扩展名仓库 V3.0.811 算法简析[原创]-软件逆向-看雪-安全社区|安全招聘|kanxue.com

扩展名仓库 V3.0.811 算法简析[原创]

发表于: 2005-9-6 18:06 10135

扩展名仓库 V3.0.811 算法简析[原创]

skyege

2005-9-6 18:06

10135

破解者：skyege ( 05.9.5 夜 )
破解工具：OD ，PEID 0.93
破解平台：WINXP SP1
软件名称：扩展名仓库(原后缀名仓库) V3.0.811
软件大小：2.66 MB
软件语言：简体中文
软件类别：国产软件 / 共享版 / 文件管理
运行环境：Win9x,NT,2000,XP
添加时间：2005-8-12 15:16:32
联系人：manager@liansoft.net
开发商：http://www.liansoft.net/
下载统计：本日：16　本周：25　本月：50　总计：5082

软件简介：
文件扩展名（后缀名）查询，让您轻松获得近5000文件扩展名信息
系列软件功能有：扩展名查询，扩展名批量更改，扩展名学习。软件特色：1.模糊搜索，支持用"?"搜索 2.高级搜索 3.查看文件扩展名，支持文件拖拉操作 4.软件自动升级 5.用户和开发者交流。

PEID 测出壳是“ASPack 2.1 -> Alexey Solodovnikov”，手动脱掉。原来是 VB 的，而且不是P-CODE的 ^_^。好了，可以动手了。我们的目的是――没有蛀牙。oh ! no .是追注册码！搞清算法。
通过拦 rtcMsgBox 或者查找出错字符都可以找到下面关键的地方：

用户名：skyege
邮箱  ：skyege@tom.com
假码  ：12345-23456-34567-45678-56789

0047E6A0 > \55          PUSH EBP
0047E6A1 .  8BEC       MOV EBP,ESP
0047E6A3 .  83EC 18    SUB ESP,18
0047E6A6 .  68 364A4000 PUSH <JMP.&msvbvm60.__vbaExceptHandler>          ;  SE 句柄安装
0047E6AB .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0047E6B1 .  50          PUSH EAX
0047E6B2 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
0047E6B9 .  B8 F8000000 MOV EAX,0F8
0047E6BE .  E8 6D63F8FF CALL <JMP.&msvbvm60.__vbaChkstk>
………………………………
………省略若干……………
………………………………
0047E863 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>] 〈---- 测试是否输入了用户名
0047E869 .  85C0       TEST EAX,EAX
0047E86B .  75 40       JNZ SHORT 扩展名仓.0047E8AD
0047E86D .  E9 DB090000 JMP 扩展名仓.0047F24D 〈---- 直接前往出口，没有任何提示
………………………………
………省略若干……………
………………………………
0047E8AD > \C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
0047E8B4 .  E8 87FAFFFF CALL 扩展名仓.0047E340 〈---- 测试邮箱地址格式是否正确，有提示！
0047E8B9 .  0FBFD0       MOVSX EDX,AX
0047E8BC .  85D2       TEST EDX,EDX
0047E8BE .  0F85 B6000000 JNZ 扩展名仓.0047E97A 〈---- 不跳 OVER
………………………………
………省略若干……………
………………………………
0047EB0E > \C745 FC 12000>MOV DWORD PTR SS:[EBP-4],12
0047EB15 .  E8 36E0FFFF CALL 1.0047CB50 〈---- 算法 CALL ，经典语句
0047EB1A .  0FBFC8       MOVSX ECX,AX
0047EB1D .  85C9       TEST ECX,ECX
0047EB1F .  0F84 8C060000 JE 1.0047F1B1 〈---- 重要跳转，跳就 OVER
0047EB25 .  C745 FC 13000>MOV DWORD PTR SS:[EBP-4],13
0047EB2C .  C745 8C 04000>MOV DWORD PTR SS:[EBP-74],80020004
0047EB33 .  C745 84 0A000>MOV DWORD PTR SS:[EBP-7C],0A
0047EB3A .  C745 9C 04000>MOV DWORD PTR SS:[EBP-64],80020004
0047EB41 .  C745 94 0A000>MOV DWORD PTR SS:[EBP-6C],0A
0047EB48 .  C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],1.0042E878
0047EB52 .  C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],8
0047EB5C .  8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
0047EB62 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0047EB65 .  FF15 90124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>]
0047EB6B .  C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],1.0042E854
0047EB75 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],8
0047EB7F .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0047EB85 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0047EB88 .  FF15 90124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>]
0047EB8E .  8D55 84    LEA EDX,DWORD PTR SS:[EBP-7C]
0047EB91 .  52          PUSH EDX
0047EB92 .  8D45 94    LEA EAX,DWORD PTR SS:[EBP-6C]
0047EB95 .  50          PUSH EAX
0047EB96 .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0047EB99 .  51          PUSH ECX
0047EB9A .  6A 40       PUSH 40
0047EB9C .  8D55 B4    LEA EDX,DWORD PTR SS:[EBP-4C]
0047EB9F .  52          PUSH EDX
0047EBA0 .  FF15 D4104000 CALL DWORD PTR DS:[<&msvbvm60.rtcMsgBox>] 〈---天堂
………………………………
………省略若干……………
………………………………
0047F1B1 > \C745 FC 1E000>MOV DWORD PTR SS:[EBP-4],1E
0047F1B8 .  C745 8C 04000>MOV DWORD PTR SS:[EBP-74],80020004
0047F1BF .  C745 84 0A000>MOV DWORD PTR SS:[EBP-7C],0A
0047F1C6 .  C745 9C 04000>MOV DWORD PTR SS:[EBP-64],80020004
0047F1CD .  C745 94 0A000>MOV DWORD PTR SS:[EBP-6C],0A
0047F1D4 .  C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],扩展名仓.0042E8B8
0047F1DE .  C785 64FFFFFF>MOV DWORD PTR SS:[EBP-9C],8
0047F1E8 .  8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
0047F1EE .  8D4D A4    LEA ECX,DWORD PTR SS:[EBP-5C]
0047F1F1 .  FF15 90124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>]
0047F1F7 .  C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],扩展名仓.0042E88C
0047F201 .  C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],8
0047F20B .  8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0047F211 .  8D4D B4    LEA ECX,DWORD PTR SS:[EBP-4C]
0047F214 .  FF15 90124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>]
0047F21A .  8D45 84    LEA EAX,DWORD PTR SS:[EBP-7C]
0047F21D .  50          PUSH EAX
0047F21E .  8D4D 94    LEA ECX,DWORD PTR SS:[EBP-6C]
0047F221 .  51          PUSH ECX
0047F222 .  8D55 A4    LEA EDX,DWORD PTR SS:[EBP-5C]
0047F225 .  52          PUSH EDX
0047F226 .  6A 10       PUSH 10
0047F228 .  8D45 B4    LEA EAX,DWORD PTR SS:[EBP-4C]
0047F22B .  50          PUSH EAX
0047F22C .  FF15 D4104000 CALL DWORD PTR DS:[<&msvbvm60.rtcMsgBox>] 〈----地狱

