-
-
[原创]PYG2006认证CRACKME算法分析+VB注册机
-
2007-1-1 07:04
-
【文章标题】: PYG2006认证CRACKME算法分析+VB注册机
【文章作者】: laomms
【软件名称】: [PYG]CrackMe
【软件大小】: 42.5K
【下载地址】: 附件
【加壳方式】: FSG 2.0
【保护方式】: KEYFILE+注册码
【编写语言】: VB6.0
【使用工具】: OD
【操作平台】: WINXP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
是去年四月份的笔记了,还在硬盘,乘着PYG2006认证CRACKME过期及2007年来临之际,当作07年的头篇帖子。
FSG 2.0加的壳,脱壳就不讲了,不难。
脱壳后运行自动退出,有自校检,解决自校检:
0040D837 /74 45 JE SHORT [PYG]Cra.0040D87E //大小检验,JMP
0040D91F . /74 5C JE SHORT pyg.0040D97D //名字检验,JMP
算法分析:
0040FCEA . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C] ; 下断
0040FCED . 52 PUSH EDX ; 用户名
0040FCEE . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0040FCF4 . 50 PUSH EAX ; 注册码
0040FCF5 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FCFB . 50 PUSH EAX ; 用户名长度
0040FCFC . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
0040FD02 . 51 PUSH ECX ; 0,与0对比
0040FD03 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0040FD09 . 52 PUSH EDX ; 第三参数
0040FD0A . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
0040FD10 . 50 PUSH EAX ; FFFF=-1,说明不等于0
0040FD11 . 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
0040FD17 . 50 PUSH EAX ; 邮箱
0040FD18 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0040FD1E . 51 PUSH ECX ; 215
0040FD1F . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FD25 . 50 PUSH EAX ; 邮箱长度
0040FD26 . 8D95 38FDFFFF LEA EDX,DWORD PTR SS:[EBP-2C8]
0040FD2C . 52 PUSH EDX
0040FD2D . 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
0040FD33 . 50 PUSH EAX
0040FD34 . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
0040FD3A . 50 PUSH EAX ; 比较
0040FD3B . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254]
0040FD41 . 51 PUSH ECX
0040FD42 . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
0040FD48 . 50 PUSH EAX
0040FD49 . 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
0040FD4F . 52 PUSH EDX ; 注册码
0040FD50 . 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-264]
0040FD56 . 50 PUSH EAX
0040FD57 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FD5D . 50 PUSH EAX ; 注册码长度
0040FD5E . 8D8D 28FDFFFF LEA ECX,DWORD PTR SS:[EBP-2D8]
0040FD64 . 51 PUSH ECX
0040FD65 . 8D95 8CFDFFFF LEA EDX,DWORD PTR SS:[EBP-274]
0040FD6B . 52 PUSH EDX
0040FD6C . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
0040FD72 . 50 PUSH EAX ; 是否为0
0040FD73 . 8D85 7CFDFFFF LEA EAX,DWORD PTR SS:[EBP-284]
0040FD79 . 50 PUSH EAX
0040FD7A . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>]
0040FD80 . 50 PUSH EAX
0040FD81 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>]
0040FD87 . 66:85C0 TEST AX,AX
0040FD8A 0F84 8D0E0000 JE unpack.00410C1D
0040FD90 . 6A 01 PUSH 1
0040FD92 . FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnError>]
0040FD98 . B8 01000000 MOV EAX,1
0040FD9D . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
0040FDA3 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0040FDA9 . 8985 40FDFFFF MOV DWORD PTR SS:[EBP-2C0],EAX
0040FDAF . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
0040FDB5 . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
0040FDBB . 51 PUSH ECX
0040FDBC . 8D95 C4FEFFFF LEA EDX,DWORD PTR SS:[EBP-13C]
0040FDC2 . 52 PUSH EDX ; 机器码
0040FDC3 . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0040FDC9 . 50 PUSH EAX
0040FDCA . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FDD0 . 50 PUSH EAX ; 机器码长度
0040FDD1 . 8D8D 38FDFFFF LEA ECX,DWORD PTR SS:[EBP-2C8]
0040FDD7 . 51 PUSH ECX
0040FDD8 . 8D95 04FBFFFF LEA EDX,DWORD PTR SS:[EBP-4FC]
0040FDDE . 52 PUSH EDX
0040FDDF . 8D85 14FBFFFF LEA EAX,DWORD PTR SS:[EBP-4EC]
0040FDE5 . 50 PUSH EAX
0040FDE6 . 8D8D B4FEFFFF LEA ECX,DWORD PTR SS:[EBP-14C]
0040FDEC . 51 PUSH ECX
0040FDED . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForInit>] ; 循环
0040FDF3 > 3BC7 CMP EAX,EDI
0040FDF5 . 0F84 07010000 JE unpack.0040FF02
0040FDFB . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],1 ; 初始值为1
0040FE05 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0040FE0B . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0040FE11 . 52 PUSH EDX
0040FE12 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
0040FE18 . 50 PUSH EAX
0040FE19 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; 将一个VARIANT转换为一个长整数
0040FE1F . 50 PUSH EAX
0040FE20 . 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
0040FE26 . 51 PUSH ECX ; 机器码
0040FE27 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0040FE2D . 52 PUSH EDX
0040FE2E . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>]
0040FE34 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0040FE3A . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0040FE3D . FFD6 CALL ESI
0040FE3F . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
0040FE45 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>]
0040FE4B . B8 01000000 MOV EAX,1
0040FE50 . 8985 E4FDFFFF MOV DWORD PTR SS:[EBP-21C],EAX
0040FE56 . 899D DCFDFFFF MOV DWORD PTR SS:[EBP-224],EBX
0040FE5C . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
0040FE62 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0040FE68 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
0040FE6E . 50 PUSH EAX ;
0040FE6F . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0040FE72 . 51 PUSH ECX ; 逐个取机器码
0040FE73 . 8D95 48FDFFFF LEA EDX,DWORD PTR SS:[EBP-2B8]
0040FE79 . 52 PUSH EDX ; 1
0040FE7A . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0040FE80 . 50 PUSH EAX ;
0040FE81 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
0040FE87 . 50 PUSH EAX ; 机器码+1
0040FE88 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; __vbaI4Var转长整型
0040FE8E . 50 PUSH EAX ; 机器码+1
0040FE8F . 8D8D 44FFFFFF LEA ECX,DWORD PTR SS:[EBP-BC]
0040FE95 . 51 PUSH ECX ; 字符串5201314896788888888888888888888888
0040FE96 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
0040FE9C . 52 PUSH EDX ;
0040FE9D . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; 按位置取字符串
0040FEA3 . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0040FEA6 . 50 PUSH EAX
0040FEA7 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0040FEAD . 51 PUSH ECX
0040FEAE . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
0040FEB4 . 52 PUSH EDX
0040FEB5 . FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCat>] ; 连接各个字符
0040FEBB . 8BD0 MOV EDX,EAX
0040FEBD . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
0040FEC0 . FFD6 CALL ESI
0040FEC2 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
0040FEC8 . 50 PUSH EAX
0040FEC9 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
0040FECF . 51 PUSH ECX
0040FED0 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0040FED6 . 52 PUSH EDX
0040FED7 . 6A 03 PUSH 3
0040FED9 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>]
0040FEDF . 83C4 10 ADD ESP,10
0040FEE2 . 8D85 04FBFFFF LEA EAX,DWORD PTR SS:[EBP-4FC]
0040FEE8 . 50 PUSH EAX
0040FEE9 . 8D8D 14FBFFFF LEA ECX,DWORD PTR SS:[EBP-4EC]
0040FEEF . 51 PUSH ECX
0040FEF0 . 8D95 B4FEFFFF LEA EDX,DWORD PTR SS:[EBP-14C]
0040FEF6 . 52 PUSH EDX
0040FEF7 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForNext>] ; 循环
0040FEFD .^ E9 F1FEFFFF JMP unpack.0040FDF3
0040FF02 > B8 01000000 MOV EAX,1
总结:将机器码十进制数逐个加1在字符串5201314896788888888888888888888888中查找相应位置组成新码,
00410229 > \B8 01000000 MOV EAX,1
0041022E . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
00410234 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0041023A . 8985 40FDFFFF MOV DWORD PTR SS:[EBP-2C0],EAX
00410240 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
00410246 . 8D85 48FDFFFF LEA EAX,DWORD PTR SS:[EBP-2B8]
0041024C . 50 PUSH EAX
0041024D . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]
00410253 . 51 PUSH ECX
00410254 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0041025A . 52 PUSH EDX
0041025B . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00410261 . 50 PUSH EAX
00410262 . 8D85 38FDFFFF LEA EAX,DWORD PTR SS:[EBP-2C8]
00410268 . 50 PUSH EAX
00410269 . 8D8D A4FAFFFF LEA ECX,DWORD PTR SS:[EBP-55C]
0041026F . 51 PUSH ECX
00410270 . 8D95 B4FAFFFF LEA EDX,DWORD PTR SS:[EBP-54C]
00410276 . 52 PUSH EDX
00410277 . 8D85 84FEFFFF LEA EAX,DWORD PTR SS:[EBP-17C]
0041027D . 50 PUSH EAX
0041027E . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForInit>] ; MSVBVM60.__vbaVarForInit
00410284 > 3BC7 CMP EAX,EDI
00410286 . 0F84 F7000000 JE unpack.00410383
0041028C . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],1
00410296 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0041029C . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004102A2 . 51 PUSH ECX ;
004102A3 . 8D95 84FEFFFF LEA EDX,DWORD PTR SS:[EBP-17C]
004102A9 . 52 PUSH EDX ;
004102AA . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
004102B0 . 50 PUSH EAX ; EAX=2
004102B1 . 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
004102B7 . 50 PUSH EAX ; 邮箱
004102B8 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
004102BE . 51 PUSH ECX
004102BF . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
004102C5 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224] ; 逐个取邮箱ASCII码
004102CB . 52 PUSH EDX
004102CC . 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004102D2 . 50 PUSH EAX ;
004102D3 . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004102D9 . 50 PUSH EAX
004102DA . FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiValueBstr>] ; MSVBVM60.rtcAnsiValueBstr
004102E0 . 66:8985 40FDF>MOV WORD PTR SS:[EBP-2C0],AX ;
004102E7 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX ;
004102ED . C785 30FDFFFF>MOV DWORD PTR SS:[EBP-2D0],3
004102F7 . 899D 28FDFFFF MOV DWORD PTR SS:[EBP-2D8],EBX
004102FD . 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC]
00410303 . 51 PUSH ECX
00410304 . 8D95 38FDFFFF LEA EDX,DWORD PTR SS:[EBP-2C8]
0041030A . 52 PUSH EDX ; 逐个取ASCII码
0041030B . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
00410311 . 50 PUSH EAX
00410312 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
00410318 . 50 PUSH EAX ; 累加
00410319 . 8D8D 28FDFFFF LEA ECX,DWORD PTR SS:[EBP-2D8]
0041031F . 51 PUSH ECX ; 3
00410320 . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
00410326 . 52 PUSH EDX
00410327 . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>] ; MSVBVM60.__vbaVarXor
0041032D . 8BD0 MOV EDX,EAX ; 与3异或
0041032F . 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC]
