[转载]OCN CrackMe2004算法分析+VB注册机源码
文章作者:hrbx【破文标题】OCN CrackMe2004算法分析+VB注册机源码
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email]hrbx@163.com[/email]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-01-01
【软件名称】OCN Crackme2004
【软件大小】44KB
【下载地址】[url]http://ocn.e5v.com/bbs1/viewthread.php?tid=1114&fpage=1&highlight=&page=1[/url]
【加壳方式】无
【软件简介】OCN CrackMe2004
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描,显示为:Microsoft Visual Basic 5.0 / 6.0,无壳。
2.试运行CrackMe。输入注册信息后点击Validate按钮,注册信息被清空,无任何提示。
3.OD载入。命令行下断点:bp __vbaLenBstr,回车,F9运行,输入注册信息:
================================
Name:hrbx
Serial:9876543210
================================
点击Validate按钮,立即中断:
660E5F5F MS> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; 中断在这里
660E5F63 85C0 test eax,eax
660E5F65 74 05 je short MSVBVM60.660E5F6C
660E5F67 8B40 FC mov eax,dword ptr ds:[eax-4]
Alt+F9返回,来到:
004052D1 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBst>
004052D7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8] ; Alt+F9返回到这里
004052DD . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004052E0 . 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
向上查找,来到00405010 处F2下断,同时命令栏:bc __vbaLenBstr,清除断点
CTRL+F2重新载入程序,F9运行,填入注册信息后点击Validate按钮,中断:
00405010 > \55 push ebp ; F2在此下断,中断后F8往下走
00405011 . 8BEC mov ebp,esp
00405013 . 83EC 0C sub esp,0C
00405016 . 68 56124000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0040501B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00405021 . 50 push eax
00405022 . 64:8925 00000000 mov dword ptr fs:[0],esp
.......................................................
省略部分代码
.......................................................
0040536A > \8B45 C0 mov eax,dword ptr ss:[ebp-40] ; 用户名"hrbx"
0040536D . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405370 . 8945 A0 mov dword ptr ss:[ebp-60],eax
00405373 . 52 push edx
00405374 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00405377 . 57 push edi
00405378 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0040537E . 50 push eax
0040537F . 51 push ecx
00405380 . C745 90 01000000 mov dword ptr ss:[ebp-70],1
00405387 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
0040538E . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
00405395 . C745 98 08000000 mov dword ptr ss:[ebp-68],8
0040539C . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取用户名每一位字符
004053A2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004053A8 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004053AB . 52 push edx
004053AC . 50 push eax
004053AD . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004053B3 . 50 push eax
004053B4 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
004053BA . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004053BD . 66:8985 40FFFFFF mov word ptr ss:[ebp-C0],ax ; AX=0x68("h"),本轮循环取到的字符
004053C4 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
004053CA . 51 push ecx
004053CB . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
004053D1 . 52 push edx
004053D2 . 50 push eax
004053D3 . C785 38FFFFFF 02>mov dword ptr ss:[ebp-C8],2
004053DD . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 用户名ASCII值累加,0x1B4
004053E3 . 8BD0 mov edx,eax
004053E5 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004053E8 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004053EE . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004053F1 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004053F7 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004053FA . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00405400 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00405406 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405409 . 51 push ecx
0040540A . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040540D . 52 push edx
0040540E . 50 push eax
0040540F . 6A 03 push 3
00405411 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00405417 . B8 01000000 mov eax,1
0040541C . 83C4 10 add esp,10
0040541F . 03C7 add eax,edi
00405421 . 0F80 92070000 jo Crackme2.00405BB9
00405427 . 8BF8 mov edi,eax
00405429 .^ E9 EFFEFFFF jmp Crackme2.0040531D
0040542E > B8 02000000 mov eax,2 ; EAX=2
00405433 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00405436 . 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
0040543C . 8985 48FFFFFF mov dword ptr ss:[ebp-B8],eax
00405442 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00405448 . 51 push ecx
00405449 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040544C . 52 push edx
0040544D . 50 push eax
0040544E . FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; 用户名ASCII值累加值 Mod 2(取余数,不是除法),0x1B4 Mod 2=0
00405454 . 8BD0 mov edx,eax
00405456 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-F4]
0040545C . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00405462 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-F4]
00405468 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
0040546E . 51 push ecx
0040546F . 52 push edx
00405470 . C785 50FFFFFF 00>mov dword ptr ss:[ebp-B0],0
0040547A . C785 48FFFFFF 02>mov dword ptr ss:[ebp-B8],8002
00405484 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 判断余数是否为0
0040548A . 66:85C0 test ax,ax ; 即判断用户名ASCII值累加值是奇数还是偶数
0040548D . 0F84 12030000 je Crackme2.004057A5 ; 用户名ASCII值累加值为奇数则跳
00405493 . 8B06 mov eax,dword ptr ds:[esi]
00405495 . 56 push esi
00405496 . FF90 10030000 call dword ptr ds:[eax+310]
0040549C . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
0040549F . 50 push eax
004054A0 . 51 push ecx
004054A1 . FFD3 call ebx
004054A3 . 8BF8 mov edi,eax
004054A5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
004054A8 . 50 push eax
004054A9 . 57 push edi
004054AA . 8B17 mov edx,dword ptr ds:[edi]
004054AC . FF92 A0000000 call dword ptr ds:[edx+A0]
004054B2 . 85C0 test eax,eax
004054B4 . DBE2 fclex
004054B6 . 7D 12 jge short Crackme2.004054CA
004054B8 . 68 A0000000 push 0A0
004054BD . 68 743D4000 push Crackme2.00403D74
004054C2 . 57 push edi
004054C3 . 50 push eax
004054C4 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>; 出错路径:仅当上面取控件文本返回HRESULT<0时才执行;正常情况由004054B6的jge直接跳到004054CA。只有累加值为偶数才会走到这一段(奇数已在0040548D跳走)
004054CA > 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; 用户名"hrbx"
004054CD . 8B3D 38114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
004054D3 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004054D6 . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
004054DD . FFD7 call edi
004054DF . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004054E2 . 51 push ecx
004054E3 . E8 580E0000 call Crackme2.00406340 ; 关键CALL-1,F7进入
