环境:
Windows XP SP3
工具:
ollydbg,ExeInfo PE
查壳:
用 ExeInfo PE 查壳,没有壳,是 VB 写的
过程:
一:随便输入一个serial,得到一个错误信息消息框,OD载入然后字符串搜索错误信息,找到后双击转回CPU窗口,可以看到:
00404E08 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404E0B . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58 ; UNICODE "FFFF"
00404E1B . 52 push edx ; /var18
00404E1C . 50 push eax ; |var28
00404E1D . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008 ; |
00404E27 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
00404E2D . 66:85C0 test ax,ax ; 等于0就跳,ax不能等于0,就是说上面两个位置的值要相等
00404E30 0F84 AD000000 je BJCM30A.00404EE3 ; 关键跳
00404E36 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00404E3C . B9 04000280 mov ecx,0x80020004
00404E41 . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404E47 . B8 0A000000 mov eax,0xA
00404E4C . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
00404E52 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
00404E58 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404E5E . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00404E64 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00404E6A . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402BB4 ; UNICODE "Correct serial!"
00404E74 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
00404E7A . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
00404E7C . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404E82 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404E88 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B68 ; UNICODE "Good job, tell me how you do that!"
00404E92 . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
00404E98 . FFD3 call ebx
00404E9A . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-0xE8]
00404EA0 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404EA6 . 51 push ecx
00404EA7 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-0xC8]
00404EAD . 52 push edx
00404EAE . 50 push eax
00404EAF . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404EB5 . 57 push edi
00404EB6 . 51 push ecx
00404EB7 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00404EBD . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
00404EC3 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404EC9 . 52 push edx
00404ECA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404ED0 . 50 push eax
00404ED1 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404ED7 . 51 push ecx
00404ED8 . 52 push edx
00404ED9 . E9 A8000000 jmp BJCM30A.00404F86
00404EDE > BE 08000000 mov esi,0x8
00404EE3 > 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00404EE9 . B9 04000280 mov ecx,0x80020004
00404EEE . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404EF4 . B8 0A000000 mov eax,0xA
00404EF9 . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
00404EFF . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
00404F05 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404F0B . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00404F11 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00404F17 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402A10 ; UNICODE "Wrong serial!"
00404F21 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
00404F27 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
00404F29 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404F2F . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404F35 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402BD8 ; UNICODE "Sorry, try again!"
00404F3F . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
00404F45 . FFD3 call ebx
00404F47 . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404F4D . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404F53 . 50 push eax
00404F54 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404F5A . 51 push ecx
00404F5B . 52 push edx
00404F5C . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404F62 . 57 push edi
00404F63 . 50 push eax
00404F64 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
爆破的话就已经解决了,接下来是分析算法。
往上翻一翻,看到了这个:
00404476 . 83F8 05 cmp eax,0x5 ; 这里就是判断是否弹出下面的消息框的
00404479 . 0F8E AD000000 jle BJCM30A.0040452C
0040447F . 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00404485 . B9 04000280 mov ecx,0x80020004
0040448A . 898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404490 . B8 0A000000 mov eax,0xA
00404495 . 898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
0040449B . BE 08000000 mov esi,0x8
004044A0 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
004044A6 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
004044AC . 8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
004044B2 . 8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
004044B8 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402AE0 ; UNICODE "Cheater!!! CHEATER!!! Cheater!!! CHEATER!!!"
004044C2 . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
004044C8 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
004044CA . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
004044D0 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
004044D6 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402A68 ; UNICODE " You have SmartCheck loaded!...Close it and try again!!!"
