链接:https://www.52pojie.cn/thread-615320-1-1.html
https://www.52pojie.cn/thread-265789-1-1.html
【这个感觉还是没有理解透彻……以后再弄】
程序是VB,表示不会
1、搜索关键字/堆栈平衡都可以找到关键跳转,直接nop掉即可。
2、看不懂程序,只看到调用了很多运行库函数:__vbaVarForInit、rtcMidCharVar、__vbaStrVarVal、rtcAnsiValueBstr、__vbaVarAdd、__vbaVarForNext
; ---- Fetch the user name and set up the For loop (004020A6-0040212C) ----
; Debugger listing of a VB5 (MSVBVM50) routine. The excerpt begins mid-function: the three
; instructions below are the tail of a __vbaHresultCheckObj call whose earlier arguments lie
; outside the listing.
; NOTE(review): annotations such as "msvbvm50.__vbaMidStmtVar" on lines that use ebx look like
; the debugger's view of the register when the listing was captured; from 004020F3 on, ebx
; holds 2 in this part of the code.
004020A6 . 53 push ebx ; msvbvm50.__vbaMidStmtVar
004020A7 . 50 push eax
004020A8 . FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; msvbvm50.__vbaHresultCheckObj
004020AE > 8B45 A8 mov eax,dword ptr ss:[ebp-0x58] ; user name [15d6fc]
004020B1 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi ; msvbvm50.__vbaVarMove
004020B4 . 8B35 FC404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>] ; msvbvm50.__vbaVarMove
004020BA . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] ; presumably the source block for __vbaVarMove
004020BD . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; presumably the destination block
004020C0 . 8945 9C mov dword ptr ss:[ebp-0x64],eax ; eax = user name
004020C3 . C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8 ; type word 8 at ebp-0x6C, string pointer at ebp-0x64: presumably a string VARIANT
004020CA . FFD6 call esi ; msvbvm50.__vbaVarMove; <&MSVBVM50.__vbaVarMove>
004020CC . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
004020CF . FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; msvbvm50.__vbaFreeObj
004020D5 . B8 01000000 mov eax,0x1 ; eax = 1
004020DA . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
004020E0 . 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax ; value 1 for the block at ebp-0xAC (pushed below as Step8)
004020E6 . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax ; value 1 for the block at ebp-0xBC (pushed below as Start8)
004020EC . 8D55 BC lea edx,dword ptr ss:[ebp-0x44] ; edx = 0012f49c
004020EF . 51 push ecx ; /Step8 = NULL
004020F0 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |
004020F3 . BB 02000000 mov ebx,0x2 ; |ebx = 2
004020F8 . 52 push edx ; |/var18 = 00914950
004020F9 . 50 push eax ; ||retBuffer8 = 0012F484
004020FA . 899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx ; ||edx = user name
00402100 . 899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx ; ||msvbvm50.__vbaMidStmtVar
00402106 . FF15 18414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; |\__vbaLenVar
0040210C . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; |
00402112 . 50 push eax ; |End8 = 0012F484
00402113 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118] ; |
00402119 . 51 push ecx ; |Start8 = NULL
0040211A . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108] ; |
00402120 . 52 push edx ; |TMPend8 = 00914950
00402121 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24] ; |
00402124 . 50 push eax ; |TMPstep8 = 0012F484
00402125 . 51 push ecx ; |Counter8 = NULL
00402126 . FF15 20414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>] ; \__vbaVarForInit
0040212C . 8B3D 04414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; msvbvm50.__vbaFreeVarList
; ---- Loop body, one pass per loop-counter step (00402132-004021D1) ----
; Each pass: rtcMidCharVar takes a character from the block at ebp-0x44 (start = loop counter
; converted by __vbaI4Var, third argument = block at ebp-0x6C holding 1), __vbaStrVarVal and
; rtcAnsiValueBstr turn it into a 16-bit code, __vbaVarAdd adds that code to the block at
; ebp-0x34 and __vbaVarMove stores the sum back there. Temporaries are freed, then
; __vbaVarForNext is called and control returns to the test at 00402132.
