计算serial前要先把按钮的禁用状态取消掉:

```
第一个窗体的Button
139E: 00->01

第二个窗体的Button
22CA: 00->01

第二个窗体的TextBox
22E8: 00->01
2310: 00->01
2335: 00->01
235F: 00->01
```

计算serial,直接给出结果:

```
以下索引全部从1开始
name2长度*name长度*age长度 字符串    p1
name从第二位开始取3个并翻转          p2
name2从第三位开始取2个               p3
name、name2、age字符串长度求和       p4
age从第二位开始取1个                 p5
name长度                             p6

p1-p2p3p4-p5p6
```

细节:

```assembly
00402460 | 55 | push ebp | 00402461 | 8BEC | mov ebp,esp | 00402463 | 83EC 0C | sub esp,C | 00402466 | 68 F6104000 | push | 0040246B | 64:A1 00000000 | mov eax,dword ptr fs:[0] | 00402471 | 50 | push eax | 00402472 | 64:8925 00000000 | mov dword ptr fs:[0],esp | 00402479 | 81EC 28020000 | sub esp,228 | 0040247F | 53 | push ebx | ebx:__vbaStrCopy 00402480 | 56 | push esi | 00402481 | 57 | push edi | edi:"\\J@" 00402482 | 8965 F4 | mov dword ptr ss:[ebp-C],esp | 00402485 | C745 F8 D0104000 | mov dword ptr ss:[ebp-8],breaker's crackme | 0040248C | 8B7D 08 | mov edi,dword ptr ss:[ebp+8] | [ebp+08]:"\\J@" 0040248F | 8BC7 | mov eax,edi | edi:"\\J@" 00402491 | 83E0 01 | and eax,1 | 00402494 | 8945 FC | mov dword ptr ss:[ebp-4],eax | 00402497 | 83E7 FE | and edi,FFFFFFFE | edi:"\\J@" 0040249A | 57 | push edi | edi:"\\J@" 0040249B | 897D 08 | mov dword ptr ss:[ebp+8],edi | [ebp+08]:"\\J@" 0040249E | 8B0F | mov ecx,dword ptr ds:[edi] | edi:"\\J@" 004024A0 | FF51 04 | call dword ptr ds:[ecx+4] | 004024A3 | 8B1D 94104000 | mov ebx,dword ptr ds:[<__vbaStrCopy>] | ebx:__vbaStrCopy 004024A9 | 33F6 | xor esi,esi | 004024AB | BA 501F4000 | mov edx,breaker's crackme # 3_patched.401F | edx:L"Hello", 401F50:L"Hello" 004024B0 | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] | 004024B3 | 8975 E8 | mov dword ptr ss:[ebp-18],esi | 004024B6 | 8975 E4 | mov dword ptr ss:[ebp-1C],esi | 004024B9 | 8975 E0 | mov dword ptr ss:[ebp-20],esi | 004024BC | 8975 DC | mov dword ptr ss:[ebp-24],esi | 004024BF | 8975 D8 | mov dword ptr ss:[ebp-28],esi | 004024C2 | 8975 D4 | mov dword ptr ss:[ebp-2C],esi | 004024C5 | 8975 D0 | mov dword ptr ss:[ebp-30],esi | 004024C8 | 8975 CC | mov
dword ptr ss:[ebp-34],esi | 004024CB | 8975 C8 | mov dword ptr ss:[ebp-38],esi | 004024CE | 8975 C4 | mov dword ptr ss:[ebp-3C],esi | 004024D1 | 8975 C0 | mov dword ptr ss:[ebp-40],esi | 004024D4 | 8975 BC | mov dword ptr ss:[ebp-44],esi | 004024D7 | 8975 B8 | mov dword ptr ss:[ebp-48],esi | 004024DA | 8975 B4 | mov dword ptr ss:[ebp-4C],esi | 004024DD | 8975 B0 | mov dword ptr ss:[ebp-50],esi | 004024E0 | 8975 AC | mov dword ptr ss:[ebp-54],esi | 004024E3 | 8975 A8 | mov dword ptr ss:[ebp-58],esi | 004024E6 | 8975 A4 | mov dword ptr ss:[ebp-5C],esi | 004024E9 | 8975 A0 | mov dword ptr ss:[ebp-60],esi | 004024EC | 8975 9C | mov dword ptr ss:[ebp-64],esi | 004024EF | 8975 98 | mov dword ptr ss:[ebp-68],esi | 004024F2 | 8975 94 | mov dword ptr ss:[ebp-6C],esi | 004024F5 | 8975 90 | mov dword ptr ss:[ebp-70],esi | 004024F8 | 8975 8C | mov dword ptr ss:[ebp-74],esi | 004024FB | 8975 88 | mov dword ptr ss:[ebp-78],esi | 004024FE | 8975 84 | mov dword ptr ss:[ebp-7C],esi | 00402501 | 8975 80 | mov dword ptr ss:[ebp-80],esi | 00402504 | 89B5 70FFFFFF | mov dword ptr ss:[ebp-90],esi | 0040250A | 89B5 60FFFFFF | mov dword ptr ss:[ebp-A0],esi | 00402510 | 89B5 50FFFFFF | mov dword ptr ss:[ebp-B0],esi | 00402516 | 89B5 40FFFFFF | mov dword ptr ss:[ebp-C0],esi | 0040251C | 89B5 30FFFFFF | mov dword ptr ss:[ebp-D0],esi | 00402522 | 89B5 20FFFFFF | mov dword ptr ss:[ebp-E0],esi | 00402528 | 89B5 