
汇编学习二-VB(常见函数分析)

  1. VB代码如下所示
  1 00401FF0   > ?5            push ebp
  2 00401FF1   .  8BEC          mov ebp,esp
  3 00401FF3   .  83EC 0C       sub esp,0xC
  4 00401FF6   .  68 26104000   push <jmp.&MSVBVM50.__vbaExceptHandler>                       ;  SE handler installation
  5 00401FFB   .  64:A1 0000000>mov eax,dword ptr fs:[0]
  6 00402001   .  50            push eax
  7 00402002   .  64:8925 00000>mov dword ptr fs:[0],esp
  8 00402009   .  81EC 18010000 sub esp,0x118
  9 0040200F   .  53            push ebx
 10 00402010   .  8B5D 08       mov ebx,dword ptr ss:[ebp+0x8]
 11 00402013   .  8BC3          mov eax,ebx
 12 00402015   .  56            push esi                                                      ;  msvbvm50.__vbaVarMove
 13 00402016   .  83E3 FE       and ebx,0xFFFFFFFE
 14 00402019   .  57            push edi                                                      ;  msvbvm50.__vbaFreeVarList
 15 0040201A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
 16 0040201D   .  83E0 01       and eax,0x1
 17 00402020   .  8B3B          mov edi,dword ptr ds:[ebx]
 18 00402022   .  C745 F8 00104>mov dword ptr ss:[ebp-0x8],Andréna.00401000
 19 00402029   .  53            push ebx
 20 0040202A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
 21 0040202D   .  895D 08       mov dword ptr ss:[ebp+0x8],ebx
 22 00402030   .  FF57 04       call dword ptr ds:[edi+0x4]
 23 00402033   .  33F6          xor esi,esi                                                   ;  msvbvm50.__vbaVarMove
 24 00402035   .  53            push ebx
 25 00402036   .  8975 DC       mov dword ptr ss:[ebp-0x24],esi                               ;  msvbvm50.__vbaVarMove
 26 00402039   .  8975 CC       mov dword ptr ss:[ebp-0x34],esi                               ;  msvbvm50.__vbaVarMove
 27 0040203C   .  8975 BC       mov dword ptr ss:[ebp-0x44],esi                               ;  msvbvm50.__vbaVarMove
 28 0040203F   .  8975 AC       mov dword ptr ss:[ebp-0x54],esi                               ;  msvbvm50.__vbaVarMove
 29 00402042   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi                               ;  msvbvm50.__vbaVarMove
 30 00402045   .  8975 A4       mov dword ptr ss:[ebp-0x5C],esi                               ;  msvbvm50.__vbaVarMove
 31 00402048   .  8975 94       mov dword ptr ss:[ebp-0x6C],esi                               ;  msvbvm50.__vbaVarMove
 32 0040204B   .  8975 84       mov dword ptr ss:[ebp-0x7C],esi                               ;  msvbvm50.__vbaVarMove
 33 0040204E   .  89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C],esi                               ;  msvbvm50.__vbaVarMove
 34 00402054   .  89B5 64FFFFFF mov dword ptr ss:[ebp-0x9C],esi                               ;  msvbvm50.__vbaVarMove
 35 0040205A   .  89B5 54FFFFFF mov dword ptr ss:[ebp-0xAC],esi                               ;  msvbvm50.__vbaVarMove
 36 00402060   .  89B5 44FFFFFF mov dword ptr ss:[ebp-0xBC],esi                               ;  msvbvm50.__vbaVarMove
 37 00402066   .  89B5 14FFFFFF mov dword ptr ss:[ebp-0xEC],esi                               ;  msvbvm50.__vbaVarMove
 38 0040206C   .  89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi                              ;  msvbvm50.__vbaVarMove
 39 00402072   .  89B5 E8FEFFFF mov dword ptr ss:[ebp-0x118],esi                              ;  msvbvm50.__vbaVarMove
 40 00402078   .  FF97 FC020000 call dword ptr ds:[edi+0x2FC]
 41 0040207E   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
 42 00402081   .  50            push eax
 43 00402082   .  51            push ecx
 44 00402083   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]                   ;  msvbvm50.__vbaObjSet
 45 00402089   .  8BD8          mov ebx,eax
 46 0040208B   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
 47 0040208E   .  50            push eax
 48 0040208F   .  53            push ebx
 49 00402090   .  8B13          mov edx,dword ptr ds:[ebx]
 50 00402092   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]                                  ;  Andréna.00401A24
 51 00402098   .  3BC6          cmp eax,esi                                                   ;  msvbvm50.__vbaVarMove
 52 0040209A   . 7D 12         jge short Andréna.004020AE
 53 0040209C   .  68 A0000000   push 0xA0
 54 004020A1   .  68 201C4000   push Andréna.00401C20
 55 004020A6   .  53            push ebx
 56 004020A7   .  50            push eax
 57 004020A8   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]          ;  msvbvm50.__vbaHresultCheckObj
 58 004020AE   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]                               ;  用户名 0012f488=00ebcbdc=‘wlp‘
 59 004020B1   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi                               ;  00ebcbdc=‘wlp‘
 60 004020B4   .  8B35 FC404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>]               ;  msvbvm50.__vbaVarMove
 61 004020BA   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]                               ;  edx=0012f474
 62 004020BD   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]                               ;  ecx=0012f49c
 63 004020C0   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax                               ;  0012f47c=00ebcbdc=‘wlp‘
 64 004020C3   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8                               ;  0012f474
 65 004020CA   .  FFD6          call esi                                                      ;  msvbvm50.__vbaVarMove; <&MSVBVM50.__vbaVarMove>
 66 004020CC   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]                               ;  上述函数交换ecx,eax .ecx=0012f484
 67 004020CF   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]                  ;  msvbvm50.__vbaFreeObj
 68 004020D5   .  B8 01000000   mov eax,0x1                                                   ;  eax=1
 69 004020DA   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]                               ;  ecx=0012f434
