标题:化学品电子手册3.0破解分析
链接:http://www.unpack.cn/viewthread.php?tid=20502
贴者:noirlucifer
日期:2007-12-20 16:06
本人学习vb程序不久,还有许多问题,所以希望哪位大侠看了此文后能回答我几个问题,不甚感激!
问题1:最后比较注册码正确与否是在一个for循环中,只要满足一次就算注册成功,也就是有几组注册码
而这些注册码是有先前算出的16进制书中选3个连接而成的,我想知道怎么选的,这些16进制数的空间分布是怎么样的?
问题2:在用户名运算的那一段中.为什么会读到空字符?详见下问分析,还有就是用户名运算那段的含义不是特别清楚,能不能说下流程.
由于以上两个问题所以还没有办法写出注册机,因为水平有限,文章中的不足之处还请不吝指正,谢谢!下面开始我的分析:
首先运行程序,按帮助菜单下的注册按扭,出现注册对话框,填入用户名(大于6位),产品id(必需位10位数字),和注册码,按注册,无反应.vbdecompile反编译无响应(总是这样,哪位解释下为什么),然后用vbde反编译,找到注册过程的地址.然后od载入,前面找到的地址下断,F9运行.填入如下信息:
用户名:noirlucifer
产品id:1234567890
注册码:12345-67890-abcde
按注册按扭停在00450FA0
00450FA0 > \55 push ebp
00450FA1 . 8BEC mov ebp, esp
00450FA3 . 83EC 0C sub esp, 0C
00450FA6 . 68 C6234000 push ; SE 处理程序安装
00450FAB . 64:A1 0000000>mov eax, dword ptr fs:[0]
00450FB1 . 50 push eax
00450FB2 . 64:8925 00000>mov dword ptr fs:[0], esp
00450FB9 . 81EC AC020000 sub esp, 2AC
00450FBF . 53 push ebx
00450FC0 . 56 push esi
00450FC1 . 57 push edi
00450FC2 . 8965 F4 mov dword ptr [ebp-C], esp
00450FC5 . C745 F8 C8174>mov dword ptr [ebp-8], 004017C8
00450FCC . 8B75 08 mov esi, dword ptr [ebp+8]
00450FCF . 8BC6 mov eax, esi
单步往下,跳过有些初始化代码直到,现在开始分析,代码有些长,需要点耐心..
0045120A . 50 push eax
0045120B . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00451211 . 50 push eax
00451212 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00451218 . 8BD8 mov ebx, eax
0045121A . 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
00451220 . 52 push edx
00451221 . 53 push ebx
00451222 . 8B0B mov ecx, dword ptr [ebx]
00451224 . FF91 A0000000 call dword ptr [ecx+A0] //取用户名
0045122A . 3BC7 cmp eax, edi
0045122C . DBE2 fclex
0045122E . 7D 12 jge short 00451242
00451230 . 68 A0000000 push 0A0
00451235 . 68 40054100 push 00410540
0045123A . 53 push ebx
0045123B . 50 push eax
0045123C . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00451242 > 8B06 mov eax, dword ptr [esi]
00451244 . 56 push esi
00451245 . FF90 00030000 call dword ptr [eax+300]
0045124B . 8D8D 34FFFFFF lea ecx, dword ptr [ebp-CC]
00451251 . 50 push eax
00451252 . 51 push ecx
00451253 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00451259 . 8BD8 mov ebx, eax
0045125B . 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00451261 . 50 push eax
00451262 . 53 push ebx
00451263 . 8B13 mov edx, dword ptr [ebx]
00451265 . FF92 A0000000 call dword ptr [edx+A0] ; MSVBVM60.6603BF8D //取product id
0045126B . 3BC7 cmp eax, edi
0045126D . DBE2 fclex
0045126F . 7D 12 jge short 00451283
00451271 . 68 A0000000 push 0A0
00451276 . 68 40054100 push 00410540
0045127B . 53 push ebx
0045127C . 50 push eax
0045127D . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00451283 > 8B0E mov ecx, dword ptr [esi]
00451285 . 56 push esi
00451286 . FF91 FC020000 call dword ptr [ecx+2FC]
0045128C . 8D95 30FFFFFF lea edx, dword ptr [ebp-D0]
00451292 . 50 push eax
00451293 . 52 push edx
00451294 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0045129A . 8BD8 mov ebx, eax
0045129C . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
004512A2 . 51 push ecx
004512A3 . 53 push ebx
004512A4 . 8B03 mov eax, dword ptr [ebx]
004512A6 . FF90 A0000000 call dword ptr [eax+A0] //取注册码
004512AC . 3BC7 cmp eax, edi
004512AE . DBE2 fclex
004512B0 . 7D 12 jge short 004512C4
004512B2 . 68 A0000000 push 0A0
004512B7 . 68 40054100 push 00410540
004512BC . 53 push ebx
004512BD . 50 push eax
004512BE . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004512C4 > 8B16 mov edx, dword ptr [esi]
004512C6 . 56 push esi
004512C7 . FF92 00030000 call dword ptr [edx+300]
004512CD . 50 push eax
004512CE . 8D85 2CFFFFFF lea eax, dword ptr [ebp-D4]
004512D4 . 50 push eax
004512D5 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004512DB . 8BD8 mov ebx, eax
004512DD . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
004512E3 . 52 push edx
004512E4 . 53 push ebx
004512E5 . 8B0B mov ecx, dword ptr [ebx]
004512E7 . FF91 A0000000 call dword ptr [ecx+A0]
004512ED . 3BC7 cmp eax, edi
004512EF . DBE2 fclex
004512F1 . 7D 12 jge short 00451305
004512F3 . 68 A0000000 push 0A0
004512F8 . 68 40054100 push 00410540
004512FD . 53 push ebx
004512FE . 50 push eax
004512FF . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00451305 > 8B06 mov eax, dword ptr [esi]
00451307 . 56 push esi
00451308 . FF90 0C030000 call dword ptr [eax+30C]
0045130E . 8D8D 28FFFFFF lea ecx, dword ptr [ebp-D8]
00451314 . 50 push eax
00451315 . 51 push ecx
00451316 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0045131C . 8BF0 mov esi, eax
0045131E . 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
00451324 . 50 push eax
00451325 . 56 push esi
00451326 . 8B16 mov edx, dword ptr [esi]
00451328 . FF92 A0000000 call dword ptr [edx+A0]
0045132E . 3BC7 cmp eax, edi
00451330 . DBE2 fclex
00451332 . 7D 12 jge short 00451346
00451334 . 68 A0000000 push 0A0
00451339 . 68 40054100 push 00410540
0045133E . 56 push esi
0045133F . 50 push eax
00451340 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00451346 > 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
0045134C . 8B1D F4104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrCmp
00451352 . 51 push ecx
00451353 . 68 E4E54000 push 0040E5E4
00451358 . FFD3 call ebx ; <&MSVBVM60.__vbaStrCmp> //判断注册码是否为空
0045135A . 8B95 54FFFFFF mov edx, dword ptr [ebp-AC]
00451360 . 8BF0 mov esi, eax
00451362 . F7DE neg esi
00451364 . 1BF6 sbb esi, esi
00451366 . 52 push edx
00451367 . 46 inc esi
00451368 . 68 E4E54000 push 0040E5E4
0045136D . F7DE neg esi
0045136F . FFD3 call ebx //判断product id是否为空
00451371 . F7D8 neg eax
00451373 . 1BC0 sbb eax, eax
00451375 . 40 inc eax
00451376 . F7D8 neg eax
00451378 . 0BF0 or esi, eax
0045137A . 8B85 58FFFFFF mov eax, dword ptr [ebp-A8]
00451380 . 50 push eax
00451381 . 68 E4E54000 push 0040E5E4
00451386 . FFD3 call ebx //判断用户名是否为空
00451388 . 8B8D 48FFFFFF mov ecx, dword ptr [ebp-B8]
0045138E . 8B1D 2C104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaLenBstr
00451394 . F7D8 neg eax
00451396 . 1BC0 sbb eax, eax
00451398 . 51 push ecx
00451399 . 40 inc eax
0045139A . F7D8 neg eax
0045139C . 0BF0 or esi, eax
0045139E . FFD3 call ebx ; <&MSVBVM60.__vbaLenBstr>
004513A0 . 33D2 xor edx, edx
004513A2 . 83F8 06 cmp eax, 6 //判断用户名长度是否大于等于6
004513A5 . 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
004513AB . 0F9CC2 setl dl
004513AE . F7DA neg edx
004513B0 . 50 push eax
004513B1 . 0BF2 or esi, edx
004513B3 . FFD3 call ebx
004513B5 . 33C9 xor ecx, ecx
