扩展名仓库 V3.0.811 算法简析[原创]-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (13)
skyege 雪币： 229 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 555 粉丝 0 关注私信	skyege 2 2 楼 0047D8FB > 33C0 XOR EAX,EAX 0047D8FD . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 0047D900 > B9 04000000 MOV ECX,4 0047D905 . 66:3BC1 CMP AX,CX 0047D908 . 0F8F D8010000 JG 扩展名仓.0047DAE6 0047D90E . 0FBFC0 MOVSX EAX,AX 0047D911 . 83F8 05 CMP EAX,5 0047D914 . 8985 C8FEFFFF MOV DWORD PTR SS:[EBP-138],EAX 0047D91A . 72 17 JB SHORT 扩展名仓.0047D933 0047D91C . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047D922 . 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] 0047D928 . 83F8 05 CMP EAX,5 0047D92B . 72 06 JB SHORT 扩展名仓.0047D933 0047D92D . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047D933 > A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047D938 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047D93B . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 0047D942 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 0047D949 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 〈----- 第 2 组假码 0047D94C . 52 PUSH EDX 0047D94D . 6A 01 PUSH 1 〈----- 取第 1 个 0047D94F . 51 PUSH ECX 0047D950 . FFD3 CALL EBX 0047D952 . 8BD0 MOV EDX,EAX 0047D954 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047D957 . FFD7 CALL EDI 0047D959 . 50 PUSH EAX 0047D95A . FFD6 CALL ESI 0047D95C . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，2B 〈---- 这里是邮箱浮点运算后的几个值 0047D95F . 8B5D E0 MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= E0 ，D7 ，87 ，2C ，8C 〈---- 这里是用户名计算后的几个值 0047D962 . 0FBFC8 MOVSX ECX,AX 〈---- ECX = 32 0047D965 . 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] 0047D96B . 8B1482 MOV EDX,DWORD PTR DS:[EDX+EAX4] 0047D96E . 031483 ADD EDX,DWORD PTR DS:[EBX+EAX4] 〈---- IF + E0 = FF ，BD + D7 = ………… 0047D971 . 66:8B45 EC MOV AX,WORD PTR SS:[EBP-14] 0047D975 . 0F80 B8090000 JO 扩展名仓.0047E333 0047D97B . 66:05 0700 ADD AX,7 〈--- AX = 7 0047D97F . 0F80 AE090000 JO 扩展名仓.0047E333 0047D985 . 66:6BC0 05 IMUL AX,AX,5 〈---- AX = 23 0047D989 . 0F80 A4090000 JO 扩展名仓.0047E333 0047D98F . 0FBFC0 MOVSX EAX,AX 0047D992 . 03D0 ADD EDX,EAX 〈---- 23 + FF = 122 ；这是第一次计算的时候 0047D994 . 0F80 99090000 JO 扩展名仓.0047E333 0047D99A . 03CA ADD ECX,EDX 〈---- 122 + 32 = 154 0047D99C . 0F80 91090000 JO 扩展名仓.0047E333 0047D9A2 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047D9A8 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047D9AB . 8BD8 MOV EBX,EAX 0047D9AD . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047D9B3 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047D9B6 . FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar 0047D9BC . 66:83FB 30 CMP BX,30 0047D9C0 . 7C 06 JL SHORT 扩展名仓.0047D9C8 0047D9C2 . 66:83FB 39 CMP BX,39 0047D9C6 . 7E 61 JLE SHORT 扩展名仓.0047DA29 0047D9C8 > 66:83FB 41 CMP BX,41 0047D9CC . 7C 06 JL SHORT 扩展名仓.0047D9D4 0047D9CE . 66:83FB 5A CMP BX,5A 0047D9D2 . 7E 55 JLE SHORT 扩展名仓.0047DA29 0047D9D4 > 66:8BC3 MOV AX,BX 0047D9D7 . 66:B9 5B00 MOV CX,5B 〈---- 5B 给 CX 0047D9DB . 66:99 CWD 0047D9DD . 66:F7F9 IDIV CX 〈----- 154 MOD 5B ，取余数 43 0047D9E0 . 8BDA MOV EBX,EDX 0047D9E2 . 66:83FB 0A CMP BX,0A 0047D9E6 . 7D 06 JGE SHORT 扩展名仓.0047D9EE 0047D9E8 . 66:83C3 30 ADD BX,30 0047D9EC . EB 35 JMP SHORT 扩展名仓.0047DA23 0047D9EE > 66:83FB 23 CMP BX,23 0047D9F2 . 7F 06 JG SHORT 扩展名仓.0047D9FA 0047D9F4 . 66:83C3 37 ADD BX,37 0047D9F8 . EB 29 JMP SHORT 扩展名仓.0047DA23 0047D9FA > 66:83FB 2A CMP BX,2A 0047D9FE . 7D 07 JGE SHORT 扩展名仓.0047DA07 0047DA00 . BB 4D000000 MOV EBX,4D 0047DA05 . EB 22 JMP SHORT 扩展名仓.0047DA29 0047DA07 > 66:83FB 30 CMP BX,30 0047DA0B . 7D 06 JGE SHORT 扩展名仓.0047DA13 0047DA0D . 66:83C3 1B ADD BX,1B 0047DA11 . EB 10 JMP SHORT 扩展名仓.0047DA23 0047DA13 > 66:83FB 39 CMP BX,39 0047DA17 . 7E 10 JLE SHORT 扩展名仓.0047DA29 0047DA19 . 66:83FB 41 CMP BX,41 0047DA1D . 7D 0A JGE SHORT 扩展名仓.0047DA29 0047DA1F . 66:83EB 07 SUB BX,7 0047DA23 > 0F80 0A090000 JO 扩展名仓.0047E333 0047DA29 > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047DA2F . 66:8B4D EC MOV CX,WORD PTR SS:[EBP-14] 0047DA33 . 83C2 0C ADD EDX,0C 0047DA36 . 66:83C1 01 ADD CX,1 0047DA3A . 8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX 0047DA40 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DA43 . 0F80 EA080000 JO 扩展名仓.0047E333 0047DA49 . 0FBFD1 MOVSX EDX,CX 0047DA4C . 50 PUSH EAX ; /Arg4 0047DA4D . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4] ; \| 0047DA53 . 52 PUSH EDX ; \|Arg3 0047DA54 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] ; \| 0047DA5A . 50 PUSH EAX ; \|Arg2 0047DA5B . 51 PUSH ECX ; \|Arg1 0047DA5C . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 ; \| 0047DA63 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 ; \| 0047DA6A . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047DA74 . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 〈---- 取第 4 组假码 0047DA7A . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DA80 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DA83 . 52 PUSH EDX 0047DA84 . 50 PUSH EAX 0047DA85 . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DA8B . 50 PUSH EAX 0047DA8C . FFD6 CALL ESI 0047DA8E . 33C9 XOR ECX,ECX 0047DA90 . 66:3BD8 CMP BX,AX 〈---- 和 43 比较啦，在这里把 BX 的值逐个记起来就是第 4 组注册码了。 0047DA93 . 0F95C1 SETNE CL 0047DA96 . F7D9 NEG ECX 0047DA98 . 8BD9 MOV EBX,ECX 0047DA9A . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DA9D . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DAA3 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DAA9 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DAAC . 52 PUSH EDX 0047DAAD . 50 PUSH EAX 0047DAAE . 6A 02 PUSH 2 0047DAB0 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DAB6 . 83C4 0C ADD ESP,0C 0047DAB9 . 66:85DB TEST BX,BX 0047DABC . 0F85 DD070000 JNZ 扩展名仓.0047E29F 0047DAC2 . 8B1D 1C114000 MOV EBX,DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr 0047DAC8 . B8 01000000 MOV EAX,1 0047DACD . 66:0345 EC ADD AX,WORD PTR SS:[EBP-14] 0047DAD1 . C745 CC FFFFF>MOV DWORD PTR SS:[EBP-34],-1 0047DAD8 . 0F80 55080000 JO 扩展名仓.0047E333 0047DADE . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 0047DAE1 .^ E9 1AFEFFFF JMP 扩展名仓.0047D900 0047DAE6 > 33DB XOR EBX,EBX 0047DAE8 > B8 04000000 MOV EAX,4 0047DAED . 895D EC MOV DWORD PTR SS:[EBP-14],EBX 0047DAF0 . 66:3BD8 CMP BX,AX 0047DAF3 . 0F8F EC020000 JG 扩展名仓.0047DDE5 0047DAF9 . 66:85DB TEST BX,BX 0047DAFC . 0FBFFB MOVSX EDI,BX 0047DAFF . 7E 7D JLE SHORT 扩展名仓.0047DB7E 0047DB01 . 83FF 05 CMP EDI,5 0047DB04 . 72 06 JB SHORT 扩展名仓.0047DB0C 0047DB06 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB0C > 66:83EB 01 SUB BX,1 0047DB10 . 0F80 1D080000 JO 扩展名仓.0047E333 0047DB16 . 0FBFDB MOVSX EBX,BX 0047DB19 . 83FB 05 CMP EBX,5 0047DB1C . 72 06 JB SHORT 扩展名仓.0047DB24 0047DB1E . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB24 > 83FF 05 CMP EDI,5 0047DB27 . 72 06 JB SHORT 扩展名仓.0047DB2F 0047DB29 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB2F > 8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118] 0047DB35 . 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] 0047DB38 . 52 PUSH EDX 0047DB39 . FFD6 CALL ESI 0047DB3B . 0FBFC8 MOVSX ECX,AX 0047DB3E . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DB41 . 8B1498 MOV EDX,DWORD PTR DS:[EAX+EBX4] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，〈---- 这里是邮箱浮点运算后的几个值 ,少了一个哦。 0047DB44 . 8B5D E0 MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值，顺序有点变化，少了一个哦。注意。 0047DB47 . 0314BB ADD EDX,DWORD PTR DS:[EBX+EDI4] 〈---- 加 0047DB4A . 8B1CB8 MOV EBX,DWORD PTR DS:[EAX+EDI4] 0047DB4D . 0F80 E0070000 JO 扩展名仓.0047E333 0047DB53 . 03D7 ADD EDX,EDI 0047DB55 . 0F80 D8070000 JO 扩展名仓.0047E333 0047DB5B . 2BD3 SUB EDX,EBX 0047DB5D . 0F80 D0070000 JO 扩展名仓.0047E333 0047DB63 . 03CA ADD ECX,EDX 0047DB65 . 0F80 C8070000 JO 扩展名仓.0047E333 0047DB6B . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DB71 . 8BC8 MOV ECX,EAX 0047DB73 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DB79 . 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] 0047DB7C . EB 5E JMP SHORT 扩展名仓.0047DBDC 0047DB7E > 83FF 05 CMP EDI,5 0047DB81 . 72 11 JB SHORT 扩展名仓.0047DB94 0047DB83 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB89 . 83FF 05 CMP EDI,5 0047DB8C . 72 06 JB SHORT 扩展名仓.0047DB94 0047DB8E . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB94 > A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047DB99 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 〈---- 第 2 组假码 0047DB9C . 51 PUSH ECX 0047DB9D . FFD6 CALL ESI 0047DB9F . 0FBFD0 MOVSX EDX,AX 0047DBA2 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DBA5 . 8B0CB8 MOV ECX,DWORD PTR DS:[EAX+EDI4] 0047DBA8 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] 0047DBAB . 0FAFCF IMUL ECX,EDI 0047DBAE . 