无忧全国计算机等级考试模拟软件二级JAVA[原创]-软件逆向-看雪-安全社区|安全招聘|kanxue.com

无忧全国计算机等级考试模拟软件二级JAVA[原创]

发表于: 2005-7-8 14:30 7506

无忧全国计算机等级考试模拟软件二级JAVA[原创]

MARCH

2005-7-8 14:30

7506

2005年上半年版  全国计算机等级考试模拟软件北京无忧电脑技术开发有限责任公司
网址：WWW.WUYOUSCHOOL.COM.CN
本来我想考一下，但是，唉，贪多嚼不烂啊，半途而废了。以后再说吧。出了这个副产品。

二级JAVA,不过从文件内容看,它的考试系列应该都用这个KS.EXE,真那么自信吗?
文件:KS.EXE 2,714,624bytes 2005-02-24 11:52:00(加参数y可进入练习模式) VB native程序
by zzhzihui@tom.com 学习研究勿作其他用途
(原来VB也可以编写比较牛的东西,连等考的考试系统都用VB写,我一直以为自己学VB没多大用)
工具:ollydbg,hiew

★最终方法:
最终得到的假激活码:G5060-BBBBB-CCQ2L-23XL6-O2323-3434I
0067956A .  50          PUSH EAX
0067956B .  FFD7       CALL EDI
0067956D >  66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 .  0F85 7D020000 JNZ ks.006797F8
0067957B .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F .  66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 .  0F85 C2000000 JNZ ks.0067964B ;  no jmp,跳走会显示无产品项目
;这样可以强制激活成功
00679589 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
0067958C .  50          PUSH EAX
0067958D .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
00679593 .  8B7D CC    MOV EDI,DWORD PTR SS:[EBP-34]
00679596 .  3BFB       CMP EDI,EBX
00679598 .  75 12       JNZ SHORT ks.006795AC
0067959A .  8D4D CC    LEA ECX,DWORD PTR SS:[EBP-34]
0067959D .  51          PUSH ECX
0067959E .  68 D0924000 PUSH ks.004092D0
这样会生成c:\WINXP\system32\Microsoft\MSJET1.INI文件,把它复制一份,改名为MSJET6.INI
注意:MSJETx.INI是最后的1是算出来的,会自动保存,但那个6却不能自动生成,怎样知道是6呢?可以在这里:
0066AB3F .  50          PUSH EAX
0066AB40 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AB45 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
;这个操作可以看到6
0066AB4B .  8BD0       MOV EDX,EAX
0066AB4D .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]

实际上,程序下次启动时只访问那个带6的数据,带1的不访问,因为程序内部校验发现错误,生成了带1的数据,而下次抽题或启动检验时,却要访问带6的,这时没有,所以激活就失败了.

再加下面两个爆破就可以了,但是还有提示激活成功,可用x次..
其实在注册表里还有HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1
把它复制一个命名为HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6
即可去掉提示.
============
0066AED2 . /0F85 B6050000 JNZ ks.0066B48E
0066AED8 . |66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . |66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . |74 0C       JE SHORT ks.0066AEEE                   ;  JMP ZZH(EB0C)
;改为JMP 66aeee即可
0066AEE2 . |C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . |E9 DF050000 JMP ks.0066B4CD
0066AEEE > |BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 . |8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
============
0061D184 > \66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 .  75 16       JNZ SHORT ks.0061D1A0                   ;  NO Jmp (SYS) EAX<=1 ZZH
;上行不要跳,改为MOV EAX,1,覆盖下行指令即可
0061D18A .  83C8 FF    OR EAX,FFFFFFFF
0061D18D .  68 0ED56100 PUSH ks.0061D50E                      ;  EAX<=1
0061D192 .  8945 E4    MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 .  66:A3 DCB0670>MOV WORD PTR DS:[67B0DC],AX
0061D19B .  E9 4F030000 JMP ks.0061D4EF
0061D1A0 >  66:3935 DCB06>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 .  0F85 07030000 JNZ ks.0061D4B4
0061D1AD .  8B4D 14    MOV ECX,DWORD PTR SS:[EBP+14]
...
OK,CRACKED! 19:53 2005-4-22
重新注册方法请看文件:0-FINAL.txt

★通用注册
%SYSTEM%\PCINFO.DLL

导出函数:
GetDriveSerialNumberIn9X
GetDriveSerialNumberInNT
都是取硬盘序列号的,而软件是根据硬盘序列号来生成ID和激活码的,所以可以改造这个DLL,让它返回固定的序列号.这样就可以做通用的CRK.

那么,我们可以补丁主程序ks.exe:
0066DF7F .  0F84 98010000 JE ks.0066E11D;取得SMART版本失败,跳走,改为JMP让他永远调用DLL

然后修改PCINFO.DLL
把文件偏移 1000EFE0处修改为字符串"4JV10H8M"

PCINFO.GetDriveSerialNumberInNT函数:
1000152E  |> \C74424 04 E0EF0010  MOV DWORD PTR SS:[ESP+4],pcinfo.1000EFE0;ASCII "4JV10H8M"
;永远返回固定序列号
10001536  \.  C2 0400          RETN 4

PCINFO.GetDriveSerialNumberIn9X函数:
100012BE  |.  64:890D 00000000       MOV DWORD PTR FS:[0],ECX
100012C5  |.  81C4 88000000          ADD ESP,88
100012CB  \.  C2 0400                RETN 4
100012CE    8BFF                   MOV EDI,EDI ;这个被覆盖不知道有没有影响
修改为:
100012CB    /E9 5E020000             JMP PCINFOHK.1000152E

这样就可以保证在9X和NT下都会返回唯一的硬盘序列号.^_^

★较为详细过程,及产品序列号生成与激活码的格式
获得的产品ID号,每次都不一样:
T084J-VE10H-02Q8M-B2G89-2JRW3-58U36
3084J-VT10H-02G8M-W89MV-8BITC-PZS25
9084J-VJ10H-0288M-3J4AD-J5V1K-6BZKU
3084J-V710H-0228M-6784N-7X2LT-AL4U2
F084J-V710H-02D8M-O7T45-7WDJ7-94371
4084J-VW10H-0238M-7W9NQ-W145X-EOLXH
084J-V 10H-02 8M-
实际它是取我的硬盘序列号:"4JV10H8M"
asc值:52 74 86 49 48 72 56 77
格式化为:0# 即0字符个数,得到"084JV10H8M"
然后随机产生其他字符得到ID

激活码格式也为:
5084J-VX10H-0248M-TXZO7-X1J69-26M9I
51D48-V310H-02B8M-BBBBB-OBBBB-BBBBB
O(这个4DH-45H=8H,为HD.SN的长度)
激活码长度必须为35
检验时先去掉中间的-
5084JVX10H0248M TXZO7X1J6926M9I
然后首尾字符换
I9M6296J1X7OZXT M8420H01XVJ4805
字符表:..EFGHIJKLMN...UVWXYZ
然后将'I'的ASC码减2变成G,如果前面没有字符了,就循环回来,例如如果是1就变成9:
I9M62 96J1X 7OZXT得到:G7K40 74H9V 5MXVR
然后替换I9M6296J1X7OZXT M8420H01XVJ4805为
G7K4074H9V5MXVR M8420H01XVJ4805
再处理M8420H01XVJ4805,这一次减4
  得到I4086D67TRF0461
然后替换G7K4074H9V5MXVR M8420H01XVJ4805为(程序在666F21)
G7K4074H9V5MXVR I4086D67TRF0461
取后4个字符并把他们转换为相应数值(例如"E"转换为0Eh),然后
"04"操作为4+0*36=4,  格式化为"004"
"61"操作为1+6*36=217,格式化为"217"
连接以上字符串得到"004217"即为得到的校验串.
这个"0461"实际是激活码开始的"5084"反过来"4805",再各字符ASC值减4得到"0461"
然后再取前26个字符进行复杂的异或操作,取得另一个校验串.再比较.(见5-668330.txt)
为方便计算,我推出了数值,因为必须是:第一个数*36+第二个数
36*2=72
36*3=108
36*4=144
36*5=180
36*6=216
36*7=252
F755 0-BBBBB-CCCCC-DDDDD-O2222-33333
   O必须是O因为硬盘序列号为8
"037119"
037=1*36+1 "11"
119=3*36+11 "3B"
"113B"asc值加4=>"557F",反过来"F755"
校验成功,但是:
00667233 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
;这里监测出错了.
;好像拿下面两个字符串比较,必须相等,这里就过了.
;0012E95C 001D32F4  UNICODE "4JV10H8M"
;0012E960 001D3F2C  UNICODE "BBBBBYYY"
;0012EB40 0016C23C  UNICODE "11111-0000M-BBBBB-YYYYY-XXXXX-6113B"这是变换后的激活码
;BBBBBYYY应该是硬盘序列号才对
;字母表ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890
;4JV10 H8M其中H8M是减4得到的,4JV10是减2得到的.
;H8M=>L2Q,4JV10=>6LX32反过来Q2L-23XL6
;F755 0-BBBBB-CC Q2L-23XL6 -O2222-33333
;F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到激活码:
F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到校验值为:225128这个校验码不行,改一下最后一个字符
F7550-BBBBB-CCQ2L-23XL6-O2222-33332得到校验码"156157"
重新计算前4个校验值的结果.
156=36*4+12 "4C"
157=36*4+13 "4D"
"4C4D"asc值加4,"8G8H",反过来"H8G8"
H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
H8G8 0-BBBBB-CC Q2L-23XL6 -O 2222-33332
校验          硬盘序列号 ^校验硬盘序列号字符数
这样刚刚的监测也躲过了.
但是还有.

0066725F . |FF53 24    CALL DWORD PTR DS:[EBX+24]             ;  ks.00408C8A
;这个CALL 408C8A还要监测
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"

0066764D .  66:3946 34 CMP WORD PTR DS:[ESI+34],AX ;刚刚第一个"0" 30h-46h算得的EAh和1(AX)比
00667651 .  7C 18       JL SHORT ks.0066766B ;这个好像都不可以跳,计算结果不能小于1
00667653 .  66:3946 36 CMP WORD PTR DS:[ESI+36],AX ;[174556]=25h 第1个"11"的校验码
00667657 .  7C 12       JL SHORT ks.0066766B ;校验计算结果不能小于1
00667659 .  66:3946 38 CMP WORD PTR DS:[ESI+38],AX ;[174558]=25h 第2个"11"的校验码
0066765D .  7C 0C       JL SHORT ks.0066766B ;校验计算结果不能小于1
0066765F .  66:3946 3A CMP WORD PTR DS:[ESI+3A],AX ;[17455A]=00h 第3个"00"的校验码
00667663 .  7C 06       JL SHORT ks.0066766B ;校验计算结果不能小于1
00667665 .  66:3946 3C CMP WORD PTR DS:[ESI+3C],AX ;[17455c]=00h 第4个"00"的校验码
00667669 .  7D 07       JGE SHORT ks.00667672 ;好像必须要跳了,校验计算结果不能小于1
0066766B >  C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00667672 >  68 A0766600 PUSH ks.006676A0

;加密字符表"0 11 11 00 00 M4JV10H8MYYXXXXX64C4D"
;位置       0  1  2  3  4
;01111 0000M 4JV10 H8MYY XXXXX 64C4D
;^最小是"G"=47h
;1,2,3,4处的两个字符也是用第一个*36+第二个得到的校验码.
;H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
;    ^    ^0处,最小也要是"I"=49h,49h-2=47h,47h-46h=1h才行
;    ^ ^这里本来就可以通过
;    2323就可以使3,4处通过
;H8G80-BBBBB-CCQ2L-23XL6-O2323-3434I这个激活码得到校验为"078048"
; ^这里改一下才可得到可用的校验串"078048"
;078=2*36+6 "26"
;048=1*36+12 "1C"
;"261C"asc码加4"605G",反过来"G506"
;得到激活码"G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
;但是提示"无法激活产品,请检查是否有此科目的激活码"
;看来还有检测
后面就复杂了.
还有取以下地方的值,并进行复杂的比较.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6]
c:\WINXP\system32\Microsoft\MSJET1.INI
c:\WINXP\system32\Microsoft\MSJET1.INI
其中1,6是算出来的.
这个我看的头都大了,实在不想在在VB的函数里转了,JMP来JMP去,晕了,仔细进入各CALL,然后观察那里会取以上地方的值,并计算,发现可疑的比较就下断点,再尝试改变跳转.结果发现.
============
0066AED2 . /0F85 B6050000 JNZ ks.0066B48E
0066AED8 . |66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . |66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . |74 0C       JE SHORT ks.0066AEEE                   ;  JMP ZZH(EB0C)
;改为JMP 66aeee即可
0066AEE2 . |C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . |E9 DF050000 JMP ks.0066B4CD
0066AEEE > |BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 . |8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
============
0061D184 > \66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 .  75 16       JNZ SHORT ks.0061D1A0                   ;  NO Jmp (SYS) EAX<=1 ZZH
;上行不要跳,改为MOV EAX,1,覆盖下行指令即可
0061D18A .  83C8 FF    OR EAX,FFFFFFFF
0061D18D .  68 0ED56100 PUSH ks.0061D50E                      ;  EAX<=1
0061D192 .  8945 E4    MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 .  66:A3 DCB0670>MOV WORD PTR DS:[67B0DC],AX
0061D19B .  E9 4F030000 JMP ks.0061D4EF
0061D1A0 >  66:3935 DCB06>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 .  0F85 07030000 JNZ ks.0061D4B4
0061D1AD .  8B4D 14    MOV ECX,DWORD PTR SS:[EBP+14]
这样就解除限制了.上机有10套题可用,笔试有5套题可用.

★更为详细的琐碎过程.
-------------------------------------------------------------------------------
▲文件:0.txt
-------------------------------------------------------------------------------
ID:
T084J-VE10H-02Q8M-B2G89-2JRW3-58U36
3084J-VT10H-02G8M-W89MV-8BITC-PZS25
9084J-VJ10H-0288M-3J4AD-J5V1K-6BZKU
3084J-V710H-0228M-6784N-7X2LT-AL4U2
F084J-V710H-02D8M-O7T45-7WDJ7-94371
4084J-VW10H-0238M-7W9NQ-W145X-EOLXH
084J-V 10H-02 8M-
硬盘序列号:4JV10H8M
asc:52 74 86 49 48 72 56 77
格式化为:0# 即0字符个数,得到084JV10H8M
然后随机产生其他字符得到ID

激活码格式也为:
5084J-VX10H-0248M-TXZO7-X1J69-26M9I
51D48-V310H-02B8M-BBBBB-OBBBB-BBBBB
O(这个4DH-45H=8H,为HD.SN的长度)
激活码长度必须为35
检验时先去掉中间的-
5084JVX10H0248M TXZO7X1J6926M9I
然后首尾字符换
I9M6296J1X7OZXT M8420H01XVJ4805

字符表:..EFGHIJKLMN...UVWXYZ
然后将'I'的ASC码减2变成G,如果前面没有字符了,就循环回来,例如如果是1就变成9:
I9M62 96J1X 7OZXT得到:G7K40 74H9V 5MXVR
然后替换I9M6296J1X7OZXT M8420H01XVJ4805为
G7K4074H9V5MXVR M8420H01XVJ4805
再处理M8420H01XVJ4805,这一次减4
  得到I4086D67TRF0461
然后替换G7K4074H9V5MXVR M8420H01XVJ4805为(程序在666F21)
G7K4074H9V5MXVR I4086D67TRF0461
再取以上字符第27字符开始的2字符"04"并分析是否是数字
再取以上字符第29字符开始的2字符"61"并分析是否是数字
然好像还有对4和另外一个数字217(0x9D)进行格式化的操作,格式化为000
(得到"004217")

再取左26个字符G7K4074H9V5MXVR I4086D67TRF
然后进行STRCONV把上述UNICODE转换成系统缺省代码页
十六进制代码为:
47 37 4B 34 30 37 34 48 39 56 35 4D 58 56 52 49 34 30 38 36 44 36 37 54 52 46
十进制为:

再进行复杂的运算得到数字字符串'246226'
66839F INTEGER->BYTE
6683CE UBOUND
66845A 开始复杂的INTEGER->BYTE
66851D FORMAT
668560 FORMAT
668088 LENSTR"246226"

进OD发现它拿前26个字符的asc码和0xFFh异或(XOR)

再跟跟:
006670FB .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006670FE .  51          PUSH ECX
006670FF .  FFD7       CALL EDI
00667101 .  50          PUSH EAX
00667102 .  56          PUSH ESI
00667103 .  FF53 30    CALL DWORD PTR DS:[EBX+30]
00667106 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
00667109 .  52          PUSH EDX ;经过复杂运算得到的"246226"
0066710A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066710D .  50          PUSH EAX ;正确校验码6位"004217"
0066710E .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp ;关键比较了,相等时EAX返回0
00667114 .  8BF8       MOV EDI,EAX
00667116 .  F7DF       NEG EDI
00667118 .  1BFF       SBB EDI,EDI
0066711A .  F7DF       NEG EDI
0066711C .  F7DF       NEG EDI
0066711E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667121 .  51          PUSH ECX
00667122 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667125 .  52          PUSH EDX
00667126 .  6A 02       PUSH 2
00667128 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066712E .  83C4 0C    ADD ESP,0C
00667131 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667134 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066713A .  66:85FF    TEST DI,DI
0066713D .  0F85 38010000 JNZ ks.0066727B
00667143 .  C745 B8 01000>MOV DWORD PTR SS:[EBP-48],1
0066714A .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00667151 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
=========
00667034 .  8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0066703A .  50          PUSH EAX
0066703B .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00667041 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
00667047 .  51          PUSH ECX                               ;  生成004223 就是正确校验码
00667048 .  8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0066704E .  52          PUSH EDX
0066704F .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667055 .  50          PUSH EAX
00667056 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
0066705C .  50          PUSH EAX
0066705D .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
00667063 .  8BD0       MOV EDX,EAX
00667065 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00667068 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066706E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667071 .  51          PUSH ECX
00667072 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667075 .  52          PUSH EDX
00667076 .  6A 02       PUSH 2
00667078 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066707E .  83C4 0C    ADD ESP,0C
00667081 .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667087 .  50          PUSH EAX
00667088 .  8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
0066708E .  51          PUSH ECX
0066708F .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00667095 .  52          PUSH EDX

++++++++++++++++++
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\china\class 的字符串dog="76DLEE"

%SYSTEM%\MICROSOFT\MSJET6.INI
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MSMCWY\6

vbExplorer,修改"激活码错误!"提示为"ActKeyError.zzh"
w32dasm找到:
* Possible StringData Ref from Code Obj ->"ActKeyError.zzh"
                              |
:00679720 C78574FFFFFFB0924200 mov dword ptr [ebp+FFFFFF74], 004292B0
:0067972A 89B56CFFFFFF          mov dword ptr [ebp+FFFFFF6C], esi
向前找到call的跳转表:
004143B8 .  816C24 04 3B0>SUB DWORD PTR SS:[ESP+4],3B
004143C0 .  E9 CB3E2600 JMP ks.00678290 ;点激活到这里
004143C5 .  816C24 04 4F0>SUB DWORD PTR SS:[ESP+4],4F
004143CD .  E9 0E432600 JMP ks.006786E0
004143D2 .  816C24 04 6B0>SUB DWORD PTR SS:[ESP+4],6B
004143DA .  E9 81442600 JMP ks.00678860
004143DF .  816C24 04 630>SUB DWORD PTR SS:[ESP+4],63
004143E7 .  E9 54452600 JMP ks.00678940
004143EC .  816C24 04 730>SUB DWORD PTR SS:[ESP+4],73
004143F4 .  E9 87472600 JMP ks.00678B80
004143F9 .  816C24 04 4B0>SUB DWORD PTR SS:[ESP+4],4B
00414401 .  E9 8A492600 JMP ks.00678D90
00414406 .  816C24 04 5B0>SUB DWORD PTR SS:[ESP+4],5B
0041440E .  E9 5D4A2600 JMP ks.00678E70
00414413 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
0041441B .  E9 F04C2600 JMP ks.00679110
00414420 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
00414428 .  E9 834F2600 JMP ks.006793B0
0041442D .  816C24 04 5F0>SUB DWORD PTR SS:[ESP+4],5F
00414435 .  E9 46542600 JMP ks.00679880
0041443A .  816C24 04 430>SUB DWORD PTR SS:[ESP+4],43
00414442 .  E9 A9542600 JMP ks.006798F0
00414447 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
0041444F .  E9 9C552600 JMP ks.006799F0
00414454 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
0041445C .  E9 FF552600 JMP ks.00679A60
----------
0067835E .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00678361 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00678367 .  66:3BF3    CMP SI,BX
0067836A .  0F84 84020000 JE ks.006785F4 ;强制跳,提示激活码错
00678370 .  8B95 38FFFFFF MOV EDX,DWORD PTR SS:[EBP-C8]
00678376 .  57          PUSH EDI
-------------
00678434 .  52          PUSH EDX
00678435 .  50          PUSH EAX
00678436 .  57          PUSH EDI
00678437 .  FF91 20070000 CALL DWORD PTR DS:[ECX+720]
0067843D .  33D2       XOR EDX,EDX
0067843F .  66:83BD 54FFF>CMP WORD PTR SS:[EBP-AC],0FFFF
00678447 .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
--------
00679511 .  8BF0       MOV ESI,EAX
00679513 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00679519 .  66:3BF3    CMP SI,BX
0067951C .  0F84 B6010000 JE ks.006796D8                         ;  no jmp
00679522 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
00679525 .  3BC3       CMP EAX,EBX
00679527 .  75 12       JNZ SHORT ks.0067953B
00679529 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
-----------
0067957B .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F .  66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 .  0F85 C2000000 JNZ ks.0067964B                         ;  no jmp
00679589 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
0067958C .  50          PUSH EAX
0067958D .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
00679593 .  8B7D CC    MOV EDI,DWORD PTR SS:[EBP-34]
---------
006784AE .  8BF0       MOV ESI,EAX
006784B0 .  FF52 60    CALL DWORD PTR DS:[EDX+60]
006784B3 .  3BC3       CMP EAX,EBX
006784B5 .  7D 0F       JGE SHORT ks.006784C6
006784B7 .  6A 60       PUSH 60
006784B9 .  68 98E44100 PUSH ks.0041E498
006784BE .  56          PUSH ESI
006784BF .  50          PUSH EAX
006784C0 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
006784C6 >  68 544E4200 PUSH ks.00424E54                      ;  UNICODE "True"
006784CB .  E8 D05AFAFF CALL ks.0061DFA0
006784D0 .  8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
006784D6 .  8BD0       MOV EDX,EAX
006784D8 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006784DB .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaStrMove>
006784DD .  8B15 D4B06700 MOV EDX,DWORD PTR DS:[67B0D4]
006784E3 .  50          PUSH EAX
006784E4 .  68 40E74100 PUSH ks.0041E740                      ;  UNICODE "Actived"
006784E9 .  68 2CE74100 PUSH ks.0041E72C                      ;  UNICODE "Active"
006784EE .  52          PUSH EDX
006784EF .  FF15 BCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>;  MSVBVM50.__vbaStrI4
006784F5 .  8BD0       MOV EDX,EAX
006784F7 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
006784FA .  FFD6       CALL ESI
006784FC .  50          PUSH EAX
006784FD .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
00678503 .  8BD0       MOV EDX,EAX
00678505 .  8D4D E0    LEA ECX,DWORD PTR SS:[EBP-20]
00678508 .  FFD6       CALL ESI
0067850A .  50          PUSH EAX
------------
00C76EA0 52             PUSH EDX
00C76EA1 C3             RETN
00C76EA2 0000          ADD BYTE PTR DS:[EAX],AL
00C76EA4 B4 64          MOV AH,64
00C76EA6 C700 68AC0000 MOV DWORD PTR DS:[EAX],0AC68
00C76EAC 008B C4508D44 ADD BYTE PTR DS:[EBX+448D50C4],CL
00C76EB2 24 0C          AND AL,0C
00C76EB4 50             PUSH EAX
00C76EB5 B9 FC720474    MOV ECX,740472FC
00C76EBA FFD1          CALL ECX
00C76EBC 59             POP ECX
00C76EBD 0BC0          OR EAX,EAX
00C76EBF 78 0C          JS SHORT 00C76ECD
00C76EC1 8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
00C76EC5 8B00          MOV EAX,DWORD PTR DS:[EAX]
00C76EC7 FFA0 B0020000 JMP DWORD PTR DS:[EAX+2B0]
00C76ECD 5A             POP EDX
00C76ECE 03E1          ADD ESP,ECX
00C76ED0 52             PUSH EDX
00C76ED1 C3             RETN
00C76ED2 0000          ADD BYTE PTR DS:[EAX],AL
00C76ED4 E4 64          IN AL,64                               ; I/O 命令
00C76ED6 C700 68AD0000 MOV DWORD PTR DS:[EAX],0AD68

==========
0066AEC3 .  50          PUSH EAX
0066AEC4 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AECA >  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 .  0F85 B6050000 JNZ ks.0066B48E
0066AED8 .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC .  66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 .  74 0C       JE SHORT ks.0066AEEE
0066AEE2 .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 .  E9 DF050000 JMP ks.0066B4CD
0066AEEE >  BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 .  FFD3       CALL EBX
0066AEF8 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB .  50          PUSH EAX

00195134  46 00 41 00 42 00 51 00 50 00 46 00 44 00 4C 00  FABQPFDL
00195144  51 00 50 00 00 00                               QP.

FGMQP
FGMQP
GEE@XAXDB
DDDGGGMMM 44
FGBQP

25940
==========
00678290 > \55          PUSH EBP                               ;  ACT BTN PUSHED
00678291 .  8BEC       MOV EBP,ESP
00678293 .  83EC 0C    SUB ESP,0C
00678296 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0067829B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
006782A1 .  50          PUSH EAX
006782A2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
006782A9 .  81EC B8000000 SUB ESP,0B8
006782AF .  53          PUSH EBX
006782B0 .  56          PUSH ESI
006782B1 .  57          PUSH EDI

-------------------------------------------------------------------------------
▲文件:0start.txt
-------------------------------------------------------------------------------
ID:
T084J-VE10H-02Q8M-B2G89-2JRW3-58U36
3084J-VT10H-02G8M-W89MV-8BITC-PZS25
9084J-VJ10H-0288M-3J4AD-J5V1K-6BZKU
3084J-V710H-0228M-6784N-7X2LT-AL4U2
F084J-V710H-02D8M-O7T45-7WDJ7-94371
4084J-VW10H-0238M-7W9NQ-W145X-EOLXH
084J-V 10H-02 8M-
硬盘序列号:4JV10H8M
asc:52 74 86 49 48 72 56 77
格式化为:0# 即0字符个数,得到084JV10H8M
然后随机产生其他字符得到ID

激活码格式也为:
5084J-VX10H-0248M-TXZO7-X1J69-26M9I
51D48-V310H-02B8M-BBBBB-OBBBB-BBBBB
O(这个4DH-45H=8H,为HD.SN的长度)
激活码长度必须为35
检验时先去掉中间的-
5084JVX10H0248M TXZO7X1J6926M9I
然后首尾字符换
I9M6296J1X7OZXT M8420H01XVJ4805

字符表:..EFGHIJKLMN...UVWXYZ
然后将'I'的ASC码减2变成G,如果前面没有字符了,就循环回来,例如如果是1就变成9:
I9M62 96J1X 7OZXT得到:G7K40 74H9V 5MXVR
然后替换I9M6296J1X7OZXT M8420H01XVJ4805为
G7K4074H9V5MXVR M8420H01XVJ4805
再处理M8420H01XVJ4805,这一次减4
  得到I4086D67TRF0461
然后替换G7K4074H9V5MXVR M8420H01XVJ4805为(程序在666F21)
G7K4074H9V5MXVR I4086D67TRF0461
再取以上字符第27字符开始的2字符"04"并分析是否是数字
再取以上字符第29字符开始的2字符"61"并分析是否是数字
然好像还有对4和另外一个数字217(0x9D)进行格式化的操作,格式化为000
(得到"004217")

再取左26个字符G7K4074H9V5MXVR I4086D67TRF
然后进行STRCONV把上述UNICODE转换成系统缺省代码页
十六进制代码为:
47 37 4B 34 30 37 34 48 39 56 35 4D 58 56 52 49 34 30 38 36 44 36 37 54 52 46
十进制为:

再进行复杂的运算得到数字字符串'246226'
66839F INTEGER->BYTE
6683CE UBOUND
66845A 开始复杂的INTEGER->BYTE
66851D FORMAT
668560 FORMAT
668088 LENSTR"246226"

进OD发现它拿前26个字符的asc码和0xFFh异或(XOR)

再跟跟:
006670FB .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006670FE .  51          PUSH ECX
006670FF .  FFD7       CALL EDI
00667101 .  50          PUSH EAX
00667102 .  56          PUSH ESI
00667103 .  FF53 30    CALL DWORD PTR DS:[EBX+30]
00667106 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
00667109 .  52          PUSH EDX ;经过复杂运算得到的"246226"
0066710A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066710D .  50          PUSH EAX ;正确校验码6位"004217"
0066710E .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp ;关键比较了,相等时EAX返回0
00667114 .  8BF8       MOV EDI,EAX
00667116 .  F7DF       NEG EDI
00667118 .  1BFF       SBB EDI,EDI
0066711A .  F7DF       NEG EDI
0066711C .  F7DF       NEG EDI
0066711E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667121 .  51          PUSH ECX
00667122 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667125 .  52          PUSH EDX
00667126 .  6A 02       PUSH 2
00667128 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066712E .  83C4 0C    ADD ESP,0C
00667131 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667134 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066713A .  66:85FF    TEST DI,DI
0066713D .  0F85 38010000 JNZ ks.0066727B
00667143 .  C745 B8 01000>MOV DWORD PTR SS:[EBP-48],1
0066714A .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00667151 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
=========
00667034 .  8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0066703A .  50          PUSH EAX
0066703B .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00667041 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
00667047 .  51          PUSH ECX                               ;  生成004223 就是正确校验码
00667048 .  8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0066704E .  52          PUSH EDX
0066704F .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
启动时验证已经输入的KEY
0066AA43 .  68 3C894200 PUSH ks.0042893C
0066AA48 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066AA4B .  50          PUSH EAX
0066AA4C .  FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>;  MSVBVM50.__vbaAryConstruct
0066AA52 .  C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066AA59 .  6A 01       PUSH 1
0066AA5B .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
0066AA61 .  BA 64874200 MOV EDX,ks.00428764                   ;  UNICODE "userflag"
0066AA66 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AA69 .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
0066AA6F .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrCopy>
0066AA71 .  8B4E 40    MOV ECX,DWORD PTR DS:[ESI+40]
0066AA74 .  898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX
0066AA7A .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066AA7D .  52          PUSH EDX
0066AA7E .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066AA81 .  50          PUSH EAX
0066AA82 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
0066AA85 .  51          PUSH ECX
0066AA86 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AA8C .  8BD0       MOV EDX,EAX
0066AA8E .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AA91 .  8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
0066AA97 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaStrMove>
0066AA99 .  50          PUSH EAX
0066AA9A .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AA9F .  68 02000080 PUSH 80000002
0066AAA4 .  57          PUSH EDI
0066AAA5 .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AAAB .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AAAE .  C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AAB5 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066AAB8 .  FFD6       CALL ESI
0066AABA .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066AABD .  52          PUSH EDX
0066AABE .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066AAC1 .  50          PUSH EAX
0066AAC2 .  6A 02       PUSH 2
0066AAC4 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AACA .  83C4 0C    ADD ESP,0C
0066AACD .  8B4D C0    MOV ECX,DWORD PTR SS:[EBP-40]
0066AAD0 .  51          PUSH ECX
0066AAD1 .  68 A4B44100 PUSH ks.0041B4A4
0066AAD6 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AADC .  85C0       TEST EAX,EAX
0066AADE .  0F85 B2000000 JNZ ks.0066AB96
0066AAE4 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AAE7 .  52          PUSH EDX
0066AAE8 .  57          PUSH EDI
0066AAE9 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AAEB .  FF50 50    CALL DWORD PTR DS:[EAX+50]
0066AAEE .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],5
0066AAF8 .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AAFE .  50          PUSH EAX
0066AAFF .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AB05 .  51          PUSH ECX
0066AB06 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AB09 .  52          PUSH EDX
0066AB0A .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AB0F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB15 .  8BD0       MOV EDX,EAX
0066AB17 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB1A .  FFD6       CALL ESI
0066AB1C .  50          PUSH EAX
0066AB1D .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066AB20 .  50          PUSH EAX
0066AB21 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AB27 .  8BD0       MOV EDX,EAX
0066AB29 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AB2C .  FFD6       CALL ESI
0066AB2E .  50          PUSH EAX
0066AB2F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB35 .  8BD0       MOV EDX,EAX
0066AB37 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AB3D .  FFD6       CALL ESI
0066AB3F .  50          PUSH EAX
0066AB40 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AB45 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB4B .  8BD0       MOV EDX,EAX
0066AB4D .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB53 .  FFD6       CALL ESI
0066AB55 .  50          PUSH EAX
0066AB56 .  57          PUSH EDI
0066AB57 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AB59 .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
0066AB5C .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066AB62 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066AB6C .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066AB6F .  FFD6       CALL ESI
0066AB71 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB77 .  51          PUSH ECX
0066AB78 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066AB7E .  52          PUSH EDX
0066AB7F .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AB82 .  50          PUSH EAX
0066AB83 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB86 .  51          PUSH ECX
0066AB87 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AB8A .  52          PUSH EDX
0066AB8B .  6A 05       PUSH 5
0066AB8D .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AB93 .  83C4 18    ADD ESP,18
0066AB96 >  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AB98 .  8B40 60    MOV EAX,DWORD PTR DS:[EAX+60]
0066AB9B .  8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0066ABA1 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ABA4 .  51          PUSH ECX
0066ABA5 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
0066ABA8 .  52          PUSH EDX
0066ABA9 .  57          PUSH EDI
0066ABAA .  FFD0       CALL EAX
0066ABAC .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066ABAF .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066ABB6 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066ABB9 .  FFD6       CALL ESI
0066ABBB .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
0066ABBE .  50          PUSH EAX
0066ABBF .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066ABC5 .  FF15 CCB46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>;  MSVBVM50.__vbaFpR8
0066ABCB .  DC1D 18774000 FCOMP QWORD PTR DS:[407718]
0066ABD1 .  DFE0       FSTSW AX
0066ABD3 .  F6C4 40    TEST AH,40
0066ABD6 .  0F84 C4080000 JE ks.0066B4A0
0066ABDC .  BA B0874200 MOV EDX,ks.004287B0                   ;  UNICODE "userinfo"
0066ABE1 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066ABE4 .  FFD3       CALL EBX
0066ABE6 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066ABE9 .  51          PUSH ECX
0066ABEA .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066ABED .  52          PUSH EDX
0066ABEE .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066ABF1 .  50          PUSH EAX
0066ABF2 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066ABF8 .  8BD0       MOV EDX,EAX
0066ABFA .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ABFD .  FFD6       CALL ESI
0066ABFF .  50          PUSH EAX
0066AC00 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AC05 .  68 02000080 PUSH 80000002
0066AC0A .  57          PUSH EDI
0066AC0B .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AC11 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
;SS取得的USERINFO
;Stack SS:[0012F984]=0016D534, (UNICODE "
DEMA?X#FDE=XEG7M8XG;B7FXF$7D;X@D1AM @EMA?X#-;DE=XEGAM8X!-/:BX-D?CLXGC8L< @EMA?X#-DE=XEGAM8X!-/:BX:D?C")
;EDX=001497A8
0066AC14 .  C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AC1B .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066AC1E .  FFD6       CALL ESI
0066AC20 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC23 .  51          PUSH ECX
0066AC24 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AC27 .  52          PUSH EDX
0066AC28 .  6A 02       PUSH 2
0066AC2A .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AC30 .  83C4 0C    ADD ESP,0C
0066AC33 .  8B45 AC    MOV EAX,DWORD PTR SS:[EBP-54]
0066AC36 .  50          PUSH EAX
0066AC37 .  68 A4B44100 PUSH ks.0041B4A4
0066AC3C .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AC42 .  85C0       TEST EAX,EAX
0066AC44 .  0F85 D1000000 JNZ ks.0066AD1B
0066AC4A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AC4D .  51          PUSH ECX
0066AC4E .  57          PUSH EDI
0066AC4F .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AC51 .  FF50 50    CALL DWORD PTR DS:[EAX+50]
0066AC54 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4
0066AC5E .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066AC64 .  52          PUSH EDX
0066AC65 .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066AC6B .  50          PUSH EAX
0066AC6C .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066AC6F .  51          PUSH ECX
0066AC70 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AC75 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AC7B .  8BD0       MOV EDX,EAX
0066AC7D .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC80 .  FFD6       CALL ESI
0066AC82 .  50          PUSH EAX
0066AC83 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066AC86 .  52          PUSH EDX
0066AC87 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AC8D .  8BD0       MOV EDX,EAX
0066AC8F .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AC92 .  FFD6       CALL ESI
0066AC94 .  50          PUSH EAX
0066AC95 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AC9B .  8BD0       MOV EDX,EAX
0066AC9D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACA3 .  FFD6       CALL ESI
0066ACA5 .  50          PUSH EAX
0066ACA6 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066ACAB .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066ACB1 .  8BD0       MOV EDX,EAX
0066ACB3 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066ACB9 .  FFD6       CALL ESI
0066ACBB .  50          PUSH EAX
0066ACBC .  57          PUSH EDI
0066ACBD .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066ACBF .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
0066ACC2 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066ACC8 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066ACD2 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066ACD5 .  FFD6       CALL ESI
0066ACD7 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066ACDD .  50          PUSH EAX
0066ACDE .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACE4 .  51          PUSH ECX
0066ACE5 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066ACE8 .  52          PUSH EDX
0066ACE9 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066ACEC .  50          PUSH EAX
0066ACED .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ACF0 .  51          PUSH ECX
0066ACF1 .  6A 05       PUSH 5
0066ACF3 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066ACF9 .  83C4 18    ADD ESP,18
0066ACFC .  8B55 AC    MOV EDX,DWORD PTR SS:[EBP-54]
0066ACFF .  52          PUSH EDX
0066AD00 .  68 A4B44100 PUSH ks.0041B4A4
0066AD05 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AD0B .  85C0       TEST EAX,EAX
0066AD0D .  75 0C       JNZ SHORT ks.0066AD1B
0066AD0F .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AD16 .  E9 B2070000 JMP ks.0066B4CD
0066AD1B >  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AD1D .  8B40 68    MOV EAX,DWORD PTR DS:[EAX+68]
0066AD20 .  8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0066AD26 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD2C .  51          PUSH ECX
0066AD2D .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
0066AD30 .  52          PUSH EDX
0066AD31 .  57          PUSH EDI
0066AD32 .  FFD0       CALL EAX
0066AD34 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD3A .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066AD40 .  68 3C044200 PUSH ks.0042043C
0066AD45 .  8D45 DC    LEA EAX,DWORD PTR SS:[EBP-24]
0066AD48 .  50          PUSH EAX
0066AD49 .  8B4D AC    MOV ECX,DWORD PTR SS:[EBP-54]
;ecx="1084J-V310H-02B8M-2N7B3-3QB1N-51D48|5084J-VX10H-0248M-TXZO7-X1J69-26M9I|5084J-VX10H-0248M-TXZO7-O1J6"

