实例操作之 音速启动(vstart) 用户数据解密(user50/*.vst)
音速启动(vstart5版本)是一款很好用的桌面快捷方式管理工具, 添加好的快捷方式可以按我们自己的需求分类管理,最终是保存在user50目录下的三个文件中(常用程序.vst,常用文件.vst,常用网址.vst), 我们用记事本打开可看到内容是加密的保存的
现在我们来解密,查看明文数据
开整,上工具, 1). PEiD 查看程序是由VB开发的, 2. VB Decompiler11.5反编译程序, 结果可看到,界面设计有55个界面, 我们不看界面设计,直接看代码,从代码中找关键词,如user50/目录, .vst文件的访问
优先查看frmMain主界面的onload事件代码Form_Load_4D4F30,如下:
Private Sub Form_Load() '4D4F30
Dim var_F4 As Variant
Dim var_FC As App
Dim var_3C As Variant
loc_004D4F95: On Error Resume Next
loc_004D4FD1: var_F4 = (Command <> "nopre")
loc_004D4FEA: If var_F4 = 0 Then GoTo loc_004D52C5
loc_004D502E: var_F4 = var_11C
loc_004D5047: var_3C = Global.App
loc_004D504C: var_F8 = var_3C
loc_004D508B: var_FC = var_3C
loc_004D50A7: var_E0 = var_FC.PrevInstance
loc_004D50AC: var_100 = var_E0
loc_004D50EF: var_104 = var_E0
loc_004D5108: If var_104 = 0 Then GoTo loc_004D52C5
loc_004D5123: var_FC.LinkTopic = global_0043EF28
loc_004D512B: var_F4 = Me
loc_004D51D8: var_F4 = frmMain.LinkAndSendMessage("ActiveMe")
loc_004D5252: var_F4 = var_134
loc_004D527B: var_F8 = Global.Unload Me
loc_004D52C0: GoTo loc_004D62A3
loc_004D52C5: ' Referenced from: 004D4FEA
loc_004D52F1: global_72 = CLng(Day(Date))
loc_004D5343: global_0066813C = Proc_4_38_519DD0(global_00668054, "PassWord", var_30)
loc_004D5372: If Len(global_0066813C) <= 0 Then GoTo loc_004D54AE
loc_004D539C: var_28 = Proc_4_28_518360("音速启动", "请输入音速启动的登陆口令:", global_0043EF28)
loc_004D53BA: If (var_28 = global_0043EF28) Then GoTo loc_004D53CE
loc_004D53C3: End
loc_004D53C9: GoTo loc_004D62A3
loc_004D53CE: ' Referenced from: 004D53BA
loc_004D53FF: var_F4 = (Proc_43_0_5848F0(var_28, -1, 0) = global_0066813C)
loc_004D5418: If var_F4 = 0 Then GoTo loc_004D54A7
loc_004D5484: MsgBox("您输入的口令是错误的!", 16, 10, 10, 10)
loc_004D54A5: GoTo loc_004D54A9
loc_004D54A7: ' Referenced from: 004D5418
loc_004D54A7: GoTo loc_004D54AE
loc_004D54A9: ' Referenced from: 004D54A5
loc_004D54A9: GoTo loc_004D5378
loc_004D54AE: ' Referenced from: 004D54A7
loc_004D5530: global_0066804C = StrComp(var_98, GetSetting("VStart5", "Main", "Path", 10), 1)
loc_004D555C: SaveSetting("VStart5", "Main", "Path", global_0066805C)
loc_004D557D: SaveSetting("VStart5", "Main", "MYVER", "5.1 Build 2012.5.26")
loc_004D559E: SaveSetting("VStart5", "Main", "MYVER2", "10031")
loc_004D55B2: If global_00668260 < 5 Then GoTo loc_004D55CF
loc_004D55CA: var_803C = Proc_20_1_536B20("/APP/\Files\RegAsm.exe", "[hide] CoreAudio.dll /codebase", global_0043EF28)
loc_004D55CF: ' Referenced from: 004D55B2
loc_004D561D: var_F4 = (Dir(global_0066805C & "UpDate2.exe", 0) = global_0043EF28)
loc_004D563F: If var_F4 = 0 Then GoTo loc_004D57D7
loc_004D564C: DoEvents
loc_004D565E: var_804C = Sleep(300)
loc_004D5670: DoEvents
loc_004D56A7: var_94 = "发现新的升级检查程序,按确定进行替换。"
loc_004D56DC: MsgBox(var_94, 64, 10, 10, 10)
loc_004D5704: DoEvents
loc_004D5716: var_8054 = Sleep(300)
loc_004D5728: DoEvents
loc_004D575E: var_8064 = DeleteFile(global_0066805C & "UpDate.exe")
loc_004D57BE: call Name(global_0066805C & "UpDate.exe", global_0066805C & "UpDate2.exe", var_94, var_90, global_0066805C, FFFFFFFFh, Me, 0, 0, 0)
loc_004D57D7: ' Referenced from: 004D563F
loc_004D57E0: var_8074 = Proc_4_10_5142B0(0, , 0)
loc_004D5833: global_00668070 = Proc_4_39_51A100(global_00668050, "OnTop", var_30)
loc_004D589A: global_00668072 = Proc_4_39_51A100(global_00668050, "InDeskTop", var_30)
loc_004D5901: global_00668074 = Proc_4_39_51A100(global_00668050, "NoMove", var_30)
loc_004D5981: var_8084 = Proc_4_39_51A100(global_00668050, "Show", var_30)
loc_004D59B7: global_00668076 = Proc_4_39_51A100(global_00668054, "RunMinXList", var_38)(-1)
loc_004D5A1F: global_006680E8 = Proc_4_39_51A100(global_00668050, "SearchOption", var_30)
loc_004D5A56: global_00668064 = global_0066805C & "User50\HotKey.vsh"
loc_004D5AB7: global_0066807A = Proc_4_39_51A100("HotKey", "App", var_34)
loc_004D5B22: global_006681F0 = Proc_4_39_51A100(global_00668054, "AllLock", var_30)
loc_004D5B5C: var_F4 = frmMain.Timer7
loc_004D5B73: var_F4.Enabled = True
loc_004D5B78: var_F8 = var_F4
loc_004D5BD8: SaveSetting("VStart5", "Main", "Running", "Yes")
loc_004D5BEE: If global_00668076 = 0 Then GoTo loc_004D5D16
loc_004D5C32: var_F4 = var_140
loc_004D5CD5: var_F8 = frmList.Show 10, var_98
loc_004D5D14: GoTo loc_004D5D22
loc_004D5D16: ' Referenced from: 004D5BEE
loc_004D5D1D: var_80A4 = Proc_4_11_514560(var_94, var_90, var_AC)
loc_004D5D22: ' Referenced from: 004D5D14
loc_004D5D29: var_80A8 = Proc_36_1_57A430(var_A8, var_A4, var_A0)
loc_004D5D3B: var_80AC = Proc_36_0_578A10(-1, 0, 0)
loc_004D5D6F: var_80B8 = DeleteFile(global_0066805C & "UpDateFile.exe")
loc_004D5DAE: var_F4 = frmMain.Timer2
loc_004D5DB9: var_E4 = GetDoubleClickTime(var_E4)
