海啸录音机Ver2.1注册算法分析
对象:海啸录音机Ver2.1
作者:lordor[CCG][BCG][DFCG]
Mail:lordor@sina.com
QQ:88378557
目的:属技术交流,无其它目的,请不要任意散布或用用商业用途。初学破解,如有不对的地方欢迎批评指出。
工具:ollydbg1.09C,fi301
假设:
机器码:lordor
注册码:654321
又是一个VB程序,无壳。今天不忙,正好看一下。
用ollyDbg载入程序。使用我说有方法,用rtcmsg下断,F9运行,来到这里
0040AF63 LEA ECX,DWORD PTR SS:[EBP-28]
0040AF66 CALL EDI
0040AF68 PUSH EAX
0040AF69 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0040AF6F MOV ESI,EAX
0040AF71 NEG ESI
0040AF73 SBB ESI,ESI
0040AF75 INC ESI
0040AF76 NEG ESI
0040AF78 LEA ECX,DWORD PTR SS:[EBP-28]
0040AF7B CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040AF81 CMP SI,BX
0040AF84 JE HXRecord.0040B04C ===》从这里跳到提示注册
0040AF8A MOV EAX,DWORD PTR DS:[40F010]
0040AF8F CMP EAX,EBX
0040AF91 JNZ SHORT HXRecord.0040AFA8
0040AF93 PUSH HXRecord.0040F010
0040AF98 PUSH HXRecord.00405020
0040AF9D CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>;
MSVBVM60.__vbaNew2
0040AFA3 MOV EAX,DWORD PTR DS:[40F010]
0040AFA8 MOV ECX,DWORD PTR DS:[EAX]
0040AFAA PUSH EAX
0040AFAB CALL DWORD PTR DS:[ECX+308]
0040AFB1 PUSH EAX
0040AFB2 LEA EDX,DWORD PTR SS:[EBP-30]
0040AFB5 PUSH EDX
0040AFB6 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
0040AFBC CALL EDI
; <&MSVBVM60.__vbaObjSet>
0040AFBE MOV ESI,EAX
0040AFC0 MOV EAX,DWORD PTR DS:[ESI]
0040AFC2 PUSH HXRecord.004068EC
0040AFC7 PUSH ESI
0040AFC8 CALL DWORD PTR DS:[EAX+54]
0040AFCB FCLEX
0040AFCD CMP EAX,EBX
0040AFCF JGE SHORT HXRecord.0040AFE0
0040AFD1 PUSH 54
0040AFD3 PUSH HXRecord.00406648
0040AFD8 PUSH ESI
0040AFD9 PUSH EAX
0040AFDA CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040AFE0 LEA ECX,DWORD PTR SS:[EBP-30]
0040AFE3 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040AFE9 MOV WORD PTR DS:[40F024],0FFFF
0040AFF2 MOV EAX,DWORD PTR DS:[40F010]
0040AFF7 CMP EAX,EBX
0040AFF9 JNZ SHORT HXRecord.0040B010
0040AFFB PUSH HXRecord.0040F010
0040B000 PUSH HXRecord.00405020
0040B005 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>;
MSVBVM60.__vbaNew2
0040B00B MOV EAX,DWORD PTR DS:[40F010]
0040B010 MOV ECX,DWORD PTR DS:[EAX]
0040B012 PUSH EAX
0040B013 CALL DWORD PTR DS:[ECX+304]
0040B019 PUSH EAX
0040B01A LEA EDX,DWORD PTR SS:[EBP-30]
0040B01D PUSH EDX
0040B01E CALL EDI
0040B020 MOV ESI,EAX
0040B022 MOV EAX,DWORD PTR DS:[ESI]
0040B024 PUSH EBX
0040B025 PUSH ESI
0040B026 CALL DWORD PTR DS:[EAX+5C]
0040B029 FCLEX
0040B02B CMP EAX,EBX
0040B02D JGE SHORT HXRecord.0040B03E
0040B02F PUSH 5C
0040B031 PUSH HXRecord.0040691C
0040B036 PUSH ESI
0040B037 PUSH EAX
0040B038 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040B03E LEA ECX,DWORD PTR SS:[EBP-30]