004054E8 . 8BD0 mov edx,eax ; 用户名运算后得到字符串"yXJfdD"
004054EA . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
004054ED . FFD7 call edi
004054EF . 8B55 B0 mov edx,dword ptr ss:[ebp-50]
004054F2 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004054F5 . C785 34FFFFFF 09>mov dword ptr ss:[ebp-CC],9
004054FF . C745 B0 00000000 mov dword ptr ss:[ebp-50],0
00405506 . FFD7 call edi
00405508 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC] ; 字符串"yXJfdD"
0040550E . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00405511 . 52 push edx
00405512 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00405515 . 50 push eax
00405516 . 51 push ecx
00405517 . E8 341D0000 call Crackme2.00407250 ; 关键call-2,F7进入
0040551C . 8B16 mov edx,dword ptr ds:[esi]
0040551E . 56 push esi
0040551F . FF92 18030000 call dword ptr ds:[edx+318]
00405525 . 50 push eax
00405526 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00405529 . 50 push eax
0040552A . FFD3 call ebx
0040552C . 8BF8 mov edi,eax
0040552E . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00405531 . 52 push edx
00405532 . 57 push edi
00405533 . 8B0F mov ecx,dword ptr ds:[edi]
00405535 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040553B . 85C0 test eax,eax
0040553D . DBE2 fclex
0040553F . 7D 12 jge short Crackme2.00405553
00405541 . 68 A0000000 push 0A0
00405546 . 68 743D4000 push Crackme2.00403D74
0040554B . 57 push edi
0040554C . 50 push eax
0040554D . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
00405553 > 8B45 B4 mov eax,dword ptr ss:[ebp-4C] ; 假码"9876543210"
00405556 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00405559 . 8945 90 mov dword ptr ss:[ebp-70],eax
0040555C . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040555F . 50 push eax
00405560 . 51 push ecx
00405561 . C745 B4 00000000 mov dword ptr ss:[ebp-4C],0
00405568 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
0040556F . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 真假码比较
00405575 . 8BF8 mov edi,eax
00405577 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0040557A . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040557D . 52 push edx
0040557E . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405581 . 50 push eax
00405582 . 51 push ecx
00405583 . 6A 03 push 3
00405585 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
0040558B . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040558E . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00405591 . 52 push edx
00405592 . 50 push eax
00405593 . 6A 02 push 2
00405595 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
0040559B . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0040559E . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004055A1 . 51 push ecx
004055A2 . 52 push edx
004055A3 . 6A 02 push 2
004055A5 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004055AB . 83C4 28 add esp,28
004055AE . 66:85FF test di,di
004055B1 . 0F84 40010000 je Crackme2.004056F7 ; 暴破点1:把这个je NOP掉即无条件进入成功分支。由于真码只是用户名的确定性变换并在上面作明文比较,直接写注册机同样可行
004055B7 . A1 10904000 mov eax,dword ptr ds:[409010]
004055BC . 85C0 test eax,eax
004055BE . 75 10 jnz short Crackme2.004055D0
004055C0 . 68 10904000 push Crackme2.00409010
F7进入004054E3处的关键CALL-1,来到:
00406340 $ 55 push ebp
00406341 . 8BEC mov ebp,esp
.......................................................
省略部分代码
.......................................................
004063C8 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004063CB . 8B08 mov ecx,dword ptr ds:[eax] ; 用户名"hrbx"
004063CD . 51 push ecx
004063CE . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
004063D4 . 8BC8 mov ecx,eax
004063D6 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
004063DC . 8B35 38114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
004063E2 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax ; 用户名长度4保存
004063E8 . BB 01000000 mov ebx,1 ; EBX赋初值1
004063ED . BF 02000000 mov edi,2
004063F2 > 66:3B9D 08FFFFFF cmp bx,word ptr ss:[ebp-F8] ; BX与用户名名长度比较
004063F9 . 0F8F 31040000 jg Crackme2.00406830 ; BX>长度即用户名已取完时跳出循环(到00406830);否则继续往下
004063FF . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00406402 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00406405 . 0FBFC3 movsx eax,bx
00406408 . 52 push edx
00406409 . 8B11 mov edx,dword ptr ds:[ecx]
0040640B . 50 push eax
0040640C . 52 push edx
0040640D . C745 88 01000000 mov dword ptr ss:[ebp-78],1
00406414 . 897D 80 mov dword ptr ss:[ebp-80],edi
00406417 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取用户名第一位字符"h"
0040641D . 8BD0 mov edx,eax
0040641F . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406422 . FFD6 call esi
00406424 . 50 push eax
00406425 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取第一位字符的ASCII值
0040642B . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0] ; EAX=0x68("h")
00406431 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00406434 . 66:8985 28FFFFFF mov word ptr ss:[ebp-D8],ax
0040643B . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00406441 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00406447 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040644A . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
00406450 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00406453 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406459 . 66:8BCB mov cx,bx
0040645C . 8D45 80 lea eax,dword ptr ss:[ebp-80]
0040645F . 66:83C1 01 add cx,1
00406463 . 50 push eax
00406464 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00406467 . C745 88 01000000 mov dword ptr ss:[ebp-78],1
0040646E . 0F80 64040000 jo Crackme2.004068D8
00406474 . 0FBFD1 movsx edx,cx
00406477 . 8B08 mov ecx,dword ptr ds:[eax] ; 用户名"hrbx"
00406479 . 52 push edx
0040647A . 51 push ecx
0040647B . 897D 80 mov dword ptr ss:[ebp-80],edi
0040647E . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取用户名第BX+1位(本轮为第二位)字符"r"
00406484 . 8BD0 mov edx,eax
00406486 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406489 . FFD6 call esi
0040648B . 50 push eax
0040648C . 6A 00 push 0
0040648E . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#537>]
00406494 . 8BD0 mov edx,eax
00406496 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00406499 . FFD6 call esi
0040649B . 50 push eax
0040649C . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>]
004064A2 . 8BD0 mov edx,eax
004064A4 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004064A7 . FFD6 call esi
004064A9 . 50 push eax
004064AA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取第二位字符的ASCII值
