心动文件夹 V3.4

标题：心动文件夹 V3.4
作者：fly
时间：2003/05/01 12:09pm
链接：http://bbs.pediy.com

简单算法——心动文件夹 V3.4

下载页面： http://www.skycn.com/soft/5368.html
软件大小： 1319 KB
软件语言：简体中文
软件类别：国产软件 / 共享版 / 系统设置
应用平台： Win9x/NT/2000/XP
加入时间： 2003-04-24 17:46:40
下载次数： 21851
推荐等级： ***
开发商： http://www.king-soft.com/

【软件简介】：一个可以保护和个性化你文件夹的好工具。心动文件夹一个极具个性化的软件，它能改变文件夹的视图、提示、图标及融合背景，使你的文件夹富有个性化，让你的文件夹可以唱歌、跳舞、震动和放电影，还能使用特效来转换文件夹的显示方式。让文件夹打开时变得绚丽无比。除此之外你还可以为文件夹设置密码保护，这样在个性化文件夹的同时还能保护好文件的安全。

【软件限制】：NAG

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

SSTI2002.exe 无壳。VB 6.0 编写。

用户名：fly
试炼码：13572468
—————————————————————————————————
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:00423405 FF1574104000 Call dword ptr [00401074]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004233F7(C)
|
:0042340B 8B4DE8 mov ecx, dword ptr [ebp-18]
====>EAX=fly 用户名

:0042340E 51 push ecx
:0042340F E89CB2FFFF call 0041E6B0
====>关键CALL！进入！

:00423414 8BD0 mov edx, eax
:00423416 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:00423419 FF15FC114000 Call dword ptr [004011FC]
:0042341F 8B55E4 mov edx, dword ptr [ebp-1C]
====>EDX=13572468 试炼码

:00423422 50 push eax
====>EAX=5D5D18342B 注册码

:00423423 52 push edx

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00423424 FF15D8104000 Call dword ptr [004010D8]
====>比较CALL！

:0042342A 8BF8 mov edi, eax
:0042342C 8D45E4 lea eax, dword ptr [ebp-1C]
:0042342F F7DF neg edi
:00423431 8D4DE0 lea ecx, dword ptr [ebp-20]
:00423434 50 push eax
:00423435 1BFF sbb edi, edi
====>爆破点！

:00423437 8D55E8 lea edx, dword ptr [ebp-18]
:0042343A 51 push ecx
:0042343B 47 inc edi
:0042343C 52 push edx
:0042343D 6A03 push 00000003
:0042343F F7DF neg edi

* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:00423441 FF15A4114000 Call dword ptr [004011A4]
:00423447 8D45D8 lea eax, dword ptr [ebp-28]
:0042344A 8D4DDC lea ecx, dword ptr [ebp-24]
:0042344D 50 push eax
:0042344E 51 push ecx
:0042344F 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeObjList, Ord:0000h
|
:00423451 FF1544104000 Call dword ptr [00401044]
:00423457 83C41C add esp, 0000001C
:0042345A B904000280 mov ecx, 80020004
:0042345F B80A000000 mov eax, 0000000A
:00423464 894DA0 mov dword ptr [ebp-60], ecx
:00423467 6685FF test di, di
:0042346A 894598 mov dword ptr [ebp-68], eax
:0042346D 894DB0 mov dword ptr [ebp-50], ecx
:00423470 8945A8 mov dword ptr [ebp-58], eax
:00423473 894DC0 mov dword ptr [ebp-40], ecx
:00423476 8945B8 mov dword ptr [ebp-48], eax
:00423479 0F8486010000 je 00423605
====>跳则OVER！

:0042347F 8D5588 lea edx, dword ptr [ebp-78]
:00423482 8D4DC8 lea ecx, dword ptr [ebp-38]

