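[Original] Analysis of cracking a BumpyFlea's CrackMe (5 levels in total) (compiled as P-Code)
Posted: 2007-12-29 14:51
【Title】: Analysis of cracking a BumpyFlea's CrackMe + (5 levels in total) + (compiled as P-Code)
【Author】: CuteSnail
【Author QQ】: 121567771
【Author's statement】: Just for my own amusement out of interest, with no other purpose. Please point out any mistakes!
-------------------------------------------------------------------------------
【Detailed walkthrough】
The program is compiled in VB6 P-Code mode, so VBExplorer 1.1 was used for static decompilation and WKTVBDE 4.1 for dynamic tracing (from level 3 onward):
||===||
||Level 1: Remove Me (patching out the NAG window); see the analysis below:
||===||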
[Form.Load]
:00404C6C 27FCFE LitVar ;PushVar LOCAL_0104
:00404C6F 271CFF LitVar ;PushVar LOCAL_00E4
******Possible String Ref To->"Remove Me"
|
:00404C72 3A4CFF1400 LitVarStr ;PushVarString ptr_00402920
:00404C77 4E3CFF FStVarCopyObj ;[LOCAL_00C4]=vbaVarDup(Pop)
:00404C7A 043CFF FLdRfVar ;Push LOCAL_00C4
:00404C7D F530000000 LitI4 ;Push 00000030
******Possible String Ref To->"This is a nag, U need to Remove Me"
|
:00404C82 3A6CFF1500 LitVarStr ;PushVarString ptr_004028D4
:00404C87 4E5CFF FStVarCopyObj ;[LOCAL_00A4]=vbaVarDup(Pop)
:00404C8A 045CFF FLdRfVar ;Push LOCAL_00A4
**********Reference To->msvbvm60.rtcMsgBox
|
:00404C8D 0A0D001400 ImpAdCallFPR4 ;// Clearly, this is where the NAG dialog pops up! //
:00404C92 3608005CFF3CFF1C FFreeVar ;Free 0008/2 variants
:00404C9D F400 LitI2_Byte ;Push 00
:00404C9F 21 FLdPrThis ;[SR]=[stack2]
:00404CA0 0FFC02 VCallAd ;Return the control index 01
:00404CA3 19F8FE FStAdFunc ;
:00404CA6 08F8FE FLdPr ;[SR]=[LOCAL_0108]
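:remaining code omitted...
From the above, the ImpAdCallFPR4 instruction at 00404C8D is the one that pops up the NAG dialog; skipping it is all that is needed. The P-Code counterparts of jmp/je/jne are:
(native form) (P-Code form)
jmp xxXX <=> Branch xxXX ;opcode byte 1E; the instruction is 3 bytes long, and the last 2 bytes hold the jump length; xxXX is the jump address, where xx is the low byte and XX the high byte.
je xxXX <=> BranchT xxXX ;opcode byte 1D; the instruction is 3 bytes long; otherwise as above.
jne xxXX <=> BranchF xxXX ;opcode byte 1C; the instruction is 3 bytes long; otherwise as above.
So take the line above:
:00404C8D 0A0D001400 ImpAdCallFPR4 ;the NAG dialog pops up here
Locate address 00404C8D with a hex editor (e.g. 010 Editor) and first change this instruction's machine code, "0A0D001400",
to "1E00000000". Decompiling again with VBExplorer then shows the following instructions at that location:
:00404C8D 1E0000 Branch ;ESI=00404C6C // note the value of ESI in this line
:00404C90 0000 LargeBos ;the patched location; the machine code still totals 3+2=5 bytes
The listing above shows ESI=00404C6C, and the place to force the jump to is the instruction at 00404C92, immediately after the patched bytes. So 00404C92 - 00404C6C = 26 (38 in decimal), which means the jump length is hexadecimal 26. Therefore change the length 0000 that follows 1E in the patched machine code "1E00000000" to 2600 (26 comes first because the value is stored low byte first, high byte last), giving "1E26000000", and that's it! Run the program and the NAG window is gone, hehe.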
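The operand arithmetic described above, as an added example that is not part of the original post: a small Python decoder for the three branch opcodes, checked against branch targets annotated in this page's listings. It assumes, as those ESI annotations suggest, that the 16-bit little-endian operand is an offset from the first instruction of the procedure; the function names are hypothetical.

```python
import re

# Opcode bytes of the three branch instructions, from the table above.
BRANCH_OPCODES = {0x1E: "Branch", 0x1D: "BranchT", 0x1C: "BranchF"}

# One listing line: ":<address> <hex bytes> <mnemonic> [;comment]"
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)")


def decode_branch(proc_start, raw):
    """Return (mnemonic, target address) for a 3-byte branch, else None."""
    if len(raw) != 3 or raw[0] not in BRANCH_OPCODES:
        return None
    # Assumption: operand = little-endian offset from the procedure start.
    offset = int.from_bytes(raw[1:], "little")
    return BRANCH_OPCODES[raw[0]], proc_start + offset


def encode_branch(opcode, proc_start, target):
    """Return the 3 instruction bytes that branch to `target`."""
    offset = target - proc_start
    if opcode not in BRANCH_OPCODES or not 0 <= offset <= 0xFFFF:
        raise ValueError("not a branch opcode, or target out of 16-bit range")
    return bytes([opcode]) + offset.to_bytes(2, "little")


def branch_targets(listing):
    """Decode every branch in a listing whose first line starts the procedure."""
    proc_start, found = None, []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Possible String Ref" and "|" annotation lines
        addr, hexbytes, mnemonic = int(m.group(1), 16), m.group(2), m.group(3)
        if proc_start is None:
            proc_start = addr
        if not mnemonic.startswith("Branch"):
            continue
        decoded = decode_branch(proc_start, bytes.fromhex(hexbytes))
        if decoded:
            found.append((addr, decoded[0], decoded[1]))
    return found


# Lines taken from the [Password.Change] listing on this page, comments dropped.
SAMPLE = """\
:00404D64 0474FF FLdRfVar
******Possible String Ref To->"123454321"
:00404D84 1C5400 BranchF
:00404DD8 1CA800 BranchF
:00404E2E 1CFE00 BranchF
"""

if __name__ == "__main__":
    for addr, name, target in branch_targets(SAMPLE):
        print(f"{addr:08X} {name:<8} -> {target:08X}")
    print(encode_branch(0x1E, 0x00404C6C, 0x00404C92).hex().upper())  # Form.Load case
```
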
||===||
||Level 2: Level 1 Menu: Password (finding the Password); see the analysis below:
||===||
[Password.Change]
:00404D64 0474FF FLdRfVar
:00404D67 21 FLdPrThis
:00404D68 0F9003 VCallAd
:00404D6B 1978FF FStAdFunc
:00404D6E 0878FF FLdPr
***********Reference To:[propget]TextBox.Text ;get the entered PassWord
|
:00404D71 0DA0000A00 VCallHresult ;Call ptr_00402734
:00404D76 6C74FF ILdRf
******Possible String Ref To->"123454321" ;// fake serial
|
:00404D79 1B1700 LitStr
:00404D7C FB30 EqStr
:00404D7E 2F74FF FFree1Str
:00404D81 1A78FF FFree1Ad
:00404D84 1C5400 BranchF ;If Pop=0 then ESI=00404DB8 // the jump must be taken here
:00404D87 27F4FE LitVar
:00404D8A 2714FF LitVar
******Possible String Ref To->"Almost" ;// title of the fake-registration dialog
|
:00404D8D 3A44FF1800 LitVarStr
:00404D92 4E34FF FStVarCopyObj
:00404D95 0434FF FLdRfVar
:00404D98 F500000000 LitI4
******Possible String Ref To->"Nice try. I also Use this number. Unfortunatly it ain't the password."
| ;// text of the fake-registration dialog
:00404D9D 3A64FF1900 LitVarStr
:00404DA2 4E54FF FStVarCopyObj
:00404DA5 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00404DA8 0A0D001400 ImpAdCallFPR4 ;pops up the fake-registration dialog
:00404DAD 36080054FF34FF14 FFreeVar
:00404DB8 0474FF FLdRfVar ;Push LOCAL_008C
:00404DBB 21 FLdPrThis
:00404DBC 0F9003 VCallAd
:00404DBF 1978FF FStAdFunc
:00404DC2 0878FF FLdPr
***********Reference To:[propget]TextBox.Text ;get the entered PassWord
|
:00404DC5 0DA0000A00 VCallHresult
:00404DCA 6C74FF ILdRf
******Possible String Ref To->"bUmPy FlEa 1799" ;the real PassWord, compared as a fixed plaintext string
|
:00404DCD 1B1A00 LitStr
:00404DD0 FB30 EqStr
:00404DD2 2F74FF FFree1Str
:00404DD5 1A78FF FFree1Ad
:00404DD8 1CA800 BranchF ;If Pop=0 then ESI=00404E0C // key comparison; must not jump
:00404DDB 27F4FE LitVar
:00404DDE 2714FF LitVar
******Possible String Ref To->"Congratz" ;// title of the success dialog
|
:00404DE1 3A44FF1B00 LitVarStr
:00404DE6 4E34FF FStVarCopyObj
:00404DE9 0434FF FLdRfVar
:00404DEC F500000000 LitI4
******Possible String Ref To->"Congradulations. You found the correct Password"
| ;// text of the success dialog
:00404DF1 3A64FF1C00 LitVarStr
:00404DF6 4E54FF FStVarCopyObj
:00404DF9 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00404DFC 0A0D001400 ImpAdCallFPR4 ;pops up the success dialog
:00404E01 36080054FF34FF14 FFreeVar
:00404E0C 0474FF FLdRfVar ;Push LOCAL_008C
:00404E0F 21 FLdPrThis
:00404E10 0F9003 VCallAd
:00404E13 1978FF FStAdFunc
:00404E16 0878FF FLdPr
***********Reference To:[propget]TextBox.Text
|
:00404E19 0DA0000A00 VCallHresult ;get the entered PassWord
:00404E1E 6C74FF ILdRf
:00404E21 4A FnLenStr
:00404E22 F519000000 LitI4
:00404E27 E0 GeI4
:00404E28 2F74FF FFree1Str
:00404E2B 1A78FF FFree1Ad
:00404E2E 1CFE00 BranchF ;If Pop=0 then ESI=00404E62 // PassWord is not too long, so no message
:00404E31 27F4FE LitVar
:00404E34 2714FF LitVar
******Possible String Ref To->"Password isn't this long"
|
:00404E37 3A44FF1D00 LitVarStr ;title of the "PassWord too long" message
:00404E3C 4E34FF FStVarCopyObj
:00404E3F 0434FF FLdRfVar
:00404E42 F500000000 LitI4
******Possible String Ref To->"Your Password is a little too long"
|
:00404E47 3A64FF1E00 LitVarStr ;text of the "PassWord too long" message
:00404E4C 4E54FF FStVarCopyObj
:00404E4F 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00404E52 0A0D001400 ImpAdCallFPR4 ;the "PassWord too long" dialog
:00404E57 36080054FF34FF14 FFreeVar
:00404E62 13 ExitProcHresult ;
From the analysis above, the real, correct PassWord is easily obtained: bUmPy FlEa 1799
Then on to level 3.
||===||
||Level 3: Level 1 Menu: Enable Me (enabling the disabled menu item); see the modification below:
||===||
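Open the CrackMe in a hex editor (e.g. 010 Editor) and search for the string 'Enable Me'. Once it is found, change the machine code immediately following it (starting at 1BC2):
00 05 to:
00 06
That's all! (Because 05 = disabled and 06 = enabled, hehe ;)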
||===||
||Level 4: Level 2 Menu: Serial Code (name/serial check); see the analysis below (VBExplorer 1.1 together with WKTVBDE 4.1):
||===||
[Check.Click]
:00405220 0002 LargeBos ;IDE beginning of line with 02 byte codes
:00405222 0005 LargeBos ;IDE beginning of line with 05 byte codes
:00405224 4BFFFF OnErrorGoto
:00405227 0027 LargeBos ;IDE beginning of line with 27 byte codes
:00405229 0474FF FLdRfVar
:0040522C 21 FLdPrThis
:0040522D 0F2003 VCallAd
:00405230 1978FF FStAdFunc
:00405233 0878FF FLdPr
***********Reference To:[propget]TextBox.Text
|
:00405236 0DA0000A00 VCallHresult ;get the name
:0040523B 6C74FF ILdRf
:0040523E 4A FnLenStr ;get its length
:0040523F F506000000 LitI4 ;push the value 6
:00405244 D6 LeI4
:00405245 2F74FF FFree1Str
:00405248 1A78FF FFree1Ad ;compare with 6
:0040524B 1C6400 BranchF ;If Pop=0 then ESI=00405284 // jump if greater
:0040524E 0033 LargeBos ;IDE beginning of line with 33 byte codes
:00405250 27F4FE LitVar
:00405253 2714FF LitVar
******Possible String Ref To->"Try again"
|
:00405256 3A44FF0B00 LitVarStr ;title of the "name length invalid" message
:0040525B 4E34FF FStVarCopyObj
:0040525E 0434FF FLdRfVar
:00405261 F500000000 LitI4
******Possible String Ref To->"Name must be greater than 6 characters"
|
:00405266 3A64FF0C00 LitVarStr ;text of the "name length invalid" message
:0040526B 4E54FF FStVarCopyObj
:0040526E 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00405271 0A0D001400 ImpAdCallFPR4 ;the "name length invalid" dialog
:00405276 36080054FF34FF14 FFreeVar
:00405281 1EC101 Branch ;jump away: failure
:00405284 0025 LargeBos ;name length is greater than 6, so execution arrives here:
:00405286 0474FF FLdRfVar
:00405289 21 FLdPrThis
:0040528A 0F1C03 VCallAd
:0040528D 1978FF FStAdFunc
:00405290 0878FF FLdPr
***********Reference To:[propget]TextBox.Text
|
:00405293 0DA0000A00 VCallHresult ;get the serial
:00405298 6C74FF ILdRf
******Possible String Ref To->""
|
:0040529B 1B0E00 LitStr
:0040529E FB30 EqStr
:004052A0 2F74FF FFree1Str
:004052A3 1A78FF FFree1Ad ;is it empty?
:004052A6 1CBF00 BranchF ;If Pop=0 then ESI=004052DF // not empty: jump
:004052A9 0033 LargeBos
:004052AB 27F4FE LitVar
:004052AE 2714FF LitVar
******Possible String Ref To->"Might help"
|
:004052B1 3A44FF0F00 LitVarStr ;title of the "serial invalid" message
:004052B6 4E34FF FStVarCopyObj
:004052B9 0434FF FLdRfVar
:004052BC F500000000 LitI4
******Possible String Ref To->"Please enter a serial code"
|
:004052C1 3A64FF1000 LitVarStr ;text of the "serial invalid" message
:004052C6 4E54FF FStVarCopyObj
:004052C9 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:004052CC 0A0D001400 ImpAdCallFPR4 ;the "serial invalid" dialog
:004052D1 36080054FF34FF14 FFreeVar
:004052DC 1EC101 Branch ;jump away: failure
:004052DF 0041 LargeBos ;the serial meets the requirements, so execution arrives here // set a breakpoint here in WKTVBDE and step in with F8: //
:004052E1 0474FF FLdRfVar
:004052E4 21 FLdPrThis
:004052E5 0F1C03 VCallAd
:004052E8 1978FF FStAdFunc
:004052EB 0878FF FLdPr
***********Reference To:[propget]TextBox.Text
|
:004052EE 0DA0000A00 VCallHresult ;get the name
:004052F3 6C74FF ILdRf
:004052F6 F35243 LitI2
:004052F9 FBFD CStrUI1 ;convert to decimal character-code value
:004052FB 23F0FE FStStrNoPop
:004052FE 080800 FLdPr
:00405301 893400 MemLdI2
:00405304 FBFD CStrUI1 ;convert again?
:00405306 23ECFE FStStrNoPop
:00405309 2A ConcatStr ;concatenate the strings // yields the complete serial
:0040530A 23E8FE FStStrNoPop
:0040530D FB3D NeStr
:0040530F 320800F0FEECFE74 FFreeStr
:0040531A 1A78FF FFree1Ad ;key comparison
:0040531D 1C4D01 BranchF ;If Pop=0 then ESI=0040536D // jump: success
:00405320 0033 LargeBos
:00405322 27F4FE LitVar
:00405325 2714FF LitVar
******Possible String Ref To->"Try again"
|
:00405328 3A44FF0B00 LitVarStr ;title of the wrong-serial message
:0040532D 4E34FF FStVarCopyObj
:00405330 0434FF FLdRfVar
:00405333 F500000000 LitI4
******Possible String Ref To->"Soz, but that ain't the correct serial"
|
:00405338 3A64FF1100 LitVarStr ;text of the wrong-serial message
:0040533D 4E54FF FStVarCopyObj
:00405340 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:00405343 0A0D001400 ImpAdCallFPR4 ;the wrong-serial dialog
:00405348 36080054FF34FF14 FFreeVar
:00405353 0017 LargeBos
******Possible String Ref To->""
|
:00405355 1B0E00 LitStr
:00405358 21 FLdPrThis
:00405359 0F1C03 VCallAd
:0040535C 1978FF FStAdFunc
:0040535F 0878FF FLdPr
***********Reference To:[propput]TextBox.Text
|
:00405362 0DA4000A00 VCallHresult ;clear the serial field
:00405367 1A78FF FFree1Ad
:0040536A 1EC101 Branch ;failure: jump away from here
:0040536D 0041 LargeBos ;on success above, execution arrives here
:0040536F 0474FF FLdRfVar
:00405372 21 FLdPrThis
:00405373 0F1C03 VCallAd
:00405376 1978FF FStAdFunc
:00405379 0878FF FLdPr
***********Reference To:[propget]TextBox.Text
|
:0040537C 0DA0000A00 VCallHresult
:00405381 6C74FF ILdRf
:00405384 F35243 LitI2
:00405387 FBFD CStrUI1
:00405389 23F0FE FStStrNoPop
:0040538C 080800 FLdPr
:0040538F 893400 MemLdI2
:00405392 FBFD CStrUI1
:00405394 23ECFE FStStrNoPop
:00405397 2A ConcatStr
:00405398 23E8FE FStStrNoPop
:0040539B FB30 EqStr
:0040539D 320800F0FEECFE74 FFreeStr
:004053A8 1A78FF FFree1Ad
:004053AB 1CC101 BranchF ;If Pop=0 then ESI=004053E1 // jump away: failure
:004053AE 0033 LargeBos
:004053B0 27F4FE LitVar
:004053B3 2714FF LitVar
******Possible String Ref To->"Congradz"
|
:004053B6 3A44FF1200 LitVarStr ;title of the correct-serial message
:004053BB 4E34FF FStVarCopyObj
:004053BE 0434FF FLdRfVar
:004053C1 F500000000 LitI4
******Possible String Ref To->"Well Done. Now generate a keygen"
|
:004053C6 3A64FF1300 LitVarStr ;text of the correct-serial message
:004053CB 4E54FF FStVarCopyObj
:004053CE 0454FF FLdRfVar
**********Reference To->msvbvm60.rtcMsgBox
|
:004053D1 0A0D001400 ImpAdCallFPR4 ;the correct-serial dialog
:004053D6 36080054FF34FF14 FFreeVar
:004053E1 0002 LargeBos
:004053E3 0000 LargeBos
:004053E5 13 ExitProcHresult
:004053E6 0000 LargeBos
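The analysis above shows that the serial is the fixed string '17234' concatenated with the result of a computation on the name. After analyzing the name computation in WKTVBDE, the algorithm, expressed roughly in Pascal, is: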
//////////////////////////////////////
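program keygen;
var
  name : string;
  i, tmp : integer;
begin
  write('name:');
  readln(name);  { the CrackMe requires a name longer than 6 characters }
  tmp := 0;
  { weight each character code by its zero-based position in the name }
  for i := 1 to length(name) do
    tmp := tmp + ord(name[i]) * (i-1);
  { serial = fixed prefix '17234' followed by the decimal sum }
  writeln('Serial: 17234', tmp);
  readln;
end.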
//////////////////////////////////////
Simple enough, hehe. Here is one set of registration details:
Name: CuteSnail
Serial Code: 172343715
||===||
||Level 5: Level 3 Menu: Solve The Patterns (a rather odd check of boxes and bars); see the analysis below:
||===||
[Chec2.Click]
:0040543C 0476FF FLdRfVar ;analysis starts here:
:0040543F 21 FLdPrThis
:00405440 0F7003 VCallAd ;state of checkbox 1 (located in WKTVBDE)
:00405443 1978FF FStAdFunc
:00405446 0878FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405449 0DE0000200 VCallHresult
:0040544E 6B76FF FLdI2
:00405451 F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:00405453 C6 EqI2 ;test whether it is checked!
:00405454 046EFF FLdRfVar
:00405457 21 FLdPrThis
:00405458 0F5C03 VCallAd ;state of checkbox 6 (ordering: top to bottom, left to right)
:0040545B 1970FF FStAdFunc
:0040545E 0870FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405461 0DE0000200 VCallHresult
:00405466 6B6EFF FLdI2
:00405469 F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:0040546B C6 EqI2 ;test whether it is checked!
:0040546C C4 AndI4
:0040546D 0466FF FLdRfVar
:00405470 21 FLdPrThis
:00405471 0F4803 VCallAd ;state of checkbox 11
:00405474 1968FF FStAdFunc
:00405477 0868FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:0040547A 0DE0000200 VCallHresult
:0040547F 6B66FF FLdI2
:00405482 F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:00405484 C6 EqI2 ;test whether it is checked!
:00405485 C4 AndI4
:00405486 045EFF FLdRfVar
:00405489 21 FLdPrThis
:0040548A 0F3403 VCallAd ;state of checkbox 16
:0040548D 1960FF FStAdFunc
:00405490 0860FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405493 0DE0000200 VCallHresult
:00405498 6B5EFF FLdI2
:0040549B F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:0040549D C6 EqI2 ;test whether it is checked!
:0040549E C4 AndI4
:0040549F 0456FF FLdRfVar
:004054A2 21 FLdPrThis
:004054A3 0F6C03 VCallAd ;state of checkbox 2
:004054A6 1958FF FStAdFunc
:004054A9 0858FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:004054AC 0DE0000200 VCallHresult
:004054B1 6B56FF FLdI2
:004054B4 F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:004054B6 C6 EqI2 ;test whether it is checked!
:004054B7 C4 AndI4
:004054B8 044EFF FLdRfVar
:004054BB 21 FLdPrThis
:004054BC 0F5003 VCallAd ;state of checkbox 9
:004054BF 1950FF FStAdFunc
:004054C2 0850FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:004054C5 0DE0000200 VCallHresult
:004054CA 6B4EFF FLdI2
:004054CD F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:004054CF C6 EqI2 ;test whether it is checked!
:004054D0 C4 AndI4
:004054D1 0446FF FLdRfVar
:004054D4 21 FLdPrThis
:004054D5 0F3C03 VCallAd ;state of checkbox 14
:004054D8 1948FF FStAdFunc
:004054DB 0848FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:004054DE 0DE0000200 VCallHresult
:004054E3 6B46FF FLdI2
:004054E6 F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:004054E8 C6 EqI2 ;test whether it is checked!
:004054E9 C4 AndI4
:004054EA 043EFF FLdRfVar
:004054ED 21 FLdPrThis
:004054EE 0F6403 VCallAd ;state of checkbox 4
:004054F1 1940FF FStAdFunc
:004054F4 0840FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:004054F7 0DE0000200 VCallHresult
:004054FC 6B3EFF FLdI2
:004054FF F401 LitI2_Byte ;Push 01 // 1 means the checkbox is checked
:00405501 C6 EqI2 ;test whether it is checked!
:00405502 C4 AndI4
:00405503 0436FF FLdRfVar
:00405506 21 FLdPrThis
:00405507 0F5403 VCallAd ;state of checkbox 8
:0040550A 1938FF FStAdFunc
:0040550D 0838FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405510 0DE0000200 VCallHresult
:00405515 6B36FF FLdI2
:00405518 F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:0040551A C6 EqI2 ;test whether it is checked!
:0040551B C4 AndI4
:0040551C 042EFF FLdRfVar
:0040551F 21 FLdPrThis
:00405520 0F6803 VCallAd ;state of checkbox 3
:00405523 1930FF FStAdFunc
:00405526 0830FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405529 0DE0000200 VCallHresult
:0040552E 6B2EFF FLdI2
:00405531 F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:00405533 C6 EqI2 ;test whether it is checked!
:00405534 C4 AndI4
:00405535 0426FF FLdRfVar
:00405538 21 FLdPrThis
:00405539 0F6003 VCallAd ;state of checkbox 5
:0040553C 1928FF FStAdFunc
:0040553F 0828FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405542 0DE0000200 VCallHresult
:00405547 6B26FF FLdI2
:0040554A F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:0040554C C6 EqI2 ;test whether it is checked!
:0040554D C4 AndI4
:0040554E 041EFF FLdRfVar
:00405551 21 FLdPrThis
:00405552 0F5803 VCallAd ;state of checkbox 7
:00405555 1920FF FStAdFunc
:00405558 0820FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:0040555B 0DE0000200 VCallHresult
:00405560 6B1EFF FLdI2
:00405563 F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:00405565 C6 EqI2 ;test whether it is checked!
:00405566 C4 AndI4
:00405567 0416FF FLdRfVar
:0040556A 21 FLdPrThis
:0040556B 0F4C03 VCallAd ;state of checkbox 10
:0040556E 1918FF FStAdFunc
:00405571 0818FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:00405574 0DE0000200 VCallHresult
:00405579 6B16FF FLdI2
:0040557C F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:0040557E C6 EqI2 ;test whether it is checked!
:0040557F C4 AndI4
:00405580 040EFF FLdRfVar
:00405583 21 FLdPrThis
:00405584 0F4403 VCallAd ;state of checkbox 12
:00405587 1910FF FStAdFunc
:0040558A 0810FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:0040558D 0DE0000200 VCallHresult
:00405592 6B0EFF FLdI2
:00405595 F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:00405597 C6 EqI2 ;test whether it is checked!
:00405598 C4 AndI4
:00405599 0406FF FLdRfVar
:0040559C 21 FLdPrThis
:0040559D 0F4003 VCallAd ;state of checkbox 13
:004055A0 1908FF FStAdFunc
:004055A3 0808FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:004055A6 0DE0000200 VCallHresult
:004055AB 6B06FF FLdI2
:004055AE F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:004055B0 C6 EqI2 ;test whether it is checked!
:004055B1 C4 AndI4
:004055B2 04FEFE FLdRfVar
:004055B5 21 FLdPrThis
:004055B6 0F3803 VCallAd ;state of checkbox 15
:004055B9 1900FF FStAdFunc
:004055BC 0800FF FLdPr
***********Reference To:[propget]CheckBox.Value
|
:004055BF 0DE0000200 VCallHresult ;state of checkbox 16
:004055C4 6BFEFE FLdI2
:004055C7 F400 LitI2_Byte ;Push 00 // 0 means the checkbox is not checked
:004055C9 C6 EqI2 ;test whether it is checked!
:004055CA C4 AndI4
:004055CB 29200078FF70FF68 FFreeAd
:004055EE 1CC101 BranchF ;key branch: if the conditions above are met, it does not jump
******Possible String Ref To->"true"
|
:004055F1 3ADCFE0300 LitVarStr
:004055F6 FD00ECFE FStVarCopy
:004055FA 1ECA01 Branch ;jump away
******Possible String Ref To->"false"
|
:004055FD 3ADCFE0400 LitVarStr
:00405602 FD00ECFE FStVarCopy
:00405606 21 FLdPrThis ;the jump lands here (when the conditions above are met)
:00405607 0FBC03 VCallAd ;get the state of slider 1
:0040560A 1978FF FStAdFunc
:0040560D 0878FF FLdPr
:00405610 61CCFE0B000000 LateIdLdVar
:00405617 FC22 CI4Var
:00405619 F503000000 LitI4 ;Push 00000003 // push the value 3
:0040561E C7 EqI4 ;Push (Pop1 == Pop2) // compare whether the two are equal
:0040561F 21 FLdPrThis
:00405620 0FB803 VCallAd ;get the state of slider 2
:00405623 1970FF FStAdFunc
:00405626 0870FF FLdPr
:00405629 61BCFE0B000000 LateIdLdVar
:00405630 FC22 CI4Var
:00405632 F508000000 LitI4 ;Push 00000008 // push the value 8
:00405637 C7 EqI4 ;Push (Pop1 == Pop2) // compare whether the two are equal
:00405638 C4 AndI4
:00405639 29040078FF70FF FFreeAd
:00405640 360400CCFEBCFE FFreeVar
:00405647 1C1A02 BranchF ;key branch: if the conditions above are met, it does not jump
******Possible String Ref To->"true"
|
:0040564A 3ADCFE0300 LitVarStr
:0040564F FD00ACFE FStVarCopy
:00405653 1E2302 Branch ;jump away
******Possible String Ref To->"false"
|
:00405656 3ADCFE0400 LitVarStr
:0040565B FD00ACFE FStVarCopy
:0040565F 04ECFE FLdRfVar ;the jump lands here (when the conditions above are met)
******Possible String Ref To->"true"
|
:00405662 3ADCFE0300 LitVarStr
:00405667 5D HardType
:00405668 FB2FCCFE EqVar
:0040566C 04ACFE FLdRfVar
******Possible String Ref To->"false"
|
:0040566F 3A9CFE0400 LitVarStr
:00405674 5D HardType
:00405675 FB2FBCFE EqVar
:00405679 FB278CFE AndVar
:0040567D FF1B CBoolVarNull
:0040567F 1C5B02 BranchF ;key branch: if the conditions above are met, it jumps
******Possible String Ref To->"Almost there, now just get the slider values"
|
:00405682 1B0500 LitStr ;this is the "almost there" message
:00405685 21 FLdPrThis
:00405686 0F7403 VCallAd
:00405689 1978FF FStAdFunc
:0040568C 0878FF FLdPr
***********Reference To:[propput]Label.Caption
|
:0040568F 0D54000600 VCallHresult
:00405694 1A78FF FFree1Ad
:00405697 04ECFE FLdRfVar ;the jump lands here (when the conditions above are met)
******Possible String Ref To->"false"
|
:0040569A 3ADCFE0400 LitVarStr
:0040569F 5D HardType
:004056A0 FB2FCCFE EqVar
:004056A4 04ACFE FLdRfVar
******Possible String Ref To->"true"
|
:004056A7 3A9CFE0300 LitVarStr
:004056AC 5D HardType
:004056AD FB2FBCFE EqVar
:004056B1 FB278CFE AndVar
:004056B5 FF1B CBoolVarNull
:004056B7 1C9302 BranchF ;key branch: if the conditions above are met, it jumps
******Possible String Ref To->"Almost there, now just get the boxes right"
|
:004056BA 1B0700 LitStr ;this is the "almost there" message
:004056BD 21 FLdPrThis
:004056BE 0F7403 VCallAd
:004056C1 1978FF FStAdFunc
:004056C4 0878FF FLdPr
***********Reference To:[propput]Label.Caption
|
:004056C7 0D54000600 VCallHresult
:004056CC 1A78FF FFree1Ad
:004056CF 04ECFE FLdRfVar ;the jump lands here (when the conditions above are met)
******Possible String Ref To->"true"
|
:004056D2 3ADCFE0300 LitVarStr
:004056D7 5D HardType
:004056D8 FB2FCCFE EqVar
:004056DC 04ACFE FLdRfVar
******Possible String Ref To->"true"
|
:004056DF 3A9CFE0300 LitVarStr
:004056E4 5D HardType
:004056E5 FB2FBCFE EqVar
:004056E9 FB278CFE AndVar
:004056ED FF1B CBoolVarNull
:004056EF 1CCB02 BranchF ;key branch: if the conditions above are met, it does not jump
******Possible String Ref To->"Congradulations, you figured it out"
|
:004056F2 1B0800 LitStr ;registration-success message
:004056F5 21 FLdPrThis
:004056F6 0F7403 VCallAd
:004056F9 1978FF FStAdFunc
:004056FC 0878FF FLdPr
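:remaining code omitted...
From the comparisons above, 8 of the CheckBox state checks are Push 01 and the remaining 8 are Push 00, so 8 CheckBoxes must be checked: those at positions 1, 6, 11, 16, 2, 9, 14 and 4, while those at positions 8, 3, 5, 7, 10, 12, 13 and 15 must not be checked. The first (upper) slider must have the value 3 and the second (lower) slider must have the value 8. When all of these conditions are met, registration succeeds, haha ^_^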
-----------------------------------------------------------------------------------
【Copyright】: This article is an original work by CuteSnail. When reposting, please credit the author and keep the article intact. Thanks! Goodbye!!