好友 阅读权限 20
听众 最后登录 1970-1-1
转自看雪论坛 附件稍后补上 忘记论坛密码了 IDA,">标 题: 【原创】 一个 BumpyFlea's CrackMe 的破解 分析(总共有5个关卡)(使用了P-Code的编译方式) 作 者: CuteSnail 时 间: 2007-12-29,14:51:38链 接: http://bbs.pediy.com/showthread.php?t=57307【文章标题】: 一个 BumpyFlea's CrackMe 的破解分析+(总共有5个关卡)+(使用了P-Code的编译方式) 【文章作者】: CuteSnail 【作者QQ号】: 121567771 【作者声明】: 只是感兴趣的自娱自乐,没有其他目的。失误之处还要敬请诸位大侠赐教! ------------------------------------------------------------------------------- 【详细过程】 程序用了VB6的 P-Code 方式编译,因此使用了 VBExplorer 1.1 来静态反编译;使用了 WKTVBDE 4.1 来动态跟踪(从第3关开始): ||===|| ||第1关: Remove Me (NAG窗口的爆破),代码见下面的分析: ||===|| [Form.Load] :00404C6C 27FCFE LitVar ;PushVar LOCAL_0104 :00404C6F 271CFF LitVar ;PushVar LOCAL_00E4 ******Possible String Ref To->"Remove Me" | :00404C72 3A4CFF1400 LitVarStr ;PushVarString ptr_00402920 :00404C77 4E3CFF FStVarCopyObj ;[LOCAL_00C4]=vbaVarDup(Pop) :00404C7A 043CFF FLdRfVar ;Push LOCAL_00C4 :00404C7D F530000000 LitI4 ;Push 00000030 ******Possible String Ref To->"This is a nag, U need to Remove Me" | :00404C82 3A6CFF1500 LitVarStr ;PushVarString ptr_004028D4 :00404C87 4E5CFF FStVarCopyObj ;[LOCAL_00A4]=vbaVarDup(Pop) :00404C8A 045CFF FLdRfVar ;Push LOCAL_00A4 **********Reference To->msvbvm60.rtcMsgBox | :00404C8D 0A0D001400 ImpAdCallFPR4 ;//很明显,就是这里弹出了NAG的对话框!// :00404C92 3608005CFF3CFF1C FFreeVar ;Free 0008/2 variants :00404C9D F400 LitI2_Byte ;Push 00 :00404C9F 21 FLdPrThis ;[SR]=[stack2] :00404CA0 0FFC02 VCallAd ;Return the control index 01 :00404CA3 19F8FE FStAdFunc ; :00404CA6 08F8FE FLdPr ;[SR]=[LOCAL_0108] :后面的代码省略。。。 从上面可以知道,00404C8D 处的 ImpAdCallFPR4 命令就是弹出NAG对话框的命名,只要将它跳过,就OK了;而P-Code的jmp/je/jne命令则分别对应是如下: (正常格式) (P-Code格式) jmp xxXX <=> Branch xxXX ;以机器码1E开头; 机器码长度为3,后2位机器码放跳转的长度; xxXX为跳转地址,xx表示地位,XX表示高位. je xxXX <=> BranchT xxXX ;以机器码1D开头; 机器码长度为3,其余同上. jne xxXX <=> BranchF xxXX ;以机器码1C开头; 机器码长度为3,其余同上. 故将上面的: :00404C8D 0A0D001400 ImpAdCallFPR4 ;这里弹出NAG的对话框 这行命令的机器码:“0A0D001400” 用16进制编辑软件(如:010 Editor)定位到地址00404C8D后, 将其先修改为: “1E00000000”,然后再用VBExplorer来反编译,便发现该处变为如下的命令了: :00404C8D 1E0000 Branch ;ESI=00404C6C //注意这句中 ESI 的数值大小 :00404C90 0000 LargeBos ;被修改的地方,机器码仍然为3+2=5的总长度 从上面可以看到 ESI=00404C6C 这句,而要强制跳转的地方便是紧跟上面语句之后的00404C92处的语句,故用 00404C92 - 00404C6C = 26(十进制38),知道了要跳的长度为16进制的26,因此将上面修改后的机器码“1E00000000”的1E后面的长度 0000 修改为 2600 (26放前面,是因为寄存器中是低位放前面,高位放后面),即变为:“1E26000000”便OK了!运行程序,NAG窗口被爆破了,呵呵。 ||===|| ||第2关: Level 1 Menu: Password (Password的寻找),代码见下面的分析: ||===|| [Password.Change] :00404D64 0474FF FLdRfVar :00404D67 21 FLdPrThis :00404D68 0F9003 VCallAd :00404D6B 1978FF FStAdFunc :00404D6E 0878FF FLdPr ***********Reference To:[propget]TextBox.Text ;得到输入的PassWord | :00404D71 0DA0000A00 VCallHresult ;Call ptr_00402734 :00404D76 6C74FF ILdRf ******Possible String Ref To->"123454321" ;//假的注册码 | :00404D79 1B1700 LitStr :00404D7C FB30 EqStr :00404D7E 2F74FF FFree1Str :00404D81 1A78FF FFree1Ad :00404D84 1C5400 BranchF ;If Pop=0 then ESI=00404DB8//这里需要跳走 :00404D87 27F4FE LitVar :00404D8A 2714FF LitVar ******Possible String Ref To->"Almost" ;//假注册对话框的标题 | :00404D8D 3A44FF1800 LitVarStr :00404D92 4E34FF FStVarCopyObj :00404D95 0434FF FLdRfVar :00404D98 F500000000 LitI4 ******Possible String Ref To->"Nice try. I also Use this number. Unfortunatly it ain't the password." | ;//假注册对话框的内容 :00404D9D 3A64FF1900 LitVarStr :00404DA2 4E54FF FStVarCopyObj :00404DA5 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :00404DA8 0A0D001400 ImpAdCallFPR4 ;弹出假注册的对话框 :00404DAD 36080054FF34FF14 FFreeVar :00404DB8 0474FF FLdRfVar ;Push LOCAL_008C :00404DBB 21 FLdPrThis :00404DBC 0F9003 VCallAd :00404DBF 1978FF FStAdFunc :00404DC2 0878FF FLdPr ***********Reference To:[propget]TextBox.Text ;得到输入的PassWord | :00404DC5 0DA0000A00 VCallHresult :00404DCA 6C74FF ILdRf ******Possible String Ref To->"bUmPy FlEa 1799" ;真正的PassWord,明码固定的比较 | :00404DCD 1B1A00 LitStr :00404DD0 FB30 EqStr :00404DD2 2F74FF FFree1Str :00404DD5 1A78FF FFree1Ad :00404DD8 1CA800 BranchF ;If Pop=0 then ESI=00404E0C//关键比较,不能跳走 :00404DDB 27F4FE LitVar :00404DDE 2714FF LitVar ******Possible String Ref To->"Congratz" ;//成功的注册对话框的标题 | :00404DE1 3A44FF1B00 LitVarStr :00404DE6 4E34FF FStVarCopyObj :00404DE9 0434FF FLdRfVar :00404DEC F500000000 LitI4 ******Possible String Ref To->"Congradulations. You found the correct Password" | ;//成功的注册对话框的内容 :00404DF1 3A64FF1C00 LitVarStr :00404DF6 4E54FF FStVarCopyObj :00404DF9 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :00404DFC 0A0D001400 ImpAdCallFPR4 ;弹出成功的注册对话框 :00404E01 36080054FF34FF14 FFreeVar :00404E0C 0474FF FLdRfVar ;Push LOCAL_008C :00404E0F 21 FLdPrThis :00404E10 0F9003 VCallAd :00404E13 1978FF FStAdFunc :00404E16 0878FF FLdPr ***********Reference To:[propget]TextBox.Text | :00404E19 0DA0000A00 VCallHresult ;得到输入的PassWord :00404E1E 6C74FF ILdRf :00404E21 4A FnLenStr :00404E22 F519000000 LitI4 :00404E27 E0 GeI4 :00404E28 2F74FF FFree1Str :00404E2B 1A78FF FFree1Ad :00404E2E 1CFE00 BranchF ;If Pop=0 then ESI=00404E62 //PassWord不长,则不提示 :00404E31 27F4FE LitVar :00404E34 2714FF LitVar ******Possible String Ref To->"Password isn't this long" | :00404E37 3A44FF1D00 LitVarStr ;PassWord太长的提示标题 :00404E3C 4E34FF FStVarCopyObj :00404E3F 0434FF FLdRfVar :00404E42 F500000000 LitI4 ******Possible String Ref To->"Your Password is a little too long" | :00404E47 3A64FF1E00 LitVarStr ;PassWord太长的提示内容 :00404E4C 4E54FF FStVarCopyObj :00404E4F 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :00404E52 0A0D001400 ImpAdCallFPR4 ;PassWord太长的提示对话框 :00404E57 36080054FF34FF14 FFreeVar :00404E62 13 ExitProcHresult ; 从上面的分析,便可以很轻松的得到真正正确的PassWord为:bUmPy FlEa 1799 然后,开始进入第3关。 ||===|| ||第3关: Level 1 Menu: Enable Me (启用屏蔽的菜单),见下面的修改: ||===|| 用16进制编辑软件(如:010 Editor)打开该CrackMe后,搜索字符串'Enable Me',找到后,将它后面紧跟的(1BC2处开始)机器码: 00 05 修改为: 00 06 即可!(因为:05=表示禁用; 06=表示启用,呵呵 ;) ||===|| ||第4关: Level 2 Menu: Serial Code (注册名/注册码的检测),代码见下面的分析(VBExplorer1.1配合WKTVBDE4.1的分析): ||===|| [Check.Click] :00405220 0002 LargeBos ;IDE beginning of line with 02 byte codes :00405222 0005 LargeBos ;IDE beginning of line with 05 byte codes :00405224 4BFFFF OnErrorGoto :00405227 0027 LargeBos ;IDE beginning of line with 27 byte codes :00405229 0474FF FLdRfVar :0040522C 21 FLdPrThis :0040522D 0F2003 VCallAd :00405230 1978FF FStAdFunc :00405233 0878FF FLdPr ***********Reference To:[propget]TextBox.Text | :00405236 0DA0000A00 VCallHresult ;得到注册名 :0040523B 6C74FF ILdRf :0040523E 4A FnLenStr ;得到其长度 :0040523F F506000000 LitI4 ;装入数值6 :00405244 D6 LeI4 :00405245 2F74FF FFree1Str :00405248 1A78FF FFree1Ad ;与6比较 :0040524B 1C6400 BranchF ;If Pop=0 then ESI=00405284 //大于跳走 :0040524E 0033 LargeBos ;IDE beginning of line with 33 byte codes :00405250 27F4FE LitVar :00405253 2714FF LitVar ******Possible String Ref To->"Try again" | :00405256 3A44FF0B00 LitVarStr ;注册名长度不符的提示标题 :0040525B 4E34FF FStVarCopyObj :0040525E 0434FF FLdRfVar :00405261 F500000000 LitI4 ******Possible String Ref To->"Name must be greater than 6 characters" | :00405266 3A64FF0C00 LitVarStr ;注册名长度不符的提示内容 :0040526B 4E54FF FStVarCopyObj :0040526E 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :00405271 0A0D001400 ImpAdCallFPR4 ;注册名长度不符的提示对话框 :00405276 36080054FF34FF14 FFreeVar :00405281 1EC101 Branch ;跳走,失败 :00405284 0025 LargeBos ;注册名长度大于6,来到这里: :00405286 0474FF FLdRfVar :00405289 21 FLdPrThis :0040528A 0F1C03 VCallAd :0040528D 1978FF FStAdFunc :00405290 0878FF FLdPr ***********Reference To:[propget]TextBox.Text | :00405293 0DA0000A00 VCallHresult ;得到注册码 :00405298 6C74FF ILdRf ******Possible String Ref To->"" | :0040529B 1B0E00 LitStr :0040529E FB30 EqStr :004052A0 2F74FF FFree1Str :004052A3 1A78FF FFree1Ad ;是否为空 :004052A6 1CBF00 BranchF ;If Pop=0 then ESI=004052DF //不为空,跳走 :004052A9 0033 LargeBos :004052AB 27F4FE LitVar :004052AE 2714FF LitVar ******Possible String Ref To->"Might help" | :004052B1 3A44FF0F00 LitVarStr ;注册码不符的提示标题 :004052B6 4E34FF FStVarCopyObj :004052B9 0434FF FLdRfVar :004052BC