004513B7 . 83F8 0A cmp eax, 0A //判断product id是否是10位
004513BA . 0F95C1 setne cl
004513BD . F7D9 neg ecx
004513BF . 8B1D EC114000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeStrList
004513C5 . 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
004513CB . 0BF1 or esi, ecx
....省略部分代码
004514CE . 51 push ecx
004514CF . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004514D5 . 8B10 mov edx, dword ptr [eax]
004514D7 . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
004514DD . 51 push ecx
004514DE . 50 push eax
004514DF . 8985 E8FDFFFF mov dword ptr [ebp-218], eax
004514E5 . FF92 A0000000 call dword ptr [edx+A0]
004514EB . 3BC7 cmp eax, edi
004514ED . DBE2 fclex
004514EF . 7D 18 jge short 00451509
004514F1 . 8B95 E8FDFFFF mov edx, dword ptr [ebp-218]
004514F7 . 68 A0000000 push 0A0
004514FC . 68 40054100 push 00410540
00451501 . 52 push edx
00451502 . 50 push eax
00451503 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00451509 > 8B06 mov eax, dword ptr [esi]
0045150B . 56 push esi
0045150C . FF90 00030000 call dword ptr [eax+300]
00451512 . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4]
00451518 . 50 push eax
00451519 . 51 push ecx
0045151A . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00451520 . 8BF0 mov esi, eax
00451522 . 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
00451528 . 50 push eax
00451529 . 56 push esi
0045152A . 8B16 mov edx, dword ptr [esi]
0045152C . FF92 A0000000 call dword ptr [edx+A0]
00451532 . 3BC7 cmp eax, edi
00451534 . DBE2 fclex
00451536 . 7D 12 jge short 0045154A
00451538 . 68 A0000000 push 0A0
0045153D . 68 40054100 push 00410540
00451542 . 56 push esi
00451543 . 50 push eax
00451544 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0045154A > 8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
00451550 . 8D8D 98FEFFFF lea ecx, dword ptr [ebp-168]
00451556 . 6A 04 push 4
00451558 . 8D95 88FEFFFF lea edx, dword ptr [ebp-178]
0045155E . 51 push ecx
0045155F . 52 push edx
00451560 . 89BD 48FFFFFF mov dword ptr [ebp-B8], edi
00451566 . 8985 A0FEFFFF mov dword ptr [ebp-160], eax
0045156C . C785 98FEFFFF>mov dword ptr [ebp-168], 8
00451576 . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar //取product id前4位
0045157C . 8B35 98114000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrVarVal
00451582 . 8D85 88FEFFFF lea eax, dword ptr [ebp-178]
00451588 . 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
0045158E . 50 push eax
0045158F . 51 push ecx
00451590 . FFD6 call esi ; <&MSVBVM60.__vbaStrVarVal>
00451592 . 50 push eax
00451593 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00451599 . 8B45 08 mov eax, dword ptr [ebp+8]
0045159C . DD9D 04FEFFFF fstp qword ptr [ebp-1FC] ; //保存前4位
004515A2 . 8B10 mov edx, dword ptr [eax]
004515A4 . 50 push eax
004515A5 . FF92 00030000 call dword ptr [edx+300]
004515AB . 50 push eax
004515AC . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
004515B2 . 50 push eax
004515B3 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004515B9 . 8B08 mov ecx, dword ptr [eax]
004515BB . 8D95 40FFFFFF lea edx, dword ptr [ebp-C0]
004515C1 . 52 push edx
004515C2 . 50 push eax
004515C3 . 8985 D8FDFFFF mov dword ptr [ebp-228], eax
004515C9 . FF91 A0000000 call dword ptr [ecx+A0]
004515CF . 3BC7 cmp eax, edi
004515D1 . DBE2 fclex
004515D3 . 7D 18 jge short 004515ED
004515D5 . 8B8D D8FDFFFF mov ecx, dword ptr [ebp-228]
004515DB . 68 A0000000 push 0A0
004515E0 . 68 40054100 push 00410540
004515E5 . 51 push ecx
004515E6 . 50 push eax
004515E7 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004515ED > 8B85 40FFFFFF mov eax, dword ptr [ebp-C0]
004515F3 . 8D95 78FEFFFF lea edx, dword ptr [ebp-188]
004515F9 . 8985 80FEFFFF mov dword ptr [ebp-180], eax
004515FF . 6A 06 push 6
00451601 . 8D85 68FEFFFF lea eax, dword ptr [ebp-198]
00451607 . 52 push edx
00451608 . 50 push eax
00451609 . 89BD 40FFFFFF mov dword ptr [ebp-C0], edi
0045160F . C785 78FEFFFF>mov dword ptr [ebp-188], 8
00451619 . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar//取product id前6位
0045161F . 8D8D 68FEFFFF lea ecx, dword ptr [ebp-198]
00451625 . 8D95 3CFFFFFF lea edx, dword ptr [ebp-C4]
0045162B . 51 push ecx
0045162C . 52 push edx
0045162D . FFD6 call esi
0045162F . 50 push eax
00451630 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00451636 . 8B85 58FFFFFF mov eax, dword ptr [ebp-A8]
0045163C . 6A 01 push 1
0045163E . DD9D FCFDFFFF fstp qword ptr [ebp-204] ; //保存product id前6位
00451644 . 8985 20FFFFFF mov dword ptr [ebp-E0], eax
0045164A . 8D85 18FFFFFF lea eax, dword ptr [ebp-E8]
00451650 . 8D8D 08FFFFFF lea ecx, dword ptr [ebp-F8]
00451656 . 50 push eax
00451657 . 51 push ecx
00451658 . 89BD 58FFFFFF mov dword ptr [ebp-A8], edi
0045165E . C785 18FFFFFF>mov dword ptr [ebp-E8], 8
00451668 . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar //取product id第一位
0045166E . 8B85 54FFFFFF mov eax, dword ptr [ebp-AC]
00451674 . 8D95 F8FEFFFF lea edx, dword ptr [ebp-108]
0045167A . 8985 00FFFFFF mov dword ptr [ebp-100], eax
00451680 . 6A 01 push 1
00451682 . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
00451688 . 52 push edx
00451689 . 50 push eax
0045168A . 89BD 54FFFFFF mov dword ptr [ebp-AC], edi
00451690 . C785 F8FEFFFF>mov dword ptr [ebp-108], 8
0045169A . FF15 64124000 call dword ptr [<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar //取product id最后一位
004516A0 . 8B85 50FFFFFF mov eax, dword ptr [ebp-B0]
004516A6 . 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
004516AC . 6A 04 push 4
004516AE . 8D95 B8FEFFFF lea edx, dword ptr [ebp-148]
004516B4 . 51 push ecx
004516B5 . 52 push edx
004516B6 . 89BD 50FFFFFF mov dword ptr [ebp-B0], edi
004516BC . 8985 D0FEFFFF mov dword ptr [ebp-130], eax
004516C2 . C785 C8FEFFFF>mov dword ptr [ebp-138], 8
004516CC . FF15 64124000 call dword ptr [<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar//取product id最后4位
004516D2 . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
004516D8 . 8D8D E8FEFFFF lea ecx, dword ptr [ebp-118]
004516DE . 50 push eax
004516DF . 8D95 D8FEFFFF lea edx, dword ptr [ebp-128]
004516E5 . 51 push ecx
004516E6 . 52 push edx
004516E7 . FF15 A4114000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat//连接
004516ED . 50 push eax
004516EE . 8D85 B8FEFFFF lea eax, dword ptr [ebp-148]
004516F4 . 8D8D A8FEFFFF lea ecx, dword ptr [ebp-158]
004516FA . 50 push eax
004516FB . 51 push ecx