004044E0 . 89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
004044E6 . FFD3 call ebx
004044E8 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
004044EE . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
004044F4 . 52 push edx
004044F5 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
004044FB . 50 push eax
004044FC . 51 push ecx
004044FD . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404503 . 57 push edi
00404504 . 52 push edx
00404505 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040450B . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404511 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404517 . 50 push eax
00404518 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040451E . 51 push ecx
0040451F . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404525 . 52 push edx
00404526 . 50 push eax
00404527 . E9 5A0A0000 jmp BJCM30A.00404F86
0040452C > 8B0E mov ecx,dword ptr ds:[esi]
SmartCheck 是一个 VB 程序调试器,所以这里的判断应该就是用来检测是否加载了调试器。
继续往上翻:
00404320 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.#535>] ; MSVBVM60.rtcGetTimer
00404326 . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
0040432C . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0040432F . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404335 . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
0040433B . 52 push edx ; /Step8
0040433C . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] ; |
00404342 . 50 push eax ; |End8
00404343 . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C] ; |
00404349 . 51 push ecx ; |Start8
0040434A . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C] ; |
00404350 . 52 push edx ; |TMPend8
00404351 . 8D4D 80 lea ecx,dword ptr ss:[ebp-0x80] ; |
00404354 . BB 02000000 mov ebx,0x2 ; |
00404359 . 50 push eax ; |TMPstep8
0040435A . 51 push ecx ; |Counter8
0040435B . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1 ; |
00404365 . 899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx ; |
0040436B . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],0x3E8 ; |
00404375 . 899D F8FEFFFF mov dword ptr ss:[ebp-0x108],ebx ; |
0040437B . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 ; |
00404385 . 899D E8FEFFFF mov dword ptr ss:[ebp-0x118],ebx ; |
0040438B . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
00404391 > 3BC7 cmp eax,edi
00404393 . 0F84 C8000000 je BJCM30A.00404461
00404399 . B8 01000000 mov eax,0x1
0040439E . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
004043A4 . 8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax
004043AA . 8985 F0FEFFFF mov dword ptr ss:[ebp-0x110],eax
004043B0 . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
004043B6 . 52 push edx ; /Step8
004043B7 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] ; |
004043BD . 50 push eax ; |End8
004043BE . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C] ; |
004043C4 . 51 push ecx ; |Start8
004043C5 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C] ; |
004043CB . 52 push edx ; |TMPend8
004043CC . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; |
004043CF . 50 push eax ; |TMPstep8
004043D0 . 51 push ecx ; |Counter8
004043D1 . 899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx ; |
004043D7 . C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],0xFA ; |
004043E1 . 899D F8FEFFFF mov dword ptr ss:[ebp-0x108],ebx ; |
004043E7 . 899D E8FEFFFF mov dword ptr ss:[ebp-0x118],ebx ; |
004043ED . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
004043F3 > 3BC7 cmp eax,edi
004043F5 . 74 4D je XBJCM30A.00404444
004043F7 . 68 342A4000 push BJCM30A.00402A34 ; UNICODE "IS SMARTCHECK LOADED???"
004043FC . 68 342A4000 push BJCM30A.00402A34 ; UNICODE "IS SMARTCHECK LOADED???"
00404401 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00404407 . 85C0 test eax,eax
00404409 . 75 1F jnz XBJCM30A.0040442A
0040440B . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404411 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00404414 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1
0040441E . 899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx
00404424 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
0040442A > 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C]
00404430 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
00404436 . 52 push edx ; /TMPend8
00404437 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; |
0040443A . 50 push eax ; |TMPstep8
0040443B . 51 push ecx ; |Counter8
0040443C . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