F500000000 LitI4 ******Possible String Ref To->"Please enter a serial code" | :004052C1 3A64FF1000 LitVarStr ;注册码不符的提示内容 :004052C6 4E54FF FStVarCopyObj :004052C9 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :004052CC 0A0D001400 ImpAdCallFPR4 ;注册码不符的提示对话框 :004052D1 36080054FF34FF14 FFreeVar :004052DC 1EC101 Branch ;跳走,失败 :004052DF 0041 LargeBos ;注册码符合要求,来到这里//在WKTVBDE中这里下断,F8键跟进:// :004052E1 0474FF FLdRfVar :004052E4 21 FLdPrThis :004052E5 0F1C03 VCallAd :004052E8 1978FF FStAdFunc :004052EB 0878FF FLdPr ***********Reference To:[propget]TextBox.Text | :004052EE 0DA0000A00 VCallHresult ;得到注册名 :004052F3 6C74FF ILdRf :004052F6 F35243 LitI2 :004052F9 FBFD CStrUI1 ;转换为10进制字符码值 :004052FB 23F0FE FStStrNoPop :004052FE 080800 FLdPr :00405301 893400 MemLdI2 :00405304 FBFD CStrUI1 ;再次转换? :00405306 23ECFE FStStrNoPop :00405309 2A ConcatStr ;连接字符//得到完全的注册码 :0040530A 23E8FE FStStrNoPop :0040530D FB3D NeStr :0040530F 320800F0FEECFE74 FFreeStr :0040531A 1A78FF FFree1Ad ;关键比较 :0040531D 1C4D01 BranchF ;If Pop=0 then ESI=0040536D //跳走,成功 :00405320 0033 LargeBos :00405322 27F4FE LitVar :00405325 2714FF LitVar ******Possible String Ref To->"Try again" | :00405328 3A44FF0B00 LitVarStr ;注册码错误提示标题 :0040532D 4E34FF FStVarCopyObj :00405330 0434FF FLdRfVar :00405333 F500000000 LitI4 ******Possible String Ref To->"Soz, but that ain't the correct serial" | :00405338 3A64FF1100 LitVarStr ;注册码错误提示内容 :0040533D 4E54FF FStVarCopyObj :00405340 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :00405343 0A0D001400 ImpAdCallFPR4 ;注册码错误提示对话框 :00405348 36080054FF34FF14 FFreeVar :00405353 0017 LargeBos ******Possible String Ref To->"" | :00405355 1B0E00 LitStr :00405358 21 FLdPrThis :00405359 0F1C03 VCallAd :0040535C 1978FF FStAdFunc :0040535F 0878FF FLdPr ***********Reference To:[propput]TextBox.Text | :00405362 0DA4000A00 VCallHresult ;清空注册码 :00405367 1A78FF FFree1Ad :0040536A 1EC101 Branch ;失败,从这里跳走 :0040536D 0041 LargeBos ;前面成功,便来到这里 :0040536F 0474FF FLdRfVar :00405372 21 FLdPrThis :00405373 0F1C03 VCallAd :00405376 1978FF FStAdFunc :00405379 0878FF FLdPr ***********Reference To:[propget]TextBox.Text | :0040537C 0DA0000A00 VCallHresult :00405381 6C74FF ILdRf :00405384 F35243 LitI2 :00405387 FBFD CStrUI1 :00405389 23F0FE FStStrNoPop :0040538C 080800 FLdPr :0040538F 893400 MemLdI2 :00405392 FBFD CStrUI1 :00405394 23ECFE FStStrNoPop :00405397 2A ConcatStr :00405398 23E8FE FStStrNoPop :0040539B FB30 EqStr :0040539D 320800F0FEECFE74 FFreeStr :004053A8 1A78FF FFree1Ad :004053AB 1CC101 BranchF ;If Pop=0 then ESI=004053E1 //跳走,失败 :004053AE 0033 LargeBos :004053B0 27F4FE LitVar :004053B3 