【文章标题】: webmasta's算法分析(VB简单)
【文章作者】: bxm
【作者邮箱】: bxm78@163.com
【保护方式】: name,Code
【使用工具】: OD,peid,计算器
【操作平台】: winxp
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
通过出错字符串下断:
00402F44 . E8 05E3FFFF call <jmp.&MSVBVM60.__vbaLenBstr> ; EAX = Len(Name); the length test below is the first gate
00402F49 . 8985 98FEFFFF mov [ebp-168], eax ; length becomes the value of the temp VARIANT
00402F4F . C785 90FEFFFF>mov dword ptr [ebp-170], 3 ; vartype 3 = VT_I4
00402F59 . 8D95 90FEFFFF lea edx, [ebp-170]
00402F5F . 8D8D 7CFFFFFF lea ecx, [ebp-84]
00402F65 . E8 38E3FFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-84] := CLng(Len(Name))
00402F6A . 8D8D E8FEFFFF lea ecx, [ebp-118]
00402F70 . E8 1BE3FFFF call <jmp.&MSVBVM60.__vbaFreeStr> ; release the Name BSTR
00402F75 . 8D8D E0FEFFFF lea ecx, [ebp-120]
00402F7B . E8 F8E2FFFF call <jmp.&MSVBVM60.__vbaFreeObj> ; release the control reference
00402F80 . C785 98FEFFFF>mov dword ptr [ebp-168], 40 ; literal 40h (64) into the temp VARIANT
00402F8A . C785 90FEFFFF>mov dword ptr [ebp-170], 2 ; vartype 2 = VT_I2
00402F94 . 8D85 7CFFFFFF lea eax, [ebp-84]
00402F9A . 50 push eax ; operand: Len(Name)
00402F9B . 8D85 90FEFFFF lea eax, [ebp-170]
00402FA1 . 50 push eax ; operand: 40h
00402FA2 . 8D85 D0FEFFFF lea eax, [ebp-130]
00402FA8 . 50 push eax ; result VARIANT
00402FA9 . E8 9AE2FFFF call <jmp.&MSVBVM60.__vbaVarMul> ; A = Len(Name) * 40h
00402FAE . 8BD0 mov edx, eax
00402FB0 . 8D8D 7CFFFFFF lea ecx, [ebp-84]
00402FB6 . E8 E7E2FFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-84] := A
00402FBB . C785 98FEFFFF>mov dword ptr [ebp-168], 1F1 ; literal 1F1h (497)
00402FC5 . C785 90FEFFFF>mov dword ptr [ebp-170], 2 ; vartype 2 = VT_I2
00402FCF . 8D85 7CFFFFFF lea eax, [ebp-84]
00402FD5 . 50 push eax
00402FD6 . 8D85 90FEFFFF lea eax, [ebp-170]
00402FDC . 50 push eax
00402FDD . 8D85 D0FEFFFF lea eax, [ebp-130]
00402FE3 . 50 push eax
00402FE4 . E8 59E2FFFF call <jmp.&MSVBVM60.__vbaVarAdd> ; B = A + 1F1h
00402FE9 . 8BD0 mov edx, eax
00402FEB . 8D8D 7CFFFFFF lea ecx, [ebp-84]
00402FF1 . E8 ACE2FFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-84] := B
00402FF6 . C785 98FEFFFF>mov dword ptr [ebp-168], 3F1 ; literal 3F1h (1009)
00403000 . C785 90FEFFFF>mov dword ptr [ebp-170], 8002 ; type tag 8002h for the literal operand
0040300A . 8D85 7CFFFFFF lea eax, [ebp-84]
00403010 . 50 push eax
00403011 . 8D85 90FEFFFF lea eax, [ebp-170]
00403017 . 50 push eax
00403018 . E8 6DE2FFFF call <jmp.&MSVBVM60.__vbaVarTstNe> ; B <> 3F1h ? (nonzero when different)
0040301D . 0FBFC0 movsx eax, ax
00403020 . 85C0 test eax, eax
00403022 . 0F84 E1000000 je 00403109 ; equal -> continue to the table stage; otherwise fall into the failure path
以上程序功能:
Name长度*40H+1F1必须等于3F1,即 Name长度 = (3F1H-1F1H)/40H = 200H/40H = 8,由此可得出Name长度必须为8。这是第一道检查,长度不对的name根本走不到后面的查表运算。
=================================================================
表:
!QAZ1aqzWSX2swxEDC3dec$RFV4frvTGB5gtbYHN6hyn&UJM7jumIK8ki(OL9lo)P0p/
00403109 > \C785 98FEFFFF>mov dword ptr [ebp-168], 004026AC ; !QAZ1aqzWSX2swxEDC3dec$RFV4frvTGB5gtbYHN6hyn&UJM7jumIK8ki(OL9lo)P0p/ -- the 68-char lookup table
00403113 . C785 90FEFFFF>mov dword ptr [ebp-170], 8 ; vartype 8 = VT_BSTR
