Handbook 网站上的一个VB P-Code crackme-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

最新回复 (4)
呱叽呱叽雪币： 253 活跃值： (27) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 49 粉丝 1 关注私信	呱叽呱叽 1 2 楼运算过程: :004054F4 处先取硬盘序列号16进制形式，我这里是160C3147，然后接下来取一位算一位，运算过后连接起来就是了，具体过程(有些乱)：暴破我使用了两种方式，应该还有其它方法吧 [Command2.Click] :00405388 6C0800 ILdRf ;Push DWORD [STACK_0008] :0040538B FD9C78FF FStAdNoPop ; :0040538F 051100 ImpAdLdRf ;Push ptr :00405392 241200 NewIfNullPr ;[Pop] [SR] *********Reference To:Global.UnLoad \| :00405395 0D10001300 VCallHresult ;Call ptr_00404E18 :0040539A 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0 :0040539D FCC813 End ; [Command1.Click] :0040556C 0002 LargeBos ;IDE beginning of line with 02 byte codes :0040556E 0005 LargeBos ;IDE beginning of line with 05 byte codes :00405570 4BFFFF OnErrorGoto ; :00405573 003F LargeBos ;IDE beginning of line with 3F byte codes :00405575 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :0040557A F501000000 LitI4 ;Push 00000001 :0040557F 080800 FLdPr ;[SR]=[STACK_0008] :00405582 063400 MemLdRfVar ;Push [SR]+STACK_0034 :00405585 4DF4FE0840 CVarRef ; :0040558A 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :0040558D 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :00405592 04C4FE FLdRfVar ;Push LOCAL_013C :00405595 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第一位，转数值型，为1 *******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405599 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :0040559E F402 LitI2_Byte ;Push 02 :004055A0 B1 MulI2 ; ;312=62 :004055A1 44B0FE CVarI2 ; :004055A4 FCF66CFF FStVar ; :004055A8 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004055AB 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004055B2 004C LargeBos ;IDE beginning of line with 4C byte codes :004055B4 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :004055B9 F502000000 LitI4 ;Push 00000002 :004055BE 080800 FLdPr ;[SR]=[STACK_0008] :004055C1 063400 MemLdRfVar ;Push [SR]+STACK_0034 :004055C4 4DF4FE0840 CVarRef ; :004055C9 04C4FE FLdRfVar ;Push LOCAL_013C ********Reference To->msvbvm50.rtcMidCharVar \| :004055CC 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :004055D1 04C4FE FLdRfVar ;Push LOCAL_013C :004055D4 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第二位，转数值型，为6 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :004055D8 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :004055DD 4490FE CVarI2 ; :004055E0 046CFF FLdRfVar ;Push LOCAL_0094 :004055E3 28B0FE0200 LitVarI2 ;PushVarInteger 0002 :004055E8 FBBCA0FE DivVar ; ;36-32=4; :004055EC FB9480FE AddVar ; :004055F0 FCF65CFF FStVar ; :004055F4 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004055F7 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004055FE 003F LargeBos ;IDE beginning of line with 3F byte codes :00405600 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405605 F503000000 LitI4 ;Push 00000003 :0040560A 080800 FLdPr ;[SR]=[STACK_0008] :0040560D 063400 MemLdRfVar ;Push [SR]+STACK_0034 :00405610 4DF4FE0840 CVarRef ; :00405615 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405618 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :0040561D 04C4FE FLdRfVar ;Push LOCAL_013C :00405620 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第三位，转数值型，为0 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405624 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405629 F40E LitI2_Byte ;Push 0E :0040562B A9 AddI2 ; ;30+E=3E :0040562C 44B0FE CVarI2 ; :0040562F FCF64CFF FStVar ; :00405633 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :00405636 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :0040563D 003F LargeBos ;IDE beginning of line with 3F byte codes :0040563F 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405644 F504000000 LitI4 ;Push 00000004 :00405649 080800 FLdPr ;[SR]=[STACK_0008] :0040564C 063400 MemLdRfVar ;Push [SR]+STACK_0034 :0040564F 4DF4FE0840 CVarRef ; :00405654 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405657 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :0040565C 04C4FE FLdRfVar ;Push LOCAL_013C :0040565F FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第四位，转数值型，为C ******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405663 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405668 F40A LitI2_Byte ;Push 0A :0040566A A9 AddI2 ; ;43+A=4D(M) :0040566B 44B0FE CVarI2 ; :0040566E FCF63CFF FStVar ; :00405672 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :00405675 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :0040567C 003F LargeBos ;IDE beginning of line with 3F byte codes :0040567E 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405683 F505000000 LitI4 ;Push 00000005 :00405688 080800 FLdPr ;[SR]=[STACK_0008] :0040568B 063400 MemLdRfVar ;Push [SR]+STACK_0034 :0040568E 4DF4FE0840 CVarRef ; :00405693 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405696 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :0040569B 04C4FE FLdRfVar ;Push LOCAL_013C :0040569E FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第五位，转数值型，为3 