系统 : Windows xp

程序 : noodles-crackme2

程序下载地址 :http://pan.baidu.com/s/1mhJ4Ems

要求 : 编写KeyFile

使用工具 : OD

可在看雪论坛中查找关于此程序的破文:传送门

 

废话不多说,直接下断点

CreateFileA

断在系统函数中,然后ctrl+k查看调用栈,回溯到文件处理代码:

00401499   > \6A 00         push 0x0                                 ; /hTemplateFile = NULL
0040149B   .  68 80000000   push 0x80                                ; |Attributes = NORMAL
004014A0   .  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
004014A2   .  6A 00         push 0x0                                 ; |pSecurity = NULL
004014A4   .  6A 00         push 0x0                                 ; |ShareMode = 0
004014A6   .  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
004014AB   .  68 F1354000   push noodles-.004035F1                   ; |FileName = "spook.key"
004014B0   .  E8 6F010000   call <jmp.&KERNEL32.CreateFileA>         ; \CreateFileA
004014B5   .  83F8 FF       cmp eax,-0x1
004014B8   .  0F84 99000000 je noodles-.00401557
004014BE   .  A3 E9354000   mov dword ptr ds:[0x4035E9],eax
004014C3   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; /hFile = NULL
004014C9   .  E8 32010000   call <jmp.&KERNEL32.GetFileType>         ; \GetFileType
004014CE   .  68 FB354000   push noodles-.004035FB                   ; /pFileSizeHigh = noodles-.004035FB
004014D3   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; |hFile = NULL
004014D9   .  E8 1C010000   call <jmp.&KERNEL32.GetFileSize>         ; \GetFileSize
004014DE   .  A3 ED354000   mov dword ptr ds:[0x4035ED],eax
004014E3   .  83F8 08       cmp eax,0x8                              ;  大小是否等于8?
004014E6   .  75 6F         jnz Xnoodles-.00401557
004014E8   .  6A 00         push 0x0                                 ; /pOverlapped = NULL
004014EA   .  68 FB354000   push noodles-.004035FB                   ; |pBytesRead = noodles-.004035FB
004014EF   .  50            push eax                                 ; |BytesToRead
004014F0   .  68 FF354000   push noodles-.004035FF                   ; |Buffer = noodles-.004035FF
004014F5   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; |hFile = NULL
004014FB   .  E8 BE000000   call <jmp.&KERNEL32.ReadFile>            ; \ReadFile
00401500   .  85C0          test eax,eax
00401502   .  74 53         je Xnoodles-.00401557
00401504   .  33C0          xor eax,eax
00401506   .  FF35 E9354000 push dword ptr ds:[0x4035E9]             ; /hObject = NULL
0040150C   .  E8 A7000000   call <jmp.&KERNEL32.CloseHandle>         ; \CloseHandle
00401511   .  B8 FF354000   mov eax,noodles-.004035FF
00401516   .  C100 05       rol dword ptr ds:[eax],0x5
00401519   .  8300 0F       add dword ptr ds:[eax],0xF
0040151C   .  C148 04 07    ror dword ptr ds:[eax+0x4],0x7
00401520   .  8368 04 05    sub dword ptr ds:[eax+0x4],0x5
00401524   .  8178 04 BDD84>cmp dword ptr ds:[eax+0x4],0xC642D8BD
0040152B   .  75 2A         jnz Xnoodles-.00401557
0040152D   .  8138 FC098E2E cmp dword ptr ds:[eax],0x2E8E09FC
00401533   .  75 22         jnz Xnoodles-.00401557
00401535   .  68 88130000   push 0x1388
0040153A   .  68 94334000   push noodles-.00403394                   ; /Text = "Your keyfile is fine happy happy joy joy"
0040153F   .  68 8B130000   push 0x138B                              ; |ControlID = 138B (5003.)
00401544   .  FF75 08       push dword ptr ss:[ebp+0x8]              ; |hWnd
00401547   .  E8 62010000   call <jmp.&USER32.SetDlgItemTextA>       ; \SetDlgItemTextA
0040154C   .  8B25 BD334000 mov esp,dword ptr ds:[0x4033BD]
00401552   .^ E9 CBFDFFFF   jmp noodles-.00401322
00401557   >  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401559   .  68 63364000   push noodles-.00403663                   ; |Title = "Error!"
0040155E   .  68 6A364000   push noodles-.0040366A                   ; |Text = "Ketfile not present

or incorrect"
00401563   .  6A 00         push 0x0                                 ; |hOwner = NULL
00401565   .  E8 4A010000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
0040156A   .  6A 01         push 0x1                                 ; /ExitCode = 1
0040156C   .  E8 5F000000   call <jmp.&KERNEL32.ExitProcess>         ; \ExitProcess

可以看出这是一个很简单的数据运算过程,只要反推四步即可得到keyfile的内容。

以下上生成keyfile的c++代码:

#include <iostream>
#include <fstream>

using namespace std;

int main( void )
{
    unsigned int v1 = 0x2E8E09FC,v2 = 0xC642D8BD;

    __asm{
        push eax
        push ebx

        mov eax,v1
        mov ebx,v2

        sub eax,0xF
        ror eax,0x5

        add ebx,0x5
        rol ebx,0x7

        mov v1,eax
        mov v2,ebx

        pop ebx
        pop eax
    }

    ofstream out( "spook.key",ios::out | ios::binary | ios::trunc );
    if ( out.is_open() ){
        out.write( (const char *)&v1,4 );
        out.write( (const char *)&v2,4 );
    }
    else
        cout << "Open file failed." << endl;

    out.close();

    return 0;
}

给出可用的KeyFIle内容:

4F 70 74 69 63 61 6C 21