[求助]请高手指点vb逆向工程。-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]请高手指点vb逆向工程。

发表于: 2005-9-16 10:42 4247

[求助]请高手指点vb逆向工程。

nnscccn

2005-9-16 10:42

4247

:0040CD30 55                   push ebp
:0040CD31 8BEC                   mov ebp, esp
:0040CD33 83EC08                sub esp, 00000008

* Possible StringData Ref from Code Obj ->"??@"
                              |
:0040CD36 68A6134000             push 004013A6
:0040CD3B 64A100000000          mov eax, dword ptr fs:[00000000]
:0040CD41 50                   push eax
:0040CD42 64892500000000       mov dword ptr fs:[00000000], esp
:0040CD49 83EC2C                sub esp, 0000002C
:0040CD4C 53                   push ebx
:0040CD4D 56                   push esi
:0040CD4E 57                   push edi
:0040CD4F 8965F8                mov dword ptr [ebp-08], esp
:0040CD52 C745FC38134000       mov [ebp-04], 00401338
:0040CD59 33C0                   xor eax, eax //eax=0

* Possible StringData Ref from Code Obj ->"127.0.0.1"
                              |
:0040CD5B BAB8654000             mov edx, 004065B8          //edx="127.0.0.1"
:0040CD60 8D4DD8                lea ecx, dword ptr [ebp-28] //ecx指向变量c
:0040CD63 8945E0                mov dword ptr [ebp-20], eax // dim a as string
:0040CD66 8945DC                mov dword ptr [ebp-24], eax // dim b as string
:0040CD69 8945D8                mov dword ptr [ebp-28], eax // dim c as string
:0040CD6C 8945C8                mov dword ptr [ebp-38], eax

* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
                              |
:0040CD6F FF1504114000          Call dword ptr [00401104] // c="127.0.0.1"
:0040CD75 8D45E0                lea eax, dword ptr [ebp-20] //eax指向变量a
:0040CD78 50                   push eax //是参数4吗？

* Possible StringData Ref from Code Obj ->"IP1"
                              |
:0040CD79 6850664000             push 00406650 //参数3

* Possible StringData Ref from Code Obj ->"Software\casinoonnet\casino\init"
                              |
:0040CD7E 6808664000             push 00406608 //参数2
:0040CD83 6801000080             push 80000001 //参数1
:0040CD88 E883F6FFFF             call 0040C410 //函数调用
//GetIP &H80000001,"Software\casinoonnet\casino\init","IP1" 不懂了，请指点？
:0040CD8D 8D4DE0                lea ecx, dword ptr [ebp-20] //ecx指向变量a
:0040CD90 51                   push ecx //保存ecx

* Reference To: MSVBVM60.__vbaStrVarCopy, Ord:0000h
                              |
:0040CD91 FF1550114000          Call dword ptr [00401150] //a=GetIP(参数1，参数2，参数3)
:0040CD97 8BD0                   mov edx, eax
:0040CD99 8D4DDC                lea ecx, dword ptr [ebp-24]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
                              |
:0040CD9C FF154C114000          Call dword ptr [0040114C] //b=a  ???
:0040CDA2 8B55DC                mov edx, dword ptr [ebp-24]
:0040CDA5 8B45D8                mov eax, dword ptr [ebp-28]
:0040CDA8 52                   push edx
:0040CDA9 50                   push eax

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
                              |
:0040CDAA FF1594104000          Call dword ptr [00401094] //if b<>c then
:0040CDB0 85C0                   test eax, eax          // goto 0040CDEC
:0040CDB2 7438                   je 0040CDEC             //else
:0040CDB4 6A04                   push 00000004          //
:0040CDB6 B908000000             mov ecx, 00000008       //end if
:0040CDBB 83EC10                sub esp, 00000010

* Possible StringData Ref from Code Obj ->"127.0.0.1"
                              |
:0040CDBE B8B8654000             mov eax, 004065B8
:0040CDC3 8BD4                   mov edx, esp
:0040CDC5 6A01                   push 00000001

