汇编学习二-VB(常见函数分析)

1. VB代码如下所示

00401FF0   > ?5            push ebp
00401FF1   .  8BEC          mov ebp,esp
00401FF3   .  83EC 0C       sub esp,0xC
00401FF6   .  68 26104000   push <jmp.&MSVBVM50.__vbaExceptHandler>    ;  SE handler installation
00401FFB   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00402001   .  50            push eax
00402002   .  64:8925 00000>mov dword ptr fs:[0],esp
00402009   .  81EC 18010000 sub esp,0x118
0040200F   .  53            push ebx
00402010   .  8B5D 08       mov ebx,dword ptr ss:[ebp+0x8]
00402013   .  8BC3          mov eax,ebx
00402015   .  56            push esi                                    ;  msvbvm50.__vbaVarMove
00402016   .  83E3 FE       and ebx,0xFFFFFFFE
00402019   .  57            push edi                                    ;  msvbvm50.__vbaFreeVarList
0040201A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
0040201D   .  83E0 01       and eax,0x1
00402020   .  8B3B          mov edi,dword ptr ds:[ebx]
00402022   .  C745 F8 00104>mov dword ptr ss:[ebp-0x8],Andréna.00401000
00402029   .  53            push ebx
0040202A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
0040202D   .  895D 08       mov dword ptr ss:[ebp+0x8],ebx
00402030   .  FF57 04       call dword ptr ds:[edi+0x4]
00402033   .  33F6          xor esi,esi                                  ;  msvbvm50.__vbaVarMove
00402035   .  53            push ebx
00402036   .  8975 DC       mov dword ptr ss:[ebp-0x24],esi              ;  msvbvm50.__vbaVarMove
00402039   .  8975 CC       mov dword ptr ss:[ebp-0x34],esi              ;  msvbvm50.__vbaVarMove
0040203C   .  8975 BC       mov dword ptr ss:[ebp-0x44],esi              ;  msvbvm50.__vbaVarMove
0040203F   .  8975 AC       mov dword ptr ss:[ebp-0x54],esi              ;  msvbvm50.__vbaVarMove
00402042   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi              ;  msvbvm50.__vbaVarMove
00402045   .  8975 A4       mov dword ptr ss:[ebp-0x5C],esi              ;  msvbvm50.__vbaVarMove
00402048   .  8975 94       mov dword ptr ss:[ebp-0x6C],esi              ;  msvbvm50.__vbaVarMove
0040204B   .  8975 84       mov dword ptr ss:[ebp-0x7C],esi              ;  msvbvm50.__vbaVarMove
0040204E   .  89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C],esi              ;  msvbvm50.__vbaVarMove
00402054   .  89B5 64FFFFFF mov dword ptr ss:[ebp-0x9C],esi              ;  msvbvm50.__vbaVarMove
0040205A   .  89B5 54FFFFFF mov dword ptr ss:[ebp-0xAC],esi              ;  msvbvm50.__vbaVarMove
00402060   .  89B5 44FFFFFF mov dword ptr ss:[ebp-0xBC],esi              ;  msvbvm50.__vbaVarMove
00402066   .  89B5 14FFFFFF mov dword ptr ss:[ebp-0xEC],esi              ;  msvbvm50.__vbaVarMove
0040206C   .  89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108],esi             ;  msvbvm50.__vbaVarMove
00402072   .  89B5 E8FEFFFF mov dword ptr ss:[ebp-0x118],esi             ;  msvbvm50.__vbaVarMove
00402078   .  FF97 FC020000 call dword ptr ds:[edi+0x2FC]
0040207E   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00402081   .  50            push eax
00402082   .  51            push ecx
00402083   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]  ;  msvbvm50.__vbaObjSet
00402089   .  8BD8          mov ebx,eax
0040208B   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
0040208E   .  50            push eax
0040208F   .  53            push ebx
00402090   .  8B13          mov edx,dword ptr ds:[ebx]
00402092   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]                  ;  Andréna.00401A24
00402098   .  3BC6          cmp eax,esi                                   ;  msvbvm50.__vbaVarMove
0040209A   . 7D 12         jge short Andréna.004020AE
0040209C   .  68 A0000000   push 0xA0
004020A1   .  68 201C4000   push Andréna.00401C20
004020A6   .  53            push ebx
004020A7   .  50            push eax
004020A8   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] 
004020AE   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]     ;  用户名 0012f488=00ebcbdc='wlp'
004020B1   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi     ;  00ebcbdc='wlp'
004020B4   .  8B35 FC404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>]              
004020BA   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]     ;  edx=0012f474
004020BD   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]     ;  ecx=0012f49c
004020C0   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax     ;  0012f47c=00ebcbdc='wlp'
004020C3   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8     ;  0012f474
004020CA   .  FFD6          call esi                            ;  msvbvm50.__vbaVarMove; <&MSVBVM50.__vbaVarMove>
004020CC   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]     ;  上述函数交换ecx,eax .ecx=0012f484
004020CF   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] 
004020D5   .  B8 01000000   mov eax,0x1                         ;  eax=1