*************************** 算法 CALL 1.0047CB50 *************************************

0047CB50 $  55          PUSH EBP
0047CB51 .  8BEC       MOV EBP,ESP
0047CB53 .  83EC 08    SUB ESP,8
0047CB56 .  68 364A4000 PUSH <JMP.&msvbvm60.__vbaExceptHandler>          ;  SE 句柄安装
0047CB5B .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0047CB61 .  50          PUSH EAX
0047CB62 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
0047CB69 .  81EC 4C010000 SUB ESP,14C
0047CB6F .  53          PUSH EBX
0047CB70 .  56          PUSH ESI
0047CB71 .  57          PUSH EDI
0047CB72 .  8965 F8    MOV DWORD PTR SS:[EBP-8],ESP
0047CB75 .  C745 FC F82D4>MOV DWORD PTR SS:[EBP-4],扩展名仓.00402DF8
0047CB7C .  8B35 50114000 MOV ESI,DWORD PTR DS:[<&msvbvm60.__vbaAryConstruct2>
0047CB82 .  33C0       XOR EAX,EAX
0047CB84 .  8945 C8    MOV DWORD PTR SS:[EBP-38],EAX
0047CB87 .  8945 A4    MOV DWORD PTR SS:[EBP-5C],EAX
0047CB8A .  8945 A0    MOV DWORD PTR SS:[EBP-60],EAX
0047CB8D .  8945 9C    MOV DWORD PTR SS:[EBP-64],EAX
0047CB90 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0047CB93 .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0047CB99 .  8985 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EAX
0047CB9F .  8985 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EAX
0047CBA5 .  8985 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],EAX
0047CBAB .  8985 3CFFFFFF MOV DWORD PTR SS:[EBP-C4],EAX
0047CBB1 .  8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX
0047CBB7 .  8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX
0047CBBD .  6A 03       PUSH 3
0047CBBF .  8D45 D4    LEA EAX,DWORD PTR SS:[EBP-2C]
0047CBC2 .  68 FCE74200 PUSH 扩展名仓.0042E7FC
0047CBC7 .  50          PUSH EAX
0047CBC8 .  FFD6       CALL ESI                                           ;  <&msvbvm60.__vbaAryConstruct2>
0047CBCA .  6A 03       PUSH 3
0047CBCC .  8D4D B0    LEA ECX,DWORD PTR SS:[EBP-50]
0047CBCF .  68 FCE74200 PUSH 扩展名仓.0042E7FC
0047CBD4 .  51          PUSH ECX
0047CBD5 .  FFD6       CALL ESI
-------------------------------- 对用户名的处理 --------------------------------
0047CBD7 .  A1 00514A00 MOV EAX,DWORD PTR DS:[4A5100] 〈---- 用户名
0047CBDC .  8B1D 1C114000 MOV EBX,DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>]
0047CBE2 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047CBE5 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 〈--参数 1
0047CBEC .  52          PUSH EDX
0047CBED .  6A 01       PUSH 1
0047CBEF .  50          PUSH EAX
0047CBF0 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047CBF7 .  FFD3       CALL EBX                                           ;  <&msvbvm60.rtcMidCharBstr> 〈----取用户名的第一个字符
0047CBF9 .  8B3D C8124000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrMove>]
0047CBFF .  8BD0       MOV EDX,EAX
0047CC01 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CC04 .  FFD7       CALL EDI                                           ;  <&msvbvm60.__vbaStrMove>
0047CC06 .  8B35 60104000 MOV ESI,DWORD PTR DS:[<&msvbvm60.rtcAnsiValueBstr>] ;  msvbvm60.rtcAnsiValueBstr
0047CC0C .  50          PUSH EAX
0047CC0D .  FFD6       CALL ESI                                           ;  <&msvbvm60.rtcAnsiValueBstr> 〈--- 获得 ASC 值
0047CC0F .  66:99       CWD
0047CC11 .  66:B9 B100 MOV CX,0B1
0047CC15 .  66:F7F9    IDIV CX
0047CC18 .  66:8BCA    MOV CX,DX
0047CC1B .  66:83C1 07 ADD CX,7 〈---- CX = 第一个字符的 ASC 值，加上 7
0047CC1F .  0F80 0E170000 JO 扩展名仓.0047E333
0047CC25 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047CC2B .  0FBFD0       MOVSX EDX,AX
0047CC2E .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CC31 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CC34 .  8910       MOV DWORD PTR DS:[EAX],EDX
0047CC36 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047CC3C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CC3F .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047CC45 .  8B0D 00514A00 MOV ECX,DWORD PTR DS:[4A5100]
0047CC4B .  C745 CC FFFFF>MOV DWORD PTR SS:[EBP-34],-1
0047CC52 .  51          PUSH ECX
0047CC53 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>] 〈----这里获得用户名的长度。
0047CC59 .  83F8 01    CMP EAX,1 〈---- 当用户名的长度等于 1 的时候的处理方式
0047CC5C .  75 76       JNZ SHORT 扩展名仓.0047CCD4
0047CC5E .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CC61 .  8B0A       MOV ECX,DWORD PTR DS:[EDX]
0047CC63 .  6BC9 02    IMUL ECX,ECX,2
0047CC66 .  0F80 C7160000 JO 扩展名仓.0047E333
0047CC6C .  83C1 11    ADD ECX,11
0047CC6F .  0F80 BE160000 JO 扩展名仓.0047E333
0047CC75 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CC7B .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CC7E .  8941 04    MOV DWORD PTR DS:[ECX+4],EAX
0047CC81 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CC84 .  8B0A       MOV ECX,DWORD PTR DS:[EDX]
0047CC86 .  83C1 4D    ADD ECX,4D
0047CC89 .  0F80 A4160000 JO 扩展名仓.0047E333
0047CC8F .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CC95 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CC98 .  8941 08    MOV DWORD PTR DS:[ECX+8],EAX
0047CC9B .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CC9E .  8B0A       MOV ECX,DWORD PTR DS:[EDX]
0047CCA0 .  83E9 07    SUB ECX,7
0047CCA3 .  0F80 8A160000 JO 扩展名仓.0047E333
0047CCA9 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CCAF .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CCB2 .  8941 0C    MOV DWORD PTR DS:[ECX+C],EAX
0047CCB5 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CCB8 .  8B0A       MOV ECX,DWORD PTR DS:[EDX]
0047CCBA .  83C1 07    ADD ECX,7
0047CCBD .  0F80 70160000 JO 扩展名仓.0047E333
0047CCC3 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CCC9 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CCCC .  8941 10    MOV DWORD PTR DS:[ECX+10],EAX
0047CCCF .  E9 F0060000 JMP 扩展名仓.0047D3C4
0047CCD4 >  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CCDA .  52          PUSH EDX
0047CCDB .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>]       ;  msvbvm60.__vbaLenBstr
0047CCE1 .  83F8 02    CMP EAX,2 〈---- 当用户名的长度等于 2 的时候的处理方式
0047CCE4 .  0F85 AF000000 JNZ 扩展名仓.0047CD99
0047CCEA .  8B0D 00514A00 MOV ECX,DWORD PTR DS:[4A5100]
0047CCF0 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0047CCF3 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047CCF6 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047CCFD .  50          PUSH EAX
0047CCFE .  6A 02       PUSH 2
0047CD00 .  51          PUSH ECX
0047CD01 .  FFD3       CALL EBX
0047CD03 .  8BD0       MOV EDX,EAX
0047CD05 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CD08 .  FFD7       CALL EDI
0047CD0A .  50          PUSH EAX
0047CD0B .  FFD6       CALL ESI
0047CD0D .  66:99       CWD
0047CD0F .  66:B9 B100 MOV CX,0B1
0047CD13 .  66:F7F9    IDIV CX
0047CD16 .  66:8BCA    MOV CX,DX
0047CD19 .  66:83C1 11 ADD CX,11
0047CD1D .  0F80 10160000 JO 扩展名仓.0047E333
0047CD23 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047CD29 .  0FBFD0       MOVSX EDX,AX
0047CD2C .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CD2F .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CD32 .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0047CD35 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047CD3B .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CD3E .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047CD44 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CD47 .  8B09       MOV ECX,DWORD PTR DS:[ECX]
0047CD49 .  83C1 1B    ADD ECX,1B
0047CD4C .  0F80 E1150000 JO 扩展名仓.0047E333
0047CD52 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CD58 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CD5B .  8942 08    MOV DWORD PTR DS:[EDX+8],EAX
0047CD5E .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CD61 .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0047CD64 .  83E9 2F    SUB ECX,2F
0047CD67 .  0F80 C6150000 JO 扩展名仓.0047E333
0047CD6D .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CD73 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CD76 .  8941 0C    MOV DWORD PTR DS:[ECX+C],EAX
0047CD79 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CD7C .  8B4A 08    MOV ECX,DWORD PTR DS:[EDX+8]
0047CD7F .  83E9 11    SUB ECX,11
0047CD82 .  0F80 AB150000 JO 扩展名仓.0047E333
0047CD88 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CD8E .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CD91 .  8941 10    MOV DWORD PTR DS:[ECX+10],EAX
0047CD94 .  E9 2B060000 JMP 扩展名仓.0047D3C4
0047CD99 >  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CD9F .  52          PUSH EDX
0047CDA0 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>]       ;  msvbvm60.__vbaLenBstr
0047CDA6 .  83F8 03    CMP EAX,3 〈---- 当用户名的长度等于 3 的时候的处理方式
0047CDA9 .  0F85 02010000 JNZ 扩展名仓.0047CEB1
0047CDAF .  8B0D 00514A00 MOV ECX,DWORD PTR DS:[4A5100]
0047CDB5 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047CDB8 .  50          PUSH EAX
0047CDB9 .  6A 02       PUSH 2
0047CDBB .  51          PUSH ECX
0047CDBC .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047CDC3 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047CDCA .  FFD3       CALL EBX
0047CDCC .  8BD0       MOV EDX,EAX
0047CDCE .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CDD1 .  FFD7       CALL EDI
0047CDD3 .  50          PUSH EAX
0047CDD4 .  FFD6       CALL ESI
0047CDD6 .  66:99       CWD
0047CDD8 .  66:B9 B100 MOV CX,0B1
0047CDDC .  66:F7F9    IDIV CX
0047CDDF .  66:8BCA    MOV CX,DX
0047CDE2 .  66:83C1 11 ADD CX,11
0047CDE6 .  0F80 47150000 JO 扩展名仓.0047E333
0047CDEC .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047CDF2 .  0FBFD0       MOVSX EDX,AX
0047CDF5 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CDF8 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CDFB .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0047CDFE .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047CE04 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CE07 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047CE0D .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CE13 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CE16 .  51          PUSH ECX
0047CE17 .  6A 03       PUSH 3
0047CE19 .  52          PUSH EDX
0047CE1A .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047CE21 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047CE28 .  FFD3       CALL EBX
0047CE2A .  8BD0       MOV EDX,EAX
0047CE2C .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CE2F .  FFD7       CALL EDI
0047CE31 .  50          PUSH EAX
0047CE32 .  FFD6       CALL ESI
0047CE34 .  66:99       CWD
0047CE36 .  66:B9 B100 MOV CX,0B1
0047CE3A .  66:F7F9    IDIV CX
0047CE3D .  66:8BCA    MOV CX,DX
0047CE40 .  66:83C1 07 ADD CX,7
0047CE44 .  0F80 E9140000 JO 扩展名仓.0047E333
0047CE4A .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047CE50 .  0FBFD0       MOVSX EDX,AX
0047CE53 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CE56 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CE59 .  8950 08    MOV DWORD PTR DS:[EAX+8],EDX
0047CE5C .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047CE62 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CE65 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047CE6B .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CE6E .  8B48 04    MOV ECX,DWORD PTR DS:[EAX+4]
0047CE71 .  8B50 08    MOV EDX,DWORD PTR DS:[EAX+8]
0047CE74 .  83E9 25    SUB ECX,25
0047CE77 .  0F80 B6140000 JO 扩展名仓.0047E333
0047CE7D .  03CA       ADD ECX,EDX
0047CE7F .  0F80 AE140000 JO 扩展名仓.0047E333
0047CE85 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CE8B .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CE8E .  8941 0C    MOV DWORD PTR DS:[ECX+C],EAX
0047CE91 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CE94 .  8B4A 08    MOV ECX,DWORD PTR DS:[EDX+8]
0047CE97 .  83E9 39    SUB ECX,39
0047CE9A .  0F80 93140000 JO 扩展名仓.0047E333
0047CEA0 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047CEA6 .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047CEA9 .  8941 10    MOV DWORD PTR DS:[ECX+10],EAX
0047CEAC .  E9 13050000 JMP 扩展名仓.0047D3C4
0047CEB1 >  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CEB7 .  52          PUSH EDX
0047CEB8 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>]       ;  msvbvm60.__vbaLenBstr
0047CEBE .  83F8 04    CMP EAX,4 〈---- 当用户名的长度等于 4 的时候的处理方式
0047CEC1 .  0F85 B7010000 JNZ 扩展名仓.0047D07E
0047CEC7 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CECD .  B9 01000000 MOV ECX,1
0047CED2 .  894D 94    MOV DWORD PTR SS:[EBP-6C],ECX
0047CED5 .  894D 84    MOV DWORD PTR SS:[EBP-7C],ECX
0047CED8 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CEDB .  B8 02000000 MOV EAX,2
0047CEE0 .  51          PUSH ECX
0047CEE1 .  50          PUSH EAX
0047CEE2 .  52          PUSH EDX
0047CEE3 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0047CEE6 .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0047CEEC .  FFD3       CALL EBX
0047CEEE .  8BD0       MOV EDX,EAX
0047CEF0 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CEF3 .  FFD7       CALL EDI
0047CEF5 .  50          PUSH EAX
0047CEF6 .  FFD6       CALL ESI
0047CEF8 .  66:99       CWD
0047CEFA .  66:B9 B100 MOV CX,0B1
0047CEFE .  66:F7F9    IDIV CX
0047CF01 .  8B0D 00514A00 MOV ECX,DWORD PTR DS:[4A5100]
0047CF07 .  8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0047CF0D .  50          PUSH EAX
0047CF0E .  6A 04       PUSH 4
0047CF10 .  51          PUSH ECX
0047CF11 .  66:83C2 11 ADD DX,11
0047CF15 .  0F80 18140000 JO 扩展名仓.0047E333
0047CF1B .  66:8995 CEFEF>MOV WORD PTR SS:[EBP-132],DX
0047CF22 .  FFD3       CALL EBX
0047CF24 .  8BD0       MOV EDX,EAX
0047CF26 .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
0047CF29 .  FFD7       CALL EDI
0047CF2B .  50          PUSH EAX
0047CF2C .  FFD6       CALL ESI
0047CF2E .  66:99       CWD
0047CF30 .  66:B9 B100 MOV CX,0B1
0047CF34 .  66:F7F9    IDIV CX
0047CF37 .  66:8B85 CEFEF>MOV AX,WORD PTR SS:[EBP-132]
0047CF3E .  66:2BC2    SUB AX,DX
0047CF41 .  0F80 EC130000 JO 扩展名仓.0047E333
0047CF47 .  8BC8       MOV ECX,EAX
0047CF49 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047CF4F .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047CF52 .  0FBFC8       MOVSX ECX,AX
0047CF55 .  894A 04    MOV DWORD PTR DS:[EDX+4],ECX
0047CF58 .  8D45 9C    LEA EAX,DWORD PTR SS:[EBP-64]
0047CF5B .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CF5E .  50          PUSH EAX
0047CF5F .  51          PUSH ECX
0047CF60 .  6A 02       PUSH 2
0047CF62 .  FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ;  msvbvm60.__vbaFreeStrList
0047CF68 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047CF6E .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047CF71 .  52          PUSH EDX
0047CF72 .  50          PUSH EAX
0047CF73 .  6A 02       PUSH 2
0047CF75 .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047CF7B .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CF81 .  8B1D 1C114000 MOV EBX,DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>] ;  msvbvm60.rtcMidCharBstr
0047CF87 .  83C4 18    ADD ESP,18
0047CF8A .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CF8D .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047CF94 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047CF9B .  51          PUSH ECX
0047CF9C .  6A 03       PUSH 3
0047CF9E .  52          PUSH EDX
0047CF9F .  FFD3       CALL EBX                                           ;  <&msvbvm60.rtcMidCharBstr>
0047CFA1 .  8BD0       MOV EDX,EAX
0047CFA3 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CFA6 .  FFD7       CALL EDI
0047CFA8 .  50          PUSH EAX
0047CFA9 .  FFD6       CALL ESI
0047CFAB .  66:99       CWD
0047CFAD .  66:B9 B100 MOV CX,0B1
0047CFB1 .  66:F7F9    IDIV CX
0047CFB4 .  66:8BCA    MOV CX,DX
0047CFB7 .  66:83C1 07 ADD CX,7
0047CFBB .  0F80 72130000 JO 扩展名仓.0047E333
0047CFC1 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047CFC7 .  0FBFD0       MOVSX EDX,AX
0047CFCA .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047CFCD .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047CFD0 .  8950 08    MOV DWORD PTR DS:[EAX+8],EDX
0047CFD3 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047CFD9 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CFDC .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047CFE2 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047CFE8 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047CFEB .  51          PUSH ECX
0047CFEC .  6A 04       PUSH 4
0047CFEE .  52          PUSH EDX
0047CFEF .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047CFF6 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047CFFD .  FFD3       CALL EBX                                           ;  <&msvbvm60.rtcMidCharBstr>
0047CFFF .  8BD0       MOV EDX,EAX
0047D001 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D004 .  FFD7       CALL EDI
0047D006 .  50          PUSH EAX
0047D007 .  FFD6       CALL ESI
0047D009 .  66:99       CWD
0047D00B .  66:B9 B100 MOV CX,0B1
0047D00F .  66:F7F9    IDIV CX
0047D012 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D015 .  0FBFCA       MOVSX ECX,DX
0047D018 .  8B50 04    MOV EDX,DWORD PTR DS:[EAX+4]
0047D01B .  83EA 25    SUB EDX,25
0047D01E .  0F80 0F130000 JO 扩展名仓.0047E333
0047D024 .  0350 08    ADD EDX,DWORD PTR DS:[EAX+8]
0047D027 .  0F80 06130000 JO 扩展名仓.0047E333
0047D02D .  03CA       ADD ECX,EDX
0047D02F .  0F80 FE120000 JO 扩展名仓.0047E333
0047D035 .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047D03B .  8B4D E0    MOV ECX,DWORD PTR SS:[EBP-20]
0047D03E .  8941 0C    MOV DWORD PTR DS:[ECX+C],EAX
0047D041 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D044 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D04A .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D04D .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D053 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D056 .  8B48 08    MOV ECX,DWORD PTR DS:[EAX+8]
0047D059 .  8B50 0C    MOV EDX,DWORD PTR DS:[EAX+C]
0047D05C .  83C1 1B    ADD ECX,1B
0047D05F .  0F80 CE120000 JO 扩展名仓.0047E333
0047D065 .  03CA       ADD ECX,EDX
0047D067 .  0F80 C6120000 JO 扩展名仓.0047E333
0047D06D .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047D073 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047D076 .  8942 10    MOV DWORD PTR DS:[EDX+10],EAX
0047D079 .  E9 46030000 JMP 扩展名仓.0047D3C4
0047D07E >  A1 00514A00 MOV EAX,DWORD PTR DS:[4A5100]
0047D083 .  50          PUSH EAX
0047D084 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>]       ;  msvbvm60.__vbaLenBstr
0047D08A .  83F8 05    CMP EAX,5 〈---- 当用户名的长度等于 5 的时候的处理方式
0047D08D .  0F85 F8000000 JNZ 扩展名仓.0047D18B
0047D093 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047D099 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D09C .  51          PUSH ECX
0047D09D .  6A 02       PUSH 2
0047D09F .  52          PUSH EDX
0047D0A0 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D0A7 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D0AE .  FFD3       CALL EBX
0047D0B0 .  8BD0       MOV EDX,EAX
0047D0B2 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D0B5 .  FFD7       CALL EDI
0047D0B7 .  50          PUSH EAX
0047D0B8 .  FFD6       CALL ESI
0047D0BA .  66:99       CWD
0047D0BC .  66:B9 B100 MOV CX,0B1
0047D0C0 .  66:F7F9    IDIV CX
0047D0C3 .  66:8BCA    MOV CX,DX
0047D0C6 .  66:83C1 07 ADD CX,7
0047D0CA .  0F80 63120000 JO 扩展名仓.0047E333