0040311D . 8D95 90FEFFFF lea edx, [ebp-170]
00403123 . 8D4D AC lea ecx, [ebp-54]
00403126 . E8 11E1FFFF call <jmp.&MSVBVM60.__vbaVarCopy> ; [ebp-54] := table (used by every lookup below)
0040312B . C785 98FEFFFF>mov dword ptr [ebp-168], 1 ; loop step = 1
00403135 . C785 90FEFFFF>mov dword ptr [ebp-170], 2 ; vartype 2 = VT_I2
0040313F . 8B45 08 mov eax, [ebp+8] ; this (the form object)
00403142 . 8B00 mov eax, [eax]
00403144 . FF75 08 push dword ptr [ebp+8]
00403147 . FF90 08030000 call [eax+308] ; vtable slot +308h, presumably returns the name text box
0040314D . 50 push eax
0040314E . 8D85 E0FEFFFF lea eax, [ebp-120]
00403154 . 50 push eax
00403155 . E8 2AE1FFFF call <jmp.&MSVBVM60.__vbaObjSet> ; hold the control reference in [ebp-120]
0040315A . 8985 4CFEFFFF mov [ebp-1B4], eax
00403160 . 8D85 E8FEFFFF lea eax, [ebp-118]
00403166 . 50 push eax ; out: BSTR
00403167 . 8B85 4CFEFFFF mov eax, [ebp-1B4]
0040316D . 8B00 mov eax, [eax]
0040316F . FFB5 4CFEFFFF push dword ptr [ebp-1B4]
00403175 . FF90 A0000000 call [eax+A0] ; vtable slot +A0h -> BSTR in [ebp-118]; presumably the Text property get
0040317B . DBE2 fclex ; clear pending FPU exceptions before inspecting the HRESULT
0040317D . 8985 48FEFFFF mov [ebp-1B8], eax
00403183 . 83BD 48FEFFFF>cmp dword ptr [ebp-1B8], 0
0040318A . 7D 23 jge short 004031AF ; HRESULT >= 0 -> success
0040318C . 68 A0000000 push 0A0
00403191 . 68 C0224000 push 004022C0
00403196 . FFB5 4CFEFFFF push dword ptr [ebp-1B4]
0040319C . FFB5 48FEFFFF push dword ptr [ebp-1B8]
004031A2 . E8 D7E0FFFF call <jmp.&MSVBVM60.__vbaHresultCheckObj> ; failed HRESULT -> raise VB error
004031A7 . 8985 ECFDFFFF mov [ebp-214], eax
004031AD . EB 07 jmp short 004031B6
004031AF > 83A5 ECFDFFFF>and dword ptr [ebp-214], 0
004031B6 > FFB5 E8FEFFFF push dword ptr [ebp-118]
004031BC . E8 8DE0FFFF call <jmp.&MSVBVM60.__vbaLenBstr> ; EAX = Len(Name) again (already known to be 8)
004031C1 . 8985 88FEFFFF mov [ebp-178], eax
004031C7 . C785 80FEFFFF>mov dword ptr [ebp-180], 3 ; loop end = Len(Name) (VT_I4)
004031D1 . C785 78FEFFFF>mov dword ptr [ebp-188], 1 ; loop start = 1
004031DB . C785 70FEFFFF>mov dword ptr [ebp-190], 2 ; vartype 2 = VT_I2
004031E5 . 8D85 90FEFFFF lea eax, [ebp-170]
004031EB . 50 push eax ; step = 1
004031EC . 8D85 80FEFFFF lea eax, [ebp-180]
004031F2 . 50 push eax ; end = Len(Name) = 8
004031F3 . 8D85 70FEFFFF lea eax, [ebp-190]
004031F9 . 50 push eax ; start = 1
004031FA . 8D85 28FEFFFF lea eax, [ebp-1D8]
00403200 . 50 push eax
00403201 . 8D85 38FEFFFF lea eax, [ebp-1C8]
00403207 . 50 push eax
00403208 . 8D45 CC lea eax, [ebp-34]
0040320B . 50 push eax ; loop variable i lives in [ebp-34]
0040320C . E8 25E0FFFF call <jmp.&MSVBVM60.__vbaVarForInit> ; For i = 1 To Len(Name)
00403211 . 8985 FCFDFFFF mov [ebp-204], eax
00403217 . 8D8D E8FEFFFF lea ecx, [ebp-118]
0040321D . E8 6EE0FFFF call <jmp.&MSVBVM60.__vbaFreeStr>
00403222 . 8D8D E0FEFFFF lea ecx, [ebp-120]
00403228 . E8 4BE0FFFF call <jmp.&MSVBVM60.__vbaFreeObj>
0040322D . E9 78050000 jmp 004037AA ; jump to the loop test
00403232 > 8B45 08 mov eax, [ebp+8] ; loop body: re-read the name control each iteration
00403235 . 8B00 mov eax, [eax]
