3 楼
这个是我的分析:
这个就是 Crackme 区发的第一个练手程序。
; OllyDbg disassembly excerpt of KeyGenMe (VB6 program on the MSVBVM60 runtime; 32-bit x86,
; Intel syntax). OllyDbg prints every immediate in hex (compare PUSH 0A0 / MOV EAX,0A below).
; The enclosing routine begins before 0040240E and continues past 0040259F, so the frame
; layout below is inferred from the visible accesses only:
;   [EBP-34] username BSTR           [EBP-30] username length (VB Integer)
;   [EBP-38] temporary BSTR          [EBP-24] password BSTR (from 0040247C on)
;   [EBP-3C] temporary object        [EBP-4C] / [EBP-8C] / [EBP-5C] VARIANT temporaries
;   [EBP-28] computed value (Long)   [EBP-EC] the same value as a Double
; Register roles: EBX appears to hold 0 (it clears [EBP-38] and serves as the "empty" length);
; EDI first holds __vbaStrMove and becomes the running sum from 004024A2 on; SI is the
; 1-based character index of the loop 004024AF..00402547.
; Review note: the expected value is a pure function of the username (1 + sum of
; Asc(char)*index, then one multiplication), it is compared numerically after parsing the
; password as a Double, and a single conditional jump at 00402579 decides pass/fail — which is
; why the author calls this an easy first exercise. Stack/heap addresses quoted from the
; author's notes (0012F514, 0012F5D4, 0014D9C8, ...) were observed in one debugging session
; and are not fixed values.
0040240E CALL EDI ; <&MSVBVM60.__vbaStrMove> — EDI holds __vbaStrMove here: move a BSTR result into its destination slot
00402410 LEA ECX,DWORD PTR SS:[EBP-3C] ; ECX = &temporary object
00402413 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj — release it
00402419 MOV EAX,DWORD PTR SS:[EBP-34] ; EAX = username BSTR
0040241C PUSH EAX ; arg: username (author observed it on the stack at 0012F514)
0040241D CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr — EAX = Len(username)
00402423 MOV ECX,EAX
00402425 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4 — narrow the length to a 16-bit Integer
0040242B MOV DWORD PTR SS:[EBP-30],EAX ; [EBP-30] = username length
0040242E CMP AX,3 ; a length below 3 fails, i.e. at least 3 characters are required (the original note says "more than 3")
00402432 JL KeyGenMe.00402605 ; 00402605 = common failure exit (also the target of 0040249C and 00402579)
00402438 MOV ECX,DWORD PTR DS:[ESI] ; ECX = vtable of the object in ESI (author saw 906B0066 at MAIN.004032F0)
0040243A PUSH ESI ; this-pointer (author saw 0014D9C8)
0040243B CALL DWORD PTR DS:[ECX+30C] ; vtable slot +30C; presumably returns a control — only the returned pointer is used below
00402441 PUSH EAX ; returned object
00402442 LEA EDX,DWORD PTR SS:[EBP-3C] ; EDX = &temporary object slot (author saw 0012F5D4)
00402445 PUSH EDX
00402446 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet — store the object in [EBP-3C]
0040244C MOV ESI,EAX ; ESI = object pointer (not the string contents, as the original note says)
0040244E MOV EAX,DWORD PTR DS:[ESI] ; EAX = its vtable
00402450 LEA ECX,DWORD PTR SS:[EBP-38]
00402453 PUSH ECX ; out-param: &[EBP-38] receives a BSTR
00402454 PUSH ESI ; this-pointer
00402455 CALL DWORD PTR DS:[EAX+A0] ; vtable slot +A0 (presumably a text-property getter): [EBP-38] = password string, EAX = HRESULT
0040245B FCLEX ; clear pending x87 exceptions
0040245D CMP EAX,EBX ; HRESULT < 0 (EBX presumably 0) means the call failed
0040245F JGE SHORT KeyGenMe.00402473
00402461 PUSH 0A0 ; vtable offset of the failed call (argument order inferred from __vbaHresultCheckObj's usual signature)
00402466 PUSH KeyGenMe.00401C40 ; presumably the interface IID
0040246B PUSH ESI ; the object
0040246C PUSH EAX ; the HRESULT
0040246D CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj — raise the VB runtime error for that HRESULT
00402473 MOV EDX,DWORD PTR SS:[EBP-38] ; EDX = password BSTR
00402476 MOV DWORD PTR SS:[EBP-38],EBX ; clear the temp slot; ownership of the string moves
00402479 LEA ECX,DWORD PTR SS:[EBP-24] ; ECX = &[EBP-24]
0040247C CALL EDI ; __vbaStrMove: [EBP-24] = password BSTR
0040247E LEA ECX,DWORD PTR SS:[EBP-3C]
00402481 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj — release the object
00402487 MOV EDX,DWORD PTR SS:[EBP-24]
0040248A PUSH EDX ; arg: password
0040248B CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr — EAX = Len(password)
00402491 MOV ECX,EAX
00402493 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4 — narrow to Integer
00402499 CMP AX,BX ; password length against BX (0)
0040249C JE KeyGenMe.00402605 ; an empty password fails
004024A2 MOV EDI,1 ; EDI = running sum, seeded with 1
004024A7 MOV ESI,EDI ; SI = character index, starting at 1
004024A9 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList — cached in EBX for the loop body
004024AF CMP SI,WORD PTR SS:[EBP-30] ; loop head: iterate while index <= Len(username)
004024B3 JG KeyGenMe.0040254C ; index > length -> leave the loop
004024B9 MOV DWORD PTR SS:[EBP-44],1 ; VARIANT at [EBP-4C]: value 1 ...