0047D0D0 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047D0D6 .  0FBFD0       MOVSX EDX,AX
0047D0D9 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D0DC .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D0DF .  8950 04    MOV DWORD PTR DS:[EAX+4],EDX
0047D0E2 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D0E8 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D0EB .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D0F1 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047D0F7 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D0FA .  51          PUSH ECX
0047D0FB .  6A 03       PUSH 3
0047D0FD .  52          PUSH EDX
0047D0FE .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D105 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D10C .  FFD3       CALL EBX
0047D10E .  8BD0       MOV EDX,EAX
0047D110 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D113 .  FFD7       CALL EDI
0047D115 .  50          PUSH EAX
0047D116 .  FFD6       CALL ESI
0047D118 .  66:99       CWD
0047D11A .  66:B9 B100 MOV CX,0B1
0047D11E .  66:F7F9    IDIV CX
0047D121 .  66:8BCA    MOV CX,DX
0047D124 .  66:83C1 11 ADD CX,11
0047D128 .  0F80 05120000 JO 扩展名仓.0047E333
0047D12E .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047D134 .  0FBFD0       MOVSX EDX,AX
0047D137 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D13A .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D13D .  8950 08    MOV DWORD PTR DS:[EAX+8],EDX
0047D140 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D146 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D149 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D14F .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047D155 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D158 .  51          PUSH ECX
0047D159 .  6A 04       PUSH 4
0047D15B .  52          PUSH EDX
0047D15C .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D163 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D16A .  FFD3       CALL EBX
0047D16C .  8BD0       MOV EDX,EAX
0047D16E .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D171 .  FFD7       CALL EDI
0047D173 .  50          PUSH EAX
0047D174 .  FFD6       CALL ESI
0047D176 .  66:99       CWD
0047D178 .  66:B9 B100 MOV CX,0B1
0047D17C .  66:F7F9    IDIV CX
0047D17F .  66:8BCA    MOV CX,DX
0047D182 .  66:83C1 1B ADD CX,1B
0047D186 .  E9 B4010000 JMP 扩展名仓.0047D33F
0047D18B >  8B0D 00514A00 MOV ECX,DWORD PTR DS:[4A5100]
0047D191 .  51          PUSH ECX
0047D192 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>]       ;  msvbvm60.__vbaLenBstr
0047D198 .  83F8 05    CMP EAX,5 〈---- 当用户名的长度大于 5 的时候的处理方式
0047D19B .  0F8E 23020000 JLE 扩展名仓.0047D3C4
0047D1A1 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047D1A7 .  52          PUSH EDX
0047D1A8 .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>]
0047D1AE .  8BC8       MOV ECX,EAX 〈---- 将用户名的长度给 ECX
0047D1B0 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]
0047D1B6 .  8985 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],EAX
0047D1BC .  C745 EC 06000>MOV DWORD PTR SS:[EBP-14],6 〈---- 把 6 放进去
0047D1C3 >  66:8B85 0CFFF>MOV AX,WORD PTR SS:[EBP-F4]
0047D1CA .  66:3945 EC CMP WORD PTR SS:[EBP-14],AX 〈----  比较下用户名的长度会不会大于 6 ，意思就是从第 6 位开始取，这是个循环嘛
0047D1CE .  7F 69       JG SHORT 扩展名仓.0047D239
0047D1D0 .  0FBF55 EC    MOVSX EDX,WORD PTR SS:[EBP-14] 〈---- 用户名 skyege
0047D1D4 .  A1 00514A00 MOV EAX,DWORD PTR DS:[4A5100] 〈---- 6
0047D1D9 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D1DC .  51          PUSH ECX
0047D1DD .  52          PUSH EDX
0047D1DE .  50          PUSH EAX
0047D1DF .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D1E6 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D1ED .  FFD3       CALL EBX 〈---- msvbvm60.rtcMidCharBstr
0047D1EF .  8BD0       MOV EDX,EAX
0047D1F1 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D1F4 .  FFD7       CALL EDI
0047D1F6 .  50          PUSH EAX
0047D1F7 .  FFD6       CALL ESI 〈---- msvbvm60.rtcAnsiValueBstr
0047D1F9 .  66:99       CWD
0047D1FB .  66:B9 B100 MOV CX,0B1
0047D1FF .  66:F7F9    IDIV CX
0047D202 .  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0047D205 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D208 .  0FBFD2       MOVSX EDX,DX 〈---- 取得的ASC值，EDX = 65
0047D20B .  03D0       ADD EDX,EAX 〈---- 累加，就是把第 6 位开始的ASC值累加起来。因为 skyege 只有 6 位，所以就没有累加了
0047D20D .  0F80 20110000 JO 扩展名仓.0047E333
0047D213 .  8955 C8    MOV DWORD PTR SS:[EBP-38],EDX
0047D216 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D21C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D21F .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D225 .  B8 01000000 MOV EAX,1
0047D22A .  66:0345 EC ADD AX,WORD PTR SS:[EBP-14] 〈---- 计数器
0047D22E .  0F80 FF100000 JO 扩展名仓.0047E333
0047D234 .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047D237 .^ EB 8A       JMP SHORT 扩展名仓.0047D1C3 〈---- 循环
0047D239 >  8B45 C8    MOV EAX,DWORD PTR SS:[EBP-38]
0047D23C .  B9 9D000000 MOV ECX,9D
0047D241 .  99          CDQ
0047D242 .  F7F9       IDIV ECX
0047D244 .  A1 00514A00 MOV EAX,DWORD PTR DS:[4A5100] 〈--- 累加值，这里 = 65 啦
0047D249 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D250 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D257 .  8955 C8    MOV DWORD PTR SS:[EBP-38],EDX
0047D25A .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D25D .  52          PUSH EDX
0047D25E .  6A 02       PUSH 2 〈---- 取用户名的第 2 位
0047D260 .  50          PUSH EAX
0047D261 .  FFD3       CALL EBX
0047D263 .  8BD0       MOV EDX,EAX
0047D265 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D268 .  FFD7       CALL EDI
0047D26A .  50          PUSH EAX
0047D26B .  FFD6       CALL ESI
0047D26D .  66:99       CWD
0047D26F .  66:B9 B100 MOV CX,0B1
0047D273 .  66:F7F9    IDIV CX
0047D276 .  66:83C2 07 ADD DX,7 〈--- DX = 6B ，加上 7 ，结果 = 72
0047D27A .  0F80 B3100000 JO 扩展名仓.0047E333
0047D280 .  0FBFCA       MOVSX ECX,DX
0047D283 .  034D C8    ADD ECX,DWORD PTR SS:[EBP-38] 〈---- 72 + 65 = D7 <-----设为值 B
0047D286 .  0F80 A7100000 JO 扩展名仓.0047E333
0047D28C .  FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>]       ;  msvbvm60.__vbaI4Abs
0047D292 .  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20]
0047D295 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D298 .  8942 04    MOV DWORD PTR DS:[EDX+4],EAX
0047D29B .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D2A1 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D2A4 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D2AA .  8B0D 00514A00 MOV ECX,DWORD PTR DS:[4A5100]
0047D2B0 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047D2B3 .  50          PUSH EAX
0047D2B4 .  6A 03       PUSH 3 〈---- 取用户名的第 3 位
0047D2B6 .  51          PUSH ECX
0047D2B7 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D2BE .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D2C5 .  FFD3       CALL EBX
0047D2C7 .  8BD0       MOV EDX,EAX
0047D2C9 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D2CC .  FFD7       CALL EDI
0047D2CE .  50          PUSH EAX
0047D2CF .  FFD6       CALL ESI
0047D2D1 .  66:99       CWD
0047D2D3 .  66:B9 B100 MOV CX,0B1
0047D2D7 .  66:F7F9    IDIV CX
0047D2DA .  66:8BCA    MOV CX,DX
0047D2DD .  66:83C1 0E ADD CX,0E 〈---- 79 + E = 87 <-----设为值 C
0047D2E1 .  0F80 4C100000 JO 扩展名仓.0047E333
0047D2E7 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047D2ED .  0FBFD0       MOVSX EDX,AX
0047D2F0 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D2F3 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D2F6 .  8950 08    MOV DWORD PTR DS:[EAX+8],EDX
0047D2F9 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D2FF .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D302 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D308 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047D30E .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D311 .  51          PUSH ECX
0047D312 .  6A 04       PUSH 4 〈---- 取用户名的第 4 位
0047D314 .  52          PUSH EDX
0047D315 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D31C .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D323 .  FFD3       CALL EBX
0047D325 .  8BD0       MOV EDX,EAX
0047D327 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D32A .  FFD7       CALL EDI
0047D32C .  50          PUSH EAX
0047D32D .  FFD6       CALL ESI
0047D32F .  66:99       CWD
0047D331 .  66:B9 B100 MOV CX,0B1
0047D335 .  66:F7F9    IDIV CX
0047D338 .  66:8BCA    MOV CX,DX
0047D33B .  66:83E9 39 SUB CX,39 〈----- 65 - 39 = 2C <-----设为值 D
0047D33F >  0F80 EE0F0000 JO 扩展名仓.0047E333
0047D345 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047D34B .  0FBFD0       MOVSX EDX,AX
0047D34E .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D351 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D354 .  8950 0C    MOV DWORD PTR DS:[EAX+C],EDX
0047D357 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D35D .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D360 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D366 .  8B15 00514A00 MOV EDX,DWORD PTR DS:[4A5100]
0047D36C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D36F .  51          PUSH ECX
0047D370 .  6A 05       PUSH 5 〈---- 取用户名的第 5 位
0047D372 .  52          PUSH EDX
0047D373 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D37A .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D381 .  FFD3       CALL EBX
0047D383 .  8BD0       MOV EDX,EAX
0047D385 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D388 .  FFD7       CALL EDI
0047D38A .  50          PUSH EAX
0047D38B .  FFD6       CALL ESI
0047D38D .  66:99       CWD
0047D38F .  66:B9 B100 MOV CX,0B1
0047D393 .  66:F7F9    IDIV CX
0047D396 .  66:8BCA    MOV CX,DX
0047D399 .  66:83C1 25 ADD CX,25 〈----- 67 + 25 = 8C <-----设为值 E
0047D39D .  0F80 900F0000 JO 扩展名仓.0047E333
0047D3A3 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]       ;  msvbvm60.__vbaI2Abs
0047D3A9 .  0FBFD0       MOVSX EDX,AX
0047D3AC .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D3AF .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D3B2 .  8950 10    MOV DWORD PTR DS:[EAX+10],EDX
0047D3B5 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D3BB .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D3BE .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D3C4 >  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
0047D3C7 .  8B08       MOV ECX,DWORD PTR DS:[EAX] 〈---- 7A  ，就是第 1 位计算的值
0047D3C9 .  8B40 0C    MOV EAX,DWORD PTR DS:[EAX+C] 〈---- 2C  ，就是第 4 位计算的值
0047D3CC .  03C1       ADD EAX,ECX 〈---- 7A + 2C = A6
0047D3CE .  B9 E7000000 MOV ECX,0E7 〈---- 赋值ECX = E7
0047D3D3 .  0F80 5A0F0000 JO 扩展名仓.0047E333
0047D3D9 .  05 A7000000 ADD EAX,0A7 〈---- A6 + A7 = 14D
0047D3DE .  0F80 4F0F0000 JO 扩展名仓.0047E333
0047D3E4 .  99          CDQ
0047D3E5 .  F7F9       IDIV ECX 〈---- 14D MOD E7 ，取余数，= 66
0047D3E7 .  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20] 〈---- 7A  ，就是第 1 位计算的值
0047D3EA .  0310       ADD EDX,DWORD PTR DS:[EAX] 〈---- 7A + 66 = E0 <-----设为值 A
0047D3EC .  0F80 410F0000 JO 扩展名仓.0047E333
0047D3F2 .  8910       MOV DWORD PTR DS:[EAX],EDX
-------------------------------- 对邮箱的处理 --------------------------------
0047D3F4 .  A1 04514A00 MOV EAX,DWORD PTR DS:[4A5104] 〈---- 邮箱地址：SKYEGE@TOM.COM ，一律转换为大写
0047D3F9 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D3FC .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D403 .  52          PUSH EDX
0047D404 .  6A 01       PUSH 1 〈---- 取邮箱的第 1 位
0047D406 .  50          PUSH EAX
0047D407 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D40E .  FFD3       CALL EBX
0047D410 .  8BD0       MOV EDX,EAX
0047D412 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D415 .  FFD7       CALL EDI
0047D417 .  50          PUSH EAX
0047D418 .  FFD6       CALL ESI
0047D41A .  66:99       CWD
0047D41C .  66:B9 B100 MOV CX,0B1
0047D420 .  66:F7F9    IDIV CX
0047D423 .  8BCA       MOV ECX,EDX
0047D425 .  FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2Abs>]
0047D42B .  0FBFD0       MOVSX EDX,AX 〈---- EDX = 53
0047D42E .  8B45 BC    MOV EAX,DWORD PTR SS:[EBP-44]
0047D431 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D434 .  8910       MOV DWORD PTR DS:[EAX],EDX
0047D436 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D43C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D43F .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D445 .  8B0D 04514A00 MOV ECX,DWORD PTR DS:[4A5104]
0047D44B .  51          PUSH ECX
0047D44C .  FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>] 〈---- 获取邮箱的长度
0047D452 .  8BC8       MOV ECX,EAX 〈---- 把值给 ECX = E （14个嘛）
0047D454 .  FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>]
0047D45A .  C745 EC 06000>MOV DWORD PTR SS:[EBP-14],6 〈---- 参数 6 ，表示从第 6 位开始取
0047D461 .  8985 04FFFFFF MOV DWORD PTR SS:[EBP-FC],EAX
0047D467 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
0047D46A >  66:3B85 04FFF>CMP AX,WORD PTR SS:[EBP-FC] 〈---- 以下的循环是：设值X = 0，（偶数位 + X）- 5 ，值给 X ，然后，（奇数位 + X ）+ 7 ，值得给 X
0047D471 .  0F8F B5000000 JG 扩展名仓.0047D52C
0047D477 .  66:25 0100 AND AX,1
0047D47B .  79 08       JNS SHORT 扩展名仓.0047D485
0047D47D .  66:48       DEC AX
0047D47F .  66:0D FEFF OR AX,0FFFE
0047D483 .  66:40       INC AX
0047D485 >  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D48C .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D493 .  75 38       JNZ SHORT 扩展名仓.0047D4CD
0047D495 .  0FBF45 EC    MOVSX EAX,WORD PTR SS:[EBP-14]
0047D499 .  8B0D 04514A00 MOV ECX,DWORD PTR DS:[4A5104]
0047D49F .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D4A2 .  52          PUSH EDX
0047D4A3 .  50          PUSH EAX
0047D4A4 .  51          PUSH ECX
0047D4A5 .  FFD3       CALL EBX 〈---- 取值
0047D4A7 .  8BD0       MOV EDX,EAX
0047D4A9 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D4AC .  FFD7       CALL EDI
0047D4AE .  50          PUSH EAX
0047D4AF .  FFD6       CALL ESI
0047D4B1 .  8B4D A4    MOV ECX,DWORD PTR SS:[EBP-5C]
0047D4B4 .  0FBFD0       MOVSX EDX,AX 〈---- EDX = 值
0047D4B7 .  03D1       ADD EDX,ECX 〈---- 相加
0047D4B9 .  0F80 740E0000 JO 扩展名仓.0047E333
0047D4BF .  83EA 05    SUB EDX,5 〈---- 再减 5
0047D4C2 .  0F80 6B0E0000 JO 扩展名仓.0047E333
0047D4C8 .  8955 A4    MOV DWORD PTR SS:[EBP-5C],EDX
0047D4CB .  EB 36       JMP SHORT 扩展名仓.0047D503 〈--- 跳走
0047D4CD >  0FBF4D EC    MOVSX ECX,WORD PTR SS:[EBP-14]
0047D4D1 .  8B15 04514A00 MOV EDX,DWORD PTR DS:[4A5104]
0047D4D7 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047D4DA .  50          PUSH EAX
0047D4DB .  51          PUSH ECX
0047D4DC .  52          PUSH EDX
0047D4DD .  FFD3       CALL EBX
0047D4DF .  8BD0       MOV EDX,EAX
0047D4E1 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D4E4 .  FFD7       CALL EDI
0047D4E6 .  50          PUSH EAX
0047D4E7 .  FFD6       CALL ESI
0047D4E9 .  8B55 A4    MOV EDX,DWORD PTR SS:[EBP-5C]
0047D4EC .  0FBFC0       MOVSX EAX,AX
0047D4EF .  03C2       ADD EAX,EDX 〈--- 相加
0047D4F1 .  0F80 3C0E0000 JO 扩展名仓.0047E333
0047D4F7 .  83C0 07    ADD EAX,7 〈--- 再加 7
0047D4FA .  0F80 330E0000 JO 扩展名仓.0047E333
0047D500 .  8945 A4    MOV DWORD PTR SS:[EBP-5C],EAX
0047D503 >  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D506 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D50C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D50F .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D515 .  B8 01000000 MOV EAX,1
0047D51A .  66:0345 EC ADD AX,WORD PTR SS:[EBP-14]
0047D51E .  0F80 0F0E0000 JO 扩展名仓.0047E333
0047D524 .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047D527 .^ E9 3EFFFFFF JMP 扩展名仓.0047D46A 〈----- 循环
0047D52C >  8B45 A4    MOV EAX,DWORD PTR SS:[EBP-5C] 〈----- 循环完所得到的值放到 EAX = 285
0047D52F .  B9 B1000000 MOV ECX,0B1 〈----- ECX = B1
0047D534 .  99          CDQ
0047D535 .  F7F9       IDIV ECX 〈----- 取余数 285 MOD B1 = 72
0047D537 .  B8 01000000 MOV EAX,1
0047D53C .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047D53F .  8955 A4    MOV DWORD PTR SS:[EBP-5C],EDX 〈----- EDX =72
0047D542 >  B9 05000000 MOV ECX,5 〈------ 第 5 位以下的进行浮点运算。
0047D547 .  66:3BC1    CMP AX,CX
0047D54A .  0F8F E4000000 JG 扩展名仓.0047D634
0047D550 .  66:2D 0100 SUB AX,1 〈------ 计数器，- 1
0047D554 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D55B .  0F80 D20D0000 JO 扩展名仓.0047E333
0047D561 .  0FBFC0       MOVSX EAX,AX
0047D564 .  3BC1       CMP EAX,ECX
0047D566 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D56D .  8985 20FFFFFF MOV DWORD PTR SS:[EBP-E0],EAX
0047D573 .  72 06       JB SHORT 扩展名仓.0047D57B
0047D575 .  FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>;  msvbvm60.__vbaGenerateBoundsError
0047D57B >  0FBF45 EC    MOVSX EAX,WORD PTR SS:[EBP-14]
0047D57F .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D582 .  8985 C8FEFFFF MOV DWORD PTR SS:[EBP-138],EAX
0047D588 .  52          PUSH EDX
0047D589 .  50          PUSH EAX
0047D58A .  A1 04514A00 MOV EAX,DWORD PTR DS:[4A5104]
0047D58F .  50          PUSH EAX
0047D590 .  FFD3       CALL EBX 〈---- 按顺序从第 1 个开始取到第 5 个
0047D592 .  8BD0       MOV EDX,EAX
0047D594 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D597 .  FFD7       CALL EDI
0047D599 .  50          PUSH EAX
0047D59A .  FFD6       CALL ESI
0047D59C .  0FBFC8       MOVSX ECX,AX
0047D59F .  898D C4FEFFFF MOV DWORD PTR SS:[EBP-13C],ECX
0047D5A5 .  DB85 C4FEFFFF FILD DWORD PTR SS:[EBP-13C] 〈----- 逐个保存
0047D5AB .  DD9D BCFEFFFF FSTP QWORD PTR SS:[EBP-144]
0047D5B1 .  DB85 C8FEFFFF FILD DWORD PTR SS:[EBP-138] 〈---- 保存的是位数，这里其实是用来决定下面 115 是正数还是负数的。奇数为负，偶数为正
0047D5B7 .  DD9D B4FEFFFF FSTP QWORD PTR SS:[EBP-14C]
0047D5BD .  8B95 B8FEFFFF MOV EDX,DWORD PTR SS:[EBP-148]
0047D5C3 .  8B85 B4FEFFFF MOV EAX,DWORD PTR SS:[EBP-14C]
0047D5C9 .  52          PUSH EDX                                           ; /Arg4
0047D5CA .  50          PUSH EAX                                           ; |Arg3
0047D5CB .  68 0000F0BF PUSH BFF00000                                     ; |Arg2 = BFF00000
0047D5D0 .  6A 00       PUSH 0                                           ; |Arg1 = 00000000
0047D5D2 .  FF15 5C124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowerR8>]       ; \__vbaPowerR8
0047D5D8 .  DB45 A4    FILD DWORD PTR SS:[EBP-5C] 〈---- 114  就是上面求余的值 72
0047D5DB .  DD9D ACFEFFFF FSTP QWORD PTR SS:[EBP-154]
0047D5E1 .  DC8D ACFEFFFF FMUL QWORD PTR SS:[EBP-154] 〈---- 相乘  ，乘于 -1 或者 +1
0047D5E7 .  DC85 BCFEFFFF FADD QWORD PTR SS:[EBP-144] 〈---- 再相加
0047D5ED .  D9E1       FABS
0047D5EF .  DFE0       FSTSW AX
0047D5F1 .  A8 0D       TEST AL,0D
0047D5F3 .  0F85 350D0000 JNZ 扩展名仓.0047E32E
0047D5F9 .  FF15 AC124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFpI4>] 〈---- 转化为整数，去掉小数，以 16 进制输出
0047D5FF .  8B4D BC    MOV ECX,DWORD PTR SS:[EBP-44]
0047D602 .  8B95 20FFFFFF MOV EDX,DWORD PTR SS:[EBP-E0]
0047D608 .  890491       MOV DWORD PTR DS:[ECX+EDX*4],EAX 〈------- 这里循环 5 次得到值：1F ，BD ，19 ，B7 ，2B  放到内存 002243A0 开始的地方 ,这些值很重要，参加计算的，分别设为 H ， I ， J ， K ， L
0047D60B .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D60E .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D614 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D617 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D61D .  B8 01000000 MOV EAX,1
0047D622 .  66:0345 EC ADD AX,WORD PTR SS:[EBP-14]
0047D626 .  0F80 070D0000 JO 扩展名仓.0047E333
0047D62C .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047D62F .^ E9 0EFFFFFF JMP 扩展名仓.0047D542 〈----- 循环
0047D634 >  A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118]

