qword ptr [esp] ; stored on the stack as the exponent argument
.text:00467EC0 mov [ebp+var_C8], edx
.text:00467EC6 fild [ebp+var_C8]
.text:00467ECC fstp [ebp+var_D0] ; the global table length (36) as a double
.text:00467ED2 mov eax, dword ptr [ebp+var_D0+4]
.text:00467ED8 mov ecx, dword ptr [ebp+var_D0]
.text:00467EDE push eax
.text:00467EDF push ecx
.text:00467EE0 call ds:__vbaPowerR8 ; power: 36 ^ (len(string) - loop counter)
.text:00467EE6 fmul [ebp+var_4C] ; multiply by the character's index in the table
.text:00467EE9 mov ebx, [ebp+arg_0]
.text:00467EEC mov esi, 3FF00000h
.text:00467EF1 fstp [ebp+var_44] ; temporary result
.text:00467EF4 fnstsw ax
.text:00467EF6 test al, 0Dh
.text:00467EF8 jnz short loc_467F68
.text:00467EFA fld [ebp+var_44]
.text:00467EFD fadd [ebp+var_38] ; accumulate into the running total
.text:00467F00 fstp [ebp+var_38]
.text:00467F03 fnstsw ax
.text:00467F05 test al, 0Dh
.text:00467F07 jnz short loc_467F68
.text:00467F09 fld [ebp+var_9C] ; 1.0
.text:00467F0F fadd [ebp+var_18]
.text:00467F12 fstp [ebp+var_18]
.text:00467F15 fnstsw ax
.text:00467F17 test al, 0Dh
.text:00467F19 jnz short loc_467F68
.text:00467F1B jmp loc_467D67
.text:00467F20 ; ---------------------------------------------------------------------------
.text:00467F20
.text:00467F20 loc_467F20: ; CODE XREF: sub_467CD0+A5j
.text:00467F20 mov edx, dword ptr [ebp+var_38]
.text:00467F23 mov eax, dword ptr [ebp+var_38+4]
.text:00467F26 mov [ebp+var_28], edx
.text:00467F29 mov [ebp+var_24], eax
.text:00467F2C wait
.text:00467F2D push offset loc_467F52
.text:00467F32 jmp short locret_467F51
.text:00467F34 ; ---------------------------------------------------------------------------
.text:00467F34 lea ecx, [ebp-50h]
.text:00467F37 call ds:__vbaFreeStr
.text:00467F3D lea ecx, [ebp+var_70]
.text:00467F40 lea edx, [ebp+var_60]
.text:00467F43 push ecx
.text:00467F44 push edx
.text:00467F45 push 2
.text:00467F47 call ds:__vbaFreeVarList
.text:00467F4D add esp, 0Ch
.text:00467F50 retn
.text:00467F51 ; ---------------------------------------------------------------------------
.text:00467F51
.text:00467F51 locret_467F51: ; CODE XREF: sub_467CD0+262j
.text:00467F51 retn
.text:00467F52 ; ---------------------------------------------------------------------------
.text:00467F52
.text:00467F52 loc_467F52: ; DATA XREF: sub_467CD0+25Do
.text:00467F52 mov ecx, [ebp-10h]
.text:00467F55 pop edi
.text:00467F56 fld qword ptr [ebp-28h]
.text:00467F59 pop esi
.text:00467F5A mov large fs:0, ecx
.text:00467F61 pop ebx
.text:00467F62 mov esp, ebp
.text:00467F64 pop ebp
.text:00467F65 retn 4
.text:00467F68 ; ---------------------------------------------------------------------------
.text:00467F68
.text:00467F68 loc_467F68: ; CODE XREF: sub_467CD0+1BEj
.text:00467F68 ; sub_467CD0+1E7j
.text:00467F68 ; sub_467CD0+228j
.text:00467F68 ; sub_467CD0+237j
.text:00467F68 ; sub_467CD0+249j
.text:00467F68 jmp loc_4020AC
.text:00467F6D ; ---------------------------------------------------------------------------
.text:00467F6D
.text:00467F6D loc_467F6D: ; CODE XREF: sub_467CD0+122j
.text:00467F6D call ds:__vbaErrorOverflow
///////////////////////////////////////////////////////////////////////////////////////////
**** 下面是功能等价逆向 ****
function fun2(byval s as string) as long
    ' Decode s as a base-36 number. Each character is looked up in the
    ' module-level qarray (positions 0..35) and its position is used as the
    ' digit; the leftmost character is the most significant digit.