004064B0 . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0] ; EAX=0x72("r")
004064B6 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004064B9 . 66:8985 28FFFFFF mov word ptr ss:[ebp-D8],ax
004064C0 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
004064C6 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004064CC . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
004064CF . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
004064D2 . 52 push edx
004064D3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004064D6 . 50 push eax
004064D7 . 51 push ecx
004064D8 . 6A 03 push 3
004064DA . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
004064E0 . 83C4 10 add esp,10
004064E3 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004064E6 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
004064EC . 66:8BC3 mov ax,bx
004064EF . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004064F2 . 66:03C7 add ax,di
004064F5 . 52 push edx
004064F6 . 8B55 08 mov edx,dword ptr ss:[ebp+8]
004064F9 . C745 88 01000000 mov dword ptr ss:[ebp-78],1
00406500 . 0F80 D2030000 jo Crackme2.004068D8
00406506 . 0FBFC8 movsx ecx,ax
00406509 . 8B02 mov eax,dword ptr ds:[edx] ; "hrbx"
0040650B . 51 push ecx
0040650C . 897D 80 mov dword ptr ss:[ebp-80],edi
0040650F . 50 push eax
00406510 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取用户名第三位字符"b"
00406516 . 8BD0 mov edx,eax
00406518 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040651B . FFD6 call esi
0040651D . 50 push eax
0040651E . 6A 00 push 0
00406520 . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#537>]
00406526 . 8BD0 mov edx,eax
00406528 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040652B . FFD6 call esi
0040652D . 50 push eax
0040652E . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>]
00406534 . 8BD0 mov edx,eax
00406536 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00406539 . FFD6 call esi
0040653B . 50 push eax
0040653C . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
00406542 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60] ; EAX=0x62("b")
00406545 . 8945 B4 mov dword ptr ss:[ebp-4C],eax
00406548 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0040654B . 51 push ecx
0040654C . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
0040654F . 52 push edx
00406550 . 50 push eax
00406551 . 6A 03 push 3
00406553 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00406559 . 83C4 10 add esp,10
0040655C . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0040655F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406565 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00406568 . 8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
0040656E . 51 push ecx
0040656F . 8D45 80 lea eax,dword ptr ss:[ebp-80]
00406572 . 52 push edx
00406573 . 50 push eax
00406574 . C785 38FFFFFF 04>mov dword ptr ss:[ebp-C8],4 ; 常数,4
0040657E . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi ; 准备把用户名第一位字符的ASCII值除以4(相当于右移2位)
00406584 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>] ; 104(0x68)/4=26(0x1A)
0040658A . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00406590 . 50 push eax
00406591 . 51 push ecx
00406592 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>] ; 结果取整,得到26(0x1A),记为数值1
00406598 . 50 push eax
00406599 . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
0040659F . 8945 E8 mov dword ptr ss:[ebp-18],eax
004065A2 . B8 10000000 mov eax,10 ; EAX赋值,EAX=0x10(16)
004065A7 . 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
004065AD . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
004065B3 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004065B6 . 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004065BC . 52 push edx
004065BD . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004065C0 . 50 push eax
004065C1 . 51 push ecx
004065C2 . C785 38FFFFFF 03>mov dword ptr ss:[ebp-C8],3 ; 常数,3
004065CC . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
004065D2 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
004065D8 . 89BD 10FFFFFF mov dword ptr ss:[ebp-F0],edi ; 用户名第一位字符的ASCII值 and 3
004065DE . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 0x68 and 3=0
004065E4 . 50 push eax
004065E5 . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0]
004065EB . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004065F1 . 52 push edx
004065F2 . 50 push eax ; AND运算结果与常数0x10相乘
004065F3 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 0x10*0,得到0
004065F9 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004065FC . 50 push eax
004065FD . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
00406603 . 51 push ecx
00406604 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0040660A . 52 push edx
0040660B . 50 push eax ; 用户名第二位字符"r"的ASCII值除以16(0x10)
0040660C . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>] ; 114(0x72)/16(0x10)=7.125
00406612 . 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
00406618 . 50 push eax
00406619 . 51 push ecx
0040661A . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>] ; 结果取整,得到7
00406620 . 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
00406626 . 50 push eax
00406627 . 52 push edx
00406628 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 取整后与上面相乘结果相加,7+0=7,记为数值2
0040662E . 50 push eax
0040662F . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
00406635 . 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
0040663B . 8945 E0 mov dword ptr ss:[ebp-20],eax
0040663E . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406644 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00406647 . 8B08 mov ecx,dword ptr ds:[eax]
00406649 . 51 push ecx ; 用户名"hrbx"
0040664A . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
00406650 . 66:8BD3 mov dx,bx ; DX=BX=1
00406653 . 66:83C2 01 add dx,1 ; DX=DX+1
00406657 . 0F80 7B020000 jo Crackme2.004068D8
0040665D . 0FBFCA movsx ecx,dx ; ECX=DX=2
00406660 . 3BC1 cmp eax,ecx ; 比较用户名长度与BX+1(第二位字符的位置)
00406662 . 0F8C D5000000 jl Crackme2.0040673D ; 长度<BX+1即第二位字符不存在时跳到0040673D,数值3置为-1;否则继续计算
00406668 . 0FBF55 B4 movsx edx,word ptr ss:[ebp-4C] ; 用户名第三位字符"b"的ASCII值,0x62("b")
0040666C . 8995 FCFEFFFF mov dword ptr ss:[ebp-104],edx ; EDX=0x62
00406672 . C785 38FFFFFF 0F>mov dword ptr ss:[ebp-C8],0F
0040667C . DB85 FCFEFFFF fild dword ptr ss:[ebp-104] ; 转为10进制实数,98(0x62)
00406682 . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
00406688 . C785 28FFFFFF 04>mov dword ptr ss:[ebp-D8],4
00406692 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00406698 . DD9D F4FEFFFF fstp qword ptr ss:[ebp-10C] ; st=98.000000000000000000