004020DA   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]     ;  ecx=0012f434
004020E0   .  8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax     ;  0012f43c=eax=1
004020E6   .  8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax     ;  0012f42c=eax=1
004020EC   .  8D55 BC       lea edx,dword ptr ss:[ebp-0x44]     ;  edx=0012f49c
004020EF   .  51            push ecx
004020F0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]     ;  eax=0012f474
004020F3   .  BB 02000000   mov ebx,0x2
004020F8   .  52            push edx
004020F9   .  50            push eax
004020FA   .  899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx     ;  已知ebx=2
00402100   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx
00402106   .  FF15 18414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>]                   
0040210C   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]     ;  ecx=序列号长度+1
00402112   .  50            push eax
00402113   .  8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]
00402119   .  51            push ecx
0040211A   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00402120   .  52            push edx
00402121   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00402124   .  50            push eax
00402125   .  51            push ecx
00402126   .  FF15 20414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>] 
0040212C   .  8B3D 04414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>]          
00402132   >  85C0          test eax,eax                           ;  循环开始judge
00402134   . 0F84 9C000000 je Andréna.004021D6
0040213A   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]        ;  寄存器赋予栈地址 edx=0012f474
0040213D   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]        ;  eax=0012f4bc
00402140   .  52            push edx
00402141   .  50            push eax
00402142   .  C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1        ;  0012f47c=1
00402149   .  895D 94       mov dword ptr ss:[ebp-0x6C],ebx        ;  0012f474=ebx=02
0040214C   .  FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ;  msvbvm50.__vbaI4Var
00402152   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]        ;  ecx=0012f49c
00402155   .  50            push eax                               ;  eax=1
00402156   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]        ;  edx=0012f464
00402159   .  51            push ecx
0040215A   .  52            push edx
0040215B   .  FF15 38414000 call dword ptr ds:[<&MSVBVM50.#632>]  ;  msvbvm50.rtcMidCharVar
00402161   .  8D45 84       lea eax,dword ptr ss:[ebp-0x7C]
00402164   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
00402167   .  50            push eax
00402168   .  51            push ecx
00402169   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]                
0040216F   .  50            push eax                             ;  eax='w'取值
00402170   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.#516>] ;  msvbvm50.rtcAnsiValueBstr
00402176   .  66:8985 4CFFF>mov word ptr ss:[ebp-0xB4],ax        ;  Unicode转变ansi,返回值eax
0040217D   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
00402180   .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-0xBC]
00402186   .  52            push edx
00402187   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
0040218D   .  50            push eax
0040218E   .  51            push ecx
0040218F   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx      ;  下列函数的返回值寄存在ecx
00402195   .  FF15 94414000 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>]                   
0040219D   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004021A0   .  FFD6          call esi                                                      
004021A2   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]      ;  修改了ecx的值
004021A5   .  FF15 B8414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]                
004021AB   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]
004021AE   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004021B1   .  52            push edx
004021B2   .  50            push eax
004021B3   .  53            push ebx
004021B4   .  FFD7          call edi                           ;  msvbvm50.__vbaFreeVarList
004021B6   .  83C4 0C       add esp,0xC
004021B9   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
004021BF   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
004021C5   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004021C8   .  51            push ecx                          ;  arg3
004021C9   .  52            push edx                         ;  arg2
004021CA   .  50            push eax                         ;  arg1
004021CB   .  FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>]               
004021D1   . E9 5CFFFFFF   jmp Andréna.00402132
004021D6   >  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004021D9   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