00404442 .^ EB AF jmp XBJCM30A.004043F3
00404444 > 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C]
0040444A . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C]
00404450 . 52 push edx ; /TMPend8
00404451 . 8D4D 80 lea ecx,dword ptr ss:[ebp-0x80] ; |
00404454 . 50 push eax ; |TMPstep8
00404455 . 51 push ecx ; |Counter8
00404456 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
0040445C .^ E9 30FFFFFF jmp BJCM30A.00404391
00404461 > FF15 94104000 call dword ptr ds:[<&MSVBVM60.#535>] ; MSVBVM60.rtcGetTimer
00404467 . FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
0040446D . 2B45 A4 sub eax,dword ptr ss:[ebp-0x5C]
这段代码的头和尾各有一次 GetTimer 调用,中间是一个双重循环,最后在 0040446D 处把两次 GetTimer 的结果相减。如果单步走,循环耗时会比较长,差值大于 5 就说明程序正在被调试。当然这里没什么意义,没必要单步走,所以也就不用管了。
继续往下:
0040456D > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] ; 这里是取输入的serial
00404573 . 52 push edx ; /String
00404574 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
0040457A . 33DB xor ebx,ebx
0040457C . 83F8 05 cmp eax,0x5 ; 比较输入serial的长度
0040457F . 0F9CC3 setl bl ; bl = CF ^ OF,小于5时,CF为1,OF只有在溢出时才为1
00404582 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404588 . F7DB neg ebx ; 求补,取反加1
0040458A . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00404590 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404596 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0040459C . 66:3BDF cmp bx,di
0040459F . 0F85 39090000 jnz BJCM30A.00404EDE ; 直接跳到错误处
这是一段判断 serial 长度的代码,在 0040457C 处存在下列情况:
(1) 如果 serial 长度 len < 5:eax-5 的结果为负,SF 置 1、OF 置 0,SF≠OF,setl 使 BL = 1
(2) len >= 5:结果非负,SF 和 OF 都为 0,setl 使 BL = 0
00404588 处的 neg 指令取补,这样 (1) 情况下的结果会是 ebx = FFFFFFFF,(2) 情况下是 ebx = 00000000
得知serial长度要大于等于5之后,继续往下:
00404616 > \8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; 取serial
0040461C . 51 push ecx ; /String
0040461D . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00404623 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax ; serial长度
00404629 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
0040462F . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404635 . 52 push edx ; /Step8
00404636 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118] ; |
0040463C . 50 push eax ; |End8
0040463D . 8D95 64FEFFFF lea edx,dword ptr ss:[ebp-0x19C] ; |
00404643 . 51 push ecx ; |Start8
00404644 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C] ; |
0040464A . 52 push edx ; |TMPend8
0040464B . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C] ; |
0040464E . 50 push eax ; |TMPstep8
0040464F . 51 push ecx ; |Counter8
00404650 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3 ; |
0040465A . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 ; |
00404664 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2 ; |
0040466E . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
00404674 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] ; 指向serial地址的指针的地址
0040467A . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax ; 这个是用来判断是否已经结束循环
00404680 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00404686 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0040468C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00404692 . 8B1D DC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00404698 > 39BD 30FEFFFF cmp dword ptr ss:[ebp-0x1D0],edi
0040469E . 0F84 F5010000 je BJCM30A.00404899 ; 循环结束,跳出循环
004046A4 . 8B16 mov edx,dword ptr ds:[esi]
004046A6 . 56 push esi
004046A7 . FF92 08030000 call dword ptr ds:[edx+0x308]
004046AD . 50 push eax ;
004046AE . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
004046B4 . 50 push eax
004046B5 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004046BB . 8B08 mov ecx,dword ptr ds:[eax] ; 注意观察一下,程序很经常出现这样的内容
004046BD . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84] ; 可以考虑是不是由程序编译生成出来的,与算法无关
004046C3 . 52 push edx ; 区分好可以降低分析难度
004046C4 . 50 push eax
004046C5 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
004046CB . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004046D1 . 3BC7 cmp eax,edi
004046D3 . DBE2 fclex
004046D5 . 7D 18 jge XBJCM30A.004046EF ;
004046D7 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
004046DD . 68 A0000000 push 0xA0
004046E2 . 68 442B4000 push BJCM30A.00402B44
004046E7 . 51 push ecx
004046E8 . 50 push eax ; 特别是这些函数调用,注意是push了几个参数
004046E9 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004046EF > 8B16 mov edx,dword ptr ds:[esi]
004046F1 . 56 push esi
004046F2 . FF92 08030000 call dword ptr ds:[edx+0x308]
004046F8 . 50 push eax
004046F9 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004046FF . 50 push eax
