• 标 题:海啸录音机Ver2.1注册算法分析
  • 作 者:lordor
  • 时 间:2003/07/06 03:59pm 
  • 链 接:http://bbs.pediy.com

海啸录音机Ver2.1注册算法分析


对象:海啸录音机Ver2.1
作者:lordor[CCG][BCG][DFCG]
Mail:lordor@sina.com
QQ:88378557
目的:属技术交流,无其它目的,请不要任意散布或用于商业用途。初学破解,如有不对的地方欢迎批评指出。
工具:ollydbg1.09C,fi301

假设:

机器码:lordor
注册码:654321


又是一个VB程序,无壳。今天不忙,正好看一下。
用ollyDbg载入程序。使用我说的方法,用rtcMsgBox下断,F9运行,来到这里


0040AF63  LEA ECX,DWORD PTR SS:[EBP-28]
0040AF66  CALL EDI
0040AF68  PUSH EAX
0040AF69  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0040AF6F  MOV ESI,EAX
0040AF71  NEG ESI
0040AF73  SBB ESI,ESI
0040AF75  INC ESI
0040AF76  NEG ESI
0040AF78  LEA ECX,DWORD PTR SS:[EBP-28]
0040AF7B  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
0040AF81  CMP SI,BX
0040AF84  JE HXRecord.0040B04C  ===》从这里跳到提示注册
0040AF8A  MOV EAX,DWORD PTR DS:[40F010]
0040AF8F  CMP EAX,EBX
0040AF91  JNZ SHORT HXRecord.0040AFA8
0040AF93  PUSH HXRecord.0040F010
0040AF98  PUSH HXRecord.00405020
0040AF9D  CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>;  MSVBVM60.__vbaNew2
0040AFA3  MOV EAX,DWORD PTR DS:[40F010]
0040AFA8  MOV ECX,DWORD PTR DS:[EAX]
0040AFAA  PUSH EAX
0040AFAB  CALL DWORD PTR DS:[ECX+308]
0040AFB1  PUSH EAX
0040AFB2  LEA EDX,DWORD PTR SS:[EBP-30]
0040AFB5  PUSH EDX
0040AFB6  MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaOb>;  MSVBVM60.__vbaObjSet
0040AFBC  CALL EDI                                 ;  <&MSVBVM60.__vbaObjSet>
0040AFBE  MOV ESI,EAX
0040AFC0  MOV EAX,DWORD PTR DS:[ESI]
0040AFC2  PUSH HXRecord.004068EC
0040AFC7  PUSH ESI
0040AFC8  CALL DWORD PTR DS:[EAX+54]
0040AFCB  FCLEX
0040AFCD  CMP EAX,EBX
0040AFCF  JGE SHORT HXRecord.0040AFE0
0040AFD1  PUSH 54
0040AFD3  PUSH HXRecord.00406648
0040AFD8  PUSH ESI
0040AFD9  PUSH EAX
0040AFDA  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0040AFE0  LEA ECX,DWORD PTR SS:[EBP-30]
0040AFE3  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0040AFE9  MOV WORD PTR DS:[40F024],0FFFF
0040AFF2  MOV EAX,DWORD PTR DS:[40F010]
0040AFF7  CMP EAX,EBX
0040AFF9  JNZ SHORT HXRecord.0040B010
0040AFFB  PUSH HXRecord.0040F010
0040B000  PUSH HXRecord.00405020
0040B005  CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>;  MSVBVM60.__vbaNew2
0040B00B  MOV EAX,DWORD PTR DS:[40F010]
0040B010  MOV ECX,DWORD PTR DS:[EAX]
0040B012  PUSH EAX
0040B013  CALL DWORD PTR DS:[ECX+304]
0040B019  PUSH EAX
0040B01A  LEA EDX,DWORD PTR SS:[EBP-30]
0040B01D  PUSH EDX
0040B01E  CALL EDI
0040B020  MOV ESI,EAX
0040B022  MOV EAX,DWORD PTR DS:[ESI]
0040B024  PUSH EBX
0040B025  PUSH ESI
0040B026  CALL DWORD PTR DS:[EAX+5C]
0040B029  FCLEX
0040B02B  CMP EAX,EBX
0040B02D  JGE SHORT HXRecord.0040B03E
0040B02F  PUSH 5C
0040B031  PUSH HXRecord.0040691C
0040B036  PUSH ESI
0040B037  PUSH EAX
0040B038  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0040B03E  LEA ECX,DWORD PTR SS:[EBP-30]
0040B041  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0040B047  JMP HXRecord.0040B174
0040B04C  MOV ECX,80020004
0040B051  MOV DWORD PTR SS:[EBP-68],ECX
0040B054  MOV EAX,0A
0040B059  MOV DWORD PTR SS:[EBP-70],EAX
0040B05C  MOV DWORD PTR SS:[EBP-58],ECX
0040B05F  MOV DWORD PTR SS:[EBP-60],EAX
0040B062  MOV DWORD PTR SS:[EBP-88],HXRecord.00406>
0040B06C  MOV ESI,8
0040B071  MOV DWORD PTR SS:[EBP-90],ESI
0040B077  LEA EDX,DWORD PTR SS:[EBP-90]
0040B07D  LEA ECX,DWORD PTR SS:[EBP-50]
0040B080  MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>;  MSVBVM60.__vbaVarDup
0040B086  CALL EDI                                 ;  <&MSVBVM60.__vbaVarDup>
0040B088  MOV DWORD PTR SS:[EBP-78],HXRecord.00406>
0040B08F  MOV DWORD PTR SS:[EBP-80],ESI
0040B092  LEA EDX,DWORD PTR SS:[EBP-80]
0040B095  LEA ECX,DWORD PTR SS:[EBP-40]
0040B098  CALL EDI
0040B09A  LEA ECX,DWORD PTR SS:[EBP-70]
0040B09D  PUSH ECX
0040B09E  LEA EDX,DWORD PTR SS:[EBP-60]
0040B0A1  PUSH EDX
0040B0A2  LEA EAX,DWORD PTR SS:[EBP-50]
0040B0A5  PUSH EAX
0040B0A6  PUSH 40
0040B0A8  LEA ECX,DWORD PTR SS:[EBP-40]
0040B0AB  PUSH ECX
0040B0AC  CALL DWORD PTR DS:[<&MSVBVM60.#595>]     ;  MSVBVM60.rtcMsgBox ==>启动时提示未注册
0040B0B2  LEA EDX,DWORD PTR SS:[EBP-70]
0040B0B5  PUSH EDX
0040B0B6  LEA EAX,DWORD PTR SS:[EBP-60]