0040669E . DD85 F4FEFFFF fld qword ptr ss:[ebp-10C]
004066A4 . 833D 00904000 00 cmp dword ptr ds:[409000],0
004066AB . 75 08 jnz short Crackme2.004066B5
004066AD . DC35 F8114000 fdiv qword ptr ds:[4011F8] ; 98/64=1.53125,ds:[4011F8]=64(常数)
004066B3 . EB 11 jmp short Crackme2.004066C6
004066B5 > FF35 FC114000 push dword ptr ds:[4011FC]
004066BB . FF35 F8114000 push dword ptr ds:[4011F8]
004066C1 . E8 AEABFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004066C6 > DFE0 fstsw ax
004066C8 . A8 0D test al,0D
004066CA . 0F85 03020000 jnz Crackme2.004068D3
004066D0 . FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaFPInt>] ; 除法结果取整
004066D6 . DD9D 18FFFFFF fstp qword ptr ss:[ebp-E8] ; st=1.0000000000000000000
004066DC . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004066DF . 8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-D0]
004066E5 . 50 push eax
004066E6 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004066E9 . 51 push ecx
004066EA . 52 push edx
004066EB . C785 10FFFFFF 05>mov dword ptr ss:[ebp-F0],5 ; 用户名第二位字符"r"的ASCII值0x72
004066F5 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 0x72 and 0F(常数),得到2
004066FB . 50 push eax
004066FC . 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-E0]
00406702 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00406708 . 50 push eax
00406709 . 51 push ecx
0040670A . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; (And运算结果)*4,2*4=8
00406710 . 50 push eax
00406711 . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
00406717 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0040671D . 52 push edx
0040671E . 50 push eax
0040671F . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 除法结果加上乘法结果,1+8=9,记为数值3
00406725 . 50 push eax
00406726 . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
0040672C . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
00406732 . 8945 CC mov dword ptr ss:[ebp-34],eax
00406735 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
0040673B . EB 07 jmp short Crackme2.00406744
0040673D > C745 CC FFFFFFFF mov dword ptr ss:[ebp-34],-1
00406744 > 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00406747 . 8B11 mov edx,dword ptr ds:[ecx] ; 用户名"hrbx"
00406749 . 52 push edx
0040674A . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
00406750 . 66:8BCB mov cx,bx ; CX=BX=1
00406753 . 66:03CF add cx,di ; CX=CX+DI=1+2=3
00406756 . 0F80 7C010000 jo Crackme2.004068D8
0040675C . 0FBFD1 movsx edx,cx ; EDX=CX=3
0040675F . 3BC2 cmp eax,edx ; 比较用户名长度与BX+2(第三位字符的位置)
00406761 . 7C 0B jl short Crackme2.0040676E ; 长度<BX+2即第三位字符不存在时跳到0040676E,数值4置为-1;否则继续
00406763 . 8B45 B4 mov eax,dword ptr ss:[ebp-4C] ; 用户名第三位字符"b"的ASCII值,EAX=0x62
00406766 . 83E0 3F and eax,3F ; EAX=EAX AND 3F=0X22
00406769 . 8945 B8 mov dword ptr ss:[ebp-48],eax ; EAX=0x22保存,记为数值4
0040676C . EB 07 jmp short Crackme2.00406775
0040676E > C745 B8 FFFFFFFF mov dword ptr ss:[ebp-48],-1
00406775 > 8B45 AC mov eax,dword ptr ss:[ebp-54]
00406778 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040677B . 50 push eax ; 固定码表(64个字符):"DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
0040677C . 51 push ecx ; 数值1~4均在0..63范围内,各对应码表中的一个字符
0040677D . E8 5E010000 call Crackme2.004068E0 ; 根据数值1在字符串中取字符,得到"y"
00406782 . 8BD0 mov edx,eax
00406784 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406787 . FFD6 call esi
00406789 . 50 push eax
0040678A . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"y"
00406790 . 8BD0 mov edx,eax
00406792 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00406795 . FFD6 call esi
00406797 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0040679A . 50 push eax
0040679B . 52 push edx
0040679C . E8 3F010000 call Crackme2.004068E0 ; 根据数值2在字符串中取字符,得到"X"
004067A1 . 8BD0 mov edx,eax
004067A3 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004067A6 . FFD6 call esi
004067A8 . 50 push eax
004067A9 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"yX"
004067AF . 8BD0 mov edx,eax
004067B1 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004067B4 . FFD6 call esi
004067B6 . 50 push eax
004067B7 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
004067BA . 50 push eax
004067BB . E8 20010000 call Crackme2.004068E0 ; 根据数值3在字符串中取字符,得到"J"
004067C0 . 8BD0 mov edx,eax
004067C2 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004067C5 . FFD6 call esi
004067C7 . 50 push eax
004067C8 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"yXJ"
004067CE . 8BD0 mov edx,eax
004067D0 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
004067D3 . FFD6 call esi
004067D5 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004067D8 . 50 push eax
004067D9 . 51 push ecx
004067DA . E8 01010000 call Crackme2.004068E0 ; 根据数值4在字符串中取字符,得到"f"
004067DF . 8BD0 mov edx,eax
004067E1 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004067E4 . FFD6 call esi
004067E6 . 50 push eax
004067E7 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"yXJf"
004067ED . 8BD0 mov edx,eax
004067EF . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004067F2 . FFD6 call esi
004067F4 . 8D55 90 lea edx,dword ptr ss:[ebp-70]
004067F7 . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004067FA . 52 push edx
004067FB . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004067FE . 50 push eax
004067FF . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00406802 . 51 push ecx
00406803 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00406806 . 52 push edx
00406807 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040680A . 50 push eax
0040680B . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040680E . 51 push ecx
0040680F . 52 push edx
00406810 . 6A 07 push 7
00406812 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00406818 . B8 03000000 mov eax,3 ; EAX=3,每轮处理用户名中的3个字符并输出4个字符(>>2、&3<<4|>>4、&0xF<<2|>>6、&0x3F,配合64字符码表,结构上就是自定义码表的Base64)
0040681D . 83C4 20 add esp,20
00406820 . 66:03C3 add ax,bx ; EAX=EAX+EBX
00406823 . 0F80 AF000000 jo Crackme2.004068D8
00406829 . 8BD8 mov ebx,eax ; EBX=EAX
0040682B .^ E9 C2FBFFFF jmp Crackme2.004063F2 ; 跳回去继续取用户名下一位字符
00406830 > 8B55 AC mov edx,dword ptr ss:[ebp-54] ; 得到字符串"yXJfdD"
00406833 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00406836 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]
0040683C . 9B wait
0040683D . 68 BD684000 push Crackme2.004068BD
00406842 . EB 5F jmp short Crackme2.004068A3
00406844 . F645 FC 04 test byte ptr ss:[ebp-4],4
00406848 . 74 09 je short Crackme2.00406853
F7进入00405517处的关键call-2,来到:
00407250 $ 55 push ebp
00407251 . 8BEC mov ebp,esp
.......................................................