0066AD4C .  51          PUSH ECX
0066AD4D .  57          PUSH EDI
0066AD4E .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AD50 .  FF50 64    CALL DWORD PTR DS:[EAX+64]
0066AD53 .  8B45 DC    MOV EAX,DWORD PTR SS:[EBP-24]
0066AD56 .  85C0       TEST EAX,EAX
0066AD58 .  74 31       JE SHORT ks.0066AD8B
0066AD5A .  66:8338 01 CMP WORD PTR DS:[EAX],1
0066AD5E .  75 2B       JNZ SHORT ks.0066AD8B
0066AD60 .  50          PUSH EAX
0066AD61 .  6A 01       PUSH 1
0066AD63 .  FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>;  MSVBVM50.__vbaUbound
0066AD69 .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
0066AD6C .  2B41 14    SUB EAX,DWORD PTR DS:[ECX+14]
0066AD6F .  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AD75 .  3B41 10    CMP EAX,DWORD PTR DS:[ECX+10]
0066AD78 .  72 0C       JB SHORT ks.0066AD86
0066AD7A .  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066AD80 .  8B85 34FFFFFF MOV EAX,DWORD PTR SS:[EBP-CC]
0066AD86 >  C1E0 02    SHL EAX,2
0066AD89 .  EB 06       JMP SHORT ks.0066AD91
0066AD8B >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066AD91 >  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066AD94 .  8B4A 0C    MOV ECX,DWORD PTR DS:[EDX+C]
0066AD97 .  8B1401       MOV EDX,DWORD PTR DS:[ECX+EAX]
0066AD9A .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066AD9D .  FFD3       CALL EBX
0066AD9F .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
;Stack SS:[0012F9D8]=0016D62C, (UNICODE "5084J-VX10H-0248M-TXZO7-O1J69-26M9I")

0066ADA2 .  52          PUSH EDX
0066ADA3 .  68 A4B44100 PUSH ks.0041B4A4 ;41b4a4好像是空单元,用来比较字符串是否为空
0066ADA8 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066ADAE .  85C0       TEST EAX,EAX
0066ADB0 .  0F84 E1060000 JE ks.0066B497
0066ADB6 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0066ADB9 .  85C0       TEST EAX,EAX
0066ADBB .  75 12       JNZ SHORT ks.0066ADCF
0066ADBD .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
0066ADC0 .  50          PUSH EAX
0066ADC1 .  68 F88C4000 PUSH ks.00408CF8
0066ADC6 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066ADCC .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0066ADCF >  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066ADD5 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066ADD7 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066ADDA .  52          PUSH EDX
0066ADDB .  50          PUSH EAX
0066ADDC .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]
0066ADDF .  85C0       TEST EAX,EAX
0066ADE1 .  7D 15       JGE SHORT ks.0066ADF8
0066ADE3 .  6A 1C       PUSH 1C
0066ADE5 .  68 D4874200 PUSH ks.004287D4
0066ADEA .  8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066ADF0 .  51          PUSH ECX
0066ADF1 .  50          PUSH EAX
0066ADF2 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066ADF8 >  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066ADFB .  85C0       TEST EAX,EAX
0066ADFD .  75 12       JNZ SHORT ks.0066AE11
0066ADFF .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066AE02 .  52          PUSH EDX
0066AE03 .  68 748B4000 PUSH ks.00408B74
0066AE08 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066AE0E .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE11 >  8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066AE17 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066AE19 .  8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE1F .  52          PUSH EDX
0066AE20 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
;ss=5084J-VX10H-0248M-TXZO7-O1J69-26M9I ;这是输入的激活码
0066AE23 .  52          PUSH EDX
0066AE24 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
;ss='4JV10H8M'硬盘序列号
0066AE27 .  52          PUSH EDX
0066AE28 .  50          PUSH EAX
0066AE29 .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]             ;  16e084出现004223
;应该是算字符的CALL,入口666ba0
0066AE2C .  85C0       TEST EAX,EAX
0066AE2E .  7D 15       JGE SHORT ks.0066AE45
0066AE30 .  6A 1C       PUSH 1C
0066AE32 .  68 00874200 PUSH ks.00428700
0066AE37 .  8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
0066AE3D .  51          PUSH ECX
0066AE3E .  50          PUSH EAX
0066AE3F .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AE45 >  33D2       XOR EDX,EDX
0066AE47 .  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AE4F .  0F94C2       SETE DL
0066AE52 .  F7DA       NEG EDX
0066AE54 .  8995 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EDX
0066AE5A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AE5D .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066AE63 .  66:83BD 24FFF>CMP WORD PTR SS:[EBP-DC],0
0066AE6B .  0F84 1D060000 JE ks.0066B48E
0066AE71 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE74 .  85C0       TEST EAX,EAX
0066AE76 .  75 12       JNZ SHORT ks.0066AE8A
0066AE78 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
0066AE7B .  50          PUSH EAX
0066AE7C .  68 748B4000 PUSH ks.00408B74
0066AE81 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066AE87 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE8A >  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AE90 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066AE92 .  8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE98 .  52          PUSH EDX
0066AE99 .  8D55 CC    LEA EDX,DWORD PTR SS:[EBP-34]
0066AE9C .  52          PUSH EDX
0066AE9D .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
0066AEA0 .  52          PUSH EDX
0066AEA1 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
0066AEA4 .  52          PUSH EDX
0066AEA5 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066AEA8 .  52          PUSH EDX
0066AEA9 .  8D55 D8    LEA EDX,DWORD PTR SS:[EBP-28]
0066AEAC .  52          PUSH EDX
0066AEAD .  50          PUSH EAX
0066AEAE .  FF51 20    CALL DWORD PTR DS:[ECX+20]
0066AEB1 .  85C0       TEST EAX,EAX
0066AEB3 .  7D 15       JGE SHORT ks.0066AECA
0066AEB5 .  6A 20       PUSH 20
0066AEB7 .  68 00874200 PUSH ks.00428700
0066AEBC .  8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066AEC2 .  51          PUSH ECX
0066AEC3 .  50          PUSH EAX
0066AEC4 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AECA >  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 .  0F85 B6050000 JNZ ks.0066B48E
0066AED8 .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC .  66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 .  74 0C       JE SHORT ks.0066AEEE
0066AEE2 .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 .  E9 DF050000 JMP ks.0066B4CD
0066AEEE >  BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 .  FFD3       CALL EBX
0066AEF8 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB .  50          PUSH EAX
0066AEFC .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEFF .  51          PUSH ECX
0066AF00 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066AF03 .  52          PUSH EDX
0066AF04 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AF0A .  8BD0       MOV EDX,EAX
0066AF0C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF0F .  FFD6       CALL ESI
0066AF11 .  50          PUSH EAX
0066AF12 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AF17 .  68 02000080 PUSH 80000002
0066AF1C .  57          PUSH EDI
0066AF1D .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AF23 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AF26 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066AF29 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066AF2C .  FFD3       CALL EBX
0066AF2E .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AF31 .  51          PUSH ECX
0066AF32 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066AF35 .  52          PUSH EDX
0066AF36 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066AF39 .  50          PUSH EAX
0066AF3A .  6A 03       PUSH 3
0066AF3C .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AF42 .  83C4 10    ADD ESP,10
0066AF45 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF48 .  51          PUSH ECX
0066AF49 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066AF4C .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066AF4F .  50          PUSH EAX
0066AF50 .  57          PUSH EDI
0066AF51 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066AF57 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AF5A .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066AF5D .  83C1 04    ADD ECX,4
0066AF60 .  FFD3       CALL EBX
0066AF62 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF65 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066AF6B .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066AF6E .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066AF71 .  50          PUSH EAX
0066AF72 .  68 A4B44100 PUSH ks.0041B4A4
0066AF77 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AF7D .  85C0       TEST EAX,EAX
0066AF7F .  0F84 09050000 JE ks.0066B48E
0066AF85 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AF87 .  8B40 50    MOV EAX,DWORD PTR DS:[EAX+50]
0066AF8A .  8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
0066AF90 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF93 .  51          PUSH ECX
0066AF94 .  57          PUSH EDI
0066AF95 .  FFD0       CALL EAX
0066AF97 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],1
0066AFA1 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AFA3 .  8B50 4C    MOV EDX,DWORD PTR DS:[EAX+4C]
0066AFA6 .  8995 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EDX
0066AFAC .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AFB2 .  50          PUSH EAX
0066AFB3 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AFB9 .  51          PUSH ECX
0066AFBA .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AFBD .  52          PUSH EDX
0066AFBE .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AFC3 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFC9 .  8BD0       MOV EDX,EAX
0066AFCB .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AFCE .  FFD6       CALL ESI
0066AFD0 .  50          PUSH EAX
0066AFD1 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066AFD4 .  50          PUSH EAX
0066AFD5 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AFDB .  8BD0       MOV EDX,EAX
0066AFDD .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AFE0 .  FFD6       CALL ESI
0066AFE2 .  50          PUSH EAX
0066AFE3 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFE9 .  8BD0       MOV EDX,EAX
0066AFEB .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AFF1 .  FFD6       CALL ESI
0066AFF3 .  50          PUSH EAX
0066AFF4 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AFF9 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFFF .  8BD0       MOV EDX,EAX
0066B001 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B007 .  FFD6       CALL ESI
0066B009 .  50          PUSH EAX
0066B00A .  57          PUSH EDI
0066B00B .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B011 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B017 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B01A .  83C1 08    ADD ECX,8
0066B01D .  FFD3       CALL EBX
0066B01F .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B025 .  52          PUSH EDX
0066B026 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B02C .  50          PUSH EAX
0066B02D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B033 .  51          PUSH ECX
0066B034 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B037 .  52          PUSH EDX
0066B038 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B03B .  50          PUSH EAX
0066B03C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B03F .  51          PUSH ECX
0066B040 .  6A 06       PUSH 6
0066B042 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B048 .  83C4 1C    ADD ESP,1C
0066B04B .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B04E .  52          PUSH EDX
0066B04F .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B052 .  8B48 08    MOV ECX,DWORD PTR DS:[EAX+8]
0066B055 .  51          PUSH ECX
0066B056 .  57          PUSH EDI
0066B057 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B05D .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B060 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B063 .  8D48 08    LEA ECX,DWORD PTR DS:[EAX+8]
0066B066 .  FFD3       CALL EBX
0066B068 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B06B .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B071 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B074 .  8B51 08    MOV EDX,DWORD PTR DS:[ECX+8]
0066B077 .  52          PUSH EDX
0066B078 .  68 A4B44100 PUSH ks.0041B4A4
0066B07D .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B083 .  85C0       TEST EAX,EAX
0066B085 .  0F84 03040000 JE ks.0066B48E
0066B08B .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B08E .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B091 .  51          PUSH ECX
0066B092 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0066B095 .  52          PUSH EDX
0066B096 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B09C .  85C0       TEST EAX,EAX
0066B09E .  0F85 EA030000 JNZ ks.0066B48E
0066B0A4 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B0A7 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B0AA .  51          PUSH ECX
0066B0AB .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066B0B1 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
0066B0B7 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0066B0BA .  BA A4B44100 MOV EDX,ks.0041B4A4
0066B0BF .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B0C2 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066B0C5 .  FFD3       CALL EBX
0066B0C7 .  BA A4B44100 MOV EDX,ks.0041B4A4
0066B0CC .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B0CF .  83C1 08    ADD ECX,8
0066B0D2 .  FFD3       CALL EBX
0066B0D4 .  BA 24894200 MOV EDX,ks.00428924                   ;  UNICODE "userinfo2"
0066B0D9 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B0DC .  FFD3       CALL EBX
0066B0DE .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B0E1 .  52          PUSH EDX
0066B0E2 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B0E5 .  50          PUSH EAX
0066B0E6 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
0066B0E9 .  51          PUSH ECX
0066B0EA .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B0F0 .  8BD0       MOV EDX,EAX
0066B0F2 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B0F5 .  FFD6       CALL ESI
0066B0F7 .  50          PUSH EAX
0066B0F8 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066B0FD .  68 02000080 PUSH 80000002
0066B102 .  57          PUSH EDI
0066B103 .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066B109 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066B10C .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B10F .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066B112 .  FFD3       CALL EBX
0066B114 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B117 .  51          PUSH ECX
0066B118 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066B11B .  52          PUSH EDX
0066B11C .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066B11F .  50          PUSH EAX
0066B120 .  6A 03       PUSH 3
0066B122 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B128 .  83C4 10    ADD ESP,10
0066B12B .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B12E .  51          PUSH ECX
0066B12F .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B132 .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B135 .  50          PUSH EAX
0066B136 .  57          PUSH EDI
0066B137 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B13D .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B140 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B143 .  83C1 04    ADD ECX,4
0066B146 .  FFD3       CALL EBX
0066B148 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B14B .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B151 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B154 .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B157 .  50          PUSH EAX
0066B158 .  68 A4B44100 PUSH ks.0041B4A4
0066B15D .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B163 .  85C0       TEST EAX,EAX
0066B165 .  0F84 23030000 JE ks.0066B48E
0066B16B .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B16E .  51          PUSH ECX
0066B16F .  57          PUSH EDI
0066B170 .  FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B176 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],2
0066B180 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B186 .  52          PUSH EDX
0066B187 .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066B18D .  50          PUSH EAX
0066B18E .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066B191 .  51          PUSH ECX
0066B192 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066B197 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B19D .  8BD0       MOV EDX,EAX
0066B19F .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B1A2 .  FFD6       CALL ESI
0066B1A4 .  50          PUSH EAX
0066B1A5 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066B1A8 .  52          PUSH EDX
0066B1A9 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B1AF .  8BD0       MOV EDX,EAX
0066B1B1 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B1B4 .  FFD6       CALL ESI
0066B1B6 .  50          PUSH EAX
0066B1B7 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B1BD .  8BD0       MOV EDX,EAX
0066B1BF .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B1C5 .  FFD6       CALL ESI
0066B1C7 .  50          PUSH EAX
0066B1C8 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066B1CD .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B1D3 .  8BD0       MOV EDX,EAX
0066B1D5 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B1DB .  FFD6       CALL ESI
0066B1DD .  50          PUSH EAX
0066B1DE .  57          PUSH EDI
0066B1DF .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B1E5 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B1EB .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B1EE .  8D48 08    LEA ECX,DWORD PTR DS:[EAX+8]
0066B1F1 .  FFD3       CALL EBX
0066B1F3 .  8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0066B1F9 .  51          PUSH ECX
0066B1FA .  8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
0066B200 .  52          PUSH EDX
0066B201 .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0066B207 .  50          PUSH EAX
0066B208 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B20B .  51          PUSH ECX
0066B20C .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066B20F .  52          PUSH EDX
0066B210 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066B213 .  50          PUSH EAX
0066B214 .  6A 06       PUSH 6
0066B216 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B21C .  83C4 1C    ADD ESP,1C
0066B21F .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B222 .  51          PUSH ECX
0066B223 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B226 .  8B42 08    MOV EAX,DWORD PTR DS:[EDX+8]
0066B229 .  50          PUSH EAX
0066B22A .  57          PUSH EDI
0066B22B .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B231 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B234 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B237 .  83C1 08    ADD ECX,8
0066B23A .  FFD3       CALL EBX
0066B23C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B23F .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B245 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B248 .  8B42 08    MOV EAX,DWORD PTR DS:[EDX+8]
0066B24B .  50          PUSH EAX
0066B24C .  68 A4B44100 PUSH ks.0041B4A4
0066B251 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B257 .  85C0       TEST EAX,EAX
0066B259 .  0F84 2F020000 JE ks.0066B48E
0066B25F .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B262 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B265 .  51          PUSH ECX
0066B266 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0066B269 .  52          PUSH EDX
0066B26A .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B270 .  85C0       TEST EAX,EAX
0066B272 .  0F85 2F020000 JNZ ks.0066B4A7
0066B278 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B27B .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B27E .  51          PUSH ECX
0066B27F .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066B285 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
0066B28B .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
0066B28E .  8B4D 8C    MOV ECX,DWORD PTR SS:[EBP-74]
0066B291 .  66:85C9    TEST CX,CX
0066B294 .  0F8E EB010000 JLE ks.0066B485
0066B29A .  66:85C0    TEST AX,AX
0066B29D .  0F8E E2010000 JLE ks.0066B485
0066B2A3 .  66:837D 18 FF CMP WORD PTR SS:[EBP+18],0FFFF
0066B2A8 .  0F85 CE010000 JNZ ks.0066B47C
0066B2AE .  66:49       DEC CX
0066B2B0 .  0F80 F7020000 JO ks.0066B5AD
0066B2B6 .  894D 8C    MOV DWORD PTR SS:[EBP-74],ECX
0066B2B9 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B2BC .  52          PUSH EDX
0066B2BD .  57          PUSH EDI
0066B2BE .  FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B2C4 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],3
0066B2CE .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B2D4 .  50          PUSH EAX
0066B2D5 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B2DB .  51          PUSH ECX
0066B2DC .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B2DF .  52          PUSH EDX
0066B2E0 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066B2E5 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B2EB .  8BD0       MOV EDX,EAX
0066B2ED .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B2F0 .  FFD6       CALL ESI
0066B2F2 .  50          PUSH EAX
0066B2F3 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066B2F6 .  50          PUSH EAX
0066B2F7 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B2FD .  8BD0       MOV EDX,EAX
0066B2FF .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B302 .  FFD6       CALL ESI
0066B304 .  50          PUSH EAX
0066B305 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B30B .  8BD0       MOV EDX,EAX
0066B30D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B313 .  FFD6       CALL ESI
0066B315 .  50          PUSH EAX
0066B316 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066B31B .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B321 .  8BD0       MOV EDX,EAX
0066B323 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B329 .  FFD6       CALL ESI
0066B32B .  50          PUSH EAX
0066B32C .  57          PUSH EDI
0066B32D .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B333 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B339 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B33C .  83C1 04    ADD ECX,4
0066B33F .  FFD3       CALL EBX
0066B341 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B347 .  52          PUSH EDX
0066B348 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B34E .  50          PUSH EAX
0066B34F .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B355 .  51          PUSH ECX
0066B356 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B359 .  52          PUSH EDX
0066B35A .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B35D .  50          PUSH EAX
0066B35E .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B361 .  51          PUSH ECX
0066B362 .  6A 06       PUSH 6
0066B364 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B36A .  83C4 1C    ADD ESP,1C
0066B36D .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B373 .  52          PUSH EDX
0066B374 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B377 .  83C0 04    ADD EAX,4
0066B37A .  50          PUSH EAX
0066B37B .  57          PUSH EDI
0066B37C .  FF95 F4FEFFFF CALL DWORD PTR SS:[EBP-10C]
0066B382 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B388 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B38E .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B394 .  51          PUSH ECX
0066B395 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066B39B .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B39E .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B3A1 .  50          PUSH EAX
0066B3A2 .  FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>;  MSVBVM50.__vbaDateStr
0066B3A8 .  DD9D 48FFFFFF FSTP QWORD PTR SS:[EBP-B8]
0066B3AE .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],8007
0066B3B8 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3BE .  51          PUSH ECX
0066B3BF .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0066B3C5 .  52          PUSH EDX
0066B3C6 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
0066B3CC .  8BD8       MOV EBX,EAX
0066B3CE .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3D4 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B3DA .  66:85DB    TEST BX,BX
0066B3DD .  74 0F       JE SHORT ks.0066B3EE
0066B3DF .  66:8B45 B4 MOV AX,WORD PTR SS:[EBP-4C]
0066B3E3 .  66:48       DEC AX
0066B3E5 .  0F80 C2010000 JO ks.0066B5AD
0066B3EB .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
0066B3EE >  8B4D 8C    MOV ECX,DWORD PTR SS:[EBP-74]
0066B3F1 .  51          PUSH ECX
0066B3F2 .  8B1D B0B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrI2
0066B3F8 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrI2>
0066B3FA .  8BD0       MOV EDX,EAX
0066B3FC .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066B3FF .  FFD6       CALL ESI
0066B401 .  8B55 B4    MOV EDX,DWORD PTR SS:[EBP-4C]
0066B404 .  52          PUSH EDX
0066B405 .  FFD3       CALL EBX
0066B407 .  8BD0       MOV EDX,EAX
0066B409 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066B40C .  FFD6       CALL ESI
0066B40E .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B414 .  50          PUSH EAX
0066B415 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066B41B .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B421 .  51          PUSH ECX
0066B422 .  FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>;  MSVBVM50.__vbaStrErrVarCopy
0066B428 .  8BD0       MOV EDX,EAX
0066B42A .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066B42D .  FFD6       CALL ESI
0066B42F .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B435 .  52          PUSH EDX
0066B436 .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B43C .  50          PUSH EAX
0066B43D .  6A 02       PUSH 2
0066B43F .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066B445 .  83C4 0C    ADD ESP,0C
0066B448 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B44E .  51          PUSH ECX
0066B44F .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
0066B452 .  52          PUSH EDX
0066B453 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066B456 .  50          PUSH EAX
0066B457 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
0066B45A .  51          PUSH ECX
0066B45B .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066B45E .  52          PUSH EDX
0066B45F .  8B45 B0    MOV EAX,DWORD PTR SS:[EBP-50]
0066B462 .  50          PUSH EAX
0066B463 .  57          PUSH EDI
0066B464 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066B466 .  FF50 28    CALL DWORD PTR DS:[EAX+28]
0066B469 .  85C0       TEST EAX,EAX
0066B46B .  7D 0F       JGE SHORT ks.0066B47C
0066B46D .  6A 28       PUSH 28
0066B46F .  68 C4E94100 PUSH ks.0041E9C4
0066B474 .  57          PUSH EDI
0066B475 .  50          PUSH EAX
0066B476 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066B47C >  C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0066B483 .  EB 48       JMP SHORT ks.0066B4CD
0066B485 >  C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B48C .  EB 3F       JMP SHORT ks.0066B4CD
0066B48E >  C745 B8 EB030>MOV DWORD PTR SS:[EBP-48],3EB
0066B495 .  EB 10       JMP SHORT ks.0066B4A7
0066B497 >  C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B49E .  EB 07       JMP SHORT ks.0066B4A7
0066B4A0 >  C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066B4A7 >  FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>]    ;  MSVBVM50.rtcErrObj
0066B4AD .  50          PUSH EAX
0066B4AE .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4B4 .  51          PUSH ECX
0066B4B5 .  FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
0066B4BB .  8B10       MOV EDX,DWORD PTR DS:[EAX]
0066B4BD .  50          PUSH EAX
0066B4BE .  FF52 48    CALL DWORD PTR DS:[EDX+48]
0066B4C1 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4C7 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
0066B4CD >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
0066B4D3 .  9B          WAIT
0066B4D4 .  68 84B56600 PUSH ks.0066B584
0066B4D9 .  EB 52       JMP SHORT ks.0066B52D
0066B4DB .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B4E1 .  50          PUSH EAX
0066B4E2 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B4E8 .  51          PUSH ECX
0066B4E9 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066B4EF .  52          PUSH EDX
0066B4F0 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066B4F3 .  50          PUSH EAX
0066B4F4 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B4F7 .  51          PUSH ECX
0066B4F8 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B4FB .  52          PUSH EDX
0066B4FC .  6A 06       PUSH 6
0066B4FE .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B504 .  83C4 1C    ADD ESP,1C
0066B507 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B50D .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
0066B513 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
0066B519 .  50          PUSH EAX
0066B51A .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B520 .  51          PUSH ECX
0066B521 .  6A 02       PUSH 2
0066B523 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066B529 .  83C4 0C    ADD ESP,0C
0066B52C .  C3          RETN
0066B52D >  8D55 DC    LEA EDX,DWORD PTR SS:[EBP-24]
0066B530 .  52          PUSH EDX
0066B531 .  6A 00       PUSH 0
0066B533 .  8B3D 50B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaAr>;  MSVBVM50.__vbaAryDestruct
0066B539 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaAryDestruct>
0066B53B .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066B53E .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
0066B544 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
0066B546 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066B549 .  FFD6       CALL ESI
0066B54B .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066B54E .  FFD6       CALL ESI
0066B550 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0066B553 .  8B1D 14B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeObj
0066B559 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaFreeObj>
0066B55B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066B55E .  FFD6       CALL ESI
0066B560 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
0066B563 .  FFD3       CALL EBX
0066B565 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066B568 .  FFD6       CALL ESI
0066B56A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066B56D .  FFD6       CALL ESI
0066B56F .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066B572 .  8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EAX
0066B578 .  8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0066B57E .  51          PUSH ECX
0066B57F .  6A 00       PUSH 0
0066B581 .  FFD7       CALL EDI
0066B583 .  C3          RETN

