还是VB的－无忧全国计算机等级考试模拟软件二级JAVA－2[原创]-软件逆向-看雪-安全社区|安全招聘|kanxue.com

还是VB的－无忧全国计算机等级考试模拟软件二级JAVA－2[原创]

发表于: 2005-7-8 14:39 4944

还是VB的－无忧全国计算机等级考试模拟软件二级JAVA－2[原创]

MARCH

2005-7-8 14:39

4944

★较为详细过程,及产品序列号生成与激活码的格式
获得的产品ID号,每次都不一样:
T084J-VE10H-02Q8M-B2G89-2JRW3-58U36
3084J-VT10H-02G8M-W89MV-8BITC-PZS25
9084J-VJ10H-0288M-3J4AD-J5V1K-6BZKU
3084J-V710H-0228M-6784N-7X2LT-AL4U2
F084J-V710H-02D8M-O7T45-7WDJ7-94371
4084J-VW10H-0238M-7W9NQ-W145X-EOLXH
084J-V 10H-02 8M-
实际它是取我的硬盘序列号:"4JV10H8M"
asc值:52 74 86 49 48 72 56 77
格式化为:0# 即0字符个数,得到"084JV10H8M"
然后随机产生其他字符得到ID

激活码格式也为:
5084J-VX10H-0248M-TXZO7-X1J69-26M9I
51D48-V310H-02B8M-BBBBB-OBBBB-BBBBB
O(这个4DH-45H=8H,为HD.SN的长度)
激活码长度必须为35
检验时先去掉中间的-
5084JVX10H0248M TXZO7X1J6926M9I
然后首尾字符换
I9M6296J1X7OZXT M8420H01XVJ4805
字符表:..EFGHIJKLMN...UVWXYZ
然后将'I'的ASC码减2变成G,如果前面没有字符了,就循环回来,例如如果是1就变成9:
I9M62 96J1X 7OZXT得到:G7K40 74H9V 5MXVR
然后替换I9M6296J1X7OZXT M8420H01XVJ4805为
G7K4074H9V5MXVR M8420H01XVJ4805
再处理M8420H01XVJ4805,这一次减4
  得到I4086D67TRF0461
然后替换G7K4074H9V5MXVR M8420H01XVJ4805为(程序在666F21)
G7K4074H9V5MXVR I4086D67TRF0461
取后4个字符并把他们转换为相应数值(例如"E"转换为0Eh),然后
"04"操作为4+0*36=4,  格式化为"004"
"61"操作为1+6*36=217,格式化为"217"
连接以上字符串得到"004217"即为得到的校验串.
这个"0461"实际是激活码开始的"5084"反过来"4805",再各字符ASC值减4得到"0461"
然后再取前26个字符进行复杂的异或操作,取得另一个校验串.再比较.(见5-668330.txt)
为方便计算,我推出了数值,因为必须是:第一个数*36+第二个数
36*2=72
36*3=108
36*4=144
36*5=180
36*6=216
36*7=252
F755 0-BBBBB-CCCCC-DDDDD-O2222-33333
   O必须是O因为硬盘序列号为8
"037119"
037=1*36+1 "11"
119=3*36+11 "3B"
"113B"asc值加4=>"557F",反过来"F755"
校验成功,但是:
00667233 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
;这里监测出错了.
;好像拿下面两个字符串比较,必须相等,这里就过了.
;0012E95C 001D32F4  UNICODE "4JV10H8M"
;0012E960 001D3F2C  UNICODE "BBBBBYYY"
;0012EB40 0016C23C  UNICODE "11111-0000M-BBBBB-YYYYY-XXXXX-6113B"这是变换后的激活码
;BBBBBYYY应该是硬盘序列号才对
;字母表ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890
;4JV10 H8M其中H8M是减4得到的,4JV10是减2得到的.
;H8M=>L2Q,4JV10=>6LX32反过来Q2L-23XL6
;F755 0-BBBBB-CC Q2L-23XL6 -O2222-33333
;F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到激活码:
F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到校验值为:225128这个校验码不行,改一下最后一个字符
F7550-BBBBB-CCQ2L-23XL6-O2222-33332得到校验码"156157"
重新计算前4个校验值的结果.
156=36*4+12 "4C"
157=36*4+13 "4D"
"4C4D"asc值加4,"8G8H",反过来"H8G8"
H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
H8G8 0-BBBBB-CC Q2L-23XL6 -O 2222-33332
校验          硬盘序列号 ^校验硬盘序列号字符数
这样刚刚的监测也躲过了.
但是还有.

0066725F . |FF53 24    CALL DWORD PTR DS:[EBX+24]             ;  ks.00408C8A
;这个CALL 408C8A还要监测
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"

0066764D .  66:3946 34 CMP WORD PTR DS:[ESI+34],AX ;刚刚第一个"0" 30h-46h算得的EAh和1(AX)比
00667651 .  7C 18       JL SHORT ks.0066766B ;这个好像都不可以跳,计算结果不能小于1
00667653 .  66:3946 36 CMP WORD PTR DS:[ESI+36],AX ;[174556]=25h 第1个"11"的校验码
00667657 .  7C 12       JL SHORT ks.0066766B ;校验计算结果不能小于1
00667659 .  66:3946 38 CMP WORD PTR DS:[ESI+38],AX ;[174558]=25h 第2个"11"的校验码
0066765D .  7C 0C       JL SHORT ks.0066766B ;校验计算结果不能小于1
0066765F .  66:3946 3A CMP WORD PTR DS:[ESI+3A],AX ;[17455A]=00h 第3个"00"的校验码
00667663 .  7C 06       JL SHORT ks.0066766B ;校验计算结果不能小于1
00667665 .  66:3946 3C CMP WORD PTR DS:[ESI+3C],AX ;[17455c]=00h 第4个"00"的校验码
00667669 .  7D 07       JGE SHORT ks.00667672 ;好像必须要跳了,校验计算结果不能小于1
0066766B >  C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00667672 >  68 A0766600 PUSH ks.006676A0

;加密字符表"0 11 11 00 00 M4JV10H8MYYXXXXX64C4D"
;位置       0  1  2  3  4
;01111 0000M 4JV10 H8MYY XXXXX 64C4D
;^最小是"G"=47h
;1,2,3,4处的两个字符也是用第一个*36+第二个得到的校验码.
;H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
;    ^    ^0处,最小也要是"I"=49h,49h-2=47h,47h-46h=1h才行
;    ^ ^这里本来就可以通过
;    2323就可以使3,4处通过
;H8G80-BBBBB-CCQ2L-23XL6-O2323-3434I这个激活码得到校验为"078048"
; ^这里改一下才可得到可用的校验串"078048"
;078=2*36+6 "26"
;048=1*36+12 "1C"
;"261C"asc码加4"605G",反过来"G506"
;得到激活码"G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
;但是提示"无法激活产品,请检查是否有此科目的激活码"
;看来还有检测
后面就复杂了.
还有取以下地方的值,并进行复杂的比较.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6]
c:\WINXP\system32\Microsoft\MSJET1.INI
c:\WINXP\system32\Microsoft\MSJET1.INI
其中1,6是算出来的.
这个我看的头都大了,实在不想在在VB的函数里转了,JMP来JMP去,晕了,仔细进入各CALL,然后观察那里会取以上地方的值,并计算,发现可疑的比较就下断点,再尝试改变跳转.结果发现.
============
0066AED2 . /0F85 B6050000 JNZ ks.0066B48E
0066AED8 . |66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . |66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . |74 0C       JE SHORT ks.0066AEEE                   ;  JMP ZZH(EB0C)
;改为JMP 66aeee即可
0066AEE2 . |C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . |E9 DF050000 JMP ks.0066B4CD
0066AEEE > |BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 . |8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
============
0061D184 > \66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 .  75 16       JNZ SHORT ks.0061D1A0                   ;  NO Jmp (SYS) EAX<=1 ZZH
;上行不要跳,改为MOV EAX,1,覆盖下行指令即可
0061D18A .  83C8 FF    OR EAX,FFFFFFFF
0061D18D .  68 0ED56100 PUSH ks.0061D50E                      ;  EAX<=1
0061D192 .  8945 E4    MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 .  66:A3 DCB0670>MOV WORD PTR DS:[67B0DC],AX
0061D19B .  E9 4F030000 JMP ks.0061D4EF
0061D1A0 >  66:3935 DCB06>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 .  0F85 07030000 JNZ ks.0061D4B4
0061D1AD .  8B4D 14    MOV ECX,DWORD PTR SS:[EBP+14]
这样就解除限制了.上机有10套题可用,笔试有5套题可用.

★更为详细的琐碎过程.
-------------------------------------------------------------------------------
▲文件:0.txt
-------------------------------------------------------------------------------
ID:
T084J-VE10H-02Q8M-B2G89-2JRW3-58U36
3084J-VT10H-02G8M-W89MV-8BITC-PZS25
9084J-VJ10H-0288M-3J4AD-J5V1K-6BZKU
3084J-V710H-0228M-6784N-7X2LT-AL4U2
F084J-V710H-02D8M-O7T45-7WDJ7-94371
4084J-VW10H-0238M-7W9NQ-W145X-EOLXH
084J-V 10H-02 8M-
硬盘序列号:4JV10H8M
asc:52 74 86 49 48 72 56 77
格式化为:0# 即0字符个数,得到084JV10H8M
然后随机产生其他字符得到ID

激活码格式也为:
5084J-VX10H-0248M-TXZO7-X1J69-26M9I
51D48-V310H-02B8M-BBBBB-OBBBB-BBBBB
O(这个4DH-45H=8H,为HD.SN的长度)
激活码长度必须为35
检验时先去掉中间的-
5084JVX10H0248M TXZO7X1J6926M9I
然后首尾字符换
I9M6296J1X7OZXT M8420H01XVJ4805

字符表:..EFGHIJKLMN...UVWXYZ
然后将'I'的ASC码减2变成G,如果前面没有字符了,就循环回来,例如如果是1就变成9:
I9M62 96J1X 7OZXT得到:G7K40 74H9V 5MXVR
然后替换I9M6296J1X7OZXT M8420H01XVJ4805为
G7K4074H9V5MXVR M8420H01XVJ4805
再处理M8420H01XVJ4805,这一次减4
  得到I4086D67TRF0461
然后替换G7K4074H9V5MXVR M8420H01XVJ4805为(程序在666F21)
G7K4074H9V5MXVR I4086D67TRF0461
再取以上字符第27字符开始的2字符"04"并分析是否是数字
再取以上字符第29字符开始的2字符"61"并分析是否是数字
然好像还有对4和另外一个数字217(0x9D)进行格式化的操作,格式化为000
(得到"004217")

再取左26个字符G7K4074H9V5MXVR I4086D67TRF
然后进行STRCONV把上述UNICODE转换成系统缺省代码页
十六进制代码为:
47 37 4B 34 30 37 34 48 39 56 35 4D 58 56 52 49 34 30 38 36 44 36 37 54 52 46
十进制为:

再进行复杂的运算得到数字字符串'246226'
66839F INTEGER->BYTE
6683CE UBOUND
66845A 开始复杂的INTEGER->BYTE
66851D FORMAT
668560 FORMAT
668088 LENSTR"246226"

进OD发现它拿前26个字符的asc码和0xFFh异或(XOR)

再跟跟:
006670FB .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006670FE .  51          PUSH ECX
006670FF .  FFD7       CALL EDI
00667101 .  50          PUSH EAX
00667102 .  56          PUSH ESI
00667103 .  FF53 30    CALL DWORD PTR DS:[EBX+30]
00667106 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
00667109 .  52          PUSH EDX ;经过复杂运算得到的"246226"
0066710A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066710D .  50          PUSH EAX ;正确校验码6位"004217"
0066710E .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp ;关键比较了,相等时EAX返回0
00667114 .  8BF8       MOV EDI,EAX
00667116 .  F7DF       NEG EDI
00667118 .  1BFF       SBB EDI,EDI
0066711A .  F7DF       NEG EDI
0066711C .  F7DF       NEG EDI
0066711E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667121 .  51          PUSH ECX
00667122 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667125 .  52          PUSH EDX
00667126 .  6A 02       PUSH 2
00667128 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066712E .  83C4 0C    ADD ESP,0C
00667131 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667134 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066713A .  66:85FF    TEST DI,DI
0066713D .  0F85 38010000 JNZ ks.0066727B
00667143 .  C745 B8 01000>MOV DWORD PTR SS:[EBP-48],1
0066714A .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00667151 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
=========
00667034 .  8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0066703A .  50          PUSH EAX
0066703B .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00667041 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
00667047 .  51          PUSH ECX                               ;  生成004223 就是正确校验码
00667048 .  8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0066704E .  52          PUSH EDX
0066704F .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667055 .  50          PUSH EAX
00667056 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
0066705C .  50          PUSH EAX
0066705D .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
00667063 .  8BD0       MOV EDX,EAX
00667065 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00667068 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066706E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667071 .  51          PUSH ECX
00667072 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667075 .  52          PUSH EDX
00667076 .  6A 02       PUSH 2
00667078 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066707E .  83C4 0C    ADD ESP,0C
00667081 .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667087 .  50          PUSH EAX
00667088 .  8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
0066708E .  51          PUSH ECX
0066708F .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00667095 .  52          PUSH EDX

++++++++++++++++++
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\china\class 的字符串dog="76DLEE"

%SYSTEM%\MICROSOFT\MSJET6.INI
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MSMCWY\6

vbExplorer,修改"激活码错误!"提示为"ActKeyError.zzh"
w32dasm找到:
* Possible StringData Ref from Code Obj ->"ActKeyError.zzh"
                              |
:00679720 C78574FFFFFFB0924200 mov dword ptr [ebp+FFFFFF74], 004292B0
:0067972A 89B56CFFFFFF          mov dword ptr [ebp+FFFFFF6C], esi
向前找到call的跳转表:
004143B8 .  816C24 04 3B0>SUB DWORD PTR SS:[ESP+4],3B
004143C0 .  E9 CB3E2600 JMP ks.00678290 ;点激活到这里
004143C5 .  816C24 04 4F0>SUB DWORD PTR SS:[ESP+4],4F
004143CD .  E9 0E432600 JMP ks.006786E0
004143D2 .  816C24 04 6B0>SUB DWORD PTR SS:[ESP+4],6B
004143DA .  E9 81442600 JMP ks.00678860
004143DF .  816C24 04 630>SUB DWORD PTR SS:[ESP+4],63
004143E7 .  E9 54452600 JMP ks.00678940
004143EC .  816C24 04 730>SUB DWORD PTR SS:[ESP+4],73
004143F4 .  E9 87472600 JMP ks.00678B80
004143F9 .  816C24 04 4B0>SUB DWORD PTR SS:[ESP+4],4B
00414401 .  E9 8A492600 JMP ks.00678D90
00414406 .  816C24 04 5B0>SUB DWORD PTR SS:[ESP+4],5B
0041440E .  E9 5D4A2600 JMP ks.00678E70
00414413 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
0041441B .  E9 F04C2600 JMP ks.00679110
00414420 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
00414428 .  E9 834F2600 JMP ks.006793B0
0041442D .  816C24 04 5F0>SUB DWORD PTR SS:[ESP+4],5F
00414435 .  E9 46542600 JMP ks.00679880
0041443A .  816C24 04 430>SUB DWORD PTR SS:[ESP+4],43
00414442 .  E9 A9542600 JMP ks.006798F0
00414447 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
0041444F .  E9 9C552600 JMP ks.006799F0
00414454 .  816C24 04 FFF>SUB DWORD PTR SS:[ESP+4],0FFFF
0041445C .  E9 FF552600 JMP ks.00679A60
----------
0067835E .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00678361 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00678367 .  66:3BF3    CMP SI,BX
0067836A .  0F84 84020000 JE ks.006785F4 ;强制跳,提示激活码错
00678370 .  8B95 38FFFFFF MOV EDX,DWORD PTR SS:[EBP-C8]
00678376 .  57          PUSH EDI
-------------
00678434 .  52          PUSH EDX
00678435 .  50          PUSH EAX
00678436 .  57          PUSH EDI
00678437 .  FF91 20070000 CALL DWORD PTR DS:[ECX+720]
0067843D .  33D2       XOR EDX,EDX
0067843F .  66:83BD 54FFF>CMP WORD PTR SS:[EBP-AC],0FFFF
00678447 .  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
--------
00679511 .  8BF0       MOV ESI,EAX
00679513 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00679519 .  66:3BF3    CMP SI,BX
0067951C .  0F84 B6010000 JE ks.006796D8                         ;  no jmp
00679522 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
00679525 .  3BC3       CMP EAX,EBX
00679527 .  75 12       JNZ SHORT ks.0067953B
00679529 .  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
-----------
0067957B .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F .  66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 .  0F85 C2000000 JNZ ks.0067964B                         ;  no jmp
00679589 .  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
0067958C .  50          PUSH EAX
0067958D .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
00679593 .  8B7D CC    MOV EDI,DWORD PTR SS:[EBP-34]
---------
006784AE .  8BF0       MOV ESI,EAX
006784B0 .  FF52 60    CALL DWORD PTR DS:[EDX+60]
006784B3 .  3BC3       CMP EAX,EBX
006784B5 .  7D 0F       JGE SHORT ks.006784C6
006784B7 .  6A 60       PUSH 60
006784B9 .  68 98E44100 PUSH ks.0041E498
006784BE .  56          PUSH ESI
006784BF .  50          PUSH EAX
006784C0 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
006784C6 >  68 544E4200 PUSH ks.00424E54                      ;  UNICODE "True"
006784CB .  E8 D05AFAFF CALL ks.0061DFA0
006784D0 .  8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
006784D6 .  8BD0       MOV EDX,EAX
006784D8 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006784DB .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaStrMove>
006784DD .  8B15 D4B06700 MOV EDX,DWORD PTR DS:[67B0D4]
006784E3 .  50          PUSH EAX
006784E4 .  68 40E74100 PUSH ks.0041E740                      ;  UNICODE "Actived"
006784E9 .  68 2CE74100 PUSH ks.0041E72C                      ;  UNICODE "Active"
006784EE .  52          PUSH EDX
006784EF .  FF15 BCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>;  MSVBVM50.__vbaStrI4
006784F5 .  8BD0       MOV EDX,EAX
006784F7 .  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
006784FA .  FFD6       CALL ESI
006784FC .  50          PUSH EAX
006784FD .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
00678503 .  8BD0       MOV EDX,EAX
00678505 .  8D4D E0    LEA ECX,DWORD PTR SS:[EBP-20]
00678508 .  FFD6       CALL ESI
0067850A .  50          PUSH EAX
------------
00C76EA0 52             PUSH EDX
00C76EA1 C3             RETN
00C76EA2 0000          ADD BYTE PTR DS:[EAX],AL
00C76EA4 B4 64          MOV AH,64
00C76EA6 C700 68AC0000 MOV DWORD PTR DS:[EAX],0AC68
00C76EAC 008B C4508D44 ADD BYTE PTR DS:[EBX+448D50C4],CL
00C76EB2 24 0C          AND AL,0C
00C76EB4 50             PUSH EAX
00C76EB5 B9 FC720474    MOV ECX,740472FC
00C76EBA FFD1          CALL ECX
00C76EBC 59             POP ECX
00C76EBD 0BC0          OR EAX,EAX
00C76EBF 78 0C          JS SHORT 00C76ECD
00C76EC1 8B4424 04    MOV EAX,DWORD PTR SS:[ESP+4]
00C76EC5 8B00          MOV EAX,DWORD PTR DS:[EAX]
00C76EC7 FFA0 B0020000 JMP DWORD PTR DS:[EAX+2B0]
00C76ECD 5A             POP EDX
00C76ECE 03E1          ADD ESP,ECX
00C76ED0 52             PUSH EDX
00C76ED1 C3             RETN
00C76ED2 0000          ADD BYTE PTR DS:[EAX],AL
00C76ED4 E4 64          IN AL,64                               ; I/O 命令
00C76ED6 C700 68AD0000 MOV DWORD PTR DS:[EAX],0AD68