00403237 . FF75 08 push dword ptr [ebp+8]
0040323A . FF90 08030000 call [eax+308] ; same vtable slot as before (name text box, presumably)
00403240 . 50 push eax
00403241 . 8D85 E0FEFFFF lea eax, [ebp-120]
00403247 . 50 push eax
00403248 . E8 37E0FFFF call <jmp.&MSVBVM60.__vbaObjSet>
0040324D . 8985 4CFEFFFF mov [ebp-1B4], eax
00403253 . 8D85 E8FEFFFF lea eax, [ebp-118]
00403259 . 50 push eax
0040325A . 8B85 4CFEFFFF mov eax, [ebp-1B4]
00403260 . 8B00 mov eax, [eax]
00403262 . FFB5 4CFEFFFF push dword ptr [ebp-1B4]
00403268 . FF90 A0000000 call [eax+A0] ; Name text -> BSTR in [ebp-118]
0040326E . DBE2 fclex
00403270 . 8985 48FEFFFF mov [ebp-1B8], eax
00403276 . 83BD 48FEFFFF>cmp dword ptr [ebp-1B8], 0
0040327D . 7D 23 jge short 004032A2 ; HRESULT >= 0 -> success
0040327F . 68 A0000000 push 0A0
00403284 . 68 C0224000 push 004022C0
00403289 . FFB5 4CFEFFFF push dword ptr [ebp-1B4]
0040328F . FFB5 48FEFFFF push dword ptr [ebp-1B8]
00403295 . E8 E4DFFFFF call <jmp.&MSVBVM60.__vbaHresultCheckObj> ; failed HRESULT -> raise VB error
0040329A . 8985 E8FDFFFF mov [ebp-218], eax
004032A0 . EB 07 jmp short 004032A9
004032A2 > 83A5 E8FDFFFF>and dword ptr [ebp-218], 0
004032A9 > C785 C8FEFFFF>mov dword ptr [ebp-138], 1 ; Mid length = 1
004032B3 . C785 C0FEFFFF>mov dword ptr [ebp-140], 2 ; vartype 2 = VT_I2
004032BD . 8B85 E8FEFFFF mov eax, [ebp-118]
004032C3 . 8985 F8FDFFFF mov [ebp-208], eax
004032C9 . 83A5 E8FEFFFF>and dword ptr [ebp-118], 0 ; ownership of the BSTR moves into the VARIANT below
004032D0 . 8B85 F8FDFFFF mov eax, [ebp-208]
004032D6 . 8985 D8FEFFFF mov [ebp-128], eax
004032DC . C785 D0FEFFFF>mov dword ptr [ebp-130], 8 ; [ebp-130] := Name as VT_BSTR
004032E6 . 8D85 C0FEFFFF lea eax, [ebp-140]
004032EC . 50 push eax ; length 1
004032ED . 8D45 CC lea eax, [ebp-34]
004032F0 . 50 push eax
004032F1 . E8 28DFFFFF call <jmp.&MSVBVM60.__vbaI4Var> ; CLng(i)
004032F6 . 50 push eax ; start = i
004032F7 . 8D85 D0FEFFFF lea eax, [ebp-130]
004032FD . 50 push eax ; Name
004032FE . 8D85 B0FEFFFF lea eax, [ebp-150]
00403304 . 50 push eax ; result
00403305 . E8 1ADFFFFF call <jmp.&MSVBVM60.#632> ; Mid(Name, i, 1) (runtime ordinal #632)
0040330A . 8D85 B0FEFFFF lea eax, [ebp-150]
00403310 . 50 push eax
00403311 . 8D85 E4FEFFFF lea eax, [ebp-11C]
00403317 . 50 push eax
00403318 . E8 0DDFFFFF call <jmp.&MSVBVM60.__vbaStrVarVal> ; the one-char string out of the VARIANT
0040331D . 50 push eax
0040331E . E8 0DDFFFFF call <jmp.&MSVBVM60.#516> ; AX = character code of Name(i) (Asc)
00403323 . 66:8985 88FEF>mov [ebp-178], ax
0040332A . C785 80FEFFFF>mov dword ptr [ebp-180], 2 ; vartype 2 = VT_I2
00403334 . 8D95 80FEFFFF lea edx, [ebp-180]
0040333A . 8D8D 4CFFFFFF lea ecx, [ebp-B4]
00403340 . E8 5DDFFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-B4] := Asc(Name(i))
00403345 . 8D8D E4FEFFFF lea ecx, [ebp-11C]
0040334B . E8 40DFFFFF call <jmp.&MSVBVM60.__vbaFreeStr>
00403350 . 8D8D E0FEFFFF lea ecx, [ebp-120]
00403356 . E8 1DDFFFFF call <jmp.&MSVBVM60.__vbaFreeObj>
0040335B . 8D85 B0FEFFFF lea eax, [ebp-150]
00403361 . 50 push eax
00403362 . 8D85 C0FEFFFF lea eax, [ebp-140]
00403368 . 50 push eax
00403369 . 8D85 D0FEFFFF lea eax, [ebp-130]
0040336F . 50 push eax