....
00666F84 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
00666F8A .  50          PUSH EAX
00666F8B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00666F8E .  51          PUSH ECX
00666F8F .  FFD7       CALL EDI
00666F91 .  50          PUSH EAX
00666F92 .  56          PUSH ESI
00666F93 .  FF53 34    CALL DWORD PTR DS:[EBX+34]
00666F96 .  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],ks.0042872C ;  UNICODE "000"
00666FA0 .  C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],8
00666FAA .  8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00666FB0 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
00666FB3 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
00666FB9 .  66:8B95 8CFEF>MOV DX,WORD PTR SS:[EBP-174]
00666FC0 .  66:8955 98 MOV WORD PTR SS:[EBP-68],DX
00666FC4 .  C745 90 02000>MOV DWORD PTR SS:[EBP-70],2
00666FCB .  6A 01       PUSH 1
00666FCD .  6A 01       PUSH 1
00666FCF .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
00666FD2 .  50          PUSH EAX
00666FD3 .  8D4D 90    LEA ECX,DWORD PTR SS:[EBP-70]
00666FD6 .  51          PUSH ECX
00666FD7 .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00666FDD .  52          PUSH EDX
00666FDE .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00666FE4 .  C785 98FEFFFF>MOV DWORD PTR SS:[EBP-168],ks.0042872C ;  UNICODE "000"
00666FEE .  C785 90FEFFFF>MOV DWORD PTR SS:[EBP-170],8
00666FF8 .  8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170]
00666FFE .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00667004 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
0066700A .  66:8B85 88FEF>MOV AX,WORD PTR SS:[EBP-178] ;12F754=>0D9H=217
00667011 .  66:8985 48FFF>MOV WORD PTR SS:[EBP-B8],AX
00667018 .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],2
00667022 .  6A 01       PUSH 1
00667024 .  6A 01       PUSH 1
00667026 .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
0066702C .  51          PUSH ECX
0066702D .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
00667033 .  52          PUSH EDX
-------------------------------------------------------------------------------
▲文件:1-666BA0.txt
-------------------------------------------------------------------------------
00666BA0.....
00666BF2 .  897D B0    MOV DWORD PTR SS:[EBP-50],EDI
00666BF5 .  897D A0    MOV DWORD PTR SS:[EBP-60],EDI
00666BF8 .  897D 90    MOV DWORD PTR SS:[EBP-70],EDI
00666BFB .  897D 80    MOV DWORD PTR SS:[EBP-80],EDI
00666BFE .  89BD 70FFFFFF MOV DWORD PTR SS:[EBP-90],EDI
00666C04 .  89BD 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EDI
00666C0A .  89BD 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EDI
00666C10 .  89BD 40FFFFFF MOV DWORD PTR SS:[EBP-C0],EDI
00666C16 .  89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EDI
00666C1C .  89BD 20FFFFFF MOV DWORD PTR SS:[EBP-E0],EDI
00666C22 .  89BD 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EDI
00666C28 .  89BD 00FFFFFF MOV DWORD PTR SS:[EBP-100],EDI
00666C2E .  89BD E0FEFFFF MOV DWORD PTR SS:[EBP-120],EDI
00666C34 .  89BD D0FEFFFF MOV DWORD PTR SS:[EBP-130],EDI
00666C3A .  89BD C0FEFFFF MOV DWORD PTR SS:[EBP-140],EDI
00666C40 .  89BD 90FEFFFF MOV DWORD PTR SS:[EBP-170],EDI
00666C46 .  89BD 8CFEFFFF MOV DWORD PTR SS:[EBP-174],EDI
00666C4C .  89BD 88FEFFFF MOV DWORD PTR SS:[EBP-178],EDI
00666C52 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00666C55 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00666C58 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00666C5E .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
00666C61 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666C64 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00666C6A .  6A 01       PUSH 1
00666C6C .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
00666C72 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00666C75 .  8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00666C7B .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666C85 .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00666C8B .  51          PUSH ECX
00666C8C .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
00666C8F .  52          PUSH EDX
00666C90 .  FF15 F8B46800 CALL DWORD PTR DS:[<&MSVBVM50.#528>]    ;  MSVBVM50.rtcUpperCaseVar
00666C96 .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00666C99 .  50          PUSH EAX
00666C9A .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
00666CA0 .  8BD0       MOV EDX,EAX
;eax=5084J-VX10H-0248M-TXZO7-O1J69-26M9I ;这是输入的激活码
00666CA2 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666CA5 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00666CAB .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00666CAE .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00666CB4 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
00666CB7 .  51          PUSH ECX
00666CB8 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
00666CBE .  83F8 23    CMP EAX,23 ;是23h=35个字符吗?
00666CC1 .  0F85 B4050000 JNZ ks.0066727B ;不是就不对
00666CC7 .  C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],-1
00666CD1 .  8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00666CD7 .  52          PUSH EDX
00666CD8 .  68 9C414200 PUSH ks.0042419C ;42419c=2Dh就是字符"-"
00666CDD .  8D45 E0    LEA EAX,DWORD PTR SS:[EBP-20]
00666CE0 .  50          PUSH EAX
00666CE1 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
00666CE4 .  51          PUSH ECX
00666CE5 .  56          PUSH ESI
00666CE6 .  FF53 40    CALL DWORD PTR DS:[EBX+40]
;复杂运算CALL 入口:668ef0
00666CE9 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
00666CEC .  52          PUSH EDX
00666CED .  6A 01       PUSH 1
00666CEF .  8B1D D8B56800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaUb>;  MSVBVM50.__vbaUbound
00666CF5 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaUbound>
00666CF7 .  83F8 06    CMP EAX,6
00666CFA .  0F85 7B050000 JNZ ks.0066727B
00666D00 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
00666D03 .  50          PUSH EAX
00666D04 .  6A 01       PUSH 1
00666D06 .  FFD3       CALL EBX
00666D08 .  8BC8       MOV ECX,EAX
00666D0A .  FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>;  MSVBVM50.__vbaI2I4
00666D10 .  8985 7CFEFFFF MOV DWORD PTR SS:[EBP-184],EAX
00666D16 .  BB 01000000 MOV EBX,1
00666D1B .  895D DC    MOV DWORD PTR SS:[EBP-24],EBX
__>00666D1E >  66:3B9D 7CFEF>CMP BX,WORD PTR SS:[EBP-184]
00666D25 .  7F 61       JG SHORT ks.00666D88
00666D27 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00666D2A .  3BCF       CMP ECX,EDI
00666D2C .  74 26       JE SHORT ks.00666D54
00666D2E .  66:8339 01 CMP WORD PTR DS:[ECX],1
00666D32 .  75 20       JNZ SHORT ks.00666D54
00666D34 .  0FBFDB       MOVSX EBX,BX
00666D37 .  2B59 14    SUB EBX,DWORD PTR DS:[ECX+14]
00666D3A .  3B59 10    CMP EBX,DWORD PTR DS:[ECX+10]
00666D3D .  72 09       JB SHORT ks.00666D48
00666D3F .  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
00666D45 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00666D48 >  8D049D 000000>LEA EAX,DWORD PTR DS:[EBX*4]
00666D4F .  8B5D DC    MOV EBX,DWORD PTR SS:[EBP-24]
00666D52 .  EB 09       JMP SHORT ks.00666D5D
00666D54 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
00666D5A .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00666D5D >  8B49 0C    MOV ECX,DWORD PTR DS:[ECX+C]
00666D60 .  8B1401       MOV EDX,DWORD PTR DS:[ECX+EAX]
00666D63 .  52          PUSH EDX
00666D64 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
;len "5084J"
00666D6A .  83F8 05    CMP EAX,5 ;是5个字符吗?
00666D6D .  0F85 08050000 JNZ ks.0066727B
00666D73 .  B8 01000000 MOV EAX,1
00666D78 .  66:03C3    ADD AX,BX
00666D7B .  0F80 B2050000 JO ks.00667333
00666D81 .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
00666D84 .  8BD8       MOV EBX,EAX
__>00666D86 .^ EB 96       JMP SHORT ks.00666D1E ;循环检查每6个字符里的字符是否为5个
00666D88 >  66:897E 34 MOV WORD PTR DS:[ESI+34],DI
00666D8C .  66:897E 36 MOV WORD PTR DS:[ESI+36],DI
00666D90 .  66:897E 38 MOV WORD PTR DS:[ESI+38],DI
00666D94 .  66:897E 3A MOV WORD PTR DS:[ESI+3A],DI
00666D98 .  66:897E 3C MOV WORD PTR DS:[ESI+3C],DI
00666D9C .  8B1E       MOV EBX,DWORD PTR DS:[ESI]
00666D9E .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00666DA1 .  50          PUSH EAX
00666DA2 .  6A 01       PUSH 1
00666DA4 .  68 A4B44100 PUSH ks.0041B4A4
00666DA9 .  68 9C414200 PUSH ks.0042419C
00666DAE .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
;Stack SS:[0012F894]=0016D9B4, (UNICODE "5084J-VX10H-0248M-TXZO7-O1J69-26M9I")
00666DB1 .  51          PUSH ECX
00666DB2 .  56          PUSH ESI
00666DB3 .  FF53 44    CALL DWORD PTR DS:[EBX+44] ;call到669405
00666DB6 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
00666DB9 .  52          PUSH EDX
00666DBA .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
00666DBD .  50          PUSH EAX
;EAX=0016C344  UNICODE "5084JVX10H0248MTXZO7O1J6926M9I" 去掉了'-'
00666DBE .  56          PUSH ESI
00666DBF .  FF53 28    CALL DWORD PTR DS:[EBX+28]
00666DC2 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
00666DC5 .  897D C0    MOV DWORD PTR SS:[EBP-40],EDI
00666DC8 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666DCB .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00666DD1 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00666DD4 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00666DDA .  C745 B8 0F000>MOV DWORD PTR SS:[EBP-48],0F
00666DE1 .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00666DE8 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666DEB .  898D 08FFFFFF MOV DWORD PTR SS:[EBP-F8],ECX
00666DF1 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666DFB .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
00666DFE .  52          PUSH EDX
00666DFF .  6A 01       PUSH 1
00666E01 .  8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
00666E07 .  50          PUSH EAX
00666E08 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00666E0B .  51          PUSH ECX
00666E0C .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取左0FH(15)个字符UNICODE "I9M6296J1O7OZXTM8420H01XVJ4805"
;I9M6296J1O7OZXT,结果在[esp-20]
00666E12 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
;EDX=1Eh=30
00666E15 .  52          PUSH EDX
00666E16 .  6A FE       PUSH -2
00666E18 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00666E1B .  50          PUSH EAX
00666E1C .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00666E1F .  51          PUSH ECX
00666E20 .  8B3D DCB56800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrVarVal
00666E26 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrVarVal>
;EAX=0016B9D4  UNICODE "I9M6296J1O7OZXT"翻转后的前半部分
00666E28 .  50          PUSH EAX
00666E29 .  56          PUSH ESI
00666E2A .  FF53 2C    CALL DWORD PTR DS:[EBX+2C]
00666E2D .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
;edx=0016B98C  UNICODE "G7K4074H9M5MXVR"翻转后的后半部分
00666E30 .  52          PUSH EDX
00666E31 .  6A 01       PUSH 1
00666E33 .  6A 0F       PUSH 0F
00666E35 .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
00666E38 .  50          PUSH EAX
00666E39 .  6A 00       PUSH 0
00666E3B .  FF15 08B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaMidSt>;  MSVBVM50.__vbaMidStmtBstr
00666E41 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00666E44 .  51          PUSH ECX
00666E45 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00666E48 .  52          PUSH EDX
00666E49 .  6A 02       PUSH 2
00666E4B .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00666E51 .  83C4 0C    ADD ESP,0C
00666E54 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00666E57 .  50          PUSH EAX
00666E58 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00666E5B .  51          PUSH ECX
00666E5C .  6A 02       PUSH 2
00666E5E .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00666E64 .  83C4 0C    ADD ESP,0C
00666E67 .  C745 B8 04000>MOV DWORD PTR SS:[EBP-48],80020004
00666E6E .  C745 B0 0A000>MOV DWORD PTR SS:[EBP-50],0A
00666E75 .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
00666E78 .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
00666E7E .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666E88 .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00666E8B .  50          PUSH EAX
00666E8C .  6A 10       PUSH 10
00666E8E .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00666E94 .  51          PUSH ECX
00666E95 .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
00666E98 .  52          PUSH EDX
00666E99 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取UNICODE "G7K4074H9M5MXVRM8420H01XVJ4805"右8个字符M8420H01XVJ4805,结果在[esp-20]
;EDX=1E=30
00666E9F .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
00666EA2 .  50          PUSH EAX
00666EA3 .  6A FC       PUSH -4
00666EA5 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00666EA8 .  51          PUSH ECX
00666EA9 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00666EAC .  52          PUSH EDX
00666EAD .  FFD7       CALL EDI
00666EAF .  50          PUSH EAX
00666EB0 .  56          PUSH ESI
00666EB1 .  FF53 2C    CALL DWORD PTR DS:[EBX+2C]
00666EB4 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
;EDX=0016B9D4  UNICODE "I4086D67TRF0461"
00666EB7 .  50          PUSH EAX
00666EB8 .  6A 10       PUSH 10
00666EBA .  68 FFFFFF3F PUSH 3FFFFFFF
00666EBF .  8B4D C0    MOV ECX,DWORD PTR SS:[EBP-40]
00666EC2 .  51          PUSH ECX
00666EC3 .  6A 00       PUSH 0
00666EC5 .  FF15 08B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaMidSt>;  MSVBVM50.__vbaMidStmtBstr
00666ECB .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
00666ECE .  52          PUSH EDX
00666ECF .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00666ED2 .  50          PUSH EAX
00666ED3 .  6A 02       PUSH 2
00666ED5 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00666EDB .  83C4 0C    ADD ESP,0C
00666EDE .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00666EE1 .  51          PUSH ECX
00666EE2 .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
00666EE5 .  52          PUSH EDX
00666EE6 .  6A 02       PUSH 2
00666EE8 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00666EEE .  83C4 0C    ADD ESP,0C
00666EF1 .  B8 02000000 MOV EAX,2
00666EF6 .  8945 B8    MOV DWORD PTR SS:[EBP-48],EAX
00666EF9 .  8945 B0    MOV DWORD PTR SS:[EBP-50],EAX
00666EFC .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00666EFF .  8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00666F05 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666F0F .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00666F12 .  51          PUSH ECX
00666F13 .  6A 1B       PUSH 1B
00666F15 .  8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00666F1B .  52          PUSH EDX
00666F1C .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00666F1F .  50          PUSH EAX
00666F20 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;EDX=04应该是"I4086D67TRF0461"中倒数后3,4位"04"变的
;不对应该是取上字符串的"04",结果在[esp-20]
00666F26 .  8D8D 8CFEFFFF LEA ECX,DWORD PTR SS:[EBP-174]
00666F2C .  51          PUSH ECX
00666F2D .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
00666F30 .  52          PUSH EDX
00666F31 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
;EAX=156994 UNICODE"04"
00666F34 .  50          PUSH EAX
00666F35 .  FFD7       CALL EDI
00666F37 .  50          PUSH EAX
00666F38 .  56          PUSH ESI
00666F39 .  FF53 34    CALL DWORD PTR DS:[EBX+34] ;判断"04"是否是数字,并转换为数字
00666F3C .  B8 02000000 MOV EAX,2
00666F41 .  8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX
00666F47 .  8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
00666F4D .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666F50 .  898D C8FEFFFF MOV DWORD PTR SS:[EBP-138],ECX
00666F56 .  C785 C0FEFFFF>MOV DWORD PTR SS:[EBP-140],4008
00666F60 .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
00666F66 .  52          PUSH EDX
00666F67 .  6A 1D       PUSH 1D
00666F69 .  8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00666F6F .  50          PUSH EAX
00666F70 .  8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00666F76 .  51          PUSH ECX
00666F77 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
00666F7D .  8D95 88FEFFFF LEA EDX,DWORD PTR SS:[EBP-178]
00666F83 .  52          PUSH EDX
00666F84 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
00666F8A .  50          PUSH EAX
00666F8B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00666F8E .  51          PUSH ECX
00666F8F .  FFD7       CALL EDI
;EAX=16DBBC UNICODE"61"
00666F91 .  50          PUSH EAX
00666F92 .  56          PUSH ESI
00666F93 .  FF53 34    CALL DWORD PTR DS:[EBX+34] ;call668130
;判断"61"是否是数字,如果不是则-37h变为数字,例如"E"不是数字,ASC码为45h,45h-37h=0Eh,0E即为结果
00666F96 .  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],ks.0042872C ;  UNICODE "000"
00666FA0 .  C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],8
00666FAA .  8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00666FB0 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
00666FB3 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
00666FB9 .  66:8B95 8CFEF>MOV DX,WORD PTR SS:[EBP-174]
;DX=04H
00666FC0 .  66:8955 98 MOV WORD PTR SS:[EBP-68],DX
00666FC4 .  C745 90 02000>MOV DWORD PTR SS:[EBP-70],2
00666FCB .  6A 01       PUSH 1
00666FCD .  6A 01       PUSH 1
00666FCF .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
00666FD2 .  50          PUSH EAX
00666FD3 .  8D4D 90    LEA ECX,DWORD PTR SS:[EBP-70]
00666FD6 .  51          PUSH ECX
00666FD7 .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00666FDD .  52          PUSH EDX
00666FDE .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00666FE4 .  C785 98FEFFFF>MOV DWORD PTR SS:[EBP-168],ks.0042872C ;  UNICODE "000"
00666FEE .  C785 90FEFFFF>MOV DWORD PTR SS:[EBP-170],8
00666FF8 .  8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170]
00666FFE .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00667004 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
;Stack SS:[0012F754]=00D9=217 为校验码的一部分
0066700A .  66:8B85 88FEF>MOV AX,WORD PTR SS:[EBP-178]
00667011 .  66:8985 48FFF>MOV WORD PTR SS:[EBP-B8],AX
00667018 .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],2
00667022 .  6A 01       PUSH 1
00667024 .  6A 01       PUSH 1
00667026 .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
0066702C .  51          PUSH ECX
0066702D .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
00667033 .  52          PUSH EDX
00667034 .  8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0066703A .  50          PUSH EAX
0066703B .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
;上面函数的数字该在ebp-0b8
00667041 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
00667047 .  51          PUSH ECX                               ;  将要生成校验码
00667048 .  8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0066704E .  52          PUSH EDX
0066704F .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667055 .  50          PUSH EAX
00667056 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
0066705C .  50          PUSH EAX
0066705D .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
;EAX=16E1C4 UNICODE"004217"
00667063 .  8BD0       MOV EDX,EAX
00667065 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00667068 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066706E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667071 .  51          PUSH ECX
00667072 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667075 .  52          PUSH EDX
00667076 .  6A 02       PUSH 2
00667078 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066707E .  83C4 0C    ADD ESP,0C
00667081 .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667087 .  50          PUSH EAX
00667088 .  8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
0066708E .  51          PUSH ECX
0066708F .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00667095 .  52          PUSH EDX
00667096 .  8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
0066709C .  50          PUSH EAX
0066709D .  8D8D 40FFFFFF LEA ECX,DWORD PTR SS:[EBP-C0]
006670A3 .  51          PUSH ECX
006670A4 .  8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
006670AA .  52          PUSH EDX
006670AB .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
006670B1 .  50          PUSH EAX
006670B2 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
006670B5 .  51          PUSH ECX
006670B6 .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
006670B9 .  52          PUSH EDX
006670BA .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
006670BD .  50          PUSH EAX
006670BE .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
006670C1 .  51          PUSH ECX
006670C2 .  6A 0B       PUSH 0B
006670C4 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006670CA .  83C4 30    ADD ESP,30
006670CD .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
006670D0 .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006670D6 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006670E0 .  6A 1A       PUSH 1A
006670E2 .  8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
006670E8 .  50          PUSH EAX
006670E9 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
006670EC .  51          PUSH ECX
006670ED .  FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>]    ;  MSVBVM50.rtcLeftCharVar
006670F3 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
006670F6 .  52          PUSH EDX
006670F7 .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
006670FA .  50          PUSH EAX
006670FB .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006670FE .  51          PUSH ECX
006670FF .  FFD7       CALL EDI
00667101 .  50          PUSH EAX
;EAX=0016B9D4, (UNICODE "G7K4074H9M5MXVRI4086D67TRF")左26个字符
00667102 .  56          PUSH ESI
00667103 .  FF53 30    CALL DWORD PTR DS:[EBX+30] ;关键CALL也许是算正确校验码的东东667fc0
00667106 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
;EDX=1569CC UNICODE"125204"
00667109 .  52          PUSH EDX
0066710A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066710D .  50          PUSH EAX
0066710E .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
;关键比较 EAX后4字符得到的校验码,EDX前26个字符得到的校验码
00667114 .  8BF8       MOV EDI,EAX
00667116 .  F7DF       NEG EDI
00667118 .  1BFF       SBB EDI,EDI
0066711A .  F7DF       NEG EDI
0066711C .  F7DF       NEG EDI
0066711E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667121 .  51          PUSH ECX
00667122 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667125 .  52          PUSH EDX
00667126 .  6A 02       PUSH 2
00667128 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066712E .  83C4 0C    ADD ESP,0C
00667131 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667134 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066713A .  66:85FF    TEST DI,DI
0066713D    0F85 38010000 JNZ ks.0066727B ;不能跳,相等时EAX=0 则DI=0
00667143 .  C745 B8 01000>MOV DWORD PTR SS:[EBP-48],1
0066714A .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00667151 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00667154 .  8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
0066715A .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00667164 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667167 .  51          PUSH ECX
00667168 .  6A 0A       PUSH 0A
0066716A .  8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00667170 .  52          PUSH EDX
00667171 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00667174 .  50          PUSH EAX
00667175 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取"G7K4074H9M5MXVRI4086D67TRF 0461"从第1个开始的第10个字符"M" (由SMARTCHECK得到)start=1,length=10
0066717B .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0066717E .  51          PUSH ECX
0066717F .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667182 .  52          PUSH EDX
00667183 .  FF15 DCB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarVal
00667189    50          PUSH EAX
0066718A    FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ;  MSVBVM50.rtcAnsiValueBstr
;取激活码第10个字符变换后的ASC码
00667190    66:2D 4500 SUB AX,45
;减45h
00667194 .  0F80 99010000 JO ks.00667333
0066719A .  0FBFF8       MOVSX EDI,AX
0066719D .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
006671A0 .  50          PUSH EAX
006671A1 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
;算硬盘序列号字符个数
006671A7 .  33C9       XOR ECX,ECX
006671A9    3BC7       CMP EAX,EDI
;看看硬盘序列号字符个数于AX减到的值是否一样,这里我的硬盘序列号为8个字符,所以退出那个激活字符为O
006671AB .  0F95C1       SETNE CL
006671AE .  F7D9       NEG ECX
006671B0 .  8BF9       MOV EDI,ECX
006671B2 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006671B5 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006671BB .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
006671BE .  52          PUSH EDX
006671BF .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
006671C2 .  50          PUSH EAX
006671C3 .  6A 02       PUSH 2
006671C5 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006671CB .  83C4 0C    ADD ESP,0C
006671CE .  66:85FF    TEST DI,DI
006671D1 .  0F85 A4000000 JNZ ks.0066727B
006671D7 .  8B4D D0    MOV ECX,DWORD PTR SS:[EBP-30]
006671DA .  51          PUSH ECX
006671DB .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
006671E1 .  8945 B8    MOV DWORD PTR SS:[EBP-48],EAX
006671E4 .  C745 B0 03000>MOV DWORD PTR SS:[EBP-50],3
006671EB .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
006671EE .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006671F4 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006671FE .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00667201 .  50          PUSH EAX
00667202 .  6A 0B       PUSH 0B
00667204 .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0066720A .  51          PUSH ECX
0066720B .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
0066720E .  52          PUSH EDX
0066720F .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取"G7K4074H9M5MXVRI408 6 D67TRF 0461"start=8,length=11字符"6" (由SMARTCHECK得到)
00667215 .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
00667218 .  8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0066721E .  C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],8008
00667228 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0066722B .  51          PUSH ECX
0066722C .  8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00667232 .  52          PUSH EDX
00667233 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
;不知道这个call做了什么,让EAX返回-1
00667239    8BF8       MOV EDI,EAX
0066723B    8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0066723E    50          PUSH EAX
0066723F .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667242 .  51          PUSH ECX
00667243 .  6A 02       PUSH 2
00667245 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066724B .  83C4 0C    ADD ESP,0C
0066724E    66:85FF    TEST DI,DI
00667251    75 28       JNZ SHORT ks.0066727B
00667253 .  8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00667259 .  52          PUSH EDX
0066725A .  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0066725D .  50          PUSH EAX
0066725E .  56          PUSH ESI
0066725F .  FF53 24    CALL DWORD PTR DS:[EBX+24]
00667262 .  66:39BD 8CFEF>CMP WORD PTR SS:[EBP-174],DI
00667269 .  74 10       JE SHORT ks.0066727B ;jmp如何?
0066726B .  C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00667272 .  EB 07       JMP SHORT ks.0066727B
00667274 .  C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
0066727B >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00667281 .  68 0A736600 PUSH ks.0066730A
00667286 .  EB 60       JMP SHORT ks.006672E8
00667288 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066728B .  51          PUSH ECX
0066728C .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066728F .  52          PUSH EDX
00667290 .  6A 02       PUSH 2
00667292 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00667298 .  83C4 0C    ADD ESP,0C
0066729B .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
006672A1 .  50          PUSH EAX
006672A2 .  8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
006672A8 .  51          PUSH ECX
006672A9 .  8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0]
006672AF .  52          PUSH EDX
006672B0 .  8D85 40FFFFFF LEA EAX,DWORD PTR SS:[EBP-C0]
006672B6 .  50          PUSH EAX
006672B7 .  8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
006672BD .  51          PUSH ECX
006672BE .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
006672C4 .  52          PUSH EDX
006672C5 .  8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
006672CB .  50          PUSH EAX
006672CC .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
006672CF .  51          PUSH ECX
006672D0 .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
006672D3 .  52          PUSH EDX
006672D4 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
006672D7 .  50          PUSH EAX
006672D8 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
006672DB .  51          PUSH ECX
006672DC .  6A 0B       PUSH 0B
006672DE .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006672E4 .  83C4 30    ADD ESP,30
006672E7 .  C3          RETN
006672E8 >  8D55 E0    LEA EDX,DWORD PTR SS:[EBP-20]
006672EB .  52          PUSH EDX
006672EC .  6A 00       PUSH 0
006672EE .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
006672F4 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006672F7 .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006672FD .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
006672FF .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00667302 .  FFD6       CALL ESI
00667304 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00667307 .  FFE6       JMP ESI
00667309 .  C3          RETN
0066730A .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066730D .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066730F .  50          PUSH EAX
00667310 .  FF51 08    CALL DWORD PTR DS:[ECX+8]
00667313 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
00667316 .  66:8B45 D8 MOV AX,WORD PTR SS:[EBP-28]
0066731A .  66:8902    MOV WORD PTR DS:[EDX],AX
0066731D .  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
00667320 .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
00667323 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066732A .  5F          POP EDI
0066732B .  5E          POP ESI
0066732C .  5B          POP EBX
0066732D .  8BE5       MOV ESP,EBP
0066732F .  5D          POP EBP
00667330 .  C2 1000    RETN 10
.............
0066761D FFD3          CALL EBX
0066761F 50             PUSH EAX
00667620 56             PUSH ESI
00667621 FF55 98       CALL DWORD PTR SS:[EBP-68]
00667624 66:8B45 A0    MOV AX,WORD PTR SS:[EBP-60] ;读12f6b4=26dh
00667628 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
0066762B 66:8946 3C    MOV WORD PTR DS:[ESI+3C],AX
0066762F FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667635 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
00667638 8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
0066763B 51             PUSH ECX
0066763C 52             PUSH EDX
0066763D 6A 02          PUSH 2
0066763F FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667645 B8 01000000    MOV EAX,1
0066764A 83C4 0C       ADD ESP,0C
0066764D 66:3946 34    CMP WORD PTR DS:[ESI+34],AX
00667651 7C 18          JL SHORT ks1.0066766B
00667653 66:3946 36    CMP WORD PTR DS:[ESI+36],AX
00667657 7C 12          JL SHORT ks1.0066766B
00667659 66:3946 38    CMP WORD PTR DS:[ESI+38],AX
0066765D 7C 0C          JL SHORT ks1.0066766B
0066765F 66:3946 3A    CMP WORD PTR DS:[ESI+3A],AX
00667663 7C 06          JL SHORT ks1.0066766B
00667665 66:3946 3C    CMP WORD PTR DS:[ESI+3C],AX
00667669 7D 07          JGE SHORT ks1.00667672
0066766B C745 EC 0000000>MOV DWORD PTR SS:[EBP-14],0
00667672 68 A0766600    PUSH ks1.006676A0
00667677 EB 1D          JMP SHORT ks1.00667696
00667679 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
0066767C FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667682 8D45 C4       LEA EAX,DWORD PTR SS:[EBP-3C]
00667685 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00667688 50             PUSH EAX
00667689 51             PUSH ECX
0066768A 6A 02          PUSH 2
0066768C FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667692 83C4 0C       ADD ESP,0C
00667695 C3             RETN
00667696 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
00667699  - FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0066769F C3             RETN
006676A0 8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]
006676A3 66:8B45 EC    MOV AX,WORD PTR SS:[EBP-14]
006676A7 8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
006676AA 5F             POP EDI
006676AB 66:8902       MOV WORD PTR DS:[EDX],AX
006676AE 5E             POP ESI
006676AF 33C0          XOR EAX,EAX
006676B1 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
006676B8 5B             POP EBX
006676B9 8BE5          MOV ESP,EBP
006676BB 5D             POP EBP
006676BC C2 0C00       RETN 0C
006676BF FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
006676C5 90             NOP
006676C6 90             NOP