0040B041 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040B047 JMP HXRecord.0040B174
0040B04C MOV ECX,80020004
0040B051 MOV DWORD PTR SS:[EBP-68],ECX
0040B054 MOV EAX,0A
0040B059 MOV DWORD PTR SS:[EBP-70],EAX
0040B05C MOV DWORD PTR SS:[EBP-58],ECX
0040B05F MOV DWORD PTR SS:[EBP-60],EAX
0040B062 MOV DWORD PTR SS:[EBP-88],HXRecord.00406>
0040B06C MOV ESI,8
0040B071 MOV DWORD PTR SS:[EBP-90],ESI
0040B077 LEA EDX,DWORD PTR SS:[EBP-90]
0040B07D LEA ECX,DWORD PTR SS:[EBP-50]
0040B080 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDup
0040B086 CALL EDI
; <&MSVBVM60.__vbaVarDup>
0040B088 MOV DWORD PTR SS:[EBP-78],HXRecord.00406>
0040B08F MOV DWORD PTR SS:[EBP-80],ESI
0040B092 LEA EDX,DWORD PTR SS:[EBP-80]
0040B095 LEA ECX,DWORD PTR SS:[EBP-40]
0040B098 CALL EDI
0040B09A LEA ECX,DWORD PTR SS:[EBP-70]
0040B09D PUSH ECX
0040B09E LEA EDX,DWORD PTR SS:[EBP-60]
0040B0A1 PUSH EDX
0040B0A2 LEA EAX,DWORD PTR SS:[EBP-50]
0040B0A5 PUSH EAX
0040B0A6 PUSH 40
0040B0A8 LEA ECX,DWORD PTR SS:[EBP-40]
0040B0AB PUSH ECX
0040B0AC CALL DWORD PTR DS:[<&MSVBVM60.#595>]
; MSVBVM60.rtcMsgBox ==>启动时揭示未注册
0040B0B2 LEA EDX,DWORD PTR SS:[EBP-70]
0040B0B5 PUSH EDX
0040B0B6 LEA EAX,DWORD PTR SS:[EBP-60]
运行后,在注册框中输入用户名及注册码,来到这里:
0040D7E2 FCLEX
0040D7E4 JGE SHORT HXRecord.0040D7F8
0040D7E6 PUSH 0A0
0040D7EB PUSH HXRecord.00406EE8
0040D7F0 PUSH EDI
0040D7F1 PUSH EAX
0040D7F2 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040D7F8 MOV EDX,DWORD PTR SS:[EBP-20] ==>用户名入edx
0040D7FB MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0040D801 LEA ECX,DWORD PTR SS:[EBP-24]
0040D804 MOV DWORD PTR SS:[EBP-20],0
0040D80B CALL EDI
; <&MSVBVM60.__vbaStrMove>
0040D80D MOV ECX,DWORD PTR SS:[EBP-1C] ==>注册码入ecx
0040D810 LEA EDX,DWORD PTR SS:[EBP-24]
0040D813 PUSH ECX ==>压入注册码指针
0040D814 PUSH EDX ==>压入用户名指针
0040D815 CALL HXRecord.0040CF30 ==>关键call
0040D81A MOV EDX,EAX ==>产生真码,入edx
0040D81C LEA ECX,DWORD PTR SS:[EBP-28] ==>
0040D81F CALL EDI
0040D821 PUSH EAX
0040D822 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0040D828 MOV EDI,EAX
0040D82A LEA EAX,DWORD PTR SS:[EBP-28]
0040D82D NEG EDI
0040D82F LEA ECX,DWORD PTR SS:[EBP-1C]
0040D832 PUSH EAX
0040D833 SBB EDI,EDI
0040D835 LEA EDX,DWORD PTR SS:[EBP-24]
0040D838 PUSH ECX
0040D839 INC EDI
0040D83A PUSH EDX
0040D83B PUSH 3
0040D83D NEG EDI
0040D83F CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0040D845 LEA EAX,DWORD PTR SS:[EBP-30]
0040D848 LEA ECX,DWORD PTR SS:[EBP-2C]
0040D84B PUSH EAX
0040D84C PUSH ECX