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :004056A2 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :004056A7 F414 LitI2_Byte ;Push 14 :004056A9 A9 AddI2 ; ;33+14＝47(G) :004056AA 44B0FE CVarI2 ; :004056AD FCF62CFF FStVar ; :004056B1 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004056B4 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004056BB 003F LargeBos ;IDE beginning of line with 3F byte codes :004056BD 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :004056C2 F506000000 LitI4 ;Push 00000006 :004056C7 080800 FLdPr ;[SR]=[STACK_0008] :004056CA 063400 MemLdRfVar ;Push [SR]+STACK_0034 :004056CD 4DF4FE0840 CVarRef ; :004056D2 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :004056D5 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :004056DA 04C4FE FLdRfVar ;Push LOCAL_013C :004056DD FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第六位，转数值型，为1 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :004056E1 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :004056E6 F41E LitI2_Byte ;Push 1E :004056E8 A9 AddI2 ; ;31+1E=4F(O) :004056E9 44B0FE CVarI2 ; :004056EC FCF61CFF FStVar ; :004056F0 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004056F3 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004056FA 004C LargeBos ;IDE beginning of line with 4C byte codes :004056FC 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405701 F507000000 LitI4 ;Push 00000007 :00405706 080800 FLdPr ;[SR]=[STACK_0008] :00405709 063400 MemLdRfVar ;Push [SR]+STACK_0034 :0040570C 4DF4FE0840 CVarRef ; :00405711 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405714 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :00405719 04C4FE FLdRfVar ;Push LOCAL_013C :0040571C FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第七位，转数值型，为4 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405720 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405725 4490FE CVarI2 ; :00405728 041CFF FLdRfVar ;Push LOCAL_00E4 :0040572B 28B0FE1E00 LitVarI2 ;PushVarInteger 001E :00405730 FB9CA0FE SubVar ; //34-1E=16 :00405734 FB9480FE AddVar ; :00405738 FCF60CFF FStVar ; :0040573C 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :0040573F 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :00405746 003B LargeBos ;IDE beginning of line with 3B byte codes :00405748 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :0040574D F508000000 LitI4 ;Push 00000008 :00405752 080800 FLdPr ;[SR]=[STACK_0008] :00405755 063400 MemLdRfVar ;Push [SR]+STACK_0034 :00405758 4DF4FE0840 CVarRef ; :0040575D 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405760 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :00405765 04C4FE FLdRfVar ;Push LOCAL_013C :00405768 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第八位，转数值型，为7 *******Reference To->msvbvm50.rtcAnsiValueBstr \| :0040576C 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405771 F402 LitI2_Byte ;Push 02 :00405773 B1 MulI2 ; ;372=6e(n) :00405774 700AFF FStI2 ;Pop WORD [LOCAL_00F6] :00405777 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :0040577A 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :00405781 00A4 LargeBos ;IDE beginning of line with A4 byte codes :00405783 046CFF FLdRfVar ;Push LOCAL_0094 :00405786 FC22 CI4Var ;vbaI4Var ********Reference To->msvbvm50.rtcBstrFromAnsi \| :00405788 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :0040578D 23C0FE FStStrNoPop ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=[stack] :00405790 045CFF FLdRfVar ;Push LOCAL_00A4 :00405793 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :00405795 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :0040579A 237CFE FStStrNoPop ;SysFreeString [LOCAL_0184]; [LOCAL_0184]=[stack] :0040579D 2A ConcatStr ;vbaStrCat ;"b"+"g"="bg" :0040579E 2378FE FStStrNoPop ;SysFreeString [LOCAL_0188]; [LOCAL_0188]=[stack] :004057A1 044CFF FLdRfVar ;Push LOCAL_00B4 :004057A4 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057A6 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057AB 2374FE FStStrNoPop ;SysFreeString [LOCAL_018C]; [LOCAL_018C]=[stack] :004057AE 2A ConcatStr ;vbaStrCat ;"bg"+">"="bg>" :004057AF 2370FE FStStrNoPop ;SysFreeString [LOCAL_0190]; [LOCAL_0190]=[stack] :004057B2 043CFF FLdRfVar ;Push LOCAL_00C4 :004057B5 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057B7 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057BC 236CFE FStStrNoPop ;SysFreeString [LOCAL_0194]; [LOCAL_0194]=[stack] :004057BF 2A ConcatStr ;vbaStrCat ;"bg>"+"M"="bg>M" :004057C0 2368FE FStStrNoPop ;SysFreeString [LOCAL_0198]; [LOCAL_0198]=[stack] :004057C3 042CFF FLdRfVar ;Push LOCAL_00D4 :004057C6 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057C8 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057CD 2364FE FStStrNoPop ;SysFreeString [LOCAL_019C]; [LOCAL_019C]=[stack] :004057D0 2A ConcatStr ;vbaStrCat ;"bg>M"+"G" :004057D1 2360FE FStStrNoPop ;SysFreeString [LOCAL_01A0]; [LOCAL_01A0]=[stack] :004057D4 041CFF FLdRfVar ;Push LOCAL_00E4 :004057D7 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057D9 