............
0066828A FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ; MSVBVM50.rtcR8ValFromBstr
00668290 DD5D B8       FSTP QWORD PTR SS:[EBP-48]
00668293 DD45 B8       FLD QWORD PTR SS:[EBP-48]
00668296 DC0D 90744000 FMUL QWORD PTR DS:[407490]
0066829C 0FBFC6       MOVSX EAX,SI
0066829F 8945 B0       MOV DWORD PTR SS:[EBP-50],EAX
006682A2 DB45 B0       FILD DWORD PTR SS:[EBP-50]
006682A5 DD5D A8       FSTP QWORD PTR SS:[EBP-58]
006682A8 DC45 A8       FADD QWORD PTR SS:[EBP-58]
006682AB DFE0          FSTSW AX
006682AD A8 0D          TEST AL,0D
006682AF 75 71          JNZ SHORT ks1.00668322
006682B1 FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
006682B7 8945 E0       MOV DWORD PTR SS:[EBP-20],EAX
006682BA 68 03836600    PUSH ks1.00668303
006682BF 9B             WAIT
006682C0 EB 30          JMP SHORT ks1.006682F2
006682C2 8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
006682C5 51             PUSH ECX
006682C6 FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ; MSVBVM50.rtcAnsiValueBstr
;ax=48h就是"H"
006682CC 66:2D 3700    SUB AX,37
006682D0 70 55          JO SHORT ks1.00668327
006682D2 66:6BC0 24    IMUL AX,AX,24
006682D6 70 4F          JO SHORT ks1.00668327
006682D8 66:03C6       ADD AX,SI
006682DB 70 4A          JO SHORT ks1.00668327
006682DD 8945 E0       MOV DWORD PTR SS:[EBP-20],EAX ;计算后EAX=26Dh
006682E0 9B             WAIT
006682E1 68 03836600    PUSH ks1.00668303
006682E6 EB 0A          JMP SHORT ks1.006682F2
006682E8 8D4D D0       LEA ECX,DWORD PTR SS:[EBP-30]
006682EB FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
006682F1 C3             RETN
006682F2 8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeStr
006682F8 8D4D EC       LEA ECX,DWORD PTR SS:[EBP-14]
006682FB FFD6          CALL ESI
006682FD 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
00668300 FFE6          JMP ESI
00668302 C3             RETN
00668303 8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]
00668306 66:8B45 E0    MOV AX,WORD PTR SS:[EBP-20]
0066830A 8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
0066830D 5F             POP EDI
0066830E 66:8902       MOV WORD PTR DS:[EDX],AX
00668311 5E             POP ESI
00668312 33C0          XOR EAX,EAX
00668314 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
0066831B 5B             POP EBX
0066831C 8BE5          MOV ESP,EBP
0066831E 5D             POP EBP
0066831F C2 0C00       RETN 0C
00668322  ^ E9 D5FCD9FF    JMP <JMP.&MSVBVM50.__vbaFPException>
00668327 FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066832D 90             NOP
0066832E 90             NOP
-------------------------------------------------------------------------------
▲文件:2-668EF0.txt
-------------------------------------------------------------------------------
不知道这个CALL干什么,返回666ba0
00668EF0 > \55          PUSH EBP
00668EF1 .  8BEC       MOV EBP,ESP
00668EF3 .  83EC 18    SUB ESP,18
00668EF6 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
00668EFB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668F01 .  50          PUSH EAX
00668F02 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668F09 .  B8 70000000 MOV EAX,70
00668F0E .  E8 DDF0D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
00668F13 .  53          PUSH EBX
00668F14 .  56          PUSH ESI
00668F15 .  57          PUSH EDI
00668F16 .  8965 E8    MOV DWORD PTR SS:[EBP-18],ESP
00668F19 .  C745 EC 20754>MOV DWORD PTR SS:[EBP-14],ks.00407520
00668F20 .  C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
00668F27 .  C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
00668F2E .  C745 FC 01000>MOV DWORD PTR SS:[EBP-4],1
00668F35 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00668F38 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00668F3B .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00668F41 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14] ;输入激活字符
00668F44 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00668F47 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00668F4D .  C745 FC 02000>MOV DWORD PTR SS:[EBP-4],2
00668F54 .  C745 FC 03000>MOV DWORD PTR SS:[EBP-4],3
00668F5B .  C745 DC 00000>MOV DWORD PTR SS:[EBP-24],0
00668F62 .  C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
00668F69 .  C745 FC 05000>MOV DWORD PTR SS:[EBP-4],5
00668F70 .  C745 D4 00000>MOV DWORD PTR SS:[EBP-2C],0
00668F77 .  C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
00668F7E .  C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
00668F85 .  C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
00668F8C .  C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
00668F93 .  6A FF       PUSH -1
00668F95 .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
00668F9B .  C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
00668FA2 .  FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>]    ;  MSVBVM50.rtcErrObj
00668FA8 .  50          PUSH EAX
00668FA9 .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
00668FAC .  50          PUSH EAX
00668FAD .  FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
00668FB3 .  8945 80    MOV DWORD PTR SS:[EBP-80],EAX
00668FB6 .  8B4D 80    MOV ECX,DWORD PTR SS:[EBP-80]
00668FB9 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
00668FBB .  8B45 80    MOV EAX,DWORD PTR SS:[EBP-80]
00668FBE .  50          PUSH EAX
00668FBF .  FF52 48    CALL DWORD PTR DS:[EDX+48]
00668FC2 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00668FC5 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00668FCB .  C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
00668FD2 .  6A 00       PUSH 0
00668FD4 .  6A 08       PUSH 8
00668FD6 .  6A 01       PUSH 1
00668FD8 .  6A 00       PUSH 0
00668FDA .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00668FDD .  51          PUSH ECX
00668FDE .  6A 04       PUSH 4
00668FE0 .  68 00010000 PUSH 100
00668FE5 .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
00668FEB .  83C4 1C    ADD ESP,1C
00668FEE >  C745 FC 0C000>MOV DWORD PTR SS:[EBP-4],0C
00668FF5 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
00668FF8 .  83C2 01    ADD EDX,1
00668FFB .  0F80 48030000 JO ks.00669349
00669001 .  8955 D4    MOV DWORD PTR SS:[EBP-2C],EDX
00669004 .  C745 FC 0D000>MOV DWORD PTR SS:[EBP-4],0D
0066900B .  837D D4 08 CMP DWORD PTR SS:[EBP-2C],8
0066900F .  7E 25       JLE SHORT ks.00669036
00669011 .  C745 FC 0E000>MOV DWORD PTR SS:[EBP-4],0E
00669018 .  6A 00       PUSH 0
0066901A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066901D .  50          PUSH EAX
0066901E .  6A 01       PUSH 1
00669020 .  6A 00       PUSH 0
00669022 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00669025 .  51          PUSH ECX
00669026 .  6A 04       PUSH 4
00669028 .  68 00010000 PUSH 100
0066902D .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
00669033 .  83C4 1C    ADD ESP,1C
00669036 >  C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0066903D .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
00669040 .  83C2 01    ADD EDX,1
00669043 .  0F80 00030000 JO ks.00669349
00669049 .  52          PUSH EDX
0066904A .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30] ;输入激活字符串
0066904D .  50          PUSH EAX
0066904E .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38] ;ECX=2DH 字符"-"
00669051 .  51          PUSH ECX
00669052 .  6A 01       PUSH 1
00669054 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
0066905A .  8945 CC    MOV DWORD PTR SS:[EBP-34],EAX
0066905D .  C745 FC 11000>MOV DWORD PTR SS:[EBP-4],11
00669064 .  837D CC 00 CMP DWORD PTR SS:[EBP-34],0
00669068 .  0F85 05010000 JNZ ks.00669173
0066906E .  C745 FC 12000>MOV DWORD PTR SS:[EBP-4],12
00669075 .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
00669078 .  52          PUSH EDX
00669079 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
0066907F .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
00669082 .  C745 AC 03000>MOV DWORD PTR SS:[EBP-54],3
00669089 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
0066908C .  8338 00    CMP DWORD PTR DS:[EAX],0
0066908F .  74 4C       JE SHORT ks.006690DD
00669091 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00669094 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
00669096 .  66:833A 01 CMP WORD PTR DS:[EDX],1
0066909A .  75 41       JNZ SHORT ks.006690DD
0066909C .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
0066909F .  8B08       MOV ECX,DWORD PTR DS:[EAX]
006690A1 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
006690A4 .  2B51 14    SUB EDX,DWORD PTR DS:[ECX+14]
006690A7 .  8955 98    MOV DWORD PTR SS:[EBP-68],EDX
006690AA .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
006690AD .  8B08       MOV ECX,DWORD PTR DS:[EAX]
006690AF .  8B55 98    MOV EDX,DWORD PTR SS:[EBP-68]
006690B2 .  3B51 10    CMP EDX,DWORD PTR DS:[ECX+10]
006690B5 .  73 0C       JNB SHORT ks.006690C3
006690B7 .  C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],0
006690C1 .  EB 0C       JMP SHORT ks.006690CF
006690C3 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006690C9 .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
006690CF >  8B45 98    MOV EAX,DWORD PTR SS:[EBP-68]
006690D2 .  C1E0 02    SHL EAX,2
006690D5 .  8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
006690DB .  EB 0C       JMP SHORT ks.006690E9
006690DD >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006690E3 .  8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
006690E9 >  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
006690EC .  51          PUSH ECX
006690ED .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
006690F0 .  83C2 01    ADD EDX,1
006690F3 .  0F80 50020000 JO ks.00669349
006690F9 .  52          PUSH EDX
006690FA .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
006690FD .  50          PUSH EAX
006690FE .  FF15 D8B46800 CALL DWORD PTR DS:[<&MSVBVM50.#631>]    ;  MSVBVM50.rtcMidCharBstr
00669104 .  8BD0       MOV EDX,EAX
00669106 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00669109 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066910F .  50          PUSH EAX
00669110 .  FF15 14B46800 CALL DWORD PTR DS:[<&MSVBVM50.#519>]    ;  MSVBVM50.rtcTrimBstr
00669116 .  8BD0       MOV EDX,EAX
00669118 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066911B .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00669121 .  8BD0       MOV EDX,EAX
00669123 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00669126 .  8B01       MOV EAX,DWORD PTR DS:[ECX]
00669128 .  8B48 0C    MOV ECX,DWORD PTR DS:[EAX+C]
0066912B .  038D 78FFFFFF ADD ECX,DWORD PTR SS:[EBP-88]
00669131 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00669137 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066913A .  51          PUSH ECX
0066913B .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066913E .  52          PUSH EDX
0066913F .  6A 02       PUSH 2
00669141 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00669147 .  83C4 0C    ADD ESP,0C
0066914A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066914D .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669153 .  C745 FC 13000>MOV DWORD PTR SS:[EBP-4],13
0066915A .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
0066915D .  83C0 01    ADD EAX,1
00669160 .  0F80 E3010000 JO ks.00669349
00669166 .  8945 D8    MOV DWORD PTR SS:[EBP-28],EAX
00669169 .  E9 1D010000 JMP ks.0066928B
0066916E .  E9 F0000000 JMP ks.00669263
00669173 >  C745 FC 16000>MOV DWORD PTR SS:[EBP-4],16
0066917A .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
0066917D .  2B4D DC    SUB ECX,DWORD PTR SS:[EBP-24]
00669180 .  0F80 C3010000 JO ks.00669349
00669186 .  83E9 01    SUB ECX,1
00669189 .  0F80 BA010000 JO ks.00669349
0066918F .  894D B4    MOV DWORD PTR SS:[EBP-4C],ECX
00669192 .  C745 AC 03000>MOV DWORD PTR SS:[EBP-54],3
00669199 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066919C .  833A 00    CMP DWORD PTR DS:[EDX],0
0066919F .  74 4C       JE SHORT ks.006691ED
006691A1 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
006691A4 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
006691A6 .  66:8339 01 CMP WORD PTR DS:[ECX],1
006691AA .  75 41       JNZ SHORT ks.006691ED
006691AC .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006691AF .  8B02       MOV EAX,DWORD PTR DS:[EDX]
006691B1 .  8B4D D4    MOV ECX,DWORD PTR SS:[EBP-2C]
006691B4 .  2B48 14    SUB ECX,DWORD PTR DS:[EAX+14]
006691B7 .  894D 98    MOV DWORD PTR SS:[EBP-68],ECX
006691BA .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006691BD .  8B02       MOV EAX,DWORD PTR DS:[EDX]
006691BF .  8B4D 98    MOV ECX,DWORD PTR SS:[EBP-68]
006691C2 .  3B48 10    CMP ECX,DWORD PTR DS:[EAX+10]
006691C5 .  73 0C       JNB SHORT ks.006691D3
006691C7 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
006691D1 .  EB 0C       JMP SHORT ks.006691DF
006691D3 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006691D9 .  8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
006691DF >  8B55 98    MOV EDX,DWORD PTR SS:[EBP-68]
006691E2 .  C1E2 02    SHL EDX,2
006691E5 .  8995 70FFFFFF MOV DWORD PTR SS:[EBP-90],EDX
006691EB .  EB 0C       JMP SHORT ks.006691F9
006691ED >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006691F3 .  8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX
006691F9 >  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
006691FC .  50          PUSH EAX
006691FD .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
00669200 .  83C1 01    ADD ECX,1
00669203 .  0F80 40010000 JO ks.00669349
00669209 .  51          PUSH ECX
0066920A .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066920D .  52          PUSH EDX
0066920E .  FF15 D8B46800 CALL DWORD PTR DS:[<&MSVBVM50.#631>]    ;  MSVBVM50.rtcMidCharBstr
00669214 .  8BD0       MOV EDX,EAX
00669216 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00669219 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066921F .  50          PUSH EAX
00669220 .  FF15 14B46800 CALL DWORD PTR DS:[<&MSVBVM50.#519>]    ;  MSVBVM50.rtcTrimBstr
00669226 .  8BD0       MOV EDX,EAX
00669228 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066922B .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00669231 .  8BD0       MOV EDX,EAX
00669233 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
00669236 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
00669238 .  8B49 0C    MOV ECX,DWORD PTR DS:[ECX+C]
0066923B .  038D 70FFFFFF ADD ECX,DWORD PTR SS:[EBP-90]
00669241 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00669247 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
0066924A .  52          PUSH EDX
0066924B .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
0066924E .  50          PUSH EAX
0066924F .  6A 02       PUSH 2
00669251 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00669257 .  83C4 0C    ADD ESP,0C
0066925A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066925D .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669263 >  C745 FC 18000>MOV DWORD PTR SS:[EBP-4],18
0066926A .  8B4D D8    MOV ECX,DWORD PTR SS:[EBP-28]
0066926D .  83C1 01    ADD ECX,1
00669270 .  0F80 D3000000 JO ks.00669349
00669276 .  894D D8    MOV DWORD PTR SS:[EBP-28],ECX
00669279 .  C745 FC 19000>MOV DWORD PTR SS:[EBP-4],19
00669280 .  8B55 CC    MOV EDX,DWORD PTR SS:[EBP-34]
00669283 .  8955 DC    MOV DWORD PTR SS:[EBP-24],EDX
00669286 .^ E9 63FDFFFF JMP ks.00668FEE
0066928B >  C745 FC 1B000>MOV DWORD PTR SS:[EBP-4],1B
00669292 .  8B45 18    MOV EAX,DWORD PTR SS:[EBP+18]
00669295 .  66:8338 FF CMP WORD PTR DS:[EAX],0FFFF
00669299 .  75 27       JNZ SHORT ks.006692C2
0066929B .  C745 FC 1C000>MOV DWORD PTR SS:[EBP-4],1C
006692A2 .  6A 00       PUSH 0
006692A4 .  8B4D D8    MOV ECX,DWORD PTR SS:[EBP-28]
006692A7 .  51          PUSH ECX
006692A8 .  6A 01       PUSH 1
006692AA .  6A 00       PUSH 0
006692AC .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006692AF .  52          PUSH EDX
006692B0 .  6A 04       PUSH 4
006692B2 .  68 00010000 PUSH 100
006692B7 .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
006692BD .  83C4 1C    ADD ESP,1C
006692C0 .  EB 32       JMP SHORT ks.006692F4
006692C2 >  C745 FC 1E000>MOV DWORD PTR SS:[EBP-4],1E
006692C9 .  837D D4 08 CMP DWORD PTR SS:[EBP-2C],8
006692CD .  7C 25       JL SHORT ks.006692F4
006692CF .  C745 FC 1F000>MOV DWORD PTR SS:[EBP-4],1F
006692D6 .  6A 00       PUSH 0
006692D8 .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
006692DB .  50          PUSH EAX
006692DC .  6A 01       PUSH 1
006692DE .  6A 00       PUSH 0
006692E0 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
006692E3 .  51          PUSH ECX
006692E4 .  6A 04       PUSH 4
006692E6 .  68 00010000 PUSH 100
006692EB .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
006692F1 .  83C4 1C    ADD ESP,1C
006692F4 >  68 34936600 PUSH ks.00669334
006692F9 .  EB 26       JMP SHORT ks.00669321
006692FB .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
006692FE .  52          PUSH EDX
006692FF .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00669302 .  50          PUSH EAX
00669303 .  6A 02       PUSH 2
00669305 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066930B .  83C4 0C    ADD ESP,0C
0066930E .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669311 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00669317 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066931A .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669320 .  C3          RETN
00669321 >  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00669324 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066932A .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066932D .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00669333 .  C3          RETN
00669334 .  33C0       XOR EAX,EAX
00669336 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00669339 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00669340 .  5F          POP EDI
00669341 .  5E          POP ESI
00669342 .  5B          POP EBX
00669343 .  8BE5       MOV ESP,EBP
00669345 .  5D          POP EBP
00669346 .  C2 1400    RETN 14
00669349 >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
-------------------------------------------------------------------------------
▲文件:3-669405.txt
-------------------------------------------------------------------------------
到669405 ,调用者666db3
00669399 .  8975 84    MOV DWORD PTR SS:[EBP-7C],ESI
0066939C .  89B5 74FFFFFF MOV DWORD PTR SS:[EBP-8C],ESI
006693A2 .  89B5 70FFFFFF MOV DWORD PTR SS:[EBP-90],ESI
006693A8 .  89B5 64FFFFFF MOV DWORD PTR SS:[EBP-9C],ESI
006693AE .  89B5 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ESI
006693B4 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
006693B7 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006693BA .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
006693C0 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrCopy>
006693C2 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006693C5 .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
006693C8 .  FFD3       CALL EBX
006693CA .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
006693CD .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
006693D0 .  FFD3       CALL EBX
006693D2 .  8B45 1C    MOV EAX,DWORD PTR SS:[EBP+1C]
006693D5 .  8930       MOV DWORD PTR DS:[EAX],ESI
006693D7 .  68 54204200 PUSH ks.00422054
006693DC .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
006693DF .  51          PUSH ECX
006693E0 .  FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>;  MSVBVM50.__vbaAryConstruct
006693E6 .  6A 01       PUSH 1
006693E8 .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
006693EE .  8B55 B8    MOV EDX,DWORD PTR SS:[EBP-48]
006693F1 .  8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C]
006693F7 .  FFD3       CALL EBX
006693F9 .  8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
006693FF .  52          PUSH EDX ;这里是"-"
00669400 .  68 48204200 PUSH ks.00422048                      ;  UNICODE "^p"
00669405 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066940B .  85C0       TEST EAX,EAX
0066940D .  75 55       JNZ SHORT ks.00669464
0066940F .  6A 0D       PUSH 0D
00669411 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
00669414 .  50          PUSH EAX
00669415 .  8B35 C0B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.#608>]  ;  MSVBVM50.rtcVarBstrFromAnsi
0066941B .  FFD6       CALL ESI                               ;  <&MSVBVM50.#608>
0066941D .  6A 0A       PUSH 0A
0066941F .  8D4D 94    LEA ECX,DWORD PTR SS:[EBP-6C]
00669422 .  51          PUSH ECX
00669423 .  FFD6       CALL ESI
00669425 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
00669428 .  52          PUSH EDX
00669429 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066942C .  50          PUSH EAX
0066942D .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
00669430 .  51          PUSH ECX
00669431 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
00669437 .  50          PUSH EAX
00669438 .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
0066943E .  8BD0       MOV EDX,EAX
00669440 .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
00669443 .  8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
00669449 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrMove>
0066944B .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066944E .  52          PUSH EDX
0066944F .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
00669452 .  50          PUSH EAX
00669453 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
00669456 .  51          PUSH ECX
00669457 .  6A 03       PUSH 3
00669459 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066945F .  83C4 10    ADD ESP,10
00669462 .  EB 0C       JMP SHORT ks.00669470
00669464 >  8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
0066946A .  8B35 C0B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.#608>]  ;  MSVBVM50.rtcVarBstrFromAnsi
00669470 >  8B55 D8    MOV EDX,DWORD PTR SS:[EBP-28]
00669473 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
00669479 .  FFD3       CALL EBX
0066947B .  8B95 60FFFFFF MOV EDX,DWORD PTR SS:[EBP-A0]
00669481 .  52          PUSH EDX
00669482 .  68 48204200 PUSH ks.00422048                      ;  UNICODE "^p"
00669487 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066948D .  85C0       TEST EAX,EAX
0066948F .  75 47       JNZ SHORT ks.006694D8
00669491 .  6A 0D       PUSH 0D
00669493 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
00669496 .  50          PUSH EAX
00669497 .  FFD6       CALL ESI
00669499 .  6A 0A       PUSH 0A
0066949B .  8D4D 94    LEA ECX,DWORD PTR SS:[EBP-6C]
0066949E .  51          PUSH ECX
0066949F .  FFD6       CALL ESI
006694A1 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
006694A4 .  52          PUSH EDX
006694A5 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
006694A8 .  50          PUSH EAX
006694A9 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
006694AC .  51          PUSH ECX
006694AD .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
006694B3 .  50          PUSH EAX
006694B4 .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
006694BA .  8BD0       MOV EDX,EAX
006694BC .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
006694BF .  FFD7       CALL EDI
006694C1 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
006694C4 .  52          PUSH EDX
006694C5 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
006694C8 .  50          PUSH EAX
006694C9 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
006694CC .  51          PUSH ECX
006694CD .  6A 03       PUSH 3
006694CF .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006694D5 .  83C4 10    ADD ESP,10
006694D8 >  6A 01       PUSH 1
006694DA .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
006694DD .  52          PUSH EDX
006694DE .  8B45 B8    MOV EAX,DWORD PTR SS:[EBP-48]
006694E1 .  50          PUSH EAX
006694E2 .  8B4D 18    MOV ECX,DWORD PTR SS:[EBP+18]
006694E5 .  51          PUSH ECX
006694E6 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
006694EC .  8BF0       MOV ESI,EAX
006694EE .  83FE 01    CMP ESI,1
006694F1 .  0F8C 53010000 JL ks.0066964A
006694F7 .  8B1D 10B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006694FD >  8D55 DC    LEA EDX,DWORD PTR SS:[EBP-24]
00669500 .  8995 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EDX
00669506 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],4008
00669510 .  8BC6       MOV EAX,ESI
00669512 .  48          DEC EAX
00669513 .  0F80 F3010000 JO ks.0066970C
00669519 .  50          PUSH EAX
0066951A .  8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00669520 .  51          PUSH ECX
00669521 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
00669524 .  52          PUSH EDX
00669525 .  FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>]    ;  MSVBVM50.rtcLeftCharVar
0066952B .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
0066952E .  50          PUSH EAX
0066952F .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
00669535 .  8BD0       MOV EDX,EAX
00669537 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0066953A .  FFD7       CALL EDI
0066953C .  8BD0       MOV EDX,EAX
0066953E .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
00669541 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00669547 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0066954A .  FFD3       CALL EBX
0066954C .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0066954F .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669555 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
00669558 .  898D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ECX
0066955E .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],4008
00669568 .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066956B .  52          PUSH EDX
0066956C .  8B1D D8B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaLe>;  MSVBVM50.__vbaLenBstr
00669572 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaLenBstr>
00669574 .  8BD0       MOV EDX,EAX
00669576 .  2BD6       SUB EDX,ESI
00669578 .  0F80 8E010000 JO ks.0066970C
0066957E .  8B45 B8    MOV EAX,DWORD PTR SS:[EBP-48]
00669581 .  50          PUSH EAX
00669582 .  8995 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],EDX
00669588 .  FFD3       CALL EBX
0066958A .  8B8D 4CFFFFFF MOV ECX,DWORD PTR SS:[EBP-B4]
00669590 .  2BC8       SUB ECX,EAX
00669592 .  0F80 74010000 JO ks.0066970C
00669598 .  41          INC ECX
00669599 .  0F80 6D010000 JO ks.0066970C
0066959F .  51          PUSH ECX
006695A0 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
006695A6 .  52          PUSH EDX
006695A7 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
006695AA .  50          PUSH EAX
006695AB .  FF15 CCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#619>]    ;  MSVBVM50.rtcRightCharVar
006695B1 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
006695B4 .  51          PUSH ECX
006695B5 .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
006695BB .  8BD0       MOV EDX,EAX
006695BD .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
006695C0 .  FFD7       CALL EDI
006695C2 .  8BD0       MOV EDX,EAX
006695C4 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
006695C7 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
006695CA .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
006695D0 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
006695D3 .  8B1D 10B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006695D9 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaFreeStr>
006695DB .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
006695DE .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
006695E4 .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
006695E7 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
006695E9 .  52          PUSH EDX
006695EA .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
006695ED .  50          PUSH EAX
006695EE .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
006695F4 .  8BD0       MOV EDX,EAX
006695F6 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
006695F9 .  FFD7       CALL EDI
006695FB .  50          PUSH EAX
006695FC .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
006695FF .  8B51 04    MOV EDX,DWORD PTR DS:[ECX+4]
00669602 .  52          PUSH EDX
00669603 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
00669609 .  8BD0       MOV EDX,EAX
0066960B .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
0066960E .  FFD7       CALL EDI
00669610 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
00669613 .  FFD3       CALL EBX
00669615 .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
00669618 .  50          PUSH EAX
00669619 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
0066961F .  03C6       ADD EAX,ESI
00669621 .  0F80 E5000000 JO ks.0066970C
00669627 .  50          PUSH EAX
00669628 .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
0066962B .  51          PUSH ECX
0066962C .  8B55 B8    MOV EDX,DWORD PTR SS:[EBP-48]
0066962F .  52          PUSH EDX
00669630 .  8B45 18    MOV EAX,DWORD PTR SS:[EBP+18]
00669633 .  50          PUSH EAX
00669634 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
0066963A .  8BF0       MOV ESI,EAX
0066963C .  85F6       TEST ESI,ESI
0066963E .^ 0F8F B9FEFFFF JG ks.006694FD
00669644 .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
0066964A >  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066964D .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669650 .  FFD3       CALL EBX
00669652 .  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00669658 .  68 EF966600 PUSH ks.006696EF
0066965D .  EB 49       JMP SHORT ks.006696A8
0066965F .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
00669662 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669665 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
0066966B .  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00669671 .  68 EF966600 PUSH ks.006696EF
00669676 .  EB 30       JMP SHORT ks.006696A8
00669678 .  F645 F4 04 TEST BYTE PTR SS:[EBP-C],4
0066967C .  74 09       JE SHORT ks.00669687
0066967E .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669681 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00669687 >  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0066968A .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00669690 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
00669693 .  51          PUSH ECX
00669694 .  8D55 94    LEA EDX,DWORD PTR SS:[EBP-6C]
00669697 .  52          PUSH EDX
00669698 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
0066969B .  50          PUSH EAX
0066969C .  6A 03       PUSH 3
0066969E .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006696A4 .  83C4 10    ADD ESP,10
006696A7 .  C3          RETN
006696A8 >  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
006696AE .  51          PUSH ECX
006696AF .  8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
006696B5 .  52          PUSH EDX
006696B6 .  6A 02       PUSH 2
006696B8 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
006696BE .  83C4 0C    ADD ESP,0C
006696C1 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006696C4 .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006696CA .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
006696CC .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
006696CF .  FFD6       CALL ESI
006696D1 .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
006696D4 .  8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX
006696DA .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
006696E0 .  51          PUSH ECX
006696E1 .  6A 00       PUSH 0
006696E3 .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
006696E9 .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
006696EC .  FFE6       JMP ESI
006696EE .  C3          RETN
006696EF .  8B55 1C    MOV EDX,DWORD PTR SS:[EBP+1C]
006696F2 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
006696F5 .  8902       MOV DWORD PTR DS:[EDX],EAX
006696F7 .  33C0       XOR EAX,EAX
006696F9 .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
006696FC .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00669703 .  5F          POP EDI
00669704 .  5E          POP ESI
00669705 .  5B          POP EBX
00669706 .  8BE5       MOV ESP,EBP
00669708 .  5D          POP EBP
00669709 .  C2 1800    RETN 18
0066970C >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
00669712 .  90          NOP
00669713 .  90          NOP
-------------------------------------------------------------------------------
▲文件:4-667FC0.txt
-------------------------------------------------------------------------------
00667FC0 > \55          PUSH EBP
00667FC1 .  8BEC       MOV EBP,ESP
00667FC3 .  83EC 14    SUB ESP,14
00667FC6 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
00667FCB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00667FD1 .  50          PUSH EAX
00667FD2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00667FD9 .  83EC 4C    SUB ESP,4C
00667FDC .  53          PUSH EBX
00667FDD .  56          PUSH ESI
00667FDE .  57          PUSH EDI
00667FDF .  8965 EC    MOV DWORD PTR SS:[EBP-14],ESP
00667FE2 .  C745 F0 C8744>MOV DWORD PTR SS:[EBP-10],ks.004074C8
00667FE9 .  33F6       XOR ESI,ESI
00667FEB .  8975 F4    MOV DWORD PTR SS:[EBP-C],ESI
00667FEE .  8975 F8    MOV DWORD PTR SS:[EBP-8],ESI
00667FF1 .  8975 DC    MOV DWORD PTR SS:[EBP-24],ESI
00667FF4 .  8975 D8    MOV DWORD PTR SS:[EBP-28],ESI
00667FF7 .  8975 D4    MOV DWORD PTR SS:[EBP-2C],ESI
00667FFA .  8975 D0    MOV DWORD PTR SS:[EBP-30],ESI
00667FFD .  8975 C0    MOV DWORD PTR SS:[EBP-40],ESI
00668000 .  8975 BC    MOV DWORD PTR SS:[EBP-44],ESI
00668003 .  8975 AC    MOV DWORD PTR SS:[EBP-54],ESI
00668006 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00668009 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
0066800C .  8B3D 2CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
00668012 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrCopy>
00668014 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
00668017 .  8930       MOV DWORD PTR DS:[EAX],ESI
00668019 .  6A 01       PUSH 1
0066801B .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
00668021 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
00668024 .  894D B4    MOV DWORD PTR SS:[EBP-4C],ECX
00668027 .  C745 AC 08400>MOV DWORD PTR SS:[EBP-54],4008
0066802E .  68 80000000 PUSH 80
00668033 .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
00668036 .  52          PUSH EDX
00668037 .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
0066803A .  50          PUSH EAX
0066803B .  FF15 F8B36800 CALL DWORD PTR DS:[<&MSVBVM50.#622>]    ;  MSVBVM50.rtcStrConvVar
;先将26个UNICODE字符转换为ASC字符
00668041 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00668044 .  51          PUSH ECX
00668045 .  8D55 BC    LEA EDX,DWORD PTR SS:[EBP-44]
00668048 .  52          PUSH EDX
00668049 .  FF15 0CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVar2V>;  MSVBVM50.__vbaVar2Vec
0066804F .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
00668052 .  50          PUSH EAX
00668053 .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00668056 .  51          PUSH ECX
00668057 .  FF15 C8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryMo>;  MSVBVM50.__vbaAryMove
0066805D .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00668060 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00668066 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
00668069 .  8B10       MOV EDX,DWORD PTR DS:[EAX]
0066806B .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066806E .  51          PUSH ECX
0066806F .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00668072 .  51          PUSH ECX
00668073 .  50          PUSH EAX
00668074 .  FF52 38    CALL DWORD PTR DS:[EDX+38] ;这里!!!call 668330
00668077 .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066807A .  8975 D0    MOV DWORD PTR SS:[EBP-30],ESI
0066807D .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00668080 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00668086 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
00668089 .  52          PUSH EDX
0066808A .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
00668090 .  83F8 06    CMP EAX,6
00668093 .  74 25       JE SHORT ks.006680BA
00668095 .  BA A4B44100 MOV EDX,ks.0041B4A4
0066809A .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066809D .  FFD7       CALL EDI
0066809F .  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
006680A5 .  68 0B816600 PUSH ks.0066810B
006680AA .  EB 49       JMP SHORT ks.006680F5
006680AC .  BA A4B44100 MOV EDX,ks.0041B4A4
006680B1 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006680B4 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
006680BA >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
006680C0 .  68 0B816600 PUSH ks.0066810B
006680C5 .  EB 2E       JMP SHORT ks.006680F5
006680C7 .  F645 F4 04 TEST BYTE PTR SS:[EBP-C],4
006680CB .  74 09       JE SHORT ks.006680D6
006680CD .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006680D0 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006680D6 >  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
006680D9 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006680DF .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
006680E2 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
006680E8 .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
006680EB .  50          PUSH EAX
006680EC .  6A 00       PUSH 0
006680EE .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
006680F4 .  C3          RETN
006680F5 >  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006680F8 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006680FE .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00668101 .  51          PUSH ECX
00668102 .  6A 00       PUSH 0
00668104 .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
0066810A .  C3          RETN
0066810B .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066810E .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
00668111 .  8902       MOV DWORD PTR DS:[EDX],EAX
00668113 .  33C0       XOR EAX,EAX
00668115 .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
00668118 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066811F .  5F          POP EDI
00668120 .  5E          POP ESI
00668121 .  5B          POP EBX
00668122 .  8BE5       MOV ESP,EBP
00668124 .  5D          POP EBP
00668125 .  C2 0C00    RETN 0C
-------------------------------------------------------------------------------
▲文件:5-668330.txt
-------------------------------------------------------------------------------
从668074调用,计算前26个字符的校验码.
00668330 > \55          PUSH EBP
00668331 .  8BEC       MOV EBP,ESP
00668333 .  83EC 0C    SUB ESP,0C
00668336 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0066833B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668341 .  50          PUSH EAX
00668342 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668349 .  81EC D0000000 SUB ESP,0D0
0066834F .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
00668352 .  53          PUSH EBX
00668353 .  56          PUSH ESI
00668354 .  8B35 74B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaUI>;  MSVBVM50.__vbaUI1I2
0066835A .  57          PUSH EDI
0066835B .  33DB       XOR EBX,EBX
0066835D .  B9 FF000000 MOV ECX,0FF
00668362 .  8965 F4    MOV DWORD PTR SS:[EBP-C],ESP
00668365 .  C745 F8 00754>MOV DWORD PTR SS:[EBP-8],ks.00407500
0066836C .  C645 E0 00 MOV BYTE PTR SS:[EBP-20],0
00668370 .  895D DC    MOV DWORD PTR SS:[EBP-24],EBX
00668373 .  885D D0    MOV BYTE PTR SS:[EBP-30],BL
00668376 .  895D B8    MOV DWORD PTR SS:[EBP-48],EBX
00668379 .  895D A8    MOV DWORD PTR SS:[EBP-58],EBX
0066837C .  895D 98    MOV DWORD PTR SS:[EBP-68],EBX
0066837F .  895D 88    MOV DWORD PTR SS:[EBP-78],EBX
00668382 .  899D 78FFFFFF MOV DWORD PTR SS:[EBP-88],EBX
00668388 .  899D 68FFFFFF MOV DWORD PTR SS:[EBP-98],EBX
0066838E .  899D 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EBX
00668394 .  899D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EBX
0066839A .  899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
006683A0 .  8918       MOV DWORD PTR DS:[EAX],EBX
006683A2 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaUI1I2>
006683A4 .  B9 FF000000 MOV ECX,0FF
006683A9 .  8845 D0    MOV BYTE PTR SS:[EBP-30],AL ;12f65c=0FFh
006683AC .  FFD6       CALL ESI
006683AE .  B9 81000000 MOV ECX,81
006683B3 .  8845 E0    MOV BYTE PTR SS:[EBP-20],AL ;12F66C=0FFh
006683B6 .  FFD6       CALL ESI
006683B8 .  B9 A0000000 MOV ECX,0A0
006683BD .  8845 E4    MOV BYTE PTR SS:[EBP-1C],AL
006683C0 .  FFD6       CALL ESI
006683C2 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
006683C5 .  8845 CC    MOV BYTE PTR SS:[EBP-34],AL
006683C8 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
006683CA .  52          PUSH EDX
006683CB .  6A 01       PUSH 1
006683CD .  FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>;  MSVBVM50.__vbaUbound
;取上标eax=19h=25d 字符个数
006683D3 .  8BC8       MOV ECX,EAX
006683D5 .  FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>;  MSVBVM50.__vbaI2I4
006683DB .  8A4D E0    MOV CL,BYTE PTR SS:[EBP-20] ;cl=FFh
006683DE .  8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
006683E4 .  8A45 D0    MOV AL,BYTE PTR SS:[EBP-30] ;al=FFh
006683E7 .  895D E8    MOV DWORD PTR SS:[EBP-18],EBX
006683EA >  8B7D E8    MOV EDI,DWORD PTR SS:[EBP-18]
;上行外循环开始外循环26次
006683ED .  66:3BBD 2CFFF>CMP DI,WORD PTR SS:[EBP-D4]
006683F4 .  0F8F D4000000 JG ks.006684CE
006683FA .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
006683FD .  8B12       MOV EDX,DWORD PTR DS:[EDX]
006683FF .  3BD3       CMP EDX,EBX
00668401 .  74 25       JE SHORT ks.00668428
00668403 .  66:833A 01 CMP WORD PTR DS:[EDX],1
00668407 .  75 1F       JNZ SHORT ks.00668428
00668409 .  0FBFDF       MOVSX EBX,DI
0066840C .  8B7A 14    MOV EDI,DWORD PTR DS:[EDX+14]
0066840F .  2BDF       SUB EBX,EDI
00668411 .  8B7A 10    MOV EDI,DWORD PTR DS:[EDX+10] ;edi=1ah=26d
00668414 .  3BDF       CMP EBX,EDI
00668416 .  72 0C       JB SHORT ks.00668424
00668418 .  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066841E .  8A4D E0    MOV CL,BYTE PTR SS:[EBP-20]
00668421 .  8A45 D0    MOV AL,BYTE PTR SS:[EBP-30]
00668424 >  8BD3       MOV EDX,EBX
00668426 .  EB 0E       JMP SHORT ks.00668436
00668428 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066842E .  8A4D E0    MOV CL,BYTE PTR SS:[EBP-20]
00668431 .  8BD0       MOV EDX,EAX
00668433 .  8A45 D0    MOV AL,BYTE PTR SS:[EBP-30]
00668436 >  8B7D 0C    MOV EDI,DWORD PTR SS:[EBP+C]
00668439 .  8B3F       MOV EDI,DWORD PTR DS:[EDI]
0066843B .  8B7F 0C    MOV EDI,DWORD PTR DS:[EDI+C]
0066843E .  8A1C17       MOV BL,BYTE PTR DS:[EDI+EDX];逐个取26个字符
;0016E238  47 37 4B 34 30 37 34 48 39 4D 35 4D 58 56 52 49  G7K4074H9M5MXVRI
;0016E248  34 30 38 36 44 36 37 54 52 46 AB AB AB AB AB AB  4086D67TRF???
00668441 .  32C3       XOR AL,BL ;取出后和AL即FFH异或保持在al
00668443 .  33FF       XOR EDI,EDI ;edi清零
00668445 .  8845 D0    MOV BYTE PTR SS:[EBP-30],AL
00668448 >  BA 07000000 MOV EDX,7 ;内循环7次
;上行内循环开始
0066844D .  66:3BFA    CMP DI,DX
00668450 .  7F 63       JG SHORT ks.006684B5
00668452 .  8AD9       MOV BL,CL
00668454 .  8845 D8    MOV BYTE PTR SS:[EBP-28],AL ;暂存AL到12f65c(初始为FFH)
00668457 .  D0E9       SHR CL,1 ;CL初始为FFh
00668459 .  66:0FB6C9    MOVZX CX,CL
0066845D .  FFD6       CALL ESI ;AX为CL右移一位后的值
0066845F .  8845 E0    MOV BYTE PTR SS:[EBP-20],AL ;保持到12f66c
00668462 .  8A45 D0    MOV AL,BYTE PTR SS:[EBP-30] ;12f65c=B8H
00668465 .  D0E8       SHR AL,1 ;AL=5CH
00668467 .  66:33C9    XOR CX,CX
0066846A .  8AC8       MOV CL,AL
0066846C .  FFD6       CALL ESI
0066846E .  80E3 01    AND BL,1 ;bl初始FFh,只取最低位
00668471 .  8845 D0    MOV BYTE PTR SS:[EBP-30],AL ;保存到12f65c
00668474 .  80FB 01    CMP BL,1
00668477 .  75 0C       JNZ SHORT ks.00668485
00668479 .  0C 80       OR AL,80 ;如果BL的bit0为0那么AL最高位置1 al=DCh
0066847B .  66:33C9    XOR CX,CX
0066847E .  8AC8       MOV CL,AL
00668480 .  FFD6       CALL ESI
00668482 .  8845 D0    MOV BYTE PTR SS:[EBP-30],AL ;保存到12f65c
00668485 >  8A4D D8    MOV CL,BYTE PTR SS:[EBP-28] ;取12f664,CL=B8h
00668488 .  80E1 01    AND CL,1 ;保留最低位
0066848B .  80F9 01    CMP CL,1 ;最低位是1吗?
0066848E .  8A4D E0    MOV CL,BYTE PTR SS:[EBP-20] ;保存到12f66c
00668491 .  75 10       JNZ SHORT ks.006684A3 ;不是1
00668493 .  8A5D CC    MOV BL,BYTE PTR SS:[EBP-34]
00668496 .  8A55 E4    MOV DL,BYTE PTR SS:[EBP-1C]
00668499 .  32CB       XOR CL,BL
0066849B .  32C2       XOR AL,DL
0066849D .  884D E0    MOV BYTE PTR SS:[EBP-20],CL
006684A0 .  8845 D0    MOV BYTE PTR SS:[EBP-30],AL
006684A3 >  BA 01000000 MOV EDX,1
006684A8 .  66:03D7    ADD DX,DI
006684AB .  0F80 54010000 JO ks.00668605
006684B1 .  8BFA       MOV EDI,EDX
006684B3 .^ EB 93       JMP SHORT ks.00668448
;内循环结束
006684B5 >  BA 01000000 MOV EDX,1
006684BA .  66:0355 E8 ADD DX,WORD PTR SS:[EBP-18]
006684BE .  33DB       XOR EBX,EBX
006684C0 .  0F80 3F010000 JO ks.00668605
006684C6 .  8955 E8    MOV DWORD PTR SS:[EBP-18],EDX
006684C9 .^ E9 1CFFFFFF JMP ks.006683EA
;外循环结束
;AX=CCh=204校验码后半部分"204" CX=7Dh=125校验码前半部分"125" DX=1Ah=26表示26个字符已取完
;最后12f65c=CCH 12f66c=7DH
006684CE >  8B35 8CB66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarDup
006684D4 .  8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
006684DA .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
006684DD .  C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],ks.0042872C ;  UNICODE "000"
006684E7 .  C785 58FFFFFF>MOV DWORD PTR SS:[EBP-A8],8
006684F1 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaVarDup>
006684F3 .  8B3D 30B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.#660>]  ;  MSVBVM50.rtcVarFromFormatVar
006684F9 .  8D4D E0    LEA ECX,DWORD PTR SS:[EBP-20]
006684FC .  6A 01       PUSH 1
006684FE .  8D55 B8    LEA EDX,DWORD PTR SS:[EBP-48]
00668501 .  898D 70FFFFFF MOV DWORD PTR SS:[EBP-90],ECX
00668507 .  6A 01       PUSH 1
00668509 .  8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0066850F .  52          PUSH EDX
00668510 .  8D4D A8    LEA ECX,DWORD PTR SS:[EBP-58]
00668513 .  BB 11400000 MOV EBX,4011
00668518 .  50          PUSH EAX
00668519 .  51          PUSH ECX
0066851A .  899D 68FFFFFF MOV DWORD PTR SS:[EBP-98],EBX
00668520 .  FFD7       CALL EDI                               ;  <&MSVBVM50.#660>
00668522 .  8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00668528 .  8D4D 98    LEA ECX,DWORD PTR SS:[EBP-68]
0066852B .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],ks.0042872C ;  UNICODE "000"
00668535 .  C785 38FFFFFF>MOV DWORD PTR SS:[EBP-C8],8
0066853F .  FFD6       CALL ESI
00668541 .  8D55 D0    LEA EDX,DWORD PTR SS:[EBP-30]
00668544 .  6A 01       PUSH 1
00668546 .  8D45 98    LEA EAX,DWORD PTR SS:[EBP-68]
00668549 .  8995 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EDX
0066854F .  6A 01       PUSH 1
00668551 .  8D8D 48FFFFFF LEA ECX,DWORD PTR SS:[EBP-B8]
00668557 .  50          PUSH EAX
00668558 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066855B .  51          PUSH ECX
0066855C .  52          PUSH EDX
0066855D .  899D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EBX
00668563 .  FFD7       CALL EDI
00668565 .  8D45 A8    LEA EAX,DWORD PTR SS:[EBP-58]
00668568 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066856B .  50          PUSH EAX
0066856C .  8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
00668572 .  51          PUSH ECX
00668573 .  52          PUSH EDX
00668574 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
0066857A .  50          PUSH EAX
0066857B .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
;已经连接校验码
00668581 .  8BD0       MOV EDX,EAX
00668583 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
00668586 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066858C .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
00668592 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
00668595 .  50          PUSH EAX
00668596 .  8D55 A8    LEA EDX,DWORD PTR SS:[EBP-58]
00668599 .  51          PUSH ECX
0066859A .  8D45 98    LEA EAX,DWORD PTR SS:[EBP-68]
0066859D .  52          PUSH EDX
0066859E .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
006685A1 .  50          PUSH EAX
006685A2 .  51          PUSH ECX
006685A3 .  6A 05       PUSH 5
006685A5 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006685AB .  83C4 18    ADD ESP,18
006685AE .  68 E8856600 PUSH ks.006685E8
006685B3 .  EB 32       JMP SHORT ks.006685E7
006685B5 .  F645 FC 04 TEST BYTE PTR SS:[EBP-4],4
006685B9 .  74 09       JE SHORT ks.006685C4
006685BB .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006685BE .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006685C4 >  8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
006685CA .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
006685CD .  52          PUSH EDX
006685CE .  8D4D 98    LEA ECX,DWORD PTR SS:[EBP-68]
006685D1 .  50          PUSH EAX
006685D2 .  8D55 A8    LEA EDX,DWORD PTR SS:[EBP-58]
006685D5 .  51          PUSH ECX
006685D6 .  8D45 B8    LEA EAX,DWORD PTR SS:[EBP-48]
006685D9 .  52          PUSH EDX
006685DA .  50          PUSH EAX
006685DB .  6A 05       PUSH 5
006685DD .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006685E3 .  83C4 18    ADD ESP,18
006685E6 .  C3          RETN
006685E7 >  C3          RETN                                  ;  RET used as a jump to 006685E8
006685E8 >  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
006685EB .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
006685EE .  5F          POP EDI
006685EF .  5E          POP ESI
006685F0 .  8911       MOV DWORD PTR DS:[ECX],EDX
006685F2 .  8B4D EC    MOV ECX,DWORD PTR SS:[EBP-14]
006685F5 .  33C0       XOR EAX,EAX
006685F7 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
006685FE .  5B          POP EBX
006685FF .  8BE5       MOV ESP,EBP
00668601 .  5D          POP EBP
00668602 .  C2 0C00    RETN 0C
00668605 >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
0066860B .  90          NOP
0066860C .  90          NOP
0066860D .  90          NOP
0066860E .  90          NOP
0066860F .  90          NOP
00668610 >  55          PUSH EBP
-------------------------------------------------------------------------------
▲文件:0-26ASC-XOR.txt 26个字符的异或过程
-------------------------------------------------------------------------------
al cl bl XORalbl 暂存al
FF(初) 47 B8 B8 (外循环开始设初值,只计算xor al,bl)
B8 FF(初) FF(从CL)
5C(SHR1) 7F(SHR1) 01(AND1) 5C(内循环1,SHR(B8,1),SHR(FF,1),AND(FF,1))
Bit0为1则AL Bit7置1=> DC(OR AL,80)
B8
00(AND B8,1)CL若为1,则有复杂操作
7F放入CL

