最近使用VbsEdit 6.8.2.0学习vbs,提示需要注册码,为了个人学习用,于是就想尝试找寻注册码。
用PEiD查壳显示 Nothing found,只好用OD载入先看看,
发现开始的几行代码如下:
00583A0F > $ E8 94950000 call vbsedit.0058CFA8
00583A14 .^ E9 89FEFFFF jmp vbsedit.005838A2
00583A19 $ 3B0D 605E6200 cmp ecx,dword ptr ds:[0x625E60]
00583A1F . 75 02 jnz Xvbsedit.00583A23
00583A21 . F3: prefix rep:
00583A22 . C3 retn
这与我之前看到的一个壳很相似,都是
call XXX
jmp xxx
cmp XX
jnz XXX
rep:
retn
形式的
我先跟踪了一下,发现根本找不到入口点,用通用的定律也解决不了。
求大神帮忙看看这是一个什么壳?
call 进入后的代码如下:
CPU Disasm
地址 十六进制数据 汇编代码 注释
0058CFA8 /$ 8BFF mov edi,edi ; ntdll.7C930208
0058CFAA |. 55 push ebp
0058CFAB |. 8BEC mov ebp,esp
0058CFAD |. 83EC 10 sub esp,0x10
0058CFB0 |. A1 605E6200 mov eax,dword ptr ds:[0x625E60]
0058CFB5 |. 8365 F8 00 and [local.2],0x0
0058CFB9 |. 8365 FC 00 and [local.1],0x0
0058CFBD |. 53 push ebx
0058CFBE |. 57 push edi
0058CFBF |. BF 4EE640BB mov edi,0xBB40E64E
0058CFC4 |. BB 0000FFFF mov ebx,0xFFFF0000
0058CFC9 |. 3BC7 cmp eax,edi
0058CFCB |. 74 0D je Xvbsedit.0058CFDA
0058CFCD |. 85C3 test ebx,eax
0058CFCF |. 74 09 je Xvbsedit.0058CFDA
0058CFD1 |. F7D0 not eax
0058CFD3 |. A3 645E6200 mov dword ptr ds:[0x625E64],eax
0058CFD8 |. EB 65 jmp Xvbsedit.0058D03F
0058CFDA |> 56 push esi
0058CFDB |. 8D45 F8 lea eax,[local.2]
0058CFDE |. 50 push eax ; /pFileTime
0058CFDF |. FF15 E0725B00 call dword ptr ds:[<&KERNEL32.GetSystemT>; \GetSystemTimeAsFileTime
0058CFE5 |. 8B75 FC mov esi,[local.1]
0058CFE8 |. 3375 F8 xor esi,[local.2]
0058CFEB |. FF15 98735B00 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentProcessId
0058CFF1 |. 33F0 xor esi,eax
0058CFF3 |. FF15 98745B00 call dword ptr ds:[<&KERNEL32.GetCurrent>; [GetCurrentThreadId
0058CFF9 |. 33F0 xor esi,eax
0058CFFB |. FF15 04745B00 call dword ptr ds:[<&KERNEL32.GetTickCou>; [GetTickCount
0058D001 |. 33F0 xor esi,eax
0058D003 |. 8D45 F0 lea eax,[local.4]
0058D006 |. 50 push eax ; /pPerformanceCount
0058D007 |. FF15 9C725B00 call dword ptr ds:[<&KERNEL32.QueryPerfo>; \QueryPerformanceCounter
0058D00D |. 8B45 F4 mov eax,[local.3]
0058D010 |. 3345 F0 xor eax,[local.4]
0058D013 |. 33F0 xor esi,eax
0058D015 |. 3BF7 cmp esi,edi
0058D017 |. 75 07 jnz Xvbsedit.0058D020
0058D019 |. BE 4FE640BB mov esi,0xBB40E64F
0058D01E |. EB 10 jmp Xvbsedit.0058D030
0058D020 |> 85F3 test ebx,esi
0058D022 |. 75 0C jnz Xvbsedit.0058D030
0058D024 |. 8BC6 mov eax,esi
0058D026 |. 0D 11470000 or eax,0x4711
0058D02B |. C1E0 10 shl eax,0x10
0058D02E |. 0BF0 or esi,eax
0058D030 |> 8935 605E6200 mov dword ptr ds:[0x625E60],esi
0058D036 |. F7D6 not esi
0058D038 |. 8935 645E6200 mov dword ptr ds:[0x625E64],esi
0058D03E |. 5E pop esi
0058D03F |> 5F pop edi
0058D040 |. 5B pop ebx
0058D041 |. C9 leave
0058D042 \. C3 retn
jmp 跳转到的代码如下:
CPU Disasm
地址 十六进制数据 汇编代码 注释
005838A2 > /6A 58 push 0x58
005838A4 . |68 005B6100 push vbsedit.00615B00
005838A9 . |E8 02490000 call vbsedit.005881B0
005838AE . |8D45 98 lea eax,dword ptr ss:[ebp-0x68]
005838B1 . |50 push eax ; /pStartupinfo
005838B2 . |FF15 B8735B00 call dword ptr ds:[<&KERNEL32.GetStartup>; \GetStartupInfoW
005838B8 . |33F6 xor esi,esi
005838BA . |3935 98DA6300 cmp dword ptr ds:[0x63DA98],esi
005838C0 . |75 0B jnz Xvbsedit.005838CD
005838C2 . |56 push esi
005838C3 . |56 push esi
005838C4 . |6A 01 push 0x1
005838C6 . |56 push esi
005838C7 . |FF15 BC735B00 call dword ptr ds:[<&KERNEL32.HeapSetInf>; kernel32.HeapSetInformation
005838CD > |B8 4D5A0000 mov eax,0x5A4D
005838D2 . |66:3905 00004>cmp word ptr ds:[0x400000],ax
005838D9 . |74 05 je Xvbsedit.005838E0
