160个CrackMe之003

我们随意输入一个用户名和序列号(伪码):

Name:3333
Serial:44445555

此时不要点击确定按钮,返回OD暂停(F12),点击堆栈-K小图标(Ctrl+K),如下图:

调用堆栈:     主线程
地址       堆栈       函数过程 / 参数                       调用来自                      结构
0012ED90   77D19418   包含ntdll.KiFastSystemCallRet           user32.77D19416               0012EDC4
0012ED94   77D2770A   user32.WaitMessage                    user32.77D27705               0012EDC4
0012EDC8   77D249C4   user32.77D2757B                       user32.77D249BF               0012EDC4
0012EDF0   77D3A956   user32.77D2490E                       user32.77D3A951               0012EDEC
0012F0B0   77D3A2BC   user32.SoftModalMessageBox            user32.77D3A2B7               0012F0AC
0012F200   77D3A10B   user32.77D3A147                       user32.77D3A106               0012F1FC
0012F26C   740CEE19   user32.MessageBoxIndirectA            msvbvm50.740CEE13             0012F268
0012F270   0012F278     pMsgBoxParams = 0012F278
0012F2A4   740CEC81   包含msvbvm50.740CEE19                   msvbvm50.740CEC7E             0012F2A0
0012F2C8   740CEFAF   msvbvm50.740CEB58                     msvbvm50.740CEFAA             0012F2C4
0012F2F8   740C6394   msvbvm50.740CEF19                     msvbvm50.740C638F             0012F2F4
0012F364   740F414D   msvbvm50.740C60F3                     msvbvm50.740F4148             0012F360
0012F3D8   00408722   msvbvm50.rtcMsgBox                    AfKayAs_.0040871C             0012F3D4

跳转到msvbvm50.rtcMsgBox函数调用的地方:

004080F0   > \55            push ebp
004080F1   .  8BEC          mov ebp,esp
004080F3   .  83EC 0C       sub esp,0xC
004080F6   .  68 56104000   push <jmp.&MSVBVM50.__vbaExceptHandler>                 ;  SE 处理程序安装
004080FB   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00408101   .  50            push eax
00408102   .  64:8925 00000>mov dword ptr fs:[0],esp
00408109   .  81EC D0000000 sub esp,0xD0
0040810F   .  53            push ebx
00408110   .  56            push esi
00408111   .  8B75 08       mov esi,dword ptr ss:[ebp+0x8]
00408114   .  57            push edi
00408115   .  8BC6          mov eax,esi
00408117   .  83E6 FE       and esi,-0x2
0040811A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
0040811D   .  83E0 01       and eax,0x1
00408120   .  8B1E          mov ebx,dword ptr ds:[esi]
00408122   .  C745 F8 30104>mov dword ptr ss:[ebp-0x8],AfKayAs_.00401030
00408129   .  56            push esi
0040812A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
0040812D   .  8975 08       mov dword ptr ss:[ebp+0x8],esi
00408130   .  899D 40FFFFFF mov dword ptr ss:[ebp-0xC0],ebx
00408136   .  FF53 04       call dword ptr ds:[ebx+0x4]
00408139   .  8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]
0040813F   .  33FF          xor edi,edi
00408141   .  56            push esi
00408142   .  897D E8       mov dword ptr ss:[ebp-0x18],edi
00408145   .  897D E4       mov dword ptr ss:[ebp-0x1C],edi
00408148   .  897D E0       mov dword ptr ss:[ebp-0x20],edi
0040814B   .  897D DC       mov dword ptr ss:[ebp-0x24],edi
0040814E   .  897D D8       mov dword ptr ss:[ebp-0x28],edi
00408151   .  897D D4       mov dword ptr ss:[ebp-0x2C],edi
00408154   .  897D C4       mov dword ptr ss:[ebp-0x3C],edi
00408157   .  897D B4       mov dword ptr ss:[ebp-0x4C],edi
0040815A   .  897D A4       mov dword ptr ss:[ebp-0x5C],edi
0040815D   .  897D 94       mov dword ptr ss:[ebp-0x6C],edi
00408160   .  FFD0          call eax
00408162   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00408165   .  50            push eax
00408166   .  51            push ecx
00408167   .  FF15 20B14000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]             ;  msvbvm50.__vbaObjSet
0040816D   .  8B9B 18030000 mov ebx,dword ptr ds:[ebx+0x318]
00408173   .  56            push esi
00408174   .  8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
0040817A   .  899D 3CFFFFFF mov dword ptr ss:[ebp-0xC4],ebx
00408180   .  FFD3          call ebx
00408182   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
00408185   .  50            push eax
00408186   .  52            push edx
00408187   .  FF15 20B14000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]             ;  msvbvm50.__vbaObjSet
0040818D   .  8BD8          mov ebx,eax
0040818F   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00408192   .  51            push ecx
00408193   .  53            push ebx
00408194   .  8B03          mov eax,dword ptr ds:[ebx]
00408196   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]
0040819C   .  3BC7          cmp eax,edi
0040819E   .  7D 12         jge short AfKayAs_.004081B2
004081A0   .  68 A0000000   push 0xA0
004081A5   .  68 AC6F4000   push AfKayAs_.00406FAC
004081AA   .  53            push ebx
004081AB   .  50            push eax
004081AC   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
004081B2   >  56            push esi
004081B3   .  FF95 3CFFFFFF call dword ptr ss:[ebp-0xC4]
004081B9   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
004081BC   .  50            push eax
004081BD   .  52            push edx
004081BE   .  FF15 20B14000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]             ;  msvbvm50.__vbaObjSet
004081C4   .  8BD8          mov ebx,eax
004081C6   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
004081C9   .  51            push ecx
004081CA   .  53            push ebx
004081CB   .  8B03          mov eax,dword ptr ds:[ebx]
004081CD   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]
004081D3   .  3BC7          cmp eax,edi
004081D5   .  7D 12         jge short AfKayAs_.004081E9
004081D7   .  68 A0000000   push 0xA0
004081DC   .  68 AC6F4000   push AfKayAs_.00406FAC
004081E1   .  53            push ebx
004081E2   .  50            push eax
004081E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
004081E9   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]                         ;  user32.77D18830
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]                         ;  输入的用户名:3333
004081F2   .  50            push eax                                                ; /输入的用户名:3333
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]                              ; |
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]            ; \计算输入的用户名的长度:4
004081FB   .  8BF8          mov edi,eax                                             ;  edi = 4
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00408200   .  69FF 385B0100 imul edi,edi,0x15B38                                    ;  edi = 4 * 0x15B38 = 0x56CE0
00408206   .  51            push ecx                                                ; /String = 00000001 ???
00408207   .  0F80 B7050000 jo AfKayAs_.004087C4                                    ; |
0040820D   .  FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>]   ; \rtcAnsiValueBstr
00408213   .  0FBFD0        movsx edx,ax                                            ;  第一个字符:0x33
00408216   .  03FA          add edi,edx                                             ;  edi = 0x56CE0 + 0x33 == 0x56D13
00408218   .  0F80 A6050000 jo AfKayAs_.004087C4
0040821E   .  57            push edi
0040821F   .  FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]              ;  将无符号数转换为10进制字符串
00408225   .  8BD0          mov edx,eax                                             ;  edx = "355603"
00408227   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040822A   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]            ;  msvbvm50.__vbaStrMove
00408230   .  8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]                         ;  user32.77D18830
00408236   .  50            push eax
00408237   .  57            push edi
00408238   .  FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040823E   .  85C0          test eax,eax
00408240   .  7D 12         jge short AfKayAs_.00408254
00408242   .  68 A4000000   push 0xA4
00408247   .  68 AC6F4000   push AfKayAs_.00406FAC
0040824C   .  57            push edi
0040824D   .  50            push eax
0040824E   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
00408254   >  8D45 E0       lea eax,dword ptr ss:[ebp-0x20]
00408257   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040825A   .  50            push eax
0040825B   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
0040825E   .  51            push ecx
0040825F   .  52            push edx
00408260   .  6A 03         push 0x3
00408262   .  FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]        ;  msvbvm50.__vbaFreeStrList
00408268   .  83C4 10       add esp,0x10
0040826B   .  8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
0040826E   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00408271   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
00408274   .  50            push eax
00408275   .  51            push ecx
00408276   .  52            push edx
00408277   .  6A 03         push 0x3
00408279   .  FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]        ;  msvbvm50.__vbaFreeObjList
0040827F   .  8B9D 40FFFFFF mov ebx,dword ptr ss:[ebp-0xC0]
00408285   .  83C4 10       add esp,0x10
00408288   .  8B83 FC020000 mov eax,dword ptr ds:[ebx+0x2FC]
0040828E   .  56            push esi
0040828F   .  8985 38FFFFFF mov dword ptr ss:[ebp-0xC8],eax
00408295   .  FFD0          call eax
00408297   .  8B3D 20B14000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaObjSet>]          ;  msvbvm50.__vbaObjSet
0040829D   .  50            push eax
0040829E   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
004082A1   .  50            push eax
004082A2   .  FFD7          call edi                                                ;  <&MSVBVM50.__vbaObjSet>
004082A4   .  56            push esi
004082A5   .  8985 58FFFFFF mov dword ptr ss:[ebp-0xA8],eax
004082AB   .  FF93 08030000 call dword ptr ds:[ebx+0x308]
004082B1   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
004082B4   .  50            push eax
004082B5   .  51            push ecx
004082B6   .  FFD7          call edi
004082B8   .  8BD8          mov ebx,eax
004082BA   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
004082BD   .  50            push eax
004082BE   .  53            push ebx
004082BF   .  8B13          mov edx,dword ptr ds:[ebx]
004082C1   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]
004082C7   .  85C0          test eax,eax
004082C9   .  7D 12         jge short AfKayAs_.004082DD
004082CB   .  68 A0000000   push 0xA0
004082D0   .  68 AC6F4000   push AfKayAs_.00406FAC
004082D5   .  53            push ebx
004082D6   .  50            push eax
004082D7   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
004082DD   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]                         ;  user32.77D1882A
004082E3   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]                         ;  上面计算的序列号:355603
004082E6   .  52            push edx                                                ;  355603
004082E7   .  8B19          mov ebx,dword ptr ds:[ecx]
004082E9   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]              ;  将edx转换成浮点数,结果在浮点寄存器里
004082EF   .  D905 08104000 fld dword ptr ds:[0x401008]                             ;  10.0
004082F5   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC   .  75 08         jnz short AfKayAs_.00408306
004082FE   .  D835 0C104000 fdiv dword ptr ds:[0x40100C]                            ;  10.0 div 5.0 = 2.0
00408304   .  EB 0B         jmp short AfKayAs_.00408311
00408306   >  FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C   .  E8 578DFFFF   call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311   >  83EC 08       sub esp,0x8
00408314   .  DFE0          fstsw ax                                                ;  复制状态寄存器到ax寄存器: eax=3100
00408316   .  A8 0D         test al,0xD
00408318   .  0F85 A1040000 jnz AfKayAs_.004087BF
0040831E   .  DEC1          faddp st(1),st                                          ;  2.0 + 355603.0 == 355605.0
00408320   .  DFE0          fstsw ax                                                ;  3900
00408322   .  A8 0D         test al,0xD
00408324   .  0F85 95040000 jnz AfKayAs_.004087BF
0040832A   .  DD1C24        fstp qword ptr ss:[esp]                                 ;  出栈:355605.0
0040832D   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]              ;  转换为字符串
00408333   .  8BD0          mov edx,eax                                             ;  计算的值:355605
00408335   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408338   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]            ;  msvbvm50.__vbaStrMove
0040833E   .  899D 34FFFFFF mov dword ptr ss:[ebp-0xCC],ebx
00408344   .  8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]                         ;  user32.77D1882A
0040834A   .  50            push eax
0040834B   .  8B85 34FFFFFF mov eax,dword ptr ss:[ebp-0xCC]
00408351   .  53            push ebx
00408352   .  FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408358   .  85C0          test eax,eax
0040835A   .  7D 12         jge short AfKayAs_.0040836E
0040835C   .  68 A4000000   push 0xA4
00408361   .  68 AC6F4000   push AfKayAs_.00406FAC
00408366   .  53            push ebx
00408367   .  50            push eax
00408368   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
0040836E   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408371   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
00408374   .  51            push ecx
00408375   .  52            push edx
00408376   .  6A 02         push 0x2
00408378   .  FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]        ;  msvbvm50.__vbaFreeStrList
0040837E   .  83C4 0C       add esp,0xC
00408381   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
00408384   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00408387   .  50            push eax
00408388   .  51            push ecx
00408389   .  6A 02         push 0x2
0040838B   .  FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]        ;  msvbvm50.__vbaFreeObjList
00408391   .  8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0]
00408397   .  83C4 0C       add esp,0xC
0040839A   .  8B82 00030000 mov eax,dword ptr ds:[edx+0x300]
004083A0   .  56            push esi
004083A1   .  8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],eax
004083A7   .  FFD0          call eax
004083A9   .  50            push eax
004083AA   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
004083AD   .  50            push eax
004083AE   .  FFD7          call edi
004083B0   .  56            push esi
004083B1   .  8985 58FFFFFF mov dword ptr ss:[ebp-0xA8],eax
004083B7   .  FF95 38FFFFFF call dword ptr ss:[ebp-0xC8]
004083BD   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
004083C0   .  50            push eax
004083C1   .  51            push ecx
004083C2   .  FFD7          call edi
004083C4   .  8BD8          mov ebx,eax
004083C6   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
004083C9   .  50            push eax
004083CA   .  53            push ebx
004083CB   .  8B13          mov edx,dword ptr ds:[ebx]
004083CD   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]
004083D3   .  85C0          test eax,eax
004083D5   .  7D 12         jge short AfKayAs_.004083E9
004083D7   .  68 A0000000   push 0xA0
004083DC   .  68 AC6F4000   push AfKayAs_.00406FAC
004083E1   .  53            push ebx
004083E2   .  50            push eax
004083E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
004083E9   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]                         ;  user32.77D1882A
004083EF   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]                         ;  计算的值:355605
004083F2   .  52            push edx
004083F3   .  8B19          mov ebx,dword ptr ds:[ecx]
004083F5   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]              ;  msvbvm50.__vbaR8Str
004083FB   .  DC0D 10104000 fmul qword ptr ds:[0x401010]                            ;  乘积入栈:355605.0 * 3.0 == 1066815.0
00408401   .  83EC 08       sub esp,0x8
00408404   .  DC25 18104000 fsub qword ptr ds:[0x401018]                            ;  将差入栈:1066815.0 - 2.0 == 1066813.0
0040840A   .  DFE0          fstsw ax                                                ;  3900
0040840C   .  A8 0D         test al,0xD
0040840E   .  0F85 AB030000 jnz AfKayAs_.004087BF
00408414   .  DD1C24        fstp qword ptr ss:[esp]                                 ;  出栈:1066813.0
00408417   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]              ;  将浮点数转为字符串
0040841D   .  8BD0          mov edx,eax                                             ;  字符串:10066813
0040841F   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408422   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]            ;  msvbvm50.__vbaStrMove
00408428   .  899D 2CFFFFFF mov dword ptr ss:[ebp-0xD4],ebx
0040842E   .  8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]                         ;  user32.77D1882A
00408434   .  50            push eax
00408435   .  8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-0xD4]
0040843B   .  53            push ebx
0040843C   .  FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408442   .  85C0          test eax,eax
00408444   .  7D 12         jge short AfKayAs_.00408458
00408446   .  68 A4000000   push 0xA4
0040844B   .  68 AC6F4000   push AfKayAs_.00406FAC
00408450   .  53            push ebx
00408451   .  50            push eax
00408452   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
00408458   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040845B   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
0040845E   .  51            push ecx
0040845F   .  52            push edx
00408460   .  6A 02         push 0x2
00408462   .  FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]        ;  msvbvm50.__vbaFreeStrList
00408468   .  83C4 0C       add esp,0xC
0040846B   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
0040846E   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00408471   .  50            push eax
00408472   .  51            push ecx
00408473   .  6A 02         push 0x2
00408475   .  FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]        ;  msvbvm50.__vbaFreeObjList
0040847B   .  8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0]
00408481   .  83C4 0C       add esp,0xC
00408484   .  8B82 04030000 mov eax,dword ptr ds:[edx+0x304]
0040848A   .  56            push esi
0040848B   .  8985 28FFFFFF mov dword ptr ss:[ebp-0xD8],eax
00408491   .  FFD0          call eax
00408493   .  50            push eax
00408494   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
00408497   .  50            push eax
00408498   .  FFD7          call edi
0040849A   .  56            push esi
0040849B   .  8985 58FFFFFF mov dword ptr ss:[ebp-0xA8],eax
004084A1   .  FF95 30FFFFFF call dword ptr ss:[ebp-0xD0]                            ;  ntdll.7C92E453
004084A7   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
004084AA   .  50            push eax
004084AB   .  51            push ecx
004084AC   .  FFD7          call edi
004084AE   .  8BD8          mov ebx,eax
004084B0   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
004084B3   .  50            push eax
004084B4   .  53            push ebx
004084B5   .  8B13          mov edx,dword ptr ds:[ebx]
004084B7   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]
004084BD   .  85C0          test eax,eax
004084BF   .  7D 12         jge short AfKayAs_.004084D3
004084C1   .  68 A0000000   push 0xA0
004084C6   .  68 AC6F4000   push AfKayAs_.00406FAC
004084CB   .  53            push ebx
004084CC   .  50            push eax
004084CD   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
004084D3   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]                         ;  user32.77D1882A
004084D9   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]                         ;  edx = "1066813"
004084DC   .  52            push edx
004084DD   .  8B19          mov ebx,dword ptr ds:[ecx]
004084DF   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]              ;  msvbvm50.__vbaR8Str
004084E5   .  DC25 20104000 fsub qword ptr ds:[0x401020]                            ;  1066813.0 - -15.0 == 1066828.0
004084EB   .  83EC 08       sub esp,0x8
004084EE   .  DFE0          fstsw ax                                                ;  3900
004084F0   .  A8 0D         test al,0xD
004084F2   .  0F85 C7020000 jnz AfKayAs_.004087BF
004084F8   .  DD1C24        fstp qword ptr ss:[esp]                                 ;  出栈:1066828.0
004084FB   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]              ;  msvbvm50.__vbaStrR8
00408501   .  8BD0          mov edx,eax                                             ;  edx = "1066828"
00408503   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408506   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]            ;  msvbvm50.__vbaStrMove
0040850C   .  899D 24FFFFFF mov dword ptr ss:[ebp-0xDC],ebx
00408512   .  8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]                         ;  user32.77D1882A
00408518   .  50            push eax
00408519   .  8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC]
0040851F   .  53            push ebx
00408520   .  FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408526   .  85C0          test eax,eax
00408528   .  7D 12         jge short AfKayAs_.0040853C
0040852A   .  68 A4000000   push 0xA4
0040852F   .  68 AC6F4000   push AfKayAs_.00406FAC
00408534   .  53            push ebx
00408535   .  50            push eax
00408536   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
0040853C   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040853F   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
00408542   .  51            push ecx
00408543   .  52            push edx
00408544   .  6A 02         push 0x2
00408546   .  FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]        ;  msvbvm50.__vbaFreeStrList
0040854C   .  83C4 0C       add esp,0xC
0040854F   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
00408552   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00408555   .  50            push eax
00408556   .  51            push ecx
00408557   .  6A 02         push 0x2
00408559   .  FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]        ;  msvbvm50.__vbaFreeObjList
0040855F   .  83C4 0C       add esp,0xC
00408562   .  56            push esi
00408563   .  FF95 28FFFFFF call dword ptr ss:[ebp-0xD8]
00408569   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
0040856C   .  50            push eax
0040856D   .  52            push edx
0040856E   .  FFD7          call edi
00408570   .  8BD8          mov ebx,eax
00408572   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408575   .  51            push ecx
00408576   .  53            push ebx
00408577   .  8B03          mov eax,dword ptr ds:[ebx]
00408579   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]
0040857F   .  85C0          test eax,eax
00408581   .  7D 12         jge short AfKayAs_.00408595
00408583   .  68 A0000000   push 0xA0
00408588   .  68 AC6F4000   push AfKayAs_.00406FAC
0040858D   .  53            push ebx
0040858E   .  50            push eax
0040858F   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
00408595   >  8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0]
0040859B   .  56            push esi
0040859C   .  FF92 14030000 call dword ptr ds:[edx+0x314]
004085A2   .  50            push eax
004085A3   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004085A6   .  50            push eax
004085A7   .  FFD7          call edi
004085A9   .  8BF0          mov esi,eax
004085AB   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
004085AE   .  52            push edx
004085AF   .  56            push esi
004085B0   .  8B0E          mov ecx,dword ptr ds:[esi]
004085B2   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004085B8   .  85C0          test eax,eax
004085BA   .  7D 12         jge short AfKayAs_.004085CE
004085BC   .  68 A0000000   push 0xA0
004085C1   .  68 AC6F4000   push AfKayAs_.00406FAC
004085C6   .  56            push esi
004085C7   .  50            push eax
004085C8   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]    ;  msvbvm50.__vbaHresultCheckObj
004085CE   >  8B45 E8       mov eax,dword ptr ss:[ebp-0x18]
004085D1   .  50            push eax                                                ;  输入的序列号:44445555
004085D2   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]              ;  msvbvm50.__vbaR8Str
004085D8   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]                         ;  最终计算的序列号:1066828
004085DB   .  DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]
004085E1   .  51            push ecx
004085E2   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]              ;  msvbvm50.__vbaR8Str
004085E8   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004085EF   .  75 08         jnz short AfKayAs_.004085F9
004085F1   .  DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4]
004085F7   .  EB 11         jmp short AfKayAs_.0040860A
004085F9   >  FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF   .  FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605   .  E8 888AFFFF   call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A   >  DFE0          fstsw ax
0040860C   .  A8 0D         test al,0xD
0040860E   .  0F85 AB010000 jnz AfKayAs_.004087BF
00408614   .  FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>]               ;  msvbvm50.__vbaFpR8
0040861A   .  DC1D 28104000 fcomp qword ptr ds:[0x401028]
00408620   .  DFE0          fstsw ax
00408622   .  F6C4 40       test ah,0x40
00408625   .  74 07         je short AfKayAs_.0040862E
00408627   .  BE 01000000   mov esi,0x1
0040862C   .  EB 02         jmp short AfKayAs_.00408630
0040862E   >  33F6          xor esi,esi
00408630   >  8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
00408633   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00408636   .  52            push edx
00408637   .  50            push eax
00408638   .  6A 02         push 0x2
0040863A   .  FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]        ;  msvbvm50.__vbaFreeStrList
00408640   .  83C4 0C       add esp,0xC
00408643   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00408646   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
00408649   .  51            push ecx
0040864A   .  52            push edx
0040864B   .  6A 02         push 0x2
0040864D   .  FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]        ;  msvbvm50.__vbaFreeObjList
00408653   .  F7DE          neg esi
00408655   .  83C4 0C       add esp,0xC
00408658   .  B9 04000280   mov ecx,0x80020004
0040865D   .  B8 0A000000   mov eax,0xA
00408662   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00408665   .  66:85F6       test si,si
00408668   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040866B   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
0040866E   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00408671   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00408674   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
00408677      74 62         je short AfKayAs_.004086DB                              ;  关键的跳转
00408679   .  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaStrCat>]          ;  msvbvm50.__vbaStrCat
0040867F   .  68 C06F4000   push AfKayAs_.00406FC0                                  ;  UNICODE "You Get It"
00408684   .  68 DC6F4000   push AfKayAs_.00406FDC                                  ; /String = ""
00408689   .  FFD6          call esi                                                ; \__vbaStrCat
0040868B   .  8BD0          mov edx,eax
0040868D   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00408690   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]            ;  msvbvm50.__vbaStrMove
00408696   .  50            push eax
00408697   .  68 E86F4000   push AfKayAs_.00406FE8                                  ;  UNICODE "KeyGen It Now"
0040869C   .  FFD6          call esi
0040869E   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
004086A1   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004086A4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004086A7   .  50            push eax
004086A8   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
004086AB   .  51            push ecx
004086AC   .  52            push edx
004086AD   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004086B0   .  6A 00         push 0x0
004086B2   .  50            push eax
004086B3   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004086BA   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox_595>]          ;  msvbvm50.rtcMsgBox
004086C0   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086C3   .  FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]            ;  msvbvm50.__vbaFreeStr
004086C9   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004086CC   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004086CF   .  51            push ecx
004086D0   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004086D3   .  52            push edx
004086D4   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004086D7   .  50            push eax
004086D8   .  51            push ecx
004086D9   .  EB 60         jmp short AfKayAs_.0040873B
004086DB   >  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaStrCat>]          ;  msvbvm50.__vbaStrCat
004086E1   .  68 08704000   push AfKayAs_.00407008                                  ;  UNICODE "You Get Wrong"
004086E6   .  68 DC6F4000   push AfKayAs_.00406FDC                                  ; /String = ""
004086EB   .  FFD6          call esi                                                ; \__vbaStrCat
004086ED   .  8BD0          mov edx,eax
004086EF   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086F2   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]            ;  msvbvm50.__vbaStrMove
004086F8   .  50            push eax
004086F9   .  68 28704000   push AfKayAs_.00407028                                  ;  UNICODE "Try Again"
004086FE   .  FFD6          call esi
00408700   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
00408703   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00408706   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00408709   .  52            push edx
0040870A   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
0040870D   .  50            push eax
0040870E   .  51            push ecx
0040870F   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00408712   .  6A 00         push 0x0
00408714   .  52            push edx
00408715   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040871C   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox_595>]          ;  错误提示框

浮点数操作参考:Intel x86 浮点寄存器

先从错误提示框函数向上分析到跳转处的关键点,再从整个函数开始处分析,得出:先计算出Name的长度nLen,然后计算edi = nLen*0x15B38 + cName,其中cName是Name第一个字符的ANSI码。然后计算浮点数10.0/5.0 = 2.0,把edi转换为浮点数并加上2.0,结果再乘以3.0,然后减去2.0,再减去-15.0(即加上15.0),得到的值转换为文本,即为正确的序列号。

#include <cstdio>
#include <cstring>
#include <iostream>

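// Keygen for CrackMe 003 (AfKayAs), transcribed from the routine at 004080F0
// in the listing above:
//   v      = Len(Name) * 0x15B38 + Asc(Name[0])        ; __vbaLenBstr, imul (jo-checked), rtcAnsiValueBstr
//   serial = ((v + 10.0 / 5.0) * 3.0 - 2.0) - (-15.0)   ; x87: fdiv, faddp, fmul, fsub, fsub
// The program then parses both strings with __vbaR8Str and compares the doubles.
//
// Usage: keygen [name]   (defaults to "3333", the name used in the walkthrough)
int main(int argc, char** argv) {
	const char* name = (argc > 1) ? argv[1] : "3333";

	// The VB code calls Asc(Name), which errors on an empty string; refuse it
	// here instead of reading name[0] off the terminator.
	if (name[0] == '\0') {
		fprintf(stderr, "Name must not be empty\r\n");
		return 1;
	}

	// imul edi,edi,0x15B38 and add edi,edx are each followed by jo into the VB
	// error handler, so the serial is only defined while the product fits in a
	// signed 32-bit register (0x15B38 = 88888 decimal).
	const size_t len = strlen(name);
	if (len > static_cast<size_t>((0x7FFFFFFF - 0xFF) / 0x15B38)) {
		fprintf(stderr, "Name too long: Len(Name) * 0x15B38 would overflow\r\n");
		return 1;
	}
	long value = static_cast<long>(len) * 0x15B38;

	// rtcAnsiValueBstr + movsx edx,ax: Asc() of the first character. For a
	// single-byte character Asc() is 0..255, so read the byte as unsigned rather
	// than through (possibly signed) char, which goes negative for bytes >= 0x80.
	value += static_cast<unsigned char>(name[0]);

	// __vbaStrI4 then __vbaR8Str turn `value` into a double; the rest is the x87
	// sequence with the constants the listing annotates (10.0, 5.0, 3.0, 2.0,
	// -15.0). Every intermediate is an integer-valued double, so this is exact.
	double serial = static_cast<double>(value) + 10.0 / 5.0;
	serial *= 3.0;
	serial -= 2.0;
	serial -= -15.0;

	// The listing's annotations show __vbaStrR8 producing plain integer text;
	// %.0f does the same and, unlike a cast to int, cannot overflow for the
	// range admitted above.
	printf("Serial: %.0f\r\n", serial);

	return 0;
}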