    ' A character that is not found in qarray leaves the digit from the
    ' previous character in place, exactly as the reconstruction above does.
    dim total as long
    dim n as long
    dim pos as integer
    dim k as integer
    dim ch as byte
    dim digit as integer

    n = len(s)
    digit = 0
    for pos = 1 to n
        ch = asc(mid(s, pos, 1))
        ' Linear search for the character's position in the alphabet.
        for k = 0 to 35
            if qarray(k) = ch then
                digit = k
                exit for
            end if
        next k
        ' Weight the digit by 36 ^ (distance from the right-hand end).
        total = total + 36 ^ (n - pos) * digit
    next pos
    fun2 = total
end function
///////////////////////////////////////////////////////////////////////////////////////////
text:004679D0 ToInt36_4679D0 proc near ; CODE XREF: strFun1_4678D0+9Cp
.text:004679D0 ; Purpose: turns the 8-byte floating-point value that arg_0 points to into a
.text:004679D0 ; string of base-36 digits. While the value is >= 36 it takes value mod 36,
.text:004679D0 ; maps it to a character through LookupTable_467BC0, joins it with the string
.text:004679D0 ; in var_1C, and replaces the value with Int(value / 36). The last digit (< 36)
.text:004679D0 ; is handled at loc_467B3F. The result string is returned in eax (from var_18).
.text:004679D0 ; After each FPU step "fnstsw ax / test al, 0Dh" checks the invalid-operation,
.text:004679D0 ; zero-divide and overflow flags and leaves through loc_467BBB if one is set.
.text:004679D0
.text:004679D0 var_68 = qword ptr -68h
.text:004679D0 var_60 = dword ptr -60h
.text:004679D0 var_5C = qword ptr -5Ch
.text:004679D0 var_54 = qword ptr -54h
.text:004679D0 var_4C = qword ptr -4Ch
.text:004679D0 var_44 = qword ptr -44h
.text:004679D0 var_3C = dword ptr -3Ch
.text:004679D0 var_30 = dword ptr -30h
.text:004679D0 var_2C = qword ptr -2Ch
.text:004679D0 var_24 = qword ptr -24h
.text:004679D0 var_1C = dword ptr -1Ch
.text:004679D0 var_18 = dword ptr -18h
.text:004679D0 var_C = dword ptr -0Ch
.text:004679D0 var_8 = dword ptr -8
.text:004679D0 arg_0 = dword ptr 8
.text:004679D0
.text:004679D0 push ebp
.text:004679D1 mov ebp, esp
.text:004679D3 sub esp, 0Ch
.text:004679D6 push offset loc_4020A6 ; handler address for the new exception record
.text:004679DB mov eax, large fs:0
.text:004679E1 push eax ; previous exception record (ends up at [ebp-14h])
.text:004679E2 mov large fs:0, esp ; install the new record
.text:004679E9 sub esp, 54h
.text:004679EC push ebx
.text:004679ED push esi
.text:004679EE push edi
.text:004679EF mov [ebp+var_C], esp
.text:004679F2 mov [ebp+var_8], offset dword_401DE8
.text:004679F9 xor eax, eax
.text:004679FB mov [ebp+var_18], eax ; zero the locals used below
.text:004679FE mov [ebp+var_1C], eax
.text:00467A01 mov dword ptr [ebp+var_24], eax
.text:00467A04 mov dword ptr [ebp+var_24+4], eax
.text:00467A07 mov [ebp+var_30], eax
.text:00467A0A mov eax, [ebp+arg_0] ; arg_0 is a pointer to the 8-byte value
.text:00467A0D mov ecx, [eax]
.text:00467A0F mov edx, [eax+4]
.text:00467A12 mov dword ptr [ebp+var_2C], ecx ; save the passed-in real value in var_2C
.text:00467A15 mov dword ptr [ebp+var_2C+4], edx
.text:00467A18 mov edx, offset dword_40C390
.text:00467A1D lea ecx, [ebp+var_1C] ; initialise the working string variable
