VB P-code 动态调试要点

P-code伪编码，用od太麻烦，需用到WKTVBDebugger

方法1：

把cm放到wktv目录下面，打开，运行

机器码与命令：

BranchF:     机器码1C  类似jnz/jne   如果堆栈为0就跳            

BranchT:     机器码1D  类似je/jz       如果堆栈为-1就跳

Branch:       机器码1E  类似jmp        无条件跳

单击‘高级信息’或‘Analize BranchX' 可看到当前进程所有跳转位置

EqVarBool:  机器码33   比较指令，根据结果将0或-1压入堆栈

ConcatStr:  机器码2A    字符串连接指令 ，此指令单步跟踪时会在日志窗口留下相应结果，可ctr+O在此处下断

LitI2_Byte:   机器码F4    将数据压入堆栈

FLdZeroAd/CVarStr:取字符串指令，特点同ConcatStr

 

方法2：

也可结合VB Decompiler找到if地址，（或直接在这里推导算法），个人推荐直接推导算法

去od的dump窗口找这个地址，把1C改成1D即可爆破

 

方法3：

VBParser先分析一下，

然后倒入od,在关键处下内存断点，单步跟

现在用方法2举个栗子：

cm导入vb decompiler:

Dim var_11C As Variant
  Dim var_176 As Integer
  loc_40E28C: If (Me.txtname.Text = vbNullString) Then
  loc_40E2B0:   MsgBox("You have to enter you name first.", &H40, "Error", var_FC, var_11C)
  loc_40E2C0:   Exit Sub
  loc_40E2C1: End If
  loc_40E2E1: If (Me.txtkey.Text = vbNullString) Then
  loc_40E305:   MsgBox("You have to enter a key first.", &H40, "Error", var_FC, var_11C)
  loc_40E315:   Exit Sub
  loc_40E316: End If
  loc_40E336: If (Me.txtkey.Text = vbNullString) Then
  loc_40E35A:   MsgBox("You have to enter at least 5 chars.", &H40, "Error", var_FC, var_11C)
  loc_40E36A:   Exit Sub
  loc_40E36B: End If                                                                                                                     上面是查看name和key是否为空且name必须长度大于5
  loc_40E393: For var_14C = 1 To CVar(Len(Me.txtname.Text)): var_12C = var_14C 'Variant                变量12c=变量14c
  loc_40E3C1:   var_FC = Mid(CVar(Me.txtname.Text), CLng(var_12C), 1)                                           FC轮询name每一位
  loc_40E3D5:   var_11C = var_94 & CVar(Asc(CStr(var_FC)))                                                           变量94= name每一位变体，并组合，例如name为‘11111’那么变量94=‘4949494949’
  loc_40E3D9:   var_94 = var_11C 'Variant                                                                        
  loc_40E3EF: Next var_14C 'Variant
  loc_40E3F5: ' Referenced from: 40E422
  loc_40E404: If (Len(var_94) > 9) Then                                                                                         变量94反复除以3.14直到变量94为9位数
  loc_40E41E:   var_94 = Fix((var_94 / 3.141592654)) 'Variant                                                         并赋值给变量94
  loc_40E422:   GoTo loc_40E3F5
  loc_40E425: End If
  loc_40E449: var_94 = (var_94 Xor &H30F85678 - CVar(global_76)) 'Variant                                    变量94与30F85678异或，再减去全局变量76，通过其他函数可以查到全局变量，大家自己动手查查
  loc_40E45A: For var_170 = 1 To 10: var_12C = var_170 'Variant
  loc_40E489:   If (Me.txtkey.Text = global_52(CLng(var_12C))) Then                                             
  loc_40E48C:   End If 
  loc_40E48F: Next var_170 'Variant
  loc_40E4DE: If ((CVar(Me.txtkey.Text) - var_94) = CVar(Len(Me.txtname.Text))) Then                      密码-变量94=name长度，得密码
  loc_40E502:   MsgBox("Wow, you have found a correct key!", &H40, "Correct key", var_FC, var_11C)
  loc_40E533:   MsgBox("Mail me, how you got it: CyberBlade@gmx.net ", &H40, "Correct key!", var_FC, var_11C)
  loc_40E550:   Me.Command2.Caption = "Exit"
  loc_40E55B: Else
  loc_40E567:   global_80 = (global_80 + 1)
  loc_40E570:   var_176 = global_80
  loc_40E579:   If (var_176 = 6) Then
  loc_40E5B3:     If (MsgBox("-=Do you need a hint ?=-", &H24, "I can't stand it anymore", var_FC, var_11C) = 7) Then
  loc_40E5B6:       Exit Sub
  loc_40E5BA:     Else
  loc_40E5DB:       MsgBox("Forget it.", &H40, "he, he...", var_FC, var_11C)
  loc_40E5F0:       global_80 = 0
  loc_40E5F3:     End If
  loc_40E5F6:   Else
  loc_40E5FC:     If (var_176 > 3) Then
  loc_40E620:       MsgBox("Have you ever been trying to be successful in cracking my password ?", &H20, "Failed", var_FC, var_11C)
  loc_40E633:     Else
  loc_40E639:       If (var_176 <= 3) Then
  loc_40E65D:         MsgBox("Sorry, wrong key.", &H40, "Failed", var_FC, var_11C)
  loc_40E66D:       End If
  loc_40E66D:     End If
  loc_40E66D:   End If
  loc_40E66D: End If
  loc_40E677: Me.txtkey.SetFocus
  loc_40E67F: Exit Sub

 

所以说我个人是十分推荐方法2的，一目了然