汇编学习二-VB(常见函数分析)

  1. VB代码如下所示
  ; -------------------------------------------------------------------------
  ; OllyDbg disassembly (x86-32, Intel syntax) of a procedure in the VB5
  ; module "Andréna". Every runtime helper is an MSVBVM50 import reached
  ; through ds:[<&MSVBVM50.xxx>]. Columns: listing line, address, OllyDbg
  ; marker, opcode bytes, instruction, comment (debugger annotations plus the
  ; author's notes, the latter translated from Chinese). The trailing
  ; "msvbvm50.__vbaVarMove" / "__vbaFreeVarList" labels on lines 12-39 appear
  ; to be OllyDbg register annotations, not part of the instruction.
  ; Frame layout visible below:
  ;   [ebp+0x8]            arg0; its first dword is used as a vtable (object ptr)
  ;   [ebp-0x4..-0xC]      SEH / runtime bookkeeping written by the prologue
  ;   [ebp-0x24..-0x118]   VARIANT slots, 0x10 apart (vt dword at +0, data
  ;                        at +8); every vt field is zeroed at entry
  ; What the calls show: the text property of an object (vtable +0xA0) is
  ; read, each character is fetched with rtcMidCharVar and rtcAnsiValueBstr
  ; and summed via __vbaVarAdd, the sum is multiplied by 0x499602D2
  ; (1234567890), "-" is patched in with __vbaMidStmtVar, and the result is
  ; compared with __vbaVarTstEq against the text of a second object; the
  ; branch at 004022CB selects the "RiCHTiG !" path. Because the derivation
  ; and the comparison both execute in the client, every input to the check
  ; is observable in a debugger - the reason a locally evaluated license
  ; check is weak by design.
  ; Listing lines 123 and 213 are absent from the page as captured and are
  ; not reconstructed here; lines 124 onward were collapsed on the page and
  ; are re-wrapped one instruction per line below.
  ; -------------------------------------------------------------------------
  ; Prologue: frame pointer, 0xC bytes of locals, then an SEH record linked
  ; at fs:[0] before the 0x118 bytes of VARIANT storage are reserved.
  1 00401FF0   > ?5            push ebp
  2 00401FF1   .  8BEC          mov ebp,esp
  3 00401FF3   .  83EC 0C       sub esp,0xC
  4 00401FF6   .  68 26104000   push <jmp.&MSVBVM50.__vbaExceptHandler>    ;  SE handler installation
  5 00401FFB   .  64:A1 0000000>mov eax,dword ptr fs:[0]                   ;  previous SEH record
  6 00402001   .  50            push eax
  7 00402002   .  64:8925 00000>mov dword ptr fs:[0],esp                   ;  link the new record at fs:[0]
  8 00402009   .  81EC 18010000 sub esp,0x118                              ;  space for the VARIANT slots
  9 0040200F   .  53            push ebx
 10 00402010   .  8B5D 08       mov ebx,dword ptr ss:[ebp+0x8]             ;  ebx = arg0
 11 00402013   .  8BC3          mov eax,ebx
 12 00402015   .  56            push esi                                    ;  msvbvm50.__vbaVarMove
 13 00402016   .  83E3 FE       and ebx,0xFFFFFFFE                         ;  clear bit 0 of arg0
 14 00402019   .  57            push edi                                    ;  msvbvm50.__vbaFreeVarList
 15 0040201A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp             ;  esp saved for the handler (presumably)
 16 0040201D   .  83E0 01       and eax,0x1                                ;  keep only bit 0 of arg0
 17 00402020   .  8B3B          mov edi,dword ptr ds:[ebx]                 ;  edi = vtable of arg0
 18 00402022   .  C745 F8 00104>mov dword ptr ss:[ebp-0x8],Andréna.00401000
 19 00402029   .  53            push ebx
 20 0040202A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax             ;  bit 0 of arg0 kept at [ebp-0x4]
 21 0040202D   .  895D 08       mov dword ptr ss:[ebp+0x8],ebx             ;  arg0 replaced by the masked pointer
 22 00402030   .  FF57 04       call dword ptr ds:[edi+0x4]                ;  vtable slot +4 (AddRef in the COM layout - presumably)
  ; esi = 0: clear the vt field of every VARIANT slot before first use.