00410335 . FFD6 CALL ESI
00410337 . 8D8D 0CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1F4]
0041033D . FF15 D4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00410343 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
00410349 . 50 PUSH EAX ; 计算结果
0041034A . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
00410350 . 51 PUSH ECX
00410351 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00410357 . 52 PUSH EDX ;
00410358 . 6A 03 PUSH 3
0041035A . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00410360 . 83C4 10 ADD ESP,10
00410363 . 8D85 A4FAFFFF LEA EAX,DWORD PTR SS:[EBP-55C]
00410369 . 50 PUSH EAX ; 邮箱长度
0041036A . 8D8D B4FAFFFF LEA ECX,DWORD PTR SS:[EBP-54C]
00410370 . 51 PUSH ECX ; 1
00410371 . 8D95 84FEFFFF LEA EDX,DWORD PTR SS:[EBP-17C]
00410377 . 52 PUSH EDX
00410378 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForNext>] ; MSVBVM60.__vbaVarForNext
0041037E .^ E9 01FFFFFF JMP unpack.00410284 ; 循环
00410383 > 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
00410386 . 50 PUSH EAX ; 机器码的计算结果
总结:逐个取邮箱ASCII码,每个异或3后累加
00410387 . 8D8D 0CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1F4]
0041038D . 51 PUSH ECX
0041038E . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00410394 . 50 PUSH EAX ; EAX=机器码的计算结果
00410395 . FF15 D8114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
0041039B . DD9D 50FDFFFF FSTP QWORD PTR SS:[EBP-2B0]
004103A1 . C785 48FDFFFF>MOV DWORD PTR SS:[EBP-2B8],5
004103AB . 8D95 48FDFFFF LEA EDX,DWORD PTR SS:[EBP-2B8]
004103B1 . 52 PUSH EDX ; 取双精度浮点值
004103B2 . 8D85 14FFFFFF LEA EAX,DWORD PTR SS:[EBP-EC]
004103B8 . 50 PUSH EAX
004103B9 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004103BF . 51 PUSH ECX
004103C0 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004103C6 . 50 PUSH EAX ;
004103C7 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004103CA . 83C2 64 ADD EDX,64
004103CD . 52 PUSH EDX ;
004103CE . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
004103D4 . 50 PUSH EAX
004103D5 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004103DB . 8BD0 MOV EDX,EAX ;
004103DD . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
004103E0 . FFD6 CALL ESI
004103E2 . 8D8D 0CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1F4]
004103E8 . FF15 D4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004103EE . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004103F4 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004103FA . B8 01000000 MOV EAX,1
004103FF . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
00410405 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0041040B . 8985 40FDFFFF MOV DWORD PTR SS:[EBP-2C0],EAX
00410411 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
00410417 . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
0041041D . 51 PUSH ECX ; 1
0041041E . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410421 . 52 PUSH EDX ; 刚才浮点的计算结果
00410422 . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00410428 . 50 PUSH EAX
00410429 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0041042F . 50 PUSH EAX ; 取结果的长度
00410430 . 8D8D 38FDFFFF LEA ECX,DWORD PTR SS:[EBP-2C8]
00410436 . 51 PUSH ECX ; 1
00410437 . 8D95 84FAFFFF LEA EDX,DWORD PTR SS:[EBP-57C]
0041043D . 52 PUSH EDX ; 2
0041043E . 8D85 94FAFFFF LEA EAX,DWORD PTR SS:[EBP-56C]
00410444 . 50 PUSH EAX
00410445 . 8D8D 34FEFFFF LEA ECX,DWORD PTR SS:[EBP-1CC]
0041044B . 51 PUSH ECX
0041044C . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForInit>] ; MSVBVM60.__vbaVarForInit
00410452 > 3BC7 CMP EAX,EDI ; 循环开始
00410454 . 0F84 27010000 JE unpack.00410581
0041045A . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],1
00410464 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0041046A . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00410470 . 52 PUSH EDX ; 1
00410471 . 8D85 34FEFFFF LEA EAX,DWORD PTR SS:[EBP-1CC]
00410477 . 50 PUSH EAX ; 1
00410478 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
0041047E . 50 PUSH EAX ; 1
0041047F . 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
00410485 . 51 PUSH ECX ; 取机器码679999333
00410486 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0041048C . 52 PUSH EDX
0041048D . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00410493 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
00410499 . 8D8D 54FEFFFF LEA ECX,DWORD PTR SS:[EBP-1AC]
0041049F . FFD6 CALL ESI
004104A1 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004104A7 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004104AD . 8D85 54FEFFFF LEA EAX,DWORD PTR SS:[EBP-1AC]
004104B3 . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
004104B9 . B9 0C400000 MOV ECX,400C
004104BE . 898D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],ECX
004104C4 . 83EC 10 SUB ESP,10
004104C7 . 8BD4 MOV EDX,ESP
004104C9 . 890A MOV DWORD PTR DS:[EDX],ECX
004104CB . 8B8D 4CFDFFFF MOV ECX,DWORD PTR SS:[EBP-2B4]
004104D1 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
004104D4 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
004104D7 . 8B85 54FDFFFF MOV EAX,DWORD PTR SS:[EBP-2AC]
004104DD . 8942 0C MOV DWORD PTR DS:[EDX+C],EAX
004104E0 . 6A 01 PUSH 1
004104E2 . 8D8D 10FEFFFF LEA ECX,DWORD PTR SS:[EBP-1F0]
004104E8 . 51 PUSH ECX
004104E9 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
004104EF . 52 PUSH EDX
004104F0 . FF15 8C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarIndexLoad>] ; MSVBVM60.__vbaVarIndexLoad
004104F6 . 83C4 1C ADD ESP,1C
004104F9 . 50 PUSH EAX
004104FA . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00410500 . 50 PUSH EAX ; 转整形
00410501 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
00410507 . 50 PUSH EAX
00410508 . FF15 20114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcVarBstrFromAnsi>] ; MSVBVM60.rtcVarBstrFromAnsi
0041050E . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
00410514 . 51 PUSH ECX
00410515 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
0041051B . 52 PUSH EDX
0041051C . FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcUpperCaseVar>] ; MSVBVM60.rtcUpperCaseVar
00410522 . 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00410525 . 50 PUSH EAX ;
00410526 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0041052C . 51 PUSH ECX
0041052D . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
00410533 . 52 PUSH EDX
00410534 . FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0041053A . 8BD0 MOV EDX,EAX ; 连接
0041053C . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0041053F . FFD6 CALL ESI
00410541 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
00410547 . 50 PUSH EAX
00410548 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
0041054E . 51 PUSH ECX
0041054F . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00410555 . 52 PUSH EDX
00410556 . 6A 03 PUSH 3
00410558 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
0041055E . 83C4 10 ADD ESP,10
00410561 . 8D85 84FAFFFF LEA EAX,DWORD PTR SS:[EBP-57C]
00410567 . 50 PUSH EAX
00410568 . 8D8D 94FAFFFF LEA ECX,DWORD PTR SS:[EBP-56C]
0041056E . 51 PUSH ECX
0041056F . 8D95 34FEFFFF LEA EDX,DWORD PTR SS:[EBP-1CC]
00410575 . 52 PUSH EDX
00410576 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForNext>] ; MSVBVM60.__vbaVarForNext
0041057C .^ E9 D1FEFFFF JMP unpack.00410452
00410581 > 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00410584 . 50 PUSH EAX ; UNICODE "847823352YGBBBBNNN"
总结:将机器码的10进制数字逐个加1(=467299557)在字符串chinapygabcdefghijklmopqrstuvwxyza中查找相应位置合并后转成大写组成新码与刚才的计算结字符串相连
00410585 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
0041058B . 51 PUSH ECX
0041058C . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00410592 . 8BD0 MOV EDX,EAX ; 字符串长度
00410594 . 8D8D 74FAFFFF LEA ECX,DWORD PTR SS:[EBP-58C]
0041059A . FFD6 CALL ESI
0041059C . C785 50FDFFFF>MOV DWORD PTR SS:[EBP-2B0],19
004105A6 . C785 48FDFFFF>MOV DWORD PTR SS:[EBP-2B8],8002
004105B0 . 8D95 74FAFFFF LEA EDX,DWORD PTR SS:[EBP-58C]
004105B6 . 52 PUSH EDX
004105B7 . 8D85 48FDFFFF LEA EAX,DWORD PTR SS:[EBP-2B8]
004105BD . 50 PUSH EAX
004105BE . FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstLt>] ; MSVBVM60.__vbaVarTstLt
004105C4 . 66:85C0 TEST AX,AX
004105C7 . 75 72 JNZ SHORT unpack.0041063B
004105C9 . C785 50FDFFFF>MOV DWORD PTR SS:[EBP-2B0],19
004105D3 . C785 48FDFFFF>MOV DWORD PTR SS:[EBP-2B8],8002
004105DD . 8D95 74FAFFFF LEA EDX,DWORD PTR SS:[EBP-58C]
004105E3 . 52 PUSH EDX
004105E4 . 8D85 48FDFFFF LEA EAX,DWORD PTR SS:[EBP-2B8]
004105EA . 50 PUSH EAX
004105EB . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstGe>] ; MSVBVM60.__vbaVarTstGe
004105F1 . 66:85C0 TEST AX,AX
004105F4 . 0F84 11010000 JE unpack.0041070B
004105FA . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],18
00410604 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0041060A . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
00410610 . 51 PUSH ECX
00410611 . 6A 01 PUSH 1
00410613 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410616 . 52 PUSH EDX
00410617 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
0041061D . 50 PUSH EAX
0041061E . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00410624 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0041062A . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0041062D . FFD6 CALL ESI
0041062F . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
00410635 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041063B > C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],5 ; 5
00410645 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX ; 2
0041064B . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
00410651 . 51 PUSH ECX
00410652 . 6A 01 PUSH 1
00410654 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410657 . 52 PUSH EDX ; 847823352YGBBBBNNN
00410658 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
0041065E . 50 PUSH EAX
0041065F . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00410665 . C785 40FDFFFF>MOV DWORD PTR SS:[EBP-2C0],unpack.0040B7F8 ; 取5位字符串
0041066F . C785 38FDFFFF>MOV DWORD PTR SS:[EBP-2C8],8
00410679 . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],14
00410683 . 899D BCFDFFFF MOV DWORD PTR SS:[EBP-244],EBX
