| 查看: 790 | 回复: 19 | |||
| 当前主题已经存档。 | |||
| 当前只显示满足指定条件的回帖,点击这里查看本话题的所有回帖 | |||
sdlj8051金虫 (著名写手)
|
[交流]
[转贴]VB P-code粗略分析
|
||
|
VB-Pcode反编译文件的粗略分析,高手莫笑话! 分析1: Private Sub Command1_Click() Dim x As Integer, y As Integer, z As Integer x = 123 y = 321 z = x + y MsgBox z End Sub [Command1.Click] :00401874 F47B LitI2_Byte ;Push 7B //123入栈 :00401876 707AFF FStI2 ;Pop WORD [LOCAL_0086] //弹出0086操作数 //整形占2个字节 {x=123} :00401879 F34101 LitI2 ;Push 0141 //321入栈 :0040187C 7078FF FStI2 ;Pop WORD [LOCAL_0088] //弹出0088操作数 //正好是0086+2,说明内存写时是连续的 {y=321} :0040187F 6B7AFF FLdI2 ;Push WORD [LOCAL_0086] //f?load?i2应该是integer :00401882 6B78FF FLdI2 ;Push WORD [LOCAL_0088] //继续第二个参数入栈 :00401885 A9 AddI2 ; //整数相加,保存在0088+2 {z = x + y} :00401886 7076FF FStI2 ;Pop WORD [LOCAL_008A] //SUM出栈待用 ================ //MsgBox原形 MsgBox(prompt[, buttons] [, title] [, helpfile, context]) ================ :00401889 2704FF LitVar ;PushVar LOCAL_00FC //未负值参数,context :0040188C 2724FF LitVar ;PushVar LOCAL_00DC //未负值参数,helpfile :0040188F 2744FF LitVar ;PushVar LOCAL_00BC //未负值参数,title :00401892 F500000000 LitI4 ;Push 00000000 //buttons 缺省值为 0 :00401897 0476FF FLdRfVar ;Push LOCAL_008A //prompt,作为显示在对话框中的消息. :0040189A 4D64FF0240 CVarRef ; **********Reference To->msvbvm60.rtcMsgBox | :0040189F 0A00001400 ImpAdCallFPR4 ;Call ptr_00401020; check stack 0014; Push EAX //调用MsgBox {MsgBox z} :004018A4 36060044FF24FF04 FFreeVar ;Free 0006/2 variants //释放变量 :004018AD 13 ExitProcHresult ; //退出程序 分析2: Private Sub Command1_Click() Dim x As Integer, y As Integer, z As Integer x = 123 y = 321 z = x + y MsgBox z, vbOKOnly, "pcode" End Sub [Command1.Click] :00401888 F47B LitI2_Byte ;Push 7B //123入栈 :0040188A 707AFF FStI2 ;Pop WORD [LOCAL_0086] //弹出0086操作数 {x=123} :0040188D F34101 LitI2 ;Push 0141 //321入栈 :00401890 7078FF FStI2 ;Pop WORD [LOCAL_0088] //弹出0088操作数 {y=321} :00401893 6B7AFF FLdI2 ;Push WORD [LOCAL_0086] //ADD第一个参数入栈 :00401896 6B78FF FLdI2 ;Push WORD [LOCAL_0088] //ADD第二个参数入栈 :00401899 A9 AddI2 ; //ADD {z = x + y} :0040189A 7076FF FStI2 ;Pop WORD [LOCAL_008A] //SUM出栈待用 :0040189D 2704FF LitVar ;PushVar LOCAL_00FC //未负值参数,context :004018A0 2724FF LitVar ;PushVar LOCAL_00DC //未负值参数,helpfile ******Possible String Ref To->"pcode" | :004018A3 3A54FF0000 LitVarStr ;PushVarString ptr_004013C8 //"pcode"入栈 :004018A8 4E44FF FStVarCopyObj ;[LOCAL_00BC]=vbaVarDup(Pop) //地址负值 :004018AB 0444FF FLdRfVar ;Push LOCAL_00BC //title果然被负值,看来分析并没有错误 :004018AE F500000000 LitI4 ;Push 00000000 //buttons 缺省值为 0 :004018B3 0476FF FLdRfVar ;Push LOCAL_008A //prompt,SUM :004018B6 4D64FF0240 CVarRef ; **********Reference To->msvbvm60.rtcMsgBox | :004018BB 0A01001400 ImpAdCallFPR4 ;Call ptr_00401020; check stack 0014; Push EAX //调用MsgBox {MsgBox z, vbOKOnly, "pcode"} :004018C0 36060044FF24FF04 FFreeVar ;Free 0006/2 variants //释放变量 :004018C9 13 ExitProcHresult ; //退出程序 :004018CA 0000 LargeBos ;IDE beginning of line with 00 byte codes 分析3: Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long Const MB_OK = &H0& Private Sub Command1_Click() Dim x As Integer, y As Integer, z As Integer x = 123 y = 321 z = x + y MessageBox Me.hwnd, "sum=" & z, "pcode", MB_OK End Sub [Command1.Click] :004018FC F47B LitI2_Byte ;Push 7B //123入栈 :004018FE 707AFF FStI2 ;Pop WORD [LOCAL_0086] //弹出0086操作数 {x = 123} :00401901 F34101 LitI2 ;Push 0141 //321入栈 :00401904 7078FF FStI2 ;Pop WORD [LOCAL_0088] //弹出0088操作数 {x = 123} :00401907 6B7AFF FLdI2 ;Push WORD [LOCAL_0086] //ADD第一个参数入栈 :0040190A 6B78FF FLdI2 ;Push WORD [LOCAL_0088] //ADD第二个参数入栈 :0040190D A9 AddI2 ; /ADD {z = x + y} :0040190E 7076FF FStI2 ;Pop WORD [LOCAL_008A] //SUM出栈待用 :00401911 0470FF FLdRfVar ;Push LOCAL_0090 //将地址入栈,记录地址 :00401914 080800 FLdPr ;[SR]=[STACK_0008] :00401917 0D58000000 VCallHresult ;Call ptr_004014CC //这里应该是调用Me.hwnd,保存在0090 ==================//MsgBox原形 int MessageBox( HWND hWnd, // handle of owner window LPCTSTR lpText, // address