loc_004D5DDB: var_F4.Interval = var_E4
loc_004D5DE0: var_F8 = var_F4
loc_004D5E35: If global_006681AE = 0 Then GoTo loc_004D5E42
loc_004D5E40: If global_00668076 Then GoTo loc_004D5E4E
loc_004D5E42: ' Referenced from: 004D5E35
loc_004D5E49: var_80C8 = Proc_4_41_51A410(var_E4, var_E4, var_E8)
loc_004D5E55: var_80CC = Proc_6_1_51AA20(var_E4, var_E4, var_E4)
loc_004D5EBB: var_F4 = (Proc_4_38_519DD0("Mail", "Enabled", var_34) = global_0043EF28)
loc_004D5EE6: If var_F4 = 0 Then GoTo loc_004D5F88
loc_004D5F41: frmMail.Visible = False
loc_004D5F49: var_F8 = var_14C
loc_004D5FB8: var_F4 = (InStr(, Proc_32_10_5624C0(1, var_E4), "vsEnFolder.exe", 1) > 0)
loc_004D5FD1: If var_F4 = 0 Then GoTo loc_004D6010
loc_004D6001: var_F0 = Shell(global_0066805C & "vsEnFolder.exe", 4)
loc_004D6010: ' Referenced from: 004D5FD1
loc_004D6020: If global_006681B6 Then GoTo loc_004D605F
loc_004D6050: var_F0 = Shell(global_0066805C & "Plugins\MiniClock\MiniClock.exe", 1)
loc_004D605F: ' Referenced from: 004D6020
loc_004D606F: If global_00668194 = 0 Then GoTo loc_004D61AA
loc_004D60C2: var_94 = global_00668196
loc_004D6170: var_80F8 = Proc_20_1_536B20(global_0066805C & "UpDate.exe", CStr("Y" & IIf(global_00668196, "Y", "N") & "10031"), global_0043EF28)
loc_004D61AA: ' Referenced from: 004D606F
loc_004D61F8: var_F4 = Proc_4_39_51A100(global_00668054, "AutoBackUp", var_30)
loc_004D621B: If var_F4 = 0 Then GoTo loc_004D62A3
loc_004D6242: var_F4 = frmMain.Timer6
loc_004D6259: var_F4.Enabled = True
loc_004D625E: var_F8 = var_F4
loc_004D62A3: ' Referenced from: 004D52C0
loc_004D62A3: ' Referenced from: 004D53C9
loc_004D62B0: GoTo loc_004D62F9
loc_004D62F8: Exit Sub
loc_004D62F9: ' Referenced from: 004D62B0
End Sub
看到了密码验证,升级等关键词,关没有栏目加载的东东, 整个主界面下的程序都点开看,基本上没看到什么关键信息
往下找clsData模块下的代码,看到一个LoadFile_50B020方法,代码如下:
Public Function LoadFile(strFile) '50B020
loc_0050B086: On Error GoTo loc_0050D329
loc_0050B0A4: If (strFile = global_0043EF28) Then GoTo loc_0050B0BC
loc_0050B0B6: var_28 = pFileName
loc_0050B0BC: ' Referenced from: 0050B0A4
loc_0050B0DE: var_5C = FreeFile(10)
loc_0050B103: Open var_28 For Input As #var_5C Len = -1
loc_0050B11E: Line Input #var_5C, var_50
loc_0050B140: If InStr(1, var_50, global_004421B4, 1) > 0 Then GoTo loc_0050B2AE
loc_0050B18A: var_50 = Proc_48_1_589690(CStr(Trim(var_50)), 1, Me)
loc_0050B1DF: var_8C = Split(var_50, global_004421B4, -1, 0)
loc_0050B208: var_30 = var_F0
loc_0050B22F: If var_30 = 0 Then GoTo loc_0050B282
loc_0050B238: If var_30 <> 1 Then GoTo loc_0050B282
loc_0050B257: If var_F4 >= 0 Then GoTo loc_0050B265
loc_0050B263: GoTo loc_0050B271
loc_0050B265: ' Referenced from: 0050B257
loc_0050B26B: var_124 = Err.Raise
loc_0050B271: ' Referenced from: 0050B263
loc_0050B27A: var_128 = var_F4
loc_0050B280: GoTo loc_0050B28E
loc_0050B282: ' Referenced from: 0050B22F
loc_0050B288: var_128 = Err.Raise
loc_0050B28E: ' Referenced from: 0050B280
loc_0050B2A3: pPassWord = var_30
loc_0050B2A9: GoTo loc_0050B348
loc_0050B2AE: ' Referenced from: 0050B140
loc_0050B303: var_8C = Split(var_50, global_004421B4, -1, 0)
loc_0050B32C: var_30 = var_F0
loc_0050B348: ' Referenced from: 0050B2A9
loc_0050B385: var_8C = Split(var_50, global_004421B4, -1, 0)
loc_0050B3AE: var_30 = var_F0
loc_0050B3D5: If var_30 = 0 Then GoTo loc_0050B425
loc_0050B3DE: If var_30 <> 1 Then GoTo loc_0050B425
loc_0050B3FA: If var_F4 >= 0 Then GoTo loc_0050B408
loc_0050B406: GoTo loc_0050B414
loc_0050B408: ' Referenced from: 0050B3FA
loc_0050B40E: var_12C = Err.Raise
loc_0050B414: ' Referenced from: 0050B406
loc_0050B41D: var_130 = var_F4
loc_0050B423: GoTo loc_0050B431
loc_0050B425: ' Referenced from: 0050B3D5
loc_0050B42B: var_130 = Err.Raise
loc_0050B431: ' Referenced from: 0050B423
loc_0050B446: pTitle = var_30
loc_0050B457: If var_30 = 0 Then GoTo loc_0050B4AA
loc_0050B460: If var_30 <> 1 Then GoTo loc_0050B4AA
loc_0050B47F: If var_F4 >= 0 Then GoTo loc_0050B48D
loc_0050B48B: GoTo loc_0050B499
loc_0050B48D: ' Referenced from: 0050B47F
loc_0050B493: var_134 = Err.Raise
loc_0050B499: ' Referenced from: 0050B48B
loc_0050B4A2: var_138 = var_F4
loc_0050B4A8: GoTo loc_0050B4B6
loc_0050B4AA: ' Referenced from: 0050B457
loc_0050B4B0: var_138 = Err.Raise
loc_0050B4B6: ' Referenced from: 0050B4A8
loc_0050B4CB: pDate = var_30
loc_0050B4DC: If var_30 = 0 Then GoTo loc_0050B52F
loc_0050B4E5: If var_30 <> 1 Then GoTo loc_0050B52F
loc_0050B504: If var_F4 >= 0 Then GoTo loc_0050B512
loc_0050B510: GoTo loc_0050B51E
loc_0050B512: ' Referenced from: 0050B504
loc_0050B518: var_13C = Err.Raise
loc_0050B51E: ' Referenced from: 0050B510
loc_0050B527: var_140 = var_F4
loc_0050B52D: GoTo loc_0050B53B
loc_0050B52F: ' Referenced from: 0050B4DC
loc_0050B535: var_140 = Err.Raise
loc_0050B53B: ' Referenced from: 0050B52D