3F(shrCL,1第2步)7F(第1步) (内2)
6E(shrDC,1) 01(AND 7F,1) 6E
Bit0为1则AL Bit7置1=> EE(OR AL,80)
00(AND DC,1)CL若为1,则有复杂操作
DC放入CL

1F(shrCL,1第2步)3F(第1步) (内3)
77(shrEE,1) 01(AND 3F,1)
Bit0为1则AL Bit7置1=> F7(OR AL,80)
00(EE放入CL,AND DC,1)CL若为1,则有复杂操作
1F放入CL

这个过程太复杂了,直接逆推吧,先给26个字符,再推4个校验字符吧.
-------------------------------------------------------------------------------
▲文件:0-61D1A7.txt
-------------------------------------------------------------------------------
0061D154 8B1F          MOV EBX,DWORD PTR DS:[EDI]
0061D156 52             PUSH EDX
0061D157 50             PUSH EAX
0061D158 51             PUSH ECX
0061D159 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
0061D15C FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
0061D162 50             PUSH EAX
0061D163 57             PUSH EDI
0061D164 FF53 24       CALL DWORD PTR DS:[EBX+24]
0061D167 3BC6          CMP EAX,ESI
0061D169 7D 13          JGE SHORT ks1.0061D17E
0061D16B 8B1D 40B46800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0061D171 6A 24          PUSH 24
0061D173 68 C4E94100    PUSH ks1.0041E9C4
0061D178 57             PUSH EDI
0061D179 50             PUSH EAX
0061D17A FFD3          CALL EBX
0061D17C EB 06          JMP SHORT ks1.0061D184
0061D17E 8B1D 40B46800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0061D184 66:3975 88    CMP WORD PTR SS:[EBP-78],SI
0061D188 75 16          JNZ SHORT ks1.0061D1A0
0061D18A 83C8 FF       OR EAX,FFFFFFFF
0061D18D 68 0ED56100    PUSH ks1.0061D50E
0061D192 8945 E4       MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 66:A3 DCB06700  MOV WORD PTR DS:[67B0DC],AX
0061D19B E9 4F030000    JMP ks1.0061D4EF
0061D1A0 66:3935 DCB0670>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 0F85 07030000 JNZ ks1.0061D4B4
0061D1AD 8B4D 14       MOV ECX,DWORD PTR SS:[EBP+14]
0061D1B0 8B45 18       MOV EAX,DWORD PTR SS:[EBP+18]
0061D1B3 66:3975 10    CMP WORD PTR SS:[EBP+10],SI
0061D1B7 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D1BC 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D1C1 0F84 E3020000 JE ks1.0061D4AA
0061D1C7 3935 28C76700 CMP DWORD PTR DS:[67C728],ESI
0061D1CD 75 10          JNZ SHORT ks1.0061D1DF
0061D1CF 68 28C76700    PUSH ks1.0067C728
0061D1D4 68 A0C84100    PUSH ks1.0041C8A0
0061D1D9 FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D1DF 8B3D 28C76700 MOV EDI,DWORD PTR DS:[67C728]
0061D1E5 8D45 CC       LEA EAX,DWORD PTR SS:[EBP-34]
0061D1E8 50             PUSH EAX
0061D1E9 57             PUSH EDI
0061D1EA 8B17          MOV EDX,DWORD PTR DS:[EDI]
0061D1EC FF52 14       CALL DWORD PTR DS:[EDX+14]
0061D1EF 3BC6          CMP EAX,ESI
0061D1F1 7D 0B          JGE SHORT ks1.0061D1FE
0061D1F3 6A 14          PUSH 14
0061D1F5 68 98C74100    PUSH ks1.0041C798
0061D1FA 57             PUSH EDI
0061D1FB 50             PUSH EAX
0061D1FC FFD3          CALL EBX
0061D1FE 8B45 CC       MOV EAX,DWORD PTR SS:[EBP-34]
0061D201 8D55 D8       LEA EDX,DWORD PTR SS:[EBP-28]
0061D204 52             PUSH EDX
0061D205 50             PUSH EAX
0061D206 8B08          MOV ECX,DWORD PTR DS:[EAX]
0061D208 8BF8          MOV EDI,EAX
0061D20A FF51 60       CALL DWORD PTR DS:[ECX+60]
0061D20D 3BC6          CMP EAX,ESI
0061D20F 7D 0B          JGE SHORT ks1.0061D21C
0061D211 6A 60          PUSH 60
0061D213 68 98E44100    PUSH ks1.0041E498
0061D218 57             PUSH EDI
0061D219 50             PUSH EAX
0061D21A FFD3          CALL EBX
0061D21C 83EC 10       SUB ESP,10
0061D21F B9 08000000    MOV ECX,8
0061D224 8BD4          MOV EDX,ESP
0061D226 8B5D 08       MOV EBX,DWORD PTR SS:[EBP+8]
0061D229 894D 9C       MOV DWORD PTR SS:[EBP-64],ECX
0061D22C B8 D4E54100    MOV EAX,ks1.0041E5D4
0061D231 890A          MOV DWORD PTR DS:[EDX],ECX
0061D233 8B4D A0       MOV ECX,DWORD PTR SS:[EBP-60]
0061D236 8945 A4       MOV DWORD PTR SS:[EBP-5C],EAX
0061D239 68 8CE24100    PUSH ks1.0041E28C                      ; UNICODE "NoAlert"
0061D23E 894A 04       MOV DWORD PTR DS:[EDX+4],ECX
0061D241 68 2CE74100    PUSH ks1.0041E72C                      ; UNICODE "Active"
0061D246 53             PUSH EBX
0061D247 8942 08       MOV DWORD PTR DS:[EDX+8],EAX
0061D24A 8B45 A8       MOV EAX,DWORD PTR SS:[EBP-58]
0061D24D 8942 0C       MOV DWORD PTR DS:[EDX+C],EAX
0061D250 FF15 BCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>; MSVBVM50.__vbaStrI4
0061D256 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0061D25C 8BD0          MOV EDX,EAX
0061D25E 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
0061D261 FFD7          CALL EDI
0061D263 50             PUSH EAX
0061D264 FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0061D26A 8BD0          MOV EDX,EAX
0061D26C 8D4D D0       LEA ECX,DWORD PTR SS:[EBP-30]
0061D26F FFD7          CALL EDI
0061D271 8B4D D8       MOV ECX,DWORD PTR SS:[EBP-28]
0061D274 50             PUSH EAX
0061D275 51             PUSH ECX
0061D276 FF15 6CB66800 CALL DWORD PTR DS:[<&MSVBVM50.#689>]    ; MSVBVM50.rtcGetSetting
0061D27C 8BD0          MOV EDX,EAX
0061D27E 8D4D DC       LEA ECX,DWORD PTR SS:[EBP-24]
0061D281 FFD7          CALL EDI
0061D283 8D55 D0       LEA EDX,DWORD PTR SS:[EBP-30]
0061D286 8D45 D8       LEA EAX,DWORD PTR SS:[EBP-28]
0061D289 52             PUSH EDX
0061D28A 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
0061D28D 50             PUSH EAX
0061D28E 51             PUSH ECX
0061D28F 6A 03          PUSH 3
0061D291 FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0061D297 83C4 10       ADD ESP,10
0061D29A 8D4D CC       LEA ECX,DWORD PTR SS:[EBP-34]
0061D29D FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0061D2A3 8B55 DC       MOV EDX,DWORD PTR SS:[EBP-24]
0061D2A6 52             PUSH EDX
0061D2A7 68 D4E54100    PUSH ks1.0041E5D4
0061D2AC FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0061D2B2 85C0          TEST EAX,EAX
0061D2B4 0F85 FA010000 JNZ ks1.0061D4B4
0061D2BA 3935 B0B36700 CMP DWORD PTR DS:[67B3B0],ESI
0061D2C0 75 10          JNZ SHORT ks1.0061D2D2
0061D2C2 68 B0B36700    PUSH ks1.0067B3B0
0061D2C7 68 FCD44000    PUSH ks1.0040D4FC
0061D2CC FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D2D2 8B3D B0B36700 MOV EDI,DWORD PTR DS:[67B3B0]
0061D2D8 53             PUSH EBX
0061D2D9 57             PUSH EDI
0061D2DA 8B07          MOV EAX,DWORD PTR DS:[EDI]
0061D2DC FF90 00070000 CALL DWORD PTR DS:[EAX+700]
0061D2E2 3BC6          CMP EAX,ESI
0061D2E4 7D 12          JGE SHORT ks1.0061D2F8
0061D2E6 68 00070000    PUSH 700
0061D2EB 68 2C5D4200    PUSH ks1.00425D2C
0061D2F0 57             PUSH EDI
0061D2F1 50             PUSH EAX
0061D2F2 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D2F8 3935 B0B36700 CMP DWORD PTR DS:[67B3B0],ESI
0061D2FE 75 10          JNZ SHORT ks1.0061D310
0061D300 68 B0B36700    PUSH ks1.0067B3B0
0061D305 68 FCD44000    PUSH ks1.0040D4FC
0061D30A FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D310 8B3D B0B36700 MOV EDI,DWORD PTR DS:[67B3B0]
0061D316 8D55 BC       LEA EDX,DWORD PTR SS:[EBP-44]
0061D319 52             PUSH EDX
0061D31A 57             PUSH EDI
0061D31B 8B0F          MOV ECX,DWORD PTR DS:[EDI]
0061D31D FF91 F8060000 CALL DWORD PTR DS:[ECX+6F8]
0061D323 3BC6          CMP EAX,ESI
0061D325 7D 12          JGE SHORT ks1.0061D339
0061D327 68 F8060000    PUSH 6F8
0061D32C 68 2C5D4200    PUSH ks1.00425D2C
0061D331 57             PUSH EDI
0061D332 50             PUSH EAX
0061D333 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D339 8D45 BC       LEA EAX,DWORD PTR SS:[EBP-44]
0061D33C 8D4D 9C       LEA ECX,DWORD PTR SS:[EBP-64]
0061D33F 50             PUSH EAX
0061D340 51             PUSH ECX
0061D341 C745 A4 0100000>MOV DWORD PTR SS:[EBP-5C],1
0061D348 C745 9C 0280000>MOV DWORD PTR SS:[EBP-64],8002
0061D34F FF15 14B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstEq
0061D355 8D4D BC       LEA ECX,DWORD PTR SS:[EBP-44]
0061D358 8BF8          MOV EDI,EAX
0061D35A FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0061D360 66:3BFE       CMP DI,SI
0061D363 0F84 4B010000 JE ks1.0061D4B4
0061D369 3935 E0B16700 CMP DWORD PTR DS:[67B1E0],ESI
0061D36F 75 10          JNZ SHORT ks1.0061D381
0061D371 68 E0B16700    PUSH ks1.0067B1E0
0061D376 68 1C384100    PUSH ks1.0041381C
0061D37B FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D381 8B3D E0B16700 MOV EDI,DWORD PTR DS:[67B1E0]
0061D387 53             PUSH EBX
0061D388 57             PUSH EDI
0061D389 8B17          MOV EDX,DWORD PTR DS:[EDI]
0061D38B FF92 00070000 CALL DWORD PTR DS:[EDX+700]
0061D391 3BC6          CMP EAX,ESI
0061D393 7D 12          JGE SHORT ks1.0061D3A7
0061D395 68 00070000    PUSH 700
0061D39A 68 3CE84100    PUSH ks1.0041E83C
0061D39F 57             PUSH EDI
0061D3A0 50             PUSH EAX
0061D3A1 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D3A7 3935 E0B16700 CMP DWORD PTR DS:[67B1E0],ESI
0061D3AD 75 10          JNZ SHORT ks1.0061D3BF
0061D3AF 68 E0B16700    PUSH ks1.0067B1E0
0061D3B4 68 1C384100    PUSH ks1.0041381C
0061D3B9 FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D3BF 8B3D E0B16700 MOV EDI,DWORD PTR DS:[67B1E0]
0061D3C5 83EC 10       SUB ESP,10
0061D3C8 8BDC          MOV EBX,ESP
0061D3CA B9 0A000000    MOV ECX,0A
0061D3CF 8B17          MOV EDX,DWORD PTR DS:[EDI]
0061D3D1 B8 04000280    MOV EAX,80020004
0061D3D6 890B          MOV DWORD PTR DS:[EBX],ECX
0061D3D8 8B4D 90       MOV ECX,DWORD PTR SS:[EBP-70]
0061D3DB 83EC 10       SUB ESP,10
0061D3DE C745 9C 0300000>MOV DWORD PTR SS:[EBP-64],3
0061D3E5 894B 04       MOV DWORD PTR DS:[EBX+4],ECX
0061D3E8 8BCC          MOV ECX,ESP
0061D3EA C745 A4 0100000>MOV DWORD PTR SS:[EBP-5C],1
0061D3F1 57             PUSH EDI
0061D3F2 8943 08       MOV DWORD PTR DS:[EBX+8],EAX
0061D3F5 8B45 98       MOV EAX,DWORD PTR SS:[EBP-68]
0061D3F8 8943 0C       MOV DWORD PTR DS:[EBX+C],EAX
0061D3FB 8B45 9C       MOV EAX,DWORD PTR SS:[EBP-64]
0061D3FE 8901          MOV DWORD PTR DS:[ECX],EAX
0061D400 8B45 A0       MOV EAX,DWORD PTR SS:[EBP-60]
0061D403 8941 04       MOV DWORD PTR DS:[ECX+4],EAX
0061D406 8B45 A4       MOV EAX,DWORD PTR SS:[EBP-5C]
0061D409 8941 08       MOV DWORD PTR DS:[ECX+8],EAX
0061D40C 8B45 A8       MOV EAX,DWORD PTR SS:[EBP-58]
0061D40F 8941 0C       MOV DWORD PTR DS:[ECX+C],EAX
0061D412 FF92 B0020000 CALL DWORD PTR DS:[EDX+2B0]
0061D418 3BC6          CMP EAX,ESI
0061D41A 7D 12          JGE SHORT ks1.0061D42E
0061D41C 68 B0020000    PUSH 2B0
0061D421 68 0CE84100    PUSH ks1.0041E80C
0061D426 57             PUSH EDI
0061D427 50             PUSH EAX
0061D428 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D42E 8B7D EC       MOV EDI,DWORD PTR SS:[EBP-14]
0061D431 3BFE          CMP EDI,ESI
0061D433 75 12          JNZ SHORT ks1.0061D447
0061D435 8D4D EC       LEA ECX,DWORD PTR SS:[EBP-14]
0061D438 51             PUSH ECX
0061D439 68 D0924000    PUSH ks1.004092D0
0061D43E FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D444 8B7D EC       MOV EDI,DWORD PTR SS:[EBP-14]
0061D447 8B45 0C       MOV EAX,DWORD PTR SS:[EBP+C]
0061D44A 8B4D 18       MOV ECX,DWORD PTR SS:[EBP+18]
0061D44D 8B1F          MOV EBX,DWORD PTR DS:[EDI]
0061D44F 8D55 88       LEA EDX,DWORD PTR SS:[EBP-78]
0061D452 52             PUSH EDX
0061D453 8B55 14       MOV EDX,DWORD PTR SS:[EBP+14]
0061D456 50             PUSH EAX
0061D457 51             PUSH ECX
0061D458 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
0061D45B 52             PUSH EDX
0061D45C FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
0061D462 50             PUSH EAX
0061D463 57             PUSH EDI
0061D464 FF53 24       CALL DWORD PTR DS:[EBX+24]
0061D467 3BC6          CMP EAX,ESI
0061D469 7D 0F          JGE SHORT ks1.0061D47A
0061D46B 6A 24          PUSH 24
0061D46D 68 C4E94100    PUSH ks1.0041E9C4
0061D472 57             PUSH EDI
0061D473 50             PUSH EAX
0061D474 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D47A 66:3975 88    CMP WORD PTR SS:[EBP-78],SI
0061D47E 75 13          JNZ SHORT ks1.0061D493
0061D480 83C8 FF       OR EAX,FFFFFFFF
0061D483 68 0ED56100    PUSH ks1.0061D50E
0061D488 8945 E4       MOV DWORD PTR SS:[EBP-1C],EAX
0061D48B 66:A3 DCB06700  MOV WORD PTR DS:[67B0DC],AX
0061D491 EB 5C          JMP SHORT ks1.0061D4EF
0061D493 8B45 14       MOV EAX,DWORD PTR SS:[EBP+14]
0061D496 8B4D 18       MOV ECX,DWORD PTR SS:[EBP+18]
0061D499 68 0ED56100    PUSH ks1.0061D50E
0061D49E 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D4A3 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D4A8 EB 45          JMP SHORT ks1.0061D4EF
0061D4AA 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D4AF 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D4B4 68 0ED56100    PUSH ks1.0061D50E
0061D4B9 EB 34          JMP SHORT ks1.0061D4EF
0061D4BB 8D55 D0       LEA EDX,DWORD PTR SS:[EBP-30]
0061D4BE 8D45 D4       LEA EAX,DWORD PTR SS:[EBP-2C]
0061D4C1 52             PUSH EDX
0061D4C2 8D4D D8       LEA ECX,DWORD PTR SS:[EBP-28]
0061D4C5 50             PUSH EAX
0061D4C6 51             PUSH ECX
0061D4C7 6A 03          PUSH 3
0061D4C9 FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0061D4CF 83C4 10       ADD ESP,10
0061D4D2 8D4D CC       LEA ECX,DWORD PTR SS:[EBP-34]
0061D4D5 FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0061D4DB 8D55 AC       LEA EDX,DWORD PTR SS:[EBP-54]
0061D4DE 8D45 BC       LEA EAX,DWORD PTR SS:[EBP-44]
0061D4E1 52             PUSH EDX
0061D4E2 50             PUSH EAX
0061D4E3 6A 02          PUSH 2
0061D4E5 FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0061D4EB 83C4 0C       ADD ESP,0C
0061D4EE C3             RETN
0061D4EF 8B35 14B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0061D4F5 8D4D EC       LEA ECX,DWORD PTR SS:[EBP-14]
0061D4F8 FFD6          CALL ESI
0061D4FA 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
0061D4FD FFD6          CALL ESI
0061D4FF 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-20]
0061D502 FFD6          CALL ESI
0061D504 8D4D DC       LEA ECX,DWORD PTR SS:[EBP-24]
0061D507  - FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0061D50D C3             RETN
0061D50E 8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
0061D511 66:8B45 E4    MOV AX,WORD PTR SS:[EBP-1C]
0061D515 5F             POP EDI
0061D516 5E             POP ESI
0061D517 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
0061D51E 5B             POP EBX
0061D51F 8BE5          MOV ESP,EBP
0061D521 5D             POP EBP
0061D522 C2 1400       RETN 14
0061D525 90             NOP
0061D526 90             NOP
0061D527 90             NOP
0061D528 90             NOP
0061D529 90             NOP
-------------------------------------------------------------------------------
▲文件:0-668130.txt
-------------------------------------------------------------------------------
;处理"04" "61"的call ,从666F93调用,以"61"为例
00668130 > \55          PUSH EBP
00668131 .  8BEC       MOV EBP,ESP
00668133 .  83EC 08    SUB ESP,8
00668136 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0066813B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668141 .  50          PUSH EAX
00668142 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668149 .  83EC 48    SUB ESP,48
0066814C .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066814F .  53          PUSH EBX
00668150 .  56          PUSH ESI
00668151 .  57          PUSH EDI
00668152 .  33C0       XOR EAX,EAX
00668154 .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
00668157 .  8965 F8    MOV DWORD PTR SS:[EBP-8],ESP
0066815A .  C745 FC F0744>MOV DWORD PTR SS:[EBP-4],ks1.004074F0
00668161 .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
00668164 .  8945 E8    MOV DWORD PTR SS:[EBP-18],EAX
00668167 .  8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
0066816A .  8945 D0    MOV DWORD PTR SS:[EBP-30],EAX
0066816D .  8945 C0    MOV DWORD PTR SS:[EBP-40],EAX
00668170 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00668176 .  8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
00668179 .  8B35 D8B36800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaLe>;  MSVBVM50.__vbaLenBstr
0066817F .  50          PUSH EAX
00668180 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaLenBstr>
00668182 .  83F8 02    CMP EAX,2
00668185 .  0F8F 55010000 JG ks1.006682E0
0066818B .  8B4D E8    MOV ECX,DWORD PTR SS:[EBP-18]
0066818E .  51          PUSH ECX
0066818F .  FFD6       CALL ESI
00668191 .  83F8 01    CMP EAX,1
00668194 .  75 1E       JNZ SHORT ks1.006681B4
00668196 .  8B55 E8    MOV EDX,DWORD PTR SS:[EBP-18]
00668199 .  68 D4E54100 PUSH ks1.0041E5D4
0066819E .  52          PUSH EDX
0066819F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
006681A5 .  8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
006681AB .  8BD0       MOV EDX,EAX
006681AD .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
006681B0 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrMove>
006681B2 .  EB 06       JMP SHORT ks1.006681BA
006681B4 >  8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
006681BA >  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
006681BD .  6A 01       PUSH 1
006681BF .  8D55 D0    LEA EDX,DWORD PTR SS:[EBP-30]
006681C2 .  8D45 E8    LEA EAX,DWORD PTR SS:[EBP-18]
006681C5 .  BE 08400000 MOV ESI,4008
006681CA .  51          PUSH ECX
006681CB .  52          PUSH EDX
006681CC .  8945 C8    MOV DWORD PTR SS:[EBP-38],EAX
006681CF .  8975 C0    MOV DWORD PTR SS:[EBP-40],ESI
006681D2 .  FF15 CCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#619>]    ;  MSVBVM50.rtcRightCharVar
;取右边"1"
006681D8 .  8B1D DCB36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrVarMove
006681DE .  8D45 D0    LEA EAX,DWORD PTR SS:[EBP-30]
006681E1 .  50          PUSH EAX
006681E2 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrVarMove>
006681E4 .  8BD0       MOV EDX,EAX
006681E6 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
006681E9 .  FFD7       CALL EDI
006681EB .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
006681EE .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
006681F4 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
006681F7 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
006681FA .  52          PUSH EDX
006681FB .  894D C8    MOV DWORD PTR SS:[EBP-38],ECX
006681FE .  8975 C0    MOV DWORD PTR SS:[EBP-40],ESI          ;  数据在[ESI]
00668201 .  FF15 20B56800 CALL DWORD PTR DS:[<&MSVBVM50.#561>]    ;  MSVBVM50.rtcIsNumeric
;"1"是数字吗
00668207 .  66:85C0    TEST AX,AX
0066820A .  74 14       JE SHORT ks1.00668220
0066820C .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
0066820F .  50          PUSH EAX
00668210 .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
;转换为8字节浮点数
00668216 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
;转换为整数
0066821C .  8BF0       MOV ESI,EAX ;结果在AX=01 ,保存在SI备用
0066821E .  EB 17       JMP SHORT ks1.00668237
00668220 >  8B4D EC    MOV ECX,DWORD PTR SS:[EBP-14]
00668223 .  51          PUSH ECX
00668224 .  FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ;  MSVBVM50.rtcAnsiValueBstr
0066822A .  66:8BF0    MOV SI,AX
0066822D .  66:83EE 37 SUB SI,37 ;这里如果不是转换为数字,如"E"=>0Eh
00668231 .  0F80 F0000000 JO ks1.00668327
00668237 >  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
0066823A .  6A 01       PUSH 1
0066823C .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066823F .  8D55 E8    LEA EDX,DWORD PTR SS:[EBP-18]
00668242 .  50          PUSH EAX
00668243 .  51          PUSH ECX
00668244 .  8955 C8    MOV DWORD PTR SS:[EBP-38],EDX
00668247 .  C745 C0 08400>MOV DWORD PTR SS:[EBP-40],4008
0066824E .  FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>]    ;  MSVBVM50.rtcLeftCharVar
;取"6"
00668254 .  8D55 D0    LEA EDX,DWORD PTR SS:[EBP-30]
00668257 .  52          PUSH EDX
00668258 .  FFD3       CALL EBX
0066825A .  8BD0       MOV EDX,EAX
0066825C .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
0066825F .  FFD7       CALL EDI
00668261 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00668264 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066826A .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066826D .  8D45 EC    LEA EAX,DWORD PTR SS:[EBP-14]
00668270 .  51          PUSH ECX
00668271 .  8945 C8    MOV DWORD PTR SS:[EBP-38],EAX
00668274 .  C745 C0 08400>MOV DWORD PTR SS:[EBP-40],4008
0066827B .  FF15 20B56800 CALL DWORD PTR DS:[<&MSVBVM50.#561>]    ;  MSVBVM50.rtcIsNumeric
00668281 .  66:85C0    TEST AX,AX
00668284 .  74 3C       JE SHORT ks1.006682C2
00668286 .  8B55 EC    MOV EDX,DWORD PTR SS:[EBP-14]
00668289 .  52          PUSH EDX
0066828A .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
00668290 .  DD5D B8    FSTP QWORD PTR SS:[EBP-48]
00668293 .  DD45 B8    FLD QWORD PTR SS:[EBP-48]
00668296 .  DC0D 90744000 FMUL QWORD PTR DS:[407490] ;乘以36.0(十进制)=216 ,[407490]=36.0
0066829C .  0FBFC6       MOVSX EAX,SI
0066829F .  8945 B0    MOV DWORD PTR SS:[EBP-50],EAX
006682A2 .  DB45 B0    FILD DWORD PTR SS:[EBP-50]
006682A5 .  DD5D A8    FSTP QWORD PTR SS:[EBP-58]
006682A8 .  DC45 A8    FADD QWORD PTR SS:[EBP-58] ;在加刚刚保存在SI的1=217 ;十进制
006682AB .  DFE0       FSTSW AX
006682AD .  A8 0D       TEST AL,0D
006682AF .  75 71       JNZ SHORT ks1.00668322
006682B1 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
;转换为整型数,放在AX
006682B7 .  8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
006682BA .  68 03836600 PUSH ks1.00668303
006682BF .  9B          WAIT
006682C0 .  EB 30       JMP SHORT ks1.006682F2
006682C2 >  8B4D EC    MOV ECX,DWORD PTR SS:[EBP-14]
006682C5 .  51          PUSH ECX
006682C6 .  FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ;  MSVBVM50.rtcAnsiValueBstr
006682CC .  66:2D 3700 SUB AX,37
006682D0 .  70 55       JO SHORT ks1.00668327
006682D2 .  66:6BC0 24 IMUL AX,AX,24
006682D6 .  70 4F       JO SHORT ks1.00668327
006682D8 .  66:03C6    ADD AX,SI
006682DB .  70 4A       JO SHORT ks1.00668327
006682DD .  8945 E0    MOV DWORD PTR SS:[EBP-20],EAX
006682E0 >  9B          WAIT
006682E1 .  68 03836600 PUSH ks1.00668303
006682E6 .  EB 0A       JMP SHORT ks1.006682F2
006682E8 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
006682EB .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
006682F1 .  C3          RETN
006682F2 >  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006682F8 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
006682FB .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
006682FD .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
00668300 .  FFE6       JMP ESI
00668302 .  C3          RETN
00668303 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
00668306 .  66:8B45 E0 MOV AX,WORD PTR SS:[EBP-20]
0066830A .  8B4D F0    MOV ECX,DWORD PTR SS:[EBP-10]
0066830D .  5F          POP EDI
0066830E .  66:8902    MOV WORD PTR DS:[EDX],AX
00668311 .  5E          POP ESI
00668312 .  33C0       XOR EAX,EAX
00668314 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066831B .  5B          POP EBX
0066831C .  8BE5       MOV ESP,EBP
0066831E .  5D          POP EBP
0066831F .  C2 0C00    RETN 0C
00668322 >^ E9 D5FCD9FF JMP <JMP.&MSVBVM50.__vbaFPException>
00668327 >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
0066832D .  90          NOP
0066832E .  90          NOP
0066832F .  90          NOP
00668330 >  55          PUSH EBP

总结:
程序变换输入的激活码,例如5084J-VX10H-0248M-TXZO7-O1J69-26M9I
G7K4074H9V5MXVR I4086D67TRF0461
取后4个字符并把他们转换为相应数值(例如"E"转换为0Eh),然后
"04"操作为4+0*36=4,  格式化为"004"
"61"操作为1+6*36=217,格式化为"217"
连接以上字符串得到"004217"即为得到的校验串.
这个"0461"实际是激活码开始的"5084"反过来"4805",再各字符ASC值减4得到"0461"
然后再取前26个字符进行复杂的异或操作,取得另一个校验码.再比较.(见5-668330.txt)

36*2=72
36*3=108
36*4=144
36*5=180
36*6=216
36*7=252

F755 0-BBBBB-CCCCC-DDDDD-O2222-33333
   O必须是O因为硬盘序列号为8
"037119"
037=1*36+1 "11"
119=3*36+11 "3B"

"113B"asc值加4=>"557F",反过来"F755"

校验成功,但是:
006671DB .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
006671E1 .  8945 B8    MOV DWORD PTR SS:[EBP-48],EAX
006671E4 .  C745 B0 03000>MOV DWORD PTR SS:[EBP-50],3
006671EB .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
006671EE .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006671F4 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006671FE .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00667201 .  50          PUSH EAX
00667202 .  6A 0B       PUSH 0B
00667204 .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0066720A .  51          PUSH ECX
0066720B .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
0066720E .  52          PUSH EDX
0066720F .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
00667215 .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
00667218 .  8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0066721E .  C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],8008
00667228 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0066722B .  51          PUSH ECX
0066722C .  8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00667232 .  52          PUSH EDX
00667233 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
;这里监测出错了.
;好像拿下面两个字符串比较,必须相等,这里就过了.
;0012E95C 001D32F4  UNICODE "4JV10H8M"
;0012E960 001D3F2C  UNICODE "BBBBBYYY"
;0012EB40 0016C23C  UNICODE "11111-0000M-BBBBB-YYYYY-XXXXX-6113B"这是变换后的激活码
;BBBBBYYY应该是硬盘序列号才对
;字母表ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890
;4JV10 H8M其中H8M是减4得到的,4JV10是减2得到的.
;H8M=>L2Q,4JV10=>6LX32反过来Q2L-23XL6
;F755 0-BBBBB-CC Q2L-23XL6 -O2222-33333
;F7550-BBBBB-CCQ2L-23XL6-O2222-33333
00667239 .  8BF8       MOV EDI,EAX                            ;  eax=0
0066723B .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0066723E .  50          PUSH EAX
0066723F .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667242 .  51          PUSH ECX
00667243 .  6A 02       PUSH 2
00667245 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066724B .  83C4 0C    ADD ESP,0C
0066724E .  66:85FF    TEST DI,DI
00667251 . /75 28       JNZ SHORT ks.0066727B ;跳走完蛋
00667253 . |8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00667259 . |52          PUSH EDX
得到激活码:
F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到校验值为:225128这个校验码不行,改一下最后一个字符
F7550-BBBBB-CCQ2L-23XL6-O2222-33332得到校验码"156157"
156=36*4+12 "4C"
157=36*4+13 "4D"
"4C4D"asc值加4,"8G8H",反过来"H8G8"
H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
H8G8 0-BBBBB-CC Q2L-23XL6 -O 2222-33332
校验          硬盘序列号 ^校验硬盘序列号字符数
这样刚刚的监测也躲过了.
但是还有.
0066725A . |8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0066725D . |50          PUSH EAX
0066725E . |56          PUSH ESI
0066725F . |FF53 24    CALL DWORD PTR DS:[EBX+24]             ;  ks.00408C8A
;这个CALL 408C8A还要监测
00667262 . |66:39BD 8CFEF>CMP WORD PTR SS:[EBP-174],DI
00667269 . |74 10       JE SHORT ks.0066727B
0066726B . |C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00667272 . |EB 07       JMP SHORT ks.0066727B
00667274 . |C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
0066727B > \FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00667281 .  68 0A736600 PUSH ks.0066730A
00667286 .  EB 60       JMP SHORT ks.006672E8
00667288 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066728B .  51          PUSH ECX

刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"
-------------------------------------------------------------------------------
▲文件:0-667400.txt
-------------------------------------------------------------------------------
0066725F . |FF53 24    CALL DWORD PTR DS:[EBX+24]             ;  ks.00408C8A调用一下代码:
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"