运行后,在注册框中输入用户名及注册码,来到这里:


0040D7E2  FCLEX
0040D7E4  JGE SHORT HXRecord.0040D7F8
0040D7E6  PUSH 0A0
0040D7EB  PUSH HXRecord.00406EE8
0040D7F0  PUSH EDI
0040D7F1  PUSH EAX
0040D7F2  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0040D7F8  MOV EDX,DWORD PTR SS:[EBP-20]   ==>用户名入edx
0040D7FB  MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrMove
0040D801  LEA ECX,DWORD PTR SS:[EBP-24]
0040D804  MOV DWORD PTR SS:[EBP-20],0
0040D80B  CALL EDI                                 ;  <&MSVBVM60.__vbaStrMove>
0040D80D  MOV ECX,DWORD PTR SS:[EBP-1C]  ==>注册码入ecx
0040D810  LEA EDX,DWORD PTR SS:[EBP-24]
0040D813  PUSH ECX  ==>压入注册码指针
0040D814  PUSH EDX  ==>压入用户名指针
0040D815  CALL HXRecord.0040CF30  ==>关键call
0040D81A  MOV EDX,EAX  ==>产生真码,入edx
0040D81C  LEA ECX,DWORD PTR SS:[EBP-28] ==>
0040D81F  CALL EDI
0040D821  PUSH EAX
0040D822  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
0040D828  MOV EDI,EAX
0040D82A  LEA EAX,DWORD PTR SS:[EBP-28]
0040D82D  NEG EDI
0040D82F  LEA ECX,DWORD PTR SS:[EBP-1C]
0040D832  PUSH EAX
0040D833  SBB EDI,EDI
0040D835  LEA EDX,DWORD PTR SS:[EBP-24]
0040D838  PUSH ECX
0040D839  INC EDI
0040D83A  PUSH EDX
0040D83B  PUSH 3
0040D83D  NEG EDI
0040D83F  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStrList
0040D845  LEA EAX,DWORD PTR SS:[EBP-30]
0040D848  LEA ECX,DWORD PTR SS:[EBP-2C]
0040D84B  PUSH EAX
0040D84C  PUSH ECX
0040D84D  PUSH 2
0040D84F  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObjList
0040D855  ADD ESP,1C
0040D858  TEST DI,DI
0040D85B  JE HXRecord.0040DBA7  ==>关键跳,如不跳,则保存注册信息
0040D861  MOV EDX,DWORD PTR DS:[ESI]
0040D863  PUSH ESI
0040D864  CALL DWORD PTR DS:[EDX+300]
0040D86A  PUSH EAX
0040D86B  LEA EAX,DWORD PTR SS:[EBP-2C]
0040D86E  PUSH EAX
0040D86F  CALL EBX
0040D871  MOV EDI,EAX
0040D873  LEA EDX,DWORD PTR SS:[EBP-1C]
0040D876  PUSH EDX
0040D877  PUSH EDI
0040D878  MOV ECX,DWORD PTR DS:[EDI]
0040D87A  CALL DWORD PTR DS:[ECX+A0]
0040D880  TEST EAX,EAX
0040D882  FCLEX
0040D884  JGE SHORT HXRecord.0040D898
0040D886  PUSH 0A0
0040D88B  PUSH HXRecord.00406EE8
0040D890  PUSH EDI
0040D891  PUSH EAX
0040D892  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0040D898  MOV EDX,DWORD PTR SS:[EBP-1C]
0040D89B  LEA ECX,DWORD PTR SS:[EBP-28]
0040D89E  MOV DWORD PTR SS:[EBP-1C],0
0040D8A5  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0040D8AB  MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrCopy
0040D8B1  MOV EDX,HXRecord.004068C4                ;  UNICODE "Name"
0040D8B6  LEA ECX,DWORD PTR SS:[EBP-24]
0040D8B9  CALL EBX                                 ;  <&MSVBVM60.__vbaStrCopy>
0040D8BB  MOV EDX,HXRecord.00406894                ;  UNICODE "Software\HX\HXRecord"
0040D8C0  LEA ECX,DWORD PTR SS:[EBP-20]
0040D8C3  CALL EBX
0040D8C5  LEA EAX,DWORD PTR SS:[EBP-28]
0040D8C8  LEA ECX,DWORD PTR SS:[EBP-24]
0040D8CB  PUSH EAX
0040D8CC  LEA EDX,DWORD PTR SS:[EBP-20]
0040D8CF  PUSH ECX
0040D8D0  LEA EAX,DWORD PTR SS:[EBP-B4]
0040D8D6  PUSH EDX
0040D8D7  PUSH EAX
0040D8D8  MOV DWORD PTR SS:[EBP-B4],80000002
0040D8E2  CALL HXRecord.0040C930
0040D8E7  LEA ECX,DWORD PTR SS:[EBP-28]
0040D8EA  LEA EDX,DWORD PTR SS:[EBP-24]
0040D8ED  PUSH ECX
0040D8EE  LEA EAX,DWORD PTR SS:[EBP-20]
0040D8F1  PUSH EDX
0040D8F2  PUSH EAX
0040D8F3  PUSH 3
0040D8F5  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStrList
0040D8FB  ADD ESP,10
0040D8FE  LEA ECX,DWORD PTR SS:[EBP-2C]
0040D901  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
0040D907  MOV ECX,DWORD PTR DS:[ESI]
0040D909  PUSH ESI
0040D90A  CALL DWORD PTR DS:[ECX+2FC]
0040D910  LEA EDX,DWORD PTR SS:[EBP-2C]
0040D913  PUSH EAX
0040D914  PUSH EDX
0040D915  CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;  MSVBVM60.__vbaObjSet
0040D91B  MOV EDI,EAX
0040D91D  LEA ECX,DWORD PTR SS:[EBP-1C]
0040D920  PUSH ECX
0040D921  PUSH EDI
0040D922  MOV EAX,DWORD PTR DS:[EDI]
0040D924  CALL DWORD PTR DS:[EAX+A0]
0040D92A  TEST EAX,EAX
0040D92C  FCLEX
0040D92E  JGE SHORT HXRecord.0040D942
0040D930  PUSH 0A0
0040D935  PUSH HXRecord.00406EE8
0040D93A  PUSH EDI
0040D93B  PUSH EAX
0040D93C  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
0040D942  MOV EDX,DWORD PTR SS:[EBP-1C]
0040D945  LEA ECX,DWORD PTR SS:[EBP-28]
0040D948  MOV DWORD PTR SS:[EBP-1C],0
0040D94F  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>;  MSVBVM60.__vbaStrMove
0040D955  MOV EDX,HXRecord.004068D4                ;  UNICODE "Register"
0040D95A  LEA ECX,DWORD PTR SS:[EBP-24]
0040D95D  CALL EBX
0040D95F  MOV EDX,HXRecord.00406894                ;  UNICODE "Software\HX\HXRecord"
0040D964  LEA ECX,DWORD PTR SS:[EBP-20]
0040D967  CALL EBX
0040D969  LEA EDX,DWORD PTR SS:[EBP-28]
0040D96C  LEA EAX,DWORD PTR SS:[EBP-24]
0040D96F  PUSH EDX

