solved new crackme

This commit is contained in:
Chenx221 2024-10-07 15:26:54 +08:00
parent bd48c84933
commit 49d92c4071
Signed by: chenx221
GPG Key ID: D7A9EC07024C3021
5 changed files with 676 additions and 0 deletions

BIN
bjcm40a/BJCM40A.EXE Normal file

Binary file not shown.

BIN
bjcm40a/BJCM40A_Patched.EXE Normal file

Binary file not shown.

Binary file not shown.

50
bjcm40a/README.TXT Normal file
View File

@ -0,0 +1,50 @@
aUTHOr -- Bjanes
pROGRAm -- VB6 Crackme
vERSIOn -- 4.0a
dATe -- 29/09/1999
pLACe -- Somewhere on my comp :)
pROTECTIOn - Serial only, Anti-SmartCheck
rULEs -- There is only one rule -> You must find correct serial
Greetings to all crackers out there,
Hope you all sucessfuly crack previous version of crackme...:)
So here is my new crackme, and the new challenge for you!
Again it's a bit harder to crack then previous verison.
Serial is not hardcoded and you can't find it just looking
with hex editor. You also can't fish it with Sice.
Another think why this crackme is harder then previous one
is because it use few subroutines witch program calls to
generate the serial!...So there are alot of calls :)
This crackme also detects if SmartCheck is loaded and fill
it with tons of messages!
I don't know is this crackme even crackable, if not mail me
and I'll make the new one, witch will be easier then this!
I wrote it for NEWBIES to advance their R. C. E. skills on
cracking Visual Basic programs.
Every version will have one crackme marked "a", and
another one marked with "b".
Crackmes marked with "a" has serial-only protection
and crackmes marked with "b" has name/serial protection!
Also every next version will be more difficult to crack.
[Maybe there will be crackmes marked with "c"(misc. protection)]
Sorry, but I can't give you any hints, because I'm not experienced
with cracking VB programs, actually I hate them :)
If you somehow lose the exe file, have only this text file and don't
know where to download the executable, go to the Eternal Bliss' homepage
and you'll probably find it. The link is http://crackmes.cjb.net/
If you're so stupid that you can't crack this program don't mail me! :)
Mail me only if you sucessfuly crack it, and tell me how.
My Email is -- BornaJanes@hotmail.com
Hope you'll learn something new from it,
Good luck and Enjoy!
Borna
My gratitude goes to: Eternal Bliss, The Sandman, Jeff, Iczelion, _ytc.

626
bjcm40a/solve.md Normal file
View File

@ -0,0 +1,626 @@
去调试器检测(和上一版本系统):
```
>bjcm40a.exe
0000435A:FF->E9
0000435B:15->B0
0000435C:9C->01
0000435D:10->00
0000435E:40->00
```
计算serial
这里整理了一些检查serial的代码
```c#
string serial = "serial";
int length = serial.Length;
if(serial!="")
{
if(serial[0]/5==length)
{
int v = serial[0]+serial[^1];
v= ((v<<1) ^ 3)*0x2468AC;
v= Convert.ToInt32(v.ToString("X")[^3..], 16);
int v2 = serial[1]+serial[2]+serial[3];
v2 = v2>>1;
v2 = (v2^6)*0x20;
if(v1==v2)
{
//SUCCESS
}
}
}
```
尝试一下暴力寻找匹配的serial
```c#
namespace GuestSerial
{
internal class Program
{
static void Main(string[] args)
{
for (int p1 = 35; p1 <= 126; p1 += 5)
{
for (int p2 = 32; p2 <= 126; p2++)
{
for (int p3 = 32; p3 <= 126; p3++)
{
for (int p4 = 32; p4 <= 126; p4++)
{
for (int p5 = 32; p5 <= 126; p5++)
{
int v1 = (((p1 + p2) * 2) ^ 3) * 0x2468AC % 4096;
int v2 = (((p3 + p4 + p5) / 2) ^ 6) * 0x20;
if (v1 == v2)
{
Console.WriteLine("Serial: " + p1 + (char)p3 + (char)p4 + (char)p5 + "..." + (char)p2);
return;
}
}
}
}
}
}
}
}
}
```
去TM的不存在serial
```
D:\sources\keygen\GuestSerial\bin\Release\net8.0\GuestSerial.exe (进程 21136)已退出,代码为 0 (0x0)。
按任意键关闭此窗口. . .
```
> I don't know is this crackme even crackable, if not mail me
> and I'll make the new one, witch will be easier then this!