00667400 > \55          PUSH EBP
00667401 .  8BEC       MOV EBP,ESP
00667403 .  83EC 08    SUB ESP,8
00667406 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0066740B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00667411 .  50          PUSH EAX
00667412 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00667419 .  83EC 58    SUB ESP,58
0066741C .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066741F .  53          PUSH EBX
00667420 .  56          PUSH ESI
00667421 .  57          PUSH EDI
00667422 .  33C0       XOR EAX,EAX
00667424 .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
00667427 .  8965 F8    MOV DWORD PTR SS:[EBP-8],ESP
0066742A .  C745 FC 30744>MOV DWORD PTR SS:[EBP-4],ks.00407430
00667431 .  8945 E8    MOV DWORD PTR SS:[EBP-18],EAX
00667434 .  8945 E4    MOV DWORD PTR SS:[EBP-1C],EAX
00667437 .  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
0066743A .  8945 C4    MOV DWORD PTR SS:[EBP-3C],EAX
0066743D .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
00667440 .  8945 A0    MOV DWORD PTR SS:[EBP-60],EAX
00667443 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00667449 .  8B3D E4B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.#632>]  ;  MSVBVM50.rtcMidCharVar
0066744F .  8D45 E8    LEA EAX,DWORD PTR SS:[EBP-18]
00667452 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00667455 .  8945 BC    MOV DWORD PTR SS:[EBP-44],EAX
00667458 .  51          PUSH ECX
00667459 .  8D55 B4    LEA EDX,DWORD PTR SS:[EBP-4C]
0066745C .  6A 01       PUSH 1
0066745E .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00667461 .  52          PUSH EDX
00667462 .  50          PUSH EAX
00667463 .  C745 EC FFFFF>MOV DWORD PTR SS:[EBP-14],-1
0066746A .  C745 DC 01000>MOV DWORD PTR SS:[EBP-24],1
00667471 .  C745 D4 02000>MOV DWORD PTR SS:[EBP-2C],2
00667478 .  C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
0066747F .  FFD7       CALL EDI                               ;  <&MSVBVM50.#632>
;取加密串"011110000M4JV10H8MYYXXXXX64C4D"中的"0"
00667481 .  8B1D DCB56800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrVarVal
00667487 .  8B75 08    MOV ESI,DWORD PTR SS:[EBP+8]
0066748A .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0066748D .  8D55 E4    LEA EDX,DWORD PTR SS:[EBP-1C]
00667490 .  51          PUSH ECX
00667491 .  52          PUSH EDX
00667492 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrVarVal>
00667494 .  50          PUSH EAX
00667495 .  FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ;  MSVBVM50.rtcAnsiValueBstr
;转换"0"为30h
0066749B .  66:2D 4600 SUB AX,46
;减去46h
0066749F .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
006674A2 .  0F80 17020000 JO ks.006676BF
006674A8 .  66:8946 34 MOV WORD PTR DS:[ESI+34],AX
006674AC .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006674B2 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
006674B5 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006674B8 .  50          PUSH EAX
006674B9 .  51          PUSH ECX
006674BA .  6A 02       PUSH 2
006674BC .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006674C2 .  83C4 0C    ADD ESP,0C
006674C5 .  8D55 E8    LEA EDX,DWORD PTR SS:[EBP-18]
006674C8 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006674CB .  B8 02000000 MOV EAX,2
006674D0 .  8955 BC    MOV DWORD PTR SS:[EBP-44],EDX
006674D3 .  51          PUSH ECX
006674D4 .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
006674D7 .  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
006674DA .  50          PUSH EAX
006674DB .  8D55 B4    LEA EDX,DWORD PTR SS:[EBP-4C]
006674DE .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
006674E1 .  52          PUSH EDX
006674E2 .  50          PUSH EAX
006674E3 .  C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
006674EA .  FFD7       CALL EDI
;取"011110000M4JV10H8MYYXXXXX64C4D" MID(,2,2)得"11"
006674EC .  8B0E       MOV ECX,DWORD PTR DS:[ESI]
006674EE .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
006674F1 .  50          PUSH EAX
006674F2 .  8B51 34    MOV EDX,DWORD PTR DS:[ECX+34]
006674F5 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006674F8 .  8955 98    MOV DWORD PTR SS:[EBP-68],EDX
006674FB .  8D55 E4    LEA EDX,DWORD PTR SS:[EBP-1C]
006674FE .  51          PUSH ECX
006674FF .  52          PUSH EDX
00667500 .  FFD3       CALL EBX
00667502 .  50          PUSH EAX
00667503 .  56          PUSH ESI
00667504 .  FF55 98    CALL DWORD PTR SS:[EBP-68]
;复杂计算CALL,处理"11"
;其实也是调用668130像处理"04","61"一样计算校验码.
00667507 .  66:8B45 A0 MOV AX,WORD PTR SS:[EBP-60]
0066750B .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
0066750E .  66:8946 36 MOV WORD PTR DS:[ESI+36],AX ;保存计算"11"得到的校验码25h(37)到174556
00667512 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00667518 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0066751B .  8D55 D4    LEA EDX,DWORD PTR SS:[EBP-2C]
0066751E .  51          PUSH ECX
0066751F .  52          PUSH EDX
00667520 .  6A 02       PUSH 2
00667522 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00667528 .  B8 02000000 MOV EAX,2
0066752D .  83C4 0C    ADD ESP,0C
00667530 .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
00667533 .  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
00667536 .  8D45 E8    LEA EAX,DWORD PTR SS:[EBP-18]
00667539 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066753C .  8945 BC    MOV DWORD PTR SS:[EBP-44],EAX
0066753F .  51          PUSH ECX
00667540 .  8D55 B4    LEA EDX,DWORD PTR SS:[EBP-4C]
00667543 .  6A 04       PUSH 4
00667545 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00667548 .  52          PUSH EDX
00667549 .  50          PUSH EAX
0066754A .  C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
00667551 .  FFD7       CALL EDI
;取"011110000M4JV10H8MYYXXXXX64C4D" MID(,4,2)得下一个"11"
00667553 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00667556 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667559 .  51          PUSH ECX
0066755A .  8D45 E4    LEA EAX,DWORD PTR SS:[EBP-1C]
0066755D .  52          PUSH EDX
0066755E .  50          PUSH EAX
0066755F .  FFD3       CALL EBX
00667561 .  50          PUSH EAX
00667562 .  56          PUSH ESI
00667563 .  FF55 98    CALL DWORD PTR SS:[EBP-68]
;计算另一个"11"的校验码,25h
00667566 .  66:8B4D A0 MOV CX,WORD PTR SS:[EBP-60]
0066756A .  66:894E 38 MOV WORD PTR DS:[ESI+38],CX
;25h入CX后保存到174558
0066756E .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
00667571 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00667577 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066757A .  8D45 D4    LEA EAX,DWORD PTR SS:[EBP-2C]
0066757D .  52          PUSH EDX
0066757E .  50          PUSH EAX
0066757F .  6A 02       PUSH 2
00667581 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00667587 .  83C4 0C    ADD ESP,0C
0066758A .  B8 02000000 MOV EAX,2
0066758F .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
00667592 .  8D55 D4    LEA EDX,DWORD PTR SS:[EBP-2C]
00667595 .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
00667598 .  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
0066759B .  894D BC    MOV DWORD PTR SS:[EBP-44],ECX
0066759E .  52          PUSH EDX
0066759F .  8D45 B4    LEA EAX,DWORD PTR SS:[EBP-4C]
006675A2 .  6A 06       PUSH 6
006675A4 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006675A7 .  50          PUSH EAX
006675A8 .  51          PUSH ECX
006675A9 .  C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
006675B0 .  FFD7       CALL EDI
;取"0 11 11 00 00M4JV10H8MYYXXXXX64C4D" MID(,6,2)得下一个"00"
006675B2 .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
006675B5 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
006675B8 .  52          PUSH EDX
006675B9 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
006675BC .  50          PUSH EAX
006675BD .  51          PUSH ECX
006675BE .  FFD3       CALL EBX
006675C0 .  50          PUSH EAX
006675C1 .  56          PUSH ESI
006675C2 .  FF55 98    CALL DWORD PTR SS:[EBP-68] ;计算"00"校验码得0h
006675C5 .  66:8B55 A0 MOV DX,WORD PTR SS:[EBP-60]
006675C9 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
006675CC .  66:8956 3A MOV WORD PTR DS:[ESI+3A],DX ;保存到17455A
006675D0 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006675D6 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
006675D9 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006675DC .  50          PUSH EAX
006675DD .  51          PUSH ECX
006675DE .  6A 02       PUSH 2
006675E0 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006675E6 .  B8 02000000 MOV EAX,2
006675EB .  83C4 0C    ADD ESP,0C
006675EE .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
006675F1 .  8945 D4    MOV DWORD PTR SS:[EBP-2C],EAX
006675F4 .  8D55 E8    LEA EDX,DWORD PTR SS:[EBP-18]
006675F7 .  8D45 D4    LEA EAX,DWORD PTR SS:[EBP-2C]
006675FA .  8955 BC    MOV DWORD PTR SS:[EBP-44],EDX
006675FD .  50          PUSH EAX
006675FE .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
00667601 .  6A 08       PUSH 8
00667603 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667606 .  51          PUSH ECX
00667607 .  52          PUSH EDX
00667608 .  C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
0066760F .  FFD7       CALL EDI
;取"0 11 11 00 00 M4JV10H8MYYXXXXX64C4D" MID(,8,2)得下一个"00"
00667611 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00667614 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00667617 .  50          PUSH EAX
00667618 .  8D55 E4    LEA EDX,DWORD PTR SS:[EBP-1C]
0066761B .  51          PUSH ECX
0066761C .  52          PUSH EDX
0066761D .  FFD3       CALL EBX
0066761F .  50          PUSH EAX
00667620 .  56          PUSH ESI
00667621 .  FF55 98    CALL DWORD PTR SS:[EBP-68] ;计算"00"校验码得0h
00667624 .  66:8B45 A0 MOV AX,WORD PTR SS:[EBP-60]
00667628 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
0066762B .  66:8946 3C MOV WORD PTR DS:[ESI+3C],AX ;保存到17455C
0066762F .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00667635 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00667638 .  8D55 D4    LEA EDX,DWORD PTR SS:[EBP-2C]
0066763B .  51          PUSH ECX
0066763C .  52          PUSH EDX
0066763D .  6A 02       PUSH 2
0066763F .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00667645 .  B8 01000000 MOV EAX,1
0066764A .  83C4 0C    ADD ESP,0C
;加密字符表"0 11 11 00 00 M4JV10H8MYYXXXXX64C4D"
;位置       0  1  2  3  4
;01111 0000M 4JV10 H8MYY XXXXX 64C4D
;^最小是"G"=47h
;H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
;    ^最小也要是"I"=49h,49h-2=47h,47h-46h=1h才行
;    2323就可以使3,4处通过
;H8G80-BBBBB-CCQ2L-23XL6-O2323-3434I这个激活码得到校验为"078048"
;078=2*36+6 "26"
;048=1*36+12 "1C"
;"261C"asc码加4"605G",反过来"G506"
;得到激活码"G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
;但是提示"无法激活产品,请检查是否有此科目的激活码"
;看来还有检测
0066764D .  66:3946 34 CMP WORD PTR DS:[ESI+34],AX ;刚刚第一个"0" 30h-46h算得的EAh和1(AX)比
00667651 .  7C 18       JL SHORT ks.0066766B ;这个好像都不可以跳,计算结果不能小于1
00667653 .  66:3946 36 CMP WORD PTR DS:[ESI+36],AX ;[174556]=25h 第1个"11"的校验码
00667657 .  7C 12       JL SHORT ks.0066766B ;校验计算结果不能小于1
00667659 .  66:3946 38 CMP WORD PTR DS:[ESI+38],AX ;[174558]=25h 第2个"11"的校验码
0066765D .  7C 0C       JL SHORT ks.0066766B ;校验计算结果不能小于1
0066765F .  66:3946 3A CMP WORD PTR DS:[ESI+3A],AX ;[17455A]=00h 第3个"00"的校验码
00667663 .  7C 06       JL SHORT ks.0066766B ;校验计算结果不能小于1
00667665 .  66:3946 3C CMP WORD PTR DS:[ESI+3C],AX ;[17455c]=00h 第4个"00"的校验码
00667669 .  7D 07       JGE SHORT ks.00667672 ;好像必须要跳了,校验计算结果不能小于1
0066766B >  C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00667672 >  68 A0766600 PUSH ks.006676A0
00667677 .  EB 1D       JMP SHORT ks.00667696
00667679 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
0066767C .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00667682 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00667685 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00667688 .  50          PUSH EAX
00667689 .  51          PUSH ECX
0066768A .  6A 02       PUSH 2
0066768C .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00667692 .  83C4 0C    ADD ESP,0C
00667695 .  C3          RETN
00667696 >  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
00667699 .- FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>;  MSVBVM50.__vbaFreeStr
0066769F .  C3          RETN
006676A0 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006676A3 .  66:8B45 EC MOV AX,WORD PTR SS:[EBP-14]
006676A7 .  8B4D F0    MOV ECX,DWORD PTR SS:[EBP-10]
006676AA .  5F          POP EDI
006676AB .  66:8902    MOV WORD PTR DS:[EDX],AX
006676AE .  5E          POP ESI
006676AF .  33C0       XOR EAX,EAX
006676B1 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
006676B8 .  5B          POP EBX
006676B9 .  8BE5       MOV ESP,EBP
006676BB .  5D          POP EBP
006676BC .  C2 0C00    RETN 0C
006676BF >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
006676C5 .  90          NOP
006676C6 .  90          NOP
006676C7 .  90          NOP
-------------------------------------------------------------------------------
▲文件:0-6793B0.txt
-------------------------------------------------------------------------------
006793B0 > \55          PUSH EBP
006793B1 .  8BEC       MOV EBP,ESP
006793B3 .  83EC 08    SUB ESP,8
006793B6 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
006793BB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
006793C1 .  50          PUSH EAX
006793C2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
006793C9 .  81EC D0000000 SUB ESP,0D0
006793CF .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006793D2 .  53          PUSH EBX
006793D3 .  56          PUSH ESI
006793D4 .  57          PUSH EDI
006793D5 .  33DB       XOR EBX,EBX
006793D7 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
006793DA .  8965 F8    MOV DWORD PTR SS:[EBP-8],ESP
006793DD .  C745 FC 487F4>MOV DWORD PTR SS:[EBP-4],ks.00407F48
006793E4 .  895D EC    MOV DWORD PTR SS:[EBP-14],EBX
006793E7 .  895D E8    MOV DWORD PTR SS:[EBP-18],EBX
006793EA .  895D E4    MOV DWORD PTR SS:[EBP-1C],EBX
006793ED .  895D E0    MOV DWORD PTR SS:[EBP-20],EBX
006793F0 .  895D DC    MOV DWORD PTR SS:[EBP-24],EBX
006793F3 .  895D D8    MOV DWORD PTR SS:[EBP-28],EBX
006793F6 .  895D D4    MOV DWORD PTR SS:[EBP-2C],EBX
006793F9 .  895D D0    MOV DWORD PTR SS:[EBP-30],EBX
006793FC .  895D CC    MOV DWORD PTR SS:[EBP-34],EBX
006793FF .  895D C8    MOV DWORD PTR SS:[EBP-38],EBX
00679402 .  895D C4    MOV DWORD PTR SS:[EBP-3C],EBX
00679405 .  895D C0    MOV DWORD PTR SS:[EBP-40],EBX
00679408 .  895D BC    MOV DWORD PTR SS:[EBP-44],EBX
0067940B .  895D AC    MOV DWORD PTR SS:[EBP-54],EBX
0067940E .  895D 9C    MOV DWORD PTR SS:[EBP-64],EBX
00679411 .  895D 8C    MOV DWORD PTR SS:[EBP-74],EBX
00679414 .  899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
0067941A .  899D 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EBX
00679420 .  899D 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EBX
00679426 .  899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
0067942C .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00679432 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
00679435 .  3BC3       CMP EAX,EBX
00679437 .  75 12       JNZ SHORT ks.0067944B
00679439 .  8D45 CC    LEA EAX,DWORD PTR SS:[EBP-34]
0067943C .  50          PUSH EAX
0067943D .  68 D0924000 PUSH ks.004092D0
00679442 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
00679448 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
0067944B >  8B08       MOV ECX,DWORD PTR DS:[EAX]
0067944D .  8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00679453 .  52          PUSH EDX
00679454 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00679457 .  52          PUSH EDX
00679458 .  8B55 E4    MOV EDX,DWORD PTR SS:[EBP-1C]
0067945B .  52          PUSH EDX
0067945C .  50          PUSH EAX
0067945D .  8BF0       MOV ESI,EAX
0067945F .  FF51 30    CALL DWORD PTR DS:[ECX+30]
00679462 .  3BC3       CMP EAX,EBX
00679464 .  7D 13       JGE SHORT ks.00679479
00679466 .  8B3D 40B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaHr>;  MSVBVM50.__vbaHresultCheckObj
0067946C .  6A 30       PUSH 30
0067946E .  68 C4E94100 PUSH ks.0041E9C4
00679473 .  56          PUSH ESI
00679474 .  50          PUSH EAX
00679475 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaHresultCheckObj>
00679477 .  EB 06       JMP SHORT ks.0067947F
00679479 >  8B3D 40B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaHr>;  MSVBVM50.__vbaHresultCheckObj
0067947F >  66:399D 38FFF>CMP WORD PTR SS:[EBP-C8],BX
00679486 .  0F85 D9020000 JNZ ks.00679765
0067948C .  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0067948F .  3BC3       CMP EAX,EBX
00679491 .  75 12       JNZ SHORT ks.006794A5
00679493 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00679496 .  50          PUSH EAX
00679497 .  68 F88C4000 PUSH ks.00408CF8
0067949C .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
006794A2 .  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
006794A5 >  8B08       MOV ECX,DWORD PTR DS:[EAX]
006794A7 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
006794AA .  52          PUSH EDX
006794AB .  50          PUSH EAX
006794AC .  8BF0       MOV ESI,EAX
006794AE .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]
;很复杂的CALL,好像使取硬盘序列号,还有其他操作,好像还比较msjet.ini中的内容
006794B1 .  3BC3       CMP EAX,EBX
006794B3 .  7D 0B       JGE SHORT ks.006794C0
006794B5 .  6A 1C       PUSH 1C
006794B7 .  68 D4874200 PUSH ks.004287D4
006794BC .  56          PUSH ESI
006794BD .  50          PUSH EAX
006794BE .  FFD7       CALL EDI
006794C0 >  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
006794C3 .  3BC3       CMP EAX,EBX
006794C5 .  75 12       JNZ SHORT ks.006794D9
006794C7 .  8D45 EC    LEA EAX,DWORD PTR SS:[EBP-14]
006794CA .  50          PUSH EAX
006794CB .  68 748B4000 PUSH ks.00408B74
006794D0 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
006794D6 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
006794D9 >  8B08       MOV ECX,DWORD PTR DS:[EAX]
006794DB .  8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
006794E1 .  52          PUSH EDX
006794E2 .  8B55 E4    MOV EDX,DWORD PTR SS:[EBP-1C]
006794E5 .  52          PUSH EDX
006794E6 .  8B55 C4    MOV EDX,DWORD PTR SS:[EBP-3C]
006794E9 .  52          PUSH EDX
006794EA .  50          PUSH EAX
006794EB .  8BF0       MOV ESI,EAX
006794ED .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]
;这个CALL会调用计算校验码,并比较的部分
006794F0 .  3BC3       CMP EAX,EBX
006794F2 .  7D 0B       JGE SHORT ks.006794FF
006794F4 .  6A 1C       PUSH 1C
006794F6 .  68 00874200 PUSH ks.00428700
006794FB .  56          PUSH ESI
006794FC .  50          PUSH EAX
006794FD .  FFD7       CALL EDI
006794FF >  33C0       XOR EAX,EAX
00679501 .  66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679509 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0067950C .  0F94C0       SETE AL
0067950F .  F7D8       NEG EAX
00679511 .  8BF0       MOV ESI,EAX
00679513 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00679519 .  66:3BF3    CMP SI,BX
0067951C .  0F84 B6010000 JE ks.006796D8                         ;  no jmp
00679522 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
00679525 .  3BC3       CMP EAX,EBX
00679527 .  75 12       JNZ SHORT ks.0067953B
00679529 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
0067952C .  51          PUSH ECX
0067952D .  68 748B4000 PUSH ks.00408B74
00679532 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
00679538 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
0067953B >  8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
00679541 .  8B10       MOV EDX,DWORD PTR DS:[EAX]
00679543 .  51          PUSH ECX
00679544 .  8D4D E0    LEA ECX,DWORD PTR SS:[EBP-20]
00679547 .  51          PUSH ECX
00679548 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0067954B .  51          PUSH ECX
0067954C .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
0067954F .  51          PUSH ECX
00679550 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
00679553 .  51          PUSH ECX
00679554 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00679557 .  51          PUSH ECX
00679558 .  50          PUSH EAX
00679559 .  8BF0       MOV ESI,EAX
0067955B .  FF52 20    CALL DWORD PTR DS:[EDX+20]
0067955E .  3BC3       CMP EAX,EBX
00679560 .  7D 0B       JGE SHORT ks.0067956D
00679562 .  6A 20       PUSH 20
00679564 .  68 00874200 PUSH ks.00428700
00679569 .  56          PUSH ESI
0067956A .  50          PUSH EAX
0067956B .  FFD7       CALL EDI
0067956D >  66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 .  0F85 7D020000 JNZ ks.006797F8
0067957B .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F .  66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 .  0F85 C2000000 JNZ ks.0067964B                         ;  no jmp
00679589 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
0067958C .  50          PUSH EAX
0067958D .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
00679593 .  8B7D CC    MOV EDI,DWORD PTR SS:[EBP-34]
00679596 .  3BFB       CMP EDI,EBX
00679598 .  75 12       JNZ SHORT ks.006795AC
0067959A .  8D4D CC    LEA ECX,DWORD PTR SS:[EBP-34]
0067959D .  51          PUSH ECX
0067959E .  68 D0924000 PUSH ks.004092D0
006795A3 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
006795A9 .  8B7D CC    MOV EDI,DWORD PTR SS:[EBP-34]
006795AC >  8B45 E4    MOV EAX,DWORD PTR SS:[EBP-1C]
006795AF .  8B4D D4    MOV ECX,DWORD PTR SS:[EBP-2C]
006795B2 .  8B1F       MOV EBX,DWORD PTR DS:[EDI]
006795B4 .  8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
006795BA .  52          PUSH EDX
006795BB .  50          PUSH EAX
006795BC .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
006795BF .  51          PUSH ECX
006795C0 .  52          PUSH EDX
006795C1 .  FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>;  MSVBVM50.__vbaStrErrVarCopy
006795C7 .  8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
006795CD .  8BD0       MOV EDX,EAX
006795CF .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
006795D2 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaStrMove>
006795D4 .  50          PUSH EAX
006795D5 .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
006795D8 .  50          PUSH EAX
006795D9 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
006795DF .  8BD0       MOV EDX,EAX
006795E1 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
006795E4 .  FFD6       CALL ESI
006795E6 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
006795E9 .  50          PUSH EAX
006795EA .  51          PUSH ECX
006795EB .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
006795F1 .  8BD0       MOV EDX,EAX
006795F3 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006795F6 .  FFD6       CALL ESI
006795F8 .  50          PUSH EAX
006795F9 .  57          PUSH EDI
006795FA .  FF53 28    CALL DWORD PTR DS:[EBX+28] ;写入注册表,INI
006795FD .  85C0       TEST EAX,EAX
006795FF .  7D 0F       JGE SHORT ks.00679610
00679601 .  6A 28       PUSH 28
00679603 .  68 C4E94100 PUSH ks.0041E9C4
00679608 .  57          PUSH EDI
00679609 .  50          PUSH EAX
0067960A .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00679610 >  8D55 BC    LEA EDX,DWORD PTR SS:[EBP-44]
00679613 .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
00679616 .  52          PUSH EDX
00679617 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0067961A .  50          PUSH EAX
0067961B .  51          PUSH ECX
0067961C .  6A 03       PUSH 3
0067961E .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00679624 .  83C4 10    ADD ESP,10
00679627 .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
0067962A .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
0067962D .  52          PUSH EDX
0067962E .  50          PUSH EAX
0067962F .  6A 02       PUSH 2
00679631 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00679637 .  83C4 0C    ADD ESP,0C
0067963A .  C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00679641 .  68 54986700 PUSH ks.00679854
00679646 .  E9 EA010000 JMP ks.00679835
0067964B >  8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarDup
00679651 .  B9 04000280 MOV ECX,80020004
00679656 .  894D 84    MOV DWORD PTR SS:[EBP-7C],ECX
00679659 .  B8 0A000000 MOV EAX,0A
0067965E .  894D 94    MOV DWORD PTR SS:[EBP-6C],ECX
00679661 .  BE 08000000 MOV ESI,8
00679666 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0067966C .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
0067966F .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00679675 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
00679678 .  C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
00679682 .  89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00679688 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaVarDup>
0067968A .  8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00679690 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00679693 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.00429280
0067969D .  89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
006796A3 .  FFD7       CALL EDI
006796A5 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
006796AB .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
006796AE .  51          PUSH ECX
006796AF .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
006796B2 .  52          PUSH EDX
006796B3 .  50          PUSH EAX
006796B4 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
006796B7 .  6A 30       PUSH 30
006796B9 .  51          PUSH ECX
006796BA .  FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>]    ;  MSVBVM50.rtcMsgBox
006796C0 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
006796C6 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
006796C9 .  52          PUSH EDX
006796CA .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
006796CD .  50          PUSH EAX
006796CE .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
006796D1 .  51          PUSH ECX
006796D2 .  52          PUSH EDX
006796D3 .  E9 15010000 JMP ks.006797ED
006796D8 >  8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarDup
006796DE .  B9 04000280 MOV ECX,80020004
006796E3 .  894D 84    MOV DWORD PTR SS:[EBP-7C],ECX
006796E6 .  B8 0A000000 MOV EAX,0A
006796EB .  894D 94    MOV DWORD PTR SS:[EBP-6C],ECX
006796EE .  BE 08000000 MOV ESI,8
006796F3 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
006796F9 .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
006796FC .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00679702 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
00679705 .  C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
0067970F .  89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00679715 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaVarDup>
00679717 .  8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
0067971D .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00679720 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.004292B0 ;  UNICODE "ActKeyError.zzh"
0067972A .  89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
00679730 .  FFD7       CALL EDI
00679732 .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00679738 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0067973B .  50          PUSH EAX
0067973C .  8D55 9C    LEA EDX,DWORD PTR SS:[EBP-64]
0067973F .  51          PUSH ECX
00679740 .  52          PUSH EDX
00679741 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
00679744 .  6A 30       PUSH 30
00679746 .  50          PUSH EAX
00679747 .  FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>]    ;  MSVBVM50.rtcMsgBox
0067974D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00679753 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
00679756 .  51          PUSH ECX
00679757 .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
0067975A .  52          PUSH EDX
0067975B .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0067975E .  50          PUSH EAX
0067975F .  51          PUSH ECX
00679760 .  E9 88000000 JMP ks.006797ED
00679765 >  8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarDup
0067976B .  B9 04000280 MOV ECX,80020004
00679770 .  894D 84    MOV DWORD PTR SS:[EBP-7C],ECX
00679773 .  B8 0A000000 MOV EAX,0A
00679778 .  894D 94    MOV DWORD PTR SS:[EBP-6C],ECX
0067977B .  BE 08000000 MOV ESI,8
00679780 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00679786 .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
00679789 .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0067978F .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
00679792 .  C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
0067979C .  89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
006797A2 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaVarDup>
006797A4 .  8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
006797AA .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
006797AD .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.004292DC ;  UNICODE "KeyIs used!zzh"
006797B7 .  89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
006797BD .  FFD7       CALL EDI
006797BF .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
006797C5 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
006797C8 .  52          PUSH EDX
006797C9 .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
006797CC .  50          PUSH EAX
006797CD .  51          PUSH ECX
006797CE .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
006797D1 .  6A 30       PUSH 30
006797D3 .  52          PUSH EDX
006797D4 .  FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>]    ;  MSVBVM50.rtcMsgBox
006797DA .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
006797E0 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
006797E3 .  50          PUSH EAX
006797E4 .  8D55 9C    LEA EDX,DWORD PTR SS:[EBP-64]
006797E7 .  51          PUSH ECX
006797E8 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
006797EB .  52          PUSH EDX
006797EC .  50          PUSH EAX
006797ED >  6A 04       PUSH 4
006797EF .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006797F5 .  83C4 14    ADD ESP,14
006797F8 >  68 54986700 PUSH ks.00679854
006797FD .  EB 36       JMP SHORT ks.00679835
006797FF .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00679802 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
00679805 .  51          PUSH ECX
00679806 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00679809 .  52          PUSH EDX
0067980A .  50          PUSH EAX
0067980B .  6A 03       PUSH 3
0067980D .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00679813 .  83C4 10    ADD ESP,10
00679816 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0067981C .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0067981F .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
00679822 .  51          PUSH ECX
00679823 .  52          PUSH EDX
00679824 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00679827 .  50          PUSH EAX
00679828 .  51          PUSH ECX
00679829 .  6A 04       PUSH 4
0067982B .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00679831 .  83C4 14    ADD ESP,14
00679834 .  C3          RETN
00679835 >  8B35 14B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeObj
0067983B .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
0067983E .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeObj>
00679840 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
00679843 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00679849 .  8D4D CC    LEA ECX,DWORD PTR SS:[EBP-34]
0067984C .  FFD6       CALL ESI
0067984E .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00679851 .  FFE6       JMP ESI
00679853 .  C3          RETN
00679854 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
00679857 .  66:8B45 D8 MOV AX,WORD PTR SS:[EBP-28]
0067985B .  8B4D F0    MOV ECX,DWORD PTR SS:[EBP-10]
0067985E .  5F          POP EDI
0067985F .  66:8902    MOV WORD PTR DS:[EDX],AX
00679862 .  5E          POP ESI
00679863 .  33C0       XOR EAX,EAX
00679865 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0067986C .  5B          POP EBX
0067986D .  8BE5       MOV ESP,EBP
0067986F .  5D          POP EBP
00679870 .  C2 1000    RETN 10
-------------------------------------------------------------------------------
▲文件:0-66A9A0.txt
-------------------------------------------------------------------------------
0066A9A0 > \55          PUSH EBP
0066A9A1 .  8BEC       MOV EBP,ESP
0066A9A3 .  83EC 14    SUB ESP,14
0066A9A6 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0066A9AB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0066A9B1 .  50          PUSH EAX
0066A9B2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
0066A9B9 .  81EC F8000000 SUB ESP,0F8
0066A9BF .  53          PUSH EBX
0066A9C0 .  56          PUSH ESI
0066A9C1 .  57          PUSH EDI
0066A9C2 .  8965 EC    MOV DWORD PTR SS:[EBP-14],ESP
0066A9C5 .  C745 F0 F0764>MOV DWORD PTR SS:[EBP-10],ks.004076F0
0066A9CC .  33DB       XOR EBX,EBX
0066A9CE .  895D F4    MOV DWORD PTR SS:[EBP-C],EBX
0066A9D1 .  895D F8    MOV DWORD PTR SS:[EBP-8],EBX
0066A9D4 .  8B7D 08    MOV EDI,DWORD PTR SS:[EBP+8]
0066A9D7 .  8B37       MOV ESI,DWORD PTR DS:[EDI]
0066A9D9 .  57          PUSH EDI
0066A9DA .  FF56 04    CALL DWORD PTR DS:[ESI+4]
0066A9DD .  895D DC    MOV DWORD PTR SS:[EBP-24],EBX
0066A9E0 .  895D D8    MOV DWORD PTR SS:[EBP-28],EBX
0066A9E3 .  895D D4    MOV DWORD PTR SS:[EBP-2C],EBX
0066A9E6 .  895D D0    MOV DWORD PTR SS:[EBP-30],EBX
0066A9E9 .  895D CC    MOV DWORD PTR SS:[EBP-34],EBX
0066A9EC .  895D C8    MOV DWORD PTR SS:[EBP-38],EBX
0066A9EF .  895D C4    MOV DWORD PTR SS:[EBP-3C],EBX
0066A9F2 .  895D C0    MOV DWORD PTR SS:[EBP-40],EBX
0066A9F5 .  895D BC    MOV DWORD PTR SS:[EBP-44],EBX
0066A9F8 .  895D B8    MOV DWORD PTR SS:[EBP-48],EBX
0066A9FB .  895D B0    MOV DWORD PTR SS:[EBP-50],EBX
0066A9FE .  895D AC    MOV DWORD PTR SS:[EBP-54],EBX
0066AA01 .  895D 90    MOV DWORD PTR SS:[EBP-70],EBX
0066AA04 .  895D 88    MOV DWORD PTR SS:[EBP-78],EBX
0066AA07 .  895D 84    MOV DWORD PTR SS:[EBP-7C],EBX
0066AA0A .  895D 80    MOV DWORD PTR SS:[EBP-80],EBX
0066AA0D .  899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
0066AA13 .  899D 78FFFFFF MOV DWORD PTR SS:[EBP-88],EBX
0066AA19 .  899D 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EBX
0066AA1F .  899D 70FFFFFF MOV DWORD PTR SS:[EBP-90],EBX
0066AA25 .  899D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EBX
0066AA2B .  899D 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EBX
0066AA31 .  899D 40FFFFFF MOV DWORD PTR SS:[EBP-C0],EBX
0066AA37 .  899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EBX
0066AA3D .  899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
0066AA43 .  68 3C894200 PUSH ks.0042893C
0066AA48 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066AA4B .  50          PUSH EAX
0066AA4C .  FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>;  MSVBVM50.__vbaAryConstruct
0066AA52 .  C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066AA59 .  6A 01       PUSH 1
0066AA5B .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
0066AA61 .  BA 64874200 MOV EDX,ks.00428764                   ;  UNICODE "userflag"
0066AA66 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AA69 .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
0066AA6F .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrCopy>
0066AA71 .  8B4E 40    MOV ECX,DWORD PTR DS:[ESI+40]
0066AA74 .  898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX
0066AA7A .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066AA7D .  52          PUSH EDX
0066AA7E .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066AA81 .  50          PUSH EAX
0066AA82 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
0066AA85 .  51          PUSH ECX
0066AA86 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AA8C .  8BD0       MOV EDX,EAX
0066AA8E .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AA91 .  8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
0066AA97 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaStrMove>
0066AA99 .  50          PUSH EAX
0066AA9A .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AA9F .  68 02000080 PUSH 80000002
0066AAA4 .  57          PUSH EDI
0066AAA5 .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AAAB .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AAAE .  C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AAB5 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066AAB8 .  FFD6       CALL ESI
0066AABA .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066AABD .  52          PUSH EDX
0066AABE .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066AAC1 .  50          PUSH EAX
0066AAC2 .  6A 02       PUSH 2
0066AAC4 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AACA .  83C4 0C    ADD ESP,0C
0066AACD .  8B4D C0    MOV ECX,DWORD PTR SS:[EBP-40]
0066AAD0 .  51          PUSH ECX
0066AAD1 .  68 A4B44100 PUSH ks.0041B4A4
0066AAD6 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AADC .  85C0       TEST EAX,EAX
0066AADE .  0F85 B2000000 JNZ ks.0066AB96
0066AAE4 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AAE7 .  52          PUSH EDX
0066AAE8 .  57          PUSH EDI
0066AAE9 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AAEB .  FF50 50    CALL DWORD PTR DS:[EAX+50]
0066AAEE .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],5
0066AAF8 .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AAFE .  50          PUSH EAX
0066AAFF .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AB05 .  51          PUSH ECX
0066AB06 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AB09 .  52          PUSH EDX
0066AB0A .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AB0F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB15 .  8BD0       MOV EDX,EAX
0066AB17 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB1A .  FFD6       CALL ESI
0066AB1C .  50          PUSH EAX
0066AB1D .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066AB20 .  50          PUSH EAX
0066AB21 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AB27 .  8BD0       MOV EDX,EAX
0066AB29 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AB2C .  FFD6       CALL ESI
0066AB2E .  50          PUSH EAX
0066AB2F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB35 .  8BD0       MOV EDX,EAX
0066AB37 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AB3D .  FFD6       CALL ESI
0066AB3F .  50          PUSH EAX
0066AB40 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AB45 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB4B .  8BD0       MOV EDX,EAX
0066AB4D .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB53 .  FFD6       CALL ESI
0066AB55 .  50          PUSH EAX
0066AB56 .  57          PUSH EDI
0066AB57 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AB59 .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
0066AB5C .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066AB62 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066AB6C .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066AB6F .  FFD6       CALL ESI
0066AB71 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB77 .  51          PUSH ECX
0066AB78 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066AB7E .  52          PUSH EDX
0066AB7F .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AB82 .  50          PUSH EAX
0066AB83 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB86 .  51          PUSH ECX
0066AB87 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AB8A .  52          PUSH EDX
0066AB8B .  6A 05       PUSH 5
0066AB8D .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AB93 .  83C4 18    ADD ESP,18
0066AB96 >  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AB98 .  8B40 60    MOV EAX,DWORD PTR DS:[EAX+60]
0066AB9B .  8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0066ABA1 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ABA4 .  51          PUSH ECX
0066ABA5 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
0066ABA8 .  52          PUSH EDX
0066ABA9 .  57          PUSH EDI
0066ABAA .  FFD0       CALL EAX
0066ABAC .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066ABAF .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066ABB6 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066ABB9 .  FFD6       CALL ESI
0066ABBB .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
0066ABBE .  50          PUSH EAX
0066ABBF .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066ABC5 .  FF15 CCB46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>;  MSVBVM50.__vbaFpR8
0066ABCB .  DC1D 18774000 FCOMP QWORD PTR DS:[407718]
0066ABD1 .  DFE0       FSTSW AX
0066ABD3 .  F6C4 40    TEST AH,40
0066ABD6 .  0F84 C4080000 JE ks.0066B4A0
0066ABDC .  BA B0874200 MOV EDX,ks.004287B0                   ;  UNICODE "userinfo"
0066ABE1 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066ABE4 .  FFD3       CALL EBX
0066ABE6 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066ABE9 .  51          PUSH ECX
0066ABEA .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066ABED .  52          PUSH EDX
0066ABEE .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066ABF1 .  50          PUSH EAX
0066ABF2 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066ABF8 .  8BD0       MOV EDX,EAX
0066ABFA .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ABFD .  FFD6       CALL ESI
0066ABFF .  50          PUSH EAX
0066AC00 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AC05 .  68 02000080 PUSH 80000002
0066AC0A .  57          PUSH EDI
0066AC0B .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AC11 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AC14 .  C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AC1B .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066AC1E .  FFD6       CALL ESI
0066AC20 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC23 .  51          PUSH ECX
0066AC24 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AC27 .  52          PUSH EDX
0066AC28 .  6A 02       PUSH 2
0066AC2A .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AC30 .  83C4 0C    ADD ESP,0C
0066AC33 .  8B45 AC    MOV EAX,DWORD PTR SS:[EBP-54]
0066AC36 .  50          PUSH EAX
0066AC37 .  68 A4B44100 PUSH ks.0041B4A4
0066AC3C .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AC42 .  85C0       TEST EAX,EAX
0066AC44 .  0F85 D1000000 JNZ ks.0066AD1B
0066AC4A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AC4D .  51          PUSH ECX
0066AC4E .  57          PUSH EDI
0066AC4F .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AC51 .  FF50 50    CALL DWORD PTR DS:[EAX+50]
0066AC54 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4
0066AC5E .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066AC64 .  52          PUSH EDX
0066AC65 .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066AC6B .  50          PUSH EAX
0066AC6C .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066AC6F .  51          PUSH ECX
0066AC70 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AC75 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AC7B .  8BD0       MOV EDX,EAX
0066AC7D .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC80 .  FFD6       CALL ESI
0066AC82 .  50          PUSH EAX
0066AC83 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066AC86 .  52          PUSH EDX
0066AC87 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AC8D .  8BD0       MOV EDX,EAX
0066AC8F .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AC92 .  FFD6       CALL ESI
0066AC94 .  50          PUSH EAX
0066AC95 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AC9B .  8BD0       MOV EDX,EAX
0066AC9D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACA3 .  FFD6       CALL ESI
0066ACA5 .  50          PUSH EAX
0066ACA6 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066ACAB .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066ACB1 .  8BD0       MOV EDX,EAX
0066ACB3 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066ACB9 .  FFD6       CALL ESI
0066ACBB .  50          PUSH EAX
0066ACBC .  57          PUSH EDI
0066ACBD .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066ACBF .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
0066ACC2 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066ACC8 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066ACD2 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066ACD5 .  FFD6       CALL ESI
0066ACD7 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066ACDD .  50          PUSH EAX
0066ACDE .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACE4 .  51          PUSH ECX
0066ACE5 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066ACE8 .  52          PUSH EDX
0066ACE9 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066ACEC .  50          PUSH EAX
0066ACED .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ACF0 .  51          PUSH ECX
0066ACF1 .  6A 05       PUSH 5
0066ACF3 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066ACF9 .  83C4 18    ADD ESP,18
0066ACFC .  8B55 AC    MOV EDX,DWORD PTR SS:[EBP-54]
0066ACFF .  52          PUSH EDX
0066AD00 .  68 A4B44100 PUSH ks.0041B4A4
0066AD05 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AD0B .  85C0       TEST EAX,EAX
0066AD0D .  75 0C       JNZ SHORT ks.0066AD1B
0066AD0F .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AD16 .  E9 B2070000 JMP ks.0066B4CD
0066AD1B >  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AD1D .  8B40 68    MOV EAX,DWORD PTR DS:[EAX+68]
0066AD20 .  8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0066AD26 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD2C .  51          PUSH ECX
0066AD2D .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
0066AD30 .  52          PUSH EDX
0066AD31 .  57          PUSH EDI
0066AD32 .  FFD0       CALL EAX
0066AD34 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD3A .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066AD40 .  68 3C044200 PUSH ks.0042043C
0066AD45 .  8D45 DC    LEA EAX,DWORD PTR SS:[EBP-24]
0066AD48 .  50          PUSH EAX
0066AD49 .  8B4D AC    MOV ECX,DWORD PTR SS:[EBP-54]
0066AD4C .  51          PUSH ECX
0066AD4D .  57          PUSH EDI
0066AD4E .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AD50 .  FF50 64    CALL DWORD PTR DS:[EAX+64]
0066AD53 .  8B45 DC    MOV EAX,DWORD PTR SS:[EBP-24]
0066AD56 .  85C0       TEST EAX,EAX
0066AD58 .  74 31       JE SHORT ks.0066AD8B
0066AD5A .  66:8338 01 CMP WORD PTR DS:[EAX],1
0066AD5E .  75 2B       JNZ SHORT ks.0066AD8B
0066AD60 .  50          PUSH EAX
0066AD61 .  6A 01       PUSH 1
0066AD63 .  FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>;  MSVBVM50.__vbaUbound
0066AD69 .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
0066AD6C .  2B41 14    SUB EAX,DWORD PTR DS:[ECX+14]
0066AD6F .  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AD75 .  3B41 10    CMP EAX,DWORD PTR DS:[ECX+10]
0066AD78 .  72 0C       JB SHORT ks.0066AD86
0066AD7A .  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066AD80 .  8B85 34FFFFFF MOV EAX,DWORD PTR SS:[EBP-CC]
0066AD86 >  C1E0 02    SHL EAX,2
0066AD89 .  EB 06       JMP SHORT ks.0066AD91
0066AD8B >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066AD91 >  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066AD94 .  8B4A 0C    MOV ECX,DWORD PTR DS:[EDX+C]
0066AD97 .  8B1401       MOV EDX,DWORD PTR DS:[ECX+EAX]
0066AD9A .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066AD9D .  FFD3       CALL EBX
0066AD9F .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
0066ADA2 .  52          PUSH EDX
0066ADA3 .  68 A4B44100 PUSH ks.0041B4A4
0066ADA8 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066ADAE .  85C0       TEST EAX,EAX
0066ADB0 .  0F84 E1060000 JE ks.0066B497
0066ADB6 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0066ADB9 .  85C0       TEST EAX,EAX
0066ADBB .  75 12       JNZ SHORT ks.0066ADCF
0066ADBD .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
0066ADC0 .  50          PUSH EAX
0066ADC1 .  68 F88C4000 PUSH ks.00408CF8
0066ADC6 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066ADCC .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0066ADCF >  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066ADD5 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066ADD7 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066ADDA .  52          PUSH EDX
0066ADDB .  50          PUSH EAX
0066ADDC .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]
0066ADDF .  85C0       TEST EAX,EAX
0066ADE1 .  7D 15       JGE SHORT ks.0066ADF8
0066ADE3 .  6A 1C       PUSH 1C
0066ADE5 .  68 D4874200 PUSH ks.004287D4
0066ADEA .  8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066ADF0 .  51          PUSH ECX
0066ADF1 .  50          PUSH EAX
0066ADF2 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066ADF8 >  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066ADFB .  85C0       TEST EAX,EAX
0066ADFD .  75 12       JNZ SHORT ks.0066AE11
0066ADFF .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066AE02 .  52          PUSH EDX
0066AE03 .  68 748B4000 PUSH ks.00408B74
0066AE08 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066AE0E .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE11 >  8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066AE17 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066AE19 .  8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE1F .  52          PUSH EDX
0066AE20 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
0066AE23 .  52          PUSH EDX
0066AE24 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AE27 .  52          PUSH EDX
0066AE28 .  50          PUSH EAX
0066AE29 .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]             ;  16e084出现004223
0066AE2C .  85C0       TEST EAX,EAX
0066AE2E .  7D 15       JGE SHORT ks.0066AE45
0066AE30 .  6A 1C       PUSH 1C
0066AE32 .  68 00874200 PUSH ks.00428700
0066AE37 .  8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
0066AE3D .  51          PUSH ECX
0066AE3E .  50          PUSH EAX
0066AE3F .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AE45 >  33D2       XOR EDX,EDX
0066AE47 .  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AE4F .  0F94C2       SETE DL
0066AE52 .  F7DA       NEG EDX
0066AE54 .  8995 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EDX
0066AE5A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AE5D .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066AE63 .  66:83BD 24FFF>CMP WORD PTR SS:[EBP-DC],0
0066AE6B .  0F84 1D060000 JE ks.0066B48E
0066AE71 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE74 .  85C0       TEST EAX,EAX
0066AE76 .  75 12       JNZ SHORT ks.0066AE8A
0066AE78 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
0066AE7B .  50          PUSH EAX
0066AE7C .  68 748B4000 PUSH ks.00408B74
0066AE81 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066AE87 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE8A >  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AE90 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066AE92 .  8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE98 .  52          PUSH EDX
0066AE99 .  8D55 CC    LEA EDX,DWORD PTR SS:[EBP-34]
0066AE9C .  52          PUSH EDX
0066AE9D .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
0066AEA0 .  52          PUSH EDX
0066AEA1 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
0066AEA4 .  52          PUSH EDX
0066AEA5 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066AEA8 .  52          PUSH EDX
0066AEA9 .  8D55 D8    LEA EDX,DWORD PTR SS:[EBP-28]
0066AEAC .  52          PUSH EDX
0066AEAD .  50          PUSH EAX
0066AEAE .  FF51 20    CALL DWORD PTR DS:[ECX+20]
0066AEB1 .  85C0       TEST EAX,EAX
0066AEB3 .  7D 15       JGE SHORT ks.0066AECA
0066AEB5 .  6A 20       PUSH 20
0066AEB7 .  68 00874200 PUSH ks.00428700
0066AEBC .  8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066AEC2 .  51          PUSH ECX
0066AEC3 .  50          PUSH EAX
0066AEC4 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AECA >  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 .  0F85 B6050000 JNZ ks.0066B48E
0066AED8 .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC .  66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 .  74 0C       JE SHORT ks.0066AEEE
0066AEE2 .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 .  E9 DF050000 JMP ks.0066B4CD
0066AEEE >  BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 .  FFD3       CALL EBX
0066AEF8 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB .  50          PUSH EAX
0066AEFC .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEFF .  51          PUSH ECX
0066AF00 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066AF03 .  52          PUSH EDX
0066AF04 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AF0A .  8BD0       MOV EDX,EAX
0066AF0C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF0F .  FFD6       CALL ESI
0066AF11 .  50          PUSH EAX
0066AF12 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AF17 .  68 02000080 PUSH 80000002
0066AF1C .  57          PUSH EDI
0066AF1D .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AF23 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AF26 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066AF29 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066AF2C .  FFD3       CALL EBX
0066AF2E .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AF31 .  51          PUSH ECX
0066AF32 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066AF35 .  52          PUSH EDX
0066AF36 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066AF39 .  50          PUSH EAX
0066AF3A .  6A 03       PUSH 3
0066AF3C .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AF42 .  83C4 10    ADD ESP,10
0066AF45 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF48 .  51          PUSH ECX
0066AF49 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066AF4C .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066AF4F .  50          PUSH EAX
0066AF50 .  57          PUSH EDI
0066AF51 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108] ;CALL到66c100
0066AF57 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AF5A .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066AF5D .  83C1 04    ADD ECX,4
0066AF60 .  FFD3       CALL EBX
0066AF62 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF65 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066AF6B .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066AF6E .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066AF71 .  50          PUSH EAX
0066AF72 .  68 A4B44100 PUSH ks.0041B4A4
0066AF77 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AF7D .  85C0       TEST EAX,EAX
0066AF7F .  0F84 09050000 JE ks.0066B48E
0066AF85 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AF87 .  8B40 50    MOV EAX,DWORD PTR DS:[EAX+50]
0066AF8A .  8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
0066AF90 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF93 .  51          PUSH ECX
0066AF94 .  57          PUSH EDI
0066AF95 .  FFD0       CALL EAX
0066AF97 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],1
0066AFA1 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AFA3 .  8B50 4C    MOV EDX,DWORD PTR DS:[EAX+4C]
0066AFA6 .  8995 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EDX
0066AFAC .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AFB2 .  50          PUSH EAX
0066AFB3 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AFB9 .  51          PUSH ECX
0066AFBA .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AFBD .  52          PUSH EDX
0066AFBE .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AFC3 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFC9 .  8BD0       MOV EDX,EAX
0066AFCB .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AFCE .  FFD6       CALL ESI
0066AFD0 .  50          PUSH EAX
0066AFD1 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066AFD4 .  50          PUSH EAX
0066AFD5 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AFDB .  8BD0       MOV EDX,EAX
0066AFDD .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AFE0 .  FFD6       CALL ESI
0066AFE2 .  50          PUSH EAX
0066AFE3 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFE9 .  8BD0       MOV EDX,EAX
0066AFEB .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AFF1 .  FFD6       CALL ESI
0066AFF3 .  50          PUSH EAX
0066AFF4 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AFF9 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFFF .  8BD0       MOV EDX,EAX
0066B001 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B007 .  FFD6       CALL ESI
0066B009 .  50          PUSH EAX
0066B00A .  57          PUSH EDI
0066B00B .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B011 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B017 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B01A .  83C1 08    ADD ECX,8
0066B01D .  FFD3       CALL EBX
0066B01F .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B025 .  52          PUSH EDX
0066B026 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B02C .  50          PUSH EAX
0066B02D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B033 .  51          PUSH ECX
0066B034 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B037 .  52          PUSH EDX
0066B038 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B03B .  50          PUSH EAX
0066B03C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B03F .  51          PUSH ECX
0066B040 .  6A 06       PUSH 6
0066B042 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B048 .  83C4 1C    ADD ESP,1C
0066B04B .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B04E .  52          PUSH EDX
