能力值:
( LV9,RANK:1170 )
|
-
-
2 楼
00402B7B . FF15 34104>call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00402B81 > 8B55 88 mov edx, [ebp-78]
00402B84 . 52 push edx
00402B85 . 68 3422400>push 00402234
00402B8A . FF15 58104>call [<&MSVBVM60.__vbaStrCmp>] ; 用户名与0比较
00402B90 . 8BD8 mov ebx, eax
00402B92 . 8D4D 88 lea ecx, [ebp-78]
00402B95 . F7DB neg ebx
00402B97 . 1BDB sbb ebx, ebx
00402B99 . 43 inc ebx
00402B9A . F7DB neg ebx
00402B9C . FF15 CC104>call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402BA2 . 8D4D 84 lea ecx, [ebp-7C]
00402BA5 . FF15 D0104>call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402BAB . 66:85DB test bx, bx
00402BAE . 74 3F je short 00402BEF ; 如果用户名为空,不跳
00402BB0 . A1 1060400>mov eax, [406010]
00402BB5 . 85C0 test eax, eax
00402BB7 . 75 10 jnz short 00402BC9
00402BB9 . 68 1060400>push 00406010
00402BBE . 68 F823400>push 004023F8
00402BC3 . FF15 98104>call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00402BC9 > 8B1D 10604>mov ebx, [406010]
00402BCF . 68 3C22400>push 0040223C
00402BD4 . 53 push ebx
00402BD5 . 8B03 mov eax, [ebx]
00402BD7 . FF50 54 call [eax+54]
00402BDA . 85C0 test eax, eax
00402BDC . DBE2 fclex
00402BDE . 7D 0F jge short 00402BEF
00402BE0 . 6A 54 push 54
00402BE2 . 68 C820400>push 004020C8
00402BE7 . 53 push ebx
00402BE8 . 50 push eax
00402BE9 . FF15 34104>call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00402BEF > 8B0E mov ecx, [esi]
00402BF1 . 56 push esi
00402BF2 . FF91 08030>call [ecx+308]
00402BF8 . 8D55 84 lea edx, [ebp-7C]
00402BFB . 50 push eax
00402BFC . 52 push edx
00402BFD . FFD7 call edi
00402BFF . 8BD8 mov ebx, eax
00402C01 . 8D4D 88 lea ecx, [ebp-78]
00402C04 . 51 push ecx
00402C05 . 53 push ebx
00402C06 . 8B03 mov eax, [ebx]
00402C08 . FF90 A0000>call [eax+A0]
00402C0E . 85C0 test eax, eax
00402C10 . DBE2 fclex
00402C12 . 7D 12 jge short 00402C26
00402C14 . 68 A000000>push 0A0
00402C19 . 68 2022400>push 00402220
00402C1E . 53 push ebx
00402C1F . 50 push eax
00402C20 . FF15 34104>call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00402C26 > 8B55 88 mov edx, [ebp-78]
00402C29 . 52 push edx
00402C2A . 68 3422400>push 00402234
00402C2F . FF15 58104>call [<&MSVBVM60.__vbaStrCmp>] ; 注册码与0比较
00402C35 . 8BD8 mov ebx, eax
00402C37 . 8D4D 88 lea ecx, [ebp-78]
00402C3A . F7DB neg ebx
00402C3C . 1BDB sbb ebx, ebx
00402C3E . 43 inc ebx
00402C3F . F7DB neg ebx
00402C41 . FF15 CC104>call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402C47 . 8D4D 84 lea ecx, [ebp-7C]
00402C4A . FF15 D0104>call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402C50 . 66:85DB test bx, bx
00402C53 . 74 3F je short 00402C94 ; 如果注册码为空,不跳
00402C55 . A1 1060400>mov eax, [406010]
