160 - 22 CarLitoZ.1

环境
Windows xp sp3

工具
exeinfope
Ollydbg

查壳
无壳的VB程序

测试

输入“1234567”
显示这个:

直接OD载入字符串搜索。

; ---------------------------------------------------------------------
; CarLitoZ.1 — VB5 event handler that validates the entered code
; (OllyDbg listing, Win32 stdcall: address, marker, opcode bytes,
; mnemonic, comment). Not assembler source; only comments were added
; or translated.
; In:   [ebp+8] = this (VB form/object pointer). Returns nothing (retn 4).
; Flow: AddRef(this) -> call [vtable+0x6F8] -> __vbaVarTstEq(this+0x34, 1)
;       -> on match: MsgBox "Registration Successful", write a fixed token
;       to c:\windows\MTR.dat, update three controls; else MsgBox
;       "Wrong Code! Try Again".
; Review: the whole decision is one __vbaVarTstEq result tested at
;       00402DE9, and the on-disk registration marker is a fixed plaintext
;       string at a hard-coded path under the system directory — neither
;       is a secret, so this scheme offers no real protection.
; ---------------------------------------------------------------------
00402D20   > \55            push ebp                                 ; standard VB5 prologue: frame = locals + SEH record
00402D21   .  8BEC          mov ebp,esp
00402D23   .  83EC 0C       sub esp,0xC
00402D26   .  68 66104000   push <jmp.&MSVBVM50.__vbaExceptHandler>  ;  install the VB runtime SEH handler
00402D2B   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00402D31   .  50            push eax                                 ; previous SEH frame -> [ebp-0x14], restored at 00403023
00402D32   .  64:8925 00000>mov dword ptr fs:[0],esp
00402D39   .  81EC 98000000 sub esp,0x98                             ; locals: VARIANTs, a BSTR and an object ref
00402D3F   .  53            push ebx
00402D40   .  56            push esi
00402D41   .  8B75 08       mov esi,dword ptr ss:[ebp+0x8]           ; esi = this
00402D44   .  57            push edi
00402D45   .  8BC6          mov eax,esi
00402D47   .  83E6 FE       and esi,0xFFFFFFFE                       ; clear bit 0 of this (VB5 keeps a flag there; saved to [ebp-4] below)
00402D4A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
00402D4D   .  83E0 01       and eax,0x1
00402D50   .  8B1E          mov ebx,dword ptr ds:[esi]               ; ebx = vtable of this
00402D52   .  C745 F8 20104>mov dword ptr ss:[ebp-0x8],CarLitoZ.0040>
00402D59   .  56            push esi
00402D5A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
00402D5D   .  8975 08       mov dword ptr ss:[ebp+0x8],esi
00402D60   .  FF53 04       call dword ptr ds:[ebx+0x4]              ; vtable+4 = IUnknown::AddRef(this); paired with Release at 00403018
00402D63   .  33FF          xor edi,edi
00402D65   .  56            push esi
00402D66   .  897D E8       mov dword ptr ss:[ebp-0x18],edi          ; zero the locals the epilogue frees: BSTR [ebp-0x18],
00402D69   .  897D E4       mov dword ptr ss:[ebp-0x1C],edi          ; object ref [ebp-0x1C], VARIANT vt fields below
00402D6C   .  897D D4       mov dword ptr ss:[ebp-0x2C],edi
00402D6F   .  897D C4       mov dword ptr ss:[ebp-0x3C],edi
00402D72   .  897D B4       mov dword ptr ss:[ebp-0x4C],edi
00402D75   .  897D A4       mov dword ptr ss:[ebp-0x5C],edi
00402D78   .  897D 94       mov dword ptr ss:[ebp-0x6C],edi
00402D7B   .  897D 84       mov dword ptr ss:[ebp-0x7C],edi
00402D7E   .  FF93 F8060000 call dword ptr ds:[ebx+0x6F8]            ;  step into this call: it produces the comparison result (the member VARIANT at this+0x34 is tested right after)
00402D84   .  3BC7          cmp eax,edi                              ; eax = HRESULT
00402D86   .  7D 12         jge XCarLitoZ.00402D9A                   ; HRESULT >= 0 -> skip the error raise
00402D88   .  68 F8060000   push 0x6F8
00402D8D   .  68 0C224000   push CarLitoZ.0040220C
00402D92   .  56            push esi
00402D93   .  50            push eax
00402D94   .  FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00402D9A   >  8D4E 34       lea ecx,dword ptr ds:[esi+0x34]          ; left operand: member VARIANT at this+0x34
00402D9D   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]          ; right operand: literal VARIANT built below
00402DA0   .  51            push ecx                                 ; /var18
00402DA1   .  52            push edx                                 ; |var28
00402DA2   .  C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1          ; | value = 1 (data field of the VARIANT at ebp-0x6C)
00402DA9   .  C745 94 02800>mov dword ptr ss:[ebp-0x6C],0x8002       ; | vt = 0x8002: VT_I2 plus a high bit that looks VB-internal — confirm
00402DB0   .  FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq -> ax != 0 when this+0x34 == 1
