起手
- PEID看看还是vb的程序
- VB.Decompiler说是压缩了,点是没法载入,点否居然载入了,花Q,
追码
第一部分
和02一样,这个就简单了,只是小部分变化.
Len(userName) * 88888 + Asc(userName)
第二部分
浮点,妈妈咪呀,我一个指令都不会.只能百度现学
FLD类似于 PUSH指令
FSTP类似于 POP指令
FADD类似于 ADD指令
汇编指令:fld dword ptr ds:[eax+0xC] 意思是将[eax+c]的值以浮点型放进ST0里面
汇编指令:fstp dword ptr ss:[ebp-0x20] 意思是将ST0里面的浮点值,放到ebp-20这个内存里面,同是清空ST0里面的值
FSTSW。这条指令将状态寄存器中的内容传送至 AX寄存器
0:无效指令,2:除零,3:溢出,4下溢出,5精度
流程如下,过程很长,作者目的明显,想要展示常用浮点指令.
004082DD > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8] ; TextInpu.60F91140
004082E3 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004082E6 . 52 push edx
004082E7 . 8B19 mov ebx,dword ptr ds:[ecx] ; msvbvm50.740E5A95
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>; 注册码转单精度浮点入浮点堆栈
004082EF . D905 08104000 fld dword ptr ds:[<fRegCode>] ; 压入浮点堆栈 10
004082F5 . 833D 00904000 0>cmp dword ptr ds:[0x409000],0x0
004082FC . 75 08 jnz short AfKayAs_.00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; 和40100c数字除 =5
00408304 . EB 0B jmp short AfKayAs_.00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08 sub esp,0x8
00408314 . DFE0 fstsw ax ; 把协处理器状态寄存器的值传送给AX
00408316 . A8 0D test al,0xD ; 0b 1101 溢出,除0,无效指令?
00408318 . 0F85 A1040000 jnz AfKayAs_.004087BF
0040831E . DEC1 faddp st(1),st ; 浮点堆栈两个数相加
00408320 . DFE0 fstsw ax
00408322 . A8 0D test al,0xD
00408324 . 0F85 95040000 jnz AfKayAs_.004087BF
0040832A . DD1C24 fstp qword ptr ss:[esp] ; 把算好的数据从弹出浮点堆栈
0040832D . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaStrR8
00408333 . 8BD0 mov edx,eax
00408335 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408338 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaStrMove
0040833E . 899D 34FFFFFF mov dword ptr ss:[ebp-0xCC],ebx
00408344 . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8] ; TextInpu.60F91140
0040834A . 50 push eax
0040834B . 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-0xCC]
00408351 . 53 push ebx ; 总的来说就是code+(10./2.)
00408352 . FF90 A4000000 call dword ptr ds:[eax+0xA4] ; 又把数据存在文本框了
004083CD . FF92 A0000000 call dword ptr ds:[edx+0xA0] ; 继续拉出来
004083D3 . 85C0 test eax,eax
004083D5 . 7D 12 jge short AfKayAs_.004083E9
004083D7 . 68 A0000000 push 0xA0
004083DC . 68 AC6F4000 push AfKayAs_.00406FAC
004083E1 . 53 push ebx
004083E2 . 50 push eax
004083E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaHresultCheckObj
004083E9 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8] ; TextInpu.60F91140
004083EF . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004083F2 . 52 push edx
004083F3 . 8B19 mov ebx,dword ptr ds:[ecx] ; msvbvm50.740E5A95
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaR8Str
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; 继续转 然后 *3
00408401 . 83EC 08 sub esp,0x8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; -2
0040840A . DFE0 fstsw ax
0040840C . A8 0D test al,0xD
0040840E . 0F85 AB030000 jnz AfKayAs_.004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp] ; 继续变成字串,存回去
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaStrR8
0040841D . 8BD0 mov edx,eax
0040841F . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408422 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaStrMove
00408428 . 899D 2CFFFFFF mov dword ptr ss:[ebp-0xD4],ebx
0040842E . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8] ; TextInpu.60F91140
00408434 . 50 push eax
00408435 . 8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-0xD4] ; TextInpu.60FA38C8
0040843B . 53 push ebx
0040843C . FF90 A4000000 call dword ptr ds:[eax+0xA4]