2714FF LitVar ******Possible String Ref To->"Congradz" | :004053B6 3A44FF1200 LitVarStr ;注册码正确提示标题 :004053BB 4E34FF FStVarCopyObj :004053BE 0434FF FLdRfVar :004053C1 F500000000 LitI4 ******Possible String Ref To->"Well Done. Now generate a keygen" | :004053C6 3A64FF1300 LitVarStr ;注册码正确提示内容 :004053CB 4E54FF FStVarCopyObj :004053CE 0454FF FLdRfVar **********Reference To->msvbvm60.rtcMsgBox | :004053D1 0A0D001400 ImpAdCallFPR4 ;注册码正确提示对话框 :004053D6 36080054FF34FF14 FFreeVar :004053E1 0002 LargeBos :004053E3 0000 LargeBos :004053E5 13 ExitProcHresult :004053E6 0000 LargeBos 经过上面的分析后,知道了注册码是由固定字符串‘17234’连接上注册名的运算结果后得到的,注册名的运算通过在WKTVBDE中分析后,大致算法用pascal语言表示,就是: ////////////////////////////////////// program keygen; var name : string; i, tmp : integer; begin write('name:'); readln(name); tmp := 0; for i := 1 to length(name) do tmp := tmp + ord(name) * (i-1); writeln('Serial: 17234', tmp); readln; end. ////////////////////////////////////// 够简单吧,嘿嘿,放上一组注册信息: Name: CuteSnail Serial Code: 172343715 ||===|| ||第5关: Level 3 Menu: Solve The Patterns (框框条条的很奇怪的检测),代码见下面的分析: ||===|| [Chec2.Click] :0040543C 0476FF FLdRfVar ;开始分析: :0040543F 21 FLdPrThis :00405440 0F7003 VCallAd ;第1个选择框的状态(在WKTVBDE中定位) :00405443 1978FF FStAdFunc :00405446 0878FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405449 0DE0000200 VCallHresult :0040544E 6B76FF FLdI2 :00405451 F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :00405453 C6 EqI2 ;检测是否被选上! :00405454 046EFF FLdRfVar :00405457 21 FLdPrThis :00405458 0F5C03 VCallAd ;第6个选择框的状态(排列顺序为:从上倒下,从左到右) :0040545B 1970FF FStAdFunc :0040545E 0870FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405461 0DE0000200 VCallHresult :00405466 6B6EFF FLdI2 :00405469 F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :0040546B C6 EqI2 ;检测是否被选上! :0040546C C4 AndI4 :0040546D 0466FF FLdRfVar :00405470 21 FLdPrThis :00405471 0F4803 VCallAd ;第11个选择框的状态 :00405474 1968FF FStAdFunc :00405477 0868FF FLdPr ***********Reference To:[propget]CheckBox.Value | :0040547A 0DE0000200 VCallHresult :0040547F 6B66FF FLdI2 :00405482 F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :00405484 C6 EqI2 ;检测是否被选上! :00405485 C4 AndI4 :00405486 045EFF FLdRfVar :00405489 21 FLdPrThis :0040548A 0F3403 VCallAd ;第16个选择框的状态 :0040548D 1960FF FStAdFunc :00405490 0860FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405493 0DE0000200 VCallHresult :00405498 6B5EFF FLdI2 :0040549B F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :0040549D C6 EqI2 ;检测是否被选上! :0040549E C4 AndI4 :0040549F 0456FF FLdRfVar :004054A2 21 FLdPrThis :004054A3 0F6C03 VCallAd ;第2个选择框的状态 :004054A6 1958FF