10FFFFFF | mov dword ptr ss:[ebp-F0],esi | 0040252E | 89B5 00FFFFFF | mov dword ptr ss:[ebp-100],esi | 00402534 | 89B5 F0FEFFFF | mov dword ptr ss:[ebp-110],esi | 0040253A | 89B5 E0FEFFFF | mov dword ptr ss:[ebp-120],esi | 00402540 | 89B5 D0FEFFFF | mov dword ptr ss:[ebp-130],esi | 00402546 | 89B5 C0FEFFFF | mov dword ptr ss:[ebp-140],esi | 0040254C | 89B5 B0FEFFFF | mov dword ptr ss:[ebp-150],esi | 00402552 | 89B5 A0FEFFFF | mov dword ptr ss:[ebp-160],esi | 00402558 | 89B5 90FEFFFF | mov dword ptr ss:[ebp-170],esi | 0040255E | 89B5 80FEFFFF | mov dword ptr ss:[ebp-180],esi | 00402564 | 
89B5 70FEFFFF | mov dword ptr ss:[ebp-190],esi | 0040256A | 89B5 60FEFFFF | mov dword ptr ss:[ebp-1A0],esi | 00402570 | 89B5 50FEFFFF | mov dword ptr ss:[ebp-1B0],esi | 00402576 | 89B5 30FEFFFF | mov dword ptr ss:[ebp-1D0],esi | 0040257C | FFD3 | call ebx | ebx:__vbaStrCopy 0040257E | BA 601F4000 | mov edx,breaker's crackme # 3_patched.401F | edx:L"Hello", 401F60:L"ARE YOU CRAZY??? WRONG" 00402583 | 8D4D E8 | lea ecx,dword ptr ss:[ebp-18] | 00402586 | FFD3 | call ebx | ebx:__vbaStrCopy 00402588 | 8B17 | mov edx,dword ptr ds:[edi] | edx:L"Hello", edi:"\\J@" 0040258A | 57 | push edi | edi:"\\J@" 0040258B | FF92 FC020000 | call dword ptr ds:[edx+2FC] | 00402591 | 50 | push eax | 00402592 | 8D45 98 | lea eax,dword ptr ss:[ebp-68] | 00402595 | 50 | push eax | 00402596 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 0040259C | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 0040259E | 8D55 CC | lea edx,dword ptr ss:[ebp-34] | [ebp-34]: Name 004025A1 | 52 | push edx | edx:L"Hello" 004025A2 | 53 | push ebx | ebx:__vbaStrCopy 004025A3 | 8B0B | mov ecx,dword ptr ds:[ebx] | ebx:__vbaStrCopy 004025A5 | FF91 A0000000 | call dword ptr ds:[ecx+A0] | 004025AB | 3BC6 | cmp eax,esi | 004025AD | DBE2 | fnclex | 004025AF | 7D 12 | jge breaker's crackme # 3_patched.4025C3 | 004025B1 | 68 A0000000 | push A0 | 004025B6 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 004025BB | 53 | push ebx | ebx:__vbaStrCopy 004025BC | 50 | push eax | 004025BD | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 004025C3 | 8B07 | mov eax,dword ptr ds:[edi] | edi:"\\J@" 004025C5 | 57 | push edi | edi:"\\J@" 004025C6 | FF90 00030000 | call dword ptr ds:[eax+300] | 004025CC | 8D4D 94 | lea ecx,dword ptr ss:[ebp-6C] | 004025CF | 50 | push eax | 004025D0 | 51 | push ecx | 004025D1 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 004025D7 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 004025D9 | 8D45 BC | lea eax,dword ptr ss:[ebp-44] | [ebp-44]: Name2 004025DC | 50 | push eax | 004025DD | 53 
| push ebx | ebx:__vbaStrCopy 004025DE | 8B13 | mov edx,dword ptr ds:[ebx] | edx:L"Hello", ebx:__vbaStrCopy 004025E0 | FF92 A0000000 | call dword ptr ds:[edx+A0] | 004025E6 | 3BC6 | cmp eax,esi | 004025E8 | DBE2 | fnclex | 004025EA | 7D 12 | jge breaker's crackme # 3_patched.4025FE | 004025EC | 68 A0000000 | push A0 | 004025F1 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 004025F6 | 53 | push ebx | ebx:__vbaStrCopy 004025F7 | 50 | push eax | 004025F8 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 004025FE | 8B0F | mov ecx,dword ptr ds:[edi] | edi:"\\J@" 00402600 | 57 | push edi | edi:"\\J@" 00402601 | FF91 04030000 | call dword ptr ds:[ecx+304] | 00402607 | 8D55 84 | lea edx,dword ptr ss:[ebp-7C] | 0040260A | 50 | push eax | 0040260B | 52 | push edx | edx:L"Hello" 0040260C | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 00402612 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 