[抓紧小长假的尾巴] 分析一个KeyFileMe
系统 : Windows xp
程序 : keyfileme
程序下载地址 :http://pan.baidu.com/s/1qYVfvu0
要求 : 编写KeyFile
使用工具 : OD
可在看雪论坛中查找关于此程序的破文:传送门
趁着小长假还没结束,赶紧来个 CM 暖暖手。废话不多说,直接用 DIE(Detect It Easy)查看程序。
提示MASM编写,没有保护壳。
再用 OD 载入,查找程序引用的字符串,找到关键字符串 "no keyfile found!",跟到它的引用处:
; Dispatch on the keyfile status byte (fragment: the enclosing routine starts
; before 0040113E and continues past 004011B6, neither end is shown here).
; The routine at 00401333 (listed below) reads keyfile.dat and stores a result
; code in the global byte at [40602C]; each code is mapped here to one message
; passed to SetWindowTextA. Codes: 1 = open failed, 2 = wrong size,
; 3 = digest mismatch, 4 = accepted.
0040113E . E8 F0010000 call 00401333                    ; read + validate keyfile.dat, writes [40602C]
00401143 . 803D 2C604000>cmp byte ptr [40602C], 1       ; 1: CreateFileA returned INVALID_HANDLE_VALUE
0040114A . 74 20 je short 0040116C
0040114C . 803D 2C604000>cmp byte ptr [40602C], 2       ; 2: GetFileSize != 0x20
00401153 . 74 2C je short 00401181
00401155 . 803D 2C604000>cmp byte ptr [40602C], 3       ; 3: lstrcmpA mismatch
0040115C . 74 38 je short 00401196
0040115E . 803D 2C604000>cmp byte ptr [40602C], 4       ; 4: lstrcmpA returned 0
00401165 . 74 44 je short 004011AB
00401167 . E9 C1010000 jmp 0040132D                     ; any other value: no message at all
0040116C > 68 51624000 push 00406251 ; /no keyfile found!
00401171 . FF35 76604000 push dword ptr [406076] ; |hWnd = NULL
00401177 . E8 5A030000 call <jmp.&user32.SetWindowTextA> ; \SetWindowTextA
0040117C . E9 AC010000 jmp 0040132D
00401181 > 68 63624000 push 00406263 ; /wrong size!
00401186 . FF35 76604000 push dword ptr [406076] ; |hWnd = NULL
0040118C . E8 45030000 call <jmp.&user32.SetWindowTextA> ; \SetWindowTextA
00401191 . E9 97010000 jmp 0040132D
00401196 > 68 6F624000 push 0040626F ; /invalid keyfile!
0040119B . FF35 76604000 push dword ptr [406076] ; |hWnd = NULL
004011A1 . E8 30030000 call <jmp.&user32.SetWindowTextA> ; \SetWindowTextA
004011A6 . E9 82010000 jmp 0040132D
004011AB > 68 09604000 push 00406009 ; /registered! good job!
004011B0 . FF35 76604000 push dword ptr [406076] ; |hWnd = NULL
004011B6 . E8 1B030000 call <jmp.&user32.SetWindowTextA> ; \SetWindowTextA
可见提示信息只取决于状态字节 [40602C],而它是由 0040113E 处的 call 00401333 写入的(1 = 未找到文件,2 = 长度错误,3 = 校验失败,4 = 注册成功)。右击该 call 指令,选择 Follow 进入:
; Keyfile check (00401333 .. 004014A4). Opens keyfile.dat, requires a size of
; exactly 0x20 bytes, reads bytes 0..15 into the name field at 0040603E and
; (via a second open + overlapped read) the next 16 bytes into the digest field
; at 0040604E, strips trailing spaces from both fields, and compares the digest
; field with wsprintfA(fmt, hash(name)) where
;     hash(name) = sum over each byte c of ((c + 0x0F) ^ 0x20), times 0x7A69.
; Result code written to byte [40602C]: 1 = open failed, 2 = wrong size,
; 3 = mismatch, 4 = ok. Control flow is not linear: first half -> jump to the
; hash at 0040145C -> jump back to 004013BB for the second half -> compare.
00401333 /$ 6A 00 push 0 ; /hTemplateFile = NULL
00401335 |. 68 80000000 push 80 ; |Attributes = NORMAL
0040133A |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040133C |. 6A 00 push 0 ; |pSecurity = NULL
0040133E |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401340 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401345 |. 68 32604000 push 00406032 ; |keyfile.dat
0040134A |. E8 93010000 call <jmp.&kernel32.CreateFileA> ; \CreateFileA
0040134F |. A3 62604000 mov dword ptr [406062], eax ; global file handle
00401354 |. 83F8 FF cmp eax, -1 ; INVALID_HANDLE_VALUE?