FStAdFunc :004054A9 0858FF FLdPr ***********Reference To:[propget]CheckBox.Value | :004054AC 0DE0000200 VCallHresult :004054B1 6B56FF FLdI2 :004054B4 F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :004054B6 C6 EqI2 ;检测是否被选上! :004054B7 C4 AndI4 :004054B8 044EFF FLdRfVar :004054BB 21 FLdPrThis :004054BC 0F5003 VCallAd ;第9个选择框的状态 :004054BF 1950FF FStAdFunc :004054C2 0850FF FLdPr ***********Reference To:[propget]CheckBox.Value | :004054C5 0DE0000200 VCallHresult :004054CA 6B4EFF FLdI2 :004054CD F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :004054CF C6 EqI2 ;检测是否被选上! :004054D0 C4 AndI4 :004054D1 0446FF FLdRfVar :004054D4 21 FLdPrThis :004054D5 0F3C03 VCallAd ;第14个选择框的状态 :004054D8 1948FF FStAdFunc :004054DB 0848FF FLdPr ***********Reference To:[propget]CheckBox.Value | :004054DE 0DE0000200 VCallHresult :004054E3 6B46FF FLdI2 :004054E6 F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :004054E8 C6 EqI2 ;检测是否被选上! :004054E9 C4 AndI4 :004054EA 043EFF FLdRfVar :004054ED 21 FLdPrThis :004054EE 0F6403 VCallAd ;第4个选择框的状态 :004054F1 1940FF FStAdFunc :004054F4 0840FF FLdPr ***********Reference To:[propget]CheckBox.Value | :004054F7 0DE0000200 VCallHresult :004054FC 6B3EFF FLdI2 :004054FF F401 LitI2_Byte ;Push 01 //为1则表示选择框被选上了 :00405501 C6 EqI2 ;检测是否被选上! :00405502 C4 AndI4 :00405503 0436FF FLdRfVar :00405506 21 FLdPrThis :00405507 0F5403 VCallAd ;第8个选择框的状态 :0040550A 1938FF FStAdFunc :0040550D 0838FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405510 0DE0000200 VCallHresult :00405515 6B36FF FLdI2 :00405518 F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :0040551A C6 EqI2 ;检测是否被选上! :0040551B C4 AndI4 :0040551C 042EFF FLdRfVar :0040551F 21 FLdPrThis :00405520 0F6803 VCallAd ;第3个选择框的状态 :00405523 1930FF FStAdFunc :00405526 0830FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405529 0DE0000200 VCallHresult :0040552E 6B2EFF FLdI2 :00405531 F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :00405533 C6 EqI2 ;检测是否被选上! :00405534 C4 AndI4 :00405535 0426FF FLdRfVar :00405538 21 FLdPrThis :00405539 0F6003 VCallAd ;第5个选择框的状态 :0040553C 1928FF FStAdFunc :0040553F 0828FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405542 0DE0000200 VCallHresult :00405547 6B26FF FLdI2 :0040554A F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :0040554C C6 EqI2 ;检测是否被选上! :0040554D C4 AndI4 :0040554E 041EFF FLdRfVar :00405551 21 FLdPrThis :00405552 0F5803 VCallAd ;第7个选择框的状态 :00405555 1920FF FStAdFunc :00405558 0820FF FLdPr ***********Reference To:[propget]CheckBox.Value | :0040555B 0DE0000200 VCallHresult :00405560 6B1EFF FLdI2 :00405563 