004516FC . FF15 A4114000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat //两次连接后107890
00451702 . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4] //即第一位+最后一位+最后四位
00451708 . 50 push eax //我们输入的位1234567890
00451709 . 52 push edx // 所以得到107890
0045170A . FFD6 call esi
0045170C . 50 push eax
0045170D . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
00451713 . DC85 04FEFFFF fadd qword ptr [ebp-1FC] ; //前4位+107890
00451719 . 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC] //即107890+1234=109124
0045171F . 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
00451725 . DC85 FCFDFFFF fadd qword ptr [ebp-204] //再加上前6位123456+109124=232580
0045172B . DD5D 80 fstp qword ptr [ebp-80] ;
0045172E . DFE0 fstsw ax
00451730 . A8 0D test al, 0D
00451732 . 0F85 69100000 jnz 004527A1
00451738 . 8D85 3CFFFFFF lea eax, dword ptr [ebp-C4]
0045173E . 50 push eax
0045173F . 51 push ecx
00451740 . 52 push edx
00451741 . 6A 03 push 3
00451743 . FFD3 call ebx
00451745 . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
0045174B . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4]
00451751 . 50 push eax
00451752 . 8D95 30FFFFFF lea edx, dword ptr [ebp-D0]
00451758 . 51 push ecx
00451759 . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
0045175F . 52 push edx
00451760 . 8D8D 38FFFFFF lea ecx, dword ptr [ebp-C8]
00451766 . 50 push eax
00451767 . 51 push ecx
00451768 . 6A 05 push 5
0045176A . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
00451770 . 8D95 68FEFFFF lea edx, dword ptr [ebp-198]
00451776 . 8D85 78FEFFFF lea eax, dword ptr [ebp-188]
0045177C . 52 push edx
0045177D . 8D8D 88FEFFFF lea ecx, dword ptr [ebp-178]
00451783 . 50 push eax
00451784 . 8D95 98FEFFFF lea edx, dword ptr [ebp-168]
0045178A . 51 push ecx
0045178B . 8D85 A8FEFFFF lea eax, dword ptr [ebp-158]
00451791 . 52 push edx
00451792 . 8D8D B8FEFFFF lea ecx, dword ptr [ebp-148]
00451798 . 50 push eax
00451799 . 8D95 D8FEFFFF lea edx, dword ptr [ebp-128]
0045179F . 51 push ecx
004517A0 . 8D85 C8FEFFFF lea eax, dword ptr [ebp-138]
004517A6 . 52 push edx
004517A7 . 8D8D E8FEFFFF lea ecx, dword ptr [ebp-118]
004517AD . 50 push eax
004517AE . 8D95 08FFFFFF lea edx, dword ptr [ebp-F8]
004517B4 . 51 push ecx
004517B5 . 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
004517BB . 52 push edx
004517BC . 8D8D 18FFFFFF lea ecx, dword ptr [ebp-E8]
004517C2 . 50 push eax
004517C3 . 51 push ecx
004517C4 . 6A 0C push 0C
004517C6 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004517CC . B8 02000000 mov eax, 2
004517D1 . 83C4 5C add esp, 5C
004517D4 . B9 01000000 mov ecx, 1
004517D9 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax
004517DF . 8985 48FEFFFF mov dword ptr [ebp-1B8], eax
004517E5 . 8985 38FEFFFF mov dword ptr [ebp-1C8], eax
004517EB . 8D95 58FEFFFF lea edx, dword ptr [ebp-1A8]
004517F1 . 898D 60FEFFFF mov dword ptr [ebp-1A0], ecx
004517F7 . 898D 40FEFFFF mov dword ptr [ebp-1C0], ecx
004517FD . 8D85 48FEFFFF lea eax, dword ptr [ebp-1B8]
00451803 . 52 push edx
00451804 . 8D8D 38FEFFFF lea ecx, dword ptr [ebp-1C8]
0045180A . 50 push eax
0045180B . 8D95 B0FDFFFF lea edx, dword ptr [ebp-250]
00451811 . 51 push ecx
00451812 . 8D85 C0FDFFFF lea eax, dword ptr [ebp-240]
00451818 . 52 push edx
00451819 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0045181C . 50 push eax
0045181D . 51 push ecx
0045181E . C785 50FEFFFF>mov dword ptr [ebp-1B0], 63
00451828 . FF15 84104000 call dword ptr [<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit //for循环初始化
0045182E . 8B35 58124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
00451834 > 3BC7 cmp eax, edi
00451836 . 0F84 CC020000 je 00451B08
0045183C . DD45 80 fld qword ptr [ebp-80]
0045183F . 833D 00D04700>cmp dword ptr [47D000], 0
00451846 . 75 08 jnz short 00451850
00451848 . DC35 C0174000 fdiv qword ptr [4017C0] //结果/3即 232580/3
0045184E . EB 11 jmp short 00451861
00451850 > FF35 C4174000 push dword ptr [4017C4]
00451856 . FF35 C0174000 push dword ptr [4017C0]
0045185C . E8 830BFBFF call
00451861 > C785 58FEFFFF>mov dword ptr [ebp-1A8], 5
0045186B . DC0D B8174000 fmul qword ptr [4017B8] //再*7 232580/3*7
00451871 . DD9D 60FEFFFF fstp qword ptr [ebp-1A0]
00451877 . DFE0 fstsw ax
00451879 . A8 0D test al, 0D
0045187B . 0F85 200F0000 jnz 004527A1
00451881 . 8B45 08 mov eax, dword ptr [ebp+8]
00451884 . 50 push eax
00451885 . 8B10 mov edx, dword ptr [eax]
00451887 . FF92 0C030000 call dword ptr [edx+30C]
0045188D . 50 push eax
0045188E . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00451894 . 50 push eax
00451895 . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0045189B . 8B08 mov ecx, dword ptr [eax]
0045189D . 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
004518A3 . 52 push edx
004518A4 . 50 push eax
004518A5 . 8985 F4FDFFFF mov dword ptr [ebp-20C], eax
004518AB . FF91 A0000000 call dword ptr [ecx+A0] //取用户名
004518B1 . 3BC7 cmp eax, edi
004518B3 . DBE2 fclex
004518B5 . 7D 18 jge short 004518CF
004518B7 . 8B8D F4FDFFFF mov ecx, dword ptr [ebp-20C]
004518BD . 68 A0000000 push 0A0
004518C2 . 68 40054100 push 00410540
004518C7 . 51 push ecx
004518C8 . 50 push eax
004518C9 . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004518CF > 8B95 58FFFFFF mov edx, dword ptr [ebp-A8]
004518D5 . 8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
004518DB . 89BD 58FFFFFF mov dword ptr [ebp-A8], edi
004518E1 . FFD6 call esi
004518E3 . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
004518E9 . 52 push edx
004518EA . E8 819B0200 call 0047B470 //这里是对用户名进行计算下面详细分析
004518EF . DD9D 50FEFFFF fstp qword ptr [ebp-1B0]
004518F5 . 8D45 D4 lea eax, dword ptr [ebp-2C] //运算后的结果为13267
004518F8 . C785 48FEFFFF>mov dword ptr [ebp-1B8], 5
00451902 . 50 push eax
00451903 . FF15 04124000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00451909 . 83F8 65 cmp eax, 65
0045190C . 8985 F8FDFFFF mov dword ptr [ebp-208], eax
00451912 . 72 06 jb short 0045191A
00451914 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
0045191A > 8D8D 58FEFFFF lea ecx, dword ptr [ebp-1A8]
00451920 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00451923 . 51 push ecx
00451924 . 8D85 18FFFFFF lea eax, dword ptr [ebp-E8]
0045192A . 52 push edx
0045192B . 50 push eax
0045192C . FF15 58114000 call dword ptr [<&MSVBVM60.__vbaVarMu>; MSVBVM60.__vbaVarMul
//前面product id算出的结果(s1)*i(循环的次数)
00451932 . 8D8D 48FEFFFF lea ecx, dword ptr [ebp-1B8]
00451938 . 50 push eax
00451939 . 8D95 08FFFFFF lea edx, dword ptr [ebp-F8]