0040D84D PUSH 2
0040D84F CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
0040D855 ADD ESP,1C
0040D858 TEST DI,DI
0040D85B JE HXRecord.0040DBA7 ==>关键跳,如不跳,则保存注册信息
0040D861 MOV EDX,DWORD PTR DS:[ESI]
0040D863 PUSH ESI
0040D864 CALL DWORD PTR DS:[EDX+300]
0040D86A PUSH EAX
0040D86B LEA EAX,DWORD PTR SS:[EBP-2C]
0040D86E PUSH EAX
0040D86F CALL EBX
0040D871 MOV EDI,EAX
0040D873 LEA EDX,DWORD PTR SS:[EBP-1C]
0040D876 PUSH EDX
0040D877 PUSH EDI
0040D878 MOV ECX,DWORD PTR DS:[EDI]
0040D87A CALL DWORD PTR DS:[ECX+A0]
0040D880 TEST EAX,EAX
0040D882 FCLEX
0040D884 JGE SHORT HXRecord.0040D898
0040D886 PUSH 0A0
0040D88B PUSH HXRecord.00406EE8
0040D890 PUSH EDI
0040D891 PUSH EAX
0040D892 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040D898 MOV EDX,DWORD PTR SS:[EBP-1C]
0040D89B LEA ECX,DWORD PTR SS:[EBP-28]
0040D89E MOV DWORD PTR SS:[EBP-1C],0
0040D8A5 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040D8AB MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCopy
0040D8B1 MOV EDX,HXRecord.004068C4
; UNICODE "Name"
0040D8B6 LEA ECX,DWORD PTR SS:[EBP-24]
0040D8B9 CALL EBX
; <&MSVBVM60.__vbaStrCopy>
0040D8BB MOV EDX,HXRecord.00406894
; UNICODE "Software\HX\HXRecord"
0040D8C0 LEA ECX,DWORD PTR SS:[EBP-20]
0040D8C3 CALL EBX
0040D8C5 LEA EAX,DWORD PTR SS:[EBP-28]
0040D8C8 LEA ECX,DWORD PTR SS:[EBP-24]
0040D8CB PUSH EAX
0040D8CC LEA EDX,DWORD PTR SS:[EBP-20]
0040D8CF PUSH ECX
0040D8D0 LEA EAX,DWORD PTR SS:[EBP-B4]
0040D8D6 PUSH EDX
0040D8D7 PUSH EAX
0040D8D8 MOV DWORD PTR SS:[EBP-B4],80000002
0040D8E2 CALL HXRecord.0040C930
0040D8E7 LEA ECX,DWORD PTR SS:[EBP-28]
0040D8EA LEA EDX,DWORD PTR SS:[EBP-24]
0040D8ED PUSH ECX
0040D8EE LEA EAX,DWORD PTR SS:[EBP-20]
0040D8F1 PUSH EDX
0040D8F2 PUSH EAX
0040D8F3 PUSH 3
0040D8F5 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0040D8FB ADD ESP,10
0040D8FE LEA ECX,DWORD PTR SS:[EBP-2C]
0040D901 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040D907 MOV ECX,DWORD PTR DS:[ESI]
0040D909 PUSH ESI
0040D90A CALL DWORD PTR DS:[ECX+2FC]
0040D910 LEA EDX,DWORD PTR SS:[EBP-2C]
0040D913 PUSH EAX
0040D914 PUSH EDX
0040D915 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040D91B MOV EDI,EAX
0040D91D LEA ECX,DWORD PTR SS:[EBP-1C]
0040D920 PUSH ECX
0040D921 PUSH EDI
0040D922 MOV EAX,DWORD PTR DS:[EDI]
0040D924 CALL DWORD PTR DS:[EAX+A0]
0040D92A TEST EAX,EAX
0040D92C FCLEX
0040D92E JGE SHORT HXRecord.0040D942
0040D930 PUSH 0A0
0040D935 PUSH HXRecord.00406EE8
0040D93A PUSH EDI
0040D93B PUSH EAX
0040D93C CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040D942 MOV EDX,DWORD PTR SS:[EBP-1C]
