Disclaimer
The opinions expressed herein are my own personal opinions and do not represent anyone else's view in any way, including those of my employer.
© Copyright 2008
The opinions expressed herein are my own personal opinions and do not represent anyone else's view in any way, including those of my employer.
© Copyright 2008
今天搞了个VB的小CrackMe,有一些心得几下来,不然过不久就都忘了,如果此文对你有帮助,我也会倍感欣慰
1.VB的变量
ds:[0040100C]=7349986E (msvbvm60.__vbaVarMove)
Var就是变量了,但是实际值是在指针偏移+8处,比如这个0012F49C变量指针,其实际值是31 00 00 00
0012F49C 02 00 00 00 00 00 00 00 31 00 00 00
对于字符串变量,31 00 00 00就是一个字符串指针
2.VB对API的调用
VB对API调用必然会用到这个函数
004011B0 .- FF25 68104000 jmp dword ptr [<&MSVBVM60.DllFunctio>; msvbvm60.DllFunctionCall
即DllFunctionCall,对其下断,保准对api的掉用一个都跑不掉
而且就在调用DllFunctionCall上面不远处就有那个api的字符串,比如
004025D8 . 75 73 65 72 3>ascii "user32",0
004025DF 00 db 00
004025E0 0C db 0C
004025E1 00 db 00
004025E2 00 db 00
004025E3 00 db 00
004025E4 . 4D 65 73 73 6>ascii "MessageBoxA",0
004025F0 D8254000 dd test.004025D8 ; ASCII "user32"
004025F4 E4254000 dd test.004025E4 ; ASCII "MessageBoxA"
004025F8 00 db 00
004025F9 00 db 00
004025FA 04 db 04
004025FB 00 db 00
004025FC D4424000 dd test.004042D4
00402600 00 db 00
00402601 00 db 00
00402602 00 db 00
00402603 00 db 00
00402604 00 db 00
00402605 00 db 00
00402606 00 db 00
00402607 00 db 00
00402608 $ A1 DC424000 mov eax, dword ptr [4042DC]
0040260D . 0BC0 or eax, eax
0040260F . 74 02 je short 00402613
00402611 . FFE0 jmp eax
00402613 > 68 F0254000 push 004025F0
00402618 . B8 B0114000 mov eax,
0040261D . FFD0 call eax
0040261F . FFE0 jmp eax
3.转帖ximo的VB事件找法:二进制搜索81 6C 24 ,比如下面这样的形式:
00402C1C . 816C24 04 4300>sub dword ptr [esp+4], 43
00402C24 . E9 B7000000 jmp 00402CE0
后面可能会有很多jmp语句,直接对有jmp那行下断就可以断下VB的关键事件模块
OK,暂时总结上面三点,以后有继续补充
Comment Meta:
XHTML:
More Options ...
Categories
Tag Cloud
Blog RSS
Comments RSS
Void 
Life « Default
Earth 
Wind 
Water 
Fire Light 
Previous: 
Next: 
Last 50 Posts 
Back