0045193F . 51 push ecx
00451940 . 52 push edx
00451941 . FF15 14124000 call dword ptr [<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
//s1+username算出的结果(13267)=s2
00451947 . 50 push eax
00451948 . FF15 28104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0045194E . 8BD0 mov edx, eax
00451950 . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
00451956 . FFD6 call esi
00451958 . 8B8D F8FDFFFF mov ecx, dword ptr [ebp-208]
0045195E . 8BD0 mov edx, eax
00451960 . 8B45 A0 mov eax, dword ptr [ebp-60]
00451963 . 8D0C88 lea ecx, dword ptr [eax+ecx*4]
00451966 . FF15 E0114000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0045196C . 8D95 50FFFFFF lea edx, dword ptr [ebp-B0]
00451972 . 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00451978 . 52 push edx
00451979 . 50 push eax
0045197A . 6A 02 push 2
0045197C . FFD3 call ebx
0045197E . 83C4 0C add esp, 0C
00451981 . 8D8D 38FFFFFF lea ecx, dword ptr [ebp-C8]
00451987 . FF15 8C124000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0045198D . 8D8D 08FFFFFF lea ecx, dword ptr [ebp-F8]
00451993 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00451999 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0045199C . 51 push ecx
0045199D . FF15 04124000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
004519A3 . 83F8 65 cmp eax, 65
004519A6 . 8985 F8FDFFFF mov dword ptr [ebp-208], eax
004519AC . 72 06 jb short 004519B4
004519AE . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004519B4 > 8B55 A0 mov edx, dword ptr [ebp-60]
004519B7 . 8B85 F8FDFFFF mov eax, dword ptr [ebp-208]
004519BD . 8B0C82 mov ecx, dword ptr [edx+eax*4]
004519C0 . 51 push ecx
004519C1 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004519C7 . DD9D 04FEFFFF fstp qword ptr [ebp-1FC]
004519CD . 8D55 D4 lea edx, dword ptr [ebp-2C]
004519D0 . 52 push edx
004519D1 . FF15 04124000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
004519D7 . 83F8 65 cmp eax, 65
004519DA . 8985 F0FDFFFF mov dword ptr [ebp-210], eax
004519E0 . 72 06 jb short 004519E8
004519E2 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
004519E8 > 8B45 A0 mov eax, dword ptr [ebp-60]
004519EB . 8B8D F0FDFFFF mov ecx, dword ptr [ebp-210]
004519F1 . 8B1488 mov edx, dword ptr [eax+ecx*4]
004519F4 . 52 push edx
004519F5 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
004519FB . 8B85 08FEFFFF mov eax, dword ptr [ebp-1F8]
00451A01 . 8B8D 04FEFFFF mov ecx, dword ptr [ebp-1FC]
00451A07 . DD9D 44FDFFFF fstp qword ptr [ebp-2BC]
00451A0D . 68 00000040 push 40000000
00451A12 . 57 push edi
00451A13 . 50 push eax
00451A14 . 51 push ecx
00451A15 . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaPower>; MSVBVM60.__vbaPowerR8 //s2^2=s3
00451A1B . 833D 00D04700>cmp dword ptr [47D000], 0
00451A22 . 75 08 jnz short 00451A2C
00451A24 . DC35 C0174000 fdiv qword ptr [4017C0] //s3/3=s4
00451A2A . EB 11 jmp short 00451A3D
00451A2C > FF35 C4174000 push dword ptr [4017C4]
00451A32 . FF35 C0174000 push dword ptr [4017C0]
00451A38 . E8 A709FBFF call
00451A3D > 83EC 08 sub esp, 8
00451A40 . DC85 44FDFFFF fadd qword ptr [ebp-2BC] //s4+s2=s5
00451A46 . DFE0 fstsw ax
00451A48 . A8 0D test al, 0D
00451A4A . 0F85 510D0000 jnz 004527A1
00451A50 . DD1C24 fstp qword ptr [esp]
00451A53 . FF15 2C124000 call dword ptr [<&MSVBVM60.#614>] ; MSVBVM60.rtcSqr //s5^0.5
00451A59 . DD9D 20FFFFFF fstp qword ptr [ebp-E0]
00451A5F . 8D95 18FFFFFF lea edx, dword ptr [ebp-E8]
00451A65 . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
00451A6B . 52 push edx
00451A6C . 50 push eax
00451A6D . C785 18FFFFFF>mov dword ptr [ebp-E8], 5
00451A77 . FF15 DC114000 call dword ptr [<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
//将上面的计算结果的整数部分转换成16进制
00451A7D . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00451A80 . 51 push ecx
00451A81 . FF15 04124000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00451A87 . 83F8 65 cmp eax, 65
00451A8A . 8985 F4FDFFFF mov dword ptr [ebp-20C], eax
00451A90 . 72 06 jb short 00451A98
00451A92 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
00451A98 > 8D95 08FFFFFF lea edx, dword ptr [ebp-F8]
..............
...............
00451B0B . 50 push eax
00451B0C . 8B08 mov ecx, dword ptr [eax]
00451B0E . FF91 FC020000 call dword ptr [ecx+2FC]
00451B14 . 8D95 18FFFFFF lea edx, dword ptr [ebp-E8]
00451B1A . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00451B1D . 8985 20FFFFFF mov dword ptr [ebp-E0], eax
00451B23 . C785 18FFFFFF>mov dword ptr [ebp-E8], 9
00451B2D . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00451B33 . B8 02000000 mov eax, 2
00451B38 . B9 01000000 mov ecx, 1
00451B3D . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax
00451B43 . 8985 48FEFFFF mov dword ptr [ebp-1B8], eax
00451B49 . 8985 38FEFFFF mov dword ptr [ebp-1C8], eax
00451B4F . 8D95 58FEFFFF lea edx, dword ptr [ebp-1A8]
00451B55 . 898D 60FEFFFF mov dword ptr [ebp-1A0], ecx
00451B5B . 898D 40FEFFFF mov dword ptr [ebp-1C0], ecx
00451B61 . 8D85 48FEFFFF lea eax, dword ptr [ebp-1B8]
00451B67 . 52 push edx
00451B68 . 8D8D 38FEFFFF lea ecx, dword ptr [ebp-1C8]
00451B6E . 50 push eax
00451B6F . 8D95 90FDFFFF lea edx, dword ptr [ebp-270]
00451B75 . 51 push ecx
00451B76 . 8D85 A0FDFFFF lea eax, dword ptr [ebp-260]
00451B7C . 52 push edx
00451B7D . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00451B80 . 50 push eax
00451B81 . 51 push ecx
00451B82 . C785 50FEFFFF>mov dword ptr [ebp-1B0], 63
00451B8C . FF15 84104000 call dword ptr [<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit//初始化for循环
00451B92 . 8B3D 5C104000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaLsetFixstr
00451B98 > 85C0 test eax, eax
00451B9A . 0F84 590A0000 je 004525F9
00451BA0 . 8D55 B4 lea edx, dword ptr [ebp-4C]
00451BA3 . 8D8D 80FDFFFF lea ecx, dword ptr [ebp-280]
00451BA9 . FF15 38124000 call dword ptr [<&MSVBVM60.__vbaVarCo>; MSVBVM60.__vbaVarCopy
00451BAF . 8D55 D4 lea edx, dword ptr [ebp-2C]
00451BB2 . 52 push edx
00451BB3 . FF15 04124000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00451BB9 . 83F8 65 cmp eax, 65
00451BBC . 8985 F8FDFFFF mov dword ptr [ebp-208], eax
00451BC2 . 72 06 jb short 00451BCA
00451BC4 . FF15 F0104000 call dword ptr [<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
00451BCA > 8B85 6CFFFFFF mov eax, dword ptr [ebp-94]
00451BD0 . 8B8D F8FDFFFF mov ecx, dword ptr [ebp-208]
00451BD6 . 6A 06 push 6
00451BD8 . C785 58FEFFFF>mov dword ptr [ebp-1A8], 4008