of text in message box LPCTSTR lpCaption, // address of title of message box UINT uType // style of message box ); ==================//下面是参数入栈 :0040191C F500000000 LitI4 ;Push 00000000 //uType,参数一 ******Possible String Ref To->"pcode" | :00401921 1B0100 LitStr ;Push ptr_00401624 //装入"pcode"字符 :00401924 0460FF FLdRfVar ;Push LOCAL_00A0 :00401927 34 CStr2Ansi ;vbaStrToAnsi //把Unicode形式转换为Ansi :00401928 6C60FF ILdRf ;Push DWORD [LOCAL_00A0] //lpCaption,参数二 ******Possible String Ref To->"sum=" | :0040192B 1B0200 LitStr ;Push ptr_00401614 //装入"sum="字符 :0040192E 6B76FF FLdI2 ;Push WORD [LOCAL_008A] //参数SUM入栈 :00401931 FBFD CStrUI1 ;vbaStrI2 //将整数转换为字符型,保存在0094 :00401933 236CFF FStStrNoPop ;SysFreeString [LOCAL_0094]; [LOCAL_0094]=[stack] :00401936 2A ConcatStr ;vbaStrCat //连接字符,保存在0098 :00401937 2368FF FStStrNoPop ;SysFreeString [LOCAL_0098]; [LOCAL_0098]=[stack] :0040193A 0464FF FLdRfVar ;Push LOCAL_009C //将地址入栈,记录地址 :0040193D 34 CStr2Ansi ;vbaStrToAnsi //把Unicode形式转换为Ansi :0040193E 6C64FF ILdRf ;Push DWORD [LOCAL_009C] //lpText,参数三 :00401941 6C70FF ILdRf ;Push DWORD [LOCAL_0090] //hWnd,参数四 ***********Reference To:user32.MessageBoxA | :00401944 0A03001000 ImpAdCallFPR4 ;Call ptr_004015E8; check stack 0010; Push EAX //调用MessageBox :00401949 3C SetLastSystemError ;Kernel GetLastError //针对调用MessageBox函数,取得扩展错误信息 :0040194A 3208006CFF68FF64 FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0008/2 times ~ arg :00401955 13 ExitProcHresult ; :00401956 0000 LargeBos ;IDE beginning of line with 00 byte codes [ Last edited by sdlj8051 on 2006-10-6 at 11:36 ] |
回复此楼» 猜你喜欢
存款400万可以在学校里躺平吗
已经有5人回复
-
拟解决的关键科学问题还要不要写
已经有5人回复
-
基金委咋了?2026年的指南还没有出来?
已经有9人回复
-
基金申报
已经有5人回复
-
国自然申请面上模板最新2026版出了吗?
已经有17人回复
-
纳米粒子粒径的测量
已经有8人回复
-
疑惑?
已经有5人回复
-
计算机、0854电子信息(085401-058412)调剂
已经有5人回复
-
Materials Today Chemistry审稿周期
已经有5人回复
-
溴的反应液脱色
已经有7人回复
sdlj8051
金虫 (著名写手)
- 应助: 0 (幼儿园)
- 贵宾: 0.1
- 金币: 1149.8
- 红花: 3
- 帖子: 2254
- 在线: 18.1小时
- 虫号: 71297
- 注册: 2005-05-30
- 专业: 电路与系统
|
**************************************** Case "5" strCode = strCode & "eb" **************************************** :0040297C 3170FF FStStr ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=Pop // 将字符释放到0090 :0040297F 1E2202 Branch ;ESI=00402A06 // 跳出CASE :00402982 04C4FE FLdRfVar ;Push LOCAL_013C // 加载临时变量 ******Possible String Ref To->"6" | :00402985 3A48FF1000 LitVarStr ;PushVarString ptr_004022A4 // "6"入栈 :0040298A 5D HardType ; :0040298B FB33 EqVarBool ;// 判断变量是否相等 :0040298D 1CB901 BranchF ;If Pop=0 then ESI=0040299D // 条件为假跳0040299D :00402990 6C70FF ILdRf ;Push DWORD [LOCAL_0090] // 加载strCode ******Possible String Ref To->"fb" | :00402993 1B1100 LitStr ;Push ptr_004022AC // "fb"入栈 :00402996 2A ConcatStr ;vbaStrCat // 连接字符串 **************************************** Case "6" strCode = strCode & "fb" **************************************** :00402997 3170FF FStStr ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=Pop // 将字符释放到0090 :0040299A 1E2202 Branch ;ESI=00402A06 // 跳出CASE :0040299D 04C4FE FLdRfVar ;Push LOCAL_013C // 加载临时变量 ******Possible String Ref To->"7" | :004029A0 3A48FF1200 LitVarStr ;PushVarString ptr_004022B8 // "7"入栈 :004029A5 5D HardType ; :004029A6 FB33 EqVarBool ;// 判断变量是否相等 :004029A8 1CD401 BranchF ;If Pop=0 then ESI=004029B8 // 条件为假跳004029B8 :004029AB 6C70FF ILdRf ;Push DWORD [LOCAL_0090] // 加载strCode ******Possible String Ref To->"ea" | :004029AE 1B1300 LitStr ;Push ptr_004022C0 // "ea"入栈 :004029B1 2A ConcatStr ;vbaStrCat // 连接字符串 **************************************** Case "7" strCode = strCode & "ea" **************************************** :004029B2 3170FF FStStr ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=Pop // 将字符释放到0090 :004029B5 1E2202 Branch ;ESI=00402A06 // 跳出CASE :004029B8 04C4FE FLdRfVar ;Push LOCAL_013C // 加载临时变量 ******Possible String Ref To->"8" | :004029BB 3A48FF1400 LitVarStr ;PushVarString ptr_004022CC // "8"入栈 :004029C0 5D HardType ; :004029C1 FB33 EqVarBool ;// 判断变量是否相等 :004029C3 1CEF01 BranchF ;If Pop=0 then ESI=004029D3 // 条件为假跳004029D3 :004029C6 6C70FF ILdRf ;Push DWORD [LOCAL_0090] // 加载strCode ******Possible String Ref To->"ec" | :004029C9 1B1500 LitStr ;Push ptr_004022D4 // "ec"入栈 :004029CC 2A ConcatStr ;vbaStrCat // 连接字符串 **************************************** Case "8" strCode = strCode & "ec" **************************************** :004029CD 3170FF FStStr ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=Pop // 将字符释放到0090 :004029D0 1E2202 Branch ;ESI=00402A06 // 跳出CASE :004029D3 04C4FE FLdRfVar ;Push LOCAL_013C // 加载临时变量 ******Possible String Ref To->"9" | :004029D6 3A48FF1600 LitVarStr ;PushVarString ptr_004022E0 // "9"入栈 :004029DB 5D HardType ; :004029DC FB33 EqVarBool ;// 判断变量是否相等 :004029DE 1C0A02 BranchF ;If Pop=0 then ESI=004029EE // 条件为假跳004029EE :004029E1 6C70FF ILdRf ;Push DWORD [LOCAL_0090] // 加载strCode ******Possible String Ref To->"db" | :004029E4 1B1700 LitStr ;Push ptr_004022E8 // "db"入栈 :004029E7 2A ConcatStr ;vbaStrCat // 连接字符串 **************************************** Case "9" strCode = strCode & "db" **************************************** :004029E8 3170FF FStStr ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=Pop // 将字符释放到0090 :004029EB 1E2202 Branch ;ESI=00402A06 // 跳出CASE :004029EE 04C4FE FLdRfVar ;Push LOCAL_013C // 加载临时变量 ******Possible String Ref To->"0" | :004029F1 3A48FF1800 LitVarStr ;PushVarString ptr_004022F4 // "0"入栈 :004029F6 5D HardType ; :004029F7 FB33 EqVarBool ;// 判断变量是否相等 :004029F9 1C2202 BranchF ;If Pop=0 then ESI=00402A06 // 条件为假跳00402A06,正好为CASE结束 :004029FC 6C70FF ILdRf ;Push DWORD [LOCAL_0090] // 加载strCode ******Possible String Ref To->"ab" | :004029FF 1B1900 LitStr ;Push ptr_004022FC // "ab"入栈 :00402A02 2A ConcatStr ;vbaStrCat // 连接字符串 **************************************** Case "0" strCode = strCode & "da" **************************************** :00402A03 3170FF FStStr ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=Pop // 将字符释放到0090 **************************************** End Select **************************************** :00402A06 2828FF0100 LitVarI2 ;PushVarInteger 0001 \ 取长度 :00402A0B 6B66FF FLdI2 ;Push WORD [LOCAL_009A] | 变量i的值 :00402A0E E7 CI4UI1 ; | // MID函数参数入栈 :00402A0F 0478FF FLdRfVar ;Push LOCAL_0088 / 文本内容 :00402A12 4D48FF0840 CVarRef ;// 创建临时变量 :00402A17 0418FF FLdRfVar ;Push LOCAL_00E8 // 加载临时变量 **********Reference To->msvbvm60.rtcMidCharVar | :00402A1A 0A05001000 ImpAdCallFPR4 ;Call ptr_00401036; check stack 0010; Push EAX // MID()操作 :00402A1F 0418FF FLdRfVar ;Push LOCAL_00E8 \ :00402A22 FDFE5CFF CStrVarVal ; / // ASC函数参数入栈 **********Reference To->msvbvm60.rtcAnsiValueBstr | :00402A26 0B04000400 ImpAdCallI2 ;Call ptr_00401030; check stack 0004; Push EAX // ASC()操作 :00402A2B F441 LitI2_Byte ;Push 41 // 65入栈 :00402A2D DF GeI2 ;// 大于等于比较操作 :00402A2E 28E8FE0100 LitVarI2 ;PushVarInteger 0001 \ 取长度 :00402A33 6B66FF FLdI2 ;Push WORD [LOCAL_009A] | 变量i的值 :00402A36 E7 CI4UI1 ; | // MID函数参数入栈 :00402A37 0478FF FLdRfVar ;Push LOCAL_0088 / 文本内容 :00402A3A 4D08FF0840 CVarRef ;// 创建临时变量 :00402A3F 04D8FE FLdRfVar ;Push LOCAL_0128 // 加载临时变量 |
7楼2006-08-23 15:57:19
sdlj8051
金虫 (著名写手)
- 应助: 0 (幼儿园)
- 贵宾: 0.1
- 金币: 1149.8
- 红花: 3
- 帖子: 2254
- 在线: 18.1小时
- 虫号: 71297
- 注册: 2005-05-30
- 专业: 电路与系统
|