省略部分代码
.......................................................
0040729B . 51 push ecx ; 字符串"yXJfdD"
0040729C . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取字符串长度,EAX=6
004072A2 . 8BC8 mov ecx,eax ; ECX=EAX=6
004072A4 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
004072AA . 8B5D 10 mov ebx,dword ptr ss:[ebp+10]
004072AD . 8B35 10104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>>
004072B3 . 8B3D 18104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>
004072B9 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax ; 字符串长度保存
004072BF . C745 C8 01000000 mov dword ptr ss:[ebp-38],1
004072C6 > 66:8B95 60FFFFFF mov dx,word ptr ss:[ebp-A0]
004072CD . 66:3955 C8 cmp word ptr ss:[ebp-38],dx ; 比较是否取完字符串
004072D1 . 0F8F DD120000 jg Crackme2.004085B4
004072D7 . 8B45 0C mov eax,dword ptr ss:[ebp+C]
004072DA . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004072DD . 0FBF55 C8 movsx edx,word ptr ss:[ebp-38]
004072E1 . 8945 90 mov dword ptr ss:[ebp-70],eax
004072E4 . 51 push ecx
004072E5 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004072E8 . 52 push edx
004072E9 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004072EC . 50 push eax
004072ED . 51 push ecx
004072EE . C745 B0 01000000 mov dword ptr ss:[ebp-50],1
004072F5 . C745 A8 02000000 mov dword ptr ss:[ebp-58],2
004072FC . C745 88 08400000 mov dword ptr ss:[ebp-78],4008
00407303 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取字符串每一位字符
00407309 . 8D55 98 lea edx,dword ptr ss:[ebp-68] ; 第一位字符"y"
0040730C . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040730F . FFD6 call esi
00407311 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407314 . FFD7 call edi
00407316 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
00407319 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
0040731F . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>]
00407325 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
0040732B . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040732E . 52 push edx
0040732F . 50 push eax
00407330 . C745 90 60414000 mov dword ptr ss:[ebp-70],Crackme2.00404160
00407337 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
0040733E . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"a"
00407344 . 66:85C0 test ax,ax
00407347 . 74 23 je short Crackme2.0040736C ; 不是则跳
00407349 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040734C . 53 push ebx
0040734D . 51 push ecx
0040734E . E8 EDEEFFFF call Crackme2.00406240
00407353 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407356 . FFD7 call edi
00407358 . 68 68414000 push Crackme2.00404168 ; 字符若为"a",则取地址00404168的字符"B"
0040735D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"B"的ASCII值
00407363 . 66:05 B900 add ax,0B9 ; AX=AX+0B9
00407367 . E9 FF110000 jmp Crackme2.0040856B
0040736C > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00407372 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00407375 . 52 push edx
00407376 . 50 push eax
00407377 . C745 90 70414000 mov dword ptr ss:[ebp-70],Crackme2.00404170
0040737E . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
00407385 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"b"
0040738B . 66:85C0 test ax,ax
0040738E . 74 23 je short Crackme2.004073B3 ; 不是则跳
00407390 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407393 . 53 push ebx
00407394 . 51 push ecx
00407395 . E8 A6EEFFFF call Crackme2.00406240
0040739A . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040739D . FFD7 call edi
0040739F . 68 78414000 push Crackme2.00404178 ; 字符若为"b",则取地址00404178的字符"8"
004073A4 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"8"的ASCII值
004073AA . 66:05 8C00 add ax,8C ; AX=AX+8C
004073AE . E9 B8110000 jmp Crackme2.0040856B
004073B3 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004073B9 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004073BC . 52 push edx
004073BD . 50 push eax
004073BE . C745 90 80414000 mov dword ptr ss:[ebp-70],Crackme2.00404180
004073C5 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004073CC . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"c"
004073D2 . 66:85C0 test ax,ax
004073D5 . 74 23 je short Crackme2.004073FA ; 不是则跳
004073D7 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004073DA . 53 push ebx
004073DB . 51 push ecx
004073DC . E8 5FEEFFFF call Crackme2.00406240
004073E1 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004073E4 . FFD7 call edi
004073E6 . 68 68414000 push Crackme2.00404168 ; 字符若为"c",则取地址00404168的字符"B"
004073EB . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"B"的ASCII值
004073F1 . 66:05 B500 add ax,0B5 ; AX=AX+0B5
004073F5 . E9 71110000 jmp Crackme2.0040856B
004073FA > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
.......................................................
省略部分代码
.......................................................
00407A74 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"A"
00407A7A . 66:85C0 test ax,ax
00407A7D . 74 23 je short Crackme2.00407AA2 ; 不是则跳
00407A7F . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407A82 . 53 push ebx
00407A83 . 51 push ecx
00407A84 . E8 B7E7FFFF call Crackme2.00406240
00407A89 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407A8C . FFD7 call edi
00407A8E . 68 48424000 push Crackme2.00404248 ; 字符若为"A",则取地址00404248的字符"5"
00407A93 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"5"的ASCII值
00407A99 . 66:05 5A00 add ax,5A ; AX=AX+5A
00407A9D . E9 C90A0000 jmp Crackme2.0040856B
00407AA2 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00407AA8 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00407AAB . 52 push edx
00407AAC . 50 push eax
00407AAD . C745 90 68414000 mov dword ptr ss:[ebp-70],Crackme2.00404168
00407AB4 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
00407ABB . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"B"
00407AC1 . 66:85C0 test ax,ax
00407AC4 . 74 23 je short Crackme2.00407AE9 ; 不是则跳
00407AC6 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407AC9 . 53 push ebx
00407ACA . 51 push ecx
00407ACB . E8 70E7FFFF call Crackme2.00406240
00407AD0 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407AD3 . FFD7 call edi
00407AD5 . 68 A03E4000 push Crackme2.00403EA0 ; 字符若为"B",则取地址00403EA0的字符"F"
00407ADA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"F"的ASCII值
00407AE0 . 66:05 F500 add ax,0F5 ; AX=AX+0F5
00407AE4 . E9 820A0000 jmp Crackme2.0040856B
00407AE9 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00407AEF . 8D45 88 lea eax,dword ptr ss:[ebp-78]
.......................................................