==========
0066AEC3 .  50          PUSH EAX
0066AEC4 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AECA >  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 .  0F85 B6050000 JNZ ks.0066B48E
0066AED8 .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC .  66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 .  74 0C       JE SHORT ks.0066AEEE
0066AEE2 .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 .  E9 DF050000 JMP ks.0066B4CD
0066AEEE >  BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 .  FFD3       CALL EBX
0066AEF8 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB .  50          PUSH EAX

00195134  46 00 41 00 42 00 51 00 50 00 46 00 44 00 4C 00  FABQPFDL
00195144  51 00 50 00 00 00                               QP.

FGMQP
FGMQP
GEE@XAXDB
DDDGGGMMM 44
FGBQP

25940
==========
00678290 > \55          PUSH EBP                               ;  ACT BTN PUSHED
00678291 .  8BEC       MOV EBP,ESP
00678293 .  83EC 0C    SUB ESP,0C
00678296 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
0067829B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
006782A1 .  50          PUSH EAX
006782A2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
006782A9 .  81EC B8000000 SUB ESP,0B8
006782AF .  53          PUSH EBX
006782B0 .  56          PUSH ESI
006782B1 .  57          PUSH EDI

-------------------------------------------------------------------------------
▲文件:0start.txt
-------------------------------------------------------------------------------
ID:
T084J-VE10H-02Q8M-B2G89-2JRW3-58U36
3084J-VT10H-02G8M-W89MV-8BITC-PZS25
9084J-VJ10H-0288M-3J4AD-J5V1K-6BZKU
3084J-V710H-0228M-6784N-7X2LT-AL4U2
F084J-V710H-02D8M-O7T45-7WDJ7-94371
4084J-VW10H-0238M-7W9NQ-W145X-EOLXH
084J-V 10H-02 8M-
硬盘序列号:4JV10H8M
asc:52 74 86 49 48 72 56 77
格式化为:0# 即0字符个数,得到084JV10H8M
然后随机产生其他字符得到ID

激活码格式也为:
5084J-VX10H-0248M-TXZO7-X1J69-26M9I
51D48-V310H-02B8M-BBBBB-OBBBB-BBBBB
O(这个4DH-45H=8H,为HD.SN的长度)
激活码长度必须为35
检验时先去掉中间的-
5084JVX10H0248M TXZO7X1J6926M9I
然后首尾字符换
I9M6296J1X7OZXT M8420H01XVJ4805

字符表:..EFGHIJKLMN...UVWXYZ
然后将'I'的ASC码减2变成G,如果前面没有字符了,就循环回来,例如如果是1就变成9:
I9M62 96J1X 7OZXT得到:G7K40 74H9V 5MXVR
然后替换I9M6296J1X7OZXT M8420H01XVJ4805为
G7K4074H9V5MXVR M8420H01XVJ4805
再处理M8420H01XVJ4805,这一次减4
  得到I4086D67TRF0461
然后替换G7K4074H9V5MXVR M8420H01XVJ4805为(程序在666F21)
G7K4074H9V5MXVR I4086D67TRF0461
再取以上字符第27字符开始的2字符"04"并分析是否是数字
再取以上字符第29字符开始的2字符"61"并分析是否是数字
然好像还有对4和另外一个数字217(0x9D)进行格式化的操作,格式化为000
(得到"004217")

再取左26个字符G7K4074H9V5MXVR I4086D67TRF
然后进行STRCONV把上述UNICODE转换成系统缺省代码页
十六进制代码为:
47 37 4B 34 30 37 34 48 39 56 35 4D 58 56 52 49 34 30 38 36 44 36 37 54 52 46
十进制为:

再进行复杂的运算得到数字字符串'246226'
66839F INTEGER->BYTE
6683CE UBOUND
66845A 开始复杂的INTEGER->BYTE
66851D FORMAT
668560 FORMAT
668088 LENSTR"246226"

进OD发现它拿前26个字符的asc码和0xFFh异或(XOR)

再跟跟:
006670FB .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006670FE .  51          PUSH ECX
006670FF .  FFD7       CALL EDI
00667101 .  50          PUSH EAX
00667102 .  56          PUSH ESI
00667103 .  FF53 30    CALL DWORD PTR DS:[EBX+30]
00667106 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
00667109 .  52          PUSH EDX ;经过复杂运算得到的"246226"
0066710A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066710D .  50          PUSH EAX ;正确校验码6位"004217"
0066710E .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp ;关键比较了,相等时EAX返回0
00667114 .  8BF8       MOV EDI,EAX
00667116 .  F7DF       NEG EDI
00667118 .  1BFF       SBB EDI,EDI
0066711A .  F7DF       NEG EDI
0066711C .  F7DF       NEG EDI
0066711E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667121 .  51          PUSH ECX
00667122 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667125 .  52          PUSH EDX
00667126 .  6A 02       PUSH 2
00667128 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066712E .  83C4 0C    ADD ESP,0C
00667131 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667134 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066713A .  66:85FF    TEST DI,DI
0066713D .  0F85 38010000 JNZ ks.0066727B
00667143 .  C745 B8 01000>MOV DWORD PTR SS:[EBP-48],1
0066714A .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00667151 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
=========
00667034 .  8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0066703A .  50          PUSH EAX
0066703B .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00667041 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
00667047 .  51          PUSH ECX                               ;  生成004223 就是正确校验码
00667048 .  8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0066704E .  52          PUSH EDX
0066704F .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
启动时验证已经输入的KEY
0066AA43 .  68 3C894200 PUSH ks.0042893C
0066AA48 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066AA4B .  50          PUSH EAX
0066AA4C .  FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>;  MSVBVM50.__vbaAryConstruct
0066AA52 .  C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066AA59 .  6A 01       PUSH 1
0066AA5B .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
0066AA61 .  BA 64874200 MOV EDX,ks.00428764                   ;  UNICODE "userflag"
0066AA66 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AA69 .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
0066AA6F .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrCopy>
0066AA71 .  8B4E 40    MOV ECX,DWORD PTR DS:[ESI+40]
0066AA74 .  898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX
0066AA7A .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066AA7D .  52          PUSH EDX
0066AA7E .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066AA81 .  50          PUSH EAX
0066AA82 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
0066AA85 .  51          PUSH ECX
0066AA86 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AA8C .  8BD0       MOV EDX,EAX
0066AA8E .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AA91 .  8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
0066AA97 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaStrMove>
0066AA99 .  50          PUSH EAX
0066AA9A .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AA9F .  68 02000080 PUSH 80000002
0066AAA4 .  57          PUSH EDI
0066AAA5 .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AAAB .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AAAE .  C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AAB5 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066AAB8 .  FFD6       CALL ESI
0066AABA .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066AABD .  52          PUSH EDX
0066AABE .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066AAC1 .  50          PUSH EAX
0066AAC2 .  6A 02       PUSH 2
0066AAC4 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AACA .  83C4 0C    ADD ESP,0C
0066AACD .  8B4D C0    MOV ECX,DWORD PTR SS:[EBP-40]
0066AAD0 .  51          PUSH ECX
0066AAD1 .  68 A4B44100 PUSH ks.0041B4A4
0066AAD6 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AADC .  85C0       TEST EAX,EAX
0066AADE .  0F85 B2000000 JNZ ks.0066AB96
0066AAE4 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AAE7 .  52          PUSH EDX
0066AAE8 .  57          PUSH EDI
0066AAE9 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AAEB .  FF50 50    CALL DWORD PTR DS:[EAX+50]
0066AAEE .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],5
0066AAF8 .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AAFE .  50          PUSH EAX
0066AAFF .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AB05 .  51          PUSH ECX
0066AB06 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AB09 .  52          PUSH EDX
0066AB0A .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AB0F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB15 .  8BD0       MOV EDX,EAX
0066AB17 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB1A .  FFD6       CALL ESI
0066AB1C .  50          PUSH EAX
0066AB1D .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066AB20 .  50          PUSH EAX
0066AB21 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AB27 .  8BD0       MOV EDX,EAX
0066AB29 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AB2C .  FFD6       CALL ESI
0066AB2E .  50          PUSH EAX
0066AB2F .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB35 .  8BD0       MOV EDX,EAX
0066AB37 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AB3D .  FFD6       CALL ESI
0066AB3F .  50          PUSH EAX
0066AB40 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AB45 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AB4B .  8BD0       MOV EDX,EAX
0066AB4D .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB53 .  FFD6       CALL ESI
0066AB55 .  50          PUSH EAX
0066AB56 .  57          PUSH EDI
0066AB57 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AB59 .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
0066AB5C .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066AB62 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066AB6C .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066AB6F .  FFD6       CALL ESI
0066AB71 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB77 .  51          PUSH ECX
0066AB78 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066AB7E .  52          PUSH EDX
0066AB7F .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AB82 .  50          PUSH EAX
0066AB83 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB86 .  51          PUSH ECX
0066AB87 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AB8A .  52          PUSH EDX
0066AB8B .  6A 05       PUSH 5
0066AB8D .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AB93 .  83C4 18    ADD ESP,18
0066AB96 >  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AB98 .  8B40 60    MOV EAX,DWORD PTR DS:[EAX+60]
0066AB9B .  8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0066ABA1 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ABA4 .  51          PUSH ECX
0066ABA5 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
0066ABA8 .  52          PUSH EDX
0066ABA9 .  57          PUSH EDI
0066ABAA .  FFD0       CALL EAX
0066ABAC .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066ABAF .  C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066ABB6 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066ABB9 .  FFD6       CALL ESI
0066ABBB .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
0066ABBE .  50          PUSH EAX
0066ABBF .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066ABC5 .  FF15 CCB46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>;  MSVBVM50.__vbaFpR8
0066ABCB .  DC1D 18774000 FCOMP QWORD PTR DS:[407718]
0066ABD1 .  DFE0       FSTSW AX
0066ABD3 .  F6C4 40    TEST AH,40
0066ABD6 .  0F84 C4080000 JE ks.0066B4A0
0066ABDC .  BA B0874200 MOV EDX,ks.004287B0                   ;  UNICODE "userinfo"
0066ABE1 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066ABE4 .  FFD3       CALL EBX
0066ABE6 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066ABE9 .  51          PUSH ECX
0066ABEA .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066ABED .  52          PUSH EDX
0066ABEE .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066ABF1 .  50          PUSH EAX
0066ABF2 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066ABF8 .  8BD0       MOV EDX,EAX
0066ABFA .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ABFD .  FFD6       CALL ESI
0066ABFF .  50          PUSH EAX
0066AC00 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AC05 .  68 02000080 PUSH 80000002
0066AC0A .  57          PUSH EDI
0066AC0B .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AC11 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
;SS取得的USERINFO
;Stack SS:[0012F984]=0016D534, (UNICODE "
DEMA?X#FDE=XEG7M8XG;B7FXF$7D;X@D1AM @EMA?X#-;DE=XEGAM8X!-/:BX-D?CLXGC8L< @EMA?X#-DE=XEGAM8X!-/:BX:D?C")
;EDX=001497A8
0066AC14 .  C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AC1B .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066AC1E .  FFD6       CALL ESI
0066AC20 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC23 .  51          PUSH ECX
0066AC24 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066AC27 .  52          PUSH EDX
0066AC28 .  6A 02       PUSH 2
0066AC2A .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AC30 .  83C4 0C    ADD ESP,0C
0066AC33 .  8B45 AC    MOV EAX,DWORD PTR SS:[EBP-54]
0066AC36 .  50          PUSH EAX
0066AC37 .  68 A4B44100 PUSH ks.0041B4A4
0066AC3C .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AC42 .  85C0       TEST EAX,EAX
0066AC44 .  0F85 D1000000 JNZ ks.0066AD1B
0066AC4A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AC4D .  51          PUSH ECX
0066AC4E .  57          PUSH EDI
0066AC4F .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AC51 .  FF50 50    CALL DWORD PTR DS:[EAX+50]
0066AC54 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4
0066AC5E .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066AC64 .  52          PUSH EDX
0066AC65 .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066AC6B .  50          PUSH EAX
0066AC6C .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066AC6F .  51          PUSH ECX
0066AC70 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AC75 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AC7B .  8BD0       MOV EDX,EAX
0066AC7D .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC80 .  FFD6       CALL ESI
0066AC82 .  50          PUSH EAX
0066AC83 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066AC86 .  52          PUSH EDX
0066AC87 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AC8D .  8BD0       MOV EDX,EAX
0066AC8F .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AC92 .  FFD6       CALL ESI
0066AC94 .  50          PUSH EAX
0066AC95 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AC9B .  8BD0       MOV EDX,EAX
0066AC9D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACA3 .  FFD6       CALL ESI
0066ACA5 .  50          PUSH EAX
0066ACA6 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066ACAB .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066ACB1 .  8BD0       MOV EDX,EAX
0066ACB3 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066ACB9 .  FFD6       CALL ESI
0066ACBB .  50          PUSH EAX
0066ACBC .  57          PUSH EDI
0066ACBD .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066ACBF .  FF50 4C    CALL DWORD PTR DS:[EAX+4C]
0066ACC2 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066ACC8 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066ACD2 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066ACD5 .  FFD6       CALL ESI
0066ACD7 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066ACDD .  50          PUSH EAX
0066ACDE .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACE4 .  51          PUSH ECX
0066ACE5 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066ACE8 .  52          PUSH EDX
0066ACE9 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066ACEC .  50          PUSH EAX
0066ACED .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066ACF0 .  51          PUSH ECX
0066ACF1 .  6A 05       PUSH 5
0066ACF3 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066ACF9 .  83C4 18    ADD ESP,18
0066ACFC .  8B55 AC    MOV EDX,DWORD PTR SS:[EBP-54]
0066ACFF .  52          PUSH EDX
0066AD00 .  68 A4B44100 PUSH ks.0041B4A4
0066AD05 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AD0B .  85C0       TEST EAX,EAX
0066AD0D .  75 0C       JNZ SHORT ks.0066AD1B
0066AD0F .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AD16 .  E9 B2070000 JMP ks.0066B4CD
0066AD1B >  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AD1D .  8B40 68    MOV EAX,DWORD PTR DS:[EAX+68]
0066AD20 .  8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0066AD26 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD2C .  51          PUSH ECX
0066AD2D .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
0066AD30 .  52          PUSH EDX
0066AD31 .  57          PUSH EDI
0066AD32 .  FFD0       CALL EAX
0066AD34 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD3A .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066AD40 .  68 3C044200 PUSH ks.0042043C
0066AD45 .  8D45 DC    LEA EAX,DWORD PTR SS:[EBP-24]
0066AD48 .  50          PUSH EAX
0066AD49 .  8B4D AC    MOV ECX,DWORD PTR SS:[EBP-54]
;ecx="1084J-V310H-02B8M-2N7B3-3QB1N-51D48|5084J-VX10H-0248M-TXZO7-X1J69-26M9I|5084J-VX10H-0248M-TXZO7-O1J6"