00402C5A . 85C0 test eax, eax
00402C5C . 75 10 jnz short 00402C6E
00402C5E . 68 1060400>push 00406010
00402C63 . 68 F823400>push 004023F8
00402C68 . FF15 98104>call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00402C6E > 8B1D 10604>mov ebx, [406010]
00402C74 . 68 5422400>push 00402254
00402C79 . 53 push ebx
00402C7A . 8B03 mov eax, [ebx]
00402C7C . FF50 54 call [eax+54]
00402C7F . 85C0 test eax, eax
00402C81 . DBE2 fclex
00402C83 . 7D 0F jge short 00402C94
00402C85 . 6A 54 push 54
00402C87 . 68 C820400>push 004020C8
00402C8C . 53 push ebx
00402C8D . 50 push eax
00402C8E . FF15 34104>call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00402C94 > 8D5E 34 lea ebx, [esi+34]
00402C97 . 8D95 30FFF>lea edx, [ebp-D0]
00402C9D . 8BCB mov ecx, ebx
00402C9F . C785 38FFF>mov dword ptr [ebp-C8], 0
00402CA9 . C785 30FFF>mov dword ptr [ebp-D0], 2
00402CB3 . FF15 10104>call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402CB9 . 8B0E mov ecx, [esi]
00402CBB . 56 push esi
00402CBC . FF91 0C030>call [ecx+30C]
00402CC2 . 8D55 84 lea edx, [ebp-7C]
00402CC5 . 50 push eax
00402CC6 . 52 push edx
00402CC7 . FFD7 call edi
00402CC9 . 8B08 mov ecx, [eax]
00402CCB . 8D55 88 lea edx, [ebp-78]
00402CCE . 52 push edx
00402CCF . 50 push eax
00402CD0 . 8985 0CFFF>mov [ebp-F4], eax
00402CD6 . FF91 A0000>call [ecx+A0]
00402CDC . 85C0 test eax, eax
00402CDE . DBE2 fclex
00402CE0 . 7D 18 jge short 00402CFA
00402CE2 . 8B8D 0CFFF>mov ecx, [ebp-F4]
00402CE8 . 68 A000000>push 0A0
00402CED . 68 2022400>push 00402220
00402CF2 . 51 push ecx
00402CF3 . 50 push eax
00402CF4 . FF15 34104>call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00402CFA > 8B55 88 mov edx, [ebp-78]
00402CFD . 8D8E 80000>lea ecx, [esi+80]
00402D03 . FF15 A4104>call [<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00402D09 . 8D4D 88 lea ecx, [ebp-78]
00402D0C . FF15 CC104>call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402D12 . 8D4D 84 lea ecx, [ebp-7C]
00402D15 . FF15 D0104>call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402D1B . 8B96 80000>mov edx, [esi+80] ; 用户名入EDX
00402D21 . 52 push edx
00402D22 . FF15 18104>call [<&MSVBVM60.__vbaLenBstr>] ; EAX返回用户名的长度
00402D28 . 83E8 02 sub eax, 2 ; EAX-2,结果记为L
00402D2B . 8D4E 6C lea ecx, [esi+6C]
00402D2E . 0F80 511F0>jo 00404C85 ; 溢出,跳
00402D34 . 8D95 30FFF>lea edx, [ebp-D0]
00402D3A . 8985 38FFF>mov [ebp-C8], eax
00402D40 . C785 30FFF>mov dword ptr [ebp-D0], 3
00402D4A . FF15 10104>call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402D50 . B8 0200000>mov eax, 2
00402D55 . 8D8D 70FFF>lea ecx, [ebp-90]
00402D5B . 8985 38FFF>mov [ebp-C8], eax
00402D61 . 8985 30FFF>mov [ebp-D0], eax
00402D67 . 8D46 6C lea eax, [esi+6C]
