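VB Reverse Engineering in Practice (Part 1)
【Date】 September 21
【Author】 囚徒
【Author e-mail】 nnscccn@yahoo.com.cn
【Tools used】 VBDE, SmartCheck, W32dsm, OD
【Platform】 Win9x/NT/2000/XP
【Software name】 Casino轮盘智能机器人 (Casino Roulette Intelligent Robot)
【Download】 see attachment
【Description】 Casino轮盘智能机器人 is an offline bot for the 888 casino. The bot places bets automatically and "spins" automatically; once you leave it running you do not have to do anything else. It is a lot of fun, and bots of this kind are fairly rare, so I decided to reverse it.
【Size】 84KB
【Packer】 none
【Statement】 I am just a little rookie bird: I want to fly, but I can never fly high.
【Aside】 The biggest difference between humans and animals is the ability to use tools. As you will see, with good use of tools, reversing a VB program is not very difficult; even a rookie like me can do it.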
----------------------------------------------------------------------------------------------------------------------
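【Cracking content】
    There is no packer and no Command Button; everything is in Form_Load. VBDE shows that Form_Load is at 00406A90. Open W32dsm, load Casino轮盘智能机器人, and look up 00406A90. The disassembly is as follows: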

Quote:
:00406A90 55                       push ebp
:00406A91 8BEC                    mov ebp, esp
:00406A93 83EC0C                  sub esp, 0000000C

* Possible StringData Ref from Code Obj ->"%?@"
                                  |
:00406A96 68A6134000              push 004013A6
:00406A9B 64A100000000            mov eax, dword ptr fs:[00000000]
:00406AA1 50                      push eax
:00406AA2 64892500000000          mov dword ptr fs:[00000000], esp
:00406AA9 81EC84010000            sub esp, 00000184
:00406AAF 53                      push ebx
:00406AB0 56                      push esi
:00406AB1 57                      push edi
:00406AB2 8965F4                  mov dword ptr [ebp-0C], esp
:00406AB5 C745F8A0114000          mov [ebp-08], 004011A0
:00406ABC 8B4508                  mov eax, dword ptr [ebp+08]
:00406ABF 8BC8                    mov ecx, eax
:00406AC1 83E101                  and ecx, 00000001
:00406AC4 894DFC                  mov dword ptr [ebp-04], ecx
:00406AC7 24FE                    and al, FE
:00406AC9 50                      push eax
:00406ACA 894508                  mov dword ptr [ebp+08], eax
:00406ACD 8B10                    mov edx, dword ptr [eax]
:00406ACF FF5204                  call [edx+04]
:00406AD2 33DB                    xor ebx, ebx                       ;decompilation starts here
:00406AD4 895DDC                  mov dword ptr [ebp-24], ebx        ;what follows are variable definitions
:00406AD7 895DD4                  mov dword ptr [ebp-2C], ebx
:00406ADA 895DD0                  mov dword ptr [ebp-30], ebx
:00406ADD 895DC0                  mov dword ptr [ebp-40], ebx
:00406AE0 895DB0                  mov dword ptr [ebp-50], ebx
:00406AE3 895DA0                  mov dword ptr [ebp-60], ebx
:00406AE6 895D90                  mov dword ptr [ebp-70], ebx
:00406AE9 895D80                  mov dword ptr [ebp-80], ebx
:00406AEC 899D70FFFFFF            mov dword ptr [ebp+FFFFFF70], ebx
:00406AF2 899D60FFFFFF            mov dword ptr [ebp+FFFFFF60], ebx
:00406AF8 899D34FFFFFF            mov dword ptr [ebp+FFFFFF34], ebx
:00406AFE 899D24FFFFFF            mov dword ptr [ebp+FFFFFF24], ebx
:00406B04 899D14FFFFFF            mov dword ptr [ebp+FFFFFF14], ebx
:00406B0A 899D04FFFFFF            mov dword ptr [ebp+FFFFFF04], ebx
:00406B10 899DF4FEFFFF            mov dword ptr [ebp+FFFFFEF4], ebx
:00406B16 899DE4FEFFFF            mov dword ptr [ebp+FFFFFEE4], ebx
:00406B1C 899DD4FEFFFF            mov dword ptr [ebp+FFFFFED4], ebx
:00406B22 899DC4FEFFFF            mov dword ptr [ebp+FFFFFEC4], ebx
:00406B28 899DB4FEFFFF            mov dword ptr [ebp+FFFFFEB4], ebx
:00406B2E 899DA4FEFFFF            mov dword ptr [ebp+FFFFFEA4], ebx
:00406B34 E8F7610000              call 0040CD30                       ;step into this call
:00406B39 391D10204100            cmp dword ptr [00412010], ebx       ;compare
:00406B3F 7510                    jne 00406B51                        ;jump if not equal
:00406B41 6810204100              push 00412010
:00406B46 6804464000              push 00404604

* Reference To: MSVBVM60.__vbaNew2, Ord:0000h
                                  |
:00406B4B FF15F8104000            Call dword ptr [004010F8]
 *
 *
 *
                                  ret
-------------------------------------------------------------------------------------------------------------------
Quote:

:0040CD30 55                      push ebp
:0040CD31 8BEC                    mov ebp, esp
:0040CD33 83EC08                  sub esp, 00000008

* Possible StringData Ref from Code Obj ->"%?@"
                                  |
:0040CD36 68A6134000              push 004013A6
:0040CD3B 64A100000000            mov eax, dword ptr fs:[00000000]
:0040CD41 50                      push eax
:0040CD42 64892500000000          mov dword ptr fs:[00000000], esp
:0040CD49 83EC2C                  sub esp, 0000002C
:0040CD4C 53                      push ebx
:0040CD4D 56                      push esi
:0040CD4E 57                      push edi
:0040CD4F 8965F8                  mov dword ptr [ebp-08], esp
:0040CD52 C745FC38134000          mov [ebp-04], 00401338
:0040CD59 33C0                    xor eax, eax                                  ;eax=0

* Possible StringData Ref from Code Obj ->"127.0.0.1"
                                  |
:0040CD5B BAB8654000              mov edx, 004065B8                             ;edx="127.0.0.1"
:0040CD60 8D4DD8                  lea ecx, dword ptr [ebp-28]                   ;ecx points to variable c
:0040CD63 8945E0                  mov dword ptr [ebp-20], eax                   ;dim a as string
:0040CD66 8945DC                  mov dword ptr [ebp-24], eax                   ;dim b as string
:0040CD69 8945D8                  mov dword ptr [ebp-28], eax                   ;dim c as string
:0040CD6C 8945C8                  mov dword ptr [ebp-38], eax 

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                  |
:0040CD6F FF1504114000            Call dword ptr [00401104]                     ;c="127.0.0.1"
:0040CD75 8D45E0                  lea eax, dword ptr [ebp-20]                   ;eax points to variable a
:0040CD78 50                      push eax                                      ;Arg4: Long (long integer, 4 bytes)

* Possible StringData Ref from Code Obj ->"IP1"
                                  |
:0040CD79 6850664000              push 00406650                                 ;Arg3:string

* Possible StringData Ref from Code Obj ->"Software\casinoonnet\casino\init"
                                  |
:0040CD7E 6808664000              push 00406608                                 ;Arg2:lpSubkey,string
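:0040CD83 6801000080              push 80000001                                 ;Arg1: this value is HKEY_CURRENT_USER, Long
:0040CD88 E883F6FFFF              call 0040C410                                 ;function call: a function the author wrote himself
                                                                                ;let's look at this function next
                                                                                ;a first guess is that it deals with the registry
                                                                                ;we will need SmartCheck for this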
 *
 *
 *
                                  ret
------------------------------------------------------------------------------------------------------------------
Open SmartCheck and load Casino轮盘机器人. Under Event you can see:
Quote:

_Load
  OnError
  RegOpenKeyExA returns Long:2 
  *
  *
  *
_Load
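As you can see, the first step is to open the registry. Looking up the RegOpenKeyEx function gives:
RegOpenKeyEx(ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long)
It takes 5 parameters. Let's find where the call is made: in SmartCheck, click "RegOpenKeyExA returns Long:2" on the left, and on the right you can see that its address is 0040C4AC. We look up this address in W32dsm to see where it is reached from.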
Quote:

* Referenced by a CALL at Address:
|:0040CD88                                                                      ;it is reached from here
|                                                                               ;0040CD88 is the Call we saw above
:0040C410 55                      push ebp
:0040C411 8BEC                    mov ebp, esp
:0040C413 83EC14                  sub esp, 00000014

* Possible StringData Ref from Code Obj ->"%?@"
                                  |
:0040C416 68A6134000              push 004013A6
:0040C41B 64A100000000            mov eax, dword ptr fs:[00000000]
:0040C421 50                      push eax
:0040C422 64892500000000          mov dword ptr fs:[00000000], esp
:0040C429 81ECA0000000            sub esp, 000000A0
:0040C42F 53                      push ebx
:0040C430 56                      push esi
:0040C431 57                      push edi
:0040C432 8965EC                  mov dword ptr [ebp-14], esp
:0040C435 C745F0E8124000          mov [ebp-10], 004012E8
:0040C43C 33F6                    xor esi, esi
:0040C43E 8975F4                  mov dword ptr [ebp-0C], esi                    ;
:0040C441 8975F8                  mov dword ptr [ebp-08], esi
:0040C444 8975E0                  mov dword ptr [ebp-20], esi                 ;Dim bb as string
:0040C447 8975D8                  mov dword ptr [ebp-28], esi                 ;Dim aa as string
:0040C44A 8975D0                  mov dword ptr [ebp-30], esi
:0040C44D 8975CC                  mov dword ptr [ebp-34], esi
:0040C450 8975BC                  mov dword ptr [ebp-44], esi
:0040C453 8975AC                  mov dword ptr [ebp-54], esi
:0040C456 89759C                  mov dword ptr [ebp-64], esi
:0040C459 89758C                  mov dword ptr [ebp-74], esi
:0040C45C 89B57CFFFFFF            mov dword ptr [ebp+FFFFFF7C], esi              ;
:0040C462 89B56CFFFFFF            mov dword ptr [ebp+FFFFFF6C], esi
:0040C468 89B55CFFFFFF            mov dword ptr [ebp+FFFFFF5C], esi
:0040C46E 8B550C                  mov edx, dword ptr [ebp+0C]                 ;actual argument, i.e. Arg2 above
:0040C471 8D4DD8                  lea ecx, dword ptr [ebp-28]

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                                  |
:0040C474 8B3D04114000            mov edi, dword ptr [00401104]
:0040C47A FFD7                    call edi                                    ;aa=Arg2
:0040C47C 8B5510                  mov edx, dword ptr [ebp+10]                 ;actual argument, i.e. Arg3 above
:0040C47F 8D4DE0                  lea ecx, dword ptr [ebp-20]
:0040C482 FFD7                    call edi                                    ;bb=Arg3
:0040C484 6A01                    push 00000001

* Reference To: MSVBVM60.__vbaOnError, Ord:0000h
                                  |
:0040C486 FF155C104000            Call dword ptr [0040105C]                   ;On Error Resume Next
:0040C48C 68EC214100              push 004121EC                               ;Arg5:phKeyResult
:0040C491 6819000200              push 00020019                               ;Arg4:SamDesired
:0040C496 56                      push esi                                    ;Arg3:ulOptions
:0040C497 8B45D8                  mov eax, dword ptr [ebp-28]
:0040C49A 50                      push eax
:0040C49B 8D4DD0                  lea ecx, dword ptr [ebp-30]
:0040C49E 51                      push ecx

* Reference To: MSVBVM60.__vbaStrToAnsi, Ord:0000h
                                  |
:0040C49F 8B3528114000            mov esi, dword ptr [00401128]
:0040C4A5 FFD6                    call esi
:0040C4A7 50                      push eax                                     ;Arg2:lpSubKey
:0040C4A8 8B5508                  mov edx, dword ptr [ebp+08]
:0040C4AB 52                      push edx                                     ;Arg1:hKey=80000001
:0040C4AC E8D395FFFF              call 00405A84                                ;this is where we arrive: RegOpenKeyEx
--------------------------------------------------------------------------------------------------------------
 The above is a short piece of reversing notes; anyone who is interested is welcome to discuss it with me. My e-mail: nnscccn@yahoo.com.cn
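
The call targets and constants annotated in the listings above can be checked mechanically. The following Python code is an added example, not part of the original post: it recomputes each near-call target from its `E8 rel32` bytes and decodes the `hKey`, `samDesired` and return values. The function names are hypothetical, and the sample lines are copied from the listings on this page.

```python
import re

# Constants from winreg.h / winnt.h / winerror.h (names are the SDK's).
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
RIGHTS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
          0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
          0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
          0x00020000: "READ_CONTROL"}
ERRORS = {0: "ERROR_SUCCESS", 2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

LINE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(.*)$")  # :ADDR BYTES text

# Lines copied from the listings on this page.
SAMPLE = """\
:00406B34 E8F7610000              call 0040CD30
:0040CD83 6801000080              push 80000001
:0040CD88 E883F6FFFF              call 0040C410
:0040C491 6819000200              push 00020019
:0040C4AC E8D395FFFF              call 00405A84
"""

def call_target(addr, raw):
    """Near call (E8 rel32): target = address of next instruction + signed offset."""
    rel = int.from_bytes(raw[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF

def decode_access(mask):
    """Names of the access-right bits set in a samDesired mask."""
    names = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def analyse(listing=SAMPLE):
    """Return ({call address: resolved target}, [push imm32 values])."""
    calls, pushes = {}, []
    for m in filter(None, map(LINE.match, listing.splitlines())):
        addr, raw = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if raw[0] == 0xE8 and len(raw) == 5:
            calls[addr] = call_target(addr, raw)
        elif raw[0] == 0x68 and len(raw) == 5:      # push imm32
            pushes.append(int.from_bytes(raw[1:], "little"))
    return calls, pushes

if __name__ == "__main__":
    calls, (hkey, sam) = analyse()
    print({f"{a:08X}": f"{t:08X}" for a, t in calls.items()})
    print(HKEYS[hkey], "|".join(decode_access(sam)), ERRORS[2])
```

The mask 0x00020019 is the value of `KEY_READ`, and the return value 2 that SmartCheck reports for `RegOpenKeyExA` is `ERROR_FILE_NOT_FOUND`, meaning the subkey could not be found.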