00410689 . 8D8D BCFDFFFF LEA ECX,DWORD PTR SS:[EBP-244]
0041068F . 51 PUSH ECX
00410690 . 6A 06 PUSH 6
00410692 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410695 . 52 PUSH EDX ; 847823352YGBBBBNNN
00410696 . 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254]
0041069C . 50 PUSH EAX
0041069D . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
004106A3 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224] ; 取14H位
004106A9 . 51 PUSH ECX ;
004106AA . 8D95 38FDFFFF LEA EDX,DWORD PTR SS:[EBP-2C8]
004106B0 . 52 PUSH EDX ;
004106B1 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
004106B7 . 50 PUSH EAX ; 3352YGBBBBNNN
004106B8 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; 加
004106BE . 50 PUSH EAX ; 84782-
004106BF . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254]
004106C5 . 51 PUSH ECX ; 3352YGBBBBNNN
004106C6 . 8D95 9CFDFFFF LEA EDX,DWORD PTR SS:[EBP-264]
004106CC . 52 PUSH EDX ; 9
004106CD . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; 加
004106D3 . 8BD0 MOV EDX,EAX ; 84782-3352YGBBBBNNN
004106D5 . 8D8D 74FEFFFF LEA ECX,DWORD PTR SS:[EBP-18C]
004106DB . FFD6 CALL ESI
004106DD . 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254]
004106E3 . 50 PUSH EAX ; 3352YGBBBBNNN
004106E4 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
004106EA . 51 PUSH ECX ; 84782-
004106EB . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
004106F1 . 52 PUSH EDX ; 14
004106F2 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
004106F8 . 50 PUSH EAX ; 84782
004106F9 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004106FF . 51 PUSH ECX ; 5
总结:将字符串前5位和后13位用“-”号连起来
00410700 . 6A 05 PUSH 5
00410702 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; 释放出变量所占的内存
00410708 . 83C4 18 ADD ESP,18
0041070B > 89BD 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EDI
00410711 . B8 02800000 MOV EAX,8002
00410716 . 8985 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EAX
0041071C . C785 40FDFFFF>MOV DWORD PTR SS:[EBP-2C0],8
00410726 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
0041072C . 89BD 30FDFFFF MOV DWORD PTR SS:[EBP-2D0],EDI
00410732 . 8985 28FDFFFF MOV DWORD PTR SS:[EBP-2D8],EAX
00410738 . 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
0041073E . 52 PUSH EDX ; 假注册码987654321
0041073F . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00410745 . 50 PUSH EAX
00410746 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0041074C . 50 PUSH EAX ; 注册码长度
0041074D . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
00410753 . 51 PUSH ECX ; 是否为0
00410754 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0041075A . 52 PUSH EDX
0041075B . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
00410761 . 50 PUSH EAX ; -1
00410762 . 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
00410768 . 50 PUSH EAX ; 注册码987654321
00410769 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0041076F . 51 PUSH ECX ; 84782-
00410770 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00410776 . 50 PUSH EAX ; 注册码长度
00410777 . 8D95 74FEFFFF LEA EDX,DWORD PTR SS:[EBP-18C]
0041077D . 52 PUSH EDX ; 84782-3352YGBBBBNNN
0041077E . 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
00410784 . 50 PUSH EAX
00410785 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0041078B . 50 PUSH EAX ; 长度
0041078C . 8D8D 38FDFFFF LEA ECX,DWORD PTR SS:[EBP-2C8]
00410792 . 51 PUSH ECX ; 8
00410793 . 8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254]
00410799 . 52 PUSH EDX
0041079A . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004107A0 . 50 PUSH EAX ; 1B
004107A1 . 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-264]
004107A7 . 50 PUSH EAX
004107A8 . FF15 8C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpEq>] ; MSVBVM60.__vbaVarCmpEq
004107AE . 50 PUSH EAX ; 0B
004107AF . 8D8D 8CFDFFFF LEA ECX,DWORD PTR SS:[EBP-274]
004107B5 . 51 PUSH ECX
004107B6 . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
004107BC . 50 PUSH EAX
004107BD . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
004107C0 . 52 PUSH EDX ; 用户名
004107C1 . 8D85 7CFDFFFF LEA EAX,DWORD PTR SS:[EBP-284]
004107C7 . 50 PUSH EAX
004107C8 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
004107CE . 50 PUSH EAX
004107CF . 8D8D 28FDFFFF LEA ECX,DWORD PTR SS:[EBP-2D8]
004107D5 . 51 PUSH ECX
004107D6 . 8D95 6CFDFFFF LEA EDX,DWORD PTR SS:[EBP-294]
004107DC . 52 PUSH EDX
004107DD . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
004107E3 . 50 PUSH EAX ; 0B
004107E4 . 8D85 5CFDFFFF LEA EAX,DWORD PTR SS:[EBP-2A4]
004107EA . 50 PUSH EAX ; 00
004107EB . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
004107F1 . 50 PUSH EAX ; 0B
004107F2 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>] ; 判断所取字符是否为数字
004107F8 . 66:8985 30FBF>MOV WORD PTR SS:[EBP-4D0],AX ; 0
004107FF . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254] ; 03
00410805 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041080B . 66:39BD 30FBF>CMP WORD PTR SS:[EBP-4D0],DI ; 0
00410812 0F84 05040000 JE unpack.00410C1D ; 不能跳
00410818 . C785 50FDFFFF>MOV DWORD PTR SS:[EBP-2B0],1
0040DA24 . 6A 01 PUSH 1
0040DA26 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040DA2C . 51 PUSH ECX
0040DA2D . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
0040DA33 . 52 PUSH EDX
0040DA34 . 8B1D A4104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.rtcMidC>; MSVBVM60.rtcMidCharVar
0040DA3A . FFD3 CALL EBX ; <&MSVBVM60.rtcMidCharVar>
0040DA3C . 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
0040DA42 . 50 PUSH EAX ; "D:\"
0040DA43 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0040DA49 . 8BD0 MOV EDX,EAX ; EAX=00143A84, (UNICODE "D:\")
0040DA4B . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040DA4E . FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040DA54 . 8D8D F4FEFFFF LEA ECX,DWORD PTR SS:[EBP-10C]
0040DA5A . FF15 D0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040DA60 . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0040DA66 . 51 PUSH ECX ; "D:\"
0040DA67 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040DA6D . 52 PUSH EDX
0040DA6E . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040DA74 . 50 PUSH EAX
0040DA75 . 6A 03 PUSH 3
0040DA77 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040DA7D . 83C4 10 ADD ESP,10
0040DA80 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040DA83 . 51 PUSH ECX
0040DA84 . E8 973D0000 CALL [PYG]Cra.00411820 ; 取硬盘特征码
0040DA89 . 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX ; EAX=6C22C2BD
0040DA8C . C785 E8FEFFFF>MOV DWORD PTR SS:[EBP-118],6
0040DA96 . 89BD E0FEFFFF MOV DWORD PTR SS:[EBP-120],EDI
0040DA9C . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
0040DA9F . 8995 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EDX
0040DAA5 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],4003
0040DAAF . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040DAB5 . 50 PUSH EAX
0040DAB6 . 6A 01 PUSH 1
0040DAB8 . 8D8D 8CFEFFFF LEA ECX,DWORD PTR SS:[EBP-174]
0040DABE . 51 PUSH ECX
0040DABF . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040DAC5 . 52 PUSH EDX
0040DAC6 . FFD3 CALL EBX
0040DAC8 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130] ; 181421(6C22C2BD转十进制取6位)
0040DACE . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0040DAD1 . 8B35 14104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarMove
0040DAD7 . FFD6 CALL ESI ; <&MSVBVM60.__vbaVarMove>
0040DAD9 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040DADF . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0040DDC9 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
0040DDCF . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4] ; 0
0040DDD5 . 2B41 14 SUB EAX,DWORD PTR DS:[ECX+14]
0040DDD8 . 8985 DCFDFFFF MOV DWORD PTR SS:[EBP-224],EAX
0040DDDE . 3B41 10 CMP EAX,DWORD PTR DS:[ECX+10] ; 3
0040DDE1 . 72 06 JB SHORT [PYG]Cra.0040DDE9
0040DDE3 . FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
0040DDE9 > 8B85 DCFDFFFF MOV EAX,DWORD PTR SS:[EBP-224]
0040DDEF . C1E0 04 SHL EAX,4
0040DDF2 . EB 06 JMP SHORT [PYG]Cra.0040DDFA
0040DDF4 > FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
0040DDFA > 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0040DE00 . 8B51 0C MOV EDX,DWORD PTR DS:[ECX+C]
0040DE03 . 03D0 ADD EDX,EAX
0040DE05 . 52 PUSH EDX
0040DE06 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
0040DE0C . 50 PUSH EAX ; 转整数
总结:取crackme所在盘符序列号前六位,对换前后三位参与密钥计算。
0040DE0D . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040DE13 . 50 PUSH EAX
0040DE14 . FF15 20114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcVarBstr>; MSVBVM60.rtcVarBstrFromAnsi
0040DE1A . 8D8D 8CFEFFFF LEA ECX,DWORD PTR SS:[EBP-174]
0040DE20 . 51 PUSH ECX ; UNICODE "c:"
0040DE21 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
0040DE27 . 52 PUSH EDX
0040DE28 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
0040DE2E . 50 PUSH EAX
0040DE2F . FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
0040DE35 . 50 PUSH EAX ; 1443B4
0040DE36 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0040DE3C . 8BD0 MOV EDX,EAX
0040DE3E . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0040DE41 . FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040DE47 . 8D8D D0FEFFFF LEA ECX,DWORD PTR SS:[EBP-130]
0040DE4D . 51 PUSH ECX ; UNICODE "c:"
0040DE4E . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
0040DE54 . 52 PUSH EDX
0040DE55 . 57 PUSH EDI
0040DE56 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040DE5C . 83C4 0C ADD ESP,0C
0040DE5F . 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-264]
0040DE65 . 50 PUSH EAX ; 130002
0040DE66 . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254]
0040DE6C . 51 PUSH ECX ; 130001
0040DE6D . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0040DE70 . 52 PUSH EDX
0040DE71 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0040DE77 .^ E9 1EFFFFFF JMP [PYG]Cra.0040DD9A
0040DE7C > 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; (UNICODE "c:\")
0040DE7F . 8985 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EAX
0040DE85 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],8 ; 8
0040DE8F . 8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
0040DE95 . 8D8D 54FFFFFF LEA ECX,DWORD PTR SS:[EBP-AC]