 23 00402033   .  33F6          xor esi,esi                                  ;  msvbvm50.__vbaVarMove
 24 00402035   .  53            push ebx
 25 00402036   .  8975 DC       mov dword ptr ss:[ebp-0x24],esi              ;  msvbvm50.__vbaVarMove
 26 00402039   .  8975 CC       mov dword ptr ss:[ebp-0x34],esi              ;  msvbvm50.__vbaVarMove
 27 0040203C   .  8975 BC       mov dword ptr ss:[ebp-0x44],esi              ;  msvbvm50.__vbaVarMove
 28 0040203F   .  8975 AC       mov dword ptr ss:[ebp-0x54],esi              ;  msvbvm50.__vbaVarMove
 29 00402042   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi              ;  msvbvm50.__vbaVarMove
 30 00402045   .  8975 A4       mov dword ptr ss:[ebp-0x5C],esi              ;  msvbvm50.__vbaVarMove
 31 00402048   .  8975 94       mov dword ptr ss:[ebp-0x6C],esi              ;  msvbvm50.__vbaVarMove
 32 0040204B   .  8975 84       mov dword ptr ss:[ebp-0x7C],esi              ;  msvbvm50.__vbaVarMove
 33 0040204E   .  89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C],esi              ;  msvbvm50.__vbaVarMove
 34 00402054   .  89B5 64FFFFFF mov dword ptr ss:[ebp-0x9C],esi              ;  msvbvm50.__vbaVarMove
 35 0040205A   .  89B5 54FFFFFF mov dword ptr ss:[ebp-0xAC],esi              ;  msvbvm50.__vbaVarMove
 36 00402060   .  89B5 44FFFFFF mov dword ptr ss:[ebp-0xBC],esi              ;  msvbvm50.__vbaVarMove
 37 00402066   .  89B5 14FFFFFF mov dword ptr ss:[ebp-0xEC],esi              ;  msvbvm50.__vbaVarMove
 38 0040206C   .  89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi             ;  msvbvm50.__vbaVarMove
 39 00402072   .  89B5 E8FEFFFF mov dword ptr ss:[ebp-0x118],esi             ;  msvbvm50.__vbaVarMove
  ; Fetch an object from arg0 and read its text property into [ebp-0x58].
 40 00402078   .  FF97 FC020000 call dword ptr ds:[edi+0x2FC]              ;  vtable slot +0x2FC of arg0; object returned in eax
 41 0040207E   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
 42 00402081   .  50            push eax
 43 00402082   .  51            push ecx
 44 00402083   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]  ;  msvbvm50.__vbaObjSet (object stored in [ebp-0x5C])
 45 00402089   .  8BD8          mov ebx,eax                                ;  ebx = object
 46 0040208B   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
 47 0040208E   .  50            push eax                                   ;  out parameter -> [ebp-0x58]
 48 0040208F   .  53            push ebx
 49 00402090   .  8B13          mov edx,dword ptr ds:[ebx]
 50 00402092   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]                  ;  Andréna.00401A24 (vtable slot +0xA0; returns an HRESULT in eax)
 51 00402098   .  3BC6          cmp eax,esi                                   ;  msvbvm50.__vbaVarMove (esi = 0: HRESULT sign check)
 52 0040209A   . 7D 12         jge short Andréna.004020AE                  ;  non-negative HRESULT -> skip the error raise
 53 0040209C   .  68 A0000000   push 0xA0
 54 004020A1   .  68 201C4000   push Andréna.00401C20
 55 004020A6   .  53            push ebx
 56 004020A7   .  50            push eax
 57 004020A8   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ;  raise the VB error for a failed HRESULT
 58 004020AE   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]     ;  user name 0012f488=00ebcbdc='wlp'
 59 004020B1   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi     ;  00ebcbdc='wlp' (slot cleared once the pointer has been taken)
 60 004020B4   .  8B35 FC404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>]   ;  esi = __vbaVarMove for the 'call esi' sites below
 61 004020BA   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]     ;  edx=0012f474
 62 004020BD   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]     ;  ecx=0012f49c
 63 004020C0   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax     ;  0012f47c=00ebcbdc='wlp' (VARIANT data field = the BSTR)
 64 004020C3   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8     ;  0012f474: vt = 8 (VT_BSTR)
 65 004020CA   .  FFD6          call esi                            ;  msvbvm50.__vbaVarMove; <&MSVBVM50.__vbaVarMove>
 66 004020CC   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]     ;  the function above swaps ecx,eax; ecx=0012f484
 67 004020CF   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]   ;  release the object held in [ebp-0x5C]
  ; Len() of the name, then For-loop setup over its characters.