.text:00467A20 call ds:__vbaStrCopy
.text:00467A26 mov esi, ds:__vbaStrMove ; cache the three runtime helpers in registers
.text:00467A2C mov edi, ds:__vbaStrCat
.text:00467A32 mov ebx, ds:__vbaFreeStr
.text:00467A38
.text:00467A38 loc_467A38: ; CODE XREF: ToInt36_4679D0+16Aj
.text:00467A38 mov cl, byte_46B044 ; length of the global array (36)
.text:00467A3E xor eax, eax
.text:00467A40 mov al, cl
.text:00467A42 mov [ebp+var_3C], eax
.text:00467A45 fild [ebp+var_3C]
.text:00467A48 fstp [ebp+var_44] ; global array length as a floating-point value
.text:00467A4B fld [ebp+var_2C] ; the current value of the argument
.text:00467A4E fcomp [ebp+var_44]
.text:00467A51 fnstsw ax
.text:00467A53 test ah, 1 ; C0 is set when value < length
.text:00467A56 jnz loc_467B3F ; jump if the argument is less than 36
.text:00467A5C xor edx, edx
.text:00467A5E mov dl, cl
.text:00467A60 mov [ebp+var_3C], edx
.text:00467A63 fild [ebp+var_3C] ; 36
.text:00467A66 fstp [ebp+var_4C] ; 36.0
.text:00467A69 fld [ebp+var_2C]
.text:00467A6C cmp dword_46B000, 0 ; presumably the runtime's FDIV-workaround flag - TODO confirm
.text:00467A73 jnz short loc_467A7A
.text:00467A75 fdiv [ebp+var_4C] ; argument divided by 36.0
.text:00467A78 jmp short loc_467A85
.text:00467A7A ; ---------------------------------------------------------------------------
.text:00467A7A
.text:00467A7A loc_467A7A: ; CODE XREF: ToInt36_4679D0+A3j
.text:00467A7A push dword ptr [ebp+var_4C+4]
.text:00467A7D push dword ptr [ebp+var_4C]
.text:00467A80 call _adj_fdiv_m64 ; same division through the helper routine
.text:00467A85
.text:00467A85 loc_467A85: ; CODE XREF: ToInt36_4679D0+A8j
.text:00467A85 fnstsw ax
.text:00467A87 test al, 0Dh
.text:00467A89 jnz loc_467BBB
.text:00467A8F call ds:__vbaFPInt ; truncate the quotient to an integer
.text:00467A95 fild [ebp+var_3C] ; 36
.text:00467A98 fstp [ebp+var_54]
.text:00467A9B fmul [ebp+var_54] ; multiply by 36.0
.text:00467A9E fsubr [ebp+var_2C] ; reverse subtract: argument - 36 * Int(argument / 36)
.text:00467AA1 fstp [ebp+var_24]
.text:00467AA4 fnstsw ax
.text:00467AA6 test al, 0Dh
.text:00467AA8 jnz loc_467BBB
.text:00467AAE fld [ebp+var_24] ; this is effectively the remainder modulo 36
.text:00467AB1 fcomp ds:dbl_401B08 ; presumably 0.0, going by the author's notes
.text:00467AB7 fnstsw ax
.text:00467AB9 test ah, 1
.text:00467ABC jz short loc_467AD7 ; jump if the result is greater than or equal to 0
.text:00467ABE fild [ebp+var_3C]
.text:00467AC1 fstp [ebp+var_5C]
.text:00467AC4 fld [ebp+var_5C]
.text:00467AC7 fadd [ebp+var_24] ; if the result is negative, add 36
.text:00467ACA fstp [ebp+var_24]
.text:00467ACD fnstsw ax
.text:00467ACF test al, 0Dh
.text:00467AD1 jnz loc_467BBB
.text:00467AD7
.text:00467AD7 loc_467AD7: ; CODE XREF: ToInt36_4679D0+ECj
.text:00467AD7 lea eax, [ebp+var_24]
.text:00467ADA push eax
.text:00467ADB call LookupTable_467BC0 ; fetch one character, using the remainder as the index
.text:00467AE0 mov edx, eax
.text:00467AE2 lea ecx, [ebp+var_30]
.text:00467AE5 call esi ; __vbaStrMove
.text:00467AE7 mov ecx, [ebp+var_1C] ; the string being built; the new character is joined to it
.text:00467AEA push eax
.text:00467AEB push ecx
.text:00467AEC call edi ; __vbaStrCat
.text:00467AEE mov edx, eax
.text:00467AF0 lea ecx, [ebp+var_1C]