00404700 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404706 . 8B08 mov ecx,dword ptr ds:[eax]
00404708 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
0040470E . 52 push edx
0040470F . 50 push eax
00404710 . 8985 CCFEFFFF mov dword ptr ss:[ebp-0x134],eax
00404716 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
0040471C . 3BC7 cmp eax,edi
0040471E . DBE2 fclex
00404720 . 7D 18 jge XBJCM30A.0040473A
00404722 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134]
00404728 . 68 A0000000 push 0xA0
0040472D . 68 442B4000 push BJCM30A.00402B44
00404732 . 51 push ecx
00404733 . 50 push eax
00404734 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
0040473A > B8 01000000 mov eax,0x1
0040473F . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404745 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
0040474B . 8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],eax
00404751 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
00404757 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040475A . B9 02000000 mov ecx,0x2
0040475F . 52 push edx
00404760 . 50 push eax
00404761 . 898D 48FFFFFF mov dword ptr ss:[ebp-0xB8],ecx
00404767 . 898D 28FFFFFF mov dword ptr ss:[ebp-0xD8],ecx
0040476D . 898D F8FEFFFF mov dword ptr ss:[ebp-0x108],ecx
00404773 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00404779 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84]
0040477F . 8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
00404785 . 50 push eax
00404786 . 51 push ecx
00404787 . FFD7 call edi ; <&MSVBVM60.#631>
00404789 . 8BD0 mov edx,eax ; eax为返回的字符的地址
0040478B . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404791 . FFD3 call ebx ; 将刚刚返回的字符的地址copy到ebp-0x8c
00404793 . 50 push eax
00404794 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040479A . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040479D . 52 push edx
0040479E . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108] ; ecx的值肯定是0x02,这个位置的值是上面赋值的
004047A4 . 50 push eax ; /var18
004047A5 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8] ; |保存位置
004047AB . 51 push ecx ; |var28
004047AC . 52 push edx ; |saveto8
004047AD . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; \__vbaVarAdd
004047B3 . 50 push eax
004047B4 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
004047BA . 50 push eax
004047BB . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
004047C1 . 50 push eax
004047C2 . FFD7 call edi ; 这里是后一个位置的字符
004047C4 . 8BD0 mov edx,eax
004047C6 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
004047CC . FFD3 call ebx
004047CE . 50 push eax
004047CF . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
004047D5 . 8BF8 mov edi,eax ; 将比较结果存到edi,相同返回0,不同返回-1
004047D7 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90] ; 后面的内容都是free
004047DD . F7DF neg edi ; 这里有个取补
004047DF . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
004047E5 . 51 push ecx
004047E6 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004047EC . 52 push edx
004047ED . 1BFF sbb edi,edi ; 再减CF的值
004047EF . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
004047F5 . 50 push eax
004047F6 . 47 inc edi ; 这里edi+1
004047F7 . 51 push ecx
004047F8 . 6A 04 push 0x4
004047FA . F7DF neg edi ; 再对edi取补
004047FC . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404802 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
00404808 . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
0040480E . 52 push edx
0040480F . 50 push eax
00404810 . 6A 02 push 0x2
00404812 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
00404818 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
0040481E . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404824 . 51 push ecx
00404825 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
0040482B . 52 push edx
0040482C . 50 push eax
0040482D . 6A 03 push 0x3
0040482F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00404835 . 83C4 30 add esp,0x30
00404838 . 66:85FF test di,di ; 比较edi是否为0
0040483B . 74 37 je XBJCM30A.00404874 ; 如果为0就跳转,意味着两个字符是不相同的
0040483D . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] ; 如果相同就+1
00404840 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404846 . 51 push ecx ; /var18
00404847 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8] ; |
0040484D . 52 push edx ; |var28
0040484E . 50 push eax ; |saveto8
0040484F . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1 ; |
00404859 . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x2 ; |
