Preface
This is also a simple one, but disassembling VB seems to take time; unlike the last one, which was done in a few minutes.
On with the filler post.
Thinking
The registration code is compared against a fixed string. The program just adds a bit of computation on the name first, so the comparison is not so direct.
Analysis
004030F0 > \55 push ebp
004030F1 . 8BEC mov ebp, esp
004030F3 . 83EC 0C sub esp, 0C
004030F6 . 68 56104000 push <jmp.&MSVBVM50.__vbaExceptHandle> ; SE handler installation
0040318C . FF92 A0000000 call dword ptr [edx+A0] ; take string address
004031BE . FF15 F8604000 call dword ptr [<&MSVBVM50.__vbaVarMo> ; move from edx to ecx
004031C4 . 8D4D B8 lea ecx, dword ptr [ebp-48]
004031C7 . FF15 B0614000 call dword ptr [<&MSVBVM50.__vbaFreeO> ; MSVBVM50.__vbaFreeObj
004031CD . 8D4D D8 lea ecx, dword ptr [ebp-28]
004031D0 . 8D55 A8 lea edx, dword ptr [ebp-58]
004031D3 . 51 push ecx ; /var18
004031D4 . 52 push edx ; |retBuffer8
004031D5 . BE 01000000 mov esi, 1 ; |initialize esi to 1
004031DA . FF15 18614000 call dword ptr [<&MSVBVM50.__vbaLenVa> ; \__vbaLenVar
004031E0 . 50 push eax
004031E1 . FF15 74614000 call dword ptr [<&MSVBVM50.__vbaI2Var> ; MSVBVM50.__vbaI2Var
004031E7 . 8985 F8FEFFFF mov dword ptr [ebp-108], eax ; save the name length at ebp-108
004031ED . 8BFE mov edi, esi ; edi = esi
004031EF > 66:3BBD F8FEF>cmp di, word ptr [ebp-108]
004031F6 . 8B1D 6C614000 mov ebx, dword ptr [<&MSVBVM50.__vba> ; MSVBVM50.__vbaStrVarVal
004031FC . 0F8F 2D010000 jg 0040332F ; loop exit
00403202 . 66:83FE 04 cmp si, 4 ; compare with 4
00403206 . 7E 05 jle short 0040320D ; if greater than 4, reinitialize esi to 1
00403208 . BE 01000000 mov esi, 1 ; esi = 1
0040320D > 0FBFCF movsx ecx, di ; counter
00403210 . 8D45 A8 lea eax, dword ptr [ebp-58]
00403213 . 8D55 D8 lea edx, dword ptr [ebp-28]
00403216 . 50 push eax ; /Length8
00403217 . 51 push ecx ; |START: ecx
00403218 . 8D45 98 lea eax, dword ptr [ebp-68] ; |
0040321B . 52 push edx ; |original string
0040321C . 50 push eax ; |RetBUFFER
0040321D . C745 B0 01000>mov dword ptr [ebp-50], 1 ; |LENGTH: 1
00403224 . C745 A8 02000>mov dword ptr [ebp-58], 2 ; |
0040322B . FF15 38614000 call dword ptr [<&MSVBVM50.#632 >] ; \ save the nth character of the name to ebp-60
00403231 . B8 02000000 mov eax, 2 ; eax = 2
00403236 . 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
0040323C . 0FBFD6 movsx edx, si ; edx = si
0040323F . 8985 78FFFFFF mov dword ptr [ebp-88], eax
00403245 . 8945 88 mov dword ptr [ebp-78], eax
00403248 . 51 push ecx ; /Length8
00403249 . 8D45 88 lea eax, dword ptr [ebp-78] ; |
0040324C . 52 push edx ; |START: edx
0040324D . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98] ; |
00403253 . 50 push eax ; |dString8
00403254 . 51 push ecx ; |RetBUFFER
00403255 . C745 80 01000>mov dword ptr [ebp-80], 1 ; |LENGTH: 1
0040325C . C745 90 D0070>mov dword ptr [ebp-70], 7D0 ; |
00403263 . FF15 38614000 call dword ptr [<&MSVBVM50.#632 >] ; \ take the nth character of the fixed string "2000" and save it to ebp-90
00403269 . 8D55 98 lea edx, dword ptr [ebp-68]
0040326C . 8D45 C0 lea eax, dword ptr [ebp-40]
0040326F . 52 push edx
00403270 . 50 push eax
00403271 . FFD3 call ebx ; returns the real string address
00403273 . 50 push eax ; /String
00403274 . FF15 0C614000 call dword ptr [<&MSVBVM50.#516 >] ; \ return the character's ASCII code
0040327A . 0FBFD0 movsx edx, ax ; edx = ax
0040327D . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
00403283 . 8D45 BC lea eax, dword ptr [ebp-44]
00403286 . 51 push ecx
00403287 . 50 push eax
00403288 . 8995 E8FEFFFF mov dword ptr [ebp-118], edx ; [ebp-118] = edx
0040328E . FFD3 call ebx ; returns the real string address
00403290 . 50 push eax ; /String
00403291 . FF15 0C614000 call dword ptr [<&MSVBVM50.#516 >] ; \ return the character's ASCII code
00403297 . 8B95 E8FEFFFF mov edx, dword ptr [ebp-118] ; edx = [ebp-118]
0040329D . 0FBFC8 movsx ecx, ax ; ecx = ax
004032A0 . 33D1 xor edx, ecx ; edx = edx ^ ecx
004032A2 . 8D85 58FFFFFF lea eax, dword ptr [ebp-A8]
004032A8 . 52 push edx
004032A9 . 50 push eax
004032AA . FF15 64614000 call dword ptr [<&MSVBVM50.#608>] ; MSVBVM50.rtcVarBstrFromAnsi
004032B0 . 8D4D C8 lea ecx, dword ptr [ebp-38]
004032B3 . 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
004032B9 . 51 push ecx
004032BA . 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
004032C0 . 52 push edx
004032C1 . 50 push eax
004032C2 . FF15 70614000 call dword ptr [<&MSVBVM50.__vbaVarCa> ; address saved to ebp-B0
004032C8 . 8BD0 mov edx, eax
004032CA . 8D4D C8 lea ecx, dword ptr [ebp-38]
004032CD . FF15 F8604000 call dword ptr [<&MSVBVM50.__vbaVarMo> ; move address from ebp-B0 to ebp-30
00403312 . 66:46 inc si ; si = si + 1
00403314 . B8 01000000 mov eax, 1 ; eax = 1
00403319 . 66:03C7 add ax, di ; ax = ax + di
0040331C . 0F80 44020000 jo 00403566
00403322 . 0F80 3E020000 jo 00403566
00403328 . 8BF8 mov edi, eax ; edi = eax
0040332A .^ E9 C0FEFFFF jmp 004031EF
00403338 . 50 push eax ; /var18
00403339 . 51 push ecx ; |var28
0040333A . C785 40FFFFFF>mov dword ptr [ebp-C0], 004027C8 ; |UNICODE "qBQSYdXUe_B\V"
00403344 . C785 38FFFFFF>mov dword ptr [ebp-C8], 8008 ; |
0040334E . FF15 44614000 call dword ptr [<&MSVBVM50.__vbaVarTs> ; \__vbaVarTstEq
00403370 . /0F84 E8000000 je 0040345E ; key jump
Where does the address of the fixed string "2000" come from? Just search for it.
Pictured here.
There are too many jumps here. As for how the program computes it, I was too lazy to trace it all; if you are interested, you can study it yourself.
Register algorithm
#include <stdio.h>
#include <string.h>   /* strlen */

int main(void)
{
    char name[256];               /* real buffer; the original used an uninitialized char* */
    const char *const_s = "2000"; /* fixed string found in the disassembly */
    int len = 0;

    printf("name:");
    if (scanf("%255[^\n]", name) != 1) /* Input: CrackTheWorld */
        return 0;
    if ((len = strlen(name)) <= 5)      /* names of 5 chars or fewer are rejected */
        return 0;
    for (int i = 0; i < len; i++)       /* serial[i] = name[i] XOR "2000"[i mod 4] */
        printf("%c", name[i] ^ const_s[i % 4]);
    return 0;
}
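As an added example (not the post's own code), the same routine written as functions that mirror the VB loop step by step, plus a key-recovery function showing why a repeating-key XOR serial check is weak: one valid name/serial pair gives the key back. TARGET is the fixed string from the disassembly; the 5-character minimum is the author's rule.

```c
#include <string.h>

#define KEY_LEN 4
#define CONST_S "2000"            /* fixed string from the disassembly (7D0h = 2000) */
#define TARGET  "qBQSYdXUe_B\\V"  /* UNICODE string compared by __vbaVarTstEq */

/* Rebuild the VB loop: di walks the name 1..len, si cycles 1..4 through "2000";
 * Asc() of each pair is XORed and Chr() of the result is appended.
 * Returns the serial length, or -1 for a name of 5 chars or fewer (the author's rule). */
int make_serial(const char *name, char *out, size_t out_size)
{
    size_t len = strlen(name);
    if (len <= 5 || len + 1 > out_size)
        return -1;
    int si = 1;                                 /* mov esi, 1 */
    for (size_t di = 1; di <= len; di++) {
        if (si > 4) si = 1;                     /* cmp si, 4 / jle / mov esi, 1 */
        out[di - 1] = (char)(name[di - 1] ^ CONST_S[si - 1]);
        si++;                                   /* inc si */
    }
    out[len] = '\0';
    return (int)len;
}

/* The comparison after the loop: accumulated string == serial (the "key jump"). */
int check_serial(const char *name, const char *serial)
{
    char buf[256];
    if (make_serial(name, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, serial) == 0;
}

/* Why the scheme is weak: one valid (name, serial) pair leaks the key, since
 * name[i] ^ serial[i] == key[i % 4]. Returns 1 and fills key when consistent. */
int recover_key(const char *name, const char *serial, char key[KEY_LEN + 1])
{
    size_t len = strlen(name);
    if (len < KEY_LEN || strlen(serial) != len)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char k = (char)(name[i] ^ serial[i]);
        if (i < KEY_LEN) key[i] = k;
        else if (key[i % KEY_LEN] != k) return 0; /* not a 4-byte repeating XOR */
    }
    key[KEY_LEN] = '\0';
    return 1;
}
```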