00403370 . 6A 03 push 3
00403372 . E8 E9DEFFFF call <jmp.&MSVBVM60.__vbaFreeVarList> ; free the three temporaries
00403377 . 83C4 10 add esp, 10
0040337A . 8D85 4CFFFFFF lea eax, [ebp-B4]
00403380 . 50 push eax
00403381 . E8 98DEFFFF call <jmp.&MSVBVM60.__vbaI4Var> ; CLng(Asc(Name(i)))
00403386 . 50 push eax
00403387 . 8D85 D0FEFFFF lea eax, [ebp-130]
0040338D . 50 push eax
0040338E . E8 85DEFFFF call <jmp.&MSVBVM60.#608> ; character code back to a one-char string (#608, Chr-like) for the table search
00403393 . 8D95 D0FEFFFF lea edx, [ebp-130]
00403399 . 8D8D ECFEFFFF lea ecx, [ebp-114]
0040339F . E8 FEDEFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-114] := Name(i) as a string
004033A4 . 6A 01 push 1 ; the literal 1 and 0 pushed here are InStr's start/compare operands
004033A6 . 8D45 AC lea eax, [ebp-54]
004033A9 . 50 push eax ; table
004033AA . 8D85 ECFEFFFF lea eax, [ebp-114]
004033B0 . 50 push eax ; Name(i)
004033B1 . 6A 00 push 0
004033B3 . 8D85 D0FEFFFF lea eax, [ebp-130]
004033B9 . 50 push eax ; result
004033BA . E8 53DEFFFF call <jmp.&MSVBVM60.__vbaInStrVar> ; C = InStr(table, Name(i)); 0 if the char is not in the table. The worked example ('b' -> 37, not 'B' at 33) shows the match is case-sensitive
004033BF . 8BD0 mov edx, eax
004033C1 . 8D8D 1CFFFFFF lea ecx, [ebp-E4]
004033C7 . E8 D6DEFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-E4] := C
004033CC . 83A5 98FEFFFF>and dword ptr [ebp-168], 0 ; literal 0
004033D3 . C785 90FEFFFF>mov dword ptr [ebp-170], 8002 ; type tag 8002h for the literal operand
004033DD . 8D85 1CFFFFFF lea eax, [ebp-E4]
004033E3 . 50 push eax
004033E4 . 8D85 90FEFFFF lea eax, [ebp-170]
004033EA . 50 push eax
004033EB . E8 1CDEFFFF call <jmp.&MSVBVM60.__vbaVarTstEq> ; C == 0 ? (character absent from the table)
004033F0 . 0FBFC0 movsx eax, ax
004033F3 . 85C0 test eax, eax
004033F5 . 0F84 E1000000 je 004034DC ; C <> 0 -> valid character, continue at 004034DC; else show the error
004033FB . C785 A8FEFFFF>mov dword ptr [ebp-158], 80020004 ; 80020004h with vartype 0Ah (VT_ERROR): DISP_E_PARAMNOTFOUND, i.e. an omitted optional argument
00403405 . C785 A0FEFFFF>mov dword ptr [ebp-160], 0A
0040340F . C785 B8FEFFFF>mov dword ptr [ebp-148], 80020004 ; second omitted optional argument
00403419 . C785 B0FEFFFF>mov dword ptr [ebp-150], 0A
00403423 . C785 88FEFFFF>mov dword ptr [ebp-178], 004023BC ; error -- message box title
0040342D . C785 80FEFFFF>mov dword ptr [ebp-180], 8 ; vartype 8 = VT_BSTR
00403437 . 8D95 80FEFFFF lea edx, [ebp-180]
0040343D . 8D8D C0FEFFFF lea ecx, [ebp-140]
00403443 . E8 1EDEFFFF call <jmp.&MSVBVM60.__vbaVarDup>
00403448 . C785 98FEFFFF>mov dword ptr [ebp-168], 004022D4 ; user name or registration code is incorrect, please call technical support if you have purchased a lsd v1.0 key! -- message text
00403452 . C785 90FEFFFF>mov dword ptr [ebp-170], 8 ; vartype 8 = VT_BSTR
0040345C . 8D95 90FEFFFF lea edx, [ebp-170]
00403462 . 8D8D D0FEFFFF lea ecx, [ebp-130]
00403468 . E8 F9DDFFFF call <jmp.&MSVBVM60.__vbaVarDup>
0040346D . 8D85 A0FEFFFF lea eax, [ebp-160]
00403473 . 50 push eax
00403474 . 8D85 B0FEFFFF lea eax, [ebp-150]
0040347A . 50 push eax