004021DF   .  51            push ecx                         ;  name的计算值
004021E0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004021E3   .  52            push edx                        ;  arg2
004021E4   .  50            push eax                        ;  arg1
004021E5   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x499602D2 ;  把1234567890推进栈地址
004021EF   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x3        ;  //两变量相乘
004021F9   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarMul>]           
004021FF   .  8BD0          mov edx,eax
00402201   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00402204   .  FFD6          call esi                                                      
00402206   .  8B1D A0414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>] 
0040220C   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
0040220F   .  51            push ecx
00402210   .  6A 04         push 0x4
00402212   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
00402218   .  6A 01         push 0x1
0040221A   .  52            push edx
0040221B   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34 ;  UNICODE "-"
00402225   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
0040222F   .  FFD3          call ebx                      ;  <&MSVBVM50.__vbaMidStmtVar>
00402231   .  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
00402234   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
0040223A   .  50            push eax
0040223B   .  6A 09         push 0x9
0040223D   .  6A 01         push 0x1
0040223F   .  51            push ecx
00402240   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34 ;  UNICODE "-"
0040224A   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
00402254   .  FFD3          call ebx
00402256   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]  ;  取字符串（string, start, num）
00402259   .  50            push eax
0040225A   .  8B10          mov edx,dword ptr ds:[eax]
0040225C   .  FF92 04030000 call dword ptr ds:[edx+0x304]
00402262   .  50            push eax
00402263   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00402266   .  50            push eax
00402267   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] 
0040226D   .  8BD8          mov ebx,eax
0040226F   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
00402272   .  52            push edx
00402273   .  53            push ebx
00402274   .  8B0B          mov ecx,dword ptr ds:[ebx]
00402276   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
0040227C   .  85C0          test eax,eax
0040227E   . 7D 12         jge short Andréna.00402292
00402280   .  68 A0000000   push 0xA0
00402285   .  68 201C4000   push Andréna.00401C20
0040228A   .  53            push ebx
0040228B   .  50            push eax
0040228C   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]         
00402292   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]
00402295   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00402298   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax
0040229B   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]  ;  lea指令用于取变量的地址
0040229E   .  50            push eax
0040229F   .  51            push ecx
004022A0   .  C745 A8 00000>mov dword ptr ss:[ebp-0x58],0x0
004022A7   .  C745 94 08800>mov dword ptr ss:[ebp-0x6C],0x8008
004022AE   .  FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>]                
004022B4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004022B7   .  8BD8          mov ebx,eax
004022B9   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]                  
004022BF   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004022C2   .  FF15 00414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>]                  
004022C8   .  66:85DB       test bx,bx
004022CB   . 0F84 C0000000 je Andréna.00402391      ;  注册码关键跳
004022D1   .  FF15 74414000 call dword ptr ds:[<&MSVBVM50.#534>] ;  msvbvm50.rtcBeep
004022D7   .  8B1D 98414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>]             
004022E2   .  898D 6CFFFFFF mov dword ptr ss:[ebp-0x94],ecx
004022E8   .  B8 0A000000   mov eax,0xA
004022ED   .  898D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ecx
004022F3   .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
004022F9   .  8D4D 84       lea ecx,dword ptr ss:[ebp-0x7C]
004022FC   .  8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
00402302   .  8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
00402308   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna ;  UNICODE "RiCHTiG !"
00402312   .  C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
0040231C   .  FFD3          call ebx          ;  <&MSVBVM50.__vbaVarDup>
0040231E   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]

 

一般情况分析VB程序，需要观察OD里面的汇编代码，栈区域，以及数据区域。在分析的过程中会大量的使用地址来传递参数（经常会有地址的地址这种方法来操作），要想真正能理解，那还是需要多做一些练习。