00402132 > 85C0 test eax,eax ; eax = return value of __vbaVarForInit / __vbaVarForNext
00402134 . 0F84 9C000000 je Andréna.004021D6 ; zero: leave the loop
0040213A . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
0040213D . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; ebp-0x24 is the block pushed as Counter8 for the For calls
00402140 . 52 push edx
00402141 . 50 push eax
00402142 . C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1 ; value 1 in the block at ebp-0x6C
00402149 . 895D 94 mov dword ptr ss:[ebp-0x6C],ebx ; msvbvm50.__vbaMidStmtVar
0040214C . FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ; msvbvm50.__vbaI4Var
00402152 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; |
00402155 . 50 push eax ; |Start = 0x12F484
00402156 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C] ; |
00402159 . 51 push ecx ; |dString8 = NULL
0040215A . 52 push edx ; |RetBUFFER = 00914950
0040215B . FF15 38414000 call dword ptr ds:[<&MSVBVM50.#rtcMidCharVar_632>] ; \rtcMidCharVar
00402161 . 8D45 84 lea eax,dword ptr ss:[ebp-0x7C] ; this function extracts the corresponding character from the string
00402164 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00402167 . 50 push eax ; /String8 = 0012F484
00402168 . 51 push ecx ; |ARG2 = NULL
00402169 . FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ; \__vbaStrVarVal
0040216F . 50 push eax ; /String = ""
00402170 . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>] ; \rtcAnsiValueBstr
00402176 . 66:8985 4CFFF>mov word ptr ss:[ebp-0xB4],ax ; "1"=31 (presumably hex: the code returned for the character "1")
0040217D . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00402180 . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-0xBC]
00402186 . 52 push edx ; /var18 = 00914950
00402187 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] ; |
0040218D . 50 push eax ; |var28 = 0012F484
0040218E . 51 push ecx ; |saveto8 = NULL
0040218F . 899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx ; |msvbvm50.__vbaMidStmtVar
00402195 . FF15 94414000 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>] ; \__vbaVarAdd
0040219B . 8BD0 mov edx,eax ; eax = return value of __vbaVarAdd
0040219D . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] ; running total lives at ebp-0x34
004021A0 . FFD6 call esi ; msvbvm50.__vbaVarMove
004021A2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
004021A5 . FF15 B8414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; msvbvm50.__vbaFreeStr
004021AB . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C] ; "&OK"
004021AE . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
004021B1 . 52 push edx
004021B2 . 50 push eax
004021B3 . 53 push ebx ; msvbvm50.__vbaMidStmtVar
004021B4 . FFD7 call edi ; msvbvm50.__vbaFreeVarList
004021B6 . 83C4 0C add esp,0xC ; caller removes the three pushed arguments
004021B9 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
004021BF . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
004021C5 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004021C8 . 51 push ecx ; /TMPend8 = NULL
004021C9 . 52 push edx ; |TMPstep8 = 00914950
004021CA . 50 push eax ; |Counter8 = 0012F484
004021CB . FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>] ; \__vbaVarForNext
004021D1 .^ E9 5CFFFFFF jmp Andréna.00402132
; ---- After the loop: scale the total and overwrite two characters (004021D6-00402254) ----
; __vbaVarMul is called with the block at ebp-0x34 and a block at ebp-0xAC (type word 3,
; value 0x499602D2 = 1234567890 decimal); __vbaVarMove stores the result back at ebp-0x34.
; __vbaMidStmtVar is then called twice on ebp-0x34, first with the constants 4 and 1, then
; with 9 and 1, each time with a type-8 block whose value is Andréna.00401C34 (annotated "-").
004021D6 > 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
004021D9 . 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
004021DF . 51 push ecx ; /var18 = NULL
004021E0 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |
004021E3 . 52 push edx ; |var28 = 00914950
004021E4 . 50 push eax ; |SaveTo8 = 0012F484
004021E5 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x499602D2 ; |multiplier: 0x499602D2 = 1234567890
004021EF . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x3 ; |type word 3 for the multiplier block
004021F9 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarMul>] ; \__vbaVarMul
004021FF . 8BD0 mov edx,eax ; eax = return value of __vbaVarMul
00402201 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00402204 . FFD6 call esi ; msvbvm50.__vbaVarMove
00402206 . 8B1D A0414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>] ; msvbvm50.__vbaMidStmtVar
0040220C . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
0040220F . 51 push ecx
00402210 . 6A 04 push 0x4 ; presumably the character position (4)
00402212 . 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
00402218 . 6A 01 push 0x1 ; presumably the length (1)
0040221A . 52 push edx
0040221B . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34 ; -
00402225 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
0040222F . FFD3 call ebx ; msvbvm50.__vbaMidStmtVar; <&MSVBVM50.__vbaMidStmtVar>
00402231 . 8D45 CC lea eax,dword ptr ss:[ebp-0x34] ; "ck"
00402234 . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
0040223A . 50 push eax
0040223B . 6A 09 push 0x9 ; presumably the character position (9)
0040223D . 6A 01 push 0x1 ; presumably the length (1)
0040223F . 51 push ecx
00402240 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34 ; -
0040224A . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
00402254 . FFD3 call ebx ; msvbvm50.__vbaMidStmtVar
; ---- Read the entered registration code and compare it (00402256-004022CB) ----
; Two virtual calls through object vtables ([edx+0x304], then [ecx+0xA0]) leave a string in
; ebp-0x58 (annotated as the registration code); a negative return value from the second call
; goes through __vbaHresultCheckObj. The string is placed in a block at ebp-0x6C (type word
; 0x8008) and passed with the computed block at ebp-0x34 to __vbaVarTstEq. The return value is
; kept in ebx and alone decides the branch at 004022CB.