-----------------------------------
关键call

0040CF30  PUSH EBP
0040CF31  MOV EBP,ESP
0040CF33  SUB ESP,0C
0040CF36  PUSH <JMP.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
0040CF3B  MOV EAX,DWORD PTR FS:[0]  ==>安装SEH(结构化异常处理)
0040CF41  PUSH EAX
0040CF42  MOV DWORD PTR FS:[0],ESP
0040CF49  SUB ESP,78   ==>为局部变量分配空间
0040CF4C  PUSH EBX
0040CF4D  PUSH ESI
0040CF4E  PUSH EDI
0040CF4F  MOV DWORD PTR SS:[EBP-C],ESP
0040CF52  MOV DWORD PTR SS:[EBP-8],HXRecord.004012>
0040CF59  XOR ESI,ESI
0040CF5B  MOV EDX,HXRecord.00406D6C                ;  UNICODE "***"
0040CF60  LEA ECX,DWORD PTR SS:[EBP-30]
0040CF63  MOV DWORD PTR SS:[EBP-20],ESI
0040CF66  MOV DWORD PTR SS:[EBP-2C],ESI
0040CF69  MOV DWORD PTR SS:[EBP-30],ESI
0040CF6C  MOV DWORD PTR SS:[EBP-34],ESI
0040CF6F  MOV DWORD PTR SS:[EBP-44],ESI
0040CF72  MOV DWORD PTR SS:[EBP-54],ESI
0040CF75  MOV DWORD PTR SS:[EBP-64],ESI
0040CF78  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;  MSVBVM60.__vbaStrCopy
0040CF7E  MOV EDI,DWORD PTR SS:[EBP+8]  ==>用户名
0040CF81  LEA EAX,DWORD PTR SS:[EBP-64]
0040CF84  PUSH 0F
0040CF86  LEA ECX,DWORD PTR SS:[EBP-44]
0040CF89  PUSH EAX
0040CF8A  PUSH ECX
0040CF8B  MOV DWORD PTR SS:[EBP-5C],EDI
0040CF8E  MOV DWORD PTR SS:[EBP-64],4008
0040CF95  CALL DWORD PTR DS:[<&MSVBVM60.#617>]     ;  MSVBVM60.rtcLeftCharVar
0040CF9B  LEA EDX,DWORD PTR SS:[EBP-44]
0040CF9E  PUSH EDX
0040CF9F  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarMove
0040CFA5  MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>;  MSVBVM60.__vbaStrMove
0040CFAB  MOV EDX,EAX
0040CFAD  MOV ECX,EDI
0040CFAF  CALL EBX                                 ;  <&MSVBVM60.__vbaStrMove>
0040CFB1  LEA ECX,DWORD PTR SS:[EBP-44]
0040CFB4  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVar
0040CFBA  MOV EAX,DWORD PTR DS:[EDI]  ==>用户名
0040CFBC  PUSH EAX
0040CFBD  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;  MSVBVM60.__vbaLenBstr
0040CFC3  CMP EAX,6  ==>比较用户名长度(小于6则跳到0040D12C,不进入计算循环)
0040CFC6  MOV DWORD PTR SS:[EBP-28],EAX
0040CFC9  JL HXRecord.0040D12C
0040CFCF  MOV ECX,1  ==>计数器
0040CFD4  MOV DWORD PTR SS:[EBP-18],ECX
0040CFD7  CMP ECX,EAX
0040CFD9  JG HXRecord.0040D120
0040CFDF  LEA EDX,DWORD PTR SS:[EBP-44]
0040CFE2  LEA EAX,DWORD PTR SS:[EBP-64]
0040CFE5  PUSH EDX
0040CFE6  PUSH ECX
0040CFE7  LEA ECX,DWORD PTR SS:[EBP-54]
0040CFEA  PUSH EAX
0040CFEB  PUSH ECX
0040CFEC  MOV DWORD PTR SS:[EBP-3C],1
0040CFF3  MOV DWORD PTR SS:[EBP-44],2
0040CFFA  MOV DWORD PTR SS:[EBP-5C],EDI
0040CFFD  MOV DWORD PTR SS:[EBP-64],4008
0040D004  CALL DWORD PTR DS:[<&MSVBVM60.#632>]     ;  MSVBVM60.rtcMidCharVar ==>取用户名第ecx位
0040D00A  LEA EDX,DWORD PTR SS:[EBP-54]
0040D00D  PUSH EDX
0040D00E  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>;  MSVBVM60.__vbaStrVarMove