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057DE 235CFE FStStrNoPop ;SysFreeString [LOCAL_01A4]; [LOCAL_01A4]=[stack] :004057E1 2A ConcatStr ;vbaStrCat ;"bg>MG"+"O"="bg>MGO" :004057E2 2358FE FStStrNoPop ;SysFreeString [LOCAL_01A8]; [LOCAL_01A8]=[stack] :004057E5 040CFF FLdRfVar ;Push LOCAL_00F4 :004057E8 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057EA 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057EF 2354FE FStStrNoPop ;SysFreeString [LOCAL_01AC]; [LOCAL_01AC]=[stack] :004057F2 2A ConcatStr ;vbaStrCat ;"bg>MGO"+"e"="bg>MGOe" :004057F3 2350FE FStStrNoPop ;SysFreeString [LOCAL_01B0]; [LOCAL_01B0]=[stack] :004057F6 6B0AFF FLdI2 ;Push WORD [LOCAL_00F6] :004057F9 E7 CI4UI1 ; ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057FA 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057FF 234CFE FStStrNoPop ;SysFreeString [LOCAL_01B4]; [LOCAL_01B4]=[stack] :00405802 2A ConcatStr ;vbaStrCat ;"bg>MGOe"+"n"="bg>MGOen" :00405803 3104FF FStStr ;SysFreeString [LOCAL_00FC]; [LOCAL_00FC]=Pop :00405806 321C00C0FE7CFE78 FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 001C/2 times ~ arg :00405825 0025 LargeBos ;IDE beginning of line with 25 byte codes :00405827 6C04FF ILdRf ;Push DWORD [LOCAL_00FC] :0040582A 04C0FE FLdRfVar ;Push LOCAL_0140 :0040582D 21 FLdPrThis ;[SR]=[stack2] :0040582E 0F0403 VCallAd ;Return the control index 03 :00405831 1948FE FStAdFunc ; :00405834 0848FE FLdPr ;[SR]=[LOCAL_01B8] *******Reference To:[propget]TextBox.Text \| :00405837 0DA0000900 VCallHresult ;Call ptr_00404D74 :0040583C 6CC0FE ILdRf ;Push DWORD [LOCAL_0140] :0040583F FB30 EqStr ; ;比较"bg>MGOen"=="lovemelovemydogs",不等就跳,并设text.tex1="" :00405841 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :00405844 1A48FE FFree1Ad ;Push [LOCAL_01B8]; Call [[[LOCAL_01B8]]+8]; [[LOCAL_01B8]]=0 :00405847 1C3303 BranchF ;If Pop=0 then ESI=0040589F ;方法1：暴破1C改1D ;方法2：1C3303改1CDE02 :0040584A 0010 LargeBos ;IDE beginning of line with 10 byte codes **Possible String Ref To->"JB_Duc Crackmes. Registrado." \| :0040584C 1B0A00 LitStr ;Push ptr_00404D88 :0040584F 050B00 ImpAdLdRf ;Push ptr :00405852 240C00 NewIfNullPr ;[Pop] [SR] :00405855 0D54000D00 VCallHresult ;Call ptr_00404B14 :0040585A 0009 LargeBos ;IDE beginning of line with 09 byte codes :0040585C 21 FLdPrThis ;[SR]=[stack2] :0040585D 0F0403 VCallAd ;Return the control index 03 :00405860 1944FE FStAdFunc ; :00405863 000D LargeBos ;IDE beginning of line with 0D byte codes **Possible String Ref To->"Has sido Registrado" \| :00405865 1B0E00 LitStr ;Push ptr_00404DC8 :00405868 0844FE FLdPr ;[SR]=[LOCAL_01BC] *******Reference To:[propput]TextBox.Text \| :0040586B 0DA4000900 VCallHresult ;Call ptr_00404D74 :00405870 000C LargeBos ;IDE beginning of line with 0C byte codes :00405872 F400 LitI2_Byte ;Push 00 :00405874 0844FE FLdPr ;[SR]=[LOCAL_01BC] *******Reference To:[propput]TextBox.Enabled \| :00405877 0D8C000900 VCallHresult ;Call ptr_00404D74 :0040587C 0008 LargeBos ;IDE beginning of line with 08 byte codes :0040587E FC63 LitNothing ;Push 0 :00405880 FCF844FE FStAd ; :00405884 0016 LargeBos ;IDE beginning of line with 16 byte codes :00405886 F400 LitI2_Byte ;Push 00 :00405888 21 FLdPrThis ;[SR]=[stack2] :00405889 0F0003 VCallAd ;Return the control index 02 :0040588C 1948FE FStAdFunc ; :0040588F 0848FE FLdPr ;[SR]=[LOCAL_01B8] *******Reference To:[propput]CommandButton.Enabled \| :00405892 0D8C000F00 VCallHresult ;Call ptr_00404DF0 :00405897 1A48FE FFree1Ad ;Push [LOCAL_01B8]; Call [[[LOCAL_01B8]]+8]; [[LOCAL_01B8]]=0 :0040589A 0005 LargeBos ;IDE beginning of line with 05 byte codes :0040589C 1E4C03 Branch ;ESI=004058B8 :0040589F 0002 LargeBos ;IDE beginning of line with 02 byte codes :004058A1 0017 LargeBos ;IDE beginning of line with 17 byte codes **Possible String Ref To->"" \| :004058A3 1B1000 LitStr ;Push ptr_00404E04 :004058A6 21 FLdPrThis ;[SR]=[stack2] :004058A7 0F0403 VCallAd ;Return the control index 03 :004058AA 1948FE FStAdFunc ; :004058AD 0848FE FLdPr ;[SR]=[LOCAL_01B8] *******Reference To:[propput]TextBox.Text \| :004058B0 0DA4000900 VCallHresult ;Call ptr_00404D74 :004058B5 1A48FE FFree1Ad ;Push [LOCAL_01B8]; Call [[[LOCAL_01B8]]+8]; [[LOCAL_01B8]]=0 :004058B8 0000 LargeBos ;IDE beginning of line with 00 byte codes :004058BA 13 ExitProcHresult ; [Form.Load] :00405434 0002 LargeBos ;IDE beginning of line with 02 byte codes :00405436 0033 LargeBos ;IDE beginning of line with 33 byte codes :00405438 27FCFE LitVar ;PushVar LOCAL_0104 :0040543B 271CFF LitVar ;PushVar LOCAL_00E4 **Possible String Ref To->"Crackme2" \| :0040543E 3A4CFF0000 LitVarStr ;PushVarString ptr_00404D48 :00405443 4E3CFF FStVarCopyObj ;[LOCAL_00C4]=vbaVarDup(Pop) :00405446 043CFF FLdRfVar ;Push LOCAL_00C4 :00405449 F540000000 LitI4 ;Push 00000040 **Possible String Ref To->"Sㄥlo se admitirㄥ como soluci?n un Key Gen. Adelante!!!" \| :0040544E 3A6CFF0100 LitVarStr ;PushVarString ptr_00404CD4 :00405453 4E5CFF FStVarCopyObj ;[LOCAL_00A4]=vbaVarDup(Pop) :00405456 045CFF FLdRfVar ;Push LOCAL_00A4 ******Reference To->msvbvm50.rtcMsgBox \| :00405459 0A02001400 ImpAdCallFPR4 ;Call ptr_00401006; check stack 0014; Push EAX :0040545E 3608005CFF3CFF1C FFreeVar ;Free 0008/2 variants :00405469 0005 LargeBos ;IDE beginning of line with 05 byte codes :0040546B 4BFFFF OnErrorGoto ; :0040546E 0008 LargeBos ;IDE beginning of line with 08 byte codes **Possible String Ref To->"c:\" \| :00405470 1B0300 LitStr ;Push ptr_00404D60 :00405473 43E4FE FStStrCopy ;[LOCAL_011C]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop :00405476 0079 LargeBos ;IDE beginning of line with 79 byte codes :00405478 F500000000 LitI4 ;Push 00000000 :0040547D F400 LitI2_Byte ;Push 00 :0040547F FBFD CStrUI1 ;vbaStrI2 :00405481 23C4FE FStStrNoPop ;SysFreeString [LOCAL_013C]; [LOCAL_013C]=[stack] :00405484 04C0FE FLdRfVar ;Push LOCAL_0140 :00405487 34 CStr2Ansi ;vbaStrToAnsi :00405488 6CC0FE ILdRf ;Push DWORD [LOCAL_0140] :0040548B F500000000 LitI4 ;Push 00000000 :00405490 59C8FE PopTmpLdAdStr ; :00405493 F500000000 LitI4 ;Push 00000000 :00405498 59CCFE PopTmpLdAdStr ; :0040549B 04ECFE FLdRfVar ;Push LOCAL_0114 :0040549E FC22 CI4Var ;vbaI4Var :004054A0 59D0FE PopTmpLdAdStr ; :004054A3 F500000000 LitI4 ;Push 00000000 :004054A8 F400 LitI2_Byte ;Push 00 :004054AA FBFD CStrUI1 ;vbaStrI2 :004054AC 23D8FE FStStrNoPop ;SysFreeString [LOCAL_0128]; [LOCAL_0128]=[stack] :004054AF 04D4FE FLdRfVar ;Push LOCAL_012C :004054B2 34 CStr2Ansi ;vbaStrToAnsi :004054B3 6CD4FE ILdRf ;Push DWORD [LOCAL_012C] :004054B6 6CE4FE ILdRf ;Push DWORD [LOCAL_011C] :004054B9 04DCFE FLdRfVar ;Push LOCAL_0124 :004054BC 34 CStr2Ansi ;vbaStrToAnsi :004054BD 6CDCFE ILdRf ;Push DWORD [LOCAL_0124] *******Reference To:Kernel32.GetVolumeInformationA \| :004054C0 5E04002000 ImpAdCallI2 ;Call ptr_00404C6C; check stack 0020; Push EAX :004054C5 71BCFE FStR4 ;Pop DWORD [LOCAL_0144] :004054C8 3C SetLastSystemError ;Kernel GetLastError :004054C9 6CDCFE ILdRf ;Push DWORD [LOCAL_0124] :004054CC 04E4FE FLdRfVar ;Push LOCAL_011C :004054CF FC58 CStr2Uni ;vbaStrToUnicode :004054D1 6CD0FE ILdRf ;Push DWORD [LOCAL_0130] :004054D4 FD696CFF CVarI4 ; :004054D8 FD00ECFE FStVarCopy ;[LOCAL_0114]=vbaVarCopy(Pop) :004054DC 6CBCFE ILdRf ;Push DWORD [LOCAL_0144] :004054DF 71E8FE FStR4 ;Pop DWORD [LOCAL_0118] :004054E2 320A00DCFED8FED4 FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 000A/2 times ~ arg :004054EF 000D LargeBos ;IDE beginning of line with 0D byte codes :004054F1 04ECFE FLdRfVar ;Push LOCAL_0114 *******Reference To->msvbvm50.rtcHexBstrFromVar \| :004054F4 0B05000400 ImpAdCallI2 ;Call ptr_0040100C; check stack 0004; Push EAX ;"1 6 0 C 3 1 4 7"(Unicode),这里是我的硬盘序列号"369897799"的hex形式，幸好我记得清楚 :004054F9 31E0FE FStStr ;SysFreeString [LOCAL_0120]; [LOCAL_0120]=Pop :004054FC 000C LargeBos ;IDE beginning of line with 0C byte codes :004054FE 6CE0FE ILdRf ;Push DWORD [LOCAL_0120] :00405501 080800 FLdPr ;[SR]=[STACK_0008] :00405504 FD913400 MemStStrCopy ;[SR]+0034=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop :00405508 0000 LargeBos ;IDE beginning of line with 00 byte codes :0040550A 13 ExitProcHresult ; [Form.Unload] :0040530C FC63 LitNothing ;Push 0 :0040530E 3D1400 CastAd ;Push vbaCastObj(Pop, [FUN+00144]) :00405311 FDBF0B00 ImpAdStAdFunc ; :00405315 13 ExitProcHresult ; :00405316 60 CStrVarTmp ; command1.click事件 WkTVDebug显示的执行过程： Stack dump is enabled and relative to ESP<-EBP. Freeing Addrs: 0063F8C8h 0063F8A8h 0063F888h 0063F868h 0040547F: FD CStrUI1 004054AA: FD CStrUI1 FStStr -> '160C3147' Breakpoint reached. Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h FStStrNoPop -> 'b' FStStrNoPop -> 'g' 0040579A: 23 FStStrNoPop 0040579D: 2A ConcatStr 004057A6: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg' + '>' FStStrNoPop -> 'bg>' 004057B7: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg>' + 'M' FStStrNoPop -> 'bg>M' 004057C8: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h 004057CD: 23 FStStrNoPop 004057D0: 2A ConcatStr 004057D9: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg>MG' + 'O' FStStrNoPop -> 'bg>MGO' 004057EA: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg>MGO' + 'e' FStStrNoPop -> 'bg>MGOe' FStStrNoPop -> 'n' Concat->'bg>MGOe' + 'n' 蛮简单的一题，作者思维太过定式，序列号取一位算一位，后面几步看看静态反汇编也猜个八九不离十 2004-12-18 17:04 0
cAtEyE 雪币： 225 活跃值： (145) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 64 粉丝 0 关注私信	cAtEyE 2 3 楼不错，能分析到此程度！辛苦了！学习中。。。 :D 2004-12-20 09:51 0
cAtEyE 雪币： 225 活跃值： (145) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 64 粉丝 0 关注私信	cAtEyE 2 4 楼我分析时，command1.click事件 WkTVDebug显示的执行过程： Freeing Addrs: 0012F3B0h 0012F3A0h FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStr -> '`' 怎么会这样，也不见硬盘序列号什么的，郁闷啊，会不会和CPU类型有关：VIA Samuel 2 公司的破电脑该换了。 2004-12-20 10:06 0
呱叽呱叽雪币： 253 活跃值： (27) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 49 粉丝 1 关注私信	呱叽呱叽 1 5 楼最初由 cAtEyE 发布我分析时，command1.click事件 WkTVDebug显示的执行过程： Freeing Addrs: 0012F3B0h 0012F3A0h FStStrNoPop -> '`' FStStrNoPop -> '' ........ 反汇编后看一下函数基本心里有数了，分析的有点乱，注册机懒得做了:D 2004-12-20 18:21 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (4)