0F80 7F070000 JO 扩展名仓.0047E333 0047DBB4 . 030CB8 ADD ECX,DWORD PTR DS:[EAX+EDI4] 0047DBB7 . 0F80 76070000 JO 扩展名仓.0047E333 0047DBBD . 83C1 4D ADD ECX,4D 0047DBC0 . 0F80 6D070000 JO 扩展名仓.0047E333 0047DBC6 . 2BCA SUB ECX,EDX 0047DBC8 . 0F80 65070000 JO 扩展名仓.0047E333 0047DBCE . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DBD4 . 8BC8 MOV ECX,EAX 0047DBD6 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DBDC > 66:3D 3000 CMP AX,30 0047DBE0 . 7C 06 JL SHORT 扩展名仓.0047DBE8 0047DBE2 . 66:3D 3900 CMP AX,39 0047DBE6 . 7E 0C JLE SHORT 扩展名仓.0047DBF4 0047DBE8 > 66:3D 6100 CMP AX,61 0047DBEC . 7C 5C JL SHORT 扩展名仓.0047DC4A 0047DBEE . 66:3D 7A00 CMP AX,7A 0047DBF2 . 7F 56 JG SHORT 扩展名仓.0047DC4A 0047DBF4 > 0FBFC8 MOVSX ECX,AX 0047DBF7 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DBFA . 51 PUSH ECX ; /Arg2 0047DBFB . 52 PUSH EDX ; \|Arg1 0047DBFC . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 〈---直接取第 1 个 0047DC02 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DC05 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DC0B . 50 PUSH EAX ; /Arg2 0047DC0C . 51 PUSH ECX ; \|Arg1 0047DC0D . FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; \rtcUpperCaseVar 0047DC13 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DC19 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DC1C . 52 PUSH EDX 0047DC1D . 50 PUSH EAX 0047DC1E . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DC24 . 50 PUSH EAX 0047DC25 . FFD6 CALL ESI 0047DC27 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DC2A . 8BF8 MOV EDI,EAX 0047DC2C . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DC32 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DC38 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DC3B . 51 PUSH ECX 0047DC3C . 52 PUSH EDX 0047DC3D . 6A 02 PUSH 2 0047DC3F . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DC45 . 83C4 0C ADD ESP,0C 0047DC48 . EB 76 JMP SHORT 扩展名仓.0047DCC0 0047DC4A > 66:99 CWD 0047DC4C . 66:B9 7B00 MOV CX,7B 0047DC50 . 66:F7F9 IDIV CX 0047DC53 . 8BFA MOV EDI,EDX 0047DC55 . 66:83FF 1A CMP DI,1A 0047DC59 . 7D 06 JGE SHORT 扩展名仓.0047DC61 0047DC5B . 66:83C7 61 ADD DI,61 0047DC5F . EB 59 JMP SHORT 扩展名仓.0047DCBA 0047DC61 > 66:83FF 23 CMP DI,23 0047DC65 . 7F 06 JG SHORT 扩展名仓.0047DC6D 0047DC67 . 66:83C7 16 ADD DI,16 0047DC6B . EB 4D JMP SHORT 扩展名仓.0047DCBA 0047DC6D > 66:83FF 24 CMP DI,24 0047DC71 . 7C 0C JL SHORT 扩展名仓.0047DC7F 0047DC73 . 66:83FF 30 CMP DI,30 0047DC77 . 7D 06 JGE SHORT 扩展名仓.0047DC7F 0047DC79 . 66:83C7 45 ADD DI,45 0047DC7D . EB 3B JMP SHORT 扩展名仓.0047DCBA 0047DC7F > 66:83FF 39 CMP DI,39 0047DC83 . 7E 06 JLE SHORT 扩展名仓.0047DC8B 0047DC85 . 66:83FF 42 CMP DI,42 0047DC89 . 7E 06 JLE SHORT 扩展名仓.0047DC91 0047DC8B > 66:83FF 4D CMP DI,4D 0047DC8F . 75 07 JNZ SHORT 扩展名仓.0047DC98 0047DC91 > BF 48000000 MOV EDI,48 0047DC96 . EB 28 JMP SHORT 扩展名仓.0047DCC0 0047DC98 > 66:83FF 42 CMP DI,42 0047DC9C . 7E 0C JLE SHORT 扩展名仓.0047DCAA 0047DC9E . 66:83FF 4D CMP DI,4D 0047DCA2 . 7D 0A JGE SHORT 扩展名仓.0047DCAE 0047DCA4 . 66:83EF 13 SUB DI,13 0047DCA8 . EB 10 JMP SHORT 扩展名仓.0047DCBA 0047DCAA > 66:83FF 4D CMP DI,4D 0047DCAE > 7E 10 JLE SHORT 扩展名仓.0047DCC0 0047DCB0 . 66:83FF 61 CMP DI,61 0047DCB4 . 7D 0A JGE SHORT 扩展名仓.0047DCC0 0047DCB6 . 66:83C7 15 ADD DI,15 0047DCBA > 0F80 73060000 JO 扩展名仓.0047E333 0047DCC0 > 0FBFD7 MOVSX EDX,DI 0047DCC3 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DCC6 . 52 PUSH EDX ; /Arg2 0047DCC7 . 50 PUSH EAX ; \|Arg1 0047DCC8 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DCCE . 8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; msvbvm60.rtcUpperCaseVar 0047DCD4 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DCD7 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DCDD . 51 PUSH ECX 0047DCDE . 52 PUSH EDX 0047DCDF . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047DCE1 . A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 〈--- EAX = 第 3 组的假码 0047DCE6 . 66:8BD3 MOV DX,BX 0047DCE9 . 83C0 08 ADD EAX,8 0047DCEC . 66:83C2 01 ADD DX,1 0047DCF0 . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX 0047DCF6 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047DCFC . 0F80 31060000 JO 扩展名仓.0047E333 0047DD02 . 0FBFC2 MOVSX EAX,DX 0047DD05 . 51 PUSH ECX ; /Arg4 0047DD06 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] ; \| 0047DD0C . 50 PUSH EAX ; \|Arg3 0047DD0D . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] ; \| 0047DD13 . 51 PUSH ECX ; \|Arg2 0047DD14 . 52 PUSH EDX ; \|Arg1 0047DD15 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1 ; \| 0047DD1F . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2 ; \| 0047DD29 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047DD33 . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] 〈---- 取的是第 3 组的假码 0047DD39 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047DD3F . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047DD45 . 50 PUSH EAX 0047DD46 . 51 PUSH ECX 0047DD47 . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047DD49 . 8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DD4F . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047DD55 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047DD58 . 52 PUSH EDX 0047DD59 . 50 PUSH EAX 0047DD5A . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047DD5C . 50 PUSH EAX 0047DD5D . FFD6 CALL ESI 0047DD5F . 66:8BD0 MOV DX,AX 0047DD62 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DD68 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DD6B . 51 PUSH ECX 0047DD6C . 50 PUSH EAX 0047DD6D . 66:8995 A6FEF>MOV WORD PTR SS:[EBP-15A],DX 0047DD74 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047DD76 . 50 PUSH EAX 0047DD77 . FFD6 CALL ESI 0047DD79 . 66:8B95 A6FEF>MOV DX,WORD PTR SS:[EBP-15A] 0047DD80 . 33C9 XOR ECX,ECX 0047DD82 . 66:3BC2 CMP AX,DX 〈---- 比较啦。这里就是根据第 2 组假码的第 1 个，结合用户名和邮箱的 10 个值来推算出真正的第 3 组注册码。把 DX 的值记起来就是啦。 0047DD85 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047DD88 . 0F95C1 SETNE CL 0047DD8B . F7D9 NEG ECX 0047DD8D . 8BF9 MOV EDI,ECX 0047DD8F . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DD92 . 50 PUSH EAX 0047DD93 . 51 PUSH ECX 0047DD94 . 6A 02 PUSH 2 0047DD96 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047DD9C . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047DDA2 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047DDA8 . 52 PUSH EDX 0047DDA9 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047DDAF . 50 PUSH EAX 0047DDB0 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DDB6 . 51 PUSH ECX 0047DDB7 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DDBA . 52 PUSH EDX 0047DDBB . 50 PUSH EAX 0047DDBC . 6A 05 PUSH 5 0047DDBE . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DDC4 . 83C4 24 ADD ESP,24 0047DDC7 . 66:85FF TEST DI,DI 0047DDCA . 0F85 CF040000 JNZ 扩展名仓.0047E29F 0047DDD0 . B8 01000000 MOV EAX,1 0047DDD5 . 66:03C3 ADD AX,BX 0047DDD8 . 0F80 55050000 JO 扩展名仓.0047E333 0047DDDE . 8BD8 MOV EBX,EAX 0047DDE0 .^ E9 03FDFFFF JMP 扩展名仓.0047DAE8 0047DDE5 > 33DB XOR EBX,EBX 0047DDE7 > B8 04000000 MOV EAX,4 0047DDEC . 895D EC MOV DWORD PTR SS:[EBP-14],EBX 0047DDEF . 66:3BD8 CMP BX,AX 0047DDF2 . 0F8F 19030000 JG 扩展名仓.0047E111 0047DDF8 . 66:3BD8 CMP BX,AX 0047DDFB . 0FBFFB MOVSX EDI,BX 0047DDFE . 0F8D A0000000 JGE 扩展名仓.0047DEA4 0047DE04 . 83FF 05 CMP EDI,5 0047DE07 . 72 06 JB SHORT 扩展名仓.0047DE0F 0047DE09 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE0F > 66:8BCB MOV CX,BX 0047DE12 . 66:83C1 01 ADD CX,1 0047DE16 . 0F80 17050000 JO 扩展名仓.0047E333 0047DE1C . 0FBFC1 MOVSX EAX,CX 0047DE1F . 83F8 05 CMP EAX,5 0047DE22 . 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],EAX 0047DE28 . 72 06 JB SHORT 扩展名仓.0047DE30 0047DE2A . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE30 > 83FF 05 CMP EDI,5 0047DE33 . 72 06 JB SHORT 扩展名仓.0047DE3B 0047DE35 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE3B > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047DE41 . 8B02 MOV EAX,DWORD PTR DS:[EDX] 〈---- 取第 1 组假码 0047DE43 . 50 PUSH EAX 0047DE44 . FFD6 CALL ESI 0047DE46 . 66:83EB 01 SUB BX,1 0047DE4A . 0F80 E3040000 JO 扩展名仓.0047E333 0047DE50 . 0FBFC8 MOVSX ECX,AX 0047DE53 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DE56 . 0FBFD3 MOVSX EDX,BX 0047DE59 . 0FAF14B8 IMUL EDX,DWORD PTR DS:[EAX+EDI4] 0047DE5D . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] 0047DE60 . 8B9D 1CFFFFFF MOV EBX,DWORD PTR SS:[EBP-E4] 0047DE66 . 0F80 C7040000 JO 扩展名仓.0047E333 0047DE6C . 8B1C98 MOV EBX,DWORD PTR DS:[EAX+EBX4] 〈---- EBX 分别 =E0 ， D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值。 0047DE6F . 031CB8 ADD EBX,DWORD PTR DS:[EAX+EDI4] 〈---- 两两相加，就是 E0 + D7 ，D7 + 87 ，87 + 2C ，2C + 8C 0047DE72 . 0F80 BB040000 JO 扩展名仓.0047E333 0047DE78 . 03D3 ADD EDX,EBX 0047DE7A . 0F80 B3040000 JO 扩展名仓.0047E333 0047DE80 . 