省略部分代码
.......................................................
00408191 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00408197 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040819A . 52 push edx
0040819B . 50 push eax
0040819C . C745 90 68424000 mov dword ptr ss:[ebp-70],Crackme2.00404268
004081A3 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004081AA . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"1"
004081B0 . 66:85C0 test ax,ax
004081B3 . 74 23 je short Crackme2.004081D8 ; 不是则跳
004081B5 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004081B8 . 53 push ebx
004081B9 . 51 push ecx
004081BA . E8 81E0FFFF call Crackme2.00406240
004081BF . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004081C2 . FFD7 call edi
004081C4 . 68 D4404000 push Crackme2.004040D4 ; 字符若为"1",则取地址004040D4的字符"D"
004081C9 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"D"的ASCII值
004081CF . 66:05 DA00 add ax,0DA ; AX=AX+0DA
004081D3 . E9 93030000 jmp Crackme2.0040856B
004081D8 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004081DE . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004081E1 . 52 push edx
004081E2 . 50 push eax
004081E3 . C745 90 98414000 mov dword ptr ss:[ebp-70],Crackme2.00404198
004081EA . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004081F1 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"2"
004081F7 . 66:85C0 test ax,ax
004081FA . 74 23 je short Crackme2.0040821F ; 不是则跳
004081FC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004081FF . 53 push ebx
00408200 . 51 push ecx
00408201 . E8 3AE0FFFF call Crackme2.00406240
00408206 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408209 . FFD7 call edi
0040820B . 68 90414000 push Crackme2.00404190 ; 字符若为"2",则取地址00404190的字符"3"
00408210 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"3"的ASCII值
00408216 . 66:05 3C00 add ax,3C ; AX=AX+3C
0040821A . E9 4C030000 jmp Crackme2.0040856B
.......................................................
省略部分代码
.......................................................
00408470 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"#"
00408476 . 66:85C0 test ax,ax
00408479 . 74 23 je short Crackme2.0040849E ; 不是则跳
0040847B . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040847E . 53 push ebx
0040847F . 51 push ecx
00408480 . E8 BBDDFFFF call Crackme2.00406240
00408485 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408488 . FFD7 call edi
0040848A . 68 28424000 push Crackme2.00404228 ; 字符若为"#",则取地址00404228的字符"E"
0040848F . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"E"的ASCII值
00408495 . 66:05 EB00 add ax,0EB ; AX=AX+0EB
00408499 . E9 CD000000 jmp Crackme2.0040856B
0040849E > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004084A4 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004084A7 . 52 push edx
004084A8 . 50 push eax
004084A9 . C745 90 08434000 mov dword ptr ss:[ebp-70],Crackme2.00404308
004084B0 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004084B7 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"^"
004084BD . 66:85C0 test ax,ax
004084C0 . 74 23 je short Crackme2.004084E5 ; 不是则跳
004084C2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004084C5 . 53 push ebx
004084C6 . 51 push ecx
004084C7 . E8 74DDFFFF call Crackme2.00406240
004084CC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004084CF . FFD7 call edi
004084D1 . 68 A03E4000 push Crackme2.00403EA0 ; 字符若为"^",则取地址00403EA0的字符"F"
004084D6 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"F"的ASCII值(00403EA0处的字符为"F",与上一行一致)
004084DC . 66:05 FB00 add ax,0FB ; AX=AX+0FB
004084E0 . E9 86000000 jmp Crackme2.0040856B
004084E5 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004084EB . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004084EE . 52 push edx
004084EF . 50 push eax
004084F0 . C745 90 10434000 mov dword ptr ss:[ebp-70],Crackme2.00404310
004084F7 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004084FE . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"$"
00408504 . 66:85C0 test ax,ax
00408507 . 74 20 je short Crackme2.00408529 ; 不是则跳
00408509 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040850C . 53 push ebx
0040850D . 51 push ecx
0040850E . E8 2DDDFFFF call Crackme2.00406240
00408513 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408516 . FFD7 call edi
00408518 . 68 28424000 push Crackme2.00404228 ; 字符若为"$",则取地址00404228的字符"E"
0040851D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"E"的ASCII值
00408523 . 66:05 E500 add ax,0E5 ; AX=AX+0E5
00408527 . EB 42 jmp short Crackme2.0040856B
00408529 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
0040852F . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00408532 . 52 push edx
00408533 . 50 push eax
00408534 . C745 90 18434000 mov dword ptr ss:[ebp-70],Crackme2.00404318
0040853B . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
00408542 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"&"
00408548 . 66:85C0 test ax,ax
0040854B . 74 48 je short Crackme2.00408595 ; 不是则跳
0040854D . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408550 . 53 push ebx
00408551 . 51 push ecx
00408552 . E8 E9DCFFFF call Crackme2.00406240
00408557 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040855A . FFD7 call edi
0040855C . 68 9C3F4000 push Crackme2.00403F9C ; 字符若为"&",则取地址00403F9C的字符"C"
00408561 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"C"的ASCII值
00408567 . 66:05 C200 add ax,0C2 ; AX=AX+0C2
0040856B > 0F80 B5000000 jo Crackme2.00408626
00408571 . 66:8945 90 mov word ptr ss:[ebp-70],ax ; AX保存
00408575 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
00408578 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040857B . 52 push edx
0040857C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040857F . 50 push eax
00408580 . 51 push ecx
00408581 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
00408588 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 将每次得到的AX值转为10进制字符串后依次连接起来
0040858E . 8BD0 mov edx,eax
00408590 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00408593 . FFD6 call esi
00408595 > 8D55 DC lea edx,dword ptr ss:[ebp-24]
00408598 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0040859B . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>]
004085A1 . B8 01000000 mov eax,1
004085A6 . 66:0345 C8 add ax,word ptr ss:[ebp-38]