0066AD4C .  51          PUSH ECX
0066AD4D .  57          PUSH EDI
0066AD4E .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AD50 .  FF50 64    CALL DWORD PTR DS:[EAX+64]
0066AD53 .  8B45 DC    MOV EAX,DWORD PTR SS:[EBP-24]
0066AD56 .  85C0       TEST EAX,EAX
0066AD58 .  74 31       JE SHORT ks.0066AD8B
0066AD5A .  66:8338 01 CMP WORD PTR DS:[EAX],1
0066AD5E .  75 2B       JNZ SHORT ks.0066AD8B
0066AD60 .  50          PUSH EAX
0066AD61 .  6A 01       PUSH 1
0066AD63 .  FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>;  MSVBVM50.__vbaUbound
0066AD69 .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
0066AD6C .  2B41 14    SUB EAX,DWORD PTR DS:[ECX+14]
0066AD6F .  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AD75 .  3B41 10    CMP EAX,DWORD PTR DS:[ECX+10]
0066AD78 .  72 0C       JB SHORT ks.0066AD86
0066AD7A .  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066AD80 .  8B85 34FFFFFF MOV EAX,DWORD PTR SS:[EBP-CC]
0066AD86 >  C1E0 02    SHL EAX,2
0066AD89 .  EB 06       JMP SHORT ks.0066AD91
0066AD8B >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
0066AD91 >  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066AD94 .  8B4A 0C    MOV ECX,DWORD PTR DS:[EDX+C]
0066AD97 .  8B1401       MOV EDX,DWORD PTR DS:[ECX+EAX]
0066AD9A .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066AD9D .  FFD3       CALL EBX
0066AD9F .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
;Stack SS:[0012F9D8]=0016D62C, (UNICODE "5084J-VX10H-0248M-TXZO7-O1J69-26M9I")

0066ADA2 .  52          PUSH EDX
0066ADA3 .  68 A4B44100 PUSH ks.0041B4A4 ;41b4a4好像是空单元,用来比较字符串是否为空
0066ADA8 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066ADAE .  85C0       TEST EAX,EAX
0066ADB0 .  0F84 E1060000 JE ks.0066B497
0066ADB6 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0066ADB9 .  85C0       TEST EAX,EAX
0066ADBB .  75 12       JNZ SHORT ks.0066ADCF
0066ADBD .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
0066ADC0 .  50          PUSH EAX
0066ADC1 .  68 F88C4000 PUSH ks.00408CF8
0066ADC6 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066ADCC .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0066ADCF >  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066ADD5 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066ADD7 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066ADDA .  52          PUSH EDX
0066ADDB .  50          PUSH EAX
0066ADDC .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]
0066ADDF .  85C0       TEST EAX,EAX
0066ADE1 .  7D 15       JGE SHORT ks.0066ADF8
0066ADE3 .  6A 1C       PUSH 1C
0066ADE5 .  68 D4874200 PUSH ks.004287D4
0066ADEA .  8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066ADF0 .  51          PUSH ECX
0066ADF1 .  50          PUSH EAX
0066ADF2 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066ADF8 >  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066ADFB .  85C0       TEST EAX,EAX
0066ADFD .  75 12       JNZ SHORT ks.0066AE11
0066ADFF .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066AE02 .  52          PUSH EDX
0066AE03 .  68 748B4000 PUSH ks.00408B74
0066AE08 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066AE0E .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE11 >  8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066AE17 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066AE19 .  8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE1F .  52          PUSH EDX
0066AE20 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
;ss=5084J-VX10H-0248M-TXZO7-O1J69-26M9I ;这是输入的激活码
0066AE23 .  52          PUSH EDX
0066AE24 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
;ss='4JV10H8M'硬盘序列号
0066AE27 .  52          PUSH EDX
0066AE28 .  50          PUSH EAX
0066AE29 .  FF51 1C    CALL DWORD PTR DS:[ECX+1C]             ;  16e084出现004223
;应该是算字符的CALL,入口666ba0
0066AE2C .  85C0       TEST EAX,EAX
0066AE2E .  7D 15       JGE SHORT ks.0066AE45
0066AE30 .  6A 1C       PUSH 1C
0066AE32 .  68 00874200 PUSH ks.00428700
0066AE37 .  8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
0066AE3D .  51          PUSH ECX
0066AE3E .  50          PUSH EAX
0066AE3F .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AE45 >  33D2       XOR EDX,EDX
0066AE47 .  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AE4F .  0F94C2       SETE DL
0066AE52 .  F7DA       NEG EDX
0066AE54 .  8995 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EDX
0066AE5A .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AE5D .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066AE63 .  66:83BD 24FFF>CMP WORD PTR SS:[EBP-DC],0
0066AE6B .  0F84 1D060000 JE ks.0066B48E
0066AE71 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE74 .  85C0       TEST EAX,EAX
0066AE76 .  75 12       JNZ SHORT ks.0066AE8A
0066AE78 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
0066AE7B .  50          PUSH EAX
0066AE7C .  68 748B4000 PUSH ks.00408B74
0066AE81 .  FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>;  MSVBVM50.__vbaNew2
0066AE87 .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE8A >  8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AE90 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066AE92 .  8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE98 .  52          PUSH EDX
0066AE99 .  8D55 CC    LEA EDX,DWORD PTR SS:[EBP-34]
0066AE9C .  52          PUSH EDX
0066AE9D .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
0066AEA0 .  52          PUSH EDX
0066AEA1 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
0066AEA4 .  52          PUSH EDX
0066AEA5 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066AEA8 .  52          PUSH EDX
0066AEA9 .  8D55 D8    LEA EDX,DWORD PTR SS:[EBP-28]
0066AEAC .  52          PUSH EDX
0066AEAD .  50          PUSH EAX
0066AEAE .  FF51 20    CALL DWORD PTR DS:[ECX+20]
0066AEB1 .  85C0       TEST EAX,EAX
0066AEB3 .  7D 15       JGE SHORT ks.0066AECA
0066AEB5 .  6A 20       PUSH 20
0066AEB7 .  68 00874200 PUSH ks.00428700
0066AEBC .  8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066AEC2 .  51          PUSH ECX
0066AEC3 .  50          PUSH EAX
0066AEC4 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066AECA >  66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 .  0F85 B6050000 JNZ ks.0066B48E
0066AED8 .  66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC .  66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 .  74 0C       JE SHORT ks.0066AEEE
0066AEE2 .  C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 .  E9 DF050000 JMP ks.0066B4CD
0066AEEE >  BA 0C894200 MOV EDX,ks.0042890C                   ;  UNICODE "userinfo1"
0066AEF3 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 .  FFD3       CALL EBX
0066AEF8 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB .  50          PUSH EAX
0066AEFC .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEFF .  51          PUSH ECX
0066AF00 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066AF03 .  52          PUSH EDX
0066AF04 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AF0A .  8BD0       MOV EDX,EAX
0066AF0C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF0F .  FFD6       CALL ESI
0066AF11 .  50          PUSH EAX
0066AF12 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AF17 .  68 02000080 PUSH 80000002
0066AF1C .  57          PUSH EDI
0066AF1D .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AF23 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066AF26 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066AF29 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066AF2C .  FFD3       CALL EBX
0066AF2E .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AF31 .  51          PUSH ECX
0066AF32 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066AF35 .  52          PUSH EDX
0066AF36 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066AF39 .  50          PUSH EAX
0066AF3A .  6A 03       PUSH 3
0066AF3C .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066AF42 .  83C4 10    ADD ESP,10
0066AF45 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF48 .  51          PUSH ECX
0066AF49 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066AF4C .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066AF4F .  50          PUSH EAX
0066AF50 .  57          PUSH EDI
0066AF51 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066AF57 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AF5A .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066AF5D .  83C1 04    ADD ECX,4
0066AF60 .  FFD3       CALL EBX
0066AF62 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF65 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066AF6B .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066AF6E .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066AF71 .  50          PUSH EAX
0066AF72 .  68 A4B44100 PUSH ks.0041B4A4
0066AF77 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066AF7D .  85C0       TEST EAX,EAX
0066AF7F .  0F84 09050000 JE ks.0066B48E
0066AF85 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AF87 .  8B40 50    MOV EAX,DWORD PTR DS:[EAX+50]
0066AF8A .  8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
0066AF90 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066AF93 .  51          PUSH ECX
0066AF94 .  57          PUSH EDI
0066AF95 .  FFD0       CALL EAX
0066AF97 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],1
0066AFA1 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066AFA3 .  8B50 4C    MOV EDX,DWORD PTR DS:[EAX+4C]
0066AFA6 .  8995 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EDX
0066AFAC .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AFB2 .  50          PUSH EAX
0066AFB3 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AFB9 .  51          PUSH ECX
0066AFBA .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066AFBD .  52          PUSH EDX
0066AFBE .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066AFC3 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFC9 .  8BD0       MOV EDX,EAX
0066AFCB .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066AFCE .  FFD6       CALL ESI
0066AFD0 .  50          PUSH EAX
0066AFD1 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066AFD4 .  50          PUSH EAX
0066AFD5 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066AFDB .  8BD0       MOV EDX,EAX
0066AFDD .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066AFE0 .  FFD6       CALL ESI
0066AFE2 .  50          PUSH EAX
0066AFE3 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFE9 .  8BD0       MOV EDX,EAX
0066AFEB .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AFF1 .  FFD6       CALL ESI
0066AFF3 .  50          PUSH EAX
0066AFF4 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066AFF9 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066AFFF .  8BD0       MOV EDX,EAX
0066B001 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B007 .  FFD6       CALL ESI
0066B009 .  50          PUSH EAX
0066B00A .  57          PUSH EDI
0066B00B .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B011 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B017 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B01A .  83C1 08    ADD ECX,8
0066B01D .  FFD3       CALL EBX
0066B01F .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B025 .  52          PUSH EDX
0066B026 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B02C .  50          PUSH EAX
0066B02D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B033 .  51          PUSH ECX
0066B034 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B037 .  52          PUSH EDX
0066B038 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B03B .  50          PUSH EAX
0066B03C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B03F .  51          PUSH ECX
0066B040 .  6A 06       PUSH 6
0066B042 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B048 .  83C4 1C    ADD ESP,1C
0066B04B .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B04E .  52          PUSH EDX
0066B04F .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B052 .  8B48 08    MOV ECX,DWORD PTR DS:[EAX+8]
0066B055 .  51          PUSH ECX
0066B056 .  57          PUSH EDI
0066B057 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B05D .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B060 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B063 .  8D48 08    LEA ECX,DWORD PTR DS:[EAX+8]
0066B066 .  FFD3       CALL EBX
0066B068 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B06B .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B071 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B074 .  8B51 08    MOV EDX,DWORD PTR DS:[ECX+8]
0066B077 .  52          PUSH EDX
0066B078 .  68 A4B44100 PUSH ks.0041B4A4
0066B07D .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B083 .  85C0       TEST EAX,EAX
0066B085 .  0F84 03040000 JE ks.0066B48E
0066B08B .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B08E .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B091 .  51          PUSH ECX
0066B092 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0066B095 .  52          PUSH EDX
0066B096 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B09C .  85C0       TEST EAX,EAX
0066B09E .  0F85 EA030000 JNZ ks.0066B48E
0066B0A4 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B0A7 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B0AA .  51          PUSH ECX
0066B0AB .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066B0B1 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
0066B0B7 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0066B0BA .  BA A4B44100 MOV EDX,ks.0041B4A4
0066B0BF .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B0C2 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066B0C5 .  FFD3       CALL EBX
0066B0C7 .  BA A4B44100 MOV EDX,ks.0041B4A4
0066B0CC .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B0CF .  83C1 08    ADD ECX,8
0066B0D2 .  FFD3       CALL EBX
0066B0D4 .  BA 24894200 MOV EDX,ks.00428924                   ;  UNICODE "userinfo2"
0066B0D9 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B0DC .  FFD3       CALL EBX
0066B0DE .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B0E1 .  52          PUSH EDX
0066B0E2 .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B0E5 .  50          PUSH EAX
0066B0E6 .  8B4D 0C    MOV ECX,DWORD PTR SS:[EBP+C]
0066B0E9 .  51          PUSH ECX
0066B0EA .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B0F0 .  8BD0       MOV EDX,EAX
0066B0F2 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B0F5 .  FFD6       CALL ESI
0066B0F7 .  50          PUSH EAX
0066B0F8 .  68 84B54100 PUSH ks.0041B584                      ;  UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066B0FD .  68 02000080 PUSH 80000002
0066B102 .  57          PUSH EDI
0066B103 .  FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066B109 .  8B55 80    MOV EDX,DWORD PTR SS:[EBP-80]
0066B10C .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B10F .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
0066B112 .  FFD3       CALL EBX
0066B114 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B117 .  51          PUSH ECX
0066B118 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066B11B .  52          PUSH EDX
0066B11C .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066B11F .  50          PUSH EAX
0066B120 .  6A 03       PUSH 3
0066B122 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B128 .  83C4 10    ADD ESP,10
0066B12B .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B12E .  51          PUSH ECX
0066B12F .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B132 .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B135 .  50          PUSH EAX
0066B136 .  57          PUSH EDI
0066B137 .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B13D .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B140 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B143 .  83C1 04    ADD ECX,4
0066B146 .  FFD3       CALL EBX
0066B148 .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B14B .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B151 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B154 .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B157 .  50          PUSH EAX
0066B158 .  68 A4B44100 PUSH ks.0041B4A4
0066B15D .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B163 .  85C0       TEST EAX,EAX
0066B165 .  0F84 23030000 JE ks.0066B48E
0066B16B .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B16E .  51          PUSH ECX
0066B16F .  57          PUSH EDI
0066B170 .  FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B176 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],2
0066B180 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B186 .  52          PUSH EDX
0066B187 .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066B18D .  50          PUSH EAX
0066B18E .  8B4D 88    MOV ECX,DWORD PTR SS:[EBP-78]
0066B191 .  51          PUSH ECX
0066B192 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066B197 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B19D .  8BD0       MOV EDX,EAX
0066B19F .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B1A2 .  FFD6       CALL ESI
0066B1A4 .  50          PUSH EAX
0066B1A5 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
0066B1A8 .  52          PUSH EDX
0066B1A9 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B1AF .  8BD0       MOV EDX,EAX
0066B1B1 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B1B4 .  FFD6       CALL ESI
0066B1B6 .  50          PUSH EAX
0066B1B7 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B1BD .  8BD0       MOV EDX,EAX
0066B1BF .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B1C5 .  FFD6       CALL ESI
0066B1C7 .  50          PUSH EAX
0066B1C8 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066B1CD .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B1D3 .  8BD0       MOV EDX,EAX
0066B1D5 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B1DB .  FFD6       CALL ESI
0066B1DD .  50          PUSH EAX
0066B1DE .  57          PUSH EDI
0066B1DF .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B1E5 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B1EB .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B1EE .  8D48 08    LEA ECX,DWORD PTR DS:[EAX+8]
0066B1F1 .  FFD3       CALL EBX
0066B1F3 .  8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0066B1F9 .  51          PUSH ECX
0066B1FA .  8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
0066B200 .  52          PUSH EDX
0066B201 .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0066B207 .  50          PUSH EAX
0066B208 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B20B .  51          PUSH ECX
0066B20C .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066B20F .  52          PUSH EDX
0066B210 .  8D45 88    LEA EAX,DWORD PTR SS:[EBP-78]
0066B213 .  50          PUSH EAX
0066B214 .  6A 06       PUSH 6
0066B216 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B21C .  83C4 1C    ADD ESP,1C
0066B21F .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B222 .  51          PUSH ECX
0066B223 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B226 .  8B42 08    MOV EAX,DWORD PTR DS:[EDX+8]
0066B229 .  50          PUSH EAX
0066B22A .  57          PUSH EDI
0066B22B .  FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B231 .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B234 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B237 .  83C1 08    ADD ECX,8
0066B23A .  FFD3       CALL EBX
0066B23C .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B23F .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066B245 .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B248 .  8B42 08    MOV EAX,DWORD PTR DS:[EDX+8]
0066B24B .  50          PUSH EAX
0066B24C .  68 A4B44100 PUSH ks.0041B4A4
0066B251 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B257 .  85C0       TEST EAX,EAX
0066B259 .  0F84 2F020000 JE ks.0066B48E
0066B25F .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B262 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B265 .  51          PUSH ECX
0066B266 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0066B269 .  52          PUSH EDX
0066B26A .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066B270 .  85C0       TEST EAX,EAX
0066B272 .  0F85 2F020000 JNZ ks.0066B4A7
0066B278 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B27B .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0066B27E .  51          PUSH ECX
0066B27F .  FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ;  MSVBVM50.rtcR8ValFromBstr
0066B285 .  FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>;  MSVBVM50.__vbaFpI2
0066B28B .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
0066B28E .  8B4D 8C    MOV ECX,DWORD PTR SS:[EBP-74]
0066B291 .  66:85C9    TEST CX,CX
0066B294 .  0F8E EB010000 JLE ks.0066B485
0066B29A .  66:85C0    TEST AX,AX
0066B29D .  0F8E E2010000 JLE ks.0066B485
0066B2A3 .  66:837D 18 FF CMP WORD PTR SS:[EBP+18],0FFFF
0066B2A8 .  0F85 CE010000 JNZ ks.0066B47C
0066B2AE .  66:49       DEC CX
0066B2B0 .  0F80 F7020000 JO ks.0066B5AD
0066B2B6 .  894D 8C    MOV DWORD PTR SS:[EBP-74],ECX
0066B2B9 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B2BC .  52          PUSH EDX
0066B2BD .  57          PUSH EDI
0066B2BE .  FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B2C4 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],3
0066B2CE .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B2D4 .  50          PUSH EAX
0066B2D5 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B2DB .  51          PUSH ECX
0066B2DC .  8B55 88    MOV EDX,DWORD PTR SS:[EBP-78]
0066B2DF .  52          PUSH EDX
0066B2E0 .  68 7C874200 PUSH ks.0042877C                      ;  UNICODE "Microsoft\MSJET"
0066B2E5 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B2EB .  8BD0       MOV EDX,EAX
0066B2ED .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B2F0 .  FFD6       CALL ESI
0066B2F2 .  50          PUSH EAX
0066B2F3 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066B2F6 .  50          PUSH EAX
0066B2F7 .  FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>;  MSVBVM50.__vbaStrI2
0066B2FD .  8BD0       MOV EDX,EAX
0066B2FF .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
0066B302 .  FFD6       CALL ESI
0066B304 .  50          PUSH EAX
0066B305 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B30B .  8BD0       MOV EDX,EAX
0066B30D .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B313 .  FFD6       CALL ESI
0066B315 .  50          PUSH EAX
0066B316 .  68 A0874200 PUSH ks.004287A0                      ;  UNICODE ".INI"
0066B31B .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
0066B321 .  8BD0       MOV EDX,EAX
0066B323 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B329 .  FFD6       CALL ESI
0066B32B .  50          PUSH EAX
0066B32C .  57          PUSH EDI
0066B32D .  FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B333 .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B339 .  8B4D A0    MOV ECX,DWORD PTR SS:[EBP-60]
0066B33C .  83C1 04    ADD ECX,4
0066B33F .  FFD3       CALL EBX
0066B341 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B347 .  52          PUSH EDX
0066B348 .  8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B34E .  50          PUSH EAX
0066B34F .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B355 .  51          PUSH ECX
0066B356 .  8D55 80    LEA EDX,DWORD PTR SS:[EBP-80]
0066B359 .  52          PUSH EDX
0066B35A .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0066B35D .  50          PUSH EAX
0066B35E .  8D4D 88    LEA ECX,DWORD PTR SS:[EBP-78]
0066B361 .  51          PUSH ECX
0066B362 .  6A 06       PUSH 6
0066B364 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B36A .  83C4 1C    ADD ESP,1C
0066B36D .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B373 .  52          PUSH EDX
0066B374 .  8B45 A0    MOV EAX,DWORD PTR SS:[EBP-60]
0066B377 .  83C0 04    ADD EAX,4
0066B37A .  50          PUSH EAX
0066B37B .  57          PUSH EDI
0066B37C .  FF95 F4FEFFFF CALL DWORD PTR SS:[EBP-10C]
0066B382 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B388 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B38E .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B394 .  51          PUSH ECX
0066B395 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066B39B .  8B55 A0    MOV EDX,DWORD PTR SS:[EBP-60]
0066B39E .  8B42 04    MOV EAX,DWORD PTR DS:[EDX+4]
0066B3A1 .  50          PUSH EAX
0066B3A2 .  FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>;  MSVBVM50.__vbaDateStr
0066B3A8 .  DD9D 48FFFFFF FSTP QWORD PTR SS:[EBP-B8]
0066B3AE .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],8007
0066B3B8 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3BE .  51          PUSH ECX
0066B3BF .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0066B3C5 .  52          PUSH EDX
0066B3C6 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
0066B3CC .  8BD8       MOV EBX,EAX
0066B3CE .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3D4 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066B3DA .  66:85DB    TEST BX,BX
0066B3DD .  74 0F       JE SHORT ks.0066B3EE
0066B3DF .  66:8B45 B4 MOV AX,WORD PTR SS:[EBP-4C]
0066B3E3 .  66:48       DEC AX
0066B3E5 .  0F80 C2010000 JO ks.0066B5AD
0066B3EB .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
0066B3EE >  8B4D 8C    MOV ECX,DWORD PTR SS:[EBP-74]
0066B3F1 .  51          PUSH ECX
0066B3F2 .  8B1D B0B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrI2
0066B3F8 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrI2>
0066B3FA .  8BD0       MOV EDX,EAX
0066B3FC .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066B3FF .  FFD6       CALL ESI
0066B401 .  8B55 B4    MOV EDX,DWORD PTR SS:[EBP-4C]
0066B404 .  52          PUSH EDX
0066B405 .  FFD3       CALL EBX
0066B407 .  8BD0       MOV EDX,EAX
0066B409 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066B40C .  FFD6       CALL ESI
0066B40E .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B414 .  50          PUSH EAX
0066B415 .  FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>]    ;  MSVBVM50.rtcGetDateVar
0066B41B .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B421 .  51          PUSH ECX
0066B422 .  FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>;  MSVBVM50.__vbaStrErrVarCopy
0066B428 .  8BD0       MOV EDX,EAX
0066B42A .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066B42D .  FFD6       CALL ESI
0066B42F .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B435 .  52          PUSH EDX
0066B436 .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B43C .  50          PUSH EAX
0066B43D .  6A 02       PUSH 2
0066B43F .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066B445 .  83C4 0C    ADD ESP,0C
0066B448 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B44E .  51          PUSH ECX
0066B44F .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
0066B452 .  52          PUSH EDX
0066B453 .  8B45 0C    MOV EAX,DWORD PTR SS:[EBP+C]
0066B456 .  50          PUSH EAX
0066B457 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
0066B45A .  51          PUSH ECX
0066B45B .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066B45E .  52          PUSH EDX
0066B45F .  8B45 B0    MOV EAX,DWORD PTR SS:[EBP-50]
0066B462 .  50          PUSH EAX
0066B463 .  57          PUSH EDI
0066B464 .  8B07       MOV EAX,DWORD PTR DS:[EDI]
0066B466 .  FF50 28    CALL DWORD PTR DS:[EAX+28]
0066B469 .  85C0       TEST EAX,EAX
0066B46B .  7D 0F       JGE SHORT ks.0066B47C
0066B46D .  6A 28       PUSH 28
0066B46F .  68 C4E94100 PUSH ks.0041E9C4
0066B474 .  57          PUSH EDI
0066B475 .  50          PUSH EAX
0066B476 .  FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
0066B47C >  C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0066B483 .  EB 48       JMP SHORT ks.0066B4CD
0066B485 >  C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B48C .  EB 3F       JMP SHORT ks.0066B4CD
0066B48E >  C745 B8 EB030>MOV DWORD PTR SS:[EBP-48],3EB
0066B495 .  EB 10       JMP SHORT ks.0066B4A7
0066B497 >  C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B49E .  EB 07       JMP SHORT ks.0066B4A7
0066B4A0 >  C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066B4A7 >  FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>]    ;  MSVBVM50.rtcErrObj
0066B4AD .  50          PUSH EAX
0066B4AE .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4B4 .  51          PUSH ECX
0066B4B5 .  FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
0066B4BB .  8B10       MOV EDX,DWORD PTR DS:[EAX]
0066B4BD .  50          PUSH EAX
0066B4BE .  FF52 48    CALL DWORD PTR DS:[EDX+48]
0066B4C1 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4C7 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
0066B4CD >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
0066B4D3 .  9B          WAIT
0066B4D4 .  68 84B56600 PUSH ks.0066B584
0066B4D9 .  EB 52       JMP SHORT ks.0066B52D
0066B4DB .  8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B4E1 .  50          PUSH EAX
0066B4E2 .  8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B4E8 .  51          PUSH ECX
0066B4E9 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066B4EF .  52          PUSH EDX
0066B4F0 .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
0066B4F3 .  50          PUSH EAX
0066B4F4 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
0066B4F7 .  51          PUSH ECX
0066B4F8 .  8D55 88    LEA EDX,DWORD PTR SS:[EBP-78]
0066B4FB .  52          PUSH EDX
0066B4FC .  6A 06       PUSH 6
0066B4FE .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066B504 .  83C4 1C    ADD ESP,1C
0066B507 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B50D .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
0066B513 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
0066B519 .  50          PUSH EAX
0066B51A .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B520 .  51          PUSH ECX
0066B521 .  6A 02       PUSH 2
0066B523 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066B529 .  83C4 0C    ADD ESP,0C
0066B52C .  C3          RETN
0066B52D >  8D55 DC    LEA EDX,DWORD PTR SS:[EBP-24]
0066B530 .  52          PUSH EDX
0066B531 .  6A 00       PUSH 0
0066B533 .  8B3D 50B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaAr>;  MSVBVM50.__vbaAryDestruct
0066B539 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaAryDestruct>
0066B53B .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066B53E .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
0066B544 .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
0066B546 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066B549 .  FFD6       CALL ESI
0066B54B .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066B54E .  FFD6       CALL ESI
0066B550 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
0066B553 .  8B1D 14B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeObj
0066B559 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaFreeObj>
0066B55B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066B55E .  FFD6       CALL ESI
0066B560 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
0066B563 .  FFD3       CALL EBX
0066B565 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0066B568 .  FFD6       CALL ESI
0066B56A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066B56D .  FFD6       CALL ESI
0066B56F .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066B572 .  8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EAX
0066B578 .  8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0066B57E .  51          PUSH ECX
0066B57F .  6A 00       PUSH 0
0066B581 .  FFD7       CALL EDI
0066B583 .  C3          RETN