0040DE9B . FF15 9C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCo>; MSVBVM60.__vbaVarCopy
0040DEA1 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0040DEA4 . 51 PUSH ECX
0040DEA5 . E8 76390000 CALL [PYG]Cra.00411820 ; 关键CALL
0040DEAA . 8985 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EAX ; EAX=15391EDE
0040DEB0 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],3
0040DFDC . 8B9D DCFDFFFF MOV EBX,DWORD PTR SS:[EBP-224]
0040DFE2 . 53 PUSH EBX
0040DFE3 . FF92 A4000000 CALL DWORD PTR DS:[EDX+A4]
0040DFE9 . DBE2 FCLEX
0040DFEB . 85C0 TEST EAX,EAX
0040DFED . 0F8D 0B010000 JGE [PYG]Cra.0040E0FE
0040DFF3 . E9 F4000000 JMP [PYG]Cra.0040E0EC
0040DFF8 > C785 94FEFFFF>MOV DWORD PTR SS:[EBP-16C],1E240 ; 123456
0040E002 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],3 ; 3
0040E00C . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
0040E00F . 52 PUSH EDX ; 15391EDE
0040E010 . 8D85 8CFEFFFF LEA EAX,DWORD PTR SS:[EBP-174]
0040E016 . 50 PUSH EAX ; 1E240h=123456
0040E017 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040E01D . 51 PUSH ECX
0040E01E . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
0040E024 . 8BD0 MOV EDX,EAX ; 153B011E转十进制
0040E026 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0040E02C . FFD6 CALL ESI
0040E02E . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0040E034 . 52 PUSH EDX
0040E035 . 8D85 08FFFFFF LEA EAX,DWORD PTR SS:[EBP-F8]
0040E03B . 50 PUSH EAX
0040E03C . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0040E042 . 50 PUSH EAX ; 算出机器码"356188446"
总结:C盘序列号+123456=软件机器码
0040E043 . FF15 D8114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFr>; MSVBVM60.rtcR8ValFromBstr
0040E049 . DD9D E0FDFFFF FSTP QWORD PTR SS:[EBP-220] ; 转浮点
0040E04F . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0040E052 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040E054 . 50 PUSH EAX
0040E055 . FF91 00030000 CALL DWORD PTR DS:[ECX+300]
0040E05B . 50 PUSH EAX
0040E05C . 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
0040E062 . 52 PUSH EDX
0040E063 . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040E069 . 8985 DCFDFFFF MOV DWORD PTR SS:[EBP-224],EAX
0040E06F . C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],9 ; 9
0040E079 . 89BD D0FEFFFF MOV DWORD PTR SS:[EBP-130],EDI
0040E07F . 8B85 E0FDFFFF MOV EAX,DWORD PTR SS:[EBP-220]
0040E085 . 8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0040E08B . 8B8D E4FDFFFF MOV ECX,DWORD PTR SS:[EBP-21C]
0040E091 . 898D ECFEFFFF MOV DWORD PTR SS:[EBP-114],ECX
0040E097 . C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],5 ; 5
0040E0A1 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040E0A7 . 52 PUSH EDX ; 9
0040E0A8 . 6A 01 PUSH 1
0040E0AA . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040E0B0 . 50 PUSH EAX ; 356188446
0040E0B1 . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0040E0B7 . 51 PUSH ECX ; "D:\"
0040E0B8 . FFD3 CALL EBX
0040E0BA . 8B95 DCFDFFFF MOV EDX,DWORD PTR SS:[EBP-224]
0040E0C0 . 8B1A MOV EBX,DWORD PTR DS:[EDX]
0040E0C2 . 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
0040E0C8 . 50 PUSH EAX ; 1
0040E0C9 . 8D8D 04FFFFFF LEA ECX,DWORD PTR SS:[EBP-FC]
0040E0CF . 51 PUSH ECX
0040E0D0 . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0040E0D6 . 50 PUSH EAX ; EAX=001444A4, (UNICODE "356188446")
0040E0D7 . 8BD3 MOV EDX,EBX
0040E0D9 . 8B9D DCFDFFFF MOV EBX,DWORD PTR SS:[EBP-224]
0040E16F . FF15 D0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040E175 . 89BD 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EDI
0040E17B . 89BD 8CFEFFFF MOV DWORD PTR SS:[EBP-174],EDI
0040E181 . C785 84FEFFFF>MOV DWORD PTR SS:[EBP-17C],75BCD15 ; 123456789
0040E18B . C785 7CFEFFFF>MOV DWORD PTR SS:[EBP-184],3 ; 3
0040E195 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0040E198 . 50 PUSH EAX ; 15391EDE
0040E199 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040E19F . 51 PUSH ECX ; 356188446
0040E1A0 . FF15 74114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarNo>; MSVBVM60.__vbaVarNot
0040E1A6 . 50 PUSH EAX ; 356188446
0040E1A7 . 8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
0040E1AD . 52 PUSH EDX ; 2
0040E1AE . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
0040E1B4 . 50 PUSH EAX
0040E1B5 . FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDi>; MSVBVM60.__vbaVarDiv
0040E1BB . 50 PUSH EAX ; -178032495.50000000000
0040E1BC . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0040E1C2 . 51 PUSH ECX ; 356188446
0040E1C3 . FF15 5C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarIn>; MSVBVM60.__vbaVarInt
0040E1C9 . 50 PUSH EAX ; -178032496.00000000000
0040E1CA . 8D95 7CFEFFFF LEA EDX,DWORD PTR SS:[EBP-184]
0040E1D0 . 52 PUSH EDX ; 075BCD15
0040E1D1 . 8D85 B0FEFFFF LEA EAX,DWORD PTR SS:[EBP-150]
0040E1D7 . 50 PUSH EAX
0040E1D8 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
0040E1DE . 83EC 10 SUB ESP,10 ; -54575707.000000000000
0040E1E1 . 8BCC MOV ECX,ESP
0040E1E3 . 8B10 MOV EDX,DWORD PTR DS:[EAX] ; 5
0040E1E5 . 8911 MOV DWORD PTR DS:[ECX],EDX
0040E1E7 . 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0040E1EA . 8951 04 MOV DWORD PTR DS:[ECX+4],EDX ; 31
0040E1ED . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0040E1F0 . 8951 08 MOV DWORD PTR DS:[ECX+8],EDX
0040E1F3 . 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
0040E1F6 . 8941 0C MOV DWORD PTR DS:[ECX+C],EAX
0040E1F9 . 6A 01 PUSH 1
0040E1FB . 68 34B64000 PUSH [PYG]Cra.0040B634 ; UNICODE "YUN"
0040E200 . 8D43 44 LEA EAX,DWORD PTR DS:[EBX+44]
0040E203 . 50 PUSH EAX ; LTA
0040E204 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160]
0040E20A . 51 PUSH ECX ; E180DC55E8EBA7135D1214EF4A46512C
0040E20B . FF15 A0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarLa>; MSVBVM60.__vbaVarLateMemCallLd
0040E211 . 83C4 20 ADD ESP,20 ; 取MD5:-54575707
0040E214 . 8BD0 MOV EDX,EAX ; E180DC55E8EBA7135D1214EF4A46512C
总结:机器码+123456,取反,除2(小数点四舍五入转成长整数),加123456789,取MD5值
0040E216 . 8D4B 54 LEA ECX,DWORD PTR DS:[EBX+54]
0040E219 . FFD6 CALL ESI
0040E21B . 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
0040E221 . 52 PUSH EDX
0040E222 . 8D85 B0FEFFFF LEA EAX,DWORD PTR SS:[EBP-150]
0040E228 . 50 PUSH EAX ; 743523914.00000000000
0040E229 . 57 PUSH EDI
0040E22A . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
举例算法总结:
1、机器码的由来:C盘序列号+123456。
如我的C盘序列号是356064990, 机器码=123456+356064990=356188446
2、注册码的后8位:
字符串1=5201314896788888888888888888888888
字符串2=chinapygabcdefghijklmopqrstuvwxyza
字符串3需要计算:机器码+123456,取反,除2(小数点四舍五入转成长整数),加123456789,取MD5值
即:356188446+123456,取反=-356064991,除2=178032496+123456789=54575707,取MD5得到字符串3=E180DC55E8EBA7135D1214EF4A46512C。
取字符串3中的第5位后的8位,即DC55E8EB,做为注册码的后8位。
3、密钥算法:取crackme所在盘符序列号前六位=181421,对换前后三位=421181,我这里crackme在D盘,序列号为:1814217405,KEY=20041201*18+421181=361162799
4、邮箱:逐个取邮箱ASCII码,每个异或3后累加得到结果5A0H(1440)。
6、将机器码的10进制数字逐个加1(=467299557)在字符串5201314896788888888888888888888888中查找相应位置合并后组成新码(=114299334),
转浮点,加邮箱的计算结果,加KEY码。
即:浮点计算结果114299334+1440(邮箱)+361162799(KEY)=475463573
7、将机器码的10进制数字逐个加1(=467299557)在字符串chinapygabcdefghijklmopqrstuvwxyza中查找相应位置合并后转成大写组成新码(=NPYHAAAAY),
与6中的计算结果相连得到:475463573NPYHAAAAY,前面取5位后面取后面取13位用-号连起来=47546-3573NPYHAAAAY,
8、注册码计算过程:逐个取注册码ASCII码+4+位置数转成字符,前面19位要与特征码1(47546-3573NPYHAAAAY)相同,后8位为7中的结果47546-3573NPYHAAAAY。
逆运算得到注册码:
47546-3573NPYHAAAAY转ASCII=34373534362D333537334E5059484141414159减4减每位字符串的顺序号=2F312E2C2D2328292A253F4048362E2D2C2B42,
转成字符为/1.,-#()*%?@H6.-,+B,则注册码为/1.,-#()*%?@H6.-,+BDC55E8EB。
算法注册机源码:
'判断EMAIL的合法性
Public Function isEmail(ByVal str As String) As Boolean
isEmail = str Like "[A-Za-z0-9_]*@[A-Za-z0-9_]*.[A-Za-z0-9_]*"
End Function
Private Sub Form_Load()
If Dir(App.Path & "\[PYG]CrackMe") = "" Then
MsgBox "注册[PYG]CrackMe时,请将[PYG]CrackMe置于注册机所在盘符!", 48, "友情提示"
End If
End Sub
'算法过程
Private Sub Label1_Click()
Dim driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
Dim res As Long
Dim jqm As Long
Dim ysm1 As String
Dim jqm2, jqm3, email, tzm1, tzm2, tzm3, tzm4, tzm5
driver = Left(App.Path, 3) ' 获取当前盘符
res = GetVolumeInformation(driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
jqm = Val(volNumber)
s1 = "5201314896788888888888888888888888"
s2 = "chinapygabcdefghijklmopqrstuvwxyza"
If Text2.Text = "" Then
MsgBox "虽然用户名不参加运算,还是请留下你的大名!", 48, "友情提示"
Else
If Text3.Text = "" Then
MsgBox "邮箱号不能为空!", 64, "注意"
Else
If isEmail(Text3.Text) = False Then
MsgBox " 请检查EMAIL格式"
Else
For i = 1 To Len(Text1.Text)
jqm2 = jqm2 & Mid(s1, (Mid(Text1.Text, i, 1) + 1), 1)
jqm3 = jqm3 & UCase(Mid(s2, (Mid(Text1.Text, i, 1) + 1), 1))
Next
For j = 1 To Len(Text3.Text)
email = email + Asc(Mid(Text3.Text, j, 1)) Xor 3
Next
a = Not (Text1.Text - 123456)
ysm1 = CLng(Val(a) / 2) + &H75BCD15
S3 = UCase(MD5(ysm1, 32))
tzm1 = Mid(jqm, 4, 3) & Mid(jqm, 1, 3)
tzm2 = 20041201 * 18 + Val(tzm1)
tzm3 = CLng(jqm2 + email + tzm2) & jqm3
tzm4 = Left(tzm3, 5) & "-" & Right(tzm3, 13)
For M = 1 To Len(tzm4)
tzm5 = tzm5 & (Chr(Asc(Mid(tzm4, M, 1)) - M - 4))
Next
End If
End If
End If
Text4.Text = tzm5 & Mid(S3, 5, 8)
End Sub
Private Sub Label4_Click()
Form2.Show
End Sub
Private Sub Label5_Click()
Unload Me
End Sub
'密钥计算
Private Sub Label6_Click()
Dim driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
driver = "c:\"
Dim res As Long
Dim jqm1 As Long
Dim a, tzm1 As Double
Dim ysm1 As String
driver = Left(App.Path, 3) ' 获取当前盘符
res = GetVolumeInformation(driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
my = 20041201 * 18 + Val(Mid(volNumber, 4, 3) & Mid(volNumber, 1, 3))
inforstr = Val(my) & Chr(10) & "请在安装目录新建一个文本文件," & Chr(10) & "写入密钥后保存为PYG2006.key。"
MsgBox inforstr, vbInformation, "你的密钥是:"
End Sub
'机器码由来
Private Sub Text2_GotFocus()
Dim driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
Dim res As Long
Dim jqm As Long
driver = "c:\"
res = GetVolumeInformation(driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
Text1.Text = volNumber + &H1E240
End Sub
Private Sub Text4_GotFocus()
Text4.SelStart = 0
Text4.SelLength = Len(Text4.Text)
End Sub
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年1月1日
【文章作者】: laomms
【软件名称】: [PYG]CrackMe
【软件大小】: 42.5K
【下载地址】: 附件
【加壳方式】: FSG 2.0
【保护方式】: KEYFILE+注册码
【编写语言】: VB6.0
【使用工具】: OD
【操作平台】: WINXP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