00451BE2 . 8D1488 lea edx, dword ptr [eax+ecx*4]
00451BE5 . 8D85 58FEFFFF lea eax, dword ptr [ebp-1A8]
00451BEB . 8D8D 18FFFFFF lea ecx, dword ptr [ebp-E8]
00451BF1 . 50 push eax
00451BF2 . 51 push ecx
00451BF3 . 8995 60FEFFFF mov dword ptr [ebp-1A0], edx//上面的for循环好象会生成100个16进制数
00451BFF . 8B95 6CFFFFFF mov edx, dword ptr [ebp-94] ; (initial cpu selection) //这里就是取一个
00451C05 . 8D85 38FEFFFF lea eax, dword ptr [ebp-1C8]
00451C0B . 6A 06 push 6
00451C0D . 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
00451C13 . 81C2 88000000 add edx, 88
00451C19 . 50 push eax
00451C1A . 51 push ecx
00451C1B . C785 50FEFFFF>mov dword ptr [ebp-1B0], 00410E84 ; -
00451C25 . C785 48FEFFFF>mov dword ptr [ebp-1B8], 8
00451C2F . 8995 40FEFFFF mov dword ptr [ebp-1C0], edx
00451C35 . C785 38FEFFFF>mov dword ptr [ebp-1C8], 4008
00451C3F . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar//这里去第二个16进制数
00451C45 . 8B95 6CFFFFFF mov edx, dword ptr [ebp-94]
00451C4B . 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
00451C51 . 6A 06 push 6
00451C53 . 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00451C59 . 83C2 48 add edx, 48
00451C5C . 50 push eax
00451C5D . 51 push ecx
00451C5E . C785 30FEFFFF>mov dword ptr [ebp-1D0], 00410E84 ; -
00451C68 . C785 28FEFFFF>mov dword ptr [ebp-1D8], 8
00451C72 . 8995 20FEFFFF mov dword ptr [ebp-1E0], edx
00451C78 . C785 18FEFFFF>mov dword ptr [ebp-1E8], 4008
00451C82 . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar//这里去第三个16进制数
00451C88 . 8D95 80FDFFFF lea edx, dword ptr [ebp-280]
00451C8E . 8D85 18FFFFFF lea eax, dword ptr [ebp-E8]
00451C94 . 52 push edx
00451C95 . 8D8D 48FEFFFF lea ecx, dword ptr [ebp-1B8]
00451C9B . 50 push eax
00451C9C . 8D95 08FFFFFF lea edx, dword ptr [ebp-F8]
00451CA2 . 51 push ecx
00451CA3 . 52 push edx
00451CA4 . FF15 A4114000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
00451CAA . 50 push eax
00451CAB . 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00451CB1 . 8D8D E8FEFFFF lea ecx, dword ptr [ebp-118]
00451CB7 . 50 push eax
00451CB8 . 51 push ecx
00451CB9 . FF15 A4114000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
00451CBF . 50 push eax
00451CC0 . 8D95 28FEFFFF lea edx, dword ptr [ebp-1D8]
00451CC6 . 8D85 D8FEFFFF lea eax, dword ptr [ebp-128]
00451CCC . 52 push edx
00451CCD . 50 push eax
00451CCE . FF15 A4114000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
00451CD4 . 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00451CDA . 50 push eax
00451CDB . 8D95 B8FEFFFF lea edx, dword ptr [ebp-148]
00451CE1 . 51 push ecx
00451CE2 . 52 push edx
00451CE3 . FF15 A4114000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat //将3个数用"-"连接起来
00451CE9 . 50 push eax
00451CEA . FF15 00114000 call dword ptr [<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq //与注册码进行比较
00451CF0 . 8985 14FEFFFF mov dword ptr [ebp-1EC], eax
00451CF6 . 8D85 B8FEFFFF lea eax, dword ptr [ebp-148]
00451CFC . 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00451D02 . 50 push eax
00451D03 . 8D95 D8FEFFFF lea edx, dword ptr [ebp-128]
00451D09 . 51 push ecx
00451D0A . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
00451D10 . 52 push edx
00451D11 . 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
00451D17 . 50 push eax
00451D18 . 8D95 08FFFFFF lea edx, dword ptr [ebp-F8]
00451D1E . 51 push ecx
00451D1F . 8D85 18FFFFFF lea eax, dword ptr [ebp-E8]
00451D25 . 52 push edx
00451D26 . 50 push eax
00451D27 . 6A 07 push 7
00451D29 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00451D2F . 83C4 20 add esp, 20
00451D32 . 66:83BD 14FEF>cmp word ptr [ebp-1EC], 0
00451D3A . 0F84 9C080000 je 004525DC //比较是否是真码爆破点(改为nop)
00451D40 . A1 24D04700 mov eax, dword ptr [47D024] //下面的一些代码是将注册成功信息写入system32下面的一个文件
00451D45 . C785 60FEFFFF>mov dword ptr [ebp-1A0], -1
00451D4F . 85C0 test eax, eax //而且不会再次验证,也就是说只要暴破依次就永久有效无需修改原文件
00451D51 . C785 58FEFFFF>mov dword ptr [ebp-1A8], 0B
00451D5B . 75 15 jnz short 00451D72
00451D5D . 68 24D04700 push 0047D024
00451D62 . 68 A8AC4000 push 0040ACA8
00451D67 . FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00451D6D . A1 24D04700 mov eax, dword ptr [47D024]
00451D72 > 8B95 58FEFFFF mov edx, dword ptr [ebp-1A8]
00451D78 . 83EC 10 sub esp, 10
00451D7B . 8BCC mov ecx, esp
00451D7D . 68 0D000180 push 8001000D
00451D82 . 50 push eax
00451D83 . 8911 mov dword ptr [ecx], edx
00451D85 . 8B95 5CFEFFFF mov edx, dword ptr [ebp-1A4]
00451D8B . 8951 04 mov dword ptr [ecx+4], edx
00451D8E . 8B95 60FEFFFF mov edx, dword ptr [ebp-1A0]
00451D94 . 8951 08 mov dword ptr [ecx+8], edx
00451D97 . 8B95 64FEFFFF mov edx, dword ptr [ebp-19C]
00451D9D . 8951 0C mov dword ptr [ecx+C], edx
00451DA0 . 8B08 mov ecx, dword ptr [eax]
00451DA2 . FF91 0C040000 call dword ptr [ecx+40C]
下面分析对用户名进行运算的那个过程
0047B470 $ 55 push ebp
0047B471 . 8BEC mov ebp, esp
0047B473 . 83EC 08 sub esp, 8
0047B476 . 68 C6234000 push ; SE 处理程序安装
0047B47B . 64:A1 0000000>mov eax, dword ptr fs:[0]
0047B481 . 50 push eax
0047B482 . 64:8925 00000>mov dword ptr fs:[0], esp
0047B489 . 81EC 04010000 sub esp, 104
0047B48F . 53 push ebx
0047B490 . 56 push esi
0047B491 . 57 push edi
0047B492 . 8965 F8 mov dword ptr [ebp-8], esp
0047B495 . C745 FC 88234>mov dword ptr [ebp-4], 00402388
0047B49C . 33C0 xor eax, eax
0047B49E . 8B3D 68114000 mov edi, dword ptr [<&MSVBVM60.#712>>; MSVBVM60.rtcReplace
0047B4A4 . 8945 DC mov dword ptr [ebp-24], eax
0047B4A7 . 8945 D4 mov dword ptr [ebp-2C], eax
0047B4AA . 8945 C8 mov dword ptr [ebp-38], eax
0047B4AD . 8945 C4 mov dword ptr [ebp-3C], eax
0047B4B0 . 8945 C0 mov dword ptr [ebp-40], eax
0047B4B3 . 8945 B0 mov dword ptr [ebp-50], eax
0047B4B6 . 8945 A0 mov dword ptr [ebp-60], eax
0047B4B9 . 8945 90 mov dword ptr [ebp-70], eax
0047B4BC . 8945 80 mov dword ptr [ebp-80], eax
0047B4BF . 8985 70FFFFFF mov dword ptr [ebp-90], eax
0047B4C5 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
0047B4CB . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
0047B4D1 . 8985 40FFFFFF mov dword ptr [ebp-C0], eax
0047B4D7 . 8985 10FFFFFF mov dword ptr [ebp-F0], eax
0047B4DD . 8985 00FFFFFF mov dword ptr [ebp-100], eax
0047B4E3 . 8B45 08 mov eax, dword ptr [ebp+8]
0047B4E6 . 6A 01 push 1
0047B4E8 . 6A FF push -1
0047B4EA . 8B08 mov ecx, dword ptr [eax]
0047B4EC . 6A 01 push 1
0047B4EE . 68 64324100 push 00413264
//; 1将用户名中的a(不分大小写,因为输入用户名的时候会自动转成大写)全转成1
0047B4F3 . 68 5C324100 push 0041325C
//; a下面分别把b-z转换成对应的2-26,下面就不重复叙述了.