004085AA . 70 7A jo short Crackme2.00408626
004085AC . 8945 C8 mov dword ptr ss:[ebp-38],eax
004085AF .^ E9 12EDFFFF jmp Crackme2.004072C6
004085B4 > 68 F7854000 push Crackme2.004085F7
004085B9 . EB 23 jmp short Crackme2.004085DE
004085BB . F645 FC 04 test byte ptr ss:[ebp-4],4
004085BF . 74 09 je short Crackme2.004085CA
004085C1 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004085C4 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
004085CA > 8D55 98 lea edx,dword ptr ss:[ebp-68]
004085CD . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004085D0 . 52 push edx
004085D1 . 50 push eax
004085D2 . 6A 02 push 2
004085D4 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004085DA . 83C4 0C add esp,0C
004085DD . C3 retn
004085DE > \8B35 18104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>
004085E4 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
004085EA . FFD6 call esi
004085EC . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004085EF . FFD6 call esi
004085F1 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004085F4 . FFD6 call esi
004085F6 . C3 retn
004085F7 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004085FA . 8B55 B8 mov edx,dword ptr ss:[ebp-48]
004085FD . 8BC8 mov ecx,eax
004085FF . 5F pop edi
00408600 . 5E pop esi
00408601 . 5B pop ebx
00408602 . 8911 mov dword ptr ds:[ecx],edx
00408604 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
00408607 . 8951 04 mov dword ptr ds:[ecx+4],edx
0040860A . 8B55 C0 mov edx,dword ptr ss:[ebp-40]
0040860D . 8951 08 mov dword ptr ds:[ecx+8],edx ; 真码"283233302113112268",内存注册机
00408610 . 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
00408613 . 8951 0C mov dword ptr ds:[ecx+C],edx
00408616 . 8B4D EC mov ecx,dword ptr ss:[ebp-14]
00408619 . 64:890D 00000000 mov dword ptr fs:[0],ecx
00408620 . 8BE5 mov esp,ebp
00408622 . 5D pop ebp
00408623 . C2 0C00 retn 0C
若用户名ASCII值累加为奇数来到以下位置(设用户名"hrby"):
004057A5 > \8B16 mov edx,dword ptr ds:[esi] ; 用户名ASCII值累加为奇数跳到这里
004057A7 . 56 push esi
004057A8 . FF92 10030000 call dword ptr ds:[edx+310]
004057AE . 50 push eax
004057AF . 8D45 AC lea eax,dword ptr ss:[ebp-54]
004057B2 . 50 push eax
004057B3 . FFD3 call ebx
004057B5 . 8BF8 mov edi,eax
004057B7 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004057BA . 52 push edx
004057BB . 57 push edi
004057BC . 8B0F mov ecx,dword ptr ds:[edi]
004057BE . FF91 A0000000 call dword ptr ds:[ecx+A0]
004057C4 . 85C0 test eax,eax
004057C6 . DBE2 fclex
004057C8 . 7D 12 jge short Crackme2.004057DC
004057CA . 68 A0000000 push 0A0
004057CF . 68 743D4000 push Crackme2.00403D74
004057D4 . 57 push edi
004057D5 . 50 push eax
004057D6 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
004057DC > 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; 用户名"hrby"
004057DF . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004057E2 . 8945 A0 mov dword ptr ss:[ebp-60],eax
004057E5 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004057E8 . 50 push eax
004057E9 . 51 push ecx
004057EA . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
004057F1 . C745 98 08000000 mov dword ptr ss:[ebp-68],8
004057F8 . E8 B3110000 call Crackme2.004069B0 ; 关键CALL-3,F7进入
004057FD . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405800 . C785 34FFFFFF 09>mov dword ptr ss:[ebp-CC],9
0040580A . 52 push edx
0040580B . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
00405811 . 8BD0 mov edx,eax ; 得到字符串"27B8066481EB68098F8A0DB8266588"
00405813 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405816 . FF15 38114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
0040581C . 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
00405822 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405825 . 50 push eax
00405826 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0040582C . 51 push ecx
0040582D . 52 push edx
0040582E . E8 1D1A0000 call Crackme2.00407250 ; 同关键CALL-2,见前面分析
00405833 . 8B06 mov eax,dword ptr ds:[esi]
00405835 . 56 push esi
00405836 . FF90 18030000 call dword ptr ds:[eax+318]
0040583C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040583F . 50 push eax
00405840 . 51 push ecx
00405841 . FFD3 call ebx
00405843 . 8BF8 mov edi,eax
00405845 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00405848 . 50 push eax
00405849 . 57 push edi
0040584A . 8B17 mov edx,dword ptr ds:[edi]
0040584C . FF92 A0000000 call dword ptr ds:[edx+A0]
00405852 . 85C0 test eax,eax
00405854 . DBE2 fclex
00405856 . 7D 12 jge short Crackme2.0040586A
00405858 . 68 A0000000 push 0A0
0040585D . 68 743D4000 push Crackme2.00403D74
00405862 . 57 push edi
00405863 . 50 push eax
00405864 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040586A > 8B45 B8 mov eax,dword ptr ss:[ebp-48]
0040586D . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00405873 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00405879 . 51 push ecx
0040587A . 52 push edx
0040587B . C745 B8 00000000 mov dword ptr ss:[ebp-48],0
00405882 . 8985 70FFFFFF mov dword ptr ss:[ebp-90],eax
00405888 . C785 68FFFFFF 08>mov dword ptr ss:[ebp-98],8008
00405892 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 真假码比较
00405898 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040589B . 8BF8 mov edi,eax
0040589D . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004058A3 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004058A6 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004058A9 . 50 push eax
004058AA . 51 push ecx
004058AB . 6A 02 push 2
004058AD . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
004058B3 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004058B9 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
004058BF . 52 push edx
004058C0 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004058C3 . 50 push eax
004058C4 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004058C7 . 51 push ecx
004058C8 . 52 push edx
004058C9 . 6A 04 push 4
004058CB . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004058D1 . 83C4 20 add esp,20
004058D4 . 66:85FF test di,di
004058D7 . 0F84 85010000 je Crackme2.00405A62 ; 暴破点2,NOP掉
004058DD . A1 10904000 mov eax,dword ptr ds:[409010]
004058E2 . 85C0 test eax,eax
004058E4 . 75 10 jnz short Crackme2.004058F6
F7进入004057F8处的关键CALL-3,来到:
004069B0 $ 55 push ebp
.......................................................