00402D6A . 50 push eax
00402D6B . 8D85 30FFF>lea eax, [ebp-D0]
00402D71 . 50 push eax
00402D72 . 51 push ecx
00402D73 . FF15 70104>call [<&MSVBVM60.__vbaVarMul>] ; L*2=A
00402D79 . 8BD0 mov edx, eax
00402D7B . 8D4D AC lea ecx, [ebp-54]
00402D7E . FF15 10104>call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402D84 . 8D46 6C lea eax, [esi+6C]
00402D87 . 50 push eax
00402D88 . FF15 8C104>call [<&MSVBVM60.__vbaI2Var>] ; MSVBVM60.__vbaI2Var
00402D8E . 8985 F8FEF>mov [ebp-108], eax
00402D94 . 66:C746 7C>mov word ptr [esi+7C], 1
00402D9A > 66:8B46 7C mov ax, [esi+7C]
00402D9E . 66:3B85 F8>cmp ax, [ebp-108] ; 循环次数控制,次数为用户名长度-2
00402DA5 . 0F8F 63010>jg 00402F0E
00402DAB . 8D8E 80000>lea ecx, [esi+80]
00402DB1 . 8D95 70FFF>lea edx, [ebp-90]
00402DB7 . 0FBFC0 movsx eax, ax
00402DBA . 898D 38FFF>mov [ebp-C8], ecx
00402DC0 . 52 push edx
00402DC1 . 8D8D 30FFF>lea ecx, [ebp-D0]
00402DC7 . 50 push eax
00402DC8 . 8D95 60FFF>lea edx, [ebp-A0]
00402DCE . 51 push ecx
00402DCF . 52 push edx
00402DD0 . C785 78FFF>mov dword ptr [ebp-88], 1
00402DDA . C785 70FFF>mov dword ptr [ebp-90], 2
00402DE4 . C785 30FFF>mov dword ptr [ebp-D0], 4008
00402DEE . FF15 4C104>call [<&MSVBVM60.#632>] ; 依次得到用户名的每个字符
00402DF4 . 8D85 60FFF>lea eax, [ebp-A0]
00402DFA . 8D4D 88 lea ecx, [ebp-78]
00402DFD . 50 push eax
00402DFE . 51 push ecx
00402DFF . FF15 88104>call [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00402E05 . 50 push eax
00402E06 . FF15 2C104>call [<&MSVBVM60.#516>] ; EAX返回上一步得到字符的ASCII码
00402E0C . 66:8985 18>mov [ebp-E8], ax
00402E13 . 8D95 10FFF>lea edx, [ebp-F0]
00402E19 . 53 push ebx
00402E1A . 8D85 50FFF>lea eax, [ebp-B0]
00402E20 . 52 push edx
00402E21 . 50 push eax
00402E22 . C785 10FFF>mov dword ptr [ebp-F0], 2
00402E2C . FF15 B4104>call [<&MSVBVM60.__vbaVarAdd>] ; 累加
00402E32 . 8BD0 mov edx, eax
00402E34 . 8BCB mov ecx, ebx
00402E36 . FF15 10104>call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402E3C . 8D4D 88 lea ecx, [ebp-78]
00402E3F . FF15 CC104>call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402E45 . 8D8D 50FFF>lea ecx, [ebp-B0]
00402E4B . 8D95 60FFF>lea edx, [ebp-A0]
00402E51 . 51 push ecx
00402E52 . 8D85 70FFF>lea eax, [ebp-90]
00402E58 . 52 push edx
00402E59 . 50 push eax
00402E5A . 6A 03 push 3
00402E5C . FF15 1C104>call [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00402E62 . 66:8B46 7C mov ax, [esi+7C]
00402E66 . B9 0200000>mov ecx, 2
00402E6B . 83C4 10 add esp, 10
00402E6E . 898D 30FFF>mov [ebp-D0], ecx
00402E74 . 898D 20FFF>mov [ebp-E0], ecx
00402E7A . 898D 10FFF>mov [ebp-F0], ecx
00402E80 . 8D8D 30FFF>lea ecx, [ebp-D0]
00402E86 . 53 push ebx
00402E87 . 8D95 70FFF>lea edx, [ebp-90]
00402E8D . 51 push ecx
00402E8E . 52 push edx