00404863 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; \__vbaVarAdd
00404869 . 8BD0 mov edx,eax
0040486B . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
0040486E . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00404874 > 8D8D 64FEFFFF lea ecx,dword ptr ss:[ebp-0x19C] ; 循环终止的次数
0040487A . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C] ; 循环每一步的步长
00404880 . 51 push ecx ; /TMPend8
00404881 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |循环的当前值
00404884 . 52 push edx ; |TMPstep8
00404885 . 50 push eax ; |Counter8
00404886 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
0040488C . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax
00404892 . 33FF xor edi,edi
00404894 .^ E9 FFFDFFFF jmp BJCM30A.00404698
004048E4 > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] ; 这里是使得serial不能全部一样
004048EA . 52 push edx ; /String
004048EB . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
004048F1 . 83E8 01 sub eax,0x1 ; serial长度-1
004048F4 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-0xF8]
004048FA . 0F80 AA070000 jo BJCM30A.004050AA ; 溢出就跳
00404900 . 8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax
00404906 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48]
00404909 . 50 push eax ; /var18
0040490A . 51 push ecx ; |var28
0040490B . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8003 ; |
00404915 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
0040491B . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404921 . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax
00404928 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040492E . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404934 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0040493A . 66:39BD CCFEF>cmp word ptr ss:[ebp-0x134],di ; 这里要相等
00404941 . 0F85 97050000 jnz BJCM30A.00404EDE ; 这里不能跳
这里就是判断整个 serial 是否仅由一个字符组成,如:66666 就是,66656 就不是。判断的方法是用上一段代码算出的相邻且相同的字符的次数,与 serial 的长度-1 比较。相同就是由一个字符组成,不相同就不是。如果仅由一个字符组成就会弹出错误的消息框,原因分析完算法就知道了。
004049A6 > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] ; 读serial长度
004049AC . 52 push edx ; /String
004049AD . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
004049B3 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
004049B9 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
004049BF . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]
004049C5 . 50 push eax ; /Step8
004049C6 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118] ; |
004049CC . 51 push ecx ; |End8
004049CD . 8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC] ; |
004049D3 . 52 push edx ; |Start8
004049D4 . 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC] ; |
004049DA . 50 push eax ; |TMPend8
004049DB . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] ; |
004049DE . 51 push ecx ; |TMPstep8
004049DF . 52 push edx ; |Counter8
004049E0 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3 ; |
004049EA . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1 ; |
004049F4 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2 ; |
004049FE . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; \__vbaVarForInit
00404A04 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84] ; seial保存的地址存入ecx
00404A0A . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404A10 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00404A16 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A1C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00404A22 > 39BD 2CFEFFFF cmp dword ptr ss:[ebp-0x1D4],edi ; 判断是否结束循环
00404A28 . 0F84 1D030000 je BJCM30A.00404D4B
00404A2E . 8B06 mov eax,dword ptr ds:[esi]
00404A30 . 56 push esi
00404A31 . FF90 08030000 call dword ptr ds:[eax+0x308]
00404A37 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A3D . 50 push eax
00404A3E . 51 push ecx
00404A3F . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404A45 . 8B10 mov edx,dword ptr ds:[eax]
00404A47 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404A4D . 51 push ecx
00404A4E . 50 push eax
00404A4F . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404A55 . FF92 A0000000 call dword ptr ds:[edx+0xA0]
00404A5B . 3BC7 cmp eax,edi
00404A5D . DBE2 fclex
00404A5F . 7D 18 jge XBJCM30A.00404A79
00404A61 . 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-0x12C]
00404A67 . 68 A0000000 push 0xA0
00404A6C . 68 442B4000 push BJCM30A.00402B44
00404A71 . 52 push edx
00404A72 . 50 push eax
00404A73 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404A79 > 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-0x84]
00404A7F . 50 push eax ; /String