* Possible StringData Ref from Code Obj ->"IP1"
                              |
:0040CDC7 6850664000             push 00406650
:0040CDCC 890A                   mov dword ptr [edx], ecx
:0040CDCE 8B4DCC                mov ecx, dword ptr [ebp-34]

* Possible StringData Ref from Code Obj ->"SSoftware\casinoonnet\casino\init"
                              |
:0040CDD1 6808664000             push 00406608
:0040CDD6 6801000080             push 80000001
:0040CDDB 894A04                mov dword ptr [edx+04], ecx
:0040CDDE 894208                mov dword ptr [edx+08], eax
:0040CDE1 8B45D4                mov eax, dword ptr [ebp-2C]
:0040CDE4 89420C                mov dword ptr [edx+0C], eax
:0040CDE7 E874FBFFFF             call 0040C960

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CDB2(C)
|
:0040CDEC 680BCE4000             push 0040CE0B
:0040CDF1 8D4DE0                lea ecx, dword ptr [ebp-20]

* Reference To: MSVBVM60.__vbaFreeVar, Ord:0000h
                              |
:0040CDF4 FF1514104000          Call dword ptr [00401014]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                              |
:0040CDFA 8B3574114000          mov esi, dword ptr [00401174]
:0040CE00 8D4DDC                lea ecx, dword ptr [ebp-24]
:0040CE03 FFD6                   call esi
:0040CE05 8D4DD8                lea ecx, dword ptr [ebp-28]
:0040CE08 FFD6                   call esi
:0040CE0A C3                   ret
总结:
dim a as string
dim b as string
dim c as string
c="127.0.0.1"
a=GetIP(&H80000001,"software\casinoonnet\casino\init","IP1")
b=a
if b<>c then
  goto 0040CDEC
else

end if

[课程]Linux pwn 探索篇！

收藏・0

免费・0

支持

最新回复 (4)
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 2 楼 Dim a As String a = "127.0.0.1" If RegCreateKey(HKEY_CURRENT_USER, "Software\casinoonnet\casino\init", "IP1") = 0 Then Else End If 2005-9-16 12:15 0
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 3 楼有对逆向工程感兴趣的，加我QQ：15825629 2005-9-16 12:23 0
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 4 楼 * Possible StringData Ref from Code Obj ->"IP1" \| :0040CD79 6850664000 push 00406650<--hKey * Possible StringData Ref from Code Obj ->"Software\casinoonnet\casino\init" \| :0040CD7E 6808664000 push 00406608<--SubKey :0040CD83 6801000080 push 80000001<--这里就是HKEY_CURRENT_USER :0040CD88 E883F6FFFF call 0040C410 //函数调用 2005-9-16 12:28 0
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 5 楼 vb逆向工程QQ群:15825629 2005-9-16 14:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

nnscccn

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 2 楼 Dim a As String a = "127.0.0.1" If RegCreateKey(HKEY_CURRENT_USER, "Software\casinoonnet\casino\init", "IP1") = 0 Then Else End If 2005-9-16 12:15 0
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 3 楼有对逆向工程感兴趣的，加我QQ：15825629 2005-9-16 12:23 0
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 4 楼 * Possible StringData Ref from Code Obj ->"IP1" \| :0040CD79 6850664000 push 00406650<--hKey * Possible StringData Ref from Code Obj ->"Software\casinoonnet\casino\init" \| :0040CD7E 6808664000 push 00406608<--SubKey :0040CD83 6801000080 push 80000001<--这里就是HKEY_CURRENT_USER :0040CD88 E883F6FFFF call 0040C410 //函数调用 2005-9-16 12:28 0
nnscccn 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 19 回帖 64 粉丝 0 关注私信	nnscccn 1 5 楼 vb逆向工程QQ群:15825629 2005-9-16 14:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复