1. 闲来无事做了一下160个crackme,因为是VB程序,所以将得到的一点心得记录如下(以下为在OD中加载后添加的注释)

     00401ED7   .                     push eax                                                 ;  Andréna.004018A8
    00401ED8 . FF15 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; msvbvm50.__vbaHresultCheckObj
    00401EDE > 8B45 A8 mov eax,dword ptr ss:[ebp-0x58] ; eax=0012f488=00ed28ec='12345678'
    00401EE1 . A8 mov dword ptr ss:[ebp-0x58],esi ; esi='12345678'
    00401EE4 . 8B35 F8404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>] ; msvbvm50.__vbaVarMove
    00401EEA . 8D55 lea edx,dword ptr ss:[ebp-0x6C] ; edx=0012f474
    00401EED . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; ecx=0012f49c
    00401EF0 . 9C mov dword ptr ss:[ebp-0x64],eax ; 0012f47c=00ed28ec
    00401EF3 . C745 mov dword ptr ss:[ebp-0x6C],0x8 ; 0012f474=8
    00401EFA . FFD6 call esi ; <&MSVBVM50.__vbaVarMove>
    00401EFC . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C] ; 上述函数交换了ecx和eax ecx=0012f484=00ed28ec='12345678'
    00401EFF . FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; msvbvm50.__vbaFreeObj
    00401F05 . B9 mov ecx,0x2 ; ecx=2
    00401F0A . B8 mov eax,0x1 ; eax=1
    00401F0F . 898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx ; 0012f434=2
    00401F15 . 898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx ; 0012f424=2
    00401F1B . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC] ; ecx=0012f434
    00401F21 . 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax ; 0012f43c=1
    00401F27 . 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax ; 0012f42c=1
    00401F2D . 8D55 BC lea edx,dword ptr ss:[ebp-0x44] ; edx=0012f49c
    00401F30 . push ecx
    00401F31 . 8D45 lea eax,dword ptr ss:[ebp-0x6C] ; eax=0012f474
    00401F34 . push edx
    00401F35 . push eax ; 参数1: 8 参数2: 0012f49c(00000080)
    00401F36 . FF15 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; msvbvm50.__vbaLenVar
    00401F3C . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; ecx=0012f424(上述函数的返回值为ecx)
    00401F42 . push eax ; Andréna.004018A8
    00401F43 . 8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-0x114]
    00401F49 . push ecx
    00401F4A . 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104] ; eax=0012f3dc
    00401F50 . push edx
    00401F51 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24] ; ecx=0012F4bc
    00401F54 . push eax ; Andréna.004018A8
    00401F55 . push ecx ; 参数1:0 参数2:0 参数3:0 参数4:2 参数5:03 参数6:2
    00401F56 . FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>] ; msvbvm50.__vbaVarForInit
    00401F5C . 8B1D mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarCat>] ; msvbvm50.__vbaVarCat
    00401F62 . 8B3D mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; msvbvm50.__vbaFreeVarList
    00401F68 > 85C0 test eax,eax ; eax=1,ecx=3,edx=9
    00401F6A . 0F84 BB000000 je Andréna.0040202B
    00401F70 . 8D55 lea edx,dword ptr ss:[ebp-0x6C] ; edx=0012f474
    00401F73 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; eax=0012f4bc
    00401F76 . push edx
    00401F77 . push eax ; Andréna.004018A8
    00401F78 . C745 9C mov dword ptr ss:[ebp-0x64],0x1 ; 0012f47c=1
    00401F7F . C745 mov dword ptr ss:[ebp-0x6C],0x2 ; 0012f474=2
    00401F86 . FF15 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ; msvbvm50.__vbaI4Var
    00401F8C . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; ecx=0012f49c
    00401F8F . push eax ; eax=1