; NOTE(review): the expected value is derived in-process and the decision is a single
; compare-and-branch, so both the formula and the branch are visible to anyone with a
; debugger. Asymmetric signatures on license data prevent valid codes from being derived
; from the binary; only functionality enforced server-side is out of reach of a local patch.
00402256 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; "ck"
00402259 . 50 push eax
0040225A . 8B10 mov edx,dword ptr ds:[eax]
0040225C . FF92 04030000 call dword ptr ds:[edx+0x304] ; virtual call on the object passed at ebp+0x8
00402262 . 50 push eax
00402263 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
00402266 . 50 push eax ; "110-4691-5770"
00402267 . FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ; msvbvm50.__vbaObjSet
0040226D . 8BD8 mov ebx,eax
0040226F . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
00402272 . 52 push edx
00402273 . 53 push ebx ; msvbvm50.__vbaMidStmtVar
00402274 . 8B0B mov ecx,dword ptr ds:[ebx]
00402276 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; virtual call; ebp-0x58 was pushed as its argument
0040227C . 85C0 test eax,eax
0040227E . 7D 12 jge short Andréna.00402292 ; non-negative return value: skip the error check
00402280 . 68 A0000000 push 0xA0
00402285 . 68 201C4000 push Andréna.00401C20
0040228A . 53 push ebx ; msvbvm50.__vbaMidStmtVar
0040228B . 50 push eax
0040228C . FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; msvbvm50.__vbaHresultCheckObj
00402292 > 8B45 A8 mov eax,dword ptr ss:[ebp-0x58] ; registration code
00402295 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00402298 . 8945 9C mov dword ptr ss:[ebp-0x64],eax
0040229B . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040229E . 50 push eax ; /var18 = 0012F484
0040229F . 51 push ecx ; |var28 = NULL
004022A0 . C745 A8 00000>mov dword ptr ss:[ebp-0x58],0x0 ; |
004022A7 . C745 94 08800>mov dword ptr ss:[ebp-0x6C],0x8008 ; |
004022AE . FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ; \__vbaVarTstEq
004022B4 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
004022B7 . 8BD8 mov ebx,eax ; key point!! ebx keeps the __vbaVarTstEq return value
004022B9 . FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; msvbvm50.__vbaFreeObj
004022BF . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004022C2 . FF15 00414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>] ; msvbvm50.__vbaFreeVar
004022C8 . 66:85DB test bx,bx
004022CB . 0F84 C0000000 je Andréna.00402391 ; key jump (taken when bx is 0)
; ---- Fall-through path when the preceding "test bx,bx" finds bx non-zero (004022D1 onward) ----
; rtcBeep is called, then three blocks are filled in: type word 0xA with value 0x80020004 at
; ebp-0x9C and at ebp-0x8C, and type word 8 with value Andréna.00401CA8 (annotated
; "RiCHTiG !") at ebp-0xBC. 0x80020004 is the DISP_E_PARAMNOTFOUND code; presumably these are
; the arguments of a message box (omitted optional arguments plus the text). The excerpt ends
; before any further call.
004022D1 . FF15 74414000 call dword ptr ds:[<&MSVBVM50.#rtcBeep_534>] ; msvbvm50.rtcBeep
004022D7 . 8B1D 98414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ; msvbvm50.__vbaVarDup
004022DD . B9 04000280 mov ecx,0x80020004
004022E2 . 898D 6CFFFFFF mov dword ptr ss:[ebp-0x94],ecx ; value field of the block at ebp-0x9C
004022E8 . B8 0A000000 mov eax,0xA
004022ED . 898D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ecx ; value field of the block at ebp-0x8C
004022F3 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
004022F9 . 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
004022FC . 8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax ; type word 0xA
00402302 . 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax ; type word 0xA
00402308 . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.00401CA8 ; RiCHTiG !
00402312 . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
3、用VB Decompiler工具进行反编译
4、发现程序算法是:取 name 每一个字符的 ASCII 值累加,再将累加和与 1234567890(即反汇编中的 0x499602D2)相乘,把乘积转为字符串,并把其中第 4 和第 9 个字符替换为“-”
好像是这样……