00402DB6   .  8B3D C4614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarDup (edi is reused by both branches)
00402DBC   .  B9 04000280   mov ecx,0x80020004                       ; DISP_E_PARAMNOTFOUND: "argument omitted" VARIANT (vt = VT_ERROR = 0xA) for MsgBox HelpFile/Context
00402DC1   .  66:85C0       test ax,ax                               ; flags from the TstEq result; nothing below alters flags until 00402DE9
00402DC4   .  B8 0A000000   mov eax,0xA
00402DC9   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
00402DCC   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00402DCF   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00402DD2   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
00402DD5   .  C745 8C 08234>mov dword ptr ss:[ebp-0x74],CarLitoZ.004>;  UNICODE "CrackMe v1.0" (MsgBox title)
00402DDC   .  C745 84 08000>mov dword ptr ss:[ebp-0x7C],0x8          ; vt = VT_BSTR
00402DE3   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]
00402DE6   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
00402DE9   .  0F84 5A010000 je CarLitoZ.00402F49                     ; not equal -> "Wrong Code" branch
00402DEF   .  FFD7          call edi                                 ;  <&MSVBVM50.__vbaVarDup> copy title into [ebp-0x3C]
00402DF1   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00402DF4   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00402DF7   .  C745 9C D4224>mov dword ptr ss:[ebp-0x64],CarLitoZ.004>;  UNICODE "Registration Successful" (MsgBox prompt)
00402DFE   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8
00402E05   .  FFD7          call edi                                 ; copy prompt into [ebp-0x2C]
00402E07   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00402E0A   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
00402E0D   .  50            push eax
00402E0E   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00402E11   .  51            push ecx
00402E12   .  52            push edx
00402E13   .  8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
00402E16   .  6A 30         push 0x30                                ; 0x30 = vbExclamation
00402E18   .  50            push eax
00402E19   .  FF15 40614000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox(prompt, buttons, title, helpfile, context)
00402E1F   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00402E22   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
00402E25   .  51            push ecx
00402E26   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
00402E29   .  52            push edx
00402E2A   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00402E2D   .  50            push eax
00402E2E   .  51            push ecx
00402E2F   .  6A 04         push 0x4
00402E31   .  FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList — free the 4 MsgBox VARIANTs
00402E37   .  83C4 14       add esp,0x14
00402E3A   .  8D7E 44       lea edi,dword ptr ds:[esi+0x44]          ; edi = &this->VARIANT member holding the file number (converted with __vbaI2Var before each file call)
00402E3D   .  68 40224000   push CarLitoZ.00402240                   ;  UNICODE "c:\windows\MTR.dat" — hard-coded path in the system directory; needs write access there
00402E42   .  57            push edi
00402E43   .  FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;  MSVBVM50.__vbaI2Var
00402E49   .  50            push eax
00402E4A   .  6A FF         push -0x1
00402E4C   .  6A 20         push 0x20
00402E4E   .  FF15 98614000 call dword ptr ds:[<&MSVBVM50.__vbaFileO>;  MSVBVM50.__vbaFileOpen — Open "c:\windows\MTR.dat" As #n (mode 0x20, reclen -1; mode decoding not confirmed)
00402E54   .  BA 6C224000   mov edx,CarLitoZ.0040226C                ;  UNICODE "trv2156j0e" — the fixed registration token
00402E59   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00402E5C   .  FF15 AC614000 call dword ptr ds:[<&MSVBVM50.__vbaStrCo>;  MSVBVM50.__vbaStrCopy -> [ebp-0x18] = "trv2156j0e"
00402E62   .  57            push edi
00402E63   .  FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;  MSVBVM50.__vbaI2Var
00402E69   .  50            push eax
00402E6A   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
00402E6D   .  6A 2D         push 0x2D
00402E6F   .  52            push edx
00402E70   .  6A 00         push 0x0
00402E72   .  FF15 24614000 call dword ptr ds:[<&MSVBVM50.__vbaPut4>>;  MSVBVM50.__vbaPut4 — Put #n: writes the plaintext token to MTR.dat (presumably re-read at startup as "registered"; confirm)
00402E78   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00402E7B   .  FF15 DC614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr — free the temporary BSTR