 70 004020E0   .  8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax                               ;  0012f43c=eax=1
 71 004020E6   .  8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax                               ;  0012f42c=eax=1
 72 004020EC   .  8D55 BC       lea edx,dword ptr ss:[ebp-0x44]                               ;  edx=0012f49c
 73 004020EF   .  51            push ecx
 74 004020F0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]                               ;  eax=0012f474
 75 004020F3   .  BB 02000000   mov ebx,0x2
 76 004020F8   .  52            push edx
 77 004020F9   .  50            push eax
 78 004020FA   .  899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx                               ;  已知ebx=2
 79 00402100   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx
 80 00402106   .  FF15 18414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>]                   ;  msvbvm50.__vbaLenVar
 81 0040210C   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]                               ;  ecx=序列号长度+1
 82 00402112   .  50            push eax
 83 00402113   .  8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]
 84 00402119   .  51            push ecx
 85 0040211A   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
 86 00402120   .  52            push edx
 87 00402121   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
 88 00402124   .  50            push eax
 89 00402125   .  51            push ecx
 90 00402126   .  FF15 20414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>]               ;  msvbvm50.__vbaVarForInit
 91 0040212C   .  8B3D 04414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>]           ;  msvbvm50.__vbaFreeVarList
 92 00402132   >  85C0          test eax,eax                                                  ;  循环开始judge
 93 00402134   . 0F84 9C000000 je Andréna.004021D6
 94 0040213A   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]                               ;  寄存器赋予栈地址 edx=0012f474
 95 0040213D   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]                               ;  eax=0012f4bc
 96 00402140   .  52            push edx
 97 00402141   .  50            push eax
 98 00402142   .  C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1                               ;  0012f47c=1
 99 00402149   .  895D 94       mov dword ptr ss:[ebp-0x6C],ebx                               ;  0012f474=ebx=02
100 0040214C   .  FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>]                    ;  msvbvm50.__vbaI4Var
101 00402152   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]                               ;  ecx=0012f49c
102 00402155   .  50            push eax                                                      ;  eax=1
103 00402156   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]                               ;  edx=0012f464
104 00402159   .  51            push ecx
105 0040215A   .  52            push edx
106 0040215B   .  FF15 38414000 call dword ptr ds:[<&MSVBVM50.#632>]                          ;  msvbvm50.rtcMidCharVar
107 00402161   .  8D45 84       lea eax,dword ptr ss:[ebp-0x7C]
108 00402164   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
109 00402167   .  50            push eax
110 00402168   .  51            push ecx
111 00402169   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]                ;  msvbvm50.__vbaStrVarVal
112 0040216F   .  50            push eax                                                      ;  eax=‘w‘取值
113 00402170   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.#516>]                          ;  msvbvm50.rtcAnsiValueBstr
114 00402176   .  66:8985 4CFFF>mov word ptr ss:[ebp-0xB4],ax                                 ;  Unicode转变ansi,返回值eax
115 0040217D   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
116 00402180   .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-0xBC]
117 00402186   .  52            push edx
118 00402187   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
119 0040218D   .  50            push eax
120 0040218E   .  51            push ecx
121 0040218F   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx                               ;  下列函数的返回值寄存在ecx
122 00402195   .  FF15 94414000 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>]                   ;  msvbvm50.__vbaVarAdd
123 0040219B   .  8BD0          mov edx,eax
124 0040219D   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
125 004021A0   .  FFD6          call esi                                                      ;  msvbvm50.__vbaVarMove
126 004021A2   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]                               ;  修改了ecx的值
127 004021A5   .  FF15 B8414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]                  ;  msvbvm50.__vbaFreeStr
128 004021AB   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]
129 004021AE   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
130 004021B1   .  52            push edx
131 004021B2   .  50            push eax
132 004021B3   .  53            push ebx
133 004021B4   .  FFD7          call edi                                                      ;  msvbvm50.__vbaFreeVarList
134 004021B6   .  83C4 0C       add esp,0xC
135 004021B9   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
136 004021BF   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
137 004021C5   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
138 004021C8   .  51            push ecx                                                      ;  arg3
139 004021C9   .  52            push edx                                                      ;  arg2
140 004021CA   .  50            push eax                                                      ;  arg1
141 004021CB   .  FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>]               ;  msvbvm50.__vbaVarForNext
142 004021D1   . E9 5CFFFFFF   jmp Andréna.00402132
143 004021D6   >  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