83C2 01 ADD EDX,1 0047DE83 . 0F80 AA040000 JO 扩展名仓.0047E333 0047DE89 . 03CA ADD ECX,EDX 0047DE8B . 0F80 A2040000 JO 扩展名仓.0047E333 0047DE91 . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DE97 . 8BC8 MOV ECX,EAX 0047DE99 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DE9F . 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] 0047DEA2 . EB 5E JMP SHORT 扩展名仓.0047DF02 0047DEA4 > 83FF 05 CMP EDI,5 0047DEA7 . 72 11 JB SHORT 扩展名仓.0047DEBA 0047DEA9 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DEAF . 83FF 05 CMP EDI,5 0047DEB2 . 72 06 JB SHORT 扩展名仓.0047DEBA 0047DEB4 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DEBA > 8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118] 0047DEC0 . 8B11 MOV EDX,DWORD PTR DS:[ECX] 0047DEC2 . 52 PUSH EDX 0047DEC3 . FFD6 CALL ESI 0047DEC5 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20] 0047DEC8 . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] 0047DECB . 0FBFC0 MOVSX EAX,AX 0047DECE . 8B0CB9 MOV ECX,DWORD PTR DS:[ECX+EDI4] 0047DED1 . 0FAFCF IMUL ECX,EDI 0047DED4 . 0F80 59040000 JO 扩展名仓.0047E333 0047DEDA . 030CBA ADD ECX,DWORD PTR DS:[EDX+EDI4] 0047DEDD . 0F80 50040000 JO 扩展名仓.0047E333 0047DEE3 . 83C1 4D ADD ECX,4D 0047DEE6 . 0F80 47040000 JO 扩展名仓.0047E333 0047DEEC . 2BC8 SUB ECX,EAX 0047DEEE . 0F80 3F040000 JO 扩展名仓.0047E333 0047DEF4 . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DEFA . 8BC8 MOV ECX,EAX 0047DEFC . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DF02 > 66:3D 3000 CMP AX,30 0047DF06 . 7C 06 JL SHORT 扩展名仓.0047DF0E 0047DF08 . 66:3D 3900 CMP AX,39 0047DF0C . 7E 0C JLE SHORT 扩展名仓.0047DF1A 0047DF0E > 66:3D 6100 CMP AX,61 0047DF12 . 7C 5C JL SHORT 扩展名仓.0047DF70 0047DF14 . 66:3D 7A00 CMP AX,7A 0047DF18 . 7F 56 JG SHORT 扩展名仓.0047DF70 0047DF1A > 0FBFC0 MOVSX EAX,AX 0047DF1D . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DF20 . 50 PUSH EAX ; /Arg2 0047DF21 . 51 PUSH ECX ; \|Arg1 0047DF22 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DF28 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DF2B . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0047DF31 . 52 PUSH EDX ; /Arg2 0047DF32 . 50 PUSH EAX ; \|Arg1 0047DF33 . FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; \rtcUpperCaseVar 0047DF39 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DF3F . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60] 0047DF42 . 51 PUSH ECX 0047DF43 . 52 PUSH EDX 0047DF44 . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DF4A . 50 PUSH EAX 0047DF4B . FFD6 CALL ESI 0047DF4D . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DF50 . 8BF8 MOV EDI,EAX 0047DF52 . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DF58 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0047DF5E . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DF61 . 50 PUSH EAX 0047DF62 . 51 PUSH ECX 0047DF63 . 6A 02 PUSH 2 0047DF65 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DF6B . 83C4 0C ADD ESP,0C 0047DF6E . EB 7C JMP SHORT 扩展名仓.0047DFEC 0047DF70 > 66:99 CWD 0047DF72 . 66:B9 7B00 MOV CX,7B 0047DF76 . 66:F7F9 IDIV CX 0047DF79 . 8BFA MOV EDI,EDX 0047DF7B . 66:83FF 09 CMP DI,9 0047DF7F . 7D 06 JGE SHORT 扩展名仓.0047DF87 0047DF81 . 66:83C7 30 ADD DI,30 0047DF85 . EB 5F JMP SHORT 扩展名仓.0047DFE6 0047DF87 > 66:83FF 22 CMP DI,22 0047DF8B . 7F 06 JG SHORT 扩展名仓.0047DF93 0047DF8D . 66:83C7 58 ADD DI,58 0047DF91 . EB 53 JMP SHORT 扩展名仓.0047DFE6 0047DF93 > 66:83FF 2C CMP DI,2C 0047DF97 . 7D 06 JGE SHORT 扩展名仓.0047DF9F 0047DF99 . 66:83C7 0D ADD DI,0D 0047DF9D . EB 47 JMP SHORT 扩展名仓.0047DFE6 0047DF9F > 66:83FF 30 CMP DI,30 0047DFA3 . 7C 06 JL SHORT 扩展名仓.0047DFAB 0047DFA5 . 66:83FF 4D CMP DI,4D 0047DFA9 . 75 07 JNZ SHORT 扩展名仓.0047DFB2 0047DFAB > BF 48000000 MOV EDI,48 0047DFB0 . EB 3A JMP SHORT 扩展名仓.0047DFEC 0047DFB2 > 66:83FF 39 CMP DI,39 0047DFB6 . 7E 0C JLE SHORT 扩展名仓.0047DFC4 0047DFB8 . 66:83FF 4C CMP DI,4C 0047DFBC . 7F 06 JG SHORT 扩展名仓.0047DFC4 0047DFBE . 66:83C7 2A ADD DI,2A 0047DFC2 . EB 22 JMP SHORT 扩展名仓.0047DFE6 0047DFC4 > 66:83FF 4D CMP DI,4D 0047DFC8 . 7E 0C JLE SHORT 扩展名仓.0047DFD6 0047DFCA . 66:83FF 57 CMP DI,57 0047DFCE . 7F 0C JG SHORT 扩展名仓.0047DFDC 0047DFD0 . 66:83EF 1E SUB DI,1E 0047DFD4 . EB 10 JMP SHORT 扩展名仓.0047DFE6 0047DFD6 > 66:83FF 57 CMP DI,57 0047DFDA . 7E 10 JLE SHORT 扩展名仓.0047DFEC 0047DFDC > 66:83FF 61 CMP DI,61 0047DFE0 . 7D 0A JGE SHORT 扩展名仓.0047DFEC 0047DFE2 . 66:83C7 11 ADD DI,11 0047DFE6 > 0F80 47030000 JO 扩展名仓.0047E333 0047DFEC > 0FBFD7 MOVSX EDX,DI 0047DFEF . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DFF2 . 52 PUSH EDX ; /Arg2 0047DFF3 . 50 PUSH EAX ; \|Arg1 0047DFF4 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DFFA . 8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; msvbvm60.rtcUpperCaseVar 0047E000 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047E003 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E009 . 51 PUSH ECX 0047E00A . 52 PUSH EDX 0047E00B . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 〈---- 转为大写 0047E00D . A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047E012 . 66:8BD3 MOV DX,BX 0047E015 . 83C0 04 ADD EAX,4 0047E018 . 66:83C2 01 ADD DX,1 0047E01C . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX 0047E022 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047E028 . 0F80 05030000 JO 扩展名仓.0047E333 0047E02E . 0FBFC2 MOVSX EAX,DX 0047E031 . 51 PUSH ECX ; /Arg4 0047E032 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] ; \| 0047E038 . 50 PUSH EAX ; \|Arg3 0047E039 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] ; \| 0047E03F . 51 PUSH ECX ; \|Arg2 0047E040 . 52 PUSH EDX ; \|Arg1 0047E041 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1 ; \| 0047E04B . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2 ; \| 0047E055 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047E05F . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 0047E065 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047E06B . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047E071 . 50 PUSH EAX 0047E072 . 51 PUSH ECX 0047E073 . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047E075 . 8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047E07B . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047E081 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047E084 . 52 PUSH EDX 0047E085 . 50 PUSH EAX 0047E086 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047E088 . 50 PUSH EAX 0047E089 . FFD6 CALL ESI 0047E08B . 66:8BD0 MOV DX,AX 0047E08E . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047E094 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E097 . 51 PUSH ECX 0047E098 . 50 PUSH EAX 0047E099 . 66:8995 A4FEF>MOV WORD PTR SS:[EBP-15C],DX 0047E0A0 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047E0A2 . 50 PUSH EAX 0047E0A3 . FFD6 CALL ESI 0047E0A5 . 66:8B95 A4FEF>MOV DX,WORD PTR SS:[EBP-15C] 0047E0AC . 33C9 XOR ECX,ECX 0047E0AE . 66:3BC2 CMP AX,DX 〈---这里比较的是第 2 组的，把DX的值记起来。 0047E0B1 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047E0B4 . 0F95C1 SETNE CL 0047E0B7 . F7D9 NEG ECX 0047E0B9 . 8BF9 MOV EDI,ECX 0047E0BB . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047E0BE . 50 PUSH EAX 0047E0BF . 51 PUSH ECX 0047E0C0 . 6A 02 PUSH 2 0047E0C2 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047E0C8 . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047E0CE . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047E0D4 . 52 PUSH EDX 0047E0D5 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047E0DB . 50 PUSH EAX 0047E0DC . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E0E2 . 51 PUSH ECX 0047E0E3 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E0E6 . 52 PUSH EDX 0047E0E7 . 50 PUSH EAX 0047E0E8 . 6A 05 PUSH 5 0047E0EA . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E0F0 . 83C4 24 ADD ESP,24 0047E0F3 . 66:85FF TEST DI,DI 0047E0F6 . 0F85 A3010000 JNZ 扩展名仓.0047E29F 0047E0FC . B8 01000000 MOV EAX,1 0047E101 . 66:03C3 ADD AX,BX 0047E104 . 0F80 29020000 JO 扩展名仓.0047E333 0047E10A . 8BD8 MOV EBX,EAX 0047E10C .^ E9 D6FCFFFF JMP 扩展名仓.0047DDE7 0047E111 > C785 D4FEFFFF>MOV DWORD PTR SS:[EBP-12C],4 0047E11B . C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],1 0047E125 . 33DB XOR EBX,EBX 0047E127 > 66:3B9D D4FEF>CMP BX,WORD PTR SS:[EBP-12C] 0047E12E . 0F8F 72010000 JG 扩展名仓.0047E2A6 0047E134 . 0FBFFB MOVSX EDI,BX 0047E137 . 83FF 05 CMP EDI,5 0047E13A . 72 11 JB SHORT 扩展名仓.0047E14D 0047E13C . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047E142 . 83FF 05 CMP EDI,5 0047E145 . 72 06 JB SHORT 扩展名仓.0047E14D 0047E147 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047E14D > 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44] 0047E150 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] 0047E153 . 8B0CB9 MOV ECX,DWORD PTR DS:[ECX+EDI4] 〈---- 那些值 0047E156 . 