004024C0 MOV DWORD PTR SS:[EBP-4C],2 ; ... with vt = 2 (VT_I2); presumably the length argument "1"
004024C7 LEA EAX,DWORD PTR SS:[EBP-34] ; EAX = &username slot
004024CA MOV DWORD PTR SS:[EBP-84],EAX ; VARIANT at [EBP-8C]: pointer to the username BSTR ...
004024D0 MOV DWORD PTR SS:[EBP-8C],4008 ; ... with vt = 4008 (VT_BYREF | VT_BSTR)
004024DA LEA ECX,DWORD PTR SS:[EBP-4C]
004024DD PUSH ECX ; arg: length VARIANT
004024DE MOVSX EDX,SI ; sign-extend the 16-bit index to 32 bits
004024E1 PUSH EDX ; arg: start position = index
004024E2 LEA EAX,DWORD PTR SS:[EBP-8C]
004024E8 PUSH EAX ; arg: string VARIANT (username by reference)
004024E9 LEA ECX,DWORD PTR SS:[EBP-5C] ; author saw 0012F5B4
004024EC PUSH ECX ; arg: result VARIANT at [EBP-5C]
004024ED CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; ordinal 632; by argument shape this is Mid$(username, index, 1) — confirm the export name; result VARIANT in [EBP-5C]
004024F3 LEA EDX,DWORD PTR SS:[EBP-5C]
004024F6 PUSH EDX ; arg: the one-character result VARIANT
004024F7 LEA EAX,DWORD PTR SS:[EBP-38]
004024FA PUSH EAX ; arg: temp BSTR slot
004024FB CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal — EAX = that character as a BSTR (author saw 00155B54)
00402501 PUSH EAX
00402502 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr — Asc(): EAX = character code
00402508 IMUL AX,SI ; AX = Asc(char) * index (16-bit multiply)
0040250C JO KeyGenMe.00402671 ; 00402671 = overflow error handler (shared by every JO below)
00402512 MOVSX ECX,AX ; widen the product to 32 bits
00402515 ADD ECX,EDI ; ECX = sum + product
00402517 JO KeyGenMe.00402671
0040251D MOV EDI,ECX ; sum = ECX
0040251F LEA ECX,DWORD PTR SS:[EBP-38] ; author saw 0012F5D8
00402522 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr — free the one-character BSTR
00402528 LEA EDX,DWORD PTR SS:[EBP-5C]
0040252B PUSH EDX ; VARIANT at [EBP-5C]
0040252C LEA EAX,DWORD PTR SS:[EBP-4C]
0040252F PUSH EAX ; VARIANT at [EBP-4C]
00402530 PUSH 2 ; number of VARIANTs to free
00402532 CALL EBX ; __vbaFreeVarList(2, ...) — cdecl, hence the stack fix-up below
00402534 ADD ESP,0C
00402537 MOV EAX,1
0040253C ADD AX,SI ; AX = index + 1
0040253F JO KeyGenMe.00402671
00402545 MOV ESI,EAX ; index += 1
00402547 JMP KeyGenMe.004024AF ; back to the loop head
0040254C IMUL EDI,EDI,17496 ; sum *= 17496 (hex like every immediate here, i.e. 95382 decimal)
00402552 JO KeyGenMe.00402671
00402558 MOV DWORD PTR SS:[EBP-28],EDI
0040255B FILD DWORD PTR SS:[EBP-28] ; ST(0) = (double)sum
0040255E FSTP QWORD PTR SS:[EBP-EC] ; [EBP-EC] = expected value as a Double
00402564 MOV ECX,DWORD PTR SS:[EBP-24] ; ECX = password BSTR
00402567 PUSH ECX
00402568 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str — ST(0) = the password string converted to a Double
0040256E FCOMP QWORD PTR SS:[EBP-EC] ; compare the parsed password with the expected value
00402574 FSTSW AX ; x87 status word -> AX
00402576 TEST AH,40 ; bit 6 of AH is C3, set when FCOMP found the operands equal (only this bit matters, not "40..4F")
00402579 JE KeyGenMe.00402605 ; not equal -> failure exit; this one jump decides the outcome (the author's patch point)
0040257F MOV ECX,80020004 ; DISP_E_PARAMNOTFOUND ...
00402584 MOV DWORD PTR SS:[EBP-74],ECX
00402587 MOV EAX,0A ; ... with vt = 0A (VT_ERROR): VB's "optional argument omitted" VARIANT pattern
0040258C MOV DWORD PTR SS:[EBP-7C],EAX
0040258F MOV DWORD PTR SS:[EBP-64],ECX ; second omitted-argument VARIANT
00402592 MOV DWORD PTR SS:[EBP-6C],EAX
00402595 MOV DWORD PTR SS:[EBP-94],KeyGenMe.00401C74 ; UNICODE "Congratulations" — success message text
0040259F MOV EDI,8 ; 8 = VT_BSTR, presumably the vt for the message VARIANT; the call that consumes it lies past this excerpt