分析1:(源文件) ============================================= Private Sub Command1_Click() Dim name As String, code As String Dim i As Integer name = Text1.Text For i = 1 To Len(name) code = code & CStr(Asc(Mid(name, i, 1))) Next i Text2.Text = code End Sub ============================================= (P-Code) ============================================= [Command1.Click] :00401BD8 0468FF FLdRfVar ;Push LOCAL_0098 //开辟内存空间 :00401BDB 21 FLdPrThis ;[SR]=[stack2] //和下句配套使用 :00401BDC 0F0403 VCallAd ;Return the control index 03 //获得窗体句柄 :00401BDF 196CFF FStAdFunc ;//取propget过程地址 :00401BE2 086CFF FLdPr ;[SR]=[LOCAL_0094] //加载过程 ***********Reference To:[propget]TextBox.Text //propget,TextBox.Text的取过程 | :00401BE5 0DA0000000 VCallHresult ;Call ptr_004014A8 //获得文本框中的内容 :00401BEA 3E68FF FLdZeroAd ;Push DWORD [LOCAL_0098]; [LOCAL_0098]=0 //将内容入栈 :00401BED 3178FF FStStr ;SysFreeString [LOCAL_0088]; [LOCAL_0088]=Pop //将字符释放到0088 :00401BF0 1A6CFF FFree1Ad ;Push [LOCAL_0094]; Call [[[LOCAL_0094]]+8]; [[LOCAL_0094]]=0 :00401BF3 F401 LitI2_Byte ;Push 01 :00401BF5 0472FF FLdRfVar ;Push LOCAL_008E //将文本框中的内容入栈 :00401BF8 6C78FF ILdRf ;Push DWORD [LOCAL_0088] //字符串入栈作为参数 :00401BFB 4A FnLenStr ;vbaLenBstr //计算字符串长度 :00401BFC E4 CI2I4 ;Verify [stack] high word is 0000, ECX=[ECX] ***********循环计算开始 :00401BFD FE6364FF7200 ForI2 ;//For运算 :00401C03 6C74FF ILdRf ;Push DWORD [LOCAL_008C] \ :00401C06 2834FF0100 LitVarI2 ;PushVarInteger 0001 | :00401C0B 6B72FF FLdI2 ;Push WORD [LOCAL_008E] | MID函数参数入栈 :00401C0E E7 CI4UI1 ; | :00401C0F 0478FF FLdRfVar ;Push LOCAL_0088 | :00401C12 4D54FF0840 CVarRef ; | :00401C17 0424FF FLdRfVar ;Push LOCAL_00DC / **********Reference To->msvbvm60.rtcMidCharVar //MID | :00401C1A 0A01001000 ImpAdCallFPR4 ;Call ptr_00401030; check stack 0010; Push EAX //MID取字符 :00401C1F 0424FF FLdRfVar ;Push LOCAL_00DC //取得字符入栈 :00401C22 FDFE68FF CStrVarVal ; **********Reference To->msvbvm60.rtcAnsiValueBstr //ASC | :00401C26 0B02000400 ImpAdCallI2 ;Call ptr_00401036; check stack 0004; Push EAX //ASC运算 :00401C2B FBFD CStrUI1 ;vbaStrI2 //将整数转换为字符 :00401C2D 2320FF FStStrNoPop ;SysFreeString [LOCAL_00E0]; [LOCAL_00E0]=[stack] //将字符释放 :00401C30 2A ConcatStr ;vbaStrCat //连接字符串 :00401C31 3174FF FStStr ;SysFreeString [LOCAL_008C]; [LOCAL_008C]=Pop //将字符释放 :00401C34 32040068FF20FF FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0004/2 times ~ arg :00401C3B 36040034FF24FF FFreeVar ;Free 0004/2 variants //释放变量 :00401C42 0472FF FLdRfVar ;Push LOCAL_008E //将文本框中的内容入栈 :00401C45 6464FF2B00 NextI2 ; **********循环计算结束 :00401C4A 6C74FF ILdRf ;Push DWORD [LOCAL_008C] :00401C4D 21 FLdPrThis ;[SR]=[stack2] //和下句配套使用 :00401C4E 0F0003 VCallAd ;Return the control index 02 //获得窗体句柄 :00401C51 196CFF FStAdFunc ;//取propput过程地址 :00401C54 086CFF FLdPr ;[SR]=[LOCAL_0094] //加载过程 ***********Reference To:[propput]TextBox.Text //propput,TextBox.Text的赋值过程 | :00401C57 0DA4000000 VCallHresult ;Call ptr_004014A8 //给TextBox.Text赋值 :00401C5C 1A6CFF FFree1Ad ;Push [LOCAL_0094]; Call [[[LOCAL_0094]]+8]; [[LOCAL_0094]]=0 :00401C5F 13 ExitProcHresult ;//退出过程 在1的基础上我们在加个判断看看! 分析2:(源文件) ============================================= Private Sub Command1_Click() Dim name As String, code As String, T As String, F As String Dim i As Integer T = "True code!" F = "False code!" name = Text1.Text For i = 1 To Len(name) code = code & CStr(Asc(Mid(name, i, 1))) Next i If Text2.Text = code Then MsgBox T, vbOKOnly, "P-Code(2-2)" Else MsgBox F, vbOKOnly, "P-Code(2-2)" End If End Sub ============================================= (P-Code) ============================================= [Command1.Click] ******Possible String Ref To->"True code!" | :00401C48 1B0000 LitStr ;Push ptr_004016F4 //装入"True code!"字符 :00401C4B 4370FF FStStrCopy ;[LOCAL_0090]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop //复制到内存0090 ******Possible String Ref To->"False code!" | :00401C4E 1B0100 LitStr ;Push ptr_00401710 //装入"False code!"