.text:00467AF3 call esi ; __vbaStrMove
.text:00467AF5 lea ecx, [ebp+var_30]
.text:00467AF8 call ebx ; __vbaFreeStr
.text:00467AFA xor edx, edx
.text:00467AFC mov dl, byte_46B044
.text:00467B02 mov [ebp+var_60], edx
.text:00467B05 fild [ebp+var_60]
.text:00467B08 fstp [ebp+var_68]
.text:00467B0B fld [ebp+var_2C] ; load the argument
.text:00467B0E cmp dword_46B000, 0
.text:00467B15 jnz short loc_467B1C
.text:00467B17 fdiv [ebp+var_68] ; divide by 36.0
.text:00467B1A jmp short loc_467B27
.text:00467B1C ; ---------------------------------------------------------------------------
.text:00467B1C
.text:00467B1C loc_467B1C: ; CODE XREF: ToInt36_4679D0+145j
.text:00467B1C push dword ptr [ebp+var_68+4]
.text:00467B1F push dword ptr [ebp+var_68]
.text:00467B22 call _adj_fdiv_m64
.text:00467B27
.text:00467B27 loc_467B27: ; CODE XREF: ToInt36_4679D0+14Aj
.text:00467B27 fnstsw ax
.text:00467B29 test al, 0Dh
.text:00467B2B jnz loc_467BBB
.text:00467B31 call ds:__vbaFPInt ; truncate to an integer
.text:00467B37 fstp [ebp+var_2C] ; store the quotient back as the new argument
.text:00467B3A jmp loc_467A38 ; next digit
.text:00467B3F ; ---------------------------------------------------------------------------
.text:00467B3F
.text:00467B3F loc_467B3F: ; CODE XREF: ToInt36_4679D0+86j
.text:00467B3F mov eax, dword ptr [ebp+var_2C] ; value below 36: look it up in the table directly
.text:00467B42 mov ecx, dword ptr [ebp+var_2C+4]
.text:00467B45 lea edx, [ebp+var_24]
.text:00467B48 mov dword ptr [ebp+var_24], eax
.text:00467B4B push edx
.text:00467B4C mov dword ptr [ebp+var_24+4], ecx
.text:00467B4F call LookupTable_467BC0
.text:00467B54 mov edx, eax
.text:00467B56 lea ecx, [ebp+var_30]
.text:00467B59 call esi ; __vbaStrMove
.text:00467B5B push eax
.text:00467B5C mov eax, [ebp+var_1C]
.text:00467B5F push eax
.text:00467B60 call edi ; __vbaStrCat
.text:00467B62 mov edx, eax
.text:00467B64 lea ecx, [ebp+var_1C]
.text:00467B67 call esi ; __vbaStrMove
.text:00467B69 lea ecx, [ebp+var_30]
.text:00467B6C call ebx ; __vbaFreeStr
.text:00467B6E mov edx, [ebp+var_1C]
.text:00467B71 lea ecx, [ebp+var_18] ; copy the finished string into the return slot var_18
.text:00467B74 call ds:__vbaStrCopy
.text:00467B7A wait
.text:00467B7B push offset loc_467BA5 ; the retn in loc_467B9B pops this and lands on the epilogue
.text:00467B80 jmp short loc_467B9B
.text:00467B82 ; ---------------------------------------------------------------------------
.text:00467B82 test byte ptr [ebp-4], 4 ; no label or xref here; presumably the error-cleanup path - TODO confirm
.text:00467B86 jz short loc_467B91
.text:00467B88 lea ecx, [ebp-18h]
.text:00467B8B call ds:__vbaFreeStr
.text:00467B91
.text:00467B91 loc_467B91: ; CODE XREF: ToInt36_4679D0+1B6j
.text:00467B91 lea ecx, [ebp+var_30]
.text:00467B94 call ds:__vbaFreeStr
.text:00467B9A retn
.text:00467B9B ; ---------------------------------------------------------------------------
.text:00467B9B
.text:00467B9B loc_467B9B: ; CODE XREF: ToInt36_4679D0+1B0j
.text:00467B9B lea ecx, [ebp+var_1C] ; release the working string
.text:00467B9E call ds:__vbaFreeStr
.text:00467BA4 retn
.text:00467BA5 ; ---------------------------------------------------------------------------
.text:00467BA5
.text:00467BA5 loc_467BA5: ; DATA XREF: ToInt36_4679D0+1ABo