....
00666F84 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
00666F8A .  50          PUSH EAX
00666F8B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00666F8E .  51          PUSH ECX
00666F8F .  FFD7       CALL EDI
00666F91 .  50          PUSH EAX
00666F92 .  56          PUSH ESI
00666F93 .  FF53 34    CALL DWORD PTR DS:[EBX+34]
00666F96 .  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],ks.0042872C ;  UNICODE "000"
00666FA0 .  C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],8
00666FAA .  8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00666FB0 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
00666FB3 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
00666FB9 .  66:8B95 8CFEF>MOV DX,WORD PTR SS:[EBP-174]
00666FC0 .  66:8955 98 MOV WORD PTR SS:[EBP-68],DX
00666FC4 .  C745 90 02000>MOV DWORD PTR SS:[EBP-70],2
00666FCB .  6A 01       PUSH 1
00666FCD .  6A 01       PUSH 1
00666FCF .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
00666FD2 .  50          PUSH EAX
00666FD3 .  8D4D 90    LEA ECX,DWORD PTR SS:[EBP-70]
00666FD6 .  51          PUSH ECX
00666FD7 .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00666FDD .  52          PUSH EDX
00666FDE .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00666FE4 .  C785 98FEFFFF>MOV DWORD PTR SS:[EBP-168],ks.0042872C ;  UNICODE "000"
00666FEE .  C785 90FEFFFF>MOV DWORD PTR SS:[EBP-170],8
00666FF8 .  8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170]
00666FFE .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00667004 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
0066700A .  66:8B85 88FEF>MOV AX,WORD PTR SS:[EBP-178] ;12F754=>0D9H=217
00667011 .  66:8985 48FFF>MOV WORD PTR SS:[EBP-B8],AX
00667018 .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],2
00667022 .  6A 01       PUSH 1
00667024 .  6A 01       PUSH 1
00667026 .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
0066702C .  51          PUSH ECX
0066702D .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
00667033 .  52          PUSH EDX
-------------------------------------------------------------------------------
▲文件:1-666BA0.txt
-------------------------------------------------------------------------------
00666BA0.....
00666BF2 .  897D B0    MOV DWORD PTR SS:[EBP-50],EDI
00666BF5 .  897D A0    MOV DWORD PTR SS:[EBP-60],EDI
00666BF8 .  897D 90    MOV DWORD PTR SS:[EBP-70],EDI
00666BFB .  897D 80    MOV DWORD PTR SS:[EBP-80],EDI
00666BFE .  89BD 70FFFFFF MOV DWORD PTR SS:[EBP-90],EDI
00666C04 .  89BD 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EDI
00666C0A .  89BD 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EDI
00666C10 .  89BD 40FFFFFF MOV DWORD PTR SS:[EBP-C0],EDI
00666C16 .  89BD 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EDI
00666C1C .  89BD 20FFFFFF MOV DWORD PTR SS:[EBP-E0],EDI
00666C22 .  89BD 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EDI
00666C28 .  89BD 00FFFFFF MOV DWORD PTR SS:[EBP-100],EDI
00666C2E .  89BD E0FEFFFF MOV DWORD PTR SS:[EBP-120],EDI
00666C34 .  89BD D0FEFFFF MOV DWORD PTR SS:[EBP-130],EDI
00666C3A .  89BD C0FEFFFF MOV DWORD PTR SS:[EBP-140],EDI
00666C40 .  89BD 90FEFFFF MOV DWORD PTR SS:[EBP-170],EDI
00666C46 .  89BD 8CFEFFFF MOV DWORD PTR SS:[EBP-174],EDI
00666C4C .  89BD 88FEFFFF MOV DWORD PTR SS:[EBP-178],EDI
00666C52 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00666C55 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00666C58 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00666C5E .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
00666C61 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666C64 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00666C6A .  6A 01       PUSH 1
00666C6C .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
00666C72 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00666C75 .  8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00666C7B .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666C85 .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00666C8B .  51          PUSH ECX
00666C8C .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
00666C8F .  52          PUSH EDX
00666C90 .  FF15 F8B46800 CALL DWORD PTR DS:[<&MSVBVM50.#528>]    ;  MSVBVM50.rtcUpperCaseVar
00666C96 .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00666C99 .  50          PUSH EAX
00666C9A .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
00666CA0 .  8BD0       MOV EDX,EAX
;eax=5084J-VX10H-0248M-TXZO7-O1J69-26M9I ;这是输入的激活码
00666CA2 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666CA5 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00666CAB .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00666CAE .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00666CB4 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
00666CB7 .  51          PUSH ECX
00666CB8 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
00666CBE .  83F8 23    CMP EAX,23 ;是23h=35个字符吗?
00666CC1 .  0F85 B4050000 JNZ ks.0066727B ;不是就不对
00666CC7 .  C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],-1
00666CD1 .  8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00666CD7 .  52          PUSH EDX
00666CD8 .  68 9C414200 PUSH ks.0042419C ;42419c=2Dh就是字符"-"
00666CDD .  8D45 E0    LEA EAX,DWORD PTR SS:[EBP-20]
00666CE0 .  50          PUSH EAX
00666CE1 .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
00666CE4 .  51          PUSH ECX
00666CE5 .  56          PUSH ESI
00666CE6 .  FF53 40    CALL DWORD PTR DS:[EBX+40]
;复杂运算CALL 入口:668ef0
00666CE9 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
00666CEC .  52          PUSH EDX
00666CED .  6A 01       PUSH 1
00666CEF .  8B1D D8B56800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaUb>;  MSVBVM50.__vbaUbound
00666CF5 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaUbound>
00666CF7 .  83F8 06    CMP EAX,6
00666CFA .  0F85 7B050000 JNZ ks.0066727B
00666D00 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
00666D03 .  50          PUSH EAX
00666D04 .  6A 01       PUSH 1
00666D06 .  FFD3       CALL EBX
00666D08 .  8BC8       MOV ECX,EAX
00666D0A .  FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>;  MSVBVM50.__vbaI2I4
00666D10 .  8985 7CFEFFFF MOV DWORD PTR SS:[EBP-184],EAX
00666D16 .  BB 01000000 MOV EBX,1
00666D1B .  895D DC    MOV DWORD PTR SS:[EBP-24],EBX
__>00666D1E >  66:3B9D 7CFEF>CMP BX,WORD PTR SS:[EBP-184]
00666D25 .  7F 61       JG SHORT ks.00666D88
00666D27 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00666D2A .  3BCF       CMP ECX,EDI
00666D2C .  74 26       JE SHORT ks.00666D54
00666D2E .  66:8339 01 CMP WORD PTR DS:[ECX],1
00666D32 .  75 20       JNZ SHORT ks.00666D54
00666D34 .  0FBFDB       MOVSX EBX,BX
00666D37 .  2B59 14    SUB EBX,DWORD PTR DS:[ECX+14]
00666D3A .  3B59 10    CMP EBX,DWORD PTR DS:[ECX+10]
00666D3D .  72 09       JB SHORT ks.00666D48
00666D3F .  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
00666D45 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00666D48 >  8D049D 000000>LEA EAX,DWORD PTR DS:[EBX*4]
00666D4F .  8B5D DC    MOV EBX,DWORD PTR SS:[EBP-24]
00666D52 .  EB 09       JMP SHORT ks.00666D5D
00666D54 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
00666D5A .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00666D5D >  8B49 0C    MOV ECX,DWORD PTR DS:[ECX+C]
00666D60 .  8B1401       MOV EDX,DWORD PTR DS:[ECX+EAX]
00666D63 .  52          PUSH EDX
00666D64 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
;len "5084J"
00666D6A .  83F8 05    CMP EAX,5 ;是5个字符吗?
00666D6D .  0F85 08050000 JNZ ks.0066727B
00666D73 .  B8 01000000 MOV EAX,1
00666D78 .  66:03C3    ADD AX,BX
00666D7B .  0F80 B2050000 JO ks.00667333
00666D81 .  8945 DC    MOV DWORD PTR SS:[EBP-24],EAX
00666D84 .  8BD8       MOV EBX,EAX
__>00666D86 .^ EB 96       JMP SHORT ks.00666D1E ;循环检查每6个字符里的字符是否为5个
00666D88 >  66:897E 34 MOV WORD PTR DS:[ESI+34],DI
00666D8C .  66:897E 36 MOV WORD PTR DS:[ESI+36],DI
00666D90 .  66:897E 38 MOV WORD PTR DS:[ESI+38],DI
00666D94 .  66:897E 3A MOV WORD PTR DS:[ESI+3A],DI
00666D98 .  66:897E 3C MOV WORD PTR DS:[ESI+3C],DI
00666D9C .  8B1E       MOV EBX,DWORD PTR DS:[ESI]
00666D9E .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00666DA1 .  50          PUSH EAX
00666DA2 .  6A 01       PUSH 1
00666DA4 .  68 A4B44100 PUSH ks.0041B4A4
00666DA9 .  68 9C414200 PUSH ks.0042419C
00666DAE .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38]
;Stack SS:[0012F894]=0016D9B4, (UNICODE "5084J-VX10H-0248M-TXZO7-O1J69-26M9I")
00666DB1 .  51          PUSH ECX
00666DB2 .  56          PUSH ESI
00666DB3 .  FF53 44    CALL DWORD PTR DS:[EBX+44] ;call到669405
00666DB6 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
00666DB9 .  52          PUSH EDX
00666DBA .  8B45 C4    MOV EAX,DWORD PTR SS:[EBP-3C]
00666DBD .  50          PUSH EAX
;EAX=0016C344  UNICODE "5084JVX10H0248MTXZO7O1J6926M9I" 去掉了'-'
00666DBE .  56          PUSH ESI
00666DBF .  FF53 28    CALL DWORD PTR DS:[EBX+28]
00666DC2 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
00666DC5 .  897D C0    MOV DWORD PTR SS:[EBP-40],EDI
00666DC8 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666DCB .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00666DD1 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00666DD4 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00666DDA .  C745 B8 0F000>MOV DWORD PTR SS:[EBP-48],0F
00666DE1 .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00666DE8 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666DEB .  898D 08FFFFFF MOV DWORD PTR SS:[EBP-F8],ECX
00666DF1 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666DFB .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
00666DFE .  52          PUSH EDX
00666DFF .  6A 01       PUSH 1
00666E01 .  8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
00666E07 .  50          PUSH EAX
00666E08 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00666E0B .  51          PUSH ECX
00666E0C .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取左0FH(15)个字符UNICODE "I9M6296J1O7OZXTM8420H01XVJ4805"
;I9M6296J1O7OZXT,结果在[esp-20]
00666E12 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
;EDX=1Eh=30
00666E15 .  52          PUSH EDX
00666E16 .  6A FE       PUSH -2
00666E18 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00666E1B .  50          PUSH EAX
00666E1C .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00666E1F .  51          PUSH ECX
00666E20 .  8B3D DCB56800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrVarVal
00666E26 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrVarVal>
;EAX=0016B9D4  UNICODE "I9M6296J1O7OZXT"翻转后的前半部分
00666E28 .  50          PUSH EAX
00666E29 .  56          PUSH ESI
00666E2A .  FF53 2C    CALL DWORD PTR DS:[EBX+2C]
00666E2D .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
;edx=0016B98C  UNICODE "G7K4074H9M5MXVR"翻转后的后半部分
00666E30 .  52          PUSH EDX
00666E31 .  6A 01       PUSH 1
00666E33 .  6A 0F       PUSH 0F
00666E35 .  8B45 C0    MOV EAX,DWORD PTR SS:[EBP-40]
00666E38 .  50          PUSH EAX
00666E39 .  6A 00       PUSH 0
00666E3B .  FF15 08B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaMidSt>;  MSVBVM50.__vbaMidStmtBstr
00666E41 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00666E44 .  51          PUSH ECX
00666E45 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00666E48 .  52          PUSH EDX
00666E49 .  6A 02       PUSH 2
00666E4B .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00666E51 .  83C4 0C    ADD ESP,0C
00666E54 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00666E57 .  50          PUSH EAX
00666E58 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00666E5B .  51          PUSH ECX
00666E5C .  6A 02       PUSH 2
00666E5E .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00666E64 .  83C4 0C    ADD ESP,0C
00666E67 .  C745 B8 04000>MOV DWORD PTR SS:[EBP-48],80020004
00666E6E .  C745 B0 0A000>MOV DWORD PTR SS:[EBP-50],0A
00666E75 .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
00666E78 .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
00666E7E .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666E88 .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00666E8B .  50          PUSH EAX
00666E8C .  6A 10       PUSH 10
00666E8E .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
00666E94 .  51          PUSH ECX
00666E95 .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
00666E98 .  52          PUSH EDX
00666E99 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取UNICODE "G7K4074H9M5MXVRM8420H01XVJ4805"右8个字符M8420H01XVJ4805,结果在[esp-20]
;EDX=1E=30
00666E9F .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
00666EA2 .  50          PUSH EAX
00666EA3 .  6A FC       PUSH -4
00666EA5 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00666EA8 .  51          PUSH ECX
00666EA9 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00666EAC .  52          PUSH EDX
00666EAD .  FFD7       CALL EDI
00666EAF .  50          PUSH EAX
00666EB0 .  56          PUSH ESI
00666EB1 .  FF53 2C    CALL DWORD PTR DS:[EBX+2C]
00666EB4 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
;EDX=0016B9D4  UNICODE "I4086D67TRF0461"
00666EB7 .  50          PUSH EAX
00666EB8 .  6A 10       PUSH 10
00666EBA .  68 FFFFFF3F PUSH 3FFFFFFF
00666EBF .  8B4D C0    MOV ECX,DWORD PTR SS:[EBP-40]
00666EC2 .  51          PUSH ECX
00666EC3 .  6A 00       PUSH 0
00666EC5 .  FF15 08B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaMidSt>;  MSVBVM50.__vbaMidStmtBstr
00666ECB .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
00666ECE .  52          PUSH EDX
00666ECF .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00666ED2 .  50          PUSH EAX
00666ED3 .  6A 02       PUSH 2
00666ED5 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00666EDB .  83C4 0C    ADD ESP,0C
00666EDE .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
00666EE1 .  51          PUSH ECX
00666EE2 .  8D55 B0    LEA EDX,DWORD PTR SS:[EBP-50]
00666EE5 .  52          PUSH EDX
00666EE6 .  6A 02       PUSH 2
00666EE8 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00666EEE .  83C4 0C    ADD ESP,0C
00666EF1 .  B8 02000000 MOV EAX,2
00666EF6 .  8945 B8    MOV DWORD PTR SS:[EBP-48],EAX
00666EF9 .  8945 B0    MOV DWORD PTR SS:[EBP-50],EAX
00666EFC .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00666EFF .  8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00666F05 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00666F0F .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00666F12 .  51          PUSH ECX
00666F13 .  6A 1B       PUSH 1B
00666F15 .  8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00666F1B .  52          PUSH EDX
00666F1C .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00666F1F .  50          PUSH EAX
00666F20 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;EDX=04应该是"I4086D67TRF0461"中倒数后3,4位"04"变的
;不对应该是取上字符串的"04",结果在[esp-20]
00666F26 .  8D8D 8CFEFFFF LEA ECX,DWORD PTR SS:[EBP-174]
00666F2C .  51          PUSH ECX
00666F2D .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
00666F30 .  52          PUSH EDX
00666F31 .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
;EAX=156994 UNICODE"04"
00666F34 .  50          PUSH EAX
00666F35 .  FFD7       CALL EDI
00666F37 .  50          PUSH EAX
00666F38 .  56          PUSH ESI
00666F39 .  FF53 34    CALL DWORD PTR DS:[EBX+34] ;判断"04"是否是数字,并转换为数字
00666F3C .  B8 02000000 MOV EAX,2
00666F41 .  8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX
00666F47 .  8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
00666F4D .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00666F50 .  898D C8FEFFFF MOV DWORD PTR SS:[EBP-138],ECX
00666F56 .  C785 C0FEFFFF>MOV DWORD PTR SS:[EBP-140],4008
00666F60 .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
00666F66 .  52          PUSH EDX
00666F67 .  6A 1D       PUSH 1D
00666F69 .  8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00666F6F .  50          PUSH EAX
00666F70 .  8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00666F76 .  51          PUSH ECX
00666F77 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
00666F7D .  8D95 88FEFFFF LEA EDX,DWORD PTR SS:[EBP-178]
00666F83 .  52          PUSH EDX
00666F84 .  8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
00666F8A .  50          PUSH EAX
00666F8B .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00666F8E .  51          PUSH ECX
00666F8F .  FFD7       CALL EDI
;EAX=16DBBC UNICODE"61"
00666F91 .  50          PUSH EAX
00666F92 .  56          PUSH ESI
00666F93 .  FF53 34    CALL DWORD PTR DS:[EBX+34] ;call668130