字符 :00401C51 436CFF FStStrCopy ;[LOCAL_0094]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop //复制到内存0094 :00401C54 0460FF FLdRfVar ;Push LOCAL_00A0 //开辟内存空间 :00401C57 21 FLdPrThis ;[SR]=[stack2] //和下句配套使用 :00401C58 0F0403 VCallAd ;Return the control index 03 //获得窗体句柄 :00401C5B 1964FF FStAdFunc ;//取propget过程地址 :00401C5E 0864FF FLdPr ;[SR]=[LOCAL_009C] //加载过程 ***********Reference To:[propget]TextBox.Text //propget,TextBox.Text的取过程 | :00401C61 0DA0000200 VCallHresult ;Call ptr_00401728 //获得文本框中的内容 :00401C66 3E60FF FLdZeroAd ;Push DWORD [LOCAL_00A0]; [LOCAL_00A0]=0 //将内容入栈 :00401C69 3178FF FStStr ;SysFreeString [LOCAL_0088]; [LOCAL_0088]=Pop //将字符释放到0088 :00401C6C 1A64FF FFree1Ad ;Push [LOCAL_009C]; Call [[[LOCAL_009C]]+8]; [[LOCAL_009C]]=0 :00401C6F F401 LitI2_Byte ;Push 01 :00401C71 046AFF FLdRfVar ;Push LOCAL_0096 //将文本框中的内容入栈 :00401C74 6C78FF ILdRf ;Push DWORD [LOCAL_0088] //字符串入栈作为参数 :00401C77 4A FnLenStr ;vbaLenBstr //计算字符串长度 :00401C78 E4 CI2I4 ;Verify [stack] high word is 0000, ECX=[ECX] ***********循环计算开始 :00401C79 FE635CFF7E00 ForI2 ;//For运算 :00401C7F 6C74FF ILdRf ;Push DWORD [LOCAL_008C] \ :00401C82 282CFF0100 LitVarI2 ;PushVarInteger 0001 | :00401C87 6B6AFF FLdI2 ;Push WORD [LOCAL_0096] | :00401C8A E7 CI4UI1 ; | MID函数参数入栈 :00401C8B 0478FF FLdRfVar ;Push LOCAL_0088 | :00401C8E 4D4CFF0840 CVarRef ; | :00401C93 041CFF FLdRfVar ;Push LOCAL_00E4 / **********Reference To->msvbvm60.rtcMidCharVar //MID | :00401C96 0A03001000 ImpAdCallFPR4 ;Call ptr_00401030; check stack 0010; Push EAX //MID取字符 :00401C9B 041CFF FLdRfVar ;Push LOCAL_00E4 //取得字符入栈 :00401C9E FDFE60FF CStrVarVal ; **********Reference To->msvbvm60.rtcAnsiValueBstr | :00401CA2 0B04000400 ImpAdCallI2 ;Call ptr_00401036; check stack 0004; Push EAX //ASC运算 :00401CA7 FBFD CStrUI1 ;vbaStrI2 //将整数转换为字符 :00401CA9 2318FF FStStrNoPop ;SysFreeString [LOCAL_00E8]; [LOCAL_00E8]=[stack] //将字符释放 :00401CAC 2A ConcatStr ;vbaStrCat //连接字符串 :00401CAD 3174FF FStStr ;SysFreeString [LOCAL_008C]; [LOCAL_008C]=Pop //将字符释放 :00401CB0 32040060FF18FF FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0004/2 times ~ arg :00401CB7 3604002CFF1CFF FFreeVar ;Free 0004/2 variants //释放变量 :00401CBE 046AFF FLdRfVar ;Push LOCAL_0096 //将文本框中的内容入栈 :00401CC1 645CFF3700 NextI2 ; **********循环计算结束 :00401CC6 0460FF FLdRfVar ;Push LOCAL_00A0 //将文本框2中的内容入栈 :00401CC9 21 FLdPrThis ;[SR]=[stack2] //和下句配套使用 :00401CCA 0F0003 VCallAd ;Return the control index 02 //获得窗体句柄 :00401CCD 1964FF FStAdFunc ;//取propput过程地址 :00401CD0 0864FF FLdPr ;[SR]=[LOCAL_009C] //加载过程 ***********Reference To:[propget]TextBox.Text //propget,TextBox.Text的取过程 | :00401CD3 0DA0000200 VCallHresult ;Call ptr_00401728 //获得文本框中的内容 :00401CD8 6C60FF ILdRf ;Push DWORD [LOCAL_00A0] //将文本框2中的内容入栈 :00401CDB 6C74FF ILdRf ;Push DWORD [LOCAL_008C] //正确code :00401CDE FB30 EqStr ;//字符串相等比较 :00401CE0 2F60FF FFree1Str ;SysFreeString [LOCAL_00A0]; [LOCAL_00A0]=0 :00401CE3 1A64FF FFree1Ad ;Push [LOCAL_009C]; Call [[[LOCAL_009C]]+8]; [[LOCAL_009C]]=0 :00401CE6 1CD000 BranchF ;If Pop=0 then ESI=00401D18 //不相等则跳 :00401CE9 27E8FE LitVar ;PushVar LOCAL_0118 \ :00401CEC 271CFF LitVar ;PushVar LOCAL_00E4 | ******Possible String Ref To->"P-Code(2-2)" | | | :00401CEF 3A3CFF0500 LitVarStr ;PushVarString ptr_0040173C | MsgBox函数参数入栈 :00401CF4 4E2CFF FStVarCopyObj ;[LOCAL_00D4]=vbaVarDup(Pop) | 具体怎么看请找我的 :00401CF7 042CFF FLdRfVar ;Push LOCAL_00D4 | Pcode粗略分析(1) :00401CFA F500000000 LitI4 ;Push 00000000 | :00401CFF 0470FF FLdRfVar ;Push LOCAL_0090 / :00401D02 4D4CFF0840 CVarRef ; **********Reference To->msvbvm60.rtcMsgBox | :00401D07 0A06001400 ImpAdCallFPR4 ;Call ptr_0040103C; check stack 0014; Push EAX MsgBox :00401D0C 3606002CFF1CFFE8 FFreeVar ;Free 0006/2 variants //释放变量 :00401D15 1EFC00 Branch ;ESI=00401D44 //跳转到00401D44 :00401D18 27E8FE LitVar ;PushVar LOCAL_0118 \ :00401D1B 271CFF LitVar ;PushVar LOCAL_00E4 | ******Possible String Ref To->"P-Code(2-2)" | | | :00401D1E 3A3CFF0500 LitVarStr ;PushVarString ptr_0040173C | MsgBox函数参数入栈 :00401D23 4E2CFF FStVarCopyObj ;[LOCAL_00D4]=vbaVarDup(Pop) | :00401D26 042CFF FLdRfVar ;Push LOCAL_00D4 | :00401D29 F500000000 LitI4 ;Push 00000000 | :00401D2E 046CFF FLdRfVar ;Push LOCAL_0094 / :00401D31 4D4CFF0840 CVarRef ; **********Reference To->msvbvm60.rtcMsgBox | :00401D36 0A06001400 ImpAdCallFPR4 ;Call ptr_0040103C; check stack 0014; Push EAX //MsgBox :00401D3B 3606002CFF1CFFE8 FFreeVar ;Free 0006/2 variants //释放内存变量 :00401D44 13 ExitProcHresult ;//退出过程 :00401D45 0000 LargeBos ;IDE beginning of line with 00 byte codes |