是去年四月份的笔记了,还在硬盘,乘着PYG2006认证CRACKME过期及2007年来临之际,当作07年的头篇帖子。
FSG 2.0加的壳,脱壳就不讲了,不难。
脱壳后运行自动退出,有自校检,解决自校检:
0040D837 /74 45 JE SHORT [PYG]Cra.0040D87E //大小检验,JMP
0040D91F . /74 5C JE SHORT pyg.0040D97D //名字检验,JMP
算法分析:
0040FCEA . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C] ; 下断
0040FCED . 52 PUSH EDX ; 用户名
0040FCEE . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0040FCF4 . 50 PUSH EAX ; 注册码
0040FCF5 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FCFB . 50 PUSH EAX ; 用户名长度
0040FCFC . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
0040FD02 . 51 PUSH ECX ; 0,与0对比
0040FD03 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0040FD09 . 52 PUSH EDX ; 第三参数
0040FD0A . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
0040FD10 . 50 PUSH EAX ; FFFF=-1,说明不等于0
0040FD11 . 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
0040FD17 . 50 PUSH EAX ; 邮箱
0040FD18 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0040FD1E . 51 PUSH ECX ; 215
0040FD1F . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FD25 . 50 PUSH EAX ; 邮箱长度
0040FD26 . 8D95 38FDFFFF LEA EDX,DWORD PTR SS:[EBP-2C8]
0040FD2C . 52 PUSH EDX
0040FD2D . 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
0040FD33 . 50 PUSH EAX
0040FD34 . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
0040FD3A . 50 PUSH EAX ; 比较
0040FD3B . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254]
0040FD41 . 51 PUSH ECX
0040FD42 . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
0040FD48 . 50 PUSH EAX
0040FD49 . 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
0040FD4F . 52 PUSH EDX ; 注册码
0040FD50 . 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-264]
0040FD56 . 50 PUSH EAX
0040FD57 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FD5D . 50 PUSH EAX ; 注册码长度
0040FD5E . 8D8D 28FDFFFF LEA ECX,DWORD PTR SS:[EBP-2D8]
0040FD64 . 51 PUSH ECX
0040FD65 . 8D95 8CFDFFFF LEA EDX,DWORD PTR SS:[EBP-274]
0040FD6B . 52 PUSH EDX
0040FD6C . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
0040FD72 . 50 PUSH EAX ; 是否为0
0040FD73 . 8D85 7CFDFFFF LEA EAX,DWORD PTR SS:[EBP-284]
0040FD79 . 50 PUSH EAX
0040FD7A . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>]
0040FD80 . 50 PUSH EAX
0040FD81 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>]
0040FD87 . 66:85C0 TEST AX,AX
0040FD8A 0F84 8D0E0000 JE unpack.00410C1D
0040FD90 . 6A 01 PUSH 1
0040FD92 . FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnError>]
0040FD98 . B8 01000000 MOV EAX,1
0040FD9D . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
0040FDA3 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0040FDA9 . 8985 40FDFFFF MOV DWORD PTR SS:[EBP-2C0],EAX
0040FDAF . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
0040FDB5 . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
0040FDBB . 51 PUSH ECX
0040FDBC . 8D95 C4FEFFFF LEA EDX,DWORD PTR SS:[EBP-13C]
0040FDC2 . 52 PUSH EDX ; 机器码
0040FDC3 . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0040FDC9 . 50 PUSH EAX
0040FDCA . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FDD0 . 50 PUSH EAX ; 机器码长度
0040FDD1 . 8D8D 38FDFFFF LEA ECX,DWORD PTR SS:[EBP-2C8]
0040FDD7 . 51 PUSH ECX
0040FDD8 . 8D95 04FBFFFF LEA EDX,DWORD PTR SS:[EBP-4FC]
0040FDDE . 52 PUSH EDX
0040FDDF . 8D85 14FBFFFF LEA EAX,DWORD PTR SS:[EBP-4EC]
0040FDE5 . 50 PUSH EAX
0040FDE6 . 8D8D B4FEFFFF LEA ECX,DWORD PTR SS:[EBP-14C]
0040FDEC . 51 PUSH ECX
0040FDED . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForInit>] ; 循环
0040FDF3 > 3BC7 CMP EAX,EDI
0040FDF5 . 0F84 07010000 JE unpack.0040FF02
0040FDFB . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],1 ; 初始值为1
0040FE05 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0040FE0B . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0040FE11 . 52 PUSH EDX
0040FE12 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
0040FE18 . 50 PUSH EAX
0040FE19 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; 将一个VARIANT转换为一个长整数
0040FE1F . 50 PUSH EAX
0040FE20 . 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
0040FE26 . 51 PUSH ECX ; 机器码
0040FE27 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0040FE2D . 52 PUSH EDX
0040FE2E . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>]
0040FE34 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0040FE3A . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0040FE3D . FFD6 CALL ESI
0040FE3F . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
0040FE45 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>]
0040FE4B . B8 01000000 MOV EAX,1
0040FE50 . 8985 E4FDFFFF MOV DWORD PTR SS:[EBP-21C],EAX
0040FE56 . 899D DCFDFFFF MOV DWORD PTR SS:[EBP-224],EBX
0040FE5C . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
0040FE62 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0040FE68 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
0040FE6E . 50 PUSH EAX ;
0040FE6F . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0040FE72 . 51 PUSH ECX ; 逐个取机器码
0040FE73 . 8D95 48FDFFFF LEA EDX,DWORD PTR SS:[EBP-2B8]
0040FE79 . 52 PUSH EDX ; 1
0040FE7A . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
0040FE80 . 50 PUSH EAX ;
0040FE81 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
0040FE87 . 50 PUSH EAX ; 机器码+1
0040FE88 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; __vbaI4Var转长整型
0040FE8E . 50 PUSH EAX ; 机器码+1
0040FE8F . 8D8D 44FFFFFF LEA ECX,DWORD PTR SS:[EBP-BC]
0040FE95 . 51 PUSH ECX ; 字符串5201314896788888888888888888888888
0040FE96 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
0040FE9C . 52 PUSH EDX ;
0040FE9D . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; 按位置取字符串
0040FEA3 . 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
0040FEA6 . 50 PUSH EAX
0040FEA7 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0040FEAD . 51 PUSH ECX
0040FEAE . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
0040FEB4 . 52 PUSH EDX
0040FEB5 . FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCat>] ; 连接各个字符
0040FEBB . 8BD0 MOV EDX,EAX
0040FEBD . 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
0040FEC0 . FFD6 CALL ESI
0040FEC2 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
0040FEC8 . 50 PUSH EAX
0040FEC9 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
0040FECF . 51 PUSH ECX
0040FED0 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0040FED6 . 52 PUSH EDX
0040FED7 . 6A 03 PUSH 3
0040FED9 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>]
0040FEDF . 83C4 10 ADD ESP,10
0040FEE2 . 8D85 04FBFFFF LEA EAX,DWORD PTR SS:[EBP-4FC]
0040FEE8 . 50 PUSH EAX
0040FEE9 . 8D8D 14FBFFFF LEA ECX,DWORD PTR SS:[EBP-4EC]
0040FEEF . 51 PUSH ECX
0040FEF0 . 8D95 B4FEFFFF LEA EDX,DWORD PTR SS:[EBP-14C]
0040FEF6 . 52 PUSH EDX
0040FEF7 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForNext>] ; 循环
0040FEFD .^ E9 F1FEFFFF JMP unpack.0040FDF3
0040FF02 > B8 01000000 MOV EAX,1
总结:将机器码十进制数逐个加1在字符串5201314896788888888888888888888888中查找相应位置组成新码,
00410229 > \B8 01000000 MOV EAX,1
0041022E . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
00410234 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0041023A . 8985 40FDFFFF MOV DWORD PTR SS:[EBP-2C0],EAX
00410240 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
00410246 . 8D85 48FDFFFF LEA EAX,DWORD PTR SS:[EBP-2B8]
0041024C . 50 PUSH EAX
0041024D . 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]
00410253 . 51 PUSH ECX
00410254 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
0041025A . 52 PUSH EDX
0041025B . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00410261 . 50 PUSH EAX
00410262 . 8D85 38FDFFFF LEA EAX,DWORD PTR SS:[EBP-2C8]
00410268 . 50 PUSH EAX
00410269 . 8D8D A4FAFFFF LEA ECX,DWORD PTR SS:[EBP-55C]
0041026F . 51 PUSH ECX
00410270 . 8D95 B4FAFFFF LEA EDX,DWORD PTR SS:[EBP-54C]
00410276 . 52 PUSH EDX
00410277 . 8D85 84FEFFFF LEA EAX,DWORD PTR SS:[EBP-17C]
0041027D . 50 PUSH EAX
0041027E . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForInit>] ; MSVBVM60.__vbaVarForInit
00410284 > 3BC7 CMP EAX,EDI
00410286 . 0F84 F7000000 JE unpack.00410383
0041028C . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],1
00410296 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0041029C . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004102A2 . 51 PUSH ECX ;
004102A3 . 8D95 84FEFFFF LEA EDX,DWORD PTR SS:[EBP-17C]
004102A9 . 52 PUSH EDX ;
004102AA . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
004102B0 . 50 PUSH EAX ; EAX=2
004102B1 . 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
004102B7 . 50 PUSH EAX ; 邮箱
004102B8 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
004102BE . 51 PUSH ECX
004102BF . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
004102C5 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224] ; 逐个取邮箱ASCII码
004102CB . 52 PUSH EDX
004102CC . 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004102D2 . 50 PUSH EAX ;
004102D3 . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004102D9 . 50 PUSH EAX
004102DA . FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcAnsiValueBstr>] ; MSVBVM60.rtcAnsiValueBstr
004102E0 . 66:8985 40FDF>MOV WORD PTR SS:[EBP-2C0],AX ;
004102E7 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX ;
004102ED . C785 30FDFFFF>MOV DWORD PTR SS:[EBP-2D0],3
004102F7 . 899D 28FDFFFF MOV DWORD PTR SS:[EBP-2D8],EBX
004102FD . 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC]
00410303 . 51 PUSH ECX
00410304 . 8D95 38FDFFFF LEA EDX,DWORD PTR SS:[EBP-2C8]
0041030A . 52 PUSH EDX ; 逐个取ASCII码
0041030B . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
00410311 . 50 PUSH EAX
00410312 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
00410318 . 50 PUSH EAX ; 累加
00410319 . 8D8D 28FDFFFF LEA ECX,DWORD PTR SS:[EBP-2D8]
0041031F . 51 PUSH ECX ; 3
00410320 . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
00410326 . 52 PUSH EDX
00410327 . FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarXor>] ; MSVBVM60.__vbaVarXor
0041032D . 8BD0 MOV EDX,EAX ; 与3异或
0041032F . 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC]
00410335 . FFD6 CALL ESI
00410337 . 8D8D 0CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1F4]
0041033D . FF15 D4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00410343 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