只能patch了作为报复这次直接在检测失败上开刀
```
>bjcm40a.exe
00004DB0:8B->E9
00004DB1:1D->4E
00004DB2:D4->FF
00004DB3:10->FF
00004DB4:40->FF
```
细节:(已删去一处没用的判断 serial[0]>0x64 && serial[0]<0x1E )
```assembly
004046DD | 8985 60FEFFFF | mov dword ptr ss:[ebp-1A0],eax | serial.Length a
004046E3 | 898D 54FEFFFF | mov dword ptr ss:[ebp-1AC],ecx | serial[0] b
004046E9 | DB85 60FEFFFF | fild dword ptr ss:[ebp-1A0] |
004046EF | DD9D 58FEFFFF | fstp qword ptr ss:[ebp-1A8] | a
004046F5 | DB85 54FEFFFF | fild dword ptr ss:[ebp-1AC] |
004046FB | DD9D 4CFEFFFF | fstp qword ptr ss:[ebp-1B4] | b
00404701 | DD85 4CFEFFFF | fld qword ptr ss:[ebp-1B4] | hex2dec(b)
00404707 | 833D 00604000 00 | cmp dword ptr ds:[406000],0 | 0
0040470E | 75 08 | jne bjcm40a.404718 |
00404710 | DC35 40114000 | fdiv qword ptr ds:[401140] | 5
00404716 | EB 11 | jmp bjcm40a.404729 |
00404718 | FF35 44114000 | push dword ptr ds:[401144] |
0040471E | FF35 40114000 | push dword ptr ds:[401140] |
00404724 | E8 6BCAFFFF | call <JMP.&_adj_fdiv_m64> |
00404729 | DFE0 | fnstsw ax |
0040472B | A8 0D | test al,D |
0040472D | 0F85 0E080000 | jne <bjcm40a.FPException> |
00404733 | FF15 50104000 | call dword ptr ds:[<__vbaFPFix>] |
00404739 | FF15 54104000 | call dword ptr ds:[<__vbaFpR8>] |
0040473F | DC9D 58FEFFFF | fcomp qword ptr ss:[ebp-1A8] |
00404745 | DFE0 | fnstsw ax |
00404747 | F6C4 40 | test ah,40 |
0040474A | 75 07 | jne bjcm40a.404753 |
0040474C | B8 01000000 | mov eax,1 |
00404751 | EB 02 | jmp bjcm40a.404755 |
00404753 | 33C0 | xor eax,eax |
00404755 | F7D8 | neg eax |
00404757 | 66:8BD8 | mov bx,ax |
0040475A | 8D55 A4 | lea edx,dword ptr ss:[ebp-5C] |
0040475D | 8D45 A8 | lea eax,dword ptr ss:[ebp-58] |
00404760 | 52 | push edx |
00404761 | 50 | push eax |
00404762 | 6A 02 | push 2 |
00404764 | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
0040476A | 8D4D 88 | lea ecx,dword ptr ss:[ebp-78] |
0040476D | 8D55 8C | lea edx,dword ptr ss:[ebp-74] | [ebp-74]:_PeekMessageA@20
00404770 | 51 | push ecx |
00404771 | 52 | push edx |
00404772 | 6A 02 | push 2 |
00404774 | FF15 24104000 | call dword ptr ds:[<__vbaFreeObjList>] |
0040477A | 83C4 18 | add esp,18 |
0040477D | 66:3BDF | cmp bx,di | check serial[0] ascii / 5 == serial.Length
00404780 | 0F85 2A060000 | jne <bjcm40a.FAIL> |
00404786 | 8B06 | mov eax,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
00404788 | 56 | push esi |
00404789 | FF90 08030000 | call dword ptr ds:[eax+308] |
0040478F | 8B1D 40104000 | mov ebx,dword ptr ds:[<__vbaObjSet>] |
00404795 | 8D4D 8C | lea ecx,dword ptr ss:[ebp-74] | [ebp-74]:_PeekMessageA@20
00404798 | 50 | push eax |
00404799 | 51 | push ecx |
0040479A | FFD3 | call ebx |
0040479C | 8B16 | mov edx,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
0040479E | 56 | push esi |
0040479F | FF92 08030000 | call dword ptr ds:[edx+308] |
004047A5 | 50 | push eax |
004047A6 | 8D45 88 | lea eax,dword ptr ss:[ebp-78] |
004047A9 | 50 | push eax |
004047AA | FFD3 | call ebx |
004047AC | 8B45 8C | mov eax,dword ptr ss:[ebp-74] | [ebp-74]:_PeekMessageA@20
004047AF | 8D8D 74FFFFFF | lea ecx,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
004047B5 | 6A 01 | push 1 |
004047B7 | 8D95 64FFFFFF | lea edx,dword ptr ss:[ebp-9C] |
004047BD | BB 09000000 | mov ebx,9 | 09:'\t'
004047C2 | 51 | push ecx |
004047C3 | 52 | push edx |
004047C4 | 897D 8C | mov dword ptr ss:[ebp-74],edi | [ebp-74]:_PeekMessageA@20, edi:_PeekMessageA@20
004047C7 | 8985 7CFFFFFF | mov dword ptr ss:[ebp-84],eax |
004047CD | 899D 74FFFFFF | mov dword ptr ss:[ebp-8C],ebx | [ebp-8C]:_PeekMessageA@20+1F1
004047D3 | FF15 DC104000 | call dword ptr ds:[<Ordinal#617>] | left(serial,1)
004047D9 | 8B45 88 | mov eax,dword ptr ss:[ebp-78] |
004047DC | 6A 01 | push 1 |
004047DE | 8985 5CFFFFFF | mov dword ptr ss:[ebp-A4],eax |
004047E4 | 8D85 54FFFFFF | lea eax,dword ptr ss:[ebp-AC] |
004047EA | 8D8D 44FFFFFF | lea ecx,dword ptr ss:[ebp-BC] |
004047F0 | 50 | push eax |
004047F1 | 51 | push ecx |
004047F2 | 897D 88 | mov dword ptr ss:[ebp-78],edi | edi:_PeekMessageA@20
004047F5 | 899D 54FFFFFF | mov dword ptr ss:[ebp-AC],ebx |
004047FB | FF15 EC104000 | call dword ptr ds:[<Ordinal#619>] | right(serial,1)
00404801 | 8B1D 98104000 | mov ebx,dword ptr ds:[<__vbaStrVarVal>] |
00404807 | 8D95 44FFFFFF | lea edx,dword ptr ss:[ebp-BC] |
0040480D | 8D45 A4 | lea eax,dword ptr ss:[ebp-5C] |
00404810 | 52 | push edx |
00404811 | 50 | push eax |
00404812 | FFD3 | call ebx |
00404814 | 50 | push eax |
00404815 | FF15 28104000 | call dword ptr ds:[<Ordinal#516>] | int(right...)
