朋友的硬盘被这个软件给锁住了需要密码才能还原。
按理说,应该走到
0040990E: call MSVBVM60.DLL.__vbaStrCmp
就应该是判断密码的,但是后边的jz怎么修改也不行。
附件中是那个程序,为了安全如果调试请在虚拟中或者静态分析,这个已经是脱壳后的。
Private sub Command4__409870
00409870: push ebp
00409871: mov ebp, esp
00409873: sub esp, 0000000Ch
00409876: push 004010D6h ; MSVBVM60.DLL.__vbaExceptHandler
0040987B: mov eax, fs:[00h]
00409881: push eax
00409882: mov fs:[00000000h], esp
00409889: sub esp, 0000009Ch
0040988F: push ebx
00409890: push esi
00409891: push edi
00409892: mov var_0C, esp
00409895: mov var_08, 004010B8h
0040989C: mov esi, [ebp+08h]
0040989F: mov eax, esi
004098A1: and eax, 00000001h
004098A4: mov var_04, eax
004098A7: and esi, FFFFFFFEh
004098AA: push esi
004098AB: mov [ebp+08h], esi
004098AE: mov ecx, [esi]
004098B0: call [ecx+04h]
004098B3: mov edx, [esi]
004098B5: xor edi, edi
004098B7: push esi
004098B8: mov var_18, edi
004098BB: mov var_1C, edi
004098BE: mov var_2C, edi
004098C1: mov var_3C, edi
004098C4: mov var_4C, edi
004098C7: mov var_5C, edi
004098CA: mov var_6C, edi
004098CD: call [edx+00000314h]
004098D3: push eax
004098D4: lea eax, var_1C
004098D7: push eax
004098D8: call Set (object)
004098DE: mov esi, eax
004098E0: lea edx, var_18
004098E3: push edx
004098E4: push esi
004098E5: mov ecx, [esi]
004098E7: call [ecx+000000A0h]
004098ED: cmp eax, edi
004098EF: fclex
004098F1: jnl 409905h
004098F3: push 000000A0h
004098F8: push 00406630h
004098FD: push esi
004098FE: push eax
004098FF: call MSVBVM60.DLL.__vbaHresultCheckObj
00409905: mov eax, var_18
00409908: push eax
00409909: push 00406644h
0040990E: call MSVBVM60.DLL.__vbaStrCmp
00409914: mov esi, eax
00409916: lea ecx, var_18
00409919: neg esi
0040991B: sbb esi, esi
0040991D: inc esi
0040991E: neg esi
00409920: call MSVBVM60.DLL.__vbaFreeStr
00409926: lea ecx, var_1C
00409929: call MSVBVM60.DLL.__vbaFreeObj
0040992F: mov ecx, 80020004h
00409934: mov eax, 0000000Ah
00409939: cmp si, di
0040993C: mov var_54, ecx
0040993F: mov var_5C, eax
00409942: mov var_44, ecx
00409945: mov var_4C, eax
00409948: mov var_34, ecx
0040994B: mov var_3C, eax
0040994E: jz 409993h
00409950: lea edx, var_6C
00409953: lea ecx, var_2C
00409956: mov var_64, 0040664Ch
0040995D: mov var_6C, 00000008h
00409964: call MSVBVM60.DLL.__vbaVarDup
0040996A: lea ecx, var_5C
0040996D: lea edx, var_4C
00409970: push ecx
00409971: lea eax, var_3C
00409974: push edx
00409975: push eax
00409976: lea ecx, var_2C
00409979: push edi
0040997A: push ecx
0040997B: call rtcMsgBox
00409981: lea edx, var_5C
00409984: lea eax, var_4C
00409987: push edx
00409988: lea ecx, var_3C
0040998B: push eax
0040998C: lea edx, var_2C
0040998F: push ecx
00409990: push edx
00409991: jmp 4099D4h
00409993: lea edx, var_6C
00409996: lea ecx, var_2C
00409999: mov var_64, 00406660h
004099A0: mov var_6C, 00000008h
004099A7: call MSVBVM60.DLL.__vbaVarDup
004099AD: lea eax, var_5C
004099B0: lea ecx, var_4C
004099B3: push eax
004099B4: lea edx, var_3C
004099B7: push ecx
004099B8: push edx
004099B9: lea eax, var_2C
004099BC: push edi
004099BD: push eax
004099BE: call rtcMsgBox
004099C4: lea ecx, var_5C
004099C7: lea edx, var_4C
004099CA: push ecx
004099CB: lea eax, var_3C
004099CE: push edx
004099CF: lea ecx, var_2C
004099D2: push eax
004099D3: push ecx
004099D4: push 00000004h
004099D6: call MSVBVM60.DLL.__vbaFreeVarList
004099DC: add esp, 00000014h
004099DF: mov var_04, edi
004099E2: push 00409A18h
004099E7: jmp 409A17h
004099E9: lea ecx, var_18
004099EC: call MSVBVM60.DLL.__vbaFreeStr
004099F2: lea ecx, var_1C
004099F5: call MSVBVM60.DLL.__vbaFreeObj
004099FB: lea edx, var_5C
004099FE: lea eax, var_4C
00409A01: push edx
00409A02: lea ecx, var_3C
00409A05: push eax
00409A06: lea edx, var_2C
00409A09: push ecx
00409A0A: push edx
00409A0B: push 00000004h
00409A0D: call MSVBVM60.DLL.__vbaFreeVarList
00409A13: add esp, 00000014h
00409A16: ret
End Sub
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!