00402614 | 8D4D AC | lea ecx,dword ptr ss:[ebp-54] | [ebp-54]: Age 00402617 | 51 | push ecx | 00402618 | 53 | push ebx | ebx:__vbaStrCopy 00402619 | 8B03 | mov eax,dword ptr ds:[ebx] | ebx:__vbaStrCopy 0040261B | FF90 A0000000 | call dword ptr ds:[eax+A0] | 00402621 | 3BC6 | cmp eax,esi | 00402623 | DBE2 | fnclex | 00402625 | 7D 12 | jge breaker's crackme # 3_patched.402639 | 00402627 | 68 A0000000 | push A0 | 0040262C | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 00402631 | 53 | push ebx | ebx:__vbaStrCopy 00402632 | 50 | push eax | 00402633 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 00402639 | 8B17 | mov edx,dword ptr ds:[edi] | edx:L"Hello", edi:"\\J@" 0040263B | 57 | push edi | edi:"\\J@" 0040263C | FF92 FC020000 | call dword ptr ds:[edx+2FC] | 00402642 | 50 | push eax | 00402643 | 8D45 A4 | lea eax,dword ptr ss:[ebp-5C] | 00402646 | 50 | push eax | 00402647 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 0040264D | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 0040264F | 8D55 DC | lea edx,dword ptr ss:[ebp-24] | [ebp-24]: Name 
00402652 | 52 | push edx | edx:L"Hello" 00402653 | 53 | push ebx | ebx:__vbaStrCopy 00402654 | 8B0B | mov ecx,dword ptr ds:[ebx] | ebx:__vbaStrCopy 00402656 | FF91 A0000000 | call dword ptr ds:[ecx+A0] | 0040265C | 3BC6 | cmp eax,esi | 0040265E | DBE2 | fnclex | 00402660 | 7D 12 | jge breaker's crackme # 3_patched.402674 | 00402662 | 68 A0000000 | push A0 | 00402667 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 0040266C | 53 | push ebx | ebx:__vbaStrCopy 0040266D | 50 | push eax | 0040266E | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 00402674 | 8B07 | mov eax,dword ptr ds:[edi] | edi:"\\J@" 00402676 | 57 | push edi | edi:"\\J@" 00402677 | FF90 00030000 | call dword ptr ds:[eax+300] | 0040267D | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] | 00402680 | 50 | push eax | 00402681 | 51 | push ecx | 00402682 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 00402688 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 0040268A | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] | [ebp-28]: Name2 0040268D | 50 | push eax | 0040268E | 53 | push ebx | ebx:__vbaStrCopy 0040268F | 8B13 | mov edx,dword ptr ds:[ebx] | edx:L"Hello", ebx:__vbaStrCopy 00402691 | FF92 A0000000 | call dword ptr ds:[edx+A0] | 00402697 | 3BC6 | cmp eax,esi | 00402699 | DBE2 | fnclex | 0040269B | 7D 12 | jge breaker's crackme # 3_patched.4026AF | 0040269D | 68 A0000000 | push A0 | 004026A2 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 004026A7 | 53 | push ebx | ebx:__vbaStrCopy 004026A8 | 50 | push eax | 004026A9 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 004026AF | 8B0F | mov ecx,dword ptr ds:[edi] | edi:"\\J@" 004026B1 | 57 | push edi | edi:"\\J@" 004026B2 | FF91 04030000 | call dword ptr ds:[ecx+304] | 004026B8 | 8D55 9C | lea edx,dword ptr ss:[ebp-64] | 004026BB | 50 | push eax | 004026BC | 52 | push edx | edx:L"Hello" 004026BD | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 004026C3 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 004026C5 | 8D4D D4 | lea 