* Possible StringData Ref from Code Obj ->"Y"宍O鑜孮,go忲N�"
|
:00423485 C7459054A84000 mov [ebp-70], 0040A854
:0042348C C7458808000000 mov [ebp-78], 00000008

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00423493 FF15CC114000 Call dword ptr [004011CC]
:00423499 8D5598 lea edx, dword ptr [ebp-68]
:0042349C 8D45A8 lea eax, dword ptr [ebp-58]
:0042349F 52 push edx
:004234A0 8D4DB8 lea ecx, dword ptr [ebp-48]
:004234A3 50 push eax
:004234A4 51 push ecx
:004234A5 8D55C8 lea edx, dword ptr [ebp-38]
:004234A8 6A40 push 00000040
:004234AA 52 push edx

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:004234AB FF158C104000 Call dword ptr [0040108C]
====>呵呵，胜利女神！

…… ……省略…… ……

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00423631 FF158C104000 Call dword ptr [0040108C]
====>BAD BOY！

—————————————————————————————————
进入关键CALL：0042340F call 0041E6B0

* Referenced by a CALL at Addresses:
|:0042340F , :00428BF0 , :0043142E
|
:0041E6B0 55 push ebp
:0041E6B1 8BEC mov ebp, esp
:0041E6B3 83EC0C sub esp, 0000000C

* Possible StringData Ref from Code Obj ->"�% @"
|
:0041E6B6 6836214000 push 00402136
:0041E6BB 64A100000000 mov eax, dword ptr fs:[00000000]
:0041E6C1 50 push eax
:0041E6C2 64892500000000 mov dword ptr fs:[00000000], esp
:0041E6C9 81ECA8000000 sub esp, 000000A8
:0041E6CF 53 push ebx
:0041E6D0 56 push esi
:0041E6D1 57 push edi
:0041E6D2 8965F4 mov dword ptr [ebp-0C], esp
:0041E6D5 C745F8D8134000 mov [ebp-08], 004013D8
:0041E6DC 8B5508 mov edx, dword ptr [ebp+08]
:0041E6DF 33FF xor edi, edi
:0041E6E1 8D4DDC lea ecx, dword ptr [ebp-24]
:0041E6E4 897DE0 mov dword ptr [ebp-20], edi
:0041E6E7 897DDC mov dword ptr [ebp-24], edi
:0041E6EA 897DD4 mov dword ptr [ebp-2C], edi
:0041E6ED 897DD0 mov dword ptr [ebp-30], edi
:0041E6F0 897DCC mov dword ptr [ebp-34], edi
:0041E6F3 897DC8 mov dword ptr [ebp-38], edi
:0041E6F6 897DB8 mov dword ptr [ebp-48], edi
:0041E6F9 897DA8 mov dword ptr [ebp-58], edi
:0041E6FC 897D98 mov dword ptr [ebp-68], edi
:0041E6FF 897D94 mov dword ptr [ebp-6C], edi
:0041E702 897D84 mov dword ptr [ebp-7C], edi
:0041E705 89BD74FFFFFF mov dword ptr [ebp+FFFFFF74], edi

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0041E70B FF1598114000 Call dword ptr [00401198]
:0041E711 8B45DC mov eax, dword ptr [ebp-24]
====>EAX=fly

:0041E714 50 push eax

* Possible StringData Ref from Code Obj ->"DDFJKSLA452WDdfsa782fsa"
|
:0041E715 68CCA14000 push 0040A1CC
====>0040A1CC=DFJKSLA452WDdfsa782fsa
====>为什么第一个字符D没取？不明白。

* Reference To: MSVBVM60.__vbaStrCat, Ord:0000h
|
:0041E71A FF1560104000 Call dword ptr [00401060]
====>将用户名和上面给的字符串连接起来