呱叽呱叽雪币： 253 活跃值： (27) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 49 粉丝 1 关注私信	呱叽呱叽 1 2 楼运算过程: :004054F4 处先取硬盘序列号16进制形式，我这里是160C3147，然后接下来取一位算一位，运算过后连接起来就是了，具体过程(有些乱)：暴破我使用了两种方式，应该还有其它方法吧 [Command2.Click] :00405388 6C0800 ILdRf ;Push DWORD [STACK_0008] :0040538B FD9C78FF FStAdNoPop ; :0040538F 051100 ImpAdLdRf ;Push ptr :00405392 241200 NewIfNullPr ;[Pop] [SR] *********Reference To:Global.UnLoad \| :00405395 0D10001300 VCallHresult ;Call ptr_00404E18 :0040539A 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0 :0040539D FCC813 End ; [Command1.Click] :0040556C 0002 LargeBos ;IDE beginning of line with 02 byte codes :0040556E 0005 LargeBos ;IDE beginning of line with 05 byte codes :00405570 4BFFFF OnErrorGoto ; :00405573 003F LargeBos ;IDE beginning of line with 3F byte codes :00405575 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :0040557A F501000000 LitI4 ;Push 00000001 :0040557F 080800 FLdPr ;[SR]=[STACK_0008] :00405582 063400 MemLdRfVar ;Push [SR]+STACK_0034 :00405585 4DF4FE0840 CVarRef ; :0040558A 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :0040558D 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :00405592 04C4FE FLdRfVar ;Push LOCAL_013C :00405595 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第一位，转数值型，为1 *******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405599 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :0040559E F402 LitI2_Byte ;Push 02 :004055A0 B1 MulI2 ; ;312=62 :004055A1 44B0FE CVarI2 ; :004055A4 FCF66CFF FStVar ; :004055A8 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004055AB 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004055B2 004C LargeBos ;IDE beginning of line with 4C byte codes :004055B4 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :004055B9 F502000000 LitI4 ;Push 00000002 :004055BE 080800 FLdPr ;[SR]=[STACK_0008] :004055C1 063400 MemLdRfVar ;Push [SR]+STACK_0034 :004055C4 4DF4FE0840 CVarRef ; :004055C9 04C4FE FLdRfVar ;Push LOCAL_013C ********Reference To->msvbvm50.rtcMidCharVar \| :004055CC 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :004055D1 04C4FE FLdRfVar ;Push LOCAL_013C :004055D4 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第二位，转数值型，为6 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :004055D8 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :004055DD 4490FE CVarI2 ; :004055E0 046CFF FLdRfVar ;Push LOCAL_0094 :004055E3 28B0FE0200 LitVarI2 ;PushVarInteger 0002 :004055E8 FBBCA0FE DivVar ; ;36-32=4; :004055EC FB9480FE AddVar ; :004055F0 FCF65CFF FStVar ; :004055F4 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004055F7 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004055FE 003F LargeBos ;IDE beginning of line with 3F byte codes :00405600 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405605 F503000000 LitI4 ;Push 00000003 :0040560A 080800 FLdPr ;[SR]=[STACK_0008] :0040560D 063400 MemLdRfVar ;Push [SR]+STACK_0034 :00405610 4DF4FE0840 CVarRef ; :00405615 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405618 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :0040561D 04C4FE FLdRfVar ;Push LOCAL_013C :00405620 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第三位，转数值型，为0 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405624 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405629 F40E LitI2_Byte ;Push 0E :0040562B A9 AddI2 ; ;30+E=3E :0040562C 44B0FE CVarI2 ; :0040562F FCF64CFF FStVar ; :00405633 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :00405636 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :0040563D 003F LargeBos ;IDE beginning of line with 3F byte codes :0040563F 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405644 F504000000 LitI4 ;Push 00000004 :00405649 080800 FLdPr ;[SR]=[STACK_0008] :0040564C 063400 MemLdRfVar ;Push [SR]+STACK_0034 :0040564F 4DF4FE0840 CVarRef ; :00405654 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405657 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :0040565C 04C4FE FLdRfVar ;Push LOCAL_013C :0040565F FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第四位，转数值型，为C ******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405663 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405668 F40A LitI2_Byte ;Push 0A :0040566A A9 AddI2 ; ;43+A=4D(M) :0040566B 44B0FE CVarI2 ; :0040566E FCF63CFF FStVar ; :00405672 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :00405675 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :0040567C 003F LargeBos ;IDE beginning of line with 3F byte codes :0040567E 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405683 F505000000 LitI4 ;Push 00000005 :00405688 080800 FLdPr ;[SR]=[STACK_0008] :0040568B 063400 MemLdRfVar ;Push [SR]+STACK_0034 :0040568E 4DF4FE0840 CVarRef ; :00405693 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405696 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :0040569B 04C4FE FLdRfVar ;Push LOCAL_013C :0040569E FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第五位，转数值型，为3 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :004056A2 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :004056A7 F414 