00410349 . 50 PUSH EAX ; 计算结果
0041034A . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
00410350 . 51 PUSH ECX
00410351 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00410357 . 52 PUSH EDX ;
00410358 . 6A 03 PUSH 3
0041035A . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00410360 . 83C4 10 ADD ESP,10
00410363 . 8D85 A4FAFFFF LEA EAX,DWORD PTR SS:[EBP-55C]
00410369 . 50 PUSH EAX ; 邮箱长度
0041036A . 8D8D B4FAFFFF LEA ECX,DWORD PTR SS:[EBP-54C]
00410370 . 51 PUSH ECX ; 1
00410371 . 8D95 84FEFFFF LEA EDX,DWORD PTR SS:[EBP-17C]
00410377 . 52 PUSH EDX
00410378 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForNext>] ; MSVBVM60.__vbaVarForNext
0041037E .^ E9 01FFFFFF JMP unpack.00410284 ; 循环
00410383 > 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
00410386 . 50 PUSH EAX ; 机器码的计算结果
总结:逐个取邮箱ASCII码,每个异或3后累加
00410387 . 8D8D 0CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1F4]
0041038D . 51 PUSH ECX
0041038E . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00410394 . 50 PUSH EAX ; EAX=机器码的计算结果
00410395 . FF15 D8114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFromBstr>] ; MSVBVM60.rtcR8ValFromBstr
0041039B . DD9D 50FDFFFF FSTP QWORD PTR SS:[EBP-2B0]
004103A1 . C785 48FDFFFF>MOV DWORD PTR SS:[EBP-2B8],5
004103AB . 8D95 48FDFFFF LEA EDX,DWORD PTR SS:[EBP-2B8]
004103B1 . 52 PUSH EDX ; 取双精度浮点值
004103B2 . 8D85 14FFFFFF LEA EAX,DWORD PTR SS:[EBP-EC]
004103B8 . 50 PUSH EAX
004103B9 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004103BF . 51 PUSH ECX
004103C0 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004103C6 . 50 PUSH EAX ;
004103C7 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004103CA . 83C2 64 ADD EDX,64
004103CD . 52 PUSH EDX ;
004103CE . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
004103D4 . 50 PUSH EAX
004103D5 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004103DB . 8BD0 MOV EDX,EAX ;
004103DD . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
004103E0 . FFD6 CALL ESI
004103E2 . 8D8D 0CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1F4]
004103E8 . FF15 D4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004103EE . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004103F4 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004103FA . B8 01000000 MOV EAX,1
004103FF . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
00410405 . 899D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EBX
0041040B . 8985 40FDFFFF MOV DWORD PTR SS:[EBP-2C0],EAX
00410411 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
00410417 . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
0041041D . 51 PUSH ECX ; 1
0041041E . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410421 . 52 PUSH EDX ; 刚才浮点的计算结果
00410422 . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00410428 . 50 PUSH EAX
00410429 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0041042F . 50 PUSH EAX ; 取结果的长度
00410430 . 8D8D 38FDFFFF LEA ECX,DWORD PTR SS:[EBP-2C8]
00410436 . 51 PUSH ECX ; 1
00410437 . 8D95 84FAFFFF LEA EDX,DWORD PTR SS:[EBP-57C]
0041043D . 52 PUSH EDX ; 2
0041043E . 8D85 94FAFFFF LEA EAX,DWORD PTR SS:[EBP-56C]
00410444 . 50 PUSH EAX
00410445 . 8D8D 34FEFFFF LEA ECX,DWORD PTR SS:[EBP-1CC]
0041044B . 51 PUSH ECX
0041044C . FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForInit>] ; MSVBVM60.__vbaVarForInit
00410452 > 3BC7 CMP EAX,EDI ; 循环开始
00410454 . 0F84 27010000 JE unpack.00410581
0041045A . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],1
00410464 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0041046A . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00410470 . 52 PUSH EDX ; 1
00410471 . 8D85 34FEFFFF LEA EAX,DWORD PTR SS:[EBP-1CC]
00410477 . 50 PUSH EAX ; 1
00410478 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
0041047E . 50 PUSH EAX ; 1
0041047F . 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
00410485 . 51 PUSH ECX ; 取机器码679999333
00410486 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0041048C . 52 PUSH EDX
0041048D . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00410493 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
00410499 . 8D8D 54FEFFFF LEA ECX,DWORD PTR SS:[EBP-1AC]
0041049F . FFD6 CALL ESI
004104A1 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004104A7 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
004104AD . 8D85 54FEFFFF LEA EAX,DWORD PTR SS:[EBP-1AC]
004104B3 . 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
004104B9 . B9 0C400000 MOV ECX,400C
004104BE . 898D 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],ECX
004104C4 . 83EC 10 SUB ESP,10
004104C7 . 8BD4 MOV EDX,ESP
004104C9 . 890A MOV DWORD PTR DS:[EDX],ECX
004104CB . 8B8D 4CFDFFFF MOV ECX,DWORD PTR SS:[EBP-2B4]
004104D1 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
004104D4 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
004104D7 . 8B85 54FDFFFF MOV EAX,DWORD PTR SS:[EBP-2AC]
004104DD . 8942 0C MOV DWORD PTR DS:[EDX+C],EAX
004104E0 . 6A 01 PUSH 1
004104E2 . 8D8D 10FEFFFF LEA ECX,DWORD PTR SS:[EBP-1F0]
004104E8 . 51 PUSH ECX
004104E9 . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
004104EF . 52 PUSH EDX
004104F0 . FF15 8C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarIndexLoad>] ; MSVBVM60.__vbaVarIndexLoad
004104F6 . 83C4 1C ADD ESP,1C
004104F9 . 50 PUSH EAX
004104FA . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00410500 . 50 PUSH EAX ; 转整形
00410501 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
00410507 . 50 PUSH EAX
00410508 . FF15 20114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcVarBstrFromAnsi>] ; MSVBVM60.rtcVarBstrFromAnsi
0041050E . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
00410514 . 51 PUSH ECX
00410515 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
0041051B . 52 PUSH EDX
0041051C . FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcUpperCaseVar>] ; MSVBVM60.rtcUpperCaseVar
00410522 . 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00410525 . 50 PUSH EAX ;
00410526 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0041052C . 51 PUSH ECX
0041052D . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
00410533 . 52 PUSH EDX
00410534 . FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0041053A . 8BD0 MOV EDX,EAX ; 连接
0041053C . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0041053F . FFD6 CALL ESI
00410541 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
00410547 . 50 PUSH EAX
00410548 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
0041054E . 51 PUSH ECX
0041054F . 8D95 ECFDFFFF LEA EDX,DWORD PTR SS:[EBP-214]
00410555 . 52 PUSH EDX
00410556 . 6A 03 PUSH 3
00410558 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
0041055E . 83C4 10 ADD ESP,10
00410561 . 8D85 84FAFFFF LEA EAX,DWORD PTR SS:[EBP-57C]
00410567 . 50 PUSH EAX
00410568 . 8D8D 94FAFFFF LEA ECX,DWORD PTR SS:[EBP-56C]
0041056E . 51 PUSH ECX
0041056F . 8D95 34FEFFFF LEA EDX,DWORD PTR SS:[EBP-1CC]
00410575 . 52 PUSH EDX
00410576 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarForNext>] ; MSVBVM60.__vbaVarForNext
0041057C .^ E9 D1FEFFFF JMP unpack.00410452
00410581 > 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00410584 . 50 PUSH EAX ; UNICODE "847823352YGBBBBNNN"
总结:将机器码的10进制数字逐个加1(=467299557)在字符串chinapygabcdefghijklmopqrstuvwxyza中查找相应位置合并后转成大写组成新码与刚才的计算结字符串相连
00410585 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
0041058B . 51 PUSH ECX
0041058C . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00410592 . 8BD0 MOV EDX,EAX ; 字符串长度
00410594 . 8D8D 74FAFFFF LEA ECX,DWORD PTR SS:[EBP-58C]
0041059A . FFD6 CALL ESI
0041059C . C785 50FDFFFF>MOV DWORD PTR SS:[EBP-2B0],19
004105A6 . C785 48FDFFFF>MOV DWORD PTR SS:[EBP-2B8],8002
004105B0 . 8D95 74FAFFFF LEA EDX,DWORD PTR SS:[EBP-58C]
004105B6 . 52 PUSH EDX
004105B7 . 8D85 48FDFFFF LEA EAX,DWORD PTR SS:[EBP-2B8]
004105BD . 50 PUSH EAX
004105BE . FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstLt>] ; MSVBVM60.__vbaVarTstLt
004105C4 . 66:85C0 TEST AX,AX
004105C7 . 75 72 JNZ SHORT unpack.0041063B
004105C9 . C785 50FDFFFF>MOV DWORD PTR SS:[EBP-2B0],19
004105D3 . C785 48FDFFFF>MOV DWORD PTR SS:[EBP-2B8],8002
004105DD . 8D95 74FAFFFF LEA EDX,DWORD PTR SS:[EBP-58C]
004105E3 . 52 PUSH EDX
004105E4 . 8D85 48FDFFFF LEA EAX,DWORD PTR SS:[EBP-2B8]
004105EA . 50 PUSH EAX
004105EB . FF15 A4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstGe>] ; MSVBVM60.__vbaVarTstGe
004105F1 . 66:85C0 TEST AX,AX
004105F4 . 0F84 11010000 JE unpack.0041070B
004105FA . C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],18
00410604 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX
0041060A . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
00410610 . 51 PUSH ECX
00410611 . 6A 01 PUSH 1
00410613 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410616 . 52 PUSH EDX
00410617 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
0041061D . 50 PUSH EAX
0041061E . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00410624 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0041062A . 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0041062D . FFD6 CALL ESI
0041062F . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
00410635 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041063B > C785 F4FDFFFF>MOV DWORD PTR SS:[EBP-20C],5 ; 5
00410645 . 899D ECFDFFFF MOV DWORD PTR SS:[EBP-214],EBX ; 2
0041064B . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
00410651 . 51 PUSH ECX
00410652 . 6A 01 PUSH 1
00410654 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410657 . 52 PUSH EDX ; 847823352YGBBBBNNN
00410658 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
0041065E . 50 PUSH EAX
0041065F . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
00410665 . C785 40FDFFFF>MOV DWORD PTR SS:[EBP-2C0],unpack.0040B7F8 ; 取5位字符串
0041066F . C785 38FDFFFF>MOV DWORD PTR SS:[EBP-2C8],8
00410679 . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],14
00410683 . 899D BCFDFFFF MOV DWORD PTR SS:[EBP-244],EBX
00410689 . 8D8D BCFDFFFF LEA ECX,DWORD PTR SS:[EBP-244]
0041068F . 51 PUSH ECX
00410690 . 6A 06 PUSH 6
00410692 . 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00410695 . 52 PUSH EDX ; 847823352YGBBBBNNN
