Tracking and Analysis Technology of VB Programs

Source: Internet
Author: User

Text/figures: laoxuetong
==========================================
I have said in my previous articles that many of my friends are afraid of tracing software written in VB. I think it is because the code compiled from VB is too long, and the so-called key code cannot be spotted among what looks like junk code. The reasons are as follows.
1) In code compiled by VB, the arithmetic code, event-handling code and property-setting code are not placed directly in the main program; instead, the work is handed over to library functions in a "delegation" style.
2) Before "delegating", VB often has to do a lot of preparatory work to make sure the delegated operation can proceed smoothly.
3) Unicode encoding is used throughout VB, which makes searching for key strings difficult.
4) Compiled VB code generally does not call the core API directly; when it is needed, the call usually goes through a library function (an indirect call). As a result, many familiar operations cannot be seen directly in VB code, which causes unnecessary panic.
5) In code compiled by VB, a lot of the data being operated on cannot be observed directly, because VB usually keeps data in a structure rather than behind a plain pointer. When VB operates on data, the head of the structure is supplied rather than the address of the data itself. OD (OllyDbg) does not parse these structures well, so it is often unclear what a function does and which object it works on.
However, I do not think this is so difficult. Each step in VB leaves a clear mark, and the function names are clearly visible in OD. Most of these names match the functions you use when programming in VB, so they are easy to recognise. You only need to work out the specific object each operation acts on.
Of course, you need to know which object an operation acts on, but you do not need to chase every one of them. Sometimes you need to trace into the library function, but not every time. Library functions are also a sea of code; if every line were traced, you would simply be exhausted. Fortunately, library functions also have clear internal marks. Before deciding on the next step, you may wish to scroll through the code to decide when to "step into" and when to "step over".
It is also important to memorise the form and meaning of these functions. Learning without memorising does not succeed, and neither does reading code. Besides, many of these functions are rarely used in ordinary programming, or not used at all.
Of course, not all of them need to be remembered. If you have a little English and a little programming knowledge, you can think things through and "start work" without memorising anything. However, the more you know, the better; that is a truth that cannot be broken.

Tracking and Analysis Technology
Some people think it is difficult, so this article does not use other people's software as the example. Instead it writes its own script and plays it out, studying VB tracing technique by putting the source code, the code as it leaves the compiler, and the compiled (linked) code side by side.
[Example 1] Data transfer between variables
Suppose we have three variables named b1, b2 and b3 in sequence, and set their types to Long or String as needed.
In the first case, the three variables are of type Long, and the source code is as follows.
Private Sub Command1_Click()
Dim b1, b2, b3 As Long

b1 = 12345678
b2 = b1
b3 = b2
Text1 = b3
End Sub

The above code is compiled into the following assembly code.

; 36: Private Sub Command1_Click()
push ebp
mov ebp, esp
sub esp, 12 ; 0000000cH
push OFFSET FLAT:___vbaExceptHandler
mov eax, DWORD PTR fs:__except_list
push eax
mov DWORD PTR fs:__except_list, esp
sub esp, 80 ; 00000050H
push ebx
push esi
push edi
mov DWORD PTR __$SEHRec$[ebp+8], esp
mov DWORD PTR __$SEHRec$[ebp+12], OFFSET FLAT:$S33
mov esi, DWORD PTR _Me$[ebp]
mov eax, esi
and eax, 1
mov DWORD PTR __$SEHRec$[ebp+16], eax
and esi, -2 ; fffffffeH
push esi
mov DWORD PTR _Me$[ebp], esi
mov ecx, DWORD PTR [esi]
call DWORD PTR [ecx+4]
xor edi, edi

Let's take a look. A lot of preparation is done before the real work starts. In fact, the variables have already been defined. Where? I can't see it either.

; 37: Dim b1, b2, b3 As Long
; 38:
; 39: b1 = 12345678

Let's look at the first assignment below.

lea edx, DWORD PTR _unnamed_var1$[ebp]
mov DWORD PTR _unnamed_var1$[ebp], edi
lea ecx, DWORD PTR _b1$[ebp]
mov DWORD PTR _b1$[ebp], edi
mov DWORD PTR _b2$[ebp], edi
mov DWORD PTR _unnamed_var1$[ebp], edi
mov DWORD PTR _unnamed_var1$[ebp], edi
mov DWORD PTR _unnamed_var1$[ebp+8], 12345678 ; 00bc614eH
mov DWORD PTR _unnamed_var1$[ebp], 3
call DWORD PTR __imp____vbaVarMove

What happens after the assignment?

; 40: b2 = b1

The following is the transfer process between variables.

lea edx, DWORD PTR _b1$[ebp]
lea ecx, DWORD PTR _b2$[ebp]
call DWORD PTR __imp____vbaVarCopy

Can you see which method is used?

; 41: b3 = b2

Next is the transfer between the second pair of variables.

lea edx, DWORD PTR _b2$[ebp]
push edx
call DWORD PTR __imp____vbaI4Var
mov ebx, eax

How is it implemented?

; 42: Text1 = b3

Let's look at how the integer is converted into a string. Which line looks the most suspicious?

mov eax, DWORD PTR [esi]
push esi
call DWORD PTR [eax+764]
lea ecx, DWORD PTR _unnamed_var1$[ebp]
push eax
push ecx
call DWORD PTR __imp____vbaObjSet
mov esi, eax
push ebx
mov edx, DWORD PTR [esi]
mov DWORD PTR -100+[ebp], edx
call DWORD PTR __imp____vbaStrI4
mov edx, eax
lea ecx, DWORD PTR _unnamed_var1$[ebp]
call DWORD PTR __imp____vbaStrMove
mov edx, DWORD PTR -100+[ebp]
push eax
push esi
call DWORD PTR [edx+164]
cmp eax, edi
fnclex
jge SHORT $L59
push 164 ; 000000a4H
push OFFSET FLAT:___vba@001E08B4
push esi
push eax
call DWORD PTR __imp____vbaHresultCheckObj
$L59:
lea ecx, DWORD PTR _unnamed_var1$[ebp]
call DWORD PTR __imp____vbaFreeStr
lea ecx, DWORD PTR _unnamed_var1$[ebp]
call DWORD PTR __imp____vbaFreeObj
; 43: End Sub

The above is the code as it leaves the compiler, before linking. If necessary, you can use OD to find the same spot. For example:

00401BD7 MOV DWORD PTR SS:[EBP-48], 0BC614E

However, compare the code before and after and you will see that it has changed, because this is the code after linking. The complete listing of the same code, for comparison, is as follows.

00401B80 PUSH EBP
00401B81 MOV EBP, ESP
00401B83 SUB ESP, 0C
00401B86 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00401B8B MOV EAX, DWORD PTR FS:[0]
00401B91 PUSH EAX
00401B92 MOV DWORD PTR FS:[0], ESP
00401B99 SUB ESP, 50
00401B9C PUSH EBX
00401B9D PUSH ESI
00401B9E PUSH EDI
00401B9F MOV DWORD PTR SS:[EBP-C], ESP
00401BA2 MOV DWORD PTR SS:[EBP-8], example 1.004010A0
00401BA9 MOV ESI, DWORD PTR SS:[EBP+8]
00401BAC MOV EAX, ESI
00401BAE AND EAX, 1
00401BB1 MOV DWORD PTR SS:[EBP-4], EAX
00401BB4 AND ESI, FFFFFFFE
00401BB7 PUSH ESI
00401BB8 MOV DWORD PTR SS:[EBP+8], ESI
00401BBB MOV ECX, DWORD PTR DS:[ESI]
00401BBD CALL DWORD PTR DS:[ECX+4]
00401BC0 XOR EDI, EDI
00401BC2 LEA EDX, DWORD PTR SS:[EBP-50]
00401BC5 MOV DWORD PTR SS:[EBP-50], EDI
00401BC8 LEA ECX, DWORD PTR SS:[EBP-24]
00401BCB MOV DWORD PTR SS:[EBP-24], EDI
00401BCE MOV DWORD PTR SS:[EBP-34], EDI
00401BD1 MOV DWORD PTR SS:[EBP-3C], EDI
00401BD4 MOV DWORD PTR SS:[EBP-40], EDI
00401BD7 MOV DWORD PTR SS:[EBP-48], 0BC614E
Here is the value assigned to variable b1.
00401BDE MOV DWORD PTR SS:[EBP-50], 3
00401BE5 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove

The assignment is complete after this call. Remember this function name; it is an important breakpoint for VB tracing (I will explain later).
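As an added example (not code from the original article), here is a small Python decoder for the 16-byte 32-bit VARIANT structure that the listing above fills at `_unnamed_var1$[ebp]` (`[EBP-50]` after linking): the type tag 3 (VT_I4) goes to offset 0 and the literal 12345678 to offset 8, and only then is __vbaVarMove called. The sample bytes are constructed to reproduce those two stores; feed it bytes copied from OD's stack dump to read Variants that OD does not parse for you.

```python
import struct

# VARTYPE tags used by the VB6 runtime (values from the OLE Automation headers)
VT_EMPTY, VT_I2, VT_I4, VT_R4, VT_R8, VT_BSTR, VT_BOOL = 0, 2, 3, 4, 5, 8, 11
VT_NAMES = {VT_EMPTY: "VT_EMPTY", VT_I2: "VT_I2", VT_I4: "VT_I4", VT_R4: "VT_R4",
            VT_R8: "VT_R8", VT_BSTR: "VT_BSTR", VT_BOOL: "VT_BOOL"}


def decode_variant(raw: bytes):
    """Decode one 32-bit VARIANT: vt (WORD) at offset 0, payload union at offset 8."""
    if len(raw) < 16:
        raise ValueError("a 32-bit VARIANT is 16 bytes")
    vt = struct.unpack_from("<H", raw, 0)[0]
    name = VT_NAMES.get(vt, f"vt=0x{vt:04x}")
    if vt == VT_I4:
        value = struct.unpack_from("<i", raw, 8)[0]
    elif vt == VT_I2:
        value = struct.unpack_from("<h", raw, 8)[0]
    elif vt == VT_BOOL:
        value = struct.unpack_from("<h", raw, 8)[0] != 0   # VARIANT_TRUE is -1
    elif vt == VT_R4:
        value = struct.unpack_from("<f", raw, 8)[0]
    elif vt == VT_R8:
        value = struct.unpack_from("<d", raw, 8)[0]
    elif vt == VT_BSTR:
        # the union holds a pointer to the BSTR's UTF-16 characters; the byte
        # length sits 4 bytes before that pointer, so the stack alone cannot show it
        value = struct.unpack_from("<I", raw, 8)[0]
        name += " (pointer)"
    elif vt == VT_EMPTY:
        value = None
    else:
        value = raw[8:16].hex()   # unknown tag: show the raw payload
    return name, value


def stack_variant_from_listing():
    """Constructed sample: the 16 bytes at [EBP-50] after
    'MOV [EBP-50], 3' and 'MOV [EBP-48], 0BC614E' in the listing above
    (the remaining fields were zeroed by the earlier 'MOV ..., EDI' stores)."""
    raw = bytearray(16)
    struct.pack_into("<I", raw, 8, 0x0BC614E)   # the literal 12345678 at offset 8
    struct.pack_into("<H", raw, 0, VT_I4)       # vt = 3, written last in the listing
    return decode_variant(bytes(raw))
```

Note that in VB `Dim b1, b2, b3 As Long` types only b3 as Long; b1 and b2 are left untyped and are therefore Variants, which is why the Variant routines __vbaVarMove and __vbaVarCopy handle them and __vbaI4Var is needed to turn b2 into a Long for b3.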

00401BEB LEA EDX, DWORD PTR SS:[EBP-24]
00401BEE LEA ECX, DWORD PTR SS:[EBP-34]
00401BF1 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCopy>] ; MSVBVM60.__vbaVarCopy

A different function is used to transfer the value of b1 to b2. Have you seen the constant 12345678 anywhere here?

00401BF7 LEA EDX, DWORD PTR SS:[EBP-34]
0040