0047B4F8 . 51 push ecx
0047B4F9 . FFD7 call edi ; <&MSVBVM60.#712>
0047B4FB . 8B35 58124000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
0047B501 . 8BD0 mov edx, eax
0047B503 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B506 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
0047B508 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B50B . 6A 01 push 1
0047B50D . 6A FF push -1
0047B50F . 6A 01 push 1
0047B511 . 68 74324100 push 00413274 ; 2
0047B516 . 68 6C324100 push 0041326C ; b
0047B51B . 52 push edx
0047B51C . FFD7 call edi
0047B51E . 8BD0 mov edx, eax
0047B520 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B523 . FFD6 call esi
0047B525 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B528 . 6A 01 push 1
0047B52A . 6A FF push -1
0047B52C . 6A 01 push 1
0047B52E . 68 BC2E4100 push 00412EBC ; 3
0047B533 . 68 B8224100 push 004122B8 ; c
0047B538 . 50 push eax
0047B539 . FFD7 call edi
0047B53B . 8BD0 mov edx, eax
0047B53D . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B540 . FFD6 call esi
0047B542 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B545 . 6A 01 push 1
0047B547 . 6A FF push -1
0047B549 . 6A 01 push 1
0047B54B . 68 D8254100 push 004125D8 ; 4
0047B550 . 68 10314100 push 00413110 ; d
0047B555 . 51 push ecx
0047B556 . FFD7 call edi
0047B558 . 8BD0 mov edx, eax
0047B55A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B55D . FFD6 call esi
0047B55F . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B562 . 6A 01 push 1
0047B564 . 6A FF push -1
0047B566 . 6A 01 push 1
0047B568 . 68 2C244100 push 0041242C ; 5
0047B56D . 68 E0254100 push 004125E0 ; e
0047B572 . 52 push edx
0047B573 . FFD7 call edi
0047B575 . 8BD0 mov edx, eax
0047B577 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B57A . FFD6 call esi
0047B57C . 6A 01 push 1
0047B57E . 6A FF push -1
0047B580 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B583 . 6A 01 push 1
0047B585 . 68 3C244100 push 0041243C ; 6
0047B58A . 68 34244100 push 00412434 ; f
0047B58F . 50 push eax
0047B590 . FFD7 call edi
0047B592 . 8BD0 mov edx, eax
0047B594 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B597 . FFD6 call esi
0047B599 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B59C . 6A 01 push 1
0047B59E . 6A FF push -1
0047B5A0 . 6A 01 push 1
0047B5A2 . 68 181E4100 push 00411E18 ; 7
0047B5A7 . 68 501C4100 push 00411C50 ; g
0047B5AC . 51 push ecx
0047B5AD . FFD7 call edi
0047B5AF . 8BD0 mov edx, eax
0047B5B1 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B5B4 . FFD6 call esi
0047B5B6 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B5B9 . 6A 01 push 1
0047B5BB . 6A FF push -1
0047B5BD . 6A 01 push 1
0047B5BF . 68 94214100 push 00412194 ; 8
0047B5C4 . 68 E41F4100 push 00411FE4 ; h
0047B5C9 . 52 push edx
0047B5CA . FFD7 call edi
0047B5CC . 8BD0 mov edx, eax
0047B5CE . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B5D1 . FFD6 call esi
0047B5D3 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B5D6 . 6A 01 push 1
0047B5D8 . 6A FF push -1
0047B5DA . 6A 01 push 1
0047B5DC . 68 D0124100 push 004112D0 ; 9
0047B5E1 . 68 C8224100 push 004122C8 ; i
0047B5E6 . 50 push eax
0047B5E7 . FFD7 call edi
0047B5E9 . 8BD0 mov edx, eax
0047B5EB . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B5EE . FFD6 call esi
0047B5F0 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B5F3 . 6A 01 push 1
0047B5F5 . 6A FF push -1
0047B5F7 . 6A 01 push 1
0047B5F9 . 68 4C174100 push 0041174C ; 10
0047B5FE . 68 881A4100 push 00411A88 ; j
0047B603 . 51 push ecx
0047B604 . FFD7 call edi
0047B606 . 8BD0 mov edx, eax
0047B608 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B60B . FFD6 call esi
0047B60D . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B610 . 6A 01 push 1
0047B612 . 6A FF push -1
0047B614 . 6A 01 push 1
0047B616 . 68 E00E4100 push 00410EE0 ; 11
0047B61B . 68 C4154100 push 004115C4 ; k
0047B620 . 52 push edx
0047B621 . FFD7 call edi
0047B623 . 8BD0 mov edx, eax
0047B625 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B628 . FFD6 call esi
0047B62A . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B62D . 6A 01 push 1
0047B62F . 6A FF push -1
0047B631 . 6A 01 push 1
0047B633 . 68 100D4100 push 00410D10 ; 12
0047B638 . 68 280E4100 push 00410E28 ; l
0047B63D . 50 push eax
0047B63E . FFD7 call edi
0047B640 . 8BD0 mov edx, eax
0047B642 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B645 . FFD6 call esi
0047B647 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B64A . 6A 01 push 1
0047B64C . 6A FF push -1
0047B64E . 6A 01 push 1
0047B650 . 68 F8064100 push 004106F8 ; 13
0047B655 . 68 900A4100 push 00410A90 ; m
0047B65A . 51 push ecx
0047B65B . FFD7 call edi
0047B65D . 8BD0 mov edx, eax
0047B65F . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B662 . FFD6 call esi
0047B664 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B667 . 6A 01 push 1
0047B669 . 6A FF push -1
0047B66B . 6A 01 push 1
0047B66D . 68 A8E64000 push 0040E6A8 ; 14
0047B672 . 68 980A4100 push 00410A98 ; n
0047B677 . 52 push edx
0047B678 . FFD7 call edi
0047B67A . 8BD0 mov edx, eax
0047B67C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B67F . FFD6 call esi
0047B681 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B684 . 6A 01 push 1
0047B686 . 6A FF push -1
0047B688 . 6A 01 push 1
0047B68A . 68 80324100 push 00413280 ; 15
0047B68F . 68 9CFB4000 push 0040FB9C ; o
0047B694 . 50 push eax
0047B695 . FFD7 call edi
0047B697 . 8BD0 mov edx, eax
0047B699 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B69C . FFD6 call esi
0047B69E . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B6A1 . 6A 01 push 1
0047B6A3 . 6A FF push -1
0047B6A5 . 6A 01 push 1
0047B6A7 . 68 94324100 push 00413294 ; 16
0047B6AC . 68 8C324100 push 0041328C ; p
0047B6B1 . 51 push ecx
0047B6B2 . FFD7 call edi
0047B6B4 . 8BD0 mov edx, eax
0047B6B6 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B6B9 . FFD6 call esi
0047B6BB . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B6BE . 6A 01 push 1
0047B6C0 . 6A FF push -1
0047B6C2 . 6A 01 push 1
0047B6C4 . 68 A8324100 push 004132A8 ; 17
0047B6C9 . 68 A0324100 push 004132A0 ; q
0047B6CE . 52 push edx
0047B6CF . FFD7 call edi
0047B6D1 . 8BD0 mov edx, eax