00410696 . 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254]
0041069C . 50 PUSH EAX
0041069D . FF15 A4104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
004106A3 . 8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224] ; 取14H位
004106A9 . 51 PUSH ECX ;
004106AA . 8D95 38FDFFFF LEA EDX,DWORD PTR SS:[EBP-2C8]
004106B0 . 52 PUSH EDX ;
004106B1 . 8D85 CCFDFFFF LEA EAX,DWORD PTR SS:[EBP-234]
004106B7 . 50 PUSH EAX ; 3352YGBBBBNNN
004106B8 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; 加
004106BE . 50 PUSH EAX ; 84782-
004106BF . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254]
004106C5 . 51 PUSH ECX ; 3352YGBBBBNNN
004106C6 . 8D95 9CFDFFFF LEA EDX,DWORD PTR SS:[EBP-264]
004106CC . 52 PUSH EDX ; 9
004106CD . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; 加
004106D3 . 8BD0 MOV EDX,EAX ; 84782-3352YGBBBBNNN
004106D5 . 8D8D 74FEFFFF LEA ECX,DWORD PTR SS:[EBP-18C]
004106DB . FFD6 CALL ESI
004106DD . 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254]
004106E3 . 50 PUSH EAX ; 3352YGBBBBNNN
004106E4 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
004106EA . 51 PUSH ECX ; 84782-
004106EB . 8D95 BCFDFFFF LEA EDX,DWORD PTR SS:[EBP-244]
004106F1 . 52 PUSH EDX ; 14
004106F2 . 8D85 DCFDFFFF LEA EAX,DWORD PTR SS:[EBP-224]
004106F8 . 50 PUSH EAX ; 84782
004106F9 . 8D8D ECFDFFFF LEA ECX,DWORD PTR SS:[EBP-214]
004106FF . 51 PUSH ECX ; 5
总结:将字符串前5位和后13位用“-”号连起来
00410700 . 6A 05 PUSH 5
00410702 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>] ; 释放出变量所占的内存
00410708 . 83C4 18 ADD ESP,18
0041070B > 89BD 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EDI
00410711 . B8 02800000 MOV EAX,8002
00410716 . 8985 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EAX
0041071C . C785 40FDFFFF>MOV DWORD PTR SS:[EBP-2C0],8
00410726 . 899D 38FDFFFF MOV DWORD PTR SS:[EBP-2C8],EBX
0041072C . 89BD 30FDFFFF MOV DWORD PTR SS:[EBP-2D0],EDI
00410732 . 8985 28FDFFFF MOV DWORD PTR SS:[EBP-2D8],EAX
00410738 . 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
0041073E . 52 PUSH EDX ; 假注册码987654321
0041073F . 8D85 ECFDFFFF LEA EAX,DWORD PTR SS:[EBP-214]
00410745 . 50 PUSH EAX
00410746 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0041074C . 50 PUSH EAX ; 注册码长度
0041074D . 8D8D 48FDFFFF LEA ECX,DWORD PTR SS:[EBP-2B8]
00410753 . 51 PUSH ECX ; 是否为0
00410754 . 8D95 DCFDFFFF LEA EDX,DWORD PTR SS:[EBP-224]
0041075A . 52 PUSH EDX
0041075B . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
00410761 . 50 PUSH EAX ; -1
00410762 . 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
00410768 . 50 PUSH EAX ; 注册码987654321
00410769 . 8D8D CCFDFFFF LEA ECX,DWORD PTR SS:[EBP-234]
0041076F . 51 PUSH ECX ; 84782-
00410770 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00410776 . 50 PUSH EAX ; 注册码长度
00410777 . 8D95 74FEFFFF LEA EDX,DWORD PTR SS:[EBP-18C]
0041077D . 52 PUSH EDX ; 84782-3352YGBBBBNNN
0041077E . 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
00410784 . 50 PUSH EAX
00410785 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0041078B . 50 PUSH EAX ; 长度
0041078C . 8D8D 38FDFFFF LEA ECX,DWORD PTR SS:[EBP-2C8]
00410792 . 51 PUSH ECX ; 8
00410793 . 8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254]
00410799 . 52 PUSH EDX
0041079A . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
004107A0 . 50 PUSH EAX ; 1B
004107A1 . 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-264]
004107A7 . 50 PUSH EAX
004107A8 . FF15 8C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpEq>] ; MSVBVM60.__vbaVarCmpEq
004107AE . 50 PUSH EAX ; 0B
004107AF . 8D8D 8CFDFFFF LEA ECX,DWORD PTR SS:[EBP-274]
004107B5 . 51 PUSH ECX
004107B6 . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
004107BC . 50 PUSH EAX
004107BD . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
004107C0 . 52 PUSH EDX ; 用户名
004107C1 . 8D85 7CFDFFFF LEA EAX,DWORD PTR SS:[EBP-284]
004107C7 . 50 PUSH EAX
004107C8 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
004107CE . 50 PUSH EAX
004107CF . 8D8D 28FDFFFF LEA ECX,DWORD PTR SS:[EBP-2D8]
004107D5 . 51 PUSH ECX
004107D6 . 8D95 6CFDFFFF LEA EDX,DWORD PTR SS:[EBP-294]
004107DC . 52 PUSH EDX
004107DD . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCmpNe>] ; MSVBVM60.__vbaVarCmpNe
004107E3 . 50 PUSH EAX ; 0B
004107E4 . 8D85 5CFDFFFF LEA EAX,DWORD PTR SS:[EBP-2A4]
004107EA . 50 PUSH EAX ; 00
004107EB . FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAnd>] ; MSVBVM60.__vbaVarAnd
004107F1 . 50 PUSH EAX ; 0B
004107F2 . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>] ; 判断所取字符是否为数字
004107F8 . 66:8985 30FBF>MOV WORD PTR SS:[EBP-4D0],AX ; 0
004107FF . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254] ; 03
00410805 . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0041080B . 66:39BD 30FBF>CMP WORD PTR SS:[EBP-4D0],DI ; 0
00410812 0F84 05040000 JE unpack.00410C1D ; 不能跳
00410818 . C785 50FDFFFF>MOV DWORD PTR SS:[EBP-2B0],1
0040DA24 . 6A 01 PUSH 1
0040DA26 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040DA2C . 51 PUSH ECX
0040DA2D . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
0040DA33 . 52 PUSH EDX
0040DA34 . 8B1D A4104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.rtcMidC>; MSVBVM60.rtcMidCharVar
0040DA3A . FFD3 CALL EBX ; <&MSVBVM60.rtcMidCharVar>
0040DA3C . 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
0040DA42 . 50 PUSH EAX ; "D:\"
0040DA43 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0040DA49 . 8BD0 MOV EDX,EAX ; EAX=00143A84, (UNICODE "D:\")
0040DA4B . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040DA4E . FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040DA54 . 8D8D F4FEFFFF LEA ECX,DWORD PTR SS:[EBP-10C]
0040DA5A . FF15 D0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040DA60 . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0040DA66 . 51 PUSH ECX ; "D:\"
0040DA67 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040DA6D . 52 PUSH EDX
0040DA6E . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040DA74 . 50 PUSH EAX
0040DA75 . 6A 03 PUSH 3
0040DA77 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040DA7D . 83C4 10 ADD ESP,10
0040DA80 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040DA83 . 51 PUSH ECX
0040DA84 . E8 973D0000 CALL [PYG]Cra.00411820 ; 取硬盘特征码
0040DA89 . 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX ; EAX=6C22C2BD
0040DA8C . C785 E8FEFFFF>MOV DWORD PTR SS:[EBP-118],6
0040DA96 . 89BD E0FEFFFF MOV DWORD PTR SS:[EBP-120],EDI
0040DA9C . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
0040DA9F . 8995 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EDX
0040DAA5 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],4003
0040DAAF . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040DAB5 . 50 PUSH EAX
0040DAB6 . 6A 01 PUSH 1
0040DAB8 . 8D8D 8CFEFFFF LEA ECX,DWORD PTR SS:[EBP-174]
0040DABE . 51 PUSH ECX
0040DABF . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040DAC5 . 52 PUSH EDX
0040DAC6 . FFD3 CALL EBX
0040DAC8 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130] ; 181421(6C22C2BD转十进制取6位)
0040DACE . 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
0040DAD1 . 8B35 14104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarMove
0040DAD7 . FFD6 CALL ESI ; <&MSVBVM60.__vbaVarMove>
0040DAD9 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040DADF . FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0040DDC9 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
0040DDCF . 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4] ; 0
0040DDD5 . 2B41 14 SUB EAX,DWORD PTR DS:[ECX+14]
0040DDD8 . 8985 DCFDFFFF MOV DWORD PTR SS:[EBP-224],EAX
0040DDDE . 3B41 10 CMP EAX,DWORD PTR DS:[ECX+10] ; 3
0040DDE1 . 72 06 JB SHORT [PYG]Cra.0040DDE9
0040DDE3 . FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
0040DDE9 > 8B85 DCFDFFFF MOV EAX,DWORD PTR SS:[EBP-224]
0040DDEF . C1E0 04 SHL EAX,4
0040DDF2 . EB 06 JMP SHORT [PYG]Cra.0040DDFA
0040DDF4 > FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
0040DDFA > 8B8D 1CFFFFFF MOV ECX,DWORD PTR SS:[EBP-E4]
0040DE00 . 8B51 0C MOV EDX,DWORD PTR DS:[ECX+C]
0040DE03 . 03D0 ADD EDX,EAX
0040DE05 . 52 PUSH EDX
0040DE06 . FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
0040DE0C . 50 PUSH EAX ; 转整数
总结:取crackme所在盘符序列号前六位,对换前后三位参与密钥计算。
0040DE0D . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040DE13 . 50 PUSH EAX
0040DE14 . FF15 20114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcVarBstr>; MSVBVM60.rtcVarBstrFromAnsi
0040DE1A . 8D8D 8CFEFFFF LEA ECX,DWORD PTR SS:[EBP-174]
0040DE20 . 51 PUSH ECX ; UNICODE "c:"
0040DE21 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
0040DE27 . 52 PUSH EDX
0040DE28 . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
0040DE2E . 50 PUSH EAX
0040DE2F . FF15 34114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
0040DE35 . 50 PUSH EAX ; 1443B4
0040DE36 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0040DE3C . 8BD0 MOV EDX,EAX
0040DE3E . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0040DE41 . FF15 B0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040DE47 . 8D8D D0FEFFFF LEA ECX,DWORD PTR SS:[EBP-130]
0040DE4D . 51 PUSH ECX ; UNICODE "c:"
0040DE4E . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
0040DE54 . 52 PUSH EDX
0040DE55 . 57 PUSH EDI
0040DE56 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040DE5C . 83C4 0C ADD ESP,0C
0040DE5F . 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-264]
0040DE65 . 50 PUSH EAX ; 130002
0040DE66 . 8D8D ACFDFFFF LEA ECX,DWORD PTR SS:[EBP-254]
0040DE6C . 51 PUSH ECX ; 130001
0040DE6D . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0040DE70 . 52 PUSH EDX
0040DE71 . FF15 C8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0040DE77 .^ E9 1EFFFFFF JMP [PYG]Cra.0040DD9A
0040DE7C > 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; (UNICODE "c:\")
0040DE7F . 8985 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EAX
0040DE85 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],8 ; 8
0040DE8F . 8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
0040DE95 . 8D8D 54FFFFFF LEA ECX,DWORD PTR SS:[EBP-AC]
0040DE9B . FF15 9C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCo>; MSVBVM60.__vbaVarCopy
0040DEA1 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