00404A80 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00404A86 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404A8C . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax ; 获取serial长度存入0xB0
00404A92 . 51 push ecx
00404A93 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x3
00404A9D . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00404AA3 . 8BD0 mov edx,eax ; serial的长度转为16进制
00404AA5 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404AAB . FFD3 call ebx ; 将edx的值存到ecx的位置
00404AAD . 8B16 mov edx,dword ptr ds:[esi]
00404AAF . 56 push esi
00404AB0 . FF92 08030000 call dword ptr ds:[edx+0x308]
00404AB6 . 50 push eax
00404AB7 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
00404ABD . 50 push eax
00404ABE . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404AC4 . 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-0xA8]
00404ACA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404AD0 . 6A 01 push 0x1
00404AD2 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404AD8 . 51 push ecx
00404AD9 . 52 push edx
00404ADA . 89BD 58FFFFFF mov dword ptr ss:[ebp-0xA8],edi
00404AE0 . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00404AE6 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x9
00404AF0 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
00404AF6 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404AFC . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404B02 . 50 push eax ; /String8
00404B03 . 51 push ecx ; |ARG2
00404B04 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00404B0A . 50 push eax ; /String
00404B0B . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00404B11 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
00404B17 . 66:8985 20FFF>mov word ptr ss:[ebp-0xE0],ax
00404B1E . 52 push edx
00404B1F . C785 18FFFFFF>mov dword ptr ss:[ebp-0xE8],0x2
00404B29 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00404B2F . 8BD0 mov edx,eax ; 将上面字符的unicode码的每一个数字分别转成unicode值
00404B31 . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-0xA0]
00404B37 . FFD3 call ebx ; 将刚刚的结果存到0xA0
00404B39 . BA 6C294000 mov edx,BJCM30A.0040296C ; *
00404B3E . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] ; 将edx的内容copy到ecx地址上
00404B44 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00404B4A . 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-0xA0]
00404B50 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B56 . 89BD 60FFFFFF mov dword ptr ss:[ebp-0xA0],edi
00404B5C . FFD3 call ebx ; vbaStrMove
00404B5E . 8B95 64FFFFFF mov edx,dword ptr ss:[ebp-0x9C]
00404B64 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404B6A . 89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi
00404B70 . FFD3 call ebx ; 将edx的内容strmov到ecx地址上
00404B72 . 8B06 mov eax,dword ptr ds:[esi]
00404B74 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00404B7A . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404B80 . 51 push ecx
00404B81 . 52 push edx
00404B82 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B88 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00404B8E . 51 push ecx
00404B8F . 52 push edx
00404B90 . 56 push esi
00404B91 . FF90 F8060000 call dword ptr ds:[eax+0x6F8] ; 计算第一个字符*serial长度的值
00404B97 . 3BC7 cmp eax,edi
00404B99 . 7D 12 jge XBJCM30A.00404BAD
00404B9B . 68 F8060000 push 0x6F8
00404BA0 . 68 B4274000 push BJCM30A.004027B4
00404BA5 . 56 push esi
00404BA6 . 50 push eax
00404BA7 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404BAD > 8B95 68FFFFFF mov edx,dword ptr ss:[ebp-0x98] ; 这里是刚刚计算的结果
00404BB3 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38] ; 将刚刚计算的结果存到这里来
00404BB6 . 89BD 68FFFFFF mov dword ptr ss:[ebp-0x98],edi
00404BBC . FFD3 call ebx
00404BBE . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-0xA0] ; 下面都是一些free,就不用看了
00404BC4 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404BCA . 50 push eax
00404BCB . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404BD1 . 51 push ecx
00404BD2 . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-0x90]
00404BD8 . 52 push edx
00404BD9 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404BDF . 50 push eax
00404BE0 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404BE6 . 51 push ecx
00404BE7 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404BED . 52 push edx
00404BEE . 50 push eax
00404BEF . 6A 07 push 0x7
00404BF1 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404BF7 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-0xA8]
00404BFD . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C03 . 51 push ecx
