160 - 17 bjanes.3

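Environment:

Windows XP SP3


Tools:

OllyDbg, ExeInfo PE


Packer check:

Checked with ExeInfo PE: the binary is not packed and is written in VB.


Process:

Step 1: Enter any serial to get an error message box. Load the program in OD, search the strings for the error message, and double-click the hit to return to the CPU window, where you can see: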

00404E08   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
00404E0B   .  8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58      ;  UNICODE "FFFF"
00404E1B   .  52            push edx                                          ; /var18
00404E1C   .  50            push eax                                          ; |var28
00404E1D   .  C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008                ; |
00404E27   .  FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]     ; \__vbaVarTstEq
00404E2D   .  66:85C0       test ax,ax                                        ;  jumps if 0; ax must not be 0, i.e. the values at the two locations above must be equal
00404E30      0F84 AD000000 je BJCM30A.00404EE3                               ;  key jump
00404E36      8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>]    ;  MSVBVM60.__vbaVarDup
00404E3C   .  B9 04000280   mov ecx,0x80020004
00404E41   .  898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404E47   .  B8 0A000000   mov eax,0xA
00404E4C   .  898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
00404E52   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
00404E58   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404E5E   .  8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00404E64   .  8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00404E6A   .  C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402BB4     ;  UNICODE "Correct serial!"
00404E74   .  89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
00404E7A   .  FFD3          call ebx                                          ;  <&MSVBVM60.__vbaVarDup>
00404E7C   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404E82   .  8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404E88   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B68      ;  UNICODE "Good job, tell me how you do that!"
00404E92   .  89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
00404E98   .  FFD3          call ebx
00404E9A   .  8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-0xE8]
00404EA0   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404EA6   .  51            push ecx
00404EA7   .  8D85 38FFFFFF lea eax,dword ptr ss:[ebp-0xC8]
00404EAD   .  52            push edx
00404EAE   .  50            push eax
00404EAF   .  8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404EB5   .  57            push edi
00404EB6   .  51            push ecx
00404EB7   .  FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox
00404EBD   .  8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
00404EC3   .  8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404EC9   .  52            push edx
00404ECA   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404ED0   .  50            push eax
00404ED1   .  8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404ED7   .  51            push ecx
00404ED8   .  52            push edx
00404ED9   .  E9 A8000000   jmp BJCM30A.00404F86
00404EDE   >  BE 08000000   mov esi,0x8
00404EE3   >  8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>]    ;  MSVBVM60.__vbaVarDup
00404EE9   .  B9 04000280   mov ecx,0x80020004
00404EEE   .  898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404EF4   .  B8 0A000000   mov eax,0xA
00404EF9   .  898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
00404EFF   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
00404F05   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404F0B   .  8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
00404F11   .  8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00404F17   .  C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402A10     ;  UNICODE "Wrong serial!"
00404F21   .  89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
00404F27   .  FFD3          call ebx                                          ;  <&MSVBVM60.__vbaVarDup>
00404F29   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404F2F   .  8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404F35   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402BD8      ;  UNICODE "Sorry, try again!"
00404F3F   .  89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
00404F45   .  FFD3          call ebx
00404F47   .  8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404F4D   .  8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404F53   .  50            push eax
00404F54   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404F5A   .  51            push ecx
00404F5B   .  52            push edx
00404F5C   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404F62   .  57            push edi
00404F63   .  50            push eax
00404F64   .  FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox

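As far as patching goes, that already solves it; next comes analysing the algorithm.

Scrolling up a bit, this comes into view:

00404476   .  83F8 05       cmp eax,0x5                                       ; this decides whether the message box below is shown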
00404479   .  0F8E AD000000 jle BJCM30A.0040452C
0040447F   .  8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>]    ;  MSVBVM60.__vbaVarDup
00404485   .  B9 04000280   mov ecx,0x80020004
0040448A   .  898D 20FFFFFF mov dword ptr ss:[ebp-0xE0],ecx
00404490   .  B8 0A000000   mov eax,0xA
00404495   .  898D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ecx
0040449B   .  BE 08000000   mov esi,0x8
004044A0   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
004044A6   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
004044AC   .  8985 18FFFFFF mov dword ptr ss:[ebp-0xE8],eax
004044B2   .  8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
004044B8   .  C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],BJCM30A.00402AE0     ;  UNICODE "Cheater!!!   CHEATER!!!   Cheater!!!   CHEATER!!!"
004044C2   .  89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi
004044C8   .  FFD3          call ebx                                          ;  <&MSVBVM60.__vbaVarDup>
004044CA   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
004044D0   .  8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
004044D6   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402A68      ;  UNICODE "  You have SmartCheck loaded!...Close it and try again!!!"
004044E0   .  89B5 08FFFFFF mov dword ptr ss:[ebp-0xF8],esi
004044E6   .  FFD3          call ebx
004044E8   .  8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
004044EE   .  8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
004044F4   .  52            push edx
004044F5   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
004044FB   .  50            push eax
004044FC   .  51            push ecx
004044FD   .  8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404503   .  57            push edi
00404504   .  52            push edx
00404505   .  FF15 3C104000 call dword ptr ds:[<&MSVBVM60.#595>]              ;  MSVBVM60.rtcMsgBox
0040450B   .  8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404511   .  8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404517   .  50            push eax
00404518   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040451E   .  51            push ecx
0040451F   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404525   .  52            push edx
00404526   .  50            push eax
00404527   .  E9 5A0A0000   jmp BJCM30A.00404F86
0040452C   >  8B0E          mov ecx,dword ptr ds:[esi]

SmartCheck is a debugger for VB programs, so the check here is presumably meant to detect whether a debugger is loaded.

Scrolling further up:

00404320   .  FF15 94104000 call dword ptr ds:[<&MSVBVM60.#535>]              ;  MSVBVM60.rtcGetTimer
00404326   .  FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>]         ;  MSVBVM60.__vbaFpI4
0040432C   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
0040432F   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404335   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
0040433B   .  52            push edx                                          ; /Step8
0040433C   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]                  ; |
00404342   .  50            push eax                                          ; |End8
00404343   .  8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C]                  ; |
00404349   .  51            push ecx                                          ; |Start8
0040434A   .  8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C]                  ; |
00404350   .  52            push edx                                          ; |TMPend8
00404351   .  8D4D 80       lea ecx,dword ptr ss:[ebp-0x80]                   ; |
00404354   .  BB 02000000   mov ebx,0x2                                       ; |
00404359   .  50            push eax                                          ; |TMPstep8
0040435A   .  51            push ecx                                          ; |Counter8
0040435B   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1                   ; |
00404365   .  899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx                   ; |
0040436B   .  C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],0x3E8                ; |
00404375   .  899D F8FEFFFF mov dword ptr ss:[ebp-0x108],ebx                  ; |
0040437B   .  C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1                  ; |
00404385   .  899D E8FEFFFF mov dword ptr ss:[ebp-0x118],ebx                  ; |
0040438B   .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>]   ; \__vbaVarForInit
00404391   >  3BC7          cmp eax,edi
00404393   .  0F84 C8000000 je BJCM30A.00404461
00404399   .  B8 01000000   mov eax,0x1
0040439E   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
004043A4   .  8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax
004043AA   .  8985 F0FEFFFF mov dword ptr ss:[ebp-0x110],eax
004043B0   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
004043B6   .  52            push edx                                          ; /Step8
004043B7   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]                  ; |
004043BD   .  50            push eax                                          ; |End8
004043BE   .  8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C]                  ; |
004043C4   .  51            push ecx                                          ; |Start8
004043C5   .  8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]                  ; |
004043CB   .  52            push edx                                          ; |TMPend8
004043CC   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]                   ; |
004043CF   .  50            push eax                                          ; |TMPstep8
004043D0   .  51            push ecx                                          ; |Counter8
004043D1   .  899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx                   ; |
004043D7   .  C785 00FFFFFF>mov dword ptr ss:[ebp-0x100],0xFA                 ; |
004043E1   .  899D F8FEFFFF mov dword ptr ss:[ebp-0x108],ebx                  ; |
004043E7   .  899D E8FEFFFF mov dword ptr ss:[ebp-0x118],ebx                  ; |
004043ED   .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>]   ; \__vbaVarForInit
004043F3   >  3BC7          cmp eax,edi
004043F5   .  74 4D         je XBJCM30A.00404444
004043F7   .  68 342A4000   push BJCM30A.00402A34                             ;  UNICODE "IS SMARTCHECK LOADED???"
004043FC   .  68 342A4000   push BJCM30A.00402A34                             ;  UNICODE "IS SMARTCHECK LOADED???"
00404401   .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>]       ;  MSVBVM60.__vbaStrCmp
00404407   .  85C0          test eax,eax
00404409   .  75 1F         jnz XBJCM30A.0040442A
0040440B   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404411   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00404414   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1
0040441E   .  899D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ebx
00404424   .  FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]      ;  MSVBVM60.__vbaVarMove
0040442A   >  8D95 84FEFFFF lea edx,dword ptr ss:[ebp-0x17C]
00404430   .  8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
00404436   .  52            push edx                                          ; /TMPend8
00404437   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]                   ; |
0040443A   .  50            push eax                                          ; |TMPstep8
0040443B   .  51            push ecx                                          ; |Counter8
0040443C   .  FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>]   ; \__vbaVarForNext
00404442   .^ EB AF         jmp XBJCM30A.004043F3
00404444   >  8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-0x15C]
0040444A   .  8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C]
00404450   .  52            push edx                                          ; /TMPend8
00404451   .  8D4D 80       lea ecx,dword ptr ss:[ebp-0x80]                   ; |
00404454   .  50            push eax                                          ; |TMPstep8
00404455   .  51            push ecx                                          ; |Counter8
00404456   .  FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>]   ; \__vbaVarForNext
0040445C   .^ E9 30FFFFFF   jmp BJCM30A.00404391
00404461   >  FF15 94104000 call dword ptr ds:[<&MSVBVM60.#535>]              ;  MSVBVM60.rtcGetTimer
00404467   .  FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>]         ;  MSVBVM60.__vbaFpI4
0040446D   .  2B45 A4       sub eax,dword ptr ss:[ebp-0x5C]

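This code has a GetTimer call at both its start and its end, a subtraction at the very end at 0040446D, and a nested loop in between. Single-stepping through the loop takes a long time, so the results of the two GetTimer calls are subtracted afterwards, and if the difference is greater than 5 the program concludes that it is being debugged. This has no real bearing here, since there is no need to single-step through it, so it can be ignored.

Continuing down:

0040456D   > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84]                   ; fetch the entered serial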
00404573   .  52            push edx                                          ; /String
00404574   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
0040457A   .  33DB          xor ebx,ebx
0040457C   .  83F8 05       cmp eax,0x5                                       ;  compare the length of the entered serial
0040457F   .  0F9CC3        setl bl                                           ;  bl = CF ^ OF; when less than 5, CF is 1; OF is 1 only on overflow
00404582   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404588   .  F7DB          neg ebx                                           ;  two's complement: invert and add 1
0040458A   .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
00404590   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404596   .  FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
0040459C   .  66:3BDF       cmp bx,di
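0040459F   .  0F85 39090000 jnz BJCM30A.00404EDE                              ; jump straight to the error path

This block checks the serial length. At 0040457C the following cases arise:

(1) If the serial length len < 5: the subtraction borrows, CF is set to 1, OF is set to 0, and BL ends up as 1

(2) If len >= 5: the subtraction does not borrow, CF and OF are both 0, and BL ends up as 0

The neg instruction at 00404588 takes the two's complement, so the result is ebx = FFFFFFFF in case (1) and ebx = 00000000 in case (2)

Having learned that the serial length must be greater than or equal to 5, continue down:

00404616   > \8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84]                   ; fetch the serial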
0040461C   .  51            push ecx                                          ; /String
0040461D   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
00404623   .  8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax                  ;  serial length
00404629   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
0040462F   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404635   .  52            push edx                                          ; /Step8
00404636   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]                  ; |
0040463C   .  50            push eax                                          ; |End8
0040463D   .  8D95 64FEFFFF lea edx,dword ptr ss:[ebp-0x19C]                  ; |
00404643   .  51            push ecx                                          ; |Start8
00404644   .  8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C]                  ; |
0040464A   .  52            push edx                                          ; |TMPend8
0040464B   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]                   ; |
0040464E   .  50            push eax                                          ; |TMPstep8
0040464F   .  51            push ecx                                          ; |Counter8
00404650   .  C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3                  ; |
0040465A   .  C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1                  ; |
00404664   .  C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2                  ; |
0040466E   .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>]   ; \__vbaVarForInit
00404674   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]                   ;  address of the pointer to the serial
0040467A   .  8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax                  ;  used to decide whether the loop has finished
00404680   .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
00404686   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0040468C   .  FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
00404692   .  8B1D DC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>]   ;  MSVBVM60.__vbaStrMove
00404698   >  39BD 30FEFFFF cmp dword ptr ss:[ebp-0x1D0],edi
0040469E   .  0F84 F5010000 je BJCM30A.00404899                               ;  loop finished, leave the loop
004046A4   .  8B16          mov edx,dword ptr ds:[esi]
004046A6   .  56            push esi
004046A7   .  FF92 08030000 call dword ptr ds:[edx+0x308]
004046AD   .  50            push eax                                          ;  
004046AE   .  8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
004046B4   .  50            push eax
004046B5   .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]       ;  MSVBVM60.__vbaObjSet
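004046BB   .  8B08          mov ecx,dword ptr ds:[eax]                        ;  note: this pattern appears very often in the program
004046BD   .  8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]                   ;  it is probably generated by the compiler and unrelated to the algorithm
004046C3   .  52            push edx                                          ; telling it apart makes the analysis easier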
004046C4   .  50            push eax
004046C5   .  8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
004046CB   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004046D1   .  3BC7          cmp eax,edi
004046D3   .  DBE2          fclex
004046D5   .  7D 18         jge XBJCM30A.004046EF                             ;  
004046D7   .  8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
004046DD   .  68 A0000000   push 0xA0
004046E2   .  68 442B4000   push BJCM30A.00402B44
004046E7   .  51            push ecx
004046E8   .  50            push eax                                          ;  especially these function calls; note how many arguments are pushed
004046E9   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
004046EF   >  8B16          mov edx,dword ptr ds:[esi]
004046F1   .  56            push esi
004046F2   .  FF92 08030000 call dword ptr ds:[edx+0x308]
004046F8   .  50            push eax
004046F9   .  8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004046FF   .  50            push eax
00404700   .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]       ;  MSVBVM60.__vbaObjSet
00404706   .  8B08          mov ecx,dword ptr ds:[eax]
00404708   .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
0040470E   .  52            push edx
0040470F   .  50            push eax
00404710   .  8985 CCFEFFFF mov dword ptr ss:[ebp-0x134],eax
00404716   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
0040471C   .  3BC7          cmp eax,edi
0040471E   .  DBE2          fclex
00404720   .  7D 18         jge XBJCM30A.0040473A
00404722   .  8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134]
00404728   .  68 A0000000   push 0xA0
0040472D   .  68 442B4000   push BJCM30A.00402B44
00404732   .  51            push ecx
00404733   .  50            push eax
00404734   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
0040473A   >  B8 01000000   mov eax,0x1
0040473F   .  8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404745   .  8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
0040474B   .  8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],eax
00404751   .  8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
00404757   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
0040475A   .  B9 02000000   mov ecx,0x2
0040475F   .  52            push edx
00404760   .  50            push eax
00404761   .  898D 48FFFFFF mov dword ptr ss:[ebp-0xB8],ecx
00404767   .  898D 28FFFFFF mov dword ptr ss:[ebp-0xD8],ecx
0040476D   .  898D F8FEFFFF mov dword ptr ss:[ebp-0x108],ecx
00404773   .  FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]        ;  MSVBVM60.__vbaI4Var
00404779   .  8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84]
0040477F   .  8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.#631>]           ;  MSVBVM60.rtcMidCharBstr
00404785   .  50            push eax
00404786   .  51            push ecx
00404787   .  FFD7          call edi                                          ;  <&MSVBVM60.#631>
00404789   .  8BD0          mov edx,eax                                       ;  eax is the address of the returned character
0040478B   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404791   .  FFD3          call ebx                                          ;  copy the address of the character just returned to ebp-0x8c
00404793   .  50            push eax
00404794   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040479A   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
0040479D   .  52            push edx
0040479E   .  8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]                  ;  the value at ecx is certainly 0x02; it was assigned above
004047A4   .  50            push eax                                          ; /var18
004047A5   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]                   ; |destination
004047AB   .  51            push ecx                                          ; |var28
004047AC   .  52            push edx                                          ; |saveto8
004047AD   .  FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]       ; \__vbaVarAdd
004047B3   .  50            push eax
004047B4   .  FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]        ;  MSVBVM60.__vbaI4Var
004047BA   .  50            push eax
004047BB   .  8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
004047C1   .  50            push eax
004047C2   .  FFD7          call edi                                          ;  this is the character at the next position
004047C4   .  8BD0          mov edx,eax
004047C6   .  8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
004047CC   .  FFD3          call ebx
004047CE   .  50            push eax
004047CF   .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>]       ;  MSVBVM60.__vbaStrCmp
004047D5   .  8BF8          mov edi,eax                                       ;  store the comparison result in edi: 0 if equal, -1 if different
004047D7   .  8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]                   ;  everything after this is freeing
004047DD   .  F7DF          neg edi                                           ;  two's complement here
004047DF   .  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
004047E5   .  51            push ecx
004047E6   .  8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004047EC   .  52            push edx
004047ED   .  1BFF          sbb edi,edi                                       ;  then subtract the value of CF
004047EF   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
004047F5   .  50            push eax
004047F6   .  47            inc edi                                           ;  edi + 1 here
004047F7   .  51            push ecx
004047F8   .  6A 04         push 0x4
004047FA   .  F7DF          neg edi                                           ;  two's complement of edi again
004047FC   .  FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]  ;  MSVBVM60.__vbaFreeStrList
00404802   .  8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
00404808   .  8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
0040480E   .  52            push edx
0040480F   .  50            push eax
00404810   .  6A 02         push 0x2
00404812   .  FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>]  ;  MSVBVM60.__vbaFreeObjList
00404818   .  8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
0040481E   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404824   .  51            push ecx
00404825   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
0040482B   .  52            push edx
0040482C   .  50            push eax
0040482D   .  6A 03         push 0x3
0040482F   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]  ;  MSVBVM60.__vbaFreeVarList
00404835   .  83C4 30       add esp,0x30
00404838   .  66:85FF       test di,di                                        ;  test whether edi is 0
0040483B   .  74 37         je XBJCM30A.00404874                              ;  jump if 0, meaning the two characters differ
0040483D   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]                   ;  if they are the same, add 1
00404840   .  8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404846   .  51            push ecx                                          ; /var18
00404847   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]                   ; |
0040484D   .  52            push edx                                          ; |var28
0040484E   .  50            push eax                                          ; |saveto8
0040484F   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1                   ; |
00404859   .  C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x2                   ; |
00404863   .  FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]       ; \__vbaVarAdd
00404869   .  8BD0          mov edx,eax
0040486B   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
0040486E   .  FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]      ;  MSVBVM60.__vbaVarMove
00404874   >  8D8D 64FEFFFF lea ecx,dword ptr ss:[ebp-0x19C]                  ;  loop end value
0040487A   .  8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C]                  ;  loop step size
00404880   .  51            push ecx                                          ; /TMPend8
00404881   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]                   ; |current loop value
00404884   .  52            push edx                                          ; |TMPstep8
00404885   .  50            push eax                                          ; |Counter8
00404886   .  FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>]   ; \__vbaVarForNext
0040488C   .  8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax
00404892   .  33FF          xor edi,edi
00404894   .^ E9 FFFDFFFF   jmp BJCM30A.00404698


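The main job of this code is to check whether each pair of adjacent characters in the entered serial is the same. For an input such as 66666, it accumulates the number of times adjacent characters are equal; because the comparison starts with the first and second characters, "66666" works out to 4. Continuing down:

004048E4   > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84]                   ;  this ensures the serial cannot be all the same character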
004048EA   .  52            push edx                                          ; /String
004048EB   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
004048F1   .  83E8 01       sub eax,0x1                                       ;  serial length - 1
004048F4   .  8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-0xF8]
004048FA   .  0F80 AA070000 jo BJCM30A.004050AA                               ;  jump on overflow
00404900   .  8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax
00404906   .  8D45 B8       lea eax,dword ptr ss:[ebp-0x48]
00404909   .  50            push eax                                          ; /var18
0040490A   .  51            push ecx                                          ; |var28
0040490B   .  C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8003                ; |
00404915   .  FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]     ; \__vbaVarTstEq
0040491B   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404921   .  66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax
00404928   .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
0040492E   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404934   .  FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
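0040493A   .  66:39BD CCFEF>cmp word ptr ss:[ebp-0x134],di                    ;  these must be equal
00404941   .  0F85 97050000 jnz BJCM30A.00404EDE                              ;  must not jump here

This checks whether the whole serial consists of a single character, as 66666 does; 66656 does not. The method takes the count of adjacent equal characters computed in the previous block and compares it with the serial length minus 1. If they are equal, the serial is made of one character; if not, it is not. A serial made of only one character triggers the error message box; the reason becomes clear once the algorithm has been fully analysed.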
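
The flag idioms at 0040457C and 004047DD and the two early checks described above, modelled in C as an added example (not code from the crackme or from the original write-up); the function names, the loop bounds 1..len and the sample serials are assumptions of this example. SETL is defined as SF != OF; for lengths this small SF takes the same value as the borrow flag CF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* cmp eax,limit / setl bl / neg ebx, as at 0040457C..00404588.
 * Returns EBX: 0xFFFFFFFF when len < limit (signed compare), else 0. */
static uint32_t setl_neg(int32_t len, int32_t limit)
{
    uint32_t a = (uint32_t)len, b = (uint32_t)limit, r = a - b;
    uint32_t sf = r >> 31;                    /* sign of the result */
    uint32_t of = ((a ^ b) & (a ^ r)) >> 31;  /* signed overflow of a - b */
    uint32_t ebx = sf ^ of;                   /* setl bl: SF != OF */
    return 0u - ebx;                          /* neg ebx */
}

/* neg edi / sbb edi,edi / inc edi / neg edi, as at 004047DD..004047FA.
 * Input is the __vbaStrCmp result; output is a VB Boolean in EDI. */
static uint32_t strcmp_to_vb_bool(uint32_t edi)
{
    uint32_t cf = (edi != 0);  /* neg sets CF unless the operand is 0 */
    edi = 0u - edi;            /* neg edi */
    edi = edi - edi - cf;      /* sbb edi,edi -> 0 or 0xFFFFFFFF */
    edi = edi + 1u;            /* inc edi     -> 1 or 0 */
    return 0u - edi;           /* neg edi     -> 0xFFFFFFFF (equal) or 0 */
}

/* The loop at 00404698: compare Mid(serial, i, 1) with Mid(serial, i+1, 1)
 * and count the equal pairs. Bounds 1..len are an assumption read from the
 * __vbaVarForInit arguments; at i == len the second operand is empty. */
static int adjacent_equal_count(const char *serial)
{
    size_t len = strlen(serial);
    int count = 0;
    for (size_t i = 1; i <= len; i++) {
        int same = (i < len) && (serial[i - 1] == serial[i]);
        uint32_t cmp = same ? 0u : 0xFFFFFFFFu;   /* 0 if equal, -1 if not */
        if ((uint16_t)strcmp_to_vb_bool(cmp) != 0) /* test di,di / je skip */
            count++;
    }
    return count;
}

enum verdict { PASSES_SO_FAR, TOO_SHORT, SINGLE_CHARACTER };

/* Length check (0040457C) followed by the single-character check (004048E4). */
static enum verdict early_checks(const char *serial)
{
    int32_t len = (int32_t)strlen(serial);
    if ((uint16_t)setl_neg(len, 5) != 0)          /* cmp bx,di / jnz error */
        return TOO_SHORT;
    if (adjacent_equal_count(serial) == len - 1)  /* __vbaVarTstEq is true */
        return SINGLE_CHARACTER;
    return PASSES_SO_FAR;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the binary. */
    const char *samples[] = { "1234", "66666", "66656", "abcde" };
    const char *names[] = { "passes so far", "too short", "single character" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s pairs=%d -> %s\n", samples[i],
               adjacent_equal_count(samples[i]),
               names[early_checks(samples[i])]);
    return 0;
}
```
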

004049A6   > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84]                   ;  read the serial length
004049AC   .  52            push edx                                          ; /String
004049AD   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
004049B3   .  8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
004049B9   .  8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
004049BF   .  8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]
004049C5   .  50            push eax                                          ; /Step8
004049C6   .  8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]                  ; |
004049CC   .  51            push ecx                                          ; |End8
004049CD   .  8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC]                  ; |
004049D3   .  52            push edx                                          ; |Start8
004049D4   .  8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC]                  ; |
004049DA   .  50            push eax                                          ; |TMPend8
004049DB   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]                   ; |
004049DE   .  51            push ecx                                          ; |TMPstep8
004049DF   .  52            push edx                                          ; |Counter8
004049E0   .  C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3                  ; |
004049EA   .  C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1                  ; |
004049F4   .  C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2                  ; |
004049FE   .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>]   ; \__vbaVarForInit
00404A04   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]                   ;  address where the serial is stored goes into ecx
00404A0A   .  8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404A10   .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]      ;  MSVBVM60.__vbaFreeStr
00404A16   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A1C   .  FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
00404A22   >  39BD 2CFEFFFF cmp dword ptr ss:[ebp-0x1D4],edi                  ;  check whether the loop has finished
00404A28   .  0F84 1D030000 je BJCM30A.00404D4B
00404A2E   .  8B06          mov eax,dword ptr ds:[esi]
00404A30   .  56            push esi
00404A31   .  FF90 08030000 call dword ptr ds:[eax+0x308]
00404A37   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A3D   .  50            push eax
00404A3E   .  51            push ecx
00404A3F   .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]       ;  MSVBVM60.__vbaObjSet
00404A45   .  8B10          mov edx,dword ptr ds:[eax]
00404A47   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404A4D   .  51            push ecx
00404A4E   .  50            push eax
00404A4F   .  8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404A55   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]
00404A5B   .  3BC7          cmp eax,edi
00404A5D   .  DBE2          fclex
00404A5F   .  7D 18         jge XBJCM30A.00404A79
00404A61   .  8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-0x12C]
00404A67   .  68 A0000000   push 0xA0
00404A6C   .  68 442B4000   push BJCM30A.00402B44
00404A71   .  52            push edx
00404A72   .  50            push eax
00404A73   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
00404A79   >  8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-0x84]
00404A7F   .  50            push eax                                          ; /String
00404A80   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]      ; \__vbaLenBstr
00404A86   .  8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404A8C   .  8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax                   ;  get the serial length and store it at 0xB0
00404A92   .  51            push ecx
00404A93   .  C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x3
00404A9D   .  FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>]              ;  MSVBVM60.rtcHexBstrFromVar
00404AA3   .  8BD0          mov edx,eax                                       ;  convert the serial length to hexadecimal
00404AA5   .  8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404AAB   .  FFD3          call ebx                                          ;  store the value of edx at the location in ecx
00404AAD   .  8B16          mov edx,dword ptr ds:[esi]
00404AAF   .  56            push esi
00404AB0   .  FF92 08030000 call dword ptr ds:[edx+0x308]
00404AB6   .  50            push eax
00404AB7   .  8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
00404ABD   .  50            push eax
00404ABE   .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]       ;  MSVBVM60.__vbaObjSet
00404AC4   .  8B85 58FFFFFF mov eax,dword ptr ss:[ebp-0xA8]
00404ACA   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404AD0   .  6A 01         push 0x1
00404AD2   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404AD8   .  51            push ecx
00404AD9   .  52            push edx
00404ADA   .  89BD 58FFFFFF mov dword ptr ss:[ebp-0xA8],edi
00404AE0   .  8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00404AE6   .  C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x9
00404AF0   .  FF15 D4104000 call dword ptr ds:[<&MSVBVM60.#617>]              ;  MSVBVM60.rtcLeftCharVar
00404AF6   .  8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404AFC   .  8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404B02   .  50            push eax                                          ; /String8
00404B03   .  51            push ecx                                          ; |ARG2
00404B04   .  FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]    ; \__vbaStrVarVal
00404B0A   .  50            push eax                                          ; /String
00404B0B   .  FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
00404B11   .  8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8]
00404B17   .  66:8985 20FFF>mov word ptr ss:[ebp-0xE0],ax
00404B1E   .  52            push edx
00404B1F   .  C785 18FFFFFF>mov dword ptr ss:[ebp-0xE8],0x2
00404B29   .  FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>]              ;  MSVBVM60.rtcHexBstrFromVar
00404B2F   .  8BD0          mov edx,eax                                       ;  each digit of the character code above is converted to its Unicode character
00404B31   .  8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-0xA0]
00404B37   .  FFD3          call ebx                                          ;  store that result at 0xA0
00404B39   .  BA 6C294000   mov edx,BJCM30A.0040296C                          ;  *
00404B3E   .  8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94]                   ;  copy the contents of edx to the address in ecx
00404B44   .  FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]      ;  MSVBVM60.__vbaStrCopy
00404B4A   .  8B95 60FFFFFF mov edx,dword ptr ss:[ebp-0xA0]
00404B50   .  8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B56   .  89BD 60FFFFFF mov dword ptr ss:[ebp-0xA0],edi
00404B5C   .  FFD3          call ebx                                          ;  vbaStrMove
00404B5E   .  8B95 64FFFFFF mov edx,dword ptr ss:[ebp-0x9C]
00404B64   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404B6A   .  89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi
00404B70   .  FFD3          call ebx                                          ;  StrMove the contents of edx to the address in ecx
00404B72   .  8B06          mov eax,dword ptr ds:[esi]
00404B74   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00404B7A   .  8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404B80   .  51            push ecx
00404B81   .  52            push edx
00404B82   .  8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B88   .  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00404B8E   .  51            push ecx
00404B8F   .  52            push edx
00404B90   .  56            push esi
00404B91   .  FF90 F8060000 call dword ptr ds:[eax+0x6F8]                     ;  compute first character * serial length
00404B97   .  3BC7          cmp eax,edi
00404B99   .  7D 12         jge XBJCM30A.00404BAD
00404B9B   .  68 F8060000   push 0x6F8
00404BA0   .  68 B4274000   push BJCM30A.004027B4
00404BA5   .  56            push esi
00404BA6   .  50            push eax
00404BA7   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
00404BAD   >  8B95 68FFFFFF mov edx,dword ptr ss:[ebp-0x98]                   ;  this is the result just computed
00404BB3   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]                   ;  the result just computed is stored here
00404BB6   .  89BD 68FFFFFF mov dword ptr ss:[ebp-0x98],edi
00404BBC   .  FFD3          call ebx
00404BBE   .  8D85 60FFFFFF lea eax,dword ptr ss:[ebp-0xA0]                   ;  what follows is just cleanup (free calls) and can be skipped
00404BC4   .  8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404BCA   .  50            push eax
00404BCB   .  8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404BD1   .  51            push ecx
00404BD2   .  8D85 70FFFFFF lea eax,dword ptr ss:[ebp-0x90]
00404BD8   .  52            push edx
00404BD9   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404BDF   .  50            push eax
00404BE0   .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404BE6   .  51            push ecx
00404BE7   .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404BED   .  52            push edx
00404BEE   .  50            push eax
00404BEF   .  6A 07         push 0x7
00404BF1   .  FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]  ;  MSVBVM60.__vbaFreeStrList
00404BF7   .  8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-0xA8]
00404BFD   .  8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C03   .  51            push ecx
00404C04   .  52            push edx
00404C05   .  6A 02         push 0x2
00404C07   .  FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>]  ;  MSVBVM60.__vbaFreeObjList
00404C0D   .  8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404C13   .  8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404C19   .  50            push eax
00404C1A   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404C20   .  51            push ecx
00404C21   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404C27   .  52            push edx
00404C28   .  50            push eax
00404C29   .  6A 04         push 0x4
00404C2B   .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]  ;  MSVBVM60.__vbaFreeVarList
00404C31   .  8B0E          mov ecx,dword ptr ds:[esi]
00404C33   .  83C4 40       add esp,0x40
00404C36   .  56            push esi
00404C37   .  FF91 08030000 call dword ptr ds:[ecx+0x308]
00404C3D   .  8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C43   .  50            push eax
00404C44   .  52            push edx
00404C45   .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]       ;  MSVBVM60.__vbaObjSet
00404C4B   .  8B08          mov ecx,dword ptr ds:[eax]
00404C4D   .  8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
00404C53   .  52            push edx
00404C54   .  50            push eax
00404C55   .  8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404C5B   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
00404C61   .  3BC7          cmp eax,edi
00404C63   .  DBE2          fclex
00404C65   .  7D 18         jge XBJCM30A.00404C7F
00404C67   .  8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
00404C6D   .  68 A0000000   push 0xA0
00404C72   .  68 442B4000   push BJCM30A.00402B44
00404C77   .  51            push ecx
00404C78   .  50            push eax
00404C79   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
00404C7F   >  8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404C85   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
00404C88   .  52            push edx
00404C89   .  50            push eax
00404C8A   .  C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],0x1
00404C94   .  C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x2
00404C9E   .  FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]        ;  MSVBVM60.__vbaI4Var
00404CA4   .  8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84]                   ;  resume reading here: load the entered serial
00404CAA   .  50            push eax
00404CAB   .  51            push ecx
00404CAC   .  FF15 54104000 call dword ptr ds:[<&MSVBVM60.#631>]              ;  MSVBVM60.rtcMidCharBstr
00404CB2   .  8BD0          mov edx,eax
00404CB4   .  8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404CBA   .  FFD3          call ebx
00404CBC   .  50            push eax                                          ; /String
00404CBD   .  FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>]              ; \rtcAnsiValueBstr
00404CC3   .  66:8985 00FFF>mov word ptr ss:[ebp-0x100],ax
00404CCA   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
00404CCD   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404CD3   .  52            push edx                                          ; /var18
00404CD4   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]                   ; |
00404CDA   .  50            push eax                                          ; |var28
00404CDB   .  51            push ecx                                          ; |saveto8
00404CDC   .  C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x2                  ; |
00404CE6   .  FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>]       ; \__vbaVarAdd
00404CEC   .  8BD0          mov edx,eax                                       ;  address where the result is stored
00404CEE   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]                   ;  copy the sum here
00404CF1   .  FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]      ;  MSVBVM60.__vbaVarMove
00404CF7   .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404CFD   .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D03   .  52            push edx
00404D04   .  50            push eax
00404D05   .  6A 02         push 0x2
00404D07   .  FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]  ;  MSVBVM60.__vbaFreeStrList
00404D0D   .  83C4 0C       add esp,0xC
00404D10   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404D16   .  FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]      ;  MSVBVM60.__vbaFreeObj
00404D1C   .  8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404D22   .  FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]      ;  MSVBVM60.__vbaFreeVar
00404D28   .  8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC]                  ;  end value
00404D2E   .  8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]                  ;  step
00404D34   .  51            push ecx                                          ; /TMPend8
00404D35   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]                   ; |accumulated value
00404D38   .  52            push edx                                          ; |TMPstep8
00404D39   .  50            push eax                                          ; |Counter8
00404D3A   .  FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>]   ; \__vbaVarForNext
00404D40   .  8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404D46   .^ E9 D7FCFFFF   jmp BJCM30A.00404A22

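This loop computes sum(serial), that is, it adds up the codes of all the characters. It also computes serial[0]*len(serial). The actual computation takes place in the call at 00404B91.

Single-step into the call at 00404B91 and keep stepping until you reach this: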

00403C3A   .  50            push eax
00403C3B   .  68 6C294000   push BJCM30A.0040296C                             ;  *
00403C40   .  FFD7          call edi
00403C42   .  85C0          test eax,eax
00403C44   .  75 1F         jnz XBJCM30A.00403C65
00403C46   .  8B76 50       mov esi,dword ptr ds:[esi+0x50]                   ;  length of the serial
00403C49   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
00403C4C   .  52            push edx
00403C4D   .  8B4E 04       mov ecx,dword ptr ds:[esi+0x4]                    ;  hex value of the serial's first character
00403C50   .  0FAF0E        imul ecx,dword ptr ds:[esi]
00403C53   .  0F80 CA000000 jo BJCM30A.00403D23
00403C59   .  894D E0       mov dword ptr ss:[ebp-0x20],ecx
00403C5C   .  C745 D8 03000>mov dword ptr ss:[ebp-0x28],0x3
00403C63   .  EB 4D         jmp XBJCM30A.00403CB2


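A couple of steps after stepping in, it becomes clear that the function is a switch statement. Once you find the location above, you can see that this case computes serial[0]*len(serial).

After the loop ends, execution arrives here: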

00404D4B   > \8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00404D4E   .  51            push ecx                                          ;  convert the computed value to a Unicode string, e.g. 0xFF becomes "FF"
00404D4F   .  FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>]              ;  MSVBVM60.rtcHexBstrFromVar
00404D55   .  8BD0          mov edx,eax
00404D57   .  8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404D5D   .  FFD3          call ebx
00404D5F   .  BA 0C294000   mov edx,BJCM30A.0040290C                          ;  =
00404D64   .  8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D6A   .  FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]      ;  MSVBVM60.__vbaStrCopy
00404D70   .  8B95 70FFFFFF mov edx,dword ptr ss:[ebp-0x90]
00404D76   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404D7C   .  89BD 70FFFFFF mov dword ptr ss:[ebp-0x90],edi
00404D82   .  FFD3          call ebx
00404D84   .  8B16          mov edx,dword ptr ds:[esi]
00404D86   .  8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
00404D8C   .  8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D92   .  50            push eax
00404D93   .  51            push ecx
00404D94   .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D9A   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00404D9D   .  50            push eax
00404D9E   .  51            push ecx
00404D9F   .  56            push esi
00404DA0   .  FF92 F8060000 call dword ptr ds:[edx+0x6F8]                     ;  this calls the same function as before, but takes a different case
00404DA6   .  3BC7          cmp eax,edi
00404DA8   .  7D 12         jge XBJCM30A.00404DBC
00404DAA   .  68 F8060000   push 0x6F8
00404DAF   .  68 B4274000   push BJCM30A.004027B4
00404DB4   .  56            push esi
00404DB5   .  50            push eax
00404DB6   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>;  MSVBVM60.__vbaHresultCheckObj
00404DBC   >  8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00404DC2      BE 08000000   mov esi,0x8
00404DC7   .  8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404DCD   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00404DD0   .  89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi
00404DD6   .  8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
00404DDC   .  89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00404DE2   .  FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]      ;  MSVBVM60.__vbaVarMove
00404DE8   .  8D95 70FFFFFF lea edx,dword ptr ss:[ebp-0x90]
00404DEE   .  8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
00404DF4   .  52            push edx
00404DF5   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404DFB   .  50            push eax
00404DFC   .  51            push ecx
00404DFD   .  6A 03         push 0x3
00404DFF   .  FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]  ;  MSVBVM60.__vbaFreeStrList
00404E05   .  83C4 10       add esp,0x10
00404E08   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
00404E0B   .  8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11   .  C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58      ;  UNICODE "FFFF"
00404E1B   .  52            push edx                                          ; /var18
00404E1C   .  50            push eax                                          ; |var28
00404E1D   .  C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008                ; |
00404E27   .  FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>]     ; \__vbaVarTstEq
00404E2D   .  66:85C0       test ax,ax                                        ;  jumps if zero; ax must not be 0, i.e. the values at the two locations above must be equal
00404E30      0F84 AD000000 je BJCM30A.00404EE3                               ;  the key jump
00404E36      8B1D CC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>]    ;  MSVBVM60.__vbaVarDup

The last few instructions decide whether the serial is correct. Also pay attention to the call at 00404DA0, which takes this case:

00403A57   .  51            push ecx
00403A58   .  68 0C294000   push BJCM30A.0040290C                             ;  =
00403A5D   .  FFD7          call edi
00403A5F   .  85C0          test eax,eax
00403A61   .  75 37         jnz XBJCM30A.00403A9A
00403A63   .  8B76 50       mov esi,dword ptr ds:[esi+0x50]
00403A66   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00403A69   .  51            push ecx
00403A6A   .  8B16          mov edx,dword ptr ds:[esi]                        ;  result of the earlier * computation
00403A6C   .  8B7E 04       mov edi,dword ptr ds:[esi+0x4]                    ;  sum of all the characters
00403A6F   .  3BD7          cmp edx,edi
00403A71   .  C745 C8 0B000>mov dword ptr ss:[ebp-0x38],0xB
00403A78   .  0F94C0        sete al
00403A7B   .  F7D8          neg eax
00403A7D   .  66:8945 D0    mov word ptr ss:[ebp-0x30],ax                     ;  convert the comparison result to a Unicode string
00403A81   .  FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#572>]              ;  MSVBVM60.rtcHexBstrFromVar
00403A87   .  8BD0          mov edx,eax
00403A89   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00403A8C   .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]      ;  MSVBVM60.__vbaStrMove
00403A92   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00403A95   .  E9 2C020000   jmp BJCM30A.00403CC6

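Note the instruction at 00403A78: this is where sum(serial) is compared with serial[0]*len(serial). There are two possible outcomes:

(1) Equal: ZF is 1, and after neg the value becomes FFFFFFFF

(2) Different: ZF is 0, and after neg the value is still 00000000

The conversion that follows then gives:

(1) becomes "FFFF"

(2) becomes "0"


Notice the "FFFF" at 00404E11; with that, the algorithm is clear.


The algorithm is not very complicated: it simply checks whether sum(serial) and serial[0]*len(serial) are equal.

This also explains why the serial must not be made up of a single repeated character: otherwise it would obviously satisfy the check.

There is no need to write a keygen either. Take any run of characters with consecutive codes (of odd length) and move the middle character to the first position, and the requirement is met.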
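The check reconstructed above, modelled in Python as an added example (not code from the original write-up or from the crackme itself). It assumes an ASCII serial and leaves out the separate rejection of single-character serials that the write-up mentions; all function names are hypothetical.

```python
"""Model of the serial check as reconstructed in this write-up (added example)."""


def vb_hex16(value: int) -> str:
    # Hex() of a 16-bit VB value: uppercase, no leading zeros, two's complement.
    return format(value & 0xFFFF, "X")


def char_sum(serial: str) -> int:
    # Loop at 00404A22: Asc() of every character, accumulated with __vbaVarAdd.
    return sum(ord(c) for c in serial)


def first_times_len(serial: str) -> int:
    # Case "*" (00403C50): code of the first character multiplied by the length.
    return ord(serial[0]) * len(serial)


def compare_result(serial: str) -> str:
    # Case "=" (00403A6F): sete/neg yields -1 (True) or 0, then Hex() of that word.
    equal = char_sum(serial) == first_times_len(serial)
    return vb_hex16(-1 if equal else 0)


def arithmetic_check(serial: str) -> bool:
    # 00404E27: the resulting string is compared with the constant "FFFF".
    if not serial or not serial.isascii():
        raise ValueError("model covers non-empty ASCII serials only")
    return compare_result(serial) == "FFFF"


def middle_first(run: str) -> str:
    # The write-up's recipe: odd-length run of consecutive codes, middle char first.
    # It works because the middle code is the mean, so sum == middle * length.
    if len(run) % 2 == 0:
        raise ValueError("run must have odd length")
    if any(ord(b) - ord(a) != 1 for a, b in zip(run, run[1:])):
        raise ValueError("character codes must be consecutive")
    mid = len(run) // 2
    return run[mid] + run[:mid] + run[mid + 1:]


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the program.
    for sample in ("12345", middle_first("12345"), "aaaaa"):
        print(sample, hex(char_sum(sample)), hex(first_times_len(sample)),
              compare_result(sample), arithmetic_check(sample))
```

The "aaaaa" case passes the arithmetic comparison, which is why a serial made of one repeated character trivially satisfies this check.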
