.text:00467BA5 mov ecx, [ebp-14h] ; previous exception record saved in the prologue
.text:00467BA8 mov eax, [ebp-18h] ; return value: the string held in var_18
.text:00467BAB pop edi
.text:00467BAC pop esi
.text:00467BAD mov large fs:0, ecx ; restore the previous exception record
.text:00467BB4 pop ebx
.text:00467BB5 mov esp, ebp
.text:00467BB7 pop ebp
.text:00467BB8 retn 4
.text:00467BBB ; ---------------------------------------------------------------------------
.text:00467BBB
.text:00467BBB loc_467BBB: ; CODE XREF: ToInt36_4679D0+B9j
.text:00467BBB ; ToInt36_4679D0+D8j
.text:00467BBB ; ToInt36_4679D0+101j
.text:00467BBB ; ToInt36_4679D0+15Bj
.text:00467BBB jmp loc_4020AC ; target of every FPU status check that failed
.text:00467BBB ToInt36_4679D0 endp
////////////////////////////////////////////////////////////////////////////////////////////
**** 这里是等价逆向 ****
Function fun3(ByVal arg0 As Long) As String
    ' Encode arg0 as a base-36 string, using the module-level qarray as the
    ' digit alphabet. Digits are produced least significant first and each
    ' one is prepended, so the result reads most significant digit first.
    Dim digit As Integer
    Dim encoded As String

    Do Until arg0 < 36
        digit = arg0 Mod 36
        ' arg0 >= 36 here, so integer division equals (arg0 - digit) / 36.
        arg0 = arg0 \ 36
        encoded = Chr(qarray(digit)) & encoded
    Loop

    ' What is left is the leading digit.
    fun3 = Chr(qarray(arg0)) & encoded
End Function
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
最后完整的代码如下:
注意数组的下标是基于0的
' Digit alphabet shared by fun2 and fun3. fun1 assigns it from a 36-character
' string via StrConv(..., vbFromUnicode); it is indexed from 0.
dim qarray() as byte
' Set to 36 by fun1. Declared without a type, and not read by any function shown here.
dim qarraylen
' Reconstruction of the registration check at sub_464EF0.
' Returns True only when BOTH conditions on the last If hold:
'   1. the 16-character string built in var_50 equals mycode, and
'   2. myname equals fun4678D0(myname) (the name survives the base-36 round trip).
' The expected code is computed locally from the name plus constants that are all
' present in this routine and in fun468060; nothing outside the client takes part
' in the decision.
function fun464ef0(byval myname as string,byval mycode as string) as boolean
dim myarray1(16) as integer
dim myarray2(512) as integer
dim myarray3(16) as integer
dim myarray4(512) as integer
dim myarray5(16) as integer
dim mynamestr as string
dim mynamestr2 as string
dim slen1 as integer
dim slen2 as integer
dim var_e8 as integer
dim i as integer
dim tmpchar as integer
dim var_bc as integer
dim var_50 as string
dim var_48 as integer
dim var_e0 as integer
dim j as integer
dim var_28 as integer
dim var_c0 as boolean
dim var_fc as integer
dim tmpint as integer
dim s1sum as integer
dim s2sum as integer
dim var_b0 as integer
dim var_e4 as integer
dim var_f0 as integer
' Normalised name, and a second string derived from it by fun468060 (arg1 = 0).
mynamestr = fun4678D0(myname)
mynamestr2 = fun468060(mynamestr,0)
slen1 = len(mynamestr)
slen2 = len(mynamestr2)
' Output mode. It is fixed at 2 here, so of the three branches below only the
' "elseif var_e8 = 2" one can run.
var_e8 = 2
' 16 constants that are XORed into myarray3 in the final loop.
