-
-
[原创]一个超简单的KeyFile
-
发表于:
2006-8-20 12:01
5319
-
【文章标题】: 一个超简单的KeyFile
【文章作者】: rcracker
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
PEID侦测为ASPack 2.11,用esp定律脱壳。
OD载入脱壳后的文件。下断点。
00401098 > \6A 00 PUSH 0 ; /hTemplateFile = NULL
0040109A . 68 EF204000 PUSH 1.004020EF ; |Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|NORMAL|402048
0040109F . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
004010A1 . 6A 00 PUSH 0 ; |pSecurity = NULL
004010A3 . 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004010A5 . 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004010AA . 68 E5204000 PUSH 1.004020E5 ; |[BCG].key--------------------------------文件名.
004010AF . E8 DE000000 CALL <JMP.&kernel32.CreateFileA> ; \CreateFileA
004010B4 . A3 00204000 MOV DWORD PTR DS:[402000],EAX
004010B9 . 833D 00204000>CMP DWORD PTR DS:[402000],-1 ;EAX返回-1表示文件不存在
004010C0 . 0F84 92000000 JE 1.00401158 ; 文件不存在,跳向失败
004010C6 . 6A 00 PUSH 0 ; /pOverlapped = NULL
004010C8 . 68 07214000 PUSH 1.00402107 ; |pBytesRead = 1.00402107
004010CD . 6A 0A PUSH 0A ; |BytesToRead = A (10.)
004010CF . 68 F3204000 PUSH 1.004020F3 ; |Buffer = 1.004020F3
004010D4 . FF35 00204000 PUSH DWORD PTR DS:[402000] ; |hFile = NULL
004010DA . E8 C5000000 CALL <JMP.&kernel32.ReadFile> ; \ReadFile
004010DF . 85C0 TEST EAX,EAX
004010E1 . 74 75 JE SHORT 1.00401158
004010E3 . 6A 00 PUSH 0 ; /pOverlapped = NULL
004010E5 . 68 07214000 PUSH 1.00402107 ; |pBytesRead = 1.00402107
004010EA . 6A 0A PUSH 0A ; |BytesToRead = A (10.)
004010EC . 68 FD204000 PUSH 1.004020FD ; |Buffer = 1.004020FD
004010F1 . FF35 00204000 PUSH DWORD PTR DS:[402000] ; |hFile = NULL
004010F7 . E8 A8000000 CALL <JMP.&kernel32.ReadFile> ; \ReadFile
004010FC . 85C0 TEST EAX,EAX
004010FE . 74 58 JE SHORT 1.00401158
00401100 . FF35 00204000 PUSH DWORD PTR DS:[402000] ; /hObject = NULL
00401106 . E8 93000000 CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
0040110B . 33C0 XOR EAX,EAX
0040110D . EB 04 JMP SHORT 1.00401113
0040110F . C9 LEAVE
00401110 . C2 1000 RETN 10
00401113 > 80B0 F3204000>XOR BYTE PTR DS:[EAX+4020F3],58 ;keyfile中的每个字节值分别与58相异或。
0040111A . 40 INC EAX
0040111B . 80B8 F3204000>CMP BYTE PTR DS:[EAX+4020F3],0 ;比较是否取完。
00401122 .^ 75 EF JNZ SHORT 1.00401113 ;没有继续。
00401124 . 68 F3204000 PUSH 1.004020F3 ;这里相当于假码。
下命令 dd 4020f3
004020F3 49 7A 6B 1C 0D 3E 2F D0 C1 00 00 00 00 00 00 00 Izk.>/辛.......
00402103 00 00 00 00 00 00 00 00 00 0E 00 00 00 90 00 00 ............?.
00402113 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00401129 . 68 FD204000 PUSH 1.004020FD ;这里相当于真码。
下命令 dd 4020fd
004020FD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0E ...............
0040210D 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 ...?...........
0040211D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040112E . E8 77000000 CALL <JMP.&kernel32.lstrcmp> ; \lstrcmpA-----------关键比较.
00401133 . 83F8 00 CMP EAX,0
00401136 . 74 06 JE SHORT 1.0040113E
00401138 . EB 1E JMP SHORT 1.00401158
0040113A . C9 LEAVE
0040113B . C2 1000 RETN 10
0040113E > 68 00100000 PUSH 1000 ; /Style = MB_OK|MB_SYSTEMMODAL
00401143 . 68 26204000 PUSH 1.00402026 ; |officialcrackme
00401148 . 68 BF204000 PUSH 1.004020BF ; |注册验证成功,恭喜您成功破解了这个程序
0040114D . 6A 00 PUSH 0 ; |hOwner = NULL
0040114F . E8 5C000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00401154 . C9 LEAVE
算法总结:
keyfile文件名为[BCG].KEY,其中的每个字节的值与58异或的结果都应为0,即keyfile中所有字节的值都应为58.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