00402E8F . 66:8985 38>mov [ebp-C8], ax
00402E96 . C785 28FFF>mov dword ptr [ebp-D8], 1
00402EA0 . 66:8985 18>mov [ebp-E8], ax
00402EA7 . FF15 70104>call [<&MSVBVM60.__vbaVarMul>] ; 累加和与循环次数相乘,结果记为C
00402EAD . 50 push eax
00402EAE . 8D45 AC lea eax, [ebp-54]
00402EB1 . 8D8D 20FFF>lea ecx, [ebp-E0]
00402EB7 . 50 push eax
00402EB8 . 8D95 60FFF>lea edx, [ebp-A0]
00402EBE . 51 push ecx
00402EBF . 52 push edx
00402EC0 . FF15 00104>call [<&MSVBVM60.__vbaVarSub>] ; 此函数的返回结果为:A-1=B
00402EC6 . 50 push eax
00402EC7 . 8D85 50FFF>lea eax, [ebp-B0]
00402ECD . 50 push eax
00402ECE . FF15 70104>call [<&MSVBVM60.__vbaVarMul>] ; C*B=D
00402ED4 . 8D8D 10FFF>lea ecx, [ebp-F0]
00402EDA . 50 push eax
00402EDB . 8D95 40FFF>lea edx, [ebp-C0]
00402EE1 . 51 push ecx
00402EE2 . 52 push edx
00402EE3 . FF15 20104>call [<&MSVBVM60.__vbaVarIdiv>] ; D/循环次数
00402EE9 . 8BD0 mov edx, eax
00402EEB . 8BCB mov ecx, ebx
00402EED . FF15 10104>call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402EF3 . 66:8B4E 7C mov cx, [esi+7C]
00402EF7 . B8 0100000>mov eax, 1
00402EFC . 66:03C8 add cx, ax
00402EFF . 0F80 801D0>jo 00404C85
00402F05 . 66:894E 7C mov [esi+7C], cx
00402F09 .^ E9 8CFEFFF>jmp 00402D9A ; 循环
===============================================================================
以上代码功能:
loop=用户名长度-2;
temp1=loop*2-1;
sum=0;
for(i=1;i<=loop;i++)
{ sum+=用户名[i];
sum=sum*i*temp1;
sum/=i;
}
00402F4F > \8B55 88 mov edx, [ebp-78] ; 注册码入EDX
00402F52 . 52 push edx
00402F53 . FF15 D4104000 call [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00402F59 . FF15 B8104000 call [<&MSVBVM60.__vbaFpI4>] ; 把注册码转换成十六进制的数放入EAX
00402F5F . 99 cdq ; 符号扩展
00402F60 . 2BC2 sub eax, edx ; EAX-EDX
00402F62 . 8D4D 88 lea ecx, [ebp-78]
00402F65 . D1F8 sar eax, 1 ; EAX右移1位,结果记为A
00402F67 . 8985 ECFEFFFF mov [ebp-114], eax
00402F6D . DB85 ECFEFFFF fild dword ptr [ebp-114] ; 装入ST0
00402F73 . DD5E 64 fstp qword ptr [esi+64]
00402F76 . FF15 CC104000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402F7C . 8D4D 84 lea ecx, [ebp-7C]
00402F7F . FF15 D0104000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402F85 . DD46 64 fld qword ptr [esi+64]
00402F88 . FF15 B8104000 call [<&MSVBVM60.__vbaFpI4>] ; EAX返回A
00402F8E . 99 cdq
00402F8F . B9 64000000 mov ecx, 64
00402F94 . C785 30FFFFFF>mov dword ptr [ebp-D0], 3
00402F9E . F7F9 idiv ecx ; EAX/64H
00402FA0 . 8D4E 44 lea ecx, [esi+44]
00402FA3 . 8995 38FFFFFF mov [ebp-C8], edx ; 存余数入[ebp-C8],余数记为B
00402FA9 . 8D95 30FFFFFF lea edx, [ebp-D0]
00402FAF . FF15 10104000 call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402FB5 . DD46 64 fld qword ptr [esi+64]
00402FB8 . FF15 B8104000 call [<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