0040347B . 8D85 C0FEFFFF lea eax, [ebp-140]
00403481 . 50 push eax ; title
00403482 . 6A 00 push 0 ; buttons = 0 (vbOKOnly)
00403484 . 8D85 D0FEFFFF lea eax, [ebp-130]
0040348A . 50 push eax ; prompt
0040348B . E8 DCDDFFFF call <jmp.&MSVBVM60.#595> ; message box (#595) -- same text for a bad character as for a bad code, so it leaks nothing about which check failed
00403490 . 8985 58FEFFFF mov [ebp-1A8], eax
00403496 . C785 50FEFFFF>mov dword ptr [ebp-1B0], 3
004034A0 . 8D95 50FEFFFF lea edx, [ebp-1B0]
004034A6 . 8D8D 2CFFFFFF lea ecx, [ebp-D4]
004034AC . E8 F1DDFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; keep the MsgBox return value
004034B1 . 8D85 A0FEFFFF lea eax, [ebp-160]
004034B7 . 50 push eax
004034B8 . 8D85 B0FEFFFF lea eax, [ebp-150]
004034BE . 50 push eax
004034BF . 8D85 C0FEFFFF lea eax, [ebp-140]
004034C5 . 50 push eax
004034C6 . 8D85 D0FEFFFF lea eax, [ebp-130]
004034CC . 50 push eax
004034CD . 6A 04 push 4
004034CF . E8 8CDDFFFF call <jmp.&MSVBVM60.__vbaFreeVarList> ; free the four temporaries
004034D4 . 83C4 14 add esp, 14
004034D7 . E9 A1050000 jmp 00403A7D ; leave the routine (target is outside this listing; presumably the common exit)
004034DC > C785 98FEFFFF>mov dword ptr [ebp-168], 2 ; literal 2
004034E6 . C785 90FEFFFF>mov dword ptr [ebp-170], 2 ; vartype 2 = VT_I2
004034F0 . 8D85 1CFFFFFF lea eax, [ebp-E4]
004034F6 . 50 push eax ; C
004034F7 . 8D45 AC lea eax, [ebp-54]
004034FA . 50 push eax ; table
004034FB . 8D85 D0FEFFFF lea eax, [ebp-130]
00403501 . 50 push eax
00403502 . E8 F3DCFFFF call <jmp.&MSVBVM60.__vbaLenVar> ; D = Len(table) = 44h (68); the value sits at +8 of the returned VARIANT
00403507 . 50 push eax
00403508 . 8D85 90FEFFFF lea eax, [ebp-170]
0040350E . 50 push eax
0040350F . 8D85 C0FEFFFF lea eax, [ebp-140]
00403515 . 50 push eax
00403516 . E8 E5DCFFFF call <jmp.&MSVBVM60.__vbaVarSub> ; E = D - 2 = 42h (66)
0040351B . 50 push eax
0040351C . E8 E5DCFFFF call <jmp.&MSVBVM60.__vbaVarTstGt> ; C > E ?
00403521 . 0FBFC0 movsx eax, ax
00403524 . 85C0 test eax, eax
00403526 . 74 45 je short 0040356D ; not greater -> skip the upper clamp
00403528 . C785 98FEFFFF>mov dword ptr [ebp-168], 2
00403532 . C785 90FEFFFF>mov dword ptr [ebp-170], 2
0040353C . 8D45 AC lea eax, [ebp-54]
0040353F . 50 push eax
00403540 . 8D85 D0FEFFFF lea eax, [ebp-130]
00403546 . 50 push eax
00403547 . E8 AEDCFFFF call <jmp.&MSVBVM60.__vbaLenVar> ; Len(table) again
0040354C . 50 push eax
0040354D . 8D85 90FEFFFF lea eax, [ebp-170]
00403553 . 50 push eax
00403554 . 8D85 C0FEFFFF lea eax, [ebp-140]
0040355A . 50 push eax
0040355B . E8 A0DCFFFF call <jmp.&MSVBVM60.__vbaVarSub> ; C := Len(table) - 2 = 42h (C is replaced by D-2, not decremented by 2)
00403560 . 8BD0 mov edx, eax
00403562 . 8D8D 1CFFFFFF lea ecx, [ebp-E4]
00403568 . E8 35DDFFFF call <jmp.&MSVBVM60.__vbaVarMove>
0040356D > C785 98FEFFFF>mov dword ptr [ebp-168], 3 ; literal 3
00403577 . C785 90FEFFFF>mov dword ptr [ebp-170], 8002 ; type tag 8002h for the literal operand
00403581 . 8D85 1CFFFFFF lea eax, [ebp-E4]
00403587 . 50 push eax
00403588 . 8D85 90FEFFFF lea eax, [ebp-170]
0040358E . 50 push eax
0040358F . E8 60DCFFFF call <jmp.&MSVBVM60.__vbaVarTstLt> ; C < 3 ?