myarray1(1) = &h2a
myarray1(2) = &h2e
myarray1(3) = &h30
myarray1(4) = &h2d
myarray1(5) = &h2c
myarray1(6) = &h27
myarray1(7) = &h2a
myarray1(8) = &h4c
myarray1(9) = &h42
myarray1(10) = &h44
myarray1(11) = &h7c
myarray1(12) = &h82
myarray1(13) = &h73
myarray1(14) = &h50
myarray1(15) = &h66
myarray1(16) = &h67
' myarray4 starts as the identity 0..512 ...
for i = 0 to 512
myarray4(i) = i
next i
' ... and is then shuffled by swapping entry i with entry var_bc, a running sum
' taken mod 256. No input is involved, so the permutation is the same on every call.
for i = 0 to 512
var_bc = (var_bc + i) mod 256
tmpchar = myarray4(i)
myarray4(i) = myarray4(var_bc)
myarray4(var_bc) = tmpchar
next i
' Build the output alphabet table myarray2, written at the permuted positions.
if var_e8 = 1 then
' Mode 1: digits "0".."9" (&h30 + 0..9) only.
var_48 = 16
var_e0 = 0
var_50 = string(16," ")
for i = 0 to 512
j = myarray4(i)
myarray2(j) = var_e0 + &h30
var_e0 = var_e0 + 1
if var_e0 = 10 then var_e0 = 0
next i
elseif var_e8 = 2 then
' Mode 2: letters "A".."Z" (&h41 + 0..25) and digits "0".."9" alternate,
' starting with a letter because var_c0 begins as false.
var_48 = 16
var_e0 = 0
var_28 = 0
var_50 = string(16," ")
var_c0 = false
for i = 0 to 512
if var_c0 then
j = myarray4(i)
myarray2(j) = var_e0 + &h30
var_e0 = var_e0 + 1
if var_e0 = 10 then var_e0 = 0
var_c0 = false
else
j = myarray4(i)
myarray2(j) = var_28 + &h41
var_28 = var_28 + 1
if var_28 = 26 then var_28 = 0
var_c0 = true
end if
next i
else
' Any other mode: 8 values written as hex pairs into a 19-character buffer;
' myarray2 is not filled.
var_48 = 8
var_50 = string(19," ")
end if
' Fold the characters of mynamestr into myarray5 slots 1..8 (index wraps at 9),
' XORing with &h12, and keep a running total in s1sum.
' NOTE(review): the accumulators are Integer; presumably a long enough input
' could overflow them - confirm against the binary.
var_fc = 1
for i = 1 to slen1
tmpint = asc(mid(mynamestr,i,1))
myarray5(var_fc) = (myarray5(var_fc) + tmpint) xor &h12
s1sum = s1sum + myarray5(var_fc)
var_fc = var_fc + 1
if var_fc = 9 then var_fc = 1
next i
' Same fold for mynamestr2 into myarray3 with &h19. var_fc is NOT reset here,
' so this loop continues from the slot where the previous loop stopped.
for i = 1 to slen2
tmpint = asc(mid(mynamestr2,i,1))
myarray3(var_fc) = (myarray3(var_fc) + tmpint) xor &h19
s2sum = s2sum + myarray3(var_fc)
var_fc = var_fc + 1
if var_fc = 9 then var_fc = 1
next i
var_fc = 1
var_f0 = 1
var_b0 = (s1sum + s2sum) mod 512
' Produce one output position per i. Slots 9..16 of myarray5 and myarray3 were
' never written by the folds above, so for those i only myarray1(i) contributes.
for i = 1 to var_48
myarray3(i) = myarray3(i) xor myarray1(i)
' var_e4 is the index into the alphabet table.
var_e4 = abs((myarray5(i) xor myarray3(i)) mod 512 - var_b0)
if var_e8 = 3 then
' Hex mode: two hex digits per value (zero padded), with "-" as a separator
' written after every second value.
if var_e4 < 16 then
mid(var_50,var_fc,2) = ("0" & hex(var_e4))
else
mid(var_50,var_fc,2) = hex(var_e4)
end if
if var_f0 = 2 and var_fc < 18 then
var_fc = var_fc + 1
mid(var_50,var_fc+1,1) = "-"
end if
var_fc = var_fc + 2
var_f0 = var_f0 + 1
if var_f0 = 3 then var_f0 = 1
else
' Table mode: one character taken from myarray2.
mid(var_50,i,1) = chr(myarray2(var_e4))
end if
next i
' Final decision: computed code equals the entered code, and the name is
' unchanged by fun4678D0.
if strcomp(var_50,mycode) = 0 and strcomp(myname,mynamestr) = 0 then
fun464ef0 = true
else
fun464ef0 = false
end if
end function
' Derives a string from arg0 and the fixed string s1, using the same
' table-building and folding scheme as fun464ef0 but with a different set of
' 16 constants. arg1 selects the output mode; a value <= 0 selects mode 2.
