环境
Windows xp sp3
查壳
无壳的VB程序
测试:
输入
Name:123456
Serial:12345
通过字符串搜索找到判断位置。
判断Name的长度要大于等于5:
00402CBC . 33C9 xor ecx,ecx
00402CBE . 83F8 04 cmp eax,0x4
00402CC1 . 0F9EC1 setle cl
00402CC4 . F7D9 neg ecx
00402CC6 . 66:898D DCFEF>mov word ptr ss:[ebp-0x124],cx
00402CDF . 66:399D DCFEF>cmp word ptr ss:[ebp-0x124],bx
00402CE6 . 0F84 B0000000 je Colormas.00402D9C ; name的长度要大于等于5
00402DF1 > \8B55 D8 mov edx,dword ptr ss:[ebp-0x28] ; 获取Name的长度
00402DF4 . 52 push edx ; /String
00402DF5 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
00402DFB . 8985 14FFFFFF mov dword ptr ss:[ebp-0xEC],eax
00402E01 . 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-0xE4]
00402E07 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-0xF4]
00402E0D . 50 push eax ; /Step8
00402E0E . 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-0x104] ; |
00402E14 . 51 push ecx ; |End8
00402E15 . 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-0x178] ; |
00402E1B . 52 push edx ; |Start8
00402E1C . 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-0x168] ; |
00402E22 . 50 push eax ; |TMPend8
00402E23 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24] ; |
00402E26 . 51 push ecx ; |TMPstep8
00402E27 . 52 push edx ; |Counter8
00402E28 . C785 0CFFFFFF>mov dword ptr ss:[ebp-0xF4],0x3 ; |
00402E32 . C785 04FFFFFF>mov dword ptr ss:[ebp-0xFC],0x1 ; |
00402E3C . C785 FCFEFFFF>mov dword ptr ss:[ebp-0x104],0x2 ; |
00402E46 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForInit
00402EB1 > \8B45 D4 mov eax,dword ptr ss:[ebp-0x2C] ; Name
00402EB4 . 50 push eax ; /String
00402EB5 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00402F15 . 50 push eax
00402F16 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
00402F1C . 0FBF8D E8FEFF>movsx ecx,word ptr ss:[ebp-0x118]
00402F23 . 898D 74FEFFFF mov dword ptr ss:[ebp-0x18C],ecx
00402F29 . 8D55 8C lea edx,dword ptr ss:[ebp-0x74]
00402F2C . DB85 74FEFFFF fild dword ptr ss:[ebp-0x18C]
00402F32 . 52 push edx
00402F33 . C785 0CFFFFFF>mov dword ptr ss:[ebp-0xF4],0x5
00402F3D . C745 94 15000>mov dword ptr ss:[ebp-0x6C],0x15
00402F44 . C745 8C 02000>mov dword ptr ss:[ebp-0x74],0x2
00402F4B . DD9D 6CFEFFFF fstp qword ptr ss:[ebp-0x194] ; 这里开始计算serial的其中的一部分
00402F51 . DC8D 6CFEFFFF fmul qword ptr ss:[ebp-0x194] ; 432.4
00402F57 . DC0D 00114000 fmul qword ptr ds:[0x401100] ; 17.79
00402F5D . DD9D 14FFFFFF fstp qword ptr ss:[ebp-0xEC] ; 用于下面[00402F97]的计算
00402F8C . 52 push edx ; /var18
00402F8D . 8B19 mov ebx,dword ptr ds:[ecx] ; |
00402F8F . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94] ; |
00402F95 . 50 push eax ; |var28
00402F96 . 51 push ecx ; |SaveToST
00402F97 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDi>; \__vbaVarDiv
00402F9D . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30] ; 其中的一个除数是15
0040307A . 8D95 98FEFFFF lea edx,dword ptr ss:[ebp-0x168]
00403080 . 51 push ecx ; /TMPend8
00403081 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; |
00403084 . 52 push edx ; |TMPstep8
00403085 . 50 push eax ; |Counter8
00403086 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
0040308C . 8985 7CFEFFFF mov dword ptr ss:[ebp-0x184],eax
00403092 . 33DB xor ebx,ebx
00403094 .^ E9 CBFDFFFF jmp Colormas.00402E64
截取了for循环中我认为对计算serial有价值的一部分。
这个 for 循环结束之后,还会根据 name 算出最后一个值。
(1)取 name 的最后一个字符,乘以 432.4 * 17.79,再除以 15。
004030F4 . 8B18 mov ebx,dword ptr ds:[eax]
004030F6 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
004030FC . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaFPFix>; MSVBVM60.__vbaFPFix
00403102 . 83EC 08 sub esp,0x8
00403105 . DD1C24 fstp qword ptr ss:[esp]
00403108 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrR8>; MSVBVM60.__vbaStrR8
(2)这一段是将上面算出来的数值取整。
004032DD > \8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
004032E0 . 52 push edx ; /String
004032E1 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
004032E7 . 0FBFC0 movsx eax,ax
004032EA . 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
004032ED . 8985 60FEFFFF mov dword ptr ss:[ebp-0x1A0],eax
004032F3 . DB85 60FEFFFF fild dword ptr ss:[ebp-0x1A0]
004032F9 . 51 push ecx
004032FA . DD9D 58FEFFFF fstp qword ptr ss:[ebp-0x1A8]
00403300 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