F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :00405565 C6 EqI2 ;检测是否被选上! :00405566 C4 AndI4 :00405567 0416FF FLdRfVar :0040556A 21 FLdPrThis :0040556B 0F4C03 VCallAd ;第10个选择框的状态 :0040556E 1918FF FStAdFunc :00405571 0818FF FLdPr ***********Reference To:[propget]CheckBox.Value | :00405574 0DE0000200 VCallHresult :00405579 6B16FF FLdI2 :0040557C F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :0040557E C6 EqI2 ;检测是否被选上! :0040557F C4 AndI4 :00405580 040EFF FLdRfVar :00405583 21 FLdPrThis :00405584 0F4403 VCallAd ;第12个选择框的状态 :00405587 1910FF FStAdFunc :0040558A 0810FF FLdPr ***********Reference To:[propget]CheckBox.Value | :0040558D 0DE0000200 VCallHresult :00405592 6B0EFF FLdI2 :00405595 F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :00405597 C6 EqI2 ;检测是否被选上! :00405598 C4 AndI4 :00405599 0406FF FLdRfVar :0040559C 21 FLdPrThis :0040559D 0F4003 VCallAd ;第13个选择框的状态 :004055A0 1908FF FStAdFunc :004055A3 0808FF FLdPr ***********Reference To:[propget]CheckBox.Value | :004055A6 0DE0000200 VCallHresult :004055AB 6B06FF FLdI2 :004055AE F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :004055B0 C6 EqI2 ;检测是否被选上! :004055B1 C4 AndI4 :004055B2 04FEFE FLdRfVar :004055B5 21 FLdPrThis :004055B6 0F3803 VCallAd ;第15个选择框的状态 :004055B9 1900FF FStAdFunc :004055BC 0800FF FLdPr ***********Reference To:[propget]CheckBox.Value | :004055BF 0DE0000200 VCallHresult ;第16个选择框的状态 :004055C4 6BFEFE FLdI2 :004055C7 F400 LitI2_Byte ;Push 00 //为0则表示选择框不被选上 :004055C9 C6 EqI2 ;检测是否被选上! :004055CA C4 AndI4 :004055CB 29200078FF70FF68 FFreeAd :004055EE 1CC101 BranchF ;关键跳转,符合上面的条件,便不跳走 ******Possible String Ref To->"true" | :004055F1 3ADCFE0300 LitVarStr :004055F6 FD00ECFE FStVarCopy :004055FA 1ECA01 Branch ;跳走 ******Possible String Ref To->"false" | :004055FD 3ADCFE0400 LitVarStr :00405602 FD00ECFE FStVarCopy :00405606 21 FLdPrThis ;跳来到这里(当符合上面的要求时) :00405607 0FBC03 VCallAd ;得到滑动条1的状态 :0040560A 1978FF FStAdFunc :0040560D 0878FF FLdPr :00405610 61CCFE0B000000 LateIdLdVar :00405617 FC22 CI4Var :00405619 F503000000 LitI4 ;Push 00000003 //压入数值3 :0040561E C7 EqI4 ;Push (Pop1 == Pop2) //两者比较是否一样 :0040561F 21 FLdPrThis :00405620 0FB803 VCallAd ;得到滑动条2的状态 :00405623 1970FF FStAdFunc :00405626 0870FF FLdPr :00405629 61BCFE0B000000 LateIdLdVar :00405630 FC22 CI4Var :00405632 F508000000 LitI4 ;Push 00000008 //压入数值8 :00405637 C7 EqI4 ;Push (Pop1 == Pop2) //两者比较是否一样 :00405638 C4 AndI4 :00405639 29040078FF70FF FFreeAd :00405640 360400CCFEBCFE FFreeVar :00405647 1C1A02 BranchF ;关键跳转,符合上面的条件,便不跳走 ******Possible String Ref To->"true" | :0040564A 3ADCFE0300 LitVarStr :0040564F FD00ACFE FStVarCopy :00405653 