0040D014  MOV EDX,EAX
0040D016  LEA ECX,DWORD PTR SS:[EBP-20]
0040D019  CALL EBX
0040D01B  LEA EAX,DWORD PTR SS:[EBP-54]
0040D01E  LEA ECX,DWORD PTR SS:[EBP-44]
0040D021  PUSH EAX
0040D022  PUSH ECX
0040D023  PUSH 2
0040D025  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
0040D02B  MOV EDX,DWORD PTR SS:[EBP-20]
0040D02E  ADD ESP,0C
0040D031  PUSH EDX
0040D032  CALL DWORD PTR DS:[<&MSVBVM60.#516>]     ;  MSVBVM60.rtcAnsivalueBstr
==>取得该字符的ANSI码值(下面以十六进制显示)
//eax=6c
//eax=6f
//eax=72
//eax=64
//eax=6f
//eax=72
0040D038  PUSH EAX
0040D039  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI2>;  MSVBVM60.__vbaStrI2 ==>转换为十进制字符串
//[eax]=108
//[eax]=111
//[eax]=114
//[eax]=100
//[eax]=111
//[eax]=114
0040D03F  MOV EDX,EAX
0040D041  LEA ECX,DWORD PTR SS:[EBP-20]
0040D044  CALL EBX
0040D046  MOV EAX,DWORD PTR SS:[EBP-20]
0040D049  PUSH EAX
0040D04A  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;  MSVBVM60.__vbaLenBstr
0040D050  MOV DWORD PTR SS:[EBP-84],EAX
0040D056  MOV EDI,1
0040D05B  CMP EDI,DWORD PTR SS:[EBP-84]
0040D061  JG SHORT HXRecord.0040D0D0
0040D063  LEA ECX,DWORD PTR SS:[EBP-20]
0040D066  LEA EDX,DWORD PTR SS:[EBP-44]
0040D069  MOV DWORD PTR SS:[EBP-5C],ECX
0040D06C  PUSH EDX
0040D06D  LEA EAX,DWORD PTR SS:[EBP-64]
0040D070  PUSH EDI
0040D071  LEA ECX,DWORD PTR SS:[EBP-54]
0040D074  PUSH EAX
0040D075  PUSH ECX
0040D076  MOV DWORD PTR SS:[EBP-3C],1
0040D07D  MOV DWORD PTR SS:[EBP-44],2
0040D084  MOV DWORD PTR SS:[EBP-64],4008
0040D08B  CALL DWORD PTR DS:[<&MSVBVM60.#632>]     ;  MSVBVM60.rtcMidCharVar
0040D091  LEA EDX,DWORD PTR SS:[EBP-54]
0040D094  PUSH EDX
0040D095  CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2Err>;  MSVBVM60.__vbaI2ErrVar
0040D09B  MOVSX EAX,AX
0040D09E  ADD EAX,ESI
0040D0A0  LEA ECX,DWORD PTR SS:[EBP-54]
0040D0A3  JO HXRecord.0040D186
0040D0A9  MOV ESI,EAX
0040D0AB  LEA EDX,DWORD PTR SS:[EBP-54]
0040D0AE  PUSH ECX
0040D0AF  LEA EAX,DWORD PTR SS:[EBP-44]
0040D0B2  PUSH EDX
0040D0B3  PUSH EAX
0040D0B4  PUSH 3
0040D0B6  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
0040D0BC  MOV EAX,1
0040D0C1  ADD ESP,10
0040D0C4  ADD EAX,EDI
0040D0C6  JO HXRecord.0040D186
0040D0CC  MOV EDI,EAX
0040D0CE  JMP SHORT HXRecord.0040D05B  ==>以上循环把十进制字符串的各位数字相加,循环结束后在0040D0D3处再加1:
//[eax]=108  ==>10
//[eax]=111  ==>4
//[eax]=114 ==>7
//[eax]=100 ==>2
//[eax]=111 ==>4
//[eax]=114 ==>7
0040D0D0  MOV ECX,DWORD PTR SS:[EBP-2C]
0040D0D3  ADD ESI,1
0040D0D6  JO HXRecord.0040D186
0040D0DC  PUSH ECX
0040D0DD  PUSH ESI
0040D0DE  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>;  MSVBVM60.__vbaStrI4
0040D0E4  MOV EDX,EAX
0040D0E6  LEA ECX,DWORD PTR SS:[EBP-34]
0040D0E9  CALL EBX
0040D0EB  PUSH EAX
0040D0EC  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>;  MSVBVM60.__vbaStrCat ==>各位接起来