    00401F90 . 8D55 lea edx,dword ptr ss:[ebp-0x7C] ; edx=0012f4bc
    00401F93 . push ecx
    00401F94 . push edx ; 参数1:0 参数2:8 参数3:1 参数4:2
    00401F95 . FF15 call dword ptr ds:[<&MSVBVM50.#>] ; msvbvm50.rtcMidCharVar
    00401F9B . 8D45 lea eax,dword ptr ss:[ebp-0x7C] ; eax=0012f464
    00401F9E . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; ecx=0012f488
    00401FA1 . push eax ; Andréna.004018A8
    00401FA2 . push ecx ; 参数1:0 参数2:(0012f0008)0
    00401FA3 . FF15 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ; msvbvm50.__vbaStrVarVal
    00401FA9 . push eax ; eax=00f556fc='1'(下列函数eax)
    00401FAA . FF15 call dword ptr ds:[<&MSVBVM50.#>] ; msvbvm50.rtcAnsiValueBstr
    00401FB0 . : 0A00 add ax,0xA ; ax+=0xA
    00401FB4 . 0F80 B0020000 jo Andréna.0040226A
    00401FBA . 0FBFD0 movsx edx,ax ; edx=00f556fe,ax=003B
    00401FBD . push edx ; 参数1:0x3b 参数2:(0012f4ec->0012f4fc)
    00401FBE . FF15 call dword ptr ds:[<&MSVBVM50.#>] ; msvbvm50.rtcBstrFromAnsi
    00401FC4 . 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax ; 0012f45c=00f4d41c=';'
    00401FCA . 8D45 CC lea eax,dword ptr ss:[ebp-0x34] ; eax=0012f4ac
    00401FCD . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] ; ecx=0012f454
    00401FD3 . push eax ; Andréna.004018A8
    00401FD4 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C] ; edx=0012f444
    00401FDA . push ecx
    00401FDB . push edx
    00401FDC . C785 74FFFFFF >mov dword ptr ss:[ebp-0x8C],0x8 ; 0012f454=8
    00401FE6 . FFD3 call ebx
    00401FE8 . 8BD0 mov edx,eax ; eax=0012f444
    00401FEA . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] ; ecx=0012f4ac
    00401FED . FFD6 call esi
    00401FEF . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; ecx=0012f488
    00401FF2 . FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; msvbvm50.__vbaFreeStr
    00401FF8 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
    00401FFE . 8D4D lea ecx,dword ptr ss:[ebp-0x7C]
    . push eax ; Andréna.004018A8
    . 8D55 lea edx,dword ptr ss:[ebp-0x6C]
    . push ecx
    . push edx
    . 6A push 0x3
    . FFD7 call edi
    0040200B . 83C4 add esp,0x10
    0040200E . 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
    . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
    0040201A . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
    0040201D . push eax ; Andréna.004018A8
    0040201E . push ecx
    0040201F . push edx
    . FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>] ; msvbvm50.__vbaVarForNext
    .^ E9 3DFFFFFF jmp Andréna.00401F68
    0040202B > 8D45 CC lea eax,dword ptr ss:[ebp-0x34] ; eax=0012f4ac
    0040202E . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC] ; ecx=0012f434
    . push eax ; Andréna.004018A8
    . push ecx
    . C785 5CFFFFFF 8C1A40>mov dword ptr ss:[ebp-0xA4],Andréna.00401A8C ; UNICODE "kXy^rO|*yXo*m\kMuOn*+"
    . C785 54FFFFFF >mov dword ptr ss:[ebp-0xAC],0x8008 ; 0012f434=0x8008
    0040204A . FF15 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ; msvbvm50.__vbaVarTstEq
    . :85C0 test ax,ax
    . 0F84 C0000000 je Andréna.
    . FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#>] ; msvbvm50.rtcBeep
    0040205F . 8B1D mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ; msvbvm50.__vbaVarDup
    . B9 0A000000 mov ecx,0xA

     在分析VB程序的时候应该具体地了解各处地址调用,善于追根溯源,从栈地址追踪到具体的内容(data),并弄清楚每个函数的参数。例如上面的循环对输入的每个字符先取ASCII值(rtcAnsiValueBstr),加上0xA后再转回字符(rtcBstrFromAnsi)并拼接(__vbaVarCat),循环结束后用__vbaVarTstEq与常量字符串比较。