loc_0050B554: pBarCount = CLng(var_30)
loc_0050B567: pBarRealCount = pBarCount
loc_0050B57A: pBarMaxCount = pBarCount
loc_0050B588: If var_30 = 0 Then GoTo loc_0050B5DB
loc_0050B591: If var_30 <> 1 Then GoTo loc_0050B5DB
loc_0050B5B0: If var_F4 >= 0 Then GoTo loc_0050B5BE
loc_0050B5BC: GoTo loc_0050B5CA
loc_0050B5BE: ' Referenced from: 0050B5B0
loc_0050B5C4: var_144 = Err.Raise
loc_0050B5CA: ' Referenced from: 0050B5BC
loc_0050B5D3: var_148 = var_F4
loc_0050B5D9: GoTo loc_0050B5E7
loc_0050B5DB: ' Referenced from: 0050B588
loc_0050B5E1: var_148 = Err.Raise
loc_0050B5E7: ' Referenced from: 0050B5D9
loc_0050B600: pShortCount = CLng(var_30)
loc_0050B613: pShortRealCount = pShortCount
loc_0050B626: pShortMaxCount = pShortCount
loc_0050B637: If pBarCount <= 0 Then GoTo loc_0050B66D
loc_0050B664: ReDim global_92(0 To pBarCount(1))
loc_0050B66D: ' Referenced from: 0050B637
loc_0050B67B: If pShortCount <= 0 Then GoTo loc_0050B6B1
loc_0050B6A8: ReDim global_96(0 To pShortCount(1))
loc_0050B6B1: ' Referenced from: 0050B67B
loc_0050B6EF: If EOF(1) Then GoTo loc_0050D110
loc_0050B70A: Line Input #var_5C, var_50
loc_0050B770: var_D4 = ((var_2C <= 0) Or (pShortCount = 0))
loc_0050B7B5: var_F4 = CBool((Trim(var_50) <> global_0043EF28) And ((var_2C <= 0) Or (pShortCount = 0)))
loc_0050B7DB: If var_F4 = 0 Then GoTo loc_0050D10B
loc_0050B7FC: var_FC = Left$(var_50, 1)
loc_0050B81D: If (var_FC = "+") Then GoTo loc_0050C029
loc_0050B836: var_24 = var_24(1)
loc_0050B863: var_54 = Mid$(var_50, 2, 10)
loc_0050B88C: var_34 = InStr(1, var_54, global_004421B4, 0)
loc_0050B89A: If var_34 > 0 Then GoTo loc_0050B9F4
loc_0050B8AE: If global_92 = 0 Then GoTo loc_0050B908
loc_0050B8BA: If global_92 <> 1 Then GoTo loc_0050B908
loc_0050B8DD: If var_F4 >= 0 Then GoTo loc_0050B8EB
loc_0050B8E9: GoTo loc_0050B8F7
loc_0050B8EB: ' Referenced from: 0050B8DD
loc_0050B8F1: var_14C = Err.Raise
loc_0050B8F7: ' Referenced from: 0050B8E9
loc_0050B900: var_150 = var_F4*36
loc_0050B906: GoTo loc_0050B914
loc_0050B908: ' Referenced from: 0050B8AE
loc_0050B90E: var_150 = Err.Raise
loc_0050B914: ' Referenced from: 0050B906
loc_0050B939: global_92 = Proc_48_1_589690(var_54, 0, 0)
loc_0050B956: If global_92 = 0 Then GoTo loc_0050B9B0
loc_0050B962: If global_92 <> 1 Then GoTo loc_0050B9B0
loc_0050B985: If var_F4 >= 0 Then GoTo loc_0050B993
loc_0050B991: GoTo loc_0050B99F
loc_0050B993: ' Referenced from: 0050B985
loc_0050B999: var_154 = Err.Raise
loc_0050B99F: ' Referenced from: 0050B991
loc_0050B9A8: var_158 = var_F4*36
loc_0050B9AE: GoTo loc_0050B9BC
loc_0050B9B0: ' Referenced from: 0050B956
loc_0050B9B6: var_158 = Err.Raise
loc_0050B9BC: ' Referenced from: 0050B9AE
loc_0050B9EF: GoTo loc_0050BD0A
loc_0050B9F4: ' Referenced from: 0050B89A
loc_0050BA02: If global_92 = 0 Then GoTo loc_0050BA5C
loc_0050BA0E: If global_92 <> 1 Then GoTo loc_0050BA5C
loc_0050BA31: If var_F4 >= 0 Then GoTo loc_0050BA3F
loc_0050BA3D: GoTo loc_0050BA4B
loc_0050BA3F: ' Referenced from: 0050BA31
loc_0050BA45: var_15C = Err.Raise
loc_0050BA4B: ' Referenced from: 0050BA3D
loc_0050BA54: var_160 = var_F4*36
loc_0050BA5A: GoTo loc_0050BA68
loc_0050BA5C: ' Referenced from: 0050BA02
loc_0050BA62: var_160 = Err.Raise
loc_0050BA68: ' Referenced from: 0050BA5A
loc_0050BAAC: global_92 = Proc_48_1_589690(Left$(var_54, var_34(-1)), 0, fs:[00000000h])
loc_0050BAE1: If global_92 = 0 Then GoTo loc_0050BB3B
loc_0050BAED: If global_92 <> 1 Then GoTo loc_0050BB3B
loc_0050BB10: If var_F4 >= 0 Then GoTo loc_0050BB1E
loc_0050BB1C: GoTo loc_0050BB2A
loc_0050BB1E: ' Referenced from: 0050BB10
loc_0050BB24: var_164 = Err.Raise
loc_0050BB2A: ' Referenced from: 0050BB1C
loc_0050BB33: var_168 = var_F4*36
loc_0050BB39: GoTo loc_0050BB47
loc_0050BB3B: ' Referenced from: 0050BAE1
loc_0050BB41: var_168 = Err.Raise
loc_0050BB47: ' Referenced from: 0050BB39
loc_0050BB93: ecx = Proc_48_1_589690(Mid$(var_54, var_34(1), var_7C), , )
loc_0050BBC3: If global_92 = 0 Then GoTo loc_0050BC1D
loc_0050BBCF: If global_92 <> 1 Then GoTo loc_0050BC1D
loc_0050BBF2: If var_F4 >= 0 Then GoTo loc_0050BC00
loc_0050BBFE: GoTo loc_0050BC0C
loc_0050BC00: ' Referenced from: 0050BBF2
loc_0050BC06: var_16C = Err.Raise
loc_0050BC0C: ' Referenced from: 0050BBFE
loc_0050BC15: var_170 = var_F4*36
loc_0050BC1B: GoTo loc_0050BC29
loc_0050BC1D: ' Referenced from: 0050BBC3
loc_0050BC23: var_170 = Err.Raise
loc_0050BC29: ' Referenced from: 0050BC1B
loc_0050BC30: If global_92 = 0 Then GoTo loc_0050BC8A
loc_0050BC3C: If global_92 <> 1 Then GoTo loc_0050BC8A
loc_0050BC5F: If var_F8 >= 0 Then GoTo loc_0050BC6D
loc_0050BC6B: GoTo loc_0050BC79
loc_0050BC6D: ' Referenced from: 0050BC5F
loc_0050BC73: var_174 = Err.Raise
loc_0050BC79: ' Referenced from: 0050BC6B