0040D945 LEA ECX,DWORD PTR SS:[EBP-28]
0040D948 MOV DWORD PTR SS:[EBP-1C],0
0040D94F CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040D955 MOV EDX,HXRecord.004068D4
; UNICODE "Register"
0040D95A LEA ECX,DWORD PTR SS:[EBP-24]
0040D95D CALL EBX
0040D95F MOV EDX,HXRecord.00406894
; UNICODE "Software\HX\HXRecord"
0040D964 LEA ECX,DWORD PTR SS:[EBP-20]
0040D967 CALL EBX
0040D969 LEA EDX,DWORD PTR SS:[EBP-28]
0040D96C LEA EAX,DWORD PTR SS:[EBP-24]
0040D96F PUSH EDX
-----------------------------------
关键call
0040CF30 PUSH EBP
0040CF31 MOV EBP,ESP
0040CF33 SUB ESP,0C
0040CF36 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ;
SE handler installation
0040CF3B MOV EAX,DWORD PTR FS:[0] ==>安装seh(结构异常化)
0040CF41 PUSH EAX
0040CF42 MOV DWORD PTR FS:[0],ESP
0040CF49 SUB ESP,78 ==>为局部变量分配空间
0040CF4C PUSH EBX
0040CF4D PUSH ESI
0040CF4E PUSH EDI
0040CF4F MOV DWORD PTR SS:[EBP-C],ESP
0040CF52 MOV DWORD PTR SS:[EBP-8],HXRecord.004012>
0040CF59 XOR ESI,ESI
0040CF5B MOV EDX,HXRecord.00406D6C
; UNICODE "***"
0040CF60 LEA ECX,DWORD PTR SS:[EBP-30]
0040CF63 MOV DWORD PTR SS:[EBP-20],ESI
0040CF66 MOV DWORD PTR SS:[EBP-2C],ESI
0040CF69 MOV DWORD PTR SS:[EBP-30],ESI
0040CF6C MOV DWORD PTR SS:[EBP-34],ESI
0040CF6F MOV DWORD PTR SS:[EBP-44],ESI
0040CF72 MOV DWORD PTR SS:[EBP-54],ESI
0040CF75 MOV DWORD PTR SS:[EBP-64],ESI
0040CF78 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0040CF7E MOV EDI,DWORD PTR SS:[EBP+8] ==>用户名
0040CF81 LEA EAX,DWORD PTR SS:[EBP-64]
0040CF84 PUSH 0F
0040CF86 LEA ECX,DWORD PTR SS:[EBP-44]
0040CF89 PUSH EAX
0040CF8A PUSH ECX
0040CF8B MOV DWORD PTR SS:[EBP-5C],EDI
0040CF8E MOV DWORD PTR SS:[EBP-64],4008
0040CF95 CALL DWORD PTR DS:[<&MSVBVM60.#617>]
; MSVBVM60.rtcLeftCharVar
0040CF9B LEA EDX,DWORD PTR SS:[EBP-44]
0040CF9E PUSH EDX
0040CF9F CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0040CFA5 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0040CFAB MOV EDX,EAX
0040CFAD MOV ECX,EDI
0040CFAF CALL EBX
; <&MSVBVM60.__vbaStrMove>
0040CFB1 LEA ECX,DWORD PTR SS:[EBP-44]
0040CFB4 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0040CFBA MOV EAX,DWORD PTR DS:[EDI] ==>用户名
0040CFBC PUSH EAX
0040CFBD CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0040CFC3 CMP EAX,6是 ==>比较用户名长度
0040CFC6 MOV DWORD PTR SS:[EBP-28],EAX
0040CFC9 JL HXRecord.0040D12C
0040CFCF MOV ECX,1 ==>计数器
0040CFD4 MOV DWORD PTR SS:[EBP-18],ECX
0040CFD7 CMP ECX,EAX
0040CFD9 JG HXRecord.0040D120
0040CFDF LEA EDX,DWORD PTR SS:[EBP-44]