0066B04F .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B052 .  8B48 08    MOV ECX,DWORD PTR DS:[EAX+8]
0066B055 .  51          PUSH ECX
0066B056 .  57          PUSH EDI
0066B057 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B05D .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B060 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B063 .  8D48 08    LEA ECX,DWORD PTR DS:[EAX+8]
0066B066 .  FFD3       CALL EBX
0066B068 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B06B .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B071 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B074 .  8B51 08    MOV EDX,DWORD PTR DS:[ECX+8]
0066B077 .  52          PUSH EDX
0066B078 .  68 A4B44100 PUSH ks.0041B4A4
0066B07D .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B083 .  85C0       TEST EAX,EAX
0066B085 .  0F84 03040000 JE ks.0066B48E
0066B08B .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B08E .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B091 .  51          PUSH ECX
0066B092 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0066B095 .  52          PUSH EDX
0066B096 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B09C .  85C0       TEST EAX,EAX
0066B09E .  0F85 EA030000 JNZ ks.0066B48E
0066B0A4 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B0A7 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B0AA .  51          PUSH ECX
0066B0AB .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066B0B1 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
0066B0B7 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0066B0BA .  BA A4B44100 MOV EDX,ks.0041B4A4
0066B0BF .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B0C2 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066B0C5 .  FFD3       CALL EBX
0066B0C7 .  BA A4B44100 MOV EDX,ks.0041B4A4
0066B0CC .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B0CF .  83C1 08    ADD ECX,8
0066B0D2 .  FFD3       CALL EBX
0066B0D4 .  BA 24894200 MOV EDX,ks.00428924                   ;  UNICODE "userinfo2"
0066B0D9 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B0DC .  FFD3       CALL EBX
0066B0DE .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B0E1 .  52          PUSH EDX
0066B0E2 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B0E5 .  50          PUSH EAX
0066B0E6 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
0066B0E9 .  51          PUSH ECX
0066B0EA .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B0F0 .  8BD0       MOV EDX,EAX
0066B0F2 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B0F5 .  FFD6       CALL ESI
0066B0F7 .  50          PUSH EAX
0066B0F8 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066B0FD .  68 02000080 PUSH 80000002
0066B102 .  57          PUSH EDI
0066B103 .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066B109 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066B10C .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B10F .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066B112 .  FFD3       CALL EBX
0066B114 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B117 .  51          PUSH ECX
0066B118 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066B11B .  52          PUSH EDX
0066B11C .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066B11F .  50          PUSH EAX
0066B120 .  6A 03       PUSH 3
0066B122 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B128 .  83C4 10    ADD ESP,10
0066B12B .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B12E .  51          PUSH ECX
0066B12F .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B132 .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B135 .  50          PUSH EAX
0066B136 .  57          PUSH EDI
0066B137 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B13D .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B140 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B143 .  83C1 04    ADD ECX,4
0066B146 .  FFD3       CALL EBX
0066B148 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B14B .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B151 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B154 .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B157 .  50          PUSH EAX
0066B158 .  68 A4B44100 PUSH ks.0041B4A4
0066B15D .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B163 .  85C0       TEST EAX,EAX
0066B165 .  0F84 23030000 JE ks.0066B48E
0066B16B .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B16E .  51          PUSH ECX
0066B16F .  57          PUSH EDI
0066B170 .  FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B176 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],2
0066B180 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B186 .  52          PUSH EDX
0066B187 .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066B18D .  50          PUSH EAX
0066B18E .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066B191 .  51          PUSH ECX
0066B192 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066B197 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B19D .  8BD0       MOV EDX,EAX
0066B19F .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B1A2 .  FFD6       CALL ESI
0066B1A4 .  50          PUSH EAX
0066B1A5 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066B1A8 .  52          PUSH EDX
0066B1A9 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B1AF .  8BD0       MOV EDX,EAX
0066B1B1 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B1B4 .  FFD6       CALL ESI
0066B1B6 .  50          PUSH EAX
0066B1B7 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B1BD .  8BD0       MOV EDX,EAX
0066B1BF .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B1C5 .  FFD6       CALL ESI
0066B1C7 .  50          PUSH EAX
0066B1C8 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
;又是MSJET1.INI
0066B1CD .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B1D3 .  8BD0       MOV EDX,EAX
0066B1D5 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B1DB .  FFD6       CALL ESI
0066B1DD .  50          PUSH EAX
0066B1DE .  57          PUSH EDI
0066B1DF .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B1E5 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B1EB .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B1EE .  8D48 08    LEA ECX,DWORD PTR DS:[EAX+8]
0066B1F1 .  FFD3       CALL EBX
0066B1F3 .  8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0066B1F9 .  51          PUSH ECX
0066B1FA .  8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
0066B200 .  52          PUSH EDX
0066B201 .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0066B207 .  50          PUSH EAX
0066B208 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B20B .  51          PUSH ECX
0066B20C .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066B20F .  52          PUSH EDX
0066B210 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066B213 .  50          PUSH EAX
0066B214 .  6A 06       PUSH 6
0066B216 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B21C .  83C4 1C    ADD ESP,1C
0066B21F .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B222 .  51          PUSH ECX
0066B223 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B226 .  8B42 08    MOV EAX,DWORD PTR DS:[EDX+8]
0066B229 .  50          PUSH EAX
0066B22A .  57          PUSH EDI
0066B22B .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B231 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B234 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B237 .  83C1 08    ADD ECX,8
0066B23A .  FFD3       CALL EBX
0066B23C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B23F .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B245 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B248 .  8B42 08    MOV EAX,DWORD PTR DS:[EDX+8]
0066B24B .  50          PUSH EAX
0066B24C .  68 A4B44100 PUSH ks.0041B4A4
0066B251 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B257 .  85C0       TEST EAX,EAX
0066B259 .  0F84 2F020000 JE ks.0066B48E
0066B25F .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B262 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B265 .  51          PUSH ECX
0066B266 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0066B269 .  52          PUSH EDX
0066B26A .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B270 .  85C0       TEST EAX,EAX
0066B272 .  0F85 2F020000 JNZ ks.0066B4A7
0066B278 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B27B .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B27E .  51          PUSH ECX
0066B27F .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066B285 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
0066B28B .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
0066B28E .  8B4D 8C    MOV ECX,DWORD PTR SS:[EBP-74]
0066B291 .  66:85C9    TEST CX,CX
0066B294 .  0F8E EB010000 JLE ks.0066B485
0066B29A .  66:85C0    TEST AX,AX
0066B29D .  0F8E E2010000 JLE ks.0066B485
0066B2A3 .  66:837D 18 FF CMP WORD PTR SS:[EBP+18],0FFFF
0066B2A8 .  0F85 CE010000 JNZ ks.0066B47C
0066B2AE .  66:49       DEC CX
0066B2B0 .  0F80 F7020000 JO ks.0066B5AD
0066B2B6 .  894D 8C    MOV DWORD PTR SS:[EBP-74],ECX
0066B2B9 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B2BC .  52          PUSH EDX
0066B2BD .  57          PUSH EDI
0066B2BE .  FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B2C4 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],3
0066B2CE .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B2D4 .  50          PUSH EAX
0066B2D5 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B2DB .  51          PUSH ECX
0066B2DC .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B2DF .  52          PUSH EDX
0066B2E0 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066B2E5 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B2EB .  8BD0       MOV EDX,EAX
0066B2ED .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B2F0 .  FFD6       CALL ESI
0066B2F2 .  50          PUSH EAX
0066B2F3 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066B2F6 .  50          PUSH EAX
0066B2F7 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B2FD .  8BD0       MOV EDX,EAX
0066B2FF .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B302 .  FFD6       CALL ESI
0066B304 .  50          PUSH EAX
0066B305 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B30B .  8BD0       MOV EDX,EAX
0066B30D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B313 .  FFD6       CALL ESI
0066B315 .  50          PUSH EAX
0066B316 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066B31B .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B321 .  8BD0       MOV EDX,EAX
0066B323 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B329 .  FFD6       CALL ESI
0066B32B .  50          PUSH EAX
0066B32C .  57          PUSH EDI
0066B32D .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B333 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B339 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B33C .  83C1 04    ADD ECX,4
0066B33F .  FFD3       CALL EBX
0066B341 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B347 .  52          PUSH EDX
0066B348 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B34E .  50          PUSH EAX
0066B34F .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B355 .  51          PUSH ECX
0066B356 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B359 .  52          PUSH EDX
0066B35A .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B35D .  50          PUSH EAX
0066B35E .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B361 .  51          PUSH ECX
0066B362 .  6A 06       PUSH 6
0066B364 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B36A .  83C4 1C    ADD ESP,1C
0066B36D .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B373 .  52          PUSH EDX
0066B374 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B377 .  83C0 04    ADD EAX,4
0066B37A .  50          PUSH EAX
0066B37B .  57          PUSH EDI
0066B37C .  FF95 F4FEFFFF CALL DWORD PTR SS:[EBP-10C]
0066B382 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B388 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B38E .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B394 .  51          PUSH ECX
0066B395 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066B39B .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B39E .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B3A1 .  50          PUSH EAX
0066B3A2 .  FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>;  MSVBVM50.__vbaDateStr
0066B3A8 .  DD9D 48FFFFFF FSTP QWORD PTR SS:[EBP-B8]
0066B3AE .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],8007
0066B3B8 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3BE .  51          PUSH ECX
0066B3BF .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0066B3C5 .  52          PUSH EDX
0066B3C6 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
0066B3CC .  8BD8       MOV EBX,EAX
0066B3CE .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3D4 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B3DA .  66:85DB    TEST BX,BX
0066B3DD .  74 0F       JE SHORT ks.0066B3EE
0066B3DF .  66:8B45 B4 MOV AX,WORD PTR SS:[EBP-4C]
0066B3E3 .  66:48       DEC AX
0066B3E5 .  0F80 C2010000 JO ks.0066B5AD
0066B3EB .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
0066B3EE >  8B4D 8C    MOV ECX,DWORD PTR SS:[EBP-74]
0066B3F1 .  51          PUSH ECX
0066B3F2 .  8B1D B0B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrI2
0066B3F8 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrI2>
0066B3FA .  8BD0       MOV EDX,EAX
0066B3FC .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066B3FF .  FFD6       CALL ESI
0066B401 .  8B55 B4    MOV EDX,DWORD PTR SS:[EBP-4C]
0066B404 .  52          PUSH EDX
0066B405 .  FFD3       CALL EBX
0066B407 .  8BD0       MOV EDX,EAX
0066B409 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066B40C .  FFD6       CALL ESI
0066B40E .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B414 .  50          PUSH EAX
0066B415 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066B41B .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B421 .  51          PUSH ECX
0066B422 .  FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>;  MSVBVM50.__vbaStrErrVarCopy
0066B428 .  8BD0       MOV EDX,EAX
0066B42A .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066B42D .  FFD6       CALL ESI
0066B42F .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B435 .  52          PUSH EDX
0066B436 .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B43C .  50          PUSH EAX
0066B43D .  6A 02       PUSH 2
0066B43F .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066B445 .  83C4 0C    ADD ESP,0C
0066B448 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B44E .  51          PUSH ECX
0066B44F .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
0066B452 .  52          PUSH EDX
0066B453 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066B456 .  50          PUSH EAX
0066B457 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
0066B45A .  51          PUSH ECX
0066B45B .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066B45E .  52          PUSH EDX
0066B45F .  8B45 B0    MOV EAX,DWORD PTR SS:[EBP-50]
0066B462 .  50          PUSH EAX
0066B463 .  57          PUSH EDI
0066B464 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066B466 .  FF50 28    CALL DWORD PTR DS:[EAX+28]
0066B469 .  85C0       TEST EAX,EAX
0066B46B .  7D 0F       JGE SHORT ks.0066B47C
0066B46D .  6A 28       PUSH 28
0066B46F .  68 C4E94100 PUSH ks.0041E9C4
0066B474 .  57          PUSH EDI
0066B475 .  50          PUSH EAX
0066B476 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066B47C >  C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0066B483 .  EB 48       JMP SHORT ks.0066B4CD
0066B485 >  C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B48C .  EB 3F       JMP SHORT ks.0066B4CD
0066B48E >  C745 B8 EB030>MOV DWORD PTR SS:[EBP-48],3EB
0066B495 .  EB 10       JMP SHORT ks.0066B4A7
0066B497 >  C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B49E .  EB 07       JMP SHORT ks.0066B4A7
0066B4A0 >  C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066B4A7 >  FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>]    ;  MSVBVM50.rtcErrObj
0066B4AD .  50          PUSH EAX
0066B4AE .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4B4 .  51          PUSH ECX
0066B4B5 .  FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
0066B4BB .  8B10       MOV EDX,DWORD PTR DS:[EAX]
0066B4BD .  50          PUSH EAX
0066B4BE .  FF52 48    CALL DWORD PTR DS:[EDX+48]
0066B4C1 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4C7 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
0066B4CD >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
0066B4D3 .  9B          WAIT
0066B4D4 .  68 84B56600 PUSH ks.0066B584
0066B4D9 .  EB 52       JMP SHORT ks.0066B52D
0066B4DB .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B4E1 .  50          PUSH EAX
0066B4E2 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B4E8 .  51          PUSH ECX
0066B4E9 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066B4EF .  52          PUSH EDX
0066B4F0 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066B4F3 .  50          PUSH EAX
0066B4F4 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B4F7 .  51          PUSH ECX
0066B4F8 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B4FB .  52          PUSH EDX
0066B4FC .  6A 06       PUSH 6
0066B4FE .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B504 .  83C4 1C    ADD ESP,1C
0066B507 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B50D .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
0066B513 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
0066B519 .  50          PUSH EAX
0066B51A .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B520 .  51          PUSH ECX
0066B521 .  6A 02       PUSH 2
0066B523 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066B529 .  83C4 0C    ADD ESP,0C
0066B52C .  C3          RETN
0066B52D >  8D55 DC    LEA EDX,DWORD PTR SS:[EBP-24]
0066B530 .  52          PUSH EDX
0066B531 .  6A 00       PUSH 0
0066B533 .  8B3D 50B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaAr>;  MSVBVM50.__vbaAryDestruct
0066B539 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaAryDestruct>
0066B53B .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066B53E .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
0066B544 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
0066B546 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066B549 .  FFD6       CALL ESI
0066B54B .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066B54E .  FFD6       CALL ESI
0066B550 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0066B553 .  8B1D 14B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeObj
0066B559 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaFreeObj>
0066B55B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066B55E .  FFD6       CALL ESI
0066B560 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
0066B563 .  FFD3       CALL EBX
0066B565 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066B568 .  FFD6       CALL ESI
0066B56A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066B56D .  FFD6       CALL ESI
0066B56F .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066B572 .  8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EAX
0066B578 .  8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0066B57E .  51          PUSH ECX
0066B57F .  6A 00       PUSH 0
0066B581 .  FFD7       CALL EDI
0066B583 .  C3          RETN
0066B584 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066B587 .  8B10       MOV EDX,DWORD PTR DS:[EAX]
0066B589 .  50          PUSH EAX
0066B58A .  FF52 08    CALL DWORD PTR DS:[EDX+8]
0066B58D .  8B45 1C    MOV EAX,DWORD PTR SS:[EBP+1C]
0066B590 .  66:8B4D B8 MOV CX,WORD PTR SS:[EBP-48]
0066B594 .  66:8908    MOV WORD PTR DS:[EAX],CX
0066B597 .  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
0066B59A .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
0066B59D .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066B5A4 .  5F          POP EDI
0066B5A5 .  5E          POP ESI
0066B5A6 .  5B          POP EBX
0066B5A7 .  8BE5       MOV ESP,EBP
0066B5A9 .  5D          POP EBP
0066B5AA .  C2 1800    RETN 18
0066B5AD >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
0066B5B3 .  90          NOP
0066B5B4 .  90          NOP
0066B5B5 .  90          NOP
0066B5B6 .  90          NOP
0066B5B7 .  90          NOP
0066B5B8 .  90          NOP
0066B5B9 .  90          NOP
======
从66af51 call
0066C100 > \55          PUSH EBP
0066C101 .  8BEC       MOV EBP,ESP
0066C103 .  83EC 08    SUB ESP,8
0066C106 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0066C10B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0066C111 .  50          PUSH EAX
0066C112 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
0066C119 .  83EC 14    SUB ESP,14
0066C11C .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066C11F .  53          PUSH EBX
0066C120 .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
;"FGLQPFDMQP" userinfo1的数据
0066C126 .  56          PUSH ESI
0066C127 .  57          PUSH EDI
0066C128 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
0066C12B .  8965 F8    MOV DWORD PTR SS:[EBP-8],ESP
0066C12E .  C745 FC F0774>MOV DWORD PTR SS:[EBP-4],ks.004077F0
0066C135 .  C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
0066C13C .  C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0066C143 .  C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
0066C14A .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrCopy>
0066C14C .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
0066C14F .  8B75 08    MOV ESI,DWORD PTR SS:[EBP+8]
0066C152 .  8D55 E4    LEA EDX,DWORD PTR SS:[EBP-1C]
0066C155 .  8B0E       MOV ECX,DWORD PTR DS:[ESI]
0066C157 .  C700 00000000 MOV DWORD PTR DS:[EAX],0
0066C15D .  52          PUSH EDX
0066C15E .  8D45 EC    LEA EAX,DWORD PTR SS:[EBP-14]
0066C161 .  68 8C894200 PUSH ks.0042898C                      ;  UNICODE "bjSchool"
0066C166 .  50          PUSH EAX
0066C167 .  56          PUSH ESI
0066C168 .  FF51 20    CALL DWORD PTR DS:[ECX+20]
0066C16B .  85C0       TEST EAX,EAX
0066C16D .  7D 0F       JGE SHORT ks.0066C17E
0066C16F .  6A 20       PUSH 20
0066C171 .  68 C4E94100 PUSH ks.0041E9C4
0066C176 .  56          PUSH ESI
0066C177 .  50          PUSH EAX
0066C178 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066C17E >  8B55 EC    MOV EDX,DWORD PTR SS:[EBP-14]
0066C181 .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
0066C184 .  FFD3       CALL EBX
0066C186 .  68 A1C16600 PUSH ks.0066C1A1
0066C18B .  EB 0A       JMP SHORT ks.0066C197
0066C18D .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
0066C190 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066C196 .  C3          RETN
0066C197 >  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
0066C19A .- FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>;  MSVBVM50.__vbaFreeStr
0066C1A0 .  C3          RETN
0066C1A1 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
0066C1A4 .  8B55 E8    MOV EDX,DWORD PTR SS:[EBP-18]
0066C1A7 .  5F          POP EDI
0066C1A8 .  5E          POP ESI
0066C1A9 .  8911       MOV DWORD PTR DS:[ECX],EDX
0066C1AB .  8B4D F0    MOV ECX,DWORD PTR SS:[EBP-10]
0066C1AE .  33C0       XOR EAX,EAX
0066C1B0 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066C1B7 .  5B          POP EBX
0066C1B8 .  8BE5       MOV ESP,EBP
0066C1BA .  5D          POP EBP
0066C1BB .  C2 0C00    RETN 0C
-------------------------------------------------------------------------------
▲文件:0-66B790.txt
-------------------------------------------------------------------------------
0066B72F .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B735 .  50          PUSH EAX
0066B736 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B73C .  8BD0       MOV EDX,EAX
0066B73E .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B741 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B747 .  50          PUSH EAX
0066B748 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066B74D .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B753 .  8BD0       MOV EDX,EAX
0066B755 .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
0066B758 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B75E .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B761 .  52          PUSH EDX
0066B762 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B765 .  50          PUSH EAX
0066B766 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B769 .  51          PUSH ECX
0066B76A .  6A 03       PUSH 3
0066B76C .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B772 .  83C4 10    ADD ESP,10
0066B775 .  C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
0066B77C .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B77F .  52          PUSH EDX
0066B780 .  8B45 90    MOV EAX,DWORD PTR SS:[EBP-70]
0066B783 .  50          PUSH EAX
0066B784 .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066B787 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066B789 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066B78C .  50          PUSH EAX
0066B78D .  FF52 5C    CALL DWORD PTR DS:[EDX+5C]
;访问"C:\WINXP\System32\Microsoft\MSJET6.INI"
内容如下:
FGCQPFGGQPFDDQP
FFEQPFD@QPFDEQP
GEE@XAXGE
@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L<
FGBQP
;得到:
0066B790 .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066B793 .  898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
0066B799 .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B7A0 .  8B95 38FFFFFF MOV EDX,DWORD PTR SS:[EBP-C8]
0066B7A6 .  8D4D 90    LEA ECX,DWORD PTR SS:[EBP-70]
0066B7A9 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B7AF .  C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
0066B7B6 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B7B9 .  52          PUSH EDX
0066B7BA .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
0066B7BD .  50          PUSH EAX
0066B7BE .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066B7C1 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066B7C3 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066B7C6 .  50          PUSH EAX
0066B7C7 .  FF52 5C    CALL DWORD PTR DS:[EDX+5C]
0066B7CA .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
;得到:"FGLQPFDMQP"
0066B7CD .  898D 34FFFFFF MOV DWORD PTR SS:[EBP-CC],ECX
0066B7D3 .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B7DA .  8B95 34FFFFFF MOV EDX,DWORD PTR SS:[EBP-CC]
0066B7E0 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066B7E3 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B7E9 .  C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
0066B7F0 .  66:C785 5CFFF>MOV WORD PTR SS:[EBP-A4],4
0066B7F9 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B7FC .  52          PUSH EDX
0066B7FD .  8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0066B803 .  50          PUSH EAX
0066B804 .  8B4D D8    MOV ECX,DWORD PTR SS:[EBP-28]
0066B807 .  51          PUSH ECX
0066B808 .  8B55 08    MOV EDX,DWORD PTR SS:[EBP+8]
0066B80B .  8B02       MOV EAX,DWORD PTR DS:[EDX]
0066B80D .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066B810 .  51          PUSH ECX
0066B811 .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L<"
;
0066B814 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B817 .  8995 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EDX
0066B81D .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B824 .  8B95 30FFFFFF MOV EDX,DWORD PTR SS:[EBP-D0]
0066B82A .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066B82D .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B833 .  C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
0066B83A .  8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066B840 .  50          PUSH EAX
0066B841 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066B844 .  51          PUSH ECX
0066B845 .  8B55 08    MOV EDX,DWORD PTR SS:[EBP+8]
0066B848 .  8B02       MOV EAX,DWORD PTR DS:[EDX]
0066B84A .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066B84D .  51          PUSH ECX
0066B84E .  FF50 68    CALL DWORD PTR DS:[EAX+68]
0066B851 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B857 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B85D .  C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
0066B864 .  6A 01       PUSH 1
0066B866 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
;得到上次输入的激活码"5084J-VX10H-0248M-TXZO7-O1J69-26M9I"
0066B869 .  52          PUSH EDX
0066B86A .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
;得到最近输入的激活码"G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
0066B86D .  50          PUSH EAX
0066B86E .  6A 01       PUSH 1
0066B870 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
;最近激活码转换为小写字符在[ESP-20]
0066B876 .  33DB       XOR EBX,EBX
0066B878 .  85C0       TEST EAX,EAX
0066B87A .  0F9FC3       SETG BL
0066B87D .  8B4D D4    MOV ECX,DWORD PTR SS:[EBP-2C]
;上次激活码
0066B880 .  51          PUSH ECX
0066B881 .  68 A4B44100 PUSH ks.0041B4A4
0066B886 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B88C .  F7D8       NEG EAX
0066B88E .  1BC0       SBB EAX,EAX
0066B890 .  40          INC EAX
0066B891 .  0BD8       OR EBX,EAX
0066B893 .  85DB       TEST EBX,EBX
0066B895 .  75 40       JNZ SHORT ks.0066B8D7
0066B897 .  C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B
0066B89E .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
;上次激活码
0066B8A1 .  52          PUSH EDX
0066B8A2 .  68 3C044200 PUSH ks.0042043C
0066B8A7 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B8AD .  8BD0       MOV EDX,EAX
;得到字符串"5084J-VX10H-0248M-TXZO7-O1J69-26M9I|"
0066B8AF .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B8B2 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B8B8 .  50          PUSH EAX
0066B8B9 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
0066B8BC .  50          PUSH EAX
0066B8BD .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
;得到字符串"5084J-VX10H-0248M-TXZO7-O1J69-26M9I|G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
0066B8C3 .  8BD0       MOV EDX,EAX
0066B8C5 .  8D4D CC    LEA ECX,DWORD PTR SS:[EBP-34]
0066B8C8 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B8CE .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B8D1 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B8D7 >  C745 FC 0D000>MOV DWORD PTR SS:[EBP-4],0D
0066B8DE .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B8E4 .  51          PUSH ECX
0066B8E5 .  8D55 CC    LEA EDX,DWORD PTR SS:[EBP-34]
0066B8E8 .  52          PUSH EDX
0066B8E9 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066B8EC .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066B8EE .  8B55 08    MOV EDX,DWORD PTR SS:[EBP+8]
0066B8F1 .  52          PUSH EDX
0066B8F2 .  FF51 68    CALL DWORD PTR DS:[ECX+68]
;加密以上字符串得到:
"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<")
0066B8F5 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B8FB .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B901 .  C745 FC 0E000>MOV DWORD PTR SS:[EBP-4],0E
0066B908 .  8D45 D8    LEA EAX,DWORD PTR SS:[EBP-28]
0066B90B .  8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX
0066B911 .  C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],4008
0066B91B .  6A 00       PUSH 0
0066B91D .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B923 .  51          PUSH ECX
0066B924 .  FF15 F8B56800 CALL DWORD PTR DS:[<&MSVBVM50.#645>]    ;  MSVBVM50.rtcDir
0066B92A .  8BD0       MOV EDX,EAX
0066B92C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B92F .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066B935 .  50          PUSH EAX
0066B936 .  68 A4B44100 PUSH ks.0041B4A4
0066B93B .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
;比较MSJET6.INI和MSJET6.INI
0066B941 .  F7D8       NEG EAX
0066B943 .  1BC0       SBB EAX,EAX
0066B945 .  F7D8       NEG EAX
0066B947 .  F7D8       NEG EAX
0066B949 .  66:8985 54FFF>MOV WORD PTR SS:[EBP-AC],AX
0066B950 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B953 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B959 .  0FBF95 54FFFF>MOVSX EDX,WORD PTR SS:[EBP-AC]
0066B960 .  85D2       TEST EDX,EDX
0066B962 .  0F84 8E000000 JE ks.0066B9F6
0066B968 .  C745 FC 0F000>MOV DWORD PTR SS:[EBP-4],0F
0066B96F .  6A 00       PUSH 0
0066B971 .  6A 00       PUSH 0
0066B973 .  6A 03       PUSH 3
0066B975 .  6A 00       PUSH 0
0066B977 .  6A 03       PUSH 3
0066B979 .  68 00000040 PUSH 40000000
0066B97E .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
0066B981 .  50          PUSH EAX
0066B982 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B985 .  51          PUSH ECX
0066B986 .  FF15 90B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>;  MSVBVM50.__vbaStrToAnsi
0066B98C .  50          PUSH EAX
0066B98D .  E8 4E14DBFF CALL ks.0041CDE0
0066B992 .  8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0066B998 .  FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>;  MSVBVM50.__vbaSetSystemError
0066B99E .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B9A1 .  52          PUSH EDX
0066B9A2 .  8D45 D8    LEA EAX,DWORD PTR SS:[EBP-28]
0066B9A5 .  50          PUSH EAX
0066B9A6 .  FF15 9CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>;  MSVBVM50.__vbaStrToUnicode
0066B9AC .  8B8D 58FFFFFF MOV ECX,DWORD PTR SS:[EBP-A8]
0066B9B2 .  894D C4    MOV DWORD PTR SS:[EBP-3C],ECX
0066B9B5 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B9B8 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B9BE .  C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0066B9C5 .  8D55 9C    LEA EDX,DWORD PTR SS:[EBP-64]
0066B9C8 .  52          PUSH EDX
0066B9C9 .  8D45 A8    LEA EAX,DWORD PTR SS:[EBP-58]
0066B9CC .  50          PUSH EAX
0066B9CD .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
0066B9D0 .  51          PUSH ECX
0066B9D1 .  8B55 C4    MOV EDX,DWORD PTR SS:[EBP-3C]
0066B9D4 .  52          PUSH EDX
0066B9D5 .  E8 5634DBFF CALL ks.0041EE30
0066B9DA .  FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>;  MSVBVM50.__vbaSetSystemError
0066B9E0 .  C745 FC 11000>MOV DWORD PTR SS:[EBP-4],11
0066B9E7 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066B9EA .  50          PUSH EAX
0066B9EB .  E8 2C14DBFF CALL ks.0041CE1C
0066B9F0 .  FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>;  MSVBVM50.__vbaSetSystemError
0066B9F6 >  C745 FC 13000>MOV DWORD PTR SS:[EBP-4],13
0066B9FD .  8B4D 90    MOV ECX,DWORD PTR SS:[EBP-70]
0066BA00 .  898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BA06 .  C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BA10 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BA16 .  52          PUSH EDX
0066BA17 .  B8 10000000 MOV EAX,10
0066BA1C .  E8 CFC5D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BA21 .  8BC4       MOV EAX,ESP
0066BA23 .  8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BA29 .  8908       MOV DWORD PTR DS:[EAX],ECX
0066BA2B .  8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BA31 .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0066BA34 .  8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BA3A .  8948 08    MOV DWORD PTR DS:[EAX+8],ECX
0066BA3D .  8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BA43 .  8950 0C    MOV DWORD PTR DS:[EAX+C],EDX
0066BA46 .  68 0C894200 PUSH ks.0042890C                      ;  UNICODE "userinfo1"
0066BA4B .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BA50 .  68 CCE54100 PUSH ks.0041E5CC
0066BA55 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BA5B .  8BD0       MOV EDX,EAX
0066BA5D .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066BA60 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BA66 .  50          PUSH EAX
0066BA67 .  66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BA6B .  50          PUSH EAX
0066BA6C .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066BA72 .  8BD0       MOV EDX,EAX
0066BA74 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066BA77 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BA7D .  50          PUSH EAX
0066BA7E .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BA84 .  8BD0       MOV EDX,EAX
0066BA86 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BA89 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BA8F .  50          PUSH EAX
0066BA90 .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066BA93 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066BA95 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066BA98 .  50          PUSH EAX
0066BA99 .  FF52 44    CALL DWORD PTR DS:[EDX+44]
0066BA9C .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BA9F .  51          PUSH ECX
0066BAA0 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066BAA3 .  52          PUSH EDX
0066BAA4 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066BAA7 .  50          PUSH EAX
0066BAA8 .  6A 03       PUSH 3
0066BAAA .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066BAB0 .  83C4 10    ADD ESP,10
0066BAB3 .  C745 FC 14000>MOV DWORD PTR SS:[EBP-4],14
0066BABA .  8B4D C0    MOV ECX,DWORD PTR SS:[EBP-40]
0066BABD .  898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BAC3 .  C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BACD .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BAD3 .  52          PUSH EDX
0066BAD4 .  B8 10000000 MOV EAX,10
0066BAD9 .  E8 12C5D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BADE .  8BC4       MOV EAX,ESP
0066BAE0 .  8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BAE6 .  8908       MOV DWORD PTR DS:[EAX],ECX
0066BAE8 .  8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BAEE .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0066BAF1 .  8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BAF7 .  8948 08    MOV DWORD PTR DS:[EAX+8],ECX
0066BAFA .  8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BB00 .  8950 0C    MOV DWORD PTR DS:[EAX+C],EDX
0066BB03 .  68 24894200 PUSH ks.00428924                      ;  UNICODE "userinfo2"
0066BB08 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BB0D .  68 CCE54100 PUSH ks.0041E5CC
0066BB12 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BB18 .  8BD0       MOV EDX,EAX
0066BB1A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066BB1D .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BB23 .  50          PUSH EAX
0066BB24 .  66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BB28 .  50          PUSH EAX
0066BB29 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066BB2F .  8BD0       MOV EDX,EAX
0066BB31 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066BB34 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BB3A .  50          PUSH EAX
0066BB3B .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BB41 .  8BD0       MOV EDX,EAX
0066BB43 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BB46 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BB4C .  50          PUSH EAX
0066BB4D .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066BB50 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066BB52 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066BB55 .  50          PUSH EAX
0066BB56 .  FF52 44    CALL DWORD PTR DS:[EDX+44]
0066BB59 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BB5C .  51          PUSH ECX
0066BB5D .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066BB60 .  52          PUSH EDX
0066BB61 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066BB64 .  50          PUSH EAX
0066BB65 .  6A 03       PUSH 3
0066BB67 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066BB6D .  83C4 10    ADD ESP,10
0066BB70 .  C745 FC 15000>MOV DWORD PTR SS:[EBP-4],15
0066BB77 .  BA D4D34100 MOV EDX,ks.0041D3D4
0066BB7C .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0066BB7F .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
0066BB85 .  C745 FC 16000>MOV DWORD PTR SS:[EBP-4],16
0066BB8C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066BB8F .  51          PUSH ECX
0066BB90 .  8B55 A4    MOV EDX,DWORD PTR SS:[EBP-5C]
0066BB93 .  52          PUSH EDX
0066BB94 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066BB97 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066BB99 .  8B55 08    MOV EDX,DWORD PTR SS:[EBP+8]
0066BB9C .  52          PUSH EDX
0066BB9D .  FF51 5C    CALL DWORD PTR DS:[ECX+5C]
0066BBA0 .  8B45 88    MOV EAX,DWORD PTR SS:[EBP-78]
0066BBA3 .  8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066BBA9 .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066BBB0 .  8B95 2CFFFFFF MOV EDX,DWORD PTR SS:[EBP-D4]
0066BBB6 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0066BBB9 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BBBF .  C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17
0066BBC6 .  8B4D A4    MOV ECX,DWORD PTR SS:[EBP-5C]
0066BBC9 .  898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BBCF .  C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BBD9 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BBDF .  52          PUSH EDX
0066BBE0 .  B8 10000000 MOV EAX,10
0066BBE5 .  E8 06C4D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BBEA .  8BC4       MOV EAX,ESP
0066BBEC .  8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BBF2 .  8908       MOV DWORD PTR DS:[EAX],ECX
0066BBF4 .  8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BBFA .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0066BBFD .  8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BC03 .  8948 08    MOV DWORD PTR DS:[EAX+8],ECX
0066BC06 .  8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BC0C .  8950 0C    MOV DWORD PTR DS:[EAX+C],EDX
0066BC0F .  68 64874200 PUSH ks.00428764                      ;  UNICODE "userflag"
0066BC14 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BC19 .  68 CCE54100 PUSH ks.0041E5CC
0066BC1E .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BC24 .  8BD0       MOV EDX,EAX
0066BC26 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066BC29 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BC2F .  50          PUSH EAX
0066BC30 .  66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BC34 .  50          PUSH EAX
0066BC35 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066BC3B .  8BD0       MOV EDX,EAX
0066BC3D .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066BC40 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BC46 .  50          PUSH EAX
0066BC47 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BC4D .  8BD0       MOV EDX,EAX
0066BC4F .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BC52 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BC58 .  50          PUSH EAX
0066BC59 .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066BC5C .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066BC5E .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066BC61 .  50          PUSH EAX
0066BC62 .  FF52 44    CALL DWORD PTR DS:[EDX+44]
0066BC65 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BC68 .  51          PUSH ECX
0066BC69 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066BC6C .  52          PUSH EDX
0066BC6D .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066BC70 .  50          PUSH EAX
0066BC71 .  6A 03       PUSH 3
0066BC73 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066BC79 .  83C4 10    ADD ESP,10
0066BC7C .  C745 FC 18000>MOV DWORD PTR SS:[EBP-4],18
0066BC83 .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
0066BC86 .  898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066BC8C .  C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BC96 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BC9C .  52          PUSH EDX
0066BC9D .  B8 10000000 MOV EAX,10
0066BCA2 .  E8 49C3D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BCA7 .  8BC4       MOV EAX,ESP
0066BCA9 .  8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066BCAF .  8908       MOV DWORD PTR DS:[EAX],ECX
0066BCB1 .  8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BCB7 .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0066BCBA .  8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BCC0 .  8948 08    MOV DWORD PTR DS:[EAX+8],ECX
0066BCC3 .  8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BCC9 .  8950 0C    MOV DWORD PTR DS:[EAX+C],EDX
0066BCCC .  68 B0874200 PUSH ks.004287B0                      ;  UNICODE "userinfo"
0066BCD1 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BCD6 .  68 CCE54100 PUSH ks.0041E5CC
0066BCDB .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BCE1 .  8BD0       MOV EDX,EAX
0066BCE3 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066BCE6 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BCEC .  50          PUSH EAX
0066BCED .  66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BCF1 .  50          PUSH EAX
0066BCF2 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066BCF8 .  8BD0       MOV EDX,EAX
0066BCFA .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066BCFD .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BD03 .  50          PUSH EAX
0066BD04 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066BD0A .  8BD0       MOV EDX,EAX
0066BD0C .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BD0F .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066BD15 .  50          PUSH EAX
0066BD16 .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066BD19 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066BD1B .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066BD1E .  50          PUSH EAX
0066BD1F .  FF52 44    CALL DWORD PTR DS:[EDX+44]
;保存在注册表中
0066BD22 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066BD25 .  51          PUSH ECX
0066BD26 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066BD29 .  52          PUSH EDX
0066BD2A .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066BD2D .  50          PUSH EAX
0066BD2E .  6A 03       PUSH 3
0066BD30 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066BD36 .  83C4 10    ADD ESP,10
0066BD39 .  C745 FC 19000>MOV DWORD PTR SS:[EBP-4],19
0066BD40 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD46 .  51          PUSH ECX
0066BD47 .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
0066BD4A .  52          PUSH EDX
0066BD4B .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066BD4E .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066BD50 .  8B55 08    MOV EDX,DWORD PTR SS:[EBP+8]
0066BD53 .  52          PUSH EDX
0066BD54 .  FF51 68    CALL DWORD PTR DS:[ECX+68]
0066BD57 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD5D .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066BD63 .  C745 FC 1A000>MOV DWORD PTR SS:[EBP-4],1A
0066BD6A .  8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066BD70 .  50          PUSH EAX
0066BD71 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066BD77 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD7D .  51          PUSH ECX
0066BD7E .  FF15 E8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateV>;  MSVBVM50.__vbaDateVar
0066BD84 .  DD5D 94    FSTP QWORD PTR SS:[EBP-6C]
0066BD87 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD8D .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066BD93 .  C745 FC 1B000>MOV DWORD PTR SS:[EBP-4],1B
0066BD9A .  68 70894200 PUSH ks.00428970                      ;  UNICODE "2001-10-01"
0066BD9F .  FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>;  MSVBVM50.__vbaDateStr
0066BDA5 .  DD9D 78FFFFFF FSTP QWORD PTR SS:[EBP-88]
0066BDAB .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],7
0066BDB5 .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0066BDBB .  52          PUSH EDX
0066BDBC .  FF15 FCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#548>]    ;  MSVBVM50.rtcSetDateVar
0066BDC2 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BDC8 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066BDCE .  C745 FC 1C000>MOV DWORD PTR SS:[EBP-4],1C
0066BDD5 .  C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],80020004
0066BDDF .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],0A
0066BDE9 .  8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066BDEF .  50          PUSH EAX
0066BDF0 .  FF15 08B66800 CALL DWORD PTR DS:[<&MSVBVM50.#648>]    ;  MSVBVM50.rtcFreeFile
0066BDF6 .  66:8945 DC MOV WORD PTR SS:[EBP-24],AX
0066BDFA .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BE00 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066BE06 .  C745 FC 1D000>MOV DWORD PTR SS:[EBP-4],1D
0066BE0D .  8B4D D8    MOV ECX,DWORD PTR SS:[EBP-28]
0066BE10 .  51          PUSH ECX
0066BE11 .  66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0066BE15 .  52          PUSH EDX
0066BE16 .  6A FF       PUSH -1
0066BE18 .  6A 02       PUSH 2
0066BE1A .  FF15 04B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFileO>;  MSVBVM50.__vbaFileOpen
;开始写入MSJET6.INI
0066BE20 .  C745 FC 1E000>MOV DWORD PTR SS:[EBP-4],1E
0066BE27 .  8B45 90    MOV EAX,DWORD PTR SS:[EBP-70]
0066BE2A .  50          PUSH EAX
0066BE2B .  66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BE2F .  51          PUSH ECX
0066BE30 .  68 E41B4200 PUSH ks.00421BE4
0066BE35 .  FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>;  MSVBVM50.__vbaPrintFile
0066BE3B .  83C4 0C    ADD ESP,0C
0066BE3E .  C745 FC 1F000>MOV DWORD PTR SS:[EBP-4],1F
0066BE45 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
0066BE48 .  52          PUSH EDX
0066BE49 .  66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0066BE4D .  50          PUSH EAX
0066BE4E .  68 E41B4200 PUSH ks.00421BE4
0066BE53 .  FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>;  MSVBVM50.__vbaPrintFile
0066BE59 .  83C4 0C    ADD ESP,0C
0066BE5C .  C745 FC 20000>MOV DWORD PTR SS:[EBP-4],20
0066BE63 .  8B4D B0    MOV ECX,DWORD PTR SS:[EBP-50]
0066BE66 .  51          PUSH ECX
0066BE67 .  66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0066BE6B .  52          PUSH EDX
0066BE6C .  68 E41B4200 PUSH ks.00421BE4
0066BE71 .  FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>;  MSVBVM50.__vbaPrintFile
0066BE77 .  83C4 0C    ADD ESP,0C
0066BE7A .  C745 FC 21000>MOV DWORD PTR SS:[EBP-4],21
0066BE81 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
0066BE84 .  50          PUSH EAX
0066BE85 .  66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BE89 .  51          PUSH ECX
0066BE8A .  68 E41B4200 PUSH ks.00421BE4
0066BE8F .  FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>;  MSVBVM50.__vbaPrintFile
0066BE95 .  83C4 0C    ADD ESP,0C
0066BE98 .  C745 FC 22000>MOV DWORD PTR SS:[EBP-4],22
0066BE9F .  8B55 A4    MOV EDX,DWORD PTR SS:[EBP-5C]
0066BEA2 .  52          PUSH EDX
0066BEA3 .  66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0066BEA7 .  50          PUSH EAX
0066BEA8 .  68 E41B4200 PUSH ks.00421BE4
0066BEAD .  FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>;  MSVBVM50.__vbaPrintFile
0066BEB3 .  83C4 0C    ADD ESP,0C
0066BEB6 .  C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23
0066BEBD .  66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BEC1 .  51          PUSH ECX
0066BEC2 .  FF15 F0B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFileC>;  MSVBVM50.__vbaFileClose
0066BEC8 .  C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24
0066BECF .  8B55 94    MOV EDX,DWORD PTR SS:[EBP-6C]
0066BED2 .  8995 78FFFFFF MOV DWORD PTR SS:[EBP-88],EDX
0066BED8 .  8B45 98    MOV EAX,DWORD PTR SS:[EBP-68]
0066BEDB .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0066BEE1 .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],7
0066BEEB .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BEF1 .  51          PUSH ECX
0066BEF2 .  FF15 FCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#548>]    ;  MSVBVM50.rtcSetDateVar
0066BEF8 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BEFE .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066BF04 .  C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25
0066BF0B .  6A 00       PUSH 0
0066BF0D .  6A 00       PUSH 0
0066BF0F .  6A 03       PUSH 3
0066BF11 .  6A 00       PUSH 0
0066BF13 .  6A 03       PUSH 3
0066BF15 .  68 00000040 PUSH 40000000
0066BF1A .  8B55 D8    MOV EDX,DWORD PTR SS:[EBP-28]
0066BF1D .  52          PUSH EDX
0066BF1E .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066BF21 .  50          PUSH EAX
0066BF22 .  FF15 90B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>;  MSVBVM50.__vbaStrToAnsi
0066BF28 .  50          PUSH EAX
0066BF29 .  E8 B20EDBFF CALL ks.0041CDE0
0066BF2E .  8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0066BF34 .  FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>;  MSVBVM50.__vbaSetSystemError
0066BF3A .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066BF3D .  51          PUSH ECX
0066BF3E .  8D55 D8    LEA EDX,DWORD PTR SS:[EBP-28]
0066BF41 .  52          PUSH EDX
0066BF42 .  FF15 9CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>;  MSVBVM50.__vbaStrToUnicode
0066BF48 .  8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
0066BF4E .  8945 C4    MOV DWORD PTR SS:[EBP-3C],EAX
0066BF51 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066BF54 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066BF5A .  C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26
0066BF61 .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
0066BF64 .  51          PUSH ECX
0066BF65 .  8D55 A8    LEA EDX,DWORD PTR SS:[EBP-58]
0066BF68 .  52          PUSH EDX
0066BF69 .  8D45 B8    LEA EAX,DWORD PTR SS:[EBP-48]
0066BF6C .  50          PUSH EAX
0066BF6D .  8B4D C4    MOV ECX,DWORD PTR SS:[EBP-3C]
0066BF70 .  51          PUSH ECX
0066BF71 .  E8 FA2EDBFF CALL ks.0041EE70
0066BF76 .  FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>;  MSVBVM50.__vbaSetSystemError
0066BF7C .  C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27
0066BF83 .  8B55 C4    MOV EDX,DWORD PTR SS:[EBP-3C]
0066BF86 .  52          PUSH EDX
0066BF87 .  E8 900EDBFF CALL ks.0041CE1C
0066BF8C .  FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>;  MSVBVM50.__vbaSetSystemError
0066BF92 .  9B          WAIT
0066BF93 .  68 13C06600 PUSH ks.0066C013
0066BF98 .  EB 24       JMP SHORT ks.0066BFBE
0066BF9A .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066BF9D .  50          PUSH EAX
0066BF9E .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066BFA1 .  51          PUSH ECX
0066BFA2 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066BFA5 .  52          PUSH EDX
0066BFA6 .  6A 03       PUSH 3
0066BFA8 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066BFAE .  83C4 10    ADD ESP,10
0066BFB1 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BFB7 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066BFBD .  C3          RETN
0066BFBE >  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
0066BFC1 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066BFC7 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066BFCA .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066BFD0 .  8D4D CC    LEA ECX,DWORD PTR SS:[EBP-34]
0066BFD3 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066BFD9 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066BFDC .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066BFE2 .  8D45 B4    LEA EAX,DWORD PTR SS:[EBP-4C]
0066BFE5 .  50          PUSH EAX
0066BFE6 .  6A 00       PUSH 0
0066BFE8 .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
0066BFEE .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066BFF1 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066BFF7 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0066BFFA .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066C000 .  8D4D 90    LEA ECX,DWORD PTR SS:[EBP-70]
0066C003 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066C009 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0066C00C .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066C012 .  C3          RETN
0066C013 .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]
0066C016 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0066C018 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066C01B .  50          PUSH EAX
0066C01C .  FF52 08    CALL DWORD PTR DS:[EDX+8]
0066C01F .  8B4D 20    MOV ECX,DWORD PTR SS:[EBP+20]
0066C022 .  66:8B55 C8 MOV DX,WORD PTR SS:[EBP-38]
0066C026 .  66:8911    MOV WORD PTR DS:[ECX],DX
0066C029 .  8B45 F0    MOV EAX,DWORD PTR SS:[EBP-10]
0066C02C .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0066C02F .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066C036 .  5F          POP EDI
0066C037 .  5E          POP ESI
0066C038 .  5B          POP EBX
0066C039 .  8BE5       MOV ESP,EBP
0066C03B .  5D          POP EBP
0066C03C .  C2 1C00    RETN 1C
0066C03F    CC          INT3
-------------------------------------------------------------------------------
▲文件:0-REG.txt 注册表文件
-------------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6]
"userinfo1"="FGLQPFDMQP"
"userinfo2"="FGLQPFDMQP"
"userflag"="FGBQP"
"userinfo"="2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
;或者[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1]
-------------------------------------------------------------------------------
▲文件:0-INI.txt c:\WINXP\system32\Microsoft\MSJET1.INI(或MSJET6.INT)的内容
-------------------------------------------------------------------------------
FGLQPFDMQP
FGLQPFDMQP
GEE@XAXGG
2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<
FGBQP
-------------------------------------------------------------------------------
▲文件:0-FINAL.txt
-------------------------------------------------------------------------------
最终得到的假激活码:G5060-BBBBB-CCQ2L-23XL6-O2323-3434I