;判断"61"是否是数字,如果不是则-37h变为数字,例如"E"不是数字,ASC码为45h,45h-37h=0Eh,0E即为结果
00666F96 .  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],ks.0042872C ;  UNICODE "000"
00666FA0 .  C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],8
00666FAA .  8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00666FB0 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
00666FB3 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
00666FB9 .  66:8B95 8CFEF>MOV DX,WORD PTR SS:[EBP-174]
;DX=04H
00666FC0 .  66:8955 98 MOV WORD PTR SS:[EBP-68],DX
00666FC4 .  C745 90 02000>MOV DWORD PTR SS:[EBP-70],2
00666FCB .  6A 01       PUSH 1
00666FCD .  6A 01       PUSH 1
00666FCF .  8D45 80    LEA EAX,DWORD PTR SS:[EBP-80]
00666FD2 .  50          PUSH EAX
00666FD3 .  8D4D 90    LEA ECX,DWORD PTR SS:[EBP-70]
00666FD6 .  51          PUSH ECX
00666FD7 .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00666FDD .  52          PUSH EDX
00666FDE .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
00666FE4 .  C785 98FEFFFF>MOV DWORD PTR SS:[EBP-168],ks.0042872C ;  UNICODE "000"
00666FEE .  C785 90FEFFFF>MOV DWORD PTR SS:[EBP-170],8
00666FF8 .  8D95 90FEFFFF LEA EDX,DWORD PTR SS:[EBP-170]
00666FFE .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00667004 .  FF15 8CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
;Stack SS:[0012F754]=00D9=217 为校验码的一部分
0066700A .  66:8B85 88FEF>MOV AX,WORD PTR SS:[EBP-178]
00667011 .  66:8985 48FFF>MOV WORD PTR SS:[EBP-B8],AX
00667018 .  C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],2
00667022 .  6A 01       PUSH 1
00667024 .  6A 01       PUSH 1
00667026 .  8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
0066702C .  51          PUSH ECX
0066702D .  8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
00667033 .  52          PUSH EDX
00667034 .  8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
0066703A .  50          PUSH EAX
0066703B .  FF15 30B46800 CALL DWORD PTR DS:[<&MSVBVM50.#660>]    ;  MSVBVM50.rtcVarFromFormatVar
;上面函数的数字该在ebp-0b8
00667041 .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
00667047 .  51          PUSH ECX                               ;  将要生成校验码
00667048 .  8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
0066704E .  52          PUSH EDX
0066704F .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667055 .  50          PUSH EAX
00667056 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
0066705C .  50          PUSH EAX
0066705D .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
;EAX=16E1C4 UNICODE"004217"
00667063 .  8BD0       MOV EDX,EAX
00667065 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00667068 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066706E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667071 .  51          PUSH ECX
00667072 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667075 .  52          PUSH EDX
00667076 .  6A 02       PUSH 2
00667078 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066707E .  83C4 0C    ADD ESP,0C
00667081 .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
00667087 .  50          PUSH EAX
00667088 .  8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
0066708E .  51          PUSH ECX
0066708F .  8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
00667095 .  52          PUSH EDX
00667096 .  8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
0066709C .  50          PUSH EAX
0066709D .  8D8D 40FFFFFF LEA ECX,DWORD PTR SS:[EBP-C0]
006670A3 .  51          PUSH ECX
006670A4 .  8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
006670AA .  52          PUSH EDX
006670AB .  8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
006670B1 .  50          PUSH EAX
006670B2 .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
006670B5 .  51          PUSH ECX
006670B6 .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
006670B9 .  52          PUSH EDX
006670BA .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
006670BD .  50          PUSH EAX
006670BE .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
006670C1 .  51          PUSH ECX
006670C2 .  6A 0B       PUSH 0B
006670C4 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006670CA .  83C4 30    ADD ESP,30
006670CD .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
006670D0 .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006670D6 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006670E0 .  6A 1A       PUSH 1A
006670E2 .  8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
006670E8 .  50          PUSH EAX
006670E9 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
006670EC .  51          PUSH ECX
006670ED .  FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>]    ;  MSVBVM50.rtcLeftCharVar
006670F3 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
006670F6 .  52          PUSH EDX
006670F7 .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
006670FA .  50          PUSH EAX
006670FB .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006670FE .  51          PUSH ECX
006670FF .  FFD7       CALL EDI
00667101 .  50          PUSH EAX
;EAX=0016B9D4, (UNICODE "G7K4074H9M5MXVRI4086D67TRF")左26个字符
00667102 .  56          PUSH ESI
00667103 .  FF53 30    CALL DWORD PTR DS:[EBX+30] ;关键CALL也许是算正确校验码的东东667fc0
00667106 .  8B55 C0    MOV EDX,DWORD PTR SS:[EBP-40]
;EDX=1569CC UNICODE"125204"
00667109 .  52          PUSH EDX
0066710A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066710D .  50          PUSH EAX
0066710E .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
;关键比较 EAX后4字符得到的校验码,EDX前26个字符得到的校验码
00667114 .  8BF8       MOV EDI,EAX
00667116 .  F7DF       NEG EDI
00667118 .  1BFF       SBB EDI,EDI
0066711A .  F7DF       NEG EDI
0066711C .  F7DF       NEG EDI
0066711E .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00667121 .  51          PUSH ECX
00667122 .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667125 .  52          PUSH EDX
00667126 .  6A 02       PUSH 2
00667128 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066712E .  83C4 0C    ADD ESP,0C
00667131 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667134 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
0066713A .  66:85FF    TEST DI,DI
0066713D    0F85 38010000 JNZ ks.0066727B ;不能跳,相等时EAX=0 则DI=0
00667143 .  C745 B8 01000>MOV DWORD PTR SS:[EBP-48],1
0066714A .  C745 B0 02000>MOV DWORD PTR SS:[EBP-50],2
00667151 .  8D45 C8    LEA EAX,DWORD PTR SS:[EBP-38]
00667154 .  8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
0066715A .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
00667164 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667167 .  51          PUSH ECX
00667168 .  6A 0A       PUSH 0A
0066716A .  8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00667170 .  52          PUSH EDX
00667171 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
00667174 .  50          PUSH EAX
00667175 .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取"G7K4074H9M5MXVRI4086D67TRF 0461"从第1个开始的第10个字符"M" (由SMARTCHECK得到)start=1,length=10
0066717B .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0066717E .  51          PUSH ECX
0066717F .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
00667182 .  52          PUSH EDX
00667183 .  FF15 DCB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarVal
00667189    50          PUSH EAX
0066718A    FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ;  MSVBVM50.rtcAnsiValueBstr
;取激活码第10个字符变换后的ASC码
00667190    66:2D 4500 SUB AX,45
;减45h
00667194 .  0F80 99010000 JO ks.00667333
0066719A .  0FBFF8       MOVSX EDI,AX
0066719D .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
006671A0 .  50          PUSH EAX
006671A1 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
;算硬盘序列号字符个数
006671A7 .  33C9       XOR ECX,ECX
006671A9    3BC7       CMP EAX,EDI
;看看硬盘序列号字符个数于AX减到的值是否一样,这里我的硬盘序列号为8个字符,所以退出那个激活字符为O
006671AB .  0F95C1       SETNE CL
006671AE .  F7D9       NEG ECX
006671B0 .  8BF9       MOV EDI,ECX
006671B2 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
006671B5 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006671BB .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
006671BE .  52          PUSH EDX
006671BF .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
006671C2 .  50          PUSH EAX
006671C3 .  6A 02       PUSH 2
006671C5 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006671CB .  83C4 0C    ADD ESP,0C
006671CE .  66:85FF    TEST DI,DI
006671D1 .  0F85 A4000000 JNZ ks.0066727B
006671D7 .  8B4D D0    MOV ECX,DWORD PTR SS:[EBP-30]
006671DA .  51          PUSH ECX
006671DB .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
006671E1 .  8945 B8    MOV DWORD PTR SS:[EBP-48],EAX
006671E4 .  C745 B0 03000>MOV DWORD PTR SS:[EBP-50],3
006671EB .  8D55 C8    LEA EDX,DWORD PTR SS:[EBP-38]
006671EE .  8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006671F4 .  C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006671FE .  8D45 B0    LEA EAX,DWORD PTR SS:[EBP-50]
00667201 .  50          PUSH EAX
00667202 .  6A 0B       PUSH 0B
00667204 .  8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0066720A .  51          PUSH ECX
0066720B .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
0066720E .  52          PUSH EDX
0066720F .  FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>]    ;  MSVBVM50.rtcMidCharVar
;取"G7K4074H9M5MXVRI408 6 D67TRF 0461"start=8,length=11字符"6" (由SMARTCHECK得到)
00667215 .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
00667218 .  8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0066721E .  C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],8008
00667228 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0066722B .  51          PUSH ECX
0066722C .  8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00667232 .  52          PUSH EDX
00667233 .  FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>;  MSVBVM50.__vbaVarTstNe
;不知道这个call做了什么,让EAX返回-1
00667239    8BF8       MOV EDI,EAX
0066723B    8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0066723E    50          PUSH EAX
0066723F .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
00667242 .  51          PUSH ECX
00667243 .  6A 02       PUSH 2
00667245 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066724B .  83C4 0C    ADD ESP,0C
0066724E    66:85FF    TEST DI,DI
00667251    75 28       JNZ SHORT ks.0066727B
00667253 .  8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00667259 .  52          PUSH EDX
0066725A .  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0066725D .  50          PUSH EAX
0066725E .  56          PUSH ESI
0066725F .  FF53 24    CALL DWORD PTR DS:[EBX+24]
00667262 .  66:39BD 8CFEF>CMP WORD PTR SS:[EBP-174],DI
00667269 .  74 10       JE SHORT ks.0066727B ;jmp如何?
0066726B .  C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00667272 .  EB 07       JMP SHORT ks.0066727B
00667274 .  C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
0066727B >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00667281 .  68 0A736600 PUSH ks.0066730A
00667286 .  EB 60       JMP SHORT ks.006672E8
00667288 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066728B .  51          PUSH ECX
0066728C .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066728F .  52          PUSH EDX
00667290 .  6A 02       PUSH 2
00667292 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00667298 .  83C4 0C    ADD ESP,0C
0066729B .  8D85 10FFFFFF LEA EAX,DWORD PTR SS:[EBP-F0]
006672A1 .  50          PUSH EAX
006672A2 .  8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0]
006672A8 .  51          PUSH ECX
006672A9 .  8D95 30FFFFFF LEA EDX,DWORD PTR SS:[EBP-D0]
006672AF .  52          PUSH EDX
006672B0 .  8D85 40FFFFFF LEA EAX,DWORD PTR SS:[EBP-C0]
006672B6 .  50          PUSH EAX
006672B7 .  8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
006672BD .  51          PUSH ECX
006672BE .  8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
006672C4 .  52          PUSH EDX
006672C5 .  8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
006672CB .  50          PUSH EAX
006672CC .  8D4D 80    LEA ECX,DWORD PTR SS:[EBP-80]
006672CF .  51          PUSH ECX
006672D0 .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
006672D3 .  52          PUSH EDX
006672D4 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
006672D7 .  50          PUSH EAX
006672D8 .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
006672DB .  51          PUSH ECX
006672DC .  6A 0B       PUSH 0B
006672DE .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006672E4 .  83C4 30    ADD ESP,30
006672E7 .  C3          RETN
006672E8 >  8D55 E0    LEA EDX,DWORD PTR SS:[EBP-20]
006672EB .  52          PUSH EDX
006672EC .  6A 00       PUSH 0
006672EE .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
006672F4 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006672F7 .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006672FD .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
006672FF .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00667302 .  FFD6       CALL ESI
00667304 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00667307 .  FFE6       JMP ESI
00667309 .  C3          RETN
0066730A .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
0066730D .  8B08       MOV ECX,DWORD PTR DS:[EAX]
0066730F .  50          PUSH EAX
00667310 .  FF51 08    CALL DWORD PTR DS:[ECX+8]
00667313 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
00667316 .  66:8B45 D8 MOV AX,WORD PTR SS:[EBP-28]
0066731A .  66:8902    MOV WORD PTR DS:[EDX],AX
0066731D .  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
00667320 .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
00667323 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066732A .  5F          POP EDI
0066732B .  5E          POP ESI
0066732C .  5B          POP EBX
0066732D .  8BE5       MOV ESP,EBP
0066732F .  5D          POP EBP
00667330 .  C2 1000    RETN 10
.............
0066761D FFD3          CALL EBX
0066761F 50             PUSH EAX
00667620 56             PUSH ESI
00667621 FF55 98       CALL DWORD PTR SS:[EBP-68]
00667624 66:8B45 A0    MOV AX,WORD PTR SS:[EBP-60] ;读12f6b4=26dh
00667628 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
0066762B 66:8946 3C    MOV WORD PTR DS:[ESI+3C],AX
0066762F FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667635 8D4D C4       LEA ECX,DWORD PTR SS:[EBP-3C]
00667638 8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
0066763B 51             PUSH ECX
0066763C 52             PUSH EDX
0066763D 6A 02          PUSH 2
0066763F FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667645 B8 01000000    MOV EAX,1
0066764A 83C4 0C       ADD ESP,0C
0066764D 66:3946 34    CMP WORD PTR DS:[ESI+34],AX
00667651 7C 18          JL SHORT ks1.0066766B
00667653 66:3946 36    CMP WORD PTR DS:[ESI+36],AX
00667657 7C 12          JL SHORT ks1.0066766B
00667659 66:3946 38    CMP WORD PTR DS:[ESI+38],AX
0066765D 7C 0C          JL SHORT ks1.0066766B
0066765F 66:3946 3A    CMP WORD PTR DS:[ESI+3A],AX
00667663 7C 06          JL SHORT ks1.0066766B
00667665 66:3946 3C    CMP WORD PTR DS:[ESI+3C],AX
00667669 7D 07          JGE SHORT ks1.00667672
0066766B C745 EC 0000000>MOV DWORD PTR SS:[EBP-14],0
00667672 68 A0766600    PUSH ks1.006676A0
00667677 EB 1D          JMP SHORT ks1.00667696
00667679 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-1C]
0066767C FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667682 8D45 C4       LEA EAX,DWORD PTR SS:[EBP-3C]
00667685 8D4D D4       LEA ECX,DWORD PTR SS:[EBP-2C]
00667688 50             PUSH EAX
00667689 51             PUSH ECX
0066768A 6A 02          PUSH 2
0066768C FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667692 83C4 0C       ADD ESP,0C
00667695 C3             RETN
00667696 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
00667699  - FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0066769F C3             RETN
006676A0 8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]
006676A3 66:8B45 EC    MOV AX,WORD PTR SS:[EBP-14]
006676A7 8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
006676AA 5F             POP EDI
006676AB 66:8902       MOV WORD PTR DS:[EDX],AX
006676AE 5E             POP ESI
006676AF 33C0          XOR EAX,EAX
006676B1 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
006676B8 5B             POP EBX
006676B9 8BE5          MOV ESP,EBP
006676BB 5D             POP EBP
006676BC C2 0C00       RETN 0C
006676BF FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
006676C5 90             NOP
006676C6 90             NOP