0040481B | 66:8BD0 | mov dx,ax |
0040481E | 8D8D 64FFFFFF | lea ecx,dword ptr ss:[ebp-9C] |
00404824 | 8D45 A8 | lea eax,dword ptr ss:[ebp-58] |
00404827 | 51 | push ecx |
00404828 | 50 | push eax |
00404829 | 66:8995 4AFEFFFF | mov word ptr ss:[ebp-1B6],dx |
00404830 | FFD3 | call ebx |
00404832 | 50 | push eax |
00404833 | FF15 28104000 | call dword ptr ds:[<Ordinal#516>] | int(left...)
00404839 | 66:8B8D 4AFEFFFF | mov cx,word ptr ss:[ebp-1B6] |
00404840 | 8D95 34FFFFFF | lea edx,dword ptr ss:[ebp-CC] |
00404846 | 66:03C8 | add cx,ax | sum(int,int)
00404849 | 52 | push edx |
0040484A | 0F80 F6060000 | jo <bjcm40a.ErrOverflow> |
00404850 | 66:898D 3CFFFFFF | mov word ptr ss:[ebp-C4],cx |
00404857 | C785 34FFFFFF 020000 | mov dword ptr ss:[ebp-CC],2 |
00404861 | FF15 B0104000 | call dword ptr ds:[<Ordinal#572>] | hex(sum...)
00404867 | 8B1D E4104000 | mov ebx,dword ptr ds:[<__vbaStrMove>] |
0040486D | 8BD0 | mov edx,eax |
0040486F | 8D4D 90 | lea ecx,dword ptr ss:[ebp-70] | move
00404872 | FFD3 | call ebx |
00404874 | BA 78294000 | mov edx,bjcm40a.402978 | 402978:L"SHL"
00404879 | 8D4D 98 | lea ecx,dword ptr ss:[ebp-68] |
0040487C | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
00404882 | BA 682B4000 | mov edx,bjcm40a.402B68 |
00404887 | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] |
0040488A | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
00404890 | 8B55 90 | mov edx,dword ptr ss:[ebp-70] |
00404893 | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] |
00404896 | 897D 90 | mov dword ptr ss:[ebp-70],edi | edi:_PeekMessageA@20
00404899 | FFD3 | call ebx |
0040489B | 8B06 | mov eax,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
0040489D | 8D4D 94 | lea ecx,dword ptr ss:[ebp-6C] |
004048A0 | 8D55 98 | lea edx,dword ptr ss:[ebp-68] |
004048A3 | 51 | push ecx |
004048A4 | 52 | push edx |
004048A5 | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] |
004048A8 | 8D55 A0 | lea edx,dword ptr ss:[ebp-60] |
004048AB | 51 | push ecx |
004048AC | 52 | push edx |
004048AD | 56 | push esi |
004048AE | FF90 F8060000 | call dword ptr ds:[eax+6F8] | fun(hex(...),3,"SHL") CHECK HERE
004048B4 | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
004048B6 | 7D 12 | jge bjcm40a.4048CA |
004048B8 | 68 F8060000 | push 6F8 |
004048BD | 68 DC274000 | push bjcm40a.4027DC |
004048C2 | 56 | push esi |
004048C3 | 50 | push eax |
004048C4 | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
004048CA | 8B55 94 | mov edx,dword ptr ss:[ebp-6C] |
004048CD | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
004048D0 | 897D 94 | mov dword ptr ss:[ebp-6C],edi | edi:_PeekMessageA@20
004048D3 | FFD3 | call ebx |
004048D5 | 8D45 90 | lea eax,dword ptr ss:[ebp-70] |
004048D8 | 8D4D 98 | lea ecx,dword ptr ss:[ebp-68] |
004048DB | 50 | push eax |
004048DC | 8D55 9C | lea edx,dword ptr ss:[ebp-64] |
004048DF | 51 | push ecx |
004048E0 | 8D45 A0 | lea eax,dword ptr ss:[ebp-60] |
004048E3 | 52 | push edx |
004048E4 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
004048E7 | 50 | push eax |
004048E8 | 8D55 A8 | lea edx,dword ptr ss:[ebp-58] |
004048EB | 51 | push ecx |
004048EC | 52 | push edx |
004048ED | 6A 06 | push 6 |
004048EF | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
004048F5 | 8D45 88 | lea eax,dword ptr ss:[ebp-78] |
004048F8 | 8D4D 8C | lea ecx,dword ptr ss:[ebp-74] | [ebp-74]:_PeekMessageA@20
004048FB | 50 | push eax |
004048FC | 51 | push ecx |
004048FD | 6A 02 | push 2 |
004048FF | FF15 24104000 | call dword ptr ds:[<__vbaFreeObjList>] |