 68 004020D5   .  B8 01000000   mov eax,0x1                         ;  eax=1
 69 004020DA   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]     ;  ecx=0012f434
 70 004020E0   .  8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax     ;  0012f43c=eax=1
 71 004020E6   .  8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax     ;  0012f42c=eax=1
 72 004020EC   .  8D55 BC       lea edx,dword ptr ss:[ebp-0x44]     ;  edx=0012f49c
 73 004020EF   .  51            push ecx
 74 004020F0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]     ;  eax=0012f474
 75 004020F3   .  BB 02000000   mov ebx,0x2                         ;  ebx = 2 (VT_I2), reused as the vt of several slots
 76 004020F8   .  52            push edx
 77 004020F9   .  50            push eax
 78 004020FA   .  899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx     ;  ebx=2 is known
 79 00402100   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx
 80 00402106   .  FF15 18414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>]   ;  Len(); pushed [ebp-0xAC], [ebp-0x44], [ebp-0x6C]
 81 0040210C   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]     ;  ecx = serial length + 1
 82 00402112   .  50            push eax
 83 00402113   .  8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]
 84 00402119   .  51            push ecx
 85 0040211A   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
 86 00402120   .  52            push edx
 87 00402121   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
 88 00402124   .  50            push eax
 89 00402125   .  51            push ecx
 90 00402126   .  FF15 20414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>]   ;  For-loop init; a non-zero eax means the body runs
 91 0040212C   .  8B3D 04414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>]   ;  edi = __vbaFreeVarList for the 'call edi' below
  ; Loop body (00402132 .. 004021D1): one character per iteration.
 92 00402132   >  85C0          test eax,eax                           ;  loop top: test (eax != 0 -> run the body)
 93 00402134   . 0F84 9C000000 je Andréna.004021D6                    ;  loop exit
 94 0040213A   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]        ;  register gets the stack address edx=0012f474
 95 0040213D   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]        ;  eax=0012f4bc
 96 00402140   .  52            push edx                               ;  [ebp-0x6C] (value 1) appears to stay on the stack for rtcMidCharVar below
 97 00402141   .  50            push eax
 98 00402142   .  C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1        ;  0012f47c=1
 99 00402149   .  895D 94       mov dword ptr ss:[ebp-0x6C],ebx        ;  0012f474=ebx=02
100 0040214C   .  FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ;  msvbvm50.__vbaI4Var (loop counter as a 32-bit int)
101 00402152   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]        ;  ecx=0012f49c
102 00402155   .  50            push eax                               ;  eax=1
103 00402156   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]        ;  edx=0012f464
104 00402159   .  51            push ecx
105 0040215A   .  52            push edx
106 0040215B   .  FF15 38414000 call dword ptr ds:[<&MSVBVM50.#632>]  ;  msvbvm50.rtcMidCharVar (Mid(): one character of the name -> [ebp-0x7C])
107 00402161   .  8D45 84       lea eax,dword ptr ss:[ebp-0x7C]
108 00402164   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
109 00402167   .  50            push eax
110 00402168   .  51            push ecx
111 00402169   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]   ;  VARIANT -> BSTR for the call below
112 0040216F   .  50            push eax                             ;  eax='w' (fetched value)
113 00402170   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.#516>] ;  msvbvm50.rtcAnsiValueBstr (Asc(): character code in eax)
114 00402176   .  66:8985 4CFFF>mov word ptr ss:[ebp-0xB4],ax        ;  Unicode converted to ANSI, return value in eax; stored as the I2 data of [ebp-0xBC]
115 0040217D   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
116 00402180   .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-0xBC]
117 00402186   .  52            push edx
118 00402187   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
119 0040218D   .  50            push eax
120 0040218E   .  51            push ecx