00402E81   .  57            push edi
00402E82   .  FF15 90614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;  MSVBVM50.__vbaI2Var
00402E88   .  50            push eax
00402E89   .  FF15 60614000 call dword ptr ds:[<&MSVBVM50.__vbaFileC>;  MSVBVM50.__vbaFileClose — Close #n
00402E8F   .  56            push esi
00402E90   .  FF93 0C030000 call dword ptr ds:[ebx+0x30C]            ; property get on this (vtable+0x30C) -> a control object; confirm which
00402E96   .  50            push eax
00402E97   .  8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
00402E9A   .  50            push eax
00402E9B   .  FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet -> [ebp-0x1C] = control ref (released at 00402EC4)
00402EA1   .  8BF8          mov edi,eax
00402EA3   .  68 88224000   push CarLitoZ.00402288                   ;  UNICODE "REGISTERED"
00402EA8   .  57            push edi
00402EA9   .  8B0F          mov ecx,dword ptr ds:[edi]
00402EAB   .  FF51 54       call dword ptr ds:[ecx+0x54]             ; control vtable+0x54 with "REGISTERED": a property put — likely Caption/Text; confirm
00402EAE   .  85C0          test eax,eax
00402EB0   .  7D 0F         jge XCarLitoZ.00402EC1
00402EB2   .  6A 54         push 0x54
00402EB4   .  68 A0224000   push CarLitoZ.004022A0
00402EB9   .  57            push edi
00402EBA   .  50            push eax
00402EBB   .  FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00402EC1   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402EC4   .  FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00402ECA   .  56            push esi
00402ECB   .  FF93 04030000 call dword ptr ds:[ebx+0x304]            ; second control (vtable+0x304)
00402ED1   .  8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
00402ED4   .  50            push eax
00402ED5   .  52            push edx
00402ED6   .  FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
00402EDC   .  8BF8          mov edi,eax
00402EDE   .  6A 00         push 0x0
00402EE0   .  57            push edi
00402EE1   .  8B07          mov eax,dword ptr ds:[edi]
00402EE3   .  FF90 8C000000 call dword ptr ds:[eax+0x8C]             ; control vtable+0x8C with 0 — presumably Enabled/Visible = False; confirm
00402EE9   .  85C0          test eax,eax
00402EEB   .  7D 12         jge XCarLitoZ.00402EFF
00402EED   .  68 8C000000   push 0x8C
00402EF2   .  68 B0224000   push CarLitoZ.004022B0
00402EF7   .  57            push edi
00402EF8   .  50            push eax
00402EF9   .  FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00402EFF   >  8B3D E0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFr>;  MSVBVM50.__vbaFreeObj
00402F05   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402F08   .  FFD7          call edi                                 ;  <&MSVBVM50.__vbaFreeObj>
00402F0A   .  56            push esi
00402F0B   .  FF93 08030000 call dword ptr ds:[ebx+0x308]            ; third control (vtable+0x308)
00402F11   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402F14   .  50            push eax
00402F15   .  51            push ecx
00402F16   .  FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
00402F1C   .  8BF0          mov esi,eax                              ; esi no longer holds this from here on
00402F1E   .  6A 00         push 0x0
00402F20   .  56            push esi
00402F21   .  8B16          mov edx,dword ptr ds:[esi]
00402F23   .  FF92 8C000000 call dword ptr ds:[edx+0x8C]             ; same vtable+0x8C call with 0 on the third control; confirm meaning
00402F29   .  85C0          test eax,eax
00402F2B   .  7D 12         jge XCarLitoZ.00402F3F
00402F2D   .  68 8C000000   push 0x8C
00402F32   .  68 C0224000   push CarLitoZ.004022C0
00402F37   .  56            push esi
00402F38   .  50            push eax
00402F39   .  FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00402F3F   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402F42   .  FFD7          call edi                                 ; __vbaFreeObj
00402F44   .  E9 8C000000   jmp CarLitoZ.00402FD5                    ; success path done -> common exit
00402F49   >  FFD7          call edi                                 ; "Wrong Code" branch: edi is still __vbaVarDup; copies the title into [ebp-0x3C]
00402F4B   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00402F4E   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00402F51   .  C745 9C 28234>mov dword ptr ss:[ebp-0x64],CarLitoZ.004>;  UNICODE " Wrong Code! Try Again" (MsgBox prompt)
00402F58   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8
00402F5F   .  FFD7          call edi