00404C04 . 52 push edx
00404C05 . 6A 02 push 0x2
00404C07 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; MSVBVM60.__vbaFreeObjList
00404C0D . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404C13 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404C19 . 50 push eax
00404C1A . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404C20 . 51 push ecx
00404C21 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404C27 . 52 push edx
00404C28 . 50 push eax
00404C29 . 6A 04 push 0x4
00404C2B . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00404C31 . 8B0E mov ecx,dword ptr ds:[esi]
00404C33 . 83C4 40 add esp,0x40
00404C36 . 56 push esi
00404C37 . FF91 08030000 call dword ptr ds:[ecx+0x308]
00404C3D . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C43 . 50 push eax
00404C44 . 52 push edx
00404C45 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404C4B . 8B08 mov ecx,dword ptr ds:[eax]
00404C4D . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
00404C53 . 52 push edx
00404C54 . 50 push eax
00404C55 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404C5B . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
00404C61 . 3BC7 cmp eax,edi
00404C63 . DBE2 fclex
00404C65 . 7D 18 jge XBJCM30A.00404C7F
00404C67 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
00404C6D . 68 A0000000 push 0xA0
00404C72 . 68 442B4000 push BJCM30A.00402B44
00404C77 . 51 push ecx
00404C78 . 50 push eax
00404C79 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404C7F > 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404C85 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00404C88 . 52 push edx
00404C89 . 50 push eax
00404C8A . C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],0x1
00404C94 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x2
00404C9E . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00404CA4 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; 到这里再看。读取输入的serial
00404CAA . 50 push eax
00404CAB . 51 push ecx
00404CAC . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
00404CB2 . 8BD0 mov edx,eax
00404CB4 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404CBA . FFD3 call ebx
00404CBC . 50 push eax ; /String
00404CBD . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00404CC3 . 66:8985 00FFF>mov word ptr ss:[ebp-0x100],ax
00404CCA . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404CCD . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404CD3 . 52 push edx ; /var18
00404CD4 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8] ; |
00404CDA . 50 push eax ; |var28
00404CDB . 51 push ecx ; |saveto8
00404CDC . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x2 ; |
00404CE6 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; \__vbaVarAdd
00404CEC . 8BD0 mov edx,eax ; 结果保存的地址
00404CEE . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] ; 将相加结果复制到这里
00404CF1 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00404CF7 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404CFD . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D03 . 52 push edx
00404D04 . 50 push eax
00404D05 . 6A 02 push 0x2
00404D07 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404D0D . 83C4 0C add esp,0xC
00404D10 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404D16 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00404D1C . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404D22 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00404D28 . 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC] ; 终值
00404D2E . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC] ; 步长
00404D34 . 51 push ecx ; /TMPend8
00404D35 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |累加值
00404D38 . 52 push edx ; |TMPstep8
00404D39 . 50 push eax ; |Counter8
00404D3A . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; \__vbaVarForNext
00404D40 . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404D46 .^ E9 D7FCFFFF jmp BJCM30A.00404A22
这里是计算sum(serial)的值,也就是用rtcMidCharBstr逐个取出字符、用rtcAnsiValueBstr取它的编码值,再用__vbaVarAdd累加起来。另外还计算了serial[0]*len(serial)的值,具体计算过程在00404B91处。
在00404B91单步跟进去,单步走可以走到这里:
00403C3A . 50 push eax
00403C3B . 68 6C294000 push BJCM30A.0040296C ; *
00403C40 . FFD7 call edi
00403C42 . 85C0 test eax,eax
00403C44 . 75 1F jnz XBJCM30A.00403C65
00403C46 . 8B76 50 mov esi,dword ptr ds:[esi+0x50] ; serial的长度
00403C49 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00403C4C . 52 push edx
00403C4D . 8B4E 04 mov ecx,dword ptr ds:[esi+0x4] ; serial第一个字符的16进制值
00403C50 . 0FAF0E imul ecx,dword ptr ds:[esi]
