[Title] A preliminary reverse engineering of the VBA Backdoor feature of AVPR
[Software] AVPR PRO 1.5
[Description] Advanced VBA Password Recovery is a very fast password-recovery program that can easily recover lost passwords of applications written in Visual Basic; it also works on documents created with Office 97 and Office 2000.
[Download] http://www4.skycn.com/soft/6733.html
[Author] KiLlL[DFCG]
[Date] 2005-08-14 14:33-16:04
[Notice] For technical exchange only!
[Process]
I am a real novice, so please give me plenty of pointers; much of this is guesswork and there are many mistakes, so please correct me.
I don't remember where I dug up a program called AVPR; it seems to be for cracking VBA passwords. I have no use for it, but I noticed a menu command "VBA Backdoor", which lets you view any encrypted VBA code without supplying the password. Selecting it pops up a dialog with the following message:
---------------------------
Warning ! AVPR Pro will now start a document host application.
You cannot use any other AVPR Pro features when this application
is still running. You also cannot close AVPR Pro until closing
a host application.
You will be able to use any password to unlock VBA macros in this document
during this session.
---------------------------
This puzzled me: if it only takes effect for the current process, it surely isn't operating on the VBA file; it must be operating on the file in memory. Out of curiosity, I did a quick analysis.
First, load it in OD, bpx messageboxa, and it breaks:
00408112 |> \51 push ecx ; |Text
00408113 |. E8 083D0D00 call <jmp.&user32.GetFocus> ; |[GetFocus
00408118 |. 50 push eax ; |hOwner
00408119 |. E8 8E3E0D00 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
Scrolling down a little, I saw this:
00408524 |. 52 |push edx ; /Arg1 => 00E33550 ASCII "VBA Memory Patch successfully applied"
00408525 |. E8 06E6FFFF |call avprp.00406B30 ; \avprp.00406B30
0040852A |. 59 |pop ecx
0040852B |. EB 0D |jmp short avprp.0040853A
Good: if the patch succeeds you get the message above, so I guessed the key code lies between the two. Let's take a look:
00408189 |> \68 00010000 |push 100 ; /Arg5 = 00000100; Case 6 of switch 0040814D
0040818E |. 8D85 0CFCFFFF |lea eax,dword ptr ss:[ebp-3F4] ; |
00408194 |. 50 |push eax ; |Arg4
00408195 |. 8B95 1CFDFFFF |mov edx,dword ptr ss:[ebp-2E4] ; |
0040819B |. 52 |push edx ; |Arg3
0040819C |. 8B8D 18FDFFFF |mov ecx,dword ptr ss:[ebp-2E8] ; |
004081A2 |. 51 |push ecx ; |Arg2
004081A3 |. 8B85 6CFFFFFF |mov eax,dword ptr ss:[ebp-94] ; |
004081A9 |. 50 |push eax ; |Arg1
004081AA |. E8 F1030000 |call avprp.004085A0 ; \this reads the file signature
004081AF |. 83C4 14 |add esp,14
004081B2 |. 85C0 |test eax,eax
004081B4 |. 0F84 80030000 |je avprp.0040853A ; did it read the 100 bytes?
004081BA |. 68 28144E00 |push avprp.004E1428 ; ASCII "VBE6.DLL"
Here another marker appears: VBE6.dll. What is this for? I know very little about VBA; I'd guess it's what gets called when a VBA file is opened.
Note that when you open an Office document with protected VBA, this DLL is not necessarily loaded; it is only loaded when you edit or run the code.
The first time I traced this, I didn't step into call avprp.004085A0; the experts all say to trace coarsely first and trace finely once the target is confirmed. To make it clear to everyone, let's step in and have a look.
004085A0 /$ 55 push ebp
004085A1 |. 8BEC mov ebp,esp
004085A3 |. 83C4 E4 add esp,-1C
004085A6 |. 33C0 xor eax,eax
004085A8 |. 53 push ebx
004085A9 |. 56 push esi
004085AA |. 57 push edi
004085AB |. 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
004085AE |. 8B7D 10 mov edi,dword ptr ss:[ebp+10]
004085B1 |. 8B75 08 mov esi,dword ptr ss:[ebp+8]
004085B4 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
004085B7 |. 85DB test ebx,ebx
004085B9 |. 75 07 jnz short avprp.004085C2
004085BB |. 33C0 xor eax,eax
004085BD |. E9 13010000 jmp avprp.004086D5
004085C2 |> 53 push ebx ; /hFile
004085C3 |. E8 FE300D00 call <jmp.&kernel32.GetFileType> ; \GetFileType
004085C8 |. 83F8 01 cmp eax,1
004085CB |. 74 07 je short avprp.004085D4
004085CD |. 33C0 xor eax,eax
004085CF |. E9 01010000 jmp avprp.004086D5
004085D4 |> 6A 00 push 0 ; /Origin = FILE_BEGIN
004085D6 |. 6A 00 push 0 ; |pOffsetHi = NULL
004085D8 |. 6A 00 push 0 ; |OffsetLo = 0
004085DA |. 53 push ebx ; |hFile
004085DB |. E8 84320D00 call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
004085E0 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004085E3 |. 6A 00 push 0 ; /pOverlapped = NULL
004085E5 |. 52 push edx ; |pBytesRead
004085E6 |. 8D4D FE lea ecx,dword ptr ss:[ebp-2] ; |
004085E9 |. 6A 02 push 2 ; |BytesToRead = 2
004085EB |. 51 push ecx ; |Buffer
004085EC |. 53 push ebx ; |hFile
004085ED |. E8 30320D00 call <jmp.&kernel32.ReadFile> ; \ReadFile
004085F2 |. 66:817D FE 4D5A cmp word ptr ss:[ebp-2],5A4D ; read the file header, is it MZ?
004085F8 |. 74 07 je short avprp.00408601
004085FA |. 33C0 xor eax,eax
004085FC |. E9 D4000000 jmp avprp.004086D5
00408601 |> 6A 00 push 0 ; /Origin = FILE_BEGIN
00408603 |. 6A 00 push 0 ; |pOffsetHi = NULL
00408605 |. 6A 3C push 3C ; |OffsetLo = 3C (60.)
00408607 |. 53 push ebx ; |hFile
00408608 |. E8 57320D00 call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
0040860D |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00408610 |. 6A 00 push 0 ; /pOverlapped = NULL
00408612 |. 52 push edx ; |pBytesRead
00408613 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; |
00408616 |. 6A 04 push 4 ; |BytesToRead = 4
00408618 |. 51 push ecx ; |Buffer
00408619 |. 53 push ebx ; |hFile
0040861A |. E8 03320D00 call <jmp.&kernel32.ReadFile> ; \ReadFile
0040861F |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00408621 |. 6A 00 push 0 ; |pOffsetHi = NULL
00408623 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; |
00408626 |. 50 push eax ; |OffsetLo
00408627 |. 53 push ebx ; |hFile
00408628 |. E8 37320D00 call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
0040862D |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00408630 |. 6A 00 push 0 ; /pOverlapped = NULL
00408632 |. 52 push edx ; |pBytesRead
00408633 |. 8D4D F8 lea ecx,dword ptr ss:[ebp-8] ; |
00408636 |. 6A 04 push 4 ; |BytesToRead = 4
00408638 |. 51 push ecx ; |Buffer
00408639 |. 53 push ebx ; |hFile
0040863A |. E8 E3310D00 call <jmp.&kernel32.ReadFile> ; \ReadFile
0040863F |. 817D F8 5045000>cmp dword ptr ss:[ebp-8],4550 ; read the file header, is it PE?
00408646 |. 74 07 je short avprp.0040864F ; if so, begin:
00408648 |. 33C0 xor eax,eax
0040864A |. E9 86000000 jmp avprp.004086D5
0040864F |> 6A 00 push 0 ; /Origin = FILE_BEGIN
00408651 |. 6A 00 push 0 ; |pOffsetHi = NULL
00408653 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00408656 |. 83C2 34 add edx,34 ; |
00408659 |. 52 push edx ; |OffsetLo
0040865A |. 53 push ebx ; |hFile
0040865B |. E8 04320D00 call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00408660 |. 8D4D F4 lea ecx,dword ptr ss:[ebp-C]
00408663 |. 6A 00 push 0 ; /pOverlapped = NULL
00408665 |. 51 push ecx ; |pBytesRead
00408666 |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
00408669 |. 6A 04 push 4 ; |BytesToRead = 4
0040866B |. 50 push eax ; |Buffer
0040866C |. 53 push ebx ; |hFile
0040866D |. E8 B0310D00 call <jmp.&kernel32.ReadFile> ; \ReadFile
00408672 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00408674 |. 6A 00 push 0 ; |pOffsetHi = NULL
00408676 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; |
00408679 |. 83C2 78 add edx,78 ; |
0040867C |. 52 push edx ; |OffsetLo
0040867D |. 53 push ebx ; |hFile
0040867E |. E8 E1310D00 call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00408683 |. 8D4D F4 lea ecx,dword ptr ss:[ebp-C]
00408686 |. 6A 00 push 0 ; /pOverlapped = NULL
00408688 |. 51 push ecx ; |pBytesRead
00408689 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; |
0040868C |. 6A 04 push 4 ; |BytesToRead = 4
0040868E |. 50 push eax ; |Buffer
0040868F |. 53 push ebx ; |hFile
00408690 |. E8 8D310D00 call <jmp.&kernel32.ReadFile> ; \ReadFile
00408695 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00408698 |. 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0040869B |. 52 push edx ; /pBytesRead
0040869C |. 6A 04 push 4 ; |BytesToRead = 4
0040869E |. 51 push ecx ; |Buffer
0040869F |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; |
004086A2 |. 03C7 add eax,edi ; |
004086A4 |. 83C0 0C add eax,0C ; |
004086A7 |. 50 push eax ; |pBaseAddress
004086A8 |. 56 push esi ; |hProcess
004086A9 |. E8 7A310D00 call <jmp.&kernel32.ReadProcessMemory> ; \ReadProcessMemory
004086AE |. 68 45144E00 push avprp.004E1445 ; /String2 = ""
004086B3 |. 8B55 14 mov edx,dword ptr ss:[ebp+14] ; |
004086B6 |. 52 push edx ; |String1
004086B7 |. E8 5C320D00 call <jmp.&kernel32.lstrcpyA> ; \lstrcpyA
004086BC |. 8D4D F4 lea ecx,dword ptr ss:[ebp-C]
004086BF |. 51 push ecx ; /pBytesRead
004086C0 |. 8B45 18 mov eax,dword ptr ss:[ebp+18] ; |
004086C3 |. 50 push eax ; |BytesToRead
004086C4 |. 8B55 14 mov edx,dword ptr ss:[ebp+14] ; |
004086C7 |. 52 push edx ; |Buffer
004086C8 |. 037D E4 add edi,dword ptr ss:[ebp-1C] ; |
004086CB |. 57 push edi ; |pBaseAddress
004086CC |. 56 push esi ; |hProcess
004086CD |. E8 56310D00 call <jmp.&kernel32.ReadProcessMemory> ; \ReadProcessMemory
004086D2 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004086D5 |> 5F pop edi
004086D6 |. 5E pop esi
004086D7 |. 5B pop ebx
004086D8 |. 8BE5 mov esp,ebp
004086DA |. 5D pop ebp
004086DB \. C3 retn
This function reads the file header and checks whether it's a PE file, then reads some memory, which seems to be a file name; I don't know what it's for, and novice that I am, I won't dig further.
After returning, let's carry on:
004081AA |. E8 F1030000 |call avprp.004085A0 ; \read some things
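As an added example (not code from the post or from AVPR), here is the header walk of the function at 004085A0 in Python, run against a constructed PE32-shaped buffer with a small callable standing in for ReadProcessMemory: offset 3C is e_lfanew, e_lfanew+34 is ImageBase and e_lfanew+78 is the export directory RVA of a PE32 image, and +0C inside the export directory is the RVA of the module's own name, the string that is later compared with "VBE6.DLL". The base address 65000000 and the buffer layout are constructed for the demo.

```python
"""Added example, not code from the post or from AVPR: the header walk done by
the function at 004085A0, with a constructed PE32-shaped buffer standing in for
VBE6.DLL on disk and a small callable standing in for ReadProcessMemory."""
import struct

PE32_IMAGE_BASE_OFF = 0x34   # e_lfanew + 0x34 = IMAGE_OPTIONAL_HEADER32.ImageBase
PE32_EXPORT_DIR_OFF = 0x78   # e_lfanew + 0x78 = DataDirectory[EXPORT].VirtualAddress
EXPORT_NAME_OFF = 0x0C       # IMAGE_EXPORT_DIRECTORY.Name = RVA of "VBE6.DLL"


def module_name_from_headers(file_bytes, module_base, read_mem, max_len=0x100):
    """Return the module's exported name, or None when the file is not a PE.

    file_bytes : the file on disk (the post fetches it with SetFilePointer/ReadFile)
    module_base: where the module is mapped in the host process (Arg3 in the post)
    read_mem   : read_mem(address, size) -> bytes, the ReadProcessMemory stand-in
    """
    if len(file_bytes) < 0x40 or file_bytes[:2] != b"MZ":        # cmp word ptr,5A4D
        return None
    e_lfanew, = struct.unpack_from("<I", file_bytes, 0x3C)        # read at offset 3C
    if file_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":           # cmp dword ptr,4550
        return None
    # The post reads ImageBase at e_lfanew+34 into [ebp-14] but never uses it.
    _image_base, = struct.unpack_from("<I", file_bytes, e_lfanew + PE32_IMAGE_BASE_OFF)
    export_rva, = struct.unpack_from("<I", file_bytes, e_lfanew + PE32_EXPORT_DIR_OFF)
    # First ReadProcessMemory: 4 bytes at base + export_rva + 0C = Name RVA
    name_rva, = struct.unpack("<I", read_mem(module_base + export_rva + EXPORT_NAME_OFF, 4))
    # Second ReadProcessMemory: up to 0x100 bytes of the name at base + name_rva
    raw = read_mem(module_base + name_rva, max_len)
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def build_test_image(base=0x65000000):
    """Constructed minimal PE32-shaped buffer (sample data, not a real DLL).
    RVAs equal file offsets here, so one buffer serves as file and as memory."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + PE32_IMAGE_BASE_OFF, base)  # ImageBase
    struct.pack_into("<I", img, 0x80 + PE32_EXPORT_DIR_OFF, 0x200) # export dir RVA
    struct.pack_into("<I", img, 0x200 + EXPORT_NAME_OFF, 0x300)    # Name RVA
    img[0x300:0x309] = b"VBE6.DLL\0"
    return bytes(img)


def demo():
    base = 0x65000000   # same pBaseAddress as on the post's stack dump
    image = build_test_image(base)
    read_mem = lambda addr, size: image[addr - base:addr - base + size]
    return module_name_from_headers(image, base, read_mem)


if __name__ == "__main__":
    print(demo())   # VBE6.DLL
```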
004081AF |. 83C4 14 |add esp,14
004081B2 |. 85C0 |test eax,eax
004081B4 |. 0F84 80030000 |je avprp.0040853A ; was it read?
004081BA |. 68 28144E00 |push avprp.004E1428 ; ASCII "VBE6.DLL"
004081BF |. 8D95 0CFCFFFF |lea edx,dword ptr ss:[ebp-3F4]
004081C5 |. 52 |push edx ; /Arg1
004081C6 |. E8 A9B40C00 |call avprp.004D3674 ; \string comparison
004081CB |. 59 |pop ecx
004081CC |. 50 |push eax
004081CD |. E8 EB8A0C00 |call avprp.004D0CBD
004081D2 |. 83C4 08 |add esp,8
004081D5 |. 85C0 |test eax,eax ; comparing again?
004081D7 |. 75 23 |jnz short avprp.004081FC
004081D9 |. 68 31144E00 |push avprp.004E1431 ; ASCII "VBE.DLL"
004081DE |. 8D8D 0CFCFFFF |lea ecx,dword ptr ss:[ebp-3F4]
004081E4 |. 51 |push ecx ; /Arg1
004081E5 |. E8 8AB40C00 |call avprp.004D3674 ; \string comparison
004081EA |. 59 |pop ecx
004081EB |. 50 |push eax
004081EC |. E8 CC8A0C00 |call avprp.004D0CBD
004081F1 |. 83C4 08 |add esp,8
004081F4 |. 85C0 |test eax,eax
004081F6 |. 0F84 3E030000 |je avprp.0040853A
What the above does is check the name of the process after it has started: if it is vbe.dll (note there are two versions, vbe.dll and vbe6.dll; mine is VBE6.DLL), it continues down; otherwise it jumps off to check the next process.
004081FC |> A1 D4114E00 |mov eax,dword ptr ds:[4E11D4]
00408201 |. 8D55 C0 |lea edx,dword ptr ss:[ebp-40]
00408204 |. 8945 C0 |mov dword ptr ss:[ebp-40],eax
00408207 |. A1 D8114E00 |mov eax,dword ptr ds:[4E11D8]
0040820C |. 8945 C4 |mov dword ptr ss:[ebp-3C],eax
0040820F |. 52 |push edx ; /Arg2
00408210 |. 8B8D 18FDFFFF |mov ecx,dword ptr ss:[ebp-2E8] ; |vbe6.dll
00408216 |. 51 |push ecx ; |284
00408217 |. E8 DC0E0000 |call avprp.004090F8 ; \reads vbe6.dll
0040821C |. 83C4 08 |add esp,8
0040821F |. 8BD8 |mov ebx,eax
What exactly does call 004090F8 read? Let's see:
004090F8 /$ 55 push ebp
004090F9 |. 8BEC mov ebp,esp
004090FB |. 83C4 D8 add esp,-28
004090FE |. B9 08000000 mov ecx,8
00409103 |. 53 push ebx
00409104 |. 56 push esi
00409105 |. 57 push edi
00409106 |. 8D7D DC lea edi,dword ptr ss:[ebp-24]
00409109 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
0040910C |. 8B75 0C mov esi,dword ptr ss:[ebp+C]
0040910F |. 56 push esi
00409110 |. BE F4134E00 mov esi,avprp.004E13F4 ; UNICODE "VS_VERSION_INFO"
00409115 |. F3:A5 rep movs dword ptr es:[edi],dword ptr >
00409117 |. 5E pop esi
00409118 |. 6A 00 push 0 ; /pFileSizeHigh = NULL
0040911A |. 53 push ebx ; |hFile
0040911B |. E8 9A250D00 call <jmp.&kernel32.GetFileSize> ; \GetFileSize
00409120 |. 8945 FC mov dword ptr ss:[ebp-4],eax ; get the file size
00409123 |. 837D FC FF cmp dword ptr ss:[ebp-4],-1
00409127 |. 75 07 jnz short avprp.00409130
00409129 |. 33C0 xor eax,eax
0040912B |. E9 B9000000 jmp avprp.004091E9
00409130 |> 6A 00 push 0 ; /MapName = NULL
00409132 |. 6A 00 push 0 ; |MaximumSizeLow = 0
00409134 |. 6A 00 push 0 ; |MaximumSizeHigh = 0
00409136 |. 6A 02 push 2 ; |Protection = PAGE_READONLY
00409138 |. 6A 00 push 0 ; |pSecurity = NULL
0040913A |. 53 push ebx ; |284
0040913B |. E8 A8240D00 call <jmp.&kernel32.CreateFileMappingA>; \CreateFileMappingA
00409140 |. 8945 D8 mov dword ptr ss:[ebp-28],eax ; 288
00409143 |. 837D D8 00 cmp dword ptr ss:[ebp-28],0
00409147 |. 75 07 jnz short avprp.00409150
00409149 |. 33C0 xor eax,eax
0040914B |. E9 99000000 jmp avprp.004091E9
00409150 |> 6A 00 push 0 ; /MapSize = 0
00409152 |. 6A 00 push 0 ; |OffsetLow = 0
00409154 |. 6A 00 push 0 ; |OffsetHigh = 0
00409156 |. 6A 04 push 4 ; |AccessMode = FILE_MAP_READ
00409158 |. 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; |288
0040915B |. 52 push edx ; |hMapObject
0040915C |. E8 A3260D00 call <jmp.&kernel32.MapViewOfFile> ; \MapViewOfFile
00409161 |. 8BF8 mov edi,eax
00409163 |. 85FF test edi,edi
00409165 |. 75 0D jnz short avprp.00409174
00409167 |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0040916A |. 50 push eax ; /hObject
0040916B |. E8 48240D00 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00409170 |. 33C0 xor eax,eax
00409172 |. EB 75 jmp short avprp.004091E9
00409174 |> 33DB xor ebx,ebx
00409176 |. EB 56 jmp short avprp.004091CE
00409178 |> 6A 1E /push 1E ; /Arg3 = 0000001E
0040917A |. 8D45 DC |lea eax,dword ptr ss:[ebp-24] ; |
0040917D |. 50 |push eax ; |Arg2
0040917E |. 8BD3 |mov edx,ebx ; |
00409180 |. 03D7 |add edx,edi ; |
00409182 |. 52 |push edx ; |Arg1
00409183 |. E8 3C7B0C00 |call avprp.004D0CC4 ; \avprp.004D0CC4
00409188 |. 83C4 0C |add esp,0C
0040918B |. 85C0 |test eax,eax
0040918D |. 75 3E |jnz short avprp.004091CD
0040918F |. 6A 08 |push 8
00409191 |. 8D4B 2A |lea ecx,dword ptr ds:[ebx+2A]
00409194 |. 03CF |add ecx,edi
00409196 |. 51 |push ecx
00409197 |. 56 |push esi
00409198 |. E8 6B780C00 |call avprp.004D0A08
0040919D |. 0FB706 |movzx eax,word ptr ds:[esi]
004091A0 |. 0FB756 02 |movzx edx,word ptr ds:[esi+2]
004091A4 |. 03C2 |add eax,edx
004091A6 |. 83C4 0C |add esp,0C
004091A9 |. 0FB74E 04 |movzx ecx,word ptr ds:[esi+4]
004091AD |. 0FB756 06 |movzx edx,word ptr ds:[esi+6]
004091B1 |. 03C1 |add eax,ecx
004091B3 |. 03C2 |add eax,edx
004091B5 |. 85C0 |test eax,eax
004091B7 |. 7E 14 |jle short avprp.004091CD
004091B9 |. 57 |push edi ; /BaseAddress
004091BA |. E8 0B270D00 |call <jmp.&kernel32.UnmapViewOfFile> ; \UnmapViewOfFile
004091BF |. 8B45 D8 |mov eax,dword ptr ss:[ebp-28]
004091C2 |. 50 |push eax ; /hObject
004091C3 |. E8 F0230D00 |call <jmp.&kernel32.CloseHandle> ; \CloseHandle
004091C8 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004091CB |. EB 1C |jmp short avprp.004091E9
004091CD |> 43 |inc ebx
004091CE |> 8B55 FC mov edx,dword ptr ss:[ebp-4] ; file size 26300
004091D1 |. 83EA 1E |sub edx,1E
004091D4 |. 3BDA |cmp ebx,edx
004091D6 |.^ 72 A0 \jb short avprp.00409178
004091D8 |. 57 push edi ; /BaseAddress
004091D9 |. E8 EC260D00 call <jmp.&kernel32.UnmapViewOfFile> ; \UnmapViewOfFile
004091DE |. 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
004091E1 |. 51 push ecx ; /hObject
004091E2 |. E8 D1230D00 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
004091E7 |. 33C0 xor eax,eax
004091E9 |> 5F pop edi
004091EA |. 5E pop esi
004091EB |. 5B pop ebx
004091EC |. 8BE5 mov esp,ebp
004091EE |. 5D pop ebp
004091EF \. C3 retn
I don't understand much of this section; in short, it reads the file version and size, or so I think.
OK, once that has been read, what happens next? Continuing from above:
00408217 |. E8 DC0E0000 |call avprp.004090F8 ; \read version and size
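As an added example (not from the post or from AVPR), the scan that 004090F8 performs on the mapped file, in Python on a constructed buffer: it looks for the UTF-16 key "VS_VERSION_INFO", copies the 8 bytes at +2A (dwFileVersionMS and dwFileVersionLS of VS_FIXEDFILEINFO) into the caller's buffer, skips an all-zero hit, and returns the file size; the four words are then formatted in the order the caller's wsprintfA uses, which is why [ebp-3E] is compared with the major version 6 in the checks that follow. The version values and buffer layout are constructed sample data.

```python
"""Added example, not code from the post or from AVPR: the VS_VERSION_INFO scan
performed by the function at 004090F8 and the formatting done by its caller,
run on a constructed buffer instead of a mapped VBE6.DLL."""
import struct

VS_KEY = "VS_VERSION_INFO".encode("utf-16-le")   # 0x1E bytes, the compare length used
FILE_VERSION_OFF = 0x2A   # key start + 2A = VS_FIXEDFILEINFO.dwFileVersionMS (8 bytes)


def scan_file_version(data):
    """Mirror 004090F8: return (file_size, four 16-bit words) or None.

    Scans every offset below size-1E for the UTF-16 key, copies the 8 bytes at
    +2A, and accepts them only when the four words do not sum to zero."""
    size = len(data)
    for pos in range(0, size - len(VS_KEY)):
        if data[pos:pos + len(VS_KEY)] != VS_KEY:
            continue
        if pos + FILE_VERSION_OFF + 8 > size:      # bounds guard the post's code lacks
            break
        words = struct.unpack_from("<4H", data, pos + FILE_VERSION_OFF)
        if sum(words) > 0:                          # jle at 004091B7: all-zero -> keep scanning
            return size, words
    return None


def format_version(words):
    """The caller's wsprintfA("%d.%d.%d.%d", [ebp-3E], [ebp-40], [ebp-3A], [ebp-3C]).

    words[0..3] are the buffer at [ebp-40], [ebp-3E], [ebp-3C], [ebp-3A]: the
    low/high words of dwFileVersionMS (minor, major) and of dwFileVersionLS
    (revision, build), so the string reads major.minor.build.revision."""
    w0, w1, w2, w3 = words
    return "%d.%d.%d.%d" % (w1, w0, w3, w2)


def build_version_block(major, minor, build, revision):
    """Constructed VS_VERSIONINFO header plus VS_FIXEDFILEINFO (sample data)."""
    fixed = struct.pack("<IIII", 0xFEEF04BD, 0x00010000,
                        (major << 16) | minor, (build << 16) | revision)
    head = struct.pack("<HHH", 0, len(fixed), 0)    # wLength, wValueLength, wType
    key = VS_KEY + b"\0\0" + b"\0\0"                # szKey, terminator, 32-bit padding
    return head + key + fixed                       # fixed at key+22, version words at key+2A


def demo():
    # Constructed: a decoy block whose version words are all zero (skipped),
    # then a block carrying 6.4.99.69, the version the post saw for VBE6.DLL.
    data = (b"\0" * 0x100 + build_version_block(0, 0, 0, 0)
            + b"\0" * 0x40 + build_version_block(6, 4, 99, 69) + b"\0" * 0x100)
    found = scan_file_version(data)
    return found[0], format_version(found[1])


if __name__ == "__main__":
    print(demo())   # (688, '6.4.99.69')
```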
0040821C |. 83C4 08 |add esp,8
0040821F |. 8BD8 |mov ebx,eax ; this is the file size
00408221 |. 85DB |test ebx,ebx
00408223 |. 0F84 D8000000 |je avprp.00408301
00408229 |. 0FB745 C4 |movzx eax,word ptr ss:[ebp-3C] ; this is the version number
0040822D |. 50 |push eax ; /<%d>
0040822E |. 0FB755 C6 |movzx edx,word ptr ss:[ebp-3A] ; |
00408232 |. 52 |push edx ; |<%d>
00408233 |. 8D95 ECFBFFFF |lea edx,dword ptr ss:[ebp-414] ; |
00408239 |. 0FB74D C0 |movzx ecx,word ptr ss:[ebp-40] ; |
0040823D |. 51 |push ecx ; |<%d>
0040823E |. 0FB745 C2 |movzx eax,word ptr ss:[ebp-3E] ; |
00408242 |. 50 |push eax ; |<%d>
00408243 |. 68 39144E00 |push avprp.004E1439 ; |Format = "%d.%d.%d.%d"
00408248 |. 52 |push edx ; |s
00408249 |. E8 D23E0D00 |call <jmp.&user32.wsprintfA> ; \wsprintfA formats it here
0040824E |. 66:C745 DC 0800 |mov word ptr ss:[ebp-24],8
00408254 |. 83C4 18 |add esp,18
00408257 |. 8D95 ECFBFFFF |lea edx,dword ptr ss:[ebp-414] ; the version on my machine: 6.4.99.69
0040825D |. 8D45 FC |lea eax,dword ptr ss:[ebp-4]
00408260 |. E8 332D0D00 |call avprp.004DAF98
00408265 |. FF45 E8 |inc dword ptr ss:[ebp-18]
00408268 |. 8BD0 |mov edx,eax
0040826A |. 33C0 |xor eax,eax
0040826C |. 8D4D F8 |lea ecx,dword ptr ss:[ebp-8]
0040826F |. 8945 F8 |mov dword ptr ss:[ebp-8],eax
00408272 |. B8 64E54D00 |mov eax,avprp.004DE564
00408277 |. FF45 E8 |inc dword ptr ss:[ebp-18]
0040827A |. E8 152E0D00 |call avprp.004DB094
0040827F |. 8D55 F8 |lea edx,dword ptr ss:[ebp-8]
00408282 |. 8B0A |mov ecx,dword ptr ds:[edx]
00408284 |. 51 |push ecx ; /"VBA DLL version: 6.4.99.69"
00408285 |. E8 A6E8FFFF |call avprp.00406B30 ; \avprp.00406B30 this is the output
0040828A |. 59 |pop ecx
At this point I should say that my machine dies as soon as it runs to here; later, while tracing, I always skipped over it. To make the writeup more detailed, let's step in and see what it does.
00406B30 /$ 55 push ebp
00406B31 |. 8BEC mov ebp,esp
00406B33 |. 83C4 DC add esp,-24
00406B36 |. B8 A80A4E00 mov eax,avprp.004E0AA8
00406B3B |. E8 4CA30C00 call avprp.004D0E8C
00406B40 |. C745 F8 0100000>mov dword ptr ss:[ebp-8],1
00406B47 |. 8D55 08 lea edx,dword ptr ss:[ebp+8]
00406B4A |. 8D45 08 lea eax,dword ptr ss:[ebp+8]
00406B4D |. E8 7E440D00 call avprp.004DAFD0
00406B52 |. FF45 F8 inc dword ptr ss:[ebp-8]
00406B55 |. 66:C745 EC 0800 mov word ptr ss:[ebp-14],8
00406B5B |. 837D 08 00 cmp dword ptr ss:[ebp+8],0
00406B5F |. 74 05 je short avprp.00406B66
00406B61 |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
00406B64 |. EB 05 jmp short avprp.00406B6B
00406B66 |> BA F0074E00 mov edx,avprp.004E07F0 ;"VBA DLL version: 6.4.99.69"
00406B6B |> 52 push edx ; /lParam
00406B6C |. 6A 00 push 0 ; |wParam = 0
00406B6E |. 68 92810000 push 8192 ; |Message = MSG (8192)
00406B73 |. A1 087E4E00 mov eax,dword ptr ds:[4E7E08] ; |
00406B78 |. 50 push eax ; |hWnd => 2A0296
00406B79 |. E8 AC540D00 call <jmp.&user32.SendMessageA> ; \SendMessageA
00406B7E |. FF4D F8 dec dword ptr ss:[ebp-8]
00406B81 |. 8D45 08 lea eax,dword ptr ss:[ebp+8]
00406B84 |. BA 02000000 mov edx,2
00406B89 |. E8 C2440D00 call avprp.004DB050
00406B8E |. 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00406B91 |. 64:890D 0000000>mov dword ptr fs:[0],ecx
00406B98 |. 8BE5 mov esp,ebp
00406B9A |. 5D pop ebp
00406B9B \. C3 retn
Judging from the program's behaviour, this sends the message to the text of the main window, but in OD it dies as soon as it reaches here, so I backed out.
This time, remember to nop out the call avprp.00406B30; otherwise, start over.
00408284 |. 51 |push ecx ; /"VBA DLL version: 6.4.99.69"
00408285 |. E8 A6E8FFFF |call avprp.00406B30 ; \avprp.00406B30 this is the output
0040828A |. 59 |pop ecx
0040828B |. FF4D E8 |dec dword ptr ss:[ebp-18]
0040828E |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00408291 |. BA 02000000 |mov edx,2
00408296 |. E8 B52D0D00 |call avprp.004DB050
0040829B |. FF4D E8 |dec dword ptr ss:[ebp-18]
0040829E |. 8D45 FC |lea eax,dword ptr ss:[ebp-4]
004082A1 |. BA 02000000 |mov edx,2
004082A6 |. E8 A52D0D00 |call avprp.004DB050
004082AB |. 66:C745 DC 1400 |mov word ptr ss:[ebp-24],14
004082B1 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
004082B4 |. 8BD3 |mov edx,ebx
004082B6 |. E8 512D0D00 |call avprp.004DB00C ; a conversion function
004082BB |. FF45 E8 |inc dword ptr ss:[ebp-18]
004082BE |. 8BD0 |mov edx,eax
004082C0 |. 33C0 |xor eax,eax
004082C2 |. 8D4D F0 |lea ecx,dword ptr ss:[ebp-10] ; converted the file size 2052656
004082C5 |. 8945 F0 |mov dword ptr ss:[ebp-10],eax
004082C8 |. B8 68E54D00 |mov eax,avprp.004DE568
004082CD |. FF45 E8 |inc dword ptr ss:[ebp-18]
004082D0 |. E8 BF2D0D00 |call avprp.004DB094 ; size
004082D5 |. 8D55 F0 |lea edx,dword ptr ss:[ebp-10]
004082D8 |. 8B0A |mov ecx,dword ptr ds:[edx]
004082DA |. 51 |push ecx ; /"VBA DLL size: 2502656"
004082DB |. E8 50E8FFFF |call avprp.00406B30 ; \remember to nop this
004082E0 |. 59 |pop ecx
004082E1 |. FF4D E8 |dec dword ptr ss:[ebp-18]
004082E4 |. 8D45 F0 |lea eax,dword ptr ss:[ebp-10]
004082E7 |. BA 02000000 |mov edx,2
004082EC |. E8 5F2D0D00 |call avprp.004DB050
004082F1 |. FF4D E8 |dec dword ptr ss:[ebp-18]
004082F4 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
004082F7 |. BA 02000000 |mov edx,2
004082FC |. E8 4F2D0D00 |call avprp.004DB050
00408301 |> 81FB 00302600 |cmp ebx,263000 ; compare the file size
Once the output is done, what next? Having obtained VBE6.dll's version and size, the next step is obviously the check:
00408301 |> \81FB 00302600 |cmp ebx,263000 ; compare whether the file size is correct.
00408307 |. 75 39 |jnz short avprp.00408342
00408309 |. 66:837D C2 06 |cmp word ptr ss:[ebp-3E],6 ; now compare the version number
0040830E |. 75 32 |jnz short avprp.00408342
00408310 |. 66:837D C0 00 |cmp word ptr ss:[ebp-40],0 ; mine is 6.4.99.69, it jumps here
00408315 |. 75 2B |jnz short avprp.00408342
00408317 |. 66:837D C6 54 |cmp word ptr ss:[ebp-3A],54
0040831C |. 75 24 |jnz short avprp.00408342
0040831E |. 66:837D C4 23 |cmp word ptr ss:[ebp-3C],23
00408323 |. 75 1D |jnz short avprp.00408342
00408325 |. 8B8D 1CFDFFFF |mov ecx,dword ptr ss:[ebp-2E4]
0040832B |. 51 |push ecx ; /Arg2
0040832C |. 8B85 6CFFFFFF |mov eax,dword ptr ss:[ebp-94] ; |
00408332 |. 50 |push eax ; |Arg1
00408333 |. E8 CC040000 |call avprp.00408804 ; \avprp.00408804
00408338 |. 83C4 08 |add esp,8
0040833B |. 8BF8 |mov edi,eax
0040833D |. E9 D3010000 |jmp avprp.00408515
00408342 |> 81FB 00202600 |cmp ebx,262000 ; jumped here, compare the file size again. Fine, jump
00408348 |. 75 39 |jnz short avprp.00408383
0040834A |. 66:837D C2 06 |cmp word ptr ss:[ebp-3E],6
0040834F |. 75 32 |jnz short avprp.00408383
00408351 |. 66:837D C0 00 |cmp word ptr ss:[ebp-40],0
00408356 |. 75 2B |jnz short avprp.00408383
00408358 |. 66:837D C6 57 |cmp word ptr ss:[ebp-3A],57
0040835D |. 75 24 |jnz short avprp.00408383
0040835F |. 66:837D C4 0E |cmp word ptr ss:[ebp-3C],0E
00408364 |. 75 1D |jnz short avprp.00408383
00408366 |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4]
0040836C |. 50 |push eax ; /Arg2
0040836D |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
00408373 |. 52 |push edx ; |Arg1
00408374 |. E8 B3050000 |call avprp.0040892C ; \avprp.0040892C
00408379 |. 83C4 08 |add esp,8
0040837C |. 8BF8 |mov edi,eax
0040837E |. E9 92010000 |jmp avprp.00408515
00408383 |> 81FB 00202600 |cmp ebx,262000 ; jumped here, compare and then jump again
00408389 |. 75 39 |jnz short avprp.004083C4
0040838B |. 66:837D C2 06 |cmp word ptr ss:[ebp-3E],6
00408390 |. 75 32 |jnz short avprp.004083C4
00408392 |. 66:837D C0 00 |cmp word ptr ss:[ebp-40],0
00408397 |. 75 2B |jnz short avprp.004083C4
00408399 |. 66:837D C6 59 |cmp word ptr ss:[ebp-3A],59
0040839E |. 75 24 |jnz short avprp.004083C4
004083A0 |. 66:837D C4 43 |cmp word ptr ss:[ebp-3C],43
004083A5 |. 75 1D |jnz short avprp.004083C4
004083A7 |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4]
004083AD |. 50 |push eax ; /Arg2
004083AE |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
004083B4 |. 52 |push edx ; |Arg1
004083B5 |. E8 9A060000 |call avprp.00408A54 ; \avprp.00408A54
004083BA |. 83C4 08 |add esp,8
004083BD |. 8BF8 |mov edi,eax
004083BF |. E9 51010000 |jmp avprp.00408515
004083C4 |> 81FB 00202600 |cmp ebx,262000 ; jumped here
004083CA |. 75 39 |jnz short avprp.00408405
004083CC |. 66:837D C2 06 |cmp word ptr ss:[ebp-3E],6
004083D1 |. 75 32 |jnz short avprp.00408405
004083D3 |. 66:837D C0 03 |cmp word ptr ss:[ebp-40],3
004083D8 |. 75 2B |jnz short avprp.00408405
004083DA |. 66:837D C6 5B |cmp word ptr ss:[ebp-3A],5B
004083DF |. 75 24 |jnz short avprp.00408405
004083E1 |. 66:837D C4 08 |cmp word ptr ss:[ebp-3C],8
004083E6 |. 75 1D |jnz short avprp.00408405
004083E8 |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4]
004083EE |. 50 |push eax ; /Arg2
004083EF |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
004083F5 |. 52 |push edx ; |Arg1
004083F6 |. E8 81070000 |call avprp.00408B7C ; \avprp.00408B7C
004083FB |. 83C4 08 |add esp,8
004083FE |. 8BF8 |mov edi,eax
00408400 |. E9 10010000 |jmp avprp.00408515
00408405 |> 81FB 10692400 |cmp ebx,246910 ; jumped here, size differs, jump
0040840B |. 75 39 |jnz short avprp.00408446
0040840D |. 66:837D C2 06 |cmp word ptr ss:[ebp-3E],6
00408412 |. 75 32 |jnz short avprp.00408446
00408414 |. 66:837D C0 04 |cmp word ptr ss:[ebp-40],4
00408419 |. 75 2B |jnz short avprp.00408446
0040841B |. 66:837D C6 61 |cmp word ptr ss:[ebp-3A],61
00408420 |. 75 24 |jnz short avprp.00408446
00408422 |. 66:837D C4 3B |cmp word ptr ss:[ebp-3C],3B
00408427 |. 75 1D |jnz short avprp.00408446
00408429 |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4]
0040842F |. 50 |push eax ; /Arg2
00408430 |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
00408436 |. 52 |push edx ; |Arg1
00408437 |. E8 A0020000 |call avprp.004086DC ; \avprp.004086DC
0040843C |. 83C4 08 |add esp,8
0040843F |. 8BF8 |mov edi,eax
00408441 |. E9 CF000000 |jmp avprp.00408515
00408446 |> 81FB 10630B00 |cmp ebx,0B6310 ; jump.
0040844C |. 75 39 |jnz short avprp.00408487
0040844E |. 66:837D C2 05 |cmp word ptr ss:[ebp-3E],5
00408453 |. 75 32 |jnz short avprp.00408487
00408455 |. 66:837D C0 00 |cmp word ptr ss:[ebp-40],0
0040845A |. 75 2B |jnz short avprp.00408487
0040845C |. 66:837D C6 29 |cmp word ptr ss:[ebp-3A],29
00408461 |. 75 24 |jnz short avprp.00408487
00408463 |. 66:837D C4 15 |cmp word ptr ss:[ebp-3C],15
00408468 |. 75 1D |jnz short avprp.00408487
0040846A |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4]
00408470 |. 50 |push eax ; /Arg2
00408471 |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
00408477 |. 52 |push edx ; |Arg1
00408478 |. E8 630B0000 |call avprp.00408FE0 ; \avprp.00408FE0
0040847D |. 83C4 08 |add esp,8
00408480 |. 8BF8 |mov edi,eax
00408482 |. E9 8E000000 |jmp avprp.00408515
00408487 |> 81FB 105F0B00 |cmp ebx,0B5F10 ; jump
0040848D |. 75 36 |jnz short avprp.004084C5
0040848F |. 66:837D C2 05 |cmp word ptr ss:[ebp-3E],5
00408494 |. 75 2F |jnz short avprp.004084C5
00408496 |. 66:837D C0 00 |cmp word ptr ss:[ebp-40],0
0040849B |. 75 28 |jnz short avprp.004084C5
0040849D |. 66:837D C6 23 |cmp word ptr ss:[ebp-3A],23
004084A2 |. 75 21 |jnz short avprp.004084C5
004084A4 |. 66:837D C4 08 |cmp word ptr ss:[ebp-3C],8
004084A9 |. 75 1A |jnz short avprp.004084C5
004084AB |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4]
004084B1 |. 50 |push eax ; /Arg2
004084B2 |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
004084B8 |. 52 |push edx ; |Arg1
004084B9 |. E8 AE0B0000 |call avprp.0040906C ; \avprp.0040906C
004084BE |. 83C4 08 |add esp,8
004084C1 |. 8BF8 |mov edi,eax
004084C3 |. EB 50 |jmp short avprp.00408515
004084C5 |> \66:837D C2 06 |cmp word ptr ss:[ebp-3E],6 ; jumped here and stopped. Gets the version number
004084CA |. 75 1B |jnz short avprp.004084E7
004084CC |. 53 |push ebx ; /file size 263000
004084CD |. 8B85 1CFDFFFF |mov eax,dword ptr ss:[ebp-2E4] ; |Stack ss:[0167FCD4]=65000000
004084D3 |. 50 |push eax ; |Arg2
004084D4 |. 8B95 6CFFFFFF |mov edx,dword ptr ss:[ebp-94] ; |
004084DA |. 52 |push edx ; |Arg1
004084DB |. E8 60080000 |call avprp.00408D40 ; \the key function.
004084E0 |. 83C4 0C |add esp,0C
004084E3 |. 8BF8 |mov edi,eax
After all that jumping, my guess is that it's checking the different versions and comparing the file sizes. Ta-da, at last we reach the most critical part; everyone, please look at call 408D40
==================================================================================================
Key function:
00408D40 /$ 55 push ebp
00408D41 |. 8BEC mov ebp,esp
00408D43 |. 83C4 BC add esp,-44
00408D46 |. 33C0 xor eax,eax
00408D48 |. 33D2 xor edx,edx
00408D4A |. B9 04000000 mov ecx,4
00408D4F |. 53 push ebx
00408D50 |. 56 push esi
00408D51 |. 57 push edi
00408D52 |. BE 76134E00 mov esi,avprp.004E1376
00408D57 |. 8B7D 10 mov edi,dword ptr ss:[ebp+10] ; file size 263000
00408D5A |. 8945 FC mov dword ptr ss:[ebp-4],eax
00408D5D |. 8955 F8 mov dword ptr ss:[ebp-8],edx
00408D60 |. 57 push edi
00408D61 |. 8D7D D8 lea edi,dword ptr ss:[ebp-28]
00408D64 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; 6a50cc75
00408D66 |. 5F pop edi
00408D67 |. B9 06000000 mov ecx,6
00408D6C |. 57 push edi
00408D6D |. 8D7D BC lea edi,dword ptr ss:[ebp-44]
00408D70 |. BE 86134E00 mov esi,avprp.004E1386
00408D75 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
00408D77 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi] ; here hides the secret: 9090909090 EB
00408D78 |. 5F pop edi
00408D79 |. A0 9F134E00 mov al,byte ptr ds:[4E139F] ; EB
00408D7E |. 8B15 A0134E00 mov edx,dword ptr ds:[4E13A0] ; 90909090
00408D84 |. 8845 EF mov byte ptr ss:[ebp-11],al ; EB
00408D87 |. 8955 E8 mov dword ptr ss:[ebp-18],edx
00408D8A |. 66:8B15 A4134E0>mov dx,word ptr ds:[4E13A4] ; 9090
Notice anything? 9090909090 EB. If you're sharp, you already know what it's going to do, don't you?
00408D79 |. A0 9F134E00 mov al,byte ptr ds:[4E139F] ; EB
00408D7E |. 8B15 A0134E00 mov edx,dword ptr ds:[4E13A0] ; 90909090
00408D84 |. 8845 EF mov byte ptr ss:[ebp-11],al ; EB
00408D87 |. 8955 E8 mov dword ptr ss:[ebp-18],edx
00408D8A |. 66:8B15 A4134E0>mov dx,word ptr ds:[4E13A4] ; 9090
00408D91 |. 66:8955 EC mov word ptr ss:[ebp-14],dx
00408D95 |. 57 push edi ; /MemSize
00408D96 |. 6A 40 push 40 ; |Flags = GPTR
00408D98 |. E8 DD290D00 call <jmp.&kernel32.GlobalAlloc> ; \GlobalAlloc
00408D9D |. 8BF0 mov esi,eax
00408D9F |. 6A 00 push 0 ; /pBytesRead = NULL
00408DA1 |. 57 push edi ; |BytesToRead
00408DA2 |. 56 push esi ; |Buffer
00408DA3 |. 8B45 0C mov eax,dword ptr ss:[ebp+C] ; |65000000
00408DA6 |. 50 push eax ; |pBaseAddress
00408DA7 |. 8B55 08 mov edx,dword ptr ss:[ebp+8] ; |
00408DAA |. 52 push edx ; |hProcess
00408DAB |. E8 782A0D00 call <jmp.&kernel32.ReadProcessMemory> ; \ReadProcessMemory
00408DB0 |. 85C0 test eax,eax
Stack contents:
023BFB20 00000274 |hProcess = 00000274 (window)
023BFB24 65000000 |pBaseAddress = 65000000
023BFB28 023C0020 |Buffer = 023C0020
023BFB2C 00263000 |BytesToRead = 263000 (2502656.)
023BFB30 00000000 \pBytesRead = NULL
Let's see what was read this time: D 23c0020. Remarkable: it turns out the entire DLL was read into memory.
The post is too long; continued in the next post ->