8B04BA MOV EAX,DWORD PTR DS:[EDX+EDI4] 0047E159 . 03C8 ADD ECX,EAX 〈---- 加起来 0047E15B . 66:8BC3 MOV AX,BX 0047E15E . 0F80 CF010000 JO 扩展名仓.0047E333 0047E164 . 66:05 0100 ADD AX,1 〈---- 递加 1 ，就是第 1 次是1 ，第 2 次就是 2 咯，…… 0047E168 . 0F80 C5010000 JO 扩展名仓.0047E333 0047E16E . 66:6BC0 07 IMUL AX,AX,7 〈---- 再乘于 7 ，第 1 次乘 1 ，第 2 次就是乘 2 咯，…… 0047E172 . 0F80 BB010000 JO 扩展名仓.0047E333 0047E178 . 0FBFD0 MOVSX EDX,AX 0047E17B . 03CA ADD ECX,EDX 〈---- 再加起来 0047E17D . 0F80 B0010000 JO 扩展名仓.0047E333 0047E183 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047E189 . 8BF8 MOV EDI,EAX 0047E18B . 66:83FF 30 CMP DI,30 〈-----下面 4 个比较是判断是否在数字和大写字母的范围内，是的话就直接跳走了。 0047E18F . 7C 06 JL SHORT 扩展名仓.0047E197 0047E191 . 66:83FF 39 CMP DI,39 0047E195 . 7E 60 JLE SHORT 扩展名仓.0047E1F7 0047E197 > 66:83FF 41 CMP DI,41 0047E19B . 7C 06 JL SHORT 扩展名仓.0047E1A3 0047E19D . 66:83FF 5A CMP DI,5A 0047E1A1 . 7E 54 JLE SHORT 扩展名仓.0047E1F7 0047E1A3 > 66:8BC7 MOV AX,DI 0047E1A6 . 66:B9 5B00 MOV CX,5B 0047E1AA . 66:99 CWD 0047E1AC . 66:F7F9 IDIV CX 〈----- 否则将 MOD 5B ，取余数 0047E1AF . 8BFA MOV EDI,EDX 0047E1B1 . 66:83FF 1A CMP DI,1A 0047E1B5 . 7D 06 JGE SHORT 扩展名仓.0047E1BD 0047E1B7 . 66:83C7 41 ADD DI,41 0047E1BB . EB 34 JMP SHORT 扩展名仓.0047E1F1 0047E1BD > 66:83FF 23 CMP DI,23 0047E1C1 . 7F 06 JG SHORT 扩展名仓.0047E1C9 0047E1C3 . 66:83C7 16 ADD DI,16 0047E1C7 . EB 28 JMP SHORT 扩展名仓.0047E1F1 0047E1C9 > 66:83FF 28 CMP DI,28 0047E1CD . 7D 06 JGE SHORT 扩展名仓.0047E1D5 0047E1CF . 66:83C7 0F ADD DI,0F 0047E1D3 . EB 1C JMP SHORT 扩展名仓.0047E1F1 0047E1D5 > 66:83FF 30 CMP DI,30 0047E1D9 . 7D 06 JGE SHORT 扩展名仓.0047E1E1 0047E1DB . 66:83C7 1E ADD DI,1E 0047E1DF . EB 10 JMP SHORT 扩展名仓.0047E1F1 0047E1E1 > 66:83FF 39 CMP DI,39 0047E1E5 . 7E 10 JLE SHORT 扩展名仓.0047E1F7 0047E1E7 . 66:83FF 41 CMP DI,41 0047E1EB . 7D 0A JGE SHORT 扩展名仓.0047E1F7 0047E1ED . 66:83C7 11 ADD DI,11 0047E1F1 > 0F80 3C010000 JO 扩展名仓.0047E333 0047E1F7 > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047E1FD . 66:8BCB MOV CX,BX 0047E200 . 66:83C1 01 ADD CX,1 0047E204 . 8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX 0047E20A . 0F80 23010000 JO 扩展名仓.0047E333 0047E210 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E213 . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 0047E21A . 0FBFD1 MOVSX EDX,CX 0047E21D . 50 PUSH EAX ; /Arg4 0047E21E . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4] ; \| 0047E224 . 52 PUSH EDX ; \|Arg3 0047E225 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] ; \| 0047E22B . 50 PUSH EAX ; \|Arg2 0047E22C . 51 PUSH ECX ; \|Arg1 0047E22D . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 ; \| 0047E234 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047E23E . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 〈--- 取第 1 组假码 0047E244 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E24A . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E24D . 52 PUSH EDX 0047E24E . 50 PUSH EAX 0047E24F . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047E255 . 50 PUSH EAX 0047E256 . FFD6 CALL ESI 0047E258 . 33C9 XOR ECX,ECX 0047E25A . 66:3BF8 CMP DI,AX 〈---比较第 1 组的。把 DX 的值记起来。 0047E25D . 0F95C1 SETNE CL 0047E260 . F7D9 NEG ECX 0047E262 . 8BF9 MOV EDI,ECX 0047E264 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047E267 . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047E26D . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E273 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E276 . 52 PUSH EDX 0047E277 . 50 PUSH EAX 0047E278 . 6A 02 PUSH 2 0047E27A . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E280 . 83C4 0C ADD ESP,0C 0047E283 . 66:85FF TEST DI,DI 0047E286 . 75 17 JNZ SHORT 扩展名仓.0047E29F 0047E288 . 66:8B8D D8FEF>MOV CX,WORD PTR SS:[EBP-128] 0047E28F . 66:03CB ADD CX,BX 0047E292 . 0F80 9B000000 JO 扩展名仓.0047E333 0047E298 . 8BD9 MOV EBX,ECX 0047E29A .^ E9 88FEFFFF JMP 扩展名仓.0047E127 0047E29F > C745 CC 00000>MOV DWORD PTR SS:[EBP-34],0 0047E2A6 > 9B WAIT 0047E2A7 . 68 19E34700 PUSH 扩展名仓.0047E319 0047E2AC . EB 3C JMP SHORT 扩展名仓.0047E2EA 0047E2AE . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64] 0047E2B1 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E2B4 . 52 PUSH EDX 0047E2B5 . 50 PUSH EAX 0047E2B6 . 6A 02 PUSH 2 0047E2B8 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047E2BE . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047E2C4 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] 0047E2CA . 51 PUSH ECX 0047E2CB . 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94] 0047E2D1 . 52 PUSH EDX 0047E2D2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047E2D8 . 50 PUSH EAX 0047E2D9 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047E2DC . 51 PUSH ECX 0047E2DD . 52 PUSH EDX 0047E2DE . 6A 05 PUSH 5 0047E2E0 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E2E6 . 83C4 24 ADD ESP,24 0047E2E9 . C3 RETN --------------------------------------- The end ----------------------------------------------------- 名字：skyege 邮箱：skyege@tom.com 注册码：P6ZI3-XH4HL-OXUXD-EMK15-7CQPA 这是一个经典的“用户名（F）= 注册码”的软件，难度一般。注册码共 5 组，每组 5 个字符。注册成功后在 Extension .ini 中有 UserName=skyege Email=skyege@tom.com Code=P6ZI3XH4HLOXUXDEMK157CQPA 验证的过程是这样的： 1、验证第 5 组的第 1 个与第 2 组的第 2 个的关系 2、验证第 3 组的后 4 个与第 5 组的后 4 个的关系。 3、验证第 4 组注册码 4、验证第 3 组注册码 5、验证第 2 组注册码 6、验证第 1 组注册码所以逆过来，顺序颠倒就可以逆出真注册码了。程序先利用你输入的用户名和邮箱计算出 10 个值，这是它们的存放地址： 002243A0 E0 00 00 00 D7 00 00 00 87 00 00 00 2C 00 00 00 ?..?..?..,... 002243B0 8C 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE ?..????铪铪 002243C0 00 00 00 00 00 00 00 00 06 00 06 00 00 07 1C 00 ............ 002243D0 1F 00 00 00 BD 00 00 00 19 00 00 00 B7 00 00 00 ...?.....?.. 002243E0 2B 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE +...????铪铪 1、根据那 10 个值计算出第 1 组注册码 2、根据用户名的 5 个值和第 1 组注册码计算出第 2 组注册码 3、根据那 10 个值和第 2 组注册码计算出第 3 组注册码 4、根据那 10 个值和第 2 组注册码计算出第 4 组注册码 5、根据第 3 组的后 4 个计算出第 5 组注册码的后 4 个 6、根据第 2 组的第 2 个计算出第 5 组注册码的第 1 个至于如何计算看代码的注释,要表达清楚，恐怕成长篇大论了。断点地址模块激活反汇编注释 0047D6F4 扩展名仓关闭 CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的第 1 个注册码 0047D8B8 扩展名仓关闭 CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的后 4 个注册码 0047DA90 扩展名仓关闭 CMP BX,AX <--- 这里得到第 4 组注册码 0047DD82 扩展名仓关闭 CMP AX,DX <--- 这里得到第 3 组注册码 0047E0AE 扩展名仓关闭 CMP AX,DX <--- 这里得到第 2 组注册码 0047E25A 扩展名仓关闭 CMP DI,AX <--- 这里得到第 1 组注册码注册机：注册机的编写我觉得用高级语言真的很不适合，主要是在计算注册码的时候，都有 N 长的值的范围判断比较，特别是计算第 2 组的时候更麻烦。以为写成过程调用可以解决，但发现也是烦琐。加之本人编程能力不敢恭维，代码写得冗长垃圾，故不贴了。等哪天学了汇编再写吧。对用户名和邮箱的处理大家可以看一下（我只跟踪了用户名大于5的 ^_^）,错误遗漏之处请指教： Dim a, b, c, d, e '存放用邮箱计算得出的 5 个值 Dim h, i, j, k, l '存放用用户名计算得出的 5 个值 yhm = Trim(Text1.Text) '用户名 youxiang = UCase(Trim(Text2.Text)) '邮箱转化为大写形式 For i = 6 To Len(youxiang) If i Mod 2 = 0 Then temp = Asc(Mid(youxiang, i, 1)) + temp '累加 temp = temp - 5 '偶数位 - 5 Else temp = Asc(Mid(youxiang, i, 1)) + temp temp = temp + 7 '奇数位 + 7 End If Next temp = temp Mod 177 '取余数 a = temp - Asc(Mid(youxiang, 1, 1)) b = temp + Asc(Mid(youxiang, 2, 1)) c = temp - Asc(Mid(youxiang, 3, 1)) d = temp + Asc(Mid(youxiang, 4, 1)) e = temp - Asc(Mid(youxiang, 5, 1)) temp = 0 For i = 6 To Len(mz) '累加用户名6位以上的ASC值 temp = Asc(Mid(mz, i, 1)) + temp Next i = Asc(Mid(yhm, 2, 1)) + 7 + temp ' j = Asc(Mid(yhm, 3, 1)) + 14 ' + c k = Asc(Mid(yhm, 4, 1)) - 57 '- 39 l = Asc(Mid(yhm, 5, 1)) + 37 ' + 25 h = Asc(Mid(yhm, 1, 1)) + 7 + k + 167 '+ a7 h = h Mod 231 h = h + Asc(Mid(yhm, 1, 1)) + 7 2005-9-6 18:07 0
wenglingok 雪币： 671 活跃值： (723) 能力值： ( LV9，RANK：1060 ) 在线值：发帖 52 回帖 679 粉丝 1 关注私信	wenglingok 26 3 楼沙发，支持一下。 2005-9-6 18:30 0
小娃崽雪币： 383 活跃值： (41) 能力值： ( LV12，RANK：530 ) 在线值：发帖 42 回帖 283 粉丝 1 关注私信	小娃崽 13 4 楼顶起~!终于看到兄弟的帖子拉 2005-9-6 18:52 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 5 楼呵呵，skyege兄的文章，支持一下，学习中 2005-9-6 19:02 0
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 6 楼 2005-9-6 20:30 0
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 7 楼阁下有耐心啊 2005-9-6 21:19 0
skyege 雪币： 229 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 555 粉丝 0 关注私信	skyege 2 8 楼唉，就是太长了。不知道怎么弄短一点。 2005-9-6 21:47 0
dthexin 雪币： 215 活跃值： (82) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 32 粉丝 0 关注私信	dthexin 1 9 楼学习啊, 2005-9-7 07:44 0
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 10 楼学习了不过本人对算法还是不怎么喜欢 !1不过还是要顶你 !! 2005-9-7 12:05 0
yuqli 雪币： 214 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 3 回帖 59 粉丝 1 关注私信	yuqli 2 11 楼颜色不好看~~~ 有点恶心 2005-9-7 13:19 0
冷血书生雪币： 443 活跃值： (200) 能力值： ( LV9，RANK：1140 ) 在线值：发帖 53 回帖 1135 粉丝 2 关注私信	冷血书生 28 12 楼不顶实在是不行！严重支持的！ 2005-9-10 02:20 0
海栖靖雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 22 粉丝 0 关注私信	海栖靖 13 楼也难为skyege兄写这么长的文章了呵呵兄弟我也来顶一下 2005-9-19 01:35 0
dfui 雪币： 1263 活跃值： (607) 能力值： ( LV2，RANK：10 ) 在线值：发帖 32 回帖 218 粉丝 4 关注私信	dfui 14 楼天才出于什么…………怎么才能成为天才。跟着成功的人士。?听他们的声音。努力的补充知识。这就是天才与笨蛋的区别。 2005-9-19 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