省略部分代码
.......................................................
00406A62 . 8985 78FEFFFF mov dword ptr ss:[ebp-188],eax
00406A68 . C785 20FFFFFF 14>mov dword ptr ss:[ebp-E0],14 ; 常数,0x14(20)
00406A72 . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],2
00406A7C . FFD6 call esi
00406A7E . 8B7D 0C mov edi,dword ptr ss:[ebp+C]
00406A81 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00406A87 . 50 push eax
00406A88 . 8BD7 mov edx,edi
00406A8A . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406A90 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
00406A96 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406A9C . 50 push eax
00406A9D . 51 push ecx
00406A9E . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; 获取用户名"hrby"长度,4
00406AA4 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00406AAA . 50 push eax
00406AAB . 52 push edx
00406AAC . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x14-4=0x10,0x14-用户名长度
00406AB2 . 8BD0 mov edx,eax
00406AB4 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00406AB7 . FFD6 call esi
00406AB9 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
00406ABC . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406AC2 . 50 push eax
00406AC3 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406AC9 . BB 01000000 mov ebx,1
00406ACE . 51 push ecx
00406ACF . 52 push edx
00406AD0 . 899D 20FFFFFF mov dword ptr ss:[ebp-E0],ebx
00406AD6 . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],8002
00406AE0 . FF15 0C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCmpLt>]
00406AE6 . 50 push eax
00406AE7 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406AED . 50 push eax
00406AEE . FF15 08114000 call dword ptr ds:[<&MSVBVM60.__vbaVarNot>]
00406AF4 . 50 push eax
00406AF5 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaBoolVarNull>
00406AFB . 66:85C0 test ax,ax
00406AFE . 0F84 AF000000 je Crackme2.00406BB3
00406B04 . B8 02000000 mov eax,2
00406B09 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406B0F . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
00406B15 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
00406B1B . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00406B1E . 51 push ecx
00406B1F . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
00406B25 . 52 push edx
00406B26 . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
00406B2C . 50 push eax
00406B2D . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
00406B33 . 51 push ecx
00406B34 . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00406B37 . 52 push edx
00406B38 . 50 push eax
00406B39 . 899D 20FFFFFF mov dword ptr ss:[ebp-E0],ebx
00406B3F . 899D 10FFFFFF mov dword ptr ss:[ebp-F0],ebx
00406B45 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
00406B4B . 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarForNe>
00406B51 > 85C0 test eax,eax
00406B53 . 74 64 je short Crackme2.00406BB9
00406B55 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406B5B . 6A 15 push 15 ; 常数,0x15
00406B5D . 51 push ecx
00406B5E . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.#608>]
00406B64 . 8BD7 mov edx,edi
00406B66 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406B6C . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
00406B72 . 50 push eax
00406B73 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406B79 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406B7F . 52 push edx
00406B80 . 50 push eax
00406B81 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 在用户名后连接0x10(16)个常数0x15,使总长度补足到0x14(20)
00406B87 . 8BD0 mov edx,eax
00406B89 . 8BCF mov ecx,edi
00406B8B . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaVargVarMove>
00406B91 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406B97 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406B9D . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
00406BA3 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
00406BA9 . 51 push ecx
00406BAA . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00406BAD . 52 push edx
00406BAE . 50 push eax
00406BAF . FFD3 call ebx
00406BB1 .^ EB 9E jmp short Crackme2.00406B51
00406BB3 > 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarForNe>
00406BB9 > 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
00406BBF . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00406BC2 . C785 20FFFFFF 01>mov dword ptr ss:[ebp-E0],1
00406BCC . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],2
00406BD6 . FFD6 call esi
00406BD8 . B9 01000000 mov ecx,1
00406BDD . B8 02000000 mov eax,2
00406BE2 . 898D 20FFFFFF mov dword ptr ss:[ebp-E0],ecx
00406BE8 . 898D 10FFFFFF mov dword ptr ss:[ebp-F0],ecx
00406BEE . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406BF4 . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
00406BFA . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
00406C00 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00406C06 . 51 push ecx
00406C07 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
00406C0D . 52 push edx
00406C0E . 8D8D B8FEFFFF lea ecx,dword ptr ss:[ebp-148]
00406C14 . 50 push eax
00406C15 . 8D95 C8FEFFFF lea edx,dword ptr ss:[ebp-138]
00406C1B . 51 push ecx
00406C1C . 8D45 BC lea eax,dword ptr ss:[ebp-44]
00406C1F . 52 push edx
00406C20 . 50 push eax
00406C21 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
00406C27 > 85C0 test eax,eax
00406C29 . 0F84 EE000000 je Crackme2.00406D1D
00406C2F . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406C35 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00406C38 . 51 push ecx
00406C39 . 52 push edx
00406C3A . C785 60FFFFFF 01>mov dword ptr ss:[ebp-A0],1
00406C44 . C785 58FFFFFF 02>mov dword ptr ss:[ebp-A8],2
00406C4E . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00406C54 . 50 push eax
00406C55 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406C5B . 57 push edi
00406C5C . 50 push eax
00406C5D . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取用户名每一位字符"h"
00406C63 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00406C69 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00406C6F . 51 push ecx
00406C70 . 52 push edx
00406C71 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
00406C77 . 50 push eax
00406C78 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
00406C7E . 66:8985 10FFFFFF mov word ptr ss:[ebp-F0],ax ;&nbs