00402F61   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00402F64   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
00402F67   .  50            push eax
00402F68   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00402F6B   .  51            push ecx
00402F6C   .  52            push edx
00402F6D   .  8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
00402F70   .  6A 10         push 0x10                                ; 0x10 = vbCritical
00402F72   .  50            push eax
00402F73   .  FF15 40614000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox
00402F79   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00402F7C   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
00402F7F   .  51            push ecx
00402F80   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
00402F83   .  52            push edx
00402F84   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00402F87   .  50            push eax
00402F88   .  51            push ecx
00402F89   .  6A 04         push 0x4
00402F8B   .  FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
00402F91   .  83C4 14       add esp,0x14
00402F94   .  56            push esi
00402F95   .  FF93 08030000 call dword ptr ds:[ebx+0x308]            ; same third control as on the success path
00402F9B   .  8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
00402F9E   .  50            push eax
00402F9F   .  52            push edx
00402FA0   .  FF15 3C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  MSVBVM50.__vbaObjSet
00402FA6   .  8BF0          mov esi,eax
00402FA8   .  68 5C234000   push CarLitoZ.0040235C                   ; string argument (contents not shown in this listing)
00402FAD   .  56            push esi
00402FAE   .  8B06          mov eax,dword ptr ds:[esi]
00402FB0   .  FF90 A4000000 call dword ptr ds:[eax+0xA4]             ; control vtable+0xA4 with that string — presumably resets the input field; confirm
00402FB6   .  85C0          test eax,eax
00402FB8   .  7D 12         jge XCarLitoZ.00402FCC
00402FBA   .  68 A4000000   push 0xA4
00402FBF   .  68 C0224000   push CarLitoZ.004022C0
00402FC4   .  56            push esi
00402FC5   .  50            push eax
00402FC6   .  FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00402FCC   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402FCF   .  FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00402FD5   >  C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0           ; common exit for both branches
00402FDC   .  68 12304000   push CarLitoZ.00403012                   ; push the target, then the 'retn' at 00403011 lands on 00403012 (VB codegen pattern)
00402FE1   .  EB 2E         jmp XCarLitoZ.00403011
00402FE3   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]          ; not reached on the normal path (skipped by the jmp above); presumably the cleanup block the SEH record at [ebp-8] refers to — confirm
00402FE6   .  FF15 DC614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
00402FEC   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402FEF   .  FF15 E0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
00402FF5   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00402FF8   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
00402FFB   .  51            push ecx
00402FFC   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
00402FFF   .  52            push edx
00403000   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00403003   .  50            push eax
00403004   .  51            push ecx
00403005   .  6A 04         push 0x4
00403007   .  FF15 1C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  MSVBVM50.__vbaFreeVarList
0040300D   .  83C4 14       add esp,0x14
00403010   .  C3            retn                                     ; end of the cleanup block
00403011   >  C3            retn                                     ;  RET used as a jump to 00403012
00403012   >  8B45 08       mov eax,dword ptr ss:[ebp+0x8]           ; eax = this
00403015   .  50            push eax
00403016   .  8B10          mov edx,dword ptr ds:[eax]
00403018   .  FF52 08       call dword ptr ds:[edx+0x8]              ; vtable+8 = IUnknown::Release(this)
0040301B   .  8B4D EC       mov ecx,dword ptr ss:[ebp-0x14]          ; previous SEH frame saved at 00402D31
0040301E   .  8B45 FC       mov eax,dword ptr ss:[ebp-0x4]
00403021   .  5F            pop edi
00403022   .  5E            pop esi
00403023   .  64:890D 00000>mov dword ptr fs:[0],ecx                 ; unlink the SEH record
0040302A   .  5B            pop ebx
0040302B   .  8BE5          mov esp,ebp
0040302D   .  5D            pop ebp
0040302E   .  C2 0400       retn 0x4                                 ; stdcall: pop the single (this) argument