2楼2006-08-23 15:53:43
sdlj8051
金虫 (著名写手)
- 应助: 0 (幼儿园)
- 贵宾: 0.1
- 金币: 1149.8
- 红花: 3
- 帖子: 2254
- 在线: 18.1小时
- 虫号: 71297
- 注册: 2005-05-30
- 专业: 电路与系统
|
'在理解前两节知识的前提下,我们这里引入一个我自己写的LYSA算法和一个简单的CrackmeONEII作为分析的目标。 '作为除夕的礼物送给大家,小鸟一只让向各位献丑了! 'CrackmeONEII '为了和前面衔接,CrackmeONEII是在Pcode(2-2)基础上写的 '下面是源代码,里面用的是一种查表法 ***********Reference CrackmeONEII's Sound code Private Sub Command1_Click() Dim name As String, code As String, strCode As String, T As String, F As String Dim i As Integer, j As Integer T = "CrackmeONEII+LYSA-II True code!" F = "CrackmeONEII+LYSA-II False code!" name = "": code = "": strCode = "" name = Text1.Text If name = "" Then Text1.Text = "" Exit Sub End If If Asc(name) < 0 Then Text1.Text = "" Exit Sub End If For i = 1 To Len(name) If Asc(Mid(name, i, 1)) >= 48 And Asc(Mid(name, i, 1)) <= 57 Then '0-9 Select Case Mid(name, i, 1) Case "1" strCode = strCode & "da" Case "2" strCode = strCode & "fa" Case "3" strCode = strCode & "fc" Case "4" strCode = strCode & "dc" Case "5" strCode = strCode & "eb" Case "6" strCode = strCode & "fb" Case "7" strCode = strCode & "ea" Case "8" strCode = strCode & "ec" Case "9" strCode = strCode & "db" Case "0" strCode = strCode & "ab" End Select End If If Asc(Mid(name, i, 1)) >= 65 And Asc(Mid(name, i, 1)) <= 90 Then 'A-Z Select Case Mid(name, i, 1) Case "A" strCode = strCode & "01" Case "B" strCode = strCode & "62" Case "C" strCode = strCode & "81" Case "D" strCode = strCode & "84" Case "E" strCode = strCode & "63" Case "F" strCode = strCode & "71" Case "G" strCode = strCode & "72" Case "H" strCode = strCode & "91" Case "I" strCode = strCode & "74" Case "J" strCode = strCode & "93" Case "K" strCode = strCode & "03" Case "L" strCode = strCode & "82" Case "M" strCode = strCode & "61" Case "N" strCode = strCode & "02" Case "O" strCode = strCode & "65" Case "P" strCode = strCode & "8a" Case "Q" strCode = strCode & "92" Case "R" strCode = strCode & "75" Case "S" strCode = strCode & "05" Case "T" strCode = strCode & "95" Case "U" strCode = strCode & "83" Case "V" strCode = strCode & "64" Case "W" strCode = strCode & "85" Case "X" strCode = strCode & "04" Case "Y" strCode = strCode & "94" Case "Z" strCode = strCode & "73" End Select End If If Asc(Mid(name, i, 1)) >= 97 And Asc(Mid(name, i, 1)) <= 122 Then 'a-z Select Case Mid(name, i, 1) Case "a" strCode = strCode & "10" Case "b" strCode = strCode & "26" Case "c" strCode = strCode & "18" Case "d" strCode = strCode & "48" Case "e" strCode = strCode & "36" Case "f" strCode = strCode & "17" Case "g" strCode = strCode & "27" Case "h" strCode = strCode & "19" Case "i" strCode = strCode & "47" Case "j" strCode = strCode & "39" Case "k" strCode = strCode & "30" Case "l" strCode = strCode & "28" Case "m" strCode = strCode & "16" Case "n" strCode = strCode & "20" Case "o" strCode = strCode & "56" Case "p" strCode = strCode & "3f" Case "q" strCode = strCode & "29" Case "r" strCode = strCode & "57" Case "s" strCode = strCode & "50" Case "t" strCode = strCode & "59" Case "u" strCode = strCode & "38" Case "v" strCode = strCode & "46" Case "w" strCode = strCode & "58" Case "x" strCode = strCode & "40" Case "y" strCode = strCode & "94" Case "z" strCode = strCode & "37" End Select End If If Asc(Mid(name, i, 1)) >= 0 And Asc(Mid(name, i, 1)) <= 47 Then Text1.Text = "" Exit Sub End If If Asc(Mid(name, i, 1)) >= 58 And Asc(Mid(name, i, 1)) <= 64 Then Text1.Text = "" Exit Sub End If If Asc(Mid(name, i, 1)) >= 91 And Asc(Mid(name, i, 1)) <= 96 Then Text1.Text = "" Exit Sub End If If Asc(Mid(name, i, 1)) >= 123 And Asc(Mid(name, i, 1)) <= 255 Then Text1.Text = "" Exit Sub End If Next i 'MsgBox strCode For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "f" Then code = code & "f" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "e" Then