vbaNew2产生的Nag如何移除

neu21 · 发表于 2008-9-2 18:27:03

由vbaNew2 nag的代码是：
004BE410    55          push ebp
004BE411    8BEC       mov    ebp, esp
004BE413    83EC 08    sub    esp, 8
004BE416    68 06324000 push <jmp.&MSVBVM60.__vbaExceptHandle>;  入口地址
004BE41B  |.  64:A1 0000000>mov    eax, dword ptr fs:[0]
004BE421    50          push eax
004BE422    64:8925 00000>mov    dword ptr fs:[0], esp
004BE429  |.  83EC 30    sub    esp, 30
004BE42C  |.  53          push ebx
004BE42D  |.  56          push esi
004BE42E  |.  57          push edi
004BE42F  |.  8965 F8    mov    dword ptr [ebp-8], esp
004BE432  |.  C745 FC D8274>mov    dword ptr [ebp-4], 004027D8
004BE439  |.  8B0D 14A14D00 mov    ecx, dword ptr [4DA114]
004BE43F  |.  33C0       xor    eax, eax
004BE441  |.  3BC8       cmp    ecx, eax
004BE443  |.  8945 EC    mov    dword ptr [ebp-14], eax
004BE446    66:A3 24A04D0>mov    word ptr [4DA024], ax
004BE44C    75 10       jnz    short 004BE45E
004BE44E    68 14A14D00 push 004DA114
004BE453  |.  68 085B4000 push 00405B08
004BE458  |.  FF15 94114000 call dword ptr [<&MSVBVM60.__vbaNew2>>;  MSVBVM60.__vbaNew2
004BE45E  |>  83EC 10    sub    esp, 10
004BE461  |.  B9 0A000000 mov    ecx, 0A
004BE466  |.  8BDC       mov    ebx, esp
004BE468  |.  894D DC    mov    dword ptr [ebp-24], ecx
004BE46B  |.  B8 04000280 mov    eax, 80020004
004BE470  |.  83EC 10    sub    esp, 10
004BE473  |.  890B       mov    dword ptr [ebx], ecx
004BE475  |.  8B4D D0    mov    ecx, dword ptr [ebp-30]
004BE478  |.  8BD0       mov    edx, eax
004BE47A  |.  8B35 14A14D00 mov    esi, dword ptr [4DA114]
004BE480  |.  894B 04    mov    dword ptr [ebx+4], ecx
004BE483  |.  8BCC       mov    ecx, esp
004BE485  |.  8B3E       mov    edi, dword ptr [esi]
004BE487    56          push esi
004BE488    8943 08    mov    dword ptr [ebx+8], eax
004BE48B  |.  8B45 D8    mov    eax, dword ptr [ebp-28]
004BE48E  |.  8943 0C    mov    dword ptr [ebx+C], eax
004BE491  |.  8B45 DC    mov    eax, dword ptr [ebp-24]
004BE494  |.  8901       mov    dword ptr [ecx], eax
004BE496  |.  8B45 E0    mov    eax, dword ptr [ebp-20]
004BE499  |.  8941 04    mov    dword ptr [ecx+4], eax
004BE49C  |.  8951 08    mov    dword ptr [ecx+8], edx
004BE49F  |.  8B55 E8    mov    edx, dword ptr [ebp-18]
004BE4A2  |.  8951 0C    mov    dword ptr [ecx+C], edx
004BE4A5    FF97 B0020000 call dword ptr [edi+2B0] 这个call进去后产生nag 但是不能nop 因为还有按钮在nag上
004BE4AB  |.  85C0       test eax, eax
004BE4AD  |.  DBE2       fclex
004BE4AF  |.  7D 12       jge    short 004BE4C3
004BE4B1  |.  68 B0020000 push 2B0
004BE4B6  |.  68 64D94000 push 0040D964
004BE4BB  |.  56          push esi
004BE4BC  |.  50          push eax
004BE4BD  |.  FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaHresu>;  MSVBVM60.__vbaHresultCheckObj
004BE4C3  |>  68 D2E44B00 push 004BE4D2
004BE4C8  |.  8D4D EC    lea    ecx, dword ptr [ebp-14]
004BE4CB  |.  FF15 58124000 call dword ptr [<&MSVBVM60.__vbaFreeS>;  MSVBVM60.__vbaFreeStr
004BE4D1  \.  C3          retn
004BE4D2 .  8B4D F0    mov    ecx, dword ptr [ebp-10]
004BE4D5 .  5F          pop    edi
004BE4D6 .  5E          pop    esi
004BE4D7 .  64:890D 00000>mov    dword ptr fs:[0], ecx
004BE4DE .  5B          pop    ebx
004BE4DF .  8BE5       mov    esp, ebp
004BE4E1 .  5D          pop    ebp
004BE4E2 .  C3          retn