:0041E720 8BD0 mov edx, eax
====>EDX=flyDFJKSLA452WDdfsa782fsa

:0041E722 8D4DDC lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0041E725 FF15FC114000 Call dword ptr [004011FC]
:0041E72B 57 push edi
:0041E72C 8D5584 lea edx, dword ptr [ebp-7C]
:0041E72F 6880000000 push 00000080
:0041E734 8D45B8 lea eax, dword ptr [ebp-48]
:0041E737 8D4DDC lea ecx, dword ptr [ebp-24]
:0041E73A 52 push edx
:0041E73B 50 push eax
:0041E73C 894D8C mov dword ptr [ebp-74], ecx
:0041E73F C7458408400000 mov [ebp-7C], 00004008

* Reference To: MSVBVM60.rtcStrConvVar2, Ord:02CDh
|
:0041E746 FF1548114000 Call dword ptr [00401148]
:0041E74C 8D4DB8 lea ecx, dword ptr [ebp-48]
:0041E74F 8D5594 lea edx, dword ptr [ebp-6C]
:0041E752 51 push ecx
:0041E753 52 push edx

* Reference To: MSVBVM60.__vbaVar2Vec, Ord:0000h
|
:0041E754 FF1584114000 Call dword ptr [00401184]
:0041E75A 8D4594 lea eax, dword ptr [ebp-6C]
:0041E75D 8D4DD4 lea ecx, dword ptr [ebp-2C]
:0041E760 50 push eax
:0041E761 51 push ecx

* Reference To: MSVBVM60.__vbaAryMove, Ord:0000h
|
:0041E762 FF151C104000 Call dword ptr [0040101C]
:0041E768 8D4DB8 lea ecx, dword ptr [ebp-48]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:0041E76B FF1520104000 Call dword ptr [00401020]
:0041E771 8B55D4 mov edx, dword ptr [ebp-2C]
:0041E774 52 push edx
:0041E775 6A01 push 00000001

* Reference To: MSVBVM60.__vbaUbound, Ord:0000h
|
:0041E777 FF154C114000 Call dword ptr [0040114C]
:0041E77D 83F814 cmp eax, 00000014
:0041E780 8945D8 mov dword ptr [ebp-28], eax
:0041E783 7E07 jle 0041E78C
:0041E785 C745D814000000 mov [ebp-28], 00000014
====>[ebp-28]=14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E783(C)
|
:0041E78C 33F6 xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E89C(U)
|
:0041E78E 3B75D8 cmp esi, dword ptr [ebp-28]
====>运算前21位！

:0041E791 0F8F0A010000 jg 0041E8A1
:0041E797 8B45D4 mov eax, dword ptr [ebp-2C]
:0041E79A 3BC7 cmp eax, edi
:0041E79C 7420 je 0041E7BE
:0041E79E 66833801 cmp word ptr [eax], 0001
:0041E7A2 751A jne 0041E7BE
:0041E7A4 8B5014 mov edx, dword ptr [eax+14]
:0041E7A7 8B4810 mov ecx, dword ptr [eax+10]
:0041E7AA 8BFE mov edi, esi
:0041E7AC 2BFA sub edi, edx
:0041E7AE 3BF9 cmp edi, ecx
:0041E7B0 7206 jb 0041E7B8

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E7B2 FF15D4104000 Call dword ptr [004010D4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E7B0(C)
|
:0041E7B8 8BDF mov ebx, edi
:0041E7BA 33FF xor edi, edi
:0041E7BC EB08 jmp 0041E7C6

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E79C(C), :0041E7A2(C)
|

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E7BE FF15D4104000 Call dword ptr [004010D4]
:0041E7C4 8BD8 mov ebx, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E7BC(U)
|
:0041E7C6 8D5584 lea edx, dword ptr [ebp-7C]
:0041E7C9 8D4DB8 lea ecx, dword ptr [ebp-48]
:0041E7CC C745B001000000 mov [ebp-50], 00000001
:0041E7D3 C745A802000000 mov [ebp-58], 00000002