00402FBE . 8BC8 mov ecx, eax ; A入ECX
00402FC0 . B8 1F85EB51 mov eax, 51EB851F ; 51EB851F入EAX
00402FC5 . F7E9 imul ecx ; EAX*ECX
00402FC7 . C1FA 05 sar edx, 5 ; 积的高32位算术右移5位
00402FCA . 8BC2 mov eax, edx ; EDX入EAX
00402FCC . 53 push ebx
00402FCD . C1E8 1F shr eax, 1F ; EAX逻辑右移1F位
00402FD0 . 03D0 add edx, eax ; EDX+EAX
00402FD2 . C785 30FFFFFF>mov dword ptr [ebp-D0], 5
00402FDC . 8995 E8FEFFFF mov [ebp-118], edx ; EDX存入[ebp-118]
===================================
00403020 . 8D8D 30FFFFFF lea ecx, [ebp-D0]
00403026 . 51 push ecx
00403027 . 52 push edx
00403028 . 8985 38FFFFFF mov [ebp-C8], eax
0040302E . FF15 00104000 call [<&MSVBVM60.__vbaVarSub>] ; 看不懂到底是谁减谁
00403034 . 50 push eax
00403035 . 8D46 44 lea eax, [esi+44]
00403038 . 50 push eax
00403039 . 8D85 60FFFFFF lea eax, [ebp-A0]
0040303F . 50 push eax
00403040 . FF15 20104000 call [<&MSVBVM60.__vbaVarIdiv>] ; 整除,也看不懂谁整除谁
00403046 . 8D8D 20FFFFFF lea ecx, [ebp-E0]
0040304C . 50 push eax
0040304D . 51 push ecx
0040304E . FF15 5C104000 call [<&MSVBVM60.__vbaVarTstEq>] ; MSVBVM60.__vbaVarTstEq
00403054 . 66:85C0 test ax, ax
00403057 . A1 10604000 mov eax, [406010]
0040305C . 74 2D je short 0040308B
0040305E . 85C0 test eax, eax
00403060 . 75 10 jnz short 00403072
00403062 . 68 10604000 push 00406010
00403067 . 68 F8234000 push 004023F8
0040306C . FF15 98104000 call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00403072 > 8B1D 10604000 mov ebx, [406010]
00403078 . 68 6C224000 push 0040226C ; 恭喜你
上面的减与整除用OD跟踪,结果看不懂,好像不对,也不知是不是我跟错,请高手解答一下.
|
能力值:
( LV9,RANK:1170 )
|
-
-
4 楼
00403020 . 8D8D 30FFFFFF lea ecx, [ebp-D0]
00403026 . 51 push ecx
00403027 . 52 push edx
00403028 . 8985 38FFFFFF mov [ebp-C8], eax
0040302E . FF15 00104000 call [<&MSVBVM60.__vbaVarSub>] ; 用户名运算结果-C
00403034 . 50 push eax
00403035 . 8D46 44 lea eax, [esi+44]
00403038 . 50 push eax
00403039 . 8D85 60FFFFFF lea eax, [ebp-A0]
0040303F . 50 push eax
00403040 . FF15 20104000 call [<&MSVBVM60.__vbaVarIdiv>] ; 整除,5\B
00403046 . 8D8D 20FFFFFF lea ecx, [ebp-E0]
0040304C . 50 push eax
0040304D . 51 push ecx
0040304E . FF15 5C104000 call [<&MSVBVM60.__vbaVarTstEq>] ; 整除结果与1比较是否相等
00403054 . 66:85C0 test ax, ax
00403057 . A1 10604000 mov eax, [406010]
0040305C 74 2D je short 0040308B
0040305E . 85C0 test eax, eax
00403060 . 75 10 jnz short 00403072
00403062 . 68 10604000 push 00406010
00403067 . 68 F8234000 push 004023F8
0040306C . FF15 98104000 call [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00403072 > 8B1D 10604000 mov ebx, [406010]
00403078 . 68 6C224000 push 0040226C ; 恭喜你
======================================================
算法小结:
(用户名运算结果-5)*64H+5,然后左移1位,即得注册码,如
用户名:bxm78
注册码:3158010 或3158011
感谢楼主提示.
|
典型的菜鸟写来玩玩
),不要爆破,算法就几行