00403C53 . 0F80 CA000000 jo BJCM30A.00403D23
00403C59 . 894D E0 mov dword ptr ss:[ebp-0x20],ecx
00403C5C . C745 D8 03000>mov dword ptr ss:[ebp-0x28],0x3
00403C63 . EB 4D jmp XBJCM30A.00403CB2
循环结束之后,可以来到这里:
00404D4B > \8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404D4E . 51 push ecx ; 将计算值转成unicode,如0xFF变成"FF"
00404D4F . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00404D55 . 8BD0 mov edx,eax
00404D57 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404D5D . FFD3 call ebx
00404D5F . BA 0C294000 mov edx,BJCM30A.0040290C ; =
00404D64 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D6A . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00404D70 . 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-0x90]
00404D76 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404D7C . 89BD 70FFFFFF mov dword ptr ss:[ebp-0x90],edi
00404D82 . FFD3 call ebx
00404D84 . 8B16 mov edx,dword ptr ds:[esi]
00404D86 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
00404D8C . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D92 . 50 push eax
00404D93 . 51 push ecx
00404D94 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D9A . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00404D9D . 50 push eax
00404D9E . 51 push ecx
00404D9F . 56 push esi
00404DA0 . FF92 F8060000 call dword ptr ds:[edx+0x6F8] ; 这里也是调用刚刚那个函数,只是选择的是另一个case
00404DA6 . 3BC7 cmp eax,edi
00404DA8 . 7D 12 jge XBJCM30A.00404DBC
00404DAA . 68 F8060000 push 0x6F8
00404DAF . 68 B4274000 push BJCM30A.004027B4
00404DB4 . 56 push esi
00404DB5 . 50 push eax
00404DB6 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
00404DBC > 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00404DC2 BE 08000000 mov esi,0x8
00404DC7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404DCD . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404DD0 . 89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi
00404DD6 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
00404DDC . 89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00404DE2 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00404DE8 . 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-0x90]
00404DEE . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
00404DF4 . 52 push edx
00404DF5 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404DFB . 50 push eax
00404DFC . 51 push ecx
00404DFD . 6A 03 push 0x3
00404DFF . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
00404E05 . 83C4 10 add esp,0x10
00404E08 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404E0B . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58 ; UNICODE "FFFF"
00404E1B . 52 push edx ; /var18
00404E1C . 50 push eax ; |var28
00404E1D . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008 ; |
00404E27 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
00404E2D . 66:85C0 test ax,ax ; 等于0就跳,ax不能等于0,就是说上面两个位置的值要相等
00404E30 0F84 AD000000 je BJCM30A.00404EE3 ; 关键跳
00404E36 8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
后面那几行指令就是判断serial的正确性了。还要注意00404DA0处的call,它调用的仍是刚才那个函数,只是这次走的是下面这个case:
00403A57 . 51 push ecx
00403A58 . 68 0C294000 push BJCM30A.0040290C ; =
00403A5D . FFD7 call edi
00403A5F . 85C0 test eax,eax
00403A61 . 75 37 jnz XBJCM30A.00403A9A
00403A63 . 8B76 50 mov esi,dword ptr ds:[esi+0x50]
00403A66 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00403A69 . 51 push ecx
00403A6A . 8B16 mov edx,dword ptr ds:[esi] ; 这里是之前*计算的结果
00403A6C . 8B7E 04 mov edi,dword ptr ds:[esi+0x4] ; 这里是每个字符相加的结果
00403A6F . 3BD7 cmp edx,edi
00403A71 . C745 C8 0B000>mov dword ptr ss:[ebp-0x38],0xB
00403A78 . 0F94C0 sete al
00403A7B . F7D8 neg eax
00403A7D . 66:8945 D0 mov word ptr ss:[ebp-0x30],ax ; 将比较值转成unicode
00403A81 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>] ; MSVBVM60.rtcHexBstrFromVar
00403A87 . 8BD0 mov edx,eax
00403A89 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00403A8C . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00403A92 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00403A95 . E9 2C020000 jmp BJCM30A.00403CC6
注意一下00403A78的sete指令,它取的是00403A6F处cmp的结果,也就是把上面算出的sum(serial)和serial[0]*len(serial)作比较,比较结果有两种:
(1)相同:ZF位为1,sete使al=1,neg之后eax就变成FFFFFFFF(00403A7D只保存了低16位ax)
(2)不同:ZF位为0,neg后仍为00000000
随后00403A81处用rtcHexBstrFromVar把这个值转成十六进制字符串:
(1)会变成“FFFF”
(2)变成“0”
留意到00404E11里有个"FFFF",这样的话就知道算法了。
算法不是很复杂,只是简单的判断sum(serial)和serial[0]*len(serial)是否相等。
而serial不能由同一个字符组成的原因也清楚了:所有字符都相同时,sum(serial)恒等于serial[0]*len(serial),显然就满足了判断条件。
注册机也不用写了。任取一串编码连续的字符(长度为奇数),只要把中间那个字符放到第一位就能满足要求:编码连续的字符之和正好等于中间字符的编码乘以长度。