* Possible StringData Ref from Code Obj ->"1123JJDDI8DF94JDFAI342ENB46BM54OWQ"
|
:0041E7DA C7458C84A14000 mov [ebp-74], 0040A184
====>[ebp-74]=123JJDDI8DF94JDFAI342ENB46BM54OWQ

:0041E7E1 C7458408000000 mov [ebp-7C], 00000008

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:0041E7E8 FF15CC114000 Call dword ptr [004011CC]
:0041E7EE 8BCE mov ecx, esi
:0041E7F0 8D45A8 lea eax, dword ptr [ebp-58]
:0041E7F3 83C101 add ecx, 00000001
:0041E7F6 50 push eax
:0041E7F7 0F80FD020000 jo 0041EAFA
:0041E7FD 8D55B8 lea edx, dword ptr [ebp-48]
:0041E800 51 push ecx
:0041E801 8D4598 lea eax, dword ptr [ebp-68]
:0041E804 52 push edx
:0041E805 50 push eax

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0041E806 FF15C0104000 Call dword ptr [004010C0]
====>依次取123JJDDI8DF94JDFAI342

:0041E80C 8B45D4 mov eax, dword ptr [ebp-2C]
:0041E80F 3BC7 cmp eax, edi
:0041E811 741C je 0041E82F
:0041E813 66833801 cmp word ptr [eax], 0001
:0041E817 7516 jne 0041E82F
:0041E819 8B5014 mov edx, dword ptr [eax+14]
:0041E81C 8B4810 mov ecx, dword ptr [eax+10]
:0041E81F 8BFE mov edi, esi
:0041E821 2BFA sub edi, edx
:0041E823 3BF9 cmp edi, ecx
:0041E825 7210 jb 0041E837

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E827 FF15D4104000 Call dword ptr [004010D4]
:0041E82D EB08 jmp 0041E837

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E811(C), :0041E817(C)
|

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E82F FF15D4104000 Call dword ptr [004010D4]
:0041E835 8BF8 mov edi, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E825(C), :0041E82D(U)
|
:0041E837 8D4D98 lea ecx, dword ptr [ebp-68]
:0041E83A 8D55C8 lea edx, dword ptr [ebp-38]
:0041E83D 51 push ecx
:0041E83E 52 push edx

* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:0041E83F FF1550114000 Call dword ptr [00401150]
:0041E845 50 push eax

* Reference To: MSVBVM60.rtcAnsivalueBstr, Ord:0204h
|
:0041E846 FF1548104000 Call dword ptr [00401048]
:0041E84C 668BC8 mov cx, ax
:0041E84F 8B45D4 mov eax, dword ptr [ebp-2C]
:0041E852 8B500C mov edx, dword ptr [eax+0C]
====>EDX=flyDFJKSLA452WDdfsa78

:0041E855 660FB6041A movzx ax, byte ptr [edx+ebx]
====>依次取flyDDFJKSLA452WDdfsa78字符的HEX值

:0041E85A 33C8 xor ecx, eax
====>依次和123JJDDI8DF94JDFAI342字符的HEX值异或

* Reference To: MSVBVM60.__vbaUI1I2, Ord:0000h
|
:0041E85C FF1510114000 Call dword ptr [00401110]
:0041E862 8B4DD4 mov ecx, dword ptr [ebp-2C]
:0041E865 8B510C mov edx, dword ptr [ecx+0C]
:0041E868 8D4DC8 lea ecx, dword ptr [ebp-38]
:0041E86B 88043A mov byte ptr [edx+edi], al
====>结果入[edx+edi]

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[edx+edi]内存中的值是上面21次循环运算得出的值：

0044F168 57 5E 4A 0E 0C 0E 0F 1A 74 05 72 0C 06 1D 00 22 W^J.tr.."
0044F178 27 3A 52 03 0A ':R.
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0041E86E FF151C124000 Call dword ptr [0040121C]
:0041E874 8D4598 lea eax, dword ptr [ebp-68]
:0041E877 8D4DA8 lea ecx, dword ptr [ebp-58]
:0041E87A 50 push eax
:0041E87B 8D55B8 lea edx, dword ptr [ebp-48]
:0041E87E 51 push ecx
:0041E87F 52 push edx
:0041E880 6A03 push 00000003