' Returns the filled buffer var_50.
function fun468060(byval arg0 as string,byval arg1 as integer) as string
dim array1(16) as integer
dim array2(512) as integer
dim array3(16) as integer
dim array4(512) as integer
dim array5(16) as integer
dim s1 as string
dim s1len as long
dim arg0len as long
dim var_ec as integer
dim i as integer
dim tmpsum as integer
dim tmpvar as integer
dim var_48 as integer
dim var_50 as string
dim j as integer
dim tmpi as integer
dim tmpj as integer
dim isd as boolean
dim tmpchar as integer
dim arg0sum as integer
dim s1sum as integer
dim mysum as integer
dim var_fc as integer
dim var_f4 as integer
' Fixed second input, the same for every caller.
s1 = "lxhsxyloveforever"
arg0len = len(arg0)
s1len = len(s1)
' Mode selection: non-positive arg1 falls back to mode 2.
if arg1 <= 0 then
var_ec = 2
else
var_ec = arg1
endif
' 16 constants that are XORed into array3 in the final loop.
array1(1) = &h28
array1(2) = &h53
array1(3) = &h84
array1(4) = &h45
array1(5) = &hed
array1(6) = &h25
array1(7) = &h76
array1(8) = &h37
array1(9) = &h17
array1(10) = &h5b
array1(11) = &hf2
array1(12) = &h2f
array1(13) = &h82
array1(14) = &h3b
array1(15) = &h47
array1(16) = &ha8
' array4 starts as the identity 0..512 ...
for i = 0 to 512
array4(i) = i
next i
' ... and is shuffled by swapping entry i with entry tmpsum, a running sum
' mod 256. The permutation does not depend on any input.
tmpsum = 0
for i = 0 to 512
tmpsum = (tmpsum + i) mod 256
tmpvar = array4(i)
array4(i) = array4(tmpsum)
array4(tmpsum) = tmpvar
next i
' Build the output alphabet table array2 at the permuted positions.
if var_ec = 1 then
' Mode 1: digits "0".."9" only.
var_50 = string(16," ")
var_48 = 16
tmpi = 0
for i = 0 to 512
j = array4(i)
array2(j) = tmpi + &h30
tmpi = tmpi + 1
if tmpi = 10 then tmpi = 0
next i
elseif var_ec = 2 then
' Mode 2: letters "A".."Z" and digits "0".."9" alternate, starting with a
' letter because isd begins as false.
var_50 = string(16," ")
var_48 = 16
isd = false
tmpi = 0
tmpj = 0
for i = 0 to 512
if isd then
j = array4(i)
array2(j) = tmpi + &h30
tmpi = tmpi + 1
if tmpi = 10 then tmpi = 0
isd = false
else
j = array4(i)
array2(j) = tmpj + &h41
tmpj = tmpj + 1
if tmpj = 26 then tmpj = 0
isd = true
endif
next i
else
' Any other mode: 8 values as hex pairs in a 19-character buffer; array2 is
' not filled.
var_50 = string(19," ")
var_48 = 8
endif
' Fold the characters of arg0 into array5 slots 1..8 (index wraps at 9),
' XORing with &H12, and total them in arg0sum.
j = 1
for i = 1 to arg0len
tmpchar = asc(mid(arg0,i,1))
array5(j) = (array5(j) + tmpchar) xor &H12
arg0sum = arg0sum + array5(j)
j = j + 1
if j = 9 then j = 1
next i
' Same fold for s1 into array3 with &H19. j is not reset, so this continues
' from the slot where the previous loop stopped.
for i = 1 to s1len
tmpchar = asc(mid(s1,i,1))
array3(j) = (array3(j) + tmpchar) xor &H19
s1sum = s1sum + array3(j)
j = j + 1
if j = 9 then j = 1
next i
mysum = (arg0sum + s1sum) mod 512
var_fc = 1
var_f4 = 1
' One output position per i; slots 9..16 of array5/array3 were not written by
' the folds, so for those i only array1(i) contributes.