121 0040218F   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx      ;  vt = 2 (VT_I2); the return value of the following function is kept in ecx
122 00402195   .  FF15 94414000 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>]   ;  running sum of the character codes (accumulator [ebp-0x34], presumably)
  ; (listing line 123 is missing from the page)
124 0040219D   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
125 004021A0   .  FFD6          call esi                             ;  __vbaVarMove: store the sum back into [ebp-0x34]
126 004021A2   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]      ;  ecx value modified
127 004021A5   .  FF15 B8414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]
128 004021AB   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]
129 004021AE   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
130 004021B1   .  52            push edx
131 004021B2   .  50            push eax
132 004021B3   .  53            push ebx
133 004021B4   .  FFD7          call edi                             ;  msvbvm50.__vbaFreeVarList(2, [ebp-0x6C], [ebp-0x7C])
134 004021B6   .  83C4 0C       add esp,0xC                          ;  caller pops the three arguments (cdecl)
135 004021B9   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
136 004021BF   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
137 004021C5   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
138 004021C8   .  51            push ecx                             ;  arg3
139 004021C9   .  52            push edx                             ;  arg2
140 004021CA   .  50            push eax                             ;  arg1
141 004021CB   .  FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>]   ;  advance the counter; eax re-tested at 00402132
142 004021D1   .  E9 5CFFFFFF   jmp Andréna.00402132                 ;  back to the loop top
  ; After the loop: sum * 1234567890, then "-" patched in at two positions.
143 004021D6   >  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
144 004021D9   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
145 004021DF   .  51            push ecx                             ;  computed value of name
146 004021E0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
147 004021E3   .  52            push edx                             ;  arg2
148 004021E4   .  50            push eax                             ;  arg1
149 004021E5   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x499602D2   ;  store 1234567890 into the VARIANT data field
150 004021EF   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x3      ;  vt = 3 (VT_I4); multiply the two variables
151 004021F9   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarMul>]
152 004021FF   .  8BD0          mov edx,eax
153 00402201   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
154 00402204   .  FFD6          call esi                             ;  __vbaVarMove: product -> [ebp-0x34]
155 00402206   .  8B1D A0414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>]   ;  ebx = __vbaMidStmtVar for the two 'call ebx' below
156 0040220C   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
157 0040220F   .  51            push ecx
158 00402210   .  6A 04         push 0x4
159 00402212   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
160 00402218   .  6A 01         push 0x1
161 0040221A   .  52            push edx
162 0040221B   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34   ;  UNICODE "-"
163 00402225   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8      ;  vt = 8 (VT_BSTR)
164 0040222F   .  FFD3          call ebx                             ;  <&MSVBVM50.__vbaMidStmtVar> (Mid statement, position 4, length 1 - argument order presumed)
165 00402231   .  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
166 00402234   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
167 0040223A   .  50            push eax
168 0040223B   .  6A 09         push 0x9
169 0040223D   .  6A 01         push 0x1
170 0040223F   .  51            push ecx
171 00402240   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34   ;  UNICODE "-"
172 0040224A   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8      ;  vt = 8 (VT_BSTR)
173 00402254   .  FFD3          call ebx                             ;  second Mid statement, position 9
  ; Read the text of a second object (vtable +0x304 of arg0) and compare.