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0041E882 FF1538104000 Call dword ptr [00401038]
:0041E888 B801000000 mov eax, 00000001
:0041E88D 83C410 add esp, 00000010
:0041E890 03C6 add eax, esi
:0041E892 0F8062020000 jo 0041EAFA
:0041E898 8BF0 mov esi, eax
:0041E89A 33FF xor edi, edi
:0041E89C E9EDFEFFFF jmp 0041E78E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E791(C)
|
:0041E8A1 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E968(U)
|
:0041E8A3 3B5DD8 cmp ebx, dword ptr [ebp-28]
====>下面再次循环运算！

:0041E8A6 0F8FC1000000 jg 0041E96D
:0041E8AC 8B4DD4 mov ecx, dword ptr [ebp-2C]
:0041E8AF 3BCF cmp ecx, edi
:0041E8B1 7427 je 0041E8DA
:0041E8B3 66833901 cmp word ptr [ecx], 0001
:0041E8B7 7521 jne 0041E8DA
:0041E8B9 8B5114 mov edx, dword ptr [ecx+14]
:0041E8BC 8B4110 mov eax, dword ptr [ecx+10]

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E8BF 8B3DD4104000 mov edi, dword ptr [004010D4]
:0041E8C5 8BF3 mov esi, ebx
:0041E8C7 2BF2 sub esi, edx
:0041E8C9 3BF0 cmp esi, eax
:0041E8CB 7205 jb 0041E8D2
:0041E8CD FFD7 call edi
:0041E8CF 8B4DD4 mov ecx, dword ptr [ebp-2C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E8CB(C)
|
:0041E8D2 89B544FFFFFF mov dword ptr [ebp+FFFFFF44], esi
:0041E8D8 EB15 jmp 0041E8EF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E8B1(C), :0041E8B7(C)
|

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E8DA FF15D4104000 Call dword ptr [004010D4]
:0041E8E0 8B4DD4 mov ecx, dword ptr [ebp-2C]

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E8E3 8B3DD4104000 mov edi, dword ptr [004010D4]
:0041E8E9 898544FFFFFF mov dword ptr [ebp+FFFFFF44], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E8D8(U)
|
:0041E8EF 85C9 test ecx, ecx
:0041E8F1 7421 je 0041E914
:0041E8F3 66833901 cmp word ptr [ecx], 0001
:0041E8F7 751B jne 0041E914
:0041E8F9 8B75D8 mov esi, dword ptr [ebp-28]
:0041E8FC 8B5114 mov edx, dword ptr [ecx+14]
:0041E8FF 8B4110 mov eax, dword ptr [ecx+10]
:0041E902 2BF3 sub esi, ebx
:0041E904 0F80F0010000 jo 0041EAFA
:0041E90A 2BF2 sub esi, edx
:0041E90C 3BF0 cmp esi, eax
:0041E90E 720B jb 0041E91B
:0041E910 FFD7 call edi
:0041E912 EB04 jmp 0041E918

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E8F1(C), :0041E8F7(C)
|
:0041E914 FFD7 call edi
:0041E916 8BF0 mov esi, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E912(U)
|
:0041E918 8B4DD4 mov ecx, dword ptr [ebp-2C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E90E(C)
|
:0041E91B 85C9 test ecx, ecx
:0041E91D 7421 je 0041E940
:0041E91F 66833901 cmp word ptr [ecx], 0001
:0041E923 751B jne 0041E940
:0041E925 8B5114 mov edx, dword ptr [ecx+14]
:0041E928 8B4110 mov eax, dword ptr [ecx+10]
:0041E92B 8BFB mov edi, ebx
:0041E92D 2BFA sub edi, edx
:0041E92F 3BF8 cmp edi, eax
:0041E931 7209 jb 0041E93C