因为是VB程序,所以会有很多变量的生成和销毁函数调用,注意一下就好了:这些调用的结构都差不多,看看哪些语句是重复出现的,基本上就可以认为它们是为函数调用服务的,与算法无关。

在关键call那里跟进去:

跳过一些函数调用,直接来到算法部分:

; ---------------------------------------------------------------------
; CarLitoZ.1 — excerpt of the routine that builds the expected serial
; (OllyDbg listing). The enclosing function starts before 0040362B and
; continues after 004038BD; only comments were added or translated.
; Eight rtcMidCharVar calls each take ONE character (Length VARIANT:
; vt = 2 = VT_I2, value 1) from a different local string at the fixed
; 1-based positions 6, 9, 0x8F, 0x10, 0xA1, 0xAB, 0xA6, 0xA8. Seven
; __vbaVarAdd calls concatenate the eight 1-char VARIANTs in order, and
; __vbaVarTstEq compares the result with the VARIANT at ebp-0x25C
; (vt 0x8008 = VT_BSTR plus a high bit that looks VB-internal).
; Registers in this excerpt: edi = rtcMidCharVar, later __vbaVarAdd;
; ebx = 2 (VT_I2); esi (presumably 0) is written back into each string
; local once its BSTR has been moved into a VARIANT — confirm.
; Review: the expected value is assembled only from constants, so it is
; the same for every user and recoverable from the binary; equality
; against such a value is not a meaningful licence check.
; ---------------------------------------------------------------------
0040362B   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax          ; data field of the source VARIANT at ebp-0x6C (eax set before this excerpt)
0040362E   .  52            push edx                                 ; /Length8
0040362F   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]          ; |
00403632   .  6A 06         push 0x6                                 ; |Start = 6
00403634   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]          ; | RetBUFFER for char 1 (reused as the 1st __vbaVarAdd operand at 00403838)
0040363A   .  BB 02000000   mov ebx,0x2                              ; | VT_I2 for every Length VARIANT below
0040363F   .  50            push eax                                 ; |dString8
00403640   .  51            push ecx                                 ; |RetBUFFER
00403641   .  8975 E8       mov dword ptr ss:[ebp-0x18],esi          ; |
00403644   .  C785 A4FDFFFF>mov dword ptr ss:[ebp-0x25C],0x8008      ; | vt of the VARIANT compared at 004038B7 (VT_BSTR | 0x8000); its data field is set before this excerpt
0040364E   .  C745 8C 01000>mov dword ptr ss:[ebp-0x74],0x1          ; | Length value = 1
00403655   .  895D 84       mov dword ptr ss:[ebp-0x7C],ebx          ; | Length vt = VT_I2
00403658   .  8975 E4       mov dword ptr ss:[ebp-0x1C],esi          ; |
0040365B   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8          ; | source vt = VT_BSTR
00403662   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0x8C] = Mid(str1, 6, 1)
00403664   .  8B45 E0       mov eax,dword ptr ss:[ebp-0x20]          ; source string 2 (local [ebp-0x20])
00403667   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
0040366D   .  8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
00403673   .  52            push edx                                 ; /Length8
00403674   .  8D85 64FFFFFF lea eax,dword ptr ss:[ebp-0x9C]          ; |
0040367A   .  6A 09         push 0x9                                 ; |Start = 9
0040367C   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]          ; |
00403682   .  50            push eax                                 ; |dString8
00403683   .  51            push ecx                                 ; |RetBUFFER
00403684   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x1          ; |
0040368E   .  899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx          ; |
00403694   .  8975 E0       mov dword ptr ss:[ebp-0x20],esi          ; |
00403697   .  C785 64FFFFFF>mov dword ptr ss:[ebp-0x9C],0x8          ; |
004036A1   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0xBC] = Mid(str2, 9, 1)