skyege

雪币： 229

活跃值： (70)

能力值：

( LV6，RANK：90 )

在线值：

发帖

10

回帖

555

粉丝

0

关注

私信

skyege 2: 2 楼

0047D8FB >  33C0       XOR EAX,EAX
0047D8FD .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047D900 >  B9 04000000 MOV ECX,4
0047D905 .  66:3BC1    CMP AX,CX
0047D908 .  0F8F D8010000 JG 扩展名仓.0047DAE6
0047D90E .  0FBFC0       MOVSX EAX,AX
0047D911 .  83F8 05    CMP EAX,5
0047D914 .  8985 C8FEFFFF MOV DWORD PTR SS:[EBP-138],EAX
0047D91A .  72 17       JB SHORT 扩展名仓.0047D933
0047D91C .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047D922 .  8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138]
0047D928 .  83F8 05    CMP EAX,5
0047D92B .  72 06       JB SHORT 扩展名仓.0047D933
0047D92D .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047D933 >  A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118]
0047D938 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D93B .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D942 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D949 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4] 〈----- 第 2 组假码
0047D94C .  52          PUSH EDX
0047D94D .  6A 01       PUSH 1 〈----- 取第 1 个
0047D94F .  51          PUSH ECX
0047D950 .  FFD3       CALL EBX
0047D952 .  8BD0       MOV EDX,EAX
0047D954 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D957 .  FFD7       CALL EDI
0047D959 .  50          PUSH EAX
0047D95A .  FFD6       CALL ESI
0047D95C .  8B55 BC    MOV EDX,DWORD PTR SS:[EBP-44] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，2B 〈---- 这里是邮箱浮点运算后的几个值
0047D95F .  8B5D E0    MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= E0 ，D7 ，87 ，2C ，8C 〈---- 这里是用户名计算后的几个值
0047D962 .  0FBFC8       MOVSX ECX,AX 〈---- ECX = 32
0047D965 .  8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138]
0047D96B .  8B1482       MOV EDX,DWORD PTR DS:[EDX+EAX*4]
0047D96E .  031483       ADD EDX,DWORD PTR DS:[EBX+EAX*4] 〈---- IF + E0 = FF ，BD + D7 = …………
0047D971 .  66:8B45 EC MOV AX,WORD PTR SS:[EBP-14]
0047D975 .  0F80 B8090000 JO 扩展名仓.0047E333
0047D97B .  66:05 0700 ADD AX,7 〈--- AX = 7
0047D97F .  0F80 AE090000 JO 扩展名仓.0047E333
0047D985 .  66:6BC0 05 IMUL AX,AX,5 〈---- AX = 23
0047D989 .  0F80 A4090000 JO 扩展名仓.0047E333
0047D98F .  0FBFC0       MOVSX EAX,AX
0047D992 .  03D0       ADD EDX,EAX 〈---- 23 + FF = 122 ；这是第一次计算的时候
0047D994 .  0F80 99090000 JO 扩展名仓.0047E333
0047D99A .  03CA       ADD ECX,EDX 〈---- 122 + 32 = 154
0047D99C .  0F80 91090000 JO 扩展名仓.0047E333
0047D9A2 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]          ;  msvbvm60.__vbaI2I4
0047D9A8 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D9AB .  8BD8       MOV EBX,EAX
0047D9AD .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D9B3 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D9B6 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D9BC .  66:83FB 30 CMP BX,30
0047D9C0 .  7C 06       JL SHORT 扩展名仓.0047D9C8
0047D9C2 .  66:83FB 39 CMP BX,39
0047D9C6 .  7E 61       JLE SHORT 扩展名仓.0047DA29
0047D9C8 >  66:83FB 41 CMP BX,41
0047D9CC .  7C 06       JL SHORT 扩展名仓.0047D9D4
0047D9CE .  66:83FB 5A CMP BX,5A
0047D9D2 .  7E 55       JLE SHORT 扩展名仓.0047DA29
0047D9D4 >  66:8BC3    MOV AX,BX
0047D9D7 .  66:B9 5B00 MOV CX,5B 〈---- 5B 给 CX
0047D9DB .  66:99       CWD
0047D9DD .  66:F7F9    IDIV CX 〈----- 154 MOD 5B ，取余数 43
0047D9E0 .  8BDA       MOV EBX,EDX
0047D9E2 .  66:83FB 0A CMP BX,0A
0047D9E6 .  7D 06       JGE SHORT 扩展名仓.0047D9EE
0047D9E8 .  66:83C3 30 ADD BX,30
0047D9EC .  EB 35       JMP SHORT 扩展名仓.0047DA23
0047D9EE >  66:83FB 23 CMP BX,23
0047D9F2 .  7F 06       JG SHORT 扩展名仓.0047D9FA
0047D9F4 .  66:83C3 37 ADD BX,37
0047D9F8 .  EB 29       JMP SHORT 扩展名仓.0047DA23
0047D9FA >  66:83FB 2A CMP BX,2A
0047D9FE .  7D 07       JGE SHORT 扩展名仓.0047DA07
0047DA00 .  BB 4D000000 MOV EBX,4D
0047DA05 .  EB 22       JMP SHORT 扩展名仓.0047DA29
0047DA07 >  66:83FB 30 CMP BX,30
0047DA0B .  7D 06       JGE SHORT 扩展名仓.0047DA13
0047DA0D .  66:83C3 1B ADD BX,1B
0047DA11 .  EB 10       JMP SHORT 扩展名仓.0047DA23
0047DA13 >  66:83FB 39 CMP BX,39
0047DA17 .  7E 10       JLE SHORT 扩展名仓.0047DA29
0047DA19 .  66:83FB 41 CMP BX,41
0047DA1D .  7D 0A       JGE SHORT 扩展名仓.0047DA29
0047DA1F .  66:83EB 07 SUB BX,7
0047DA23 >  0F80 0A090000 JO 扩展名仓.0047E333
0047DA29 >  8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118]
0047DA2F .  66:8B4D EC MOV CX,WORD PTR SS:[EBP-14]
0047DA33 .  83C2 0C    ADD EDX,0C
0047DA36 .  66:83C1 01 ADD CX,1
0047DA3A .  8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX
0047DA40 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047DA43 .  0F80 EA080000 JO 扩展名仓.0047E333
0047DA49 .  0FBFD1       MOVSX EDX,CX
0047DA4C .  50          PUSH EAX                                           ; /Arg4
0047DA4D .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]                      ; |
0047DA53 .  52          PUSH EDX                                           ; |Arg3
0047DA54 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]                      ; |
0047DA5A .  50          PUSH EAX                                           ; |Arg2
0047DA5B .  51          PUSH ECX                                           ; |Arg1
0047DA5C .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1                      ; |
0047DA63 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2                      ; |
0047DA6A .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008                   ; |
0047DA74 .  FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>]    ; \rtcMidCharVar 〈---- 取第 4 组假码
0047DA7A .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047DA80 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047DA83 .  52          PUSH EDX
0047DA84 .  50          PUSH EAX
0047DA85 .  FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>]    ;  msvbvm60.__vbaStrVarVal
0047DA8B .  50          PUSH EAX
0047DA8C .  FFD6       CALL ESI
0047DA8E .  33C9       XOR ECX,ECX
0047DA90 .  66:3BD8    CMP BX,AX 〈---- 和 43 比较啦，在这里把 BX 的值逐个记起来就是第 4 组注册码了。
0047DA93 .  0F95C1       SETNE CL
0047DA96 .  F7D9       NEG ECX
0047DA98 .  8BD9       MOV EBX,ECX
0047DA9A .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047DA9D .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047DAA3 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047DAA9 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047DAAC .  52          PUSH EDX
0047DAAD .  50          PUSH EAX
0047DAAE .  6A 02       PUSH 2
0047DAB0 .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047DAB6 .  83C4 0C    ADD ESP,0C
0047DAB9 .  66:85DB    TEST BX,BX
0047DABC .  0F85 DD070000 JNZ 扩展名仓.0047E29F
0047DAC2 .  8B1D 1C114000 MOV EBX,DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>] ;  msvbvm60.rtcMidCharBstr
0047DAC8 .  B8 01000000 MOV EAX,1
0047DACD .  66:0345 EC ADD AX,WORD PTR SS:[EBP-14]
0047DAD1 .  C745 CC FFFFF>MOV DWORD PTR SS:[EBP-34],-1
0047DAD8 .  0F80 55080000 JO 扩展名仓.0047E333
0047DADE .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047DAE1 .^ E9 1AFEFFFF JMP 扩展名仓.0047D900
0047DAE6 >  33DB       XOR EBX,EBX
0047DAE8 >  B8 04000000 MOV EAX,4
0047DAED .  895D EC    MOV DWORD PTR SS:[EBP-14],EBX
0047DAF0 .  66:3BD8    CMP BX,AX
0047DAF3 .  0F8F EC020000 JG 扩展名仓.0047DDE5
0047DAF9 .  66:85DB    TEST BX,BX
0047DAFC .  0FBFFB       MOVSX EDI,BX
0047DAFF .  7E 7D       JLE SHORT 扩展名仓.0047DB7E
0047DB01 .  83FF 05    CMP EDI,5
0047DB04 .  72 06       JB SHORT 扩展名仓.0047DB0C
0047DB06 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DB0C >  66:83EB 01 SUB BX,1
0047DB10 .  0F80 1D080000 JO 扩展名仓.0047E333
0047DB16 .  0FBFDB       MOVSX EBX,BX
0047DB19 .  83FB 05    CMP EBX,5
0047DB1C .  72 06       JB SHORT 扩展名仓.0047DB24
0047DB1E .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DB24 >  83FF 05    CMP EDI,5
0047DB27 .  72 06       JB SHORT 扩展名仓.0047DB2F
0047DB29 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DB2F >  8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118]
0047DB35 .  8B51 04    MOV EDX,DWORD PTR DS:[ECX+4]
0047DB38 .  52          PUSH EDX
0047DB39 .  FFD6       CALL ESI
0047DB3B .  0FBFC8       MOVSX ECX,AX
0047DB3E .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0047DB41 .  8B1498       MOV EDX,DWORD PTR DS:[EAX+EBX*4] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，〈---- 这里是邮箱浮点运算后的几个值 ,少了一个哦。
0047DB44 .  8B5D E0    MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值，顺序有点变化，少了一个哦。注意。
0047DB47 .  0314BB       ADD EDX,DWORD PTR DS:[EBX+EDI*4] 〈---- 加
0047DB4A .  8B1CB8       MOV EBX,DWORD PTR DS:[EAX+EDI*4]
0047DB4D .  0F80 E0070000 JO 扩展名仓.0047E333
0047DB53 .  03D7       ADD EDX,EDI
0047DB55 .  0F80 D8070000 JO 扩展名仓.0047E333
0047DB5B .  2BD3       SUB EDX,EBX
0047DB5D .  0F80 D0070000 JO 扩展名仓.0047E333
0047DB63 .  03CA       ADD ECX,EDX
0047DB65 .  0F80 C8070000 JO 扩展名仓.0047E333
0047DB6B .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047DB71 .  8BC8       MOV ECX,EAX
0047DB73 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]          ;  msvbvm60.__vbaI2I4
0047DB79 .  8B5D EC    MOV EBX,DWORD PTR SS:[EBP-14]
0047DB7C .  EB 5E       JMP SHORT 扩展名仓.0047DBDC
0047DB7E >  83FF 05    CMP EDI,5
0047DB81 .  72 11       JB SHORT 扩展名仓.0047DB94
0047DB83 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DB89 .  83FF 05    CMP EDI,5
0047DB8C .  72 06       JB SHORT 扩展名仓.0047DB94
0047DB8E .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DB94 >  A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118]
0047DB99 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4] 〈---- 第 2 组假码
0047DB9C .  51          PUSH ECX
0047DB9D .  FFD6       CALL ESI
0047DB9F .  0FBFD0       MOVSX EDX,AX
0047DBA2 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0047DBA5 .  8B0CB8       MOV ECX,DWORD PTR DS:[EAX+EDI*4]
0047DBA8 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047DBAB .  0FAFCF       IMUL ECX,EDI
0047DBAE .  0F80 7F070000 JO 扩展名仓.0047E333
0047DBB4 .  030CB8       ADD ECX,DWORD PTR DS:[EAX+EDI*4]
0047DBB7 .  0F80 76070000 JO 扩展名仓.0047E333
0047DBBD .  83C1 4D    ADD ECX,4D
0047DBC0 .  0F80 6D070000 JO 扩展名仓.0047E333
0047DBC6 .  2BCA       SUB ECX,EDX
0047DBC8 .  0F80 65070000 JO 扩展名仓.0047E333
0047DBCE .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047DBD4 .  8BC8       MOV ECX,EAX
0047DBD6 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]          ;  msvbvm60.__vbaI2I4
0047DBDC >  66:3D 3000 CMP AX,30
0047DBE0 .  7C 06       JL SHORT 扩展名仓.0047DBE8
0047DBE2 .  66:3D 3900 CMP AX,39
0047DBE6 .  7E 0C       JLE SHORT 扩展名仓.0047DBF4
0047DBE8 >  66:3D 6100 CMP AX,61
0047DBEC .  7C 5C       JL SHORT 扩展名仓.0047DC4A
0047DBEE .  66:3D 7A00 CMP AX,7A
0047DBF2 .  7F 56       JG SHORT 扩展名仓.0047DC4A
0047DBF4 >  0FBFC8       MOVSX ECX,AX
0047DBF7 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047DBFA .  51          PUSH ECX                                           ; /Arg2
0047DBFB .  52          PUSH EDX                                           ; |Arg1
0047DBFC .  FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>]  ; \rtcVarBstrFromAnsi 〈---直接取第 1 个
0047DC02 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047DC05 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047DC0B .  50          PUSH EAX                                           ; /Arg2
0047DC0C .  51          PUSH ECX                                           ; |Arg1
0047DC0D .  FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>]    ; \rtcUpperCaseVar
0047DC13 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047DC19 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047DC1C .  52          PUSH EDX
0047DC1D .  50          PUSH EAX
0047DC1E .  FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>]    ;  msvbvm60.__vbaStrVarVal
0047DC24 .  50          PUSH EAX
0047DC25 .  FFD6       CALL ESI
0047DC27 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047DC2A .  8BF8       MOV EDI,EAX
0047DC2C .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047DC32 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047DC38 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047DC3B .  51          PUSH ECX
0047DC3C .  52          PUSH EDX
0047DC3D .  6A 02       PUSH 2
0047DC3F .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047DC45 .  83C4 0C    ADD ESP,0C
0047DC48 .  EB 76       JMP SHORT 扩展名仓.0047DCC0
0047DC4A >  66:99       CWD