00404905 | 8D95 34FFFFFF | lea edx,dword ptr ss:[ebp-CC] |
0040490B | 8D85 44FFFFFF | lea eax,dword ptr ss:[ebp-BC] |
00404911 | 52 | push edx |
00404912 | 8D8D 54FFFFFF | lea ecx,dword ptr ss:[ebp-AC] |
00404918 | 50 | push eax |
00404919 | 8D95 64FFFFFF | lea edx,dword ptr ss:[ebp-9C] |
0040491F | 51 | push ecx |
00404920 | 8D85 74FFFFFF | lea eax,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
00404926 | 52 | push edx |
00404927 | 50 | push eax |
00404928 | 6A 05 | push 5 |
0040492A | FF15 18104000 | call dword ptr ds:[<__vbaFreeVarList>] |
00404930 | 83C4 40 | add esp,40 |
00404933 | BA 94294000 | mov edx,bjcm40a.402994 | *
00404938 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
0040493B | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
00404941 | BA 702B4000 | mov edx,bjcm40a.402B70 | 402B70:L"2468AC"
00404946 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404949 | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
0040494F | 8B0E | mov ecx,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
00404951 | 8D55 A0 | lea edx,dword ptr ss:[ebp-60] |
00404954 | 8D45 A4 | lea eax,dword ptr ss:[ebp-5C] |
00404957 | 52 | push edx |
00404958 | 50 | push eax |
00404959 | 8D55 A8 | lea edx,dword ptr ss:[ebp-58] |
0040495C | 8D45 D4 | lea eax,dword ptr ss:[ebp-2C] |
0040495F | 52 | push edx |
00404960 | 50 | push eax |
00404961 | 56 | push esi |
00404962 | FF91 F8060000 | call dword ptr ds:[ecx+6F8] | pre_result * 0x2468AC = v1
00404968 | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
0040496A | 7D 12 | jge bjcm40a.40497E |
0040496C | 68 F8060000 | push 6F8 |
00404971 | 68 DC274000 | push bjcm40a.4027DC |
00404976 | 56 | push esi |
00404977 | 50 | push eax |
00404978 | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
0040497E | 8B55 A0 | mov edx,dword ptr ss:[ebp-60] |
00404981 | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
00404984 | 897D A0 | mov dword ptr ss:[ebp-60],edi | edi:_PeekMessageA@20
00404987 | FFD3 | call ebx |
00404989 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
0040498C | 8D55 A8 | lea edx,dword ptr ss:[ebp-58] |
0040498F | 51 | push ecx |
00404990 | 52 | push edx |
00404991 | 6A 02 | push 2 |
00404993 | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
00404999 | 8B06 | mov eax,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
0040499B | 83C4 0C | add esp,C |
0040499E | 56 | push esi |
0040499F | FF90 08030000 | call dword ptr ds:[eax+308] |
004049A5 | 8D4D 8C | lea ecx,dword ptr ss:[ebp-74] | [ebp-74]:_PeekMessageA@20
004049A8 | 50 | push eax |
004049A9 | 51 | push ecx |
004049AA | FF15 40104000 | call dword ptr ds:[<__vbaObjSet>] |
004049B0 | 8B10 | mov edx,dword ptr ds:[eax] |
004049B2 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
004049B5 | 51 | push ecx |
004049B6 | 50 | push eax |
004049B7 | 8985 ECFEFFFF | mov dword ptr ss:[ebp-114],eax |
004049BD | FF92 A0000000 | call dword ptr ds:[edx+A0] |
004049C3 | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
004049C5 | DBE2 | fnclex |
004049C7 | 7D 18 | jge bjcm40a.4049E1 |
004049C9 | 8B95 ECFEFFFF | mov edx,dword ptr ss:[ebp-114] |
004049CF | 68 A0000000 | push A0 |
004049D4 | 68 542B4000 | push bjcm40a.402B54 |
004049D9 | 52 | push edx |
004049DA | 50 | push eax |
004049DB | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
004049E1 | 8B06 | mov eax,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
004049E3 | 56 | push esi |
004049E4 | FF90 08030000 | call dword ptr ds:[eax+308] |