00401357 |. 0F84 DB000000 je 00401438 ; -> code 1 (no keyfile found)
0040135D |. 6A 00 push 0 ; /pFileSizeHigh = NULL
0040135F |. FF35 62604000 push dword ptr [406062] ; |hFile = NULL
00401365 |. E8 8A010000 call <jmp.&kernel32.GetFileSize> ; \GetFileSize
0040136A |. 83F8 20 cmp eax, 20 ; size must be exactly 32 bytes (0x20); a trailing newline added by an editor makes it 33
0040136D |. 0F85 CE000000 jnz 00401441 ; -> code 2 (wrong size); otherwise read the first 16 bytes
00401373 |. 6A 00 push 0 ; /pOverlapped = NULL
00401375 |. 68 48634000 push 00406348 ; |pBytesRead = keyfilem.00406348
0040137A |. 6A 10 push 10 ; |BytesToRead = 10 (16.)
0040137C |. 68 3E604000 push 0040603E ; |Buffer = keyfilem.0040603E  (name field)
00401381 |. FF35 62604000 push dword ptr [406062] ; |hFile = NULL
00401387 |. E8 86010000 call <jmp.&kernel32.ReadFile> ; \ReadFile
0040138C |. FF35 62604000 push dword ptr [406062] ; /hObject = NULL
00401392 |. E8 45010000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00401397 |. 33C9 xor ecx, ecx
00401399 |. 33D2 xor edx, edx
0040139B |. BA 0F000000 mov edx, 0F ; start at the last byte of the 16-byte field
; Trailing-space trim for the name field: walk backwards from offset 15 and
; overwrite each 0x20 with NUL so the field becomes a C string for lstrlenA.
; NOTE(review): edx has no lower bound here; a field of 16 spaces would keep
; walking below the buffer start — not verified in this listing.
004013A0 |> 0FBE8A 3E6040>/movsx ecx, byte ptr [edx+40603E] ; load byte (sign-extended) at name[edx]
004013A7 |. 4A |dec edx
004013A8 |. 83F9 20 |cmp ecx, 20 ; is it a space?
004013AB |. 75 09 |jnz short 004013B6 ; first non-space from the end: stop trimming
004013AD |. C682 3F604000>|mov byte ptr [edx+40603F], 0 ; edx already decremented, so this NULs the byte just tested
004013B4 |.^ EB EA \jmp short 004013A0
004013B6 |> E9 A1000000 jmp 0040145C ; -> hash the name field (returns via jmp 004013BB)
; Second open of the same file to fetch the digest field.
; NOTE(review): unlike the first open, this handle is never compared with -1;
; if the file disappears between the two opens, ReadFile gets an invalid
; handle and the comparison below runs on whatever is already in 0040604E.
004013BB |> 6A 00 push 0 ; /hTemplateFile = NULL
004013BD |. 68 80000000 push 80 ; |Attributes = NORMAL
004013C2 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004013C4 |. 6A 00 push 0 ; |pSecurity = NULL
004013C6 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
004013C8 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
004013CD |. 68 32604000 push 00406032 ; |keyfile.dat
004013D2 |. E8 0B010000 call <jmp.&kernel32.CreateFileA> ; \CreateFileA
004013D7 |. A3 62604000 mov dword ptr [406062], eax ; read the second half of the file
004013DC |. 68 A7624000 push 004062A7 ; /pOverlapped = keyfilem.004062A7  (OVERLAPPED struct, contents not shown; presumably Offset = 0x10 so this read covers bytes 16..31 — confirm in the data section)
004013E1 |. 68 48634000 push 00406348 ; |pBytesRead = keyfilem.00406348
004013E6 |. 6A 10 push 10 ; |BytesToRead = 10 (16.)
004013E8 |. 68 4E604000 push 0040604E ; |Buffer = keyfilem.0040604E  (digest field)
004013ED |. FF35 62604000 push dword ptr [406062] ; |hFile = NULL
004013F3 |. E8 1A010000 call <jmp.&kernel32.ReadFile> ; \ReadFile
004013F8 |. FF35 62604000 push dword ptr [406062] ; /hObject = NULL
004013FE |. E8 D9000000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00401403 |. 33C9 xor ecx, ecx
00401405 |. 33D2 xor edx, edx
00401407 |. BA 0F000000 mov edx, 0F
; Same trailing-space trim, this time on the digest field (same unbounded walk).
0040140C |> 0FBE8A 4E6040>/movsx ecx, byte ptr [edx+40604E] ; strip the padding spaces from the end
00401413 |. 4A |dec edx
00401414 |. 83F9 20 |cmp ecx, 20
00401417 |. 75 09 |jnz short 00401422
00401419 |. C682 4F604000>|mov byte ptr [edx+40604F], 0
00401420 |.^ EB EA \jmp short 0040140C
; Compare the digest field with the formatted hash. lstrcmpA is case-sensitive,
; so the hex letters in the file must match the case produced by the wsprintfA
; format string at 00406284.