//1047247

0040D0F2  MOV EDX,EAX
0040D0F4  LEA ECX,DWORD PTR SS:[EBP-2C]
0040D0F7  CALL EBX
0040D0F9  LEA ECX,DWORD PTR SS:[EBP-34]
0040D0FC  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
0040D102  MOV ECX,DWORD PTR SS:[EBP-18]
0040D105  MOV EDI,DWORD PTR SS:[EBP+8]
0040D108  MOV EAX,1
0040D10D  ADD EAX,ECX
0040D10F  JO SHORT HXRecord.0040D186
0040D111  MOV DWORD PTR SS:[EBP-18],EAX
0040D114  MOV ECX,EAX
0040D116  MOV EAX,DWORD PTR SS:[EBP-28]
0040D119  XOR ESI,ESI
0040D11B  JMP HXRecord.0040CFD7
0040D120  MOV EDX,DWORD PTR SS:[EBP-2C]
0040D123  LEA ECX,DWORD PTR SS:[EBP-30]
0040D126  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;  MSVBVM60.__vbaStrCopy
0040D12C  PUSH HXRecord.0040D170
0040D131  JMP SHORT HXRecord.0040D15F
0040D133  TEST BYTE PTR SS:[EBP-4],4
0040D137  JE SHORT HXRecord.0040D142
0040D139  LEA ECX,DWORD PTR SS:[EBP-30]
0040D13C  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
0040D142  LEA ECX,DWORD PTR SS:[EBP-34]
0040D145  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
0040D14B  LEA EDX,DWORD PTR SS:[EBP-54]
0040D14E  LEA EAX,DWORD PTR SS:[EBP-44]
0040D151  PUSH EDX
0040D152  PUSH EAX
0040D153  PUSH 2
0040D155  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
0040D15B  ADD ESP,0C
0040D15E  RETN
0040D15F  MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>;  MSVBVM60.__vbaFreeStr
0040D165  LEA ECX,DWORD PTR SS:[EBP-20]
0040D168  CALL ESI                                 ;  <&MSVBVM60.__vbaFreeStr>
0040D16A  LEA ECX,DWORD PTR SS:[EBP-2C]
0040D16D  CALL ESI
0040D16F  RETN
0040D170  MOV ECX,DWORD PTR SS:[EBP-14]
0040D173  MOV EAX,DWORD PTR SS:[EBP-30]
0040D176  POP EDI
0040D177  POP ESI
0040D178  MOV DWORD PTR FS:[0],ECX
0040D17F  POP EBX
0040D180  MOV ESP,EBP
0040D182  POP EBP
0040D183  RETN 4
0040D186  CALL DWORD PTR DS:[<&MSVBVM60.__vbaError>;  MSVBVM60.__vbaErrorOverflow
0040D18C  NOP
0040D18D  NOP
0040D18E  NOP
0040D18F  NOP
0040D190  XOR EAX,EAX
0040D192  RETN 4

-----------------------------------------------
总结:
关键call并不复杂,虽然VB程序代码很多,但大家应该可以看得明白。从防护角度看,这种校验的弱点在于:真码仅由用户名在本地算出,并通过__vbaStrCmp与输入做明文比较,比较时真码就在内存中。

一个可用的注册码:
用户名:lordor
注册码:1047247


cracked by  lordor
03.7.06