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E933 FF15D4104000 Call dword ptr [004010D4]
:0041E939 8B4DD4 mov ecx, dword ptr [ebp-2C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E931(C)
|
:0041E93C 8BC7 mov eax, edi
:0041E93E EB05 jmp 0041E945

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E91D(C), :0041E923(C)
|
:0041E940 FFD7 call edi
:0041E942 8B4DD4 mov ecx, dword ptr [ebp-2C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E93E(U)
|
:0041E945 8B490C mov ecx, dword ptr [ecx+0C]

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[ecx+0C]内存中的值是上面21次循环异或运算得出的值：

:0041E948 8A1431 mov dl, byte ptr [ecx+esi]
====>倒序取57 5E 4A 0E 0C 0E 0F 1A 74 05 72 0C 06 1D 00 22 27 3A 52 03 0A

:0041E94B 8BB544FFFFFF mov esi, dword ptr [ebp+FFFFFF44]
====>ESI=循环次数。从0开始

:0041E951 321431 xor dl, byte ptr [ecx+esi]
====>倒序取的值依次与57 5E 4A 0E 0C 0E 0F 1A 74 05 72 0C 06 1D 00 22 27 3A 52 03 0A异或

:0041E954 881401 mov byte ptr [ecx+eax], dl
====>结果入[ecx+eax]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[ecx+eax]内存中最后得到的值：

0044F168 5D 5D 18 34 2B 2C 0F 07 72 09 00 05 74 1A 0F 0E ]]4+,r..t
0044F178 0C 0E 4A 5E 57 .J^W
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:0041E957 B801000000 mov eax, 00000001
:0041E95C 03C3 add eax, ebx
:0041E95E 0F8096010000 jo 0041EAFA
:0041E964 8BD8 mov ebx, eax
:0041E966 33FF xor edi, edi
:0041E968 E936FFFFFF jmp 0041E8A3
====>再次循环运算21次！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E8A6(C)
|

* Reference To: MSVBVM60.__vbaStrVarMove, Ord:0000h
|
:0041E96D 8B1D2C104000 mov ebx, dword ptr [0040102C]
:0041E973 33F6 xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041EA3E(U)
|
:0041E975 3B75D8 cmp esi, dword ptr [ebp-28]
:0041E978 0F8FC5000000 jg 0041EA43
:0041E97E 8B4DD4 mov ecx, dword ptr [ebp-2C]
:0041E981 8B45D0 mov eax, dword ptr [ebp-30]
:0041E984 8D55CC lea edx, dword ptr [ebp-34]
:0041E987 51 push ecx
:0041E988 52 push edx
:0041E989 89857CFFFFFF mov dword ptr [ebp+FFFFFF7C], eax
:0041E98F C78574FFFFFF08000000 mov dword ptr [ebp+FFFFFF74], 00000008

* Reference To: MSVBVM60.__vbaAryLock, Ord:0000h
|
:0041E999 FF15C4114000 Call dword ptr [004011C4]
:0041E99F 8B4DCC mov ecx, dword ptr [ebp-34]
:0041E9A2 3BCF cmp ecx, edi
:0041E9A4 7423 je 0041E9C9
:0041E9A6 66833901 cmp word ptr [ecx], 0001
:0041E9AA 751D jne 0041E9C9
:0041E9AC 8B5114 mov edx, dword ptr [ecx+14]
:0041E9AF 8B4110 mov eax, dword ptr [ecx+10]
:0041E9B2 8BFE mov edi, esi
:0041E9B4 2BFA sub edi, edx
:0041E9B6 3BF8 cmp edi, eax
:0041E9B8 7209 jb 0041E9C3

