1、VB,无壳
2、VB Decompiler + OD
定位Check按钮事件,搜索字符串,找到“Correct password”。
; OllyDbg listing excerpt from the Check button handler (starts and ends mid-function).
; di holds the result of the serial check; the fall-through path builds the success-message strings.
0040E137 . 66:85FF test di,di
0040E13A . 0F84 2C010000 je CyberBla.0040E26C ; key jump: taken when di == 0, skipping the success-message setup below
0040E140 . BB 04000280 mov ebx,0x80020004 ; 0x80020004 = DISP_E_PARAMNOTFOUND; presumably marks an omitted optional argument - confirm
0040E145 . BF 0A000000 mov edi,0xA ; looks like a VARIANT type tag (0xA = VT_ERROR) - confirm
0040E14A . BE 08000000 mov esi,0x8 ; looks like a VARIANT type tag (0x8 = VT_BSTR) - confirm
0040E14F . 8D55 80 lea edx,dword ptr ss:[ebp-0x80] ; edx/ecx are set up for the __vbaVarDup call below
0040E152 . 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
0040E155 . 895D A8 mov dword ptr ss:[ebp-0x58],ebx
0040E158 . 897D A0 mov dword ptr ss:[ebp-0x60],edi
0040E15B . 895D B8 mov dword ptr ss:[ebp-0x48],ebx
0040E15E . 897D B0 mov dword ptr ss:[ebp-0x50],edi
0040E161 . C745 88 5C354>mov dword ptr ss:[ebp-0x78],CyberBla.004>; Correct password
0040E168 . 8975 80 mov dword ptr ss:[ebp-0x80],esi
0040E16B . FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>; MSVBVM50.__vbaVarDup
0040E171 . 8D55 90 lea edx,dword ptr ss:[ebp-0x70] ; same edx/ecx setup for the second string
0040E174 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
0040E177 . C745 98 FC344>mov dword ptr ss:[ebp-0x68],CyberBla.004>; Not bad, you have found the correct password.
0040E17E . 8975 90 mov dword ptr ss:[ebp-0x70],esi
0040E181 . FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>; MSVBVM50.__vbaVarDup
0040E187 . 8D55 A0 lea edx,dword ptr ss:[ebp-0x60]
di != 0 则弹出成功信息框。
向上查找,在 0040E11E 处有对 edi 的赋值。
; OllyDbg listing excerpt: the serial check that decides the value of edi (starts and ends mid-function).
; The entered Serial is converted to floating point, the stored key is subtracted from it, and the
; difference is compared with a constant; on equality edi is set to 1.
; The expected key is read from memory at [ebx+0x4C], so it is visible to anyone running the program in a debugger.
0040E0E8 > \8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040E0EB . 51 push ecx ; the entered Serial string, converted to floating point by the call below
0040E0EC . FF15 5C114100 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
0040E0F2 . DB43 4C fild dword ptr ds:[ebx+0x4C] ; load the correct key (32-bit integer at [ebx+0x4C]) onto the FPU stack. NOTE(review): fild dword loads a signed 32-bit integer, so a stored value above 0x7FFFFFFF loads as negative - confirm how the decimal value quoted in the write-up was read
0040E0F5 . DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8] ; store the key as a 64-bit float and pop it; presumably leaves the converted Serial in ST0
0040E0FB . DCA5 38FFFFFF fsub qword ptr ss:[ebp-0xC8] ; Serial - key
0040E101 . DFE0 fstsw ax
0040E103 . A8 0D test al,0xD ; 0xD = invalid-operation, zero-divide and overflow exception flags of the FPU status word
0040E105 . 0F85 EB030000 jnz CyberBla.0040E4F6 ; target not shown here; presumably the floating-point error path
0040E10B . FF15 14114100 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>; MSVBVM50.__vbaFpR8
0040E111 . DC1D 08104000 fcomp qword ptr ds:[0x401008] ; compare with 0.0 (the constant at 0x401008, per the write-up)
0040E117 . DFE0 fstsw ax
0040E119 . F6C4 40 test ah,0x40 ; ah bit 0x40 is C3 (set when the operands compare equal, also on unordered); if set, edi is assigned below
0040E11C . 74 05 je XCyberBla.0040E123 ; C3 clear (difference is not 0.0): skip the assignment
0040E11E . BF 01000000 mov edi,0x1 ; edi = 1: Serial equals the key
0040E123 > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040E126 . FF15 8C114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0040E12C . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040E12F . FF15 90114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0040E135 . F7DF neg edi ; 1 becomes 0xFFFFFFFF, 0 stays 0
0040E137 . 66:85FF test di,di
0040E13A . 0F84 2C010000 je CyberBla.0040E26C ; key jump: taken when di == 0 (Serial did not match)
0040E140 . BB 04000280 mov ebx,0x80020004
在 0040E0F2 处下断点,运行到此处后查看提示信息,其中的十进制值 3157561288 就是密码。