00403594 . 0FBFC0 movsx eax, ax
00403597 . 85C0 test eax, eax
00403599 . 74 25 je short 004035C0 ; not less -> skip the lower clamp
0040359B . C785 98FEFFFF>mov dword ptr [ebp-168], 3 ; C := 3. After both clamps C is in [3, 66], so the C-1 / C+1 lookups below stay inside the 68-char table
004035A5 . C785 90FEFFFF>mov dword ptr [ebp-170], 2
004035AF . 8D95 90FEFFFF lea edx, [ebp-170]
004035B5 . 8D8D 1CFFFFFF lea ecx, [ebp-E4]
004035BB . E8 E2DCFFFF call <jmp.&MSVBVM60.__vbaVarMove>
004035C0 > 8D85 4CFFFFFF lea eax, [ebp-B4] ; Asc(Name(i))
004035C6 . 50 push eax
004035C7 . 8D85 1CFFFFFF lea eax, [ebp-E4] ; C (already clamped)
004035CD . 50 push eax
004035CE . 8D85 D0FEFFFF lea eax, [ebp-130]
004035D4 . 50 push eax
004035D5 . E8 6EDCFFFF call <jmp.&MSVBVM60.__vbaVarMul> ; Asc(Name(i)) * C
004035DA . 8BD0 mov edx, eax
004035DC . 8D8D 4CFFFFFF lea ecx, [ebp-B4]
004035E2 . E8 BBDCFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-B4] := the product
004035E7 . 8D85 3CFFFFFF lea eax, [ebp-C4] ; running sum F
004035ED . 50 push eax
004035EE . 8D85 4CFFFFFF lea eax, [ebp-B4]
004035F4 . 50 push eax
004035F5 . 8D85 D0FEFFFF lea eax, [ebp-130]
004035FB . 50 push eax
004035FC . E8 41DCFFFF call <jmp.&MSVBVM60.__vbaVarAdd> ; F += Asc(Name(i)) * C ; F becomes the numeric part of the key
00403601 . 8BD0 mov edx, eax
00403603 . 8D8D 3CFFFFFF lea ecx, [ebp-C4]
00403609 . E8 94DCFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-C4] := F
0040360E . C785 C8FEFFFF>mov dword ptr [ebp-138], 1 ; Mid length = 1
00403618 . C785 C0FEFFFF>mov dword ptr [ebp-140], 2 ; vartype 2 = VT_I2
00403622 . C785 98FEFFFF>mov dword ptr [ebp-168], 1 ; literal 1
0040362C . C785 90FEFFFF>mov dword ptr [ebp-170], 2
00403636 . 8D85 C0FEFFFF lea eax, [ebp-140]
0040363C . 50 push eax ; length 1
0040363D . 8D85 1CFFFFFF lea eax, [ebp-E4]
00403643 . 50 push eax ; C
00403644 . 8D85 90FEFFFF lea eax, [ebp-170]
0040364A . 50 push eax ; 1
0040364B . 8D85 D0FEFFFF lea eax, [ebp-130]
00403651 . 50 push eax
00403652 . E8 EBDBFFFF call <jmp.&MSVBVM60.__vbaVarAdd> ; C + 1
00403657 . 50 push eax
00403658 . E8 C1DBFFFF call <jmp.&MSVBVM60.__vbaI4Var> ; CLng(C + 1)
0040365D . 50 push eax ; start = C + 1
0040365E . 8D45 AC lea eax, [ebp-54]
00403661 . 50 push eax ; table
00403662 . 8D85 B0FEFFFF lea eax, [ebp-150]
00403668 . 50 push eax
00403669 . E8 B6DBFFFF call <jmp.&MSVBVM60.#632> ; Mid(table, C + 1, 1) -> the character right of the match
0040366E . 8D95 B0FEFFFF lea edx, [ebp-150]
00403674 . 8D8D 0CFFFFFF lea ecx, [ebp-F4]
0040367A . E8 23DCFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-F4] := table(C + 1)
0040367F . 8D85 C0FEFFFF lea eax, [ebp-140]
00403685 . 50 push eax
00403686 . 8D85 D0FEFFFF lea eax, [ebp-130]
0040368C . 50 push eax
0040368D . 6A 02 push 2
0040368F . E8 CCDBFFFF call <jmp.&MSVBVM60.__vbaFreeVarList>
00403694 . 83C4 0C add esp, 0C
00403697 . C785 C8FEFFFF>mov dword ptr [ebp-138], 1 ; Mid length = 1
004036A1 . C785 C0FEFFFF>mov dword ptr [ebp-140], 2
004036AB . C785 98FEFFFF>mov dword ptr [ebp-168], 1 ; literal 1
004036B5 . C785 90FEFFFF>mov dword ptr [ebp-170], 2
004036BF . 8D85 C0FEFFFF lea eax, [ebp-140]
004036C5 . 50 push eax
004036C6 . 8D85 1CFFFFFF lea eax, [ebp-E4]
004036CC . 50 push eax ; C
004036CD . 8D85 90FEFFFF lea eax, [ebp-170]
004036D3 . 50 push eax ; 1
004036D4 . 8D85 D0FEFFFF lea eax, [ebp-130]
004036DA . 50 push eax
004036DB . E8 20DBFFFF call <jmp.&MSVBVM60.__vbaVarSub> ; C - 1