174 00402256   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]       ;  get string (string, start, num)
175 00402259   .  50            push eax
176 0040225A   .  8B10          mov edx,dword ptr ds:[eax]
177 0040225C   .  FF92 04030000 call dword ptr ds:[edx+0x304]        ;  vtable slot +0x304 of arg0; object in eax
178 00402262   .  50            push eax
179 00402263   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
180 00402266   .  50            push eax
181 00402267   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]
182 0040226D   .  8BD8          mov ebx,eax
183 0040226F   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
184 00402272   .  52            push edx                             ;  out parameter -> [ebp-0x58]
185 00402273   .  53            push ebx
186 00402274   .  8B0B          mov ecx,dword ptr ds:[ebx]
187 00402276   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]         ;  same slot +0xA0 as line 50: text property of the second object
188 0040227C   .  85C0          test eax,eax
189 0040227E   .  7D 12         jge short Andréna.00402292           ;  non-negative HRESULT -> skip the error raise
190 00402280   .  68 A0000000   push 0xA0
191 00402285   .  68 201C4000   push Andréna.00401C20
192 0040228A   .  53            push ebx
193 0040228B   .  50            push eax
194 0040228C   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]
195 00402292   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]
196 00402295   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
197 00402298   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax      ;  BSTR into the data field of [ebp-0x6C]
198 0040229B   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]      ;  lea is used to take the variable's address
199 0040229E   .  50            push eax
200 0040229F   .  51            push ecx
201 004022A0   .  C745 A8 00000>mov dword ptr ss:[ebp-0x58],0x0
202 004022A7   .  C745 94 08800>mov dword ptr ss:[ebp-0x6C],0x8008   ;  vt = VT_BSTR with the 0x8000 flag (meaning not established here - confirm)
203 004022AE   .  FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>]   ;  compare [ebp-0x34] with [ebp-0x6C]; result in ax
204 004022B4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
205 004022B7   .  8BD8          mov ebx,eax                          ;  keep the compare result across the frees
206 004022B9   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]
207 004022BF   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
208 004022C2   .  FF15 00414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>]
209 004022C8   .  66:85DB       test bx,bx                           ;  16-bit result of __vbaVarTstEq
210 004022CB   .  0F84 C0000000 je Andréna.00402391                  ;  key jump of the registration check: bx == 0 (not equal) leaves; fall-through builds "RiCHTiG !"
211 004022D1   .  FF15 74414000 call dword ptr ds:[<&MSVBVM50.#534>] ;  msvbvm50.rtcBeep
212 004022D7   .  8B1D 98414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>]
  ; (listing line 213 is missing from the page; ecx is set there)
214 004022E2   .  898D 6CFFFFFF mov dword ptr ss:[ebp-0x94],ecx
215 004022E8   .  B8 0A000000   mov eax,0xA
216 004022ED   .  898D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ecx
217 004022F3   .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
218 004022F9   .  8D4D 84       lea ecx,dword ptr ss:[ebp-0x7C]
219 004022FC   .  8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
220 00402302   .  8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
221 00402308   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna   ;  UNICODE "RiCHTiG !" (operand truncated on the page)
222 00402312   .  C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8      ;  vt = 8 (VT_BSTR)
223 0040231C   .  FFD3          call ebx                             ;  <&MSVBVM50.__vbaVarDup>
224 0040231E   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
225 226                                                              ;  (listing cut off here on the page)

一般情况下分析 VB 程序，需要同时观察 OD 里的汇编代码、栈区域以及数据区域。分析过程中会大量地通过地址来传递参数（经常会用"地址的地址"这种方式来操作），要想真正理解，还是需要多做一些练习。