............
0066828A FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>]    ; MSVBVM50.rtcR8ValFromBstr
00668290 DD5D B8       FSTP QWORD PTR SS:[EBP-48]
00668293 DD45 B8       FLD QWORD PTR SS:[EBP-48]
00668296 DC0D 90744000 FMUL QWORD PTR DS:[407490]
0066829C 0FBFC6       MOVSX EAX,SI
0066829F 8945 B0       MOV DWORD PTR SS:[EBP-50],EAX
006682A2 DB45 B0       FILD DWORD PTR SS:[EBP-50]
006682A5 DD5D A8       FSTP QWORD PTR SS:[EBP-58]
006682A8 DC45 A8       FADD QWORD PTR SS:[EBP-58]
006682AB DFE0          FSTSW AX
006682AD A8 0D          TEST AL,0D
006682AF 75 71          JNZ SHORT ks1.00668322
006682B1 FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
006682B7 8945 E0       MOV DWORD PTR SS:[EBP-20],EAX
006682BA 68 03836600    PUSH ks1.00668303
006682BF 9B             WAIT
006682C0 EB 30          JMP SHORT ks1.006682F2
006682C2 8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
006682C5 51             PUSH ECX
006682C6 FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>]    ; MSVBVM50.rtcAnsiValueBstr
;ax=48h就是"H"
006682CC 66:2D 3700    SUB AX,37
006682D0 70 55          JO SHORT ks1.00668327
006682D2 66:6BC0 24    IMUL AX,AX,24
006682D6 70 4F          JO SHORT ks1.00668327
006682D8 66:03C6       ADD AX,SI
006682DB 70 4A          JO SHORT ks1.00668327
006682DD 8945 E0       MOV DWORD PTR SS:[EBP-20],EAX ;计算后EAX=26Dh
006682E0 9B             WAIT
006682E1 68 03836600    PUSH ks1.00668303
006682E6 EB 0A          JMP SHORT ks1.006682F2
006682E8 8D4D D0       LEA ECX,DWORD PTR SS:[EBP-30]
006682EB FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
006682F1 C3             RETN
006682F2 8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeStr
006682F8 8D4D EC       LEA ECX,DWORD PTR SS:[EBP-14]
006682FB FFD6          CALL ESI
006682FD 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
00668300 FFE6          JMP ESI
00668302 C3             RETN
00668303 8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]
00668306 66:8B45 E0    MOV AX,WORD PTR SS:[EBP-20]
0066830A 8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
0066830D 5F             POP EDI
0066830E 66:8902       MOV WORD PTR DS:[EDX],AX
00668311 5E             POP ESI
00668312 33C0          XOR EAX,EAX
00668314 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
0066831B 5B             POP EBX
0066831C 8BE5          MOV ESP,EBP
0066831E 5D             POP EBP
0066831F C2 0C00       RETN 0C
00668322  ^ E9 D5FCD9FF    JMP <JMP.&MSVBVM50.__vbaFPException>
00668327 FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066832D 90             NOP
0066832E 90             NOP
-------------------------------------------------------------------------------
▲文件:2-668EF0.txt
-------------------------------------------------------------------------------
不知道这个CALL干什么,返回666ba0
00668EF0 > \55          PUSH EBP
00668EF1 .  8BEC       MOV EBP,ESP
00668EF3 .  83EC 18    SUB ESP,18
00668EF6 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
00668EFB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668F01 .  50          PUSH EAX
00668F02 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668F09 .  B8 70000000 MOV EAX,70
00668F0E .  E8 DDF0D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
00668F13 .  53          PUSH EBX
00668F14 .  56          PUSH ESI
00668F15 .  57          PUSH EDI
00668F16 .  8965 E8    MOV DWORD PTR SS:[EBP-18],ESP
00668F19 .  C745 EC 20754>MOV DWORD PTR SS:[EBP-14],ks.00407520
00668F20 .  C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
00668F27 .  C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
00668F2E .  C745 FC 01000>MOV DWORD PTR SS:[EBP-4],1
00668F35 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00668F38 .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00668F3B .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00668F41 .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14] ;输入激活字符
00668F44 .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
00668F47 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00668F4D .  C745 FC 02000>MOV DWORD PTR SS:[EBP-4],2
00668F54 .  C745 FC 03000>MOV DWORD PTR SS:[EBP-4],3
00668F5B .  C745 DC 00000>MOV DWORD PTR SS:[EBP-24],0
00668F62 .  C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
00668F69 .  C745 FC 05000>MOV DWORD PTR SS:[EBP-4],5
00668F70 .  C745 D4 00000>MOV DWORD PTR SS:[EBP-2C],0
00668F77 .  C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
00668F7E .  C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
00668F85 .  C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
00668F8C .  C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
00668F93 .  6A FF       PUSH -1
00668F95 .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
00668F9B .  C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
00668FA2 .  FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>]    ;  MSVBVM50.rtcErrObj
00668FA8 .  50          PUSH EAX
00668FA9 .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
00668FAC .  50          PUSH EAX
00668FAD .  FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
00668FB3 .  8945 80    MOV DWORD PTR SS:[EBP-80],EAX
00668FB6 .  8B4D 80    MOV ECX,DWORD PTR SS:[EBP-80]
00668FB9 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
00668FBB .  8B45 80    MOV EAX,DWORD PTR SS:[EBP-80]
00668FBE .  50          PUSH EAX
00668FBF .  FF52 48    CALL DWORD PTR DS:[EDX+48]
00668FC2 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00668FC5 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00668FCB .  C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
00668FD2 .  6A 00       PUSH 0
00668FD4 .  6A 08       PUSH 8
00668FD6 .  6A 01       PUSH 1
00668FD8 .  6A 00       PUSH 0
00668FDA .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00668FDD .  51          PUSH ECX
00668FDE .  6A 04       PUSH 4
00668FE0 .  68 00010000 PUSH 100
00668FE5 .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
00668FEB .  83C4 1C    ADD ESP,1C
00668FEE >  C745 FC 0C000>MOV DWORD PTR SS:[EBP-4],0C
00668FF5 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
00668FF8 .  83C2 01    ADD EDX,1
00668FFB .  0F80 48030000 JO ks.00669349
00669001 .  8955 D4    MOV DWORD PTR SS:[EBP-2C],EDX
00669004 .  C745 FC 0D000>MOV DWORD PTR SS:[EBP-4],0D
0066900B .  837D D4 08 CMP DWORD PTR SS:[EBP-2C],8
0066900F .  7E 25       JLE SHORT ks.00669036
00669011 .  C745 FC 0E000>MOV DWORD PTR SS:[EBP-4],0E
00669018 .  6A 00       PUSH 0
0066901A .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
0066901D .  50          PUSH EAX
0066901E .  6A 01       PUSH 1
00669020 .  6A 00       PUSH 0
00669022 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00669025 .  51          PUSH ECX
00669026 .  6A 04       PUSH 4
00669028 .  68 00010000 PUSH 100
0066902D .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
00669033 .  83C4 1C    ADD ESP,1C
00669036 >  C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0066903D .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
00669040 .  83C2 01    ADD EDX,1
00669043 .  0F80 00030000 JO ks.00669349
00669049 .  52          PUSH EDX
0066904A .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30] ;输入激活字符串
0066904D .  50          PUSH EAX
0066904E .  8B4D C8    MOV ECX,DWORD PTR SS:[EBP-38] ;ECX=2DH 字符"-"
00669051 .  51          PUSH ECX
00669052 .  6A 01       PUSH 1
00669054 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
0066905A .  8945 CC    MOV DWORD PTR SS:[EBP-34],EAX
0066905D .  C745 FC 11000>MOV DWORD PTR SS:[EBP-4],11
00669064 .  837D CC 00 CMP DWORD PTR SS:[EBP-34],0
00669068 .  0F85 05010000 JNZ ks.00669173
0066906E .  C745 FC 12000>MOV DWORD PTR SS:[EBP-4],12
00669075 .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
00669078 .  52          PUSH EDX
00669079 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
0066907F .  8945 B4    MOV DWORD PTR SS:[EBP-4C],EAX
00669082 .  C745 AC 03000>MOV DWORD PTR SS:[EBP-54],3
00669089 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
0066908C .  8338 00    CMP DWORD PTR DS:[EAX],0
0066908F .  74 4C       JE SHORT ks.006690DD
00669091 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00669094 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
00669096 .  66:833A 01 CMP WORD PTR DS:[EDX],1
0066909A .  75 41       JNZ SHORT ks.006690DD
0066909C .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
0066909F .  8B08       MOV ECX,DWORD PTR DS:[EAX]
006690A1 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
006690A4 .  2B51 14    SUB EDX,DWORD PTR DS:[ECX+14]
006690A7 .  8955 98    MOV DWORD PTR SS:[EBP-68],EDX
006690AA .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
006690AD .  8B08       MOV ECX,DWORD PTR DS:[EAX]
006690AF .  8B55 98    MOV EDX,DWORD PTR SS:[EBP-68]
006690B2 .  3B51 10    CMP EDX,DWORD PTR DS:[ECX+10]
006690B5 .  73 0C       JNB SHORT ks.006690C3
006690B7 .  C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],0
006690C1 .  EB 0C       JMP SHORT ks.006690CF
006690C3 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006690C9 .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
006690CF >  8B45 98    MOV EAX,DWORD PTR SS:[EBP-68]
006690D2 .  C1E0 02    SHL EAX,2
006690D5 .  8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
006690DB .  EB 0C       JMP SHORT ks.006690E9
006690DD >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006690E3 .  8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
006690E9 >  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
006690EC .  51          PUSH ECX
006690ED .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
006690F0 .  83C2 01    ADD EDX,1
006690F3 .  0F80 50020000 JO ks.00669349
006690F9 .  52          PUSH EDX
006690FA .  8B45 D0    MOV EAX,DWORD PTR SS:[EBP-30]
006690FD .  50          PUSH EAX
006690FE .  FF15 D8B46800 CALL DWORD PTR DS:[<&MSVBVM50.#631>]    ;  MSVBVM50.rtcMidCharBstr
00669104 .  8BD0       MOV EDX,EAX
00669106 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00669109 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066910F .  50          PUSH EAX
00669110 .  FF15 14B46800 CALL DWORD PTR DS:[<&MSVBVM50.#519>]    ;  MSVBVM50.rtcTrimBstr
00669116 .  8BD0       MOV EDX,EAX
00669118 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066911B .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00669121 .  8BD0       MOV EDX,EAX
00669123 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00669126 .  8B01       MOV EAX,DWORD PTR DS:[ECX]
00669128 .  8B48 0C    MOV ECX,DWORD PTR DS:[EAX+C]
0066912B .  038D 78FFFFFF ADD ECX,DWORD PTR SS:[EBP-88]
00669131 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00669137 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066913A .  51          PUSH ECX
0066913B .  8D55 C4    LEA EDX,DWORD PTR SS:[EBP-3C]
0066913E .  52          PUSH EDX
0066913F .  6A 02       PUSH 2
00669141 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00669147 .  83C4 0C    ADD ESP,0C
0066914A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066914D .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669153 .  C745 FC 13000>MOV DWORD PTR SS:[EBP-4],13
0066915A .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
0066915D .  83C0 01    ADD EAX,1
00669160 .  0F80 E3010000 JO ks.00669349
00669166 .  8945 D8    MOV DWORD PTR SS:[EBP-28],EAX
00669169 .  E9 1D010000 JMP ks.0066928B
0066916E .  E9 F0000000 JMP ks.00669263
00669173 >  C745 FC 16000>MOV DWORD PTR SS:[EBP-4],16
0066917A .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
0066917D .  2B4D DC    SUB ECX,DWORD PTR SS:[EBP-24]
00669180 .  0F80 C3010000 JO ks.00669349
00669186 .  83E9 01    SUB ECX,1
00669189 .  0F80 BA010000 JO ks.00669349
0066918F .  894D B4    MOV DWORD PTR SS:[EBP-4C],ECX
00669192 .  C745 AC 03000>MOV DWORD PTR SS:[EBP-54],3
00669199 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066919C .  833A 00    CMP DWORD PTR DS:[EDX],0
0066919F .  74 4C       JE SHORT ks.006691ED
006691A1 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
006691A4 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
006691A6 .  66:8339 01 CMP WORD PTR DS:[ECX],1
006691AA .  75 41       JNZ SHORT ks.006691ED
006691AC .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006691AF .  8B02       MOV EAX,DWORD PTR DS:[EDX]
006691B1 .  8B4D D4    MOV ECX,DWORD PTR SS:[EBP-2C]
006691B4 .  2B48 14    SUB ECX,DWORD PTR DS:[EAX+14]
006691B7 .  894D 98    MOV DWORD PTR SS:[EBP-68],ECX
006691BA .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006691BD .  8B02       MOV EAX,DWORD PTR DS:[EDX]
006691BF .  8B4D 98    MOV ECX,DWORD PTR SS:[EBP-68]
006691C2 .  3B48 10    CMP ECX,DWORD PTR DS:[EAX+10]
006691C5 .  73 0C       JNB SHORT ks.006691D3
006691C7 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
006691D1 .  EB 0C       JMP SHORT ks.006691DF
006691D3 >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006691D9 .  8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
006691DF >  8B55 98    MOV EDX,DWORD PTR SS:[EBP-68]
006691E2 .  C1E2 02    SHL EDX,2
006691E5 .  8995 70FFFFFF MOV DWORD PTR SS:[EBP-90],EDX
006691EB .  EB 0C       JMP SHORT ks.006691F9
006691ED >  FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>;  MSVBVM50.__vbaGenerateBoundsError
006691F3 .  8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX
006691F9 >  8D45 AC    LEA EAX,DWORD PTR SS:[EBP-54]
006691FC .  50          PUSH EAX
006691FD .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
00669200 .  83C1 01    ADD ECX,1
00669203 .  0F80 40010000 JO ks.00669349
00669209 .  51          PUSH ECX
0066920A .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066920D .  52          PUSH EDX
0066920E .  FF15 D8B46800 CALL DWORD PTR DS:[<&MSVBVM50.#631>]    ;  MSVBVM50.rtcMidCharBstr
00669214 .  8BD0       MOV EDX,EAX
00669216 .  8D4D C4    LEA ECX,DWORD PTR SS:[EBP-3C]
00669219 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0066921F .  50          PUSH EAX
00669220 .  FF15 14B46800 CALL DWORD PTR DS:[<&MSVBVM50.#519>]    ;  MSVBVM50.rtcTrimBstr
00669226 .  8BD0       MOV EDX,EAX
00669228 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
0066922B .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00669231 .  8BD0       MOV EDX,EAX
00669233 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
00669236 .  8B08       MOV ECX,DWORD PTR DS:[EAX]
00669238 .  8B49 0C    MOV ECX,DWORD PTR DS:[ECX+C]
0066923B .  038D 70FFFFFF ADD ECX,DWORD PTR SS:[EBP-90]
00669241 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00669247 .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
0066924A .  52          PUSH EDX
0066924B .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
0066924E .  50          PUSH EAX
0066924F .  6A 02       PUSH 2
00669251 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
00669257 .  83C4 0C    ADD ESP,0C
0066925A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066925D .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669263 >  C745 FC 18000>MOV DWORD PTR SS:[EBP-4],18
0066926A .  8B4D D8    MOV ECX,DWORD PTR SS:[EBP-28]
0066926D .  83C1 01    ADD ECX,1
00669270 .  0F80 D3000000 JO ks.00669349
00669276 .  894D D8    MOV DWORD PTR SS:[EBP-28],ECX
00669279 .  C745 FC 19000>MOV DWORD PTR SS:[EBP-4],19
00669280 .  8B55 CC    MOV EDX,DWORD PTR SS:[EBP-34]
00669283 .  8955 DC    MOV DWORD PTR SS:[EBP-24],EDX
00669286 .^ E9 63FDFFFF JMP ks.00668FEE
0066928B >  C745 FC 1B000>MOV DWORD PTR SS:[EBP-4],1B
00669292 .  8B45 18    MOV EAX,DWORD PTR SS:[EBP+18]
00669295 .  66:8338 FF CMP WORD PTR DS:[EAX],0FFFF
00669299 .  75 27       JNZ SHORT ks.006692C2
0066929B .  C745 FC 1C000>MOV DWORD PTR SS:[EBP-4],1C
006692A2 .  6A 00       PUSH 0
006692A4 .  8B4D D8    MOV ECX,DWORD PTR SS:[EBP-28]
006692A7 .  51          PUSH ECX
006692A8 .  6A 01       PUSH 1
006692AA .  6A 00       PUSH 0
006692AC .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006692AF .  52          PUSH EDX
006692B0 .  6A 04       PUSH 4
006692B2 .  68 00010000 PUSH 100
006692B7 .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
006692BD .  83C4 1C    ADD ESP,1C
006692C0 .  EB 32       JMP SHORT ks.006692F4
006692C2 >  C745 FC 1E000>MOV DWORD PTR SS:[EBP-4],1E
006692C9 .  837D D4 08 CMP DWORD PTR SS:[EBP-2C],8
006692CD .  7C 25       JL SHORT ks.006692F4
006692CF .  C745 FC 1F000>MOV DWORD PTR SS:[EBP-4],1F
006692D6 .  6A 00       PUSH 0
006692D8 .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
006692DB .  50          PUSH EAX
006692DC .  6A 01       PUSH 1
006692DE .  6A 00       PUSH 0
006692E0 .  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
006692E3 .  51          PUSH ECX
006692E4 .  6A 04       PUSH 4
006692E6 .  68 00010000 PUSH 100
006692EB .  FF15 44B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaRedim>;  MSVBVM50.__vbaRedimPreserve
006692F1 .  83C4 1C    ADD ESP,1C
006692F4 >  68 34936600 PUSH ks.00669334
006692F9 .  EB 26       JMP SHORT ks.00669321
006692FB .  8D55 C0    LEA EDX,DWORD PTR SS:[EBP-40]
006692FE .  52          PUSH EDX
006692FF .  8D45 C4    LEA EAX,DWORD PTR SS:[EBP-3C]
00669302 .  50          PUSH EAX
00669303 .  6A 02       PUSH 2
00669305 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
0066930B .  83C4 0C    ADD ESP,0C
0066930E .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669311 .  FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00669317 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
0066931A .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669320 .  C3          RETN
00669321 >  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
00669324 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
0066932A .  8D4D C8    LEA ECX,DWORD PTR SS:[EBP-38]
0066932D .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00669333 .  C3          RETN
00669334 .  33C0       XOR EAX,EAX
00669336 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
00669339 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00669340 .  5F          POP EDI
00669341 .  5E          POP ESI
00669342 .  5B          POP EBX
00669343 .  8BE5       MOV ESP,EBP
00669345 .  5D          POP EBP
00669346 .  C2 1400    RETN 14
00669349 >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
-------------------------------------------------------------------------------
▲文件:3-669405.txt
-------------------------------------------------------------------------------
到669405 ,调用者666db3
00669399 .  8975 84    MOV DWORD PTR SS:[EBP-7C],ESI
0066939C .  89B5 74FFFFFF MOV DWORD PTR SS:[EBP-8C],ESI
006693A2 .  89B5 70FFFFFF MOV DWORD PTR SS:[EBP-90],ESI
006693A8 .  89B5 64FFFFFF MOV DWORD PTR SS:[EBP-9C],ESI
006693AE .  89B5 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ESI
006693B4 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
006693B7 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006693BA .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
006693C0 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaStrCopy>
006693C2 .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
006693C5 .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
006693C8 .  FFD3       CALL EBX
006693CA .  8B55 14    MOV EDX,DWORD PTR SS:[EBP+14]
006693CD .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
006693D0 .  FFD3       CALL EBX
006693D2 .  8B45 1C    MOV EAX,DWORD PTR SS:[EBP+1C]
006693D5 .  8930       MOV DWORD PTR DS:[EAX],ESI
006693D7 .  68 54204200 PUSH ks.00422054
006693DC .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
