160 - 35 cupofcoffe.1

环境
Windows xp sp3

工具
1.exeinfo PE
2.ollydbg

查壳
OD载入后可以看出是VB程序

测试
输入:12345678

输入后显示的内容发生了改变,但这不影响在 OD 中查找字符串。

; Password check followed by the failure message box (OllyDbg listing,
; 32-bit x86, Visual Basic runtime MSVBVM50). The excerpt starts at a jump
; target inside a larger routine; edi is written before the excerpt and the
; branch target 004FECB2 lies after it, so neither is visible here.
;
; NOTE(review): the reference value is the UNICODE literal at 00401BE4, passed
; straight to __vbaStrCmp. It is a hard-coded plaintext secret: anyone who
; lists the strings of the executable can read it, so it gives no protection.
004FEC14   > \8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]          ;  string pointer from local [ebp-0x18] - presumably the entered text; confirm
004FEC17   .  51            push ecx
004FEC18   .  68 E41B4000   push cupofcof.00401BE4                   ;  UNICODE ".........."
004FEC1D   .  FF15 F8105000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp
; eax = comparison result (0 when the two strings are equal). The neg/sbb
; sequence below reduces it to a flag in esi: 0 if eax was 0, else 0xFFFFFFFF.
; The lea for the following __vbaFreeStr call is interleaved with that sequence.
004FEC23   .  8BF0          mov esi,eax
004FEC25   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]          ;  ecx = &[ebp-0x18], argument for __vbaFreeStr below
004FEC28   .  F7DE          neg esi                                  ;  CF = (esi != 0)
004FEC2A   .  1BF6          sbb esi,esi                              ;  esi = 0 - CF -> 0 or 0xFFFFFFFF
004FEC2C   .  F7DE          neg esi                                  ;  -> 0 or 1
004FEC2E   .  F7DE          neg esi                                  ;  -> 0 or 0xFFFFFFFF
004FEC30   .  FF15 4C115000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
004FEC36   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]          ;  ecx = &[ebp-0x1C], argument for __vbaFreeObj
004FEC39   .  FF15 50115000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
; Only the low 16 bits of the flag are compared. di is set outside the
; excerpt - presumably 0, which would make the jump the "strings equal"
; path; confirm against the code before 004FEC14 and at 004FECB2.
004FEC3F   .  66:3BF7       cmp si,di
004FEC42   .  74 6E         je Xcupofcof.004FECB2
; Fall-through: build the arguments for the "Incorrect password" message box.
; Three 16-byte slots at [ebp-0x5C], [ebp-0x4C] and [ebp-0x3C] each get 0xA at
; offset 0 and 0x80020004 at offset 8. That matches a VARIANT of type VT_ERROR
; holding DISP_E_PARAMNOTFOUND, the form VB uses for omitted optional
; arguments - TODO confirm.
004FEC44   .  B9 04000280   mov ecx,0x80020004
004FEC49   .  B8 0A000000   mov eax,0xA
004FEC4E   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
004FEC51   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
004FEC54   .  894D CC       mov dword ptr ss:[ebp-0x34],ecx
004FEC57   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]          ;  edx = &[ebp-0x6C], slot filled in below
004FEC5A   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]          ;  ecx = &[ebp-0x2C], presumably the destination of __vbaVarDup
004FEC5D   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
004FEC60   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
004FEC63   .  8945 C4       mov dword ptr ss:[ebp-0x3C],eax
; Slot at [ebp-0x6C]: type field 0x8 (VT_BSTR in the VARIANT type numbering)
; with the message string pointer at offset 8.
004FEC66   .  C745 9C 001C4>mov dword ptr ss:[ebp-0x64],cupofcof.004>;  UNICODE "Incorrect password"
004FEC6D   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8
004FEC74   .  FF15 38115000 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;  MSVBVM50.__vbaVarDup
; Five arguments are pushed for rtcMsgBox, in this order: &[ebp-0x5C],
; &[ebp-0x4C], &[ebp-0x3C], 0x10 and &[ebp-0x2C]. [ebp-0x2C] is the slot
; prepared by __vbaVarDup (the message text); 0x10 corresponds to vbCritical
; in VB's MsgBox button flags.
004FEC7A   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004FEC7D   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004FEC80   .  52            push edx
004FEC81   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004FEC84   .  50            push eax
004FEC85   .  51            push ecx
004FEC86   .  8D55 D4       lea edx,dword ptr ss:[ebp-0x2C]
004FEC89   .  6A 10         push 0x10
004FEC8B   .  52            push edx
004FEC8C   .  FF15 E0105000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox

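从 [004FEC18] 处压栈的 UNICODE 常量和紧随其后的 __vbaStrCmp 调用可以看出,程序把输入与硬编码的明文字符串直接比较,这个字符串是 10 个“.”。口令以明文常量存放在可执行文件里,查找字符串就能看到,起不到任何保护作用。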

有点可怕


转载自blog.csdn.net/goodnameused/article/details/78723525
35