mysms.exe: Notes on Tracing a VB Program
kongfoo/2004.1.31
A native-code VB program naturally calls for VBDE. It shows FrmMain's Form_Load at offset 0280f0,
so load the program in OllyDbg (OD) and go to 4280f0.
004280F0 55 PUSH EBP
004280F1 8BEC MOV EBP,ESP
004280F3 83EC 18 SUB ESP,18
004280F6 68 E61A4000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler>
004280FB 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00428101 50 PUSH EAX
00428102 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00428109 B8 F8010000 MOV EAX,1F8
0042810E E8 CD99FDFF CALL <JMP.&MSVBVM60.__vbaChkstk>
A rough trace shows the CALL at 4287d7 brings up the registration dialog:
004287D6 50 PUSH EAX == patch this to jmp 428ea7 to skip both the registration dialog and the registration check (why 428ea7? trace it and you'll see)
004287D7 FF92 B0020000 CALL DWORD PTR DS:[EDX+2B0] == machine code: E9CC0600009090
004287DD DBE2 FCLEX
004287DF 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC],EAX
004287E5 83BD 14FFFFFF 00 CMP DWORD PTR SS:[EBP-EC],0
004287EC 7D 26 JGE SHORT MYSMS.00428814
004287EE 68 B0020000 PUSH 2B0
004287F3 68 94874000 PUSH MYSMS.00408794
004287F8 8B8D 18FFFFFF MOV ECX,DWORD PTR SS:[EBP-E8]
004287FE 51 PUSH ECX
004287FF 8B95 14FFFFFF MOV EDX,DWORD PTR SS:[EBP-EC]
00428805 52 PUSH EDX
00428806 FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheck>; MSVBVM60.__vbaHresultCheckObj
0042880C 8985 C0FEFFFF MOV DWORD PTR SS:[EBP-140],EAX
00428812 EB 0A JMP SHORT MYSMS.0042881E
00428814 C785 C0FEFFFF 00000>MOV DWORD PTR SS:[EBP-140],0
0042881E C745 FC 15000000 MOV DWORD PTR SS:[EBP-4],15
00428825 A1 2C204400 MOV EAX,DWORD PTR DS:[44202C]
0042882A 50 PUSH EAX
0042882B 68 70874000 PUSH MYSMS.00408770
00428830 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00428836 85C0 TEST EAX,EAX
00428838 75 0D JNZ SHORT MYSMS.00428847 == if this doesn't jump, the program exits...
0042883A C745 FC 16000000 MOV DWORD PTR SS:[EBP-4],16
00428841 FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEnd>] ; MSVBVM60.__vbaEnd
00428847 C745 FC 18000000 MOV DWORD PTR SS:[EBP-4],18
0042884E 68 2C204400 PUSH MYSMS.0044202C
00428853 E8 88830000 CALL MYSMS.00430BE0
00428858 8BD0 MOV EDX,EAX
0042885A 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0042885D FF15 CC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00428863 50 PUSH EAX
00428864 FF15 84114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str == this is where runtime error 13 (Type mismatch) is raised
0042886A 8BF0 MOV ESI,EAX
0042886C 68 24834000 PUSH MYSMS.00408324 ; UNICODE "14201496"
00428871 FF15 84114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str
00428877 33F0 XOR ESI,EAX
00428879 89B5 BCFEFFFF MOV DWORD PTR SS:[EBP-144],ESI
0042887F DB85 BCFEFFFF FILD DWORD PTR SS:[EBP-144]
00428885 DD9D B4FEFFFF FSTP QWORD PTR SS:[EBP-14C]
0042888B 8B0D 28204400 MOV ECX,DWORD PTR DS:[442028]
00428891 51 PUSH ECX
00428892 FF15 70114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00428898 DC9D B4FEFFFF FCOMP QWORD PTR SS:[EBP-14C]
0042889E DFE0 FSTSW AX
004288A0 F6C4 40 TEST AH,40
004288A3 75 0C JNZ SHORT MYSMS.004288B1
004288A5 C785 B0FEFFFF 01000>MOV DWORD PTR SS:[EBP-150],1
004288AF EB 0A JMP SHORT MYSMS.004288BB
004288B1 C785 B0FEFFFF 00000>MOV DWORD PTR SS:[EBP-150],0
004288BB 8B95 B0FEFFFF MOV EDX,DWORD PTR SS:[EBP-150]
004288C1 F7DA NEG EDX
004288C3 66:8995 18FFFFFF MOV WORD PTR SS:[EBP-E8],DX
004288CA 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
004288CD FF15 F0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
004288D3 0FBF85 18FFFFFF MOVSX EAX,WORD PTR SS:[EBP-E8]
004288DA 85C0 TEST EAX,EAX
004288DC 0F84 4A010000 JE MYSMS.00428A2C == this needs patching to skip the registration check
004288E2 C745 FC 19000000 MOV DWORD PTR SS:[EBP-4],19
004288E9 C745 84 04000280 MOV DWORD PTR SS:[EBP-7C],80020004
004288F0 C785 7CFFFFFF 0A000>MOV DWORD PTR SS:[EBP-84],0A
004288FA C745 94 04000280 MOV DWORD PTR SS:[EBP-6C],80020004
00428901 C745 8C 0A000000 MOV DWORD PTR SS:[EBP-74],0A
00428908 C785 54FFFFFF 68884>MOV DWORD PTR SS:[EBP-AC],MYSMS.00408868
00428912 C785 4CFFFFFF 08000>MOV DWORD PTR SS:[EBP-B4],8
0042891C 8D95 4CFFFFFF LEA EDX,DWORD PTR SS:[EBP-B4]
00428922 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
00428925 FF15 B8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0042892B C785 64FFFFFF 40884>MOV DWORD PTR SS:[EBP-9C],MYSMS.00408840
00428935 C785 5CFFFFFF 08000>MOV DWORD PTR SS:[EBP-A4],8
0042893F 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00428945 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00428948 FF15 B8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0042894E 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00428954 51 PUSH ECX
00428955 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00428958 52 PUSH EDX
00428959 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0042895C 50 PUSH EAX
0042895D 6A 40 PUSH 40
0042895F 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00428962 51 PUSH ECX
00428963 FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox == the "please re-register" dialog
After patching the program with UltraEdit (UE), back to VBDE: FrmReg's OKButton is at offset 03e340. Set a breakpoint there.
It never hits. FrmLH's CmdOK_Click is at offset 031740. Doesn't hit either. There is also FrmUser,
CmdOK at 3bd10. Still not it... Break on rtcMsgBox instead... It breaks here:
00440FE8 52 PUSH EDX
00440FE9 FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
Looking upward, the function entry is at 440d80. Just above the rtcMsgBox at 440fe9 there is a jump that can skip the dialog,
so set a breakpoint there. After clicking OK it turns out the jump is actually taken... Need to trace it...
00440F7A 66:3BFB CMP DI,BX
00440F7D 0F84 8C000000 JE MYSMS.0044100F
The jump further down goes to a JMP, which then jumps back to just before the rtcMsgBox above.
00441158 66:85FF TEST DI,DI
0044115B 0F84 D6020000 JE MYSMS.00441437 == patch this
0044130D 66:85F6 TEST SI,SI
00441310 0F84 11010000 JE MYSMS.00441427 == after patching the one above, if this one jumps the computer reboots; patch it
Patching it doesn't help either; it still says registration failed. The only option is to trace all the way down from the function entry at 440d80.
.... (earlier part omitted)
00440E41 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] == registration code
00440E44 50 PUSH EAX
00440E45 68 70874000 PUSH MYSMS.00408770
00440E4A FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00440E50 8BF8 MOV EDI,EAX
00440E52 F7DF NEG EDI
00440E54 1BFF SBB EDI,EDI
00440E56 47 INC EDI
00440E57 F7DF NEG EDI
00440E59 66:89BD 3CFFFFFF MOV WORD PTR SS:[EBP-C4],DI
00440E60 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00440E63 FF15 F0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00440E69 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00440E6C FF15 EC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00440E72 66:3BFB CMP DI,BX
00440E75 0F84 8C000000 JE MYSMS.00440F07 == if not taken, it says the registration ID cannot be empty
After the jump:
00440F07 8B06 MOV EAX,DWORD PTR DS:[ESI] ; MYSMS.00442E00
00440F09 56 PUSH ESI
00440F0A FF90 04030000 CALL DWORD PTR DS:[EAX+304]
00440F10 50 PUSH EAX
00440F11 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00440F14 51 PUSH ECX
00440F15 FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00440F1B 8BF8 MOV EDI,EAX
00440F1D 8B17 MOV EDX,DWORD PTR DS:[EDI]
00440F1F 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00440F22 50 PUSH EAX
00440F23 57 PUSH EDI
00440F24 FF92 A0000000 CALL DWORD PTR DS:[EDX+A0]
00440F2A DBE2 FCLEX
00440F2C 3BC3 CMP EAX,EBX
00440F2E 7D 12 JGE SHORT MYSMS.00440F42
00440F30 68 A0000000 PUSH 0A0
00440F35 68 2C884000 PUSH MYSMS.0040882C
00440F3A 57 PUSH EDI
00440F3B 50 PUSH EAX
00440F3C FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00440F42 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00440F45 895D DC MOV DWORD PTR SS:[EBP-24],EBX
00440F48 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
00440F4B C745 BC 08000000 MOV DWORD PTR SS:[EBP-44],8
00440F52 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] == registration code
00440F55 51 PUSH ECX
00440F56 FF15 E4104000 CALL DWORD PTR DS:[<&MSVBVM60.#561>] ; MSVBVM60.rtcIsNumeric
00440F5C 66:8BF8 MOV DI,AX
00440F5F F7D7 NOT EDI
00440F61 66:89BD 3CFFFFFF MOV WORD PTR SS:[EBP-C4],DI
00440F68 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00440F6B FF15 EC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00440F71 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00440F74 FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00440F7A 66:3BFB CMP DI,BX
00440F7D 0F84 8C000000 JE MYSMS.0044100F == if not taken, it says the registration code is invalid, digits only
After the jump:
0044100F 8B0E MOV ECX,DWORD PTR DS:[ESI] ; MYSMS.00442E00
00441011 56 PUSH ESI
00441012 FF91 04030000 CALL DWORD PTR DS:[ECX+304]
00441018 50 PUSH EAX
00441019 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0044101C 52 PUSH EDX
0044101D FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00441023 8BF8 MOV EDI,EAX
00441025 8B07 MOV EAX,DWORD PTR DS:[EDI]
00441027 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0044102A 51 PUSH ECX
0044102B 57 PUSH EDI
0044102C FF90 A0000000 CALL DWORD PTR DS:[EAX+A0]
00441032 DBE2 FCLEX
00441034 3BC3 CMP EAX,EBX
00441036 7D 12 JGE SHORT MYSMS.0044104A
00441038 68 A0000000 PUSH 0A0
0044103D 68 2C884000 PUSH MYSMS.0040882C
00441042 57 PUSH EDI
00441043 50 PUSH EAX
00441044 FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0044104A 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] == registration code
0044104D 895D DC MOV DWORD PTR SS:[EBP-24],EBX
00441050 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00441053 8B1D CC114000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
00441059 FFD3 CALL EBX
0044105B 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0044105E 52 PUSH EDX
0044105F E8 2C00FFFF CALL MYSMS.00431090
00441064 8BD0 MOV EDX,EAX
00441066 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00441069 FFD3 CALL EBX
0044106B 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0044106E 50 PUSH EAX
0044106F E8 6CFBFEFF CALL MYSMS.00430BE0
00441074 8BD0 MOV EDX,EAX
00441076 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00441079 FFD3 CALL EBX
0044107B 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0044107E 51 PUSH ECX
0044107F 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00441082 52 PUSH EDX
00441083 6A 02 PUSH 2
00441085 FF15 88114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0044108B 83C4 0C ADD ESP,0C
0044108E 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00441091 FF15 EC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00441097 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] == processed registration code: 12345678 -> 21436587 (each pair of digits swapped)
0044109A 50 PUSH EAX
0044109B 8B3D 84114000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaI4>; MSVBVM60.__vbaI4Str
004410A1 FFD7 CALL EDI == converts the string '21436587' to a number: 14718ab
004410A3 8BD0 MOV EDX,EAX
004410A5 68 24834000 PUSH MYSMS.00408324 ; UNICODE "14201496"
004410AA 8995 14FFFFFF MOV DWORD PTR SS:[EBP-EC],EDX ==14718ab
004410B0 FFD7 CALL EDI ; MSVBVM60.__vbaI4Str == converts '14201496' to a number: d8b298
004410B2 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC] ==14718ab
004410B8 33C8 XOR ECX,EAX == XOR the two numbers
004410BA 51 PUSH ECX
004410BB FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4 == converts the result to the string '27241011'
004410C1 8BD0 MOV EDX,EAX
004410C3 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004410C6 FFD3 CALL EBX ; MSVBVM60.__vbaStrMove
004410C8 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] =='27241011'
004410CB 52 PUSH EDX
004410CC FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
004410D2 83F8 08 CMP EAX,8
004410D5 74 16 JE SHORT MYSMS.004410ED
004410D7 68 00954000 PUSH MYSMS.00409500
004410DC 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004410DF 50 PUSH EAX
004410E0 FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
004410E6 8BD0 MOV EDX,EAX
004410E8 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004410EB FFD3 CALL EBX
004410ED 8B0E MOV ECX,DWORD PTR DS:[ESI]
004410EF 56 PUSH ESI
004410F0 FF91 08030000 CALL DWORD PTR DS:[ECX+308]
004410F6 50 PUSH EAX
004410F7 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004410FA 52 PUSH EDX
004410FB FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00441101 8BF8 MOV EDI,EAX
00441103 8B07 MOV EAX,DWORD PTR DS:[EDI]
00441105 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00441108 51 PUSH ECX
00441109 57 PUSH EDI
0044110A FF90 A0000000 CALL DWORD PTR DS:[EAX+A0]
00441110 DBE2 FCLEX
00441112 85C0 TEST EAX,EAX
00441114 7D 12 JGE SHORT MYSMS.00441128
00441116 68 A0000000 PUSH 0A0
0044111B 68 2C884000 PUSH MYSMS.0040882C
00441120 57 PUSH EDI
00441121 50 PUSH EAX
00441122 FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00441128 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] == registration ID '52728452'
0044112B 52 PUSH EDX
0044112C 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] == result of processing the registration code with 14201496: 12345678 -> 27241011
0044112F 50 PUSH EAX
00441130 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00441136 8BF8 MOV EDI,EAX
00441138 F7DF NEG EDI
0044113A 1BFF SBB EDI,EDI
0044113C 47 INC EDI
0044113D F7DF NEG EDI
0044113F 66:89BD 3CFFFFFF MOV WORD PTR SS:[EBP-C4],DI
00441146 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00441149 FF15 F0114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0044114F 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00441152 FF15 EC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00441158 66:85FF TEST DI,DI
0044115B 0F84 D6020000 JE MYSMS.00441437 == comparison done
Algorithm: take the 8-digit input, swap each pair of digits, XOR the result with 14201496, convert it to a string and compare it with '52728452'.
Inverse: XOR 52728452 with 14201496, then swap each pair of digits: 66589404.
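The check recovered above (the same transform runs in Form_Load and in the OK handler) is reproduced here in Python as an added illustration; it is not the program's source, the function names are my own, and the constant 14201496 plus the sample ID and codes are the values the trace shows. It makes the weakness explicit: a digit-pair swap and an XOR with a fixed constant are both reversible, so the check is no stronger than comparing against a stored plaintext code.

```python
"""Reconstruction of mysms.exe's registration check (added example, not the program's code).

XOR_CONSTANT is the UNICODE string at MYSMS.00408324; the sample registration ID
'52728452' and codes 12345678 / 66589404 are the values the trace above shows.
Function names are assumptions made for this example.
"""

XOR_CONSTANT = 14201496  # __vbaI4Str("14201496"), used in Form_Load and the OK handler


def swap_digit_pairs(digits: str) -> str:
    """Effect of the helper at MYSMS.00431090 / 00430BE0: 12345678 -> 21436587."""
    if len(digits) % 2:
        raise ValueError("expected an even number of digits")
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def transform_code(code: str) -> str:
    """Swap pairs, __vbaI4Str, XOR with the constant, __vbaStrI4 (0044105F..004410BB)."""
    # rtcIsNumeric gate at 00440F56: non-digit input is rejected before __vbaI4Str,
    # which would otherwise raise VB runtime error 13 (Type mismatch). The 8-digit
    # length is the author's summary of the algorithm; the listing only checks that
    # the *result* is 8 characters (004410D2) and otherwise appends a string at
    # 00409500 whose contents the trace does not show, so that padding is omitted.
    if not code.isdigit() or len(code) != 8:
        raise ValueError("registration code must be exactly 8 digits")
    return str(int(swap_digit_pairs(code)) ^ XOR_CONSTANT)


def check_registration(reg_id: str, code: str) -> bool:
    """__vbaStrCmp at 00441130: the transformed code must equal the registration ID.

    Both steps of transform_code are bijections on 8-digit inputs, so exactly one
    code matches each ID and the embedded constant is the whole secret.
    """
    try:
        return transform_code(code) == reg_id
    except ValueError:
        return False
```

A defender reviewing a scheme like this would replace the reversible transform with a signature over the ID verified against an embedded public key, so that knowing the check logic does not yield valid codes.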