0067956A .  50          PUSH EAX
0067956B .  FFD7       CALL EDI
0067956D >  66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 .  0F85 7D020000 JNZ ks.006797F8
0067957B .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F .  66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 .  0F85 C2000000 JNZ ks.0067964B ;  no jmp,跳走会显示无产品项目
;这样可以强制激活成功
00679589 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
0067958C .  50          PUSH EAX
0067958D .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
00679593 .  8B7D CC    MOV EDI,DWORD PTR SS:[EBP-34]
00679596 .  3BFB       CMP EDI,EBX
00679598 .  75 12       JNZ SHORT ks.006795AC
0067959A .  8D4D CC    LEA ECX,DWORD PTR SS:[EBP-34]
0067959D .  51          PUSH ECX
0067959E .  68 D0924000 PUSH ks.004092D0
这样会生成c:\WINXP\system32\Microsoft\MSJET1.INI文件,把它复制一份,改名为MSJET6.INI
注意:MSJETx.INI是最后的1是算出来的,会自动保存,但那个6却不能自动生成,怎样知道是6呢?可以在这里:
0066AB3F .  50          PUSH EAX
0066AB40 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AB45 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
;这个操作可以看到6
0066AB4B .  8BD0       MOV EDX,EAX
0066AB4D .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]

再加下面两个爆破就可以了,但是还有提示激活成功,可用x次..
其实在注册表里还有HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1
把它复制一个命名为HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6即可
============
0066AED2 . /0F85 B6050000 JNZ ks.0066B48E
0066AED8 . |66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . |66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . |74 0C       JE SHORT ks.0066AEEE                   ;  JMP ZZH(EB0C)
;改为JMP 66aeee即可
0066AEE2 . |C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . |E9 DF050000 JMP ks.0066B4CD
0066AEEE > |BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 . |8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
============
0061D184 > \66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 .  75 16       JNZ SHORT ks.0061D1A0                   ;  NO Jmp (SYS) EAX<=1 ZZH
;上行不要跳,改为MOV EAX,1,覆盖下行指令即可
0061D18A .  83C8 FF    OR EAX,FFFFFFFF
0061D18D .  68 0ED56100 PUSH ks.0061D50E                      ;  EAX<=1
0061D192 .  8945 E4    MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 .  66:A3 DCB0670>MOV WORD PTR DS:[67B0DC],AX
0061D19B .  E9 4F030000 JMP ks.0061D4EF
0061D1A0 >  66:3935 DCB06>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 .  0F85 07030000 JNZ ks.0061D4B4
0061D1AD .  8B4D 14    MOV ECX,DWORD PTR SS:[EBP+14]
...
OK,CRACKED! 19:53 2005-4-22

开始与2005-4-18,好累啊.但愿我可以以此考过二级JAVA,为SUN认证打下基础.郁闷啊,考了三级又倒回来考二级.

4-26 20:18
★关于通用激活方法(因为激活是依赖于第一块硬盘序列号的,所以必须得到固定序列号,上述方法才万能)
%SYSTEM%\PCINFO.DLL
导出函数:
GetDriveSerialNumberIn9X
GetDriveSerialNumberInNT
都是取硬盘序列号的,而软件是根据硬盘序列号来生成ID和激活码的,所以可以改造这个DLL,让它返回固定的序列号.这样就可以做通用的CRK.
在VB中测验时,要更改文件名为WYPCINFO.DLL
这样声明:
Private Declare Function GetDriveSerialNumberInNT Lib "WYPCINFO" (ByVal SN As String) As String
调用如下:
Dim a As String, HDSN As String
HDSN = Space(255)
GetDriveSerialNumberInNT (HDSN)
不过这样生成的序列号带有多余的空格.

但是好像主程序并没有调用这个DLL啊,跟跟主程序KS.EXE看看怎么回事.
0066DF65 .  53          PUSH EBX
0066DF66 .  68 80400700 PUSH 74080
0066DF6B .  51          PUSH ECX
0066DF6C .  E8 CB11DBFF CALL ks.0041F13C;;调用DeviceIoControl,取得硬盘SMART_VERSION
0066DF71 .  8985 68FEFFFF MOV DWORD PTR SS:[EBP-198],EAX ;如果取得成功则EAX为非0
0066DF77 .  FFD7       CALL EDI
0066DF79 .  399D 68FEFFFF CMP DWORD PTR SS:[EBP-198],EBX
;ebx=0,若eax=0表示取得硬盘SMART_VERSION失败
0066DF7F .  0F84 98010000 JE ks.0066E11D ;取得SMART版本失败,则跳走
....
0066DFE3 .  52          PUSH EDX ;否则会到这里
0066DFE4 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0066DFE7 .  6A 00       PUSH 0
0066DFE9 .  8846 56    MOV BYTE PTR DS:[ESI+56],AL
0066DFEC .  68 10020000 PUSH 210
0066DFF1 .  8D46 50    LEA EAX,DWORD PTR DS:[ESI+50]
0066DFF4 .  51          PUSH ECX
0066DFF5 .  6A 20       PUSH 20
0066DFF7 .  50          PUSH EAX
0066DFF8 .  68 88C00700 PUSH 7C088
0066DFFD .  52          PUSH EDX
0066DFFE .  C700 00020000 MOV DWORD PTR DS:[EAX],200
0066E004 .  E8 3311DBFF CALL ks.0041F13C ;调用DeviceIoControl,取得硬盘SMART_RCV_DRIVE_DATA
;这样就取得了关于硬盘序列号在内的很多数据
;堆栈及转存
0012F490 0066E009  /CALL 到 DeviceIoControl 来自 ks.0066E004
0012F494 00000174  |hDevice = 00000174
0012F498 0007C088  |IoControlCode = SMART_RCV_DRIVE_DATA
0012F49C 0016DF88  |InBuffer = 0016DF88
0012F4A0 00000020  |InBufferSize = 20 (32.)
0012F4A4 0016DFA8  |OutBuffer = 0016DFA8
0012F4A8 00000210  |OutBufferSize = 210 (528.)
0012F4AC 00000000  |pBytesReturned = NULL
0012F4B0 0012F504  \pOverlapped = 0012F504

这是得到的数据:
0016DFA8  00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
0016DFB8  5A 0C FF 3F 37 C8 10 00 00 00 00 00 3F 00 00 00  Z.?7?.....?...
0016DFC8  00 00 00 00 4A 34 31 56 48 30 4D 38 20 20 20 20  ....J41VH0M8
0016DFD8  20 20 20 20 20 20 20 20 00 00 00 10 04 00 2E 38       .....8
0016DFE8  31 30 20 20 20 20 54 53 38 33 30 30 31 31 20 41  10 TS830011 A
0016DFF8  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0016E008  20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 80             ?

0066E009 .  8985 68FEFFFF MOV DWORD PTR SS:[EBP-198],EAX
0066E00F .  FFD7       CALL EDI
0066E011 .  8B85 68FEFFFF MOV EAX,DWORD PTR SS:[EBP-198]
0066E017 .  85C0       TEST EAX,EAX
0066E019 .  7F 15       JG SHORT ks.0066E030
0066E01B .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]

然后进一步处理,得到序列号.

当取得SMART版本错误会到这里:
...
0066E1B3 .  C2 0800    RETN 8
返回后,然后调用PCINFO.DLL取得序列号.

那么,我们可以补丁:
0066DF7F .  0F84 98010000 JE ks.0066E11D ;取得SMART版本失败,则跳走,改为JMP让他永远调用DLL

然后修改PCINFO.DLL
PCINFO.GetDriveSerialNumberInNT函数:
1000152E  |> \C74424 04 E0EF0010  MOV DWORD PTR SS:[ESP+4],pcinfo.1000EFE0;ASCII "4JV10H8M"
;永远返回固定序列号
10001536  \.  C2 0400          RETN 4

PCINFO.GetDriveSerialNumberIn9X函数:
100012BE  |.  64:890D 00000000       MOV DWORD PTR FS:[0],ECX
100012C5  |.  81C4 88000000          ADD ESP,88
100012CB  \.  C2 0400                RETN 4
100012CE    8BFF                   MOV EDI,EDI ;这个被覆盖不知道有没有影响
修改为:
100012CB    /E9 5E020000             JMP PCINFOHK.1000152E

这样就可以保证在9X和NT下都会返回唯一的硬盘序列号.^_^
当然也可以修改KS.EXE,但是修改VB程序实在是太麻烦了.

好了,这样就可以用得到的假激活码,强制激活,并且通用.

也可以尝试写一个替代DLL.

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
shuair 雪币： 151 活跃值： (66) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 220 粉丝 0 关注私信	shuair 2 2 楼汗.好乱... 2005-7-9 08:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

MARCH

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
shuair 雪币： 151 活跃值： (66) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 220 粉丝 0 关注私信	shuair 2 2 楼汗.好乱... 2005-7-9 08:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复