- 闲来无事做了一下160个crackme,因为是VB程序,所以将得到的一点心得记录如下(OD加载注释)
; OllyDbg listing of the serial-check loop (author's trace; test input '12345678').
; Columns: listing line, address, flag ('>' = jump target, '^' = backward jump),
; opcode bytes, instruction, trace comment (register/memory values observed in the debugger).
; Overview, taken from the instructions below: the loop body does Asc(char) + 0xA -> Chr$()
; (00401FAA..00401FBE) and appends the result with __vbaVarCat (00401FE6); after the loop
; the accumulated string is compared with the hard-coded UNICODE constant at 00401A8C via
; __vbaVarTstEq (0040204A), and a match runs rtcBeep (00402059). The transform is fixed and
; the expected value is a static string inside the binary, so the check is only an
; equality test against a constant.
1 00401ED7 . 50 push eax ; Andréna.004018A8
2 00401ED8 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; msvbvm50.__vbaHresultCheckObj
3 00401EDE > 8B45 A8 mov eax,dword ptr ss:[ebp-0x58] ; eax=0012f488=00ed28ec='12345678' ; the input string (BSTR) read from the local at [ebp-0x58]
4 00401EE1 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi ; esi='12345678'
5 00401EE4 . 8B35 F8404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>] ; msvbvm50.__vbaVarMove ; esi holds __vbaVarMove for the rest of the block ("call esi" below)
6 00401EEA . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] ; edx=0012f474
7 00401EED . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; ecx=0012f49c
8 00401EF0 . 8945 9C mov dword ptr ss:[ebp-0x64],eax ; 0012f47c=00ed28ec ; variant data field at [ebp-0x6C]+8 = pointer to the input BSTR
9 00401EF3 . C745 94 08000000 mov dword ptr ss:[ebp-0x6C],0x8 ; 0012f474=8 ; variant vt field = 8 (VT_BSTR)
10 00401EFA . FFD6 call esi ; <&MSVBVM50.__vbaVarMove> ; move the temp variant [ebp-0x6C] into [ebp-0x44]
11 00401EFC . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C] ; author's note: the call above swapped ecx and eax; ecx=0012f484=00ed28ec='12345678'
12 00401EFF . FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; msvbvm50.__vbaFreeObj
13 00401F05 . B9 02000000 mov ecx,0x2 ; ecx=2
14 00401F0A . B8 01000000 mov eax,0x1 ; eax=1
15 00401F0F . 898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx ; 0012f434=2 ; vt field of the loop-step variant = 2 (VT_I2)
16 00401F15 . 898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx ; 0012f424=2 ; vt field of the loop-start variant = 2 (VT_I2)
17 00401F1B . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC] ; ecx=0012f434
18 00401F21 . 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax ; 0012f43c=1 ; step value = 1
19 00401F27 . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax ; 0012f42c=1 ; start value = 1
20 00401F2D . 8D55 BC lea edx,dword ptr ss:[ebp-0x44] ; edx=0012f49c
21 00401F30 . 51 push ecx
22 00401F31 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; eax=0012f474
23 00401F34 . 52 push edx
24 00401F35 . 50 push eax ; arg1: 8 arg2: 0012f49c(00000080)
25 00401F36 . FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; msvbvm50.__vbaLenVar ; Len(input) -> loop upper bound
26 00401F3C . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; ecx=0012f424 (author's note: the call above returns its result via ecx)
27 00401F42 . 50 push eax ; Andréna.004018A8
28 00401F43 . 8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-0x114]
29 00401F49 . 51 push ecx
30 00401F4A . 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104] ; eax=0012f3dc
31 00401F50 . 52 push edx
32 00401F51 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24] ; ecx=0012F4bc ; [ebp-0x24] = loop counter variant (i)
33 00401F54 . 50 push eax ; Andréna.004018A8
34 00401F55 . 51 push ecx ; arg1:0 arg2:0 arg3:0 arg4:2 arg5:03 arg6:2
35 00401F56 . FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>] ; msvbvm50.__vbaVarForInit ; For i = 1 To Len(input) Step 1
36 00401F5C . 8B1D 68414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarCat>] ; msvbvm50.__vbaVarCat ; ebx = __vbaVarCat ("call ebx" in the loop body)
37 00401F62 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; msvbvm50.__vbaFreeVarList ; edi = __vbaFreeVarList ("call edi" in the loop body)
; ---- loop head: eax is the continue flag from __vbaVarForInit / __vbaVarForNext; zero means the loop is finished ----
38 00401F68 > 85C0 test eax,eax ; eax=1,ecx=3,edx=9
39 00401F6A . 0F84 BB000000 je Andréna.0040202B ; exit loop -> comparison at 0040202B
40 00401F70 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C] ; edx=0012f474
41 00401F73 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24] ; eax=0012f4bc
42 00401F76 . 52 push edx
43 00401F77 . 50 push eax ; Andréna.004018A8
44 00401F78 . C745 9C 01000000 mov dword ptr ss:[ebp-0x64],0x1 ; 0012f47c=1 ; temp variant value = 1 (character count for Mid)
45 00401F7F . C745 94 02000000 mov dword ptr ss:[ebp-0x6C],0x2 ; 0012f474=2 ; temp variant vt = 2 (VT_I2)
46 00401F86 . FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ; msvbvm50.__vbaI4Var ; CLng(i) -> eax
47 00401F8C . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; ecx=0012f49c ; the input string variant