for i = 1 to var_48
array3(i) = array3(i) xor array1(i)
tmpchar = (array5(i) xor array3(i)) mod 512 - mysum
tmpchar = abs(tmpchar)
if var_ec = 3 then
' NOTE(review): the next two assignments write to "var50", while the declared
' buffer and every other statement use "var_50" - this looks like a typo in the
' reconstruction. The branch only runs when var_ec = 3.
if tmpchar < 16 then
Mid(var50,var_fc,2) = ("0" & hex(tmpchar))
else
mid(var50,var_fc,2) = hex(tmpchar)
end if
if var_f4 = 2 and var_fc < 18 then
var_fc = var_fc + 1
mid(var_50,var_fc+1,1) = "-"
end if
var_fc = var_fc + 2
var_f4 = var_f4 + 1
if var_f4 = 3 then var_f4 = 1
else
' Table mode: one character taken from array2.
mid(var_50,i,1) = chr(array2(tmpchar))
end if
next i
fun468060 = var_50
end function
function fun4678d0(byval a as string) as string
    ' Normalise a name: decode it as base-36 (fun2), add the remainder of that
    ' value modulo fun2("ffg"), and encode the sum back to base-36 (fun3).
    ' fun1 is called first so that the digit alphabet qarray is populated.
    dim decoded as long
    dim tmpl as long

    fun1
    decoded = fun2(a)
    ' Mod binds tighter than +, so this is decoded + (decoded Mod fun2("ffg")).
    tmpl = decoded + (decoded mod fun2("ffg"))
    fun4678d0 = fun3(tmpl)
end function
function fun1()
    ' Populate the module-level digit alphabet: qarray receives the byte values
    ' of the 36 characters below (letters first, then "1".."9" and "0"), so
    ' "a" is digit 0 and "0" is digit 35. qarraylen records the length.
    const ALPHABET as string = "abcdefghijklmnopqrstuvwxyz1234567890"

    qarray = strconv(ALPHABET, vbFromUnicode)
    qarraylen = 36
end function
function fun2(byval s as string) as long
    ' Decode s as a base-36 number. Each character is looked up in the
    ' module-level qarray (positions 0..35) and its position is used as the
    ' digit; the leftmost character is the most significant digit.
    ' A character that is not found in qarray leaves the digit from the
    ' previous character in place, exactly as the original loop does.
    dim total as long
    dim n as long
    dim pos as integer
    dim k as integer
    dim ch as byte
    dim digit as integer

    n = len(s)
    digit = 0
    for pos = 1 to n
        ch = asc(mid(s, pos, 1))
        ' Linear search for the character's position in the alphabet.
        for k = 0 to 35
            if qarray(k) = ch then
                digit = k
                exit for
            end if
        next k
        ' Weight the digit by 36 ^ (distance from the right-hand end).
        total = total + 36 ^ (n - pos) * digit
    next pos
    fun2 = total
end function
Function fun3(ByVal arg0 As Long) As String
    ' Encode arg0 as a base-36 string, using the module-level qarray as the
    ' digit alphabet. Digits are produced least significant first and each
    ' one is prepended, so the result reads most significant digit first.
    Dim digit As Integer
    Dim encoded As String

    Do Until arg0 < 36
        digit = arg0 Mod 36
        ' arg0 >= 36 here, so integer division equals (arg0 - digit) / 36.
        arg0 = arg0 \ 36
        encoded = Chr(qarray(digit)) & encoded
    Loop

    ' What is left is the leading digit.
    fun3 = Chr(qarray(arg0)) & encoded
End Function
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
如果您还在耐心的看。我真的很感激。:) 下面给出注册信息:
从上面可以看出,函数fun4678d0看起来应该是这个样子的:
36进制(用户名)+ 36进制(用户名) mod 36进制("ffg")
要求结果仍然是 36进制(用户名)。
这实际上意味着:只有满足 36进制(用户名) mod 36进制("ffg") = 0
的用户名才能注册成功。
下面给出两组注册信息,其余的可以类推:
注册名:a
注册码:TXC10CD0M14D4Y4Q
注册名:ffg
注册码:684557FMJ285QQB6
///////////////////////////////////////////////////////////////////