code = code & "e" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "d" Then code = code & "d" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "c" Then code = code & "c" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "b" Then code = code & "b" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "a" Then code = code & "a" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "9" Then code = code & "9" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "8" Then code = code & "8" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "7" Then code = code & "7" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "6" Then code = code & "6" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "5" Then code = code & "5" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "4" Then code = code & "4" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "3" Then code = code & "3" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "2" Then code = code & "2" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "1" Then code = code & "1" Next j For j = 1 To Len(strCode) If Mid(strCode, j, 1) = "0" Then code = code & "0" Next j 'MsgBox code If Text2.Text = code Then MsgBox T, vbOKOnly, "CrackmeONEII+LYSA-II" Else Text1.Text = "" Text2.Text = "" MsgBox F, vbOKOnly, "CrackmeONEII+LYSA-II" End If End Sub ***********Reference VB P-code [Command1.Click] ******Possible String Ref To->"CrackmeONEII+LYSA-II True code!" | :004027E4 1B0000 LitStr ;Push ptr_0040219C // 装入字符串 :004027E7 436CFF FStStrCopy ;[LOCAL_0094]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop // 复制到内存0094 ******Possible String Ref To->"CrackmeONEII+LYSA-II False code!" | :004027EA 1B0100 LitStr ;Push ptr_004021E0 // 装入字符串 :004027ED 4368FF FStStrCopy ;[LOCAL_0098]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop // 复制到内存0098 ******Possible String Ref To->"" | :004027F0 1B0200 LitStr ;Push ptr_00402228 // 装入字符串 :004027F3 4378FF FStStrCopy ;[LOCAL_0088]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop // 复制到内存0088 ******Possible String Ref To->"" | :004027F6 1B0200 LitStr ;Push ptr_00402228 // 装入字符串 :004027F9 4374FF FStStrCopy ;[LOCAL_008C]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop // 复制到内存008C ******Possible String Ref To->"" | :004027FC 1B0200 LitStr ;Push ptr_00402228 // 装入字符串 :004027FF 4370FF FStStrCopy ;[LOCAL_0090]=SysAllocStringByteLen(Pop, [Pop-4]); SysFreeString Pop // 复制到内存0090 **************************************** T = "CrackmeONEII+LYSA-II True code!" F = "CrackmeONEII+LYSA-II False code!" name = "": code = "": strCode = "" **************************************** :00402802 045CFF FLdRfVar ;Push LOCAL_00A4 // 开辟内存空间 :00402805 21 FLdPrThis ;[SR]=[stack2] \ :00402806 0F0403 VCallAd ;Return the control index 03 / // 获得窗体句柄 :00402809 1960FF FStAdFunc ;// 取propget过程地址 :0040280C 0860FF FLdPr ;[SR]=[LOCAL_00A0] // 加载过程 ***********Reference To:[propget]TextBox.Text // propget,TextBox.Text的取过程 | :0040280F 0DA0000300 VCallHresult ;Call ptr_0040222C // 获得文本框中的内容 :00402814 3E5CFF FLdZeroAd ;Push DWORD [LOCAL_00A4]; [LOCAL_00A4]=0 // 将内容入栈 :00402817 3178FF FStStr ;SysFreeString [LOCAL_0088]; [LOCAL_0088]=Pop // 将字符释放到0088 :0040281A 1A60FF FFree1Ad ;Push [LOCAL_00A0]; Call [[[LOCAL_00A0]]+8]; [[LOCAL_00A0]]=0 // 调用后释放空间 **************************************** name = Text1.Text **************************************** :0040281D 6C78FF ILdRf ;Push DWORD [LOCAL_0088] // 装载获取的文本内容,作为参数 ******Possible String Ref To->"" | :00402820 1B0200 LitStr ;Push ptr_00402228 // NULL字符入栈 :00402823 FB30 EqStr ;//字符串比较 :00402825 1C5A00 BranchF ;If Pop=0 then ESI=0040283E // 不相等则跳(F->条件为假)0040283E ******Possible String Ref To->"" | :00402828 1B0200 LitStr ;Push ptr_00402228 // NULL字符入栈 :0040282B 21 FLdPrThis ;[SR]=[stack2] \ :0040282C 0F0403 VCallAd ;Return the control index 03 / // 获得窗体句柄 :0040282F 1960FF FStAdFunc ;// 取propput过程地址 :00402832 0860FF FLdPr ;[SR]=[LOCAL_00A0] // 加载过程 ***********Reference To:[propput]TextBox.Text // propput,TextBox.Text的赋值过程 | :00402835 0DA4000300 VCallHresult ;Call ptr_0040222C // 将文本框赋值为NULL字符 :0040283A 1A60FF FFree1Ad ;Push [LOCAL_00A0]; Call [[[LOCAL_00A0]]+8]; [[LOCAL_00A0]]=0 // 调用后释放空间 :0040283D 13 ExitProcHresult ;// 退出过程 |