ecx,dword ptr ss:[ebp-2C] | [ebp-2C]: Age 004026C8 | 51 | push ecx | 004026C9 | 53 | push ebx | ebx:__vbaStrCopy 004026CA | 8B03 | mov eax,dword ptr ds:[ebx] | ebx:__vbaStrCopy 004026CC | FF90 A0000000 | call dword ptr ds:[eax+A0] | 004026D2 | 3BC6 | cmp eax,esi | 004026D4 | DBE2 | fnclex | 004026D6 | 7D 12 | jge breaker's crackme # 3_patched.4026EA | 004026D8 | 68 A0000000 | push A0 | 004026DD | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 004026E2 | 53 | push ebx | ebx:__vbaStrCopy 004026E3 | 50 | push eax | 004026E4 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 004026EA | 8B45 CC | mov eax,dword ptr ss:[ebp-34] | 004026ED | 8D95 60FFFFFF | lea edx,dword ptr ss:[ebp-A0] | 004026F3 | 8985 78FFFFFF | mov dword ptr ss:[ebp-88],eax | [ebp-88]:GetWindowExtEx+59 004026F9 | 52 | push edx | length3 004026FA | 8D85 70FFFFFF | lea eax,dword ptr ss:[ebp-90] | 00402700 | 6A 02 | push 2 | index2 00402702 | 8D8D 50FFFFFF | lea ecx,dword ptr ss:[ebp-B0] | 00402708 | 50 | push eax | Name 00402709 | 51 | push ecx | store 0040270A | C785 68FFFFFF 030000 | mov dword ptr ss:[ebp-98],3 | 00402714 | C785 60FFFFFF 020000 | mov dword ptr ss:[ebp-A0],2 | 0040271E | 8975 CC | mov dword ptr ss:[ebp-34],esi | 00402721 | C785 70FFFFFF 080000 | mov dword ptr ss:[ebp-90],8 | 0040272B | FF15 44104000 | call dword ptr ds:[] | 00402731 | 8B55 D8 | mov edx,dword ptr ss:[ebp-28] | 00402734 | 8B1D 10104000 | mov ebx,dword ptr ds:[<__vbaLenBstr>] | ebx:__vbaStrCopy 0040273A | 52 | push edx | edx:L"Hello" 0040273B | FFD3 | call ebx | Name2.Length 0040273D | 8BD0 | mov edx,eax | edx:L"Hello" 0040273F | 8B45 DC | mov eax,dword ptr ss:[ebp-24] | 00402742 | 50 | push eax | 00402743 | 8995 C8FDFFFF | mov dword ptr ss:[ebp-238],edx | name2len 00402749 | FFD3 | call ebx | Name.Length 0040274B | 8B9D C8FDFFFF | mov ebx,dword ptr ss:[ebp-238] | ebx:__vbaStrCopy, [ebp-238]:MinUserRequestViewHitTest+9AD44 00402751 | 8B4D D4 | mov ecx,dword ptr ss:[ebp-2C] | [ebp-2C]: Age 00402754 | 
0FAFD8 | imul ebx,eax | name2len*namelen 00402757 | 51 | push ecx | 00402758 | 0F80 CF070000 | jo breaker's crackme # 3_patched.402F2D | 0040275E | FF15 10104000 | call dword ptr ds:[<__vbaLenBstr>] | age.Length 00402764 | 0FAFD8 | imul ebx,eax | 前面len的*结果 再*agelen 00402767 | 0F80 C0070000 | jo breaker's crackme # 3_patched.402F2D | 0040276D | 53 | push ebx | ebx:__vbaStrCopy 0040276E | FF15 08104000 | call dword ptr ds:[<__vbaStrI4>] | 计算结果转成对应十六进制的字符串 00402774 | 8B1D B0104000 | mov ebx,dword ptr ds:[<__vbaStrMove>] | ebx:__vbaStrCopy 0040277A | 8BD0 | mov edx,eax | edx:L"Hello" 0040277C | 8D4D D0 | lea ecx,dword ptr ss:[ebp-30] | 0040277F | FFD3 | call ebx | ebx:__vbaStrCopy 00402781 | 50 | push eax | 00402782 | 68 A41F4000 | push breaker's crackme # 3_patched.401FA4 | - 00402787 | FF15 24104000 | call dword ptr ds:[<__vbaStrCat>] | 0040278D | 8BD0 | mov edx,eax | edx:L"Hello" 0040278F | 8D4D C4 | lea ecx,dword ptr ss:[ebp-3C] | 00402792 | FFD3 | call ebx | ebx:__vbaStrCopy 00402794 | 50 | push eax | 末尾加了-的*结果 00402795 | 8D95 50FFFFFF | lea edx,dword ptr ss:[ebp-B0] | 前面取3位的内容 0040279B | 8D45 C8 | lea eax,dword ptr ss:[ebp-38] | 0040279E | 52 | push edx | edx:L"Hello" 0040279F | 50 | push eax | 004027A0 | FF15 78104000 | call dword ptr ds:[<__vbaStrVarVal>] | 004027A6 | 50 | push eax | 004027A7 | FF15 68104000 | call dword ptr ds:[] | 翻转三位结果 004027AD | 8BD0 | mov edx,eax | edx:L"Hello" 004027AF | 8D4D C0 | lea ecx,dword ptr ss:[ebp-40] | 004027B2 | FFD3 | call ebx | ebx:__vbaStrCopy 004027B4 | 50 | push eax | 004027B5 | FF15 24104000 | call dword ptr ds:[<__vbaStrCat>] | 组合 004027BB | 8985 18FFFFFF | mov dword ptr ss:[ebp-E8],eax | 004027C1 | B9 08000000 | mov ecx,8 | 004027C6 | B8 02000000 | mov eax,2 | 004027CB | 898D 10FFFFFF | mov dword ptr ss:[ebp-F0],ecx | 004027D1 | 8985 38FFFFFF | mov dword ptr ss:[ebp-C8],eax | 004027D7 | 8985 30FFFFFF | mov dword ptr ss:[ebp-D0],eax | 004027DD | 8B45 BC | mov eax,dword ptr ss:[ebp-44] | [ebp-44]: Name2 004027E0 | 898D 