004049EA | 8D4D 88 | lea ecx,dword ptr ss:[ebp-78] |
004049ED | 50 | push eax |
004049EE | 51 | push ecx |
004049EF | FF15 40104000 | call dword ptr ds:[<__vbaObjSet>] |
004049F5 | 8B10 | mov edx,dword ptr ds:[eax] |
004049F7 | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] |
004049FA | 51 | push ecx |
004049FB | 50 | push eax |
004049FC | 8985 E4FEFFFF | mov dword ptr ss:[ebp-11C],eax | [ebp-11C]:_PeekMessageA@20+1F1
00404A02 | FF92 A0000000 | call dword ptr ds:[edx+A0] |
00404A08 | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
00404A0A | DBE2 | fnclex |
00404A0C | 7D 18 | jge bjcm40a.404A26 |
00404A0E | 8B95 E4FEFFFF | mov edx,dword ptr ss:[ebp-11C] | [ebp-11C]:_PeekMessageA@20+1F1
00404A14 | 68 A0000000 | push A0 |
00404A19 | 68 542B4000 | push bjcm40a.402B54 |
00404A1E | 52 | push edx |
00404A1F | 50 | push eax |
00404A20 | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00404A26 | 8B06 | mov eax,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
00404A28 | 56 | push esi |
00404A29 | FF90 08030000 | call dword ptr ds:[eax+308] |
00404A2F | 8D4D 84 | lea ecx,dword ptr ss:[ebp-7C] |
00404A32 | 50 | push eax |
00404A33 | 51 | push ecx |
00404A34 | FF15 40104000 | call dword ptr ds:[<__vbaObjSet>] |
00404A3A | 8B10 | mov edx,dword ptr ds:[eax] |
00404A3C | 8D4D 98 | lea ecx,dword ptr ss:[ebp-68] |
00404A3F | 51 | push ecx |
00404A40 | 50 | push eax |
00404A41 | 8985 DCFEFFFF | mov dword ptr ss:[ebp-124],eax |
00404A47 | FF92 A0000000 | call dword ptr ds:[edx+A0] |
00404A4D | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
00404A4F | DBE2 | fnclex |
00404A51 | 7D 18 | jge bjcm40a.404A6B |
00404A53 | 8B95 DCFEFFFF | mov edx,dword ptr ss:[ebp-124] |
00404A59 | 68 A0000000 | push A0 |
00404A5E | 68 542B4000 | push bjcm40a.402B54 |
00404A63 | 52 | push edx |
00404A64 | 50 | push eax |
00404A65 | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00404A6B | 8B3D 5C104000 | mov edi,dword ptr ds:[<Ordinal#631>] | edi:_PeekMessageA@20
00404A71 | B8 02000000 | mov eax,2 |
00404A76 | B9 01000000 | mov ecx,1 |
00404A7B | 8985 74FFFFFF | mov dword ptr ss:[ebp-8C],eax | [ebp-8C]:_PeekMessageA@20+1F1
00404A81 | 8985 64FFFFFF | mov dword ptr ss:[ebp-9C],eax |
00404A87 | 8985 54FFFFFF | mov dword ptr ss:[ebp-AC],eax |
00404A8D | 8D85 64FFFFFF | lea eax,dword ptr ss:[ebp-9C] |
00404A93 | 898D 7CFFFFFF | mov dword ptr ss:[ebp-84],ecx |
00404A99 | 898D 6CFFFFFF | mov dword ptr ss:[ebp-94],ecx |
00404A9F | 898D 5CFFFFFF | mov dword ptr ss:[ebp-A4],ecx |
00404AA5 | 8B4D A0 | mov ecx,dword ptr ss:[ebp-60] |
00404AA8 | 50 | push eax |
00404AA9 | 6A 03 | push 3 |
00404AAB | 51 | push ecx |
00404AAC | FFD7 | call edi | serial[2]
00404AAE | 8BD0 | mov edx,eax |
00404AB0 | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] |
00404AB3 | FFD3 | call ebx |
00404AB5 | 50 | push eax |
00404AB6 | FF15 28104000 | call dword ptr ds:[<Ordinal#516>] | asc(serial...)
00404ABC | 8B4D A8 | mov ecx,dword ptr ss:[ebp-58] |
00404ABF | 66:8BD0 | mov dx,ax |
00404AC2 | 8D85 74FFFFFF | lea eax,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
00404AC8 | 66:8995 48FEFFFF | mov word ptr ss:[ebp-1B8],dx |
00404ACF | 50 | push eax |
00404AD0 | 6A 02 | push 2 |
00404AD2 | 51 | push ecx |
00404AD3 | FFD7 | call edi | serial[1]
00404AD5 | 8BD0 | mov edx,eax |
00404AD7 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
00404ADA | FFD3 | call ebx |
00404ADC | 50 | push eax |
00404ADD | FF15 28104000 | call dword ptr ds:[<Ordinal#516>] | asc(serial...)