-------------------------------- 开始对假码的处理 -----------------------------------
0047D639 .  6A 01       PUSH 1
0047D63B .  8B48 10    MOV ECX,DWORD PTR DS:[EAX+10] 〈----- 取第 5 组假码就是 56789
0047D63E .  51          PUSH ECX
0047D63F .  FF15 A4124000 CALL DWORD PTR DS:[<&msvbvm60.rtcLeftCharBstr>] 〈---- 取左边第 1 个
0047D645 .  8BD0       MOV EDX,EAX
0047D647 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D64A .  FFD7       CALL EDI
0047D64C .  50          PUSH EAX
0047D64D .  FFD6       CALL ESI
0047D64F .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D652 .  8945 A8    MOV DWORD PTR SS:[EBP-58],EAX 〈---- 35
0047D655 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]
0047D65B .  66:837D A8 41 CMP WORD PTR SS:[EBP-58],41 〈---- 一大堆的判断条件，就是用来判断数字还是字母，大小写的处理
0047D660 .  7C 1A       JL SHORT 扩展名仓.0047D67C 〈---- 小于 41 的时候
0047D662 .  66:837D A8 4A CMP WORD PTR SS:[EBP-58],4A
0047D667 .  7F 13       JG SHORT 扩展名仓.0047D67C
0047D669 .  66:8B55 A8 MOV DX,WORD PTR SS:[EBP-58]
0047D66D .  66:83EA 11 SUB DX,11
0047D671 .  0F80 BC0C0000 JO 扩展名仓.0047E333
0047D677 .  8955 A8    MOV DWORD PTR SS:[EBP-58],EDX
0047D67A .  EB 4C       JMP SHORT 扩展名仓.0047D6C8
0047D67C >  8B45 A8    MOV EAX,DWORD PTR SS:[EBP-58]
0047D67F .  66:3D 3000 CMP AX,30
0047D683 .  7C 0C       JL SHORT 扩展名仓.0047D691 〈----- 小于 30 的时候
0047D685 .  66:3D 3900 CMP AX,39
0047D689 .  7F 06       JG SHORT 扩展名仓.0047D691 〈----- 大于 39 的时候
0047D68B .  66:05 1100 ADD AX,11 〈----- 其实意思就是说：是数字就加上 11
0047D68F .  EB 2E       JMP SHORT 扩展名仓.0047D6BF
0047D691 >  66:3D 4A00 CMP AX,4A
0047D695 .  7E 06       JLE SHORT 扩展名仓.0047D69D
0047D697 .  66:3D 4C00 CMP AX,4C
0047D69B .  7E 2B       JLE SHORT 扩展名仓.0047D6C8
0047D69D >  66:3D 5400 CMP AX,54
0047D6A1 .  7C 0C       JL SHORT 扩展名仓.0047D6AF
0047D6A3 .  66:3D 5A00 CMP AX,5A
0047D6A7 .  7F 06       JG SHORT 扩展名仓.0047D6AF
0047D6A9 .  66:2D 0700 SUB AX,7
0047D6AD .  EB 10       JMP SHORT 扩展名仓.0047D6BF
0047D6AF >  66:3D 4D00 CMP AX,4D
0047D6B3 .  7C 13       JL SHORT 扩展名仓.0047D6C8
0047D6B5 .  66:3D 5300 CMP AX,53
0047D6B9 .  7F 0D       JG SHORT 扩展名仓.0047D6C8
0047D6BB .  66:05 0700 ADD AX,7
0047D6BF >  0F80 6E0C0000 JO 扩展名仓.0047E333
0047D6C5 .  8945 A8    MOV DWORD PTR SS:[EBP-58],EAX 〈---- EAX =46
0047D6C8 >  8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118]
0047D6CE .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
0047D6D1 .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D6D8 .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2
0047D6DF .  8B51 04    MOV EDX,DWORD PTR DS:[ECX+4] 〈----- 取第 2 组假码，就是 23456
0047D6E2 .  50          PUSH EAX
0047D6E3 .  6A 02       PUSH 2 〈----- 取第 2 个
0047D6E5 .  52          PUSH EDX
0047D6E6 .  FFD3       CALL EBX
0047D6E8 .  8BD0       MOV EDX,EAX
0047D6EA .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D6ED .  FFD7       CALL EDI
0047D6EF .  50          PUSH EAX
0047D6F0 .  FFD6       CALL ESI
0047D6F2 .  33C9       XOR ECX,ECX
0047D6F4 .  66:3945 A8 CMP WORD PTR SS:[EBP-58],AX 〈---- 比较啦。AX = 33 ，SS:[EBP-58] = 46 。也就是说第 5 组的第 1 个加上 11 ，必须等于第 2 组的第 2 个。哈哈，得到条件 1。（当然，这只是我的）
0047D6F8 .  0F95C1       SETNE CL
0047D6FB .  F7D9       NEG ECX
0047D6FD .  898D 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],ECX
0047D703 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D706 .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D70C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D70F .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D715 .  66:83BD 1CFFF>CMP WORD PTR SS:[EBP-E4],0
0047D71D .  0F85 7C0B0000 JNZ 扩展名仓.0047E29F 〈---- 不相等就跳，跳就 OVER 。呵呵
0047D723 .  C785 F4FEFFFF>MOV DWORD PTR SS:[EBP-10C],3
0047D72D .  33C0       XOR EAX,EAX
0047D72F >  66:3B85 F4FEF>CMP AX,WORD PTR SS:[EBP-10C]
0047D736 .  8945 EC    MOV DWORD PTR SS:[EBP-14],EAX
0047D739 .  0F8F BC010000 JG 扩展名仓.0047D8FB
0047D73F .  B8 02000000 MOV EAX,2
0047D744 .  B9 01000000 MOV ECX,1
0047D749 .  8945 8C    MOV DWORD PTR SS:[EBP-74],EAX
0047D74C .  8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
0047D752 .  66:8B45 EC MOV AX,WORD PTR SS:[EBP-14]
0047D756 .  894D 94    MOV DWORD PTR SS:[EBP-6C],ECX
0047D759 .  66:03C1    ADD AX,CX
0047D75C .  894D 84    MOV DWORD PTR SS:[EBP-7C],ECX
0047D75F .  0F80 CE0B0000 JO 扩展名仓.0047E333
0047D765 .  0FBFC8       MOVSX ECX,AX
0047D768 .  8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
0047D76E .  52          PUSH EDX
0047D76F .  51          PUSH ECX
0047D770 .  68 E4E64200 PUSH 扩展名仓.0042E6E4                               ;  UNICODE "Liansoft"
0047D775 .  FFD3       CALL EBX 〈----- 取固定字符 Liansoft 的第 1 ， 2 ，3 ，…… 个，得到 4C 69  61 6E  73  6F  66  74
0047D777 .  8BD0       MOV EDX,EAX
0047D779 .  8D4D 9C    LEA ECX,DWORD PTR SS:[EBP-64]
0047D77C .  FFD7       CALL EDI
0047D77E .  50          PUSH EAX
0047D77F .  FFD6       CALL ESI
0047D781 .  66:8985 A8FEF>MOV WORD PTR SS:[EBP-158],AX
0047D788 .  A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118]
0047D78D .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D790 .  8B48 08    MOV ECX,DWORD PTR DS:[EAX+8] 〈---- 取第 3 组加码，就是 34567 〈--这里根据第 3 组来推算第 5 组
0047D793 .  52          PUSH EDX
0047D794 .  6A 02       PUSH 2 〈---- 取第 2 个，得到的是 34
0047D796 .  51          PUSH ECX
0047D797 .  FFD3       CALL EBX
0047D799 .  8BD0       MOV EDX,EAX
0047D79B .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D79E .  FFD7       CALL EDI
0047D7A0 .  50          PUSH EAX
0047D7A1 .  FFD6       CALL ESI
0047D7A3 .  66:8B4D EC MOV CX,WORD PTR SS:[EBP-14]
0047D7A7 .  66:8BD0    MOV DX,AX
0047D7AA .  66:8B85 A8FEF>MOV AX,WORD PTR SS:[EBP-158]
0047D7B1 .  66:03C2    ADD AX,DX 〈---- 加起来，34 + 4C =80 ，34 + 69 = 9D ，……
0047D7B4 .  8D55 9C    LEA EDX,DWORD PTR SS:[EBP-64]
0047D7B7 .  0F80 760B0000 JO 扩展名仓.0047E333
0047D7BD .  66:6BC9 07 IMUL CX,CX,7
0047D7C1 .  0F80 6C0B0000 JO 扩展名仓.0047E333
0047D7C7 .  66:03C1    ADD AX,CX
0047D7CA .  52          PUSH EDX
0047D7CB .  0F80 620B0000 JO 扩展名仓.0047E333
0047D7D1 .  8945 A8    MOV DWORD PTR SS:[EBP-58],EAX
0047D7D4 .  8D45 A0    LEA EAX,DWORD PTR SS:[EBP-60]
0047D7D7 .  50          PUSH EAX
0047D7D8 .  6A 02       PUSH 2
0047D7DA .  FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ;  msvbvm60.__vbaFreeStrList
0047D7E0 .  8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
0047D7E6 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D7E9 .  51          PUSH ECX
0047D7EA .  52          PUSH EDX
0047D7EB .  6A 02       PUSH 2
0047D7ED .  FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ;  msvbvm60.__vbaFreeVarList
0047D7F3 .  8B45 A8    MOV EAX,DWORD PTR SS:[EBP-58]
0047D7F6 .  83C4 18    ADD ESP,18
0047D7F9 .  66:837D A8 30 CMP WORD PTR SS:[EBP-58],30
0047D7FE .  7C 06       JL SHORT 扩展名仓.0047D806
0047D800 .  66:3D 3900 CMP AX,39
0047D804 .  7E 76       JLE SHORT 扩展名仓.0047D87C
0047D806 >  66:3D 4100 CMP AX,41
0047D80A .  7C 06       JL SHORT 扩展名仓.0047D812
0047D80C .  66:3D 5A00 CMP AX,5A
0047D810 .  7E 6A       JLE SHORT 扩展名仓.0047D87C
0047D812 >  66:99       CWD
0047D814 .  66:B9 4D00 MOV CX,4D
0047D818 .  66:F7F9    IDIV CX
0047D81B .  66:83FA 07 CMP DX,7
0047D81F .  8955 A8    MOV DWORD PTR SS:[EBP-58],EDX
0047D822 .  7F 06       JG SHORT 扩展名仓.0047D82A
0047D824 .  66:83C2 31 ADD DX,31
0047D828 .  EB 49       JMP SHORT 扩展名仓.0047D873
0047D82A >  66:83FA 21 CMP DX,21
0047D82E .  7F 06       JG SHORT 扩展名仓.0047D836
0047D830 .  66:83C2 39 ADD DX,39
0047D834 .  EB 3D       JMP SHORT 扩展名仓.0047D873
0047D836 >  66:83FA 27 CMP DX,27
0047D83A .  7D 1B       JGE SHORT 扩展名仓.0047D857
0047D83C .  66:83E2 01 AND DX,1
0047D840 .  79 08       JNS SHORT 扩展名仓.0047D84A
0047D842 .  66:4A       DEC DX
0047D844 .  66:83CA FE OR DX,0FFFE
0047D848 .  66:42       INC DX
0047D84A >  66:F7DA    NEG DX
0047D84D .  1BD2       SBB EDX,EDX
0047D84F .  83E2 FB    AND EDX,FFFFFFFB
0047D852 .  83C2 4D    ADD EDX,4D
0047D855 .  EB 22       JMP SHORT 扩展名仓.0047D879
0047D857 >  66:83FA 30 CMP DX,30
0047D85B .  7D 06       JGE SHORT 扩展名仓.0047D863
0047D85D .  66:83C2 23 ADD DX,23
0047D861 .  EB 10       JMP SHORT 扩展名仓.0047D873
0047D863 >  66:83FA 39 CMP DX,39
0047D867 .  7E 13       JLE SHORT 扩展名仓.0047D87C
0047D869 .  66:83FA 41 CMP DX,41
0047D86D .  7D 0D       JGE SHORT 扩展名仓.0047D87C
0047D86F .  66:83EA 07 SUB DX,7
0047D873 >  0F80 BA0A0000 JO 扩展名仓.0047E333
0047D879 >  8955 A8    MOV DWORD PTR SS:[EBP-58],EDX
0047D87C >  66:8B45 EC MOV AX,WORD PTR SS:[EBP-14]
0047D880 .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]
0047D883 .  66:05 0200 ADD AX,2
0047D887 .  52          PUSH EDX
0047D888 .  8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118]
0047D88E .  C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1
0047D895 .  0F80 980A0000 JO 扩展名仓.0047E333
0047D89B .  0FBFC8       MOVSX ECX,AX
0047D89E .  C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 〈----- 先取第 2 个，然后第 3 ，第 4 ，…… ，也就是说这个循环是验证第 5 组后 4 位的。
0047D8A5 .  8B42 10    MOV EAX,DWORD PTR DS:[EDX+10] 〈----- 取第 5 组假码，就是 56789
0047D8A8 .  51          PUSH ECX
0047D8A9 .  50          PUSH EAX
0047D8AA .  FFD3       CALL EBX
0047D8AC .  8BD0       MOV EDX,EAX
0047D8AE .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D8B1 .  FFD7       CALL EDI
0047D8B3 .  50          PUSH EAX
0047D8B4 .  FFD6       CALL ESI
0047D8B6 .  33C9       XOR ECX,ECX
0047D8B8 .  66:3945 A8 CMP WORD PTR SS:[EBP-58],AX 〈----- 比较啦。条件 2 ：就是说第 3 组的每个ASC分别加上对应的字符"Liansoft"的ASC，处理必须等于第 5 组
0047D8BC .  0F95C1       SETNE CL
0047D8BF .  F7D9       NEG ECX
0047D8C1 .  898D 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],ECX
0047D8C7 .  8D4D A0    LEA ECX,DWORD PTR SS:[EBP-60]
0047D8CA .  FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>]       ;  msvbvm60.__vbaFreeStr
0047D8D0 .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
0047D8D3 .  FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>]       ;  msvbvm60.__vbaFreeVar
0047D8D9 .  66:83BD 1CFFF>CMP WORD PTR SS:[EBP-E4],0
0047D8E1 .  0F85 B8090000 JNZ 扩展名仓.0047E29F 〈----- 跳就 OVER 咯。
0047D8E7 .  B8 01000000 MOV EAX,1
0047D8EC .  66:0345 EC ADD AX,WORD PTR SS:[EBP-14]
0047D8F0 .  0F80 3D0A0000 JO 扩展名仓.0047E333
0047D8F6 .^ E9 34FEFFFF JMP 扩展名仓.0047D72F 〈---- 大循环