LitI2_Byte ;Push 14 :004056A9 A9 AddI2 ; ;33+14＝47(G) :004056AA 44B0FE CVarI2 ; :004056AD FCF62CFF FStVar ; :004056B1 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004056B4 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004056BB 003F LargeBos ;IDE beginning of line with 3F byte codes :004056BD 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :004056C2 F506000000 LitI4 ;Push 00000006 :004056C7 080800 FLdPr ;[SR]=[STACK_0008] :004056CA 063400 MemLdRfVar ;Push [SR]+STACK_0034 :004056CD 4DF4FE0840 CVarRef ; :004056D2 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :004056D5 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :004056DA 04C4FE FLdRfVar ;Push LOCAL_013C :004056DD FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第六位，转数值型，为1 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :004056E1 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :004056E6 F41E LitI2_Byte ;Push 1E :004056E8 A9 AddI2 ; ;31+1E=4F(O) :004056E9 44B0FE CVarI2 ; :004056EC FCF61CFF FStVar ; :004056F0 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :004056F3 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :004056FA 004C LargeBos ;IDE beginning of line with 4C byte codes :004056FC 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :00405701 F507000000 LitI4 ;Push 00000007 :00405706 080800 FLdPr ;[SR]=[STACK_0008] :00405709 063400 MemLdRfVar ;Push [SR]+STACK_0034 :0040570C 4DF4FE0840 CVarRef ; :00405711 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405714 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :00405719 04C4FE FLdRfVar ;Push LOCAL_013C :0040571C FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第七位，转数值型，为4 ******Reference To->msvbvm50.rtcAnsiValueBstr \| :00405720 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405725 4490FE CVarI2 ; :00405728 041CFF FLdRfVar ;Push LOCAL_00E4 :0040572B 28B0FE1E00 LitVarI2 ;PushVarInteger 001E :00405730 FB9CA0FE SubVar ; //34-1E=16 :00405734 FB9480FE AddVar ; :00405738 FCF60CFF FStVar ; :0040573C 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :0040573F 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :00405746 003B LargeBos ;IDE beginning of line with 3B byte codes :00405748 28D4FE0100 LitVarI2 ;PushVarInteger 0001 :0040574D F508000000 LitI4 ;Push 00000008 :00405752 080800 FLdPr ;[SR]=[STACK_0008] :00405755 063400 MemLdRfVar ;Push [SR]+STACK_0034 :00405758 4DF4FE0840 CVarRef ; :0040575D 04C4FE FLdRfVar ;Push LOCAL_013C ******Reference To->msvbvm50.rtcMidCharVar \| :00405760 0A06001000 ImpAdCallFPR4 ;Call ptr_00401012; check stack 0010; Push EAX :00405765 04C4FE FLdRfVar ;Push LOCAL_013C :00405768 FDFEC0FE CStrVarVal ; ;取"160C3147"(Unicode)第八位，转数值型，为7 *******Reference To->msvbvm50.rtcAnsiValueBstr \| :0040576C 0B07000400 ImpAdCallI2 ;Call ptr_00401018; check stack 0004; Push EAX :00405771 F402 LitI2_Byte ;Push 02 :00405773 B1 MulI2 ; ;372=6e(n) :00405774 700AFF FStI2 ;Pop WORD [LOCAL_00F6] :00405777 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :0040577A 360400D4FEC4FE FFreeVar ;Free 0004/2 variants :00405781 00A4 LargeBos ;IDE beginning of line with A4 byte codes :00405783 046CFF FLdRfVar ;Push LOCAL_0094 :00405786 FC22 CI4Var ;vbaI4Var ********Reference To->msvbvm50.rtcBstrFromAnsi \| :00405788 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :0040578D 23C0FE FStStrNoPop ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=[stack] :00405790 045CFF FLdRfVar ;Push LOCAL_00A4 :00405793 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :00405795 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :0040579A 237CFE FStStrNoPop ;SysFreeString [LOCAL_0184]; [LOCAL_0184]=[stack] :0040579D 2A ConcatStr ;vbaStrCat ;"b"+"g"="bg" :0040579E 2378FE FStStrNoPop ;SysFreeString [LOCAL_0188]; [LOCAL_0188]=[stack] :004057A1 044CFF FLdRfVar ;Push LOCAL_00B4 :004057A4 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057A6 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057AB 2374FE FStStrNoPop ;SysFreeString [LOCAL_018C]; [LOCAL_018C]=[stack] :004057AE 2A ConcatStr ;vbaStrCat ;"bg"+">"="bg>" :004057AF 2370FE FStStrNoPop ;SysFreeString [LOCAL_0190]; [LOCAL_0190]=[stack] :004057B2 043CFF FLdRfVar ;Push LOCAL_00C4 :004057B5 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057B7 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057BC 236CFE FStStrNoPop ;SysFreeString [LOCAL_0194]; [LOCAL_0194]=[stack] :004057BF 2A ConcatStr ;vbaStrCat ;"bg>"+"M"="bg>M" :004057C0 2368FE FStStrNoPop ;SysFreeString [LOCAL_0198]; [LOCAL_0198]=[stack] :004057C3 042CFF FLdRfVar ;Push LOCAL_00D4 :004057C6 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057C8 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057CD 2364FE FStStrNoPop ;SysFreeString [LOCAL_019C]; [LOCAL_019C]=[stack] :004057D0 2A ConcatStr ;vbaStrCat ;"bg>M"+"G" :004057D1 2360FE FStStrNoPop ;SysFreeString [LOCAL_01A0]; [LOCAL_01A0]=[stack] :004057D4 041CFF FLdRfVar ;Push LOCAL_00E4 :004057D7 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057D9 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057DE 235CFE FStStrNoPop ;SysFreeString [LOCAL_01A4]; [LOCAL_01A4]=[stack] :004057E1 2A ConcatStr ;vbaStrCat ;"bg>MG"+"O"="bg>MGO" :004057E2 2358FE FStStrNoPop ;SysFreeString [LOCAL_01A8]; [LOCAL_01A8]=[stack] :004057E5 040CFF FLdRfVar ;Push LOCAL_00F4 :004057E8 FC22 CI4Var ;vbaI4Var ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057EA 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057EF 2354FE FStStrNoPop ;SysFreeString [LOCAL_01AC]; [LOCAL_01AC]=[stack] :004057F2 2A ConcatStr ;vbaStrCat ;"bg>MGO"+"e"="bg>MGOe" :004057F3 2350FE FStStrNoPop ;SysFreeString [LOCAL_01B0]; [LOCAL_01B0]=[stack] :004057F6 6B0AFF FLdI2 ;Push WORD [LOCAL_00F6] :004057F9 E7 CI4UI1 ; ******Reference To->msvbvm50.rtcBstrFromAnsi \| :004057FA 0B08000400 ImpAdCallI2 ;Call ptr_0040101E; check stack 0004; Push EAX :004057FF 234CFE FStStrNoPop ;SysFreeString [LOCAL_01B4]; [LOCAL_01B4]=[stack] :00405802 2A ConcatStr ;vbaStrCat ;"bg>MGOe"+"n"="bg>MGOen" :00405803 3104FF FStStr ;SysFreeString [LOCAL_00FC]; [LOCAL_00FC]=Pop :00405806 321C00C0FE7CFE78 FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 001C/2 times ~ arg :00405825 0025 LargeBos ;IDE beginning of line with 25 byte codes :00405827 6C04FF ILdRf ;Push DWORD [LOCAL_00FC] :0040582A 04C0FE FLdRfVar ;Push LOCAL_0140 :0040582D 21 FLdPrThis ;[SR]=[stack2] :0040582E 0F0403 VCallAd ;Return the control index 03 :00405831 1948FE FStAdFunc ; :00405834 0848FE FLdPr ;[SR]=[LOCAL_01B8] *******Reference To:[propget]TextBox.Text \| :00405837 0DA0000900 VCallHresult ;Call ptr_00404D74 :0040583C 6CC0FE ILdRf ;Push DWORD [LOCAL_0140] :0040583F FB30 EqStr ; ;比较"bg>MGOen"=="lovemelovemydogs",不等就跳,并设text.tex1="" :00405841 2FC0FE FFree1Str ;SysFreeString [LOCAL_0140]; [LOCAL_0140]=0 :00405844 1A48FE FFree1Ad ;Push [LOCAL_01B8]; Call [[[LOCAL_01B8]]+8]; [[LOCAL_01B8]]=0 :00405847 1C3303 BranchF ;If Pop=0 then ESI=0040589F ;方法1：暴破1C改1D ;方法2：1C3303改1CDE02 :0040584A 0010 LargeBos ;IDE beginning of line with 10 byte codes **Possible String Ref To->"JB_Duc Crackmes. Registrado." \| :0040584C 1B0A00 LitStr ;Push ptr_00404D88 :0040584F 050B00 ImpAdLdRf ;Push ptr :00405852 240C00 NewIfNullPr ;[Pop] [SR] :00405855 0D54000D00 VCallHresult ;Call ptr_00404B14 :0040585A 0009 LargeBos ;IDE beginning of line with 09 byte codes :0040585C 21 FLdPrThis ;[SR]=[stack2] :0040585D 0F0403 VCallAd ;Return the control index 03 :00405860 1944FE FStAdFunc ; :00405863 000D LargeBos ;IDE beginning of line with 0D byte codes **Possible String Ref To->"Has sido Registrado" \| :00405865 1B0E00 LitStr ;Push ptr_00404DC8 :00405868 0844FE FLdPr ;[SR]=[LOCAL_01BC] *******Reference To:[propput]TextBox.Text \| :0040586B 0DA4000900 VCallHresult ;Call ptr_00404D74 :00405870 000C LargeBos ;IDE beginning of line with 0C byte codes :00405872 F400 LitI2_Byte ;Push 00 :00405874 0844FE FLdPr ;[SR]=[LOCAL_01BC] *******Reference To:[propput]TextBox.Enabled \| :00405877 0D8C000900 VCallHresult ;Call ptr_00404D74 :0040587C 0008 LargeBos ;IDE beginning of line with 08 byte codes :0040587E FC63 LitNothing ;Push 0 :00405880 FCF844FE FStAd ; :00405884 0016 LargeBos ;IDE beginning of line with 16 byte codes :00405886 F400 LitI2_Byte ;Push 00 :00405888 21 FLdPrThis ;[SR]=[stack2] :00405889 0F0003 VCallAd ;Return the control index 02 :0040588C 1948FE FStAdFunc ; :0040588F 0848FE FLdPr ;[SR]=[LOCAL_01B8] *******Reference To:[propput]CommandButton.Enabled \| :00405892 0D8C000F00 VCallHresult ;Call ptr_00404DF0 :00405897 1A48FE FFree1Ad ;Push [LOCAL_01B8]; Call [[[LOCAL_01B8]]+8]; [[LOCAL_01B8]]=0 :0040589A 0005 LargeBos ;IDE beginning of line with 05 byte codes :0040589C 1E4C03 Branch ;ESI=004058B8 :0040589F 0002 LargeBos ;IDE beginning of line with 02 byte codes :004058A1 0017 LargeBos ;IDE beginning of line with 17 byte codes **Possible String Ref To->"" \| :004058A3 1B1000 LitStr ;Push ptr_00404E04 :004058A6 21 FLdPrThis ;[SR]=[stack2] :004058A7 0F0403 VCallAd ;Return the control index 03 :004058AA 1948FE FStAdFunc ; :004058AD 0848FE FLdPr ;[SR]=[LOCAL_01B8] *******Reference To:[propput]TextBox.Text \| :004058B0 0DA4000900 VCallHresult ;Call ptr_00404D74 :004058B5 1A48FE FFree1Ad ;Push [LOCAL_01B8]; Call [[[LOCAL_01B8]]+8]; [[LOCAL_01B8]]=0 :004058B8 0000 LargeBos ;IDE beginning of line with 00 byte codes :004058BA 13 ExitProcHresult ; [Form.Load] :00405434 0002 LargeBos ;IDE beginning of line with 02 byte codes :00405436 0033 LargeBos ;IDE beginning of line with 33 byte codes :00405438 27FCFE LitVar ;PushVar LOCAL_0104 :0040543B 271CFF LitVar ;PushVar LOCAL_00E4 **Possible String Ref To->"Crackme2" \| :0040543E 3A4CFF0000 LitVarStr ;PushVarString ptr_00404D48 :00405443 4E3CFF FStVarCopyObj ;[LOCAL_00C4]=vbaVarDup(Pop) :00405446 043CFF FLdRfVar ;Push LOCAL_00C4 :00405449 F540000000 LitI4 ;Push 00000040 **Possible String Ref To->"Sㄥlo se admitirㄥ como soluci?n un Key Gen. Adelante!!!" \| :0040544E 3A6CFF0100 LitVarStr ;PushVarString ptr_00404CD4 :00405453 4E5CFF FStVarCopyObj ;[LOCAL_00A4]=vbaVarDup(Pop) :00405456 045CFF FLdRfVar ;Push LOCAL_00A4 ******Reference To->msvbvm50.rtcMsgBox \| :00405459 0A02001400 ImpAdCallFPR4 ;Call