00404AE3 | 66:8BBD 48FEFFFF | mov di,word ptr ss:[ebp-1B8] |
00404AEA | 8D95 54FFFFFF | lea edx,dword ptr ss:[ebp-AC] |
00404AF0 | 66:03F8 | add di,ax | serial[1]+serial[2]
00404AF3 | 8B45 98 | mov eax,dword ptr ss:[ebp-68] |
00404AF6 | 52 | push edx |
00404AF7 | 6A 04 | push 4 |
00404AF9 | 50 | push eax |
00404AFA | 0F80 46040000 | jo <bjcm40a.ErrOverflow> |
00404B00 | FF15 5C104000 | call dword ptr ds:[<Ordinal#631>] | serial[3]
00404B06 | 8BD0 | mov edx,eax |
00404B08 | 8D4D 94 | lea ecx,dword ptr ss:[ebp-6C] |
00404B0B | FFD3 | call ebx |
00404B0D | 50 | push eax |
00404B0E | FF15 28104000 | call dword ptr ds:[<Ordinal#516>] | asc(serial...)
00404B14 | 66:03F8 | add di,ax | serial[1]+2+3
00404B17 | 8D8D 44FFFFFF | lea ecx,dword ptr ss:[ebp-BC] |
00404B1D | 0F80 23040000 | jo <bjcm40a.ErrOverflow> |
00404B23 | 51 | push ecx |
00404B24 | 66:89BD 4CFFFFFF | mov word ptr ss:[ebp-B4],di |
00404B2B | C785 44FFFFFF 020000 | mov dword ptr ss:[ebp-BC],2 |
00404B35 | FF15 B0104000 | call dword ptr ds:[<Ordinal#572>] | hex(s...)
00404B3B | 8BD0 | mov edx,eax |
00404B3D | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00404B40 | FFD3 | call ebx |
00404B42 | 8D55 94 | lea edx,dword ptr ss:[ebp-6C] |
00404B45 | 8D45 98 | lea eax,dword ptr ss:[ebp-68] |
00404B48 | 52 | push edx |
00404B49 | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] |
00404B4C | 50 | push eax |
00404B4D | 8D55 A0 | lea edx,dword ptr ss:[ebp-60] |
00404B50 | 51 | push ecx |
00404B51 | 8D45 A4 | lea eax,dword ptr ss:[ebp-5C] |
00404B54 | 52 | push edx |
00404B55 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404B58 | 50 | push eax |
00404B59 | 51 | push ecx |
00404B5A | 6A 06 | push 6 |
00404B5C | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
00404B62 | 8D55 84 | lea edx,dword ptr ss:[ebp-7C] |
00404B65 | 8D45 88 | lea eax,dword ptr ss:[ebp-78] |
00404B68 | 52 | push edx |
00404B69 | 8D4D 8C | lea ecx,dword ptr ss:[ebp-74] | [ebp-74]:_PeekMessageA@20
00404B6C | 50 | push eax |
00404B6D | 51 | push ecx |
00404B6E | 6A 03 | push 3 |
00404B70 | FF15 24104000 | call dword ptr ds:[<__vbaFreeObjList>] |
00404B76 | 8D95 44FFFFFF | lea edx,dword ptr ss:[ebp-BC] |
00404B7C | 52 | push edx |
00404B7D | 8D85 54FFFFFF | lea eax,dword ptr ss:[ebp-AC] |
00404B83 | 8D8D 64FFFFFF | lea ecx,dword ptr ss:[ebp-9C] |
00404B89 | 50 | push eax |
00404B8A | 8D95 74FFFFFF | lea edx,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
00404B90 | 51 | push ecx |
00404B91 | 52 | push edx |
00404B92 | 6A 04 | push 4 |
00404B94 | FF15 18104000 | call dword ptr ds:[<__vbaFreeVarList>] |
00404B9A | 8B3D B8104000 | mov edi,dword ptr ds:[<__vbaStrCopy>] | edi:_PeekMessageA@20
00404BA0 | 83C4 40 | add esp,40 |
00404BA3 | BA 6C294000 | mov edx,bjcm40a.40296C | 40296C:L"SHR"
00404BA8 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
00404BAB | FFD7 | call edi | edi:_PeekMessageA@20
00404BAD | BA 842B4000 | mov edx,bjcm40a.402B84 | 6
00404BB2 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404BB5 | FFD7 | call edi | edi:_PeekMessageA@20
00404BB7 | 8B06 | mov eax,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
00404BB9 | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] |
00404BBC | 8D55 A4 | lea edx,dword ptr ss:[ebp-5C] |
00404BBF | 51 | push ecx |
00404BC0 | 52 | push edx |
00404BC1 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404BC4 | 8D55 D8 | lea edx,dword ptr ss:[ebp-28] |
00404BC7 | 51 | push ecx |
00404BC8 | 52 | push edx |
00404BC9 | 56 | push esi |
00404BCA | FF90 F8060000 | call dword ptr ds:[eax+6F8] | pre_result SHR 6
00404BD0 | 33FF | xor edi,edi | edi:_PeekMessageA@20
00404BD2 | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