0040DEA4 . 51 PUSH ECX
0040DEA5 . E8 76390000 CALL [PYG]Cra.00411820 ; 关键CALL
0040DEAA . 8985 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EAX ; EAX=15391EDE
0040DEB0 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],3
0040DFDC . 8B9D DCFDFFFF MOV EBX,DWORD PTR SS:[EBP-224]
0040DFE2 . 53 PUSH EBX
0040DFE3 . FF92 A4000000 CALL DWORD PTR DS:[EDX+A4]
0040DFE9 . DBE2 FCLEX
0040DFEB . 85C0 TEST EAX,EAX
0040DFED . 0F8D 0B010000 JGE [PYG]Cra.0040E0FE
0040DFF3 . E9 F4000000 JMP [PYG]Cra.0040E0EC
0040DFF8 > C785 94FEFFFF>MOV DWORD PTR SS:[EBP-16C],1E240 ; 123456
0040E002 . C785 8CFEFFFF>MOV DWORD PTR SS:[EBP-174],3 ; 3
0040E00C . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
0040E00F . 52 PUSH EDX ; 15391EDE
0040E010 . 8D85 8CFEFFFF LEA EAX,DWORD PTR SS:[EBP-174]
0040E016 . 50 PUSH EAX ; 1E240h=123456
0040E017 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040E01D . 51 PUSH ECX
0040E01E . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
0040E024 . 8BD0 MOV EDX,EAX ; 153B011E转十进制
0040E026 . 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
0040E02C . FFD6 CALL ESI
0040E02E . 8D95 74FFFFFF LEA EDX,DWORD PTR SS:[EBP-8C]
0040E034 . 52 PUSH EDX
0040E035 . 8D85 08FFFFFF LEA EAX,DWORD PTR SS:[EBP-F8]
0040E03B . 50 PUSH EAX
0040E03C . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0040E042 . 50 PUSH EAX ; 算出机器码"356188446"
总结:C盘序列号+123456=软件机器码
0040E043 . FF15 D8114000 CALL DWORD PTR DS:[<&MSVBVM60.rtcR8ValFr>; MSVBVM60.rtcR8ValFromBstr
0040E049 . DD9D E0FDFFFF FSTP QWORD PTR SS:[EBP-220] ; 转浮点
0040E04F . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0040E052 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040E054 . 50 PUSH EAX
0040E055 . FF91 00030000 CALL DWORD PTR DS:[ECX+300]
0040E05B . 50 PUSH EAX
0040E05C . 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
0040E062 . 52 PUSH EDX
0040E063 . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040E069 . 8985 DCFDFFFF MOV DWORD PTR SS:[EBP-224],EAX
0040E06F . C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],9 ; 9
0040E079 . 89BD D0FEFFFF MOV DWORD PTR SS:[EBP-130],EDI
0040E07F . 8B85 E0FDFFFF MOV EAX,DWORD PTR SS:[EBP-220]
0040E085 . 8985 E8FEFFFF MOV DWORD PTR SS:[EBP-118],EAX
0040E08B . 8B8D E4FDFFFF MOV ECX,DWORD PTR SS:[EBP-21C]
0040E091 . 898D ECFEFFFF MOV DWORD PTR SS:[EBP-114],ECX
0040E097 . C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120],5 ; 5
0040E0A1 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
0040E0A7 . 52 PUSH EDX ; 9
0040E0A8 . 6A 01 PUSH 1
0040E0AA . 8D85 E0FEFFFF LEA EAX,DWORD PTR SS:[EBP-120]
0040E0B0 . 50 PUSH EAX ; 356188446
0040E0B1 . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0040E0B7 . 51 PUSH ECX ; "D:\"
0040E0B8 . FFD3 CALL EBX
0040E0BA . 8B95 DCFDFFFF MOV EDX,DWORD PTR SS:[EBP-224]
0040E0C0 . 8B1A MOV EBX,DWORD PTR DS:[EDX]
0040E0C2 . 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
0040E0C8 . 50 PUSH EAX ; 1
0040E0C9 . 8D8D 04FFFFFF LEA ECX,DWORD PTR SS:[EBP-FC]
0040E0CF . 51 PUSH ECX
0040E0D0 . FF15 30114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
0040E0D6 . 50 PUSH EAX ; EAX=001444A4, (UNICODE "356188446")
0040E0D7 . 8BD3 MOV EDX,EBX
0040E0D9 . 8B9D DCFDFFFF MOV EBX,DWORD PTR SS:[EBP-224]
0040E16F . FF15 D0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040E175 . 89BD 94FEFFFF MOV DWORD PTR SS:[EBP-16C],EDI
0040E17B . 89BD 8CFEFFFF MOV DWORD PTR SS:[EBP-174],EDI
0040E181 . C785 84FEFFFF>MOV DWORD PTR SS:[EBP-17C],75BCD15 ; 123456789
0040E18B . C785 7CFEFFFF>MOV DWORD PTR SS:[EBP-184],3 ; 3
0040E195 . 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0040E198 . 50 PUSH EAX ; 15391EDE
0040E199 . 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120]
0040E19F . 51 PUSH ECX ; 356188446
0040E1A0 . FF15 74114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarNo>; MSVBVM60.__vbaVarNot
0040E1A6 . 50 PUSH EAX ; 356188446
0040E1A7 . 8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
0040E1AD . 52 PUSH EDX ; 2
0040E1AE . 8D85 D0FEFFFF LEA EAX,DWORD PTR SS:[EBP-130]
0040E1B4 . 50 PUSH EAX
0040E1B5 . FF15 18114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDi>; MSVBVM60.__vbaVarDiv
0040E1BB . 50 PUSH EAX ; -178032495.50000000000
0040E1BC . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0040E1C2 . 51 PUSH ECX ; 356188446
0040E1C3 . FF15 5C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarIn>; MSVBVM60.__vbaVarInt
0040E1C9 . 50 PUSH EAX ; -178032496.00000000000
0040E1CA . 8D95 7CFEFFFF LEA EDX,DWORD PTR SS:[EBP-184]
0040E1D0 . 52 PUSH EDX ; 075BCD15
0040E1D1 . 8D85 B0FEFFFF LEA EAX,DWORD PTR SS:[EBP-150]
0040E1D7 . 50 PUSH EAX
0040E1D8 . FF15 90114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
0040E1DE . 83EC 10 SUB ESP,10 ; -54575707.000000000000
0040E1E1 . 8BCC MOV ECX,ESP
0040E1E3 . 8B10 MOV EDX,DWORD PTR DS:[EAX] ; 5
0040E1E5 . 8911 MOV DWORD PTR DS:[ECX],EDX
0040E1E7 . 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0040E1EA . 8951 04 MOV DWORD PTR DS:[ECX+4],EDX ; 31
0040E1ED . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0040E1F0 . 8951 08 MOV DWORD PTR DS:[ECX+8],EDX
0040E1F3 . 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
0040E1F6 . 8941 0C MOV DWORD PTR DS:[ECX+C],EAX
0040E1F9 . 6A 01 PUSH 1
0040E1FB . 68 34B64000 PUSH [PYG]Cra.0040B634 ; UNICODE "YUN"
0040E200 . 8D43 44 LEA EAX,DWORD PTR DS:[EBX+44]
0040E203 . 50 PUSH EAX ; LTA
0040E204 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160]
0040E20A . 51 PUSH ECX ; E180DC55E8EBA7135D1214EF4A46512C
0040E20B . FF15 A0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarLa>; MSVBVM60.__vbaVarLateMemCallLd
0040E211 . 83C4 20 ADD ESP,20 ; 取MD5:-54575707
0040E214 . 8BD0 MOV EDX,EAX ; E180DC55E8EBA7135D1214EF4A46512C
总结:机器码+123456,取反,除2(小数点四舍五入转成长整数),加123456789,取MD5值
0040E216 . 8D4B 54 LEA ECX,DWORD PTR DS:[EBX+54]
0040E219 . FFD6 CALL ESI
0040E21B . 8D95 A0FEFFFF LEA EDX,DWORD PTR SS:[EBP-160]
0040E221 . 52 PUSH EDX
0040E222 . 8D85 B0FEFFFF LEA EAX,DWORD PTR SS:[EBP-150]
0040E228 . 50 PUSH EAX ; 743523914.00000000000
0040E229 . 57 PUSH EDI
0040E22A . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
举例算法总结:
1、机器码的由来:C盘序列号+123456。
如我的C盘序列号是356064990, 机器码=123456+356064990=356188446
2、注册码的后8位:
字符串1=5201314896788888888888888888888888
字符串2=chinapygabcdefghijklmopqrstuvwxyza
字符串3需要计算:机器码+123456,取反,除2(小数点四舍五入转成长整数),加123456789,取MD5值
即:356188446+123456,取反=-356064991,除2=178032496+123456789=54575707,取MD5得到字符串3=E180DC55E8EBA7135D1214EF4A46512C。
取字符串3中的第5位后的8位,即DC55E8EB,做为注册码的后8位。
3、密钥算法:取crackme所在盘符序列号前六位=181421,对换前后三位=421181,我这里crackme在D盘,序列号为:1814217405,KEY=20041201*18+421181=361162799
4、邮箱:逐个取邮箱ASCII码,每个异或3后累加得到结果5A0H(1440)。
6、将机器码的10进制数字逐个加1(=467299557)在字符串5201314896788888888888888888888888中查找相应位置合并后组成新码(=114299334),
转浮点,加邮箱的计算结果,加KEY码。
即:浮点计算结果114299334+1440(邮箱)+361162799(KEY)=475463573
7、将机器码的10进制数字逐个加1(=467299557)在字符串chinapygabcdefghijklmopqrstuvwxyza中查找相应位置合并后转成大写组成新码(=NPYHAAAAY),
与6中的计算结果相连得到:475463573NPYHAAAAY,前面取5位后面取后面取13位用-号连起来=47546-3573NPYHAAAAY,
8、注册码计算过程:逐个取注册码ASCII码+4+位置数转成字符,前面19位要与特征码1(47546-3573NPYHAAAAY)相同,后8位为7中的结果47546-3573NPYHAAAAY。
逆运算得到注册码:
47546-3573NPYHAAAAY转ASCII=34373534362D333537334E5059484141414159减4减每位字符串的顺序号=2F312E2C2D2328292A253F4048362E2D2C2B42,
转成字符为/1.,-#()*%?@H6.-,+B,则注册码为/1.,-#()*%?@H6.-,+BDC55E8EB。
算法注册机源码:
'判断EMAIL的合法性
Public Function isEmail(ByVal str As String) As Boolean
isEmail = str Like "[A-Za-z0-9_]*@[A-Za-z0-9_]*.[A-Za-z0-9_]*"
End Function
Private Sub Form_Load()
If Dir(App.Path & "\[PYG]CrackMe") = "" Then
MsgBox "注册[PYG]CrackMe时,请将[PYG]CrackMe置于注册机所在盘符!", 48, "友情提示"
End If
End Sub
'算法过程
Private Sub Label1_Click()
Dim driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
Dim res As Long
Dim jqm As Long
Dim ysm1 As String
Dim jqm2, jqm3, email, tzm1, tzm2, tzm3, tzm4, tzm5
driver = Left(App.Path, 3) ' 获取当前盘符
res = GetVolumeInformation(driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
jqm = Val(volNumber)
s1 = "5201314896788888888888888888888888"
s2 = "chinapygabcdefghijklmopqrstuvwxyza"
If Text2.Text = "" Then
MsgBox "虽然用户名不参加运算,还是请留下你的大名!", 48, "友情提示"
Else
If Text3.Text = "" Then
MsgBox "邮箱号不能为空!", 64, "注意"
Else
If isEmail(Text3.Text) = False Then
MsgBox " 请检查EMAIL格式"
Else
For i = 1 To Len(Text1.Text)
jqm2 = jqm2 & Mid(s1, (Mid(Text1.Text, i, 1) + 1), 1)
jqm3 = jqm3 & UCase(Mid(s2, (Mid(Text1.Text, i, 1) + 1), 1))
Next
For j = 1 To Len(Text3.Text)
email = email + Asc(Mid(Text3.Text, j, 1)) Xor 3
Next
a = Not (Text1.Text - 123456)
ysm1 = CLng(Val(a) / 2) + &H75BCD15
S3 = UCase(MD5(ysm1, 32))
tzm1 = Mid(jqm, 4, 3) & Mid(jqm, 1, 3)
tzm2 = 20041201 * 18 + Val(tzm1)
tzm3 = CLng(jqm2 + email + tzm2) & jqm3
tzm4 = Left(tzm3, 5) & "-" & Right(tzm3, 13)
For M = 1 To Len(tzm4)
tzm5 = tzm5 & (Chr(Asc(Mid(tzm4, M, 1)) - M - 4))
Next
End If
End If
End If
Text4.Text = tzm5 & Mid(S3, 5, 8)
End Sub
Private Sub Label4_Click()
Form2.Show
End Sub
Private Sub Label5_Click()
Unload Me
End Sub
'密钥计算
Private Sub Label6_Click()
Dim driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
driver = "c:\"
Dim res As Long
Dim jqm1 As Long
Dim a, tzm1 As Double
Dim ysm1 As String
driver = Left(App.Path, 3) ' 获取当前盘符
res = GetVolumeInformation(driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
my = 20041201 * 18 + Val(Mid(volNumber, 4, 3) & Mid(volNumber, 1, 3))
inforstr = Val(my) & Chr(10) & "请在安装目录新建一个文本文件," & Chr(10) & "写入密钥后保存为PYG2006.key。"
MsgBox inforstr, vbInformation, "你的密钥是:"
End Sub
'机器码由来
Private Sub Text2_GotFocus()
Dim driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
Dim res As Long
Dim jqm As Long
driver = "c:\"
res = GetVolumeInformation(driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
Text1.Text = volNumber + &H1E240
End Sub
Private Sub Text4_GotFocus()
Text4.SelStart = 0
Text4.SelLength = Len(Text4.Text)
End Sub
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年1月1日
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
下手好快....
顶你一下 这是我的注册机(因为易语言写的所以大了一点)  不好意思 |
|
|
牛啊,咱要好好学习一下!2007年的PYG认证题也出来了
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2006 的我也是痛苦中搞定的,刚下了 2007 的,比这个简单了,一把年纪了,不想加入了,不过还是支持飘云,支持 PYG,我在那里学到了东西,也下载了好多软件
|
|
|
|
|
|
最初由 KAN 发布 2007那个运算非常非常之多。想作出注册机来不是这么容易的。我也想不通飘云老大干嘛弄个都是明码比较的来。 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
