Environment
Windows XP SP3
Tools
exeinfope
OllyDBG
Packer check
Unpacked VB program, no packer
Testing
A nag window appears as soon as the program runs, so this time the goal is to remove the nag window and find the serial.
After launch the program pops up the nag window; after a 5-second wait the button caption changes to “Continue..”, and only after clicking it does the serial-entry window appear.
A string search reveals the serial immediately:
00405721 . 68 A4264000 push CodeZero.004026A4 ; UNICODE "55555"
00405726 . E8 3BBAFFFF call <jmp.&MSVBVM50.__vbaStrCmp>
0040572B . 8BF0 mov esi,eax
0040572D . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00405730 . F7DE neg esi
00405732 . 1BF6 sbb esi,esi
00405734 . 46 inc esi
00405735 . F7DE neg esi
00405737 . E8 18BAFFFF call <jmp.&MSVBVM50.__vbaFreeStr>
0040573C . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040573F . E8 0ABAFFFF call <jmp.&MSVBVM50.__vbaFreeObj>
00405744 . 6A 0A push 0xA
00405746 . 66:3BF3 cmp si,bx
00405749 . 58 pop eax
0040574A . B9 04000280 mov ecx,0x80020004
0040574F . 6A 08 push 0x8
00405751 . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00405754 . 5E pop esi
00405755 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00405758 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0040575B . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
0040575E . C745 8C 68264>mov dword ptr ss:[ebp-0x74],CodeZero.004>; UNICODE "VB Crack-Me 1.0 by CodeZero"
00405765 . 8975 84 mov dword ptr ss:[ebp-0x7C],esi
00405768 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
0040576B . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
0040576E . 74 2A je XCodeZero.0040579A
00405770 . E8 CDB9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
00405775 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00405778 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
0040577B . C745 9C B4264>mov dword ptr ss:[ebp-0x64],CodeZero.004>; UNICODE "Congratulations! you've really made it :-)"
00405782 . 8975 94 mov dword ptr ss:[ebp-0x6C],esi
00405785 . E8 B8B9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
0040578A . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
0040578D . 50 push eax
0040578E . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00405791 . 50 push eax
00405792 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00405795 . 50 push eax
00405796 . 6A 40 push 0x40
00405798 . EB 28 jmp XCodeZero.004057C2
0040579A > E8 A3B9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
0040579F . C745 9C 10274>mov dword ptr ss:[ebp-0x64],CodeZero.004>; UNICODE "Invalid unlock code, please try again."
004057A6 > 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004057A9 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004057AC . 8975 94 mov dword ptr ss:[ebp-0x6C],esi
004057AF . E8 8EB9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
The serial is compared as a plaintext string.
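Why a string search surfaces the serial, and what a hashed comparison changes, as an added Python example (this is not code from the crackme or from the write-up). The byte blobs stand in for a region of a VB6 image and are constructed here; the salt value and the helper names are my own.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a slice of the binary: the serial sits in the string
# table as a UTF-16LE literal, which is what the UNICODE "55555" reference in
# the OllyDBG listing points at.
PLAINTEXT_IMAGE = (
    b"\x55\x8b\xec"
    + "55555".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90"
    + "Invalid unlock code, please try again.".encode("utf-16-le") + b"\x00\x00"
)


def scan_utf16_strings(blob, min_len=4):
    """Return printable UTF-16LE runs of at least min_len characters, which is
    what a string search in OllyDBG or a strings-style tool would list."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def check_serial_plaintext(user_input, expected="55555"):
    """The scheme the listing uses: __vbaStrCmp against a literal."""
    return user_input == expected


# Hardened variant: keep only a salted SHA-256 digest of the serial in the
# binary, so the serial itself never appears in the string table.
SERIAL_SALT = b"crackme-demo-salt"  # constructed for this example
SERIAL_DIGEST = hashlib.sha256(SERIAL_SALT + b"55555").hexdigest()


def check_serial_hashed(user_input, stored_digest=SERIAL_DIGEST):
    """Hash the input with the same salt and compare digests in constant time."""
    digest = hashlib.sha256(SERIAL_SALT + user_input.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


# Constructed stand-in for the hardened binary's data: only the digest is stored.
HASHED_IMAGE = b"\x55\x8b\xec" + SERIAL_DIGEST.encode("utf-16-le") + b"\x00\x00"


def serial_leaks(blob, serial="55555"):
    """True if a plain string scan of the image recovers the serial verbatim."""
    return serial in scan_utf16_strings(blob)


if __name__ == "__main__":
    print("plaintext image leaks serial:", serial_leaks(PLAINTEXT_IMAGE))
    print("hashed image leaks serial:", serial_leaks(HASHED_IMAGE))
```

Hashing only removes the value from the string table; the conditional jump after the compare (the `je` at 0040576E) is still a single branch, so the bypass the rest of the write-up performs is unaffected.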
What remains is removing the nag window:
Open the program in OllyDBG and let it run; once “continue..” is displayed, set a memory-access breakpoint on the .text section, let the program run again, and after pressing F9 a few times you arrive here.
00402330 . 816C24 04 570>sub dword ptr ss:[esp+0x4],0x57
00402338 . E9 85360000 jmp CodeZero.004059C2 ; displays the serial-entry window
0040233D . 816C24 04 330>sub dword ptr ss:[esp+0x4],0x33
00402345 E9 7B370000 jmp CodeZero.00405AC5 ; displays the “5” in the nag window
0040234A . 816C24 04 3F0>sub dword ptr ss:[esp+0x4],0x3F
00402352 E9 77380000 jmp CodeZero.00405BCE ; displays the “4” in the nag window
00402357 . 816C24 04 430>sub dword ptr ss:[esp+0x4],0x43
0040235F E9 73390000 jmp CodeZero.00405CD7 ; displays the “3” in the nag window
00402364 . 816C24 04 470>sub dword ptr ss:[esp+0x4],0x47
0040236C E9 6F3A0000 jmp CodeZero.00405DE0 ; displays the “2” in the nag window
00402371 . 816C24 04 4B0>sub dword ptr ss:[esp+0x4],0x4B
00402379 E9 6B3B0000 jmp CodeZero.00405EE9 ; displays the “1” in the nag window
0040237E . 816C24 04 530>sub dword ptr ss:[esp+0x4],0x53
00402386 E9 673C0000 jmp CodeZero.00405FF2 ; displays “continue..” in the nag window
Even with breakpoints on the instructions above, the nag window still appears, which shows that the code creating the nag window runs before any of these.
Looking at where these jmps go, [004059C2] is the lowest target; following it to [004059C2], there are many more instructions above this block.
0040595C |. 57 push edi
0040595D |. 50 push eax
0040595E |. E8 F7B7FFFF call <jmp.&MSVBVM50.__vbaHresultCheckObj>
00405963 |> 833D 38704000>cmp dword ptr ds:[0x407038],0x0
0040596A |. 75 0F jnz XCodeZero.0040597B
0040596C |. 68 38704000 push CodeZero.00407038
00405971 |. 68 B01D4000 push CodeZero.00401DB0
00405976 |. E8 B5B7FFFF call <jmp.&MSVBVM50.__vbaNew2>
0040597B |> 8B35 38704000 mov esi,dword ptr ds:[0x407038]
00405981 6A FF push -0x1
00405983 56 push esi
00405984 8B06 mov eax,dword ptr ds:[esi]
00405986 FF90 BC010000 call dword ptr ds:[eax+0x1BC] ; this is where the nag window is created
0040598C |. 85C0 test eax,eax
0040598E |. 7D 11 jge XCodeZero.004059A1
00405990 |. 68 BC010000 push 0x1BC
00405995 |. 68 C8274000 push CodeZero.004027C8
0040599A |. 56 push esi
0040599B |. 50 push eax
0040599C |. E8 B9B7FFFF call <jmp.&MSVBVM50.__vbaHresultCheckObj>
004059A1 |> 8365 FC 00 and [local.1],0x0
004059A5 |. 8B45 08 mov eax,[arg.1]
004059A8 |. 50 push eax
004059A9 |. 8B08 mov ecx,dword ptr ds:[eax]
004059AB |. FF51 08 call dword ptr ds:[ecx+0x8]
004059AE |. 8B4D EC mov ecx,[local.5]
004059B1 |. 8B45 FC mov eax,[local.1]
004059B4 |. 5F pop edi
004059B5 |. 5E pop esi
004059B6 |. 64:890D 00000>mov dword ptr fs:[0],ecx
004059BD |. 5B pop ebx
004059BE |. C9 leave
004059BF \. C2 0400 retn 0x4
004059C2 > 55 push ebp ; from here down is where the serial-entry window is created
004059C3 . 8BEC mov ebp,esp
So when exactly do the instructions above [004059C2] get executed?
Most of these code blocks can be located by the instruction they start with:
push ebp
Which turned up this one:
0040583D /> \55 push ebp
And following it leads here:
00401D88 . 816C24 04 330>sub dword ptr ss:[esp+0x4],0x33
00401D90 . E9 5F380000 jmp CodeZero.004055F4 ; handles the “Check” click
00401D95 . 816C24 04 370>sub dword ptr ss:[esp+0x4],0x37
00401D9D . E9 9B3A0000 jmp CodeZero.0040583D ; handles the “About” click
00401DA2 . 816C24 04 3F0>sub dword ptr ss:[esp+0x4],0x3F
00401DAA . E9 563B0000 jmp CodeZero.00405905 ; jumps to the code that creates the nag window
Now the nag window can be removed; just change:
0040583D /> \55 push ebp
to:
00405905 C2 0400 retn 0x4
Then change:
00402345 E9 7B370000 jmp CodeZero.00405AC5 ; displays “5”
to:
00402345 /E9 78360000 jmp CodeZero.004059C2 ; displays the serial-entry window
After patching, the nag window is gone.
And the serial is “55555”.