48 00401F8F . 50 push eax ; eax=1 ; start position = i
49 00401F90 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C] ; edx=0012f4bc ; result variant for Mid
50 00401F93 . 51 push ecx
51 00401F94 . 52 push edx ; arg1:0 arg2:8 arg3:1 arg4:2
52 00401F95 . FF15 34414000 call dword ptr ds:[<&MSVBVM50.#632>] ; msvbvm50.rtcMidCharVar ; Mid(input, i, 1) -> one character
53 00401F9B . 8D45 84 lea eax,dword ptr ss:[ebp-0x7C] ; eax=0012f464
54 00401F9E . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; ecx=0012f488
55 00401FA1 . 50 push eax ; Andréna.004018A8
56 00401FA2 . 51 push ecx ; arg1:0 arg2:(0012f0008)0
57 00401FA3 . FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ; msvbvm50.__vbaStrVarVal ; variant -> BSTR of the single character
58 00401FA9 . 50 push eax ; eax=00f556fc='1' (eax for the following call)
59 00401FAA . FF15 08414000 call dword ptr ds:[<&MSVBVM50.#516>] ; msvbvm50.rtcAnsiValueBstr ; Asc(char) -> ax
60 00401FB0 . 66:05 0A00 add ax,0xA ; ax+=0xA ; the transform: every character code is shifted by 10 (16-bit add)
61 00401FB4 . 0F80 B0020000 jo Andréna.0040226A ; VB overflow check on the 16-bit add; 0040226A is presumably the runtime error path — not shown here
62 00401FBA . 0FBFD0 movsx edx,ax ; edx=00f556fe,ax=003B ; sign-extend the shifted code ('1'+0xA = 0x3B = ';')
63 00401FBD . 52 push edx ; arg1:0x3b arg2:(0012f4ec->0012f4fc)
64 00401FBE . FF15 70414000 call dword ptr ds:[<&MSVBVM50.#537>] ; msvbvm50.rtcBstrFromAnsi ; Chr$(code) -> BSTR
65 00401FC4 . 8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax ; 0012f45c=00f4d41c=';' ; store the new character into the variant at [ebp-0x8C] (vt set to 8 below)
66 00401FCA . 8D45 CC lea eax,dword ptr ss:[ebp-0x34] ; eax=0012f4ac ; [ebp-0x34] = accumulator variant (result string)
67 00401FCD . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] ; ecx=0012f454
68 00401FD3 . 50 push eax ; Andréna.004018A8
69 00401FD4 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C] ; edx=0012f444 ; temp destination for the concatenation
70 00401FDA . 51 push ecx
71 00401FDB . 52 push edx
72 00401FDC . C785 74FFFFFF 080000>mov dword ptr ss:[ebp-0x8C],0x8 ; 0012f454=8 ; vt = VT_BSTR for the new character
73 00401FE6 . FFD3 call ebx ; __vbaVarCat: temp = accumulator & Chr$(code)
74 00401FE8 . 8BD0 mov edx,eax ; eax=0012f444
75 00401FEA . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34] ; ecx=0012f4ac
76 00401FED . FFD6 call esi ; __vbaVarMove: accumulator = temp
77 00401FEF . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; ecx=0012f488
78 00401FF2 . FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ; msvbvm50.__vbaFreeStr ; release the single-character BSTR
79 00401FF8 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
80 00401FFE . 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
81 00402001 . 50 push eax ; Andréna.004018A8
82 00402002 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
83 00402005 . 51 push ecx
84 00402006 . 52 push edx
85 00402007 . 6A 03 push 0x3 ; count = 3 temp variants to free
86 00402009 . FFD7 call edi ; __vbaFreeVarList(3, [ebp-0x6C], [ebp-0x7C], [ebp-0x8C])
87 0040200B . 83C4 10 add esp,0x10 ; caller cleans the 4 pushed args (16 bytes)
88 0040200E . 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
89 00402014 . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
90 0040201A . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
91 0040201D . 50 push eax ; Andréna.004018A8
92 0040201E . 51 push ecx
93 0040201F . 52 push edx
94 00402020 . FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>] ; msvbvm50.__vbaVarForNext ; Next i -> continue flag in eax
95 00402026 .^ E9 3DFFFFFF jmp Andréna.00401F68 ; back to the loop head
; ---- after the loop: compare the accumulated string with the hard-coded constant ----
96 0040202B > 8D45 CC lea eax,dword ptr ss:[ebp-0x34] ; eax=0012f4ac ; accumulator variant
97 0040202E . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC] ; ecx=0012f434 ; variant holding the constant
98 00402034 . 50 push eax ; Andréna.004018A8
99 00402035 . 51 push ecx
100 00402036 . C785 5CFFFFFF 8C1A40>mov dword ptr ss:[ebp-0xA4],Andréna.00401A8C ; UNICODE "kXy^rO|*yXo*mkMuOn*+" ; expected value, a static string in the image
101 00402040 . C785 54FFFFFF 088000>mov dword ptr ss:[ebp-0xAC],0x8008 ; 0012f434=0x8008 ; vt = 0x8008: low byte 8 = VT_BSTR, high bit presumably a VB-runtime flag for a literal — confirm
102 0040204A . FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ; msvbvm50.__vbaVarTstEq ; ax != 0 when the two variants are equal
103 00402050 . 66:85C0 test ax,ax
104 00402053 . 0F84 C0000000 je Andréna.00402119 ; mismatch path (not shown in this listing)
105 00402059 . FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#534>] ; msvbvm50.rtcBeep ; success path begins here
106 0040205F . 8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ; msvbvm50.__vbaVarDup
107 00402065 . B9 0A000000 mov ecx,0xA ; listing continues past this point
108
109
在分析VB程序的时候,应该具体地了解地址调用,善于追根溯源,从栈地址追到具体的内容(data),并弄清楚每个函数的参数。