40FFFFFF | mov dword ptr ss:[ebp-C0],ecx | 004027E6 | 8D8D 30FFFFFF | lea ecx,dword ptr ss:[ebp-D0] | 004027EC | 8985 48FFFFFF | mov dword ptr ss:[ebp-B8],eax | 004027F2 | 51 | push ecx | 004027F3 | 8D95 40FFFFFF | lea edx,dword ptr ss:[ebp-C0] | 004027F9 | 6A 03 | push 3 | 004027FB | 8D85 20FFFFFF | lea eax,dword ptr ss:[ebp-E0] | 00402801 | 52 | push edx | edx:L"Hello" 00402802 | 50 | push eax | 00402803 | 8975 BC | mov dword ptr ss:[ebp-44],esi | 00402806 | FF15 44104000 | call dword ptr ds:[] | Name2 index3 取两位 0040280C | 8B0F | mov ecx,dword ptr ds:[edi] | edi:"\\J@" 0040280E | 57 | push edi | edi:"\\J@" 0040280F | FF91 FC020000 | call dword ptr ds:[ecx+2FC] | 00402815 | 8D55 90 | lea edx,dword ptr ss:[ebp-70] | 00402818 | 50 | push eax | 00402819 | 52 | push edx | edx:L"Hello" 0040281A | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 00402820 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 00402822 | 8D4D B8 | lea ecx,dword ptr ss:[ebp-48] | [ebp-48]: Name 00402825 | 51 | push ecx | 00402826 | 53 | push ebx | ebx:__vbaStrCopy 00402827 | 8B03 | mov eax,dword ptr ds:[ebx] | ebx:__vbaStrCopy 00402829 | FF90 A0000000 | call dword ptr ds:[eax+A0] | 0040282F | 3BC6 | cmp eax,esi | 00402831 | DBE2 | fnclex | 00402833 | 7D 12 | jge breaker's crackme # 3_patched.402847 | 00402835 | 68 A0000000 | push A0 | 0040283A | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 0040283F | 53 | push ebx | ebx:__vbaStrCopy 00402840 | 50 | push eax | 00402841 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 00402847 | 8B17 | mov edx,dword ptr ds:[edi] | edx:L"Hello", edi:"\\J@" 00402849 | 57 | push edi | edi:"\\J@" 0040284A | FF92 00030000 | call dword ptr ds:[edx+300] | 00402850 | 50 | push eax | 00402851 | 8D45 8C | lea eax,dword ptr ss:[ebp-74] | 00402854 | 50 | push eax | 00402855 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 0040285B | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 0040285D | 8D55 B4 | lea edx,dword ptr ss:[ebp-4C] | [ebp-4C]: Name2 00402860 | 
52 | push edx | edx:L"Hello" 00402861 | 53 | push ebx | ebx:__vbaStrCopy 00402862 | 8B0B | mov ecx,dword ptr ds:[ebx] | ebx:__vbaStrCopy 00402864 | FF91 A0000000 | call dword ptr ds:[ecx+A0] | 0040286A | 3BC6 | cmp eax,esi | 0040286C | DBE2 | fnclex | 0040286E | 7D 12 | jge breaker's crackme # 3_patched.402882 | 00402870 | 68 A0000000 | push A0 | 00402875 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 0040287A | 53 | push ebx | ebx:__vbaStrCopy 0040287B | 50 | push eax | 0040287C | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 00402882 | 8B07 | mov eax,dword ptr ds:[edi] | edi:"\\J@" 00402884 | 57 | push edi | edi:"\\J@" 00402885 | FF90 04030000 | call dword ptr ds:[eax+304] | 0040288B | 8D4D 88 | lea ecx,dword ptr ss:[ebp-78] | 0040288E | 50 | push eax | 0040288F | 51 | push ecx | 00402890 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 00402896 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 00402898 | 8D45 B0 | lea eax,dword ptr ss:[ebp-50] | [ebp-50]: Age 0040289B | 50 | push eax | 0040289C | 53 | push ebx | ebx:__vbaStrCopy 0040289D | 8B13 | mov edx,dword ptr ds:[ebx] | edx:L"Hello", ebx:__vbaStrCopy 0040289F | FF92 A0000000 | call dword ptr ds:[edx+A0] | 004028A5 | 3BC6 | cmp eax,esi | 004028A7 | DBE2 | fnclex | 004028A9 | 7D 12 | jge breaker's crackme # 3_patched.4028BD | 004028AB | 68 A0000000 | push A0 | 004028B0 