loc_0050BC82: var_178 = var_F8*36
loc_0050BC88: GoTo loc_0050BC96
loc_0050BC8A: ' Referenced from: 0050BC30
loc_0050BC90: var_178 = Err.Raise
loc_0050BC96: ' Referenced from: 0050BC88
loc_0050BCF1: var_4C = Left$(Unsupported("edx+eax+00000004h"), 3) & Right$(Unsupported("ecx+edx+00000004h"), 3)
loc_0050BD0A: ' Referenced from: 0050B9EF
loc_0050BD18: If global_92 = 0 Then GoTo loc_0050BD72
loc_0050BD24: If global_92 <> 1 Then GoTo loc_0050BD72
loc_0050BD47: If var_F4 >= 0 Then GoTo loc_0050BD55
loc_0050BD53: GoTo loc_0050BD61
loc_0050BD55: ' Referenced from: 0050BD47
loc_0050BD5B: var_17C = Err.Raise
loc_0050BD61: ' Referenced from: 0050BD53
loc_0050BD6A: var_180 = var_F4*36
loc_0050BD70: GoTo loc_0050BD7E
loc_0050BD72: ' Referenced from: 0050BD18
loc_0050BD78: var_180 = Err.Raise
loc_0050BD7E: ' Referenced from: 0050BD70
loc_0050BDAB: If global_92 = 0 Then GoTo loc_0050BE05
loc_0050BDB7: If global_92 <> 1 Then GoTo loc_0050BE05
loc_0050BDDA: If var_F4 >= 0 Then GoTo loc_0050BDE8
loc_0050BDE6: GoTo loc_0050BDF4
loc_0050BDE8: ' Referenced from: 0050BDDA
loc_0050BDEE: var_184 = Err.Raise
loc_0050BDF4: ' Referenced from: 0050BDE6
loc_0050BDFD: var_188 = var_F4*36
loc_0050BE03: GoTo loc_0050BE11
loc_0050BE05: ' Referenced from: 0050BDAB
loc_0050BE0B: var_188 = Err.Raise
loc_0050BE11: ' Referenced from: 0050BE03
loc_0050BE32: If var_2C <= 0 Then GoTo loc_0050BEC3
loc_0050BE46: If global_96 = 0 Then GoTo loc_0050BEA0
loc_0050BE52: If global_96 <> 1 Then GoTo loc_0050BEA0
loc_0050BE75: If var_F4 >= 0 Then GoTo loc_0050BE83
loc_0050BE81: GoTo loc_0050BE8F
loc_0050BE83: ' Referenced from: 0050BE75
loc_0050BE89: var_18C = Err.Raise
loc_0050BE8F: ' Referenced from: 0050BE81
loc_0050BE98: var_190 = var_F4*48
loc_0050BE9E: GoTo loc_0050BEAC
loc_0050BEA0: ' Referenced from: 0050BE46
loc_0050BEA6: var_190 = Err.Raise
loc_0050BEAC: ' Referenced from: 0050BE9E
loc_0050BEC3: ' Referenced from: 0050BE32
loc_0050BECE: If var_60 Then GoTo loc_0050BF68
loc_0050BEE2: If global_92 = 0 Then GoTo loc_0050BF45
loc_0050BEEE: If global_92 <> 1 Then GoTo loc_0050BF45
loc_0050BF1A: If var_F4 >= 0 Then GoTo loc_0050BF28
loc_0050BF26: GoTo loc_0050BF34
loc_0050BF28: ' Referenced from: 0050BF1A
loc_0050BF2E: var_194 = Err.Raise
loc_0050BF34: ' Referenced from: 0050BF26
loc_0050BF3D: var_198 = var_F4*36
loc_0050BF43: GoTo loc_0050BF51
loc_0050BF45: ' Referenced from: 0050BEE2
loc_0050BF4B: var_198 = Err.Raise
loc_0050BF51: ' Referenced from: 0050BF43
loc_0050BF68: ' Referenced from: 0050BECE
loc_0050BF73: If var_60 <> 1 Then GoTo loc_0050C016
loc_0050BF7D: If var_2C <= 0 Then GoTo loc_0050C016
loc_0050BF91: If global_92 = 0 Then GoTo loc_0050BFF4
loc_0050BF9D: If global_92 <> 1 Then GoTo loc_0050BFF4
loc_0050BFC9: If var_F4 >= 0 Then GoTo loc_0050BFD7
loc_0050BFD5: GoTo loc_0050BFE3
loc_0050BFD7: ' Referenced from: 0050BFC9
loc_0050BFDD: var_19C = Err.Raise
loc_0050BFE3: ' Referenced from: 0050BFD5
loc_0050BFEC: var_1A0 = var_F4*36
loc_0050BFF2: GoTo loc_0050C000
loc_0050BFF4: ' Referenced from: 0050BF91
loc_0050BFFA: var_1A0 = Err.Raise
loc_0050C000: ' Referenced from: 0050BFF2
loc_0050C016: ' Referenced from: 0050BF73
loc_0050C024: GoTo loc_0050D10B
loc_0050C029: ' Referenced from: 0050B81D
loc_0050C044: If (var_FC = global_00444220) Then GoTo loc_0050C118
loc_0050C066: If global_92 = 0 Then GoTo loc_0050C0C0
loc_0050C072: If global_92 <> 1 Then GoTo loc_0050C0C0
loc_0050C095: If var_F4 >= 0 Then GoTo loc_0050C0A3
loc_0050C0A1: GoTo loc_0050C0AF
loc_0050C0A3: ' Referenced from: 0050C095
loc_0050C0A9: var_1A4 = Err.Raise
loc_0050C0AF: ' Referenced from: 0050C0A1
loc_0050C0B8: var_1A8 = var_F4*36
loc_0050C0BE: GoTo loc_0050C0CC
loc_0050C0C0: ' Referenced from: 0050C066
loc_0050C0C6: var_1A8 = Err.Raise
loc_0050C0CC: ' Referenced from: 0050C0BE
loc_0050C0E8: var_80F8 = CLng(Mid$(var_50, 2, var_7C))
loc_0050C113: GoTo loc_0050D10B
loc_0050C118: ' Referenced from: 0050C044
loc_0050C133: If (var_FC = global_00444228) Then GoTo loc_0050C223
loc_0050C155: If global_92 = 0 Then GoTo loc_0050C1AF
loc_0050C161: If global_92 <> 1 Then GoTo loc_0050C1AF
loc_0050C184: If var_F4 >= 0 Then GoTo loc_0050C192
loc_0050C190: GoTo loc_0050C19E
loc_0050C192: ' Referenced from: 0050C184
loc_0050C198: var_1AC = Err.Raise
loc_0050C19E: ' Referenced from: 0050C190
loc_0050C1A7: var_1B0 = var_F4*36
loc_0050C1AD: GoTo loc_0050C1BB
loc_0050C1AF: ' Referenced from: 0050C155
loc_0050C1B5: var_1B0 = Err.Raise
loc_0050C1BB: ' Referenced from: 0050C1AD
loc_0050C1FC: ecx = Proc_48_1_589690(Mid$(var_50, 2, var_7C), , )
loc_0050C21E: GoTo loc_0050D10B
loc_0050C223: ' Referenced from: 0050C133
loc_0050C23E: If (var_FC = "|") Then GoTo loc_0050C32E
loc_0050C260: If global_92 = 0 Then GoTo loc_0050C2BA
