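Study notes, part 2. Set a breakpoint on MSVBVM60.__vbaStrMove, then remove the breakpoint and return to the disassembly window. Scroll up to the code below and set a breakpoint here: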
004023DC 6A 01 PUSH 1
004023DE FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError
004023E4 8B16 MOV EDX,DWORD PTR DS:[ESI]
004023E6 56 PUSH ESI
004023E7 FF92 14030000 CALL DWORD PTR DS:[EDX+314]
004023ED 50 PUSH EAX
004023EE 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004023F1 50 PUSH EAX
004023F2 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004023F8 8BF8 MOV EDI,EAX
004023FA 8B0F MOV ECX,DWORD PTR DS:[EDI]
004023FC 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004023FF 52 PUSH EDX
00402400 57 PUSH EDI
00402401 FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]
00402407 DBE2 FCLEX
00402409 3BC3 CMP EAX,EBX
0040240B 7D 12 JGE SHORT KeyGenMe.0040241F
0040240D 68 A0000000 PUSH 0A0
00402412 68 581C4000 PUSH KeyGenMe.00401C58
00402417 57 PUSH EDI
00402418 50 PUSH EAX
00402419 FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040241F 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00402422 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00402425 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402428 8B3D A4104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0040242E FFD7 CALL EDI ; get the user name; <&MSVBVM60.__vbaStrMove>
00402430 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00402433 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402439 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0040243C 50 PUSH EAX
0040243D FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; get the user name length
00402443 8BC8 MOV ECX,EAX
00402445 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
0040244B 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
0040244E 66:3D 0200 CMP AX,2 ; compare the user name length with 2
00402452 0F8C D1010000 JL KeyGenMe.00402629 ; if less, jump to failure
00402458 8B0E MOV ECX,DWORD PTR DS:[ESI]
0040245A 56 PUSH ESI
0040245B FF91 0C030000 CALL DWORD PTR DS:[ECX+30C]
00402461 50 PUSH EAX
00402462 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00402465 52 PUSH EDX
00402466 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040246C 8BF0 MOV ESI,EAX
0040246E 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402470 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402473 51 PUSH ECX
00402474 56 PUSH ESI
00402475 FF90 A0000000 CALL DWORD PTR DS:[EAX+A0]
0040247B DBE2 FCLEX
0040247D 3BC3 CMP EAX,EBX
0040247F 7D 12 JGE SHORT KeyGenMe.00402493
00402481 68 A0000000 PUSH 0A0
00402486 68 581C4000 PUSH KeyGenMe.00401C58
0040248B 56 PUSH ESI
0040248C 50 PUSH EAX
0040248D FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402493 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00402496 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
00402499 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0040249C FFD7 CALL EDI ; get the entered trial serial
0040249E 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004024A1 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004024A7 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
004024AA 52 PUSH EDX
004024AB FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
004024B1 8BC8 MOV ECX,EAX ; get the trial serial length
004024B3 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
004024B9 66:3BC3 CMP AX,BX
004024BC 0F84 67010000 JE KeyGenMe.00402629
004024C2 BF 01000000 MOV EDI,1
004024C7 8BF7 MOV ESI,EDI
004024C9 8B1D 0C104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
004024CF 66:3B75 D0 CMP SI,WORD PTR SS:[EBP-30]
004024D3 0F8F 89000000 JG KeyGenMe.00402562
004024D9 C745 BC 0100000>MOV DWORD PTR SS:[EBP-44],1
004024E0 C745 B4 0200000>MOV DWORD PTR SS:[EBP-4C],2
004024E7 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004024EA 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
004024F0 C785 74FFFFFF 0>MOV DWORD PTR SS:[EBP-8C],4008
004024FA 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C]
004024FD 51 PUSH ECX
004024FE 0FBFD6 MOVSX EDX,SI
00402501 52 PUSH EDX
00402502 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
00402508 50 PUSH EAX
00402509 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
0040250C 51 PUSH ECX
0040250D FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402513 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00402516 52 PUSH EDX
00402517 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
0040251A 50 PUSH EAX
0040251B FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00402521 50 PUSH EAX
00402522 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; get the ASCII code of the user name character
00402528 0FBFC8 MOVSX ECX,AX
0040252B 03CF ADD ECX,EDI ; accumulate the user name ASCII codes in ECX, on top of the initial value 1
0040252D 0F80 62010000 JO KeyGenMe.00402695
00402533 8BF9 MOV EDI,ECX ; store the running sum back in EDI
00402535 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402538 FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040253E 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00402541 52 PUSH EDX
00402542 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
00402545 50 PUSH EAX
00402546 6A 02 PUSH 2
00402548 FFD3 CALL EBX
0040254A 83C4 0C ADD ESP,0C
0040254D B8 01000000 MOV EAX,1
00402552 66:03C6 ADD AX,SI
00402555 0F80 3A010000 JO KeyGenMe.00402695
0040255B 8BF0 MOV ESI,EAX
0040255D ^ E9 6DFFFFFF JMP KeyGenMe.004024CF
00402562 69FF 10030000 IMUL EDI,EDI,310 ; multiply the sum by 310 (hex)
00402568 0F80 27010000 JO KeyGenMe.00402695
0040256E DD05 E8104000 FLD QWORD PTR DS:[4010E8] ; fixed value 26A2F285
00402574 FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>>; convert the fixed value (a double) to a 32-bit integer
0040257A 33F8 XOR EDI,EAX ; XOR the sum with the fixed value
0040257C 897D D8 MOV DWORD PTR SS:[EBP-28],EDI
0040257F DB45 D8 FILD DWORD PTR SS:[EBP-28]
00402582 DD9D 14FFFFFF FSTP QWORD PTR SS:[EBP-EC]
00402588 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
0040258B 51 PUSH ECX
0040258C FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
00402592 DC9D 14FFFFFF FCOMP QWORD PTR SS:[EBP-EC] ; compare the entered serial with the real one
00402598 DFE0 FSTSW AX
0040259A F6C4 40 TEST AH,40
0040259D 0F84 86000000 JE KeyGenMe.00402629 ; the key jump
004025A3 B9 04000280 MOV ECX,80020004
004025A8 894D 8C MOV DWORD PTR SS:[EBP-74],ECX
004025AB B8 0A000000 MOV EAX,0A
004025B0 8945 84 MOV DWORD PTR SS:[EBP-7C],EAX
004025B3 894D 9C MOV DWORD PTR SS:[EBP-64],ECX
004025B6 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
004025B9 C785 6CFFFFFF 8>MOV DWORD PTR SS:[EBP-94],KeyGenMe.00401>; UNICODE "Congratulations"

Algorithm summary:
1. Sum the ASCII codes of the user name characters, on top of an initial value of 1.
2. Multiply the sum by 310 (hex).
3. XOR the result with the fixed value 26A2F285.
4. The result must be entered in decimal.
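Writing the keygen from the algorithm:

var
  name: string;
  i: integer;
  s1, s2, s3: longword;
begin
  name := edit1.Text;
  s1 := 1;                           // initial value 1
  if length(name) < 2 then exit;     // the program rejects names shorter than 2
  for i := 1 to length(name) do
    s1 := s1 + ord(name[i]);         // add each character code to the sum
  s2 := s1 * $310;                   // multiply by 310 hex
  s3 := s2 xor $26A2F285;            // XOR with the fixed value
  edit2.text := inttostr(s3);        // serial is the decimal form
end;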
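To cross-check the summary against the listing, here is a Python model of the whole validation routine, early exits and overflow branches included. It is an added example, not code from the original notes. The function names are hypothetical, names are assumed to be ASCII, and `float()` stands in for `__vbaR8Str`.

```python
# Added model of the check at 004023DC..0040259D; constructed from the listing.
INT16_MAX = 0x7FFF
INT32_MAX = 0x7FFFFFFF
MULTIPLIER = 0x310        # IMUL EDI,EDI,310
XOR_KEY = 0x26A2F285      # fixed value loaded at 0040256E, per the notes


def expected_value(name: str) -> int:
    """Value left in EDI after the XOR at 0040257A.

    Raises OverflowError where the listing takes a JO branch to 00402695;
    what the program does at that address is not shown on the page.
    """
    if not name.isascii():
        raise ValueError("model covers ASCII names only (assumption)")
    if len(name) > INT16_MAX:              # length and counter are 16-bit
        raise OverflowError("16-bit length/loop counter overflow")
    total = 1                              # MOV EDI,1
    for ch in name:                        # loop 004024CF..0040255D
        total += ord(ch)                   # ADD ECX,EDI (cannot overflow here:
                                           # at most 32767 chars of value <= 127)
    product = total * MULTIPLIER
    if product > INT32_MAX:                # JO after the signed IMUL
        raise OverflowError("IMUL result exceeds signed 32 bits")
    return product ^ XOR_KEY               # always positive: both operands < 2**31


def check(name: str, serial: str) -> bool:
    """Accept/reject decision, following the order of tests in the listing."""
    if len(name) < 2:                      # CMP AX,2 / JL 00402629
        return False
    if len(serial) == 0:                   # CMP AX,BX / JE 00402629
        return False
    try:
        entered = float(serial)            # stand-in for __vbaR8Str
    except ValueError:
        return False
    # FCOMP compares two doubles; a 32-bit integer is exactly representable.
    return entered == float(expected_value(name))
```

Because the comparison is made on doubles rather than on strings, the model accepts any text that parses to the same number (a leading zero, for instance); whether MSVBVM60 parses every such form the same way is not verified here.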