00404BD4 | 7D 12 | jge bjcm40a.404BE8 |
00404BD6 | 68 F8060000 | push 6F8 |
00404BDB | 68 DC274000 | push bjcm40a.4027DC |
00404BE0 | 56 | push esi |
00404BE1 | 50 | push eax |
00404BE2 | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00404BE8 | 8B55 A0 | mov edx,dword ptr ss:[ebp-60] |
00404BEB | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00404BEE | 897D A0 | mov dword ptr ss:[ebp-60],edi | edi:_PeekMessageA@20
00404BF1 | FFD3 | call ebx |
00404BF3 | 8D45 A4 | lea eax,dword ptr ss:[ebp-5C] |
00404BF6 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404BF9 | 50 | push eax |
00404BFA | 51 | push ecx |
00404BFB | 6A 02 | push 2 |
00404BFD | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
00404C03 | 83C4 0C | add esp,C |
00404C06 | BA 94294000 | mov edx,bjcm40a.402994 | *
00404C0B | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
00404C0E | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
00404C14 | BA 8C2B4000 | mov edx,bjcm40a.402B8C | 20
00404C19 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404C1C | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
00404C22 | 8B16 | mov edx,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
00404C24 | 8D45 A0 | lea eax,dword ptr ss:[ebp-60] |
00404C27 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
00404C2A | 50 | push eax |
00404C2B | 51 | push ecx |
00404C2C | 8D45 A8 | lea eax,dword ptr ss:[ebp-58] |
00404C2F | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00404C32 | 50 | push eax |
00404C33 | 51 | push ecx |
00404C34 | 56 | push esi |
00404C35 | FF92 F8060000 | call dword ptr ds:[edx+6F8] | pre_result * 20 = v2
00404C3B | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
00404C3D | 7D 12 | jge bjcm40a.404C51 |
00404C3F | 68 F8060000 | push 6F8 |
00404C44 | 68 DC274000 | push bjcm40a.4027DC |
00404C49 | 56 | push esi |
00404C4A | 50 | push eax |
00404C4B | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00404C51 | 8B55 A0 | mov edx,dword ptr ss:[ebp-60] |
00404C54 | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00404C57 | 897D A0 | mov dword ptr ss:[ebp-60],edi | edi:_PeekMessageA@20
00404C5A | FFD3 | call ebx |
00404C5C | 8D55 A4 | lea edx,dword ptr ss:[ebp-5C] |
00404C5F | 8D45 A8 | lea eax,dword ptr ss:[ebp-58] |
00404C62 | 52 | push edx |
00404C63 | 50 | push eax |
00404C64 | 6A 02 | push 2 |
00404C66 | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
00404C6C | 8B4D D4 | mov ecx,dword ptr ss:[ebp-2C] |
00404C6F | 83C4 0C | add esp,C |
00404C72 | 6A 03 | push 3 |
00404C74 | 51 | push ecx |
00404C75 | FF15 E8104000 | call dword ptr ds:[<Ordinal#618>] | right(v1,3)
00404C7B | 8BD0 | mov edx,eax |
00404C7D | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] |
00404C80 | FFD3 | call ebx |
00404C82 | BA 34294000 | mov edx,bjcm40a.402934 | =
00404C87 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
00404C8A | FF15 B8104000 | call dword ptr ds:[<__vbaStrCopy>] |
00404C90 | 8B55 9C | mov edx,dword ptr ss:[ebp-64] |
00404C93 | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404C96 | 897D 9C | mov dword ptr ss:[ebp-64],edi | edi:_PeekMessageA@20
00404C99 | FFD3 | call ebx |
00404C9B | 8B16 | mov edx,dword ptr ds:[esi] | [esi]:rtcCommandBstr+78
00404C9D | 8D45 A0 | lea eax,dword ptr ss:[ebp-60] |
00404CA0 | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] |
00404CA3 | 50 | push eax |
00404CA4 | 51 | push ecx |
00404CA5 | 8D45 A8 | lea eax,dword ptr ss:[ebp-58] |
00404CA8 | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00404CAB | 50 | push eax |
00404CAC | 51 | push ecx |
00404CAD | 56 | push esi |
00404CAE | FF92 F8060000 | call dword ptr ds:[edx+6F8] | v1 == v2?