nag里面有个按纽需要点一下才能在进程序主界面.

00417C2C . /E9 DF920900 jmp    004B0F10
00417C31    |816C24 04 AB0>sub    dword ptr [esp+4], 1AB
00417C39 . /E9 B2990900 jmp    004B15F0

这个应该是按纽事件，按纽本身有timer，nag出现必须过500.ms才能使用.点了按钮就出现下面的代码  这些应该是主程序代码.

004B15F0 > \55          push ebp
004B15F1    8BEC       mov    ebp, esp
004B15F3    83EC 0C    sub    esp, 0C
004B15F6 .  68 06324000 push <jmp.&MSVBVM60.__vbaExceptHandle>;  SE 处理程序安装
004B15FB .  64:A1 0000000>mov    eax, dword ptr fs:[0]
004B1601 .  50          push eax
004B1602 .  64:8925 00000>mov    dword ptr fs:[0], esp
004B1609 .  83EC 78    sub    esp, 78
004B160C .  53          push ebx
004B160D .  56          push esi
004B160E .  57          push edi
004B160F .  8965 F4    mov    dword ptr [ebp-C], esp
004B1612 .  C745 F8 58244>mov    dword ptr [ebp-8], 00402458
004B1619 .  8B75 08    mov    esi, dword ptr [ebp+8]
004B161C .  8BC6       mov    eax, esi
004B161E .  83E0 01    and    eax, 1
004B1621 .  8945 FC    mov    dword ptr [ebp-4], eax
004B1624 .  83E6 FE    and    esi, FFFFFFFE
004B1627 .  56          push esi
004B1628 .  8975 08    mov    dword ptr [ebp+8], esi
004B162B .  8B0E       mov    ecx, dword ptr [esi]
004B162D .  FF51 04    call dword ptr [ecx+4]
004B1630 .  8B16       mov    edx, dword ptr [esi]
004B1632 .  33C0       xor    eax, eax
004B1634 .  56          push esi
004B1635 .  8945 E4    mov    dword ptr [ebp-1C], eax
004B1638 .  8945 E0    mov    dword ptr [ebp-20], eax
004B163B .  8945 DC    mov    dword ptr [ebp-24], eax
004B163E .  8945 CC    mov    dword ptr [ebp-34], eax
004B1641 .  8945 A8    mov    dword ptr [ebp-58], eax
004B1644 .  8945 A4    mov    dword ptr [ebp-5C], eax
004B1647 .  8945 A0    mov    dword ptr [ebp-60], eax
004B164A .  FF92 EC040000 call dword ptr [edx+4EC]
004B1650 .  8B3D 8C104000 mov    edi, dword ptr [<&MSVBVM60.__vba>;  MSVBVM60.__vbaObjSet
以下省略

004B1656 .  50          push eax
004B1657 .  8D45 E0    lea    eax, dword ptr [ebp-20]
004B165A .  50          push eax
004B165B .  FFD7       call edi                            ;  <&MSVBVM60.__vbaObjSet>
004B165D .  8BD8       mov    ebx, eax
004B165F .  8D55 A0    lea    edx, dword ptr [ebp-60]

省略一部分. 如何去掉nag呢？

小生我怕怕 · 发表于 2008-9-4 21:11:25

直接把启动NAG前的跳转指向气候后窗口试试!

glassfox · 发表于 2008-9-6 15:15:40

sub
jmp
找VB的特征处。

一般都是连着的sub **X
jmp **X -----》修改这个**

		自动登录	找回密码
密码			加入我们

[求助] vbaNew2产生的Nag如何移除