00403306 . DC85 58FEFFFF fadd qword ptr ss:[ebp-0x1A8]
0040330C . 8B16 mov edx,dword ptr ds:[esi]
0040330E . 56 push esi
0040330F . C785 0CFFFFFF>mov dword ptr ss:[ebp-0xF4],0x5
00403319 . DD9D 14FFFFFF fstp qword ptr ss:[ebp-0xEC] ; 保存相加结果
(3)上面这一段是把(2)得到的结果再加上 name 第一个字符的值。
00403361 > \8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
00403364 . 52 push edx
00403365 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
0040336B . 66:6BDB 19 imul bx,bx,0x19 ; 第一个字符乘以0x19
0040336F . 0F80 0B050000 jo Colormas.00403880
00403375 . 0FBFC3 movsx eax,bx
00403378 . 8985 54FEFFFF mov dword ptr ss:[ebp-0x1AC],eax
0040337E . 8D4D 8C lea ecx,dword ptr ss:[ebp-0x74]
00403381 . DB85 54FEFFFF fild dword ptr ss:[ebp-0x1AC]
00403387 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
0040338D . 51 push ecx
0040338E . 52 push edx
0040338F . C745 8C 05000>mov dword ptr ss:[ebp-0x74],0x5
00403396 . DD9D 4CFEFFFF fstp qword ptr ss:[ebp-0x1B4]
0040339C . DCA5 4CFEFFFF fsub qword ptr ss:[ebp-0x1B4] ; 减去上面那个值
004033A2 . DD5D 94 fstp qword ptr ss:[ebp-0x6C]
(4)用(2)得出的结果减去 name 第一个字符乘以 0x19 的值,并将该值转成 16 进制。
004033E6 > \8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
004033E9 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
004033EF . 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4]
004033F5 . 51 push ecx
004033F6 . 52 push edx
004033F7 . C745 C8 00000>mov dword ptr ss:[ebp-0x38],0x0
004033FE . 8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
00403404 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x8
0040340E . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
(5)将(2)的结果转为 16 进制。
00403482 > \8B55 C4 mov edx,dword ptr ss:[ebp-0x3C]
00403485 . 52 push edx ; /String = "1"
00403486 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
0040348C . 0FBFD8 movsx ebx,ax
0040348F . 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
00403492 . 50 push eax ; /String
00403493 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
00403499 . 0FAFD8 imul ebx,eax ; 长度*首字符
0040349C . 8B8D ACFEFFFF mov ecx,dword ptr ss:[ebp-0x154]
004034A2 . C785 FCFEFFFF>mov dword ptr ss:[ebp-0x104],0x3
004034AC . 0F80 CE030000 jo Colormas.00403880
004034B2 . 83EB 1B sub ebx,0x1B ; 减去0x1B
(6)取 name 的第一个字符,乘以 name 的长度,再减去 0x1B。
004034C9 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
004034CF . 52 push edx
004034D0 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94]
004034D6 . 50 push eax
004034D7 . 51 push ecx
004034D8 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
004034DE . 50 push eax
004034DF . 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4]
004034E5 . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4]
004034EB . 52 push edx
004034EC . 50 push eax
004034ED . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
004034F3 . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
004034F9 . 50 push eax
004034FA . 8D95 2CFFFFFF lea edx,dword ptr ss:[ebp-0xD4]
00403500 . 51 push ecx
00403501 . 52 push edx
00403502 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
00403508 . 50 push eax ; /String8
00403509 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44] ; |
0040350C . 50 push eax ; |ARG2
0040350D . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
(7)将(3)(4)(5)(6)的值依次拼接起来。
00403665 . 50 push eax
00403666 . 51 push ecx
00403667 . 52 push edx ; /String
00403668 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
0040366E . 50 push eax
0040366F . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
00403675 . 8B35 DC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0040367B . 8BD0 mov edx,eax
0040367D . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00403680 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00403682 . 8B3D 30104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCat
00403688 . 50 push eax ; /String
00403689 . FFD7 call edi ; \__vbaStrCat
0040368B . 8BD0 mov edx,eax ; 将name的长度加到serial里面去
0040368D . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00403690 . FFD6 call esi
00403692 . 50 push eax
00403693 . 68 741F4000 push Colormas.00401F74 ; UNICODE "-CM"
00403698 . FFD7 call edi ; 计算出来的值再加上-CM
(8)在(7)的结果后面拼接上 name 的长度,再在末尾拼接字符串“-CM”。
所以(8)的结果就是所求的 serial。