0047DC4C .  66:B9 7B00 MOV CX,7B
0047DC50 .  66:F7F9    IDIV CX
0047DC53 .  8BFA       MOV EDI,EDX
0047DC55 .  66:83FF 1A CMP DI,1A
0047DC59 .  7D 06       JGE SHORT 扩展名仓.0047DC61
0047DC5B .  66:83C7 61 ADD DI,61
0047DC5F .  EB 59       JMP SHORT 扩展名仓.0047DCBA
0047DC61 >  66:83FF 23 CMP DI,23
0047DC65 .  7F 06       JG SHORT 扩展名仓.0047DC6D
0047DC67 .  66:83C7 16 ADD DI,16
0047DC6B .  EB 4D       JMP SHORT 扩展名仓.0047DCBA
0047DC6D >  66:83FF 24 CMP DI,24
0047DC71 .  7C 0C       JL SHORT 扩展名仓.0047DC7F
0047DC73 .  66:83FF 30 CMP DI,30
0047DC77 .  7D 06       JGE SHORT 扩展名仓.0047DC7F
0047DC79 .  66:83C7 45 ADD DI,45
0047DC7D .  EB 3B       JMP SHORT 扩展名仓.0047DCBA
0047DC7F >  66:83FF 39 CMP DI,39
0047DC83 .  7E 06       JLE SHORT 扩展名仓.0047DC8B
0047DC85 .  66:83FF 42 CMP DI,42
0047DC89 .  7E 06       JLE SHORT 扩展名仓.0047DC91
0047DC8B >  66:83FF 4D CMP DI,4D
0047DC8F .  75 07       JNZ SHORT 扩展名仓.0047DC98
0047DC91 >  BF 48000000 MOV EDI,48
0047DC96 .  EB 28       JMP SHORT 扩展名仓.0047DCC0
0047DC98 >  66:83FF 42 CMP DI,42
0047DC9C .  7E 0C       JLE SHORT 扩展名仓.0047DCAA
0047DC9E .  66:83FF 4D CMP DI,4D
0047DCA2 .  7D 0A       JGE SHORT 扩展名仓.0047DCAE
0047DCA4 .  66:83EF 13 SUB DI,13
0047DCA8 .  EB 10       JMP SHORT 扩展名仓.0047DCBA
0047DCAA >  66:83FF 4D CMP DI,4D
0047DCAE >  7E 10       JLE SHORT 扩展名仓.0047DCC0
0047DCB0 .  66:83FF 61 CMP DI,61
0047DCB4 .  7D 0A       JGE SHORT 扩展名仓.0047DCC0
0047DCB6 .  66:83C7 15 ADD DI,15
0047DCBA >  0F80 73060000 JO 扩展名仓.0047E333
0047DCC0 >  0FBFD7       MOVSX EDX,DI
0047DCC3 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047DCC6 .  52          PUSH EDX                                           ; /Arg2
0047DCC7 .  50          PUSH EAX                                           ; |Arg1
0047DCC8 .  FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>]  ; \rtcVarBstrFromAnsi
0047DCCE .  8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>]  ;  msvbvm60.rtcUpperCaseVar
0047DCD4 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047DCD7 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047DCDD .  51          PUSH ECX
0047DCDE .  52          PUSH EDX
0047DCDF .  FFD7       CALL EDI                                           ;  <&msvbvm60.rtcUpperCaseVar>
0047DCE1 .  A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 〈--- EAX = 第 3 组的假码
0047DCE6 .  66:8BD3    MOV DX,BX
0047DCE9 .  83C0 08    ADD EAX,8
0047DCEC .  66:83C2 01 ADD DX,1
0047DCF0 .  8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX
0047DCF6 .  8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0047DCFC .  0F80 31060000 JO 扩展名仓.0047E333
0047DD02 .  0FBFC2       MOVSX EAX,DX
0047DD05 .  51          PUSH ECX                                           ; /Arg4
0047DD06 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]                      ; |
0047DD0C .  50          PUSH EAX                                           ; |Arg3
0047DD0D .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]                      ; |
0047DD13 .  51          PUSH ECX                                           ; |Arg2
0047DD14 .  52          PUSH EDX                                           ; |Arg1
0047DD15 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1                      ; |
0047DD1F .  C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2                      ; |
0047DD29 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008                   ; |
0047DD33 .  FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] 〈---- 取的是第 3 组的假码
0047DD39 .  8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0047DD3F .  8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4]
0047DD45 .  50          PUSH EAX
0047DD46 .  51          PUSH ECX
0047DD47 .  FFD7       CALL EDI                                           ;  <&msvbvm60.rtcUpperCaseVar>
0047DD49 .  8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ;  msvbvm60.__vbaStrVarVal
0047DD4F .  8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
0047DD55 .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
0047DD58 .  52          PUSH EDX
0047DD59 .  50          PUSH EAX
0047DD5A .  FFD7       CALL EDI                                           ;  <&msvbvm60.__vbaStrVarVal>
0047DD5C .  50          PUSH EAX
0047DD5D .  FFD6       CALL ESI
0047DD5F .  66:8BD0    MOV DX,AX
0047DD62 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047DD68 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047DD6B .  51          PUSH ECX
0047DD6C .  50          PUSH EAX
0047DD6D .  66:8995 A6FEF>MOV WORD PTR SS:[EBP-15A],DX
0047DD74 .  FFD7       CALL EDI                                           ;  <&msvbvm60.__vbaStrVarVal>
0047DD76 .  50          PUSH EAX
0047DD77 .  FFD6       CALL ESI
0047DD79 .  66:8B95 A6FEF>MOV DX,WORD PTR SS:[EBP-15A]
0047DD80 .  33C9       XOR ECX,ECX
0047DD82 .  66:3BC2    CMP AX,DX 〈---- 比较啦。这里就是根据第 2 组假码的第 1 个，结合用户名和邮箱的 10 个值来推算出真正的第 3 组注册码。把 DX 的值记起来就是啦。
0047DD85 .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
0047DD88 .  0F95C1       SETNE CL
0047DD8B .  F7D9       NEG ECX
0047DD8D .  8BF9       MOV EDI,ECX
0047DD8F .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047DD92 .  50          PUSH EAX
0047DD93 .  51          PUSH ECX
0047DD94 .  6A 02       PUSH 2
0047DD96 .  FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ;  msvbvm60.__vbaFreeStrList
0047DD9C .  8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
0047DDA2 .  8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0047DDA8 .  52          PUSH EDX
0047DDA9 .  8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0047DDAF .  50          PUSH EAX
0047DDB0 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047DDB6 .  51          PUSH ECX
0047DDB7 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047DDBA .  52          PUSH EDX
0047DDBB .  50          PUSH EAX
0047DDBC .  6A 05       PUSH 5
0047DDBE .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047DDC4 .  83C4 24    ADD ESP,24
0047DDC7 .  66:85FF    TEST DI,DI
0047DDCA .  0F85 CF040000 JNZ 扩展名仓.0047E29F
0047DDD0 .  B8 01000000 MOV EAX,1
0047DDD5 .  66:03C3    ADD AX,BX
0047DDD8 .  0F80 55050000 JO 扩展名仓.0047E333
0047DDDE .  8BD8       MOV EBX,EAX
0047DDE0 .^ E9 03FDFFFF JMP 扩展名仓.0047DAE8
0047DDE5 >  33DB       XOR EBX,EBX
0047DDE7 >  B8 04000000 MOV EAX,4
0047DDEC .  895D EC    MOV DWORD PTR SS:[EBP-14],EBX
0047DDEF .  66:3BD8    CMP BX,AX
0047DDF2 .  0F8F 19030000 JG 扩展名仓.0047E111
0047DDF8 .  66:3BD8    CMP BX,AX
0047DDFB .  0FBFFB       MOVSX EDI,BX
0047DDFE .  0F8D A0000000 JGE 扩展名仓.0047DEA4
0047DE04 .  83FF 05    CMP EDI,5
0047DE07 .  72 06       JB SHORT 扩展名仓.0047DE0F
0047DE09 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DE0F >  66:8BCB    MOV CX,BX
0047DE12 .  66:83C1 01 ADD CX,1
0047DE16 .  0F80 17050000 JO 扩展名仓.0047E333
0047DE1C .  0FBFC1       MOVSX EAX,CX
0047DE1F .  83F8 05    CMP EAX,5
0047DE22 .  8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],EAX
0047DE28 .  72 06       JB SHORT 扩展名仓.0047DE30
0047DE2A .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DE30 >  83FF 05    CMP EDI,5
0047DE33 .  72 06       JB SHORT 扩展名仓.0047DE3B
0047DE35 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DE3B >  8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118]
0047DE41 .  8B02       MOV EAX,DWORD PTR DS:[EDX] 〈---- 取第 1 组假码
0047DE43 .  50          PUSH EAX
0047DE44 .  FFD6       CALL ESI
0047DE46 .  66:83EB 01 SUB BX,1
0047DE4A .  0F80 E3040000 JO 扩展名仓.0047E333
0047DE50 .  0FBFC8       MOVSX ECX,AX
0047DE53 .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0047DE56 .  0FBFD3       MOVSX EDX,BX
0047DE59 .  0FAF14B8    IMUL EDX,DWORD PTR DS:[EAX+EDI*4]
0047DE5D .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047DE60 .  8B9D 1CFFFFFF MOV EBX,DWORD PTR SS:[EBP-E4]
0047DE66 .  0F80 C7040000 JO 扩展名仓.0047E333
0047DE6C .  8B1C98       MOV EBX,DWORD PTR DS:[EAX+EBX*4] 〈---- EBX 分别 =E0 ， D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值。
0047DE6F .  031CB8       ADD EBX,DWORD PTR DS:[EAX+EDI*4] 〈---- 两两相加，就是 E0 + D7 ，D7 + 87 ，87 + 2C ，2C + 8C
0047DE72 .  0F80 BB040000 JO 扩展名仓.0047E333
0047DE78 .  03D3       ADD EDX,EBX
0047DE7A .  0F80 B3040000 JO 扩展名仓.0047E333
0047DE80 .  83C2 01    ADD EDX,1
0047DE83 .  0F80 AA040000 JO 扩展名仓.0047E333
0047DE89 .  03CA       ADD ECX,EDX
0047DE8B .  0F80 A2040000 JO 扩展名仓.0047E333
0047DE91 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047DE97 .  8BC8       MOV ECX,EAX
0047DE99 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]          ;  msvbvm60.__vbaI2I4
0047DE9F .  8B5D EC    MOV EBX,DWORD PTR SS:[EBP-14]
0047DEA2 .  EB 5E       JMP SHORT 扩展名仓.0047DF02
0047DEA4 >  83FF 05    CMP EDI,5
0047DEA7 .  72 11       JB SHORT 扩展名仓.0047DEBA
0047DEA9 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DEAF .  83FF 05    CMP EDI,5
0047DEB2 .  72 06       JB SHORT 扩展名仓.0047DEBA
0047DEB4 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047DEBA >  8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118]
0047DEC0 .  8B11       MOV EDX,DWORD PTR DS:[ECX]
0047DEC2 .  52          PUSH EDX
0047DEC3 .  FFD6       CALL ESI
0047DEC5 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047DEC8 .  8B55 BC    MOV EDX,DWORD PTR SS:[EBP-44]
0047DECB .  0FBFC0       MOVSX EAX,AX
0047DECE .  8B0CB9       MOV ECX,DWORD PTR DS:[ECX+EDI*4]
0047DED1 .  0FAFCF       IMUL ECX,EDI
0047DED4 .  0F80 59040000 JO 扩展名仓.0047E333
0047DEDA .  030CBA       ADD ECX,DWORD PTR DS:[EDX+EDI*4]
0047DEDD .  0F80 50040000 JO 扩展名仓.0047E333
0047DEE3 .  83C1 4D    ADD ECX,4D
0047DEE6 .  0F80 47040000 JO 扩展名仓.0047E333
0047DEEC .  2BC8       SUB ECX,EAX
0047DEEE .  0F80 3F040000 JO 扩展名仓.0047E333
0047DEF4 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047DEFA .  8BC8       MOV ECX,EAX
0047DEFC .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]          ;  msvbvm60.__vbaI2I4
0047DF02 >  66:3D 3000 CMP AX,30
0047DF06 .  7C 06       JL SHORT 扩展名仓.0047DF0E
0047DF08 .  66:3D 3900 CMP AX,39
0047DF0C .  7E 0C       JLE SHORT 扩展名仓.0047DF1A
0047DF0E >  66:3D 6100 CMP AX,61
0047DF12 .  7C 5C       JL SHORT 扩展名仓.0047DF70
0047DF14 .  66:3D 7A00 CMP AX,7A
0047DF18 .  7F 56       JG SHORT 扩展名仓.0047DF70
0047DF1A >  0FBFC0       MOVSX EAX,AX
0047DF1D .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047DF20 .  50          PUSH EAX                                           ; /Arg2
0047DF21 .  51          PUSH ECX                                           ; |Arg1
0047DF22 .  FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>]  ; \rtcVarBstrFromAnsi
0047DF28 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047DF2B .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0047DF31 .  52          PUSH EDX                                           ; /Arg2
0047DF32 .  50          PUSH EAX                                           ; |Arg1
0047DF33 .  FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>]    ; \rtcUpperCaseVar
0047DF39 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047DF3F .  8D55 A0    LEA EDX,DWORD PTR SS:[EBP-60]
0047DF42 .  51          PUSH ECX
0047DF43 .  52          PUSH EDX
0047DF44 .  FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>]    ;  msvbvm60.__vbaStrVarVal
0047DF4A .  50          PUSH EAX
0047DF4B .  FFD6       CALL ESI
0047DF4D .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047DF50 .  8BF8       MOV EDI,EAX
0047DF52 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047DF58 .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0047DF5E .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047DF61 .  50          PUSH EAX
0047DF62 .  51          PUSH ECX
0047DF63 .  6A 02       PUSH 2
0047DF65 .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047DF6B .  83C4 0C    ADD ESP,0C
0047DF6E .  EB 7C       JMP SHORT 扩展名仓.0047DFEC
0047DF70 >  66:99       CWD
0047DF72 .  66:B9 7B00 MOV CX,7B
0047DF76 .  66:F7F9    IDIV CX
0047DF79 .  8BFA       MOV EDI,EDX
0047DF7B .  66:83FF 09 CMP DI,9
0047DF7F .  7D 06       JGE SHORT 扩展名仓.0047DF87
0047DF81 .  66:83C7 30 ADD DI,30
0047DF85 .  EB 5F       JMP SHORT 扩展名仓.0047DFE6
0047DF87 >  66:83FF 22 CMP DI,22
0047DF8B .  7F 06       JG SHORT 扩展名仓.0047DF93
0047DF8D .  66:83C7 58 ADD DI,58
0047DF91 .  EB 53       JMP SHORT 扩展名仓.0047DFE6
0047DF93 >  66:83FF 2C CMP DI,2C
0047DF97 .  7D 06       JGE SHORT 扩展名仓.0047DF9F
0047DF99 .  66:83C7 0D ADD DI,0D
0047DF9D .  EB 47       JMP SHORT 扩展名仓.0047DFE6