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 004028B5 | 53 | push ebx | ebx:__vbaStrCopy 004028B6 | 50 | push eax | 004028B7 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 004028BD | 8B4D B4 | mov ecx,dword ptr ss:[ebp-4C] | [ebp-4C]: Name2 004028C0 | 8B1D 10104000 | mov ebx,dword ptr ds:[<__vbaLenBstr>] | ebx:__vbaStrCopy 004028C6 | 51 | push ecx | 004028C7 | FFD3 | call ebx | Name2.Length 004028C9 | 8BD0 | mov edx,eax | edx:L"Hello" 004028CB | 8B45 B8 | mov eax,dword ptr ss:[ebp-48] | 004028CE | 50 | push eax | 004028CF | 8995 C4FDFFFF | mov dword ptr ss:[ebp-23C],edx | 004028D5 | FFD3 | 
call ebx | Name.Length 004028D7 | 8B9D C4FDFFFF | mov ebx,dword ptr ss:[ebp-23C] | ebx:__vbaStrCopy 004028DD | 8B4D B0 | mov ecx,dword ptr ss:[ebp-50] | [ebp-50]: Age 004028E0 | 03D8 | add ebx,eax | len name+ len name2 004028E2 | 51 | push ecx | 004028E3 | 0F80 44060000 | jo breaker's crackme # 3_patched.402F2D | 004028E9 | FF15 10104000 | call dword ptr ds:[<__vbaLenBstr>] | 004028EF | 03D8 | add ebx,eax | 前面基础上+age len 004028F1 | 8B45 AC | mov eax,dword ptr ss:[ebp-54] | 004028F4 | B9 08000000 | mov ecx,8 | 004028F9 | 8D95 C0FEFFFF | lea edx,dword ptr ss:[ebp-140] | 004028FF | 8985 D8FEFFFF | mov dword ptr ss:[ebp-128],eax | 00402905 | 898D 50FEFFFF | mov dword ptr ss:[ebp-1B0],ecx | 0040290B | 898D D0FEFFFF | mov dword ptr ss:[ebp-130],ecx | 00402911 | 52 | push edx | edx:L"Hello" 00402912 | 8D85 D0FEFFFF | lea eax,dword ptr ss:[ebp-130] | 00402918 | 6A 02 | push 2 | 0040291A | 8D8D B0FEFFFF | lea ecx,dword ptr ss:[ebp-150] | 00402920 | 50 | push eax | 00402921 | 0F80 06060000 | jo breaker's crackme # 3_patched.402F2D | 00402927 | 51 | push ecx | 00402928 | 899D 68FEFFFF | mov dword ptr ss:[ebp-198],ebx | ebx:__vbaStrCopy 0040292E | C785 60FEFFFF 030000 | mov dword ptr ss:[ebp-1A0],3 | 00402938 | C785 58FEFFFF A41F40 | mov dword ptr ss:[ebp-1A8],breaker's crack | 00402942 | C785 C8FEFFFF 010000 | mov dword ptr ss:[ebp-138],1 | 0040294C | C785 C0FEFFFF 020000 | mov dword ptr ss:[ebp-140],2 | 00402956 | 8975 AC | mov dword ptr ss:[ebp-54],esi | 00402959 | FF15 44104000 | call dword ptr ds:[] | age 从第二位开始取1位 0040295F | 8B17 | mov edx,dword ptr ds:[edi] | edx:L"Hello", edi:"\\J@" 00402961 | 57 | push edi | edi:"\\J@" 00402962 | FF92 FC020000 | call dword ptr ds:[edx+2FC] | 00402968 | 50 | push eax | 00402969 | 8D45 80 | lea eax,dword ptr ss:[ebp-80] | 0040296C | 50 | push eax | 0040296D | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 00402973 | 8BD8 | mov ebx,eax | ebx:__vbaStrCopy 00402975 | 8D55 A8 | lea edx,dword ptr ss:[ebp-58] | [ebp-58]: Name 00402978 | 
52 | push edx | edx:L"Hello" 00402979 | 53 | push ebx | ebx:__vbaStrCopy 0040297A | 8B0B | mov ecx,dword ptr ds:[ebx] | ebx:__vbaStrCopy 0040297C | FF91 A0000000 | call dword ptr ds:[ecx+A0] | 00402982 | 3BC6 | cmp eax,esi | 00402984 | DBE2 | fnclex | 00402986 | 7D 12 | jge breaker's crackme # 3_patched.40299A | 00402988 | 68 A0000000 | push A0 | 0040298D | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 00402992 | 53 | push ebx | ebx:__vbaStrCopy 00402993 | 50 | push eax | 00402994 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 0040299A | 8B45 A8 | mov eax,dword ptr ss:[ebp-58] | 0040299D | 50 | push eax | 0040299E | FF15 10104000 | call dword ptr ds:[<__vbaLenBstr>] | len name 004029A4 | 8B1D 7C104000 | mov ebx,dword ptr ds:[<__vbaVarCat>] | ebx:__vbaStrCopy 004029AA | 8D8D 10FFFFFF | lea ecx,dword ptr ss:[ebp-F0] | 004029B0 | 8985 38FEFFFF | mov dword ptr