还是VB的-无忧全国计算机等级考试模拟软件二级JAVA-3[原创]
发表于: 2005-7-8 14:46 3530
▲文件:5-668330.txt
-------------------------------------------------------------------------------
从668074调用,计算前26个字符的校验码.
; Function 00668330 - per the author's note it is called from 668074 and computes the
; checksum over the first 26 characters.
; Stack arguments (the callee pops 0Ch bytes on return):
;   [EBP+C]  -> array whose upper bound is taken with __vbaUbound and which is read bytewise
;   [EBP+10] -> output slot; cleared on entry, receives the result string at 006685F0
; Working bytes:
;   [EBP-30] = low checksum byte (AL)      [EBP-20] = high checksum byte (CL)
;   [EBP-1C] = 81h, [EBP-34] = 0A0h        constants XORed in at 00668499/0066849B
;   [EBP-28] = copy of the low byte taken before it is shifted
; Returns EAX = 0.
; NOTE(review): the loop has the shape of a bitwise, right-shifting 16-bit CRC with start
; value FFFFh. Every constant is embedded in the code and no secret enters the computation
; in this function, so the value can catch mistyped input but cannot authenticate it.
00668330 > \55 PUSH EBP
00668331 . 8BEC MOV EBP,ESP
00668333 . 83EC 0C SUB ESP,0C
00668336 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066833B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668341 . 50 PUSH EAX
00668342 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668349 . 81EC D0000000 SUB ESP,0D0
0066834F . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; EAX = output argument
00668352 . 53 PUSH EBX
00668353 . 56 PUSH ESI
00668354 . 8B35 74B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaUI>; MSVBVM50.__vbaUI1I2
0066835A . 57 PUSH EDI
0066835B . 33DB XOR EBX,EBX
0066835D . B9 FF000000 MOV ECX,0FF
00668362 . 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
00668365 . C745 F8 00754>MOV DWORD PTR SS:[EBP-8],ks.00407500
0066836C . C645 E0 00 MOV BYTE PTR SS:[EBP-20],0
00668370 . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
00668373 . 885D D0 MOV BYTE PTR SS:[EBP-30],BL
00668376 . 895D B8 MOV DWORD PTR SS:[EBP-48],EBX
00668379 . 895D A8 MOV DWORD PTR SS:[EBP-58],EBX
0066837C . 895D 98 MOV DWORD PTR SS:[EBP-68],EBX
0066837F . 895D 88 MOV DWORD PTR SS:[EBP-78],EBX
00668382 . 899D 78FFFFFF MOV DWORD PTR SS:[EBP-88],EBX
00668388 . 899D 68FFFFFF MOV DWORD PTR SS:[EBP-98],EBX
0066838E . 899D 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EBX
00668394 . 899D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EBX
0066839A . 899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
006683A0 . 8918 MOV DWORD PTR DS:[EAX],EBX ; clear the output slot (EBX = 0)
006683A2 . FFD6 CALL ESI ; <&MSVBVM50.__vbaUI1I2>
006683A4 . B9 FF000000 MOV ECX,0FF
006683A9 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL ; [EBP-30] (12F65C) = 0FFh, low byte start value
006683AC . FFD6 CALL ESI
006683AE . B9 81000000 MOV ECX,81
006683B3 . 8845 E0 MOV BYTE PTR SS:[EBP-20],AL ; [EBP-20] (12F66C) = 0FFh, high byte start value
006683B6 . FFD6 CALL ESI
006683B8 . B9 A0000000 MOV ECX,0A0
006683BD . 8845 E4 MOV BYTE PTR SS:[EBP-1C],AL ; [EBP-1C] = 81h
006683C0 . FFD6 CALL ESI
006683C2 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
006683C5 . 8845 CC MOV BYTE PTR SS:[EBP-34],AL ; [EBP-34] = 0A0h
006683C8 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
006683CA . 52 PUSH EDX
006683CB . 6A 01 PUSH 1
006683CD . FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>; MSVBVM50.__vbaUbound
; upper bound: EAX = 19h = 25, so indices 0..25 cover 26 characters
006683D3 . 8BC8 MOV ECX,EAX
006683D5 . FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
006683DB . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20] ; CL = 0FFh
006683DE . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX ; [EBP-D4] = loop limit (the upper bound)
006683E4 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30] ; AL = 0FFh
006683E7 . 895D E8 MOV DWORD PTR SS:[EBP-18],EBX ; [EBP-18] = outer index, starts at 0
006683EA > 8B7D E8 MOV EDI,DWORD PTR SS:[EBP-18]
; the line above is the outer-loop head; the outer loop runs 26 times
006683ED . 66:3BBD 2CFFF>CMP DI,WORD PTR SS:[EBP-D4]
006683F4 . 0F8F D4000000 JG ks.006684CE ; index > upper bound -> loop finished
; array checks before the read: descriptor not null, WORD at [EDX] equals 1, and
; (index - [EDX+14]) below [EDX+10]; the offsets match the SAFEARRAY layout
; (cDims, lLbound, cElements) - any failure raises __vbaGenerateBoundsError
006683FA . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
006683FD . 8B12 MOV EDX,DWORD PTR DS:[EDX]
006683FF . 3BD3 CMP EDX,EBX
00668401 . 74 25 JE SHORT ks.00668428
00668403 . 66:833A 01 CMP WORD PTR DS:[EDX],1
00668407 . 75 1F JNZ SHORT ks.00668428
00668409 . 0FBFDF MOVSX EBX,DI
0066840C . 8B7A 14 MOV EDI,DWORD PTR DS:[EDX+14]
0066840F . 2BDF SUB EBX,EDI
00668411 . 8B7A 10 MOV EDI,DWORD PTR DS:[EDX+10] ; EDI = 1Ah = 26 (element count)
00668414 . 3BDF CMP EBX,EDI
00668416 . 72 0C JB SHORT ks.00668424
00668418 . FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066841E . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20]
00668421 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30]
00668424 > 8BD3 MOV EDX,EBX
00668426 . EB 0E JMP SHORT ks.00668436
00668428 > FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066842E . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20]
00668431 . 8BD0 MOV EDX,EAX
00668433 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30]
00668436 > 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
00668439 . 8B3F MOV EDI,DWORD PTR DS:[EDI]
0066843B . 8B7F 0C MOV EDI,DWORD PTR DS:[EDI+C]
0066843E . 8A1C17 MOV BL,BYTE PTR DS:[EDI+EDX]; fetch the 26 characters one at a time
;0016E238 47 37 4B 34 30 37 34 48 39 4D 35 4D 58 56 52 49 G7K4074H9M5MXVRI
;0016E248 34 30 38 36 44 36 37 54 52 46 AB AB AB AB AB AB 4086D67TRF???
00668441 . 32C3 XOR AL,BL ; XOR the character into AL (0FFh on the first pass); result stays in AL
00668443 . 33FF XOR EDI,EDI ; EDI = 0 (inner counter)
00668445 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL
00668448 > BA 07000000 MOV EDX,7 ; inner limit 7: the counter runs 0..7, i.e. 8 passes (exit is JG, not JGE)
; the line above is the inner-loop head
0066844D . 66:3BFA CMP DI,DX
00668450 . 7F 63 JG SHORT ks.006684B5
00668452 . 8AD9 MOV BL,CL ; BL = high byte before the shift
00668454 . 8845 D8 MOV BYTE PTR SS:[EBP-28],AL ; stash the pre-shift low byte in [EBP-28] (12F664)
00668457 . D0E9 SHR CL,1 ; CL starts at 0FFh
00668459 . 66:0FB6C9 MOVZX CX,CL
0066845D . FFD6 CALL ESI ; AX = CL after the 1-bit right shift
0066845F . 8845 E0 MOV BYTE PTR SS:[EBP-20],AL ; store to [EBP-20] (12F66C)
00668462 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30] ; [EBP-30] (12F65C) = 0B8h in the traced run
00668465 . D0E8 SHR AL,1 ; AL = 5Ch
00668467 . 66:33C9 XOR CX,CX
0066846A . 8AC8 MOV CL,AL
0066846C . FFD6 CALL ESI
0066846E . 80E3 01 AND BL,1 ; BL = pre-shift high byte (0FFh at first); keep bit 0 only
00668471 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL ; store to [EBP-30] (12F65C)
00668474 . 80FB 01 CMP BL,1
00668477 . 75 0C JNZ SHORT ks.00668485
00668479 . 0C 80 OR AL,80 ; reached only when bit 0 of BL is 1: set bit 7 of AL (AL = 0DCh in the trace)
0066847B . 66:33C9 XOR CX,CX
0066847E . 8AC8 MOV CL,AL
00668480 . FFD6 CALL ESI
00668482 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL ; store to [EBP-30] (12F65C)
00668485 > 8A4D D8 MOV CL,BYTE PTR SS:[EBP-28] ; reload the stashed low byte from [EBP-28] (12F664); CL = 0B8h
00668488 . 80E1 01 AND CL,1 ; keep bit 0
0066848B . 80F9 01 CMP CL,1 ; is bit 0 set?
0066848E . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20] ; reload the shifted high byte from [EBP-20] (12F66C); MOV keeps the flags
00668491 . 75 10 JNZ SHORT ks.006684A3 ; bit 0 clear -> skip the XOR step
00668493 . 8A5D CC MOV BL,BYTE PTR SS:[EBP-34] ; BL = 0A0h
00668496 . 8A55 E4 MOV DL,BYTE PTR SS:[EBP-1C] ; DL = 81h
00668499 . 32CB XOR CL,BL ; high byte ^= 0A0h
0066849B . 32C2 XOR AL,DL ; low byte ^= 81h
0066849D . 884D E0 MOV BYTE PTR SS:[EBP-20],CL
006684A0 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL
006684A3 > BA 01000000 MOV EDX,1
006684A8 . 66:03D7 ADD DX,DI ; inner counter + 1
006684AB . 0F80 54010000 JO ks.00668605 ; 16-bit overflow -> __vbaErrorOverflow
006684B1 . 8BFA MOV EDI,EDX
006684B3 .^ EB 93 JMP SHORT ks.00668448
; end of inner loop
006684B5 > BA 01000000 MOV EDX,1
006684BA . 66:0355 E8 ADD DX,WORD PTR SS:[EBP-18] ; outer index + 1
006684BE . 33DB XOR EBX,EBX ; EBX back to 0 for the null check at 006683FF
006684C0 . 0F80 3F010000 JO ks.00668605
006684C6 . 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
006684C9 .^ E9 1CFFFFFF JMP ks.006683EA
; end of outer loop
; AX = CCh = 204 -> second half of the checksum, "204"; CX = 7Dh = 125 -> first half, "125";
; DX = 1Ah = 26 -> all 26 characters have been consumed
; final values: 12F65C = CCh, 12F66C = 7Dh
; each byte is formatted with the pattern "000" (rtcVarFromFormatVar) and the two results are joined
006684CE > 8B35 8CB66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
006684D4 . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
006684DA . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
006684DD . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],ks.0042872C ; UNICODE "000"
006684E7 . C785 58FFFFFF>MOV DWORD PTR SS:[EBP-A8],8
006684F1 . FFD6 CALL ESI ; <&MSVBVM50.__vbaVarDup>
006684F3 . 8B3D 30B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.#660>] ; MSVBVM50.rtcVarFromFormatVar
006684F9 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; address of the high byte
006684FC . 6A 01 PUSH 1
006684FE . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00668501 . 898D 70FFFFFF MOV DWORD PTR SS:[EBP-90],ECX
00668507 . 6A 01 PUSH 1
00668509 . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0066850F . 52 PUSH EDX
00668510 . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58]
00668513 . BB 11400000 MOV EBX,4011 ; 4011h = VT_BYREF|VT_UI1 variant type
00668518 . 50 PUSH EAX
00668519 . 51 PUSH ECX
0066851A . 899D 68FFFFFF MOV DWORD PTR SS:[EBP-98],EBX
00668520 . FFD7 CALL EDI ; <&MSVBVM50.#660>
00668522 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00668528 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
0066852B . C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],ks.0042872C ; UNICODE "000"
00668535 . C785 38FFFFFF>MOV DWORD PTR SS:[EBP-C8],8
0066853F . FFD6 CALL ESI
00668541 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; address of the low byte
00668544 . 6A 01 PUSH 1
00668546 . 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
00668549 . 8995 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EDX
0066854F . 6A 01 PUSH 1
00668551 . 8D8D 48FFFFFF LEA ECX,DWORD PTR SS:[EBP-B8]
00668557 . 50 PUSH EAX
00668558 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066855B . 51 PUSH ECX
0066855C . 52 PUSH EDX
0066855D . 899D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EBX
00668563 . FFD7 CALL EDI
00668565 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00668568 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066856B . 50 PUSH EAX
0066856C . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
00668572 . 51 PUSH ECX
00668573 . 52 PUSH EDX
00668574 . FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>; MSVBVM50.__vbaVarCat
0066857A . 50 PUSH EAX
0066857B . FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>; MSVBVM50.__vbaStrVarMove
; the two formatted halves are now concatenated
00668581 . 8BD0 MOV EDX,EAX
00668583 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00668586 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066858C . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
00668592 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
00668595 . 50 PUSH EAX
00668596 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
00668599 . 51 PUSH ECX
0066859A . 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
0066859D . 52 PUSH EDX
0066859E . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
006685A1 . 50 PUSH EAX
006685A2 . 51 PUSH ECX
006685A3 . 6A 05 PUSH 5
006685A5 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006685AB . 83C4 18 ADD ESP,18
006685AE . 68 E8856600 PUSH ks.006685E8
006685B3 . EB 32 JMP SHORT ks.006685E7
; 006685B5-006685E6 is skipped by the JMP above; presumably the cleanup path used
; when the function is unwound after an error - confirm
006685B5 . F645 FC 04 TEST BYTE PTR SS:[EBP-4],4
006685B9 . 74 09 JE SHORT ks.006685C4
006685BB . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
006685BE . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
006685C4 > 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
006685CA . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
006685CD . 52 PUSH EDX
006685CE . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
006685D1 . 50 PUSH EAX
006685D2 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
006685D5 . 51 PUSH ECX
006685D6 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
006685D9 . 52 PUSH EDX
006685DA . 50 PUSH EAX
006685DB . 6A 05 PUSH 5
006685DD . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006685E3 . 83C4 18 ADD ESP,18
006685E6 . C3 RETN
006685E7 > C3 RETN ; RET used as a jump to 006685E8
006685E8 > 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10] ; ECX = output argument
006685EB . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] ; EDX = result string
006685EE . 5F POP EDI
006685EF . 5E POP ESI
006685F0 . 8911 MOV DWORD PTR DS:[ECX],EDX ; hand the result string to the caller
006685F2 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
006685F5 . 33C0 XOR EAX,EAX ; return value 0
006685F7 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX ; restore the previous SEH frame
006685FE . 5B POP EBX
006685FF . 8BE5 MOV ESP,EBP
00668601 . 5D POP EBP
00668602 . C2 0C00 RETN 0C
00668605 > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066860B . 90 NOP
0066860C . 90 NOP
0066860D . 90 NOP
0066860E . 90 NOP
0066860F . 90 NOP
00668610 > 55 PUSH EBP
-------------------------------------------------------------------------------
▲文件:0-26ASC-XOR.txt 26个字符的异或过程
-------------------------------------------------------------------------------
al cl bl XORalbl 暂存al
FF(初) 47 B8 B8 (外循环开始设初值,只计算xor al,bl)
B8 FF(初) FF(从CL)
5C(SHR1) 7F(SHR1) 01(AND1) 5C(内循环1,SHR(B8,1),SHR(FF,1),AND(FF,1))
Bit0为1则AL Bit7置1=> DC(OR AL,80)
B8
00(AND B8,1)CL若为1,则有复杂操作
7F放入CL
3F(shrCL,1第2步)7F(第1步) (内2)
6E(shrDC,1) 01(AND 7F,1) 6E
Bit0为1则AL Bit7置1=> EE(OR AL,80)
00(AND DC,1)CL若为1,则有复杂操作
DC放入CL
1F(shrCL,1第2步)3F(第1步) (内3)
77(shrEE,1) 01(AND 3F,1)
Bit0为1则AL Bit7置1=> F7(OR AL,80)
00(EE放入CL,AND DC,1)CL若为1,则有复杂操作
1F放入CL
这个过程太复杂了,直接逆推吧,先给26个字符,再推4个校验字符吧.
-------------------------------------------------------------------------------
▲文件:0-61D1A7.txt
-------------------------------------------------------------------------------
0061D154 8B1F MOV EBX,DWORD PTR DS:[EDI]
0061D156 52 PUSH EDX
0061D157 50 PUSH EAX
0061D158 51 PUSH ECX
0061D159 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0061D15C FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
0061D162 50 PUSH EAX
0061D163 57 PUSH EDI
0061D164 FF53 24 CALL DWORD PTR DS:[EBX+24]
0061D167 3BC6 CMP EAX,ESI
0061D169 7D 13 JGE SHORT ks1.0061D17E
0061D16B 8B1D 40B46800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0061D171 6A 24 PUSH 24
0061D173 68 C4E94100 PUSH ks1.0041E9C4
0061D178 57 PUSH EDI
0061D179 50 PUSH EAX
0061D17A FFD3 CALL EBX
0061D17C EB 06 JMP SHORT ks1.0061D184
0061D17E 8B1D 40B46800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0061D184 66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 75 16 JNZ SHORT ks1.0061D1A0
0061D18A 83C8 FF OR EAX,FFFFFFFF
0061D18D 68 0ED56100 PUSH ks1.0061D50E
0061D192 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 66:A3 DCB06700 MOV WORD PTR DS:[67B0DC],AX
0061D19B E9 4F030000 JMP ks1.0061D4EF
0061D1A0 66:3935 DCB0670>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 0F85 07030000 JNZ ks1.0061D4B4
0061D1AD 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
0061D1B0 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
0061D1B3 66:3975 10 CMP WORD PTR SS:[EBP+10],SI
0061D1B7 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D1BC 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D1C1 0F84 E3020000 JE ks1.0061D4AA
0061D1C7 3935 28C76700 CMP DWORD PTR DS:[67C728],ESI
0061D1CD 75 10 JNZ SHORT ks1.0061D1DF
0061D1CF 68 28C76700 PUSH ks1.0067C728
0061D1D4 68 A0C84100 PUSH ks1.0041C8A0
0061D1D9 FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D1DF 8B3D 28C76700 MOV EDI,DWORD PTR DS:[67C728]
0061D1E5 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0061D1E8 50 PUSH EAX
0061D1E9 57 PUSH EDI
0061D1EA 8B17 MOV EDX,DWORD PTR DS:[EDI]
0061D1EC FF52 14 CALL DWORD PTR DS:[EDX+14]
0061D1EF 3BC6 CMP EAX,ESI
0061D1F1 7D 0B JGE SHORT ks1.0061D1FE
0061D1F3 6A 14 PUSH 14
0061D1F5 68 98C74100 PUSH ks1.0041C798
0061D1FA 57 PUSH EDI
0061D1FB 50 PUSH EAX
0061D1FC FFD3 CALL EBX
0061D1FE 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0061D201 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0061D204 52 PUSH EDX
0061D205 50 PUSH EAX
0061D206 8B08 MOV ECX,DWORD PTR DS:[EAX]
0061D208 8BF8 MOV EDI,EAX
0061D20A FF51 60 CALL DWORD PTR DS:[ECX+60]
0061D20D 3BC6 CMP EAX,ESI
0061D20F 7D 0B JGE SHORT ks1.0061D21C
0061D211 6A 60 PUSH 60
0061D213 68 98E44100 PUSH ks1.0041E498
0061D218 57 PUSH EDI
0061D219 50 PUSH EAX
0061D21A FFD3 CALL EBX
0061D21C 83EC 10 SUB ESP,10
0061D21F B9 08000000 MOV ECX,8
0061D224 8BD4 MOV EDX,ESP
0061D226 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
0061D229 894D 9C MOV DWORD PTR SS:[EBP-64],ECX
0061D22C B8 D4E54100 MOV EAX,ks1.0041E5D4
0061D231 890A MOV DWORD PTR DS:[EDX],ECX
0061D233 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0061D236 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
0061D239 68 8CE24100 PUSH ks1.0041E28C ; UNICODE "NoAlert"
0061D23E 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0061D241 68 2CE74100 PUSH ks1.0041E72C ; UNICODE "Active"
0061D246 53 PUSH EBX
0061D247 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0061D24A 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
0061D24D 8942 0C MOV DWORD PTR DS:[EDX+C],EAX
0061D250 FF15 BCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>; MSVBVM50.__vbaStrI4
0061D256 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0061D25C 8BD0 MOV EDX,EAX
0061D25E 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0061D261 FFD7 CALL EDI
0061D263 50 PUSH EAX
0061D264 FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0061D26A 8BD0 MOV EDX,EAX
0061D26C 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0061D26F FFD7 CALL EDI
0061D271 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0061D274 50 PUSH EAX
0061D275 51 PUSH ECX
0061D276 FF15 6CB66800 CALL DWORD PTR DS:[<&MSVBVM50.#689>] ; MSVBVM50.rtcGetSetting
0061D27C 8BD0 MOV EDX,EAX
0061D27E 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0061D281 FFD7 CALL EDI
0061D283 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0061D286 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0061D289 52 PUSH EDX
0061D28A 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0061D28D 50 PUSH EAX
0061D28E 51 PUSH ECX
0061D28F 6A 03 PUSH 3
0061D291 FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0061D297 83C4 10 ADD ESP,10
0061D29A 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0061D29D FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0061D2A3 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0061D2A6 52 PUSH EDX
0061D2A7 68 D4E54100 PUSH ks1.0041E5D4
0061D2AC FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0061D2B2 85C0 TEST EAX,EAX
0061D2B4 0F85 FA010000 JNZ ks1.0061D4B4
0061D2BA 3935 B0B36700 CMP DWORD PTR DS:[67B3B0],ESI
0061D2C0 75 10 JNZ SHORT ks1.0061D2D2
0061D2C2 68 B0B36700 PUSH ks1.0067B3B0
0061D2C7 68 FCD44000 PUSH ks1.0040D4FC
0061D2CC FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D2D2 8B3D B0B36700 MOV EDI,DWORD PTR DS:[67B3B0]
0061D2D8 53 PUSH EBX
0061D2D9 57 PUSH EDI
0061D2DA 8B07 MOV EAX,DWORD PTR DS:[EDI]
0061D2DC FF90 00070000 CALL DWORD PTR DS:[EAX+700]
0061D2E2 3BC6 CMP EAX,ESI
0061D2E4 7D 12 JGE SHORT ks1.0061D2F8
0061D2E6 68 00070000 PUSH 700
0061D2EB 68 2C5D4200 PUSH ks1.00425D2C
0061D2F0 57 PUSH EDI
0061D2F1 50 PUSH EAX
0061D2F2 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D2F8 3935 B0B36700 CMP DWORD PTR DS:[67B3B0],ESI
0061D2FE 75 10 JNZ SHORT ks1.0061D310
0061D300 68 B0B36700 PUSH ks1.0067B3B0
0061D305 68 FCD44000 PUSH ks1.0040D4FC
0061D30A FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D310 8B3D B0B36700 MOV EDI,DWORD PTR DS:[67B3B0]
0061D316 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0061D319 52 PUSH EDX
0061D31A 57 PUSH EDI
0061D31B 8B0F MOV ECX,DWORD PTR DS:[EDI]
0061D31D FF91 F8060000 CALL DWORD PTR DS:[ECX+6F8]
0061D323 3BC6 CMP EAX,ESI
0061D325 7D 12 JGE SHORT ks1.0061D339
0061D327 68 F8060000 PUSH 6F8
0061D32C 68 2C5D4200 PUSH ks1.00425D2C
0061D331 57 PUSH EDI
0061D332 50 PUSH EAX
0061D333 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D339 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0061D33C 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0061D33F 50 PUSH EAX
0061D340 51 PUSH ECX
0061D341 C745 A4 0100000>MOV DWORD PTR SS:[EBP-5C],1
0061D348 C745 9C 0280000>MOV DWORD PTR SS:[EBP-64],8002
0061D34F FF15 14B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstEq
0061D355 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0061D358 8BF8 MOV EDI,EAX
0061D35A FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0061D360 66:3BFE CMP DI,SI
0061D363 0F84 4B010000 JE ks1.0061D4B4
0061D369 3935 E0B16700 CMP DWORD PTR DS:[67B1E0],ESI
0061D36F 75 10 JNZ SHORT ks1.0061D381
0061D371 68 E0B16700 PUSH ks1.0067B1E0
0061D376 68 1C384100 PUSH ks1.0041381C
0061D37B FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D381 8B3D E0B16700 MOV EDI,DWORD PTR DS:[67B1E0]
0061D387 53 PUSH EBX
0061D388 57 PUSH EDI
0061D389 8B17 MOV EDX,DWORD PTR DS:[EDI]
0061D38B FF92 00070000 CALL DWORD PTR DS:[EDX+700]
0061D391 3BC6 CMP EAX,ESI
0061D393 7D 12 JGE SHORT ks1.0061D3A7
0061D395 68 00070000 PUSH 700
0061D39A 68 3CE84100 PUSH ks1.0041E83C
0061D39F 57 PUSH EDI
0061D3A0 50 PUSH EAX
0061D3A1 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D3A7 3935 E0B16700 CMP DWORD PTR DS:[67B1E0],ESI
0061D3AD 75 10 JNZ SHORT ks1.0061D3BF
0061D3AF 68 E0B16700 PUSH ks1.0067B1E0
0061D3B4 68 1C384100 PUSH ks1.0041381C
0061D3B9 FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D3BF 8B3D E0B16700 MOV EDI,DWORD PTR DS:[67B1E0]
0061D3C5 83EC 10 SUB ESP,10
0061D3C8 8BDC MOV EBX,ESP
0061D3CA B9 0A000000 MOV ECX,0A
0061D3CF 8B17 MOV EDX,DWORD PTR DS:[EDI]
0061D3D1 B8 04000280 MOV EAX,80020004
0061D3D6 890B MOV DWORD PTR DS:[EBX],ECX
0061D3D8 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0061D3DB 83EC 10 SUB ESP,10
0061D3DE C745 9C 0300000>MOV DWORD PTR SS:[EBP-64],3
0061D3E5 894B 04 MOV DWORD PTR DS:[EBX+4],ECX
0061D3E8 8BCC MOV ECX,ESP
0061D3EA C745 A4 0100000>MOV DWORD PTR SS:[EBP-5C],1
0061D3F1 57 PUSH EDI
0061D3F2 8943 08 MOV DWORD PTR DS:[EBX+8],EAX
0061D3F5 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68]
0061D3F8 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
0061D3FB 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64]
0061D3FE 8901 MOV DWORD PTR DS:[ECX],EAX
0061D400 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0061D403 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
0061D406 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
0061D409 8941 08 MOV DWORD PTR DS:[ECX+8],EAX
0061D40C 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
0061D40F 8941 0C MOV DWORD PTR DS:[ECX+C],EAX
0061D412 FF92 B0020000 CALL DWORD PTR DS:[EDX+2B0]
0061D418 3BC6 CMP EAX,ESI
0061D41A 7D 12 JGE SHORT ks1.0061D42E
0061D41C 68 B0020000 PUSH 2B0
0061D421 68 0CE84100 PUSH ks1.0041E80C
0061D426 57 PUSH EDI
0061D427 50 PUSH EAX
0061D428 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D42E 8B7D EC MOV EDI,DWORD PTR SS:[EBP-14]
0061D431 3BFE CMP EDI,ESI
0061D433 75 12 JNZ SHORT ks1.0061D447
0061D435 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0061D438 51 PUSH ECX
0061D439 68 D0924000 PUSH ks1.004092D0
0061D43E FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D444 8B7D EC MOV EDI,DWORD PTR SS:[EBP-14]
0061D447 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0061D44A 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0061D44D 8B1F MOV EBX,DWORD PTR DS:[EDI]
0061D44F 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0061D452 52 PUSH EDX
0061D453 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0061D456 50 PUSH EAX
0061D457 51 PUSH ECX
0061D458 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0061D45B 52 PUSH EDX
0061D45C FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
0061D462 50 PUSH EAX
0061D463 57 PUSH EDI
0061D464 FF53 24 CALL DWORD PTR DS:[EBX+24]
0061D467 3BC6 CMP EAX,ESI
0061D469 7D 0F JGE SHORT ks1.0061D47A
0061D46B 6A 24 PUSH 24
0061D46D 68 C4E94100 PUSH ks1.0041E9C4
0061D472 57 PUSH EDI
0061D473 50 PUSH EAX
0061D474 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D47A 66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D47E 75 13 JNZ SHORT ks1.0061D493
0061D480 83C8 FF OR EAX,FFFFFFFF
0061D483 68 0ED56100 PUSH ks1.0061D50E
0061D488 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0061D48B 66:A3 DCB06700 MOV WORD PTR DS:[67B0DC],AX
0061D491 EB 5C JMP SHORT ks1.0061D4EF
0061D493 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
0061D496 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0061D499 68 0ED56100 PUSH ks1.0061D50E
0061D49E 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D4A3 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D4A8 EB 45 JMP SHORT ks1.0061D4EF
0061D4AA 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D4AF 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D4B4 68 0ED56100 PUSH ks1.0061D50E
0061D4B9 EB 34 JMP SHORT ks1.0061D4EF
0061D4BB 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0061D4BE 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0061D4C1 52 PUSH EDX
0061D4C2 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0061D4C5 50 PUSH EAX
0061D4C6 51 PUSH ECX
0061D4C7 6A 03 PUSH 3
0061D4C9 FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0061D4CF 83C4 10 ADD ESP,10
0061D4D2 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0061D4D5 FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0061D4DB 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0061D4DE 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0061D4E1 52 PUSH EDX
0061D4E2 50 PUSH EAX
0061D4E3 6A 02 PUSH 2
0061D4E5 FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0061D4EB 83C4 0C ADD ESP,0C
0061D4EE C3 RETN
0061D4EF 8B35 14B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0061D4F5 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0061D4F8 FFD6 CALL ESI
0061D4FA 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0061D4FD FFD6 CALL ESI
0061D4FF 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0061D502 FFD6 CALL ESI
0061D504 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0061D507 - FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0061D50D C3 RETN
0061D50E 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0061D511 66:8B45 E4 MOV AX,WORD PTR SS:[EBP-1C]
0061D515 5F POP EDI
0061D516 5E POP ESI
0061D517 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
0061D51E 5B POP EBX
0061D51F 8BE5 MOV ESP,EBP
0061D521 5D POP EBP
0061D522 C2 1400 RETN 14
0061D525 90 NOP
0061D526 90 NOP
0061D527 90 NOP
0061D528 90 NOP
0061D529 90 NOP
-------------------------------------------------------------------------------
▲文件:0-668130.txt
-------------------------------------------------------------------------------
; Function 00668130 - handles the "04" / "61" fields; called from 666F93, with "61" as
; the traced example.
;   [EBP+C]  = source string (copied to [EBP-18] with __vbaStrCopy)
;   [EBP+10] = output pointer; the 16-bit result is written through it at 0066830E
; Each character becomes its numeric value when rtcIsNumeric accepts it, otherwise its
; ANSI code minus 37h; result = left value * 36 + right value, kept in [EBP-20].
; A string longer than 2 characters skips the conversion, so the result stays 0.
; Returns EAX = 0; the callee pops 0Ch bytes.
00668130 > \55 PUSH EBP
00668131 . 8BEC MOV EBP,ESP
00668133 . 83EC 08 SUB ESP,8
00668136 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066813B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668141 . 50 PUSH EAX
00668142 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668149 . 83EC 48 SUB ESP,48
0066814C . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066814F . 53 PUSH EBX
00668150 . 56 PUSH ESI
00668151 . 57 PUSH EDI
00668152 . 33C0 XOR EAX,EAX
00668154 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00668157 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0066815A . C745 FC F0744>MOV DWORD PTR SS:[EBP-4],ks1.004074F0
00668161 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00668164 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00668167 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; result starts at 0
0066816A . 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
0066816D . 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
00668170 . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
00668176 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00668179 . 8B35 D8B36800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaLe>; MSVBVM50.__vbaLenBstr
0066817F . 50 PUSH EAX
00668180 . FFD6 CALL ESI ; <&MSVBVM50.__vbaLenBstr>
00668182 . 83F8 02 CMP EAX,2
00668185 . 0F8F 55010000 JG ks1.006682E0 ; longer than 2 characters -> leave with result 0
0066818B . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0066818E . 51 PUSH ECX
0066818F . FFD6 CALL ESI
00668191 . 83F8 01 CMP EAX,1
00668194 . 75 1E JNZ SHORT ks1.006681B4
; length 1: the input is joined with the string at ks1.0041E5D4 (its content is not
; shown in this listing; presumably a pad character - confirm) and stored back
00668196 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00668199 . 68 D4E54100 PUSH ks1.0041E5D4
0066819E . 52 PUSH EDX
0066819F . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
006681A5 . 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
006681AB . 8BD0 MOV EDX,EAX
006681AD . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
006681B0 . FFD7 CALL EDI ; <&MSVBVM50.__vbaStrMove>
006681B2 . EB 06 JMP SHORT ks1.006681BA
006681B4 > 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
006681BA > 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
006681BD . 6A 01 PUSH 1
006681BF . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
006681C2 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
006681C5 . BE 08400000 MOV ESI,4008 ; 4008h = VT_BYREF|VT_BSTR variant type
006681CA . 51 PUSH ECX
006681CB . 52 PUSH EDX
006681CC . 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
006681CF . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI
006681D2 . FF15 CCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#619>] ; MSVBVM50.rtcRightCharVar
; take the rightmost character, "1"
006681D8 . 8B1D DCB36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrVarMove
006681DE . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
006681E1 . 50 PUSH EAX
006681E2 . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrVarMove>
006681E4 . 8BD0 MOV EDX,EAX
006681E6 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
006681E9 . FFD7 CALL EDI
006681EB . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
006681EE . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
006681F4 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
006681F7 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
006681FA . 52 PUSH EDX
006681FB . 894D C8 MOV DWORD PTR SS:[EBP-38],ECX
006681FE . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI ; variant type 4008h again (ESI was loaded at 006681C5); the string itself is referenced via [EBP-38]
00668201 . FF15 20B56800 CALL DWORD PTR DS:[<&MSVBVM50.#561>] ; MSVBVM50.rtcIsNumeric
; is "1" numeric?
00668207 . 66:85C0 TEST AX,AX
0066820A . 74 14 JE SHORT ks1.00668220
0066820C . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0066820F . 50 PUSH EAX
00668210 . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
; convert to an 8-byte floating-point value
00668216 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
; convert to an integer
0066821C . 8BF0 MOV ESI,EAX ; result AX = 01; kept in SI for later
0066821E . EB 17 JMP SHORT ks1.00668237
00668220 > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00668223 . 51 PUSH ECX
00668224 . FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
0066822A . 66:8BF0 MOV SI,AX
0066822D . 66:83EE 37 SUB SI,37 ; non-numeric path: ANSI code - 37h, e.g. "E" (45h) -> 0Eh
00668231 . 0F80 F0000000 JO ks1.00668327
00668237 > 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0066823A . 6A 01 PUSH 1
0066823C . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0066823F . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00668242 . 50 PUSH EAX
00668243 . 51 PUSH ECX
00668244 . 8955 C8 MOV DWORD PTR SS:[EBP-38],EDX
00668247 . C745 C0 08400>MOV DWORD PTR SS:[EBP-40],4008
0066824E . FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>] ; MSVBVM50.rtcLeftCharVar
; take the leftmost character, "6"
00668254 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00668257 . 52 PUSH EDX
00668258 . FFD3 CALL EBX
0066825A . 8BD0 MOV EDX,EAX
0066825C . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0066825F . FFD7 CALL EDI
00668261 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00668264 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066826A . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066826D . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00668270 . 51 PUSH ECX
00668271 . 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
00668274 . C745 C0 08400>MOV DWORD PTR SS:[EBP-40],4008
0066827B . FF15 20B56800 CALL DWORD PTR DS:[<&MSVBVM50.#561>] ; MSVBVM50.rtcIsNumeric
00668281 . 66:85C0 TEST AX,AX
00668284 . 74 3C JE SHORT ks1.006682C2 ; left character not numeric -> integer path at 006682C2
00668286 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00668289 . 52 PUSH EDX
0066828A . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
00668290 . DD5D B8 FSTP QWORD PTR SS:[EBP-48]
00668293 . DD45 B8 FLD QWORD PTR SS:[EBP-48]
00668296 . DC0D 90744000 FMUL QWORD PTR DS:[407490] ; multiply by 36.0 ([407490] = 36.0): 6 * 36 = 216 (decimal)
0066829C . 0FBFC6 MOVSX EAX,SI
0066829F . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
006682A2 . DB45 B0 FILD DWORD PTR SS:[EBP-50]
006682A5 . DD5D A8 FSTP QWORD PTR SS:[EBP-58]
006682A8 . DC45 A8 FADD QWORD PTR SS:[EBP-58] ; add the 1 saved in SI: 217 (decimal)
006682AB . DFE0 FSTSW AX
006682AD . A8 0D TEST AL,0D
006682AF . 75 71 JNZ SHORT ks1.00668322 ; FPU status bits set -> __vbaFPException
006682B1 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
; convert to an integer; the value is returned in AX
006682B7 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
006682BA . 68 03836600 PUSH ks1.00668303
006682BF . 9B WAIT
006682C0 . EB 30 JMP SHORT ks1.006682F2
006682C2 > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
006682C5 . 51 PUSH ECX
006682C6 . FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
006682CC . 66:2D 3700 SUB AX,37 ; ANSI code - 37h, same mapping as at 0066822D
006682D0 . 70 55 JO SHORT ks1.00668327
006682D2 . 66:6BC0 24 IMUL AX,AX,24 ; * 24h = 36
006682D6 . 70 4F JO SHORT ks1.00668327
006682D8 . 66:03C6 ADD AX,SI ; + value of the right character
006682DB . 70 4A JO SHORT ks1.00668327
006682DD . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
006682E0 > 9B WAIT
006682E1 . 68 03836600 PUSH ks1.00668303
006682E6 . EB 0A JMP SHORT ks1.006682F2
; 006682E8-006682F1 is skipped by the JMP above; presumably the cleanup path used
; when the function is unwound after an error - confirm
006682E8 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
006682EB . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
006682F1 . C3 RETN
006682F2 > 8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeStr
006682F8 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
006682FB . FFD6 CALL ESI ; <&MSVBVM50.__vbaFreeStr>
006682FD . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00668300 . FFE6 JMP ESI ; tail call: __vbaFreeStr returns to the pushed 00668303
00668302 . C3 RETN
00668303 . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10] ; EDX = output pointer
00668306 . 66:8B45 E0 MOV AX,WORD PTR SS:[EBP-20] ; AX = converted value
0066830A . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0066830D . 5F POP EDI
0066830E . 66:8902 MOV WORD PTR DS:[EDX],AX ; store the 16-bit result for the caller
00668311 . 5E POP ESI
00668312 . 33C0 XOR EAX,EAX ; return value 0
00668314 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX ; restore the previous SEH frame
0066831B . 5B POP EBX
0066831C . 8BE5 MOV ESP,EBP
0066831E . 5D POP EBP
0066831F . C2 0C00 RETN 0C
00668322 >^ E9 D5FCD9FF JMP <JMP.&MSVBVM50.__vbaFPException>
00668327 > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066832D . 90 NOP
0066832E . 90 NOP
0066832F . 90 NOP
00668330 > 55 PUSH EBP
总结:
程序变换输入的激活码,例如5084J-VX10H-0248M-TXZO7-O1J69-26M9I
G7K4074H9V5MXVR I4086D67TRF0461
取后4个字符,每两个一组,把它们按36进制转换为相应数值(数字取其本身的值,字母为ASC值减37h,例如"E"转换为0Eh),然后
"04"操作为4+0*36=4, 格式化为"004"
"61"操作为1+6*36=217,格式化为"217"
连接以上字符串得到"004217"即为得到的校验串.
这个"0461"实际是激活码开始的"5084"反过来"4805",再各字符ASC值减4得到"0461"
然后再取前26个字符进行复杂的异或操作,取得另一个校验码.再比较.(见5-668330.txt)
36*2=72
36*3=108
36*4=144
36*5=180
36*6=216
36*7=252
F755 0-BBBBB-CCCCC-DDDDD-O2222-33333
O必须是O因为硬盘序列号为8
"037119"
037=1*36+1 "11"
119=3*36+11 "3B"
"113B"asc值加4=>"557F",反过来"F755"
校验成功,但是:
006671DB . FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>; MSVBVM50.__vbaLenBstr
006671E1 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
006671E4 . C745 B0 03000>MOV DWORD PTR SS:[EBP-50],3
006671EB . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
006671EE . 8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006671F4 . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006671FE . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00667201 . 50 PUSH EAX
00667202 . 6A 0B PUSH 0B
00667204 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0066720A . 51 PUSH ECX
0066720B . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0066720E . 52 PUSH EDX
0066720F . FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
00667215 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00667218 . 8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0066721E . C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],8008
00667228 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0066722B . 51 PUSH ECX
0066722C . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00667232 . 52 PUSH EDX
00667233 . FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstNe
;这里检测出错了.
;好像拿下面两个字符串比较,必须相等,这里就过了.
;0012E95C 001D32F4 UNICODE "4JV10H8M"
;0012E960 001D3F2C UNICODE "BBBBBYYY"
;0012EB40 0016C23C UNICODE "11111-0000M-BBBBB-YYYYY-XXXXX-6113B"这是变换后的激活码
;BBBBBYYY应该是硬盘序列号才对
;字母表ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890
;4JV10 H8M其中H8M是减4得到的,4JV10是减2得到的.
;H8M=>L2Q,4JV10=>6LX32反过来Q2L-23XL6
;F755 0-BBBBB-CC Q2L-23XL6 -O2222-33333
;F7550-BBBBB-CCQ2L-23XL6-O2222-33333
00667239 . 8BF8 MOV EDI,EAX ; eax=0
0066723B . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0066723E . 50 PUSH EAX
0066723F . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00667242 . 51 PUSH ECX
00667243 . 6A 02 PUSH 2
00667245 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0066724B . 83C4 0C ADD ESP,0C
0066724E . 66:85FF TEST DI,DI
00667251 . /75 28 JNZ SHORT ks.0066727B ;跳走完蛋
00667253 . |8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00667259 . |52 PUSH EDX
得到激活码:
F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到校验值为:225128这个校验码不行,改一下最后一个字符
F7550-BBBBB-CCQ2L-23XL6-O2222-33332得到校验码"156157"
156=36*4+12 "4C"
157=36*4+13 "4D"
"4C4D"asc值加4,"8G8H",反过来"H8G8"
H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
H8G8 0-BBBBB-CC Q2L-23XL6 -O 2222-33332
校验 硬盘序列号 ^校验硬盘序列号字符数
这样刚刚的检测也躲过了.
但是还有.
0066725A . |8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0066725D . |50 PUSH EAX
0066725E . |56 PUSH ESI
0066725F . |FF53 24 CALL DWORD PTR DS:[EBX+24] ; ks.00408C8A
;这个CALL 408C8A还要检测
00667262 . |66:39BD 8CFEF>CMP WORD PTR SS:[EBP-174],DI
00667269 . |74 10 JE SHORT ks.0066727B
0066726B . |C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00667272 . |EB 07 JMP SHORT ks.0066727B
00667274 . |C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
0066727B > \FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>; MSVBVM50.__vbaExitProc
00667281 . 68 0A736600 PUSH ks.0066730A
00667286 . EB 60 JMP SHORT ks.006672E8
00667288 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066728B . 51 PUSH ECX
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"
-------------------------------------------------------------------------------
▲文件:0-667400.txt
-------------------------------------------------------------------------------
0066725F . |FF53 24 CALL DWORD PTR DS:[EBX+24] ; ks.00408C8A调用以下代码:
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"
;-----------------------------------------------------------------------
; Routine at 00667400 (OllyDbg dump of a VB5 program; runtime is MSVBVM50).
; In:   [EBP+8]  = pointer kept in ESI; words are stored at ESI+34..ESI+3C and the
;                  slot at +34 of the table it points to is called
;                  (looks like an object pointer — confirm)
;       [EBP+C]  = string, presumably copied into the local at [EBP-18] by __vbaStrCopy
;       [EBP+10] = pointer that receives the 16-bit result
; Out:  word at [[EBP+10]] = -1 by default, 0 when any of the five stored words
;       is below 1 in a signed compare; EAX = 0; RETN 0C drops three stack arguments.
; Flow: Mid(s,1,1) -> Asc -> minus 46h -> [ESI+34]; then Mid(s,2,2), Mid(s,4,2),
;       Mid(s,6,2), Mid(s,8,2) each go through the routine held in [EBP-68] and the
;       16-bit results land in [ESI+36], [ESI+38], [ESI+3A], [ESI+3C].
; Review note: every test visible in this routine is a local signed compare against
;       the constant 1 on values derived from the entered string.
;-----------------------------------------------------------------------
00667400 > \55 PUSH EBP
00667401 . 8BEC MOV EBP,ESP
00667403 . 83EC 08 SUB ESP,8
00667406 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066740B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00667411 . 50 PUSH EAX
00667412 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00667419 . 83EC 58 SUB ESP,58
0066741C . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066741F . 53 PUSH EBX
00667420 . 56 PUSH ESI
00667421 . 57 PUSH EDI
;zero the locals that later hold strings and variants
00667422 . 33C0 XOR EAX,EAX
00667424 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00667427 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0066742A . C745 FC 30744>MOV DWORD PTR SS:[EBP-4],ks.00407430
00667431 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00667434 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00667437 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0066743A . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
0066743D . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00667440 . 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
;ECX = &[EBP-18], EDX = [EBP+C] at this call
00667443 . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
;EDI caches rtcMidCharVar for the five Mid() calls below
00667449 . 8B3D E4B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
0066744F . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00667452 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00667455 . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
00667458 . 51 PUSH ECX
00667459 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
0066745C . 6A 01 PUSH 1
0066745E . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00667461 . 52 PUSH EDX
00667462 . 50 PUSH EAX
;[EBP-14] is the result word; it starts at -1 and is only ever cleared at 0066766B
00667463 . C745 EC FFFFF>MOV DWORD PTR SS:[EBP-14],-1
0066746A . C745 DC 01000>MOV DWORD PTR SS:[EBP-24],1
00667471 . C745 D4 02000>MOV DWORD PTR SS:[EBP-2C],2
;4008 looks like the VT_BYREF|VT_BSTR variant tag for the string at [EBP-18] — confirm
00667478 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
0066747F . FFD7 CALL EDI ; <&MSVBVM50.#632>
;extract the "0" from the encrypted string "011110000M4JV10H8MYYXXXXX64C4D"
00667481 . 8B1D DCB56800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrVarVal
00667487 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0066748A . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0066748D . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00667490 . 51 PUSH ECX
00667491 . 52 PUSH EDX
00667492 . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrVarVal>
00667494 . 50 PUSH EAX
00667495 . FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
;converts "0" to 30h
0066749B . 66:2D 4600 SUB AX,46
;subtract 46h
0066749F . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
;a signed 16-bit overflow in the SUB goes to the __vbaErrorOverflow stub at 006676BF
006674A2 . 0F80 17020000 JO ks.006676BF
006674A8 . 66:8946 34 MOV WORD PTR DS:[ESI+34],AX
006674AC . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
006674B2 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006674B5 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
006674B8 . 50 PUSH EAX
006674B9 . 51 PUSH ECX
006674BA . 6A 02 PUSH 2
006674BC . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006674C2 . 83C4 0C ADD ESP,0C
;second field: the same Mid() set-up with start 2 and length 2
006674C5 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
006674C8 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
006674CB . B8 02000000 MOV EAX,2
006674D0 . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
006674D3 . 51 PUSH ECX
006674D4 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
006674D7 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
006674DA . 50 PUSH EAX
006674DB . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
006674DE . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006674E1 . 52 PUSH EDX
006674E2 . 50 PUSH EAX
006674E3 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
006674EA . FFD7 CALL EDI
;take "011110000M4JV10H8MYYXXXXX64C4D" MID(,2,2), giving "11"
;the slot at +34 of the table at [ESI] is cached in [EBP-68] and reused for all four pairs
006674EC . 8B0E MOV ECX,DWORD PTR DS:[ESI]
006674EE . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
006674F1 . 50 PUSH EAX
006674F2 . 8B51 34 MOV EDX,DWORD PTR DS:[ECX+34]
006674F5 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
006674F8 . 8955 98 MOV DWORD PTR SS:[EBP-68],EDX
006674FB . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
006674FE . 51 PUSH ECX
006674FF . 52 PUSH EDX
00667500 . FFD3 CALL EBX
00667502 . 50 PUSH EAX
00667503 . 56 PUSH ESI
00667504 . FF55 98 CALL DWORD PTR SS:[EBP-68]
;complex calculation CALL, processes "11"
;in fact it also calls 668130 and computes a checksum the same way "04" and "61" were handled.
00667507 . 66:8B45 A0 MOV AX,WORD PTR SS:[EBP-60]
0066750B . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0066750E . 66:8946 36 MOV WORD PTR DS:[ESI+36],AX ;store the checksum 25h (37) computed from "11" at 174556
00667512 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667518 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0066751B . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0066751E . 51 PUSH ECX
0066751F . 52 PUSH EDX
00667520 . 6A 02 PUSH 2
00667522 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
;third field: start 4, length 2
00667528 . B8 02000000 MOV EAX,2
0066752D . 83C4 0C ADD ESP,0C
00667530 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00667533 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00667536 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00667539 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066753C . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
0066753F . 51 PUSH ECX
00667540 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
00667543 . 6A 04 PUSH 4
00667545 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00667548 . 52 PUSH EDX
00667549 . 50 PUSH EAX
0066754A . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
00667551 . FFD7 CALL EDI
;take "011110000M4JV10H8MYYXXXXX64C4D" MID(,4,2), giving the next "11"
00667553 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00667556 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00667559 . 51 PUSH ECX
0066755A . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0066755D . 52 PUSH EDX
0066755E . 50 PUSH EAX
0066755F . FFD3 CALL EBX
00667561 . 50 PUSH EAX
00667562 . 56 PUSH ESI
00667563 . FF55 98 CALL DWORD PTR SS:[EBP-68]
;compute the checksum of the other "11", 25h
00667566 . 66:8B4D A0 MOV CX,WORD PTR SS:[EBP-60]
0066756A . 66:894E 38 MOV WORD PTR DS:[ESI+38],CX
;25h goes into CX and is then stored at 174558
0066756E . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00667571 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667577 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0066757A . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0066757D . 52 PUSH EDX
0066757E . 50 PUSH EAX
0066757F . 6A 02 PUSH 2
00667581 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667587 . 83C4 0C ADD ESP,0C
;fourth field: start 6, length 2
0066758A . B8 02000000 MOV EAX,2
0066758F . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00667592 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00667595 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00667598 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0066759B . 894D BC MOV DWORD PTR SS:[EBP-44],ECX
0066759E . 52 PUSH EDX
0066759F . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
006675A2 . 6A 06 PUSH 6
006675A4 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
006675A7 . 50 PUSH EAX
006675A8 . 51 PUSH ECX
006675A9 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
006675B0 . FFD7 CALL EDI
;take "0 11 11 00 00M4JV10H8MYYXXXXX64C4D" MID(,6,2), giving the next "00"
006675B2 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
006675B5 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006675B8 . 52 PUSH EDX
006675B9 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006675BC . 50 PUSH EAX
006675BD . 51 PUSH ECX
006675BE . FFD3 CALL EBX
006675C0 . 50 PUSH EAX
006675C1 . 56 PUSH ESI
006675C2 . FF55 98 CALL DWORD PTR SS:[EBP-68] ;compute the checksum of "00", giving 0h
006675C5 . 66:8B55 A0 MOV DX,WORD PTR SS:[EBP-60]
006675C9 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006675CC . 66:8956 3A MOV WORD PTR DS:[ESI+3A],DX ;stored at 17455A
006675D0 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
006675D6 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006675D9 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
006675DC . 50 PUSH EAX
006675DD . 51 PUSH ECX
006675DE . 6A 02 PUSH 2
006675E0 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
;fifth field: start 8, length 2
006675E6 . B8 02000000 MOV EAX,2
006675EB . 83C4 0C ADD ESP,0C
006675EE . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
006675F1 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
006675F4 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
006675F7 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
006675FA . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
006675FD . 50 PUSH EAX
006675FE . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
00667601 . 6A 08 PUSH 8
00667603 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00667606 . 51 PUSH ECX
00667607 . 52 PUSH EDX
00667608 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
0066760F . FFD7 CALL EDI
;take "0 11 11 00 00 M4JV10H8MYYXXXXX64C4D" MID(,8,2), giving the next "00"
00667611 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00667614 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00667617 . 50 PUSH EAX
00667618 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0066761B . 51 PUSH ECX
0066761C . 52 PUSH EDX
0066761D . FFD3 CALL EBX
0066761F . 50 PUSH EAX
00667620 . 56 PUSH ESI
00667621 . FF55 98 CALL DWORD PTR SS:[EBP-68] ;compute the checksum of "00", giving 0h
00667624 . 66:8B45 A0 MOV AX,WORD PTR SS:[EBP-60]
00667628 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0066762B . 66:8946 3C MOV WORD PTR DS:[ESI+3C],AX ;stored at 17455C
0066762F . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667635 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00667638 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0066763B . 51 PUSH ECX
0066763C . 52 PUSH EDX
0066763D . 6A 02 PUSH 2
0066763F . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
;AX = 1 is the threshold used by all five compares below
00667645 . B8 01000000 MOV EAX,1
0066764A . 83C4 0C ADD ESP,0C
;encrypted character table "0 11 11 00 00 M4JV10H8MYYXXXXX64C4D"
;position 0 1 2 3 4
;01111 0000M 4JV10 H8MYY XXXXX 64C4D
;^minimum is "G"=47h
;H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
; ^must be at least "I"=49h; 49h-2=47h and 47h-46h=1h is needed
; 2323 lets positions 3 and 4 pass
;the activation code H8G80-BBBBB-CCQ2L-23XL6-O2323-3434I yields the checksum "078048"
;078=2*36+6 "26"
;048=1*36+12 "1C"
;"261C" with 4 added to each ASCII code is "605G"; reversed, "G506"
;resulting activation code "G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
;but the program reports "无法激活产品,请检查是否有此科目的激活码" (cannot activate the product; check whether an activation code exists for this subject)
;so there appear to be further checks
;JL/JGE are signed compares, so a wrapped value such as the EAh noted on the next line counts as below 1
0066764D . 66:3946 34 CMP WORD PTR DS:[ESI+34],AX ;the EAh computed above from the first "0" (30h-46h) is compared with 1 (AX)
00667651 . 7C 18 JL SHORT ks.0066766B ;apparently none of these may jump; the computed result must not be less than 1
00667653 . 66:3946 36 CMP WORD PTR DS:[ESI+36],AX ;[174556]=25h, checksum of the 1st pair, "11"
00667657 . 7C 12 JL SHORT ks.0066766B ;the checksum result must not be less than 1
00667659 . 66:3946 38 CMP WORD PTR DS:[ESI+38],AX ;[174558]=25h, checksum of the 2nd pair, "11"
0066765D . 7C 0C JL SHORT ks.0066766B ;the checksum result must not be less than 1
0066765F . 66:3946 3A CMP WORD PTR DS:[ESI+3A],AX ;[17455A]=00h, checksum of the 3rd pair, "00"
00667663 . 7C 06 JL SHORT ks.0066766B ;the checksum result must not be less than 1
00667665 . 66:3946 3C CMP WORD PTR DS:[ESI+3C],AX ;[17455c]=00h, checksum of the 4th pair, "00"
00667669 . 7D 07 JGE SHORT ks.00667672 ;this one apparently has to jump; the checksum result must not be less than 1
;failure path: clear the result word
0066766B > C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
;common exit: push the epilogue address, then free the string copy at 00667696
00667672 > 68 A0766600 PUSH ks.006676A0
00667677 . EB 1D JMP SHORT ks.00667696
;00667679-00667695 cannot be reached by fall-through (a JMP precedes it);
;presumably the cleanup run when the runtime unwinds after an error — confirm
00667679 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0066767C . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667682 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00667685 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00667688 . 50 PUSH EAX
00667689 . 51 PUSH ECX
0066768A . 6A 02 PUSH 2
0066768C . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667692 . 83C4 0C ADD ESP,0C
00667695 . C3 RETN
;JMP instead of CALL: __vbaFreeStr returns to the 006676A0 pushed at 00667672
00667696 > 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00667699 .- FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0066769F . C3 RETN
;epilogue: write the result word through [EBP+10], restore the previous SEH head into FS:[0], return 0 in EAX
006676A0 . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
006676A3 . 66:8B45 EC MOV AX,WORD PTR SS:[EBP-14]
006676A7 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
006676AA . 5F POP EDI
006676AB . 66:8902 MOV WORD PTR DS:[EDX],AX
006676AE . 5E POP ESI
006676AF . 33C0 XOR EAX,EAX
006676B1 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
006676B8 . 5B POP EBX
006676B9 . 8BE5 MOV ESP,EBP
006676BB . 5D POP EBP
006676BC . C2 0C00 RETN 0C
;target of the JO at 006674A2
006676BF > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
006676C5 . 90 NOP
006676C6 . 90 NOP
006676C7 . 90 NOP
-------------------------------------------------------------------------------
▲文件:0-6793B0.txt
-------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; Routine at 006793B0 (OllyDbg dump of a VB5 program; runtime is MSVBVM50).
; In:   [EBP+C]  = 16-bit value, later compared with the word returned in [EBP-2C]
;       [EBP+10] = string, presumably copied into the local at [EBP-1C] by __vbaStrCopy
;       [EBP+14] = pointer that receives the 16-bit result
; Out:  word at [[EBP+14]] = [EBP-28]: -1 only on the path through 0067963A,
;       otherwise the 0 it is initialised with; EAX = 0; RETN 10 drops four stack arguments.
; Flow: 1. object [EBP-34], method slot +30 -> flag [EBP-C8]; non-zero goes to the
;          "KeyIs used!zzh" message box at 00679765.
;       2. object [EBP-38], method slot +1C -> string in [EBP-3C].
;       3. object [EBP-14], method slot +1C ([EBP-3C], [EBP-1C]) -> flag; any value
;          other than FFFF goes to the "ActKeyError.zzh" message box at 006796D8.
;       4. object [EBP-14], method slot +20 -> several out values; flag other than
;          FFFF leaves through 006797F8 without a message.
;       5. word [EBP+C] differs from word [EBP-2C] -> message box at 0067964B.
;       6. otherwise method slot +28 of object [EBP-34] is called and the result is set to -1.
; Each object local is created on first use with __vbaNew2 when it is still null.
;-----------------------------------------------------------------------
006793B0 > \55 PUSH EBP
006793B1 . 8BEC MOV EBP,ESP
006793B3 . 83EC 08 SUB ESP,8
006793B6 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
006793BB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
006793C1 . 50 PUSH EAX
006793C2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
006793C9 . 81EC D0000000 SUB ESP,0D0
006793CF . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
006793D2 . 53 PUSH EBX
006793D3 . 56 PUSH ESI
006793D4 . 57 PUSH EDI
;EBX = 0 is used both to clear the locals and as the zero operand of the compares up to 00679598
006793D5 . 33DB XOR EBX,EBX
006793D7 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006793DA . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
006793DD . C745 FC 487F4>MOV DWORD PTR SS:[EBP-4],ks.00407F48
006793E4 . 895D EC MOV DWORD PTR SS:[EBP-14],EBX
006793E7 . 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
006793EA . 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
006793ED . 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
006793F0 . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
006793F3 . 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
006793F6 . 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
006793F9 . 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
006793FC . 895D CC MOV DWORD PTR SS:[EBP-34],EBX
006793FF . 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00679402 . 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
00679405 . 895D C0 MOV DWORD PTR SS:[EBP-40],EBX
00679408 . 895D BC MOV DWORD PTR SS:[EBP-44],EBX
0067940B . 895D AC MOV DWORD PTR SS:[EBP-54],EBX
0067940E . 895D 9C MOV DWORD PTR SS:[EBP-64],EBX
00679411 . 895D 8C MOV DWORD PTR SS:[EBP-74],EBX
00679414 . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
0067941A . 899D 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EBX
00679420 . 899D 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EBX
00679426 . 899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
;ECX = &[EBP-1C], EDX = [EBP+10] at this call
0067942C . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
;step 1: make sure the object in [EBP-34] exists, then call its method slot +30
00679432 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00679435 . 3BC3 CMP EAX,EBX
00679437 . 75 12 JNZ SHORT ks.0067944B
00679439 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0067943C . 50 PUSH EAX
0067943D . 68 D0924000 PUSH ks.004092D0
00679442 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
00679448 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0067944B > 8B08 MOV ECX,DWORD PTR DS:[EAX]
0067944D . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00679453 . 52 PUSH EDX
00679454 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00679457 . 52 PUSH EDX
00679458 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0067945B . 52 PUSH EDX
0067945C . 50 PUSH EAX
0067945D . 8BF0 MOV ESI,EAX
0067945F . FF51 30 CALL DWORD PTR DS:[ECX+30]
;a negative return value is handed to __vbaHresultCheckObj; EDI caches that helper either way
00679462 . 3BC3 CMP EAX,EBX
00679464 . 7D 13 JGE SHORT ks.00679479
00679466 . 8B3D 40B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0067946C . 6A 30 PUSH 30
0067946E . 68 C4E94100 PUSH ks.0041E9C4
00679473 . 56 PUSH ESI
00679474 . 50 PUSH EAX
00679475 . FFD7 CALL EDI ; <&MSVBVM50.__vbaHresultCheckObj>
00679477 . EB 06 JMP SHORT ks.0067947F
00679479 > 8B3D 40B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
;a non-zero flag from slot +30 leads to the "KeyIs used!zzh" message box
0067947F > 66:399D 38FFF>CMP WORD PTR SS:[EBP-C8],BX
00679486 . 0F85 D9020000 JNZ ks.00679765
;step 2: object in [EBP-38], method slot +1C, result string in [EBP-3C]
0067948C . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0067948F . 3BC3 CMP EAX,EBX
00679491 . 75 12 JNZ SHORT ks.006794A5
00679493 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00679496 . 50 PUSH EAX
00679497 . 68 F88C4000 PUSH ks.00408CF8
0067949C . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
006794A2 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
006794A5 > 8B08 MOV ECX,DWORD PTR DS:[EAX]
006794A7 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
006794AA . 52 PUSH EDX
006794AB . 50 PUSH EAX
006794AC . 8BF0 MOV ESI,EAX
006794AE . FF51 1C CALL DWORD PTR DS:[ECX+1C]
;a very complex CALL; it seems to fetch the hard-disk serial number, does other things too, and also seems to compare the contents of msjet.ini
006794B1 . 3BC3 CMP EAX,EBX
006794B3 . 7D 0B JGE SHORT ks.006794C0
006794B5 . 6A 1C PUSH 1C
006794B7 . 68 D4874200 PUSH ks.004287D4
006794BC . 56 PUSH ESI
006794BD . 50 PUSH EAX
006794BE . FFD7 CALL EDI
;step 3: object in [EBP-14], method slot +1C, called with [EBP-3C] and [EBP-1C]
006794C0 > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
006794C3 . 3BC3 CMP EAX,EBX
006794C5 . 75 12 JNZ SHORT ks.006794D9
006794C7 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
006794CA . 50 PUSH EAX
006794CB . 68 748B4000 PUSH ks.00408B74
006794D0 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
006794D6 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
006794D9 > 8B08 MOV ECX,DWORD PTR DS:[EAX]
006794DB . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
006794E1 . 52 PUSH EDX
006794E2 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
006794E5 . 52 PUSH EDX
006794E6 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
006794E9 . 52 PUSH EDX
006794EA . 50 PUSH EAX
006794EB . 8BF0 MOV ESI,EAX
006794ED . FF51 1C CALL DWORD PTR DS:[ECX+1C]
;this CALL invokes the part that computes the checksums and compares them
006794F0 . 3BC3 CMP EAX,EBX
006794F2 . 7D 0B JGE SHORT ks.006794FF
006794F4 . 6A 1C PUSH 1C
006794F6 . 68 00874200 PUSH ks.00428700
006794FB . 56 PUSH ESI
006794FC . 50 PUSH EAX
006794FD . FFD7 CALL EDI
;ESI = -1 when the flag word equals FFFF, else 0; the string in [EBP-3C] is freed before the test
006794FF > 33C0 XOR EAX,EAX
00679501 . 66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679509 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0067950C . 0F94C0 SETE AL
0067950F . F7D8 NEG EAX
00679511 . 8BF0 MOV ESI,EAX
00679513 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00679519 . 66:3BF3 CMP SI,BX
0067951C . 0F84 B6010000 JE ks.006796D8 ; no jmp
;step 4: object in [EBP-14] again, method slot +20, six out parameters
00679522 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00679525 . 3BC3 CMP EAX,EBX
00679527 . 75 12 JNZ SHORT ks.0067953B
00679529 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0067952C . 51 PUSH ECX
0067952D . 68 748B4000 PUSH ks.00408B74
00679532 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
00679538 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0067953B > 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
00679541 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
00679543 . 51 PUSH ECX
00679544 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00679547 . 51 PUSH ECX
00679548 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0067954B . 51 PUSH ECX
0067954C . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0067954F . 51 PUSH ECX
00679550 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00679553 . 51 PUSH ECX
00679554 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00679557 . 51 PUSH ECX
00679558 . 50 PUSH EAX
00679559 . 8BF0 MOV ESI,EAX
0067955B . FF52 20 CALL DWORD PTR DS:[EDX+20]
0067955E . 3BC3 CMP EAX,EBX
00679560 . 7D 0B JGE SHORT ks.0067956D
00679562 . 6A 20 PUSH 20
00679564 . 68 00874200 PUSH ks.00428700
00679569 . 56 PUSH ESI
0067956A . 50 PUSH EAX
0067956B . FFD7 CALL EDI
;flag other than FFFF: leave through 006797F8, no message box on this path
0067956D > 66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 . 0F85 7D020000 JNZ ks.006797F8
;step 5: the caller's 16-bit argument must equal the word returned in [EBP-2C]
0067957B . 66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F . 66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 . 0F85 C2000000 JNZ ks.0067964B ; no jmp
;step 6: current date into the variant at [EBP-54], then method slot +28 of the object in [EBP-34]
00679589 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0067958C . 50 PUSH EAX
0067958D . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
00679593 . 8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
00679596 . 3BFB CMP EDI,EBX
00679598 . 75 12 JNZ SHORT ks.006795AC
0067959A . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0067959D . 51 PUSH ECX
0067959E . 68 D0924000 PUSH ks.004092D0
006795A3 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
006795A9 . 8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
;EBX is reloaded with the table pointer at [EDI] here and no longer holds 0
006795AC > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
006795AF . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
006795B2 . 8B1F MOV EBX,DWORD PTR DS:[EDI]
006795B4 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
006795BA . 52 PUSH EDX
006795BB . 50 PUSH EAX
006795BC . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
006795BF . 51 PUSH ECX
006795C0 . 52 PUSH EDX
006795C1 . FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>; MSVBVM50.__vbaStrErrVarCopy
006795C7 . 8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
006795CD . 8BD0 MOV EDX,EAX
006795CF . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
006795D2 . FFD6 CALL ESI ; <&MSVBVM50.__vbaStrMove>
006795D4 . 50 PUSH EAX
;the two values from [EBP-30] and [EBP-20] are converted with __vbaStrI2 and kept in [EBP-40] and [EBP-3C]
006795D5 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
006795D8 . 50 PUSH EAX
006795D9 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
006795DF . 8BD0 MOV EDX,EAX
006795E1 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
006795E4 . FFD6 CALL ESI
006795E6 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
006795E9 . 50 PUSH EAX
006795EA . 51 PUSH ECX
006795EB . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
006795F1 . 8BD0 MOV EDX,EAX
006795F3 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
006795F6 . FFD6 CALL ESI
006795F8 . 50 PUSH EAX
006795F9 . 57 PUSH EDI
006795FA . FF53 28 CALL DWORD PTR DS:[EBX+28] ;writes the registry / INI
006795FD . 85C0 TEST EAX,EAX
006795FF . 7D 0F JGE SHORT ks.00679610
00679601 . 6A 28 PUSH 28
00679603 . 68 C4E94100 PUSH ks.0041E9C4
00679608 . 57 PUSH EDI
00679609 . 50 PUSH EAX
0067960A . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00679610 > 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00679613 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00679616 . 52 PUSH EDX
00679617 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0067961A . 50 PUSH EAX
0067961B . 51 PUSH ECX
0067961C . 6A 03 PUSH 3
0067961E . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00679624 . 83C4 10 ADD ESP,10
;both list entries passed below are the address of [EBP-54]
00679627 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0067962A . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0067962D . 52 PUSH EDX
0067962E . 50 PUSH EAX
0067962F . 6A 02 PUSH 2
00679631 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00679637 . 83C4 0C ADD ESP,0C
;the only place the result word [EBP-28] becomes -1
0067963A . C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00679641 . 68 54986700 PUSH ks.00679854
00679646 . E9 EA010000 JMP ks.00679835
;message box for the step-5 mismatch; the prompt is the string at ks.00429280 (text not shown in the dump)
;0A with 80020004 looks like the VT_ERROR / DISP_E_PARAMNOTFOUND pair VB passes for omitted optional arguments — confirm
0067964B > 8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
00679651 . B9 04000280 MOV ECX,80020004
00679656 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
00679659 . B8 0A000000 MOV EAX,0A
0067965E . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
00679661 . BE 08000000 MOV ESI,8
00679666 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0067966C . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0067966F . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00679675 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00679678 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
00679682 . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00679688 . FFD7 CALL EDI ; <&MSVBVM50.__vbaVarDup>
0067968A . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00679690 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00679693 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.00429280
0067969D . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
006796A3 . FFD7 CALL EDI
006796A5 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
006796AB . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
006796AE . 51 PUSH ECX
006796AF . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
006796B2 . 52 PUSH EDX
006796B3 . 50 PUSH EAX
006796B4 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
006796B7 . 6A 30 PUSH 30
006796B9 . 51 PUSH ECX
006796BA . FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
006796C0 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
006796C6 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
006796C9 . 52 PUSH EDX
006796CA . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
006796CD . 50 PUSH EAX
006796CE . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
006796D1 . 51 PUSH ECX
006796D2 . 52 PUSH EDX
006796D3 . E9 15010000 JMP ks.006797ED
;message box for the step-3 failure; same layout as the block at 0067964B, prompt string at ks.004292B0
006796D8 > 8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
006796DE . B9 04000280 MOV ECX,80020004
006796E3 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
006796E6 . B8 0A000000 MOV EAX,0A
006796EB . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
006796EE . BE 08000000 MOV ESI,8
006796F3 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
006796F9 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
006796FC . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00679702 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00679705 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
0067970F . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00679715 . FFD7 CALL EDI ; <&MSVBVM50.__vbaVarDup>
00679717 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
0067971D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00679720 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.004292B0 ; UNICODE "ActKeyError.zzh"
0067972A . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
00679730 . FFD7 CALL EDI
00679732 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00679738 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0067973B . 50 PUSH EAX
0067973C . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
0067973F . 51 PUSH ECX
00679740 . 52 PUSH EDX
00679741 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
00679744 . 6A 30 PUSH 30
00679746 . 50 PUSH EAX
00679747 . FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
0067974D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00679753 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00679756 . 51 PUSH ECX
00679757 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0067975A . 52 PUSH EDX
0067975B . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0067975E . 50 PUSH EAX
0067975F . 51 PUSH ECX
00679760 . E9 88000000 JMP ks.006797ED
;message box for the step-1 flag; same layout again, prompt string at ks.004292DC
00679765 > 8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
0067976B . B9 04000280 MOV ECX,80020004
00679770 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
00679773 . B8 0A000000 MOV EAX,0A
00679778 . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
0067977B . BE 08000000 MOV ESI,8
00679780 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00679786 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
00679789 . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0067978F . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00679792 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
0067979C . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
006797A2 . FFD7 CALL EDI ; <&MSVBVM50.__vbaVarDup>
006797A4 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
006797AA . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
006797AD . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.004292DC ; UNICODE "KeyIs used!zzh"
006797B7 . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
006797BD . FFD7 CALL EDI
006797BF . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
006797C5 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
006797C8 . 52 PUSH EDX
006797C9 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
006797CC . 50 PUSH EAX
006797CD . 51 PUSH ECX
006797CE . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
006797D1 . 6A 30 PUSH 30
006797D3 . 52 PUSH EDX
006797D4 . FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
006797DA . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
006797E0 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
006797E3 . 50 PUSH EAX
006797E4 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
006797E7 . 51 PUSH ECX
006797E8 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
006797EB . 52 PUSH EDX
006797EC . 50 PUSH EAX
;shared tail of the three message-box paths: free the four variants pushed above
006797ED > 6A 04 PUSH 4
006797EF . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006797F5 . 83C4 14 ADD ESP,14
;failure exit: [EBP-28] is left untouched on this path
006797F8 > 68 54986700 PUSH ks.00679854
006797FD . EB 36 JMP SHORT ks.00679835
;006797FF-00679834 cannot be reached by fall-through (a JMP precedes it);
;presumably the cleanup run when the runtime unwinds after an error — confirm
006797FF . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00679802 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00679805 . 51 PUSH ECX
00679806 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00679809 . 52 PUSH EDX
0067980A . 50 PUSH EAX
0067980B . 6A 03 PUSH 3
0067980D . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00679813 . 83C4 10 ADD ESP,10
00679816 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0067981C . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
0067981F . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00679822 . 51 PUSH ECX
00679823 . 52 PUSH EDX
00679824 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00679827 . 50 PUSH EAX
00679828 . 51 PUSH ECX
00679829 . 6A 04 PUSH 4
0067982B . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00679831 . 83C4 14 ADD ESP,14
00679834 . C3 RETN
;common cleanup: release the three object locals and the string copy; the last __vbaFreeObj
;is entered with JMP, so it returns to the 00679854 pushed by the caller of this label
00679835 > 8B35 14B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0067983B . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0067983E . FFD6 CALL ESI ; <&MSVBVM50.__vbaFreeObj>
00679840 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00679843 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00679849 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0067984C . FFD6 CALL ESI
0067984E . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00679851 . FFE6 JMP ESI
00679853 . C3 RETN
;epilogue: write the result word through [EBP+14], restore the previous SEH head into FS:[0], return 0 in EAX
00679854 . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
00679857 . 66:8B45 D8 MOV AX,WORD PTR SS:[EBP-28]
0067985B . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0067985E . 5F POP EDI
0067985F . 66:8902 MOV WORD PTR DS:[EDX],AX
00679862 . 5E POP ESI
00679863 . 33C0 XOR EAX,EAX
00679865 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0067986C . 5B POP EBX
0067986D . 8BE5 MOV ESP,EBP
0067986F . 5D POP EBP
00679870 . C2 1000 RETN 10
-------------------------------------------------------------------------------
▲文件:0-66A9A0.txt
-------------------------------------------------------------------------------
0066A9A0 > \55 PUSH EBP
0066A9A1 . 8BEC MOV EBP,ESP
0066A9A3 . 83EC 14 SUB ESP,14
0066A9A6 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066A9AB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0066A9B1 . 50 PUSH EAX
0066A9B2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0066A9B9 . 81EC F8000000 SUB ESP,0F8
0066A9BF . 53 PUSH EBX
0066A9C0 . 56 PUSH ESI
0066A9C1 . 57 PUSH EDI
0066A9C2 . 8965 EC MOV DWORD PTR SS:[EBP-14],ESP
0066A9C5 . C745 F0 F0764>MOV DWORD PTR SS:[EBP-10],ks.004076F0
0066A9CC . 33DB XOR EBX,EBX
0066A9CE . 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0066A9D1 . 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0066A9D4 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
0066A9D7 . 8B37 MOV ESI,DWORD PTR DS:[EDI]
0066A9D9 . 57 PUSH EDI
0066A9DA . FF56 04 CALL DWORD PTR DS:[ESI+4]
0066A9DD . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
0066A9E0 . 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
0066A9E3 . 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
0066A9E6 . 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
0066A9E9 . 895D CC MOV DWORD PTR SS:[EBP-34],EBX
0066A9EC . 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
0066A9EF . 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
0066A9F2 . 895D C0 MOV DWORD PTR SS:[EBP-40],EBX
0066A9F5 . 895D BC MOV DWORD PTR SS:[EBP-44],EBX
0066A9F8 . 895D B8 MOV DWORD PTR SS:[EBP-48],EBX
0066A9FB . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
0066A9FE . 895D AC MOV DWORD PTR SS:[EBP-54],EBX
0066AA01 . 895D 90 MOV DWORD PTR SS:[EBP-70],EBX
0066AA04 . 895D 88 MOV DWORD PTR SS:[EBP-78],EBX
0066AA07 . 895D 84 MOV DWORD PTR SS:[EBP-7C],EBX
0066AA0A . 895D 80 MOV DWORD PTR SS:[EBP-80],EBX
0066AA0D . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
0066AA13 . 899D 78FFFFFF MOV DWORD PTR SS:[EBP-88],EBX
0066AA19 . 899D 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EBX
0066AA1F . 899D 70FFFFFF MOV DWORD PTR SS:[EBP-90],EBX
0066AA25 . 899D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EBX
0066AA2B . 899D 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EBX
0066AA31 . 899D 40FFFFFF MOV DWORD PTR SS:[EBP-C0],EBX
0066AA37 . 899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EBX
0066AA3D . 899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
0066AA43 . 68 3C894200 PUSH ks.0042893C
0066AA48 . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0066AA4B . 50 PUSH EAX
0066AA4C . FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>; MSVBVM50.__vbaAryConstruct
0066AA52 . C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066AA59 . 6A 01 PUSH 1
0066AA5B . FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>; MSVBVM50.__vbaOnError
0066AA61 . BA 64874200 MOV EDX,ks.00428764 ; UNICODE "userflag"
0066AA66 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AA69 . 8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCopy
0066AA6F . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrCopy>
0066AA71 . 8B4E 40 MOV ECX,DWORD PTR DS:[ESI+40]
0066AA74 . 898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX
0066AA7A . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066AA7D . 52 PUSH EDX
0066AA7E . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066AA81 . 50 PUSH EAX
0066AA82 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
0066AA85 . 51 PUSH ECX
0066AA86 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AA8C . 8BD0 MOV EDX,EAX
0066AA8E . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AA91 . 8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0066AA97 . FFD6 CALL ESI ; <&MSVBVM50.__vbaStrMove>
0066AA99 . 50 PUSH EAX
0066AA9A . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AA9F . 68 02000080 PUSH 80000002
0066AAA4 . 57 PUSH EDI
0066AAA5 . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AAAB . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066AAAE . C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AAB5 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066AAB8 . FFD6 CALL ESI
0066AABA . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066AABD . 52 PUSH EDX
0066AABE . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066AAC1 . 50 PUSH EAX
0066AAC2 . 6A 02 PUSH 2
0066AAC4 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AACA . 83C4 0C ADD ESP,0C
0066AACD . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0066AAD0 . 51 PUSH ECX
0066AAD1 . 68 A4B44100 PUSH ks.0041B4A4
0066AAD6 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AADC . 85C0 TEST EAX,EAX
0066AADE . 0F85 B2000000 JNZ ks.0066AB96
0066AAE4 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066AAE7 . 52 PUSH EDX
0066AAE8 . 57 PUSH EDI
0066AAE9 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AAEB . FF50 50 CALL DWORD PTR DS:[EAX+50]
0066AAEE . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],5
0066AAF8 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AAFE . 50 PUSH EAX
0066AAFF . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AB05 . 51 PUSH ECX
0066AB06 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AB09 . 52 PUSH EDX
0066AB0A . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066AB0F . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AB15 . 8BD0 MOV EDX,EAX
0066AB17 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB1A . FFD6 CALL ESI
0066AB1C . 50 PUSH EAX
0066AB1D . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066AB20 . 50 PUSH EAX
0066AB21 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AB27 . 8BD0 MOV EDX,EAX
0066AB29 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AB2C . FFD6 CALL ESI
0066AB2E . 50 PUSH EAX
0066AB2F . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AB35 . 8BD0 MOV EDX,EAX
0066AB37 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AB3D . FFD6 CALL ESI
0066AB3F . 50 PUSH EAX
0066AB40 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066AB45 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AB4B . 8BD0 MOV EDX,EAX
0066AB4D . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB53 . FFD6 CALL ESI
0066AB55 . 50 PUSH EAX
0066AB56 . 57 PUSH EDI
0066AB57 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AB59 . FF50 4C CALL DWORD PTR DS:[EAX+4C]
0066AB5C . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066AB62 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066AB6C . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066AB6F . FFD6 CALL ESI
0066AB71 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB77 . 51 PUSH ECX
0066AB78 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066AB7E . 52 PUSH EDX
0066AB7F . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066AB82 . 50 PUSH EAX
0066AB83 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB86 . 51 PUSH ECX
0066AB87 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066AB8A . 52 PUSH EDX
0066AB8B . 6A 05 PUSH 5
0066AB8D . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AB93 . 83C4 18 ADD ESP,18
0066AB96 > 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AB98 . 8B40 60 MOV EAX,DWORD PTR DS:[EAX+60]
0066AB9B . 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0066ABA1 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066ABA4 . 51 PUSH ECX
0066ABA5 . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
0066ABA8 . 52 PUSH EDX
0066ABA9 . 57 PUSH EDI
0066ABAA . FFD0 CALL EAX
0066ABAC . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066ABAF . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066ABB6 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066ABB9 . FFD6 CALL ESI
0066ABBB . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0066ABBE . 50 PUSH EAX
0066ABBF . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0066ABC5 . FF15 CCB46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>; MSVBVM50.__vbaFpR8
0066ABCB . DC1D 18774000 FCOMP QWORD PTR DS:[407718]
0066ABD1 . DFE0 FSTSW AX
0066ABD3 . F6C4 40 TEST AH,40
0066ABD6 . 0F84 C4080000 JE ks.0066B4A0
0066ABDC . BA B0874200 MOV EDX,ks.004287B0 ; UNICODE "userinfo"
0066ABE1 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066ABE4 . FFD3 CALL EBX
0066ABE6 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066ABE9 . 51 PUSH ECX
0066ABEA . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066ABED . 52 PUSH EDX
0066ABEE . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066ABF1 . 50 PUSH EAX
0066ABF2 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066ABF8 . 8BD0 MOV EDX,EAX
0066ABFA . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066ABFD . FFD6 CALL ESI
0066ABFF . 50 PUSH EAX
0066AC00 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AC05 . 68 02000080 PUSH 80000002
0066AC0A . 57 PUSH EDI
0066AC0B . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AC11 . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066AC14 . C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AC1B . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0066AC1E . FFD6 CALL ESI
0066AC20 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC23 . 51 PUSH ECX
0066AC24 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066AC27 . 52 PUSH EDX
0066AC28 . 6A 02 PUSH 2
0066AC2A . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AC30 . 83C4 0C ADD ESP,0C
0066AC33 . 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
0066AC36 . 50 PUSH EAX
0066AC37 . 68 A4B44100 PUSH ks.0041B4A4
0066AC3C . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AC42 . 85C0 TEST EAX,EAX
0066AC44 . 0F85 D1000000 JNZ ks.0066AD1B
0066AC4A . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AC4D . 51 PUSH ECX
0066AC4E . 57 PUSH EDI
0066AC4F . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AC51 . FF50 50 CALL DWORD PTR DS:[EAX+50]
0066AC54 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4
0066AC5E . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066AC64 . 52 PUSH EDX
0066AC65 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066AC6B . 50 PUSH EAX
0066AC6C . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066AC6F . 51 PUSH ECX
0066AC70 . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066AC75 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AC7B . 8BD0 MOV EDX,EAX
0066AC7D . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC80 . FFD6 CALL ESI
0066AC82 . 50 PUSH EAX
0066AC83 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066AC86 . 52 PUSH EDX
0066AC87 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AC8D . 8BD0 MOV EDX,EAX
0066AC8F . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AC92 . FFD6 CALL ESI
0066AC94 . 50 PUSH EAX
0066AC95 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AC9B . 8BD0 MOV EDX,EAX
0066AC9D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACA3 . FFD6 CALL ESI
0066ACA5 . 50 PUSH EAX
0066ACA6 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066ACAB . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066ACB1 . 8BD0 MOV EDX,EAX
0066ACB3 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066ACB9 . FFD6 CALL ESI
0066ACBB . 50 PUSH EAX
0066ACBC . 57 PUSH EDI
0066ACBD . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066ACBF . FF50 4C CALL DWORD PTR DS:[EAX+4C]
0066ACC2 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066ACC8 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066ACD2 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0066ACD5 . FFD6 CALL ESI
0066ACD7 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066ACDD . 50 PUSH EAX
0066ACDE . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACE4 . 51 PUSH ECX
0066ACE5 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066ACE8 . 52 PUSH EDX
0066ACE9 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066ACEC . 50 PUSH EAX
0066ACED . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066ACF0 . 51 PUSH ECX
0066ACF1 . 6A 05 PUSH 5
0066ACF3 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066ACF9 . 83C4 18 ADD ESP,18
0066ACFC . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
0066ACFF . 52 PUSH EDX
0066AD00 . 68 A4B44100 PUSH ks.0041B4A4
0066AD05 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AD0B . 85C0 TEST EAX,EAX
0066AD0D . 75 0C JNZ SHORT ks.0066AD1B
0066AD0F . C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AD16 . E9 B2070000 JMP ks.0066B4CD
0066AD1B > 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AD1D . 8B40 68 MOV EAX,DWORD PTR DS:[EAX+68]
0066AD20 . 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0066AD26 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD2C . 51 PUSH ECX
0066AD2D . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0066AD30 . 52 PUSH EDX
0066AD31 . 57 PUSH EDI
0066AD32 . FFD0 CALL EAX
0066AD34 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD3A . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066AD40 . 68 3C044200 PUSH ks.0042043C
0066AD45 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0066AD48 . 50 PUSH EAX
0066AD49 . 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54]
0066AD4C . 51 PUSH ECX
0066AD4D . 57 PUSH EDI
0066AD4E . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AD50 . FF50 64 CALL DWORD PTR DS:[EAX+64]
0066AD53 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0066AD56 . 85C0 TEST EAX,EAX
0066AD58 . 74 31 JE SHORT ks.0066AD8B
0066AD5A . 66:8338 01 CMP WORD PTR DS:[EAX],1
0066AD5E . 75 2B JNZ SHORT ks.0066AD8B
0066AD60 . 50 PUSH EAX
0066AD61 . 6A 01 PUSH 1
0066AD63 . FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>; MSVBVM50.__vbaUbound
0066AD69 . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
0066AD6C . 2B41 14 SUB EAX,DWORD PTR DS:[ECX+14]
0066AD6F . 8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AD75 . 3B41 10 CMP EAX,DWORD PTR DS:[ECX+10]
0066AD78 . 72 0C JB SHORT ks.0066AD86
0066AD7A . FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066AD80 . 8B85 34FFFFFF MOV EAX,DWORD PTR SS:[EBP-CC]
0066AD86 > C1E0 02 SHL EAX,2
0066AD89 . EB 06 JMP SHORT ks.0066AD91
0066AD8B > FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066AD91 > 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0066AD94 . 8B4A 0C MOV ECX,DWORD PTR DS:[EDX+C]
0066AD97 . 8B1401 MOV EDX,DWORD PTR DS:[ECX+EAX]
0066AD9A . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066AD9D . FFD3 CALL EBX
0066AD9F . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0066ADA2 . 52 PUSH EDX
0066ADA3 . 68 A4B44100 PUSH ks.0041B4A4
0066ADA8 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066ADAE . 85C0 TEST EAX,EAX
0066ADB0 . 0F84 E1060000 JE ks.0066B497
0066ADB6 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0066ADB9 . 85C0 TEST EAX,EAX
0066ADBB . 75 12 JNZ SHORT ks.0066ADCF
0066ADBD . 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0066ADC0 . 50 PUSH EAX
0066ADC1 . 68 F88C4000 PUSH ks.00408CF8
0066ADC6 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0066ADCC . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0066ADCF > 8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066ADD5 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066ADD7 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066ADDA . 52 PUSH EDX
0066ADDB . 50 PUSH EAX
0066ADDC . FF51 1C CALL DWORD PTR DS:[ECX+1C]
0066ADDF . 85C0 TEST EAX,EAX
0066ADE1 . 7D 15 JGE SHORT ks.0066ADF8
0066ADE3 . 6A 1C PUSH 1C
0066ADE5 . 68 D4874200 PUSH ks.004287D4
0066ADEA . 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066ADF0 . 51 PUSH ECX
0066ADF1 . 50 PUSH EAX
0066ADF2 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066ADF8 > 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066ADFB . 85C0 TEST EAX,EAX
0066ADFD . 75 12 JNZ SHORT ks.0066AE11
0066ADFF . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0066AE02 . 52 PUSH EDX
0066AE03 . 68 748B4000 PUSH ks.00408B74
0066AE08 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0066AE0E . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE11 > 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066AE17 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066AE19 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE1F . 52 PUSH EDX
0066AE20 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0066AE23 . 52 PUSH EDX
0066AE24 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AE27 . 52 PUSH EDX
0066AE28 . 50 PUSH EAX
0066AE29 . FF51 1C CALL DWORD PTR DS:[ECX+1C] ; 16e084出现004223
0066AE2C . 85C0 TEST EAX,EAX
0066AE2E . 7D 15 JGE SHORT ks.0066AE45
0066AE30 . 6A 1C PUSH 1C
0066AE32 . 68 00874200 PUSH ks.00428700
0066AE37 . 8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
0066AE3D . 51 PUSH ECX
0066AE3E . 50 PUSH EAX
0066AE3F . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066AE45 > 33D2 XOR EDX,EDX
0066AE47 . 66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AE4F . 0F94C2 SETE DL
0066AE52 . F7DA NEG EDX
0066AE54 . 8995 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EDX
0066AE5A . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AE5D . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066AE63 . 66:83BD 24FFF>CMP WORD PTR SS:[EBP-DC],0
0066AE6B . 0F84 1D060000 JE ks.0066B48E
0066AE71 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE74 . 85C0 TEST EAX,EAX
0066AE76 . 75 12 JNZ SHORT ks.0066AE8A
0066AE78 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0066AE7B . 50 PUSH EAX
0066AE7C . 68 748B4000 PUSH ks.00408B74
0066AE81 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0066AE87 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE8A > 8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AE90 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066AE92 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE98 . 52 PUSH EDX
0066AE99 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0066AE9C . 52 PUSH EDX
0066AE9D . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0066AEA0 . 52 PUSH EDX
0066AEA1 . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0066AEA4 . 52 PUSH EDX
0066AEA5 . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
0066AEA8 . 52 PUSH EDX
0066AEA9 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0066AEAC . 52 PUSH EDX
0066AEAD . 50 PUSH EAX
0066AEAE . FF51 20 CALL DWORD PTR DS:[ECX+20]
0066AEB1 . 85C0 TEST EAX,EAX
0066AEB3 . 7D 15 JGE SHORT ks.0066AECA
0066AEB5 . 6A 20 PUSH 20
0066AEB7 . 68 00874200 PUSH ks.00428700
0066AEBC . 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066AEC2 . 51 PUSH ECX
0066AEC3 . 50 PUSH EAX
0066AEC4 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066AECA > 66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 . 0F85 B6050000 JNZ ks.0066B48E
0066AED8 . 66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . 66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . 74 0C JE SHORT ks.0066AEEE
0066AEE2 . C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . E9 DF050000 JMP ks.0066B4CD
0066AEEE > BA 0C894200 MOV EDX,ks.0042890C ; UNICODE "userinfo1"
0066AEF3 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 . FFD3 CALL EBX
0066AEF8 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB . 50 PUSH EAX
0066AEFC . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEFF . 51 PUSH ECX
0066AF00 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066AF03 . 52 PUSH EDX
0066AF04 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AF0A . 8BD0 MOV EDX,EAX
0066AF0C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF0F . FFD6 CALL ESI
0066AF11 . 50 PUSH EAX
0066AF12 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AF17 . 68 02000080 PUSH 80000002
0066AF1C . 57 PUSH EDI
0066AF1D . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AF23 . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066AF26 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066AF29 . 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0066AF2C . FFD3 CALL EBX
0066AF2E . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AF31 . 51 PUSH ECX
0066AF32 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066AF35 . 52 PUSH EDX
0066AF36 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066AF39 . 50 PUSH EAX
0066AF3A . 6A 03 PUSH 3
0066AF3C . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AF42 . 83C4 10 ADD ESP,10
0066AF45 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF48 . 51 PUSH ECX
0066AF49 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066AF4C . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066AF4F . 50 PUSH EAX
0066AF50 . 57 PUSH EDI
0066AF51 . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108] ;CALL到66c100
0066AF57 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AF5A . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066AF5D . 83C1 04 ADD ECX,4
0066AF60 . FFD3 CALL EBX
0066AF62 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF65 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066AF6B . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066AF6E . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066AF71 . 50 PUSH EAX
0066AF72 . 68 A4B44100 PUSH ks.0041B4A4
0066AF77 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AF7D . 85C0 TEST EAX,EAX
0066AF7F . 0F84 09050000 JE ks.0066B48E
0066AF85 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AF87 . 8B40 50 MOV EAX,DWORD PTR DS:[EAX+50]
0066AF8A . 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
0066AF90 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF93 . 51 PUSH ECX
0066AF94 . 57 PUSH EDI
0066AF95 . FFD0 CALL EAX
0066AF97 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],1
0066AFA1 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AFA3 . 8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
0066AFA6 . 8995 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EDX
0066AFAC . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AFB2 . 50 PUSH EAX
0066AFB3 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AFB9 . 51 PUSH ECX
0066AFBA . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AFBD . 52 PUSH EDX
0066AFBE . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066AFC3 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AFC9 . 8BD0 MOV EDX,EAX
0066AFCB . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AFCE . FFD6 CALL ESI
0066AFD0 . 50 PUSH EAX
0066AFD1 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066AFD4 . 50 PUSH EAX
0066AFD5 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AFDB . 8BD0 MOV EDX,EAX
0066AFDD . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AFE0 . FFD6 CALL ESI
0066AFE2 . 50 PUSH EAX
0066AFE3 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AFE9 . 8BD0 MOV EDX,EAX
0066AFEB . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AFF1 . FFD6 CALL ESI
0066AFF3 . 50 PUSH EAX
0066AFF4 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066AFF9 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AFFF . 8BD0 MOV EDX,EAX
0066B001 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B007 . FFD6 CALL ESI
0066B009 . 50 PUSH EAX
0066B00A . 57 PUSH EDI
0066B00B . FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B011 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B017 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B01A . 83C1 08 ADD ECX,8
0066B01D . FFD3 CALL EBX
0066B01F . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B025 . 52 PUSH EDX
0066B026 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B02C . 50 PUSH EAX
0066B02D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B033 . 51 PUSH ECX
0066B034 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B037 . 52 PUSH EDX
0066B038 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B03B . 50 PUSH EAX
0066B03C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B03F . 51 PUSH ECX
0066B040 . 6A 06 PUSH 6
0066B042 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B048 . 83C4 1C ADD ESP,1C
0066B04B . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B04E . 52 PUSH EDX
0066B04F . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B052 . 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8]
0066B055 . 51 PUSH ECX
0066B056 . 57 PUSH EDI
0066B057 . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B05D . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B060 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B063 . 8D48 08 LEA ECX,DWORD PTR DS:[EAX+8]
0066B066 . FFD3 CALL EBX
0066B068 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B06B . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B071 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B074 . 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
0066B077 . 52 PUSH EDX
0066B078 . 68 A4B44100 PUSH ks.0041B4A4
0066B07D . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B083 . 85C0 TEST EAX,EAX
0066B085 . 0F84 03040000 JE ks.0066B48E
0066B08B . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B08E . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B091 . 51 PUSH ECX
0066B092 . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0066B095 . 52 PUSH EDX
0066B096 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B09C . 85C0 TEST EAX,EAX
0066B09E . 0F85 EA030000 JNZ ks.0066B48E
0066B0A4 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B0A7 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B0AA . 51 PUSH ECX
0066B0AB . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0066B0B1 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
0066B0B7 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
0066B0BA . BA A4B44100 MOV EDX,ks.0041B4A4
0066B0BF . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B0C2 . 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0066B0C5 . FFD3 CALL EBX
0066B0C7 . BA A4B44100 MOV EDX,ks.0041B4A4
0066B0CC . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B0CF . 83C1 08 ADD ECX,8
0066B0D2 . FFD3 CALL EBX
0066B0D4 . BA 24894200 MOV EDX,ks.00428924 ; UNICODE "userinfo2"
0066B0D9 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B0DC . FFD3 CALL EBX
0066B0DE . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B0E1 . 52 PUSH EDX
0066B0E2 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B0E5 . 50 PUSH EAX
0066B0E6 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
0066B0E9 . 51 PUSH ECX
0066B0EA . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066B0F0 . 8BD0 MOV EDX,EAX
0066B0F2 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B0F5 . FFD6 CALL ESI
0066B0F7 . 50 PUSH EAX
0066B0F8 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066B0FD . 68 02000080 PUSH 80000002
0066B102 . 57 PUSH EDI
0066B103 . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066B109 . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066B10C . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B10F . 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0066B112 . FFD3 CALL EBX
0066B114 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B117 . 51 PUSH ECX
0066B118 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066B11B . 52 PUSH EDX
0066B11C . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066B11F . 50 PUSH EAX
0066B120 . 6A 03 PUSH 3
0066B122 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B128 . 83C4 10 ADD ESP,10
0066B12B . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B12E . 51 PUSH ECX
0066B12F . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B132 . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066B135 . 50 PUSH EAX
0066B136 . 57 PUSH EDI
0066B137 . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B13D . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B140 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B143 . 83C1 04 ADD ECX,4
0066B146 . FFD3 CALL EBX
0066B148 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B14B . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B151 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B154 . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066B157 . 50 PUSH EAX
0066B158 . 68 A4B44100 PUSH ks.0041B4A4
0066B15D . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B163 . 85C0 TEST EAX,EAX
0066B165 . 0F84 23030000 JE ks.0066B48E
0066B16B . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B16E . 51 PUSH ECX
0066B16F . 57 PUSH EDI
0066B170 . FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B176 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],2
0066B180 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B186 . 52 PUSH EDX
0066B187 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066B18D . 50 PUSH EAX
0066B18E . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066B191 . 51 PUSH ECX
0066B192 . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066B197 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B19D . 8BD0 MOV EDX,EAX
0066B19F . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B1A2 . FFD6 CALL ESI
0066B1A4 . 50 PUSH EAX
0066B1A5 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066B1A8 . 52 PUSH EDX
0066B1A9 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066B1AF . 8BD0 MOV EDX,EAX
0066B1B1 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B1B4 . FFD6 CALL ESI
0066B1B6 . 50 PUSH EAX
0066B1B7 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B1BD . 8BD0 MOV EDX,EAX
0066B1BF . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B1C5 . FFD6 CALL ESI
0066B1C7 . 50 PUSH EAX
0066B1C8 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
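;又是MSJET1.INI:文件名由 [EBP-78]、"Microsoft\MSJET"、__vbaStrI2([EBP+C]) 的结果和 ".INI" 经三次 __vbaStrCat 拼接而成,其中的 1 应来自本次调试时 [EBP+C] 的值(推测)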
0066B1CD . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B1D3 . 8BD0 MOV EDX,EAX
0066B1D5 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B1DB . FFD6 CALL ESI
0066B1DD . 50 PUSH EAX
0066B1DE . 57 PUSH EDI
0066B1DF . FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B1E5 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B1EB . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B1EE . 8D48 08 LEA ECX,DWORD PTR DS:[EAX+8]
0066B1F1 . FFD3 CALL EBX
0066B1F3 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0066B1F9 . 51 PUSH ECX
0066B1FA . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
0066B200 . 52 PUSH EDX
0066B201 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0066B207 . 50 PUSH EAX
0066B208 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B20B . 51 PUSH ECX
0066B20C . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066B20F . 52 PUSH EDX
0066B210 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066B213 . 50 PUSH EAX
0066B214 . 6A 06 PUSH 6
0066B216 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B21C . 83C4 1C ADD ESP,1C
0066B21F . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B222 . 51 PUSH ECX
0066B223 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B226 . 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
0066B229 . 50 PUSH EAX
0066B22A . 57 PUSH EDI
0066B22B . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B231 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B234 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B237 . 83C1 08 ADD ECX,8
0066B23A . FFD3 CALL EBX
0066B23C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B23F . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B245 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B248 . 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
0066B24B . 50 PUSH EAX
0066B24C . 68 A4B44100 PUSH ks.0041B4A4
0066B251 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B257 . 85C0 TEST EAX,EAX
0066B259 . 0F84 2F020000 JE ks.0066B48E
0066B25F . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B262 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B265 . 51 PUSH ECX
0066B266 . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0066B269 . 52 PUSH EDX
0066B26A . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B270 . 85C0 TEST EAX,EAX
0066B272 . 0F85 2F020000 JNZ ks.0066B4A7
0066B278 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B27B . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B27E . 51 PUSH ECX
0066B27F . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0066B285 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
0066B28B . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0066B28E . 8B4D 8C MOV ECX,DWORD PTR SS:[EBP-74]
0066B291 . 66:85C9 TEST CX,CX
0066B294 . 0F8E EB010000 JLE ks.0066B485
0066B29A . 66:85C0 TEST AX,AX
0066B29D . 0F8E E2010000 JLE ks.0066B485
0066B2A3 . 66:837D 18 FF CMP WORD PTR SS:[EBP+18],0FFFF
0066B2A8 . 0F85 CE010000 JNZ ks.0066B47C
0066B2AE . 66:49 DEC CX
0066B2B0 . 0F80 F7020000 JO ks.0066B5AD
0066B2B6 . 894D 8C MOV DWORD PTR SS:[EBP-74],ECX
0066B2B9 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B2BC . 52 PUSH EDX
0066B2BD . 57 PUSH EDI
0066B2BE . FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B2C4 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],3
0066B2CE . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B2D4 . 50 PUSH EAX
0066B2D5 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B2DB . 51 PUSH ECX
0066B2DC . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B2DF . 52 PUSH EDX
0066B2E0 . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066B2E5 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B2EB . 8BD0 MOV EDX,EAX
0066B2ED . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B2F0 . FFD6 CALL ESI
0066B2F2 . 50 PUSH EAX
0066B2F3 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066B2F6 . 50 PUSH EAX
0066B2F7 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066B2FD . 8BD0 MOV EDX,EAX
0066B2FF . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B302 . FFD6 CALL ESI
0066B304 . 50 PUSH EAX
0066B305 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B30B . 8BD0 MOV EDX,EAX
0066B30D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B313 . FFD6 CALL ESI
0066B315 . 50 PUSH EAX
0066B316 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066B31B . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B321 . 8BD0 MOV EDX,EAX
0066B323 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B329 . FFD6 CALL ESI
0066B32B . 50 PUSH EAX
0066B32C . 57 PUSH EDI
0066B32D . FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B333 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B339 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B33C . 83C1 04 ADD ECX,4
0066B33F . FFD3 CALL EBX
0066B341 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B347 . 52 PUSH EDX
0066B348 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B34E . 50 PUSH EAX
0066B34F . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B355 . 51 PUSH ECX
0066B356 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B359 . 52 PUSH EDX
0066B35A . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B35D . 50 PUSH EAX
0066B35E . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B361 . 51 PUSH ECX
0066B362 . 6A 06 PUSH 6
0066B364 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B36A . 83C4 1C ADD ESP,1C
0066B36D . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B373 . 52 PUSH EDX
0066B374 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B377 . 83C0 04 ADD EAX,4
0066B37A . 50 PUSH EAX
0066B37B . 57 PUSH EDI
0066B37C . FF95 F4FEFFFF CALL DWORD PTR SS:[EBP-10C]
0066B382 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B388 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B38E . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B394 . 51 PUSH ECX
0066B395 . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
0066B39B . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B39E . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066B3A1 . 50 PUSH EAX
0066B3A2 . FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>; MSVBVM50.__vbaDateStr
0066B3A8 . DD9D 48FFFFFF FSTP QWORD PTR SS:[EBP-B8]
0066B3AE . C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],8007
0066B3B8 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3BE . 51 PUSH ECX
0066B3BF . 8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0066B3C5 . 52 PUSH EDX
0066B3C6 . FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstNe
0066B3CC . 8BD8 MOV EBX,EAX
0066B3CE . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3D4 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B3DA . 66:85DB TEST BX,BX
0066B3DD . 74 0F JE SHORT ks.0066B3EE
0066B3DF . 66:8B45 B4 MOV AX,WORD PTR SS:[EBP-4C]
0066B3E3 . 66:48 DEC AX
0066B3E5 . 0F80 C2010000 JO ks.0066B5AD
0066B3EB . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0066B3EE > 8B4D 8C MOV ECX,DWORD PTR SS:[EBP-74]
0066B3F1 . 51 PUSH ECX
0066B3F2 . 8B1D B0B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrI2
0066B3F8 . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrI2>
0066B3FA . 8BD0 MOV EDX,EAX
0066B3FC . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0066B3FF . FFD6 CALL ESI
0066B401 . 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C]
0066B404 . 52 PUSH EDX
0066B405 . FFD3 CALL EBX
0066B407 . 8BD0 MOV EDX,EAX
0066B409 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0066B40C . FFD6 CALL ESI
0066B40E . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B414 . 50 PUSH EAX
0066B415 . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
0066B41B . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B421 . 51 PUSH ECX
0066B422 . FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>; MSVBVM50.__vbaStrErrVarCopy
0066B428 . 8BD0 MOV EDX,EAX
0066B42A . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
0066B42D . FFD6 CALL ESI
0066B42F . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B435 . 52 PUSH EDX
0066B436 . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B43C . 50 PUSH EAX
0066B43D . 6A 02 PUSH 2
0066B43F . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0066B445 . 83C4 0C ADD ESP,0C
0066B448 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B44E . 51 PUSH ECX
0066B44F . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0066B452 . 52 PUSH EDX
0066B453 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066B456 . 50 PUSH EAX
0066B457 . 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
0066B45A . 51 PUSH ECX
0066B45B . 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
0066B45E . 52 PUSH EDX
0066B45F . 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0066B462 . 50 PUSH EAX
0066B463 . 57 PUSH EDI
0066B464 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066B466 . FF50 28 CALL DWORD PTR DS:[EAX+28]
0066B469 . 85C0 TEST EAX,EAX
0066B46B . 7D 0F JGE SHORT ks.0066B47C
0066B46D . 6A 28 PUSH 28
0066B46F . 68 C4E94100 PUSH ks.0041E9C4
0066B474 . 57 PUSH EDI
0066B475 . 50 PUSH EAX
0066B476 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066B47C > C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0066B483 . EB 48 JMP SHORT ks.0066B4CD
0066B485 > C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B48C . EB 3F JMP SHORT ks.0066B4CD
0066B48E > C745 B8 EB030>MOV DWORD PTR SS:[EBP-48],3EB
0066B495 . EB 10 JMP SHORT ks.0066B4A7
0066B497 > C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B49E . EB 07 JMP SHORT ks.0066B4A7
0066B4A0 > C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066B4A7 > FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>] ; MSVBVM50.rtcErrObj
0066B4AD . 50 PUSH EAX
0066B4AE . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4B4 . 51 PUSH ECX
0066B4B5 . FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
0066B4BB . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0066B4BD . 50 PUSH EAX
0066B4BE . FF52 48 CALL DWORD PTR DS:[EDX+48]
0066B4C1 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4C7 . FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0066B4CD > FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>; MSVBVM50.__vbaExitProc
0066B4D3 . 9B WAIT
0066B4D4 . 68 84B56600 PUSH ks.0066B584
0066B4D9 . EB 52 JMP SHORT ks.0066B52D
0066B4DB . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B4E1 . 50 PUSH EAX
0066B4E2 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B4E8 . 51 PUSH ECX
0066B4E9 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066B4EF . 52 PUSH EDX
0066B4F0 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066B4F3 . 50 PUSH EAX
0066B4F4 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B4F7 . 51 PUSH ECX
0066B4F8 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B4FB . 52 PUSH EDX
0066B4FC . 6A 06 PUSH 6
0066B4FE . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B504 . 83C4 1C ADD ESP,1C
0066B507 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B50D . FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0066B513 . 8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
0066B519 . 50 PUSH EAX
0066B51A . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B520 . 51 PUSH ECX
0066B521 . 6A 02 PUSH 2
0066B523 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0066B529 . 83C4 0C ADD ESP,0C
0066B52C . C3 RETN
0066B52D > 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0066B530 . 52 PUSH EDX
0066B531 . 6A 00 PUSH 0
0066B533 . 8B3D 50B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaAr>; MSVBVM50.__vbaAryDestruct
0066B539 . FFD7 CALL EDI ; <&MSVBVM50.__vbaAryDestruct>
0066B53B . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066B53E . 8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeStr
0066B544 . FFD6 CALL ESI ; <&MSVBVM50.__vbaFreeStr>
0066B546 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0066B549 . FFD6 CALL ESI
0066B54B . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
0066B54E . FFD6 CALL ESI
0066B550 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0066B553 . 8B1D 14B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0066B559 . FFD3 CALL EBX ; <&MSVBVM50.__vbaFreeObj>
0066B55B . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066B55E . FFD6 CALL ESI
0066B560 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0066B563 . FFD3 CALL EBX
0066B565 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0066B568 . FFD6 CALL ESI
0066B56A . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0066B56D . FFD6 CALL ESI
0066B56F . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0066B572 . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EAX
0066B578 . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0066B57E . 51 PUSH ECX
0066B57F . 6A 00 PUSH 0
0066B581 . FFD7 CALL EDI
0066B583 . C3 RETN
0066B584 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B587 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0066B589 . 50 PUSH EAX
0066B58A . FF52 08 CALL DWORD PTR DS:[EDX+8]
0066B58D . 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C]
0066B590 . 66:8B4D B8 MOV CX,WORD PTR SS:[EBP-48]
0066B594 . 66:8908 MOV WORD PTR DS:[EAX],CX
0066B597 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0066B59A . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
0066B59D . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066B5A4 . 5F POP EDI
0066B5A5 . 5E POP ESI
0066B5A6 . 5B POP EBX
0066B5A7 . 8BE5 MOV ESP,EBP
0066B5A9 . 5D POP EBP
0066B5AA . C2 1800 RETN 18
0066B5AD > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066B5B3 . 90 NOP
0066B5B4 . 90 NOP
0066B5B5 . 90 NOP
0066B5B6 . 90 NOP
0066B5B7 . 90 NOP
0066B5B8 . 90 NOP
0066B5B9 . 90 NOP
======
从66af51 call
;-----------------------------------------------------------------------
; Routine at 0066C100 (32-bit x86, OllyDbg listing of code linked against MSVBVM50).
; Purpose: copy the string passed in [EBP+C] into a local, pass that local by
;          reference to the object's method at vtable offset 20h together with
;          the constant string "bjSchool", then hand the resulting string back
;          through the pointer in [EBP+10].
; In:      [EBP+8]  = object pointer (its first dword is used as the vtable)
;          [EBP+C]  = input string
;          [EBP+10] = pointer that receives the result string
; Out:     EAX = 0; *[EBP+10] = string held in local [EBP-18]
; Stack:   callee removes 0Ch bytes of arguments (RETN 0C)
; Locals:  [EBP-14] working copy of the input, [EBP-18] result copy,
;          [EBP-1C] extra slot passed to the method and not read again here
; NOTE(review): "bjSchool" sits in the binary as a plain UNICODE literal. If the
;          method at +20h uses it as the key for the transform applied to the
;          stored registration strings (not visible here, confirm), that storage
;          is obfuscation only, because the constant is readable from the image.
;-----------------------------------------------------------------------
0066C100 > \55 PUSH EBP
0066C101 . 8BEC MOV EBP,ESP
0066C103 . 83EC 08 SUB ESP,8
0066C106 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066C10B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0066C111 . 50 PUSH EAX
; previous FS:[0] record is now at [EBP-10]; it is restored from there in the epilogue
0066C112 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0066C119 . 83EC 14 SUB ESP,14
; EDX = input string argument, consumed by the __vbaStrCopy call at 0066C14A
0066C11C . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066C11F . 53 PUSH EBX
; EBX caches the __vbaStrCopy import for the two copies made in this routine
0066C120 . 8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCopy
;"FGLQPFDMQP" is the userinfo1 data
0066C126 . 56 PUSH ESI
0066C127 . 57 PUSH EDI
0066C128 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
; [EBP-8] and [EBP-4] are filled in for the exception handler (presumably its
; saved ESP and handler-info pointer; confirm against the VB runtime)
0066C12B . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0066C12E . C745 FC F0774>MOV DWORD PTR SS:[EBP-4],ks.004077F0
; clear the three string locals before first use
0066C135 . C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
0066C13C . C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0066C143 . C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
; local [EBP-14] = copy of the input string (ECX = destination, EDX = source)
0066C14A . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrCopy>
0066C14C . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0066C14F . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0066C152 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
; ECX = vtable pointer read from the object in ESI
0066C155 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
; zero the caller's result slot before the method call
0066C157 . C700 00000000 MOV DWORD PTR DS:[EAX],0
; arguments pushed right to left: &[EBP-1C], "bjSchool", &[EBP-14], object
0066C15D . 52 PUSH EDX
0066C15E . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0066C161 . 68 8C894200 PUSH ks.0042898C ; UNICODE "bjSchool"
0066C166 . 50 PUSH EAX
0066C167 . 56 PUSH ESI
0066C168 . FF51 20 CALL DWORD PTR DS:[ECX+20]
; a negative return value is treated as a failed HRESULT and reported below
0066C16B . 85C0 TEST EAX,EAX
0066C16D . 7D 0F JGE SHORT ks.0066C17E
0066C16F . 6A 20 PUSH 20
0066C171 . 68 C4E94100 PUSH ks.0041E9C4
0066C176 . 56 PUSH ESI
0066C177 . 50 PUSH EAX
0066C178 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
; local [EBP-18] = copy of [EBP-14] as it stands after the method call
; (presumably the method rewrote [EBP-14] in place; confirm in the callee)
0066C17E > 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0066C181 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0066C184 . FFD3 CALL EBX
; push the epilogue address so the tail-jumped __vbaFreeStr returns to 0066C1A1
0066C186 . 68 A1C16600 PUSH ks.0066C1A1
0066C18B . EB 0A JMP SHORT ks.0066C197
; 0066C18D..0066C196 is not reached by fall-through (the JMP above skips it);
; it frees [EBP-18] and looks like the cleanup used on the error path (confirm)
0066C18D . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0066C190 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C196 . C3 RETN
; normal path: free the working copy in [EBP-14]
0066C197 > 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0066C19A .- FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0066C1A0 . C3 RETN
; epilogue: store the result string in the caller's slot and unlink the SEH record
0066C1A1 . 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0066C1A4 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0066C1A7 . 5F POP EDI
0066C1A8 . 5E POP ESI
0066C1A9 . 8911 MOV DWORD PTR DS:[ECX],EDX
0066C1AB . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
; return value 0 in EAX
0066C1AE . 33C0 XOR EAX,EAX
0066C1B0 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066C1B7 . 5B POP EBX
0066C1B8 . 8BE5 MOV ESP,EBP
0066C1BA . 5D POP EBP
0066C1BB . C2 0C00 RETN 0C
-------------------------------------------------------------------------------
▲文件:0-66B790.txt
-------------------------------------------------------------------------------
0066B72F . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B735 . 50 PUSH EAX
0066B736 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B73C . 8BD0 MOV EDX,EAX
0066B73E . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B741 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B747 . 50 PUSH EAX
0066B748 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066B74D . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B753 . 8BD0 MOV EDX,EAX
0066B755 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0066B758 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B75E . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B761 . 52 PUSH EDX
0066B762 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B765 . 50 PUSH EAX
0066B766 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B769 . 51 PUSH ECX
0066B76A . 6A 03 PUSH 3
0066B76C . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B772 . 83C4 10 ADD ESP,10
0066B775 . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
0066B77C . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B77F . 52 PUSH EDX
0066B780 . 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0066B783 . 50 PUSH EAX
0066B784 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B787 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066B789 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B78C . 50 PUSH EAX
0066B78D . FF52 5C CALL DWORD PTR DS:[EDX+5C]
;访问"C:\WINXP\System32\Microsoft\MSJET6.INI"
内容如下:
FGCQPFGGQPFDDQP
FFEQPFD@QPFDEQP
GEE@XAXGE
@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L<
FGBQP
;得到:
0066B790 . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066B793 . 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
0066B799 . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B7A0 . 8B95 38FFFFFF MOV EDX,DWORD PTR SS:[EBP-C8]
0066B7A6 . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0066B7A9 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B7AF . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
0066B7B6 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B7B9 . 52 PUSH EDX
0066B7BA . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0066B7BD . 50 PUSH EAX
0066B7BE . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B7C1 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066B7C3 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B7C6 . 50 PUSH EAX
0066B7C7 . FF52 5C CALL DWORD PTR DS:[EDX+5C]
0066B7CA . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
;得到:"FGLQPFDMQP"
0066B7CD . 898D 34FFFFFF MOV DWORD PTR SS:[EBP-CC],ECX
0066B7D3 . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B7DA . 8B95 34FFFFFF MOV EDX,DWORD PTR SS:[EBP-CC]
0066B7E0 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066B7E3 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B7E9 . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
0066B7F0 . 66:C785 5CFFF>MOV WORD PTR SS:[EBP-A4],4
0066B7F9 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B7FC . 52 PUSH EDX
0066B7FD . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0066B803 . 50 PUSH EAX
0066B804 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0066B807 . 51 PUSH ECX
0066B808 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066B80B . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0066B80D . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B810 . 51 PUSH ECX
0066B811 . FF50 4C CALL DWORD PTR DS:[EAX+4C]
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L<"
;
0066B814 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B817 . 8995 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EDX
0066B81D . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B824 . 8B95 30FFFFFF MOV EDX,DWORD PTR SS:[EBP-D0]
0066B82A . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066B82D . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B833 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
0066B83A . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066B840 . 50 PUSH EAX
0066B841 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066B844 . 51 PUSH ECX
0066B845 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066B848 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0066B84A . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B84D . 51 PUSH ECX
0066B84E . FF50 68 CALL DWORD PTR DS:[EAX+68]
0066B851 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B857 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B85D . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
0066B864 . 6A 01 PUSH 1
0066B866 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
;得到上次输入的激活码"5084J-VX10H-0248M-TXZO7-O1J69-26M9I"
0066B869 . 52 PUSH EDX
0066B86A . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
;得到最近输入的激活码"G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
0066B86D . 50 PUSH EAX
0066B86E . 6A 01 PUSH 1
0066B870 . FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>; MSVBVM50.__vbaInStr
;最近激活码转换为小写字符在[ESP-20]
0066B876 . 33DB XOR EBX,EBX
0066B878 . 85C0 TEST EAX,EAX
0066B87A . 0F9FC3 SETG BL
0066B87D . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
;上次激活码
0066B880 . 51 PUSH ECX
0066B881 . 68 A4B44100 PUSH ks.0041B4A4
0066B886 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B88C . F7D8 NEG EAX
0066B88E . 1BC0 SBB EAX,EAX
0066B890 . 40 INC EAX
0066B891 . 0BD8 OR EBX,EAX
0066B893 . 85DB TEST EBX,EBX
0066B895 . 75 40 JNZ SHORT ks.0066B8D7
0066B897 . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B
0066B89E . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
;上次激活码
0066B8A1 . 52 PUSH EDX
0066B8A2 . 68 3C044200 PUSH ks.0042043C
0066B8A7 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B8AD . 8BD0 MOV EDX,EAX
;得到字符串"5084J-VX10H-0248M-TXZO7-O1J69-26M9I|"
0066B8AF . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B8B2 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B8B8 . 50 PUSH EAX
0066B8B9 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0066B8BC . 50 PUSH EAX
0066B8BD . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
;得到字符串"5084J-VX10H-0248M-TXZO7-O1J69-26M9I|G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
0066B8C3 . 8BD0 MOV EDX,EAX
0066B8C5 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0066B8C8 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B8CE . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B8D1 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B8D7 > C745 FC 0D000>MOV DWORD PTR SS:[EBP-4],0D
0066B8DE . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B8E4 . 51 PUSH ECX
0066B8E5 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0066B8E8 . 52 PUSH EDX
0066B8E9 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B8EC . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066B8EE . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066B8F1 . 52 PUSH EDX
0066B8F2 . FF51 68 CALL DWORD PTR DS:[ECX+68]
;加密以上字符串得到:
"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066B8F5 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B8FB . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B901 . C745 FC 0E000>MOV DWORD PTR SS:[EBP-4],0E
0066B908 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0066B90B . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX
0066B911 . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],4008
0066B91B . 6A 00 PUSH 0
0066B91D . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B923 . 51 PUSH ECX
0066B924 . FF15 F8B56800 CALL DWORD PTR DS:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
0066B92A . 8BD0 MOV EDX,EAX
0066B92C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B92F . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B935 . 50 PUSH EAX
0066B936 . 68 A4B44100 PUSH ks.0041B4A4
0066B93B . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
;比较MSJET6.INI和MSJET6.INI
0066B941 . F7D8 NEG EAX
0066B943 . 1BC0 SBB EAX,EAX
0066B945 . F7D8 NEG EAX
0066B947 . F7D8 NEG EAX
0066B949 . 66:8985 54FFF>MOV WORD PTR SS:[EBP-AC],AX
0066B950 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B953 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B959 . 0FBF95 54FFFF>MOVSX EDX,WORD PTR SS:[EBP-AC]
0066B960 . 85D2 TEST EDX,EDX
0066B962 . 0F84 8E000000 JE ks.0066B9F6
0066B968 . C745 FC 0F000>MOV DWORD PTR SS:[EBP-4],0F
0066B96F . 6A 00 PUSH 0
0066B971 . 6A 00 PUSH 0
0066B973 . 6A 03 PUSH 3
0066B975 . 6A 00 PUSH 0
0066B977 . 6A 03 PUSH 3
0066B979 . 68 00000040 PUSH 40000000
0066B97E . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0066B981 . 50 PUSH EAX
0066B982 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B985 . 51 PUSH ECX
0066B986 . FF15 90B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToAnsi
0066B98C . 50 PUSH EAX
0066B98D . E8 4E14DBFF CALL ks.0041CDE0
0066B992 . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0066B998 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066B99E . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B9A1 . 52 PUSH EDX
0066B9A2 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0066B9A5 . 50 PUSH EAX
0066B9A6 . FF15 9CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToUnicode
0066B9AC . 8B8D 58FFFFFF MOV ECX,DWORD PTR SS:[EBP-A8]
0066B9B2 . 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
0066B9B5 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B9B8 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B9BE . C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0066B9C5 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
0066B9C8 . 52 PUSH EDX
0066B9C9 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
0066B9CC . 50 PUSH EAX
0066B9CD . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
0066B9D0 . 51 PUSH ECX
0066B9D1 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0066B9D4 . 52 PUSH EDX
0066B9D5 . E8 5634DBFF CALL ks.0041EE30
0066B9DA . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066B9E0 . C745 FC 11000>MOV DWORD PTR SS:[EBP-4],11
0066B9E7 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066B9EA . 50 PUSH EAX
0066B9EB . E8 2C14DBFF CALL ks.0041CE1C
0066B9F0 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066B9F6 > C745 FC 13000>MOV DWORD PTR SS:[EBP-4],13
0066B9FD . 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0066BA00 . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BA06 . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BA10 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BA16 . 52 PUSH EDX
0066BA17 . B8 10000000 MOV EAX,10
0066BA1C . E8 CFC5D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BA21 . 8BC4 MOV EAX,ESP
0066BA23 . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BA29 . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BA2B . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BA31 . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BA34 . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BA3A . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BA3D . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BA43 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BA46 . 68 0C894200 PUSH ks.0042890C ; UNICODE "userinfo1"
0066BA4B . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BA50 . 68 CCE54100 PUSH ks.0041E5CC
0066BA55 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BA5B . 8BD0 MOV EDX,EAX
0066BA5D . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BA60 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BA66 . 50 PUSH EAX
0066BA67 . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BA6B . 50 PUSH EAX
0066BA6C . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BA72 . 8BD0 MOV EDX,EAX
0066BA74 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BA77 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BA7D . 50 PUSH EAX
0066BA7E . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BA84 . 8BD0 MOV EDX,EAX
0066BA86 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BA89 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BA8F . 50 PUSH EAX
0066BA90 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BA93 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BA95 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BA98 . 50 PUSH EAX
0066BA99 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0066BA9C . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BA9F . 51 PUSH ECX
0066BAA0 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BAA3 . 52 PUSH EDX
0066BAA4 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BAA7 . 50 PUSH EAX
0066BAA8 . 6A 03 PUSH 3
0066BAAA . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BAB0 . 83C4 10 ADD ESP,10
0066BAB3 . C745 FC 14000>MOV DWORD PTR SS:[EBP-4],14
0066BABA . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0066BABD . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BAC3 . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BACD . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BAD3 . 52 PUSH EDX
0066BAD4 . B8 10000000 MOV EAX,10
0066BAD9 . E8 12C5D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BADE . 8BC4 MOV EAX,ESP
0066BAE0 . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BAE6 . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BAE8 . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BAEE . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BAF1 . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BAF7 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BAFA . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BB00 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BB03 . 68 24894200 PUSH ks.00428924 ; UNICODE "userinfo2"
0066BB08 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BB0D . 68 CCE54100 PUSH ks.0041E5CC
0066BB12 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BB18 . 8BD0 MOV EDX,EAX
0066BB1A . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BB1D . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BB23 . 50 PUSH EAX
0066BB24 . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BB28 . 50 PUSH EAX
0066BB29 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BB2F . 8BD0 MOV EDX,EAX
0066BB31 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BB34 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BB3A . 50 PUSH EAX
0066BB3B . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BB41 . 8BD0 MOV EDX,EAX
0066BB43 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BB46 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BB4C . 50 PUSH EAX
0066BB4D . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BB50 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BB52 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BB55 . 50 PUSH EAX
0066BB56 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0066BB59 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BB5C . 51 PUSH ECX
0066BB5D . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BB60 . 52 PUSH EDX
0066BB61 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BB64 . 50 PUSH EAX
0066BB65 . 6A 03 PUSH 3
0066BB67 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BB6D . 83C4 10 ADD ESP,10
0066BB70 . C745 FC 15000>MOV DWORD PTR SS:[EBP-4],15
0066BB77 . BA D4D34100 MOV EDX,ks.0041D3D4
0066BB7C . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0066BB7F . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
0066BB85 . C745 FC 16000>MOV DWORD PTR SS:[EBP-4],16
0066BB8C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BB8F . 51 PUSH ECX
0066BB90 . 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
0066BB93 . 52 PUSH EDX
0066BB94 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BB97 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066BB99 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066BB9C . 52 PUSH EDX
0066BB9D . FF51 5C CALL DWORD PTR DS:[ECX+5C]
0066BBA0 . 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
0066BBA3 . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066BBA9 . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066BBB0 . 8B95 2CFFFFFF MOV EDX,DWORD PTR SS:[EBP-D4]
0066BBB6 . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0066BBB9 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BBBF . C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17
0066BBC6 . 8B4D A4 MOV ECX,DWORD PTR SS:[EBP-5C]
0066BBC9 . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BBCF . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BBD9 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BBDF . 52 PUSH EDX
0066BBE0 . B8 10000000 MOV EAX,10
0066BBE5 . E8 06C4D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BBEA . 8BC4 MOV EAX,ESP
0066BBEC . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BBF2 . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BBF4 . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BBFA . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BBFD . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BC03 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BC06 . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BC0C . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BC0F . 68 64874200 PUSH ks.00428764 ; UNICODE "userflag"
0066BC14 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BC19 . 68 CCE54100 PUSH ks.0041E5CC
0066BC1E . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BC24 . 8BD0 MOV EDX,EAX
0066BC26 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BC29 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BC2F . 50 PUSH EAX
0066BC30 . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BC34 . 50 PUSH EAX
0066BC35 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BC3B . 8BD0 MOV EDX,EAX
0066BC3D . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BC40 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BC46 . 50 PUSH EAX
0066BC47 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BC4D . 8BD0 MOV EDX,EAX
0066BC4F . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BC52 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BC58 . 50 PUSH EAX
0066BC59 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BC5C . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BC5E . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BC61 . 50 PUSH EAX
0066BC62 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0066BC65 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BC68 . 51 PUSH ECX
0066BC69 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BC6C . 52 PUSH EDX
0066BC6D . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BC70 . 50 PUSH EAX
0066BC71 . 6A 03 PUSH 3
0066BC73 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BC79 . 83C4 10 ADD ESP,10
0066BC7C . C745 FC 18000>MOV DWORD PTR SS:[EBP-4],18
0066BC83 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
0066BC86 . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066BC8C . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BC96 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BC9C . 52 PUSH EDX
0066BC9D . B8 10000000 MOV EAX,10
0066BCA2 . E8 49C3D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BCA7 . 8BC4 MOV EAX,ESP
0066BCA9 . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066BCAF . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BCB1 . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BCB7 . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BCBA . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BCC0 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BCC3 . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BCC9 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BCCC . 68 B0874200 PUSH ks.004287B0 ; UNICODE "userinfo"
0066BCD1 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BCD6 . 68 CCE54100 PUSH ks.0041E5CC
0066BCDB . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BCE1 . 8BD0 MOV EDX,EAX
0066BCE3 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BCE6 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BCEC . 50 PUSH EAX
0066BCED . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BCF1 . 50 PUSH EAX
0066BCF2 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BCF8 . 8BD0 MOV EDX,EAX
0066BCFA . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BCFD . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BD03 . 50 PUSH EAX
0066BD04 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BD0A . 8BD0 MOV EDX,EAX
0066BD0C . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BD0F . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BD15 . 50 PUSH EAX
0066BD16 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BD19 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BD1B . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BD1E . 50 PUSH EAX
0066BD1F . FF52 44 CALL DWORD PTR DS:[EDX+44]
;保存在注册表中
0066BD22 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BD25 . 51 PUSH ECX
0066BD26 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BD29 . 52 PUSH EDX
0066BD2A . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BD2D . 50 PUSH EAX
0066BD2E . 6A 03 PUSH 3
0066BD30 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BD36 . 83C4 10 ADD ESP,10
0066BD39 . C745 FC 19000>MOV DWORD PTR SS:[EBP-4],19
0066BD40 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD46 . 51 PUSH ECX
0066BD47 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0066BD4A . 52 PUSH EDX
0066BD4B . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BD4E . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066BD50 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066BD53 . 52 PUSH EDX
0066BD54 . FF51 68 CALL DWORD PTR DS:[ECX+68]
0066BD57 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD5D . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BD63 . C745 FC 1A000>MOV DWORD PTR SS:[EBP-4],1A
0066BD6A . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066BD70 . 50 PUSH EAX
0066BD71 . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
0066BD77 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD7D . 51 PUSH ECX
0066BD7E . FF15 E8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateV>; MSVBVM50.__vbaDateVar
0066BD84 . DD5D 94 FSTP QWORD PTR SS:[EBP-6C]
0066BD87 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD8D . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BD93 . C745 FC 1B000>MOV DWORD PTR SS:[EBP-4],1B
0066BD9A . 68 70894200 PUSH ks.00428970 ; UNICODE "2001-10-01"
0066BD9F . FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>; MSVBVM50.__vbaDateStr
0066BDA5 . DD9D 78FFFFFF FSTP QWORD PTR SS:[EBP-88]
0066BDAB . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],7
0066BDB5 . 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0066BDBB . 52 PUSH EDX
0066BDBC . FF15 FCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#548>] ; MSVBVM50.rtcSetDateVar
0066BDC2 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BDC8 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BDCE . C745 FC 1C000>MOV DWORD PTR SS:[EBP-4],1C
0066BDD5 . C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],80020004
0066BDDF . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],0A
0066BDE9 . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066BDEF . 50 PUSH EAX
0066BDF0 . FF15 08B66800 CALL DWORD PTR DS:[<&MSVBVM50.#648>] ; MSVBVM50.rtcFreeFile
0066BDF6 . 66:8945 DC MOV WORD PTR SS:[EBP-24],AX
0066BDFA . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BE00 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BE06 . C745 FC 1D000>MOV DWORD PTR SS:[EBP-4],1D
0066BE0D . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0066BE10 . 51 PUSH ECX
0066BE11 . 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0066BE15 . 52 PUSH EDX
0066BE16 . 6A FF PUSH -1
0066BE18 . 6A 02 PUSH 2
0066BE1A . FF15 04B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFileO>; MSVBVM50.__vbaFileOpen
;开始写入MSJET6.INI
0066BE20 . C745 FC 1E000>MOV DWORD PTR SS:[EBP-4],1E
0066BE27 . 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0066BE2A . 50 PUSH EAX
0066BE2B . 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BE2F . 51 PUSH ECX
0066BE30 . 68 E41B4200 PUSH ks.00421BE4
0066BE35 . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE3B . 83C4 0C ADD ESP,0C
0066BE3E . C745 FC 1F000>MOV DWORD PTR SS:[EBP-4],1F
0066BE45 . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
0066BE48 . 52 PUSH EDX
0066BE49 . 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0066BE4D . 50 PUSH EAX
0066BE4E . 68 E41B4200 PUSH ks.00421BE4
0066BE53 . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE59 . 83C4 0C ADD ESP,0C
0066BE5C . C745 FC 20000>MOV DWORD PTR SS:[EBP-4],20
0066BE63 . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
0066BE66 . 51 PUSH ECX
0066BE67 . 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0066BE6B . 52 PUSH EDX
0066BE6C . 68 E41B4200 PUSH ks.00421BE4
0066BE71 . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE77 . 83C4 0C ADD ESP,0C
0066BE7A . C745 FC 21000>MOV DWORD PTR SS:[EBP-4],21
0066BE81 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0066BE84 . 50 PUSH EAX
0066BE85 . 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BE89 . 51 PUSH ECX
0066BE8A . 68 E41B4200 PUSH ks.00421BE4
0066BE8F . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE95 . 83C4 0C ADD ESP,0C
0066BE98 . C745 FC 22000>MOV DWORD PTR SS:[EBP-4],22
0066BE9F . 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
0066BEA2 . 52 PUSH EDX
0066BEA3 . 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0066BEA7 . 50 PUSH EAX
0066BEA8 . 68 E41B4200 PUSH ks.00421BE4
0066BEAD . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BEB3 . 83C4 0C ADD ESP,0C
0066BEB6 . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23
0066BEBD . 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BEC1 . 51 PUSH ECX
0066BEC2 . FF15 F0B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFileC>; MSVBVM50.__vbaFileClose
0066BEC8 . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24
0066BECF . 8B55 94 MOV EDX,DWORD PTR SS:[EBP-6C]
0066BED2 . 8995 78FFFFFF MOV DWORD PTR SS:[EBP-88],EDX
0066BED8 . 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68]
0066BEDB . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0066BEE1 . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],7
0066BEEB . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BEF1 . 51 PUSH ECX
0066BEF2 . FF15 FCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#548>] ; MSVBVM50.rtcSetDateVar
0066BEF8 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BEFE . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BF04 . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25
0066BF0B . 6A 00 PUSH 0
0066BF0D . 6A 00 PUSH 0
0066BF0F . 6A 03 PUSH 3
0066BF11 . 6A 00 PUSH 0
0066BF13 . 6A 03 PUSH 3
0066BF15 . 68 00000040 PUSH 40000000
0066BF1A . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
0066BF1D . 52 PUSH EDX
0066BF1E . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BF21 . 50 PUSH EAX
0066BF22 . FF15 90B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToAnsi
0066BF28 . 50 PUSH EAX
0066BF29 . E8 B20EDBFF CALL ks.0041CDE0
0066BF2E . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0066BF34 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066BF3A . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066BF3D . 51 PUSH ECX
0066BF3E . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0066BF41 . 52 PUSH EDX
0066BF42 . FF15 9CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToUnicode
0066BF48 . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
0066BF4E . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
0066BF51 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BF54 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BF5A . C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26
0066BF61 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0066BF64 . 51 PUSH ECX
0066BF65 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
0066BF68 . 52 PUSH EDX
0066BF69 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0066BF6C . 50 PUSH EAX
0066BF6D . 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
0066BF70 . 51 PUSH ECX
0066BF71 . E8 FA2EDBFF CALL ks.0041EE70
0066BF76 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066BF7C . C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27
0066BF83 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0066BF86 . 52 PUSH EDX
0066BF87 . E8 900EDBFF CALL ks.0041CE1C
0066BF8C . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066BF92 . 9B WAIT
0066BF93 . 68 13C06600 PUSH ks.0066C013
0066BF98 . EB 24 JMP SHORT ks.0066BFBE
0066BF9A . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066BF9D . 50 PUSH EAX
0066BF9E . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BFA1 . 51 PUSH ECX
0066BFA2 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066BFA5 . 52 PUSH EDX
0066BFA6 . 6A 03 PUSH 3
0066BFA8 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BFAE . 83C4 10 ADD ESP,10
0066BFB1 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BFB7 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BFBD . C3 RETN
0066BFBE > 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0066BFC1 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFC7 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066BFCA . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFD0 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0066BFD3 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFD9 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066BFDC . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFE2 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0066BFE5 . 50 PUSH EAX
0066BFE6 . 6A 00 PUSH 0
0066BFE8 . FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>; MSVBVM50.__vbaAryDestruct
0066BFEE . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0066BFF1 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFF7 . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0066BFFA . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C000 . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0066C003 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C009 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0066C00C . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C012 . C3 RETN
0066C013 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066C016 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066C018 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066C01B . 50 PUSH EAX
0066C01C . FF52 08 CALL DWORD PTR DS:[EDX+8]
0066C01F . 8B4D 20 MOV ECX,DWORD PTR SS:[EBP+20]
0066C022 . 66:8B55 C8 MOV DX,WORD PTR SS:[EBP-38]
0066C026 . 66:8911 MOV WORD PTR DS:[ECX],DX
0066C029 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0066C02C . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0066C02F . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066C036 . 5F POP EDI
0066C037 . 5E POP ESI
0066C038 . 5B POP EBX
0066C039 . 8BE5 MOV ESP,EBP
0066C03B . 5D POP EBP
0066C03C . C2 1C00 RETN 1C
0066C03F CC INT3
-------------------------------------------------------------------------------
▲文件:0-REG.txt 注册表文件
-------------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6]
"userinfo1"="FGLQPFDMQP"
"userinfo2"="FGLQPFDMQP"
"userflag"="FGBQP"
"userinfo"="2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
;或者[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1]
-------------------------------------------------------------------------------
▲文件:0-INI.txt c:\WINXP\system32\Microsoft\MSJET1.INI(或MSJET6.INI)的内容
-------------------------------------------------------------------------------
FGLQPFDMQP
FGLQPFDMQP
GEE@XAXGG
2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<
FGBQP
-------------------------------------------------------------------------------
▲文件:0-FINAL.txt
-------------------------------------------------------------------------------
最终得到的假激活码:G5060-BBBBB-CCQ2L-23XL6-O2323-3434I
0067956A . 50 PUSH EAX
0067956B . FFD7 CALL EDI
0067956D > 66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 . 0F85 7D020000 JNZ ks.006797F8
0067957B . 66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F . 66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 . 0F85 C2000000 JNZ ks.0067964B ; no jmp,跳走会显示无产品项目
;这样可以强制激活成功
00679589 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0067958C . 50 PUSH EAX
0067958D . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
00679593 . 8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
00679596 . 3BFB CMP EDI,EBX
00679598 . 75 12 JNZ SHORT ks.006795AC
0067959A . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0067959D . 51 PUSH ECX
0067959E . 68 D0924000 PUSH ks.004092D0
这样会生成c:\WINXP\system32\Microsoft\MSJET1.INI文件,把它复制一份,改名为MSJET6.INI
注意:MSJETx.INI是最后的1是算出来的,会自动保存,但那个6却不能自动生成,怎样知道是6呢?可以在这里:
0066AB3F . 50 PUSH EAX
0066AB40 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066AB45 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
;这个操作可以看到6
0066AB4B . 8BD0 MOV EDX,EAX
0066AB4D . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
再加下面两个爆破就可以了,但是还有提示激活成功,可用x次..
其实在注册表里还有HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1
把它复制一个命名为HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6即可
============
0066AED2 . /0F85 B6050000 JNZ ks.0066B48E
0066AED8 . |66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . |66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . |74 0C JE SHORT ks.0066AEEE ; JMP ZZH(EB0C)
;改为JMP 66aeee即可
0066AEE2 . |C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . |E9 DF050000 JMP ks.0066B4CD
0066AEEE > |BA 0C894200 MOV EDX,ks.0042890C ; UNICODE "userinfo1"
0066AEF3 . |8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
============
0061D184 > \66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 . 75 16 JNZ SHORT ks.0061D1A0 ; NO Jmp (SYS) EAX<=1 ZZH
;上行不要跳,改为MOV EAX,1,覆盖下行指令即可
0061D18A . 83C8 FF OR EAX,FFFFFFFF
0061D18D . 68 0ED56100 PUSH ks.0061D50E ; EAX<=1
0061D192 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 . 66:A3 DCB0670>MOV WORD PTR DS:[67B0DC],AX
0061D19B . E9 4F030000 JMP ks.0061D4EF
0061D1A0 > 66:3935 DCB06>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 . 0F85 07030000 JNZ ks.0061D4B4
0061D1AD . 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
...
OK,CRACKED! 19:53 2005-4-22
开始于2005-4-18,好累啊.但愿我可以以此考过二级JAVA,为SUN认证打下基础.郁闷啊,考了三级又倒回来考二级.
4-26 20:18
★关于通用激活方法(因为激活是依赖于第一块硬盘序列号的,所以必须得到固定序列号,上述方法才万能)
%SYSTEM%\PCINFO.DLL
导出函数:
GetDriveSerialNumberIn9X
GetDriveSerialNumberInNT
都是取硬盘序列号的,而软件是根据硬盘序列号来生成ID和激活码的,所以可以改造这个DLL,让它返回固定的序列号.这样就可以做通用的CRK.
在VB中测试时,要更改文件名为WYPCINFO.DLL
这样声明:
Private Declare Function GetDriveSerialNumberInNT Lib "WYPCINFO" (ByVal SN As String) As String
调用如下:
' NOTE(review): "a" is declared but never used in this snippet.
Dim a As String, HDSN As String
' Pre-fill the string passed to the DLL with 255 spaces.
HDSN = Space(255)
' The function's String return value is discarded here.
' The author notes below that the serial obtained this way carries extra spaces.
GetDriveSerialNumberInNT (HDSN)
不过这样生成的序列号带有多余的空格.
但是好像主程序并没有调用这个DLL啊,跟踪一下主程序KS.EXE看看怎么回事.
0066DF65 . 53 PUSH EBX
0066DF66 . 68 80400700 PUSH 74080
0066DF6B . 51 PUSH ECX
0066DF6C . E8 CB11DBFF CALL ks.0041F13C;;调用DeviceIoControl,取得硬盘SMART_VERSION
0066DF71 . 8985 68FEFFFF MOV DWORD PTR SS:[EBP-198],EAX ;如果取得成功则EAX为非0
0066DF77 . FFD7 CALL EDI
0066DF79 . 399D 68FEFFFF CMP DWORD PTR SS:[EBP-198],EBX
;ebx=0,若eax=0表示取得硬盘SMART_VERSION失败
0066DF7F . 0F84 98010000 JE ks.0066E11D ;取得SMART版本失败,则跳走
....
0066DFE3 . 52 PUSH EDX ;否则会到这里
0066DFE4 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0066DFE7 . 6A 00 PUSH 0
0066DFE9 . 8846 56 MOV BYTE PTR DS:[ESI+56],AL
0066DFEC . 68 10020000 PUSH 210
0066DFF1 . 8D46 50 LEA EAX,DWORD PTR DS:[ESI+50]
0066DFF4 . 51 PUSH ECX
0066DFF5 . 6A 20 PUSH 20
0066DFF7 . 50 PUSH EAX
0066DFF8 . 68 88C00700 PUSH 7C088
0066DFFD . 52 PUSH EDX
0066DFFE . C700 00020000 MOV DWORD PTR DS:[EAX],200
0066E004 . E8 3311DBFF CALL ks.0041F13C ;调用DeviceIoControl,取得硬盘SMART_RCV_DRIVE_DATA
;这样就取得了包括硬盘序列号在内的很多数据
;堆栈及转存
0012F490 0066E009 /CALL 到 DeviceIoControl 来自 ks.0066E004
0012F494 00000174 |hDevice = 00000174
0012F498 0007C088 |IoControlCode = SMART_RCV_DRIVE_DATA
0012F49C 0016DF88 |InBuffer = 0016DF88
0012F4A0 00000020 |InBufferSize = 20 (32.)
0012F4A4 0016DFA8 |OutBuffer = 0016DFA8
0012F4A8 00000210 |OutBufferSize = 210 (528.)
0012F4AC 00000000 |pBytesReturned = NULL
0012F4B0 0012F504 \pOverlapped = 0012F504
这是得到的数据:
0016DFA8 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
0016DFB8 5A 0C FF 3F 37 C8 10 00 00 00 00 00 3F 00 00 00 Z.?7?.....?...
0016DFC8 00 00 00 00 4A 34 31 56 48 30 4D 38 20 20 20 20 ....J41VH0M8
0016DFD8 20 20 20 20 20 20 20 20 00 00 00 10 04 00 2E 38 .....8
0016DFE8 31 30 20 20 20 20 54 53 38 33 30 30 31 31 20 41 10 TS830011 A
0016DFF8 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0016E008 20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 80 ?
0066E009 . 8985 68FEFFFF MOV DWORD PTR SS:[EBP-198],EAX
0066E00F . FFD7 CALL EDI
0066E011 . 8B85 68FEFFFF MOV EAX,DWORD PTR SS:[EBP-198]
0066E017 . 85C0 TEST EAX,EAX
0066E019 . 7F 15 JG SHORT ks.0066E030
0066E01B . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
然后进一步处理,得到序列号.
当取得SMART版本失败时会到这里:
...
0066E1B3 . C2 0800 RETN 8
返回后,然后调用PCINFO.DLL取得序列号.
那么,我们可以补丁:
0066DF7F . 0F84 98010000 JE ks.0066E11D ;取得SMART版本失败,则跳走,改为JMP让他永远调用DLL
然后修改PCINFO.DLL
PCINFO.GetDriveSerialNumberInNT函数:
1000152E |> \C74424 04 E0EF0010 MOV DWORD PTR SS:[ESP+4],pcinfo.1000EFE0;ASCII "4JV10H8M"
;永远返回固定序列号
10001536 \. C2 0400 RETN 4
PCINFO.GetDriveSerialNumberIn9X函数:
100012BE |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
100012C5 |. 81C4 88000000 ADD ESP,88
100012CB \. C2 0400 RETN 4
100012CE 8BFF MOV EDI,EDI ;这个被覆盖不知道有没有影响
修改为:
100012CB /E9 5E020000 JMP PCINFOHK.1000152E
这样就可以保证在9X和NT下都会返回唯一的硬盘序列号.^_^
当然也可以修改KS.EXE,但是修改VB程序实在是太麻烦了.
好了,这样就可以用得到的假激活码,强制激活,并且通用.
也可以尝试写一个替代DLL.
-------------------------------------------------------------------------------
从668074调用,计算前26个字符的校验码.
;-------------------------------------------------------------------------------
; ks.00668330 -- two-byte checksum over a byte array (OllyDbg listing, 32-bit x86,
;                Intel syntax, code generated for the MSVBVM50 runtime)
; Calling:  three stack arguments, callee cleans up (RETN 0C); EAX = 0 on the normal exit.
; In:       [EBP+C]  -> pointer to an array descriptor; the offsets used below
;                       (+0 dimension count, +C data, +10 element count, +14 lower bound)
;                       look like a SAFEARRAY -- TODO confirm
;           [EBP+10] -> output slot: zeroed on entry, receives the result string on exit
;           [EBP+8]  is not referenced in this listing
; State:    [EBP-30] low check byte,  starts at FFh   (12f65c in the author's run)
;           [EBP-20] high check byte, starts at FFh   (12f66c in the author's run)
;           [EBP-1C] constant 81h, XORed into the low byte
;           [EBP-34] constant A0h, XORed into the high byte
; Method:   for each array byte: low ^= byte; then eight times shift the pair
;           high:low right by one bit (bit 0 of high moves into bit 7 of low) and,
;           when the bit shifted out of low was 1, XOR high with A0h and low with 81h.
; Out:      Format(high,"000") & Format(low,"000") as a string ("125"+"204" in the author's run).
; NOTE(review): the update uses only fixed constants and the input bytes, so it works as an
;           error-detecting checksum; nothing in it is keyed or secret.
;-------------------------------------------------------------------------------
00668330 > \55 PUSH EBP
00668331 . 8BEC MOV EBP,ESP
00668333 . 83EC 0C SUB ESP,0C
00668336 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066833B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668341 . 50 PUSH EAX
00668342 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668349 . 81EC D0000000 SUB ESP,0D0
0066834F . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ;EAX = output slot pointer
00668352 . 53 PUSH EBX
00668353 . 56 PUSH ESI
00668354 . 8B35 74B56800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaUI>; MSVBVM50.__vbaUI1I2
0066835A . 57 PUSH EDI
0066835B . 33DB XOR EBX,EBX ;EBX = 0, used below to clear the locals
0066835D . B9 FF000000 MOV ECX,0FF ;argument for the first __vbaUI1I2 call at 006683A2
00668362 . 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
00668365 . C745 F8 00754>MOV DWORD PTR SS:[EBP-8],ks.00407500
0066836C . C645 E0 00 MOV BYTE PTR SS:[EBP-20],0
00668370 . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
00668373 . 885D D0 MOV BYTE PTR SS:[EBP-30],BL
00668376 . 895D B8 MOV DWORD PTR SS:[EBP-48],EBX
00668379 . 895D A8 MOV DWORD PTR SS:[EBP-58],EBX
0066837C . 895D 98 MOV DWORD PTR SS:[EBP-68],EBX
0066837F . 895D 88 MOV DWORD PTR SS:[EBP-78],EBX
00668382 . 899D 78FFFFFF MOV DWORD PTR SS:[EBP-88],EBX
00668388 . 899D 68FFFFFF MOV DWORD PTR SS:[EBP-98],EBX
0066838E . 899D 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EBX
00668394 . 899D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EBX
0066839A . 899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
006683A0 . 8918 MOV DWORD PTR DS:[EAX],EBX ;clear the caller's output slot
;The four CALL ESI below pass FFh, FFh, 81h and A0h through __vbaUI1I2
;(presumably the runtime's Integer->Byte conversion) and store the results.
006683A2 . FFD6 CALL ESI ; <&MSVBVM50.__vbaUI1I2>
006683A4 . B9 FF000000 MOV ECX,0FF
006683A9 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL ;12f65c=0FFh
006683AC . FFD6 CALL ESI
006683AE . B9 81000000 MOV ECX,81
006683B3 . 8845 E0 MOV BYTE PTR SS:[EBP-20],AL ;12F66C=0FFh
006683B6 . FFD6 CALL ESI
006683B8 . B9 A0000000 MOV ECX,0A0
006683BD . 8845 E4 MOV BYTE PTR SS:[EBP-1C],AL ;[EBP-1C] = 81h
006683C0 . FFD6 CALL ESI
006683C2 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
006683C5 . 8845 CC MOV BYTE PTR SS:[EBP-34],AL ;[EBP-34] = A0h
006683C8 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
006683CA . 52 PUSH EDX
006683CB . 6A 01 PUSH 1
006683CD . FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>; MSVBVM50.__vbaUbound
;upper bound of the array: eax=19h=25d in the author's run, i.e. 26 characters
006683D3 . 8BC8 MOV ECX,EAX
006683D5 . FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
006683DB . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20] ;cl=FFh
006683DE . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX ;[EBP-D4] = loop limit (upper bound)
006683E4 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30] ;al=FFh
006683E7 . 895D E8 MOV DWORD PTR SS:[EBP-18],EBX ;outer index = 0
006683EA > 8B7D E8 MOV EDI,DWORD PTR SS:[EBP-18]
;outer loop head (line above): one pass per array element, 26 in the author's run
006683ED . 66:3BBD 2CFFF>CMP DI,WORD PTR SS:[EBP-D4]
006683F4 . 0F8F D4000000 JG ks.006684CE ;signed 16-bit compare: index past the upper bound -> done
;Bounds-checked element address: descriptor present, exactly one dimension,
;(index - [EDX+14]) below [EDX+10]; otherwise __vbaGenerateBoundsError is called.
006683FA . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
006683FD . 8B12 MOV EDX,DWORD PTR DS:[EDX]
006683FF . 3BD3 CMP EDX,EBX
00668401 . 74 25 JE SHORT ks.00668428
00668403 . 66:833A 01 CMP WORD PTR DS:[EDX],1
00668407 . 75 1F JNZ SHORT ks.00668428
00668409 . 0FBFDF MOVSX EBX,DI
0066840C . 8B7A 14 MOV EDI,DWORD PTR DS:[EDX+14]
0066840F . 2BDF SUB EBX,EDI
00668411 . 8B7A 10 MOV EDI,DWORD PTR DS:[EDX+10] ;edi=1ah=26d
00668414 . 3BDF CMP EBX,EDI
00668416 . 72 0C JB SHORT ks.00668424 ;unsigned compare, so a negative offset also fails the check
00668418 . FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066841E . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20]
00668421 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30]
00668424 > 8BD3 MOV EDX,EBX
00668426 . EB 0E JMP SHORT ks.00668436
00668428 > FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066842E . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20]
00668431 . 8BD0 MOV EDX,EAX
00668433 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30]
00668436 > 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
00668439 . 8B3F MOV EDI,DWORD PTR DS:[EDI]
0066843B . 8B7F 0C MOV EDI,DWORD PTR DS:[EDI+C]
0066843E . 8A1C17 MOV BL,BYTE PTR DS:[EDI+EDX];fetch the next of the 26 characters
;0016E238 47 37 4B 34 30 37 34 48 39 4D 35 4D 58 56 52 49 G7K4074H9M5MXVRI
;0016E248 34 30 38 36 44 36 37 54 52 46 AB AB AB AB AB AB 4086D67TRF???
00668441 . 32C3 XOR AL,BL ;XOR the character into AL (FFh on the first pass); result stays in AL
00668443 . 33FF XOR EDI,EDI ;EDI = 0: inner loop counter
00668445 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL
00668448 > BA 07000000 MOV EDX,7 ;inner loop upper bound 7: DI runs 0..7, i.e. eight passes
;inner loop head (line above)
0066844D . 66:3BFA CMP DI,DX
00668450 . 7F 63 JG SHORT ks.006684B5
00668452 . 8AD9 MOV BL,CL ;BL = high byte before the shift
00668454 . 8845 D8 MOV BYTE PTR SS:[EBP-28],AL ;stash the current AL at [EBP-28] = 12f664 (12f65c is [EBP-30])
00668457 . D0E9 SHR CL,1 ;CL is FFh on the very first pass
00668459 . 66:0FB6C9 MOVZX CX,CL
0066845D . FFD6 CALL ESI ;AL = CL after the one-bit right shift
0066845F . 8845 E0 MOV BYTE PTR SS:[EBP-20],AL ;store to 12f66c ([EBP-20])
00668462 . 8A45 D0 MOV AL,BYTE PTR SS:[EBP-30] ;12f65c=B8H
00668465 . D0E8 SHR AL,1 ;AL=5CH
00668467 . 66:33C9 XOR CX,CX
0066846A . 8AC8 MOV CL,AL
0066846C . FFD6 CALL ESI
0066846E . 80E3 01 AND BL,1 ;BL = old CL (FFh on the first pass); keep only bit 0
00668471 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL ;store to 12f65c ([EBP-30])
00668474 . 80FB 01 CMP BL,1
00668477 . 75 0C JNZ SHORT ks.00668485
00668479 . 0C 80 OR AL,80 ;reached only when bit 0 of BL was 1 (the JNZ above skips otherwise): set AL bit 7; al=DCh
0066847B . 66:33C9 XOR CX,CX
0066847E . 8AC8 MOV CL,AL
00668480 . FFD6 CALL ESI
00668482 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL ;store to 12f65c ([EBP-30])
00668485 > 8A4D D8 MOV CL,BYTE PTR SS:[EBP-28] ;reload the stashed AL from 12f664; CL=B8h
00668488 . 80E1 01 AND CL,1 ;keep only bit 0
0066848B . 80F9 01 CMP CL,1 ;was bit 0 set?
0066848E . 8A4D E0 MOV CL,BYTE PTR SS:[EBP-20] ;reload CL from 12f66c ([EBP-20]); MOV leaves the CMP flags intact
00668491 . 75 10 JNZ SHORT ks.006684A3 ;bit 0 clear: skip the XOR step
00668493 . 8A5D CC MOV BL,BYTE PTR SS:[EBP-34] ;BL = A0h
00668496 . 8A55 E4 MOV DL,BYTE PTR SS:[EBP-1C] ;DL = 81h
00668499 . 32CB XOR CL,BL ;high byte ^= A0h
0066849B . 32C2 XOR AL,DL ;low byte ^= 81h
0066849D . 884D E0 MOV BYTE PTR SS:[EBP-20],CL
006684A0 . 8845 D0 MOV BYTE PTR SS:[EBP-30],AL
006684A3 > BA 01000000 MOV EDX,1
006684A8 . 66:03D7 ADD DX,DI
006684AB . 0F80 54010000 JO ks.00668605 ;16-bit overflow of the counter -> __vbaErrorOverflow
006684B1 . 8BFA MOV EDI,EDX
006684B3 .^ EB 93 JMP SHORT ks.00668448
;end of inner loop
006684B5 > BA 01000000 MOV EDX,1
006684BA . 66:0355 E8 ADD DX,WORD PTR SS:[EBP-18]
006684BE . 33DB XOR EBX,EBX ;EBX back to 0 for the descriptor check at 006683FF
006684C0 . 0F80 3F010000 JO ks.00668605
006684C6 . 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
006684C9 .^ E9 1CFFFFFF JMP ks.006683EA
;end of outer loop
;author's run: AX=CCh=204 -> second half of the check digits "204"; CX=7Dh=125 -> first half "125"; DX=1Ah=26 -> all 26 characters consumed
;final state: 12f65c=CCh, 12f66c=7Dh
;Formatting: each check byte is passed by reference (variant type 4011h = VT_BYREF|VT_UI1)
;to rtcVarFromFormatVar together with a copy of the format string "000" (variant type 8 = string).
006684CE > 8B35 8CB66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
006684D4 . 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
006684DA . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
006684DD . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],ks.0042872C ; UNICODE "000"
006684E7 . C785 58FFFFFF>MOV DWORD PTR SS:[EBP-A8],8
006684F1 . FFD6 CALL ESI ; <&MSVBVM50.__vbaVarDup>
006684F3 . 8B3D 30B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.#660>] ; MSVBVM50.rtcVarFromFormatVar
006684F9 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ;address of the high check byte
006684FC . 6A 01 PUSH 1
006684FE . 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00668501 . 898D 70FFFFFF MOV DWORD PTR SS:[EBP-90],ECX
00668507 . 6A 01 PUSH 1
00668509 . 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
0066850F . 52 PUSH EDX
00668510 . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58] ;result variant for the high byte
00668513 . BB 11400000 MOV EBX,4011
00668518 . 50 PUSH EAX
00668519 . 51 PUSH ECX
0066851A . 899D 68FFFFFF MOV DWORD PTR SS:[EBP-98],EBX
00668520 . FFD7 CALL EDI ; <&MSVBVM50.#660>
00668522 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00668528 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
0066852B . C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],ks.0042872C ; UNICODE "000"
00668535 . C785 38FFFFFF>MOV DWORD PTR SS:[EBP-C8],8
0066853F . FFD6 CALL ESI
00668541 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ;address of the low check byte
00668544 . 6A 01 PUSH 1
00668546 . 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
00668549 . 8995 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EDX
0066854F . 6A 01 PUSH 1
00668551 . 8D8D 48FFFFFF LEA ECX,DWORD PTR SS:[EBP-B8]
00668557 . 50 PUSH EAX
00668558 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78] ;result variant for the low byte
0066855B . 51 PUSH ECX
0066855C . 52 PUSH EDX
0066855D . 899D 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EBX
00668563 . FFD7 CALL EDI
00668565 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00668568 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066856B . 50 PUSH EAX
0066856C . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
00668572 . 51 PUSH ECX
00668573 . 52 PUSH EDX
00668574 . FF15 E4B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarCa>; MSVBVM50.__vbaVarCat
0066857A . 50 PUSH EAX
0066857B . FF15 DCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrVa>; MSVBVM50.__vbaStrVarMove
;the two formatted check values are now concatenated
00668581 . 8BD0 MOV EDX,EAX
00668583 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00668586 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
;[EBP-24] now holds the result string; release the five temporary variants
0066858C . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
00668592 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
00668595 . 50 PUSH EAX
00668596 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
00668599 . 51 PUSH ECX
0066859A . 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
0066859D . 52 PUSH EDX
0066859E . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
006685A1 . 50 PUSH EAX
006685A2 . 51 PUSH ECX
006685A3 . 6A 05 PUSH 5
006685A5 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006685AB . 83C4 18 ADD ESP,18
006685AE . 68 E8856600 PUSH ks.006685E8
006685B3 . EB 32 JMP SHORT ks.006685E7
;006685B5..006685E6 is not reached by the fall-through path above (it jumps over it);
;presumably the cleanup run by the exception handler -- TODO confirm
006685B5 . F645 FC 04 TEST BYTE PTR SS:[EBP-4],4
006685B9 . 74 09 JE SHORT ks.006685C4
006685BB . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
006685BE . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
006685C4 > 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
006685CA . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
006685CD . 52 PUSH EDX
006685CE . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
006685D1 . 50 PUSH EAX
006685D2 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
006685D5 . 51 PUSH ECX
006685D6 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
006685D9 . 52 PUSH EDX
006685DA . 50 PUSH EAX
006685DB . 6A 05 PUSH 5
006685DD . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006685E3 . 83C4 18 ADD ESP,18
006685E6 . C3 RETN
006685E7 > C3 RETN ; RET used as a jump to 006685E8
;normal exit: hand the result string to the caller's slot, restore the SEH chain, return 0
006685E8 > 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
006685EB . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
006685EE . 5F POP EDI
006685EF . 5E POP ESI
006685F0 . 8911 MOV DWORD PTR DS:[ECX],EDX ;*output slot = result string
006685F2 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14] ;previous FS:[0] value saved by the prologue
006685F5 . 33C0 XOR EAX,EAX
006685F7 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
006685FE . 5B POP EBX
006685FF . 8BE5 MOV ESP,EBP
00668601 . 5D POP EBP
00668602 . C2 0C00 RETN 0C
;target of the two JO checks on the loop counters
00668605 > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066860B . 90 NOP
0066860C . 90 NOP
0066860D . 90 NOP
0066860E . 90 NOP
0066860F . 90 NOP
00668610 > 55 PUSH EBP
-------------------------------------------------------------------------------
▲文件:0-26ASC-XOR.txt 26个字符的异或过程
-------------------------------------------------------------------------------
al cl bl XORalbl 暂存al
FF(初) 47 B8 B8 (外循环开始设初值,只计算xor al,bl)
B8 FF(初) FF(从CL)
5C(SHR1) 7F(SHR1) 01(AND1) 5C(内循环1,SHR(B8,1),SHR(FF,1),AND(FF,1))
Bit0为1则AL Bit7置1=> DC(OR AL,80)
B8
00(AND B8,1)CL若为1,则有复杂操作
7F放入CL
3F(shrCL,1第2步)7F(第1步) (内2)
6E(shrDC,1) 01(AND 7F,1) 6E
Bit0为1则AL Bit7置1=> EE(OR AL,80)
00(AND DC,1)CL若为1,则有复杂操作
DC放入CL
1F(shrCL,1第2步)3F(第1步) (内3)
77(shrEE,1) 01(AND 3F,1)
Bit0为1则AL Bit7置1=> F7(OR AL,80)
00(EE放入CL,AND DC,1)CL若为1,则有复杂操作
1F放入CL
这个过程太复杂了,直接逆推吧,先给26个字符,再推4个校验字符吧.
-------------------------------------------------------------------------------
▲文件:0-61D1A7.txt
-------------------------------------------------------------------------------
0061D154 8B1F MOV EBX,DWORD PTR DS:[EDI]
0061D156 52 PUSH EDX
0061D157 50 PUSH EAX
0061D158 51 PUSH ECX
0061D159 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0061D15C FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
0061D162 50 PUSH EAX
0061D163 57 PUSH EDI
0061D164 FF53 24 CALL DWORD PTR DS:[EBX+24]
0061D167 3BC6 CMP EAX,ESI
0061D169 7D 13 JGE SHORT ks1.0061D17E
0061D16B 8B1D 40B46800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0061D171 6A 24 PUSH 24
0061D173 68 C4E94100 PUSH ks1.0041E9C4
0061D178 57 PUSH EDI
0061D179 50 PUSH EAX
0061D17A FFD3 CALL EBX
0061D17C EB 06 JMP SHORT ks1.0061D184
0061D17E 8B1D 40B46800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0061D184 66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 75 16 JNZ SHORT ks1.0061D1A0
0061D18A 83C8 FF OR EAX,FFFFFFFF
0061D18D 68 0ED56100 PUSH ks1.0061D50E
0061D192 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 66:A3 DCB06700 MOV WORD PTR DS:[67B0DC],AX
0061D19B E9 4F030000 JMP ks1.0061D4EF
0061D1A0 66:3935 DCB0670>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 0F85 07030000 JNZ ks1.0061D4B4
0061D1AD 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
0061D1B0 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
0061D1B3 66:3975 10 CMP WORD PTR SS:[EBP+10],SI
0061D1B7 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D1BC 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D1C1 0F84 E3020000 JE ks1.0061D4AA
0061D1C7 3935 28C76700 CMP DWORD PTR DS:[67C728],ESI
0061D1CD 75 10 JNZ SHORT ks1.0061D1DF
0061D1CF 68 28C76700 PUSH ks1.0067C728
0061D1D4 68 A0C84100 PUSH ks1.0041C8A0
0061D1D9 FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D1DF 8B3D 28C76700 MOV EDI,DWORD PTR DS:[67C728]
0061D1E5 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0061D1E8 50 PUSH EAX
0061D1E9 57 PUSH EDI
0061D1EA 8B17 MOV EDX,DWORD PTR DS:[EDI]
0061D1EC FF52 14 CALL DWORD PTR DS:[EDX+14]
0061D1EF 3BC6 CMP EAX,ESI
0061D1F1 7D 0B JGE SHORT ks1.0061D1FE
0061D1F3 6A 14 PUSH 14
0061D1F5 68 98C74100 PUSH ks1.0041C798
0061D1FA 57 PUSH EDI
0061D1FB 50 PUSH EAX
0061D1FC FFD3 CALL EBX
0061D1FE 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0061D201 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0061D204 52 PUSH EDX
0061D205 50 PUSH EAX
0061D206 8B08 MOV ECX,DWORD PTR DS:[EAX]
0061D208 8BF8 MOV EDI,EAX
0061D20A FF51 60 CALL DWORD PTR DS:[ECX+60]
0061D20D 3BC6 CMP EAX,ESI
0061D20F 7D 0B JGE SHORT ks1.0061D21C
0061D211 6A 60 PUSH 60
0061D213 68 98E44100 PUSH ks1.0041E498
0061D218 57 PUSH EDI
0061D219 50 PUSH EAX
0061D21A FFD3 CALL EBX
0061D21C 83EC 10 SUB ESP,10
0061D21F B9 08000000 MOV ECX,8
0061D224 8BD4 MOV EDX,ESP
0061D226 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
0061D229 894D 9C MOV DWORD PTR SS:[EBP-64],ECX
0061D22C B8 D4E54100 MOV EAX,ks1.0041E5D4
0061D231 890A MOV DWORD PTR DS:[EDX],ECX
0061D233 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0061D236 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
0061D239 68 8CE24100 PUSH ks1.0041E28C ; UNICODE "NoAlert"
0061D23E 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0061D241 68 2CE74100 PUSH ks1.0041E72C ; UNICODE "Active"
0061D246 53 PUSH EBX
0061D247 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
0061D24A 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
0061D24D 8942 0C MOV DWORD PTR DS:[EDX+C],EAX
0061D250 FF15 BCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>; MSVBVM50.__vbaStrI4
0061D256 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0061D25C 8BD0 MOV EDX,EAX
0061D25E 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0061D261 FFD7 CALL EDI
0061D263 50 PUSH EAX
0061D264 FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0061D26A 8BD0 MOV EDX,EAX
0061D26C 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0061D26F FFD7 CALL EDI
0061D271 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0061D274 50 PUSH EAX
0061D275 51 PUSH ECX
0061D276 FF15 6CB66800 CALL DWORD PTR DS:[<&MSVBVM50.#689>] ; MSVBVM50.rtcGetSetting
0061D27C 8BD0 MOV EDX,EAX
0061D27E 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0061D281 FFD7 CALL EDI
0061D283 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0061D286 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0061D289 52 PUSH EDX
0061D28A 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0061D28D 50 PUSH EAX
0061D28E 51 PUSH ECX
0061D28F 6A 03 PUSH 3
0061D291 FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0061D297 83C4 10 ADD ESP,10
0061D29A 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0061D29D FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0061D2A3 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0061D2A6 52 PUSH EDX
0061D2A7 68 D4E54100 PUSH ks1.0041E5D4
0061D2AC FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0061D2B2 85C0 TEST EAX,EAX
0061D2B4 0F85 FA010000 JNZ ks1.0061D4B4
0061D2BA 3935 B0B36700 CMP DWORD PTR DS:[67B3B0],ESI
0061D2C0 75 10 JNZ SHORT ks1.0061D2D2
0061D2C2 68 B0B36700 PUSH ks1.0067B3B0
0061D2C7 68 FCD44000 PUSH ks1.0040D4FC
0061D2CC FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D2D2 8B3D B0B36700 MOV EDI,DWORD PTR DS:[67B3B0]
0061D2D8 53 PUSH EBX
0061D2D9 57 PUSH EDI
0061D2DA 8B07 MOV EAX,DWORD PTR DS:[EDI]
0061D2DC FF90 00070000 CALL DWORD PTR DS:[EAX+700]
0061D2E2 3BC6 CMP EAX,ESI
0061D2E4 7D 12 JGE SHORT ks1.0061D2F8
0061D2E6 68 00070000 PUSH 700
0061D2EB 68 2C5D4200 PUSH ks1.00425D2C
0061D2F0 57 PUSH EDI
0061D2F1 50 PUSH EAX
0061D2F2 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D2F8 3935 B0B36700 CMP DWORD PTR DS:[67B3B0],ESI
0061D2FE 75 10 JNZ SHORT ks1.0061D310
0061D300 68 B0B36700 PUSH ks1.0067B3B0
0061D305 68 FCD44000 PUSH ks1.0040D4FC
0061D30A FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D310 8B3D B0B36700 MOV EDI,DWORD PTR DS:[67B3B0]
0061D316 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0061D319 52 PUSH EDX
0061D31A 57 PUSH EDI
0061D31B 8B0F MOV ECX,DWORD PTR DS:[EDI]
0061D31D FF91 F8060000 CALL DWORD PTR DS:[ECX+6F8]
0061D323 3BC6 CMP EAX,ESI
0061D325 7D 12 JGE SHORT ks1.0061D339
0061D327 68 F8060000 PUSH 6F8
0061D32C 68 2C5D4200 PUSH ks1.00425D2C
0061D331 57 PUSH EDI
0061D332 50 PUSH EAX
0061D333 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D339 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0061D33C 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0061D33F 50 PUSH EAX
0061D340 51 PUSH ECX
0061D341 C745 A4 0100000>MOV DWORD PTR SS:[EBP-5C],1
0061D348 C745 9C 0280000>MOV DWORD PTR SS:[EBP-64],8002
0061D34F FF15 14B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstEq
0061D355 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0061D358 8BF8 MOV EDI,EAX
0061D35A FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0061D360 66:3BFE CMP DI,SI
0061D363 0F84 4B010000 JE ks1.0061D4B4
0061D369 3935 E0B16700 CMP DWORD PTR DS:[67B1E0],ESI
0061D36F 75 10 JNZ SHORT ks1.0061D381
0061D371 68 E0B16700 PUSH ks1.0067B1E0
0061D376 68 1C384100 PUSH ks1.0041381C
0061D37B FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D381 8B3D E0B16700 MOV EDI,DWORD PTR DS:[67B1E0]
0061D387 53 PUSH EBX
0061D388 57 PUSH EDI
0061D389 8B17 MOV EDX,DWORD PTR DS:[EDI]
0061D38B FF92 00070000 CALL DWORD PTR DS:[EDX+700]
0061D391 3BC6 CMP EAX,ESI
0061D393 7D 12 JGE SHORT ks1.0061D3A7
0061D395 68 00070000 PUSH 700
0061D39A 68 3CE84100 PUSH ks1.0041E83C
0061D39F 57 PUSH EDI
0061D3A0 50 PUSH EAX
0061D3A1 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D3A7 3935 E0B16700 CMP DWORD PTR DS:[67B1E0],ESI
0061D3AD 75 10 JNZ SHORT ks1.0061D3BF
0061D3AF 68 E0B16700 PUSH ks1.0067B1E0
0061D3B4 68 1C384100 PUSH ks1.0041381C
0061D3B9 FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D3BF 8B3D E0B16700 MOV EDI,DWORD PTR DS:[67B1E0]
0061D3C5 83EC 10 SUB ESP,10
0061D3C8 8BDC MOV EBX,ESP
0061D3CA B9 0A000000 MOV ECX,0A
0061D3CF 8B17 MOV EDX,DWORD PTR DS:[EDI]
0061D3D1 B8 04000280 MOV EAX,80020004
0061D3D6 890B MOV DWORD PTR DS:[EBX],ECX
0061D3D8 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0061D3DB 83EC 10 SUB ESP,10
0061D3DE C745 9C 0300000>MOV DWORD PTR SS:[EBP-64],3
0061D3E5 894B 04 MOV DWORD PTR DS:[EBX+4],ECX
0061D3E8 8BCC MOV ECX,ESP
0061D3EA C745 A4 0100000>MOV DWORD PTR SS:[EBP-5C],1
0061D3F1 57 PUSH EDI
0061D3F2 8943 08 MOV DWORD PTR DS:[EBX+8],EAX
0061D3F5 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68]
0061D3F8 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
0061D3FB 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64]
0061D3FE 8901 MOV DWORD PTR DS:[ECX],EAX
0061D400 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0061D403 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
0061D406 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
0061D409 8941 08 MOV DWORD PTR DS:[ECX+8],EAX
0061D40C 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
0061D40F 8941 0C MOV DWORD PTR DS:[ECX+C],EAX
0061D412 FF92 B0020000 CALL DWORD PTR DS:[EDX+2B0]
0061D418 3BC6 CMP EAX,ESI
0061D41A 7D 12 JGE SHORT ks1.0061D42E
0061D41C 68 B0020000 PUSH 2B0
0061D421 68 0CE84100 PUSH ks1.0041E80C
0061D426 57 PUSH EDI
0061D427 50 PUSH EAX
0061D428 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D42E 8B7D EC MOV EDI,DWORD PTR SS:[EBP-14]
0061D431 3BFE CMP EDI,ESI
0061D433 75 12 JNZ SHORT ks1.0061D447
0061D435 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0061D438 51 PUSH ECX
0061D439 68 D0924000 PUSH ks1.004092D0
0061D43E FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0061D444 8B7D EC MOV EDI,DWORD PTR SS:[EBP-14]
0061D447 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0061D44A 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0061D44D 8B1F MOV EBX,DWORD PTR DS:[EDI]
0061D44F 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0061D452 52 PUSH EDX
0061D453 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0061D456 50 PUSH EAX
0061D457 51 PUSH ECX
0061D458 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0061D45B 52 PUSH EDX
0061D45C FF15 28B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaI2I4>>; MSVBVM50.__vbaI2I4
0061D462 50 PUSH EAX
0061D463 57 PUSH EDI
0061D464 FF53 24 CALL DWORD PTR DS:[EBX+24]
0061D467 3BC6 CMP EAX,ESI
0061D469 7D 0F JGE SHORT ks1.0061D47A
0061D46B 6A 24 PUSH 24
0061D46D 68 C4E94100 PUSH ks1.0041E9C4
0061D472 57 PUSH EDI
0061D473 50 PUSH EAX
0061D474 FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0061D47A 66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D47E 75 13 JNZ SHORT ks1.0061D493
0061D480 83C8 FF OR EAX,FFFFFFFF
0061D483 68 0ED56100 PUSH ks1.0061D50E
0061D488 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0061D48B 66:A3 DCB06700 MOV WORD PTR DS:[67B0DC],AX
0061D491 EB 5C JMP SHORT ks1.0061D4EF
0061D493 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
0061D496 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
0061D499 68 0ED56100 PUSH ks1.0061D50E
0061D49E 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D4A3 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D4A8 EB 45 JMP SHORT ks1.0061D4EF
0061D4AA 66:C701 0100 MOV WORD PTR DS:[ECX],1
0061D4AF 66:C700 0100 MOV WORD PTR DS:[EAX],1
0061D4B4 68 0ED56100 PUSH ks1.0061D50E
0061D4B9 EB 34 JMP SHORT ks1.0061D4EF
0061D4BB 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0061D4BE 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0061D4C1 52 PUSH EDX
0061D4C2 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0061D4C5 50 PUSH EAX
0061D4C6 51 PUSH ECX
0061D4C7 6A 03 PUSH 3
0061D4C9 FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0061D4CF 83C4 10 ADD ESP,10
0061D4D2 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0061D4D5 FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0061D4DB 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0061D4DE 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0061D4E1 52 PUSH EDX
0061D4E2 50 PUSH EAX
0061D4E3 6A 02 PUSH 2
0061D4E5 FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0061D4EB 83C4 0C ADD ESP,0C
0061D4EE C3 RETN
0061D4EF 8B35 14B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0061D4F5 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0061D4F8 FFD6 CALL ESI
0061D4FA 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0061D4FD FFD6 CALL ESI
0061D4FF 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0061D502 FFD6 CALL ESI
0061D504 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0061D507 - FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0061D50D C3 RETN
0061D50E 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0061D511 66:8B45 E4 MOV AX,WORD PTR SS:[EBP-1C]
0061D515 5F POP EDI
0061D516 5E POP ESI
0061D517 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
0061D51E 5B POP EBX
0061D51F 8BE5 MOV ESP,EBP
0061D521 5D POP EBP
0061D522 C2 1400 RETN 14
0061D525 90 NOP
0061D526 90 NOP
0061D527 90 NOP
0061D528 90 NOP
0061D529 90 NOP
-------------------------------------------------------------------------------
▲文件:0-668130.txt
-------------------------------------------------------------------------------
;Handles the "04" / "61" fields; called from 666F93. The trace notes below use "61" as the example.
;-------------------------------------------------------------------------------
; Routine at 00668130 (OllyDbg listing, 32-bit x86, VB5 runtime MSVBVM50).
; What the listing shows:
;   - the string passed at [EBP+C] is copied to the local at [EBP-18];
;   - if it is longer than 2 characters the routine leaves the result word
;     at [EBP-20] = 0 and goes straight to the exit path;
;   - otherwise each of the two characters is mapped to a value: numeric
;     characters through rtcR8ValFromBstr, anything else as character code
;     minus 37h (so "A" = 41h becomes 0Ah);
;   - result = left*36 + right, kept in [EBP-20];
;   - the 16-bit result is written through the pointer at [EBP+10], EAX is
;     cleared and the routine returns with RETN 0C.
; Integer overflow (JO) goes to __vbaErrorOverflow at 00668327, an FPU status
; fault goes to __vbaFPException at 00668322.
;-------------------------------------------------------------------------------
00668130 > \55 PUSH EBP
00668131 . 8BEC MOV EBP,ESP
00668133 . 83EC 08 SUB ESP,8
00668136 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066813B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00668141 . 50 PUSH EAX
00668142 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00668149 . 83EC 48 SUB ESP,48
0066814C . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066814F . 53 PUSH EBX
00668150 . 56 PUSH ESI
00668151 . 57 PUSH EDI
00668152 . 33C0 XOR EAX,EAX
00668154 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00668157 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0066815A . C745 FC F0744>MOV DWORD PTR SS:[EBP-4],ks1.004074F0
;zero the locals used below: [EBP-14] and [EBP-18] hold strings, [EBP-20] the result
00668161 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00668164 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00668167 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
0066816A . 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
0066816D . 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
;ECX = &[EBP-18], EDX = [EBP+C]: copy the caller's string into the local
00668170 . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
00668176 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00668179 . 8B35 D8B36800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaLe>; MSVBVM50.__vbaLenBstr
0066817F . 50 PUSH EAX
00668180 . FFD6 CALL ESI ; <&MSVBVM50.__vbaLenBstr>
;length > 2: skip the conversion, result stays 0
00668182 . 83F8 02 CMP EAX,2
00668185 . 0F8F 55010000 JG ks1.006682E0
0066818B . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0066818E . 51 PUSH ECX
0066818F . FFD6 CALL ESI
;length == 1: concatenate with the constant string at 0041E5D4 so two
;characters are available (its contents are not shown here; presumably a
;one-character pad - confirm)
00668191 . 83F8 01 CMP EAX,1
00668194 . 75 1E JNZ SHORT ks1.006681B4
00668196 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00668199 . 68 D4E54100 PUSH ks1.0041E5D4
0066819E . 52 PUSH EDX
0066819F . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
006681A5 . 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
006681AB . 8BD0 MOV EDX,EAX
006681AD . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
006681B0 . FFD7 CALL EDI ; <&MSVBVM50.__vbaStrMove>
006681B2 . EB 06 JMP SHORT ks1.006681BA
006681B4 > 8B3D C8B66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
;build a by-reference string variant at [EBP-40] (type 4008h = VT_BYREF|VT_BSTR,
;data pointer = &[EBP-18]) and request 1 character from the right
006681BA > 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
006681BD . 6A 01 PUSH 1
006681BF . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
006681C2 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
006681C5 . BE 08400000 MOV ESI,4008
006681CA . 51 PUSH ECX
006681CB . 52 PUSH EDX
006681CC . 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
006681CF . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI
006681D2 . FF15 CCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#619>] ; MSVBVM50.rtcRightCharVar
;take the rightmost character, "1" in the example
006681D8 . 8B1D DCB36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrVarMove
006681DE . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
006681E1 . 50 PUSH EAX
006681E2 . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrVarMove>
;move the extracted character into the string local [EBP-14]
006681E4 . 8BD0 MOV EDX,EAX
006681E6 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
006681E9 . FFD7 CALL EDI
006681EB . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
006681EE . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
006681F4 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
006681F7 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
006681FA . 52 PUSH EDX
006681FB . 894D C8 MOV DWORD PTR SS:[EBP-38],ECX
006681FE . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI ; variant type tag 4008h (ESI was loaded at 006681C5); the data pointer is [EBP-38]
00668201 . FF15 20B56800 CALL DWORD PTR DS:[<&MSVBVM50.#561>] ; MSVBVM50.rtcIsNumeric
;is "1" numeric?
00668207 . 66:85C0 TEST AX,AX
0066820A . 74 14 JE SHORT ks1.00668220
0066820C . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0066820F . 50 PUSH EAX
00668210 . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
;convert to an 8-byte floating-point value
00668216 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
;convert to an integer
0066821C . 8BF0 MOV ESI,EAX ;result in AX (01 in the example), kept in SI for later
0066821E . EB 17 JMP SHORT ks1.00668237
;non-numeric right character: use its character code instead
00668220 > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00668223 . 51 PUSH ECX
00668224 . FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
0066822A . 66:8BF0 MOV SI,AX
0066822D . 66:83EE 37 SUB SI,37 ;non-digit path: character code minus 37h, e.g. "E" (45h) => 0Eh
00668231 . 0F80 F0000000 JO ks1.00668327
;same variant set-up as above, this time requesting 1 character from the left
00668237 > 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0066823A . 6A 01 PUSH 1
0066823C . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0066823F . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00668242 . 50 PUSH EAX
00668243 . 51 PUSH ECX
00668244 . 8955 C8 MOV DWORD PTR SS:[EBP-38],EDX
00668247 . C745 C0 08400>MOV DWORD PTR SS:[EBP-40],4008
0066824E . FF15 B0B66800 CALL DWORD PTR DS:[<&MSVBVM50.#617>] ; MSVBVM50.rtcLeftCharVar
;take the leftmost character, "6" in the example
00668254 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00668257 . 52 PUSH EDX
00668258 . FFD3 CALL EBX
0066825A . 8BD0 MOV EDX,EAX
0066825C . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0066825F . FFD7 CALL EDI
00668261 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00668264 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066826A . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066826D . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00668270 . 51 PUSH ECX
00668271 . 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
00668274 . C745 C0 08400>MOV DWORD PTR SS:[EBP-40],4008
0066827B . FF15 20B56800 CALL DWORD PTR DS:[<&MSVBVM50.#561>] ; MSVBVM50.rtcIsNumeric
00668281 . 66:85C0 TEST AX,AX
00668284 . 74 3C JE SHORT ks1.006682C2
;numeric left character: the combination is done on the FPU
00668286 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00668289 . 52 PUSH EDX
0066828A . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
00668290 . DD5D B8 FSTP QWORD PTR SS:[EBP-48]
00668293 . DD45 B8 FLD QWORD PTR SS:[EBP-48]
00668296 . DC0D 90744000 FMUL QWORD PTR DS:[407490] ;multiply by 36.0 (author's note: [407490]=36.0); 6*36 = 216 decimal in the example
0066829C . 0FBFC6 MOVSX EAX,SI
0066829F . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
006682A2 . DB45 B0 FILD DWORD PTR SS:[EBP-50]
006682A5 . DD5D A8 FSTP QWORD PTR SS:[EBP-58]
006682A8 . DC45 A8 FADD QWORD PTR SS:[EBP-58] ;then add the value saved in SI: 216+1 = 217 (decimal)
;any of FPU status bits 0, 2 or 3 set (mask 0Dh) => __vbaFPException
006682AB . DFE0 FSTSW AX
006682AD . A8 0D TEST AL,0D
006682AF . 75 71 JNZ SHORT ks1.00668322
006682B1 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
;convert to an integer, returned in AX
006682B7 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
;push the epilogue address so the tail-jump in the cleanup code returns to it
006682BA . 68 03836600 PUSH ks1.00668303
006682BF . 9B WAIT
006682C0 . EB 30 JMP SHORT ks1.006682F2
;non-numeric left character: (code - 37h) * 24h + SI in 16-bit integer
;arithmetic, with an overflow check after every step
006682C2 > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
006682C5 . 51 PUSH ECX
006682C6 . FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
006682CC . 66:2D 3700 SUB AX,37
006682D0 . 70 55 JO SHORT ks1.00668327
006682D2 . 66:6BC0 24 IMUL AX,AX,24
006682D6 . 70 4F JO SHORT ks1.00668327
006682D8 . 66:03C6 ADD AX,SI
006682DB . 70 4A JO SHORT ks1.00668327
006682DD . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
;common exit; also the target of the length > 2 test at 00668185
006682E0 > 9B WAIT
006682E1 . 68 03836600 PUSH ks1.00668303
006682E6 . EB 0A JMP SHORT ks1.006682F2
;006682E8-006682F1 is not reached by the straight-line flow above; presumably
;the cleanup used when unwinding through the table at 004074F0 - confirm
006682E8 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
006682EB . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
006682F1 . C3 RETN
;normal cleanup: free both string locals; the second free is a tail-jump that
;returns to the address pushed earlier (00668303)
006682F2 > 8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeStr
006682F8 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
006682FB . FFD6 CALL ESI ; <&MSVBVM50.__vbaFreeStr>
006682FD . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00668300 . FFE6 JMP ESI
00668302 . C3 RETN
;epilogue: store the 16-bit result through [EBP+10], restore the previous
;exception-list head taken from [EBP-10], return 0 in EAX
00668303 . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
00668306 . 66:8B45 E0 MOV AX,WORD PTR SS:[EBP-20]
0066830A . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0066830D . 5F POP EDI
0066830E . 66:8902 MOV WORD PTR DS:[EDX],AX
00668311 . 5E POP ESI
00668312 . 33C0 XOR EAX,EAX
00668314 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066831B . 5B POP EBX
0066831C . 8BE5 MOV ESP,EBP
0066831E . 5D POP EBP
0066831F . C2 0C00 RETN 0C
;error exits
00668322 >^ E9 D5FCD9FF JMP <JMP.&MSVBVM50.__vbaFPException>
00668327 > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066832D . 90 NOP
0066832E . 90 NOP
0066832F . 90 NOP
00668330 > 55 PUSH EBP
总结:
程序变换输入的激活码,例如5084J-VX10H-0248M-TXZO7-O1J69-26M9I
G7K4074H9V5MXVR I4086D67TRF0461
取后4个字符并把它们转换为相应数值(例如"E"转换为0Eh),然后
"04"操作为4+0*36=4, 格式化为"004"
"61"操作为1+6*36=217,格式化为"217"
连接以上字符串得到"004217"即为得到的校验串.
这个"0461"实际是激活码开始的"5084"反过来"4805",再各字符ASC值减4得到"0461"
然后再取前26个字符进行复杂的异或操作,取得另一个校验码.再比较.(见5-668330.txt)
36*2=72
36*3=108
36*4=144
36*5=180
36*6=216
36*7=252
F755 0-BBBBB-CCCCC-DDDDD-O2222-33333
O必须是O因为硬盘序列号为8
"037119"
037=1*36+1 "11"
119=3*36+11 "3B"
"113B"asc值加4=>"557F",反过来"F755"
校验成功,但是:
006671DB . FF15 D8B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>; MSVBVM50.__vbaLenBstr
006671E1 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
006671E4 . C745 B0 03000>MOV DWORD PTR SS:[EBP-50],3
006671EB . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
006671EE . 8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
006671F4 . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],4008
006671FE . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00667201 . 50 PUSH EAX
00667202 . 6A 0B PUSH 0B
00667204 . 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100]
0066720A . 51 PUSH ECX
0066720B . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
0066720E . 52 PUSH EDX
0066720F . FF15 E4B46800 CALL DWORD PTR DS:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
00667215 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00667218 . 8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0066721E . C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],8008
00667228 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
0066722B . 51 PUSH ECX
0066722C . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00667232 . 52 PUSH EDX
00667233 . FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstNe
;这里检测出错了.
;好像拿下面两个字符串比较,必须相等,这里就过了.
;0012E95C 001D32F4 UNICODE "4JV10H8M"
;0012E960 001D3F2C UNICODE "BBBBBYYY"
;0012EB40 0016C23C UNICODE "11111-0000M-BBBBB-YYYYY-XXXXX-6113B"这是变换后的激活码
;BBBBBYYY应该是硬盘序列号才对
;字母表ABCDEFGHIJKLMNOPQRSTUVWXYZ 1234567890
;4JV10 H8M其中H8M是减4得到的,4JV10是减2得到的.
;H8M=>L2Q,4JV10=>6LX32反过来Q2L-23XL6
;F755 0-BBBBB-CC Q2L-23XL6 -O2222-33333
;F7550-BBBBB-CCQ2L-23XL6-O2222-33333
00667239 . 8BF8 MOV EDI,EAX ; eax=0
0066723B . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
0066723E . 50 PUSH EAX
0066723F . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00667242 . 51 PUSH ECX
00667243 . 6A 02 PUSH 2
00667245 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0066724B . 83C4 0C ADD ESP,0C
0066724E . 66:85FF TEST DI,DI
00667251 . /75 28 JNZ SHORT ks.0066727B ;跳走完蛋
00667253 . |8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
00667259 . |52 PUSH EDX
得到激活码:
F7550-BBBBB-CCQ2L-23XL6-O2222-33333
得到校验值为:225128这个校验码不行,改一下最后一个字符
F7550-BBBBB-CCQ2L-23XL6-O2222-33332得到校验码"156157"
156=36*4+12 "4C"
157=36*4+13 "4D"
"4C4D"asc值加4,"8G8H",反过来"H8G8"
H8G80-BBBBB-CCQ2L-23XL6-O2222-33332
H8G8 0-BBBBB-CC Q2L-23XL6 -O 2222-33332
校验 硬盘序列号 ^校验硬盘序列号字符数
这样刚刚的检测也躲过了.
但是还有.
0066725A . |8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0066725D . |50 PUSH EAX
0066725E . |56 PUSH ESI
0066725F . |FF53 24 CALL DWORD PTR DS:[EBX+24] ; ks.00408C8A
;这个CALL 408C8A还要检测
00667262 . |66:39BD 8CFEF>CMP WORD PTR SS:[EBP-174],DI
00667269 . |74 10 JE SHORT ks.0066727B
0066726B . |C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00667272 . |EB 07 JMP SHORT ks.0066727B
00667274 . |C745 D8 00000>MOV DWORD PTR SS:[EBP-28],0
0066727B > \FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>; MSVBVM50.__vbaExitProc
00667281 . 68 0A736600 PUSH ks.0066730A
00667286 . EB 60 JMP SHORT ks.006672E8
00667288 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066728B . 51 PUSH ECX
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"
-------------------------------------------------------------------------------
▲文件:0-667400.txt
-------------------------------------------------------------------------------
0066725F . |FF53 24 CALL DWORD PTR DS:[EBX+24] ; ks.00408C8A调用以下代码:
刚刚输入的激活码"H8G80-BBBBB-CCQ2L-23XL6-O2222-33332"
处理后为: "011110000M4JV10H8MYYXXXXX64C4D"
;-------------------------------------------------------------------------------
; Routine at 00667400 (OllyDbg listing, 32-bit x86, VB5 runtime MSVBVM50),
; reached through CALL [EBX+24] at 0066725F according to the author.
; What the listing shows:
;   - ESI = [EBP+8] is an object pointer; the string at [EBP+C] is copied to
;     the local at [EBP-18];
;   - character 1 of the string: character code minus 46h is stored as a word
;     at [ESI+34];
;   - the two-character fields at positions 2, 4, 6 and 8 are each passed to
;     the method in vtable slot 34h of the object (the author identifies it
;     as the routine at 668130) and the 16-bit results are stored at
;     [ESI+36], [ESI+38], [ESI+3A] and [ESI+3C];
;   - the result word [EBP-14] starts at -1 and is set to 0 if any of the five
;     stored words is less than 1 (signed compare);
;   - the result word is written through the pointer at [EBP+10], EAX is
;     cleared and the routine returns with RETN 0C.
; NOTE(review): every test in this routine is plain arithmetic on characters
; of the string passed in, evaluated locally, which is why the rule can be
; read straight out of a debugger trace; a licence token verified against a
; vendor signature would not expose its generation rule this way.
;-------------------------------------------------------------------------------
00667400 > \55 PUSH EBP
00667401 . 8BEC MOV EBP,ESP
00667403 . 83EC 08 SUB ESP,8
00667406 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066740B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00667411 . 50 PUSH EAX
00667412 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00667419 . 83EC 58 SUB ESP,58
0066741C . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066741F . 53 PUSH EBX
00667420 . 56 PUSH ESI
00667421 . 57 PUSH EDI
00667422 . 33C0 XOR EAX,EAX
00667424 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00667427 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0066742A . C745 FC 30744>MOV DWORD PTR SS:[EBP-4],ks.00407430
;zero the string and variant locals
00667431 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00667434 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00667437 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0066743A . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
0066743D . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00667440 . 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
;ECX = &[EBP-18], EDX = [EBP+C]: copy the caller's string into the local
00667443 . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
00667449 . 8B3D E4B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
;Mid(string, 1, 1): [EBP-4C] is the by-reference string variant (type 4008h,
;data pointer &[EBP-18]); [EBP-2C] is the length variant (type 2, value 1)
0066744F . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00667452 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00667455 . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
00667458 . 51 PUSH ECX
00667459 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
0066745C . 6A 01 PUSH 1
0066745E . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00667461 . 52 PUSH EDX
00667462 . 50 PUSH EAX
;[EBP-14] is the result word returned through [EBP+10]; it starts at -1
00667463 . C745 EC FFFFF>MOV DWORD PTR SS:[EBP-14],-1
0066746A . C745 DC 01000>MOV DWORD PTR SS:[EBP-24],1
00667471 . C745 D4 02000>MOV DWORD PTR SS:[EBP-2C],2
00667478 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
0066747F . FFD7 CALL EDI ; <&MSVBVM50.#632>
;take the first character "0" of the transformed string "011110000M4JV10H8MYYXXXXX64C4D"
00667481 . 8B1D DCB56800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrVarVal
00667487 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0066748A . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0066748D . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00667490 . 51 PUSH ECX
00667491 . 52 PUSH EDX
00667492 . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrVarVal>
00667494 . 50 PUSH EAX
00667495 . FF15 00B46800 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
;character code of "0" = 30h
0066749B . 66:2D 4600 SUB AX,46
;subtract 46h
;(the LEA below does not change flags, so the JO still tests the SUB)
0066749F . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006674A2 . 0F80 17020000 JO ks.006676BF
006674A8 . 66:8946 34 MOV WORD PTR DS:[ESI+34],AX
006674AC . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
006674B2 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006674B5 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
006674B8 . 50 PUSH EAX
006674B9 . 51 PUSH ECX
006674BA . 6A 02 PUSH 2
006674BC . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006674C2 . 83C4 0C ADD ESP,0C
;second field: start position 2 (pushed EAX), length 2
006674C5 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
006674C8 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
006674CB . B8 02000000 MOV EAX,2
006674D0 . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
006674D3 . 51 PUSH ECX
006674D4 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
006674D7 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
006674DA . 50 PUSH EAX
006674DB . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
006674DE . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006674E1 . 52 PUSH EDX
006674E2 . 50 PUSH EAX
006674E3 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
006674EA . FFD7 CALL EDI
;Mid("011110000M4JV10H8MYYXXXXX64C4D", 2, 2) gives "11"
;load vtable slot 34h of the object in ESI and keep it in [EBP-68] for the
;four calls that follow; &[EBP-60] receives the 16-bit result
006674EC . 8B0E MOV ECX,DWORD PTR DS:[ESI]
006674EE . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
006674F1 . 50 PUSH EAX
006674F2 . 8B51 34 MOV EDX,DWORD PTR DS:[ECX+34]
006674F5 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
006674F8 . 8955 98 MOV DWORD PTR SS:[EBP-68],EDX
006674FB . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
006674FE . 51 PUSH ECX
006674FF . 52 PUSH EDX
00667500 . FFD3 CALL EBX
00667502 . 50 PUSH EAX
00667503 . 56 PUSH ESI
00667504 . FF55 98 CALL DWORD PTR SS:[EBP-68]
;computation call, processes "11"
;in fact this also ends up in 668130 and computes the value the same way as for "04" and "61".
00667507 . 66:8B45 A0 MOV AX,WORD PTR SS:[EBP-60]
0066750B . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0066750E . 66:8946 36 MOV WORD PTR DS:[ESI+36],AX ;store the value computed for "11", 25h (37), at 174556
00667512 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667518 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0066751B . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0066751E . 51 PUSH ECX
0066751F . 52 PUSH EDX
00667520 . 6A 02 PUSH 2
00667522 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
;third field: start position 4, length 2
00667528 . B8 02000000 MOV EAX,2
0066752D . 83C4 0C ADD ESP,0C
00667530 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00667533 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00667536 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00667539 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066753C . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
0066753F . 51 PUSH ECX
00667540 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
00667543 . 6A 04 PUSH 4
00667545 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00667548 . 52 PUSH EDX
00667549 . 50 PUSH EAX
0066754A . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
00667551 . FFD7 CALL EDI
;Mid("011110000M4JV10H8MYYXXXXX64C4D", 4, 2) gives the next "11"
00667553 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00667556 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00667559 . 51 PUSH ECX
0066755A . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0066755D . 52 PUSH EDX
0066755E . 50 PUSH EAX
0066755F . FFD3 CALL EBX
00667561 . 50 PUSH EAX
00667562 . 56 PUSH ESI
00667563 . FF55 98 CALL DWORD PTR SS:[EBP-68]
;value for the second "11": 25h
00667566 . 66:8B4D A0 MOV CX,WORD PTR SS:[EBP-60]
0066756A . 66:894E 38 MOV WORD PTR DS:[ESI+38],CX
;25h goes through CX and is stored at 174558
0066756E . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00667571 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667577 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0066757A . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0066757D . 52 PUSH EDX
0066757E . 50 PUSH EAX
0066757F . 6A 02 PUSH 2
00667581 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667587 . 83C4 0C ADD ESP,0C
;fourth field: start position 6, length 2
0066758A . B8 02000000 MOV EAX,2
0066758F . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00667592 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00667595 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00667598 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0066759B . 894D BC MOV DWORD PTR SS:[EBP-44],ECX
0066759E . 52 PUSH EDX
0066759F . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
006675A2 . 6A 06 PUSH 6
006675A4 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
006675A7 . 50 PUSH EAX
006675A8 . 51 PUSH ECX
006675A9 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
006675B0 . FFD7 CALL EDI
;Mid("0 11 11 00 00M4JV10H8MYYXXXXX64C4D", 6, 2) gives the next field, "00"
006675B2 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
006675B5 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006675B8 . 52 PUSH EDX
006675B9 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006675BC . 50 PUSH EAX
006675BD . 51 PUSH ECX
006675BE . FFD3 CALL EBX
006675C0 . 50 PUSH EAX
006675C1 . 56 PUSH ESI
006675C2 . FF55 98 CALL DWORD PTR SS:[EBP-68] ;value computed for "00" is 0h
006675C5 . 66:8B55 A0 MOV DX,WORD PTR SS:[EBP-60]
006675C9 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006675CC . 66:8956 3A MOV WORD PTR DS:[ESI+3A],DX ;stored at 17455A
006675D0 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
006675D6 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
006675D9 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
006675DC . 50 PUSH EAX
006675DD . 51 PUSH ECX
006675DE . 6A 02 PUSH 2
006675E0 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
;fifth field: start position 8, length 2
006675E6 . B8 02000000 MOV EAX,2
006675EB . 83C4 0C ADD ESP,0C
006675EE . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
006675F1 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
006675F4 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
006675F7 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
006675FA . 8955 BC MOV DWORD PTR SS:[EBP-44],EDX
006675FD . 50 PUSH EAX
006675FE . 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
00667601 . 6A 08 PUSH 8
00667603 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00667606 . 51 PUSH ECX
00667607 . 52 PUSH EDX
00667608 . C745 B4 08400>MOV DWORD PTR SS:[EBP-4C],4008
0066760F . FFD7 CALL EDI
;Mid("0 11 11 00 00 M4JV10H8MYYXXXXX64C4D", 8, 2) gives the next field, "00"
00667611 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00667614 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00667617 . 50 PUSH EAX
00667618 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0066761B . 51 PUSH ECX
0066761C . 52 PUSH EDX
0066761D . FFD3 CALL EBX
0066761F . 50 PUSH EAX
00667620 . 56 PUSH ESI
00667621 . FF55 98 CALL DWORD PTR SS:[EBP-68] ;value computed for "00" is 0h
00667624 . 66:8B45 A0 MOV AX,WORD PTR SS:[EBP-60]
00667628 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0066762B . 66:8946 3C MOV WORD PTR DS:[ESI+3C],AX ;stored at 17455C
0066762F . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667635 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00667638 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0066763B . 51 PUSH ECX
0066763C . 52 PUSH EDX
0066763D . 6A 02 PUSH 2
0066763F . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
;AX = 1 is the lower bound used by the five compares below
00667645 . B8 01000000 MOV EAX,1
0066764A . 83C4 0C ADD ESP,0C
;author's working notes on the transformed string, split into fields:
;"0 11 11 00 00 M4JV10H8MYYXXXXX64C4D"
;position 0 1 2 3 4
;01111 0000M 4JV10 H8MYY XXXXX 64C4D
;^ minimum is "G"=47h
;H8G80-BBBBB-CCQ2L-23XL6-O2323-3434I
; ^ must be at least "I"=49h: 49h-2=47h, 47h-46h=1h
; 2323 lets positions 3 and 4 pass
;the activation code H8G80-BBBBB-CCQ2L-23XL6-O2323-3434I yields the check value "078048"
;078=2*36+6 "26"
;048=1*36+12 "1C"
;"261C" with 4 added to each character code is "605G"; reversed, "G506"
;giving the activation code "G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
;but the program reports "无法激活产品,请检查是否有此科目的激活码" (the product cannot be activated; check whether there is an activation code for this subject)
;so there appear to be further checks
0066764D . 66:3946 34 CMP WORD PTR DS:[ESI+34],AX ;first character "0": 30h-46h = FFEAh as a 16-bit word (the author writes EAh), compared with 1 in AX
00667651 . 7C 18 JL SHORT ks.0066766B ;apparently none of these may be taken: the computed value must not be less than 1
00667653 . 66:3946 36 CMP WORD PTR DS:[ESI+36],AX ;[174556]=25h, value of the first "11"
00667657 . 7C 12 JL SHORT ks.0066766B ;the computed value must not be less than 1
00667659 . 66:3946 38 CMP WORD PTR DS:[ESI+38],AX ;[174558]=25h, value of the second "11"
0066765D . 7C 0C JL SHORT ks.0066766B ;the computed value must not be less than 1
0066765F . 66:3946 3A CMP WORD PTR DS:[ESI+3A],AX ;[17455A]=00h, value of the third field "00"
00667663 . 7C 06 JL SHORT ks.0066766B ;the computed value must not be less than 1
00667665 . 66:3946 3C CMP WORD PTR DS:[ESI+3C],AX ;[17455C]=00h, value of the fourth field "00"
00667669 . 7D 07 JGE SHORT ks.00667672 ;this one apparently has to be taken: the computed value must not be less than 1
;any field below 1: result word becomes 0 (otherwise it keeps the initial -1)
0066766B > C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
;push the epilogue address so the tail-jump at 00667699 returns to it
00667672 > 68 A0766600 PUSH ks.006676A0
00667677 . EB 1D JMP SHORT ks.00667696
;00667679-00667695 is not reached by the straight-line flow above; presumably
;the cleanup used when unwinding through the table at 00407430 - confirm
00667679 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0066767C . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00667682 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00667685 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00667688 . 50 PUSH EAX
00667689 . 51 PUSH ECX
0066768A . 6A 02 PUSH 2
0066768C . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00667692 . 83C4 0C ADD ESP,0C
00667695 . C3 RETN
;normal cleanup: free the string copy at [EBP-18] with a tail-jump
00667696 > 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00667699 .- FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0066769F . C3 RETN
;epilogue: store the 16-bit result through [EBP+10], restore the previous
;exception-list head taken from [EBP-10], return 0 in EAX
006676A0 . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
006676A3 . 66:8B45 EC MOV AX,WORD PTR SS:[EBP-14]
006676A7 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
006676AA . 5F POP EDI
006676AB . 66:8902 MOV WORD PTR DS:[EDX],AX
006676AE . 5E POP ESI
006676AF . 33C0 XOR EAX,EAX
006676B1 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
006676B8 . 5B POP EBX
006676B9 . 8BE5 MOV ESP,EBP
006676BB . 5D POP EBP
006676BC . C2 0C00 RETN 0C
;overflow exit for the SUB AX,46 check at 006674A2
006676BF > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
006676C5 . 90 NOP
006676C6 . 90 NOP
006676C7 . 90 NOP
-------------------------------------------------------------------------------
▲文件:0-6793B0.txt
-------------------------------------------------------------------------------
;-------------------------------------------------------------------------------
; ks.006793B0 - appears to be the activation-key check (VB5 native code,
; OllyDbg listing, Intel operand order).
; Convention: stdcall, four dword stack arguments (RETN 10 at 00679870).
;   [EBP+8]  not referenced here (presumably the VB object instance - confirm)
;   [EBP+C]  passed to the vtable+30 call; its low word is later compared
;            with the word that the vtable+20 call stores at [EBP-2C]
;   [EBP+10] string argument, copied into the local at [EBP-1C]
;   [EBP+14] pointer that receives the 16-bit result
; Result:  the word at [EBP-28] is stored through [EBP+14]. It is zeroed at
;          entry and set to -1 only at 0067963A. EAX is returned as 0.
; Locals:  [EBP-C8] 16-bit out-flag reused by every method call;
;          [EBP-34], [EBP-38], [EBP-14] object references, each created on
;          first use with __vbaNew2.
; NOTE(review): every decision below is a comparison of a flag computed on
; the local machine, and the accepted state is stored locally (see the
; author's note at 006795FA). A check that has to resist tampering would
; verify a signed licence or ask a server - nothing of that kind is visible
; in this routine.
;-------------------------------------------------------------------------------
; Frame setup and SEH registration: the handler is pushed at [EBP-C] and the
; previous FS:[0] value is saved at [EBP-10].
006793B0 > \55 PUSH EBP
006793B1 . 8BEC MOV EBP,ESP
006793B3 . 83EC 08 SUB ESP,8
006793B6 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
006793BB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
006793C1 . 50 PUSH EAX
006793C2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
006793C9 . 81EC D0000000 SUB ESP,0D0
006793CF . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
006793D2 . 53 PUSH EBX
006793D3 . 56 PUSH ESI
006793D4 . 57 PUSH EDI
; EBX = 0 and stays 0 until it is reloaded at 006795B2; it zeroes the locals
; below and serves as the zero operand of the CMP instructions that follow.
006793D5 . 33DB XOR EBX,EBX
006793D7 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
006793DA . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
006793DD . C745 FC 487F4>MOV DWORD PTR SS:[EBP-4],ks.00407F48
006793E4 . 895D EC MOV DWORD PTR SS:[EBP-14],EBX
006793E7 . 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
006793EA . 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
006793ED . 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
006793F0 . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
006793F3 . 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
006793F6 . 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
006793F9 . 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
006793FC . 895D CC MOV DWORD PTR SS:[EBP-34],EBX
006793FF . 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00679402 . 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
00679405 . 895D C0 MOV DWORD PTR SS:[EBP-40],EBX
00679408 . 895D BC MOV DWORD PTR SS:[EBP-44],EBX
0067940B . 895D AC MOV DWORD PTR SS:[EBP-54],EBX
0067940E . 895D 9C MOV DWORD PTR SS:[EBP-64],EBX
00679411 . 895D 8C MOV DWORD PTR SS:[EBP-74],EBX
00679414 . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
0067941A . 899D 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EBX
00679420 . 899D 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EBX
00679426 . 899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
; [EBP-1C] = copy of the string argument (ECX = destination set at 006793D7,
; EDX = source loaded at 006793CF).
0067942C . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
; Step 1: object at [EBP-34] (created from ks.004092D0 when still null),
; method at vtable+30, called as (this, [EBP-1C], [EBP+C], &[EBP-C8]).
00679432 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00679435 . 3BC3 CMP EAX,EBX
00679437 . 75 12 JNZ SHORT ks.0067944B
00679439 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0067943C . 50 PUSH EAX
0067943D . 68 D0924000 PUSH ks.004092D0
00679442 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
00679448 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0067944B > 8B08 MOV ECX,DWORD PTR DS:[EAX]
0067944D . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
00679453 . 52 PUSH EDX
00679454 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00679457 . 52 PUSH EDX
00679458 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0067945B . 52 PUSH EDX
0067945C . 50 PUSH EAX
0067945D . 8BF0 MOV ESI,EAX
0067945F . FF51 30 CALL DWORD PTR DS:[ECX+30]
; A negative EAX (failed HRESULT) is handed to __vbaHresultCheckObj; the
; pushed constant 30 matches the vtable offset just called. Either way EDI
; ends up holding the __vbaHresultCheckObj pointer for the later checks.
00679462 . 3BC3 CMP EAX,EBX
00679464 . 7D 13 JGE SHORT ks.00679479
00679466 . 8B3D 40B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
0067946C . 6A 30 PUSH 30
0067946E . 68 C4E94100 PUSH ks.0041E9C4
00679473 . 56 PUSH ESI
00679474 . 50 PUSH EAX
00679475 . FFD7 CALL EDI ; <&MSVBVM50.__vbaHresultCheckObj>
00679477 . EB 06 JMP SHORT ks.0067947F
00679479 > 8B3D 40B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaHr>; MSVBVM50.__vbaHresultCheckObj
; A non-zero out-flag from step 1 leads to the message box at 00679765
; (string "KeyIs used!zzh").
0067947F > 66:399D 38FFF>CMP WORD PTR SS:[EBP-C8],BX
00679486 . 0F85 D9020000 JNZ ks.00679765
; Step 2: object at [EBP-38] (class ks.00408CF8), method at vtable+1C,
; called as (this, &[EBP-3C]); the string it returns lands in [EBP-3C].
0067948C . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0067948F . 3BC3 CMP EAX,EBX
00679491 . 75 12 JNZ SHORT ks.006794A5
00679493 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00679496 . 50 PUSH EAX
00679497 . 68 F88C4000 PUSH ks.00408CF8
0067949C . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
006794A2 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
006794A5 > 8B08 MOV ECX,DWORD PTR DS:[EAX]
006794A7 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
006794AA . 52 PUSH EDX
006794AB . 50 PUSH EAX
006794AC . 8BF0 MOV ESI,EAX
006794AE . FF51 1C CALL DWORD PTR DS:[ECX+1C]
; Author's note: a very complex CALL; it seems to fetch the hard-disk serial
; number, does other things, and also seems to compare the contents of msjet.ini.
006794B1 . 3BC3 CMP EAX,EBX
006794B3 . 7D 0B JGE SHORT ks.006794C0
006794B5 . 6A 1C PUSH 1C
006794B7 . 68 D4874200 PUSH ks.004287D4
006794BC . 56 PUSH ESI
006794BD . 50 PUSH EAX
006794BE . FFD7 CALL EDI
; Step 3: object at [EBP-14] (class ks.00408B74), method at vtable+1C,
; called as (this, [EBP-3C], [EBP-1C], &[EBP-C8]) - the string from step 2
; together with the copied string argument.
006794C0 > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
006794C3 . 3BC3 CMP EAX,EBX
006794C5 . 75 12 JNZ SHORT ks.006794D9
006794C7 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
006794CA . 50 PUSH EAX
006794CB . 68 748B4000 PUSH ks.00408B74
006794D0 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
006794D6 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
006794D9 > 8B08 MOV ECX,DWORD PTR DS:[EAX]
006794DB . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
006794E1 . 52 PUSH EDX
006794E2 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
006794E5 . 52 PUSH EDX
006794E6 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
006794E9 . 52 PUSH EDX
006794EA . 50 PUSH EAX
006794EB . 8BF0 MOV ESI,EAX
006794ED . FF51 1C CALL DWORD PTR DS:[ECX+1C]
; Author's note: this CALL reaches the part that computes the checksum and compares it.
006794F0 . 3BC3 CMP EAX,EBX
006794F2 . 7D 0B JGE SHORT ks.006794FF
006794F4 . 6A 1C PUSH 1C
006794F6 . 68 00874200 PUSH ks.00428700
006794FB . 56 PUSH ESI
006794FC . 50 PUSH EAX
006794FD . FFD7 CALL EDI
; ESI = -1 when the out-flag equals 0FFFF (VB True), else 0. The temporary
; string at [EBP-3C] is freed before the flag is tested; a zero flag goes to
; the message box at 006796D8 (string "ActKeyError.zzh").
006794FF > 33C0 XOR EAX,EAX
00679501 . 66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679509 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0067950C . 0F94C0 SETE AL
0067950F . F7D8 NEG EAX
00679511 . 8BF0 MOV ESI,EAX
00679513 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00679519 . 66:3BF3 CMP SI,BX
0067951C . 0F84 B6010000 JE ks.006796D8 ; no jmp
; Step 4: same object ([EBP-14]), method at vtable+20, called with six
; out-pointers: (this, &[EBP-2C], &[EBP-24], &[EBP-18], &[EBP-30], &[EBP-20],
; &[EBP-C8]). What each output means is not visible here.
00679522 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00679525 . 3BC3 CMP EAX,EBX
00679527 . 75 12 JNZ SHORT ks.0067953B
00679529 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0067952C . 51 PUSH ECX
0067952D . 68 748B4000 PUSH ks.00408B74
00679532 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
00679538 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0067953B > 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
00679541 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
00679543 . 51 PUSH ECX
00679544 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00679547 . 51 PUSH ECX
00679548 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0067954B . 51 PUSH ECX
0067954C . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0067954F . 51 PUSH ECX
00679550 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00679553 . 51 PUSH ECX
00679554 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00679557 . 51 PUSH ECX
00679558 . 50 PUSH EAX
00679559 . 8BF0 MOV ESI,EAX
0067955B . FF52 20 CALL DWORD PTR DS:[EDX+20]
0067955E . 3BC3 CMP EAX,EBX
00679560 . 7D 0B JGE SHORT ks.0067956D
00679562 . 6A 20 PUSH 20
00679564 . 68 00874200 PUSH ks.00428700
00679569 . 56 PUSH ESI
0067956A . 50 PUSH EAX
0067956B . FFD7 CALL EDI
; If the out-flag is not 0FFFF the routine leaves through 006797F8 without a
; message box and the result stays 0.
0067956D > 66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 . 0F85 7D020000 JNZ ks.006797F8
; Low word of [EBP+C] must equal the word step 4 stored at [EBP-2C];
; otherwise the message box at 0067964B is shown.
0067957B . 66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F . 66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 . 0F85 C2000000 JNZ ks.0067964B ; no jmp
; Accepted path: take the current date as a Variant in [EBP-54].
00679589 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0067958C . 50 PUSH EAX
0067958D . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
00679593 . 8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
00679596 . 3BFB CMP EDI,EBX
00679598 . 75 12 JNZ SHORT ks.006795AC
0067959A . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0067959D . 51 PUSH ECX
0067959E . 68 D0924000 PUSH ks.004092D0
006795A3 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
006795A9 . 8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
; Build the argument list for the vtable+28 method of the [EBP-34] object.
; EBX now holds that object's vtable pointer, so it is no longer zero.
; Assuming each runtime helper pops its own single argument, the call at
; 006795FA receives (this, Str([EBP-20]), Str([EBP-30]), date string,
; [EBP-2C], [EBP-1C], &[EBP-C8]) - TODO confirm the count.
006795AC > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
006795AF . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
006795B2 . 8B1F MOV EBX,DWORD PTR DS:[EDI]
006795B4 . 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]
006795BA . 52 PUSH EDX
006795BB . 50 PUSH EAX
006795BC . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
006795BF . 51 PUSH ECX
006795C0 . 52 PUSH EDX
006795C1 . FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>; MSVBVM50.__vbaStrErrVarCopy
006795C7 . 8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
006795CD . 8BD0 MOV EDX,EAX
006795CF . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
006795D2 . FFD6 CALL ESI ; <&MSVBVM50.__vbaStrMove>
006795D4 . 50 PUSH EAX
006795D5 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
006795D8 . 50 PUSH EAX
006795D9 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
006795DF . 8BD0 MOV EDX,EAX
006795E1 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
006795E4 . FFD6 CALL ESI
006795E6 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
006795E9 . 50 PUSH EAX
006795EA . 51 PUSH ECX
006795EB . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
006795F1 . 8BD0 MOV EDX,EAX
006795F3 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
006795F6 . FFD6 CALL ESI
006795F8 . 50 PUSH EAX
006795F9 . 57 PUSH EDI
006795FA . FF53 28 CALL DWORD PTR DS:[EBX+28] ; author's note: writes to the registry and the INI file
; Only the HRESULT of the write is checked; the out-flag at [EBP-C8] is not
; examined before the result is set to -1 below.
006795FD . 85C0 TEST EAX,EAX
006795FF . 7D 0F JGE SHORT ks.00679610
00679601 . 6A 28 PUSH 28
00679603 . 68 C4E94100 PUSH ks.0041E9C4
00679608 . 57 PUSH EDI
00679609 . 50 PUSH EAX
0067960A . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
; Release the three temporary strings, then the date Variant (both entries
; handed to __vbaFreeVarList are the same address, [EBP-54]).
00679610 > 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00679613 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00679616 . 52 PUSH EDX
00679617 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0067961A . 50 PUSH EAX
0067961B . 51 PUSH ECX
0067961C . 6A 03 PUSH 3
0067961E . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00679624 . 83C4 10 ADD ESP,10
00679627 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0067962A . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0067962D . 52 PUSH EDX
0067962E . 50 PUSH EAX
0067962F . 6A 02 PUSH 2
00679631 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00679637 . 83C4 0C ADD ESP,0C
; Result = -1 (VB True); this is the only place it is set. The pushed address
; is where the common cleanup at 00679835 finally returns to.
0067963A . C745 D8 FFFFF>MOV DWORD PTR SS:[EBP-28],-1
00679641 . 68 54986700 PUSH ks.00679854
00679646 . E9 EA010000 JMP ks.00679835
; Message box 1 of 3 (word mismatch from 00679583). Two string Variants
; (type 8) are built at [EBP-A4] and [EBP-94] and duplicated into [EBP-64]
; and [EBP-54]; the Variants at [EBP-74] and [EBP-84] carry type 0A with the
; value 80020004, the marker for an omitted optional argument. rtcMsgBox is
; called as (&[EBP-54], 30, &[EBP-64], &[EBP-74], &[EBP-84]); 30 hex is the
; exclamation-icon style. The string ks.00428E7C, shared by all three boxes,
; sits in the third slot - presumably the title. The text at ks.00429280 is
; not shown in the listing.
0067964B > 8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
00679651 . B9 04000280 MOV ECX,80020004
00679656 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
00679659 . B8 0A000000 MOV EAX,0A
0067965E . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
00679661 . BE 08000000 MOV ESI,8
00679666 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0067966C . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0067966F . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00679675 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00679678 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
00679682 . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00679688 . FFD7 CALL EDI ; <&MSVBVM50.__vbaVarDup>
0067968A . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00679690 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00679693 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.00429280
0067969D . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
006796A3 . FFD7 CALL EDI
006796A5 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
006796AB . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
006796AE . 51 PUSH ECX
006796AF . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
006796B2 . 52 PUSH EDX
006796B3 . 50 PUSH EAX
006796B4 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
006796B7 . 6A 30 PUSH 30
006796B9 . 51 PUSH ECX
006796BA . FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
; Queue the four Variants for release and join the shared tail at 006797ED.
006796C0 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
006796C6 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
006796C9 . 52 PUSH EDX
006796CA . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
006796CD . 50 PUSH EAX
006796CE . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
006796D1 . 51 PUSH ECX
006796D2 . 52 PUSH EDX
006796D3 . E9 15010000 JMP ks.006797ED
; Message box 2 of 3 (step 3 flag was not True, from 0067951C): same
; construction as at 0067964B, with the text "ActKeyError.zzh".
006796D8 > 8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
006796DE . B9 04000280 MOV ECX,80020004
006796E3 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
006796E6 . B8 0A000000 MOV EAX,0A
006796EB . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
006796EE . BE 08000000 MOV ESI,8
006796F3 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
006796F9 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
006796FC . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00679702 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00679705 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
0067970F . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00679715 . FFD7 CALL EDI ; <&MSVBVM50.__vbaVarDup>
00679717 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
0067971D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00679720 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.004292B0 ; UNICODE "ActKeyError.zzh"
0067972A . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
00679730 . FFD7 CALL EDI
00679732 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00679738 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0067973B . 50 PUSH EAX
0067973C . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
0067973F . 51 PUSH ECX
00679740 . 52 PUSH EDX
00679741 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
00679744 . 6A 30 PUSH 30
00679746 . 50 PUSH EAX
00679747 . FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
0067974D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00679753 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00679756 . 51 PUSH ECX
00679757 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0067975A . 52 PUSH EDX
0067975B . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0067975E . 50 PUSH EAX
0067975F . 51 PUSH ECX
00679760 . E9 88000000 JMP ks.006797ED
; Message box 3 of 3 (step 1 flag was non-zero, from 00679486): same
; construction, with the text "KeyIs used!zzh"; falls through to 006797ED.
00679765 > 8B3D 8CB66800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
0067976B . B9 04000280 MOV ECX,80020004
00679770 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
00679773 . B8 0A000000 MOV EAX,0A
00679778 . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
0067977B . BE 08000000 MOV ESI,8
00679780 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00679786 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
00679789 . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0067978F . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
00679792 . C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],ks.00428E7C
0067979C . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
006797A2 . FFD7 CALL EDI ; <&MSVBVM50.__vbaVarDup>
006797A4 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
006797AA . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
006797AD . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],ks.004292DC ; UNICODE "KeyIs used!zzh"
006797B7 . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
006797BD . FFD7 CALL EDI
006797BF . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
006797C5 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
006797C8 . 52 PUSH EDX
006797C9 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
006797CC . 50 PUSH EAX
006797CD . 51 PUSH ECX
006797CE . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
006797D1 . 6A 30 PUSH 30
006797D3 . 52 PUSH EDX
006797D4 . FF15 7CB46800 CALL DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
006797DA . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
006797E0 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
006797E3 . 50 PUSH EAX
006797E4 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
006797E7 . 51 PUSH ECX
006797E8 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
006797EB . 52 PUSH EDX
006797EC . 50 PUSH EAX
; Shared tail of the three message-box paths: free the four Variants pushed
; by the caller path (count 4 plus four pointers = 14 hex bytes removed).
006797ED > 6A 04 PUSH 4
006797EF . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
006797F5 . 83C4 14 ADD ESP,14
; Rejected exit: push the epilogue address and run the common cleanup; the
; result word is still 0 on this path.
006797F8 > 68 54986700 PUSH ks.00679854
006797FD . EB 36 JMP SHORT ks.00679835
; 006797FF-00679834 is not the target of any jump in this listing;
; presumably it is the cleanup the VB exception handler runs on unwind - confirm.
006797FF . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00679802 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00679805 . 51 PUSH ECX
00679806 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00679809 . 52 PUSH EDX
0067980A . 50 PUSH EAX
0067980B . 6A 03 PUSH 3
0067980D . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00679813 . 83C4 10 ADD ESP,10
00679816 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0067981C . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
0067981F . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00679822 . 51 PUSH ECX
00679823 . 52 PUSH EDX
00679824 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00679827 . 50 PUSH EAX
00679828 . 51 PUSH ECX
00679829 . 6A 04 PUSH 4
0067982B . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
00679831 . 83C4 14 ADD ESP,14
00679834 . C3 RETN
; Common cleanup: release the object at [EBP-14], the string copy at
; [EBP-1C], then the objects at [EBP-34] and [EBP-38]. The last release is a
; tail jump, so __vbaFreeObj returns to the address pushed before entry
; (ks.00679854).
00679835 > 8B35 14B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0067983B . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0067983E . FFD6 CALL ESI ; <&MSVBVM50.__vbaFreeObj>
00679840 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00679843 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00679849 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0067984C . FFD6 CALL ESI
0067984E . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00679851 . FFE6 JMP ESI
00679853 . C3 RETN
; Epilogue: store the 16-bit result through [EBP+14], restore the previous
; SEH record from [EBP-10], return 0 in EAX and drop the four arguments.
00679854 . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
00679857 . 66:8B45 D8 MOV AX,WORD PTR SS:[EBP-28]
0067985B . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0067985E . 5F POP EDI
0067985F . 66:8902 MOV WORD PTR DS:[EDX],AX
00679862 . 5E POP ESI
00679863 . 33C0 XOR EAX,EAX
00679865 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0067986C . 5B POP EBX
0067986D . 8BE5 MOV ESP,EBP
0067986F . 5D POP EBP
00679870 . C2 1000 RETN 10
-------------------------------------------------------------------------------
▲文件:0-66A9A0.txt
-------------------------------------------------------------------------------
0066A9A0 > \55 PUSH EBP
0066A9A1 . 8BEC MOV EBP,ESP
0066A9A3 . 83EC 14 SUB ESP,14
0066A9A6 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066A9AB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0066A9B1 . 50 PUSH EAX
0066A9B2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0066A9B9 . 81EC F8000000 SUB ESP,0F8
0066A9BF . 53 PUSH EBX
0066A9C0 . 56 PUSH ESI
0066A9C1 . 57 PUSH EDI
0066A9C2 . 8965 EC MOV DWORD PTR SS:[EBP-14],ESP
0066A9C5 . C745 F0 F0764>MOV DWORD PTR SS:[EBP-10],ks.004076F0
0066A9CC . 33DB XOR EBX,EBX
0066A9CE . 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0066A9D1 . 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
0066A9D4 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
0066A9D7 . 8B37 MOV ESI,DWORD PTR DS:[EDI]
0066A9D9 . 57 PUSH EDI
0066A9DA . FF56 04 CALL DWORD PTR DS:[ESI+4]
0066A9DD . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
0066A9E0 . 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
0066A9E3 . 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
0066A9E6 . 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
0066A9E9 . 895D CC MOV DWORD PTR SS:[EBP-34],EBX
0066A9EC . 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
0066A9EF . 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
0066A9F2 . 895D C0 MOV DWORD PTR SS:[EBP-40],EBX
0066A9F5 . 895D BC MOV DWORD PTR SS:[EBP-44],EBX
0066A9F8 . 895D B8 MOV DWORD PTR SS:[EBP-48],EBX
0066A9FB . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
0066A9FE . 895D AC MOV DWORD PTR SS:[EBP-54],EBX
0066AA01 . 895D 90 MOV DWORD PTR SS:[EBP-70],EBX
0066AA04 . 895D 88 MOV DWORD PTR SS:[EBP-78],EBX
0066AA07 . 895D 84 MOV DWORD PTR SS:[EBP-7C],EBX
0066AA0A . 895D 80 MOV DWORD PTR SS:[EBP-80],EBX
0066AA0D . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
0066AA13 . 899D 78FFFFFF MOV DWORD PTR SS:[EBP-88],EBX
0066AA19 . 899D 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EBX
0066AA1F . 899D 70FFFFFF MOV DWORD PTR SS:[EBP-90],EBX
0066AA25 . 899D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EBX
0066AA2B . 899D 50FFFFFF MOV DWORD PTR SS:[EBP-B0],EBX
0066AA31 . 899D 40FFFFFF MOV DWORD PTR SS:[EBP-C0],EBX
0066AA37 . 899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EBX
0066AA3D . 899D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EBX
0066AA43 . 68 3C894200 PUSH ks.0042893C
0066AA48 . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0066AA4B . 50 PUSH EAX
0066AA4C . FF15 48B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryCo>; MSVBVM50.__vbaAryConstruct
0066AA52 . C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066AA59 . 6A 01 PUSH 1
0066AA5B . FF15 84B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>; MSVBVM50.__vbaOnError
0066AA61 . BA 64874200 MOV EDX,ks.00428764 ; UNICODE "userflag"
0066AA66 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AA69 . 8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCopy
0066AA6F . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrCopy>
0066AA71 . 8B4E 40 MOV ECX,DWORD PTR DS:[ESI+40]
0066AA74 . 898D FCFEFFFF MOV DWORD PTR SS:[EBP-104],ECX
0066AA7A . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066AA7D . 52 PUSH EDX
0066AA7E . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066AA81 . 50 PUSH EAX
0066AA82 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
0066AA85 . 51 PUSH ECX
0066AA86 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AA8C . 8BD0 MOV EDX,EAX
0066AA8E . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AA91 . 8B35 C8B66800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0066AA97 . FFD6 CALL ESI ; <&MSVBVM50.__vbaStrMove>
0066AA99 . 50 PUSH EAX
0066AA9A . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AA9F . 68 02000080 PUSH 80000002
0066AAA4 . 57 PUSH EDI
0066AAA5 . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AAAB . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066AAAE . C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AAB5 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066AAB8 . FFD6 CALL ESI
0066AABA . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066AABD . 52 PUSH EDX
0066AABE . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066AAC1 . 50 PUSH EAX
0066AAC2 . 6A 02 PUSH 2
0066AAC4 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AACA . 83C4 0C ADD ESP,0C
0066AACD . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0066AAD0 . 51 PUSH ECX
0066AAD1 . 68 A4B44100 PUSH ks.0041B4A4
0066AAD6 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AADC . 85C0 TEST EAX,EAX
0066AADE . 0F85 B2000000 JNZ ks.0066AB96
0066AAE4 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066AAE7 . 52 PUSH EDX
0066AAE8 . 57 PUSH EDI
0066AAE9 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AAEB . FF50 50 CALL DWORD PTR DS:[EAX+50]
0066AAEE . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],5
0066AAF8 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AAFE . 50 PUSH EAX
0066AAFF . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AB05 . 51 PUSH ECX
0066AB06 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AB09 . 52 PUSH EDX
0066AB0A . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066AB0F . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AB15 . 8BD0 MOV EDX,EAX
0066AB17 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB1A . FFD6 CALL ESI
0066AB1C . 50 PUSH EAX
0066AB1D . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066AB20 . 50 PUSH EAX
0066AB21 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AB27 . 8BD0 MOV EDX,EAX
0066AB29 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AB2C . FFD6 CALL ESI
0066AB2E . 50 PUSH EAX
0066AB2F . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AB35 . 8BD0 MOV EDX,EAX
0066AB37 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AB3D . FFD6 CALL ESI
0066AB3F . 50 PUSH EAX
0066AB40 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066AB45 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AB4B . 8BD0 MOV EDX,EAX
0066AB4D . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB53 . FFD6 CALL ESI
0066AB55 . 50 PUSH EAX
0066AB56 . 57 PUSH EDI
0066AB57 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AB59 . FF50 4C CALL DWORD PTR DS:[EAX+4C]
0066AB5C . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066AB62 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066AB6C . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066AB6F . FFD6 CALL ESI
0066AB71 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066AB77 . 51 PUSH ECX
0066AB78 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066AB7E . 52 PUSH EDX
0066AB7F . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066AB82 . 50 PUSH EAX
0066AB83 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AB86 . 51 PUSH ECX
0066AB87 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066AB8A . 52 PUSH EDX
0066AB8B . 6A 05 PUSH 5
0066AB8D . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AB93 . 83C4 18 ADD ESP,18
0066AB96 > 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AB98 . 8B40 60 MOV EAX,DWORD PTR DS:[EAX+60]
0066AB9B . 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0066ABA1 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066ABA4 . 51 PUSH ECX
0066ABA5 . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
0066ABA8 . 52 PUSH EDX
0066ABA9 . 57 PUSH EDI
0066ABAA . FFD0 CALL EAX
0066ABAC . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066ABAF . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066ABB6 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066ABB9 . FFD6 CALL ESI
0066ABBB . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0066ABBE . 50 PUSH EAX
0066ABBF . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0066ABC5 . FF15 CCB46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>; MSVBVM50.__vbaFpR8
0066ABCB . DC1D 18774000 FCOMP QWORD PTR DS:[407718]
0066ABD1 . DFE0 FSTSW AX
0066ABD3 . F6C4 40 TEST AH,40
0066ABD6 . 0F84 C4080000 JE ks.0066B4A0
0066ABDC . BA B0874200 MOV EDX,ks.004287B0 ; UNICODE "userinfo"
0066ABE1 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066ABE4 . FFD3 CALL EBX
0066ABE6 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066ABE9 . 51 PUSH ECX
0066ABEA . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066ABED . 52 PUSH EDX
0066ABEE . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066ABF1 . 50 PUSH EAX
0066ABF2 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066ABF8 . 8BD0 MOV EDX,EAX
0066ABFA . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066ABFD . FFD6 CALL ESI
0066ABFF . 50 PUSH EAX
0066AC00 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AC05 . 68 02000080 PUSH 80000002
0066AC0A . 57 PUSH EDI
0066AC0B . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AC11 . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066AC14 . C745 80 00000>MOV DWORD PTR SS:[EBP-80],0
0066AC1B . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0066AC1E . FFD6 CALL ESI
0066AC20 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC23 . 51 PUSH ECX
0066AC24 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066AC27 . 52 PUSH EDX
0066AC28 . 6A 02 PUSH 2
0066AC2A . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AC30 . 83C4 0C ADD ESP,0C
0066AC33 . 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
0066AC36 . 50 PUSH EAX
0066AC37 . 68 A4B44100 PUSH ks.0041B4A4
0066AC3C . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AC42 . 85C0 TEST EAX,EAX
0066AC44 . 0F85 D1000000 JNZ ks.0066AD1B
0066AC4A . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AC4D . 51 PUSH ECX
0066AC4E . 57 PUSH EDI
0066AC4F . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AC51 . FF50 50 CALL DWORD PTR DS:[EAX+50]
0066AC54 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4
0066AC5E . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066AC64 . 52 PUSH EDX
0066AC65 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066AC6B . 50 PUSH EAX
0066AC6C . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066AC6F . 51 PUSH ECX
0066AC70 . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066AC75 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AC7B . 8BD0 MOV EDX,EAX
0066AC7D . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AC80 . FFD6 CALL ESI
0066AC82 . 50 PUSH EAX
0066AC83 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066AC86 . 52 PUSH EDX
0066AC87 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AC8D . 8BD0 MOV EDX,EAX
0066AC8F . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AC92 . FFD6 CALL ESI
0066AC94 . 50 PUSH EAX
0066AC95 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AC9B . 8BD0 MOV EDX,EAX
0066AC9D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACA3 . FFD6 CALL ESI
0066ACA5 . 50 PUSH EAX
0066ACA6 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066ACAB . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066ACB1 . 8BD0 MOV EDX,EAX
0066ACB3 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066ACB9 . FFD6 CALL ESI
0066ACBB . 50 PUSH EAX
0066ACBC . 57 PUSH EDI
0066ACBD . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066ACBF . FF50 4C CALL DWORD PTR DS:[EAX+4C]
0066ACC2 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066ACC8 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],0
0066ACD2 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0066ACD5 . FFD6 CALL ESI
0066ACD7 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066ACDD . 50 PUSH EAX
0066ACDE . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066ACE4 . 51 PUSH ECX
0066ACE5 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066ACE8 . 52 PUSH EDX
0066ACE9 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066ACEC . 50 PUSH EAX
0066ACED . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066ACF0 . 51 PUSH ECX
0066ACF1 . 6A 05 PUSH 5
0066ACF3 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066ACF9 . 83C4 18 ADD ESP,18
0066ACFC . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
0066ACFF . 52 PUSH EDX
0066AD00 . 68 A4B44100 PUSH ks.0041B4A4
0066AD05 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AD0B . 85C0 TEST EAX,EAX
0066AD0D . 75 0C JNZ SHORT ks.0066AD1B
0066AD0F . C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AD16 . E9 B2070000 JMP ks.0066B4CD
0066AD1B > 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AD1D . 8B40 68 MOV EAX,DWORD PTR DS:[EAX+68]
0066AD20 . 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0066AD26 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD2C . 51 PUSH ECX
0066AD2D . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0066AD30 . 52 PUSH EDX
0066AD31 . 57 PUSH EDI
0066AD32 . FFD0 CALL EAX
0066AD34 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066AD3A . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066AD40 . 68 3C044200 PUSH ks.0042043C
0066AD45 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0066AD48 . 50 PUSH EAX
0066AD49 . 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54]
0066AD4C . 51 PUSH ECX
0066AD4D . 57 PUSH EDI
0066AD4E . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AD50 . FF50 64 CALL DWORD PTR DS:[EAX+64]
0066AD53 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0066AD56 . 85C0 TEST EAX,EAX
0066AD58 . 74 31 JE SHORT ks.0066AD8B
0066AD5A . 66:8338 01 CMP WORD PTR DS:[EAX],1
0066AD5E . 75 2B JNZ SHORT ks.0066AD8B
0066AD60 . 50 PUSH EAX
0066AD61 . 6A 01 PUSH 1
0066AD63 . FF15 D8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaUboun>; MSVBVM50.__vbaUbound
0066AD69 . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
0066AD6C . 2B41 14 SUB EAX,DWORD PTR DS:[ECX+14]
0066AD6F . 8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AD75 . 3B41 10 CMP EAX,DWORD PTR DS:[ECX+10]
0066AD78 . 72 0C JB SHORT ks.0066AD86
0066AD7A . FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066AD80 . 8B85 34FFFFFF MOV EAX,DWORD PTR SS:[EBP-CC]
0066AD86 > C1E0 02 SHL EAX,2
0066AD89 . EB 06 JMP SHORT ks.0066AD91
0066AD8B > FF15 00B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaGener>; MSVBVM50.__vbaGenerateBoundsError
0066AD91 > 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0066AD94 . 8B4A 0C MOV ECX,DWORD PTR DS:[EDX+C]
0066AD97 . 8B1401 MOV EDX,DWORD PTR DS:[ECX+EAX]
0066AD9A . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066AD9D . FFD3 CALL EBX
0066AD9F . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0066ADA2 . 52 PUSH EDX
0066ADA3 . 68 A4B44100 PUSH ks.0041B4A4
0066ADA8 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066ADAE . 85C0 TEST EAX,EAX
0066ADB0 . 0F84 E1060000 JE ks.0066B497
0066ADB6 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0066ADB9 . 85C0 TEST EAX,EAX
0066ADBB . 75 12 JNZ SHORT ks.0066ADCF
0066ADBD . 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0066ADC0 . 50 PUSH EAX
0066ADC1 . 68 F88C4000 PUSH ks.00408CF8
0066ADC6 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0066ADCC . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0066ADCF > 8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066ADD5 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066ADD7 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066ADDA . 52 PUSH EDX
0066ADDB . 50 PUSH EAX
0066ADDC . FF51 1C CALL DWORD PTR DS:[ECX+1C]
0066ADDF . 85C0 TEST EAX,EAX
0066ADE1 . 7D 15 JGE SHORT ks.0066ADF8
0066ADE3 . 6A 1C PUSH 1C
0066ADE5 . 68 D4874200 PUSH ks.004287D4
0066ADEA . 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066ADF0 . 51 PUSH ECX
0066ADF1 . 50 PUSH EAX
0066ADF2 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066ADF8 > 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066ADFB . 85C0 TEST EAX,EAX
0066ADFD . 75 12 JNZ SHORT ks.0066AE11
0066ADFF . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
0066AE02 . 52 PUSH EDX
0066AE03 . 68 748B4000 PUSH ks.00408B74
0066AE08 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0066AE0E . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE11 > 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066AE17 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066AE19 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE1F . 52 PUSH EDX
0066AE20 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0066AE23 . 52 PUSH EDX
0066AE24 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AE27 . 52 PUSH EDX
0066AE28 . 50 PUSH EAX
0066AE29 . FF51 1C CALL DWORD PTR DS:[ECX+1C] ; 16e084出现004223
0066AE2C . 85C0 TEST EAX,EAX
0066AE2E . 7D 15 JGE SHORT ks.0066AE45
0066AE30 . 6A 1C PUSH 1C
0066AE32 . 68 00874200 PUSH ks.00428700
0066AE37 . 8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
0066AE3D . 51 PUSH ECX
0066AE3E . 50 PUSH EAX
0066AE3F . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066AE45 > 33D2 XOR EDX,EDX
0066AE47 . 66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AE4F . 0F94C2 SETE DL
0066AE52 . F7DA NEG EDX
0066AE54 . 8995 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EDX
0066AE5A . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AE5D . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066AE63 . 66:83BD 24FFF>CMP WORD PTR SS:[EBP-DC],0
0066AE6B . 0F84 1D060000 JE ks.0066B48E
0066AE71 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE74 . 85C0 TEST EAX,EAX
0066AE76 . 75 12 JNZ SHORT ks.0066AE8A
0066AE78 . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0066AE7B . 50 PUSH EAX
0066AE7C . 68 748B4000 PUSH ks.00408B74
0066AE81 . FF15 18B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>; MSVBVM50.__vbaNew2
0066AE87 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066AE8A > 8985 34FFFFFF MOV DWORD PTR SS:[EBP-CC],EAX
0066AE90 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066AE92 . 8D95 3CFFFFFF LEA EDX,DWORD PTR SS:[EBP-C4]
0066AE98 . 52 PUSH EDX
0066AE99 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0066AE9C . 52 PUSH EDX
0066AE9D . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
0066AEA0 . 52 PUSH EDX
0066AEA1 . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
0066AEA4 . 52 PUSH EDX
0066AEA5 . 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
0066AEA8 . 52 PUSH EDX
0066AEA9 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0066AEAC . 52 PUSH EDX
0066AEAD . 50 PUSH EAX
0066AEAE . FF51 20 CALL DWORD PTR DS:[ECX+20]
0066AEB1 . 85C0 TEST EAX,EAX
0066AEB3 . 7D 15 JGE SHORT ks.0066AECA
0066AEB5 . 6A 20 PUSH 20
0066AEB7 . 68 00874200 PUSH ks.00428700
0066AEBC . 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:[EBP-CC]
0066AEC2 . 51 PUSH ECX
0066AEC3 . 50 PUSH EAX
0066AEC4 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066AECA > 66:83BD 3CFFF>CMP WORD PTR SS:[EBP-C4],0FFFF
0066AED2 . 0F85 B6050000 JNZ ks.0066B48E
0066AED8 . 66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . 66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . 74 0C JE SHORT ks.0066AEEE
0066AEE2 . C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . E9 DF050000 JMP ks.0066B4CD
0066AEEE > BA 0C894200 MOV EDX,ks.0042890C ; UNICODE "userinfo1"
0066AEF3 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEF6 . FFD3 CALL EBX
0066AEF8 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066AEFB . 50 PUSH EAX
0066AEFC . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AEFF . 51 PUSH ECX
0066AF00 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066AF03 . 52 PUSH EDX
0066AF04 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AF0A . 8BD0 MOV EDX,EAX
0066AF0C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF0F . FFD6 CALL ESI
0066AF11 . 50 PUSH EAX
0066AF12 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066AF17 . 68 02000080 PUSH 80000002
0066AF1C . 57 PUSH EDI
0066AF1D . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066AF23 . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066AF26 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066AF29 . 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0066AF2C . FFD3 CALL EBX
0066AF2E . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AF31 . 51 PUSH ECX
0066AF32 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066AF35 . 52 PUSH EDX
0066AF36 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066AF39 . 50 PUSH EAX
0066AF3A . 6A 03 PUSH 3
0066AF3C . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066AF42 . 83C4 10 ADD ESP,10
0066AF45 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF48 . 51 PUSH ECX
0066AF49 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066AF4C . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066AF4F . 50 PUSH EAX
0066AF50 . 57 PUSH EDI
0066AF51 . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108] ;CALL到66c100
0066AF57 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AF5A . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066AF5D . 83C1 04 ADD ECX,4
0066AF60 . FFD3 CALL EBX
0066AF62 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF65 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066AF6B . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066AF6E . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066AF71 . 50 PUSH EAX
0066AF72 . 68 A4B44100 PUSH ks.0041B4A4
0066AF77 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066AF7D . 85C0 TEST EAX,EAX
0066AF7F . 0F84 09050000 JE ks.0066B48E
0066AF85 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AF87 . 8B40 50 MOV EAX,DWORD PTR DS:[EAX+50]
0066AF8A . 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
0066AF90 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066AF93 . 51 PUSH ECX
0066AF94 . 57 PUSH EDI
0066AF95 . FFD0 CALL EAX
0066AF97 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],1
0066AFA1 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066AFA3 . 8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
0066AFA6 . 8995 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EDX
0066AFAC . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066AFB2 . 50 PUSH EAX
0066AFB3 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066AFB9 . 51 PUSH ECX
0066AFBA . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066AFBD . 52 PUSH EDX
0066AFBE . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066AFC3 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AFC9 . 8BD0 MOV EDX,EAX
0066AFCB . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066AFCE . FFD6 CALL ESI
0066AFD0 . 50 PUSH EAX
0066AFD1 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066AFD4 . 50 PUSH EAX
0066AFD5 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066AFDB . 8BD0 MOV EDX,EAX
0066AFDD . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066AFE0 . FFD6 CALL ESI
0066AFE2 . 50 PUSH EAX
0066AFE3 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AFE9 . 8BD0 MOV EDX,EAX
0066AFEB . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066AFF1 . FFD6 CALL ESI
0066AFF3 . 50 PUSH EAX
0066AFF4 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066AFF9 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066AFFF . 8BD0 MOV EDX,EAX
0066B001 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B007 . FFD6 CALL ESI
0066B009 . 50 PUSH EAX
0066B00A . 57 PUSH EDI
0066B00B . FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B011 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B017 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B01A . 83C1 08 ADD ECX,8
0066B01D . FFD3 CALL EBX
0066B01F . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B025 . 52 PUSH EDX
0066B026 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B02C . 50 PUSH EAX
0066B02D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B033 . 51 PUSH ECX
0066B034 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B037 . 52 PUSH EDX
0066B038 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B03B . 50 PUSH EAX
0066B03C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B03F . 51 PUSH ECX
0066B040 . 6A 06 PUSH 6
0066B042 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B048 . 83C4 1C ADD ESP,1C
0066B04B . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B04E . 52 PUSH EDX
0066B04F . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B052 . 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8]
0066B055 . 51 PUSH ECX
0066B056 . 57 PUSH EDI
0066B057 . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B05D . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B060 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B063 . 8D48 08 LEA ECX,DWORD PTR DS:[EAX+8]
0066B066 . FFD3 CALL EBX
0066B068 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B06B . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B071 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B074 . 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
0066B077 . 52 PUSH EDX
0066B078 . 68 A4B44100 PUSH ks.0041B4A4
0066B07D . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B083 . 85C0 TEST EAX,EAX
0066B085 . 0F84 03040000 JE ks.0066B48E
0066B08B . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B08E . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B091 . 51 PUSH ECX
0066B092 . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0066B095 . 52 PUSH EDX
0066B096 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B09C . 85C0 TEST EAX,EAX
0066B09E . 0F85 EA030000 JNZ ks.0066B48E
0066B0A4 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B0A7 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B0AA . 51 PUSH ECX
0066B0AB . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0066B0B1 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
0066B0B7 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
0066B0BA . BA A4B44100 MOV EDX,ks.0041B4A4
0066B0BF . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B0C2 . 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0066B0C5 . FFD3 CALL EBX
0066B0C7 . BA A4B44100 MOV EDX,ks.0041B4A4
0066B0CC . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B0CF . 83C1 08 ADD ECX,8
0066B0D2 . FFD3 CALL EBX
0066B0D4 . BA 24894200 MOV EDX,ks.00428924 ; UNICODE "userinfo2"
0066B0D9 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B0DC . FFD3 CALL EBX
0066B0DE . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B0E1 . 52 PUSH EDX
0066B0E2 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B0E5 . 50 PUSH EAX
0066B0E6 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
0066B0E9 . 51 PUSH ECX
0066B0EA . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066B0F0 . 8BD0 MOV EDX,EAX
0066B0F2 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B0F5 . FFD6 CALL ESI
0066B0F7 . 50 PUSH EAX
0066B0F8 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066B0FD . 68 02000080 PUSH 80000002
0066B102 . 57 PUSH EDI
0066B103 . FF95 FCFEFFFF CALL DWORD PTR SS:[EBP-104]
0066B109 . 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80]
0066B10C . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B10F . 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0066B112 . FFD3 CALL EBX
0066B114 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B117 . 51 PUSH ECX
0066B118 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066B11B . 52 PUSH EDX
0066B11C . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066B11F . 50 PUSH EAX
0066B120 . 6A 03 PUSH 3
0066B122 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B128 . 83C4 10 ADD ESP,10
0066B12B . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B12E . 51 PUSH ECX
0066B12F . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B132 . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066B135 . 50 PUSH EAX
0066B136 . 57 PUSH EDI
0066B137 . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B13D . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B140 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B143 . 83C1 04 ADD ECX,4
0066B146 . FFD3 CALL EBX
0066B148 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B14B . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B151 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B154 . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066B157 . 50 PUSH EAX
0066B158 . 68 A4B44100 PUSH ks.0041B4A4
0066B15D . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B163 . 85C0 TEST EAX,EAX
0066B165 . 0F84 23030000 JE ks.0066B48E
0066B16B . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B16E . 51 PUSH ECX
0066B16F . 57 PUSH EDI
0066B170 . FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B176 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],2
0066B180 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B186 . 52 PUSH EDX
0066B187 . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]
0066B18D . 50 PUSH EAX
0066B18E . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066B191 . 51 PUSH ECX
0066B192 . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066B197 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B19D . 8BD0 MOV EDX,EAX
0066B19F . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B1A2 . FFD6 CALL ESI
0066B1A4 . 50 PUSH EAX
0066B1A5 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066B1A8 . 52 PUSH EDX
0066B1A9 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066B1AF . 8BD0 MOV EDX,EAX
0066B1B1 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B1B4 . FFD6 CALL ESI
0066B1B6 . 50 PUSH EAX
0066B1B7 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B1BD . 8BD0 MOV EDX,EAX
0066B1BF . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B1C5 . FFD6 CALL ESI
0066B1C7 . 50 PUSH EAX
0066B1C8 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
;又是MSJET1.INI
0066B1CD . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B1D3 . 8BD0 MOV EDX,EAX
0066B1D5 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B1DB . FFD6 CALL ESI
0066B1DD . 50 PUSH EAX
0066B1DE . 57 PUSH EDI
0066B1DF . FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B1E5 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B1EB . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B1EE . 8D48 08 LEA ECX,DWORD PTR DS:[EAX+8]
0066B1F1 . FFD3 CALL EBX
0066B1F3 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0066B1F9 . 51 PUSH ECX
0066B1FA . 8D95 78FFFFFF LEA EDX,DWORD PTR SS:[EBP-88]
0066B200 . 52 PUSH EDX
0066B201 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0066B207 . 50 PUSH EAX
0066B208 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B20B . 51 PUSH ECX
0066B20C . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066B20F . 52 PUSH EDX
0066B210 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066B213 . 50 PUSH EAX
0066B214 . 6A 06 PUSH 6
0066B216 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B21C . 83C4 1C ADD ESP,1C
0066B21F . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B222 . 51 PUSH ECX
0066B223 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B226 . 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
0066B229 . 50 PUSH EAX
0066B22A . 57 PUSH EDI
0066B22B . FF95 F8FEFFFF CALL DWORD PTR SS:[EBP-108]
0066B231 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B234 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B237 . 83C1 08 ADD ECX,8
0066B23A . FFD3 CALL EBX
0066B23C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B23F . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B245 . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B248 . 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
0066B24B . 50 PUSH EAX
0066B24C . 68 A4B44100 PUSH ks.0041B4A4
0066B251 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B257 . 85C0 TEST EAX,EAX
0066B259 . 0F84 2F020000 JE ks.0066B48E
0066B25F . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B262 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B265 . 51 PUSH ECX
0066B266 . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0066B269 . 52 PUSH EDX
0066B26A . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B270 . 85C0 TEST EAX,EAX
0066B272 . 0F85 2F020000 JNZ ks.0066B4A7
0066B278 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B27B . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0066B27E . 51 PUSH ECX
0066B27F . FF15 18B76800 CALL DWORD PTR DS:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0066B285 . FF15 98B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpI2>>; MSVBVM50.__vbaFpI2
0066B28B . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0066B28E . 8B4D 8C MOV ECX,DWORD PTR SS:[EBP-74]
0066B291 . 66:85C9 TEST CX,CX
0066B294 . 0F8E EB010000 JLE ks.0066B485
0066B29A . 66:85C0 TEST AX,AX
0066B29D . 0F8E E2010000 JLE ks.0066B485
0066B2A3 . 66:837D 18 FF CMP WORD PTR SS:[EBP+18],0FFFF
0066B2A8 . 0F85 CE010000 JNZ ks.0066B47C
0066B2AE . 66:49 DEC CX
0066B2B0 . 0F80 F7020000 JO ks.0066B5AD
0066B2B6 . 894D 8C MOV DWORD PTR SS:[EBP-74],ECX
0066B2B9 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B2BC . 52 PUSH EDX
0066B2BD . 57 PUSH EDI
0066B2BE . FF95 F0FEFFFF CALL DWORD PTR SS:[EBP-110]
0066B2C4 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],3
0066B2CE . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B2D4 . 50 PUSH EAX
0066B2D5 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B2DB . 51 PUSH ECX
0066B2DC . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B2DF . 52 PUSH EDX
0066B2E0 . 68 7C874200 PUSH ks.0042877C ; UNICODE "Microsoft\MSJET"
0066B2E5 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B2EB . 8BD0 MOV EDX,EAX
0066B2ED . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B2F0 . FFD6 CALL ESI
0066B2F2 . 50 PUSH EAX
0066B2F3 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066B2F6 . 50 PUSH EAX
0066B2F7 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066B2FD . 8BD0 MOV EDX,EAX
0066B2FF . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B302 . FFD6 CALL ESI
0066B304 . 50 PUSH EAX
0066B305 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B30B . 8BD0 MOV EDX,EAX
0066B30D . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B313 . FFD6 CALL ESI
0066B315 . 50 PUSH EAX
0066B316 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066B31B . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B321 . 8BD0 MOV EDX,EAX
0066B323 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B329 . FFD6 CALL ESI
0066B32B . 50 PUSH EAX
0066B32C . 57 PUSH EDI
0066B32D . FF95 ECFEFFFF CALL DWORD PTR SS:[EBP-114]
0066B333 . 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
0066B339 . 8B4D A0 MOV ECX,DWORD PTR SS:[EBP-60]
0066B33C . 83C1 04 ADD ECX,4
0066B33F . FFD3 CALL EBX
0066B341 . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0066B347 . 52 PUSH EDX
0066B348 . 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
0066B34E . 50 PUSH EAX
0066B34F . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0066B355 . 51 PUSH ECX
0066B356 . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B359 . 52 PUSH EDX
0066B35A . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B35D . 50 PUSH EAX
0066B35E . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B361 . 51 PUSH ECX
0066B362 . 6A 06 PUSH 6
0066B364 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B36A . 83C4 1C ADD ESP,1C
0066B36D . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B373 . 52 PUSH EDX
0066B374 . 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60]
0066B377 . 83C0 04 ADD EAX,4
0066B37A . 50 PUSH EAX
0066B37B . 57 PUSH EDI
0066B37C . FF95 F4FEFFFF CALL DWORD PTR SS:[EBP-10C]
0066B382 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B388 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B38E . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B394 . 51 PUSH ECX
0066B395 . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
0066B39B . 8B55 A0 MOV EDX,DWORD PTR SS:[EBP-60]
0066B39E . 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0066B3A1 . 50 PUSH EAX
0066B3A2 . FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>; MSVBVM50.__vbaDateStr
0066B3A8 . DD9D 48FFFFFF FSTP QWORD PTR SS:[EBP-B8]
0066B3AE . C785 40FFFFFF>MOV DWORD PTR SS:[EBP-C0],8007
0066B3B8 . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3BE . 51 PUSH ECX
0066B3BF . 8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
0066B3C5 . 52 PUSH EDX
0066B3C6 . FF15 64B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaVarTs>; MSVBVM50.__vbaVarTstNe
0066B3CC . 8BD8 MOV EBX,EAX
0066B3CE . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B3D4 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B3DA . 66:85DB TEST BX,BX
0066B3DD . 74 0F JE SHORT ks.0066B3EE
0066B3DF . 66:8B45 B4 MOV AX,WORD PTR SS:[EBP-4C]
0066B3E3 . 66:48 DEC AX
0066B3E5 . 0F80 C2010000 JO ks.0066B5AD
0066B3EB . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0066B3EE > 8B4D 8C MOV ECX,DWORD PTR SS:[EBP-74]
0066B3F1 . 51 PUSH ECX
0066B3F2 . 8B1D B0B36800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrI2
0066B3F8 . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrI2>
0066B3FA . 8BD0 MOV EDX,EAX
0066B3FC . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0066B3FF . FFD6 CALL ESI
0066B401 . 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C]
0066B404 . 52 PUSH EDX
0066B405 . FFD3 CALL EBX
0066B407 . 8BD0 MOV EDX,EAX
0066B409 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0066B40C . FFD6 CALL ESI
0066B40E . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B414 . 50 PUSH EAX
0066B415 . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
0066B41B . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B421 . 51 PUSH ECX
0066B422 . FF15 04B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrEr>; MSVBVM50.__vbaStrErrVarCopy
0066B428 . 8BD0 MOV EDX,EAX
0066B42A . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
0066B42D . FFD6 CALL ESI
0066B42F . 8D95 60FFFFFF LEA EDX,DWORD PTR SS:[EBP-A0]
0066B435 . 52 PUSH EDX
0066B436 . 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
0066B43C . 50 PUSH EAX
0066B43D . 6A 02 PUSH 2
0066B43F . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0066B445 . 83C4 0C ADD ESP,0C
0066B448 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
0066B44E . 51 PUSH ECX
0066B44F . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
0066B452 . 52 PUSH EDX
0066B453 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0066B456 . 50 PUSH EAX
0066B457 . 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
0066B45A . 51 PUSH ECX
0066B45B . 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
0066B45E . 52 PUSH EDX
0066B45F . 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0066B462 . 50 PUSH EAX
0066B463 . 57 PUSH EDI
0066B464 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0066B466 . FF50 28 CALL DWORD PTR DS:[EAX+28]
0066B469 . 85C0 TEST EAX,EAX
0066B46B . 7D 0F JGE SHORT ks.0066B47C
0066B46D . 6A 28 PUSH 28
0066B46F . 68 C4E94100 PUSH ks.0041E9C4
0066B474 . 57 PUSH EDI
0066B475 . 50 PUSH EAX
0066B476 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
0066B47C > C745 B8 00000>MOV DWORD PTR SS:[EBP-48],0
0066B483 . EB 48 JMP SHORT ks.0066B4CD
0066B485 > C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B48C . EB 3F JMP SHORT ks.0066B4CD
0066B48E > C745 B8 EB030>MOV DWORD PTR SS:[EBP-48],3EB
0066B495 . EB 10 JMP SHORT ks.0066B4A7
0066B497 > C745 B8 EA030>MOV DWORD PTR SS:[EBP-48],3EA
0066B49E . EB 07 JMP SHORT ks.0066B4A7
0066B4A0 > C745 B8 E9030>MOV DWORD PTR SS:[EBP-48],3E9
0066B4A7 > FF15 58B66800 CALL DWORD PTR DS:[<&MSVBVM50.#685>] ; MSVBVM50.rtcErrObj
0066B4AD . 50 PUSH EAX
0066B4AE . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4B4 . 51 PUSH ECX
0066B4B5 . FF15 80B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
0066B4BB . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0066B4BD . 50 PUSH EAX
0066B4BE . FF52 48 CALL DWORD PTR DS:[EDX+48]
0066B4C1 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B4C7 . FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0066B4CD > FF15 64B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaExitP>; MSVBVM50.__vbaExitProc
0066B4D3 . 9B WAIT
0066B4D4 . 68 84B56600 PUSH ks.0066B584
0066B4D9 . EB 52 JMP SHORT ks.0066B52D
0066B4DB . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
0066B4E1 . 50 PUSH EAX
0066B4E2 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
0066B4E8 . 51 PUSH ECX
0066B4E9 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0066B4EF . 52 PUSH EDX
0066B4F0 . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066B4F3 . 50 PUSH EAX
0066B4F4 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066B4F7 . 51 PUSH ECX
0066B4F8 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B4FB . 52 PUSH EDX
0066B4FC . 6A 06 PUSH 6
0066B4FE . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B504 . 83C4 1C ADD ESP,1C
0066B507 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B50D . FF15 14B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0066B513 . 8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
0066B519 . 50 PUSH EAX
0066B51A . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B520 . 51 PUSH ECX
0066B521 . 6A 02 PUSH 2
0066B523 . FF15 ECB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList
0066B529 . 83C4 0C ADD ESP,0C
0066B52C . C3 RETN
0066B52D > 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0066B530 . 52 PUSH EDX
0066B531 . 6A 00 PUSH 0
0066B533 . 8B3D 50B46800 MOV EDI,DWORD PTR DS:[<&MSVBVM50.__vbaAr>; MSVBVM50.__vbaAryDestruct
0066B539 . FFD7 CALL EDI ; <&MSVBVM50.__vbaAryDestruct>
0066B53B . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066B53E . 8B35 10B76800 MOV ESI,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeStr
0066B544 . FFD6 CALL ESI ; <&MSVBVM50.__vbaFreeStr>
0066B546 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0066B549 . FFD6 CALL ESI
0066B54B . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
0066B54E . FFD6 CALL ESI
0066B550 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0066B553 . 8B1D 14B76800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaFr>; MSVBVM50.__vbaFreeObj
0066B559 . FFD3 CALL EBX ; <&MSVBVM50.__vbaFreeObj>
0066B55B . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066B55E . FFD6 CALL ESI
0066B560 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0066B563 . FFD3 CALL EBX
0066B565 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0066B568 . FFD6 CALL ESI
0066B56A . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0066B56D . FFD6 CALL ESI
0066B56F . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0066B572 . 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8],EAX
0066B578 . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
0066B57E . 51 PUSH ECX
0066B57F . 6A 00 PUSH 0
0066B581 . FFD7 CALL EDI
0066B583 . C3 RETN
0066B584 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B587 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0066B589 . 50 PUSH EAX
0066B58A . FF52 08 CALL DWORD PTR DS:[EDX+8]
0066B58D . 8B45 1C MOV EAX,DWORD PTR SS:[EBP+1C]
0066B590 . 66:8B4D B8 MOV CX,WORD PTR SS:[EBP-48]
0066B594 . 66:8908 MOV WORD PTR DS:[EAX],CX
0066B597 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0066B59A . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
0066B59D . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066B5A4 . 5F POP EDI
0066B5A5 . 5E POP ESI
0066B5A6 . 5B POP EBX
0066B5A7 . 8BE5 MOV ESP,EBP
0066B5A9 . 5D POP EBP
0066B5AA . C2 1800 RETN 18
0066B5AD > FF15 00B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaError>; MSVBVM50.__vbaErrorOverflow
0066B5B3 . 90 NOP
0066B5B4 . 90 NOP
0066B5B5 . 90 NOP
0066B5B6 . 90 NOP
0066B5B7 . 90 NOP
0066B5B8 . 90 NOP
0066B5B9 . 90 NOP
======
从66af51 call
;-----------------------------------------------------------------------
; ks.0066C100 -- string helper reached from 0066AF51 (see the author's
; annotation on that call). OllyDbg listing of 32-bit x86 VB5 code.
; In:    [EBP+8]  = object pointer; its first dword is used as a vtable
;        [EBP+C]  = source string, copied into the local at [EBP-14]
;        [EBP+10] = out pointer; cleared on entry, receives the string
;                   held in [EBP-18] on the normal exit path
; Out:   EAX = 0; RETN 0C removes the three stack arguments.
; Frame: a __vbaExceptHandler record is linked in at FS:[0]; the previous
;        record is saved at [EBP-10] and restored before returning.
; NOTE(review): the constant "bjSchool" is handed to the vtable+20 method
; together with the stored value -- it looks like a fixed key or seed for
; that transform; confirm in the callee. If so, the stored registration
; data is only obfuscated: a constant shipped inside the image cannot
; serve as a secret.
;-----------------------------------------------------------------------
0066C100 > \55 PUSH EBP
0066C101 . 8BEC MOV EBP,ESP
0066C103 . 83EC 08 SUB ESP,8
0066C106 . 68 F67F4000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
0066C10B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0066C111 . 50 PUSH EAX
0066C112 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0066C119 . 83EC 14 SUB ESP,14
; EDX = source string argument; consumed by the __vbaStrCopy call at 0066C14A
0066C11C . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0066C11F . 53 PUSH EBX
; EBX caches the __vbaStrCopy import; it is called twice below
0066C120 . 8B1D 2CB66800 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCopy
; author's note: "FGLQPFDMQP" is the userinfo1 data (presumably the string seen in EDX here)
0066C126 . 56 PUSH ESI
0066C127 . 57 PUSH EDI
0066C128 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0066C12B . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
0066C12E . C745 FC F0774>MOV DWORD PTR SS:[EBP-4],ks.004077F0
; zero the three local slots before any of them can be freed
0066C135 . C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
0066C13C . C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0066C143 . C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
; [EBP-14] = copy of the source string (ECX = destination slot, EDX = source)
0066C14A . FFD3 CALL EBX ; <&MSVBVM50.__vbaStrCopy>
0066C14C . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0066C14F . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0066C152 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0066C155 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
; clear the caller's output slot before doing any work
0066C157 . C700 00000000 MOV DWORD PTR DS:[EAX],0
; arguments, in push order: &[EBP-1C], "bjSchool", &[EBP-14], object
0066C15D . 52 PUSH EDX
0066C15E . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0066C161 . 68 8C894200 PUSH ks.0042898C ; UNICODE "bjSchool"
0066C166 . 50 PUSH EAX
0066C167 . 56 PUSH ESI
; method at vtable offset 20 of the object; the callee is not part of this listing
0066C168 . FF51 20 CALL DWORD PTR DS:[ECX+20]
; a negative HRESULT is passed to the runtime check with the object and offset 20
0066C16B . 85C0 TEST EAX,EAX
0066C16D . 7D 0F JGE SHORT ks.0066C17E
0066C16F . 6A 20 PUSH 20
0066C171 . 68 C4E94100 PUSH ks.0041E9C4
0066C176 . 56 PUSH ESI
0066C177 . 50 PUSH EAX
0066C178 . FF15 40B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
; [EBP-18] = copy of [EBP-14] as it stands after the method call
; (presumably updated in place by the callee -- TODO confirm)
0066C17E > 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0066C181 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0066C184 . FFD3 CALL EBX
; push the epilogue address, then jump to the cleanup stub at 0066C197
0066C186 . 68 A1C16600 PUSH ks.0066C1A1
0066C18B . EB 0A JMP SHORT ks.0066C197
; not reached by fall-through; presumably the cleanup entry used on the error path
0066C18D . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0066C190 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C196 . C3 RETN
; free the working copy at [EBP-14]; the tail jump returns to the pushed 0066C1A1
0066C197 > 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0066C19A .- FF25 10B76800 JMP DWORD PTR DS:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0066C1A0 . C3 RETN
; epilogue: hand the string in [EBP-18] to the caller through [EBP+10]
0066C1A1 . 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0066C1A4 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0066C1A7 . 5F POP EDI
0066C1A8 . 5E POP ESI
0066C1A9 . 8911 MOV DWORD PTR DS:[ECX],EDX
; unlink this function's exception record (previous record saved at [EBP-10])
0066C1AB . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0066C1AE . 33C0 XOR EAX,EAX
0066C1B0 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066C1B7 . 5B POP EBX
0066C1B8 . 8BE5 MOV ESP,EBP
0066C1BA . 5D POP EBP
0066C1BB . C2 0C00 RETN 0C
-------------------------------------------------------------------------------
▲文件:0-66B790.txt
-------------------------------------------------------------------------------
0066B72F . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B735 . 50 PUSH EAX
0066B736 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B73C . 8BD0 MOV EDX,EAX
0066B73E . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066B741 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B747 . 50 PUSH EAX
0066B748 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066B74D . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B753 . 8BD0 MOV EDX,EAX
0066B755 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0066B758 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B75E . 8D55 80 LEA EDX,DWORD PTR SS:[EBP-80]
0066B761 . 52 PUSH EDX
0066B762 . 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
0066B765 . 50 PUSH EAX
0066B766 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B769 . 51 PUSH ECX
0066B76A . 6A 03 PUSH 3
0066B76C . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066B772 . 83C4 10 ADD ESP,10
0066B775 . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
0066B77C . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B77F . 52 PUSH EDX
0066B780 . 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0066B783 . 50 PUSH EAX
0066B784 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B787 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066B789 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B78C . 50 PUSH EAX
0066B78D . FF52 5C CALL DWORD PTR DS:[EDX+5C]
;访问"C:\WINXP\System32\Microsoft\MSJET6.INI"
内容如下:
FGCQPFGGQPFDDQP
FFEQPFD@QPFDEQP
GEE@XAXGE
@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L<
FGBQP
;得到:
0066B790 . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066B793 . 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
0066B799 . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B7A0 . 8B95 38FFFFFF MOV EDX,DWORD PTR SS:[EBP-C8]
0066B7A6 . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0066B7A9 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B7AF . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
0066B7B6 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B7B9 . 52 PUSH EDX
0066B7BA . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0066B7BD . 50 PUSH EAX
0066B7BE . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B7C1 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066B7C3 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B7C6 . 50 PUSH EAX
0066B7C7 . FF52 5C CALL DWORD PTR DS:[EDX+5C]
0066B7CA . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
;得到:"FGLQPFDMQP"
0066B7CD . 898D 34FFFFFF MOV DWORD PTR SS:[EBP-CC],ECX
0066B7D3 . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B7DA . 8B95 34FFFFFF MOV EDX,DWORD PTR SS:[EBP-CC]
0066B7E0 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066B7E3 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B7E9 . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
0066B7F0 . 66:C785 5CFFF>MOV WORD PTR SS:[EBP-A4],4
0066B7F9 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066B7FC . 52 PUSH EDX
0066B7FD . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0066B803 . 50 PUSH EAX
0066B804 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0066B807 . 51 PUSH ECX
0066B808 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066B80B . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0066B80D . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B810 . 51 PUSH ECX
0066B811 . FF50 4C CALL DWORD PTR DS:[EAX+4C]
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L<"
;
0066B814 . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B817 . 8995 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EDX
0066B81D . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066B824 . 8B95 30FFFFFF MOV EDX,DWORD PTR SS:[EBP-D0]
0066B82A . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066B82D . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B833 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
0066B83A . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066B840 . 50 PUSH EAX
0066B841 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066B844 . 51 PUSH ECX
0066B845 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066B848 . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0066B84A . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066B84D . 51 PUSH ECX
0066B84E . FF50 68 CALL DWORD PTR DS:[EAX+68]
0066B851 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B857 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B85D . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
0066B864 . 6A 01 PUSH 1
0066B866 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
;得到上次输入的激活码"5084J-VX10H-0248M-TXZO7-O1J69-26M9I"
0066B869 . 52 PUSH EDX
0066B86A . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
;得到最近输入的激活码"G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
0066B86D . 50 PUSH EAX
0066B86E . 6A 01 PUSH 1
0066B870 . FF15 10B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaInStr>; MSVBVM50.__vbaInStr
;最近激活码转换为小写字符在[ESP-20]
0066B876 . 33DB XOR EBX,EBX
0066B878 . 85C0 TEST EAX,EAX
0066B87A . 0F9FC3 SETG BL
0066B87D . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
;上次激活码
0066B880 . 51 PUSH ECX
0066B881 . 68 A4B44100 PUSH ks.0041B4A4
0066B886 . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
0066B88C . F7D8 NEG EAX
0066B88E . 1BC0 SBB EAX,EAX
0066B890 . 40 INC EAX
0066B891 . 0BD8 OR EBX,EAX
0066B893 . 85DB TEST EBX,EBX
0066B895 . 75 40 JNZ SHORT ks.0066B8D7
0066B897 . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B
0066B89E . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
;上次激活码
0066B8A1 . 52 PUSH EDX
0066B8A2 . 68 3C044200 PUSH ks.0042043C
0066B8A7 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066B8AD . 8BD0 MOV EDX,EAX
;得到字符串"5084J-VX10H-0248M-TXZO7-O1J69-26M9I|"
0066B8AF . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B8B2 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B8B8 . 50 PUSH EAX
0066B8B9 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0066B8BC . 50 PUSH EAX
0066B8BD . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
;得到字符串"5084J-VX10H-0248M-TXZO7-O1J69-26M9I|G5060-BBBBB-CCQ2L-23XL6-O2323-3434I"
0066B8C3 . 8BD0 MOV EDX,EAX
0066B8C5 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0066B8C8 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B8CE . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B8D1 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B8D7 > C745 FC 0D000>MOV DWORD PTR SS:[EBP-4],0D
0066B8DE . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B8E4 . 51 PUSH ECX
0066B8E5 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0066B8E8 . 52 PUSH EDX
0066B8E9 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066B8EC . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066B8EE . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066B8F1 . 52 PUSH EDX
0066B8F2 . FF51 68 CALL DWORD PTR DS:[ECX+68]
;加密以上字符串得到:
;"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066B8F5 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066B8FB . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066B901 . C745 FC 0E000>MOV DWORD PTR SS:[EBP-4],0E
0066B908 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0066B90B . 8985 68FFFFFF MOV DWORD PTR SS:[EBP-98],EAX
0066B911 . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],4008
0066B91B . 6A 00 PUSH 0
0066B91D . 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:[EBP-A0]
0066B923 . 51 PUSH ECX
0066B924 . FF15 F8B56800 CALL DWORD PTR DS:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
0066B92A . 8BD0 MOV EDX,EAX
0066B92C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B92F . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066B935 . 50 PUSH EAX
0066B936 . 68 A4B44100 PUSH ks.0041B4A4
0066B93B . FF15 0CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
;rtcDir返回的文件名"MSJET6.INI"与ks.0041B4A4处的字符串比较(推测该常量为空串,即判断MSJET6.INI是否存在,待确认)
0066B941 . F7D8 NEG EAX
0066B943 . 1BC0 SBB EAX,EAX
0066B945 . F7D8 NEG EAX
0066B947 . F7D8 NEG EAX
0066B949 . 66:8985 54FFF>MOV WORD PTR SS:[EBP-AC],AX
0066B950 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B953 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B959 . 0FBF95 54FFFF>MOVSX EDX,WORD PTR SS:[EBP-AC]
0066B960 . 85D2 TEST EDX,EDX
0066B962 . 0F84 8E000000 JE ks.0066B9F6
0066B968 . C745 FC 0F000>MOV DWORD PTR SS:[EBP-4],0F
0066B96F . 6A 00 PUSH 0
0066B971 . 6A 00 PUSH 0
0066B973 . 6A 03 PUSH 3
0066B975 . 6A 00 PUSH 0
0066B977 . 6A 03 PUSH 3
0066B979 . 68 00000040 PUSH 40000000
0066B97E . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0066B981 . 50 PUSH EAX
0066B982 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B985 . 51 PUSH ECX
0066B986 . FF15 90B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToAnsi
0066B98C . 50 PUSH EAX
0066B98D . E8 4E14DBFF CALL ks.0041CDE0
0066B992 . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0066B998 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066B99E . 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
0066B9A1 . 52 PUSH EDX
0066B9A2 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0066B9A5 . 50 PUSH EAX
0066B9A6 . FF15 9CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToUnicode
0066B9AC . 8B8D 58FFFFFF MOV ECX,DWORD PTR SS:[EBP-A8]
0066B9B2 . 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
0066B9B5 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066B9B8 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066B9BE . C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0066B9C5 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
0066B9C8 . 52 PUSH EDX
0066B9C9 . 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
0066B9CC . 50 PUSH EAX
0066B9CD . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
0066B9D0 . 51 PUSH ECX
0066B9D1 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0066B9D4 . 52 PUSH EDX
0066B9D5 . E8 5634DBFF CALL ks.0041EE30
0066B9DA . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066B9E0 . C745 FC 11000>MOV DWORD PTR SS:[EBP-4],11
0066B9E7 . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0066B9EA . 50 PUSH EAX
0066B9EB . E8 2C14DBFF CALL ks.0041CE1C
0066B9F0 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066B9F6 > C745 FC 13000>MOV DWORD PTR SS:[EBP-4],13
0066B9FD . 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0066BA00 . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BA06 . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BA10 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BA16 . 52 PUSH EDX
0066BA17 . B8 10000000 MOV EAX,10
0066BA1C . E8 CFC5D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BA21 . 8BC4 MOV EAX,ESP
0066BA23 . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BA29 . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BA2B . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BA31 . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BA34 . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BA3A . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BA3D . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BA43 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BA46 . 68 0C894200 PUSH ks.0042890C ; UNICODE "userinfo1"
0066BA4B . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BA50 . 68 CCE54100 PUSH ks.0041E5CC
0066BA55 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BA5B . 8BD0 MOV EDX,EAX
0066BA5D . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BA60 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BA66 . 50 PUSH EAX
0066BA67 . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BA6B . 50 PUSH EAX
0066BA6C . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BA72 . 8BD0 MOV EDX,EAX
0066BA74 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BA77 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BA7D . 50 PUSH EAX
0066BA7E . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BA84 . 8BD0 MOV EDX,EAX
0066BA86 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BA89 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BA8F . 50 PUSH EAX
0066BA90 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BA93 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BA95 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BA98 . 50 PUSH EAX
0066BA99 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0066BA9C . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BA9F . 51 PUSH ECX
0066BAA0 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BAA3 . 52 PUSH EDX
0066BAA4 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BAA7 . 50 PUSH EAX
0066BAA8 . 6A 03 PUSH 3
0066BAAA . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BAB0 . 83C4 10 ADD ESP,10
0066BAB3 . C745 FC 14000>MOV DWORD PTR SS:[EBP-4],14
0066BABA . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0066BABD . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BAC3 . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BACD . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BAD3 . 52 PUSH EDX
0066BAD4 . B8 10000000 MOV EAX,10
0066BAD9 . E8 12C5D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BADE . 8BC4 MOV EAX,ESP
0066BAE0 . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BAE6 . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BAE8 . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BAEE . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BAF1 . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BAF7 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BAFA . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BB00 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BB03 . 68 24894200 PUSH ks.00428924 ; UNICODE "userinfo2"
0066BB08 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BB0D . 68 CCE54100 PUSH ks.0041E5CC
0066BB12 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BB18 . 8BD0 MOV EDX,EAX
0066BB1A . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BB1D . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BB23 . 50 PUSH EAX
0066BB24 . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BB28 . 50 PUSH EAX
0066BB29 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BB2F . 8BD0 MOV EDX,EAX
0066BB31 . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BB34 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BB3A . 50 PUSH EAX
0066BB3B . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BB41 . 8BD0 MOV EDX,EAX
0066BB43 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BB46 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BB4C . 50 PUSH EAX
0066BB4D . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BB50 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BB52 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BB55 . 50 PUSH EAX
0066BB56 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0066BB59 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BB5C . 51 PUSH ECX
0066BB5D . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BB60 . 52 PUSH EDX
0066BB61 . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BB64 . 50 PUSH EAX
0066BB65 . 6A 03 PUSH 3
0066BB67 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BB6D . 83C4 10 ADD ESP,10
0066BB70 . C745 FC 15000>MOV DWORD PTR SS:[EBP-4],15
0066BB77 . BA D4D34100 MOV EDX,ks.0041D3D4
0066BB7C . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0066BB7F . FF15 2CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCo>; MSVBVM50.__vbaStrCopy
0066BB85 . C745 FC 16000>MOV DWORD PTR SS:[EBP-4],16
0066BB8C . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BB8F . 51 PUSH ECX
0066BB90 . 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
0066BB93 . 52 PUSH EDX
0066BB94 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BB97 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066BB99 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066BB9C . 52 PUSH EDX
0066BB9D . FF51 5C CALL DWORD PTR DS:[ECX+5C]
0066BBA0 . 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
0066BBA3 . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX
0066BBA9 . C745 88 00000>MOV DWORD PTR SS:[EBP-78],0
0066BBB0 . 8B95 2CFFFFFF MOV EDX,DWORD PTR SS:[EBP-D4]
0066BBB6 . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0066BBB9 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BBBF . C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17
0066BBC6 . 8B4D A4 MOV ECX,DWORD PTR SS:[EBP-5C]
0066BBC9 . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
0066BBCF . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BBD9 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BBDF . 52 PUSH EDX
0066BBE0 . B8 10000000 MOV EAX,10
0066BBE5 . E8 06C4D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BBEA . 8BC4 MOV EAX,ESP
0066BBEC . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
0066BBF2 . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BBF4 . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BBFA . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BBFD . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BC03 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BC06 . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BC0C . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BC0F . 68 64874200 PUSH ks.00428764 ; UNICODE "userflag"
0066BC14 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BC19 . 68 CCE54100 PUSH ks.0041E5CC
0066BC1E . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BC24 . 8BD0 MOV EDX,EAX
0066BC26 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BC29 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BC2F . 50 PUSH EAX
0066BC30 . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BC34 . 50 PUSH EAX
0066BC35 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BC3B . 8BD0 MOV EDX,EAX
0066BC3D . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BC40 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BC46 . 50 PUSH EAX
0066BC47 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BC4D . 8BD0 MOV EDX,EAX
0066BC4F . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BC52 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BC58 . 50 PUSH EAX
0066BC59 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BC5C . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BC5E . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BC61 . 50 PUSH EAX
0066BC62 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0066BC65 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BC68 . 51 PUSH ECX
0066BC69 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BC6C . 52 PUSH EDX
0066BC6D . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BC70 . 50 PUSH EAX
0066BC71 . 6A 03 PUSH 3
0066BC73 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BC79 . 83C4 10 ADD ESP,10
0066BC7C . C745 FC 18000>MOV DWORD PTR SS:[EBP-4],18
0066BC83 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
0066BC86 . 898D 68FFFFFF MOV DWORD PTR SS:[EBP-98],ECX
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066BC8C . C785 60FFFFFF>MOV DWORD PTR SS:[EBP-A0],8
0066BC96 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0066BC9C . 52 PUSH EDX
0066BC9D . B8 10000000 MOV EAX,10
0066BCA2 . E8 49C3D9FF CALL <JMP.&MSVBVM50.__vbaChkstk>
0066BCA7 . 8BC4 MOV EAX,ESP
0066BCA9 . 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
;得到"@EMA?X#-DE=XEGAM8X!-/:BX:D?CLXGC8L< 2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
0066BCAF . 8908 MOV DWORD PTR DS:[EAX],ECX
0066BCB1 . 8B95 64FFFFFF MOV EDX,DWORD PTR SS:[EBP-9C]
0066BCB7 . 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
0066BCBA . 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98]
0066BCC0 . 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
0066BCC3 . 8B95 6CFFFFFF MOV EDX,DWORD PTR SS:[EBP-94]
0066BCC9 . 8950 0C MOV DWORD PTR DS:[EAX+C],EDX
0066BCCC . 68 B0874200 PUSH ks.004287B0 ; UNICODE "userinfo"
0066BCD1 . 68 84B54100 PUSH ks.0041B584 ; UNICODE "SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY"
0066BCD6 . 68 CCE54100 PUSH ks.0041E5CC
0066BCDB . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BCE1 . 8BD0 MOV EDX,EAX
0066BCE3 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BCE6 . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BCEC . 50 PUSH EAX
0066BCED . 66:8B45 18 MOV AX,WORD PTR SS:[EBP+18]
0066BCF1 . 50 PUSH EAX
0066BCF2 . FF15 B0B36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI2>; MSVBVM50.__vbaStrI2
0066BCF8 . 8BD0 MOV EDX,EAX
0066BCFA . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BCFD . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BD03 . 50 PUSH EAX
0066BD04 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
0066BD0A . 8BD0 MOV EDX,EAX
0066BD0C . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BD0F . FF15 C8B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
0066BD15 . 50 PUSH EAX
0066BD16 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066BD19 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066BD1B . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BD1E . 50 PUSH EAX
0066BD1F . FF52 44 CALL DWORD PTR DS:[EDX+44]
;保存在注册表中
0066BD22 . 8D4D 80 LEA ECX,DWORD PTR SS:[EBP-80]
0066BD25 . 51 PUSH ECX
0066BD26 . 8D55 84 LEA EDX,DWORD PTR SS:[EBP-7C]
0066BD29 . 52 PUSH EDX
0066BD2A . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BD2D . 50 PUSH EAX
0066BD2E . 6A 03 PUSH 3
0066BD30 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BD36 . 83C4 10 ADD ESP,10
0066BD39 . C745 FC 19000>MOV DWORD PTR SS:[EBP-4],19
0066BD40 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD46 . 51 PUSH ECX
0066BD47 . 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0066BD4A . 52 PUSH EDX
0066BD4B . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066BD4E . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0066BD50 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0066BD53 . 52 PUSH EDX
0066BD54 . FF51 68 CALL DWORD PTR DS:[ECX+68]
0066BD57 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD5D . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BD63 . C745 FC 1A000>MOV DWORD PTR SS:[EBP-4],1A
0066BD6A . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066BD70 . 50 PUSH EAX
0066BD71 . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
0066BD77 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD7D . 51 PUSH ECX
0066BD7E . FF15 E8B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateV>; MSVBVM50.__vbaDateVar
0066BD84 . DD5D 94 FSTP QWORD PTR SS:[EBP-6C]
0066BD87 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BD8D . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BD93 . C745 FC 1B000>MOV DWORD PTR SS:[EBP-4],1B
0066BD9A . 68 70894200 PUSH ks.00428970 ; UNICODE "2001-10-01"
0066BD9F . FF15 A0B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaDateS>; MSVBVM50.__vbaDateStr
0066BDA5 . DD9D 78FFFFFF FSTP QWORD PTR SS:[EBP-88]
0066BDAB . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],7
0066BDB5 . 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0066BDBB . 52 PUSH EDX
0066BDBC . FF15 FCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#548>] ; MSVBVM50.rtcSetDateVar
0066BDC2 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BDC8 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BDCE . C745 FC 1C000>MOV DWORD PTR SS:[EBP-4],1C
0066BDD5 . C785 78FFFFFF>MOV DWORD PTR SS:[EBP-88],80020004
0066BDDF . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],0A
0066BDE9 . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0066BDEF . 50 PUSH EAX
0066BDF0 . FF15 08B66800 CALL DWORD PTR DS:[<&MSVBVM50.#648>] ; MSVBVM50.rtcFreeFile
0066BDF6 . 66:8945 DC MOV WORD PTR SS:[EBP-24],AX
0066BDFA . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BE00 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BE06 . C745 FC 1D000>MOV DWORD PTR SS:[EBP-4],1D
0066BE0D . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0066BE10 . 51 PUSH ECX
0066BE11 . 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0066BE15 . 52 PUSH EDX
0066BE16 . 6A FF PUSH -1
0066BE18 . 6A 02 PUSH 2
0066BE1A . FF15 04B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFileO>; MSVBVM50.__vbaFileOpen
;开始写入MSJET6.INI
0066BE20 . C745 FC 1E000>MOV DWORD PTR SS:[EBP-4],1E
0066BE27 . 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0066BE2A . 50 PUSH EAX
0066BE2B . 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BE2F . 51 PUSH ECX
0066BE30 . 68 E41B4200 PUSH ks.00421BE4
0066BE35 . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE3B . 83C4 0C ADD ESP,0C
0066BE3E . C745 FC 1F000>MOV DWORD PTR SS:[EBP-4],1F
0066BE45 . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
0066BE48 . 52 PUSH EDX
0066BE49 . 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0066BE4D . 50 PUSH EAX
0066BE4E . 68 E41B4200 PUSH ks.00421BE4
0066BE53 . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE59 . 83C4 0C ADD ESP,0C
0066BE5C . C745 FC 20000>MOV DWORD PTR SS:[EBP-4],20
0066BE63 . 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
0066BE66 . 51 PUSH ECX
0066BE67 . 66:8B55 DC MOV DX,WORD PTR SS:[EBP-24]
0066BE6B . 52 PUSH EDX
0066BE6C . 68 E41B4200 PUSH ks.00421BE4
0066BE71 . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE77 . 83C4 0C ADD ESP,0C
0066BE7A . C745 FC 21000>MOV DWORD PTR SS:[EBP-4],21
0066BE81 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0066BE84 . 50 PUSH EAX
0066BE85 . 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BE89 . 51 PUSH ECX
0066BE8A . 68 E41B4200 PUSH ks.00421BE4
0066BE8F . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BE95 . 83C4 0C ADD ESP,0C
0066BE98 . C745 FC 22000>MOV DWORD PTR SS:[EBP-4],22
0066BE9F . 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
0066BEA2 . 52 PUSH EDX
0066BEA3 . 66:8B45 DC MOV AX,WORD PTR SS:[EBP-24]
0066BEA7 . 50 PUSH EAX
0066BEA8 . 68 E41B4200 PUSH ks.00421BE4
0066BEAD . FF15 98B56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaPrint>; MSVBVM50.__vbaPrintFile
0066BEB3 . 83C4 0C ADD ESP,0C
0066BEB6 . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23
0066BEBD . 66:8B4D DC MOV CX,WORD PTR SS:[EBP-24]
0066BEC1 . 51 PUSH ECX
0066BEC2 . FF15 F0B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFileC>; MSVBVM50.__vbaFileClose
0066BEC8 . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24
0066BECF . 8B55 94 MOV EDX,DWORD PTR SS:[EBP-6C]
0066BED2 . 8995 78FFFFFF MOV DWORD PTR SS:[EBP-88],EDX
0066BED8 . 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68]
0066BEDB . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0066BEE1 . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],7
0066BEEB . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BEF1 . 51 PUSH ECX
0066BEF2 . FF15 FCB66800 CALL DWORD PTR DS:[<&MSVBVM50.#548>] ; MSVBVM50.rtcSetDateVar
0066BEF8 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BEFE . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BF04 . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25
0066BF0B . 6A 00 PUSH 0
0066BF0D . 6A 00 PUSH 0
0066BF0F . 6A 03 PUSH 3
0066BF11 . 6A 00 PUSH 0
0066BF13 . 6A 03 PUSH 3
0066BF15 . 68 00000040 PUSH 40000000
0066BF1A . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
0066BF1D . 52 PUSH EDX
0066BF1E . 8D45 88 LEA EAX,DWORD PTR SS:[EBP-78]
0066BF21 . 50 PUSH EAX
0066BF22 . FF15 90B66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToAnsi
0066BF28 . 50 PUSH EAX
0066BF29 . E8 B20EDBFF CALL ks.0041CDE0
0066BF2E . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX
0066BF34 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066BF3A . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0066BF3D . 51 PUSH ECX
0066BF3E . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0066BF41 . 52 PUSH EDX
0066BF42 . FF15 9CB56800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrTo>; MSVBVM50.__vbaStrToUnicode
0066BF48 . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
0066BF4E . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
0066BF51 . 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
0066BF54 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BF5A . C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26
0066BF61 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0066BF64 . 51 PUSH ECX
0066BF65 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
0066BF68 . 52 PUSH EDX
0066BF69 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0066BF6C . 50 PUSH EAX
0066BF6D . 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
0066BF70 . 51 PUSH ECX
0066BF71 . E8 FA2EDBFF CALL ks.0041EE70
0066BF76 . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066BF7C . C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27
0066BF83 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0066BF86 . 52 PUSH EDX
0066BF87 . E8 900EDBFF CALL ks.0041CE1C
0066BF8C . FF15 38B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaSetSy>; MSVBVM50.__vbaSetSystemError
0066BF92 . 9B WAIT
0066BF93 . 68 13C06600 PUSH ks.0066C013
0066BF98 . EB 24 JMP SHORT ks.0066BFBE
0066BF9A . 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
0066BF9D . 50 PUSH EAX
0066BF9E . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0066BFA1 . 51 PUSH ECX
0066BFA2 . 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
0066BFA5 . 52 PUSH EDX
0066BFA6 . 6A 03 PUSH 3
0066BFA8 . FF15 3CB66800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
0066BFAE . 83C4 10 ADD ESP,10
0066BFB1 . 8D8D 70FFFFFF LEA ECX,DWORD PTR SS:[EBP-90]
0066BFB7 . FF15 CCB36800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVar
0066BFBD . C3 RETN
0066BFBE > 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0066BFC1 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFC7 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0066BFCA . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFD0 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0066BFD3 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFD9 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
0066BFDC . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFE2 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0066BFE5 . 50 PUSH EAX
0066BFE6 . 6A 00 PUSH 0
0066BFE8 . FF15 50B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaAryDe>; MSVBVM50.__vbaAryDestruct
0066BFEE . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0066BFF1 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066BFF7 . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0066BFFA . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C000 . 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70]
0066C003 . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C009 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0066C00C . FF15 10B76800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0066C012 . C3 RETN
0066C013 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0066C016 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
0066C018 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0066C01B . 50 PUSH EAX
0066C01C . FF52 08 CALL DWORD PTR DS:[EDX+8]
0066C01F . 8B4D 20 MOV ECX,DWORD PTR SS:[EBP+20]
0066C022 . 66:8B55 C8 MOV DX,WORD PTR SS:[EBP-38]
0066C026 . 66:8911 MOV WORD PTR DS:[ECX],DX
0066C029 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0066C02C . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0066C02F . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0066C036 . 5F POP EDI
0066C037 . 5E POP ESI
0066C038 . 5B POP EBX
0066C039 . 8BE5 MOV ESP,EBP
0066C03B . 5D POP EBP
0066C03C . C2 1C00 RETN 1C
0066C03F CC INT3
-------------------------------------------------------------------------------
▲文件:0-REG.txt 注册表文件
-------------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6]
"userinfo1"="FGLQPFDMQP"
"userinfo2"="FGLQPFDMQP"
"userflag"="FGBQP"
"userinfo"="2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<"
;或者[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1]
-------------------------------------------------------------------------------
▲文件:0-INI.txt c:\WINXP\system32\Microsoft\MSJET1.INI(或MSJET6.INI)的内容
-------------------------------------------------------------------------------
FGLQPFDMQP
FGLQPFDMQP
GEE@XAXGG
2@ECEX77777X66$G9XGF-9CX:GFGFXFAFA<
FGBQP
-------------------------------------------------------------------------------
▲文件:0-FINAL.txt
-------------------------------------------------------------------------------
最终得到的假激活码:G5060-BBBBB-CCQ2L-23XL6-O2323-3434I
0067956A . 50 PUSH EAX
0067956B . FFD7 CALL EDI
0067956D > 66:83BD 38FFF>CMP WORD PTR SS:[EBP-C8],0FFFF
00679575 . 0F85 7D020000 JNZ ks.006797F8
0067957B . 66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0067957F . 66:3B55 D4 CMP DX,WORD PTR SS:[EBP-2C]
00679583 . 0F85 C2000000 JNZ ks.0067964B ; no jmp,跳走会显示无产品项目
;这样可以强制激活成功
00679589 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0067958C . 50 PUSH EAX
0067958D . FF15 74B66800 CALL DWORD PTR DS:[<&MSVBVM50.#610>] ; MSVBVM50.rtcGetDateVar
00679593 . 8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
00679596 . 3BFB CMP EDI,EBX
00679598 . 75 12 JNZ SHORT ks.006795AC
0067959A . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0067959D . 51 PUSH ECX
0067959E . 68 D0924000 PUSH ks.004092D0
这样会生成c:\WINXP\system32\Microsoft\MSJET1.INI文件,把它复制一份,改名为MSJET6.INI
注意:MSJETx.INI文件名最后的1是算出来的,会自动保存,但那个6却不能自动生成,怎样知道是6呢?可以在这里看到:
0066AB3F . 50 PUSH EAX
0066AB40 . 68 A0874200 PUSH ks.004287A0 ; UNICODE ".INI"
0066AB45 . FF15 20B46800 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCa>; MSVBVM50.__vbaStrCat
;这个操作可以看到6
0066AB4B . 8BD0 MOV EDX,EAX
0066AB4D . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
再加下面两个爆破就可以了,但是还有提示激活成功,可用x次..
其实在注册表里还有HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\1
把它复制一个命名为HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsMCWY\6即可
============
0066AED2 . /0F85 B6050000 JNZ ks.0066B48E
0066AED8 . |66:8B55 0C MOV DX,WORD PTR SS:[EBP+C]
0066AEDC . |66:3955 D8 CMP WORD PTR SS:[EBP-28],DX
0066AEE0 . |74 0C JE SHORT ks.0066AEEE ; JMP ZZH(EB0C)
;改为JMP 66aeee即可
0066AEE2 . |C745 B8 EC030>MOV DWORD PTR SS:[EBP-48],3EC
0066AEE9 . |E9 DF050000 JMP ks.0066B4CD
0066AEEE > |BA 0C894200 MOV EDX,ks.0042890C ; UNICODE "userinfo1"
0066AEF3 . |8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
============
0061D184 > \66:3975 88 CMP WORD PTR SS:[EBP-78],SI
0061D188 . 75 16 JNZ SHORT ks.0061D1A0 ; NO Jmp (SYS) EAX<=1 ZZH
;上行不要跳,改为MOV EAX,1,覆盖下行指令即可
0061D18A . 83C8 FF OR EAX,FFFFFFFF
0061D18D . 68 0ED56100 PUSH ks.0061D50E ; EAX<=1
0061D192 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0061D195 . 66:A3 DCB0670>MOV WORD PTR DS:[67B0DC],AX
0061D19B . E9 4F030000 JMP ks.0061D4EF
0061D1A0 > 66:3935 DCB06>CMP WORD PTR DS:[67B0DC],SI
0061D1A7 . 0F85 07030000 JNZ ks.0061D4B4
0061D1AD . 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
...
OK,CRACKED! 19:53 2005-4-22
开始于2005-4-18,好累啊.但愿我可以以此考过二级JAVA,为SUN认证打下基础.郁闷啊,考了三级又倒回来考二级.
4-26 20:18
★关于通用激活方法(因为激活是依赖于第一块硬盘序列号的,所以必须得到固定序列号,上述方法才万能)
%SYSTEM%\PCINFO.DLL
导出函数:
GetDriveSerialNumberIn9X
GetDriveSerialNumberInNT
这两个函数都是取硬盘序列号的,而软件是根据硬盘序列号来生成ID和激活码的,所以可以改造这个DLL,让它返回固定的序列号.这样就可以做通用的CRK.换句话说,这种机器绑定的强度取决于序列号来源是否可信:如果程序不校验该DLL的完整性,绑定就可以被绕开.
在VB中测验时,要更改文件名为WYPCINFO.DLL
这样声明:
' Binds the GetDriveSerialNumberInNT export from the library named "WYPCINFO"; it takes one String passed ByVal and is declared as returning a String.
' NOTE(review): the DLL's real prototype is not shown on this page - confirm the return type before relying on this declaration.
Private Declare Function GetDriveSerialNumberInNT Lib "WYPCINFO" (ByVal SN As String) As String
调用如下:
' Test snippet that calls the DLL export with a pre-sized string buffer.
' `a` is declared but not used in the lines shown.
Dim a As String, HDSN As String
' Pre-fill the buffer with 255 spaces so the callee has room to write into;
' anything it does not overwrite stays as padding.
HDSN = Space(255)
' NOTE(review): the function's return value is discarded here, and the
' parentheses around HDSN presumably make VB pass a temporary copy rather than
' the variable itself - confirm how the result was actually read in the test.
GetDriveSerialNumberInNT (HDSN)
不过这样生成的序列号带有多余的空格.
但是好像主程序并没有调用这个DLL啊,跟跟主程序KS.EXE看看怎么回事.
0066DF65 . 53 PUSH EBX
0066DF66 . 68 80400700 PUSH 74080
0066DF6B . 51 PUSH ECX
0066DF6C . E8 CB11DBFF CALL ks.0041F13C;;调用DeviceIoControl,取得硬盘SMART_VERSION
0066DF71 . 8985 68FEFFFF MOV DWORD PTR SS:[EBP-198],EAX ;如果取得成功则EAX为非0
0066DF77 . FFD7 CALL EDI
0066DF79 . 399D 68FEFFFF CMP DWORD PTR SS:[EBP-198],EBX
;ebx=0,若eax=0表示取得硬盘SMART_VERSION失败
0066DF7F . 0F84 98010000 JE ks.0066E11D ;取得SMART版本失败,则跳走
....
0066DFE3 . 52 PUSH EDX ;否则会到这里
0066DFE4 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0066DFE7 . 6A 00 PUSH 0
0066DFE9 . 8846 56 MOV BYTE PTR DS:[ESI+56],AL
0066DFEC . 68 10020000 PUSH 210
0066DFF1 . 8D46 50 LEA EAX,DWORD PTR DS:[ESI+50]
0066DFF4 . 51 PUSH ECX
0066DFF5 . 6A 20 PUSH 20
0066DFF7 . 50 PUSH EAX
0066DFF8 . 68 88C00700 PUSH 7C088
0066DFFD . 52 PUSH EDX
0066DFFE . C700 00020000 MOV DWORD PTR DS:[EAX],200
0066E004 . E8 3311DBFF CALL ks.0041F13C ;调用DeviceIoControl,取得硬盘SMART_RCV_DRIVE_DATA
;这样就取得了关于硬盘序列号在内的很多数据
;堆栈及转存
0012F490 0066E009 /CALL 到 DeviceIoControl 来自 ks.0066E004
0012F494 00000174 |hDevice = 00000174
0012F498 0007C088 |IoControlCode = SMART_RCV_DRIVE_DATA
0012F49C 0016DF88 |InBuffer = 0016DF88
0012F4A0 00000020 |InBufferSize = 20 (32.)
0012F4A4 0016DFA8 |OutBuffer = 0016DFA8
0012F4A8 00000210 |OutBufferSize = 210 (528.)
0012F4AC 00000000 |pBytesReturned = NULL
0012F4B0 0012F504 \pOverlapped = 0012F504
这是得到的数据:
0016DFA8 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
0016DFB8 5A 0C FF 3F 37 C8 10 00 00 00 00 00 3F 00 00 00 Z.?7?.....?...
0016DFC8 00 00 00 00 4A 34 31 56 48 30 4D 38 20 20 20 20 ....J41VH0M8
0016DFD8 20 20 20 20 20 20 20 20 00 00 00 10 04 00 2E 38 .....8
0016DFE8 31 30 20 20 20 20 54 53 38 33 30 30 31 31 20 41 10 TS830011 A
0016DFF8 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0016E008 20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 80 ?
0066E009 . 8985 68FEFFFF MOV DWORD PTR SS:[EBP-198],EAX
0066E00F . FFD7 CALL EDI
0066E011 . 8B85 68FEFFFF MOV EAX,DWORD PTR SS:[EBP-198]
0066E017 . 85C0 TEST EAX,EAX
0066E019 . 7F 15 JG SHORT ks.0066E030
0066E01B . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
然后进一步处理,得到序列号.
当取得SMART版本错误会到这里:
...
0066E1B3 . C2 0800 RETN 8
返回后,程序转而调用PCINFO.DLL取得序列号.
那么,我们可以补丁:
0066DF7F . 0F84 98010000 JE ks.0066E11D ;取得SMART版本失败,则跳走,改为JMP让他永远调用DLL
然后修改PCINFO.DLL
PCINFO.GetDriveSerialNumberInNT函数:
1000152E |> \C74424 04 E0EF0010 MOV DWORD PTR SS:[ESP+4],pcinfo.1000EFE0;ASCII "4JV10H8M"
;永远返回固定序列号
10001536 \. C2 0400 RETN 4
PCINFO.GetDriveSerialNumberIn9X函数:
100012BE |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
100012C5 |. 81C4 88000000 ADD ESP,88
100012CB \. C2 0400 RETN 4
100012CE 8BFF MOV EDI,EDI ;这个被覆盖不知道有没有影响
修改为:
100012CB /E9 5E020000 JMP PCINFOHK.1000152E
这样就可以保证在9X和NT下都会返回同一个固定的硬盘序列号.^_^
当然也可以修改KS.EXE,但是修改VB程序实在是太麻烦了.
好了,这样就可以用得到的假激活码,强制激活,并且通用.
也可以尝试写一个替代DLL.