loc_0050C26C: If global_92 <> 1 Then GoTo loc_0050C2BA
loc_0050C28F: If var_F4 >= 0 Then GoTo loc_0050C29D
loc_0050C29B: GoTo loc_0050C2A9
loc_0050C29D: ' Referenced from: 0050C28F
loc_0050C2A3: var_1B4 = Err.Raise
loc_0050C2A9: ' Referenced from: 0050C29B
loc_0050C2B2: var_1B8 = var_F4*36
loc_0050C2B8: GoTo loc_0050C2C6
loc_0050C2BA: ' Referenced from: 0050C260
loc_0050C2C0: var_1B8 = Err.Raise
loc_0050C2C6: ' Referenced from: 0050C2B8
loc_0050C307: ecx = Proc_48_1_589690(Mid$(var_50, 2, var_7C), , )
loc_0050C329: GoTo loc_0050D10B
loc_0050C32E: ' Referenced from: 0050C23E
loc_0050C36B: var_8C = Split(var_50, global_004421B4, -1, 0)
loc_0050C3C3: var_10C = UBound(var_F0)
loc_0050C3DA: GoTo loc_0050C3EE
loc_0050C3DF: var_64 = var_64 + var_108
loc_0050C3EB: var_64 = var_64+var_108
loc_0050C3EE: ' Referenced from: 0050C3DA
loc_0050C3F7: If var_64 > var_10C Then GoTo loc_0050C50F
loc_0050C408: If var_30 = 0 Then GoTo loc_0050C459
loc_0050C411: If var_F0 <> 1 Then GoTo loc_0050C459
loc_0050C42E: If var_F8 >= 0 Then GoTo loc_0050C43C
loc_0050C43A: GoTo loc_0050C448
loc_0050C43C: ' Referenced from: 0050C42E
loc_0050C442: var_1BC = Err.Raise
loc_0050C448: ' Referenced from: 0050C43A
loc_0050C451: var_1C0 = var_F8
loc_0050C457: GoTo loc_0050C465
loc_0050C459: ' Referenced from: 0050C408
loc_0050C45F: var_1C0 = Err.Raise
loc_0050C465: ' Referenced from: 0050C457
loc_0050C469: If var_30 = 0 Then GoTo loc_0050C4BA
loc_0050C472: If var_F0 <> 1 Then GoTo loc_0050C4BA
loc_0050C48F: If var_F4 >= 0 Then GoTo loc_0050C49D
loc_0050C49B: GoTo loc_0050C4A9
loc_0050C49D: ' Referenced from: 0050C48F
loc_0050C4A3: var_1C4 = Err.Raise
loc_0050C4A9: ' Referenced from: 0050C49B
loc_0050C4B2: var_1C8 = var_F4
loc_0050C4B8: GoTo loc_0050C4C6
loc_0050C4BA: ' Referenced from: 0050C469
loc_0050C4C0: var_1C8 = Err.Raise
loc_0050C4C6: ' Referenced from: 0050C4B8
loc_0050C4F4: var_30 = Proc_48_1_589690(var_F0, 0)
loc_0050C50A: GoTo loc_0050C3DC
loc_0050C50F: ' Referenced from: 0050C3F7
loc_0050C51A: If var_30 = 0 Then GoTo loc_0050C56A
loc_0050C523: If var_30 <> 1 Then GoTo loc_0050C56A
loc_0050C53F: If var_F4 >= 0 Then GoTo loc_0050C54D
loc_0050C54B: GoTo loc_0050C559
loc_0050C54D: ' Referenced from: 0050C53F
loc_0050C553: var_1CC = Err.Raise
loc_0050C559: ' Referenced from: 0050C54B
loc_0050C562: var_1D0 = var_F4
loc_0050C568: GoTo loc_0050C576
loc_0050C56A: ' Referenced from: 0050C51A
loc_0050C570: var_1D0 = Err.Raise
loc_0050C576: ' Referenced from: 0050C568
loc_0050C595: var_64 = InStr(1, var_30, global_004421B4, 0)
loc_0050C5A8: var_8148 = (var_4C = global_0043EF28)
loc_0050C5B0: If var_8148 = 0 Then GoTo loc_0050C88F
loc_0050C5BA: If var_64 <= 0 Then GoTo loc_0050C88F
loc_0050C5CB: If var_30 = 0 Then GoTo loc_0050C61B
loc_0050C5D4: If var_30 <> 1 Then GoTo loc_0050C61B
loc_0050C5F0: If var_F4 >= 0 Then GoTo loc_0050C5FE
loc_0050C5FC: GoTo loc_0050C60A
loc_0050C5FE: ' Referenced from: 0050C5F0
loc_0050C604: var_1D4 = Err.Raise
loc_0050C60A: ' Referenced from: 0050C5FC
loc_0050C613: var_1D8 = var_F4
loc_0050C619: GoTo loc_0050C627
loc_0050C61B: ' Referenced from: 0050C5CB
loc_0050C621: var_1D8 = Err.Raise
loc_0050C627: ' Referenced from: 0050C619
loc_0050C66B: var_F8 = StrComp(var_4C, Left$(var_30, var_64(-1)), 0)
loc_0050C684: If var_F8 = 0 Then GoTo loc_0050C747
loc_0050C70B: MsgBox("记录文件被异常地修改!", 16, 10, 10, 10)
loc_0050C73C: End
loc_0050C742: GoTo loc_0050C88F
loc_0050C747: ' Referenced from: 0050C684
loc_0050C760: If var_30 = 0 Then GoTo loc_0050C7B0
loc_0050C769: If var_30 <> 1 Then GoTo loc_0050C7B0
loc_0050C785: If var_F8 >= 0 Then GoTo loc_0050C793
loc_0050C791: GoTo loc_0050C79F
loc_0050C793: ' Referenced from: 0050C785
loc_0050C799: var_1DC = Err.Raise
loc_0050C79F: ' Referenced from: 0050C791
loc_0050C7A8: var_1E0 = var_F8
loc_0050C7AE: GoTo loc_0050C7BC
loc_0050C7B0: ' Referenced from: 0050C760
loc_0050C7B6: var_1E0 = Err.Raise
loc_0050C7BC: ' Referenced from: 0050C7AE
loc_0050C7C0: If var_30 = 0 Then GoTo loc_0050C810
loc_0050C7C9: If var_30 <> 1 Then GoTo loc_0050C810
loc_0050C7E5: If var_F4 >= 0 Then GoTo loc_0050C7F3
loc_0050C7F1: GoTo loc_0050C7FF
loc_0050C7F3: ' Referenced from: 0050C7E5
loc_0050C7F9: var_1E4 = Err.Raise
loc_0050C7FF: ' Referenced from: 0050C7F1
loc_0050C808: var_1E8 = var_F4
loc_0050C80E: GoTo loc_0050C81C
loc_0050C810: ' Referenced from: 0050C7C0
loc_0050C816: var_1E8 = Err.Raise
loc_0050C81C: ' Referenced from: 0050C80E
loc_0050C86D: var_30 = Proc_48_1_589690(Mid$(var_30, var_64(1), var_7C))
loc_0050C88F: ' Referenced from: 0050C742
loc_0050C89A: If var_60 Then GoTo loc_0050C8C5
loc_0050C8BF: var_48 = var_2C
loc_0050C8C5: ' Referenced from: 0050C89A
loc_0050C8D5: If var_2C > 0 Then GoTo loc_0050D0FD
loc_0050C8EE: var_2C = var_2C(1)