004084B5 . 8B13 mov edx,dword ptr ds:[ebx] ; 继续拉出来鞭尸
004084B7 . FF92 A0000000 call dword ptr ds:[edx+0xA0]
004084BD . 85C0 test eax,eax
004084BF . 7D 12 jge short AfKayAs_.004084D3
004084C1 . 68 A0000000 push 0xA0
004084C6 . 68 AC6F4000 push AfKayAs_.00406FAC
004084CB . 53 push ebx
004084CC . 50 push eax
004084CD . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaHresultCheckObj
004084D3 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8] ; TextInpu.60F91140
004084D9 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004084DC . 52 push edx
004084DD . 8B19 mov ebx,dword ptr ds:[ecx] ; msvbvm50.740E5A95
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaR8Str
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; +15 减减就是加了,真是老阴b
004084EB . 83EC 08 sub esp,0x8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD
004084F2 . 0F85 C7020000 jnz AfKayAs_.004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp]
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaStrR8
00408501 . 8BD0 mov edx,eax
00408503 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408506 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaStrMove
0040850C . 899D 24FFFFFF mov dword ptr ss:[ebp-0xDC],ebx
00408512 . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8] ; TextInpu.60F91140
00408518 . 50 push eax
00408519 . 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC]
0040851F . 53 push ebx
00408520 . FF90 A4000000 call dword ptr ds:[eax+0xA4] ; 继续存起来
00408572 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408575 . 51 push ecx
00408576 . 53 push ebx
00408577 . 8B03 mov eax,dword ptr ds:[ebx]
00408579 . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; 拉出来
004085AB . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
004085AE . 52 push edx
004085AF . 56 push esi
004085B0 . 8B0E mov ecx,dword ptr ds:[esi]
004085B2 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; 读出假的注册码??
004085B8 . 85C0 test eax,eax
004085BA . 7D 12 jge short AfKayAs_.004085CE
004085BC . 68 A0000000 push 0xA0
004085C1 . 68 AC6F4000 push AfKayAs_.00406FAC
004085C6 . 56 push esi
004085C7 . 50 push eax
004085C8 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaHresultCheckObj
004085CE > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; 吧假的注册码变浮点
004085D1 . 50 push eax
004085D2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaR8Str
004085D8 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C] ; CoreUICo.60CEEBA4
004085DB . DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4] ; 然后pop到内存
004085E1 . 51 push ecx ; 吧算出来的码到浮点
004085E2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vb>; msvbvm50.__vbaR8Str
004085E8 . 833D 00904000 0>cmp dword ptr ds:[0x409000],0x0
004085EF . 75 08 jnz short AfKayAs_.004085F9
004085F1 . DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4] ; 假的和真的相除
004085F7 . EB 11 jmp short AfKayAs_.0040860A
004085F9 > FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A > DFE0 fstsw ax
0040860C . A8 0D test al,0xD
0040860E . 0F85 AB010000 jnz AfKayAs_.004087BF
00408614 . FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vb>; ????
0040861A . DC1D 28104000 fcomp qword ptr ds:[0x401028] ; 和1比较
00408620 . DFE0 fstsw ax
00408622 . F6C4 40 test ah,0x40 ; 相等么
注册机
Function Regcode(userName As String) As String
Dim t As Single
t = Len(userName) * 88888 + Asc(userName)
t = t + 2
t = t * 3 - 2
t = t + 15
Regcode = t
End Function
疑问
这次VB程序局部变量又没有变成local.1这种形式了,有什么办法让他强制变么?
[复制链接]
发表于 2021-1-13 01:02
|
发表于 2021-1-13 10:56
