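Cracking the Rockey4 dongle
Target: a budget-estimate compilation system
Load the unpacked program in OD and press F9 to run; it shows the prompt "请插放加密锁" ("Please insert the dongle").
Reload the program in OD, set a breakpoint with bp rtcMsgBox, and press F9 to run; the breakpoint hits: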
660DC5F3 > 55 PUSH EBP ; breaks here
660DC5F4 8BEC MOV EBP,ESP
660DC5F6 83EC 4C SUB ESP,4C
660DC5F9 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
660DC5FC 53 PUSH EBX
660DC5FD 56 PUSH ESI
660DC5FE 57 PUSH EDI
660DC5FF 66:8339 0A CMP WORD PTR DS:[ECX],0A
660DC603 B8 04000280 MOV EAX,80020004
660DC608 0F85 FC000000 JNZ MSVBVM60.660DC70A
Now look at the stack:
0012F5AC 00BC02DE RETURN to xxxxx.00BC02DE from MSVBVM60.rtcMsgBox
Press Ctrl+G, enter the address 00BC02DE, and we arrive here:
00BC0252 . FF15 B4134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00BC0258 . 66:83BD ACFEF>CMP WORD PTR SS:[EBP-154],0
00BC0260 . 0F84 A9000000 JE xxxxx.00BC030F
00BC0266 > B9 04000280 MOV ECX,80020004
00BC026B . B8 0A000000 MOV EAX,0A
00BC0270 . 898D 18FFFFFF MOV DWORD PTR SS:[EBP-E8],ECX
00BC0276 . 898D 28FFFFFF MOV DWORD PTR SS:[EBP-D8],ECX
00BC027C . 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
00BC0282 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BC0288 . 8D8D 40FFFFFF LEA ECX,DWORD PTR SS:[EBP-C0]
00BC028E . 8985 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EAX
00BC0294 . 8985 20FFFFFF MOV DWORD PTR SS:[EBP-E0],EAX
00BC029A . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EAX
00BC02A0 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],xxxxx.0047EE24
00BC02AA . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],8
00BC02B4 . FF15 08134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00BC02BA . 8D8D 10FFFFFF LEA ECX,DWORD PTR SS:[EBP-F0]
00BC02C0 . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
00BC02C6 . 51 PUSH ECX
00BC02C7 . 8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
00BC02CD . 52 PUSH EDX
00BC02CE . 50 PUSH EAX
00BC02CF . 8D8D 40FFFFFF LEA ECX,DWORD PTR SS:[EBP-C0]
00BC02D5 . 6A 00 PUSH 0
00BC02D7 . 51 PUSH ECX
00BC02D8 . FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMsgBox>>; "请插放加密锁" ("Please insert the dongle")
00BC02DE . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0] ; we land here
Then look upward; I'll paste the whole code:
00BBF9CF . 90 NOP
00BBF9D0 $ 55 PUSH EBP
00BBF9D1 . 8BEC MOV EBP,ESP
00BBF9D3 . 83EC 08 SUB ESP,8
00BBF9D6 . 68 160B4200 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00BBF9DB . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00BBF9E1 . 50 PUSH EAX
00BBF9E2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00BBF9E9 . 81EC 50010000 SUB ESP,150
00BBF9EF . 53 PUSH EBX
00BBF9F0 . 56 PUSH ESI
00BBF9F1 . 57 PUSH EDI
00BBF9F2 . 8965 F8 MOV DWORD PTR SS:[EBP-8],ESP
00BBF9F5 . C745 FC A0014>MOV DWORD PTR SS:[EBP-4],xxxxx.004201A0
00BBF9FC . BB 02000000 MOV EBX,2
00BBFA01 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00BBFA04 . 53 PUSH EBX
00BBFA05 . 33F6 XOR ESI,ESI
00BBFA07 . 68 38EE4700 PUSH xxxxx.0047EE38
00BBFA0C . 50 PUSH EAX
00BBFA0D . 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
00BBFA10 . 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
00BBFA13 . 8975 C0 MOV DWORD PTR SS:[EBP-40],ESI
00BBFA16 . 8975 B8 MOV DWORD PTR SS:[EBP-48],ESI
00BBFA19 . 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00BBFA1C . 89B5 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ESI
00BBFA22 . 89B5 6CFFFFFF MOV DWORD PTR SS:[EBP-94],ESI
00BBFA28 . 89B5 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],ESI
00BBFA2E . 89B5 58FFFFFF MOV DWORD PTR SS:[EBP-A8],ESI
00BBFA34 . 89B5 50FFFFFF MOV DWORD PTR SS:[EBP-B0],ESI
00BBFA3A . 89B5 40FFFFFF MOV DWORD PTR SS:[EBP-C0],ESI
00BBFA40 . 89B5 30FFFFFF MOV DWORD PTR SS:[EBP-D0],ESI
00BBFA46 . 89B5 20FFFFFF MOV DWORD PTR SS:[EBP-E0],ESI
00BBFA4C . 89B5 10FFFFFF MOV DWORD PTR SS:[EBP-F0],ESI
00BBFA52 . 89B5 00FFFFFF MOV DWORD PTR SS:[EBP-100],ESI
00BBFA58 . 89B5 F0FEFFFF MOV DWORD PTR SS:[EBP-110],ESI
00BBFA5E . 89B5 E0FEFFFF MOV DWORD PTR SS:[EBP-120],ESI
00BBFA64 . 89B5 D0FEFFFF MOV DWORD PTR SS:[EBP-130],ESI
00BBFA6A . 89B5 C0FEFFFF MOV DWORD PTR SS:[EBP-140],ESI
00BBFA70 . 89B5 BCFEFFFF MOV DWORD PTR SS:[EBP-144],ESI
00BBFA76 . 89B5 B8FEFFFF MOV DWORD PTR SS:[EBP-148],ESI
00BBFA7C . 89B5 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],ESI
00BBFA82 . 89B5 B0FEFFFF MOV DWORD PTR SS:[EBP-150],ESI
00BBFA88 . 89B5 A8FEFFFF MOV DWORD PTR SS:[EBP-158],ESI
00BBFA8E . FF15 6C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaAryCo>; MSVBVM60.__vbaAryConstruct2
00BBFA94 . 8B3D 14104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarMove
00BBFA9A . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFAA0 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFAA3 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],FFFF8FEF
00BBFAAD . 899D 00FFFFFF MOV DWORD PTR SS:[EBP-100],EBX
00BBFAB3 . FFD7 CALL EDI ; <&MSVBVM60.__vbaVarMove>
00BBFAB5 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFABB . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00BBFAC1 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],FFFFB070
00BBFACB . 899D 00FFFFFF MOV DWORD PTR SS:[EBP-100],EBX
00BBFAD1 . FFD7 CALL EDI
00BBFAD3 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFAD9 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00BBFADF . 89B5 08FFFFFF MOV DWORD PTR SS:[EBP-F8],ESI
00BBFAE5 . 899D 00FFFFFF MOV DWORD PTR SS:[EBP-100],EBX
00BBFAEB . FFD7 CALL EDI
00BBFAED . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFAF3 . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFAF9 . 89B5 08FFFFFF MOV DWORD PTR SS:[EBP-F8],ESI
00BBFAFF . 899D 00FFFFFF MOV DWORD PTR SS:[EBP-100],EBX
00BBFB05 . FFD7 CALL EDI
00BBFB07 . 8B3D 64124000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaI2>; MSVBVM60.__vbaI2Var
00BBFB0D . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFB13 . 51 PUSH ECX
00BBFB14 . 89B5 54FFFFFF MOV DWORD PTR SS:[EBP-AC],ESI
00BBFB1A . FFD7 CALL EDI ; <&MSVBVM60.__vbaI2Var>
00BBFB1C . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00BBFB22 . 8985 B0FEFFFF MOV DWORD PTR SS:[EBP-150],EAX
00BBFB28 . 52 PUSH EDX
00BBFB29 . FFD7 CALL EDI
00BBFB2B . 8985 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],EAX
00BBFB31 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00BBFB37 . 50 PUSH EAX
00BBFB38 . FFD7 CALL EDI
00BBFB3A . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFB3D . 8985 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EAX
00BBFB43 . 51 PUSH ECX
00BBFB44 . FFD7 CALL EDI
00BBFB46 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00BBFB49 . 8985 BCFEFFFF MOV DWORD PTR SS:[EBP-144],EAX
00BBFB4F . 52 PUSH EDX
00BBFB50 . FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00BBFB56 . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
00BBFB5C . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00BBFB62 . 50 PUSH EAX
00BBFB63 . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFB69 . 51 PUSH ECX
00BBFB6A . FF15 0C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00BBFB70 . 50 PUSH EAX
00BBFB71 . 8D95 B0FEFFFF LEA EDX,DWORD PTR SS:[EBP-150]
00BBFB77 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00BBFB7D . 52 PUSH EDX
00BBFB7E . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00BBFB84 . 50 PUSH EAX
00BBFB85 . 8D95 BCFEFFFF LEA EDX,DWORD PTR SS:[EBP-144]
00BBFB8B . 51 PUSH ECX
00BBFB8C . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00BBFB8F . 52 PUSH EDX
00BBFB90 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00BBFB93 . 8D8D A8FEFFFF LEA ECX,DWORD PTR SS:[EBP-158]
00BBFB99 . 50 PUSH EAX
00BBFB9A . 51 PUSH ECX
00BBFB9B . 52 PUSH EDX
00BBFB9C . 6A 01 PUSH 1
00BBFB9E . E8 D1D28AFF CALL xxxxx.0046CE74 ; key: the CALL that reads the dongle
00BBFBA3 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
00BBFBA9 . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00BBFBAF . 8B85 A8FEFFFF MOV EAX,DWORD PTR SS:[EBP-158]
00BBFBB5 . 8B35 28134000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarCopy
00BBFBBB . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFBC1 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00BBFBC4 . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00BBFBCA . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],3
00BBFBD4 . FFD6 CALL ESI ; <&MSVBVM60.__vbaVarCopy>
00BBFBD6 . 66:8B8D BCFEF>MOV CX,WORD PTR SS:[EBP-144]
00BBFBDD . 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110]
00BBFBE3 . 66:898D F8FEF>MOV WORD PTR SS:[EBP-108],CX
00BBFBEA . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFBED . 899D F0FEFFFF MOV DWORD PTR SS:[EBP-110],EBX
00BBFBF3 . FFD6 CALL ESI
00BBFBF5 . 66:8B95 B8FEF>MOV DX,WORD PTR SS:[EBP-148]
00BBFBFC . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00BBFC02 . 66:8995 E8FEF>MOV WORD PTR SS:[EBP-118],DX
00BBFC09 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00BBFC0F . 899D E0FEFFFF MOV DWORD PTR SS:[EBP-120],EBX
00BBFC15 . FFD6 CALL ESI
00BBFC17 . 66:8B85 B4FEF>MOV AX,WORD PTR SS:[EBP-14C]
00BBFC1E . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00BBFC24 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00BBFC2A . 66:8985 D8FEF>MOV WORD PTR SS:[EBP-128],AX
00BBFC31 . 899D D0FEFFFF MOV DWORD PTR SS:[EBP-130],EBX
00BBFC37 . FFD6 CALL ESI
00BBFC39 . 66:8B8D B0FEF>MOV CX,WORD PTR SS:[EBP-150]
00BBFC40 . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
00BBFC46 . 66:898D C8FEF>MOV WORD PTR SS:[EBP-138],CX
00BBFC4D . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFC53 . 899D C0FEFFFF MOV DWORD PTR SS:[EBP-140],EBX
00BBFC59 . FFD6 CALL ESI
00BBFC5B . 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0]
00BBFC61 . 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8]
00BBFC67 . 52 PUSH EDX
00BBFC68 . 50 PUSH EAX
00BBFC69 . FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00BBFC6F . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFC75 . FF15 B4134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00BBFC7B . 66:83BD ACFEF>CMP WORD PTR SS:[EBP-154],0 ; compare the status flag; jump if not equal
00BBFC83 . 0F85 DD050000 JNZ xxxxx.00BC0266 ; jumps without a dongle, does not jump with one
00BBFC89 . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFC8F . 51 PUSH ECX
00BBFC90 . FFD7 CALL EDI
00BBFC92 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00BBFC98 . 8985 B0FEFFFF MOV DWORD PTR SS:[EBP-150],EAX
00BBFC9E . 52 PUSH EDX
00BBFC9F . FFD7 CALL EDI
00BBFCA1 . 8985 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],EAX
00BBFCA7 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00BBFCAD . 50 PUSH EAX
00BBFCAE . FFD7 CALL EDI
00BBFCB0 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFCB3 . 8985 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EAX
00BBFCB9 . 51 PUSH ECX
00BBFCBA . FFD7 CALL EDI
00BBFCBC . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00BBFCBF . 8985 BCFEFFFF MOV DWORD PTR SS:[EBP-144],EAX
00BBFCC5 . 52 PUSH EDX
00BBFCC6 . FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00BBFCCC . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
00BBFCD2 . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00BBFCD8 . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFCDE . 50 PUSH EAX
00BBFCDF . 51 PUSH ECX
00BBFCE0 . FF15 0C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00BBFCE6 . 50 PUSH EAX
00BBFCE7 . 8D95 B0FEFFFF LEA EDX,DWORD PTR SS:[EBP-150]
00BBFCED . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00BBFCF3 . 52 PUSH EDX
00BBFCF4 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00BBFCFA . 50 PUSH EAX
00BBFCFB . 8D95 BCFEFFFF LEA EDX,DWORD PTR SS:[EBP-144]
00BBFD01 . 51 PUSH ECX
00BBFD02 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00BBFD05 . 52 PUSH EDX
00BBFD06 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00BBFD09 . 8D8D A8FEFFFF LEA ECX,DWORD PTR SS:[EBP-158]
00BBFD0F . 50 PUSH EAX
00BBFD10 . 51 PUSH ECX
00BBFD11 . 52 PUSH EDX
00BBFD12 . 6A 03 PUSH 3
00BBFD14 . E8 5BD18AFF CALL xxxxx.0046CE74 ; the CALL that reads the dongle
00BBFD19 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
00BBFD1F . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00BBFD25 . 8B85 A8FEFFFF MOV EAX,DWORD PTR SS:[EBP-158]
00BBFD2B . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFD31 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00BBFD34 . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00BBFD3A . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],3
00BBFD44 . FFD6 CALL ESI
00BBFD46 . 66:8B8D BCFEF>MOV CX,WORD PTR SS:[EBP-144]
00BBFD4D . 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110]
00BBFD53 . 66:898D F8FEF>MOV WORD PTR SS:[EBP-108],CX
00BBFD5A . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFD5D . 899D F0FEFFFF MOV DWORD PTR SS:[EBP-110],EBX
00BBFD63 . FFD6 CALL ESI
00BBFD65 . 66:8B95 B8FEF>MOV DX,WORD PTR SS:[EBP-148]
00BBFD6C . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00BBFD72 . 66:8995 E8FEF>MOV WORD PTR SS:[EBP-118],DX
00BBFD79 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00BBFD7F . 899D E0FEFFFF MOV DWORD PTR SS:[EBP-120],EBX
00BBFD85 . FFD6 CALL ESI
00BBFD87 . 66:8B85 B4FEF>MOV AX,WORD PTR SS:[EBP-14C]
00BBFD8E . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00BBFD94 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00BBFD9A . 66:8985 D8FEF>MOV WORD PTR SS:[EBP-128],AX
00BBFDA1 . 899D D0FEFFFF MOV DWORD PTR SS:[EBP-130],EBX
00BBFDA7 . FFD6 CALL ESI
00BBFDA9 . 66:8B8D B0FEF>MOV CX,WORD PTR SS:[EBP-150]
00BBFDB0 . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
00BBFDB6 . 66:898D C8FEF>MOV WORD PTR SS:[EBP-138],CX
00BBFDBD . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFDC3 . 899D C0FEFFFF MOV DWORD PTR SS:[EBP-140],EBX
00BBFDC9 . FFD6 CALL ESI
00BBFDCB . 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0]
00BBFDD1 . 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8]
00BBFDD7 . 52 PUSH EDX
00BBFDD8 . 50 PUSH EAX
00BBFDD9 . FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00BBFDDF . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFDE5 . FF15 B4134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00BBFDEB . 66:83BD ACFEF>CMP WORD PTR SS:[EBP-154],0 ; compare the status flag; jump if not equal
00BBFDF3 . 0F85 6D040000 JNZ xxxxx.00BC0266 ; jumps without a dongle, does not jump with one
00BBFDF9 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFDFF . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFE02 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],9
00BBFE0C . 899D 00FFFFFF MOV DWORD PTR SS:[EBP-100],EBX
00BBFE12 . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00BBFE18 . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFE1E . 51 PUSH ECX
00BBFE1F . FFD7 CALL EDI
00BBFE21 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00BBFE27 . 8985 B0FEFFFF MOV DWORD PTR SS:[EBP-150],EAX
00BBFE2D . 52 PUSH EDX
00BBFE2E . FFD7 CALL EDI
00BBFE30 . 8985 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],EAX
00BBFE36 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00BBFE3C . 50 PUSH EAX
00BBFE3D . FFD7 CALL EDI
00BBFE3F . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFE42 . 8985 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EAX
00BBFE48 . 51 PUSH ECX
00BBFE49 . FFD7 CALL EDI
00BBFE4B . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00BBFE4E . 8985 BCFEFFFF MOV DWORD PTR SS:[EBP-144],EAX
00BBFE54 . 52 PUSH EDX
00BBFE55 . FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00BBFE5B . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
00BBFE61 . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00BBFE67 . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFE6D . 50 PUSH EAX
00BBFE6E . 51 PUSH ECX
00BBFE6F . FF15 0C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00BBFE75 . 50 PUSH EAX
00BBFE76 . 8D95 B0FEFFFF LEA EDX,DWORD PTR SS:[EBP-150]
00BBFE7C . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00BBFE82 . 52 PUSH EDX
00BBFE83 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00BBFE89 . 50 PUSH EAX
00BBFE8A . 8D95 BCFEFFFF LEA EDX,DWORD PTR SS:[EBP-144]
00BBFE90 . 51 PUSH ECX
00BBFE91 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00BBFE94 . 52 PUSH EDX
00BBFE95 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00BBFE98 . 8D8D A8FEFFFF LEA ECX,DWORD PTR SS:[EBP-158]
00BBFE9E . 50 PUSH EAX
00BBFE9F . 51 PUSH ECX
00BBFEA0 . 52 PUSH EDX
00BBFEA1 . 6A 0C PUSH 0C
00BBFEA3 . E8 CCCF8AFF CALL xxxxx.0046CE74 ; key: the CALL that reads the dongle
00BBFEA8 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
00BBFEAE . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00BBFEB4 . 8B85 A8FEFFFF MOV EAX,DWORD PTR SS:[EBP-158]
00BBFEBA . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BBFEC0 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00BBFEC3 . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00BBFEC9 . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],3
00BBFED3 . FFD6 CALL ESI
00BBFED5 . 66:8B8D BCFEF>MOV CX,WORD PTR SS:[EBP-144]
00BBFEDC . 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110]
00BBFEE2 . 66:898D F8FEF>MOV WORD PTR SS:[EBP-108],CX
00BBFEE9 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFEEC . 899D F0FEFFFF MOV DWORD PTR SS:[EBP-110],EBX
00BBFEF2 . FFD6 CALL ESI
00BBFEF4 . 66:8B95 B8FEF>MOV DX,WORD PTR SS:[EBP-148]
00BBFEFB . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00BBFF01 . 66:8995 E8FEF>MOV WORD PTR SS:[EBP-118],DX
00BBFF08 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00BBFF0E . 899D E0FEFFFF MOV DWORD PTR SS:[EBP-120],EBX
00BBFF14 . FFD6 CALL ESI
00BBFF16 . 66:8B85 B4FEF>MOV AX,WORD PTR SS:[EBP-14C]
00BBFF1D . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00BBFF23 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00BBFF29 . 66:8985 D8FEF>MOV WORD PTR SS:[EBP-128],AX
00BBFF30 . 899D D0FEFFFF MOV DWORD PTR SS:[EBP-130],EBX
00BBFF36 . FFD6 CALL ESI
00BBFF38 . 66:8B8D B0FEF>MOV CX,WORD PTR SS:[EBP-150]
00BBFF3F . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
00BBFF45 . 66:898D C8FEF>MOV WORD PTR SS:[EBP-138],CX
00BBFF4C . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFF52 . 899D C0FEFFFF MOV DWORD PTR SS:[EBP-140],EBX
00BBFF58 . FFD6 CALL ESI
00BBFF5A . 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0]
00BBFF60 . 52 PUSH EDX
00BBFF61 . 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8]
00BBFF67 . 50 PUSH EAX
00BBFF68 . FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00BBFF6E . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFF74 . FF15 B4134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00BBFF7A . 66:83BD ACFEF>CMP WORD PTR SS:[EBP-154],0 ; compare the status flag; jump if not equal
00BBFF82 . 0F85 4F010000 JNZ xxxxx.00BC00D7 ; jumps without a dongle, does not jump with one
00BBFF88 . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BBFF8E . 51 PUSH ECX
00BBFF8F . FFD7 CALL EDI
00BBFF91 . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00BBFF97 . 8985 B0FEFFFF MOV DWORD PTR SS:[EBP-150],EAX
00BBFF9D . 52 PUSH EDX
00BBFF9E . FFD7 CALL EDI
00BBFFA0 . 8985 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],EAX
00BBFFA6 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00BBFFAC . 50 PUSH EAX
00BBFFAD . FFD7 CALL EDI
00BBFFAF . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BBFFB2 . 8985 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EAX
00BBFFB8 . 51 PUSH ECX
00BBFFB9 . FFD7 CALL EDI
00BBFFBB . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00BBFFBE . 8985 BCFEFFFF MOV DWORD PTR SS:[EBP-144],EAX
00BBFFC4 . 52 PUSH EDX
00BBFFC5 . FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00BBFFCB . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
00BBFFD1 . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00BBFFD7 . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BBFFDD . 50 PUSH EAX
00BBFFDE . 51 PUSH ECX
00BBFFDF . FF15 0C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00BBFFE5 . 50 PUSH EAX
00BBFFE6 . 8D95 B0FEFFFF LEA EDX,DWORD PTR SS:[EBP-150]
00BBFFEC . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00BBFFF2 . 52 PUSH EDX
00BBFFF3 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00BBFFF9 . 50 PUSH EAX
00BBFFFA . 8D95 BCFEFFFF LEA EDX,DWORD PTR SS:[EBP-144]
00BC0000 . 51 PUSH ECX
00BC0001 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00BC0004 . 52 PUSH EDX
00BC0005 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00BC0008 . 8D8D A8FEFFFF LEA ECX,DWORD PTR SS:[EBP-158]
00BC000E . 50 PUSH EAX
00BC000F . 51 PUSH ECX
00BC0010 . 52 PUSH EDX
00BC0011 . 6A 04 PUSH 4
00BC0013 . E8 5CCE8AFF CALL xxxxx.0046CE74 ; the CALL that reads the dongle
00BC0018 . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00BC001E . 8B85 A8FEFFFF MOV EAX,DWORD PTR SS:[EBP-158]
00BC0024 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BC002A . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00BC002D . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00BC0033 . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],3
00BC003D . FFD6 CALL ESI
00BC003F . 66:8B8D BCFEF>MOV CX,WORD PTR SS:[EBP-144]
00BC0046 . 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110]
00BC004C . 66:898D F8FEF>MOV WORD PTR SS:[EBP-108],CX
00BC0053 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BC0056 . 899D F0FEFFFF MOV DWORD PTR SS:[EBP-110],EBX
00BC005C . FFD6 CALL ESI
00BC005E . 66:8B95 B8FEF>MOV DX,WORD PTR SS:[EBP-148]
00BC0065 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00BC006B . 66:8995 E8FEF>MOV WORD PTR SS:[EBP-118],DX
00BC0072 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00BC0078 . 899D E0FEFFFF MOV DWORD PTR SS:[EBP-120],EBX
00BC007E . FFD6 CALL ESI
00BC0080 . 66:8B85 B4FEF>MOV AX,WORD PTR SS:[EBP-14C]
00BC0087 . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00BC008D . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00BC0093 . 66:8985 D8FEF>MOV WORD PTR SS:[EBP-128],AX
00BC009A . 899D D0FEFFFF MOV DWORD PTR SS:[EBP-130],EBX
00BC00A0 . FFD6 CALL ESI
00BC00A2 . 66:8B8D B0FEF>MOV CX,WORD PTR SS:[EBP-150]
00BC00A9 . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
00BC00AF . 66:898D C8FEF>MOV WORD PTR SS:[EBP-138],CX
00BC00B6 . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BC00BC . 899D C0FEFFFF MOV DWORD PTR SS:[EBP-140],EBX
00BC00C2 . FFD6 CALL ESI
00BC00C4 . 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0]
00BC00CA . 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8]
00BC00D0 . 52 PUSH EDX
00BC00D1 . 50 PUSH EAX
00BC00D2 . E9 82030000 JMP xxxxx.00BC0459
00BC00D7 > 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BC00DD . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BC00E0 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],7
00BC00EA . 899D 00FFFFFF MOV DWORD PTR SS:[EBP-100],EBX
00BC00F0 . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00BC00F6 . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BC00FC . 51 PUSH ECX
00BC00FD . FFD7 CALL EDI
00BC00FF . 8D95 6CFFFFFF LEA EDX,DWORD PTR SS:[EBP-94]
00BC0105 . 8985 B0FEFFFF MOV DWORD PTR SS:[EBP-150],EAX
00BC010B . 52 PUSH EDX
00BC010C . FFD7 CALL EDI
00BC010E . 8985 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],EAX
00BC0114 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
00BC011A . 50 PUSH EAX
00BC011B . FFD7 CALL EDI
00BC011D . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BC0120 . 8985 B8FEFFFF MOV DWORD PTR SS:[EBP-148],EAX
00BC0126 . 51 PUSH ECX
00BC0127 . FFD7 CALL EDI
00BC0129 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00BC012C . 8985 BCFEFFFF MOV DWORD PTR SS:[EBP-144],EAX
00BC0132 . 52 PUSH EDX
00BC0133 . FF15 E8124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00BC0139 . 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
00BC013F . 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8]
00BC0145 . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BC014B . 50 PUSH EAX
00BC014C . 51 PUSH ECX
00BC014D . FF15 0C134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00BC0153 . 50 PUSH EAX
00BC0154 . 8D95 B0FEFFFF LEA EDX,DWORD PTR SS:[EBP-150]
00BC015A . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00BC0160 . 52 PUSH EDX
00BC0161 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00BC0167 . 50 PUSH EAX
00BC0168 . 8D95 BCFEFFFF LEA EDX,DWORD PTR SS:[EBP-144]
00BC016E . 51 PUSH ECX
00BC016F . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00BC0172 . 52 PUSH EDX
00BC0173 . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00BC0176 . 8D8D A8FEFFFF LEA ECX,DWORD PTR SS:[EBP-158]
00BC017C . 50 PUSH EAX
00BC017D . 51 PUSH ECX
00BC017E . 52 PUSH EDX
00BC017F . 6A 0C PUSH 0C
00BC0181 . E8 EECC8AFF CALL xxxxx.0046CE74
00BC0186 . 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
00BC018C . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00BC0192 . 8B85 A8FEFFFF MOV EAX,DWORD PTR SS:[EBP-158]
00BC0198 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BC019E . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00BC01A1 . 8985 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EAX
00BC01A7 . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],3
00BC01B1 . FFD6 CALL ESI
00BC01B3 . 66:8B8D BCFEF>MOV CX,WORD PTR SS:[EBP-144]
00BC01BA . 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110]
00BC01C0 . 66:898D F8FEF>MOV WORD PTR SS:[EBP-108],CX
00BC01C7 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00BC01CA . 899D F0FEFFFF MOV DWORD PTR SS:[EBP-110],EBX
00BC01D0 . FFD6 CALL ESI
00BC01D2 . 66:8B95 B8FEF>MOV DX,WORD PTR SS:[EBP-148]
00BC01D9 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00BC01DF . 66:8995 E8FEF>MOV WORD PTR SS:[EBP-118],DX
00BC01E6 . 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00BC01EC . 899D E0FEFFFF MOV DWORD PTR SS:[EBP-120],EBX
00BC01F2 . FFD6 CALL ESI
00BC01F4 . 66:8B85 B4FEF>MOV AX,WORD PTR SS:[EBP-14C]
00BC01FB . 8D95 D0FEFFFF LEA EDX,DWORD PTR SS:[EBP-130]
00BC0201 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00BC0207 . 66:8985 D8FEF>MOV WORD PTR SS:[EBP-128],AX
00BC020E . 899D D0FEFFFF MOV DWORD PTR SS:[EBP-130],EBX
00BC0214 . FFD6 CALL ESI
00BC0216 . 66:8B8D B0FEF>MOV CX,WORD PTR SS:[EBP-150]
00BC021D . 8D95 C0FEFFFF LEA EDX,DWORD PTR SS:[EBP-140]
00BC0223 . 66:898D C8FEF>MOV WORD PTR SS:[EBP-138],CX
00BC022A . 8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:[EBP-A4]
00BC0230 . 899D C0FEFFFF MOV DWORD PTR SS:[EBP-140],EBX
00BC0236 . FFD6 CALL ESI
00BC0238 . 8B95 50FFFFFF MOV EDX,DWORD PTR SS:[EBP-B0]
00BC023E . 52 PUSH EDX
00BC023F . 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8]
00BC0245 . 50 PUSH EAX
00BC0246 . FF15 04124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00BC024C . 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
00BC0252 . FF15 B4134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00BC0258 . 66:83BD ACFEF>CMP WORD PTR SS:[EBP-154],0
00BC0260 . 0F84 A9000000 JE xxxxx.00BC030F
00BC0266 > B9 04000280 MOV ECX,80020004
00BC026B . B8 0A000000 MOV EAX,0A
00BC0270 . 898D 18FFFFFF MOV DWORD PTR SS:[EBP-E8],ECX
00BC0276 . 898D 28FFFFFF MOV DWORD PTR SS:[EBP-D8],ECX
00BC027C . 898D 38FFFFFF MOV DWORD PTR SS:[EBP-C8],ECX
00BC0282 . 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100]
00BC0288 . 8D8D 40FFFFFF LEA ECX,DWORD PTR SS:[EBP-C0]
00BC028E . 8985 10FFFFFF MOV DWORD PTR SS:[EBP-F0],EAX
00BC0294 . 8985 20FFFFFF MOV DWORD PTR SS:[EBP-E0],EAX
00BC029A . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EAX
00BC02A0 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],xxxxx.0047EE24
00BC02AA . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],8
00BC02B4 . FF15 08134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00BC02BA . 8D8D 10FFFFFF LEA ECX,DWORD PTR SS:[EBP-F0]
00BC02C0 . 8D95 20FFFFFF LEA EDX,DWORD PTR SS:[EBP-E0]
00BC02C6 . 51 PUSH ECX
00BC02C7 . 8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
00BC02CD . 52 PUSH EDX
00BC02CE . 50 PUSH EAX
00BC02CF . 8D8D 40FFFFFF LEA ECX,DWORD PTR SS:[EBP-C0]
00BC02D5 . 6A 00 PUSH 0
00BC02D7 . 51 PUSH ECX
00BC02D8 . FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.rtcMsgBox>>; "请插放加密锁" ("Please insert the dongle")
00BC02DE . 8D95 10FFFFFF LEA EDX,DWORD PTR SS:[EBP-F0]
00BC02E4 . 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00BC02EA . 52 PUSH EDX
00BC02EB . 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00BC02F1 . 50 PUSH EAX
00BC02F2 . 8D95 40FFFFFF LEA EDX,DWORD PTR SS:[EBP-C0]
00BC02F8 . 51 PUSH ECX
00BC02F9 . 52 PUSH EDX
00BC02FA . 6A 04 PUSH 4
00BC02FC . FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00BC0302 . 83C4 14 ADD ESP,14
00BC0305 . 68 0705BC00 PUSH xxxxx.00BC0507
00BC030A . E9 A1010000 JMP xxxxx.00BC04B0
00BC030F > 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
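From the code above we can see that the program reads the dongle three times; now let's step into the dongle-reading CALL and take a look.
Set a breakpoint (F2) at 00BBFB9E, reload the program, press F9, then F7 to step in, arriving here:
0046CE74 $ A1 2858BE00 MOV EAX,DWORD PTR DS:[BE5828] ; F7 lands here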
0046CE79 . 0BC0 OR EAX,EAX
0046CE7B . 74 02 JE SHORT xxxxx.0046CE7F
0046CE7D . FFE0 JMP EAX
0046CE7F > 68 5CCE4600 PUSH xxxxx.0046CE5C
0046CE84 . B8 A00B4200 MOV EAX,<JMP.&MSVBVM60.DllFunctionCall>
0046CE89 . FFD0 CALL EAX
0046CE8B . FFE0 JMP EAX ; on reaching here, step in
0046CE8D 00 DB 00
-----
10001250 81EC 7C020000 SUB ESP,27C ; we enter here
10001256 A1 8C600010 MOV EAX,DWORD PTR DS:[1000608C]
1000125B 8B0D 90600010 MOV ECX,DWORD PTR DS:[10006090]
10001261 8A15 94600010 MOV DL,BYTE PTR DS:[10006094]
10001267 53 PUSH EBX
10001268 55 PUSH EBP
10001269 56 PUSH ESI
1000126A 57 PUSH EDI
1000126B 8BBC24 90020000 MOV EDI,DWORD PTR SS:[ESP+290]
10001272 66:85FF TEST DI,DI
10001275 C74424 10 00000>MOV DWORD PTR SS:[ESP+10],0
1000127D 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
10001281 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
10001285 885424 1C MOV BYTE PTR SS:[ESP+1C],DL
10001289 75 11 JNZ SHORT 1000129C ; jumps
1000128B 5F POP EDI
1000128C 5E POP ESI
1000128D 5D POP EBP
1000128E 66:B8 0800 MOV AX,8
10001292 5B POP EBX
10001293 81C4 7C020000 ADD ESP,27C
10001299 C2 2400 RETN 24
1000129C A1 60670010 MOV EAX,DWORD PTR DS:[10006760]
100012A1 85C0 TEST EAX,EAX
100012A3 0F85 A1020000 JNZ 1000154A
100012A9 FF15 40500010 CALL DWORD PTR DS:[10005040] ; kernel32.GetVersion
100012AF 6A 00 PUSH 0
100012B1 68 80000000 PUSH 80
100012B6 6A 03 PUSH 3
100012B8 6A 00 PUSH 0
100012BA 3D 00000080 CMP EAX,80000000
100012BF 6A 00 PUSH 0
100012C1 68 000000C0 PUSH C0000000
100012C6 0F83 19020000 JNB 100014E5
100012CC 68 7C600010 PUSH 1000607C ; ASCII "\\.\ROCKEYNT"
100012D1 FF15 3C500010 CALL DWORD PTR DS:[1000503C] ; kernel32.CreateFileA
100012D7 83F8 FF CMP EAX,-1
100012DA A3 60670010 MOV DWORD PTR DS:[10006760],EAX
100012DF 0F85 65020000 JNZ 1000154A ; jumps
100012E5 68 3F000F00 PUSH 0F003F
100012EA 6A 00 PUSH 0
100012EC 6A 00 PUSH 0
100012EE FF15 00500010 CALL DWORD PTR DS:[10005000]
100012F4 8BD8 MOV EBX,EAX
100012F6 85DB TEST EBX,EBX
100012F8 75 11 JNZ SHORT 1000130B
100012FA 5F POP EDI
100012FB 5E POP ESI
100012FC 5D POP EBP
100012FD 66:0D FFFF OR AX,0FFFF
10001301 5B POP EBX
10001302 81C4 7C020000 ADD ESP,27C
10001308 C2 2400 RETN 24
----
10001540 C2 2400 RETN 24
10001543 8BBC24 90020000 MOV EDI,DWORD PTR SS:[ESP+290] ; jumps to here
1000154A 8B8C24 94020000 MOV ECX,DWORD PTR SS:[ESP+294]
10001551 8B8424 9C020000 MOV EAX,DWORD PTR SS:[ESP+29C]
10001558 8B9424 98020000 MOV EDX,DWORD PTR SS:[ESP+298]
1000155F 894C24 24 MOV DWORD PTR SS:[ESP+24],ECX
10001563 8B8C24 A0020000 MOV ECX,DWORD PTR SS:[ESP+2A0]
1000156A 894424 2C MOV DWORD PTR SS:[ESP+2C],EAX
1000156E 8B8424 A8020000 MOV EAX,DWORD PTR SS:[ESP+2A8]
10001575 894C24 30 MOV DWORD PTR SS:[ESP+30],ECX
10001579 8B8C24 AC020000 MOV ECX,DWORD PTR SS:[ESP+2AC]
10001580 895424 28 MOV DWORD PTR SS:[ESP+28],EDX
10001584 8B9424 A4020000 MOV EDX,DWORD PTR SS:[ESP+2A4]
1000158B 894424 38 MOV DWORD PTR SS:[ESP+38],EAX
1000158F 894C24 3C MOV DWORD PTR SS:[ESP+3C],ECX
10001593 8D4424 48 LEA EAX,DWORD PTR SS:[ESP+48]
10001597 895424 34 MOV DWORD PTR SS:[ESP+34],EDX
1000159B 8B9424 B0020000 MOV EDX,DWORD PTR SS:[ESP+2B0]
100015A2 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
100015A6 81E7 FFFF0000 AND EDI,0FFFF
100015AC 50 PUSH EAX
100015AD 51 PUSH ECX
100015AE 897C24 28 MOV DWORD PTR SS:[ESP+28],EDI
100015B2 895424 48 MOV DWORD PTR SS:[ESP+48],EDX
100015B6 E8 45FAFFFF CALL RYDLL32.10001000
100015BB 83C4 08 ADD ESP,8
100015BE 8D5424 44 LEA EDX,DWORD PTR SS:[ESP+44]
100015C2 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
100015C6 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48]
100015CA 6A 00 PUSH 0
100015CC 52 PUSH EDX
100015CD 8B15 60670010 MOV EDX,DWORD PTR DS:[10006760]
100015D3 6A 02 PUSH 2
100015D5 50 PUSH EAX
100015D6 6A 28 PUSH 28
100015D8 51 PUSH ECX
100015D9 68 00E410A4 PUSH A410E400
100015DE 52 PUSH EDX
100015DF FF15 30500010 CALL DWORD PTR DS:[<&KERNEL32.DeviceIoCo>; low-level call
100015E5 85C0 TEST EAX,EAX
100015E7 75 11 JNZ SHORT RYDLL32.100015FA ; jumps
100015E9 5F POP EDI
100015EA 5E POP ESI
100015EB 5D POP EBP
100015EC 66:0D FFFF OR AX,0FFFF
100015F0 5B POP EBX
100015F1 81C4 7C020000 ADD ESP,27C
100015F7 C2 2400 RETN 24
100015FA 66:8B4424 10 MOV AX,WORD PTR SS:[ESP+10] ; jumps to here
Here, change the dongle's return value to: MOV AX,0
100015FF 5F POP EDI
10001600 5E POP ESI
10001601 5D POP EBP
10001602 5B POP EBX
10001603 81C4 7C020000 ADD ESP,27C
10001609 C2 2400 RETN 24
1000160C 90 NOP
-----------------------------------------------------------------------------------
Save the modified file RYDLL32.DLL and copy the modified RYDLL32.DLL into the installation directory, and that's it.
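For developers integrating a dongle: the listing shows the application deciding everything from one 16-bit status word returned through a replaceable wrapper DLL (CMP WORD PTR SS:[EBP-154],0). The C program below is an added example, not code from the original post or from the Rockey SDK; every name in it (dongle_fn, toy_transform, provision and so on) is hypothetical and the "device" is simulated. It contrasts a status-only check with one that binds the decision to a challenge-response answer only the device can compute.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wrapper interface: returns 0 on success, writes a response. */
typedef uint16_t (*dongle_fn)(uint32_t challenge, uint32_t *response);

/* Toy keyed transform standing in for an on-device algorithm.
 * Illustration only; it is NOT a real cipher. */
static uint32_t toy_transform(uint32_t key, uint32_t x) {
    uint32_t v = x ^ key;
    for (int i = 0; i < 4; i++) {
        v = ((v << 5) | (v >> 27)) + key;
        v ^= v >> 13;
    }
    return v;
}

/* Constructed secret; in this model it exists only inside the device. */
#define DEVICE_SECRET 0x5A17C0DEu

/* Simulated genuine device: answers the challenge and reports success. */
static uint16_t genuine_dongle(uint32_t challenge, uint32_t *response) {
    *response = toy_transform(DEVICE_SECRET, challenge);
    return 0;
}

/* Simulated wrapper that reports success (0) with no device behind it:
 * the output buffer is left untouched. */
static uint16_t forced_zero_wrapper(uint32_t challenge, uint32_t *response) {
    (void)challenge;
    (void)response;
    return 0;
}

/* Weak pattern, same shape as the listing: the status word is the
 * entire licence decision. */
static int check_status_only(dongle_fn call) {
    uint32_t ignored = 0;
    return call(0, &ignored) == 0;
}

struct pair { uint32_t challenge, expected; };

/* Build-time step (vendor side, real device attached): record
 * challenge/response pairs so the shipped program never holds the secret.
 * Pairs whose answer equals the zero-initialised buffer are skipped. */
static void provision(struct pair *t, size_t n, dongle_fn genuine) {
    uint32_t c = 0x01234567u;
    for (size_t i = 0; i < n; i++) {
        do {
            c = c * 1664525u + 1013904223u;   /* vary the challenge */
            genuine(c, &t[i].expected);
        } while (t[i].expected == 0);
        t[i].challenge = c;
    }
}

/* Stronger pattern: success requires the correct answer to a challenge
 * picked from the table, not just a zero status. */
static int check_challenge_response(dongle_fn call, const struct pair *t,
                                    size_t n, size_t pick) {
    uint32_t resp = 0;
    const struct pair *p = &t[pick % n];
    if (call(p->challenge, &resp) != 0)
        return 0;
    return resp == p->expected;
}

int main(void) {
    struct pair table[8];
    provision(table, 8, genuine_dongle);
    printf("status-only, genuine device : %d\n",
           check_status_only(genuine_dongle));
    printf("status-only, forced zero    : %d\n",
           check_status_only(forced_zero_wrapper));
    printf("challenge,   genuine device : %d\n",
           check_challenge_response(genuine_dongle, table, 8, 3));
    printf("challenge,   forced zero    : %d\n",
           check_challenge_response(forced_zero_wrapper, table, 8, 3));
    return 0;
}
```

A design that uses the response as key material for data the program needs, instead of comparing it, leaves no single comparison to protect; verifying the wrapper DLL's signature or digest before loading it is a complementary control.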