[课程]Android-CTF解题方法汇总！

收藏・0

免费・7

支持

最新回复 (13)
skyege 雪币： 229 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 555 粉丝 0 关注私信	skyege 2 2 楼 0047D8FB > 33C0 XOR EAX,EAX 0047D8FD . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 0047D900 > B9 04000000 MOV ECX,4 0047D905 . 66:3BC1 CMP AX,CX 0047D908 . 0F8F D8010000 JG 扩展名仓.0047DAE6 0047D90E . 0FBFC0 MOVSX EAX,AX 0047D911 . 83F8 05 CMP EAX,5 0047D914 . 8985 C8FEFFFF MOV DWORD PTR SS:[EBP-138],EAX 0047D91A . 72 17 JB SHORT 扩展名仓.0047D933 0047D91C . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047D922 . 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] 0047D928 . 83F8 05 CMP EAX,5 0047D92B . 72 06 JB SHORT 扩展名仓.0047D933 0047D92D . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047D933 > A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047D938 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047D93B . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 0047D942 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 0047D949 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 〈----- 第 2 组假码 0047D94C . 52 PUSH EDX 0047D94D . 6A 01 PUSH 1 〈----- 取第 1 个 0047D94F . 51 PUSH ECX 0047D950 . FFD3 CALL EBX 0047D952 . 8BD0 MOV EDX,EAX 0047D954 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047D957 . FFD7 CALL EDI 0047D959 . 50 PUSH EAX 0047D95A . FFD6 CALL ESI 0047D95C . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，2B 〈---- 这里是邮箱浮点运算后的几个值 0047D95F . 8B5D E0 MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= E0 ，D7 ，87 ，2C ，8C 〈---- 这里是用户名计算后的几个值 0047D962 . 0FBFC8 MOVSX ECX,AX 〈---- ECX = 32 0047D965 . 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] 0047D96B . 8B1482 MOV EDX,DWORD PTR DS:[EDX+EAX4] 0047D96E . 031483 ADD EDX,DWORD PTR DS:[EBX+EAX4] 〈---- IF + E0 = FF ，BD + D7 = ………… 0047D971 . 66:8B45 EC MOV AX,WORD PTR SS:[EBP-14] 0047D975 . 0F80 B8090000 JO 扩展名仓.0047E333 0047D97B . 66:05 0700 ADD AX,7 〈--- AX = 7 0047D97F . 0F80 AE090000 JO 扩展名仓.0047E333 0047D985 . 66:6BC0 05 IMUL AX,AX,5 〈---- AX = 23 0047D989 . 0F80 A4090000 JO 扩展名仓.0047E333 0047D98F . 0FBFC0 MOVSX EAX,AX 0047D992 . 03D0 ADD EDX,EAX 〈---- 23 + FF = 122 ；这是第一次计算的时候 0047D994 . 0F80 99090000 JO 扩展名仓.0047E333 0047D99A . 03CA ADD ECX,EDX 〈---- 122 + 32 = 154 0047D99C . 0F80 91090000 JO 扩展名仓.0047E333 0047D9A2 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047D9A8 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047D9AB . 8BD8 MOV EBX,EAX 0047D9AD . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047D9B3 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047D9B6 . FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar 0047D9BC . 66:83FB 30 CMP BX,30 0047D9C0 . 7C 06 JL SHORT 扩展名仓.0047D9C8 0047D9C2 . 66:83FB 39 CMP BX,39 0047D9C6 . 7E 61 JLE SHORT 扩展名仓.0047DA29 0047D9C8 > 66:83FB 41 CMP BX,41 0047D9CC . 7C 06 JL SHORT 扩展名仓.0047D9D4 0047D9CE . 66:83FB 5A CMP BX,5A 0047D9D2 . 7E 55 JLE SHORT 扩展名仓.0047DA29 0047D9D4 > 66:8BC3 MOV AX,BX 0047D9D7 . 66:B9 5B00 MOV CX,5B 〈---- 5B 给 CX 0047D9DB . 66:99 CWD 0047D9DD . 66:F7F9 IDIV CX 〈----- 154 MOD 5B ，取余数 43 0047D9E0 . 8BDA MOV EBX,EDX 0047D9E2 . 66:83FB 0A CMP BX,0A 0047D9E6 . 7D 06 JGE SHORT 扩展名仓.0047D9EE 0047D9E8 . 66:83C3 30 ADD BX,30 0047D9EC . EB 35 JMP SHORT 扩展名仓.0047DA23 0047D9EE > 66:83FB 23 CMP BX,23 0047D9F2 . 7F 06 JG SHORT 扩展名仓.0047D9FA 0047D9F4 . 66:83C3 37 ADD BX,37 0047D9F8 . EB 29 JMP SHORT 扩展名仓.0047DA23 0047D9FA > 66:83FB 2A CMP BX,2A 0047D9FE . 7D 07 JGE SHORT 扩展名仓.0047DA07 0047DA00 . BB 4D000000 MOV EBX,4D 0047DA05 . EB 22 JMP SHORT 扩展名仓.0047DA29 0047DA07 > 66:83FB 30 CMP BX,30 0047DA0B . 7D 06 JGE SHORT 扩展名仓.0047DA13 0047DA0D . 66:83C3 1B ADD BX,1B 0047DA11 . EB 10 JMP SHORT 扩展名仓.0047DA23 0047DA13 > 66:83FB 39 CMP BX,39 0047DA17 . 7E 10 JLE SHORT 扩展名仓.0047DA29 0047DA19 . 66:83FB 41 CMP BX,41 0047DA1D . 7D 0A JGE SHORT 扩展名仓.0047DA29 0047DA1F . 66:83EB 07 SUB BX,7 0047DA23 > 0F80 0A090000 JO 扩展名仓.0047E333 0047DA29 > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047DA2F . 66:8B4D EC MOV CX,WORD PTR SS:[EBP-14] 0047DA33 . 83C2 0C ADD EDX,0C 0047DA36 . 66:83C1 01 ADD CX,1 0047DA3A . 8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX 0047DA40 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DA43 . 0F80 EA080000 JO 扩展名仓.0047E333 0047DA49 . 0FBFD1 MOVSX EDX,CX 0047DA4C . 50 PUSH EAX ; /Arg4 0047DA4D . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4] ; \| 0047DA53 . 52 PUSH EDX ; \|Arg3 0047DA54 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] ; \| 0047DA5A . 50 PUSH EAX ; \|Arg2 0047DA5B . 51 PUSH ECX ; \|Arg1 0047DA5C . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 ; \| 0047DA63 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 ; \| 0047DA6A . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047DA74 . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 〈---- 取第 4 组假码 0047DA7A . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DA80 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DA83 . 52 PUSH EDX 0047DA84 . 50 PUSH EAX 0047DA85 . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DA8B . 50 PUSH EAX 0047DA8C . FFD6 CALL ESI 0047DA8E . 33C9 XOR ECX,ECX 0047DA90 . 66:3BD8 CMP BX,AX 〈---- 和 43 比较啦，在这里把 BX 的值逐个记起来就是第 4 组注册码了。 0047DA93 . 0F95C1 SETNE CL 0047DA96 . F7D9 NEG ECX 0047DA98 . 8BD9 MOV EBX,ECX 0047DA9A . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DA9D . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DAA3 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DAA9 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DAAC . 52 PUSH EDX 0047DAAD . 50 PUSH EAX 0047DAAE . 6A 02 PUSH 2 0047DAB0 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DAB6 . 83C4 0C ADD ESP,0C 0047DAB9 . 66:85DB TEST BX,BX 0047DABC . 0F85 DD070000 JNZ 扩展名仓.0047E29F 0047DAC2 . 8B1D 1C114000 MOV EBX,DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr 0047DAC8 . B8 01000000 MOV EAX,1 0047DACD . 66:0345 EC ADD AX,WORD PTR SS:[EBP-14] 0047DAD1 . C745 CC FFFFF>MOV DWORD PTR SS:[EBP-34],-1 0047DAD8 . 0F80 55080000 JO 扩展名仓.0047E333 0047DADE . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 0047DAE1 .^ E9 1AFEFFFF JMP 扩展名仓.0047D900 0047DAE6 > 33DB XOR EBX,EBX 0047DAE8 > B8 04000000 MOV EAX,4 0047DAED . 895D EC MOV DWORD PTR SS:[EBP-14],EBX 0047DAF0 . 66:3BD8 CMP BX,AX 0047DAF3 . 0F8F EC020000 JG 扩展名仓.0047DDE5 0047DAF9 . 66:85DB TEST BX,BX 0047DAFC . 0FBFFB MOVSX EDI,BX 0047DAFF . 7E 7D JLE SHORT 扩展名仓.0047DB7E 0047DB01 . 83FF 05 CMP EDI,5 0047DB04 . 72 06 JB SHORT 扩展名仓.0047DB0C 0047DB06 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB0C > 66:83EB 01 SUB BX,1 0047DB10 . 0F80 1D080000 JO 扩展名仓.0047E333 0047DB16 . 0FBFDB MOVSX EBX,BX 0047DB19 . 83FB 05 CMP EBX,5 0047DB1C . 72 06 JB SHORT 扩展名仓.0047DB24 0047DB1E . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB24 > 83FF 05 CMP EDI,5 0047DB27 . 72 06 JB SHORT 扩展名仓.0047DB2F 0047DB29 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB2F > 8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118] 0047DB35 . 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] 0047DB38 . 52 PUSH EDX 0047DB39 . FFD6 CALL ESI 0047DB3B . 0FBFC8 MOVSX ECX,AX 0047DB3E . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DB41 . 8B1498 MOV EDX,DWORD PTR DS:[EAX+EBX4] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，〈---- 这里是邮箱浮点运算后的几个值 ,少了一个哦。 0047DB44 . 8B5D E0 MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值，顺序有点变化，少了一个哦。注意。 0047DB47 . 0314BB ADD EDX,DWORD PTR DS:[EBX+EDI4] 〈---- 加 0047DB4A . 8B1CB8 MOV EBX,DWORD PTR DS:[EAX+EDI4] 0047DB4D . 0F80 E0070000 JO 扩展名仓.0047E333 0047DB53 . 03D7 ADD EDX,EDI 0047DB55 . 0F80 D8070000 JO 扩展名仓.0047E333 0047DB5B . 2BD3 SUB EDX,EBX 0047DB5D . 0F80 D0070000 JO 扩展名仓.0047E333 0047DB63 . 03CA ADD ECX,EDX 0047DB65 . 0F80 C8070000 JO 扩展名仓.0047E333 0047DB6B . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DB71 . 8BC8 MOV ECX,EAX 0047DB73 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DB79 . 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] 0047DB7C . EB 5E JMP SHORT 扩展名仓.0047DBDC 0047DB7E > 83FF 05 CMP EDI,5 0047DB81 . 72 11 JB SHORT 扩展名仓.0047DB94 0047DB83 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB89 . 83FF 05 CMP EDI,5 0047DB8C . 72 06 JB SHORT 扩展名仓.0047DB94 0047DB8E . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB94 > A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047DB99 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 〈---- 第 2 组假码 0047DB9C . 51 PUSH ECX 0047DB9D . FFD6 CALL ESI 0047DB9F . 0FBFD0 MOVSX EDX,AX 0047DBA2 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DBA5 . 8B0CB8 MOV ECX,DWORD PTR DS:[EAX+EDI4] 0047DBA8 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] 0047DBAB . 0FAFCF IMUL ECX,EDI 0047DBAE . 0F80 7F070000 JO 扩展名仓.0047E333 0047DBB4 . 030CB8 ADD ECX,DWORD PTR DS:[EAX+EDI4] 0047DBB7 . 0F80 76070000 JO 扩展名仓.0047E333 0047DBBD . 83C1 4D ADD ECX,4D 0047DBC0 . 0F80 6D070000 JO 扩展名仓.0047E333 0047DBC6 . 2BCA SUB ECX,EDX 0047DBC8 . 0F80 65070000 JO 扩展名仓.0047E333 0047DBCE . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DBD4 . 8BC8 MOV ECX,EAX 0047DBD6 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DBDC > 66:3D 3000 CMP AX,30 0047DBE0 . 7C 06 JL SHORT 扩展名仓.0047DBE8 0047DBE2 . 66:3D 3900 CMP AX,39 0047DBE6 . 7E 0C JLE SHORT 扩展名仓.0047DBF4 0047DBE8 > 66:3D 6100 CMP AX,61 0047DBEC . 7C 5C JL SHORT 扩展名仓.0047DC4A 0047DBEE . 66:3D 7A00 CMP AX,7A 0047DBF2 . 7F 56 JG SHORT 扩展名仓.0047DC4A 0047DBF4 > 0FBFC8 MOVSX ECX,AX 0047DBF7 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DBFA . 51 PUSH ECX ; /Arg2 0047DBFB . 52 PUSH EDX ; \|Arg1 0047DBFC . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 〈---直接取第 1 个 0047DC02 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DC05 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DC0B . 50 PUSH EAX ; /Arg2 0047DC0C . 51 PUSH ECX ; \|Arg1 0047DC0D . FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; \rtcUpperCaseVar 0047DC13 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DC19 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DC1C . 52 PUSH EDX 0047DC1D . 50 PUSH EAX 0047DC1E . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DC24 . 50 PUSH EAX 0047DC25 . FFD6 CALL ESI 0047DC27 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DC2A . 8BF8 MOV EDI,EAX 0047DC2C . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DC32 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DC38 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DC3B . 51 PUSH ECX 0047DC3C . 52 PUSH EDX 0047DC3D . 6A 02 PUSH 2 0047DC3F . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DC45 . 83C4 0C ADD ESP,0C 0047DC48 . EB 76 JMP SHORT 扩展名仓.0047DCC0 0047DC4A > 66:99 CWD 0047DC4C . 66:B9 7B00 MOV CX,7B 0047DC50 . 66:F7F9 IDIV CX 0047DC53 . 8BFA MOV EDI,EDX 0047DC55 . 66:83FF 1A CMP DI,1A 0047DC59 . 7D 06 JGE SHORT 扩展名仓.0047DC61 0047DC5B . 66:83C7 61 ADD DI,61 0047DC5F . EB 59 JMP SHORT 扩展名仓.0047DCBA 0047DC61 > 66:83FF 23 CMP DI,23 0047DC65 . 7F 06 JG SHORT 扩展名仓.0047DC6D 0047DC67 . 66:83C7 16 ADD DI,16 0047DC6B . EB 4D JMP SHORT 扩展名仓.0047DCBA 0047DC6D > 66:83FF 24 CMP DI,24 0047DC71 . 7C 0C JL SHORT 扩展名仓.0047DC7F 0047DC73 . 66:83FF 30 CMP DI,30 0047DC77 . 7D 06 JGE SHORT 扩展名仓.0047DC7F 0047DC79 . 66:83C7 45 ADD DI,45 0047DC7D . EB 3B JMP SHORT 扩展名仓.0047DCBA 0047DC7F > 66:83FF 39 CMP DI,39 0047DC83 . 7E 06 JLE SHORT 扩展名仓.0047DC8B 0047DC85 . 66:83FF 42 CMP DI,42 0047DC89 . 7E 06 JLE SHORT 扩展名仓.0047DC91 0047DC8B > 66:83FF 4D CMP DI,4D 0047DC8F . 75 07 JNZ SHORT 扩展名仓.0047DC98 0047DC91 > BF 48000000 MOV EDI,48 0047DC96 . EB 28 JMP SHORT 扩展名仓.0047DCC0 0047DC98 > 66:83FF 42 CMP DI,42 0047DC9C . 7E 0C JLE SHORT 扩展名仓.0047DCAA 0047DC9E . 66:83FF 4D CMP DI,4D 0047DCA2 . 7D 0A JGE SHORT 扩展名仓.0047DCAE 0047DCA4 . 66:83EF 13 SUB DI,13 0047DCA8 . EB 10 JMP SHORT 扩展名仓.0047DCBA 0047DCAA > 66:83FF 4D CMP DI,4D 0047DCAE > 7E 10 JLE SHORT 扩展名仓.0047DCC0 0047DCB0 . 66:83FF 61 CMP DI,61 0047DCB4 . 7D 0A JGE SHORT 扩展名仓.0047DCC0 0047DCB6 . 66:83C7 15 ADD DI,15 0047DCBA > 0F80 73060000 JO 扩展名仓.0047E333 0047DCC0 > 0FBFD7 MOVSX EDX,DI 0047DCC3 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DCC6 . 52 PUSH EDX ; /Arg2 0047DCC7 . 50 PUSH EAX ; \|Arg1 0047DCC8 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DCCE . 8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; msvbvm60.rtcUpperCaseVar 0047DCD4 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DCD7 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DCDD . 51 PUSH ECX 0047DCDE . 52 PUSH EDX 0047DCDF . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047DCE1 . A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 〈--- EAX = 第 3 组的假码 0047DCE6 . 66:8BD3 MOV DX,BX 0047DCE9 . 83C0 08 ADD EAX,8 0047DCEC . 66:83C2 01 ADD DX,1 0047DCF0 . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX 0047DCF6 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047DCFC . 0F80 31060000 JO 扩展名仓.0047E333 0047DD02 . 0FBFC2 MOVSX EAX,DX 0047DD05 . 51 PUSH ECX ; /Arg4 0047DD06 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] ; \| 0047DD0C . 50 PUSH EAX ; \|Arg3 0047DD0D . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] ; \| 0047DD13 . 51 PUSH ECX ; \|Arg2 0047DD14 . 52 PUSH EDX ; \|Arg1 0047DD15 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1 ; \| 0047DD1F . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2 ; \| 0047DD29 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047DD33 . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] 〈---- 取的是第 3 组的假码 0047DD39 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047DD3F . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047DD45 . 50 PUSH EAX 0047DD46 . 51 PUSH ECX 0047DD47 . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047DD49 . 8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DD4F . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047DD55 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047DD58 . 52 PUSH EDX 0047DD59 . 50 PUSH EAX 0047DD5A . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047DD5C . 50 PUSH EAX 0047DD5D . FFD6 CALL ESI 0047DD5F . 66:8BD0 MOV DX,AX 0047DD62 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DD68 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DD6B . 51 PUSH ECX 0047DD6C . 50 PUSH EAX 0047DD6D . 66:8995 A6FEF>MOV WORD PTR SS:[EBP-15A],DX 0047DD74 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047DD76 . 50 PUSH EAX 0047DD77 . FFD6 CALL ESI 0047DD79 . 66:8B95 A6FEF>MOV DX,WORD PTR SS:[EBP-15A] 0047DD80 . 33C9 XOR ECX,ECX 0047DD82 . 66:3BC2 CMP AX,DX 〈---- 比较啦。这里就是根据第 2 组假码的第 1 个，结合用户名和邮箱的 10 个值来推算出真正的第 3 组注册码。把 DX 的值记起来就是啦。 0047DD85 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047DD88 . 0F95C1 SETNE CL 0047DD8B . F7D9 NEG ECX 0047DD8D . 8BF9 MOV EDI,ECX 0047DD8F . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DD92 . 50 PUSH EAX 0047DD93 . 51 PUSH ECX 0047DD94 . 6A 02 PUSH 2 0047DD96 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047DD9C . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047DDA2 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047DDA8 . 52 PUSH EDX 0047DDA9 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047DDAF . 50 PUSH EAX 0047DDB0 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DDB6 . 51 PUSH ECX 0047DDB7 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DDBA . 52 PUSH EDX 0047DDBB . 50 PUSH EAX 0047DDBC . 6A 05 PUSH 5 0047DDBE . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DDC4 . 83C4 24 ADD ESP,24 0047DDC7 . 66:85FF TEST DI,DI 0047DDCA . 0F85 CF040000 JNZ 扩展名仓.0047E29F 0047DDD0 . B8 01000000 MOV EAX,1 0047DDD5 . 66:03C3 ADD AX,BX 0047DDD8 . 0F80 55050000 JO 扩展名仓.0047E333 0047DDDE . 8BD8 MOV EBX,EAX 0047DDE0 .^ E9 03FDFFFF JMP 扩展名仓.0047DAE8 0047DDE5 > 33DB XOR EBX,EBX 0047DDE7 > B8 04000000 MOV EAX,4 0047DDEC . 895D EC MOV DWORD PTR SS:[EBP-14],EBX 0047DDEF . 66:3BD8 CMP BX,AX 0047DDF2 . 0F8F 19030000 JG 扩展名仓.0047E111 0047DDF8 . 66:3BD8 CMP BX,AX 0047DDFB . 0FBFFB MOVSX EDI,BX 0047DDFE . 0F8D A0000000 JGE 扩展名仓.0047DEA4 0047DE04 . 83FF 05 CMP EDI,5 0047DE07 . 72 06 JB SHORT 扩展名仓.0047DE0F 0047DE09 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE0F > 66:8BCB MOV CX,BX 0047DE12 . 66:83C1 01 ADD CX,1 0047DE16 . 0F80 17050000 JO 扩展名仓.0047E333 0047DE1C . 0FBFC1 MOVSX EAX,CX 0047DE1F . 83F8 05 CMP EAX,5 0047DE22 . 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],EAX 0047DE28 . 72 06 JB SHORT 扩展名仓.0047DE30 0047DE2A . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE30 > 83FF 05 CMP EDI,5 0047DE33 . 72 06 JB SHORT 扩展名仓.0047DE3B 0047DE35 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE3B > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047DE41 . 8B02 MOV EAX,DWORD PTR DS:[EDX] 〈---- 取第 1 组假码 0047DE43 . 50 PUSH EAX 0047DE44 . FFD6 CALL ESI 0047DE46 . 66:83EB 01 SUB BX,1 0047DE4A . 0F80 E3040000 JO 扩展名仓.0047E333 0047DE50 . 0FBFC8 MOVSX ECX,AX 0047DE53 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DE56 . 0FBFD3 MOVSX EDX,BX 0047DE59 . 0FAF14B8 IMUL EDX,DWORD PTR DS:[EAX+EDI4] 0047DE5D . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] 0047DE60 . 8B9D 1CFFFFFF MOV EBX,DWORD PTR SS:[EBP-E4] 0047DE66 . 0F80 C7040000 JO 扩展名仓.0047E333 0047DE6C . 8B1C98 MOV EBX,DWORD PTR DS:[EAX+EBX4] 〈---- EBX 分别 =E0 ， D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值。 0047DE6F . 031CB8 ADD EBX,DWORD PTR DS:[EAX+EDI4] 〈---- 两两相加，就是 E0 + D7 ，D7 + 87 ，87 + 2C ，2C + 8C 0047DE72 . 0F80 BB040000 JO 扩展名仓.0047E333 0047DE78 . 03D3 ADD EDX,EBX 0047DE7A . 0F80 B3040000 JO 扩展名仓.0047E333 0047DE80 . 83C2 01 ADD EDX,1 0047DE83 . 