loc_0050C906: var_100 = global_96
loc_0050C913: If var_100 = 0 Then GoTo loc_0050C96D
loc_0050C91F: If var_100 <> 1 Then GoTo loc_0050C96D
loc_0050C92D: var_F4 = (var_2C - var_100(20))
loc_0050C942: If var_F4 >= 0 Then GoTo loc_0050C950
loc_0050C94E: GoTo loc_0050C95C
loc_0050C950: ' Referenced from: 0050C942
loc_0050C956: var_1EC = Err.Raise
loc_0050C95C: ' Referenced from: 0050C94E
loc_0050C965: var_1F0 = var_F4*48
loc_0050C96B: GoTo loc_0050C979
loc_0050C96D: ' Referenced from: 0050C913
loc_0050C973: var_1F0 = Err.Raise
loc_0050C979: ' Referenced from: 0050C96B
loc_0050C982: var_100(12) = var_100(12) + var_1F0
loc_0050C988: var_104 = var_100(12)+var_1F0
loc_0050C999: If var_60 Then GoTo loc_0050C9B0
loc_0050C9AE: GoTo loc_0050C9CB
loc_0050C9B0: ' Referenced from: 0050C999
loc_0050C9CB: ' Referenced from: 0050C9AE
loc_0050C9D9: If global_92 = 0 Then GoTo loc_0050CA33
loc_0050C9E5: If global_92 <> 1 Then GoTo loc_0050CA33
loc_0050CA08: If var_F8 >= 0 Then GoTo loc_0050CA16
loc_0050CA14: GoTo loc_0050CA22
loc_0050CA16: ' Referenced from: 0050CA08
loc_0050CA1C: var_1F4 = Err.Raise
loc_0050CA22: ' Referenced from: 0050CA14
loc_0050CA2B: var_1F8 = var_F8*36
loc_0050CA31: GoTo loc_0050CA3F
loc_0050CA33: ' Referenced from: 0050C9D9
loc_0050CA39: var_1F8 = Err.Raise
loc_0050CA3F: ' Referenced from: 0050CA31
loc_0050CA46: If global_92 = 0 Then GoTo loc_0050CAA0
loc_0050CA52: If global_92 <> 1 Then GoTo loc_0050CAA0
loc_0050CA75: If var_F4 >= 0 Then GoTo loc_0050CA83
loc_0050CA81: GoTo loc_0050CA8F
loc_0050CA83: ' Referenced from: 0050CA75
loc_0050CA89: var_1FC = Err.Raise
loc_0050CA8F: ' Referenced from: 0050CA81
loc_0050CA98: var_200 = var_F4*36
loc_0050CA9E: GoTo loc_0050CAAC
loc_0050CAA0: ' Referenced from: 0050CA46
loc_0050CAA6: var_200 = Err.Raise
loc_0050CAAC: ' Referenced from: 0050CA9E
loc_0050CABF: Unsupported("edx+eax+00000008h") = Unsupported("edx+eax+00000008h") + 1
loc_0050CAF4: var_104(4) = var_2C(1)
loc_0050CB07: var_104(8) = var_24
loc_0050CB15: If var_30 = 0 Then GoTo loc_0050CB65
loc_0050CB1E: If var_30 <> 1 Then GoTo loc_0050CB65
loc_0050CB3A: If var_F4 >= 0 Then GoTo loc_0050CB48
loc_0050CB46: GoTo loc_0050CB54
loc_0050CB48: ' Referenced from: 0050CB3A
loc_0050CB4E: var_204 = Err.Raise
loc_0050CB54: ' Referenced from: 0050CB46
loc_0050CB5D: var_208 = var_F4
loc_0050CB63: GoTo loc_0050CB71
loc_0050CB65: ' Referenced from: 0050CB15
loc_0050CB6B: var_208 = Err.Raise
loc_0050CB71: ' Referenced from: 0050CB63
loc_0050CB89: var_104(4) = var_30
loc_0050CB9A: If var_30 = 0 Then GoTo loc_0050CBED
loc_0050CBA3: If var_30 <> 1 Then GoTo loc_0050CBED
loc_0050CBC2: If var_F4 >= 0 Then GoTo loc_0050CBD0
loc_0050CBCE: GoTo loc_0050CBDC
loc_0050CBD0: ' Referenced from: 0050CBC2
loc_0050CBD6: var_20C = Err.Raise
loc_0050CBDC: ' Referenced from: 0050CBCE
loc_0050CBE5: var_210 = var_F4
loc_0050CBEB: GoTo loc_0050CBF9
loc_0050CBED: ' Referenced from: 0050CB9A
loc_0050CBF3: var_210 = Err.Raise
loc_0050CBF9: ' Referenced from: 0050CBEB
loc_0050CC11: var_104(5) = var_30
loc_0050CC22: If var_30 = 0 Then GoTo loc_0050CC75
loc_0050CC2B: If var_30 <> 1 Then GoTo loc_0050CC75
loc_0050CC4A: If var_F4 >= 0 Then GoTo loc_0050CC58
loc_0050CC56: GoTo loc_0050CC64
loc_0050CC58: ' Referenced from: 0050CC4A
loc_0050CC5E: var_214 = Err.Raise
loc_0050CC64: ' Referenced from: 0050CC56
loc_0050CC6D: var_218 = var_F4
loc_0050CC73: GoTo loc_0050CC81
loc_0050CC75: ' Referenced from: 0050CC22
loc_0050CC7B: var_218 = Err.Raise
loc_0050CC81: ' Referenced from: 0050CC73
loc_0050CC99: var_104(6) = var_30
loc_0050CCAA: If var_30 = 0 Then GoTo loc_0050CCFD
loc_0050CCB3: If var_30 <> 1 Then GoTo loc_0050CCFD
loc_0050CCD2: If var_F4 >= 0 Then GoTo loc_0050CCE0
loc_0050CCDE: GoTo loc_0050CCEC
loc_0050CCE0: ' Referenced from: 0050CCD2
loc_0050CCE6: var_21C = Err.Raise
loc_0050CCEC: ' Referenced from: 0050CCDE
loc_0050CCF5: var_220 = var_F4
loc_0050CCFB: GoTo loc_0050CD09
loc_0050CCFD: ' Referenced from: 0050CCAA
loc_0050CD03: var_220 = Err.Raise
loc_0050CD09: ' Referenced from: 0050CCFB
loc_0050CD21: var_104(7) = var_30
loc_0050CD32: If var_30 = 0 Then GoTo loc_0050CD85
loc_0050CD3B: If var_30 <> 1 Then GoTo loc_0050CD85
loc_0050CD5A: If var_F4 >= 0 Then GoTo loc_0050CD68
loc_0050CD66: GoTo loc_0050CD74
loc_0050CD68: ' Referenced from: 0050CD5A
loc_0050CD6E: var_224 = Err.Raise
loc_0050CD74: ' Referenced from: 0050CD66
loc_0050CD7D: var_228 = var_F4
loc_0050CD83: GoTo loc_0050CD91
loc_0050CD85: ' Referenced from: 0050CD32
loc_0050CD8B: var_228 = Err.Raise
loc_0050CD91: ' Referenced from: 0050CD83
loc_0050CDA9: var_104(8) = var_30
loc_0050CDBA: If var_30 = 0 Then GoTo loc_0050CE0D
loc_0050CDC3: If var_30 <> 1 Then GoTo loc_0050CE0D
loc_0050CDE2: If var_F4 >= 0 Then GoTo loc_0050CDF0