ss:[ebp-1C8],eax | 004029B6 | 8D95 20FFFFFF | lea edx,dword ptr ss:[ebp-E0] | 004029BC | 51 | push ecx | 004029BD | 8D85 00FFFFFF | lea eax,dword ptr ss:[ebp-100] | 004029C3 | 52 | push edx | edx:L"Hello" 004029C4 | 50 | push eax | 004029C5 | C785 30FEFFFF 030000 | mov dword ptr ss:[ebp-1D0],3 | 004029CF | FFD3 | call ebx | 拼接: **-***+ name2后两位 004029D1 | 8D8D 60FEFFFF | lea ecx,dword ptr ss:[ebp-1A0] | 004029D7 | 50 | push eax | 004029D8 | 8D95 F0FEFFFF | lea edx,dword ptr ss:[ebp-110] | 004029DE | 51 | push ecx | 004029DF | 52 | push edx | edx:L"Hello" 004029E0 | FFD3 | call ebx | 拼接: 前面的结果+ 三个字符串长度求和 004029E2 | 50 | push eax | 004029E3 | 8D85 50FEFFFF | lea eax,dword ptr ss:[ebp-1B0] | - 004029E9 | 8D8D E0FEFFFF | lea ecx,dword ptr ss:[ebp-120] | 004029EF | 50 | push eax | 004029F0 | 51 | push ecx | 004029F1 | FFD3 | call ebx | 再拼个- 004029F3 | 50 | push eax | 004029F4 | 8D95 B0FEFFFF | lea edx,dword ptr ss:[ebp-150] | 004029FA | 8D85 A0FEFFFF | lea eax,dword ptr ss:[ebp-160] | 00402A00 | 52 | push edx | edx:L"Hello" 00402A01 | 50 | push eax | 00402A02 | FFD3 | call ebx | 再拼个Age第二位 
00402A04 | 8D8D 30FEFFFF | lea ecx,dword ptr ss:[ebp-1D0] | 00402A0A | 50 | push eax | 00402A0B | 8D95 90FEFFFF | lea edx,dword ptr ss:[ebp-170] | 00402A11 | 51 | push ecx | 00402A12 | 52 | push edx | edx:L"Hello" 00402A13 | FFD3 | call ebx | 再拼个? 00402A15 | 50 | push eax | 00402A16 | FF15 0C104000 | call dword ptr ds:[<__vbaStrVarMove>] | 00402A1C | 8BD0 | mov edx,eax | edx:L"Hello" 00402A1E | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] | 00402A21 | FF15 B0104000 | call dword ptr ds:[<__vbaStrMove>] | 00402A27 | 8D45 A8 | lea eax,dword ptr ss:[ebp-58] | 清理工作 00402A2A | 8D4D B0 | lea ecx,dword ptr ss:[ebp-50] | 00402A2D | 50 | push eax | 00402A2E | 8D55 B4 | lea edx,dword ptr ss:[ebp-4C] | 00402A31 | 51 | push ecx | 00402A32 | 8D45 B8 | lea eax,dword ptr ss:[ebp-48] | 00402A35 | 52 | push edx | edx:L"Hello" 00402A36 | 8D4D C0 | lea ecx,dword ptr ss:[ebp-40] | 00402A39 | 50 | push eax | 00402A3A | 8D55 C4 | lea edx,dword ptr ss:[ebp-3C] | 00402A3D | 51 | push ecx | 00402A3E | 8D45 C8 | lea eax,dword ptr ss:[ebp-38] | 00402A41 | 52 | push edx | edx:L"Hello" 00402A42 | 8D4D D0 | lea ecx,dword ptr ss:[ebp-30] | 00402A45 | 50 | push eax | 00402A46 | 8D55 D4 | lea edx,dword ptr ss:[ebp-2C] | 00402A49 | 51 | push ecx | 00402A4A | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] | 00402A4D | 52 | push edx | edx:L"Hello" 00402A4E | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | 00402A51 | 50 | push eax | 00402A52 | 51 | push ecx | 00402A53 | 6A 0B | push B | 00402A55 | FF15 98104000 | call dword ptr ds:[<__vbaFreeStrList>] | 00402A5B | 8D55 80 | lea edx,dword ptr ss:[ebp-80] | 00402A5E | 8D45 84 | lea eax,dword ptr ss:[ebp-7C] | 00402A61 | 52 | push edx | edx:L"Hello" 00402A62 | 8D4D 88 | lea ecx,dword ptr ss:[ebp-78] | 00402A65 | 50 | push eax | 00402A66 | 8D55 8C | lea edx,dword ptr ss:[ebp-74] | 00402A69 | 51 | push ecx | 00402A6A | 8D45 90 | lea eax,dword ptr ss:[ebp-70] | 00402A6D | 52 | push edx | edx:L"Hello" 00402A6E | 8D4D 94 | lea ecx,dword ptr ss:[ebp-6C] | 00402A71 | 50 | push 