004036A3   .  8B45 DC       mov eax,dword ptr ss:[ebp-0x24]          ; source string 3 (local [ebp-0x24])
004036A6   .  8D95 14FFFFFF lea edx,dword ptr ss:[ebp-0xEC]
004036AC   .  8985 2CFFFFFF mov dword ptr ss:[ebp-0xD4],eax
004036B2   .  52            push edx                                 ; /Length8
004036B3   .  8D85 24FFFFFF lea eax,dword ptr ss:[ebp-0xDC]          ; |
004036B9   .  68 8F000000   push 0x8F                                ; |Start = 8F (decimal 143, 1-based)
004036BE   .  8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-0xFC]          ; |
004036C4   .  50            push eax                                 ; |dString8
004036C5   .  51            push ecx                                 ; |RetBUFFER
004036C6   .  C785 1CFFFFFF>mov dword ptr ss:[ebp-0xE4],0x1          ; |
004036D0   .  899D 14FFFFFF mov dword ptr ss:[ebp-0xEC],ebx          ; |
004036D6   .  8975 DC       mov dword ptr ss:[ebp-0x24],esi          ; |
004036D9   .  C785 24FFFFFF>mov dword ptr ss:[ebp-0xDC],0x8          ; |
004036E3   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0xFC] = Mid(str3, 0x8F, 1)
004036E5   .  8B45 D8       mov eax,dword ptr ss:[ebp-0x28]          ; source string 4 (local [ebp-0x28])
004036E8   .  8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-0x12C]
004036EE   .  8985 ECFEFFFF mov dword ptr ss:[ebp-0x114],eax
004036F4   .  52            push edx                                 ; /Length8
004036F5   .  8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-0x11C]         ; |
004036FB   .  6A 10         push 0x10                                ; |Start = 10 (decimal 16)
004036FD   .  8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-0x13C]         ; |
00403703   .  50            push eax                                 ; |dString8
00403704   .  51            push ecx                                 ; |RetBUFFER
00403705   .  C785 DCFEFFFF>mov dword ptr ss:[ebp-0x124],0x1         ; |
0040370F   .  899D D4FEFFFF mov dword ptr ss:[ebp-0x12C],ebx         ; |
00403715   .  8975 D8       mov dword ptr ss:[ebp-0x28],esi          ; |
00403718   .  C785 E4FEFFFF>mov dword ptr ss:[ebp-0x11C],0x8         ; |
00403722   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0x13C] = Mid(str4, 0x10, 1)
00403724   .  8B45 D4       mov eax,dword ptr ss:[ebp-0x2C]          ; source string 5 (local [ebp-0x2C])
00403727   .  8D95 94FEFFFF lea edx,dword ptr ss:[ebp-0x16C]
0040372D   .  8985 ACFEFFFF mov dword ptr ss:[ebp-0x154],eax
00403733   .  52            push edx                                 ; /Length8
00403734   .  8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-0x15C]         ; |
0040373A   .  68 A1000000   push 0xA1                                ; |Start = A1 (decimal 161)
0040373F   .  8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-0x17C]         ; |
00403745   .  50            push eax                                 ; |dString8
00403746   .  51            push ecx                                 ; |RetBUFFER
00403747   .  C785 9CFEFFFF>mov dword ptr ss:[ebp-0x164],0x1         ; |
00403751   .  899D 94FEFFFF mov dword ptr ss:[ebp-0x16C],ebx         ; |
00403757   .  8975 D4       mov dword ptr ss:[ebp-0x2C],esi          ; |
0040375A   .  C785 A4FEFFFF>mov dword ptr ss:[ebp-0x15C],0x8         ; |
00403764   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0x17C] = Mid(str5, 0xA1, 1)
00403766   .  8B45 D0       mov eax,dword ptr ss:[ebp-0x30]          ; source string 6 (local [ebp-0x30])
00403769   .  C785 5CFEFFFF>mov dword ptr ss:[ebp-0x1A4],0x1
00403773   .  899D 54FEFFFF mov dword ptr ss:[ebp-0x1AC],ebx
00403779   .  8975 D0       mov dword ptr ss:[ebp-0x30],esi
0040377C   .  8985 6CFEFFFF mov dword ptr ss:[ebp-0x194],eax
00403782   .  8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]
00403788   .  8D85 64FEFFFF lea eax,dword ptr ss:[ebp-0x19C]