0047DF9F >  66:83FF 30 CMP DI,30
0047DFA3 .  7C 06       JL SHORT 扩展名仓.0047DFAB
0047DFA5 .  66:83FF 4D CMP DI,4D
0047DFA9 .  75 07       JNZ SHORT 扩展名仓.0047DFB2
0047DFAB >  BF 48000000 MOV EDI,48
0047DFB0 .  EB 3A       JMP SHORT 扩展名仓.0047DFEC
0047DFB2 >  66:83FF 39 CMP DI,39
0047DFB6 .  7E 0C       JLE SHORT 扩展名仓.0047DFC4
0047DFB8 .  66:83FF 4C CMP DI,4C
0047DFBC .  7F 06       JG SHORT 扩展名仓.0047DFC4
0047DFBE .  66:83C7 2A ADD DI,2A
0047DFC2 .  EB 22       JMP SHORT 扩展名仓.0047DFE6
0047DFC4 >  66:83FF 4D CMP DI,4D
0047DFC8 .  7E 0C       JLE SHORT 扩展名仓.0047DFD6
0047DFCA .  66:83FF 57 CMP DI,57
0047DFCE .  7F 0C       JG SHORT 扩展名仓.0047DFDC
0047DFD0 .  66:83EF 1E SUB DI,1E
0047DFD4 .  EB 10       JMP SHORT 扩展名仓.0047DFE6
0047DFD6 >  66:83FF 57 CMP DI,57
0047DFDA .  7E 10       JLE SHORT 扩展名仓.0047DFEC
0047DFDC >  66:83FF 61 CMP DI,61
0047DFE0 .  7D 0A       JGE SHORT 扩展名仓.0047DFEC
0047DFE2 .  66:83C7 11 ADD DI,11
0047DFE6 >  0F80 47030000 JO 扩展名仓.0047E333
0047DFEC >  0FBFD7       MOVSX EDX,DI
0047DFEF .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047DFF2 .  52          PUSH EDX                                           ; /Arg2
0047DFF3 .  50          PUSH EAX                                           ; |Arg1
0047DFF4 .  FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>]  ; \rtcVarBstrFromAnsi
0047DFFA .  8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>]  ;  msvbvm60.rtcUpperCaseVar
0047E000 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047E003 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047E009 .  51          PUSH ECX
0047E00A .  52          PUSH EDX
0047E00B .  FFD7       CALL EDI                                           ;  <&msvbvm60.rtcUpperCaseVar> 〈---- 转为大写
0047E00D .  A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118]
0047E012 .  66:8BD3    MOV DX,BX
0047E015 .  83C0 04    ADD EAX,4
0047E018 .  66:83C2 01 ADD DX,1
0047E01C .  8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX
0047E022 .  8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0047E028 .  0F80 05030000 JO 扩展名仓.0047E333
0047E02E .  0FBFC2       MOVSX EAX,DX
0047E031 .  51          PUSH ECX                                           ; /Arg4
0047E032 .  8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]                      ; |
0047E038 .  50          PUSH EAX                                           ; |Arg3
0047E039 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]                      ; |
0047E03F .  51          PUSH ECX                                           ; |Arg2
0047E040 .  52          PUSH EDX                                           ; |Arg1
0047E041 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1                      ; |
0047E04B .  C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2                      ; |
0047E055 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008                   ; |
0047E05F .  FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>]    ; \rtcMidCharVar
0047E065 .  8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0047E06B .  8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4]
0047E071 .  50          PUSH EAX
0047E072 .  51          PUSH ECX
0047E073 .  FFD7       CALL EDI                                           ;  <&msvbvm60.rtcUpperCaseVar>
0047E075 .  8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ;  msvbvm60.__vbaStrVarVal
0047E07B .  8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
0047E081 .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
0047E084 .  52          PUSH EDX
0047E085 .  50          PUSH EAX
0047E086 .  FFD7       CALL EDI                                           ;  <&msvbvm60.__vbaStrVarVal>
0047E088 .  50          PUSH EAX
0047E089 .  FFD6       CALL ESI
0047E08B .  66:8BD0    MOV DX,AX
0047E08E .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047E094 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047E097 .  51          PUSH ECX
0047E098 .  50          PUSH EAX
0047E099 .  66:8995 A4FEF>MOV WORD PTR SS:[EBP-15C],DX
0047E0A0 .  FFD7       CALL EDI                                           ;  <&msvbvm60.__vbaStrVarVal>
0047E0A2 .  50          PUSH EAX
0047E0A3 .  FFD6       CALL ESI
0047E0A5 .  66:8B95 A4FEF>MOV DX,WORD PTR SS:[EBP-15C]
0047E0AC .  33C9       XOR ECX,ECX
0047E0AE .  66:3BC2    CMP AX,DX 〈---这里比较的是第 2 组的，把DX的值记起来。
0047E0B1 .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
0047E0B4 .  0F95C1       SETNE CL
0047E0B7 .  F7D9       NEG ECX
0047E0B9 .  8BF9       MOV EDI,ECX
0047E0BB .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047E0BE .  50          PUSH EAX
0047E0BF .  51          PUSH ECX
0047E0C0 .  6A 02       PUSH 2
0047E0C2 .  FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ;  msvbvm60.__vbaFreeStrList
0047E0C8 .  8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
0047E0CE .  8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
0047E0D4 .  52          PUSH EDX
0047E0D5 .  8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0047E0DB .  50          PUSH EAX
0047E0DC .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047E0E2 .  51          PUSH ECX
0047E0E3 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047E0E6 .  52          PUSH EDX
0047E0E7 .  50          PUSH EAX
0047E0E8 .  6A 05       PUSH 5
0047E0EA .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047E0F0 .  83C4 24    ADD ESP,24
0047E0F3 .  66:85FF    TEST DI,DI
0047E0F6 .  0F85 A3010000 JNZ 扩展名仓.0047E29F
0047E0FC .  B8 01000000 MOV EAX,1
0047E101 .  66:03C3    ADD AX,BX
0047E104 .  0F80 29020000 JO 扩展名仓.0047E333
0047E10A .  8BD8       MOV EBX,EAX
0047E10C .^ E9 D6FCFFFF JMP 扩展名仓.0047DDE7
0047E111 >  C785 D4FEFFFF>MOV DWORD PTR SS:[EBP-12C],4
0047E11B .  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],1
0047E125 .  33DB       XOR EBX,EBX
0047E127 >  66:3B9D D4FEF>CMP BX,WORD PTR SS:[EBP-12C]
0047E12E .  0F8F 72010000 JG 扩展名仓.0047E2A6
0047E134 .  0FBFFB       MOVSX EDI,BX
0047E137 .  83FF 05    CMP EDI,5
0047E13A .  72 11       JB SHORT 扩展名仓.0047E14D
0047E13C .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047E142 .  83FF 05    CMP EDI,5
0047E145 .  72 06       JB SHORT 扩展名仓.0047E14D
0047E147 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047E14D >  8B4D BC    MOV ECX,DWORD PTR SS:[EBP-44]
0047E150 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047E153 .  8B0CB9       MOV ECX,DWORD PTR DS:[ECX+EDI*4] 〈---- 那些值
0047E156 .  8B04BA       MOV EAX,DWORD PTR DS:[EDX+EDI*4]
0047E159 .  03C8       ADD ECX,EAX 〈---- 加起来
0047E15B .  66:8BC3    MOV AX,BX
0047E15E .  0F80 CF010000 JO 扩展名仓.0047E333
0047E164 .  66:05 0100 ADD AX,1 〈---- 递加 1 ，就是第 1 次是1 ，第 2 次就是 2 咯，……
0047E168 .  0F80 C5010000 JO 扩展名仓.0047E333
0047E16E .  66:6BC0 07 IMUL AX,AX,7 〈---- 再乘于 7 ，第 1 次乘 1 ，第 2 次就是乘 2 咯，……
0047E172 .  0F80 BB010000 JO 扩展名仓.0047E333
0047E178 .  0FBFD0       MOVSX EDX,AX
0047E17B .  03CA       ADD ECX,EDX 〈---- 再加起来
0047E17D .  0F80 B0010000 JO 扩展名仓.0047E333
0047E183 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]          ;  msvbvm60.__vbaI2I4
0047E189 .  8BF8       MOV EDI,EAX
0047E18B .  66:83FF 30 CMP DI,30 〈-----下面 4 个比较是判断是否在数字和大写字母的范围内，是的话就直接跳走了。
0047E18F .  7C 06       JL SHORT 扩展名仓.0047E197
0047E191 .  66:83FF 39 CMP DI,39
0047E195 .  7E 60       JLE SHORT 扩展名仓.0047E1F7
0047E197 >  66:83FF 41 CMP DI,41
0047E19B .  7C 06       JL SHORT 扩展名仓.0047E1A3
0047E19D .  66:83FF 5A CMP DI,5A
0047E1A1 .  7E 54       JLE SHORT 扩展名仓.0047E1F7
0047E1A3 >  66:8BC7    MOV AX,DI
0047E1A6 .  66:B9 5B00 MOV CX,5B
0047E1AA .  66:99       CWD
0047E1AC .  66:F7F9    IDIV CX 〈----- 否则将 MOD 5B ，取余数
0047E1AF .  8BFA       MOV EDI,EDX
0047E1B1 .  66:83FF 1A CMP DI,1A
0047E1B5 .  7D 06       JGE SHORT 扩展名仓.0047E1BD
0047E1B7 .  66:83C7 41 ADD DI,41
0047E1BB .  EB 34       JMP SHORT 扩展名仓.0047E1F1
0047E1BD >  66:83FF 23 CMP DI,23
0047E1C1 .  7F 06       JG SHORT 扩展名仓.0047E1C9
0047E1C3 .  66:83C7 16 ADD DI,16
0047E1C7 .  EB 28       JMP SHORT 扩展名仓.0047E1F1
0047E1C9 >  66:83FF 28 CMP DI,28
0047E1CD .  7D 06       JGE SHORT 扩展名仓.0047E1D5
0047E1CF .  66:83C7 0F ADD DI,0F
0047E1D3 .  EB 1C       JMP SHORT 扩展名仓.0047E1F1
0047E1D5 >  66:83FF 30 CMP DI,30
0047E1D9 .  7D 06       JGE SHORT 扩展名仓.0047E1E1
0047E1DB .  66:83C7 1E ADD DI,1E
0047E1DF .  EB 10       JMP SHORT 扩展名仓.0047E1F1
0047E1E1 >  66:83FF 39 CMP DI,39
0047E1E5 .  7E 10       JLE SHORT 扩展名仓.0047E1F7
0047E1E7 .  66:83FF 41 CMP DI,41
0047E1EB .  7D 0A       JGE SHORT 扩展名仓.0047E1F7
0047E1ED .  66:83C7 11 ADD DI,11
0047E1F1 >  0F80 3C010000 JO 扩展名仓.0047E333
0047E1F7 >  8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118]
0047E1FD .  66:8BCB    MOV CX,BX
0047E200 .  66:83C1 01 ADD CX,1
0047E204 .  8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX
0047E20A .  0F80 23010000 JO 扩展名仓.0047E333
0047E210 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047E213 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047E21A .  0FBFD1       MOVSX EDX,CX
0047E21D .  50          PUSH EAX                                           ; /Arg4
0047E21E .  8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4]                      ; |
0047E224 .  52          PUSH EDX                                           ; |Arg3
0047E225 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]                      ; |
0047E22B .  50          PUSH EAX                                           ; |Arg2
0047E22C .  51          PUSH ECX                                           ; |Arg1
0047E22D .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2                      ; |
0047E234 .  C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008                   ; |
0047E23E .  FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>]    ; \rtcMidCharVar 〈--- 取第 1 组假码
0047E244 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047E24A .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047E24D .  52          PUSH EDX
0047E24E .  50          PUSH EAX
0047E24F .  FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>]    ;  msvbvm60.__vbaStrVarVal
0047E255 .  50          PUSH EAX
0047E256 .  FFD6       CALL ESI
0047E258 .  33C9       XOR ECX,ECX
0047E25A .  66:3BF8    CMP DI,AX 〈---比较第 1 组的。把 DX 的值记起来。
0047E25D .  0F95C1       SETNE CL
0047E260 .  F7D9       NEG ECX
0047E262 .  8BF9       MOV EDI,ECX
0047E264 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047E267 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047E26D .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047E273 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047E276 .  52          PUSH EDX
0047E277 .  50          PUSH EAX
0047E278 .  6A 02       PUSH 2
0047E27A .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047E280 .  83C4 0C    ADD ESP,0C
0047E283 .  66:85FF    TEST DI,DI
0047E286 .  75 17       JNZ SHORT 扩展名仓.0047E29F
0047E288 .  66:8B8D D8FEF>MOV CX,WORD PTR SS:[EBP-128]
0047E28F .  66:03CB    ADD CX,BX
0047E292 .  0F80 9B000000 JO 扩展名仓.0047E333
0047E298 .  8BD9       MOV EBX,ECX
0047E29A .^ E9 88FEFFFF JMP 扩展名仓.0047E127
0047E29F >  C745 CC 00000>MOV DWORD PTR SS:[EBP-34],0
0047E2A6 >  9B          WAIT
0047E2A7 .  68 19E34700 PUSH 扩展名仓.0047E319
0047E2AC .  EB 3C       JMP SHORT 扩展名仓.0047E2EA
0047E2AE .  8D55 9C    LEA EDX,DWORD PTR SS:[EBP-64]
0047E2B1 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047E2B4 .  52          PUSH EDX
0047E2B5 .  50          PUSH EAX
0047E2B6 .  6A 02       PUSH 2
0047E2B8 .  FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ;  msvbvm60.__vbaFreeStrList
0047E2BE .  8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4]
0047E2C4 .  8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
0047E2CA .  51          PUSH ECX
0047E2CB .  8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
0047E2D1 .  52          PUSH EDX
0047E2D2 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047E2D8 .  50          PUSH EAX
0047E2D9 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047E2DC .  51          PUSH ECX
0047E2DD .  52          PUSH EDX
0047E2DE .  6A 05       PUSH 5
0047E2E0 .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047E2E6 .  83C4 24    ADD ESP,24
0047E2E9 .  C3          RETN
--------------------------------------- The end -----------------------------------------------------
名字：skyege
邮箱：skyege@tom.com
注册码：P6ZI3-XH4HL-OXUXD-EMK15-7CQPA