0047B6D3 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B6D6 . FFD6 call esi
0047B6D8 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B6DB . 6A 01 push 1
0047B6DD . 6A FF push -1
0047B6DF . 6A 01 push 1
0047B6E1 . 68 BC324100 push 004132BC ; 18
0047B6E6 . 68 B4324100 push 004132B4 ; r
0047B6EB . 50 push eax
0047B6EC . FFD7 call edi
0047B6EE . 8BD0 mov edx, eax
0047B6F0 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B6F3 . FFD6 call esi
0047B6F5 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B6F8 . 6A 01 push 1
0047B6FA . 6A FF push -1
0047B6FC . 6A 01 push 1
0047B6FE . 68 D0324100 push 004132D0 ; 19
0047B703 . 68 C8324100 push 004132C8 ; s
0047B708 . 51 push ecx
0047B709 . FFD7 call edi
0047B70B . 8BD0 mov edx, eax
0047B70D . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B710 . FFD6 call esi
0047B712 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B715 . 6A 01 push 1
0047B717 . 6A FF push -1
0047B719 . 6A 01 push 1
0047B71B . 68 E4324100 push 004132E4 ; 20
0047B720 . 68 DC324100 push 004132DC ; t
0047B725 . 52 push edx
0047B726 . FFD7 call edi
0047B728 . 8BD0 mov edx, eax
0047B72A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B72D . FFD6 call esi
0047B72F . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B732 . 6A 01 push 1
0047B734 . 6A FF push -1
0047B736 . 6A 01 push 1
0047B738 . 68 F8324100 push 004132F8 ; 21
0047B73D . 68 F0324100 push 004132F0 ; u
0047B742 . 50 push eax
0047B743 . FFD7 call edi
0047B745 . 8BD0 mov edx, eax
0047B747 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B74A . FFD6 call esi
0047B74C . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B74F . 6A 01 push 1
0047B751 . 6A FF push -1
0047B753 . 6A 01 push 1
0047B755 . 68 0C334100 push 0041330C ; 22
0047B75A . 68 04334100 push 00413304 ; v
0047B75F . 51 push ecx
0047B760 . FFD7 call edi
0047B762 . 8BD0 mov edx, eax
0047B764 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B767 . FFD6 call esi
0047B769 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B76C . 6A 01 push 1
0047B76E . 6A FF push -1
0047B770 . 6A 01 push 1
0047B772 . 68 20334100 push 00413320 ; 23
0047B777 . 68 18334100 push 00413318 ; w
0047B77C . 52 push edx
0047B77D . FFD7 call edi
0047B77F . 8BD0 mov edx, eax
0047B781 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B784 . FFD6 call esi
0047B786 . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B789 . 6A 01 push 1
0047B78B . 6A FF push -1
0047B78D . 6A 01 push 1
0047B78F . 68 34334100 push 00413334 ; 24
0047B794 . 68 2C334100 push 0041332C ; x
0047B799 . 50 push eax
0047B79A . FFD7 call edi
0047B79C . 8BD0 mov edx, eax
0047B79E . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B7A1 . FFD6 call esi
0047B7A3 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
0047B7A6 . 6A 01 push 1
0047B7A8 . 6A FF push -1
0047B7AA . 6A 01 push 1
0047B7AC . 68 48334100 push 00413348 ; 25
0047B7B1 . 68 40334100 push 00413340 ; y
0047B7B6 . 51 push ecx
0047B7B7 . FFD7 call edi
0047B7B9 . 8BD0 mov edx, eax
0047B7BB . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B7BE . FFD6 call esi
0047B7C0 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0047B7C3 . 6A 01 push 1
0047B7C5 . 6A FF push -1
0047B7C7 . 6A 01 push 1
0047B7C9 . 68 5C334100 push 0041335C ; 26
0047B7CE . 68 54334100 push 00413354 ; z
0047B7D3 . 52 push edx
0047B7D4 . FFD7 call edi
0047B7D6 . 8BD0 mov edx, eax
0047B7D8 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B7DB . FFD6 call esi
0047B7DD . 8B45 D4 mov eax, dword ptr [ebp-2C]
0047B7E0 . 50 push eax
0047B7E1 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0047B7E7 . 8BC8 mov ecx, eax
0047B7E9 . FF15 04114000 call dword ptr [<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
0047B7EF . 8B3D 98114000 mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaStrVarVal
0047B7F5 . 8BD8 mov ebx, eax
0047B7F7 > 66:83FB 06 cmp bx, 6
//比较结果是否大于6位,大的话继续运算
0047B7FB . 0F8E 1D020000 jle 0047BA1E
0047B801 . 0FBFCB movsx ecx, bx
0047B804 . 898D F4FEFFFF mov dword ptr [ebp-10C], ecx
0047B80A . 895D EC mov dword ptr [ebp-14], ebx
0047B80D . DB85 F4FEFFFF fild dword ptr [ebp-10C]
//将转换好的用户名的位数载入
0047B813 . DD9D ECFEFFFF fstp qword ptr [ebp-114]
0047B819 . DD85 ECFEFFFF fld qword ptr [ebp-114]
0047B81F . 833D 00D04700>cmp dword ptr [47D000], 0
0047B826 . 75 08 jnz short 0047B830
0047B828 . DC35 80234000 fdiv qword ptr [402380]
//位数除以2
0047B82E . EB 11 jmp short 0047B841
0047B830 > FF35 84234000 push dword ptr [402384]
0047B836 . FF35 80234000 push dword ptr [402380]
0047B83C . E8 A36BF8FF call
0047B841 > DFE0 fstsw ax
0047B843 . A8 0D test al, 0D
0047B845 . 0F85 61020000 jnz 0047BAAC
0047B84B . FF15 44124000 call dword ptr [<&MSVBVM60.__vbaR8Int>; MSVBVM60.__vbaR8IntI2
0047B851 . 66:8B55 EC mov dx, word ptr [ebp-14]
0047B855 . 8BD8 mov ebx, eax
0047B857 . B8 02000000 mov eax, 2
0047B85C . B9 01000000 mov ecx, 1
0047B861 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
0047B867 . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
0047B86D . 8985 40FFFFFF mov dword ptr [ebp-C0], eax
0047B873 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0047B879 . 898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0047B87F . 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
0047B885 . 66:8995 58FFF>mov word ptr [ebp-A8], dx
0047B88C . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
0047B892 . 50 push eax
0047B893 . 8D95 40FFFFFF lea edx, dword ptr [ebp-C0]
0047B899 . 51 push ecx
0047B89A . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
0047B8A0 . 52 push edx
0047B8A1 . 8D8D 10FFFFFF lea ecx, dword ptr [ebp-F0]
0047B8A7 . 50 push eax
0047B8A8 . 8D55 DC lea edx, dword ptr [ebp-24]
0047B8AB . 51 push ecx
0047B8AC . 52 push edx
0047B8AD . FF15 84104000 call dword ptr [<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
//初始化循环,循环次数为转换后用户名的长度
0047B8B5 .^ 0F84 3CFFFFFF je 0047B7F7
0047B8BB . 66:8B4D EC mov cx, word ptr [ebp-14]
0047B8BF . 8D45 D4 lea eax, dword ptr [ebp-2C]
0047B8C2 . 66:2BCB sub cx, bx
0047B8C5 . 8985 58FFFFFF mov dword ptr [ebp-A8], eax
0047B8CB . 0F80 E0010000 jo 0047BAB1
0047B8D1 . 0FBFD1 movsx edx, cx
0047B8D4 . 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
0047B8DA . 52 push edx
0047B8DB . 8D4D A0 lea ecx, dword ptr [ebp-60]
