160 - 25 CodeZero.1
Environment
 Windows XP SP3
Tools
 exeinfope
 OllyDBG
Packer check
 Unpacked VB program
Test
 A Nag window appears when the program runs, so this time the goal is to remove the Nag window and find the serial.
 
After the program starts, a Nag window pops up; after waiting 5 seconds the button caption changes to "Continue..", and only after clicking it does the window for entering the serial appear.
A string search reveals the serial straight away:
00405721 . 68 A4264000 push CodeZero.004026A4 ; UNICODE "55555"
00405726 . E8 3BBAFFFF call <jmp.&MSVBVM50.__vbaStrCmp>
0040572B . 8BF0 mov esi,eax
0040572D . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00405730 . F7DE neg esi
00405732 . 1BF6 sbb esi,esi
00405734 . 46 inc esi
00405735 . F7DE neg esi
00405737 . E8 18BAFFFF call <jmp.&MSVBVM50.__vbaFreeStr>
0040573C . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040573F . E8 0ABAFFFF call <jmp.&MSVBVM50.__vbaFreeObj>
00405744 . 6A 0A push 0xA
00405746 . 66:3BF3 cmp si,bx
00405749 . 58 pop eax
0040574A . B9 04000280 mov ecx,0x80020004
0040574F . 6A 08 push 0x8
00405751 . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00405754 . 5E pop esi
00405755 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00405758 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0040575B . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
0040575E . C745 8C 68264>mov dword ptr ss:[ebp-0x74],CodeZero.004>; UNICODE "VB Crack-Me 1.0 by CodeZero"
00405765 . 8975 84 mov dword ptr ss:[ebp-0x7C],esi
00405768 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
0040576B . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
0040576E . 74 2A je XCodeZero.0040579A
00405770 . E8 CDB9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
00405775 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00405778 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
0040577B . C745 9C B4264>mov dword ptr ss:[ebp-0x64],CodeZero.004>; UNICODE "Congratulations! you've really made it :-)"
00405782 . 8975 94 mov dword ptr ss:[ebp-0x6C],esi
00405785 . E8 B8B9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
0040578A . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
0040578D . 50 push eax
0040578E . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00405791 . 50 push eax
00405792 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00405795 . 50 push eax
00405796 . 6A 40 push 0x40
00405798 . EB 28 jmp XCodeZero.004057C2
0040579A > E8 A3B9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
0040579F . C745 9C 10274>mov dword ptr ss:[ebp-0x64],CodeZero.004>; UNICODE "Invalid unlock code, please try again."
004057A6 > 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004057A9 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004057AC . 8975 94 mov dword ptr ss:[ebp-0x6C],esi
004057AF . E8 8EB9FFFF call <jmp.&MSVBVM50.__vbaVarDup>
The strings are compared in plaintext.
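As an added example (not code from the original write-up), the following Python models the neg/sbb/inc/neg sequence that follows __vbaStrCmp in the listing above: it turns the compare result in EAX into a VB Boolean in ESI (-1 when the strings match, 0 otherwise), which the cmp si,bx / je pair at 0040576E then uses to pick one of the two messages. vba_str_cmp is a stand-in for the runtime call (only its zero/non-zero result matters here), and ebx being zero at the compare is an assumption drawn from the branch behaviour.

```python
MASK32 = 0xFFFFFFFF


def vb_bool_from_strcmp(eax):
    """Emulate the sequence
         mov esi,eax / neg esi / sbb esi,esi / inc esi / neg esi
    and return the 32-bit value left in ESI.
    Zero in EAX (strings equal) becomes 0xFFFFFFFF (VB True); anything else becomes 0 (VB False)."""
    esi = eax & MASK32
    cf = 1 if esi != 0 else 0          # neg sets CF iff the operand was non-zero
    esi = (-esi) & MASK32              # neg esi
    esi = (esi - esi - cf) & MASK32    # sbb esi,esi  -> -CF (0 or 0xFFFFFFFF)
    esi = (esi + 1) & MASK32           # inc esi
    esi = (-esi) & MASK32              # neg esi
    return esi


def vba_str_cmp(a, b):
    """Stand-in for MSVBVM50.__vbaStrCmp (assumed convention: 0 when equal, non-zero otherwise)."""
    if a == b:
        return 0
    return 1 if a > b else MASK32


def check_serial(entered, expected="55555"):
    """Walk the branch at 0040576E: `cmp si,bx` (bx assumed to be 0) and `je` to 0040579A.
    Returns the message the listing would display."""
    esi = vb_bool_from_strcmp(vba_str_cmp(entered, expected))
    si = esi & 0xFFFF
    if si == 0:  # je taken -> 0040579A, the failure message
        return "Invalid unlock code, please try again."
    # fall through -> 00405770, the success message
    return "Congratulations! you've really made it :-)"


if __name__ == "__main__":
    for attempt in ("55555", "12345"):
        print(attempt, "->", check_serial(attempt))
```

The four instructions are the VB compiler's branch-free way of producing a proper Boolean (all bits set) from a comparison result, which is why the later cmp only needs to test the low 16 bits against zero.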
What remains is removing the Nag window:
 After opening the program in OD, let it run; once "continue.." is displayed, set a memory-access breakpoint on the .text section, then let the program run again; pressing F9 a few times brings you here.
You'll notice that even with breakpoints on the instructions above, the Nag window still cannot be stopped from appearing, which shows that the instructions that create the Nag window execute even earlier than these.
Looking at where these jmps land, [004059C2] is the lowest; following to [004059C2], you find there are many more instructions above this block.
0040595C |. 57 push edi
0040595D |. 50 push eax
0040595E |. E8 F7B7FFFF call <jmp.&MSVBVM50.__vbaHresultCheckObj>
00405963 |> 833D 38704000>cmp dword ptr ds:[0x407038],0x0
0040596A |. 75 0F jnz XCodeZero.0040597B
0040596C |. 68 38704000 push CodeZero.00407038
00405971 |. 68 B01D4000 push CodeZero.00401DB0
00405976 |. E8 B5B7FFFF call <jmp.&MSVBVM50.__vbaNew2>
0040597B |> 8B35 38704000 mov esi,dword ptr ds:[0x407038]
00405981 6A FF push -0x1
00405983 56 push esi
00405984 8B06 mov eax,dword ptr ds:[esi]
00405986 FF90 BC010000 call dword ptr ds:[eax+0x1BC] ; this is where the Nag window is created
0040598C |. 85C0 test eax,eax
0040598E |. 7D 11 jge XCodeZero.004059A1
00405990 |. 68 BC010000 push 0x1BC
00405995 |. 68 C8274000 push CodeZero.004027C8
0040599A |. 56 push esi
0040599B |. 50 push eax
0040599C |. E8 B9B7FFFF call <jmp.&MSVBVM50.__vbaHresultCheckObj>
004059A1 |> 8365 FC 00 and [local.1],0x0
004059A5 |. 8B45 08 mov eax,[arg.1]
004059A8 |. 50 push eax
004059A9 |. 8B08 mov ecx,dword ptr ds:[eax]
004059AB |. FF51 08 call dword ptr ds:[ecx+0x8]
004059AE |. 8B4D EC mov ecx,[local.5]
004059B1 |. 8B45 FC mov eax,[local.1]
004059B4 |. 5F pop edi
004059B5 |. 5E pop esi
004059B6 |. 64:890D 00000>mov dword ptr fs:[0],ecx
004059BD |. 5B pop ebx
004059BE |. C9 leave
004059BF \. C2 0400 retn 0x4
004059C2 > 55 push ebp ; from here down is where the serial-entry window is created
004059C3 . 8BEC mov ebp,esp
So when exactly do the instructions above [004059C2] get executed?
 You can look at the start of most of the instruction blocks,
and that turned up this:
0040583D /> \55 push ebp
which then led here:
00401D88 . 816C24 04 330>sub dword ptr ss:[esp+0x4],0x33
00401D90 . E9 5F380000 jmp CodeZero.004055F4 ; this handles the "Check" click
00401D95 . 816C24 04 370>sub dword ptr ss:[esp+0x4],0x37
00401D9D . E9 9B3A0000 jmp CodeZero.0040583D ; this handles the "About" click
00401DA2 . 816C24 04 3F0>sub dword ptr ss:[esp+0x4],0x3F
00401DAA . E9 563B0000 jmp CodeZero.00405905 ; this jumps to where the Nag window is created
Now the Nag window can be removed; all that is needed is to change:
0040583D /> \55 push ebp
to:
00405905 C2 0400 retn 0x4
and then change:
00402345 E9 7B370000 jmp CodeZero.00405AC5 ; displays "5"
to:
00402345 /E9 78360000 jmp CodeZero.004059C2 ; displays the serial-entry window
After patching, the Nag window is gone.
 And the serial is "55555".
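As an added check (not part of the original write-up), the Python below encodes and decodes the two jump forms that appear throughout the listings above, the 5-byte E9 rel32 jmp and the 2-byte short jumps (EB / 7x rel8), where the displacement is relative to the end of the instruction. It then re-derives every jump target OllyDbg printed, including the patched bytes E9 78360000 at 00402345, from the bytes shown in the write-up. The function names and the LISTED_JUMPS table are my own; the addresses and bytes in the table are copied from the listings.

```python
import struct

MASK32 = 0xFFFFFFFF


def encode_jmp_rel32(addr, target):
    """Encode `jmp target` as E9 rel32 placed at virtual address addr.
    rel32 = target - (addr + 5), because the CPU adds it to the address of the next instruction."""
    rel = target - (addr + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel)


def decode_jmp_rel32(addr, code):
    """Decode a 5-byte E9 jmp located at addr and return its target address."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp")
    rel = struct.unpack("<i", code[1:5])[0]
    return (addr + 5 + rel) & MASK32


def decode_short_jump(addr, code):
    """Decode a 2-byte short jump (EB rel8, or a 70..7F conditional jump) at addr."""
    if len(code) != 2 or not (code[0] == 0xEB or 0x70 <= code[0] <= 0x7F):
        raise ValueError("not a 2-byte short jump")
    rel = struct.unpack("<b", code[1:2])[0]   # rel8 is signed
    return (addr + 2 + rel) & MASK32


def jump_target(addr, code):
    """Dispatch on the opcode byte and return the decoded target."""
    return decode_jmp_rel32(addr, code) if code[0] == 0xE9 else decode_short_jump(addr, code)


# (address, bytes, target shown by OllyDbg), copied from the listings in this write-up
LISTED_JUMPS = [
    (0x0040576E, "742A",       0x0040579A),  # je  XCodeZero.0040579A
    (0x00405798, "EB28",       0x004057C2),  # jmp XCodeZero.004057C2
    (0x0040596A, "750F",       0x0040597B),  # jnz XCodeZero.0040597B
    (0x0040598E, "7D11",       0x004059A1),  # jge XCodeZero.004059A1
    (0x00401D90, "E95F380000", 0x004055F4),  # jmp CodeZero.004055F4 ("Check")
    (0x00401D9D, "E99B3A0000", 0x0040583D),  # jmp CodeZero.0040583D ("About")
    (0x00401DAA, "E9563B0000", 0x00405905),  # jmp CodeZero.00405905 (Nag window)
    (0x00402345, "E97B370000", 0x00405AC5),  # original jmp at 00402345
    (0x00402345, "E978360000", 0x004059C2),  # patched jmp at 00402345
]


def check_listed_jumps(entries=LISTED_JUMPS):
    """Return the (address, bytes) pairs whose decoded target disagrees with the listing.
    An empty list means every encoding in the table is self-consistent."""
    return [(hex(a), b) for a, b, t in entries if jump_target(a, bytes.fromhex(b)) != t]


if __name__ == "__main__":
    print("patched bytes:", encode_jmp_rel32(0x00402345, 0x004059C2).hex().upper())
    print("mismatches:", check_listed_jumps())
```

Re-deriving the displacement this way is the quickest sanity check before editing bytes in a binary: a rel32 that is off by even one byte sends execution into the middle of an instruction, and the sign handling in decode_short_jump matters because conditional short jumps frequently go backwards.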