004036E0 . 50 push eax
004036E1 . E8 38DBFFFF call <jmp.&MSVBVM60.__vbaI4Var> ; CLng(C - 1)
004036E6 . 50 push eax ; start = C - 1
004036E7 . 8D45 AC lea eax, [ebp-54]
004036EA . 50 push eax ; table
004036EB . 8D85 B0FEFFFF lea eax, [ebp-150]
004036F1 . 50 push eax
004036F2 . E8 2DDBFFFF call <jmp.&MSVBVM60.#632> ; Mid(table, C - 1, 1) -> the character left of the match
004036F7 . 8D95 B0FEFFFF lea edx, [ebp-150]
004036FD . 8D8D FCFEFFFF lea ecx, [ebp-104]
00403703 . E8 9ADBFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-104] := table(C - 1)
00403708 . 8D8D C0FEFFFF lea ecx, [ebp-140]
0040370E . E8 5FDBFFFF call <jmp.&MSVBVM60.__vbaFreeVar>
00403713 . 8D85 0CFFFFFF lea eax, [ebp-F4]
00403719 . 50 push eax
0040371A . 8D85 D0FEFFFF lea eax, [ebp-130]
00403720 . 50 push eax
00403721 . E8 AADAFFFF call <jmp.&MSVBVM60.#522> ; runtime ordinal #522 on table(C + 1); name not resolved in this listing -- the worked example keeps the table's letter case, so treat it as a pass-through here
00403726 . 8D85 FCFEFFFF lea eax, [ebp-104]
0040372C . 50 push eax
0040372D . 8D85 B0FEFFFF lea eax, [ebp-150]
00403733 . 50 push eax
00403734 . E8 97DAFFFF call <jmp.&MSVBVM60.#522> ; same ordinal on table(C - 1)
00403739 . 8D45 8C lea eax, [ebp-74] ; accumulated string S
0040373C . 50 push eax
0040373D . 8D85 D0FEFFFF lea eax, [ebp-130]
00403743 . 50 push eax
00403744 . 8D85 C0FEFFFF lea eax, [ebp-140]
0040374A . 50 push eax
0040374B . E8 9EDAFFFF call <jmp.&MSVBVM60.__vbaVarCat> ; S & table(C + 1)
00403750 . 50 push eax
00403751 . 8D85 B0FEFFFF lea eax, [ebp-150]
00403757 . 50 push eax
00403758 . 8D85 A0FEFFFF lea eax, [ebp-160]
0040375E . 50 push eax
0040375F . E8 8ADAFFFF call <jmp.&MSVBVM60.__vbaVarCat> ; ... & table(C - 1) -> two chars appended per name character
00403764 . 8BD0 mov edx, eax
00403766 . 8D4D 8C lea ecx, [ebp-74]
00403769 . E8 34DBFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-74] := S
0040376E . 8D85 B0FEFFFF lea eax, [ebp-150]
00403774 . 50 push eax
00403775 . 8D85 C0FEFFFF lea eax, [ebp-140]
0040377B . 50 push eax
0040377C . 8D85 D0FEFFFF lea eax, [ebp-130]
00403782 . 50 push eax
00403783 . 6A 03 push 3
00403785 . E8 D6DAFFFF call <jmp.&MSVBVM60.__vbaFreeVarList>
0040378A . 83C4 10 add esp, 10
0040378D . 8D85 28FEFFFF lea eax, [ebp-1D8]
00403793 . 50 push eax
00403794 . 8D85 38FEFFFF lea eax, [ebp-1C8]
0040379A . 50 push eax
0040379B . 8D45 CC lea eax, [ebp-34] ; i
0040379E . 50 push eax
0040379F . E8 44DAFFFF call <jmp.&MSVBVM60.__vbaVarForNext> ; Next i
004037A4 . 8985 FCFDFFFF mov [ebp-204], eax
004037AA > 83BD FCFDFFFF>cmp dword ptr [ebp-204], 0 ; loop test (entered here from the For init as well)
004037B1 .^ 0F85 7BFAFFFF jnz 00403232 ; nonzero -> another iteration; S has 2 * Len(Name) = 16 chars on exit
输入name:bxm78032 得到的字符串为YtEwIujMkKpPdCsX
==================================================================================
004037B7 . C785 98FEFFFF>mov dword ptr [ebp-168], 1 ; loop step = 1
004037C1 . C785 90FEFFFF>mov dword ptr [ebp-170], 2 ; vartype 2 = VT_I2
004037CB . C785 88FEFFFF>mov dword ptr [ebp-178], 1 ; loop start = 1
004037D5 . C785 80FEFFFF>mov dword ptr [ebp-180], 2
004037DF . 8D85 90FEFFFF lea eax, [ebp-170]
004037E5 . 50 push eax ; step
004037E6 . 8D45 8C lea eax, [ebp-74]
004037E9 . 50 push eax ; S
004037EA . 8D85 D0FEFFFF lea eax, [ebp-130]
004037F0 . 50 push eax
004037F1 . E8 04DAFFFF call <jmp.&MSVBVM60.__vbaLenVar> ; loop end = Len(S) = 10h (16) for an 8-char name