006693DF .  51          PUSH ECX
006693E0 .  FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>;  MSVBVM50.__vbaAryConstruct
006693E6 .  6A 01       PUSH 1
006693E8 .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
006693EE .  8B55 B8    MOV EDX,DWORD PTR SS:[EBP-48]
006693F1 .  8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C]
006693F7 .  FFD3       CALL EBX
006693F9 .  8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
006693FF .  52          PUSH EDX ;这里是"-"
00669400 .  68 48204200 PUSH ks.00422048                      ;  UNICODE "^p"
00669405 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066940B .  85C0       TEST EAX,EAX
0066940D .  75 55       JNZ SHORT ks.00669464
0066940F .  6A 0D       PUSH 0D
00669411 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
00669414 .  50          PUSH EAX
00669415 .  8B35 C0B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.#608>]  ;  MSVBVM50.rtcVarBstrFromAnsi
0066941B .  FFD6       CALL ESI                               ;  <&MSVBVM50.#608>
0066941D .  6A 0A       PUSH 0A
0066941F .  8D4D 94    LEA ECX,DWORD PTR SS:[EBP-6C]
00669422 .  51          PUSH ECX
00669423 .  FFD6       CALL ESI
00669425 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
00669428 .  52          PUSH EDX
00669429 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0066942C .  50          PUSH EAX
0066942D .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
00669430 .  51          PUSH ECX
00669431 .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
00669437 .  50          PUSH EAX
00669438 .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
0066943E .  8BD0       MOV EDX,EAX
00669440 .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
00669443 .  8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
00669449 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrMove>
0066944B .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0066944E .  52          PUSH EDX
0066944F .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
00669452 .  50          PUSH EAX
00669453 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
00669456 .  51          PUSH ECX
00669457 .  6A 03       PUSH 3
00669459 .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0066945F .  83C4 10    ADD ESP,10
00669462 .  EB 0C       JMP SHORT ks.00669470
00669464 >  8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
0066946A .  8B35 C0B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.#608>]  ;  MSVBVM50.rtcVarBstrFromAnsi
00669470 >  8B55 D8    MOV EDX,DWORD PTR SS:[EBP-28]
00669473 .  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
00669479 .  FFD3       CALL EBX
0066947B .  8B95 60FFFFFF MOV EDX,DWORD PTR SS:[EBP-A0]
00669481 .  52          PUSH EDX
00669482 .  68 48204200 PUSH ks.00422048                      ;  UNICODE "^p"
00669487 .  FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
0066948D .  85C0       TEST EAX,EAX
0066948F .  75 47       JNZ SHORT ks.006694D8
00669491 .  6A 0D       PUSH 0D
00669493 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
00669496 .  50          PUSH EAX
00669497 .  FFD6       CALL ESI
00669499 .  6A 0A       PUSH 0A
0066949B .  8D4D 94    LEA ECX,DWORD PTR SS:[EBP-6C]
0066949E .  51          PUSH ECX
0066949F .  FFD6       CALL ESI
006694A1 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
006694A4 .  52          PUSH EDX
006694A5 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
006694A8 .  50          PUSH EAX
006694A9 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
006694AC .  51          PUSH ECX
006694AD .  FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>;  MSVBVM50.__vbaVarCat
006694B3 .  50          PUSH EAX
006694B4 .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
006694BA .  8BD0       MOV EDX,EAX
006694BC .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
006694BF .  FFD7       CALL EDI
006694C1 .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
006694C4 .  52          PUSH EDX
006694C5 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
006694C8 .  50          PUSH EAX
006694C9 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
006694CC .  51          PUSH ECX
006694CD .  6A 03       PUSH 3
006694CF .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006694D5 .  83C4 10    ADD ESP,10
006694D8 >  6A 01       PUSH 1
006694DA .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
006694DD .  52          PUSH EDX
006694DE .  8B45 B8    MOV EAX,DWORD PTR SS:[EBP-48]
006694E1 .  50          PUSH EAX
006694E2 .  8B4D 18    MOV ECX,DWORD PTR SS:[EBP+18]
006694E5 .  51          PUSH ECX
006694E6 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
006694EC .  8BF0       MOV ESI,EAX
006694EE .  83FE 01    CMP ESI,1
006694F1 .  0F8C 53010000 JL ks.0066964A
006694F7 .  8B1D 10B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006694FD >  8D55 DC    LEA EDX,DWORD PTR SS:[EBP-24]
00669500 .  8995 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EDX
00669506 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],4008
00669510 .  8BC6       MOV EAX,ESI
00669512 .  48          DEC EAX
00669513 .  0F80 F3010000 JO ks.0066970C
00669519 .  50          PUSH EAX
0066951A .  8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00669520 .  51          PUSH ECX
00669521 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
00669524 .  52          PUSH EDX
00669525 .  FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>]    ;  MSVBVM50.rtcLeftCharVar
0066952B .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
0066952E .  50          PUSH EAX
0066952F .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
00669535 .  8BD0       MOV EDX,EAX
00669537 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0066953A .  FFD7       CALL EDI
0066953C .  8BD0       MOV EDX,EAX
0066953E .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
00669541 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
00669547 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0066954A .  FFD3       CALL EBX
0066954C .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0066954F .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00669555 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
00669558 .  898D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ECX
0066955E .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],4008
00669568 .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066956B .  52          PUSH EDX
0066956C .  8B1D D8B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaLe>;  MSVBVM50.__vbaLenBstr
00669572 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaLenBstr>
00669574 .  8BD0       MOV EDX,EAX
00669576 .  2BD6       SUB EDX,ESI
00669578 .  0F80 8E010000 JO ks.0066970C
0066957E .  8B45 B8    MOV EAX,DWORD PTR SS:[EBP-48]
00669581 .  50          PUSH EAX
00669582 .  8995 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],EDX
00669588 .  FFD3       CALL EBX
0066958A .  8B8D 4CFFFFFF MOV ECX,DWORD PTR SS:[EBP-B4]
00669590 .  2BC8       SUB ECX,EAX
00669592 .  0F80 74010000 JO ks.0066970C
00669598 .  41          INC ECX
00669599 .  0F80 6D010000 JO ks.0066970C
0066959F .  51          PUSH ECX
006695A0 .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
006695A6 .  52          PUSH EDX
006695A7 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
006695AA .  50          PUSH EAX
006695AB .  FF15 CCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#619>]    ;  MSVBVM50.rtcRightCharVar
006695B1 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
006695B4 .  51          PUSH ECX
006695B5 .  FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>;  MSVBVM50.__vbaStrVarMove
006695BB .  8BD0       MOV EDX,EAX
006695BD .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
006695C0 .  FFD7       CALL EDI
006695C2 .  8BD0       MOV EDX,EAX
006695C4 .  8B45 CC    MOV EAX,DWORD PTR SS:[EBP-34]
006695C7 .  8D48 04    LEA ECX,DWORD PTR DS:[EAX+4]
006695CA .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
006695D0 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
006695D3 .  8B1D 10B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006695D9 .  FFD3       CALL EBX                               ;  <&MSVBVM50.__vbaFreeStr>
006695DB .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
006695DE .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
006695E4 .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
006695E7 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
006695E9 .  52          PUSH EDX
006695EA .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
006695ED .  50          PUSH EAX
006695EE .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
006695F4 .  8BD0       MOV EDX,EAX
006695F6 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
006695F9 .  FFD7       CALL EDI
006695FB .  50          PUSH EAX
006695FC .  8B4D CC    MOV ECX,DWORD PTR SS:[EBP-34]
006695FF .  8B51 04    MOV EDX,DWORD PTR DS:[ECX+4]
00669602 .  52          PUSH EDX
00669603 .  FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>;  MSVBVM50.__vbaStrCat
00669609 .  8BD0       MOV EDX,EAX
0066960B .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
0066960E .  FFD7       CALL EDI
00669610 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
00669613 .  FFD3       CALL EBX
00669615 .  8B45 D8    MOV EAX,DWORD PTR SS:[EBP-28]
00669618 .  50          PUSH EAX
00669619 .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
0066961F .  03C6       ADD EAX,ESI
00669621 .  0F80 E5000000 JO ks.0066970C
00669627 .  50          PUSH EAX
00669628 .  8B4D DC    MOV ECX,DWORD PTR SS:[EBP-24]
0066962B .  51          PUSH ECX
0066962C .  8B55 B8    MOV EDX,DWORD PTR SS:[EBP-48]
0066962F .  52          PUSH EDX
00669630 .  8B45 18    MOV EAX,DWORD PTR SS:[EBP+18]
00669633 .  50          PUSH EAX
00669634 .  FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>;  MSVBVM50.__vbaInStr
0066963A .  8BF0       MOV ESI,EAX
0066963C .  85F6       TEST ESI,ESI
0066963E .^ 0F8F B9FEFFFF JG ks.006694FD
00669644 .  8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
0066964A >  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
0066964D .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669650 .  FFD3       CALL EBX
00669652 .  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00669658 .  68 EF966600 PUSH ks.006696EF
0066965D .  EB 49       JMP SHORT ks.006696A8
0066965F .  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24]
00669662 .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669665 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
0066966B .  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
00669671 .  68 EF966600 PUSH ks.006696EF
00669676 .  EB 30       JMP SHORT ks.006696A8
00669678 .  F645 F4 04 TEST BYTE PTR SS:[EBP-C],4
0066967C .  74 09       JE SHORT ks.00669687
0066967E .  8D4D BC    LEA ECX,DWORD PTR SS:[EBP-44]
00669681 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00669687 >  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0066968A .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00669690 .  8D4D 84    LEA ECX,DWORD PTR SS:[EBP-7C]
00669693 .  51          PUSH ECX
00669694 .  8D55 94    LEA EDX,DWORD PTR SS:[EBP-6C]
00669697 .  52          PUSH EDX
00669698 .  8D45 A4    LEA EAX,DWORD PTR SS:[EBP-5C]
0066969B .  50          PUSH EAX
0066969C .  6A 03       PUSH 3
0066969E .  FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
006696A4 .  83C4 10    ADD ESP,10
006696A7 .  C3          RETN
006696A8 >  8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
006696AE .  51          PUSH ECX
006696AF .  8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
006696B5 .  52          PUSH EDX
006696B6 .  6A 02       PUSH 2
006696B8 .  FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList
006696BE .  83C4 0C    ADD ESP,0C
006696C1 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006696C4 .  8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeStr
006696CA .  FFD6       CALL ESI                               ;  <&MSVBVM50.__vbaFreeStr>
006696CC .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
006696CF .  FFD6       CALL ESI
006696D1 .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
006696D4 .  8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX
006696DA .  8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
006696E0 .  51          PUSH ECX
006696E1 .  6A 00       PUSH 0
006696E3 .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
006696E9 .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]
006696EC .  FFE6       JMP ESI
006696EE .  C3          RETN
006696EF .  8B55 1C    MOV EDX,DWORD PTR SS:[EBP+1C]
006696F2 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
006696F5 .  8902       MOV DWORD PTR DS:[EDX],EAX
006696F7 .  33C0       XOR EAX,EAX
006696F9 .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
006696FC .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00669703 .  5F          POP EDI
00669704 .  5E          POP ESI
00669705 .  5B          POP EBX
00669706 .  8BE5       MOV ESP,EBP
00669708 .  5D          POP EBP
00669709 .  C2 1800    RETN 18
0066970C >  FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>;  MSVBVM50.__vbaErrorOverflow
00669712 .  90          NOP
00669713 .  90          NOP
-------------------------------------------------------------------------------
▲文件:4-667FC0.txt
-------------------------------------------------------------------------------
00667FC0 > \55          PUSH EBP
00667FC1 .  8BEC       MOV EBP,ESP
00667FC3 .  83EC 14    SUB ESP,14
00667FC6 .  68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
00667FCB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00667FD1 .  50          PUSH EAX
00667FD2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00667FD9 .  83EC 4C    SUB ESP,4C
00667FDC .  53          PUSH EBX
00667FDD .  56          PUSH ESI
00667FDE .  57          PUSH EDI
00667FDF .  8965 EC    MOV DWORD PTR SS:[EBP-14],ESP
00667FE2 .  C745 F0 C8744>MOV DWORD PTR SS:[EBP-10],ks.004074C8
00667FE9 .  33F6       XOR ESI,ESI
00667FEB .  8975 F4    MOV DWORD PTR SS:[EBP-C],ESI
00667FEE .  8975 F8    MOV DWORD PTR SS:[EBP-8],ESI
00667FF1 .  8975 DC    MOV DWORD PTR SS:[EBP-24],ESI
00667FF4 .  8975 D8    MOV DWORD PTR SS:[EBP-28],ESI
00667FF7 .  8975 D4    MOV DWORD PTR SS:[EBP-2C],ESI
00667FFA .  8975 D0    MOV DWORD PTR SS:[EBP-30],ESI
00667FFD .  8975 C0    MOV DWORD PTR SS:[EBP-40],ESI
00668000 .  8975 BC    MOV DWORD PTR SS:[EBP-44],ESI
00668003 .  8975 AC    MOV DWORD PTR SS:[EBP-54],ESI
00668006 .  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00668009 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
0066800C .  8B3D 2CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCopy
00668012 .  FFD7       CALL EDI                               ;  <&MSVBVM50.__vbaStrCopy>
00668014 .  8B45 10    MOV EAX,DWORD PTR SS:[EBP+10]
00668017 .  8930       MOV DWORD PTR DS:[EAX],ESI
00668019 .  6A 01       PUSH 1
0066801B .  FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>;  MSVBVM50.__vbaOnError
00668021 .  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
00668024 .  894D B4    MOV DWORD PTR SS:[EBP-4C],ECX
00668027 .  C745 AC 08400>MOV DWORD PTR SS:[EBP-54],4008
0066802E .  68 80000000 PUSH 80
00668033 .  8D55 AC    LEA EDX,DWORD PTR SS:[EBP-54]
00668036 .  52          PUSH EDX
00668037 .  8D45 C0    LEA EAX,DWORD PTR SS:[EBP-40]
0066803A .  50          PUSH EAX
0066803B .  FF15 F8B36800 CALL DWORD PTR DS:[<&MSVBVM50.#622>]    ;  MSVBVM50.rtcStrConvVar
;先将26个UNICODE字符转换为ASC字符
00668041 .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00668044 .  51          PUSH ECX
00668045 .  8D55 BC    LEA EDX,DWORD PTR SS:[EBP-44]
00668048 .  52          PUSH EDX
00668049 .  FF15 0CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVar2V>;  MSVBVM50.__vbaVar2Vec
0066804F .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
00668052 .  50          PUSH EAX
00668053 .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00668056 .  51          PUSH ECX
00668057 .  FF15 C8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryMo>;  MSVBVM50.__vbaAryMove
0066805D .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
00668060 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
00668066 .  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
00668069 .  8B10       MOV EDX,DWORD PTR DS:[EAX]
0066806B .  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
0066806E .  51          PUSH ECX
0066806F .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00668072 .  51          PUSH ECX
00668073 .  50          PUSH EAX
00668074 .  FF52 38    CALL DWORD PTR DS:[EDX+38] ;这里!!!call 668330
00668077 .  8B55 D0    MOV EDX,DWORD PTR SS:[EBP-30]
0066807A .  8975 D0    MOV DWORD PTR SS:[EBP-30],ESI
0066807D .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
00668080 .  FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00668086 .  8B55 D4    MOV EDX,DWORD PTR SS:[EBP-2C]
00668089 .  52          PUSH EDX
0066808A .  FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>;  MSVBVM50.__vbaLenBstr
00668090 .  83F8 06    CMP EAX,6
00668093 .  74 25       JE SHORT ks.006680BA
00668095 .  BA A4B44100 MOV EDX,ks.0041B4A4
0066809A .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
0066809D .  FFD7       CALL EDI
0066809F .  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
006680A5 .  68 0B816600 PUSH ks.0066810B
006680AA .  EB 49       JMP SHORT ks.006680F5
006680AC .  BA A4B44100 MOV EDX,ks.0041B4A4
006680B1 .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006680B4 .  FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy
006680BA >  FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>;  MSVBVM50.__vbaExitProc
006680C0 .  68 0B816600 PUSH ks.0066810B
006680C5 .  EB 2E       JMP SHORT ks.006680F5
006680C7 .  F645 F4 04 TEST BYTE PTR SS:[EBP-C],4
006680CB .  74 09       JE SHORT ks.006680D6
006680CD .  8D4D D4    LEA ECX,DWORD PTR SS:[EBP-2C]
006680D0 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006680D6 >  8D4D D0    LEA ECX,DWORD PTR SS:[EBP-30]
006680D9 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006680DF .  8D4D C0    LEA ECX,DWORD PTR SS:[EBP-40]
006680E2 .  FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVar
006680E8 .  8D45 BC    LEA EAX,DWORD PTR SS:[EBP-44]
006680EB .  50          PUSH EAX
006680EC .  6A 00       PUSH 0
006680EE .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
006680F4 .  C3          RETN
006680F5 >  8D4D DC    LEA ECX,DWORD PTR SS:[EBP-24]
006680F8 .  FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
006680FE .  8D4D D8    LEA ECX,DWORD PTR SS:[EBP-28]
00668101 .  51          PUSH ECX
00668102 .  6A 00       PUSH 0
00668104 .  FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>;  MSVBVM50.__vbaAryDestruct
0066810A .  C3          RETN
0066810B .  8B55 10    MOV EDX,DWORD PTR SS:[EBP+10]
0066810E .  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
00668111 .  8902       MOV DWORD PTR DS:[EDX],EAX
00668113 .  33C0       XOR EAX,EAX
00668115 .  8B4D E4    MOV ECX,DWORD PTR SS:[EBP-1C]
00668118 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066811F .  5F          POP EDI
00668120 .  5E          POP ESI
00668121 .  5B          POP EBX
00668122 .  8BE5       MOV ESP,EBP
00668124 .  5D          POP EBP
00668125 .  C2 0C00    RETN 0C
-------------------------------------------------------------------------------