0040378E   .  52            push edx                                 ; /Length8
0040378F   .  68 AB000000   push 0xAB                                ; |Start = AB (decimal 171)
00403794   .  8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC]         ; |
0040379A   .  50            push eax                                 ; |dString8
0040379B   .  51            push ecx                                 ; |RetBUFFER
0040379C   .  C785 64FEFFFF>mov dword ptr ss:[ebp-0x19C],0x8         ; |
004037A6   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0x1BC] = Mid(str6, 0xAB, 1)
004037A8   .  8B45 CC       mov eax,dword ptr ss:[ebp-0x34]          ; source string 7 (local [ebp-0x34])
004037AB   .  8D95 14FEFFFF lea edx,dword ptr ss:[ebp-0x1EC]
004037B1   .  8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
004037B7   .  52            push edx                                 ; /Length8
004037B8   .  8D85 24FEFFFF lea eax,dword ptr ss:[ebp-0x1DC]         ; |
004037BE   .  68 A6000000   push 0xA6                                ; |Start = A6 (decimal 166)
004037C3   .  8D8D 04FEFFFF lea ecx,dword ptr ss:[ebp-0x1FC]         ; |
004037C9   .  50            push eax                                 ; |dString8
004037CA   .  51            push ecx                                 ; |RetBUFFER
004037CB   .  C785 1CFEFFFF>mov dword ptr ss:[ebp-0x1E4],0x1         ; |
004037D5   .  899D 14FEFFFF mov dword ptr ss:[ebp-0x1EC],ebx         ; |
004037DB   .  8975 CC       mov dword ptr ss:[ebp-0x34],esi          ; |
004037DE   .  C785 24FEFFFF>mov dword ptr ss:[ebp-0x1DC],0x8         ; |
004037E8   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0x1FC] = Mid(str7, 0xA6, 1)
004037EA   .  8B45 C8       mov eax,dword ptr ss:[ebp-0x38]          ; source string 8 (local [ebp-0x38])
004037ED   .  8D95 D4FDFFFF lea edx,dword ptr ss:[ebp-0x22C]
004037F3   .  8985 ECFDFFFF mov dword ptr ss:[ebp-0x214],eax
004037F9   .  52            push edx                                 ; /Length8
004037FA   .  8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-0x21C]         ; |
00403800   .  68 A8000000   push 0xA8                                ; |Start = A8 (decimal 168)
00403805   .  8D8D C4FDFFFF lea ecx,dword ptr ss:[ebp-0x23C]         ; |
0040380B   .  50            push eax                                 ; |dString8
0040380C   .  51            push ecx                                 ; |RetBUFFER
0040380D   .  C785 DCFDFFFF>mov dword ptr ss:[ebp-0x224],0x1         ; |
00403817   .  899D D4FDFFFF mov dword ptr ss:[ebp-0x22C],ebx         ; |
0040381D   .  8975 C8       mov dword ptr ss:[ebp-0x38],esi          ; |
00403820   .  C785 E4FDFFFF>mov dword ptr ss:[ebp-0x21C],0x8         ; |
0040382A   .  FFD7          call edi                                 ; \rtcMidCharVar -> [ebp-0x23C] = Mid(str8, 0xA8, 1)
0040382C   .  8B3D C0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarAdd — edi now = VARIANT '&' / '+'
00403832   .  8D95 A4FDFFFF lea edx,dword ptr ss:[ebp-0x25C]         ; left operand of __vbaVarTstEq at 004038B7 (vt 0x8008 set at 00403644)
00403838   .  8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]          ;  (author) the input string — NOTE(review): ebp-0x8C is the RetBUFFER of the first rtcMidCharVar (00403640), i.e. extracted char 1; the user input is more plausibly ebp-0x25C — confirm in the debugger
0040383E   .  52            push edx                                 ; /var18
0040383F   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]          ; |just concatenating the pieces (char 2)
00403845   .  50            push eax                                 ; |/var18
00403846   .  8D95 34FFFFFF lea edx,dword ptr ss:[ebp-0xCC]          ; ||
0040384C   .  51            push ecx                                 ; ||var28
0040384D   .  52            push edx                                 ; ||saveto8