loc_0050CDEE: GoTo loc_0050CDFC
loc_0050CDF0: ' Referenced from: 0050CDE2
loc_0050CDF6: var_22C = Err.Raise
loc_0050CDFC: ' Referenced from: 0050CDEE
loc_0050CE05: var_230 = var_F4
loc_0050CE0B: GoTo loc_0050CE19
loc_0050CE0D: ' Referenced from: 0050CDBA
loc_0050CE13: var_230 = Err.Raise
loc_0050CE19: ' Referenced from: 0050CE0B
loc_0050CE35: var_104(32) = CLng(var_30)
loc_0050CE5C: var_7C = global_004421B4
loc_0050CE66: If var_30 = 0 Then GoTo loc_0050CEB9
loc_0050CE6F: If var_30 <> 1 Then GoTo loc_0050CEB9
loc_0050CE8E: If var_F4 >= 0 Then GoTo loc_0050CE9C
loc_0050CE9A: GoTo loc_0050CEA8
loc_0050CE9C: ' Referenced from: 0050CE8E
loc_0050CEA2: var_234 = Err.Raise
loc_0050CEA8: ' Referenced from: 0050CE9A
loc_0050CEB1: var_238 = var_F4
loc_0050CEB7: GoTo loc_0050CEC5
loc_0050CEB9: ' Referenced from: 0050CE66
loc_0050CEBF: var_238 = Err.Raise
loc_0050CEC5: ' Referenced from: 0050CEB7
loc_0050CEFB: var_8C = Split(var_30 & global_004421B4, var_7C, -1, 0)
loc_0050CF24: var_58 = var_F0
loc_0050CF54: If var_58 = 0 Then GoTo loc_0050CFA4
loc_0050CF5D: If var_58 <> 1 Then GoTo loc_0050CFA4
loc_0050CF79: If var_F4 >= 0 Then GoTo loc_0050CF87
loc_0050CF85: GoTo loc_0050CF93
loc_0050CF87: ' Referenced from: 0050CF79
loc_0050CF8D: var_23C = Err.Raise
loc_0050CF93: ' Referenced from: 0050CF85
loc_0050CF9C: var_240 = var_F4
loc_0050CFA2: GoTo loc_0050CFB0
loc_0050CFA4: ' Referenced from: 0050CF54
loc_0050CFAA: var_240 = Err.Raise
loc_0050CFB0: ' Referenced from: 0050CFA2
loc_0050CFCC: var_104(36) = CLng(var_58)
loc_0050CFDA: If var_58 = 0 Then GoTo loc_0050D02D
loc_0050CFE3: If var_58 <> 1 Then GoTo loc_0050D02D
loc_0050D002: If var_F4 >= 0 Then GoTo loc_0050D010
loc_0050D00E: GoTo loc_0050D01C
loc_0050D010: ' Referenced from: 0050D002
loc_0050D016: var_244 = Err.Raise
loc_0050D01C: ' Referenced from: 0050D00E
loc_0050D025: var_248 = var_F4
loc_0050D02B: GoTo loc_0050D039
loc_0050D02D: ' Referenced from: 0050CFDA
loc_0050D033: var_248 = Err.Raise
loc_0050D039: ' Referenced from: 0050D02B
loc_0050D051: var_104(12) = var_58
loc_0050D062: If var_30 = 0 Then GoTo loc_0050D0B5
loc_0050D06B: If var_30 <> 1 Then GoTo loc_0050D0B5
loc_0050D08A: If var_F4 >= 0 Then GoTo loc_0050D098
loc_0050D096: GoTo loc_0050D0A4
loc_0050D098: ' Referenced from: 0050D08A
loc_0050D09E: var_24C = Err.Raise
loc_0050D0A4: ' Referenced from: 0050D096
loc_0050D0AD: var_250 = var_F4
loc_0050D0B3: GoTo loc_0050D0C1
loc_0050D0B5: ' Referenced from: 0050D062
loc_0050D0BB: var_250 = Err.Raise
loc_0050D0C1: ' Referenced from: 0050D0B3
loc_0050D0D9: var_104(11) = var_30
loc_0050D0FD: ' Referenced from: 0050C8D5
loc_0050D10B: ' Referenced from: 0050C024
loc_0050D10B: ' Referenced from: 0050C113
loc_0050D10B: ' Referenced from: 0050C21E
loc_0050D10B: ' Referenced from: 0050C329
loc_0050D10B: GoTo loc_0050B6DB
loc_0050D110: ' Referenced from: 0050B6EF
loc_0050D11B: If var_60 Then GoTo loc_0050D1AC
loc_0050D12F: If global_92 = 0 Then GoTo loc_0050D189
loc_0050D13B: If global_92 <> 1 Then GoTo loc_0050D189
loc_0050D15E: If var_F4 >= 0 Then GoTo loc_0050D16C
loc_0050D16A: GoTo loc_0050D178
loc_0050D16C: ' Referenced from: 0050D15E
loc_0050D172: var_254 = Err.Raise
loc_0050D178: ' Referenced from: 0050D16A
loc_0050D181: var_258 = var_F4*36
loc_0050D187: GoTo loc_0050D195
loc_0050D189: ' Referenced from: 0050D12F
loc_0050D18F: var_258 = Err.Raise
loc_0050D195: ' Referenced from: 0050D187
loc_0050D1AC: ' Referenced from: 0050D11B
loc_0050D1B7: If var_2C <= 0 Then GoTo loc_0050D2D2
loc_0050D1CB: If global_96 = 0 Then GoTo loc_0050D225
loc_0050D1D7: If global_96 <> 1 Then GoTo loc_0050D225
loc_0050D1FA: If var_F4 >= 0 Then GoTo loc_0050D208
loc_0050D206: GoTo loc_0050D214
loc_0050D208: ' Referenced from: 0050D1FA
loc_0050D20E: var_25C = Err.Raise
loc_0050D214: ' Referenced from: 0050D206
loc_0050D21D: var_260 = var_F4*48
loc_0050D223: GoTo loc_0050D231
loc_0050D225: ' Referenced from: 0050D1CB
loc_0050D22B: var_260 = Err.Raise
loc_0050D231: ' Referenced from: 0050D223
loc_0050D256: If global_92 = 0 Then GoTo loc_0050D2B0
loc_0050D262: If global_92 <> 1 Then GoTo loc_0050D2B0
loc_0050D285: If var_F4 >= 0 Then GoTo loc_0050D293
loc_0050D291: GoTo loc_0050D29F
loc_0050D293: ' Referenced from: 0050D285
loc_0050D299: var_264 = Err.Raise
loc_0050D29F: ' Referenced from: 0050D291
loc_0050D2A8: var_268 = var_F4*36
loc_0050D2AE: GoTo loc_0050D2BC
loc_0050D2B0: ' Referenced from: 0050D256
loc_0050D2B6: var_268 = Err.Raise
loc_0050D2BC: ' Referenced from: 0050D2AE
loc_0050D2D2: ' Referenced from: 0050D1B7
loc_0050D2DF: pShortCount = var_2C
loc_0050D2EF: pShortRealCount = var_2C
loc_0050D2FF: pShortMaxCount = var_2C
loc_0050D313: Close #var_5C
loc_0050D327: GoTo loc_0050D36C
