keyFile 鞏固練習

系統 : Windows XP

程序 : noodles-crackme2

程序下載地址 :http://pan.baidu.com/s/1mhJ4Ems

要求 : 編寫 KeyFile

使用工具 : OD

可在看雪論壇中查找關於此程序的破文：傳送門

 

廢話少說，直接下斷點：

CreateFileA

斷在系統函數中，而後 Ctrl+K 查看調用棧，回溯到文件處理代碼：

; OllyDbg disassembly of the crackme's keyfile check.
; Flow: open "spook.key" read-only, require its size to be exactly 8 bytes, read
; those 8 bytes into the fixed buffer at 0x4035FF, transform each 32-bit half with
; a rotate plus an add/sub, and compare the results against two constants.
; Every failure path jumps to 00401557, which shows the error box and exits.
; Note: the "= NULL" annotations on pushes of dword ptr ds:[0x4035E9] are OllyDbg's
; static guesses; at runtime that slot holds the handle stored there at 004014BE.
00401499   > \6A 00         push 0x0                                 ; /hTemplateFile = NULL
0040149B   .  68 80000000   push 0x80                                ; |Attributes = NORMAL
004014A0   .  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
004014A2   .  6A 00         push 0x0                                 ; |pSecurity = NULL
004014A4   .  6A 00         push 0x0                                 ; |ShareMode = 0
004014A6   .  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
004014AB   .  68 F1354000   push noodles-.004035F1                   ; |FileName = "spook.key"
004014B0   .  E8 6F010000   call <jmp.&KERNEL32.CreateFileA>         ; \CreateFileA
; -1 is INVALID_HANDLE_VALUE: file missing / not openable -> error path
004014B5   .  83F8 FF       cmp eax,-0x1
004014B8   .  0F84 99000000 je noodles-.00401557
; keep the handle in a global so the later GetFileSize/ReadFile/CloseHandle can reuse it
004014BE   .  A3 E9354000   mov dword ptr ds:[0x4035E9],eax
004014C3   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; /hFile = NULL
004014C9   .  E8 32010000   call <jmp.&KERNEL32.GetFileType>         ; \GetFileType
004014CE   .  68 FB354000   push noodles-.004035FB                   ; /pFileSizeHigh = noodles-.004035FB
004014D3   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; |hFile = NULL
004014D9   .  E8 1C010000   call <jmp.&KERNEL32.GetFileSize>         ; \GetFileSize
004014DE   .  A3 ED354000   mov dword ptr ds:[0x4035ED],eax
; the size check is also what bounds the read below: eax (8) becomes BytesToRead,
; so the fixed 8-byte buffer at 0x4035FF cannot be overrun by a larger keyfile
004014E3   .  83F8 08       cmp eax,0x8                              ; is the file size exactly 8?
004014E6   .  75 6F         jnz Xnoodles-.00401557
004014E8   .  6A 00         push 0x0                                 ; /pOverlapped = NULL
004014EA   .  68 FB354000   push noodles-.004035FB                   ; |pBytesRead = noodles-.004035FB
004014EF   .  50            push eax                                 ; |BytesToRead
004014F0   .  68 FF354000   push noodles-.004035FF                   ; |Buffer = noodles-.004035FF
004014F5   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; |hFile = NULL
004014FB   .  E8 BE000000   call <jmp.&KERNEL32.ReadFile>            ; \ReadFile
; ReadFile returning FALSE -> error path
00401500   .  85C0          test eax,eax
00401502   .  74 53         je Xnoodles-.00401557
00401504   .  33C0          xor eax,eax
00401506   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; /hObject = NULL
0040150C   .  E8 A7000000   call <jmp.&KERNEL32.CloseHandle>         ; \CloseHandle
; eax now points at the 8 bytes read from the file: [eax] = first dword, [eax+4] = second
00401511   .  B8 FF354000   mov eax,noodles-.004035FF
; the whole "check" is two invertible steps per dword followed by a compare against
; a constant, which is why the keyfile can be reconstructed by running the steps backwards
00401516   .  C100 05       rol dword ptr ds:[eax],0x5
00401519   .  8300 0F       add dword ptr ds:[eax],0xF
0040151C   .  C148 04 07    ror dword ptr ds:[eax+0x4],0x7
00401520   .  8368 04 05    sub dword ptr ds:[eax+0x4],0x5
00401524   .  8178 04 BDD84>cmp dword ptr ds:[eax+0x4],0xC642D8BD
0040152B   .  75 2A         jnz Xnoodles-.00401557
0040152D   .  8138 FC098E2E cmp dword ptr ds:[eax],0x2E8E09FC
00401533   .  75 22         jnz Xnoodles-.00401557
; success: show the message in dialog control 0x138B
00401535   .  68 88130000   push 0x1388
0040153A   .  68 94334000   push noodles-.00403394                   ; /Text = "Your keyfile is fine happy happy joy joy"
0040153F   .  68 8B130000   push 0x138B                              ; |ControlID = 138B (5003.)
00401544   .  FF75 08       push dword ptr ss:[ebp+0x8]              ; |hWnd
00401547   .  E8 62010000   call <jmp.&USER32.SetDlgItemTextA>       ; \SetDlgItemTextA
; restores a stack pointer saved in a global and jumps back into the dialog loop
0040154C   .  8B25 BD334000 mov esp,dword ptr ds:[0x4033BD]
00401552   .^ E9 CBFDFFFF   jmp noodles-.00401322
; shared error path for every failed check above (the "Ketfile" typo is in the binary)
00401557   >  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401559   .  68 63364000   push noodles-.00403663                   ; |Title = "Error!"
0040155E   .  68 6A364000   push noodles-.0040366A                   ; |Text = "Ketfile not present

or incorrect"
00401563   .  6A 00         push 0x0                                 ; |hOwner = NULL
00401565   .  E8 4A010000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
0040156A   .  6A 01         push 0x1                                 ; /ExitCode = 1
0040156C   .  E8 5F000000   call <jmp.&KERNEL32.ExitProcess>         ; \ExitProcess

能夠看出這是一個很簡單的數據運算過程，只要反推四步便可獲得 keyfile 的內容。

如下是生成 keyfile 的 C++ 代碼：

#include <cstdint>
#include <fstream>
#include <iostream>

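namespace {

// Constants the crackme compares against after transforming the two 32-bit
// words it reads from "spook.key" (see the disassembly at 00401524/0040152D).
constexpr std::uint32_t kExpectedWord0 = 0x2E8E09FCu;  // word0 after rol 5, add 0xF
constexpr std::uint32_t kExpectedWord1 = 0xC642D8BDu;  // word1 after ror 7, sub 5

// Rotate a 32-bit value left by n bits, 0 < n < 32.
constexpr std::uint32_t rotl32(std::uint32_t v, unsigned n) {
    return (v << n) | (v >> (32u - n));
}

// Rotate a 32-bit value right by n bits, 0 < n < 32.
constexpr std::uint32_t rotr32(std::uint32_t v, unsigned n) {
    return (v >> n) | (v << (32u - n));
}

// Write `word` as four little-endian bytes. The crackme reads the file as
// `dword ptr` on x86, so the byte order on disk must be little-endian no
// matter which host this generator runs on (the original relied on the host's
// in-memory layout by writing the raw `unsigned int`).
void put_le32(std::ofstream& out, std::uint32_t word) {
    const char bytes[4] = {
        static_cast<char>(word & 0xFFu),
        static_cast<char>((word >> 8) & 0xFFu),
        static_cast<char>((word >> 16) & 0xFFu),
        static_cast<char>((word >> 24) & 0xFFu),
    };
    out.write(bytes, sizeof bytes);
}

}  // namespace

// Generates "spook.key" in the current directory.
// Returns 0 on success, 1 if the file could not be opened or written.
// Portable replacement for the MSVC-only 32-bit `__asm` block: the inverse
// transform is expressed in plain C++ instead of inline x86.
int main() {
    // Invert the crackme's check: it computes rol(w0,5)+0xF and ror(w1,7)-5,
    // so undo the add/sub first, then the rotate.
    const std::uint32_t word0 = rotr32(kExpectedWord0 - 0xFu, 5);
    const std::uint32_t word1 = rotl32(kExpectedWord1 + 0x5u, 7);

    std::ofstream out("spook.key", std::ios::out | std::ios::binary | std::ios::trunc);
    if (!out.is_open()) {
        // Error text goes to stderr; the original wrote it to stdout and still exited 0.
        std::cerr << "Open file failed." << '\n';
        return 1;
    }
    put_le32(out, word0);
    put_le32(out, word1);
    // The stream closes itself on destruction; a failed write is reported via the exit code.
    return out.good() ? 0 : 1;
}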

給出可用的 KeyFile 內容：

4F 70 74 69 63 61 6C 21 