0F80 AA040000 JO 扩展名仓.0047E333 0047DE89 . 03CA ADD ECX,EDX 0047DE8B . 0F80 A2040000 JO 扩展名仓.0047E333 0047DE91 . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DE97 . 8BC8 MOV ECX,EAX 0047DE99 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DE9F . 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] 0047DEA2 . EB 5E JMP SHORT 扩展名仓.0047DF02 0047DEA4 > 83FF 05 CMP EDI,5 0047DEA7 . 72 11 JB SHORT 扩展名仓.0047DEBA 0047DEA9 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DEAF . 83FF 05 CMP EDI,5 0047DEB2 . 72 06 JB SHORT 扩展名仓.0047DEBA 0047DEB4 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DEBA > 8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118] 0047DEC0 . 8B11 MOV EDX,DWORD PTR DS:[ECX] 0047DEC2 . 52 PUSH EDX 0047DEC3 . FFD6 CALL ESI 0047DEC5 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20] 0047DEC8 . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] 0047DECB . 0FBFC0 MOVSX EAX,AX 0047DECE . 8B0CB9 MOV ECX,DWORD PTR DS:[ECX+EDI4] 0047DED1 . 0FAFCF IMUL ECX,EDI 0047DED4 . 0F80 59040000 JO 扩展名仓.0047E333 0047DEDA . 030CBA ADD ECX,DWORD PTR DS:[EDX+EDI4] 0047DEDD . 0F80 50040000 JO 扩展名仓.0047E333 0047DEE3 . 83C1 4D ADD ECX,4D 0047DEE6 . 0F80 47040000 JO 扩展名仓.0047E333 0047DEEC . 2BC8 SUB ECX,EAX 0047DEEE . 0F80 3F040000 JO 扩展名仓.0047E333 0047DEF4 . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DEFA . 8BC8 MOV ECX,EAX 0047DEFC . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DF02 > 66:3D 3000 CMP AX,30 0047DF06 . 7C 06 JL SHORT 扩展名仓.0047DF0E 0047DF08 . 66:3D 3900 CMP AX,39 0047DF0C . 7E 0C JLE SHORT 扩展名仓.0047DF1A 0047DF0E > 66:3D 6100 CMP AX,61 0047DF12 . 7C 5C JL SHORT 扩展名仓.0047DF70 0047DF14 . 66:3D 7A00 CMP AX,7A 0047DF18 . 7F 56 JG SHORT 扩展名仓.0047DF70 0047DF1A > 0FBFC0 MOVSX EAX,AX 0047DF1D . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DF20 . 50 PUSH EAX ; /Arg2 0047DF21 . 51 PUSH ECX ; \|Arg1 0047DF22 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DF28 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DF2B . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0047DF31 . 52 PUSH EDX ; /Arg2 0047DF32 . 50 PUSH EAX ; \|Arg1 0047DF33 . FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; \rtcUpperCaseVar 0047DF39 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DF3F . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60] 0047DF42 . 51 PUSH ECX 0047DF43 . 52 PUSH EDX 0047DF44 . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DF4A . 50 PUSH EAX 0047DF4B . FFD6 CALL ESI 0047DF4D . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DF50 . 8BF8 MOV EDI,EAX 0047DF52 . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DF58 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0047DF5E . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DF61 . 50 PUSH EAX 0047DF62 . 51 PUSH ECX 0047DF63 . 6A 02 PUSH 2 0047DF65 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DF6B . 83C4 0C ADD ESP,0C 0047DF6E . EB 7C JMP SHORT 扩展名仓.0047DFEC 0047DF70 > 66:99 CWD 0047DF72 . 66:B9 7B00 MOV CX,7B 0047DF76 . 66:F7F9 IDIV CX 0047DF79 . 8BFA MOV EDI,EDX 0047DF7B . 66:83FF 09 CMP DI,9 0047DF7F . 7D 06 JGE SHORT 扩展名仓.0047DF87 0047DF81 . 66:83C7 30 ADD DI,30 0047DF85 . EB 5F JMP SHORT 扩展名仓.0047DFE6 0047DF87 > 66:83FF 22 CMP DI,22 0047DF8B . 7F 06 JG SHORT 扩展名仓.0047DF93 0047DF8D . 66:83C7 58 ADD DI,58 0047DF91 . EB 53 JMP SHORT 扩展名仓.0047DFE6 0047DF93 > 66:83FF 2C CMP DI,2C 0047DF97 . 7D 06 JGE SHORT 扩展名仓.0047DF9F 0047DF99 . 66:83C7 0D ADD DI,0D 0047DF9D . EB 47 JMP SHORT 扩展名仓.0047DFE6 0047DF9F > 66:83FF 30 CMP DI,30 0047DFA3 . 7C 06 JL SHORT 扩展名仓.0047DFAB 0047DFA5 . 66:83FF 4D CMP DI,4D 0047DFA9 . 75 07 JNZ SHORT 扩展名仓.0047DFB2 0047DFAB > BF 48000000 MOV EDI,48 0047DFB0 . EB 3A JMP SHORT 扩展名仓.0047DFEC 0047DFB2 > 66:83FF 39 CMP DI,39 0047DFB6 . 7E 0C JLE SHORT 扩展名仓.0047DFC4 0047DFB8 . 66:83FF 4C CMP DI,4C 0047DFBC . 7F 06 JG SHORT 扩展名仓.0047DFC4 0047DFBE . 66:83C7 2A ADD DI,2A 0047DFC2 . EB 22 JMP SHORT 扩展名仓.0047DFE6 0047DFC4 > 66:83FF 4D CMP DI,4D 0047DFC8 . 7E 0C JLE SHORT 扩展名仓.0047DFD6 0047DFCA . 66:83FF 57 CMP DI,57 0047DFCE . 7F 0C JG SHORT 扩展名仓.0047DFDC 0047DFD0 . 66:83EF 1E SUB DI,1E 0047DFD4 . EB 10 JMP SHORT 扩展名仓.0047DFE6 0047DFD6 > 66:83FF 57 CMP DI,57 0047DFDA . 7E 10 JLE SHORT 扩展名仓.0047DFEC 0047DFDC > 66:83FF 61 CMP DI,61 0047DFE0 . 7D 0A JGE SHORT 扩展名仓.0047DFEC 0047DFE2 . 66:83C7 11 ADD DI,11 0047DFE6 > 0F80 47030000 JO 扩展名仓.0047E333 0047DFEC > 0FBFD7 MOVSX EDX,DI 0047DFEF . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DFF2 . 52 PUSH EDX ; /Arg2 0047DFF3 . 50 PUSH EAX ; \|Arg1 0047DFF4 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DFFA . 8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; msvbvm60.rtcUpperCaseVar 0047E000 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047E003 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E009 . 51 PUSH ECX 0047E00A . 52 PUSH EDX 0047E00B . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 〈---- 转为大写 0047E00D . A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047E012 . 66:8BD3 MOV DX,BX 0047E015 . 83C0 04 ADD EAX,4 0047E018 . 66:83C2 01 ADD DX,1 0047E01C . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX 0047E022 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047E028 . 0F80 05030000 JO 扩展名仓.0047E333 0047E02E . 0FBFC2 MOVSX EAX,DX 0047E031 . 51 PUSH ECX ; /Arg4 0047E032 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] ; \| 0047E038 . 50 PUSH EAX ; \|Arg3 0047E039 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] ; \| 0047E03F . 51 PUSH ECX ; \|Arg2 0047E040 . 52 PUSH EDX ; \|Arg1 0047E041 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1 ; \| 0047E04B . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2 ; \| 0047E055 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047E05F . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 0047E065 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047E06B . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047E071 . 50 PUSH EAX 0047E072 . 51 PUSH ECX 0047E073 . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047E075 . 8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047E07B . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047E081 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047E084 . 52 PUSH EDX 0047E085 . 50 PUSH EAX 0047E086 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047E088 . 50 PUSH EAX 0047E089 . FFD6 CALL ESI 0047E08B . 66:8BD0 MOV DX,AX 0047E08E . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047E094 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E097 . 51 PUSH ECX 0047E098 . 50 PUSH EAX 0047E099 . 66:8995 A4FEF>MOV WORD PTR SS:[EBP-15C],DX 0047E0A0 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047E0A2 . 50 PUSH EAX 0047E0A3 . FFD6 CALL ESI 0047E0A5 . 66:8B95 A4FEF>MOV DX,WORD PTR SS:[EBP-15C] 0047E0AC . 33C9 XOR ECX,ECX 0047E0AE . 66:3BC2 CMP AX,DX 〈---这里比较的是第 2 组的，把DX的值记起来。 0047E0B1 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047E0B4 . 0F95C1 SETNE CL 0047E0B7 . F7D9 NEG ECX 0047E0B9 . 8BF9 MOV EDI,ECX 0047E0BB . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047E0BE . 50 PUSH EAX 0047E0BF . 51 PUSH ECX 0047E0C0 . 6A 02 PUSH 2 0047E0C2 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047E0C8 . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047E0CE . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047E0D4 . 52 PUSH EDX 0047E0D5 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047E0DB . 50 PUSH EAX 0047E0DC . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E0E2 . 51 PUSH ECX 0047E0E3 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E0E6 . 52 PUSH EDX 0047E0E7 . 50 PUSH EAX 0047E0E8 . 6A 05 PUSH 5 0047E0EA . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E0F0 . 83C4 24 ADD ESP,24 0047E0F3 . 66:85FF TEST DI,DI 0047E0F6 . 0F85 A3010000 JNZ 扩展名仓.0047E29F 0047E0FC . B8 01000000 MOV EAX,1 0047E101 . 66:03C3 ADD AX,BX 0047E104 . 0F80 29020000 JO 扩展名仓.0047E333 0047E10A . 8BD8 MOV EBX,EAX 0047E10C .^ E9 D6FCFFFF JMP 扩展名仓.0047DDE7 0047E111 > C785 D4FEFFFF>MOV DWORD PTR SS:[EBP-12C],4 0047E11B . C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],1 0047E125 . 33DB XOR EBX,EBX 0047E127 > 66:3B9D D4FEF>CMP BX,WORD PTR SS:[EBP-12C] 0047E12E . 0F8F 72010000 JG 扩展名仓.0047E2A6 0047E134 . 0FBFFB MOVSX EDI,BX 0047E137 . 83FF 05 CMP EDI,5 0047E13A . 72 11 JB SHORT 扩展名仓.0047E14D 0047E13C . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047E142 . 83FF 05 CMP EDI,5 0047E145 . 72 06 JB SHORT 扩展名仓.0047E14D 0047E147 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047E14D > 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44] 0047E150 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] 0047E153 . 8B0CB9 MOV ECX,DWORD PTR DS:[ECX+EDI4] 〈---- 那些值 0047E156 . 8B04BA MOV EAX,DWORD PTR DS:[EDX+EDI4] 0047E159 . 03C8 ADD ECX,EAX 〈---- 加起来 0047E15B . 66:8BC3 MOV AX,BX 0047E15E . 0F80 CF010000 JO 扩展名仓.0047E333 0047E164 . 66:05 0100 ADD AX,1 〈---- 递加 1 ，就是第 1 次是1 ，第 2 次就是 2 咯，…… 0047E168 . 0F80 C5010000 JO 扩展名仓.0047E333 0047E16E . 66:6BC0 07 IMUL AX,AX,7 〈---- 再乘于 7 ，第 1 次乘 1 ，第 2 次就是乘 2 咯，…… 0047E172 . 0F80 BB010000 JO 扩展名仓.0047E333 0047E178 . 0FBFD0 MOVSX EDX,AX 0047E17B . 03CA ADD ECX,EDX 〈---- 再加起来 0047E17D . 0F80 B0010000 JO 扩展名仓.0047E333 0047E183 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047E189 . 8BF8 MOV EDI,EAX 0047E18B . 66:83FF 30 CMP DI,30 〈-----下面 4 个比较是判断是否在数字和大写字母的范围内，是的话就直接跳走了。 0047E18F . 7C 06 JL SHORT 扩展名仓.0047E197 0047E191 . 66:83FF 39 CMP DI,39 0047E195 . 7E 60 JLE SHORT 扩展名仓.0047E1F7 0047E197 > 66:83FF 41 CMP DI,41 0047E19B . 7C 06 JL SHORT 扩展名仓.0047E1A3 0047E19D . 66:83FF 5A CMP DI,5A 0047E1A1 . 7E 54 JLE SHORT 扩展名仓.0047E1F7 0047E1A3 > 66:8BC7 MOV AX,DI 0047E1A6 . 66:B9 5B00 MOV CX,5B 0047E1AA . 66:99 CWD 0047E1AC . 66:F7F9 IDIV CX 〈----- 否则将 MOD 5B ，取余数 0047E1AF . 8BFA MOV EDI,EDX 0047E1B1 . 66:83FF 1A CMP DI,1A 0047E1B5 . 7D 06 JGE SHORT 扩展名仓.0047E1BD 0047E1B7 . 66:83C7 41 ADD DI,41 0047E1BB . EB 34 JMP SHORT 扩展名仓.0047E1F1 0047E1BD > 66:83FF 23 CMP DI,23 0047E1C1 . 7F 06 JG SHORT 扩展名仓.0047E1C9 0047E1C3 . 66:83C7 16 ADD DI,16 0047E1C7 . EB 28 JMP SHORT 扩展名仓.0047E1F1 0047E1C9 > 66:83FF 28 CMP DI,28 0047E1CD . 7D 06 JGE SHORT 扩展名仓.0047E1D5 0047E1CF . 66:83C7 0F ADD DI,0F 0047E1D3 . EB 1C JMP SHORT 扩展名仓.0047E1F1 0047E1D5 > 66:83FF 30 CMP DI,30 0047E1D9 . 7D 06 JGE SHORT 扩展名仓.0047E1E1 0047E1DB . 66:83C7 1E ADD DI,1E 0047E1DF . EB 10 JMP SHORT 扩展名仓.0047E1F1 0047E1E1 > 66:83FF 39 CMP DI,39 0047E1E5 . 7E 10 JLE SHORT 扩展名仓.0047E1F7 0047E1E7 . 66:83FF 41 CMP DI,41 0047E1EB . 7D 0A JGE SHORT 扩展名仓.0047E1F7 0047E1ED . 66:83C7 11 ADD DI,11 0047E1F1 > 0F80 3C010000 JO 扩展名仓.0047E333 0047E1F7 > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047E1FD . 66:8BCB MOV CX,BX 0047E200 . 66:83C1 01 ADD CX,1 0047E204 . 8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX 0047E20A . 0F80 23010000 JO 扩展名仓.0047E333 0047E210 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E213 . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 0047E21A . 0FBFD1 MOVSX EDX,CX 0047E21D . 50 PUSH EAX ; /Arg4 0047E21E . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4] ; \| 0047E224 . 52 PUSH EDX ; \|Arg3 0047E225 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] ; \| 0047E22B . 50 PUSH EAX ; \|Arg2 0047E22C . 51 PUSH ECX ; \|Arg1 0047E22D . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 ; \| 0047E234 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047E23E . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 〈--- 取第 1 组假码 0047E244 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E24A . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E24D . 52 PUSH EDX 0047E24E . 50 PUSH EAX 0047E24F . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047E255 . 50 PUSH EAX 0047E256 . FFD6 CALL ESI 0047E258 . 33C9 XOR ECX,ECX 0047E25A . 66:3BF8 CMP DI,AX 〈---比较第 1 组的。把 DX 的值记起来。 0047E25D . 0F95C1 SETNE CL 0047E260 . F7D9 NEG ECX 0047E262 . 8BF9 MOV EDI,ECX 0047E264 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047E267 . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047E26D . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E273 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E276 . 52 PUSH EDX 0047E277 . 50 PUSH EAX 0047E278 . 6A 02 PUSH 2 0047E27A . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E280 . 83C4 0C ADD ESP,0C 0047E283 . 66:85FF TEST DI,DI 0047E286 . 75 17 JNZ SHORT 扩展名仓.0047E29F 0047E288 . 66:8B8D D8FEF>MOV CX,WORD PTR SS:[EBP-128] 0047E28F . 66:03CB ADD CX,BX 0047E292 . 0F80 9B000000 JO 扩展名仓.0047E333 0047E298 . 8BD9 MOV EBX,ECX 0047E29A .^ E9 88FEFFFF JMP 扩展名仓.0047E127 0047E29F > C745 CC 00000>MOV DWORD PTR SS:[EBP-34],0 0047E2A6 > 9B WAIT 0047E2A7 . 68 19E34700 PUSH 扩展名仓.0047E319 0047E2AC . EB 3C JMP SHORT 扩展名仓.0047E2EA 0047E2AE . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64] 0047E2B1 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E2B4 . 52 PUSH EDX 0047E2B5 . 50 PUSH EAX 0047E2B6 . 6A 02 PUSH 2 0047E2B8 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047E2BE . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047E2C4 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] 0047E2CA . 51 PUSH ECX 0047E2CB . 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94] 0047E2D1 . 52 PUSH EDX 0047E2D2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047E2D8 . 50 PUSH EAX 0047E2D9 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047E2DC . 51 PUSH ECX 0047E2DD . 52 PUSH EDX 0047E2DE . 6A 05 PUSH 5 0047E2E0 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E2E6 . 83C4 24 ADD ESP,24 0047E2E9 . C3 RETN --------------------------------------- The end ----------------------------------------------------- 名字：skyege 邮箱：skyege@tom.com 注册码：P6ZI3-XH4HL-OXUXD-EMK15-7CQPA 这是一个经典的“用户名（F）= 注册码”的软件，难度一般。注册码共 5 组，每组 5 个字符。注册成功后在 Extension .ini 中有 UserName=skyege Email=skyege@tom.com Code=P6ZI3XH4HLOXUXDEMK157CQPA 验证的过程是这样的： 1、验证第 5 组的第 1 个与第 2 组的第 2 个的关系 2、验证第 3 组的后 4 个与第 5 组的后 4 个的关系。 3、验证第 4 组注册码 4、验证第 3 组注册码 5、验证第 2 组注册码 6、验证第 1 组注册码所以逆过来，顺序颠倒就可以逆出真注册码了。程序先利用你输入的用户名和邮箱计算出 10 个值，这是它们的存放地址： 002243A0 E0 00 00 00 D7 00 00 00 87 00 00 00 2C 00 00 00 ?..?..?..,... 002243B0 8C 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE ?..????铪铪 002243C0 00 00 00 00 00 00 00 00 06 00 06 00 00 07 1C 00 ............ 002243D0 1F 00 00 00 BD 00 00 00 19 00 00 00 B7 00 00 00 ...?.....?.. 002243E0 2B 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE +...????铪铪 1、根据那 10 个值计算出第 1 组注册码 2、根据用户名的 5 个值和第 1 组注册码计算出第 2 组注册码 3、根据那 10 个值和第 2 组注册码计算出第 3 组注册码 4、根据那 10 个值和第 2 组注册码计算出第 4 组注册码 5、根据第 3 组的后 4 个计算出第 5 组注册码的后 4 个 6、根据第 2 组的第 2 个计算出第 5 组注册码的第 1 个至于如何计算看代码的注释,要表达清楚，恐怕成长篇大论了。断点地址模块激活反汇编注释 0047D6F4 扩展名仓关闭 CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的第 1 个注册码 0047D8B8 扩展名仓关闭 CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的后 4 个注册码 0047DA90 扩展名仓关闭 CMP BX,AX <--- 这里得到第 4 组注册码 0047DD82 扩展名仓关闭 CMP AX,DX <--- 这里得到第 3 组注册码 0047E0AE 扩展名仓关闭 CMP AX,DX <--- 这里得到第 2 组注册码 0047E25A 扩展名仓关闭 CMP DI,AX <--- 这里得到第 1 组注册码注册机：注册机的编写我觉得用高级语言真的很不适合，主要是在计算注册码的时候，都有 N 长的值的范围判断比较，特别是计算第 2 组的时候更麻烦。以为写成过程调用可以解决，但发现也是烦琐。加之本人编程能力不敢恭维，代码写得冗长垃圾，故不贴了。等哪天学了汇编再写吧。对用户名和邮箱的处理大家可以看一下（我只跟踪了用户名大于5的 ^_^）,错误遗漏之处请指教： Dim a, b, c, d, e '存放用邮箱计算得出的 5 个值 Dim h, i, j, k, l '存放用用户名计算得出的 5 个值 yhm = Trim(Text1.Text) '用户名 youxiang = UCase(Trim(Text2.Text)) '邮箱转化为大写形式 For i = 6 To Len(youxiang) If i Mod 2 = 0 Then temp = Asc(Mid(youxiang, i, 1)) + temp '累加 temp = temp - 5 '偶数位 - 5 Else temp = Asc(Mid(youxiang, i, 1)) + temp temp = temp + 7 '奇数位 + 7 End If Next temp = temp Mod 177 '取余数 a = temp - Asc(Mid(youxiang, 1, 1)) b = temp + Asc(Mid(youxiang, 2, 1)) c = temp - Asc(Mid(youxiang, 3, 1)) d = temp + Asc(Mid(youxiang, 4, 1)) e = temp - Asc(Mid(youxiang, 5, 1)) temp = 0 For i = 6 To Len(mz) '累加用户名6位以上的ASC值 temp = Asc(Mid(mz, i, 1)) + temp Next i = Asc(Mid(yhm, 2, 1)) + 7 + temp ' j = Asc(Mid(yhm, 3, 1)) + 14 ' + c k = Asc(Mid(yhm, 4, 1)) - 57 '- 39 l = Asc(Mid(yhm, 5, 1)) + 37 ' + 25 h = Asc(Mid(yhm, 1, 1)) + 7 + k + 167 '+ a7 h = h Mod 231 h = h + Asc(Mid(yhm, 1, 1)) + 7 2005-9-6 18:07 0
wenglingok 雪币： 671 活跃值： (723) 能力值： ( LV9，RANK：1060 ) 在线值：发帖 52 回帖 679 粉丝 1 关注私信	wenglingok 26 3 楼沙发，支持一下。 2005-9-6 18:30 0
小娃崽雪币： 383 活跃值： (41) 能力值： ( LV12，RANK：530 ) 在线值：发帖 42 回帖 283 粉丝 1 关注私信	小娃崽 13 4 楼顶起~!终于看到兄弟的帖子拉 2005-9-6 18:52 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 5 楼呵呵，skyege兄的文章，支持一下，学习中 2005-9-6 19:02 0
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 6 楼 2005-9-6 20:30 0
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 7 楼阁下有耐心啊 2005-9-6 21:19 0
skyege 雪币： 229 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 555 粉丝 0 关注私信	skyege 2 8 楼唉，就是太长了。不知道怎么弄短一点。 2005-9-6 21:47 0
dthexin 雪币： 215 活跃值： (82) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 32 粉丝 0 关注私信	dthexin 1 9 楼学习啊, 2005-9-7 07:44 0
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 10 楼学习了不过本人对算法还是不怎么喜欢 !1不过还是要顶你 !! 2005-9-7 12:05 0
yuqli 雪币： 214 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 3 回帖 59 粉丝 1 关注私信	yuqli 2 11 楼颜色不好看~~~ 有点恶心 2005-9-7 13:19 0
冷血书生雪币： 443 活跃值： (200) 能力值： ( LV9，RANK：1140 ) 在线值：发帖 53 回帖 1135 粉丝 2 关注私信	冷血书生 28 12 楼不顶实在是不行！严重支持的！ 2005-9-10 02:20 0
海栖靖雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 22 粉丝 0 关注私信	海栖靖 13 楼也难为skyege兄写这么长的文章了呵呵兄弟我也来顶一下 2005-9-19 01:35 0
dfui 雪币： 1267 活跃值： (567) 能力值： ( LV2，RANK：10 ) 在线值：发帖 32 回帖 216 粉丝 2 关注私信	dfui 14 楼天才出于什么…………怎么才能成为天才。跟着成功的人士。?听他们的声音。努力的补充知识。这就是天才与笨蛋的区别。 2005-9-19 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

