VB Reverse Engineering Practice (1)
【Date】 September 21
【Author】 囚徒
【Author e-mail】 nnscccn@yahoo.com.cn
【Tools】 VBDE, SmartCheck, W32dsm, OD
【Platform】 Win9x/NT/2000/XP
【Software】 Casino轮盘智能机器人 (Casino roulette bot)
【Download】 See attachment
【Description】 The Casino roulette bot is a standalone add-on for the 888 casino: it places bets and "spins" the wheel by itself, so once it is running you don't have to do anything. It is good fun, and add-ons of this kind are rare, so I decided to reverse it.
【Size】 84KB
【Packer】 None
【Disclaimer】 I am a little newbie who wants to fly but just can't fly high.
【Aside】 The biggest difference between humans and animals is that we use tools. You will see that, as long as you make good use of tools, reversing a VB program is not hard at all; even a newbie like me can do it.
----------------------------------------------------------------------------------------------------------------------
【Reversing notes】
No packer and no Command Button; everything happens in Form_Load. VBDE shows Form_Load at 00406A90. Open W32dsm, load the Casino roulette bot, search for 00406A90, and the disassembly is as follows:
Quote:
:00406A90 55 push ebp
:00406A91 8BEC mov ebp, esp
:00406A93 83EC0C sub esp, 0000000C
* Possible StringData Ref from Code Obj ->"??@"
|
:00406A96 68A6134000 push 004013A6
:00406A9B 64A100000000 mov eax, dword ptr fs:[00000000]
:00406AA1 50 push eax
:00406AA2 64892500000000 mov dword ptr fs:[00000000], esp
:00406AA9 81EC84010000 sub esp, 00000184
:00406AAF 53 push ebx
:00406AB0 56 push esi
:00406AB1 57 push edi
:00406AB2 8965F4 mov dword ptr [ebp-0C], esp
:00406AB5 C745F8A0114000 mov [ebp-08], 004011A0
:00406ABC 8B4508 mov eax, dword ptr [ebp+08]
:00406ABF 8BC8 mov ecx, eax
:00406AC1 83E101 and ecx, 00000001
:00406AC4 894DFC mov dword ptr [ebp-04], ecx
:00406AC7 24FE and al, FE
:00406AC9 50 push eax
:00406ACA 894508 mov dword ptr [ebp+08], eax
:00406ACD 8B10 mov edx, dword ptr [eax]
:00406ACF FF5204 call [edx+04]
:00406AD2 33DB xor ebx, ebx ;start of the code to decompile
:00406AD4 895DDC mov dword ptr [ebp-24], ebx ;the following lines are variable initialisations
:00406AD7 895DD4 mov dword ptr [ebp-2C], ebx
:00406ADA 895DD0 mov dword ptr [ebp-30], ebx
:00406ADD 895DC0 mov dword ptr [ebp-40], ebx
:00406AE0 895DB0 mov dword ptr [ebp-50], ebx
:00406AE3 895DA0 mov dword ptr [ebp-60], ebx
:00406AE6 895D90 mov dword ptr [ebp-70], ebx
:00406AE9 895D80 mov dword ptr [ebp-80], ebx
:00406AEC 899D70FFFFFF mov dword ptr [ebp+FFFFFF70], ebx
:00406AF2 899D60FFFFFF mov dword ptr [ebp+FFFFFF60], ebx
:00406AF8 899D34FFFFFF mov dword ptr [ebp+FFFFFF34], ebx
:00406AFE 899D24FFFFFF mov dword ptr [ebp+FFFFFF24], ebx
:00406B04 899D14FFFFFF mov dword ptr [ebp+FFFFFF14], ebx
:00406B0A 899D04FFFFFF mov dword ptr [ebp+FFFFFF04], ebx
:00406B10 899DF4FEFFFF mov dword ptr [ebp+FFFFFEF4], ebx
:00406B16 899DE4FEFFFF mov dword ptr [ebp+FFFFFEE4], ebx
:00406B1C 899DD4FEFFFF mov dword ptr [ebp+FFFFFED4], ebx
:00406B22 899DC4FEFFFF mov dword ptr [ebp+FFFFFEC4], ebx
:00406B28 899DB4FEFFFF mov dword ptr [ebp+FFFFFEB4], ebx
:00406B2E 899DA4FEFFFF mov dword ptr [ebp+FFFFFEA4], ebx
:00406B34 E8F7610000 call 0040CD30 ;step into this one
:00406B39 391D10204100 cmp dword ptr [00412010], ebx ;compare
:00406B3F 7510 jne 00406B51 ;jump if not equal
:00406B41 6810204100 push 00412010
:00406B46 6804464000 push 00404604
* Reference To: MSVBVM60.__vbaNew2, Ord:0000h
|
:00406B4B FF15F8104000 Call dword ptr [004010F8]
*
*
*
ret
-------------------------------------------------------------------------------------------------------------------
Quote:
:0040CD30 55 push ebp
:0040CD31 8BEC mov ebp, esp
:0040CD33 83EC08 sub esp, 00000008
* Possible StringData Ref from Code Obj ->"??@"
|
:0040CD36 68A6134000 push 004013A6
:0040CD3B 64A100000000 mov eax, dword ptr fs:[00000000]
:0040CD41 50 push eax
:0040CD42 64892500000000 mov dword ptr fs:[00000000], esp
:0040CD49 83EC2C sub esp, 0000002C
:0040CD4C 53 push ebx
:0040CD4D 56 push esi
:0040CD4E 57 push edi
:0040CD4F 8965F8 mov dword ptr [ebp-08], esp
:0040CD52 C745FC38134000 mov [ebp-04], 00401338
:0040CD59 33C0 xor eax, eax ;eax=0
* Possible StringData Ref from Code Obj ->"127.0.0.1"
|
:0040CD5B BAB8654000 mov edx, 004065B8 ;edx="127.0.0.1"
:0040CD60 8D4DD8 lea ecx, dword ptr [ebp-28] ;ecx points to variable c
:0040CD63 8945E0 mov dword ptr [ebp-20], eax ;dim a as string
:0040CD66 8945DC mov dword ptr [ebp-24], eax ;dim b as string
:0040CD69 8945D8 mov dword ptr [ebp-28], eax ;dim c as string
:0040CD6C 8945C8 mov dword ptr [ebp-38], eax
* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0040CD6F FF1504114000 Call dword ptr [00401104] ;c="127.0.0.1"
:0040CD75 8D45E0 lea eax, dword ptr [ebp-20] ;eax points to variable a
:0040CD78 50 push eax ;Arg4: Long, 4 bytes
* Possible StringData Ref from Code Obj ->"IP1"
|
:0040CD79 6850664000 push 00406650 ;Arg3: String
* Possible StringData Ref from Code Obj ->"Software\casinoonnet\casino\init"
|
:0040CD7E 6808664000 push 00406608 ;Arg2: lpSubKey, String
:0040CD83 6801000080 push 80000001 ;Arg1: this value is HKEY_CURRENT_USER, Long
:0040CD88 E883F6FFFF call 0040C410 ;function call: a routine the program's author wrote himself
;let's look at this function next
;preliminary guess: it has to do with the registry
;we will need SmartCheck for this
*
*
*
ret
------------------------------------------------------------------------------------------------------------------
Open SmartCheck, load the Casino roulette bot, and in the Events pane you can see:
Quote:
_Load
OnError
RegOpenKeyExA returns Long:2
*
*
*
_Load
As you can see, the first step is to open a registry key. Looking up RegOpenKeyEx gives:
RegOpenKeyEx(ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long)
It takes 5 parameters. Let's find where it is called: in SmartCheck, click RegOpenKeyExA returns Long:2 on the left, and on the right you can see its address is 0040C4AC. Search for that address in W32dsm to see where it is reached from.
Quote:
* Referenced by a CALL at Address:
|:0040CD88 ;it is called from here
| ;0040CD88 is the Call we saw above
:0040C410 55 push ebp
:0040C411 8BEC mov ebp, esp
:0040C413 83EC14 sub esp, 00000014
* Possible StringData Ref from Code Obj ->"??@"
|
:0040C416 68A6134000 push 004013A6
:0040C41B 64A100000000 mov eax, dword ptr fs:[00000000]
:0040C421 50 push eax
:0040C422 64892500000000 mov dword ptr fs:[00000000], esp
:0040C429 81ECA0000000 sub esp, 000000A0
:0040C42F 53 push ebx
:0040C430 56 push esi
:0040C431 57 push edi
:0040C432 8965EC mov dword ptr [ebp-14], esp
:0040C435 C745F0E8124000 mov [ebp-10], 004012E8
:0040C43C 33F6 xor esi, esi
:0040C43E 8975F4 mov dword ptr [ebp-0C], esi ;
:0040C441 8975F8 mov dword ptr [ebp-08], esi
:0040C444 8975E0 mov dword ptr [ebp-20], esi ;Dim bb As String
:0040C447 8975D8 mov dword ptr [ebp-28], esi ;Dim aa As String
:0040C44A 8975D0 mov dword ptr [ebp-30], esi
:0040C44D 8975CC mov dword ptr [ebp-34], esi
:0040C450 8975BC mov dword ptr [ebp-44], esi
:0040C453 8975AC mov dword ptr [ebp-54], esi
:0040C456 89759C mov dword ptr [ebp-64], esi
:0040C459 89758C mov dword ptr [ebp-74], esi
:0040C45C 89B57CFFFFFF mov dword ptr [ebp+FFFFFF7C], esi ;
:0040C462 89B56CFFFFFF mov dword ptr [ebp+FFFFFF6C], esi
:0040C468 89B55CFFFFFF mov dword ptr [ebp+FFFFFF5C], esi
:0040C46E 8B550C mov edx, dword ptr [ebp+0C] ;actual argument, i.e. Arg2 above
:0040C471 8D4DD8 lea ecx, dword ptr [ebp-28]
* Reference To: MSVBVM60.__vbaStrCopy, Ord:0000h
|
:0040C474 8B3D04114000 mov edi, dword ptr [00401104]
:0040C47A FFD7 call edi ;aa=Arg2
:0040C47C 8B5510 mov edx, dword ptr [ebp+10] ;actual argument, i.e. Arg3 above
:0040C47F 8D4DE0 lea ecx, dword ptr [ebp-20]
:0040C482 FFD7 call edi ;bb=Arg3
:0040C484 6A01 push 00000001
* Reference To: MSVBVM60.__vbaOnError, Ord:0000h
|
:0040C486 FF155C104000 Call dword ptr [0040105C] ;On Error Resume Next
:0040C48C 68EC214100 push 004121EC ;Arg5:phkResult
:0040C491 6819000200 push 00020019 ;Arg4:SamDesired
:0040C496 56 push esi ;Arg3:ulOptions
:0040C497 8B45D8 mov eax, dword ptr [ebp-28]
:0040C49A 50 push eax
:0040C49B 8D4DD0 lea ecx, dword ptr [ebp-30]
:0040C49E 51 push ecx
* Reference To: MSVBVM60.__vbaStrToAnsi, Ord:0000h
|
:0040C49F 8B3528114000 mov esi, dword ptr [00401128]
:0040C4A5 FFD6 call esi
:0040C4A7 50 push eax ;Arg2:lpSubKey
:0040C4A8 8B5508 mov edx, dword ptr [ebp+08]
:0040C4AB 52 push edx ;Arg1:hKey=80000001
:0040C4AC E8D395FFFF call 00405A84 ;and here we are: RegOpenKeyEx
--------------------------------------------------------------------------------------------------------------
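The listing above recovers the RegOpenKeyEx arguments by reading the pushes back from the call in reverse order. Here is an added Python example, not from the original post, that does the same pairing mechanically over W32dsm-style lines and names the values: the sample lines and the register values esi=0 and edx=80000001 are taken from the disassembly above, the parameter order from the declaration quoted earlier, and the HKEY and KEY_* constants are the Windows SDK values.

```python
import re
# Constructed sample: the push/call lines the listing above shows at 0040C48C..0040C4AC (W32dsm format, comments dropped).
LISTING = """
:0040C48C 68EC214100 push 004121EC
:0040C491 6819000200 push 00020019
:0040C496 56 push esi
:0040C4A7 50 push eax
:0040C4AB 52 push edx
:0040C4AC E8D395FFFF call 00405A84
"""
# Register values the function sets earlier (assumed inputs, read off the listing): esi zeroed, edx = caller's Arg1.
KNOWN_REGS = {"esi": 0x0, "edx": 0x80000001}
# stdcall pushes right to left, so the last push before the call is the first parameter.
REGOPENKEYEX_PARAMS = ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"]
HKEY_NAMES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
# Windows SDK registry access-right bits; their combination 0x20019 is KEY_READ.
KEY_RIGHTS = {0x20000: "STANDARD_RIGHTS_READ", 0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY"}
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+(push|call)\s+(\S+)", re.I)  # addr, bytes, mnemonic, operand

def recover_args(listing, params, regs):
    pushes = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, op, operand = m.groups()
        if op.lower() == "push":
            pushes.append(operand)
            continue
        # First call reached: pair its arguments with the prototype, last push first.
        if len(pushes) < len(params):
            raise ValueError("fewer pushes than parameters before the call")
        args = {}
        for name, operand in zip(params, reversed(pushes[-len(params):])):
            if operand.lower() in regs:                      # register with a known value
                args[name] = regs[operand.lower()]
            elif re.fullmatch(r"[0-9A-F]+", operand, re.I):  # immediate operand
                args[name] = int(operand, 16)
            else:                                            # unresolved register: keep its name
                args[name] = operand
        return args
    raise ValueError("no call found in listing")

def describe_regopenkeyex(listing, regs=KNOWN_REGS):
    a = recover_args(listing, REGOPENKEYEX_PARAMS, regs)
    sam = a["samDesired"]
    rights = "KEY_READ" if sam == 0x20019 else "|".join(n for b, n in KEY_RIGHTS.items() if sam & b)
    return {"hKey": HKEY_NAMES.get(a["hKey"], a["hKey"]), "lpSubKey": a["lpSubKey"],
            "ulOptions": a["ulOptions"], "samDesired": rights, "phkResult": hex(a["phkResult"])}
```

The sample deliberately leaves out the __vbaStrToAnsi call and its two pushes that sit between push esi and push eax in the real listing; a nested call like that consumes its own pushes first, so they must be removed before pairing.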
The above is a short write-up of my reversing experience; anyone interested is welcome to discuss it with me. My e-mail: nnscccn@yahoo.com.cn
Attachment: casino.rar