00401422 |> 68 87624000 push 00406287 ; /String2 = ""  (formatted hash written by wsprintfA below)
00401427 |. 68 4E604000 push 0040604E ; |String1 = ""  (digest field from the file)
0040142C |. E8 ED000000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA
00401431 |. 83F8 00 cmp eax, 0
00401434 |. 74 1D je short 00401453 ; equal -> code 4
00401436 |. 75 12 jnz short 0040144A ; otherwise -> code 3
00401438 |> C605 2C604000>mov byte ptr [40602C], 1 ; no keyfile found
0040143F |. EB 63 jmp short 004014A4
00401441 |> C605 2C604000>mov byte ptr [40602C], 2 ; wrong size
00401448 |. EB 5A jmp short 004014A4
0040144A |> C605 2C604000>mov byte ptr [40602C], 3 ; invalid keyfile
00401451 |. EB 51 jmp short 004014A4
00401453 |> C605 2C604000>mov byte ptr [40602C], 4 ; registered
0040145A |. EB 48 jmp short 004014A4
; Hash of the name field. lstrlenA relies on the NUL written by the trim loop;
; when the name fills all 16 bytes the terminator would have to come from the
; byte at 0040604E (the digest buffer, not yet read at this point) — presumably
; zero-initialized data, not verified here.
0040145C |> 53 push ebx
0040145D |. 57 push edi
0040145E |. 68 3E604000 push 0040603E ; /String = ""
00401463 |. E8 BC000000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00401468 |. 8BD0 mov edx, eax ; edx = name length
0040146A |. 33C9 xor ecx, ecx ; ecx = byte index
0040146C |. 33DB xor ebx, ebx ; ebx = running sum
; Do-while over the name bytes: ebx += (c + 0x0F) ^ 0x20 for each byte c.
; NOTE(review): the compare is after the increment, so a zero-length name
; (1 != 0) would not exit on the first pass — edge case, not verified.
0040146E |> 0FB681 3E6040>/movzx eax, byte ptr [ecx+40603E] ; c = name[ecx] (zero-extended)
00401475 |. 83C0 0F |add eax, 0F
00401478 |. 83F0 20 |xor eax, 20
0040147B |. 03D8 |add ebx, eax
0040147D |. 41 |inc ecx ; next byte
0040147E |. 3BCA |cmp ecx, edx ; all bytes consumed?
00401480 |.^ 75 EC \jnz short 0040146E
00401482 |. 33C9 xor ecx, ecx
00401484 |. 69DB 697A0000 imul ebx, ebx, 7A69 ; sum * 0x7A69 (31337)
0040148A |. 53 push ebx ; /<%X>
0040148B |. 68 84624000 push 00406284 ; |%x  (format string; the listing shows "%x" here and "<%X>" on the argument — the working key in this post uses uppercase hex, which only passes lstrcmpA if the bytes at 00406284 are really "%X"; check them)
00401490 |. 68 87624000 push 00406287 ; |s = keyfilem.00406287  (output buffer compared at 00401422)
00401495 |. E8 0C000000 call <jmp.&user32.wsprintfA> ; \wsprintfA
0040149A |. 83C4 0C add esp, 0C ; cdecl: caller pops the 3 arguments
0040149D |. 5F pop edi
0040149E |. 5B pop ebx
0040149F |.^ E9 17FFFFFF jmp 004013BB ; now fetch and compare the second half of the file
004014A4 \> C3 retn
KeyFile 长度必须恰好为 32 字节:前 16 字节是用户名,后 16 字节是校验值,两段不足的部分用空格(0x20)补齐,程序会先去掉每段末尾的空格再使用。校验值的算法是:对用户名的每个字节 c 计算 (c + 0x0F) ^ 0x20 并求和,再乘以 0x7A69,用 wsprintfA 格式化成十六进制字符串,最后与文件后半段做 lstrcmpA 比较。注意 lstrcmpA 区分大小写,文件里十六进制字母的大小写必须与程序的格式串一致(下面给出的 KeyFile 用的是大写)。
给出可用的 KeyFile 内容(用十六进制编辑器写入,共 32 字节,末尾不能有换行,否则长度变成 33 会提示 wrong size!):
DreamCracker 26F86D8 —— 即 "DreamCracker"(12 字节)后补 4 个空格凑满 16 字节,再接 "26F86D8"(7 字节)后补 9 个空格凑满 32 字节。验算:"DreamCracker" 各字节经 (c + 0x0F) ^ 0x20 求和得 1304,1304 × 0x7A69 = 0x26F86D8。
运行效果:
[抓紧小长假的尾巴] 分析一个KeyFileMe