0040CFE2 LEA EAX,DWORD PTR SS:[EBP-64]
0040CFE5 PUSH EDX
0040CFE6 PUSH ECX
0040CFE7 LEA ECX,DWORD PTR SS:[EBP-54]
0040CFEA PUSH EAX
0040CFEB PUSH ECX
0040CFEC MOV DWORD PTR SS:[EBP-3C],1
0040CFF3 MOV DWORD PTR SS:[EBP-44],2
0040CFFA MOV DWORD PTR SS:[EBP-5C],EDI
0040CFFD MOV DWORD PTR SS:[EBP-64],4008
0040D004 CALL DWORD PTR DS:[<&MSVBVM60.#632>]
; MSVBVM60.rtcMidCharVar ==>取用户名第ecx位
0040D00A LEA EDX,DWORD PTR SS:[EBP-54]
0040D00D PUSH EDX
0040D00E CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
0040D014 MOV EDX,EAX
0040D016 LEA ECX,DWORD PTR SS:[EBP-20]
0040D019 CALL EBX
0040D01B LEA EAX,DWORD PTR SS:[EBP-54]
0040D01E LEA ECX,DWORD PTR SS:[EBP-44]
0040D021 PUSH EAX
0040D022 PUSH ECX
0040D023 PUSH 2
0040D025 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040D02B MOV EDX,DWORD PTR SS:[EBP-20]
0040D02E ADD ESP,0C
0040D031 PUSH EDX
0040D032 CALL DWORD PTR DS:[<&MSVBVM60.#516>]
; MSVBVM60.rtcAnsivalueBstr
==>取得的一位转换为十六进制值
//eax=6c
//eax=6f
//eax=72
//eax=64
//eax=6f
//eax=72
0040D038 PUSH EAX
0040D039 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI2>; MSVBVM60.__vbaStrI2
==>转换为十进制
//[eax]=108
//[eax]=111
//[eax]=114
//[eax]=100
//[eax]=111
//[eax]=114
0040D03F MOV EDX,EAX
0040D041 LEA ECX,DWORD PTR SS:[EBP-20]
0040D044 CALL EBX
0040D046 MOV EAX,DWORD PTR SS:[EBP-20]
0040D049 PUSH EAX
0040D04A CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0040D050 MOV DWORD PTR SS:[EBP-84],EAX
0040D056 MOV EDI,1
0040D05B CMP EDI,DWORD PTR SS:[EBP-84]
0040D061 JG SHORT HXRecord.0040D0D0
0040D063 LEA ECX,DWORD PTR SS:[EBP-20]
0040D066 LEA EDX,DWORD PTR SS:[EBP-44]
0040D069 MOV DWORD PTR SS:[EBP-5C],ECX
0040D06C PUSH EDX
0040D06D LEA EAX,DWORD PTR SS:[EBP-64]
0040D070 PUSH EDI
0040D071 LEA ECX,DWORD PTR SS:[EBP-54]
0040D074 PUSH EAX
0040D075 PUSH ECX
0040D076 MOV DWORD PTR SS:[EBP-3C],1
0040D07D MOV DWORD PTR SS:[EBP-44],2
0040D084 MOV DWORD PTR SS:[EBP-64],4008
0040D08B CALL DWORD PTR DS:[<&MSVBVM60.#632>]
; MSVBVM60.rtcMidCharVar
0040D091 LEA EDX,DWORD PTR SS:[EBP-54]
0040D094 PUSH EDX
0040D095 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2Err>; MSVBVM60.__vbaI2ErrVar
0040D09B MOVSX EAX,AX
0040D09E ADD EAX,ESI
0040D0A0 LEA ECX,DWORD PTR SS:[EBP-54]
0040D0A3 JO HXRecord.0040D186
0040D0A9 MOV ESI,EAX
0040D0AB LEA EDX,DWORD PTR SS:[EBP-54]
0040D0AE PUSH ECX
0040D0AF LEA EAX,DWORD PTR SS:[EBP-44]
0040D0B2 PUSH EDX
0040D0B3 PUSH EAX
0040D0B4 PUSH 3
0040D0B6 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040D0BC MOV EAX,1
0040D0C1 ADD ESP,10
0040D0C4 ADD EAX,EDI
0040D0C6 JO HXRecord.0040D186