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (4)
kyc 雪币： 389 活跃值： (912) 能力值： ( LV9，RANK：770 ) 在线值：发帖 43 回帖 550 粉丝 2 关注私信	kyc 19 2 楼节省点空间吧,实在是没耐性看了. 2005-7-8 16:01 0
shuair 雪币： 151 活跃值： (66) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 220 粉丝 0 关注私信	shuair 2 3 楼确实,没有耐性看下去...分析的细心值得学习,但确实不能上大雅之堂.---一个字乱, 2005-7-9 08:57 0
qfejj 雪币： 261 活跃值： (162) 能力值： ( LV13，RANK：320 ) 在线值：发帖 11 回帖 139 粉丝 1 关注私信	qfejj 7 4 楼如过你研究一下他们公司的光盘版，去了starforce3做成硬盘版，就没必要写这么多了。 2005-7-10 00:28 0
dragon123 雪币： 210 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 8 粉丝 1 关注私信	dragon123 5 楼不知楼主破的是那个版本的，最新的下半年的软件已经与上半年的不同了，改变了方法，搂主能否给写写看看？？ 2005-7-14 11:32 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

MARCH

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
kyc 雪币： 389 活跃值： (912) 能力值： ( LV9，RANK：770 ) 在线值：发帖 43 回帖 550 粉丝 2 关注私信	kyc 19 2 楼节省点空间吧,实在是没耐性看了. 2005-7-8 16:01 0
shuair 雪币： 151 活跃值： (66) 能力值： ( LV6，RANK：90 ) 在线值：发帖 14 回帖 220 粉丝 0 关注私信	shuair 2 3 楼确实,没有耐性看下去...分析的细心值得学习,但确实不能上大雅之堂.---一个字乱, 2005-7-9 08:57 0
qfejj 雪币： 261 活跃值： (162) 能力值： ( LV13，RANK：320 ) 在线值：发帖 11 回帖 139 粉丝 1 关注私信	qfejj 7 4 楼如过你研究一下他们公司的光盘版，去了starforce3做成硬盘版，就没必要写这么多了。 2005-7-10 00:28 0
dragon123 雪币： 210 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 8 粉丝 1 关注私信	dragon123 5 楼不知楼主破的是那个版本的，最新的下半年的软件已经与上半年的不同了，改变了方法，搂主能否给写写看看？？ 2005-7-14 11:32 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复