skyege

发帖

555

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (13)
skyege 雪币： 229 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 555 粉丝 0 关注私信	skyege 2 2 楼 0047D8FB > 33C0 XOR EAX,EAX 0047D8FD . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 0047D900 > B9 04000000 MOV ECX,4 0047D905 . 66:3BC1 CMP AX,CX 0047D908 . 0F8F D8010000 JG 扩展名仓.0047DAE6 0047D90E . 0FBFC0 MOVSX EAX,AX 0047D911 . 83F8 05 CMP EAX,5 0047D914 . 8985 C8FEFFFF MOV DWORD PTR SS:[EBP-138],EAX 0047D91A . 72 17 JB SHORT 扩展名仓.0047D933 0047D91C . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047D922 . 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] 0047D928 . 83F8 05 CMP EAX,5 0047D92B . 72 06 JB SHORT 扩展名仓.0047D933 0047D92D . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047D933 > A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047D938 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047D93B . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 0047D942 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 0047D949 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 〈----- 第 2 组假码 0047D94C . 52 PUSH EDX 0047D94D . 6A 01 PUSH 1 〈----- 取第 1 个 0047D94F . 51 PUSH ECX 0047D950 . FFD3 CALL EBX 0047D952 . 8BD0 MOV EDX,EAX 0047D954 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047D957 . FFD7 CALL EDI 0047D959 . 50 PUSH EAX 0047D95A . FFD6 CALL ESI 0047D95C . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，2B 〈---- 这里是邮箱浮点运算后的几个值 0047D95F . 8B5D E0 MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= E0 ，D7 ，87 ，2C ，8C 〈---- 这里是用户名计算后的几个值 0047D962 . 0FBFC8 MOVSX ECX,AX 〈---- ECX = 32 0047D965 . 8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138] 0047D96B . 8B1482 MOV EDX,DWORD PTR DS:[EDX+EAX4] 0047D96E . 031483 ADD EDX,DWORD PTR DS:[EBX+EAX4] 〈---- IF + E0 = FF ，BD + D7 = ………… 0047D971 . 66:8B45 EC MOV AX,WORD PTR SS:[EBP-14] 0047D975 . 0F80 B8090000 JO 扩展名仓.0047E333 0047D97B . 66:05 0700 ADD AX,7 〈--- AX = 7 0047D97F . 0F80 AE090000 JO 扩展名仓.0047E333 0047D985 . 66:6BC0 05 IMUL AX,AX,5 〈---- AX = 23 0047D989 . 0F80 A4090000 JO 扩展名仓.0047E333 0047D98F . 0FBFC0 MOVSX EAX,AX 0047D992 . 03D0 ADD EDX,EAX 〈---- 23 + FF = 122 ；这是第一次计算的时候 0047D994 . 0F80 99090000 JO 扩展名仓.0047E333 0047D99A . 03CA ADD ECX,EDX 〈---- 122 + 32 = 154 0047D99C . 0F80 91090000 JO 扩展名仓.0047E333 0047D9A2 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047D9A8 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047D9AB . 8BD8 MOV EBX,EAX 0047D9AD . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047D9B3 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047D9B6 . FF15 28104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar 0047D9BC . 66:83FB 30 CMP BX,30 0047D9C0 . 7C 06 JL SHORT 扩展名仓.0047D9C8 0047D9C2 . 66:83FB 39 CMP BX,39 0047D9C6 . 7E 61 JLE SHORT 扩展名仓.0047DA29 0047D9C8 > 66:83FB 41 CMP BX,41 0047D9CC . 7C 06 JL SHORT 扩展名仓.0047D9D4 0047D9CE . 66:83FB 5A CMP BX,5A 0047D9D2 . 7E 55 JLE SHORT 扩展名仓.0047DA29 0047D9D4 > 66:8BC3 MOV AX,BX 0047D9D7 . 66:B9 5B00 MOV CX,5B 〈---- 5B 给 CX 0047D9DB . 66:99 CWD 0047D9DD . 66:F7F9 IDIV CX 〈----- 154 MOD 5B ，取余数 43 0047D9E0 . 8BDA MOV EBX,EDX 0047D9E2 . 66:83FB 0A CMP BX,0A 0047D9E6 . 7D 06 JGE SHORT 扩展名仓.0047D9EE 0047D9E8 . 66:83C3 30 ADD BX,30 0047D9EC . EB 35 JMP SHORT 扩展名仓.0047DA23 0047D9EE > 66:83FB 23 CMP BX,23 0047D9F2 . 7F 06 JG SHORT 扩展名仓.0047D9FA 0047D9F4 . 66:83C3 37 ADD BX,37 0047D9F8 . EB 29 JMP SHORT 扩展名仓.0047DA23 0047D9FA > 66:83FB 2A CMP BX,2A 0047D9FE . 7D 07 JGE SHORT 扩展名仓.0047DA07 0047DA00 . BB 4D000000 MOV EBX,4D 0047DA05 . EB 22 JMP SHORT 扩展名仓.0047DA29 0047DA07 > 66:83FB 30 CMP BX,30 0047DA0B . 7D 06 JGE SHORT 扩展名仓.0047DA13 0047DA0D . 66:83C3 1B ADD BX,1B 0047DA11 . EB 10 JMP SHORT 扩展名仓.0047DA23 0047DA13 > 66:83FB 39 CMP BX,39 0047DA17 . 7E 10 JLE SHORT 扩展名仓.0047DA29 0047DA19 . 66:83FB 41 CMP BX,41 0047DA1D . 7D 0A JGE SHORT 扩展名仓.0047DA29 0047DA1F . 66:83EB 07 SUB BX,7 0047DA23 > 0F80 0A090000 JO 扩展名仓.0047E333 0047DA29 > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047DA2F . 66:8B4D EC MOV CX,WORD PTR SS:[EBP-14] 0047DA33 . 83C2 0C ADD EDX,0C 0047DA36 . 66:83C1 01 ADD CX,1 0047DA3A . 8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX 0047DA40 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DA43 . 0F80 EA080000 JO 扩展名仓.0047E333 0047DA49 . 0FBFD1 MOVSX EDX,CX 0047DA4C . 50 PUSH EAX ; /Arg4 0047DA4D . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4] ; \| 0047DA53 . 52 PUSH EDX ; \|Arg3 0047DA54 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] ; \| 0047DA5A . 50 PUSH EAX ; \|Arg2 0047DA5B . 51 PUSH ECX ; \|Arg1 0047DA5C . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 ; \| 0047DA63 . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 ; \| 0047DA6A . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047DA74 . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 〈---- 取第 4 组假码 0047DA7A . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DA80 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DA83 . 52 PUSH EDX 0047DA84 . 50 PUSH EAX 0047DA85 . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DA8B . 50 PUSH EAX 0047DA8C . FFD6 CALL ESI 0047DA8E . 33C9 XOR ECX,ECX 0047DA90 . 66:3BD8 CMP BX,AX 〈---- 和 43 比较啦，在这里把 BX 的值逐个记起来就是第 4 组注册码了。 0047DA93 . 0F95C1 SETNE CL 0047DA96 . F7D9 NEG ECX 0047DA98 . 8BD9 MOV EBX,ECX 0047DA9A . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DA9D . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DAA3 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DAA9 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DAAC . 52 PUSH EDX 0047DAAD . 50 PUSH EAX 0047DAAE . 6A 02 PUSH 2 0047DAB0 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DAB6 . 83C4 0C ADD ESP,0C 0047DAB9 . 66:85DB TEST BX,BX 0047DABC . 0F85 DD070000 JNZ 扩展名仓.0047E29F 0047DAC2 . 8B1D 1C114000 MOV EBX,DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr 0047DAC8 . B8 01000000 MOV EAX,1 0047DACD . 66:0345 EC ADD AX,WORD PTR SS:[EBP-14] 0047DAD1 . C745 CC FFFFF>MOV DWORD PTR SS:[EBP-34],-1 0047DAD8 . 0F80 55080000 JO 扩展名仓.0047E333 0047DADE . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 0047DAE1 .^ E9 1AFEFFFF JMP 扩展名仓.0047D900 0047DAE6 > 33DB XOR EBX,EBX 0047DAE8 > B8 04000000 MOV EAX,4 0047DAED . 895D EC MOV DWORD PTR SS:[EBP-14],EBX 0047DAF0 . 66:3BD8 CMP BX,AX 0047DAF3 . 0F8F EC020000 JG 扩展名仓.0047DDE5 0047DAF9 . 66:85DB TEST BX,BX 0047DAFC . 0FBFFB MOVSX EDI,BX 0047DAFF . 7E 7D JLE SHORT 扩展名仓.0047DB7E 0047DB01 . 83FF 05 CMP EDI,5 0047DB04 . 72 06 JB SHORT 扩展名仓.0047DB0C 0047DB06 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB0C > 66:83EB 01 SUB BX,1 0047DB10 . 0F80 1D080000 JO 扩展名仓.0047E333 0047DB16 . 0FBFDB MOVSX EBX,BX 0047DB19 . 83FB 05 CMP EBX,5 0047DB1C . 72 06 JB SHORT 扩展名仓.0047DB24 0047DB1E . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB24 > 83FF 05 CMP EDI,5 0047DB27 . 72 06 JB SHORT 扩展名仓.0047DB2F 0047DB29 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB2F > 8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118] 0047DB35 . 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] 0047DB38 . 52 PUSH EDX 0047DB39 . FFD6 CALL ESI 0047DB3B . 0FBFC8 MOVSX ECX,AX 0047DB3E . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DB41 . 8B1498 MOV EDX,DWORD PTR DS:[EAX+EBX4] 〈---- EDX 分别= 1F ，BD ，19 ，B7 ，〈---- 这里是邮箱浮点运算后的几个值 ,少了一个哦。 0047DB44 . 8B5D E0 MOV EBX,DWORD PTR SS:[EBP-20] 〈---- EBX 分别= D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值，顺序有点变化，少了一个哦。注意。 0047DB47 . 0314BB ADD EDX,DWORD PTR DS:[EBX+EDI4] 〈---- 加 0047DB4A . 8B1CB8 MOV EBX,DWORD PTR DS:[EAX+EDI4] 0047DB4D . 0F80 E0070000 JO 扩展名仓.0047E333 0047DB53 . 03D7 ADD EDX,EDI 0047DB55 . 0F80 D8070000 JO 扩展名仓.0047E333 0047DB5B . 2BD3 SUB EDX,EBX 0047DB5D . 0F80 D0070000 JO 扩展名仓.0047E333 0047DB63 . 03CA ADD ECX,EDX 0047DB65 . 0F80 C8070000 JO 扩展名仓.0047E333 0047DB6B . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DB71 . 8BC8 MOV ECX,EAX 0047DB73 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DB79 . 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] 0047DB7C . EB 5E JMP SHORT 扩展名仓.0047DBDC 0047DB7E > 83FF 05 CMP EDI,5 0047DB81 . 72 11 JB SHORT 扩展名仓.0047DB94 0047DB83 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB89 . 83FF 05 CMP EDI,5 0047DB8C . 72 06 JB SHORT 扩展名仓.0047DB94 0047DB8E . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DB94 > A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047DB99 . 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 〈---- 第 2 组假码 0047DB9C . 51 PUSH ECX 0047DB9D . FFD6 CALL ESI 0047DB9F . 0FBFD0 MOVSX EDX,AX 0047DBA2 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DBA5 . 8B0CB8 MOV ECX,DWORD PTR DS:[EAX+EDI4] 0047DBA8 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] 0047DBAB . 0FAFCF IMUL ECX,EDI 0047DBAE . 0F80 7F070000 JO 扩展名仓.0047E333 0047DBB4 . 030CB8 ADD ECX,DWORD PTR DS:[EAX+EDI4] 0047DBB7 . 0F80 76070000 JO 扩展名仓.0047E333 0047DBBD . 83C1 4D ADD ECX,4D 0047DBC0 . 0F80 6D070000 JO 扩展名仓.0047E333 0047DBC6 . 2BCA SUB ECX,EDX 0047DBC8 . 0F80 65070000 JO 扩展名仓.0047E333 0047DBCE . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DBD4 . 8BC8 MOV ECX,EAX 0047DBD6 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DBDC > 66:3D 3000 CMP AX,30 0047DBE0 . 7C 06 JL SHORT 扩展名仓.0047DBE8 0047DBE2 . 66:3D 3900 CMP AX,39 0047DBE6 . 7E 0C JLE SHORT 扩展名仓.0047DBF4 0047DBE8 > 66:3D 6100 CMP AX,61 0047DBEC . 7C 5C JL SHORT 扩展名仓.0047DC4A 0047DBEE . 66:3D 7A00 CMP AX,7A 0047DBF2 . 7F 56 JG SHORT 扩展名仓.0047DC4A 0047DBF4 > 0FBFC8 MOVSX ECX,AX 0047DBF7 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DBFA . 51 PUSH ECX ; /Arg2 0047DBFB . 52 PUSH EDX ; \|Arg1 0047DBFC . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 〈---直接取第 1 个 0047DC02 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DC05 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DC0B . 50 PUSH EAX ; /Arg2 0047DC0C . 51 PUSH ECX ; \|Arg1 0047DC0D . FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; \rtcUpperCaseVar 0047DC13 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DC19 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DC1C . 52 PUSH EDX 0047DC1D . 50 PUSH EAX 0047DC1E . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DC24 . 50 PUSH EAX 0047DC25 . FFD6 CALL ESI 0047DC27 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DC2A . 8BF8 MOV EDI,EAX 0047DC2C . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DC32 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DC38 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DC3B . 51 PUSH ECX 0047DC3C . 52 PUSH EDX 0047DC3D . 6A 02 PUSH 2 0047DC3F . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DC45 . 83C4 0C ADD ESP,0C 0047DC48 . EB 76 JMP SHORT 扩展名仓.0047DCC0 0047DC4A > 66:99 CWD 0047DC4C . 66:B9 7B00 MOV CX,7B 0047DC50 . 66:F7F9 IDIV CX 0047DC53 . 8BFA MOV EDI,EDX 0047DC55 . 66:83FF 1A CMP DI,1A 0047DC59 . 7D 06 JGE SHORT 扩展名仓.0047DC61 0047DC5B . 66:83C7 61 ADD DI,61 0047DC5F . EB 59 JMP SHORT 扩展名仓.0047DCBA 0047DC61 > 66:83FF 23 CMP DI,23 0047DC65 . 7F 06 JG SHORT 扩展名仓.0047DC6D 0047DC67 . 66:83C7 16 ADD DI,16 0047DC6B . EB 4D JMP SHORT 扩展名仓.0047DCBA 0047DC6D > 66:83FF 24 CMP DI,24 0047DC71 . 7C 0C JL SHORT 扩展名仓.0047DC7F 0047DC73 . 66:83FF 30 CMP DI,30 0047DC77 . 7D 06 JGE SHORT 扩展名仓.0047DC7F 0047DC79 . 66:83C7 45 ADD DI,45 0047DC7D . EB 3B JMP SHORT 扩展名仓.0047DCBA 0047DC7F > 66:83FF 39 CMP DI,39 0047DC83 . 7E 06 JLE SHORT 扩展名仓.0047DC8B 0047DC85 . 66:83FF 42 CMP DI,42 0047DC89 . 7E 06 JLE SHORT 扩展名仓.0047DC91 0047DC8B > 66:83FF 4D CMP DI,4D 0047DC8F . 75 07 JNZ SHORT 扩展名仓.0047DC98 0047DC91 > BF 48000000 MOV EDI,48 0047DC96 . EB 28 JMP SHORT 扩展名仓.0047DCC0 0047DC98 > 66:83FF 42 CMP DI,42 0047DC9C . 7E 0C JLE SHORT 扩展名仓.0047DCAA 0047DC9E . 66:83FF 4D CMP DI,4D 0047DCA2 . 7D 0A JGE SHORT 扩展名仓.0047DCAE 0047DCA4 . 66:83EF 13 SUB DI,13 0047DCA8 . EB 10 JMP SHORT 扩展名仓.0047DCBA 0047DCAA > 66:83FF 4D CMP DI,4D 0047DCAE > 7E 10 JLE SHORT 扩展名仓.0047DCC0 0047DCB0 . 66:83FF 61 CMP DI,61 0047DCB4 . 7D 0A JGE SHORT 扩展名仓.0047DCC0 0047DCB6 . 66:83C7 15 ADD DI,15 0047DCBA > 0F80 73060000 JO 扩展名仓.0047E333 0047DCC0 > 0FBFD7 MOVSX EDX,DI 0047DCC3 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DCC6 . 52 PUSH EDX ; /Arg2 0047DCC7 . 50 PUSH EAX ; \|Arg1 0047DCC8 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DCCE . 8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; msvbvm60.rtcUpperCaseVar 0047DCD4 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DCD7 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DCDD . 51 PUSH ECX 0047DCDE . 52 PUSH EDX 0047DCDF . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047DCE1 . A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 〈--- EAX = 第 3 组的假码 0047DCE6 . 66:8BD3 MOV DX,BX 0047DCE9 . 83C0 08 ADD EAX,8 0047DCEC . 66:83C2 01 ADD DX,1 0047DCF0 . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX 0047DCF6 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047DCFC . 0F80 31060000 JO 扩展名仓.0047E333 0047DD02 . 0FBFC2 MOVSX EAX,DX 0047DD05 . 51 PUSH ECX ; /Arg4 0047DD06 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] ; \| 0047DD0C . 50 PUSH EAX ; \|Arg3 0047DD0D . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] ; \| 0047DD13 . 51 PUSH ECX ; \|Arg2 0047DD14 . 52 PUSH EDX ; \|Arg1 0047DD15 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1 ; \| 0047DD1F . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2 ; \| 0047DD29 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047DD33 . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] 〈---- 取的是第 3 组的假码 0047DD39 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047DD3F . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047DD45 . 50 PUSH EAX 0047DD46 . 51 PUSH ECX 0047DD47 . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047DD49 . 8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DD4F . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047DD55 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047DD58 . 52 PUSH EDX 0047DD59 . 50 PUSH EAX 0047DD5A . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047DD5C . 50 PUSH EAX 0047DD5D . FFD6 CALL ESI 0047DD5F . 66:8BD0 MOV DX,AX 0047DD62 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DD68 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047DD6B . 51 PUSH ECX 0047DD6C . 50 PUSH EAX 0047DD6D . 66:8995 A6FEF>MOV WORD PTR SS:[EBP-15A],DX 0047DD74 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047DD76 . 50 PUSH EAX 0047DD77 . FFD6 CALL ESI 0047DD79 . 66:8B95 A6FEF>MOV DX,WORD PTR SS:[EBP-15A] 0047DD80 . 33C9 XOR ECX,ECX 0047DD82 . 66:3BC2 CMP AX,DX 〈---- 比较啦。这里就是根据第 2 组假码的第 1 个，结合用户名和邮箱的 10 个值来推算出真正的第 3 组注册码。把 DX 的值记起来就是啦。 0047DD85 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047DD88 . 0F95C1 SETNE CL 0047DD8B . F7D9 NEG ECX 0047DD8D . 8BF9 MOV EDI,ECX 0047DD8F . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DD92 . 50 PUSH EAX 0047DD93 . 51 PUSH ECX 0047DD94 . 6A 02 PUSH 2 0047DD96 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047DD9C . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047DDA2 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047DDA8 . 52 PUSH EDX 0047DDA9 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047DDAF . 50 PUSH EAX 0047DDB0 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047DDB6 . 51 PUSH ECX 0047DDB7 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DDBA . 52 PUSH EDX 0047DDBB . 50 PUSH EAX 0047DDBC . 6A 05 PUSH 5 0047DDBE . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DDC4 . 83C4 24 ADD ESP,24 0047DDC7 . 66:85FF TEST DI,DI 0047DDCA . 0F85 CF040000 JNZ 扩展名仓.0047E29F 0047DDD0 . B8 01000000 MOV EAX,1 0047DDD5 . 66:03C3 ADD AX,BX 0047DDD8 . 0F80 55050000 JO 扩展名仓.0047E333 0047DDDE . 8BD8 MOV EBX,EAX 0047DDE0 .^ E9 03FDFFFF JMP 扩展名仓.0047DAE8 0047DDE5 > 33DB XOR EBX,EBX 0047DDE7 > B8 04000000 MOV EAX,4 0047DDEC . 895D EC MOV DWORD PTR SS:[EBP-14],EBX 0047DDEF . 66:3BD8 CMP BX,AX 0047DDF2 . 0F8F 19030000 JG 扩展名仓.0047E111 0047DDF8 . 66:3BD8 CMP BX,AX 0047DDFB . 0FBFFB MOVSX EDI,BX 0047DDFE . 0F8D A0000000 JGE 扩展名仓.0047DEA4 0047DE04 . 83FF 05 CMP EDI,5 0047DE07 . 72 06 JB SHORT 扩展名仓.0047DE0F 0047DE09 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE0F > 66:8BCB MOV CX,BX 0047DE12 . 66:83C1 01 ADD CX,1 0047DE16 . 0F80 17050000 JO 扩展名仓.0047E333 0047DE1C . 0FBFC1 MOVSX EAX,CX 0047DE1F . 83F8 05 CMP EAX,5 0047DE22 . 8985 1CFFFFFF MOV DWORD PTR SS:[EBP-E4],EAX 0047DE28 . 72 06 JB SHORT 扩展名仓.0047DE30 0047DE2A . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE30 > 83FF 05 CMP EDI,5 0047DE33 . 72 06 JB SHORT 扩展名仓.0047DE3B 0047DE35 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DE3B > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047DE41 . 8B02 MOV EAX,DWORD PTR DS:[EDX] 〈---- 取第 1 组假码 0047DE43 . 50 PUSH EAX 0047DE44 . FFD6 CALL ESI 0047DE46 . 66:83EB 01 SUB BX,1 0047DE4A . 0F80 E3040000 JO 扩展名仓.0047E333 0047DE50 . 0FBFC8 MOVSX ECX,AX 0047DE53 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] 0047DE56 . 0FBFD3 MOVSX EDX,BX 0047DE59 . 0FAF14B8 IMUL EDX,DWORD PTR DS:[EAX+EDI4] 0047DE5D . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] 0047DE60 . 8B9D 1CFFFFFF MOV EBX,DWORD PTR SS:[EBP-E4] 0047DE66 . 0F80 C7040000 JO 扩展名仓.0047E333 0047DE6C . 8B1C98 MOV EBX,DWORD PTR DS:[EAX+EBX4] 〈---- EBX 分别 =E0 ， D7 ，87 ，2C ，8C ，〈---- 这里是用户名计算后的几个值。 0047DE6F . 031CB8 ADD EBX,DWORD PTR DS:[EAX+EDI4] 〈---- 两两相加，就是 E0 + D7 ，D7 + 87 ，87 + 2C ，2C + 8C 0047DE72 . 0F80 BB040000 JO 扩展名仓.0047E333 0047DE78 . 03D3 ADD EDX,EBX 0047DE7A . 0F80 B3040000 JO 扩展名仓.0047E333 0047DE80 . 83C2 01 ADD EDX,1 0047DE83 . 0F80 AA040000 JO 扩展名仓.0047E333 0047DE89 . 03CA ADD ECX,EDX 0047DE8B . 0F80 A2040000 JO 扩展名仓.0047E333 0047DE91 . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DE97 . 8BC8 MOV ECX,EAX 0047DE99 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DE9F . 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] 0047DEA2 . EB 5E JMP SHORT 扩展名仓.0047DF02 0047DEA4 > 83FF 05 CMP EDI,5 0047DEA7 . 72 11 JB SHORT 扩展名仓.0047DEBA 0047DEA9 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DEAF . 83FF 05 CMP EDI,5 0047DEB2 . 72 06 JB SHORT 扩展名仓.0047DEBA 0047DEB4 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047DEBA > 8B0D 18514A00 MOV ECX,DWORD PTR DS:[4A5118] 0047DEC0 . 8B11 MOV EDX,DWORD PTR DS:[ECX] 0047DEC2 . 52 PUSH EDX 0047DEC3 . FFD6 CALL ESI 0047DEC5 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20] 0047DEC8 . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] 0047DECB . 0FBFC0 MOVSX EAX,AX 0047DECE . 8B0CB9 MOV ECX,DWORD PTR DS:[ECX+EDI4] 0047DED1 . 0FAFCF IMUL ECX,EDI 0047DED4 . 0F80 59040000 JO 扩展名仓.0047E333 0047DEDA . 030CBA ADD ECX,DWORD PTR DS:[EDX+EDI4] 0047DEDD . 0F80 50040000 JO 扩展名仓.0047E333 0047DEE3 . 83C1 4D ADD ECX,4D 0047DEE6 . 0F80 47040000 JO 扩展名仓.0047E333 0047DEEC . 2BC8 SUB ECX,EAX 0047DEEE . 0F80 3F040000 JO 扩展名仓.0047E333 0047DEF4 . FF15 CC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI4Abs>] ; msvbvm60.__vbaI4Abs 0047DEFA . 8BC8 MOV ECX,EAX 0047DEFC . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047DF02 > 66:3D 3000 CMP AX,30 0047DF06 . 7C 06 JL SHORT 扩展名仓.0047DF0E 0047DF08 . 66:3D 3900 CMP AX,39 0047DF0C . 7E 0C JLE SHORT 扩展名仓.0047DF1A 0047DF0E > 66:3D 6100 CMP AX,61 0047DF12 . 7C 5C JL SHORT 扩展名仓.0047DF70 0047DF14 . 66:3D 7A00 CMP AX,7A 0047DF18 . 7F 56 JG SHORT 扩展名仓.0047DF70 0047DF1A > 0FBFC0 MOVSX EAX,AX 0047DF1D . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DF20 . 50 PUSH EAX ; /Arg2 0047DF21 . 51 PUSH ECX ; \|Arg1 0047DF22 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DF28 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047DF2B . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0047DF31 . 52 PUSH EDX ; /Arg2 0047DF32 . 50 PUSH EAX ; \|Arg1 0047DF33 . FF15 3C114000 CALL DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; \rtcUpperCaseVar 0047DF39 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047DF3F . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60] 0047DF42 . 51 PUSH ECX 0047DF43 . 52 PUSH EDX 0047DF44 . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047DF4A . 50 PUSH EAX 0047DF4B . FFD6 CALL ESI 0047DF4D . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047DF50 . 8BF8 MOV EDI,EAX 0047DF52 . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047DF58 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0047DF5E . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047DF61 . 50 PUSH EAX 0047DF62 . 51 PUSH ECX 0047DF63 . 6A 02 PUSH 2 0047DF65 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047DF6B . 83C4 0C ADD ESP,0C 0047DF6E . EB 7C JMP SHORT 扩展名仓.0047DFEC 0047DF70 > 66:99 CWD 0047DF72 . 66:B9 7B00 MOV CX,7B 0047DF76 . 66:F7F9 IDIV CX 0047DF79 . 8BFA MOV EDI,EDX 0047DF7B . 66:83FF 09 CMP DI,9 0047DF7F . 7D 06 JGE SHORT 扩展名仓.0047DF87 0047DF81 . 66:83C7 30 ADD DI,30 0047DF85 . EB 5F JMP SHORT 扩展名仓.0047DFE6 0047DF87 > 66:83FF 22 CMP DI,22 0047DF8B . 7F 06 JG SHORT 扩展名仓.0047DF93 0047DF8D . 66:83C7 58 ADD DI,58 0047DF91 . EB 53 JMP SHORT 扩展名仓.0047DFE6 0047DF93 > 66:83FF 2C CMP DI,2C 0047DF97 . 7D 06 JGE SHORT 扩展名仓.0047DF9F 0047DF99 . 66:83C7 0D ADD DI,0D 0047DF9D . EB 47 JMP SHORT 扩展名仓.0047DFE6 0047DF9F > 66:83FF 30 CMP DI,30 0047DFA3 . 7C 06 JL SHORT 扩展名仓.0047DFAB 0047DFA5 . 66:83FF 4D CMP DI,4D 0047DFA9 . 75 07 JNZ SHORT 扩展名仓.0047DFB2 0047DFAB > BF 48000000 MOV EDI,48 0047DFB0 . EB 3A JMP SHORT 扩展名仓.0047DFEC 0047DFB2 > 66:83FF 39 CMP DI,39 0047DFB6 . 7E 0C JLE SHORT 扩展名仓.0047DFC4 0047DFB8 . 66:83FF 4C CMP DI,4C 0047DFBC . 7F 06 JG SHORT 扩展名仓.0047DFC4 0047DFBE . 66:83C7 2A ADD DI,2A 0047DFC2 . EB 22 JMP SHORT 扩展名仓.0047DFE6 0047DFC4 > 66:83FF 4D CMP DI,4D 0047DFC8 . 7E 0C JLE SHORT 扩展名仓.0047DFD6 0047DFCA . 66:83FF 57 CMP DI,57 0047DFCE . 7F 0C JG SHORT 扩展名仓.0047DFDC 0047DFD0 . 66:83EF 1E SUB DI,1E 0047DFD4 . EB 10 JMP SHORT 扩展名仓.0047DFE6 0047DFD6 > 66:83FF 57 CMP DI,57 0047DFDA . 7E 10 JLE SHORT 扩展名仓.0047DFEC 0047DFDC > 66:83FF 61 CMP DI,61 0047DFE0 . 7D 0A JGE SHORT 扩展名仓.0047DFEC 0047DFE2 . 66:83C7 11 ADD DI,11 0047DFE6 > 0F80 47030000 JO 扩展名仓.0047E333 0047DFEC > 0FBFD7 MOVSX EDX,DI 0047DFEF . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047DFF2 . 52 PUSH EDX ; /Arg2 0047DFF3 . 50 PUSH EAX ; \|Arg1 0047DFF4 . FF15 E0114000 CALL DWORD PTR DS:[<&msvbvm60.rtcVarBstrFromAnsi>] ; \rtcVarBstrFromAnsi 0047DFFA . 8B3D 3C114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.rtcUpperCaseVar>] ; msvbvm60.rtcUpperCaseVar 0047E000 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] 0047E003 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E009 . 51 PUSH ECX 0047E00A . 52 PUSH EDX 0047E00B . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 〈---- 转为大写 0047E00D . A1 18514A00 MOV EAX,DWORD PTR DS:[4A5118] 0047E012 . 66:8BD3 MOV DX,BX 0047E015 . 83C0 04 ADD EAX,4 0047E018 . 66:83C2 01 ADD DX,1 0047E01C . 8985 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EAX 0047E022 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047E028 . 0F80 05030000 JO 扩展名仓.0047E333 0047E02E . 0FBFC2 MOVSX EAX,DX 0047E031 . 51 PUSH ECX ; /Arg4 0047E032 . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] ; \| 0047E038 . 50 PUSH EAX ; \|Arg3 0047E039 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] ; \| 0047E03F . 51 PUSH ECX ; \|Arg2 0047E040 . 52 PUSH EDX ; \|Arg1 0047E041 . C785 74FFFFFF>MOV DWORD PTR SS:[EBP-8C],1 ; \| 0047E04B . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],2 ; \| 0047E055 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047E05F . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 0047E065 . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047E06B . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047E071 . 50 PUSH EAX 0047E072 . 51 PUSH ECX 0047E073 . FFD7 CALL EDI ; <&msvbvm60.rtcUpperCaseVar> 0047E075 . 8B3D F8114000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047E07B . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047E081 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047E084 . 52 PUSH EDX 0047E085 . 50 PUSH EAX 0047E086 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047E088 . 50 PUSH EAX 0047E089 . FFD6 CALL ESI 0047E08B . 66:8BD0 MOV DX,AX 0047E08E . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047E094 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E097 . 51 PUSH ECX 0047E098 . 50 PUSH EAX 0047E099 . 66:8995 A4FEF>MOV WORD PTR SS:[EBP-15C],DX 0047E0A0 . FFD7 CALL EDI ; <&msvbvm60.__vbaStrVarVal> 0047E0A2 . 50 PUSH EAX 0047E0A3 . FFD6 CALL ESI 0047E0A5 . 66:8B95 A4FEF>MOV DX,WORD PTR SS:[EBP-15C] 0047E0AC . 33C9 XOR ECX,ECX 0047E0AE . 66:3BC2 CMP AX,DX 〈---这里比较的是第 2 组的，把DX的值记起来。 0047E0B1 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] 0047E0B4 . 0F95C1 SETNE CL 0047E0B7 . F7D9 NEG ECX 0047E0B9 . 8BF9 MOV EDI,ECX 0047E0BB . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047E0BE . 50 PUSH EAX 0047E0BF . 51 PUSH ECX 0047E0C0 . 6A 02 PUSH 2 0047E0C2 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047E0C8 . 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4] 0047E0CE . 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4] 0047E0D4 . 52 PUSH EDX 0047E0D5 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94] 0047E0DB . 50 PUSH EAX 0047E0DC . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E0E2 . 51 PUSH ECX 0047E0E3 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E0E6 . 52 PUSH EDX 0047E0E7 . 50 PUSH EAX 0047E0E8 . 6A 05 PUSH 5 0047E0EA . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E0F0 . 83C4 24 ADD ESP,24 0047E0F3 . 66:85FF TEST DI,DI 0047E0F6 . 0F85 A3010000 JNZ 扩展名仓.0047E29F 0047E0FC . B8 01000000 MOV EAX,1 0047E101 . 66:03C3 ADD AX,BX 0047E104 . 0F80 29020000 JO 扩展名仓.0047E333 0047E10A . 8BD8 MOV EBX,EAX 0047E10C .^ E9 D6FCFFFF JMP 扩展名仓.0047DDE7 0047E111 > C785 D4FEFFFF>MOV DWORD PTR SS:[EBP-12C],4 0047E11B . C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],1 0047E125 . 33DB XOR EBX,EBX 0047E127 > 66:3B9D D4FEF>CMP BX,WORD PTR SS:[EBP-12C] 0047E12E . 0F8F 72010000 JG 扩展名仓.0047E2A6 0047E134 . 0FBFFB MOVSX EDI,BX 0047E137 . 83FF 05 CMP EDI,5 0047E13A . 72 11 JB SHORT 扩展名仓.0047E14D 0047E13C . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047E142 . 83FF 05 CMP EDI,5 0047E145 . 72 06 JB SHORT 扩展名仓.0047E14D 0047E147 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaGenerateBoundsEr>; msvbvm60.__vbaGenerateBoundsError 0047E14D > 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44] 0047E150 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] 0047E153 . 8B0CB9 MOV ECX,DWORD PTR DS:[ECX+EDI4] 〈---- 那些值 0047E156 . 8B04BA MOV EAX,DWORD PTR DS:[EDX+EDI4] 0047E159 . 03C8 ADD ECX,EAX 〈---- 加起来 0047E15B . 66:8BC3 MOV AX,BX 0047E15E . 0F80 CF010000 JO 扩展名仓.0047E333 0047E164 . 66:05 0100 ADD AX,1 〈---- 递加 1 ，就是第 1 次是1 ，第 2 次就是 2 咯，…… 0047E168 . 0F80 C5010000 JO 扩展名仓.0047E333 0047E16E . 66:6BC0 07 IMUL AX,AX,7 〈---- 再乘于 7 ，第 1 次乘 1 ，第 2 次就是乘 2 咯，…… 0047E172 . 0F80 BB010000 JO 扩展名仓.0047E333 0047E178 . 0FBFD0 MOVSX EDX,AX 0047E17B . 03CA ADD ECX,EDX 〈---- 再加起来 0047E17D . 0F80 B0010000 JO 扩展名仓.0047E333 0047E183 . FF15 64114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4 0047E189 . 8BF8 MOV EDI,EAX 0047E18B . 66:83FF 30 CMP DI,30 〈-----下面 4 个比较是判断是否在数字和大写字母的范围内，是的话就直接跳走了。 0047E18F . 7C 06 JL SHORT 扩展名仓.0047E197 0047E191 . 66:83FF 39 CMP DI,39 0047E195 . 7E 60 JLE SHORT 扩展名仓.0047E1F7 0047E197 > 66:83FF 41 CMP DI,41 0047E19B . 7C 06 JL SHORT 扩展名仓.0047E1A3 0047E19D . 66:83FF 5A CMP DI,5A 0047E1A1 . 7E 54 JLE SHORT 扩展名仓.0047E1F7 0047E1A3 > 66:8BC7 MOV AX,DI 0047E1A6 . 66:B9 5B00 MOV CX,5B 0047E1AA . 66:99 CWD 0047E1AC . 66:F7F9 IDIV CX 〈----- 否则将 MOD 5B ，取余数 0047E1AF . 8BFA MOV EDI,EDX 0047E1B1 . 66:83FF 1A CMP DI,1A 0047E1B5 . 7D 06 JGE SHORT 扩展名仓.0047E1BD 0047E1B7 . 66:83C7 41 ADD DI,41 0047E1BB . EB 34 JMP SHORT 扩展名仓.0047E1F1 0047E1BD > 66:83FF 23 CMP DI,23 0047E1C1 . 7F 06 JG SHORT 扩展名仓.0047E1C9 0047E1C3 . 66:83C7 16 ADD DI,16 0047E1C7 . EB 28 JMP SHORT 扩展名仓.0047E1F1 0047E1C9 > 66:83FF 28 CMP DI,28 0047E1CD . 7D 06 JGE SHORT 扩展名仓.0047E1D5 0047E1CF . 66:83C7 0F ADD DI,0F 0047E1D3 . EB 1C JMP SHORT 扩展名仓.0047E1F1 0047E1D5 > 66:83FF 30 CMP DI,30 0047E1D9 . 7D 06 JGE SHORT 扩展名仓.0047E1E1 0047E1DB . 66:83C7 1E ADD DI,1E 0047E1DF . EB 10 JMP SHORT 扩展名仓.0047E1F1 0047E1E1 > 66:83FF 39 CMP DI,39 0047E1E5 . 7E 10 JLE SHORT 扩展名仓.0047E1F7 0047E1E7 . 66:83FF 41 CMP DI,41 0047E1EB . 7D 0A JGE SHORT 扩展名仓.0047E1F7 0047E1ED . 66:83C7 11 ADD DI,11 0047E1F1 > 0F80 3C010000 JO 扩展名仓.0047E333 0047E1F7 > 8B15 18514A00 MOV EDX,DWORD PTR DS:[4A5118] 0047E1FD . 66:8BCB MOV CX,BX 0047E200 . 66:83C1 01 ADD CX,1 0047E204 . 8995 44FFFFFF MOV DWORD PTR SS:[EBP-BC],EDX 0047E20A . 0F80 23010000 JO 扩展名仓.0047E333 0047E210 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E213 . C745 94 01000>MOV DWORD PTR SS:[EBP-6C],1 0047E21A . 0FBFD1 MOVSX EDX,CX 0047E21D . 50 PUSH EAX ; /Arg4 0047E21E . 8D85 3CFFFFFF LEA EAX,DWORD PTR SS:[EBP-C4] ; \| 0047E224 . 52 PUSH EDX ; \|Arg3 0047E225 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] ; \| 0047E22B . 50 PUSH EAX ; \|Arg2 0047E22C . 51 PUSH ECX ; \|Arg1 0047E22D . C745 8C 02000>MOV DWORD PTR SS:[EBP-74],2 ; \| 0047E234 . C785 3CFFFFFF>MOV DWORD PTR SS:[EBP-C4],4008 ; \| 0047E23E . FF15 24114000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar 〈--- 取第 1 组假码 0047E244 . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E24A . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E24D . 52 PUSH EDX 0047E24E . 50 PUSH EAX 0047E24F . FF15 F8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal 0047E255 . 50 PUSH EAX 0047E256 . FFD6 CALL ESI 0047E258 . 33C9 XOR ECX,ECX 0047E25A . 66:3BF8 CMP DI,AX 〈---比较第 1 组的。把 DX 的值记起来。 0047E25D . 0F95C1 SETNE CL 0047E260 . F7D9 NEG ECX 0047E262 . 8BF9 MOV EDI,ECX 0047E264 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 0047E267 . FF15 04134000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr 0047E26D . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84] 0047E273 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74] 0047E276 . 52 PUSH EDX 0047E277 . 50 PUSH EAX 0047E278 . 6A 02 PUSH 2 0047E27A . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E280 . 83C4 0C ADD ESP,0C 0047E283 . 66:85FF TEST DI,DI 0047E286 . 75 17 JNZ SHORT 扩展名仓.0047E29F 0047E288 . 66:8B8D D8FEF>MOV CX,WORD PTR SS:[EBP-128] 0047E28F . 66:03CB ADD CX,BX 0047E292 . 0F80 9B000000 JO 扩展名仓.0047E333 0047E298 . 8BD9 MOV EBX,ECX 0047E29A .^ E9 88FEFFFF JMP 扩展名仓.0047E127 0047E29F > C745 CC 00000>MOV DWORD PTR SS:[EBP-34],0 0047E2A6 > 9B WAIT 0047E2A7 . 68 19E34700 PUSH 扩展名仓.0047E319 0047E2AC . EB 3C JMP SHORT 扩展名仓.0047E2EA 0047E2AE . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64] 0047E2B1 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 0047E2B4 . 52 PUSH EDX 0047E2B5 . 50 PUSH EAX 0047E2B6 . 6A 02 PUSH 2 0047E2B8 . FF15 54124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList 0047E2BE . 8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:[EBP-B4] 0047E2C4 . 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4] 0047E2CA . 51 PUSH ECX 0047E2CB . 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94] 0047E2D1 . 52 PUSH EDX 0047E2D2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84] 0047E2D8 . 50 PUSH EAX 0047E2D9 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] 0047E2DC . 51 PUSH ECX 0047E2DD . 52 PUSH EDX 0047E2DE . 6A 05 PUSH 5 0047E2E0 . FF15 44104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList 0047E2E6 . 83C4 24 ADD ESP,24 0047E2E9 . C3 RETN --------------------------------------- The end ----------------------------------------------------- 名字：skyege 邮箱：skyege@tom.com 注册码：P6ZI3-XH4HL-OXUXD-EMK15-7CQPA 这是一个经典的“用户名（F）= 注册码”的软件，难度一般。注册码共 5 组，每组 5 个字符。注册成功后在 Extension .ini 中有 UserName=skyege Email=skyege@tom.com Code=P6ZI3XH4HLOXUXDEMK157CQPA 验证的过程是这样的： 1、验证第 5 组的第 1 个与第 2 组的第 2 个的关系 2、验证第 3 组的后 4 个与第 5 组的后 4 个的关系。 3、验证第 4 组注册码 4、验证第 3 组注册码 5、验证第 2 组注册码 6、验证第 1 组注册码所以逆过来，顺序颠倒就可以逆出真注册码了。程序先利用你输入的用户名和邮箱计算出 10 个值，这是它们的存放地址： 002243A0 E0 00 00 00 D7 00 00 00 87 00 00 00 2C 00 00 00 ?..?..?..,... 002243B0 8C 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE ?..????铪铪 002243C0 00 00 00 00 00 00 00 00 06 00 06 00 00 07 1C 00 ............ 002243D0 1F 00 00 00 BD 00 00 00 19 00 00 00 B7 00 00 00 ...?.....?.. 002243E0 2B 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE +...????铪铪 1、根据那 10 个值计算出第 1 组注册码 2、根据用户名的 5 个值和第 1 组注册码计算出第 2 组注册码 3、根据那 10 个值和第 2 组注册码计算出第 3 组注册码 4、根据那 10 个值和第 2 组注册码计算出第 4 组注册码 5、根据第 3 组的后 4 个计算出第 5 组注册码的后 4 个 6、根据第 2 组的第 2 个计算出第 5 组注册码的第 1 个至于如何计算看代码的注释,要表达清楚，恐怕成长篇大论了。断点地址模块激活反汇编注释 0047D6F4 扩展名仓关闭 CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的第 1 个注册码 0047D8B8 扩展名仓关闭 CMP WORD PTR SS:[EBP-58],AX <--- 这里得到第 5 组的后 4 个注册码 0047DA90 扩展名仓关闭 CMP BX,AX <--- 这里得到第 4 组注册码 0047DD82 扩展名仓关闭 CMP AX,DX <--- 这里得到第 3 组注册码 0047E0AE 扩展名仓关闭 CMP AX,DX <--- 这里得到第 2 组注册码 0047E25A 扩展名仓关闭 CMP DI,AX <--- 这里得到第 1 组注册码注册机：注册机的编写我觉得用高级语言真的很不适合，主要是在计算注册码的时候，都有 N 长的值的范围判断比较，特别是计算第 2 组的时候更麻烦。以为写成过程调用可以解决，但发现也是烦琐。加之本人编程能力不敢恭维，代码写得冗长垃圾，故不贴了。等哪天学了汇编再写吧。对用户名和邮箱的处理大家可以看一下（我只跟踪了用户名大于5的 ^_^）,错误遗漏之处请指教： Dim a, b, c, d, e '存放用邮箱计算得出的 5 个值 Dim h, i, j, k, l '存放用用户名计算得出的 5 个值 yhm = Trim(Text1.Text) '用户名 youxiang = UCase(Trim(Text2.Text)) '邮箱转化为大写形式 For i = 6 To Len(youxiang) If i Mod 2 = 0 Then temp = Asc(Mid(youxiang, i, 1)) + temp '累加 temp = temp - 5 '偶数位 - 5 Else temp = Asc(Mid(youxiang, i, 1)) + temp temp = temp + 7 '奇数位 + 7 End If Next temp = temp Mod 177 '取余数 a = temp - Asc(Mid(youxiang, 1, 1)) b = temp + Asc(Mid(youxiang, 2, 1)) c = temp - Asc(Mid(youxiang, 3, 1)) d = temp + Asc(Mid(youxiang, 4, 1)) e = temp - Asc(Mid(youxiang, 5, 1)) temp = 0 For i = 6 To Len(mz) '累加用户名6位以上的ASC值 temp = Asc(Mid(mz, i, 1)) + temp Next i = Asc(Mid(yhm, 2, 1)) + 7 + temp ' j = Asc(Mid(yhm, 3, 1)) + 14 ' + c k = Asc(Mid(yhm, 4, 1)) - 57 '- 39 l = Asc(Mid(yhm, 5, 1)) + 37 ' + 25 h = Asc(Mid(yhm, 1, 1)) + 7 + k + 167 '+ a7 h = h Mod 231 h = h + Asc(Mid(yhm, 1, 1)) + 7 2005-9-6 18:07 0
wenglingok 雪币： 671 活跃值： (723) 能力值： ( LV9，RANK：1060 ) 在线值：发帖 52 回帖 679 粉丝 1 关注私信	wenglingok 26 3 楼沙发，支持一下。 2005-9-6 18:30 0
小娃崽雪币： 383 活跃值： (41) 能力值： ( LV12，RANK：530 ) 在线值：发帖 42 回帖 283 粉丝 1 关注私信	小娃崽 13 4 楼顶起~!终于看到兄弟的帖子拉 2005-9-6 18:52 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 5 楼呵呵，skyege兄的文章，支持一下，学习中 2005-9-6 19:02 0
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 6 楼 2005-9-6 20:30 0
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 7 楼阁下有耐心啊 2005-9-6 21:19 0
skyege 雪币： 229 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 555 粉丝 0 关注私信	skyege 2 8 楼唉，就是太长了。不知道怎么弄短一点。 2005-9-6 21:47 0
dthexin 雪币： 215 活跃值： (82) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 32 粉丝 0 关注私信	dthexin 1 9 楼学习啊, 2005-9-7 07:44 0
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 10 楼学习了不过本人对算法还是不怎么喜欢 !1不过还是要顶你 !! 2005-9-7 12:05 0
yuqli 雪币： 214 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 3 回帖 59 粉丝 1 关注私信	yuqli 2 11 楼颜色不好看~~~ 有点恶心 2005-9-7 13:19 0
冷血书生雪币： 443 活跃值： (200) 能力值： ( LV9，RANK：1140 ) 在线值：发帖 53 回帖 1135 粉丝 2 关注私信	冷血书生 28 12 楼不顶实在是不行！严重支持的！ 2005-9-10 02:20 0
海栖靖雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 22 粉丝 0 关注私信	海栖靖 13 楼也难为skyege兄写这么长的文章了呵呵兄弟我也来顶一下 2005-9-19 01:35 0
dfui 雪币： 1267 活跃值： (567) 能力值： ( LV2，RANK：10 ) 在线值：发帖 32 回帖 216 粉丝 2 关注私信	dfui 14 楼天才出于什么…………怎么才能成为天才。跟着成功的人士。?听他们的声音。努力的补充知识。这就是天才与笨蛋的区别。 2005-9-19 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复