1E2302 Branch ;跳走 ******Possible String Ref To->"false" | :00405656 3ADCFE0400 LitVarStr :0040565B FD00ACFE FStVarCopy :0040565F 04ECFE FLdRfVar ;跳来到这里(当符合上面的要求时) ******Possible String Ref To->"true" | :00405662 3ADCFE0300 LitVarStr :00405667 5D HardType :00405668 FB2FCCFE EqVar :0040566C 04ACFE FLdRfVar ******Possible String Ref To->"false" | :0040566F 3A9CFE0400 LitVarStr :00405674 5D HardType :00405675 FB2FBCFE EqVar :00405679 FB278CFE AndVar :0040567D FF1B CBoolVarNull :0040567F 1C5B02 BranchF ;关键跳转,符合上面的条件,跳走 ******Possible String Ref To->"Almost there, now just get the slider values" | :00405682 1B0500 LitStr ;这是快要成功的提示 :00405685 21 FLdPrThis :00405686 0F7403 VCallAd :00405689 1978FF FStAdFunc :0040568C 0878FF FLdPr ***********Reference To:[propput]Label.Caption | :0040568F 0D54000600 VCallHresult :00405694 1A78FF FFree1Ad :00405697 04ECFE FLdRfVar ;跳来到这里(当符合上面的要求时) ******Possible String Ref To->"false" | :0040569A 3ADCFE0400 LitVarStr :0040569F 5D HardType :004056A0 FB2FCCFE EqVar :004056A4 04ACFE FLdRfVar ******Possible String Ref To->"true" | :004056A7 3A9CFE0300 LitVarStr :004056AC 5D HardType :004056AD FB2FBCFE EqVar :004056B1 FB278CFE AndVar :004056B5 FF1B CBoolVarNull :004056B7 1C9302 BranchF ;关键跳转,符合上面的条件,跳走 ******Possible String Ref To->"Almost there, now just get the boxes right" | :004056BA 1B0700 LitStr ;这是快要成功的提示 :004056BD 21 FLdPrThis :004056BE 0F7403 VCallAd :004056C1 1978FF FStAdFunc :004056C4 0878FF FLdPr ***********Reference To:[propput]Label.Caption | :004056C7 0D54000600 VCallHresult :004056CC 1A78FF FFree1Ad :004056CF 04ECFE FLdRfVar ;跳来到这里(当符合上面的要求时) ******Possible String Ref To->"true" | :004056D2 3ADCFE0300 LitVarStr :004056D7 5D HardType :004056D8 FB2FCCFE EqVar :004056DC 04ACFE FLdRfVar ******Possible String Ref To->"true" | :004056DF 3A9CFE0300 LitVarStr :004056E4 5D HardType :004056E5 FB2FBCFE EqVar :004056E9 FB278CFE AndVar :004056ED FF1B CBoolVarNull :004056EF 1CCB02 BranchF ;关键跳转,符合上面的条件,便不跳走 ******Possible String Ref To->"Congradulations, you figured it out" | :004056F2 1B0800 LitStr ;注册成功的提示 :004056F5 21 FLdPrThis :004056F6 0F7403 VCallAd :004056F9 1978FF FStAdFunc :004056FC 0878FF FLdPr :后面的代码省略。。。 从上面的比较来看,有8处的CheckBox状态检测是Push 01,剩下的8处便是Push 00,因此需要有8个CheckBox选择框需要被选上,它们分别是:第1、6、11、16、2、9、14、4位置的CheckBox选择框,而8、3、5、7、10、12、13、15位置的选择框则不能被选上;上面的第一根滑动条的数值必须是3,下面的第二根滑动条的数值必须是8,符合上面的这些要求,便注册成功了,哈哈^_^ ----------------------------------------------------------------------------------- 【版权声明】: 本文由 CuteSnail 原创, 转载请注明作者并保持文章的完整性, 谢谢! 再见!!
发帖前要善用【论坛搜索 】 功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
发表于 2012-4-1 04:47