loc_0050D329: ' Referenced from: 0050B086
loc_0050D340: On Error GoTo 0
loc_0050D34F: On Error Resume Next
loc_0050D366: Close #var_5C
loc_0050D36C: ' Referenced from: 0050D327
loc_0050D36C: Exit Sub
loc_0050D377: GoTo loc_0050D3B1
loc_0050D3B0: Exit Function
loc_0050D3B1: ' Referenced from: 0050D377
End Function
嗯, 这个估计就是我们要的,来吧, OD登场,载入程序(记得先关闭vstart程序,因为只能单开), ctrl+g定位到50B020,我们在0050B0BC处下好断点,因为这行可以看文件名,运行程序,直接在这行停下了,可以看到右侧寄存器edx就是文件名"xxx/常用程序.vst", F8单步向下跟踪,中间全是MSVBVM60.DLL的系统方法,都直接跳过,直到0050B918这行,是用户定义的方法,,此时可以看到方法入参数edx是一个字符串,我们用记事本打开"常用程序.vst",可以看到edx就是文件第二行的密文,,F7进入方法, 我们先返回VB Decompiler看一下这个方法的源代码:
Private Sub Proc_48_1_589690
loc_005896E2: var_38 = Me
loc_005896EA: On Error GoTo loc_005899A3
loc_0058970D: If 1 > Len(var_38) Then GoTo loc_0058995A
loc_005897B3: var_40 = Mid(var_38, 1+1, 1)
loc_005897EE: var_28 = InStr(1, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz", Mid(var_38, 1, 1), 0)(-1)
loc_005897FE: var_8018 = InStr(1, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz", var_40, 0)
loc_00589821: var_24 = var_8018(-1)
loc_0058982D: If Sign((var_8018(-1) And 7) - 0) Then GoTo loc_00589837
loc_00589837: ' Referenced from: 0058982D
loc_0058983F: var_2C = ((var_8018(-1) And 7) - 1 Or 16777208) + 1
loc_00589854: ReDim Preserve var_44(0 To 0)
loc_00589862: If var_44 = 0 Then GoTo loc_0058988E
loc_00589868: If var_44 <> 1 Then GoTo loc_0058988E
loc_00589878: If var_44 < 0 Then GoTo loc_00589886
loc_0058987A: var_8028 = Err.Raise
loc_00589886: ' Referenced from: 00589878
loc_0058988C: GoTo loc_0058989A
loc_0058988E: ' Referenced from: 00589862
loc_00589894: var_A8 = Err.Raise
loc_0058989A: ' Referenced from: 0058988C
loc_0058989A: movzx cx, var_24
loc_005898A9: movzx dx, var_28
loc_005898C5: var_44 = var_88*003Eh+var_40
loc_005898CD: If var_44 = 0 Then GoTo loc_005898F0
loc_005898D3: If var_44 <> 1 Then GoTo loc_005898F0
loc_005898DD: If var_44 < 0 Then GoTo loc_005898E8
loc_005898DF: var_8034 = Err.Raise
loc_005898E8: ' Referenced from: 005898DD
loc_005898EE: GoTo loc_005898FF
loc_005898F0: ' Referenced from: 005898CD
loc_005898F6: var_AC = Err.Raise
loc_005898FF: ' Referenced from: 005898EE
loc_00589901: If var_44 = 0 Then GoTo loc_00589920
loc_00589907: If var_44 <> 1 Then GoTo loc_00589920
loc_00589911: If var_44 < 0 Then GoTo loc_0058991C
loc_00589913: var_803C = Err.Raise
loc_0058991C: ' Referenced from: 00589911
loc_0058991E: GoTo loc_00589929
loc_00589920: ' Referenced from: 00589901
loc_00589920: var_8040 = Err.Raise
loc_00589929: ' Referenced from: 0058991E
loc_00589938: var_44 = var_44 xor var_2C
loc_00589955: GoTo loc_00589707
loc_0058995A: ' Referenced from: 0058970D
loc_00589987: var_3C = StrConv(var_44, 64, 0)
loc_00589996: Exit Sub
loc_005899A1: GoTo loc_005899E1
loc_005899A3: ' Referenced from: 005896EA
loc_005899B1: Exit Sub
loc_005899BC: GoTo loc_005899E1
loc_005899C2: If var_C = 0 Then GoTo loc_005899CD
loc_005899CD: ' Referenced from: 005899C2
loc_005899E0: Exit Sub
loc_005899E1: ' Referenced from: 005899A1
loc_005899E1: ' Referenced from: 005899BC
End Sub
从上面代码可以知道,这个就是解密算法了,结合OD单步跟踪分析结果为:
1). 按每2位循环字符串(00589944处+2)
2). 固定串"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
3). 取2个字符,分别得到字符在固定串中的位置p1,p2
4). 将两个位置值进行运算((p2 >> 3) * 0x3E + p1) ^ (p2 & 7) 得到一个明文字符
5). 循环完得到整串明文串
破解代码为:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
char * encode(unsigned char *str);
char * decode(char *str);
int main() {
unsigned char *str0 = (unsigned char *)"系统功能";
char *str = encode(str0);
char *code = decode(str);
printf("初始为: %s\n密文为: %s\n明文为: %s\n", str0, str, code);
free(code);
system("pause");
return 0;
}
char * decode(char *str){
char *chr = (char *)"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
int len = strlen(str);
char *code = (char *) calloc(len / 2 + 1, sizeof(char));
int p1,p2;
char tmp[2] = {0};
for(int i=0; i<len/2; i++){
tmp[0] = str[2*i];
p1 = strcspn(chr, tmp);
tmp[0] = str[2*i+1];
p2 = strcspn(chr, tmp);
code[i] = ((p2 >> 3) * 0x3E + p1) ^ (p2 & 7);
}
return code;
}
char * encode(unsigned char *str){
char *chr = (char *)"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
int len = strlen((char *)str), rnd = 0, p1, p2, s;
char *code = (char *) calloc(len * 2 + 1, sizeof(char));
srand((unsigned int)time(NULL));
for(int i=0; i<len; i++){
rnd = rand() % 62;
s = 0;
for(int j=0; j<62; j++){
p1 = (j + rnd) % 62;
for(p2=0; p2<62; p2++){
if((((p2 >> 3) * 0x3E + p1) ^ (p2 & 7)) == str[i]){
s = 1;
break;
}
}
if(s == 1) break;
}
code[2*i] = chr[p1];
code[2*i+1] = chr[p2];
}
return code;
}
运行示例:
密文为: R2xSV0qTA1cULZb1
明文为: 系统功能
整个文件解密就自行解决吧, 从第二行开始,有+号的要跳过,按逗号分隔一段段解密,(需要注意的是,解密出来的字符是iso-8859-1编码的,需要转GB2312才能正常显示中文)
分析过程中,发现有密码验证这块,有兴趣的也可以同理破之~
大佬破文直达VStart音速启动功能爆破
浙公网安备 33010602011771号