System: Windows XP
Program: noodles-crackme2
Download: http://pan.baidu.com/s/1mhJ4Ems
Goal: write a KeyFile
Tool: OD (OllyDbg)
A writeup cracking this program can also be found on the Kanxue (看雪) forum: link
Without further ado, set a breakpoint directly on
CreateFileA
It breaks inside the system function; press Ctrl+K to view the call stack and trace back to the file-handling code:
00401499 > \6A 00 push 0x0 ; /hTemplateFile = NULL
0040149B . 68 80000000 push 0x80 ; |Attributes = NORMAL
004014A0 . 6A 03 push 0x3 ; |Mode = OPEN_EXISTING
004014A2 . 6A 00 push 0x0 ; |pSecurity = NULL
004014A4 . 6A 00 push 0x0 ; |ShareMode = 0
004014A6 . 68 00000080 push 0x80000000 ; |Access = GENERIC_READ
004014AB . 68 F1354000 push noodles-.004035F1 ; |FileName = "spook.key"
004014B0 . E8 6F010000 call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA
004014B5 . 83F8 FF cmp eax,-0x1
004014B8 . 0F84 99000000 je noodles-.00401557
004014BE . A3 E9354000 mov dword ptr ds:[0x4035E9],eax
004014C3 . FF35 E9354000 push dword ptr ds:[0x4035E9] ; /hFile = NULL
004014C9 . E8 32010000 call <jmp.&KERNEL32.GetFileType> ; \GetFileType
004014CE . 68 FB354000 push noodles-.004035FB ; /pFileSizeHigh = noodles-.004035FB
004014D3 . FF35 E9354000 push dword ptr ds:[0x4035E9] ; |hFile = NULL
004014D9 . E8 1C010000 call <jmp.&KERNEL32.GetFileSize> ; \GetFileSize
004014DE . A3 ED354000 mov dword ptr ds:[0x4035ED],eax
004014E3 . 83F8 08 cmp eax,0x8 ; is the file size exactly 8?
004014E6 . 75 6F jnz Xnoodles-.00401557
004014E8 . 6A 00 push 0x0 ; /pOverlapped = NULL
004014EA . 68 FB354000 push noodles-.004035FB ; |pBytesRead = noodles-.004035FB
004014EF . 50 push eax ; |BytesToRead
004014F0 . 68 FF354000 push noodles-.004035FF ; |Buffer = noodles-.004035FF
004014F5 . FF35 E9354000 push dword ptr ds:[0x4035E9] ; |hFile = NULL
004014FB . E8 BE000000 call <jmp.&KERNEL32.ReadFile> ; \ReadFile
00401500 . 85C0 test eax,eax
00401502 . 74 53 je Xnoodles-.00401557
00401504 . 33C0 xor eax,eax
00401506 . FF35 E9354000 push dword ptr ds:[0x4035E9] ; /hObject = NULL
0040150C . E8 A7000000 call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
00401511 . B8 FF354000 mov eax,noodles-.004035FF
00401516 . C100 05 rol dword ptr ds:[eax],0x5
00401519 . 8300 0F add dword ptr ds:[eax],0xF
0040151C . C148 04 07 ror dword ptr ds:[eax+0x4],0x7
00401520 . 8368 04 05 sub dword ptr ds:[eax+0x4],0x5
00401524 . 8178 04 BDD84>cmp dword ptr ds:[eax+0x4],0xC642D8BD
0040152B . 75 2A jnz Xnoodles-.00401557
0040152D . 8138 FC098E2E cmp dword ptr ds:[eax],0x2E8E09FC
00401533 . 75 22 jnz Xnoodles-.00401557
00401535 . 68 88130000 push 0x1388
0040153A . 68 94334000 push noodles-.00403394 ; /Text = "Your keyfile is fine happy happy joy joy"
0040153F . 68 8B130000 push 0x138B ; |ControlID = 138B (5003.)
00401544 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00401547 . E8 62010000 call <jmp.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
0040154C . 8B25 BD334000 mov esp,dword ptr ds:[0x4033BD]
00401552 .^ E9 CBFDFFFF jmp noodles-.00401322
00401557 > 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401559 . 68 63364000 push noodles-.00403663 ; |Title = "Error!"
0040155E . 68 6A364000 push noodles-.0040366A ; |Text = "Ketfile not present
or incorrect"
00401563 . 6A 00 push 0x0 ; |hOwner = NULL
00401565 . E8 4A010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040156A . 6A 01 push 0x1 ; /ExitCode = 1
0040156C . E8 5F000000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
As you can see, this is a very simple data transformation: the two dwords of the file are rotated and then added to or subtracted from, and compared with constants. Reversing the four steps (subtract, rotate back, and so on, in the opposite order) yields the keyfile contents.
Below is C++ code that generates the keyfile:
#include <iostream>
#include <fstream>
using namespace std;

int main( void )
{
    // The two constants the crackme compares against at 0040152D / 00401524.
    unsigned int v1 = 0x2E8E09FC, v2 = 0xC642D8BD;

    // MSVC inline assembly (32-bit build): undo the four steps in reverse order.
    // Forward:  rol [eax],5 ; add [eax],0xF ; ror [eax+4],7 ; sub [eax+4],5
    __asm{
        push eax
        push ebx
        mov eax,v1
        mov ebx,v2
        sub eax,0xF      // undo add 0xF
        ror eax,0x5      // undo rol 5
        add ebx,0x5      // undo sub 5
        rol ebx,0x7      // undo ror 7
        mov v1,eax
        mov v2,ebx
        pop ebx
        pop eax
    }

    // Write the two dwords little-endian, exactly as ReadFile will load them.
    ofstream out( "spook.key", ios::out | ios::binary | ios::trunc );
    if ( out.is_open() ){
        out.write( (const char *)&v1, 4 );
        out.write( (const char *)&v2, 4 );
        out.close();
    }
    else
        cout << "Open file failed." << endl;
    return 0;
}
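As an added example (not code from the original writeup), the same four-step check reimplemented portably in Python, together with its inverse, so the generated keyfile can be validated against the binary's logic before it is written. The 32-bit rotates must be masked explicitly, since Python integers are unbounded.

```python
import struct

MASK32 = 0xFFFFFFFF
EXPECTED_DWORD0 = 0x2E8E09FC  # compared against [eax]   at 0040152D
EXPECTED_DWORD1 = 0xC642D8BD  # compared against [eax+4] at 00401524


def rol32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits (x86 ROL on a dword)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits (x86 ROR on a dword)."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def check_keyfile(data: bytes) -> bool:
    """Mirror the binary's validation of spook.key.

    GetFileSize must be exactly 8; the two little-endian dwords are then
    transformed in place (ROL 5 / ADD 0xF on the first, ROR 7 / SUB 5 on the
    second) and compared with the constants above.
    """
    if len(data) != 8:  # cmp eax,0x8 at 004014E3
        return False
    d0, d1 = struct.unpack("<II", data)
    d0 = (rol32(d0, 5) + 0xF) & MASK32
    d1 = (ror32(d1, 7) - 0x5) & MASK32
    return d0 == EXPECTED_DWORD0 and d1 == EXPECTED_DWORD1


def make_keyfile() -> bytes:
    """Invert the four steps to recover the 8 bytes the check accepts."""
    d0 = ror32((EXPECTED_DWORD0 - 0xF) & MASK32, 5)
    d1 = rol32((EXPECTED_DWORD1 + 0x5) & MASK32, 7)
    return struct.pack("<II", d0, d1)


if __name__ == "__main__":
    key = make_keyfile()
    assert check_keyfile(key)  # sanity check before writing anything
    print(key.hex(" ").upper(), key)  # 4F 70 74 69 63 61 6C 21 b'Optical!'
    with open("spook.key", "wb") as f:
        f.write(key)
```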
A working KeyFile (spook.key) consists of these 8 bytes:
4F 70 74 69 63 61 6C 21
We fight all the way not to change the world, but to keep the world from changing us.
from the film 《熔炉》 (Silenced)