这是一个经典的“用户名（F）= 注册码”的软件，难度一般。注册码共 5 组，每组 5 个字符。注册成功后在 Extension .ini 中有
UserName=skyege
Email=skyege@tom.com
Code=P6ZI3XH4HLOXUXDEMK157CQPA

验证的过程是这样的：
1、验证第 5 组的第 1 个与第 2 组的第 2 个的关系
2、验证第 3 组的后 4 个与第 5 组的后 4 个的关系。
3、验证第 4 组注册码
4、验证第 3 组注册码
5、验证第 2 组注册码
6、验证第 1 组注册码

所以逆过来，顺序颠倒就可以逆出真注册码了。程序先利用你输入的用户名和邮箱计算出 10 个值，这是它们的存放地址：

002243A0  E0 00 00 00 D7 00 00 00 87 00 00 00 2C 00 00 00  ?..?..?..,...
002243B0  8C 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE  ?..????铪铪
002243C0  00 00 00 00 00 00 00 00 06 00 06 00 00 07 1C 00  ............
002243D0  1F 00 00 00 BD 00 00 00 19 00 00 00 B7 00 00 00  ...?.....?..
002243E0  2B 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE  +...????铪铪

1、根据那 10 个值计算出第 1 组注册码
2、根据用户名的 5 个值和第 1 组注册码计算出第 2 组注册码
3、根据那 10 个值和第 2 组注册码计算出第 3 组注册码
4、根据那 10 个值和第 2 组注册码计算出第 4 组注册码
5、根据第 3 组的后 4 个计算出第 5 组注册码的后 4 个
6、根据第 2 组的第 2 个计算出第 5 组注册码的第 1 个
至于如何计算看代码的注释,要表达清楚，恐怕成长篇大论了。

断点地址    模块    激活          反汇编                               注释
0047D6F4 扩展名仓    关闭       CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的第 1 个注册码
0047D8B8 扩展名仓    关闭       CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的后 4 个注册码
0047DA90 扩展名仓    关闭       CMP BX,AX <--- 这里得到第 4 组注册码
0047DD82 扩展名仓    关闭       CMP AX,DX <--- 这里得到第 3 组注册码
0047E0AE 扩展名仓    关闭       CMP AX,DX <--- 这里得到第 2 组注册码
0047E25A 扩展名仓    关闭       CMP DI,AX <--- 这里得到第 1 组注册码

注册机：注册机的编写我觉得用高级语言真的很不适合，主要是在计算注册码的时候，都有 N 长的值的范围判断比较，特别是计算第 2 组的时候更麻烦。以为写成过程调用可以解决，但发现也是烦琐。加之本人编程能力不敢恭维，代码写得冗长垃圾，故不贴了。等哪天学了汇编再写吧。对用户名和邮箱的处理大家可以看一下（我只跟踪了用户名大于5的 ^_^）,错误遗漏之处请指教：

      Dim a, b, c, d, e                            '存放用邮箱计算得出的 5 个值
      Dim h, i, j, k, l                            '存放用用户名计算得出的 5 个值

      yhm = Trim(Text1.Text)                         '用户名
      youxiang = UCase(Trim(Text2.Text))             '邮箱转化为大写形式

      For i = 6 To Len(youxiang)
            If i Mod 2 = 0 Then
                     temp = Asc(Mid(youxiang, i, 1)) + temp    '累加
                     temp = temp - 5                               '偶数位 - 5
            Else
                     temp = Asc(Mid(youxiang, i, 1)) + temp
                     temp = temp + 7                               '奇数位 + 7
            End If
      Next
      temp = temp Mod 177          '取余数

      a = temp - Asc(Mid(youxiang, 1, 1))
      b = temp + Asc(Mid(youxiang, 2, 1))
      c = temp - Asc(Mid(youxiang, 3, 1))
      d = temp + Asc(Mid(youxiang, 4, 1))
      e = temp - Asc(Mid(youxiang, 5, 1))

      temp = 0
      For i = 6 To Len(mz)                   '累加用户名6位以上的ASC值
            temp = Asc(Mid(mz, i, 1)) + temp
      Next
      i = Asc(Mid(yhm, 2, 1)) + 7 + temp             '
      j = Asc(Mid(yhm, 3, 1)) + 14                   ' + c
      k = Asc(Mid(yhm, 4, 1)) - 57                   '- 39
      l = Asc(Mid(yhm, 5, 1)) + 37                   ' + 25
      h = Asc(Mid(yhm, 1, 1)) + 7 + k + 167             '+ a7
      h = h Mod 231
      h = h + Asc(Mid(yhm, 1, 1)) + 7

2005-9-6 18:07

0