0040384E   .  FFD7          call edi                                 ; |\__vbaVarAdd -> char1 & char2
00403850   .  50            push eax                                 ; |/var18
00403851   .  8D85 04FFFFFF lea eax,dword ptr ss:[ebp-0xFC]          ; || char 3
00403857   .  8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-0x10C]         ; ||
0040385D   .  50            push eax                                 ; ||var28
0040385E   .  51            push ecx                                 ; ||saveto8
0040385F   .  FFD7          call edi                                 ; |\__vbaVarAdd
00403861   .  50            push eax                                 ; |/var18
00403862   .  8D95 C4FEFFFF lea edx,dword ptr ss:[ebp-0x13C]         ; || char 4
00403868   .  8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C]         ; ||
0040386E   .  52            push edx                                 ; ||var28
0040386F   .  50            push eax                                 ; ||saveto8
00403870   .  FFD7          call edi                                 ; |\__vbaVarAdd
00403872   .  8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-0x17C]         ; | char 5
00403878   .  50            push eax                                 ; |/var18
00403879   .  8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C]         ; ||
0040387F   .  51            push ecx                                 ; ||var28
00403880   .  52            push edx                                 ; ||saveto8
00403881   .  FFD7          call edi                                 ; |\__vbaVarAdd
00403883   .  50            push eax                                 ; |/var18
00403884   .  8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC]         ; || char 6
0040388A   .  8D8D 34FEFFFF lea ecx,dword ptr ss:[ebp-0x1CC]         ; ||
00403890   .  50            push eax                                 ; ||var28
00403891   .  51            push ecx                                 ; ||saveto8
00403892   .  FFD7          call edi                                 ; |\__vbaVarAdd
00403894   .  50            push eax                                 ; |/var18
00403895   .  8D95 04FEFFFF lea edx,dword ptr ss:[ebp-0x1FC]         ; || char 7
0040389B   .  8D85 F4FDFFFF lea eax,dword ptr ss:[ebp-0x20C]         ; ||
004038A1   .  52            push edx                                 ; ||var28
004038A2   .  50            push eax                                 ; ||saveto8
004038A3   .  FFD7          call edi                                 ; |\__vbaVarAdd
004038A5   .  8D8D C4FDFFFF lea ecx,dword ptr ss:[ebp-0x23C]         ; | char 8
004038AB   .  50            push eax                                 ; |/var18
004038AC   .  51            push ecx                                 ; ||var28
004038AD   .  8D95 B4FDFFFF lea edx,dword ptr ss:[ebp-0x24C]         ; ||
004038B3   .  52            push edx                                 ; ||saveto8
004038B4   .  FFD7          call edi                                 ; |\__vbaVarAdd -> the full 8-character string
004038B6   .  50            push eax                                 ; |var28
004038B7   .  FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq -> ax != 0 when [ebp-0x25C] equals the 8-character string
004038BD   .  8BF8          mov edi,eax                              ; edi = comparison result (consumed after this excerpt)

每次rtcMidCharVar函数调用完后,eax会是一个地址,在内存窗口中跟随这个地址,会得到一个variant类型的变量,如:

0012F390  08 00 00 00 00 D1 91 00  ....褢.
0012F398  44 36 16 00 C5 A5 07 74  D6.钮t

再跟随其中的00163644这个地址,就会得到一个字符。

00163644  72 00 00 00 00 00 00 00  r.......
0016364C  80 37 16 00 25 00 03 007.%..

刚刚好rtcMidCharVar这个函数出现了8次,于是有8个字符。
而后面的vbaVarAdd函数则是将这8个字符合在了一起,变成了字符串。
0040383E位置是我们输入的serial
而在004038B6是那合在一起的8个字符,
后面的vbaVarTstEq函数的作用就不言而喻了。
所以最后那8个字符为:
rkh1oyie
这就是serial了。