005838DB > |8975 E4 mov dword ptr ss:[ebp-0x1C],esi
005838DE . |EB 36 jmp Xvbsedit.00583916
005838E0 > |A1 3C004000 mov eax,dword ptr ds:[0x40003C]
005838E5 . |81B8 00004000>cmp dword ptr ds:[eax+0x400000],0x4550
005838EF .^|75 EA jnz Xvbsedit.005838DB
005838F1 . |B9 0B010000 mov ecx,0x10B
005838F6 . |66:3988 18004>cmp word ptr ds:[eax+0x400018],cx
005838FD .^|75 DC jnz Xvbsedit.005838DB
005838FF . |83B8 74004000>cmp dword ptr ds:[eax+0x400074],0xE
00583906 .^|76 D3 jbe Xvbsedit.005838DB
00583908 . |33C9 xor ecx,ecx
0058390A . |39B0 E8004000 cmp dword ptr ds:[eax+0x4000E8],esi
00583910 . |0F95C1 setne cl
00583913 . |894D E4 mov dword ptr ss:[ebp-0x1C],ecx
00583916 > |E8 6F960000 call vbsedit.0058CF8A
0058391B . |85C0 test eax,eax
0058391D . |75 08 jnz Xvbsedit.00583927
0058391F . |6A 1C push 0x1C
00583921 . |E8 53FFFFFF call vbsedit.00583879
00583926 . |59 pop ecx
00583927 > |E8 E3940000 call vbsedit.0058CE0F
0058392C . |85C0 test eax,eax
0058392E . |75 08 jnz Xvbsedit.00583938
00583930 . |6A 10 push 0x10
00583932 . |E8 42FFFFFF call vbsedit.00583879
00583937 . |59 pop ecx
00583938 > |E8 E2900000 call vbsedit.0058CA1F
0058393D . |8975 FC mov dword ptr ss:[ebp-0x4],esi
00583940 . |E8 958E0000 call vbsedit.0058C7DA
00583945 . |85C0 test eax,eax
00583947 . |79 08 jns Xvbsedit.00583951
00583949 . |6A 1B push 0x1B
0058394B . |E8 09750000 call vbsedit.0058AE59
00583950 . |59 pop ecx
00583951 > |FF15 C0735B00 call dword ptr ds:[<&KERNEL32.GetCommand>; [GetCommandLineW
00583957 . |A3 94DA6300 mov dword ptr ds:[0x63DA94],eax
0058395C . |E8 218E0000 call vbsedit.0058C782
00583961 . |A3 78A86300 mov dword ptr ds:[0x63A878],eax
00583966 . |E8 698D0000 call vbsedit.0058C6D4
0058396B . |85C0 test eax,eax
0058396D . |79 08 jns Xvbsedit.00583977
0058396F . |6A 08 push 0x8
00583971 . |E8 E3740000 call vbsedit.0058AE59
00583976 . |59 pop ecx
00583977 > |E8 268B0000 call vbsedit.0058C4A2
0058397C . |85C0 test eax,eax
0058397E . |79 08 jns Xvbsedit.00583988
00583980 . |6A 09 push 0x9
00583982 . |E8 D2740000 call vbsedit.0058AE59
00583987 . |59 pop ecx
00583988 > |6A 01 push 0x1
0058398A . |E8 A9720000 call vbsedit.0058AC38
0058398F . |59 pop ecx
00583990 . |3BC6 cmp eax,esi
00583992 . |74 07 je Xvbsedit.0058399B
00583994 . |50 push eax
00583995 . |E8 BF740000 call vbsedit.0058AE59
0058399A . |59 pop ecx
0058399B > |E8 BC8A0000 call vbsedit.0058C45C
005839A0 . |F645 C4 01 test byte ptr ss:[ebp-0x3C],0x1
005839A4 . |74 06 je Xvbsedit.005839AC
005839A6 . |0FB74D C8 movzx ecx,word ptr ss:[ebp-0x38]
005839AA . |EB 03 jmp Xvbsedit.005839AF
005839AC > |6A 0A push 0xA
005839AE . |59 pop ecx
005839AF > |51 push ecx
005839B0 . |50 push eax
005839B1 . |56 push esi
005839B2 . |68 00004000 push vbsedit.00400000
005839B7 . |E8 2EC40100 call vbsedit.0059FDEA
005839BC . |8945 E0 mov dword ptr ss:[ebp-0x20],eax
005839BF . |3975 E4 cmp dword ptr ss:[ebp-0x1C],esi
005839C2 . |75 06 jnz Xvbsedit.005839CA
005839C4 . |50 push eax
005839C5 . |E8 45740000 call vbsedit.0058AE0F
005839CA > |E8 6C740000 call vbsedit.0058AE3B
005839CF . |EB 2E jmp Xvbsedit.005839FF
005839D1 . |8B45 EC mov eax,dword ptr ss:[ebp-0x14]
005839D4 . |8B08 mov ecx,dword ptr ds:[eax]
005839D6 . |8B09 mov ecx,dword ptr ds:[ecx]
005839D8 . |894D DC mov dword ptr ss:[ebp-0x24],ecx
005839DB . |50 push eax
005839DC . |51 push ecx
005839DD . |E8 30890000 call vbsedit.0058C312
005839E2 . |59 pop ecx
005839E3 . |59 pop ecx
005839E4 . |C3 retn
求大神支招