About the storage format and addressing of data in VB: which language's programs do you like to crack? I believe nobody will answer VB. It seems that the more "advanced" and "idiot-proof" a language is, the more code the compiler adds on its own and the more the intent of the source program is hidden, so the harder it is to crack (by "crack" I mean completely working out the algorithm and writing a keygen). A program written directly in ASM disassembles into something close to the source. VC output is also reasonably readable. Delphi is harder, but at least there is the excellent DeDe. And VB? The lengthy code, the complicated storage format and the DLL that covers everything are enough to make you crash. In the past VB was used by a few rookie-level programmers and their protection was very simple, so cracking a VB program was not too hard. Now it seems VB has become the language of choice for heavily packed software, programmed by people of every stripe and protected with high-difficulty algorithms and tough code. Alas! Recently I ran into several programs that were all ASProtect + VB (P-code, it seems), a depressing combination; after cracking for several days I wanted to study some VB internals, hence this article. I expect the masters have studied all this already and may not bother to write it up; please point out anything I got wrong. First let us look at the common VB data types:
Code:
Byte                         1 byte                      0 to 255
Boolean                      2 bytes                     True or False
Integer                      2 bytes                     -32,768 to 32,767
Long (long integer)          4 bytes                     -2,147,483,648 to 2,147,483,647
Single (single-precision     4 bytes                     negative: -3.402823E38 to -1.401298E-45
  floating point)                                        positive: 1.401298E-45 to 3.402823E38
Double (double-precision     8 bytes                     negative: -1.79769313486232E308 to -4.94065645841247E-324
  floating point)                                        positive: 5.94065645841247E-324 to 1.79769313486232E308
Currency                     8 bytes                     -922,337,203,685,477.5808 to 922,337,203,685,477.5807
Decimal                      14 bytes                    with no decimal point: +/-79,228,162,514,264,337,593,543,950,335
                                                         with 28 digits right of the decimal point: +/-7.922816251426437593543950335
                                                         smallest non-zero value: +/-0.000000000000000000000000000001
Date                         8 bytes                     January 1 to December 31, 9999
Object                       4 bytes                     any Object reference
String (variable length)     10 bytes + string length    0 to about 2 billion
String (fixed length)        string length               1 to about 65,400
Variant (with numbers)       16 bytes                    any numeric value, up to the range of a Double
Variant (with characters)    22 bytes + string length    same range as a variable-length String
Integer, Long, Single, Double and the like look in memory just as they do in other languages. Currency is a little special: the stored value divided by 10,000 is the real value, but it is not used much. The most troublesome is the Variant type. Because VB is designed as an idiot-proof language, it has no strict rules about data types, and variables can even be used without being declared, so in a reversed VB program a large share of the statements are type conversions. Wherever data is calculated you will see a pile of conversions, and many things, such as parameters and variables that were never declared, are Variants. This type is very important in VB, but it is also very confusing. Its layout in memory is special, and VB provides a dedicated set of functions for it (most of them carry "Var" in their names). These functions really live in oleaut32.dll but are usually called through msvbvm60.dll, for example __vbaVarTstEq, __vbaVarTstNe, __vbaVarMove, __vbaVarAdd, __vbaVarSub, VarBstrCmp and so on. The addressing of Variant variables is touched on in the book, but not in detail, so I will add a little. First we must understand that a Variant variable with no declared type really has no data type of its own; the VB compiler stores the "type information" of such variables inside the variable's own data, and while the program runs it determines the type flexibly according to how the variable is used. Take this code:
Dim Roba As Variant
Roba = 4321
Text1.Text = Roba
The program declares a Variant variable Roba (or simply does not declare it) and gives it the value 4321, so the compiler treats Roba as an Integer variable. It then assigns Roba to Text1.Text (that is, shows 4321 in a text box), and at this point the compiler immediately inserts statements that turn Roba into a string variable. (M$ really did go to some trouble here.) So how is such a variable stored? Look at the example below:
Code:
Private Sub Command1_Click()
    Dim A, B As Variant
    A = "ROBA"
    B = Text1.Text
    If A = B Then
        MsgBox "Well Done!", vbOKOnly, "CRACK"
    End If
End Sub
Disassemble it with W32Dasm and look up the string references; the following is easy to find:
Code:
:00401D49 8D45DC                  lea eax, dword ptr [ebp-24]
:00401D4C 8D4DCC                  lea ecx, dword ptr [ebp-34]
:00401D4F 50                      push eax                          ; variable A
:00401D50 51                      push ecx                          ; variable B

* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
                                  |
:00401D51 FF1540104000            call dword ptr [00401040]         ; the comparison
:00401D57 6685C0                  test ax, ax
:00401D5A 0F8484000000            je 00401DE4                       ; jump if different

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
                                  |
:00401D60 8B3D7C104000            mov edi, dword ptr [0040107C]
:00401D66 B904000280              mov ecx, 80020004                 ; DISP_E_PARAMNOTFOUND
:00401D6B 894D8C                  mov dword ptr [ebp-74], ecx
:00401D6E B80A000000              mov eax, 0000000A                 ; type 0A = VT_ERROR: a "missing" optional argument
:00401D73 894D9C                  mov dword ptr [ebp-64], ecx
:00401D76 8D9564FFFFFF            lea edx, dword ptr [ebp+FFFFFF64]
:00401D7C 8D4DA4                  lea ecx, dword ptr [ebp-5C]
:00401D7F 894584                  mov dword ptr [ebp-7C], eax
:00401D82 894594                  mov dword ptr [ebp-6C], eax

* Possible StringData Ref from Code Obj ->"CRACK"
                                  |
:00401D85 C7856CFFFFFFFC174000    mov dword ptr [ebp+FFFFFF6C], 004017FC
:00401D8F 899D64FFFFFF            mov dword ptr [ebp+FFFFFF64], ebx
:00401D95 FFD7                    call edi
:00401D97 8D9574FFFFFF            lea edx, dword ptr [ebp+FFFFFF74]
:00401D9D 8D4DB4                  lea ecx, dword ptr [ebp-4C]

* Possible StringData Ref from Code Obj ->"Well Done!"
                                  |
:00401DA0 C7857CFFFFFFE0174000    mov dword ptr [ebp+FFFFFF7C], 004017E0
:00401DAA 899D74FFFFFF            mov dword ptr [ebp+FFFFFF74], ebx
:00401DB0 FFD7                    call edi
:00401DB2 8D5584                  lea edx, dword ptr [ebp-7C]
:00401DB5 8D4594                  lea eax, dword ptr [ebp-6C]
:00401DB8 52                      push edx
:00401DB9 8D4DA4                  lea ecx, dword ptr [ebp-5C]
:00401DBC 50                      push eax
:00401DBD 51                      push ecx
:00401DBE 8D55B4                  lea edx, dword ptr [ebp-4C]
:00401DC1 56                      push esi
:00401DC2 52                      push edx

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                  |
:00401DC3 FF1528104000            call dword ptr [00401028]         ; success dialog
A very obvious comparison. I followed it in SoftICE, entered 1111 and broke at 401D51, but D EAX and D ECX showed nothing but an 08:
Code:
:d eax
016F:0063F3EC 08 00 00 00 00 00 4A 21-CC 0F 51 00 86 72 6F 17
:d ecx
016F:0063F3DC 08 00 00 00 .. .. .. ..-E0 0F 51 00 0C 00 0D 00
Of course it is not comparing two 08s; the address of the actual Unicode string is placed 8 bytes further in, that is, at 510FCC and 510FE0:
Code:
:d 510FCC
016F:00510FCC 52 00 4F 00 42 00 41 00-00 00 .. .. .. .. .. ..
016F:00510FDC 08 00 00 00 31 00 31 00-31 00 31 00 00 00 00 00
:d 510FE0
016F:00510FE0 31 00 31 00 31 00 31 00-00 00 00 00 .. .. .. ..
What does the 08 mean? Why do EAX and ECX point at such inexplicable values? My guess is that 08 is the actual type of the Variant. Let us try another type:
Code:
Private Sub Command1_Click()
    Dim B As Variant
    B = Text1.Text
    If B = 5678 Then
        MsgBox "Well Done!", vbOKOnly, "CRACK"
    End If
End Sub
Code:
:00401D13 50                      push eax
:00401D14 51                      push ecx
:00401D15 C7857CFFFFFF2E160000    mov dword ptr [ebp+FFFFFF7C], 0000162E   ; 162Eh = 5678
:00401D1F C78574FFFFFF02800000    mov dword ptr [ebp+FFFFFF74], 00008002   ; type value

* Reference To: MSVBVM60.__vbaVarTstEq, Ord:0000h
                                  |
:00401D29 FF1540104000            call dword ptr [00401040]
:00401D2F 6685C0                  test ax, ax
:00401D32 0F8484000000            je 00401DBC
At 401D29, D EAX still shows 08 and D *(EAX+8) shows the string we typed in, while D ECX shows:
Code:
:d ecx
016F:0063F384 02 80 00 00 66 24 27 06-2E 16 00 00 .. .. .. ..
You can see the 02; set it aside for the moment, and what is at ECX+8? 162E, oh~~~~ So the first byte represents the actual type of the data, the following seven bytes are for something I do not know, and the value of the data, or the address of the data, starts at the ninth byte. I have collected the various actual type codes of a Variant variable:
Code:
02  Integer   can be seen with D EAX+8, occupies two bytes
03  Long      can be seen with D EAX+8, occupies four bytes
04  Single    can be seen with DS EAX+8
05  Double    can be seen with DL EAX+8
08  String    can be seen with D *(EAX+8)
0B  Boolean   can be seen with D EAX+8, True is FFFF
11  Byte      can be seen with D EAX+8, occupies one byte
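As an added example (not from the original post), a small C decoder for the 16-byte Variant dumps above: it takes the type code from the leading word, reads the payload at the ninth byte, and for a String follows the 32-bit pointer to the length-prefixed UTF-16 text. The sample bytes are constructed from the D ECX dumps shown above (the unknown middle bytes of variable B are zeroed), and the layout assumed is the 32-bit one seen inside a VB6 process.

```c
#include <stdint.h>
#include <string.h>

/* Type codes the post tabulates: low byte of the Variant's first word. */
enum { VT_I2 = 0x02, VT_I4 = 0x03, VT_BSTR = 0x08, VT_BOOL = 0x0B, VT_UI1 = 0x11 };

/* Constructed inputs: the 16 bytes "D ECX" showed for variable B at 401D51
 * (middle bytes zeroed), "D ECX" for the literal 5678 at 401D29, and the
 * bytes at 510FDC: BSTR length prefix followed by "1111" in UTF-16LE. */
static const uint8_t DUMP_B[16]    = {0x08,0,0,0, 0,0,0,0, 0xE0,0x0F,0x51,0, 0x0C,0,0x0D,0};
static const uint8_t DUMP_5678[16] = {0x02,0x80,0,0, 0x66,0x24,0x27,0x06, 0x2E,0x16,0,0, 0,0,0,0};
static const uint8_t BSTR_1111[16] = {0x08,0,0,0, 0x31,0,0x31,0, 0x31,0,0x31,0, 0,0,0,0};

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Bits 0-11 of the leading word are the type; the high bits are flags, such as
 * the 0x8000 in "02 80" that VB attaches to the literal 5678. */
uint16_t variant_type(const uint8_t raw[16])  { return (raw[0] | raw[1] << 8) & 0x0FFF; }
uint16_t variant_flags(const uint8_t raw[16]) { return (raw[0] | raw[1] << 8) & 0xF000; }

/* Integer-class payload starts at the ninth byte, sign-extended as VB shows it. */
int64_t variant_int(const uint8_t raw[16])
{
    const uint8_t *d = raw + 8;
    switch (variant_type(raw)) {
    case VT_I2: case VT_BOOL: return (int16_t)(d[0] | d[1] << 8);  /* True is FFFF = -1 */
    case VT_I4:  return (int32_t)le32(d);
    case VT_UI1: return d[0];
    default:     return 0;
    }
}

/* For a String (08) the payload is a 32-bit pointer to the UTF-16 text (510FE0 above). */
uint32_t variant_ptr(const uint8_t raw[16]) { return le32(raw + 8); }

/* Decode a BSTR from the bytes at (pointer - 4): byte length, then UTF-16LE. */
const char *bstr_ascii(const uint8_t *mem)
{
    static char text[64];
    uint32_t i, nchars = le32(mem) / 2;
    if (nchars > sizeof text - 1) nchars = sizeof text - 1;
    for (i = 0; i < nchars; i++) {
        uint16_t cu = mem[4 + 2 * i] | mem[5 + 2 * i] << 8;
        text[i] = cu < 0x80 ? (char)cu : '?';   /* non-ASCII code units become '?' */
    }
    text[nchars] = 0;
    return text;
}
```

Feed `variant_type` and `variant_ptr` the 16 bytes a `D EAX` shows, then `bstr_ascii` the bytes starting four below the returned pointer.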
Now I will no longer be baffled when a 05 or 08 gets dumped. There is still much I do not understand, such as what the seven bytes in the middle are for, and how the virtual functions with "Var" in their names are implemented (I stepped into __vbaVarAdd and found it extremely complicated), and so on. Please point these out to help us find our way through the dark.