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E9BA FF15D4104000 Call dword ptr [004010D4]
:0041E9C0 8B4DCC mov ecx, dword ptr [ebp-34]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E9B8(C)
|
:0041E9C3 8BC7 mov eax, edi
:0041E9C5 33FF xor edi, edi
:0041E9C7 EB09 jmp 0041E9D2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041E9A4(C), :0041E9AA(C)
|

* Reference To: MSVBVM60.__vbaGenerateBoundsError, Ord:0000h
|
:0041E9C9 FF15D4104000 Call dword ptr [004010D4]
:0041E9CF 8B4DCC mov ecx, dword ptr [ebp-34]
====>ECX=[ebp-34]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[ebp-34]内存中值：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E9C7(U)
|
:0041E9D2 8B490C mov ecx, dword ptr [ecx+0C]
:0041E9D5 8D5584 lea edx, dword ptr [ebp-7C]
:0041E9D8 03C8 add ecx, eax
:0041E9DA 8D45B8 lea eax, dword ptr [ebp-48]
:0041E9DD 52 push edx
:0041E9DE 50 push eax
:0041E9DF 894D8C mov dword ptr [ebp-74], ecx
:0041E9E2 C7458411400000 mov [ebp-7C], 00004011

* Reference To: MSVBVM60.rtcHexVarFromVar, Ord:023Dh
|
:0041E9E9 FF1594114000 Call dword ptr [00401194]
====>rtcHexVarFromVar

:0041E9EF 8D4DCC lea ecx, dword ptr [ebp-34]
:0041E9F2 51 push ecx

* Reference To: MSVBVM60.__vbaAryUnlock, Ord:0000h
|
:0041E9F3 FF1510124000 Call dword ptr [00401210]
:0041E9F9 8D9574FFFFFF lea edx, dword ptr [ebp+FFFFFF74]
:0041E9FF 8D45B8 lea eax, dword ptr [ebp-48]
:0041EA02 52 push edx
:0041EA03 8D4DA8 lea ecx, dword ptr [ebp-58]
:0041EA06 50 push eax
:0041EA07 51 push ecx

* Reference To: MSVBVM60.__vbaVarCat, Ord:0000h
|
:0041EA08 FF1558114000 Call dword ptr [00401158]
:0041EA0E 50 push eax
:0041EA0F FFD3 call ebx
:0041EA11 8BD0 mov edx, eax
====>EDX=5D5D18342B2CF77295741AFECE4A5E57

:0041EA13 8D4DD0 lea ecx, dword ptr [ebp-30]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0041EA16 FF15FC114000 Call dword ptr [004011FC]
:0041EA1C 8D55A8 lea edx, dword ptr [ebp-58]
:0041EA1F 8D45B8 lea eax, dword ptr [ebp-48]
:0041EA22 52 push edx
:0041EA23 50 push eax
:0041EA24 6A02 push 00000002

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0041EA26 FF1538104000 Call dword ptr [00401038]
:0041EA2C B801000000 mov eax, 00000001
:0041EA31 83C40C add esp, 0000000C
:0041EA34 03C6 add eax, esi
:0041EA36 0F80BE000000 jo 0041EAFA
:0041EA3C 8BF0 mov esi, eax
:0041EA3E E932FFFFFF jmp 0041E975
====>再次循环！把上面所得的HEX值直接变成字符。
====>呵呵，没学过VB，不知如何精确表达了。^O^^O^

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E978(C)
|
:0041EA43 8D5584 lea edx, dword ptr [ebp-7C]
:0041EA46 6A0A push 0000000A
:0041EA48 8D45B8 lea eax, dword ptr [ebp-48]
:0041EA4B 8D4DD0 lea ecx, dword ptr [ebp-30]
:0041EA4E 52 push edx
:0041EA4F 50 push eax
:0041EA50 894D8C mov dword ptr [ebp-74], ecx
:0041EA53 C7458408400000 mov [ebp-7C], 00004008

* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
|
:0041EA5A FF15E8114000 Call dword ptr [004011E8]
====>从字符串左边取10个字符

:0041EA60 8D4DB8 lea ecx, dword ptr [ebp-48]
:0041EA63 51 push ecx
:0041EA64 FFD3 call ebx
:0041EA66 8BD0 mov edx, eax
====>EDX=5D5D18342B 这就是我的注册码了！

:0041EA68 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0041EA6B FF15FC114000 Call dword ptr [004011FC]
:0041EA71 8D4DB8 lea ecx, dword ptr [ebp-48]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
|
:0041EA74 FF1520104000 Call dword ptr [00401020]
:0041EA7A 68E4EA4100 push 0041EAE4
:0041EA7F EB46 jmp 0041EAC7
:0041EA81 F645FC04 test [ebp-04], 04
:0041EA85 7409 je 0041EA90
:0041EA87 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0041EA8A FF151C124000 Call dword ptr [0040121C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041EA85(C)
|
:0041EA90 8D55CC lea edx, dword ptr [ebp-34]
:0041EA93 52 push edx

* Reference To: MSVBVM60.__vbaAryUnlock, Ord:0000h
|
:0041EA94 FF1510124000 Call dword ptr [00401210]
:0041EA9A 8D4DC8 lea ecx, dword ptr [ebp-38]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:0041EA9D FF151C124000 Call dword ptr [0040121C]
:0041EAA3 8D4598 lea eax, dword ptr [ebp-68]
:0041EAA6 8D4DA8 lea ecx, dword ptr [ebp-58]
:0041EAA9 50 push eax
:0041EAAA 8D55B8 lea edx, dword ptr [ebp-48]
:0041EAAD 51 push ecx
:0041EAAE 52 push edx
:0041EAAF 6A03 push 00000003

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:0041EAB1 FF1538104000 Call dword ptr [00401038]
:0041EAB7 83C410 add esp, 00000010
:0041EABA 8D4594 lea eax, dword ptr [ebp-6C]
:0041EABD 50 push eax
:0041EABE 6A00 push 00000000

* Reference To: MSVBVM60.__vbaAryDestruct, Ord:0000h
|
:0041EAC0 FF157C104000 Call dword ptr [0040107C]
:0041EAC6 C3 ret

—————————————————————————————————
【算法总结】：

晕，没学过VB，许多指令不清楚其精确涵义，只能一边猜测一边调试了，不妥之处请方家指正！

1、取用户名fly和程序给的字符串DFJKSLA452WDdfsa782fsa连接起来。

2、依次取flyDFJKSLA452WDdfsa782fsa前21位的字符的HEX值和程序给的123JJDDI8DF94JDFAI342ENB46BM54OWQ的前21位依次进行异或运算。得出的结果为：57 5E 4A 0E 0C 0E 0F 1A 74 05 72 0C 06 1D 00 22 27 3A 52 03 0A

3、分别倒序和正序取57 5E 4A 0E 0C 0E 0F 1A 74 05 72 0C 06 1D 00 22 27 3A 52 03 0A
进行异或。得出：5D 5D 18 34 2B 2C 0F 07 72 09 00 05 74 1A 0F 0E 0C 0E 4A 5E 57

4、把上面的HEX值直接变成字符（去掉0），得出：5D5D18342B2CF77295741AFECE4A5E57

5、取5D5D18342B2CF77295741AFECE4A5E57的左边10位字符作为注册码。

—————————————————————————————————
【KeyMake之{78th}内存注册机】：

中断地址：00423422
中断次数：1
第一字节：50
指令长度：1

内存方式：EAX
宽字符串

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Login Master\User\username]
"Name"="fly"

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Login Master\User\userID]
"ID"="5D5D18342B"

—————————————————————————————————
【整理】：

用户名：fly
注册码：5D5D18342B

—————————————————————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-04-30 21:34