0047B8DE . 50 push eax
0047B8DF . 51 push ecx
0047B8E0 . C785 50FFFFFF>mov dword ptr [ebp-B0], 4008
0047B8EA . FF15 64124000 call dword ptr [<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
//取转换或的用户名的右半边,如果是位数是单数则要比左半边多1位
0047B8F0 . 8D55 A0 lea edx, dword ptr [ebp-60]
0047B8F3 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0047B8F6 . 52 push edx
0047B8F7 . 50 push eax
0047B8F8 . FFD7 call edi
0047B8FA . 50 push eax
0047B8FB . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0047B901 . DD9D 28FFFFFF fstp qword ptr [ebp-D8]
0047B907 . 8D55 DC lea edx, dword ptr [ebp-24]
0047B90A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B90D . 52 push edx
0047B90E . 898D 48FFFFFF mov dword ptr [ebp-B8], ecx
0047B914 . C785 40FFFFFF>mov dword ptr [ebp-C0], 4008
0047B91E . FF15 04124000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
0047B924 . 50 push eax
0047B925 . 8D85 40FFFFFF lea eax, dword ptr [ebp-C0]
0047B92B . 8D4D 90 lea ecx, dword ptr [ebp-70]
0047B92E . 50 push eax
0047B92F . 51 push ecx
0047B930 . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
//取第n位(n是循环次数)
0047B936 . 8D55 90 lea edx, dword ptr [ebp-70]
//不知道为什么2只后都会少取一位,哪位知道解释下
0047B939 . 8D45 C0 lea eax, dword ptr [ebp-40]
//会多一个空字符,不知道为什么
0047B93C . 52 push edx
0047B93D . 50 push eax
0047B93E . FFD7 call edi
0047B940 . 50 push eax
0047B941 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0047B947 . DD9D 20FFFFFF fstp qword ptr [ebp-E0] ; 1
0047B94D . 0FBFD3 movsx edx, bx
0047B950 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B953 . 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
0047B959 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0047B95F . 52 push edx
0047B960 . 8D4D B0 lea ecx, dword ptr [ebp-50]
0047B963 . 50 push eax
0047B964 . 51 push ecx
0047B965 . C785 60FFFFFF>mov dword ptr [ebp-A0], 4008
0047B96F . FF15 4C124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar //取左半边
0047B975 . 8D55 B0 lea edx, dword ptr [ebp-50] //和上面的问题一样,也会少一位
0047B978 . 8D45 C8 lea eax, dword ptr [ebp-38]
0047B97B . 52 push edx
0047B97C . 50 push eax
0047B97D . FFD7 call edi
0047B97F . 50 push eax
0047B980 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0047B986 . DC85 28FFFFFF fadd qword ptr [ebp-D8] //左半部分加上右半部分
0047B98C . 8D4D 80 lea ecx, dword ptr [ebp-80]
0047B98F . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0047B995 . 51 push ecx
0047B996 . 52 push edx
0047B997 . DC85 20FFFFFF fadd qword ptr [ebp-E0] //在加上左边的n位(n为循环次数)
0047B99D . C745 80 05000>mov dword ptr [ebp-80], 5
0047B9A4 . DD5D 88 fstp qword ptr [ebp-78]
0047B9A7 . DFE0 fstsw ax
0047B9A9 . A8 0D test al, 0D
0047B9AB . 0F85 FB000000 jnz 0047BAAC
0047B9B1 . FF15 28124000 call dword ptr [<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
0047B9B7 . 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
0047B9BD . 50 push eax
0047B9BE . FF15 28104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0047B9C4 . 8BD0 mov edx, eax
0047B9C6 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047B9C9 . FFD6 call esi
0047B9CB . 8D4D C0 lea ecx, dword ptr [ebp-40]
0047B9CE . 8D55 C4 lea edx, dword ptr [ebp-3C]
0047B9D1 . 51 push ecx
0047B9D2 . 52 push edx
0047B9D3 . 8D45 C8 lea eax, dword ptr [ebp-38]
0047B9D6 . 50 push eax
0047B9D7 . 6A 03 push 3
0047B9D9 . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0047B9DF . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
0047B9E5 . 8D55 80 lea edx, dword ptr [ebp-80]
0047B9E8 . 51 push ecx
0047B9E9 . 8D45 90 lea eax, dword ptr [ebp-70]
0047B9EC . 52 push edx
0047B9ED . 8D4D A0 lea ecx, dword ptr [ebp-60]
0047B9F0 . 50 push eax
0047B9F1 . 8D55 B0 lea edx, dword ptr [ebp-50]
0047B9F4 . 51 push ecx
0047B9F5 . 52 push edx
0047B9F6 . 6A 05 push 5
0047B9F8 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0047B9FE . 83C4 28 add esp, 28
0047BA01 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
0047BA07 . 8D8D 10FFFFFF lea ecx, dword ptr [ebp-F0]
0047BA0D . 8D55 DC lea edx, dword ptr [ebp-24]
0047BA10 . 50 push eax
0047BA11 . 51 push ecx
0047BA12 . 52 push edx
0047BA13 . FF15 78124000 call dword ptr [<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0047BA19 .^ E9 95FEFFFF jmp 0047B8B3
0047BA1E > 8B45 D4 mov eax, dword ptr [ebp-2C]
0047BA21 . 50 push eax
0047BA22 . FF15 90124000 call dword ptr [<&MSVBVM60.#581>] ; MSVBVM60.rtcR8ValFromBstr
0047BA28 . DD5D CC fstp qword ptr [ebp-34]
0047BA2B . 9B wait
0047BA2C . 68 96BA4700 push 0047BA96
0047BA31 . EB 37 jmp short 0047BA6A
0047BA33 . 8D4D C0 lea ecx, dword ptr [ebp-40]
0047BA36 . 8D55 C4 lea edx, dword ptr [ebp-3C]
0047BA39 . 51 push ecx
0047BA3A . 8D45 C8 lea eax, dword ptr [ebp-38]
0047BA3D . 52 push edx
0047BA3E . 50 push eax
0047BA3F . 6A 03 push 3
0047BA41 . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0047BA47 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
0047BA4D . 8D55 80 lea edx, dword ptr [ebp-80]
0047BA50 . 51 push ecx
0047BA51 . 8D45 90 lea eax, dword ptr [ebp-70]
0047BA54 . 52 push edx
0047BA55 . 8D4D A0 lea ecx, dword ptr [ebp-60]
0047BA58 . 50 push eax
0047BA59 . 8D55 B0 lea edx, dword ptr [ebp-50]
0047BA5C . 51 push ecx
0047BA5D . 52 push edx
0047BA5E . 6A 05 push 5
0047BA60 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0047BA66 . 83C4 28 add esp, 28
0047BA69 . C3 retn
0047BA6A > 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
0047BA70 . 8D8D 10FFFFFF lea ecx, dword ptr [ebp-F0]
0047BA76 . 50 push eax
0047BA77 . 51 push ecx
0047BA78 . 6A 02 push 2
0047BA7A . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0047BA80 . 83C4 0C add esp, 0C
0047BA83 . 8D4D DC lea ecx, dword ptr [ebp-24]
0047BA86 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0047BA8C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0047BA8F . FF15 84124000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0047BA95 . C3 retn
0047BA96 . 8B4D F0 mov ecx, dword ptr [ebp-10]
0047BA99 . 5F pop edi
0047BA9A . DD45 CC fld qword ptr [ebp-34]
0047BA9D . 5E pop esi
0047BA9E . 64:890D 00000>mov dword ptr fs:[0], ecx
0047BAA5 . 5B pop ebx
0047BAA6 . 8BE5 mov esp, ebp
0047BAA8 . 5D pop ebp
0047BAA9 . C2 0400 retn 4
最后给出一组正确的注册码
用户名:noirlucifer
产品id:1234567890
注册码:4E5D5-A2AAC7-562C42
ps:每个用户名都对应多个注册码,不知是作者失误还是故意.
|
