Registration Crack Analysis of a System Error Repair Program That Requires Network Verification
程序员文章站
2022-04-12 21:39:52
【Author】: suredwang
【Author email】: suredwang@126.com
【Software name】: 系统错误修复精灵V3.0
【Software size】: 790K
【Download address】: Search for and download it yourself...
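【Packer】: None
【Protection】: Network verification + registration code
【Language】: Microsoft Visual Basic 5.0 / 6.0
【Tools used】: OD
【Platform】: XP
【Software description】: Quickly scans for, detects and repairs registry errors; it can also make a backup before repairing and restore it at any time, which makes it handy for system maintenance. The unregistered version can only scan and cannot repair errors.
【Author's statement】: Just out of interest, with no other purpose. If I have made mistakes, I would welcome corrections from the experts!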
--------------------------------------------------------------------------------
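【Detailed process】
I am just a beginner. On a day off with nothing to do, I downloaded a small program to practice on. I expected simple registration-code protection, but it turned out to have network verification as well, so I decided to study it for a while.
Pardon my clumsy attempt. I have no other purpose; support genuine software; experts may skip this.
First I checked for a packer with PEID and found none, and that the program was written in VB. I loaded it directly in OD, pressed F9 to run to the registration dialog, entered an arbitrary registration code, 787878787878,
and clicked Register. The message "注册码错误" (registration code error) appeared. I first tried the right-click string search, but found no string information at all, so the string-search approach would not work. I opened the breakpoint plugin
and set a breakpoint on the __vbaStrComp function to see whether it would hit (the same can be done from the command line with bp __vbaStrComp). After clicking Register:
734793DA > FF7424 08 push dword ptr [esp+8] ; breaks here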
734793DE FF7424 08 push dword ptr [esp+8]
734793E2 6A 00 push 0
734793E4 E8 44E6FFFF call __vbaStrComp
734793E9 C2 0800 retn 8
734793EC > FF7424 08 push dword ptr [esp+8]
734793F0 FF7424 08 push dword ptr [esp+8]
734793F4 6A 01 push 1
734793F6 E8 32E6FFFF call __vbaStrComp
734793FB C2 0800 retn 8
In the register pane on the right:
EAX 00000030
ECX 001918CC UNICODE "RCode error"
EDX 00000000
EBX 73497262 MSVBVM60.__vbaFreeVarList
ESP 0012EC08 ASCII "7Bb"
EBP 0012EDA4
ESI 73476A74 MSVBVM60.__vbaStrMove
EDI 00000000
EIP 734793DA MSVBVM60.__vbaStrCmp
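The string "RCode error" appears in the register pane on the right, so the registration check should be earlier. I scrolled up to the entry address of the key registration CALL, set a breakpoint there, and ran
the program again.
00624000 > \55 push ebp ; set a breakpoint here; execution stops here after re-running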
00624001 . 8BEC mov ebp, esp
00624003 . 83EC 0C sub esp, 0C
00624006 . 68 66204000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
0062400B . 64:A1 0000000>mov eax, dword ptr fs:[0]
00624011 . 50 push eax
00624012 . 64:8925 00000>mov dword ptr fs:[0], esp
00624019 . 81EC 70010000 sub esp, 170
0062401F . 53 push ebx
00624020 . 56 push esi
00624021 . 57 push edi
00624022 . 8965 F4 mov dword ptr [ebp-C], esp
00624025 . C745 F8 A81F4>mov dword ptr [ebp-8], 00401FA8
0062402C . 8B75 08 mov esi, dword ptr [ebp+8]
0062402F . 8BC6 mov eax, esi
00624031 . 83E0 01 and eax, 1
00624034 . 8945 FC mov dword ptr [ebp-4], eax
00624037 . 83E6 FE and esi, FFFFFFFE
0062403A . 56 push esi
0062403B . 8975 08 mov dword ptr [ebp+8], esi
0062403E . 8B0E mov ecx, dword ptr [esi]
00624040 . FF51 04 call dword ptr [ecx+4] ; single-step with F8 to here; note that pressing F8 on this CALL runs away, so there appears to be VMP code
00624043 . 8B16 mov edx, dword ptr [esi]
00624045 . 33FF xor edi, edi
00624047 . 56 push esi
00624048 . 897D D8 mov dword ptr [ebp-28], edi
0062404B . 897D D4 mov dword ptr [ebp-2C], edi
0062404E . 897D D0 mov dword ptr [ebp-30], edi
00624051 . 897D C0 mov dword ptr [ebp-40], edi
00624054 . 897D B0 mov dword ptr [ebp-50], edi
00624057 . 897D A0 mov dword ptr [ebp-60], edi
0062405A . 897D 9C mov dword ptr [ebp-64], edi
0062405D . 897D 98 mov dword ptr [ebp-68], edi
00624060 . 897D 94 mov dword ptr [ebp-6C], edi
00624063 . 897D 90 mov dword ptr [ebp-70], edi
00624066 . 897D 80 mov dword ptr [ebp-80], edi
00624069 . 89BD 70FFFFFF mov dword ptr [ebp-90], edi
0062406F . 89BD 60FFFFFF mov dword ptr [ebp-A0], edi
00624075 . 89BD 50FFFFFF mov dword ptr [ebp-B0], edi
0062407B . 89BD 40FFFFFF mov dword ptr [ebp-C0], edi
00624081 . 89BD 30FFFFFF mov dword ptr [ebp-D0], edi
00624087 . 89BD 20FFFFFF mov dword ptr [ebp-E0], edi
0062408D . 89BD 10FFFFFF mov dword ptr [ebp-F0], edi
00624093 . 89BD 00FFFFFF mov dword ptr [ebp-100], edi
00624099 . FF92 00030000 call dword ptr [edx+300]
0062409F . 50 push eax
006240A0 . 8D45 90 lea eax, dword ptr [ebp-70]
006240A3 . 50 push eax
006240A4 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
006240AA . 8BD8 mov ebx, eax
006240AC . 8D55 9C lea edx, dword ptr [ebp-64]
006240AF . 52 push edx
006240B0 . 53 push ebx
006240B1 . 8B0B mov ecx, dword ptr [ebx]
006240B3 . FF91 A0000000 call dword ptr [ecx+A0]
006240B9 . 3BC7 cmp eax, edi
006240BB . DBE2 fclex
006240BD . 7D 12 jge short 006240D1
006240BF . 68 A0000000 push 0A0
006240C4 . 68 58F84500 push 0045F858
006240C9 . 53 push ebx
006240CA . 50 push eax
006240CB . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
006240D1 > 8B45 9C mov eax, dword ptr [ebp-64] ; the fake code appears here
006240D4 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006240DA . 8945 88 mov dword ptr [ebp-78], eax
006240DD . 8D45 80 lea eax, dword ptr [ebp-80]
006240E0 . 50 push eax
006240E1 . 51 push ecx
006240E2 . 897D 9C mov dword ptr [ebp-64], edi
006240E5 . C745 80 08000>mov dword ptr [ebp-80], 8
006240EC . FF15 BC104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar trims leading and trailing spaces
006240F2 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
006240F8 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
006240FE . 52 push edx ; /var18
006240FF . 50 push eax ; |var28
00624100 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045DEE0 ; |
0062410A . C785 00FFFFFF>mov dword ptr [ebp-100], 8008 ; |
00624114 . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaVarTstNe>] ; \compares whether the variables are not equal
0062411A . 8D4D 90 lea ecx, dword ptr [ebp-70]
0062411D . 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
00624123 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00624129 . 8B1D 3C104000 mov ebx, dword ptr [<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVarList
0062412F . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624135 . 8D55 80 lea edx, dword ptr [ebp-80]
00624138 . 51 push ecx
00624139 . 52 push edx
0062413A . 6A 02 push 2
0062413C . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList>
0062413E . 83C4 0C add esp, 0C
00624141 . 66:39BD C4FEF>cmp word ptr [ebp-13C], di ; checks whether the registration code is empty
00624148 0F84 841D0000 je 00625ED2 ; jumps away if it is empty
0062414E . 8B06 mov eax, dword ptr [esi]
00624150 . 56 push esi
00624151 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F86C ; the stack shows "http://www.FairySoftware.com/register/fse/?rcode="
0062415B . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00624165 . FF90 00030000 call dword ptr [eax+300]
0062416B . 8D4D 90 lea ecx, dword ptr [ebp-70]
0062416E . 50 push eax
0062416F . 51 push ecx
00624170 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00624176 . 8BF0 mov esi, eax
00624178 . 8D45 9C lea eax, dword ptr [ebp-64]
0062417B . 50 push eax
0062417C . 56 push esi
0062417D . 8B16 mov edx, dword ptr [esi]
0062417F . FF92 A0000000 call dword ptr [edx+A0]
00624185 . 3BC7 cmp eax, edi
00624187 . DBE2 fclex
00624189 . 7D 12 jge short 0062419D
0062418B . 68 A0000000 push 0A0
00624190 . 68 58F84500 push 0045F858
00624195 . 56 push esi
00624196 . 50 push eax
00624197 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
0062419D > 8B45 9C mov eax, dword ptr [ebp-64] ; the fake code appears again
006241A0 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006241A3 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
006241A9 . 51 push ecx
006241AA . 52 push edx
006241AB . 897D 9C mov dword ptr [ebp-64], edi
006241AE . 8945 88 mov dword ptr [ebp-78], eax
006241B1 . C745 80 08000>mov dword ptr [ebp-80], 8
006241B8 . FF15 BC104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
006241BE . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
006241C4 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006241CA . 50 push eax
006241CB . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
006241D1 . 51 push ecx
006241D2 . 52 push edx
006241D3 . FF15 A0114000 call dword ptr [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat string concatenation function
006241D9 . 50 push eax
006241DA . FF15 30104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
006241E0 . 8B35 44124000 mov esi, dword ptr [<&MSVBVM60.__vbaStrMov>; MSVBVM60.__vbaStrMove
006241E6 . 8BD0 mov edx, eax ; string concatenation ("http://www.FairySoftware.com/register/fse/?rcode=78787878787878")
006241E8 . 8D4D 98 lea ecx, dword ptr [ebp-68]
006241EB . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
006241ED . 8D45 98 lea eax, dword ptr [ebp-68]
006241F0 . 50 push eax
006241F1 . E8 AA2C0000 call 00626EA0 ; network verification CALL: verifies the registration code and returns a value
006241F6 . 8BD0 mov edx, eax ; string "RCode error" fetched back from the server
006241F8 . 8D4D D0 lea ecx, dword ptr [ebp-30]
006241FB . FFD6 call esi
006241FD . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624200 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00624206 . 8D4D 90 lea ecx, dword ptr [ebp-70]
00624209 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0062420F . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624215 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062421B . 51 push ecx
0062421C . 8D45 80 lea eax, dword ptr [ebp-80]
0062421F . 52 push edx
00624220 . 50 push eax
00624221 . 6A 03 push 3
00624223 . FFD3 call ebx
00624225 . 8B4D D0 mov ecx, dword ptr [ebp-30]
00624228 . 83C4 10 add esp, 10
0062422B . 51 push ecx ; string "RCode error" fetched back from the server
0062422C . 68 E0DE4500 push 0045DEE0 ; compared with 30h
00624231 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00624237 . 85C0 test eax, eax
00624239 0F84 1F1C0000 je 00625E5E ; checks whether the value returned by the network server is 0, so the jump is not taken
0062423F . 8B45 08 mov eax, dword ptr [ebp+8]
00624242 . 50 push eax
00624243 . 8B10 mov edx, dword ptr [eax]
00624245 . FF92 00030000 call dword ptr [edx+300]
0062424B . 50 push eax
0062424C . 8D45 90 lea eax, dword ptr [ebp-70]
0062424F . 50 push eax
00624250 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00624256 . 8B08 mov ecx, dword ptr [eax]
00624258 . 8D55 9C lea edx, dword ptr [ebp-64]
0062425B . 52 push edx
0062425C . 50 push eax
0062425D . 8985 CCFEFFFF mov dword ptr [ebp-134], eax
00624263 . FF91 A0000000 call dword ptr [ecx+A0]
00624269 . 3BC7 cmp eax, edi
0062426B . DBE2 fclex
0062426D . 7D 18 jge short 00624287
0062426F . 8B8D CCFEFFFF mov ecx, dword ptr [ebp-134]
00624275 . 68 A0000000 push 0A0
0062427A . 68 58F84500 push 0045F858
0062427F . 51 push ecx
00624280 . 50 push eax
00624281 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
00624287 > 8B55 9C mov edx, dword ptr [ebp-64] ; fake code
0062428A . 6A 01 push 1
0062428C . 52 push edx
0062428D . 68 2CE74500 push 0045E72C ; -
00624292 . 57 push edi
00624293 . FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaInStr>] ; MSVBVM60.__vbaInStr
00624299 . F7D8 neg eax ; determines here whether the registration code is contained and sets the flag
0062429B . 1BC0 sbb eax, eax
0062429D . 8D4D 9C lea ecx, dword ptr [ebp-64]
006242A0 . 40 inc eax
006242A1 . F7D8 neg eax
006242A3 . 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
006242A9 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
006242AF . 8D4D 90 lea ecx, dword ptr [ebp-70]
006242B2 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
006242B8 . 66:39BD C4FEF>cmp word ptr [ebp-13C], di ; compares the flag for whether the registration code is contained
006242BF 0F84 97000000 jne 0062435C ; key patch point: change to JNZ or JMP
................... (omitted here)
Jumps to here
0062435C > \8D55 80 lea edx, dword ptr [ebp-80]
0062435F . C745 88 04000>mov dword ptr [ebp-78], 80020004
00624366 . 52 push edx ; /RNDNumber08
00624367 . C745 80 0A000>mov dword ptr [ebp-80], 0A ; |
0062436E . FF15 90104000 call dword ptr [<&MSVBVM60.#594>] ; \rtcRandomize
00624374 . 8D4D 80 lea ecx, dword ptr [ebp-80]
00624377 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0062437D . 8D45 80 lea eax, dword ptr [ebp-80]
00624380 . C745 88 04000>mov dword ptr [ebp-78], 80020004
00624387 . 50 push eax ; /arg
00624388 . C745 80 0A000>mov dword ptr [ebp-80], 0A ; |
0062438F . FF15 84104000 call dword ptr [<&MSVBVM60.#593>] ; \rtcRandomNext
00624395 . D80D A01F4000 fmul dword ptr [401FA0]
0062439B . DFE0 fstsw ax
0062439D . A8 0D test al, 0D
0062439F . 0F85 6F1C0000 jnz 00626014
006243A5 . FF15 64124000 call dword ptr [<&MSVBVM60.__vbaFPInt>] ; MSVBVM60.__vbaFPInt
006243AB . D805 501A4000 fadd dword ptr [401A50]
006243B1 . DFE0 fstsw ax
006243B3 . A8 0D test al, 0D
006243B5 . 0F85 591C0000 jnz 00626014
006243BB . FF15 24124000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
006243C1 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006243C4 . 8985 BCFEFFFF mov dword ptr [ebp-144], eax
006243CA . 897D E8 mov dword ptr [ebp-18], edi
006243CD . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
006243D3 . 8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarMov>; MSVBVM60.__vbaVarMove
006243D9 > 8B45 E8 mov eax, dword ptr [ebp-18] ; the JMP below returns to here
006243DC . 8B8D BCFEFFFF mov ecx, dword ptr [ebp-144]
006243E2 . 3BC1 cmp eax, ecx ; the algorithm loops multiple times here
006243E4 . 0F8F AB030000 jg 00624795
006243EA . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
006243F0 . 8D4D C0 lea ecx, dword ptr [ebp-40]
006243F3 . 8985 08FFFFFF mov dword ptr [ebp-F8], eax
006243F9 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
00624403 . FFD7 call edi
00624405 . 8B4D E8 mov ecx, dword ptr [ebp-18]
00624408 . 83C1 01 add ecx, 1
0062440B . 0F80 081C0000 jo 00626019
00624411 . 51 push ecx
00624412 . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
00624418 . 8BD0 mov edx, eax
0062441A . 8D4D 9C lea ecx, dword ptr [ebp-64]
0062441D . FFD6 call esi
0062441F . 8D55 9C lea edx, dword ptr [ebp-64]
00624422 . 52 push edx
00624423 . E8 78DBFFFF call 00621FA0 ; key algorithm CALL; step in with F7 to see what it does
00624428 . 8945 88 mov dword ptr [ebp-78], eax
0062442B . 8D45 80 lea eax, dword ptr [ebp-80]
0062442E . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624434 . 50 push eax
00624435 . 51 push ecx
00624436 . C745 80 08000>mov dword ptr [ebp-80], 8
0062443D . FF15 00114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00624443 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00624449 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0062444C . FFD7 call edi
0062444E . 8D4D 9C lea ecx, dword ptr [ebp-64]
00624451 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00624457 . 8D4D 80 lea ecx, dword ptr [ebp-80]
0062445A . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00624460 . 8B55 E8 mov edx, dword ptr [ebp-18]
00624463 . 8D4D B0 lea ecx, dword ptr [ebp-50]
00624466 . 83C2 01 add edx, 1
00624469 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
00624473 . 0F80 A01B0000 jo 00626019
00624479 . 8995 08FFFFFF mov dword ptr [ebp-F8], edx
0062447F . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00624485 . FFD7 call edi
00624487 . 8B45 E8 mov eax, dword ptr [ebp-18]
0062448A . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00624490 . 83C0 02 add eax, 2
00624493 . 8D4D A0 lea ecx, dword ptr [ebp-60]
00624496 . 0F80 7D1B0000 jo 00626019
0062449C . 8985 08FFFFFF mov dword ptr [ebp-F8], eax
006244A2 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
006244AC . FFD7 call edi
006244AE . 8D4D C0 lea ecx, dword ptr [ebp-40]
006244B1 . 8D55 B0 lea edx, dword ptr [ebp-50]
006244B4 . 51 push ecx ; /var18
006244B5 . 52 push edx ; |var28
006244B6 . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
006244BC . 66:85C0 test ax, ax
006244BF . 0F84 92010000 je 00624657
006244C5 . E8 96CDFFFF call 00621260
006244CA . 8BD0 mov edx, eax
006244CC . 8D4D 9C lea ecx, dword ptr [ebp-64]
006244CF . FFD6 call esi
006244D1 . 50 push eax
006244D2 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
006244D8 . DC05 701E4000 fadd qword ptr [401E70]
006244DE . 83EC 08 sub esp, 8
006244E1 . DFE0 fstsw ax
006244E3 . A8 0D test al, 0D
006244E5 . 0F85 291B0000 jnz 00626014
006244EB . DD1C24 fstp qword ptr [esp]
006244EE . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
006244F4 . 8BD0 mov edx, eax
006244F6 . 8D4D 98 lea ecx, dword ptr [ebp-68]
006244F9 . FFD6 call esi
006244FB . 8D45 98 lea eax, dword ptr [ebp-68]
006244FE . 50 push eax
006244FF . E8 9CDAFFFF call 00621FA0
00624504 . 8D55 80 lea edx, dword ptr [ebp-80]
00624507 . 8D4D C0 lea ecx, dword ptr [ebp-40]
0062450A . 8945 88 mov dword ptr [ebp-78], eax
0062450D . C745 80 08000>mov dword ptr [ebp-80], 8
00624514 . FFD7 call edi
00624516 . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624519 . 8D55 9C lea edx, dword ptr [ebp-64]
0062451C . 51 push ecx
0062451D . 52 push edx
0062451E . 6A 02 push 2
00624520 . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00624526 . B9 04000280 mov ecx, 80020004
0062452B . B8 0A000000 mov eax, 0A
00624530 . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00624536 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0062453C . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
00624542 . 83C4 0C add esp, 0C
00624545 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
0062454B . 8D4D 80 lea ecx, dword ptr [ebp-80]
0062454E . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
00624554 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
0062455A . 8985 70FFFFFF mov dword ptr [ebp-90], eax
00624560 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8F8
0062456A . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00624574 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0062457A . 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
00624580 . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624586 . 50 push eax
00624587 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062458D . 51 push ecx
0062458E . 52 push edx
0062458F . 8D45 80 lea eax, dword ptr [ebp-80]
00624592 . 6A 30 push 30
00624594 . 50 push eax
00624595 . FF15 9C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0062459B . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
006245A1 . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
006245A7 . 51 push ecx
006245A8 . 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
006245AE . 52 push edx
006245AF . 8D4D 80 lea ecx, dword ptr [ebp-80]
006245B2 . 50 push eax
006245B3 . 51 push ecx
006245B4 . 6A 04 push 4
006245B6 . FFD3 call ebx
006245B8 . 83C4 14 add esp, 14
006245BB . E8 A0CCFFFF call 00621260
006245C0 . 8BD0 mov edx, eax
006245C2 . 8D4D 9C lea ecx, dword ptr [ebp-64]
006245C5 . FFD6 call esi
006245C7 . 50 push eax
006245C8 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
006245CE . DC05 701E4000 fadd qword ptr [401E70]
006245D4 . 83EC 08 sub esp, 8
006245D7 . DFE0 fstsw ax
006245D9 . A8 0D test al, 0D
006245DB . 0F85 331A0000 jnz 00626014
006245E1 . DD1C24 fstp qword ptr [esp]
006245E4 . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
006245EA . 8BD0 mov edx, eax
006245EC . 8D4D 98 lea ecx, dword ptr [ebp-68]
006245EF . FFD6 call esi
006245F1 . 8D55 98 lea edx, dword ptr [ebp-68]
006245F4 . 52 push edx
006245F5 . E8 A6D9FFFF call 00621FA0
006245FA . 8945 88 mov dword ptr [ebp-78], eax
006245FD . 8D45 80 lea eax, dword ptr [ebp-80]
00624600 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624606 . 50 push eax
00624607 . 51 push ecx
00624608 . C745 80 08000>mov dword ptr [ebp-80], 8
0062460F . FF15 00114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00624615 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062461B . 8D45 94 lea eax, dword ptr [ebp-6C]
0062461E . 52 push edx ; /String8
0062461F . 50 push eax ; |ARG2
00624620 . FF15 98114000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00624626 . 50 push eax
00624627 . E8 74D3FFFF call 006219A0
0062462C . 8D4D 94 lea ecx, dword ptr [ebp-6C]
0062462F . 8D55 98 lea edx, dword ptr [ebp-68]
00624632 . 51 push ecx
00624633 . 8D45 9C lea eax, dword ptr [ebp-64]
00624636 . 52 push edx
00624637 . 50 push eax
00624638 . 6A 03 push 3
0062463A . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00624640 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624646 . 8D55 80 lea edx, dword ptr [ebp-80]
00624649 . 51 push ecx
0062464A . 52 push edx
0062464B . 6A 02 push 2
0062464D . FFD3 call ebx
0062464F . 83C4 1C add esp, 1C
00624652 . E9 26010000 jmp 0062477D
00624657 > 8D45 C0 lea eax, dword ptr [ebp-40]
0062465A . 8D8D 00FFFFFF lea ecx, dword ptr [ebp-100]
00624660 . 50 push eax ; /var18
00624661 . 51 push ecx ; |var28
00624662 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F908 ; |o
0062466C . C785 00FFFFFF>mov dword ptr [ebp-100], 8008 ; |
00624676 . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
0062467C . 66:85C0 test ax, ax
0062467F . 0F84 94000000 je 00624719
00624685 . B9 04000280 mov ecx, 80020004
0062468A . B8 0A000000 mov eax, 0A
0062468F . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00624695 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0062469B . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
006246A1 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
006246A7 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006246AA . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
006246B0 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
006246B6 . 8985 70FFFFFF mov dword ptr [ebp-90], eax
006246BC . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8E4
006246C6 . C785 00FFFFFF>mov dword ptr [ebp-100], 8
006246D0 . FF15 18124000 call dword ptr [<&
【作者邮箱】: suredwang@126.com
【软件名称】: 系统错误修复精灵V3.0
【软件大小】: 790K
【下载地址】: 自己搜索下载
【加壳方式】: 无壳
【保护方式】: 网络验证+注册码
【编写语言】: Microsoft Visual Basic 5.0 / 6.0
【使用工具】: OD
【操作平台】: XP
【软件介绍】: 能快速扫描检测和修复注册表错误,并且还可以作修复备份,随时恢复,维护系统很好用。未注册版本只能扫描不能进行错误修复
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
本人只是个小菜鸟,休息天,闲着无事,就下了个小程序练手,本来以为只是简单注册码保护,没想到还有网络验证,一时就想学习学习,
献丑了。没有其它目的,支持正版,高手飘过
首先用PEID查壳,发现无壳,而且是用VB编写的程序,直接用OD载入,F9运行至注册界面,任意输入注册码787878787878,
点注册 出现“注册码错误”的信息,先用右键查找字符串,发现里面没有一点字符信息,算了看来用查字符串的方法行不通了,打开断点插件
在__vbaStrComp函数下断先看看能否断下,或在命令行下断也一样 bp__vbaStrComp ,点注册后
734793DA > FF7424 08 push dword ptr [esp+8] ; 断在这里
734793DE FF7424 08 push dword ptr [esp+8]
734793E2 6A 00 push 0
734793E4 E8 44E6FFFF call __vbaStrComp
734793E9 C2 0800 retn 8
734793EC > FF7424 08 push dword ptr [esp+8]
734793F0 FF7424 08 push dword ptr [esp+8]
734793F4 6A 01 push 1
734793F6 E8 32E6FFFF call __vbaStrComp
734793FB C2 0800 retn 8
右边的寄存器栏里:
EAX 00000030
ECX 001918CC UNICODE "RCode error"
EDX 00000000
EBX 73497262 MSVBVM60.__vbaFreeVarList
ESP 0012EC08 ASCII "7Bb"
EBP 0012EDA4
ESI 73476A74 MSVBVM60.__vbaStrMove
EDI 00000000
EIP 734793DA MSVBVM60.__vbaStrCmp
看到右边寄存器栏里 出现字符串"RCode error" ,分析看来注册判断应在前面,好了,向上翻找来到注册关键CALL入口地址处再下断,重新
运行
00624000 > \55 push ebp ; 这里下断,重新运行断在这
00624001 . 8BEC mov ebp, esp
00624003 . 83EC 0C sub esp, 0C
00624006 . 68 66204000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
0062400B . 64:A1 0000000>mov eax, dword ptr fs:[0]
00624011 . 50 push eax
00624012 . 64:8925 00000>mov dword ptr fs:[0], esp
00624019 . 81EC 70010000 sub esp, 170
0062401F . 53 push ebx
00624020 . 56 push esi
00624021 . 57 push edi
00624022 . 8965 F4 mov dword ptr [ebp-C], esp
00624025 . C745 F8 A81F4>mov dword ptr [ebp-8], 00401FA8
0062402C . 8B75 08 mov esi, dword ptr [ebp+8]
0062402F . 8BC6 mov eax, esi
00624031 . 83E0 01 and eax, 1
00624034 . 8945 FC mov dword ptr [ebp-4], eax
00624037 . 83E6 FE and esi, FFFFFFFE
0062403A . 56 push esi
0062403B . 8975 08 mov dword ptr [ebp+8], esi
0062403E . 8B0E mov ecx, dword ptr [esi]
00624040 . FF51 04 call dword ptr [ecx+4] ; 按F8单步运行到这,注意这CALL按F8会跳飞,看来有VMP代
码
00624043 . 8B16 mov edx, dword ptr [esi]
00624045 . 33FF xor edi, edi
00624047 . 56 push esi
00624048 . 897D D8 mov dword ptr [ebp-28], edi
0062404B . 897D D4 mov dword ptr [ebp-2C], edi
0062404E . 897D D0 mov dword ptr [ebp-30], edi
00624051 . 897D C0 mov dword ptr [ebp-40], edi
00624054 . 897D B0 mov dword ptr [ebp-50], edi
00624057 . 897D A0 mov dword ptr [ebp-60], edi
0062405A . 897D 9C mov dword ptr [ebp-64], edi
0062405D . 897D 98 mov dword ptr [ebp-68], edi
00624060 . 897D 94 mov dword ptr [ebp-6C], edi
00624063 . 897D 90 mov dword ptr [ebp-70], edi
00624066 . 897D 80 mov dword ptr [ebp-80], edi
00624069 . 89BD 70FFFFFF mov dword ptr [ebp-90], edi
0062406F . 89BD 60FFFFFF mov dword ptr [ebp-A0], edi
00624075 . 89BD 50FFFFFF mov dword ptr [ebp-B0], edi
0062407B . 89BD 40FFFFFF mov dword ptr [ebp-C0], edi
00624081 . 89BD 30FFFFFF mov dword ptr [ebp-D0], edi
00624087 . 89BD 20FFFFFF mov dword ptr [ebp-E0], edi
0062408D . 89BD 10FFFFFF mov dword ptr [ebp-F0], edi
00624093 . 89BD 00FFFFFF mov dword ptr [ebp-100], edi
00624099 . FF92 00030000 call dword ptr [edx+300]
0062409F . 50 push eax
006240A0 . 8D45 90 lea eax, dword ptr [ebp-70]
006240A3 . 50 push eax
006240A4 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
006240AA . 8BD8 mov ebx, eax
006240AC . 8D55 9C lea edx, dword ptr [ebp-64]
006240AF . 52 push edx
006240B0 . 53 push ebx
006240B1 . 8B0B mov ecx, dword ptr [ebx]
006240B3 . FF91 A0000000 call dword ptr [ecx+A0]
006240B9 . 3BC7 cmp eax, edi
006240BB . DBE2 fclex
006240BD . 7D 12 jge short 006240D1
006240BF . 68 A0000000 push 0A0
006240C4 . 68 58F84500 push 0045F858
006240C9 . 53 push ebx
006240CA . 50 push eax
006240CB . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
006240D1 > 8B45 9C mov eax, dword ptr [ebp-64] ; 这里出现假码
006240D4 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006240DA . 8945 88 mov dword ptr [ebp-78], eax
006240DD . 8D45 80 lea eax, dword ptr [ebp-80]
006240E0 . 50 push eax
006240E1 . 51 push ecx
006240E2 . 897D 9C mov dword ptr [ebp-64], edi
006240E5 . C745 80 08000>mov dword ptr [ebp-80], 8
006240EC . FF15 BC104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar 处理边空格
006240F2 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
006240F8 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
006240FE . 52 push edx ; /var18
006240FF . 50 push eax ; |var28
00624100 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045DEE0 ; |
0062410A . C785 00FFFFFF>mov dword ptr [ebp-100], 8008 ; |
00624114 . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaVarTstNe>] ; \比较变量是否不相等
0062411A . 8D4D 90 lea ecx, dword ptr [ebp-70]
0062411D . 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
00624123 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00624129 . 8B1D 3C104000 mov ebx, dword ptr [<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVarList
0062412F . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624135 . 8D55 80 lea edx, dword ptr [ebp-80]
00624138 . 51 push ecx
00624139 . 52 push edx
0062413A . 6A 02 push 2
0062413C . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList>
0062413E . 83C4 0C add esp, 0C
00624141 . 66:39BD C4FEF>cmp word ptr [ebp-13C], di ; 判断注册码是否为空
00624148 0F84 841D0000 je 00625ED2 ; 为空就跳走
0062414E . 8B06 mov eax, dword ptr [esi]
00624150 . 56 push esi
00624151 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F86C ; 堆栈里出现
http://www.FairySoftware.com/register/fse/?rcode="
0062415B . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00624165 . FF90 00030000 call dword ptr [eax+300]
0062416B . 8D4D 90 lea ecx, dword ptr [ebp-70]
0062416E . 50 push eax
0062416F . 51 push ecx
00624170 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00624176 . 8BF0 mov esi, eax
00624178 . 8D45 9C lea eax, dword ptr [ebp-64]
0062417B . 50 push eax
0062417C . 56 push esi
0062417D . 8B16 mov edx, dword ptr [esi]
0062417F . FF92 A0000000 call dword ptr [edx+A0]
00624185 . 3BC7 cmp eax, edi
00624187 . DBE2 fclex
00624189 . 7D 12 jge short 0062419D
0062418B . 68 A0000000 push 0A0
00624190 . 68 58F84500 push 0045F858
00624195 . 56 push esi
00624196 . 50 push eax
00624197 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
0062419D > 8B45 9C mov eax, dword ptr [ebp-64] ; 又出现假码
006241A0 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006241A3 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
006241A9 . 51 push ecx
006241AA . 52 push edx
006241AB . 897D 9C mov dword ptr [ebp-64], edi
006241AE . 8945 88 mov dword ptr [ebp-78], eax
006241B1 . C745 80 08000>mov dword ptr [ebp-80], 8
006241B8 . FF15 BC104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
006241BE . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
006241C4 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006241CA . 50 push eax
006241CB . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
006241D1 . 51 push ecx
006241D2 . 52 push edx
006241D3 . FF15 A0114000 call dword ptr [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat 连接字符函数
006241D9 . 50 push eax
006241DA . FF15 30104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
006241E0 . 8B35 44124000 mov esi, dword ptr [<&MSVBVM60.__vbaStrMov>; MSVBVM60.__vbaStrMove
006241E6 . 8BD0 mov edx, eax ; 字符串连接
http://www.FairySoftware.com/register/fse/?rcode=78787878787878")
006241E8 . 8D4D 98 lea ecx, dword ptr [ebp-68]
006241EB . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
006241ED . 8D45 98 lea eax, dword ptr [ebp-68]
006241F0 . 50 push eax
006241F1 . E8 AA2C0000 call 00626EA0 ; 网络验证CALL ,验证注册码并返回值
006241F6 . 8BD0 mov edx, eax ; 由服务器取回字符串"RCode error"
006241F8 . 8D4D D0 lea ecx, dword ptr [ebp-30]
006241FB . FFD6 call esi
006241FD . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624200 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00624206 . 8D4D 90 lea ecx, dword ptr [ebp-70]
00624209 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0062420F . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624215 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062421B . 51 push ecx
0062421C . 8D45 80 lea eax, dword ptr [ebp-80]
0062421F . 52 push edx
00624220 . 50 push eax
00624221 . 6A 03 push 3
00624223 . FFD3 call ebx
00624225 . 8B4D D0 mov ecx, dword ptr [ebp-30]
00624228 . 83C4 10 add esp, 10
0062422B . 51 push ecx ; 由服务器取回字符串"RCode error"
0062422C . 68 E0DE4500 push 0045DEE0 ; 与30h 作比较
00624231 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00624237 . 85C0 test eax, eax
00624239 0F84 1F1C0000 je 00625E5E ; 判断网络服务器返回值是否为0,所以不会跳
0062423F . 8B45 08 mov eax, dword ptr [ebp+8]
00624242 . 50 push eax
00624243 . 8B10 mov edx, dword ptr [eax]
00624245 . FF92 00030000 call dword ptr [edx+300]
0062424B . 50 push eax
0062424C . 8D45 90 lea eax, dword ptr [ebp-70]
0062424F . 50 push eax
00624250 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00624256 . 8B08 mov ecx, dword ptr [eax]
00624258 . 8D55 9C lea edx, dword ptr [ebp-64]
0062425B . 52 push edx
0062425C . 50 push eax
0062425D . 8985 CCFEFFFF mov dword ptr [ebp-134], eax
00624263 . FF91 A0000000 call dword ptr [ecx+A0]
00624269 . 3BC7 cmp eax, edi
0062426B . DBE2 fclex
0062426D . 7D 18 jge short 00624287
0062426F . 8B8D CCFEFFFF mov ecx, dword ptr [ebp-134]
00624275 . 68 A0000000 push 0A0
0062427A . 68 58F84500 push 0045F858
0062427F . 51 push ecx
00624280 . 50 push eax
00624281 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
00624287 > 8B55 9C mov edx, dword ptr [ebp-64] ; 假码
0062428A . 6A 01 push 1
0062428C . 52 push edx
0062428D . 68 2CE74500 push 0045E72C ; -
00624292 . 57 push edi
00624293 . FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaInStr>] ; MSVBVM60.__vbaInStr
00624299 . F7D8 neg eax ; 这里判断是否含有注册码并改标志
0062429B . 1BC0 sbb eax, eax
0062429D . 8D4D 9C lea ecx, dword ptr [ebp-64]
006242A0 . 40 inc eax
006242A1 . F7D8 neg eax
006242A3 . 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
006242A9 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
006242AF . 8D4D 90 lea ecx, dword ptr [ebp-70]
006242B2 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
006242B8 . 66:39BD C4FEF>cmp word ptr [ebp-13C], di ; 比较是否含有注册码的标志
006242BF 0F84 97000000 jne 0062435C ; 关键爆破点,改为JNZ 或JMP
...................此处省略
跳到这里
0062435C > \8D55 80 lea edx, dword ptr [ebp-80]
0062435F . C745 88 04000>mov dword ptr [ebp-78], 80020004
00624366 . 52 push edx ; /RNDNumber08
00624367 . C745 80 0A000>mov dword ptr [ebp-80], 0A ; |
0062436E . FF15 90104000 call dword ptr [<&MSVBVM60.#594>] ; \rtcRandomize
00624374 . 8D4D 80 lea ecx, dword ptr [ebp-80]
00624377 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0062437D . 8D45 80 lea eax, dword ptr [ebp-80]
00624380 . C745 88 04000>mov dword ptr [ebp-78], 80020004
00624387 . 50 push eax ; /arg
00624388 . C745 80 0A000>mov dword ptr [ebp-80], 0A ; |
0062438F . FF15 84104000 call dword ptr [<&MSVBVM60.#593>] ; \rtcRandomNext
00624395 . D80D A01F4000 fmul dword ptr [401FA0]
0062439B . DFE0 fstsw ax
0062439D . A8 0D test al, 0D
0062439F . 0F85 6F1C0000 jnz 00626014
006243A5 . FF15 64124000 call dword ptr [<&MSVBVM60.__vbaFPInt>] ; MSVBVM60.__vbaFPInt
006243AB . D805 501A4000 fadd dword ptr [401A50]
006243B1 . DFE0 fstsw ax
006243B3 . A8 0D test al, 0D
006243B5 . 0F85 591C0000 jnz 00626014
006243BB . FF15 24124000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
006243C1 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006243C4 . 8985 BCFEFFFF mov dword ptr [ebp-144], eax
006243CA . 897D E8 mov dword ptr [ebp-18], edi
006243CD . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
006243D3 . 8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarMov>; MSVBVM60.__vbaVarMove
006243D9 > 8B45 E8 mov eax, dword ptr [ebp-18] ; the JMP further down returns to here
006243DC . 8B8D BCFEFFFF mov ecx, dword ptr [ebp-144]
006243E2 . 3BC1 cmp eax, ecx ; the algorithm loops through here multiple times
006243E4 . 0F8F AB030000 jg 00624795
006243EA . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
006243F0 . 8D4D C0 lea ecx, dword ptr [ebp-40]
006243F3 . 8985 08FFFFFF mov dword ptr [ebp-F8], eax
006243F9 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
00624403 . FFD7 call edi
00624405 . 8B4D E8 mov ecx, dword ptr [ebp-18]
00624408 . 83C1 01 add ecx, 1
0062440B . 0F80 081C0000 jo 00626019
00624411 . 51 push ecx
00624412 . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
00624418 . 8BD0 mov edx, eax
0062441A . 8D4D 9C lea ecx, dword ptr [ebp-64]
0062441D . FFD6 call esi
0062441F . 8D55 9C lea edx, dword ptr [ebp-64]
00624422 . 52 push edx
00624423 . E8 78DBFFFF call 00621FA0 ; key algorithm CALL, step in with F7 to see what it does
00624428 . 8945 88 mov dword ptr [ebp-78], eax
0062442B . 8D45 80 lea eax, dword ptr [ebp-80]
0062442E . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624434 . 50 push eax
00624435 . 51 push ecx
00624436 . C745 80 08000>mov dword ptr [ebp-80], 8
0062443D . FF15 00114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00624443 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00624449 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0062444C . FFD7 call edi
0062444E . 8D4D 9C lea ecx, dword ptr [ebp-64]
00624451 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00624457 . 8D4D 80 lea ecx, dword ptr [ebp-80]
0062445A . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00624460 . 8B55 E8 mov edx, dword ptr [ebp-18]
00624463 . 8D4D B0 lea ecx, dword ptr [ebp-50]
00624466 . 83C2 01 add edx, 1
00624469 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
00624473 . 0F80 A01B0000 jo 00626019
00624479 . 8995 08FFFFFF mov dword ptr [ebp-F8], edx
0062447F . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00624485 . FFD7 call edi
00624487 . 8B45 E8 mov eax, dword ptr [ebp-18]
0062448A . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00624490 . 83C0 02 add eax, 2
00624493 . 8D4D A0 lea ecx, dword ptr [ebp-60]
00624496 . 0F80 7D1B0000 jo 00626019
0062449C . 8985 08FFFFFF mov dword ptr [ebp-F8], eax
006244A2 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
006244AC . FFD7 call edi
006244AE . 8D4D C0 lea ecx, dword ptr [ebp-40]
006244B1 . 8D55 B0 lea edx, dword ptr [ebp-50]
006244B4 . 51 push ecx ; /var18
006244B5 . 52 push edx ; |var28
006244B6 . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
006244BC . 66:85C0 test ax, ax
006244BF . 0F84 92010000 je 00624657
006244C5 . E8 96CDFFFF call 00621260
006244CA . 8BD0 mov edx, eax
006244CC . 8D4D 9C lea ecx, dword ptr [ebp-64]
006244CF . FFD6 call esi
006244D1 . 50 push eax
006244D2 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
006244D8 . DC05 701E4000 fadd qword ptr [401E70]
006244DE . 83EC 08 sub esp, 8
006244E1 . DFE0 fstsw ax
006244E3 . A8 0D test al, 0D
006244E5 . 0F85 291B0000 jnz 00626014
006244EB . DD1C24 fstp qword ptr [esp]
006244EE . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
006244F4 . 8BD0 mov edx, eax
006244F6 . 8D4D 98 lea ecx, dword ptr [ebp-68]
006244F9 . FFD6 call esi
006244FB . 8D45 98 lea eax, dword ptr [ebp-68]
006244FE . 50 push eax
006244FF . E8 9CDAFFFF call 00621FA0
00624504 . 8D55 80 lea edx, dword ptr [ebp-80]
00624507 . 8D4D C0 lea ecx, dword ptr [ebp-40]
0062450A . 8945 88 mov dword ptr [ebp-78], eax
0062450D . C745 80 08000>mov dword ptr [ebp-80], 8
00624514 . FFD7 call edi
00624516 . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624519 . 8D55 9C lea edx, dword ptr [ebp-64]
0062451C . 51 push ecx
0062451D . 52 push edx
0062451E . 6A 02 push 2
00624520 . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00624526 . B9 04000280 mov ecx, 80020004
0062452B . B8 0A000000 mov eax, 0A
00624530 . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00624536 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0062453C . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
00624542 . 83C4 0C add esp, 0C
00624545 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
0062454B . 8D4D 80 lea ecx, dword ptr [ebp-80]
0062454E . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
00624554 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
0062455A . 8985 70FFFFFF mov dword ptr [ebp-90], eax
00624560 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8F8
0062456A . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00624574 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0062457A . 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
00624580 . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624586 . 50 push eax
00624587 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062458D . 51 push ecx
0062458E . 52 push edx
0062458F . 8D45 80 lea eax, dword ptr [ebp-80]
00624592 . 6A 30 push 30
00624594 . 50 push eax
00624595 . FF15 9C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0062459B . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
006245A1 . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
006245A7 . 51 push ecx
006245A8 . 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
006245AE . 52 push edx
006245AF . 8D4D 80 lea ecx, dword ptr [ebp-80]
006245B2 . 50 push eax
006245B3 . 51 push ecx
006245B4 . 6A 04 push 4
006245B6 . FFD3 call ebx
006245B8 . 83C4 14 add esp, 14
006245BB . E8 A0CCFFFF call 00621260
006245C0 . 8BD0 mov edx, eax
006245C2 . 8D4D 9C lea ecx, dword ptr [ebp-64]
006245C5 . FFD6 call esi
006245C7 . 50 push eax
006245C8 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
006245CE . DC05 701E4000 fadd qword ptr [401E70]
006245D4 . 83EC 08 sub esp, 8
006245D7 . DFE0 fstsw ax
006245D9 . A8 0D test al, 0D
006245DB . 0F85 331A0000 jnz 00626014
006245E1 . DD1C24 fstp qword ptr [esp]
006245E4 . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
006245EA . 8BD0 mov edx, eax
006245EC . 8D4D 98 lea ecx, dword ptr [ebp-68]
006245EF . FFD6 call esi
006245F1 . 8D55 98 lea edx, dword ptr [ebp-68]
006245F4 . 52 push edx
006245F5 . E8 A6D9FFFF call 00621FA0
006245FA . 8945 88 mov dword ptr [ebp-78], eax
006245FD . 8D45 80 lea eax, dword ptr [ebp-80]
00624600 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624606 . 50 push eax
00624607 . 51 push ecx
00624608 . C745 80 08000>mov dword ptr [ebp-80], 8
0062460F . FF15 00114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00624615 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062461B . 8D45 94 lea eax, dword ptr [ebp-6C]
0062461E . 52 push edx ; /String8
0062461F . 50 push eax ; |ARG2
00624620 . FF15 98114000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00624626 . 50 push eax
00624627 . E8 74D3FFFF call 006219A0
0062462C . 8D4D 94 lea ecx, dword ptr [ebp-6C]
0062462F . 8D55 98 lea edx, dword ptr [ebp-68]
00624632 . 51 push ecx
00624633 . 8D45 9C lea eax, dword ptr [ebp-64]
00624636 . 52 push edx
00624637 . 50 push eax
00624638 . 6A 03 push 3
0062463A . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00624640 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624646 . 8D55 80 lea edx, dword ptr [ebp-80]
00624649 . 51 push ecx
0062464A . 52 push edx
0062464B . 6A 02 push 2
0062464D . FFD3 call ebx
0062464F . 83C4 1C add esp, 1C
00624652 . E9 26010000 jmp 0062477D
00624657 > 8D45 C0 lea eax, dword ptr [ebp-40]
0062465A . 8D8D 00FFFFFF lea ecx, dword ptr [ebp-100]
00624660 . 50 push eax ; /var18
00624661 . 51 push ecx ; |var28
00624662 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F908 ; |o
0062466C . C785 00FFFFFF>mov dword ptr [ebp-100], 8008 ; |
00624676 . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
0062467C . 66:85C0 test ax, ax
0062467F . 0F84 94000000 je 00624719
00624685 . B9 04000280 mov ecx, 80020004
0062468A . B8 0A000000 mov eax, 0A
0062468F . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00624695 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0062469B . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
006246A1 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
006246A7 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006246AA . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
006246B0 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
006246B6 . 8985 70FFFFFF mov dword ptr [ebp-90], eax
006246BC . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8E4
006246C6 . C785 00FFFFFF>mov dword ptr [ebp-100], 8
006246D0 . FF15 18124000 call dword ptr [<&