3楼2006-08-23 15:54:41
sdlj8051
金虫 (著名写手)
- 应助: 0 (幼儿园)
- 贵宾: 0.1
- 金币: 1149.8
- 红花: 3
- 帖子: 2254
- 在线: 18.1小时
- 虫号: 71297
- 注册: 2005-05-30
- 专业: 电路与系统
|
**************************************** If name = "" Then Text1.Text = "" Exit Sub End If **************************************** :0040283E 6C78FF ILdRf ;Push DWORD [LOCAL_0088] // 装载获取的文本内容,作为参数 **********Reference To->msvbvm60.rtcAnsiValueBstr //ASC() | :00402841 0B04000400 ImpAdCallI2 ;Call ptr_00401030; check stack 0004; Push EAX // ASC([LOCAL_0088]) :00402846 F400 LitI2_Byte ;Push 00 // 0入栈 :00402848 D0 LtI2 ;// 整数的小于判断(less than) :00402849 1C7E00 BranchF ;If Pop=0 then ESI=00402862 // 不小于则跳00402862 ******Possible String Ref To->"" | :0040284C 1B0200 LitStr ;Push ptr_00402228 // NULL字符入栈 :0040284F 21 FLdPrThis ;[SR]=[stack2] \ :00402850 0F0403 VCallAd ;Return the control index 03 / // 获得窗体句柄 :00402853 1960FF FStAdFunc ;// 取propput过程地址 :00402856 0860FF FLdPr ;[SR]=[LOCAL_00A0] // 加载过程 ***********Reference To:[propput]TextBox.Text // propput,TextBox.Text的赋值过程 | :00402859 0DA4000300 VCallHresult ;Call ptr_0040222C // 将文本框赋值为NULL字符 :0040285E 1A60FF FFree1Ad ;Push [LOCAL_00A0]; Call [[[LOCAL_00A0]]+8]; [[LOCAL_00A0]]=0 // 调用后释放空间 :00402861 13 ExitProcHresult ;// 退出过程 **************************************** If Asc(name) < 0 Then Text1.Text = "" Exit Sub End If **************************************** :00402862 F401 LitI2_Byte ;Push 01 // 01入栈 :00402864 0466FF FLdRfVar ;Push LOCAL_009A // 加载变量i :00402867 6C78FF ILdRf ;Push DWORD [LOCAL_0088] // 装载获取的文本内容,作为参数 :0040286A 4A FnLenStr ;vbaLenBstr // 计算name长度 :0040286B E4 CI2I4 ;Verify [stack] high word is 0000, ECX=[ECX] :0040286C FE6358FFA30A ForI2 ;// FOR **************************************** For i = 1 To Len(name) **************************************** :00402872 2828FF0100 LitVarI2 ;PushVarInteger 0001 \ 取长度 :00402877 6B66FF FLdI2 ;Push WORD [LOCAL_009A] | 变量i的值 :0040287A E7 CI4UI1 ; | // MID函数参数入栈 :0040287B 0478FF FLdRfVar ;Push LOCAL_0088 / 文本内容 :0040287E 4D48FF0840 CVarRef ;// 创建临时变量 :00402883 0418FF FLdRfVar ;Push LOCAL_00E8 // 加载临时变量 **********Reference To->msvbvm60.rtcMidCharVar | :00402886 0A05001000 ImpAdCallFPR4 ;Call ptr_00401036; check stack 0010; Push EAX // MID操作 :0040288B 0418FF FLdRfVar ;Push LOCAL_00E8 \ :0040288E FDFE5CFF CStrVarVal ; / // ASC函数参数入栈 **********Reference To->msvbvm60.rtcAnsiValueBstr | :00402892 0B04000400 ImpAdCallI2 ;Call ptr_00401030; check stack 0004; Push EAX // ASC操作 :00402897 F430 LitI2_Byte ;Push 30 // 48入栈 :00402899 DF GeI2 ;// 大于等于比较操作 :0040289A 28E8FE0100 LitVarI2 ;PushVarInteger 0001 \ 取长度 :0040289F 6B66FF FLdI2 ;Push WORD [LOCAL_009A] | 变量i的值 :004028A2 E7 CI4UI1 ; | // MID函数参数入栈 :004028A3 0478FF FLdRfVar ;Push LOCAL_0088 / 文本内容 :004028A6 4D08FF0840 CVarRef ;// 创建临时变量 :004028AB 04D8FE FLdRfVar ;Push LOCAL_0128 // 加载临时变量 **********Reference To->msvbvm60.rtcMidCharVar | :004028AE 0A05001000 ImpAdCallFPR4 ;Call ptr_00401036; check stack 0010; Push EAX //MID操作 :004028B3 04D8FE FLdRfVar ;Push LOCAL_0128 \ :004028B6 FDFED4FE CStrVarVal ; / // ASC函数参数入栈 **********Reference To->msvbvm60.rtcAnsiValueBstr | :004028BA 0B04000400 ImpAdCallI2 ;Call ptr_00401030; check stack 0004; Push EAX //ASC操作 :004028BF F439 LitI2_Byte ;Push 39 // 57入栈 :004028C1 D5 LeI2 ;// 小于等于比较操作 :004028C2 C4 AndI4 ;// AND :004028C3 3204005CFFD4FE FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0004/2 times ~ arg :004028CA 36080028FF18FFE8 FFreeVar ;Free 0008/2 variants // 释放临时变量 :004028D5 1C2202 BranchF ;If Pop=0 then ESI=00402A06 // 条件为假则跳00402A06 |
4楼2006-08-23 15:55:43