ptr_00401006; check stack 0014; Push EAX :0040545E 3608005CFF3CFF1C FFreeVar ;Free 0008/2 variants :00405469 0005 LargeBos ;IDE beginning of line with 05 byte codes :0040546B 4BFFFF OnErrorGoto ; :0040546E 0008 LargeBos ;IDE beginning of line with 08 byte codes **Possible String Ref To->"c:\" \| :00405470 1B0300 LitStr ;Push ptr_00404D60 :00405473 43E4FE FStStrCopy ;[LOCAL_011C]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop :00405476 0079 LargeBos ;IDE beginning of line with 79 byte codes :00405478 F500000000 LitI4 ;Push 00000000 :0040547D F400 LitI2_Byte ;Push 00 :0040547F FBFD CStrUI1 ;vbaStrI2 :00405481 23C4FE FStStrNoPop ;SysFreeString [LOCAL_013C]; [LOCAL_013C]=[stack] :00405484 04C0FE FLdRfVar ;Push LOCAL_0140 :00405487 34 CStr2Ansi ;vbaStrToAnsi :00405488 6CC0FE ILdRf ;Push DWORD [LOCAL_0140] :0040548B F500000000 LitI4 ;Push 00000000 :00405490 59C8FE PopTmpLdAdStr ; :00405493 F500000000 LitI4 ;Push 00000000 :00405498 59CCFE PopTmpLdAdStr ; :0040549B 04ECFE FLdRfVar ;Push LOCAL_0114 :0040549E FC22 CI4Var ;vbaI4Var :004054A0 59D0FE PopTmpLdAdStr ; :004054A3 F500000000 LitI4 ;Push 00000000 :004054A8 F400 LitI2_Byte ;Push 00 :004054AA FBFD CStrUI1 ;vbaStrI2 :004054AC 23D8FE FStStrNoPop ;SysFreeString [LOCAL_0128]; [LOCAL_0128]=[stack] :004054AF 04D4FE FLdRfVar ;Push LOCAL_012C :004054B2 34 CStr2Ansi ;vbaStrToAnsi :004054B3 6CD4FE ILdRf ;Push DWORD [LOCAL_012C] :004054B6 6CE4FE ILdRf ;Push DWORD [LOCAL_011C] :004054B9 04DCFE FLdRfVar ;Push LOCAL_0124 :004054BC 34 CStr2Ansi ;vbaStrToAnsi :004054BD 6CDCFE ILdRf ;Push DWORD [LOCAL_0124] *******Reference To:Kernel32.GetVolumeInformationA \| :004054C0 5E04002000 ImpAdCallI2 ;Call ptr_00404C6C; check stack 0020; Push EAX :004054C5 71BCFE FStR4 ;Pop DWORD [LOCAL_0144] :004054C8 3C SetLastSystemError ;Kernel GetLastError :004054C9 6CDCFE ILdRf ;Push DWORD [LOCAL_0124] :004054CC 04E4FE FLdRfVar ;Push LOCAL_011C :004054CF FC58 CStr2Uni ;vbaStrToUnicode :004054D1 6CD0FE ILdRf ;Push DWORD [LOCAL_0130] :004054D4 FD696CFF CVarI4 ; :004054D8 FD00ECFE FStVarCopy ;[LOCAL_0114]=vbaVarCopy(Pop) :004054DC 6CBCFE ILdRf ;Push DWORD [LOCAL_0144] :004054DF 71E8FE FStR4 ;Pop DWORD [LOCAL_0118] :004054E2 320A00DCFED8FED4 FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 000A/2 times ~ arg :004054EF 000D LargeBos ;IDE beginning of line with 0D byte codes :004054F1 04ECFE FLdRfVar ;Push LOCAL_0114 *******Reference To->msvbvm50.rtcHexBstrFromVar \| :004054F4 0B05000400 ImpAdCallI2 ;Call ptr_0040100C; check stack 0004; Push EAX ;"1 6 0 C 3 1 4 7"(Unicode),这里是我的硬盘序列号"369897799"的hex形式，幸好我记得清楚 :004054F9 31E0FE FStStr ;SysFreeString [LOCAL_0120]; [LOCAL_0120]=Pop :004054FC 000C LargeBos ;IDE beginning of line with 0C byte codes :004054FE 6CE0FE ILdRf ;Push DWORD [LOCAL_0120] :00405501 080800 FLdPr ;[SR]=[STACK_0008] :00405504 FD913400 MemStStrCopy ;[SR]+0034=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop :00405508 0000 LargeBos ;IDE beginning of line with 00 byte codes :0040550A 13 ExitProcHresult ; [Form.Unload] :0040530C FC63 LitNothing ;Push 0 :0040530E 3D1400 CastAd ;Push vbaCastObj(Pop, [FUN+00144]) :00405311 FDBF0B00 ImpAdStAdFunc ; :00405315 13 ExitProcHresult ; :00405316 60 CStrVarTmp ; command1.click事件 WkTVDebug显示的执行过程： Stack dump is enabled and relative to ESP<-EBP. Freeing Addrs: 0063F8C8h 0063F8A8h 0063F888h 0063F868h 0040547F: FD CStrUI1 004054AA: FD CStrUI1 FStStr -> '160C3147' Breakpoint reached. Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h Freeing Addrs: 0063F2B0h 0063F2A0h FStStrNoPop -> 'b' FStStrNoPop -> 'g' 0040579A: 23 FStStrNoPop 0040579D: 2A ConcatStr 004057A6: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg' + '>' FStStrNoPop -> 'bg>' 004057B7: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg>' + 'M' FStStrNoPop -> 'bg>M' 004057C8: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h 004057CD: 23 FStStrNoPop 004057D0: 2A ConcatStr 004057D9: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg>MG' + 'O' FStStrNoPop -> 'bg>MGO' 004057EA: 0B ImpAdCallI2 rtcBstrFromAnsi on address 798CBCE6h Concat->'bg>MGO' + 'e' FStStrNoPop -> 'bg>MGOe' FStStrNoPop -> 'n' Concat->'bg>MGOe' + 'n' 蛮简单的一题，作者思维太过定式，序列号取一位算一位，后面几步看看静态反汇编也猜个八九不离十 2004-12-18 17:04 0
cAtEyE 雪币： 225 活跃值： (145) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 64 粉丝 0 关注私信	cAtEyE 2 3 楼不错，能分析到此程度！辛苦了！学习中。。。 :D 2004-12-20 09:51 0
cAtEyE 雪币： 225 活跃值： (145) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 64 粉丝 0 关注私信	cAtEyE 2 4 楼我分析时，command1.click事件 WkTVDebug显示的执行过程： Freeing Addrs: 0012F3B0h 0012F3A0h FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStrNoPop -> '`' FStStrNoPop -> '' Concat->'`' + '' FStStr -> '`' 怎么会这样，也不见硬盘序列号什么的，郁闷啊，会不会和CPU类型有关：VIA Samuel 2 公司的破电脑该换了。 2004-12-20 10:06 0
呱叽呱叽雪币： 253 活跃值： (27) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 49 粉丝 1 关注私信	呱叽呱叽 1 5 楼最初由 cAtEyE 发布我分析时，command1.click事件 WkTVDebug显示的执行过程： Freeing Addrs: 0012F3B0h 0012F3A0h FStStrNoPop -> '`' FStStrNoPop -> '' ........ 反汇编后看一下函数基本心里有数了，分析的有点乱，注册机懒得做了:D 2004-12-20 18:21 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复