00404CB4 | 3BC7 | cmp eax,edi | edi:_PeekMessageA@20
00404CB6 | 7D 12 | jge bjcm40a.404CCA |
00404CB8 | 68 F8060000 | push 6F8 |
00404CBD | 68 DC274000 | push bjcm40a.4027DC |
00404CC2 | 56 | push esi |
00404CC3 | 50 | push eax |
00404CC4 | FF15 30104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00404CCA | 8B55 A0 | mov edx,dword ptr ss:[ebp-60] |
00404CCD | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00404CD0 | 897D A0 | mov dword ptr ss:[ebp-60],edi | edi:_PeekMessageA@20
00404CD3 | FFD3 | call ebx |
00404CD5 | 8D55 9C | lea edx,dword ptr ss:[ebp-64] |
00404CD8 | 8D45 A4 | lea eax,dword ptr ss:[ebp-5C] |
00404CDB | 52 | push edx |
00404CDC | 8D4D A8 | lea ecx,dword ptr ss:[ebp-58] |
00404CDF | 50 | push eax |
00404CE0 | 51 | push ecx |
00404CE1 | 6A 03 | push 3 |
00404CE3 | FF15 BC104000 | call dword ptr ds:[<__vbaFreeStrList>] |
00404CE9 | 8B55 D8 | mov edx,dword ptr ss:[ebp-28] |
00404CEC | 83C4 10 | add esp,10 |
00404CEF | 52 | push edx | 前面比较的结果0或FFFF
00404CF0 | 68 982B4000 | push bjcm40a.402B98 | 402B98:L"FFFF"
00404CF5 | FF15 70104000 | call dword ptr ds:[<__vbaStrCmp>] |
00404CFB | 85C0 | test eax,eax |
00404CFD | 0F85 AD000000 | jne <bjcm40a.FAIL> |
00404D03 | 8B1D D4104000 | mov ebx,dword ptr ds:[<__vbaVarDup>] | Success
00404D09 | B9 04000280 | mov ecx,80020004 |
00404D0E | 898D 4CFFFFFF | mov dword ptr ss:[ebp-B4],ecx |
00404D14 | B8 0A000000 | mov eax,A | 0A:'\n'
00404D19 | 898D 5CFFFFFF | mov dword ptr ss:[ebp-A4],ecx |
00404D1F | BE 08000000 | mov esi,8 |
00404D24 | 8D95 14FFFFFF | lea edx,dword ptr ss:[ebp-EC] |
00404D2A | 8D8D 64FFFFFF | lea ecx,dword ptr ss:[ebp-9C] |
00404D30 | 8985 44FFFFFF | mov dword ptr ss:[ebp-BC],eax |
00404D36 | 8985 54FFFFFF | mov dword ptr ss:[ebp-AC],eax |
00404D3C | C785 1CFFFFFF F42B40 | mov dword ptr ss:[ebp-E4],bjcm40a.402BF4 | 402BF4:L"Correct serial!"
00404D46 | 89B5 14FFFFFF | mov dword ptr ss:[ebp-EC],esi |
00404D4C | FFD3 | call ebx |
00404D4E | 8D95 24FFFFFF | lea edx,dword ptr ss:[ebp-DC] | [ebp-DC]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00404D54 | 8D8D 74FFFFFF | lea ecx,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
00404D5A | C785 2CFFFFFF A82B40 | mov dword ptr ss:[ebp-D4],bjcm40a.402BA8 | 402BA8:L"Good job, tell me how you do that!"
00404D64 | 89B5 24FFFFFF | mov dword ptr ss:[ebp-DC],esi | [ebp-DC]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00404D6A | FFD3 | call ebx |
00404D6C | 8D85 44FFFFFF | lea eax,dword ptr ss:[ebp-BC] |
00404D72 | 8D8D 54FFFFFF | lea ecx,dword ptr ss:[ebp-AC] |
00404D78 | 50 | push eax |
00404D79 | 8D95 64FFFFFF | lea edx,dword ptr ss:[ebp-9C] |
00404D7F | 51 | push ecx |
00404D80 | 52 | push edx |
00404D81 | 8D85 74FFFFFF | lea eax,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
00404D87 | 57 | push edi | edi:_PeekMessageA@20
00404D88 | 50 | push eax |
00404D89 | FF15 3C104000 | call dword ptr ds:[<Ordinal#595>] |
00404D8F | 8D8D 44FFFFFF | lea ecx,dword ptr ss:[ebp-BC] |
00404D95 | 8D95 54FFFFFF | lea edx,dword ptr ss:[ebp-AC] |
00404D9B | 51 | push ecx |
00404D9C | 8D85 64FFFFFF | lea eax,dword ptr ss:[ebp-9C] |
00404DA2 | 52 | push edx |
00404DA3 | 8D8D 74FFFFFF | lea ecx,dword ptr ss:[ebp-8C] | [ebp-8C]:_PeekMessageA@20+1F1
00404DA9 | 50 | push eax |
00404DAA | 51 | push ecx |
00404DAB | E9 A8000000 | jmp bjcm40a.404E58 |
00404DB0 | 8B1D D4104000 | mov ebx,dword ptr ds:[<__vbaVarDup>] |
```