144 004021D9   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
145 004021DF   .  51            push ecx                                                      ;  name的计算值
146 004021E0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
147 004021E3   .  52            push edx                                                      ;  arg2
148 004021E4   .  50            push eax                                                      ;  arg1
149 004021E5   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x499602D2                        ;  把1234567890推进栈地址
150 004021EF   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x3                               ;  //两变量相乘
151 004021F9   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarMul>]                   ;  msvbvm50.__vbaVarMul
152 004021FF   .  8BD0          mov edx,eax
153 00402201   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
154 00402204   .  FFD6          call esi                                                      ;  msvbvm50.__vbaVarMove
155 00402206   .  8B1D A0414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>]            ;  msvbvm50.__vbaMidStmtVar
156 0040220C   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
157 0040220F   .  51            push ecx
158 00402210   .  6A 04         push 0x4
159 00402212   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
160 00402218   .  6A 01         push 0x1
161 0040221A   .  52            push edx
162 0040221B   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34                 ;  UNICODE "-"
163 00402225   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
164 0040222F   .  FFD3          call ebx                                                      ;  <&MSVBVM50.__vbaMidStmtVar>
165 00402231   .  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
166 00402234   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
167 0040223A   .  50            push eax
168 0040223B   .  6A 09         push 0x9
169 0040223D   .  6A 01         push 0x1
170 0040223F   .  51            push ecx
171 00402240   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34                 ;  UNICODE "-"
172 0040224A   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
173 00402254   .  FFD3          call ebx
174 00402256   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]                                ;  取字符串(string, start, num)
175 00402259   .  50            push eax
176 0040225A   .  8B10          mov edx,dword ptr ds:[eax]
177 0040225C   .  FF92 04030000 call dword ptr ds:[edx+0x304]
178 00402262   .  50            push eax
179 00402263   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
180 00402266   .  50            push eax
181 00402267   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]                   ;  msvbvm50.__vbaObjSet
182 0040226D   .  8BD8          mov ebx,eax
183 0040226F   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
184 00402272   .  52            push edx
185 00402273   .  53            push ebx
186 00402274   .  8B0B          mov ecx,dword ptr ds:[ebx]
187 00402276   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
188 0040227C   .  85C0          test eax,eax
189 0040227E   . 7D 12         jge short Andréna.00402292
190 00402280   .  68 A0000000   push 0xA0
191 00402285   .  68 201C4000   push Andréna.00401C20
192 0040228A   .  53            push ebx
193 0040228B   .  50            push eax
194 0040228C   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]          ;  msvbvm50.__vbaHresultCheckObj
195 00402292   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]
196 00402295   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
197 00402298   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax
198 0040229B   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]                               ;  lea指令用于取变量的地址
199 0040229E   .  50            push eax
200 0040229F   .  51            push ecx
201 004022A0   .  C745 A8 00000>mov dword ptr ss:[ebp-0x58],0x0
202 004022A7   .  C745 94 08800>mov dword ptr ss:[ebp-0x6C],0x8008
203 004022AE   .  FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>]                 ;  msvbvm50.__vbaVarTstEq
204 004022B4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
205 004022B7   .  8BD8          mov ebx,eax
206 004022B9   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]                  ;  msvbvm50.__vbaFreeObj
207 004022BF   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
208 004022C2   .  FF15 00414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>]                  ;  msvbvm50.__vbaFreeVar
209 004022C8   .  66:85DB       test bx,bx
210 004022CB   . 0F84 C0000000 je Andréna.00402391                                          ;  注册码关键跳
211 004022D1   .  FF15 74414000 call dword ptr ds:[<&MSVBVM50.#534>]                          ;  msvbvm50.rtcBeep
212 004022D7   .  8B1D 98414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>]                ;  msvbvm50.__vbaVarDup
213 004022DD   .  B9 04000280   mov ecx,0x80020004
214 004022E2   .  898D 6CFFFFFF mov dword ptr ss:[ebp-0x94],ecx
215 004022E8   .  B8 0A000000   mov eax,0xA
216 004022ED   .  898D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ecx
217 004022F3   .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
218 004022F9   .  8D4D 84       lea ecx,dword ptr ss:[ebp-0x7C]
219 004022FC   .  8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
220 00402302   .  8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
221 00402308   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.00401CA8                 ;  UNICODE "RiCHTiG !"
222 00402312   .  C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
223 0040231C   .  FFD3          call ebx                                                      ;  <&MSVBVM50.__vbaVarDup>
224 0040231E   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]

一般来说，分析VB程序时需要同时观察OD中的汇编代码、栈区域以及数据区域。分析过程中会大量通过地址来传递参数（经常是以“地址的地址”这种方式来操作），要想真正理解，还是需要多做一些练习。

汇编学习二-VB(常见函数分析)

原文:https://www.cnblogs.com/wlpk/p/12447460.html