eax | 00402A72 | 8D55 98 | lea edx,dword ptr ss:[ebp-68] | 00402A75 | 51 | push ecx | 00402A76 | 52 | push edx | edx:L"Hello" 00402A77 | 8D45 9C | lea eax,dword ptr ss:[ebp-64] | 00402A7A | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] | 00402A7D | 50 | push eax | 00402A7E | 8D55 A4 | lea edx,dword ptr ss:[ebp-5C] | 00402A81 | 51 | push ecx | 00402A82 | 52 | push edx | edx:L"Hello" 00402A83 | 6A 0A | push A | 00402A85 | FF15 1C104000 | call dword ptr ds:[<__vbaFreeObjList>] | 00402A8B | 83C4 5C | add esp,5C | 00402A8E | 8D85 90FEFFFF | lea eax,dword ptr ss:[ebp-170] | 00402A94 | 8D8D A0FEFFFF | lea ecx,dword ptr ss:[ebp-160] | 00402A9A | 8D95 B0FEFFFF | lea edx,dword ptr ss:[ebp-150] | 00402AA0 | 50 | push eax | 00402AA1 | 51 | push ecx | 00402AA2 | 8D85 E0FEFFFF | lea eax,dword ptr ss:[ebp-120] | 00402AA8 | 52 | push edx | edx:L"Hello" 00402AA9 | 8D8D C0FEFFFF | lea ecx,dword ptr ss:[ebp-140] | 00402AAF | 50 | push eax | 00402AB0 | 8D95 D0FEFFFF | lea edx,dword ptr ss:[ebp-130] | 00402AB6 | 51 | push ecx | 00402AB7 | 8D85 F0FEFFFF | lea eax,dword ptr ss:[ebp-110] | 00402ABD | 52 | push edx | edx:L"Hello" 00402ABE | 8D8D 00FFFFFF | lea ecx,dword ptr ss:[ebp-100] | 00402AC4 | 50 | push eax | 00402AC5 | 8D95 20FFFFFF | lea edx,dword ptr ss:[ebp-E0] | 00402ACB | 51 | push ecx | 00402ACC | 8D85 10FFFFFF | lea eax,dword ptr ss:[ebp-F0] | 00402AD2 | 8B1D 14104000 | mov ebx,dword ptr ds:[<__vbaFreeVarList>] | ebx:__vbaStrCopy 00402AD8 | 52 | push edx | edx:L"Hello" 00402AD9 | 8D8D 30FFFFFF | lea ecx,dword ptr ss:[ebp-D0] | 00402ADF | 50 | push eax | 00402AE0 | 8D95 40FFFFFF | lea edx,dword ptr ss:[ebp-C0] | 00402AE6 | 51 | push ecx | 00402AE7 | 8D85 50FFFFFF | lea eax,dword ptr ss:[ebp-B0] | 00402AED | 52 | push edx | edx:L"Hello" 00402AEE | 8D8D 60FFFFFF | lea ecx,dword ptr ss:[ebp-A0] | 00402AF4 | 50 | push eax | 00402AF5 | 8D95 70FFFFFF | lea edx,dword ptr ss:[ebp-90] | 00402AFB | 51 | push ecx | 00402AFC | 52 | push edx | edx:L"Hello" 00402AFD | 6A 0F | push F | 00402AFF | 
FFD3 | call ebx | ebx:__vbaStrCopy 00402B01 | 8B07 | mov eax,dword ptr ds:[edi] | edi:"\\J@" 00402B03 | 83C4 40 | add esp,40 | 00402B06 | 57 | push edi | edi:"\\J@" 00402B07 | FF90 08030000 | call dword ptr ds:[eax+308] | 00402B0D | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] | 00402B10 | 50 | push eax | 00402B11 | 51 | push ecx | 00402B12 | FF15 30104000 | call dword ptr ds:[<__vbaObjSet>] | 00402B18 | 8BF8 | mov edi,eax | edi:"\\J@" 00402B1A | 8D45 DC | lea eax,dword ptr ss:[ebp-24] | [ebp-24]: Serial 00402B1D | 50 | push eax | 00402B1E | 57 | push edi | edi:"\\J@" 00402B1F | 8B17 | mov edx,dword ptr ds:[edi] | edx:L"Hello", edi:"\\J@" 00402B21 | FF92 A0000000 | call dword ptr ds:[edx+A0] | 00402B27 | 3BC6 | cmp eax,esi | 00402B29 | DBE2 | fnclex | 00402B2B | 7D 12 | jge breaker's crackme # 3_patched.402B3F | 00402B2D | 68 A0000000 | push A0 | 00402B32 | 68 901F4000 | push breaker's crackme # 3_patched.401F90 | 00402B37 | 57 | push edi | edi:"\\J@" 00402B38 | 50 | push eax | 00402B39 | FF15 28104000 | call dword ptr ds:[<__vbaHresultCheckObj>] | 00402B3F | 8B4D DC | mov ecx,dword ptr ss:[ebp-24] | 00402B42 | 8B55 E0 | mov edx,dword ptr ss:[ebp-20] | 00402B45 | 51 | push ecx | serial 00402B46 | 52 | push edx | True Serial 00402B47 | FF15 50104000 | call dword ptr ds:[<__vbaStrCmp>] | 00402B4D | 8BF8 | mov edi,eax | edi:"\\J@" 00402B4F | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | 00402B52 | F7DF | neg edi | edi:"\\J@" 00402B54 | 1BFF | sbb edi,edi | edi:"\\J@" 00402B56 | 47 | inc edi | edi:"\\J@" 00402B57 | F7DF | neg edi | edi:"\\J@" 00402B59 | FF15 C0104000 | call dword ptr ds:[<__vbaFreeStr>] | 00402B5F | 8D4D A4 | lea ecx,dword ptr ss:[ebp-5C] | 00402B62 | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] | 00402B68 | 66:3BFE | cmp di,si | 最后的判断 00402B6B | 0F84 87000000 | je ] | Success ```