004037F6 . 50 push eax ; end
004037F7 . 8D85 80FEFFFF lea eax, [ebp-180]
004037FD . 50 push eax ; start
004037FE . 8D85 08FEFFFF lea eax, [ebp-1F8]
00403804 . 50 push eax
00403805 . 8D85 18FEFFFF lea eax, [ebp-1E8]
0040380B . 50 push eax
0040380C . 8D85 6CFFFFFF lea eax, [ebp-94]
00403812 . 50 push eax ; loop variable j lives in [ebp-94]
00403813 . E8 1EDAFFFF call <jmp.&MSVBVM60.__vbaVarForInit> ; For j = 1 To Len(S)
00403818 . 8985 F4FDFFFF mov [ebp-20C], eax
0040381E . E9 D2000000 jmp 004038F5 ; jump to the loop test
00403823 > C785 98FEFFFF>mov dword ptr [ebp-168], 2 ; literal 2
0040382D . C785 90FEFFFF>mov dword ptr [ebp-170], 2 ; vartype 2 = VT_I2
00403837 . 8D85 6CFFFFFF lea eax, [ebp-94]
0040383D . 50 push eax ; j
0040383E . 8D85 90FEFFFF lea eax, [ebp-170]
00403844 . 50 push eax ; 2
00403845 . 8D85 D0FEFFFF lea eax, [ebp-130]
0040384B . 50 push eax
0040384C . E8 F1D9FFFF call <jmp.&MSVBVM60.__vbaVarAdd> ; j := j + 2 -- the loop counter is advanced inside the body; with the Next's own +1 this picks positions 3,4 / 6,7 / 9,10 / 12,13 / 15,16
00403851 . 8BD0 mov edx, eax
00403853 . 8D8D 6CFFFFFF lea ecx, [ebp-94]
00403859 . E8 44DAFFFF call <jmp.&MSVBVM60.__vbaVarMove> ; write the bumped counter back
0040385E . C785 D8FEFFFF>mov dword ptr [ebp-128], 2 ; Mid length = 2
00403868 . C785 D0FEFFFF>mov dword ptr [ebp-130], 2
00403872 . 8D85 D0FEFFFF lea eax, [ebp-130]
00403878 . 50 push eax ; length 2
00403879 . 8D85 6CFFFFFF lea eax, [ebp-94]
0040387F . 50 push eax
00403880 . E8 99D9FFFF call <jmp.&MSVBVM60.__vbaI4Var> ; CLng(j)
00403885 . 50 push eax ; start = j
00403886 . 8D45 8C lea eax, [ebp-74]
00403889 . 50 push eax ; S
0040388A . 8D85 C0FEFFFF lea eax, [ebp-140]
00403890 . 50 push eax
00403891 . E8 8ED9FFFF call <jmp.&MSVBVM60.#632> ; Mid(S, j, 2)
00403896 . 8D85 5CFFFFFF lea eax, [ebp-A4] ; accumulated string T
0040389C . 50 push eax
0040389D . 8D85 C0FEFFFF lea eax, [ebp-140]
004038A3 . 50 push eax
004038A4 . 8D85 B0FEFFFF lea eax, [ebp-150]
004038AA . 50 push eax
004038AB . E8 3ED9FFFF call <jmp.&MSVBVM60.__vbaVarCat> ; T = T & Mid(S, j, 2)
004038B0 . 8BD0 mov edx, eax
004038B2 . 8D8D 5CFFFFFF lea ecx, [ebp-A4]
004038B8 . E8 E5D9FFFF call <jmp.&MSVBVM60.__vbaVarMove> ; [ebp-A4] := T
004038BD . 8D85 C0FEFFFF lea eax, [ebp-140]
004038C3 . 50 push eax
004038C4 . 8D85 D0FEFFFF lea eax, [ebp-130]
004038CA . 50 push eax
004038CB . 6A 02 push 2
004038CD . E8 8ED9FFFF call <jmp.&MSVBVM60.__vbaFreeVarList>
004038D2 . 83C4 0C add esp, 0C
004038D5 . 8D85 08FEFFFF lea eax, [ebp-1F8]
004038DB . 50 push eax
004038DC . 8D85 18FEFFFF lea eax, [ebp-1E8]
004038E2 . 50 push eax
004038E3 . 8D85 6CFFFFFF lea eax, [ebp-94] ; j
004038E9 . 50 push eax
004038EA . E8 F9D8FFFF call <jmp.&MSVBVM60.__vbaVarForNext> ; Next j
004038EF . 8985 F4FDFFFF mov [ebp-20C], eax
004038F5 > 83BD F4FDFFFF>cmp dword ptr [ebp-20C], 0 ; loop test
004038FC .^ 0F85 21FFFFFF jnz 00403823 ; nonzero -> another iteration; T has 10 chars on exit
此段程序功能:取上面所得字符的第3、4、6、7、9、10、12、13、15、16个字符,重新连接,我的为EwujkKPdsX
============================================================
下面的程序段就是把EwujkKPdsX与字符'-'和累加和F的十进制连接,即 Code = T & "-" & CStr(F)(本例 F = 21606),即成正确的注册码,并与假码比较,相等,则成功。需要注意的是,整个注册码只由name决定,所有运算都在客户端完成,最后只是一次字符串比较,因此只要复现上面的算法就能写出注册机;另外查表用的是区分大小写的匹配,name里只能出现表中的字符,长度必须为8。
附可用的一组信息:
name:bxm78032
Code:EwujkKPdsX-21606
附件里有注册机。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年10月03日 下午 11:15:42