0040D0CC MOV EDI,EAX
0040D0CE JMP SHORT HXRecord.0040D05B ==>以上为把十进制值各位相加再加1,
//[eax]=108 ==>10
//[eax]=111 ==>4
//[eax]=114 ==>7
//[eax]=100 ==>2
//[eax]=111 ==>4
//[eax]=114 ==>7
0040D0D0 MOV ECX,DWORD PTR SS:[EBP-2C]
0040D0D3 ADD ESI,1
0040D0D6 JO HXRecord.0040D186
0040D0DC PUSH ECX
0040D0DD PUSH ESI
0040D0DE CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
0040D0E4 MOV EDX,EAX
0040D0E6 LEA ECX,DWORD PTR SS:[EBP-34]
0040D0E9 CALL EBX
0040D0EB PUSH EAX
0040D0EC CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
==>各位接起来
//1047247
0040D0F2 MOV EDX,EAX
0040D0F4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040D0F7 CALL EBX
0040D0F9 LEA ECX,DWORD PTR SS:[EBP-34]
0040D0FC CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040D102 MOV ECX,DWORD PTR SS:[EBP-18]
0040D105 MOV EDI,DWORD PTR SS:[EBP+8]
0040D108 MOV EAX,1
0040D10D ADD EAX,ECX
0040D10F JO SHORT HXRecord.0040D186
0040D111 MOV DWORD PTR SS:[EBP-18],EAX
0040D114 MOV ECX,EAX
0040D116 MOV EAX,DWORD PTR SS:[EBP-28]
0040D119 XOR ESI,ESI
0040D11B JMP HXRecord.0040CFD7
0040D120 MOV EDX,DWORD PTR SS:[EBP-2C]
0040D123 LEA ECX,DWORD PTR SS:[EBP-30]
0040D126 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0040D12C PUSH HXRecord.0040D170
0040D131 JMP SHORT HXRecord.0040D15F
0040D133 TEST BYTE PTR SS:[EBP-4],4
0040D137 JE SHORT HXRecord.0040D142
0040D139 LEA ECX,DWORD PTR SS:[EBP-30]
0040D13C CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040D142 LEA ECX,DWORD PTR SS:[EBP-34]
0040D145 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040D14B LEA EDX,DWORD PTR SS:[EBP-54]
0040D14E LEA EAX,DWORD PTR SS:[EBP-44]
0040D151 PUSH EDX
0040D152 PUSH EAX
0040D153 PUSH 2
0040D155 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040D15B ADD ESP,0C
0040D15E RETN
0040D15F MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
0040D165 LEA ECX,DWORD PTR SS:[EBP-20]
0040D168 CALL ESI
; <&MSVBVM60.__vbaFreeStr>
0040D16A LEA ECX,DWORD PTR SS:[EBP-2C]
0040D16D CALL ESI
0040D16F RETN
0040D170 MOV ECX,DWORD PTR SS:[EBP-14]
0040D173 MOV EAX,DWORD PTR SS:[EBP-30]
0040D176 POP EDI
0040D177 POP ESI
0040D178 MOV DWORD PTR FS:[0],ECX
0040D17F POP EBX
0040D180 MOV ESP,EBP
0040D182 POP EBP
0040D183 RETN 4
0040D186 CALL DWORD PTR DS:[<&MSVBVM60.__vbaError>; MSVBVM60.__vbaErrorOverflow
0040D18C NOP
0040D18D NOP
0040D18E NOP
0040D18F NOP
0040D190 XOR EAX,EAX
0040D192 RETN 4
-----------------------------------------------
总结:
关键call,不是很复杂,虽然VB程序代码很多,但大家应该可以看得明白的。
一个可用的注册码:
用户名:lordor
注册码:1047247
cracked by lordor
03.7.06