
[抓紧小长假的尾巴] 分析一个KeyFileMe

系统 : Windows xp

程序 : keyfileme

程序下载地址 :http://pan.baidu.com/s/1qYVfvu0

要求 : 编写KeyFile

使用工具 : OD

可在看雪论坛中查找关于此程序的破文:传送门

 

趁着小长假还没结束,赶紧来个CM暖暖手。废话不多说,直接用DIE查看程序。

提示MASM编写,没有保护壳。

再用OD载入,发现关键子串:no keyfile found!

; ---------------------------------------------------------------------
; Caller side of the key-file check. The sub at 00401333 writes a
; result code (1..4) to byte [40602C]; this excerpt dispatches on it
; and shows the matching status text via SetWindowTextA.
; The enclosing function starts before and ends after this excerpt.
; ---------------------------------------------------------------------
0040113E   .  E8 F0010000   call    00401333                         ;  run the key-file check (see sub at 00401333)
00401143   .  803D 2C604000>cmp     byte ptr [40602C], 1             ;  1 = file could not be opened
0040114A   .  74 20         je      short 0040116C
0040114C   .  803D 2C604000>cmp     byte ptr [40602C], 2             ;  2 = file size != 32 bytes
00401153   .  74 2C         je      short 00401181
00401155   .  803D 2C604000>cmp     byte ptr [40602C], 3             ;  3 = hash(name) != stored password
0040115C   .  74 38         je      short 00401196
0040115E   .  803D 2C604000>cmp     byte ptr [40602C], 4             ;  4 = match
00401165   .  74 44         je      short 004011AB
00401167   .  E9 C1010000   jmp     0040132D                         ;  any other value: no message
0040116C   >  68 51624000   push    00406251                         ; /no keyfile found!
00401171   .  FF35 76604000 push    dword ptr [406076]               ; |hWnd = NULL
00401177   .  E8 5A030000   call    <jmp.&user32.SetWindowTextA>     ; \SetWindowTextA
0040117C   .  E9 AC010000   jmp     0040132D
00401181   >  68 63624000   push    00406263                         ; /wrong size!
00401186   .  FF35 76604000 push    dword ptr [406076]               ; |hWnd = NULL
0040118C   .  E8 45030000   call    <jmp.&user32.SetWindowTextA>     ; \SetWindowTextA
00401191   .  E9 97010000   jmp     0040132D
00401196   >  68 6F624000   push    0040626F                         ; /invalid keyfile!
0040119B   .  FF35 76604000 push    dword ptr [406076]               ; |hWnd = NULL
004011A1   .  E8 30030000   call    <jmp.&user32.SetWindowTextA>     ; \SetWindowTextA
004011A6   .  E9 82010000   jmp     0040132D
004011AB   >  68 09604000   push    00406009                         ; /registered! good job!
004011B0   .  FF35 76604000 push    dword ptr [406076]               ; |hWnd = NULL
004011B6   .  E8 1B030000   call    <jmp.&user32.SetWindowTextA>     ; \SetWindowTextA

可见校验结果是由前面那条 Call 直接产生的,右击该 Call 指令,选择 Follow 跟进:

; ---------------------------------------------------------------------
; Key-file check (sub at 00401333), called from 0040113E.
; Opens "keyfile.dat" (string at 00406032) and writes a result code to
; byte [40602C]:
;   1 = CreateFileA returned -1          ("no keyfile found!")
;   2 = GetFileSize != 0x20 (32) bytes   ("wrong size!")
;   3 = hash(name) text != password text ("invalid keyfile!")
;   4 = the two strings compare equal    ("registered! good job!")
; File layout: bytes 0..15 are read into 0040603E (name), bytes 16..31
; into 0040604E (password text). Trailing 0x20 bytes of each half are
; overwritten with 0 so the fields become NUL-terminated strings.
; hash(name) = (sum over bytes of ((c + 0x0F) ^ 0x20)) * 0x7A69,
; formatted with wsprintfA into 00406287 and compared with lstrcmpA.
; Clobbers eax, ecx, edx; ebx/edi are pushed/popped around the hash loop.
; ---------------------------------------------------------------------
00401333  /$  6A 00         push    0                                ; /hTemplateFile = NULL
00401335  |.  68 80000000   push    80                               ; |Attributes = NORMAL
0040133A  |.  6A 03         push    3                                ; |Mode = OPEN_EXISTING
0040133C  |.  6A 00         push    0                                ; |pSecurity = NULL
0040133E  |.  6A 01         push    1                                ; |ShareMode = FILE_SHARE_READ
00401340  |.  68 00000080   push    80000000                         ; |Access = GENERIC_READ
00401345  |.  68 32604000   push    00406032                         ; |keyfile.dat
0040134A  |.  E8 93010000   call    <jmp.&kernel32.CreateFileA>      ; \CreateFileA
0040134F  |.  A3 62604000   mov     dword ptr [406062], eax          ;  [406062] = hFile
00401354  |.  83F8 FF       cmp     eax, -1                          ;  INVALID_HANDLE_VALUE?
00401357  |.  0F84 DB000000 je      00401438                         ;  -> result 1 (no keyfile)
0040135D  |.  6A 00         push    0                                ; /pFileSizeHigh = NULL
0040135F  |.  FF35 62604000 push    dword ptr [406062]               ; |hFile = NULL
00401365  |.  E8 8A010000   call    <jmp.&kernel32.GetFileSize>      ; \GetFileSize
0040136A  |.  83F8 20       cmp     eax, 20                          ;  file size must be exactly 0x20 (32) bytes
0040136D  |.  0F85 CE000000 jnz     00401441                         ;  -> result 2 (wrong size); otherwise read the first 16 bytes
00401373  |.  6A 00         push    0                                ; /pOverlapped = NULL
00401375  |.  68 48634000   push    00406348                         ; |pBytesRead = keyfilem.00406348
0040137A  |.  6A 10         push    10                               ; |BytesToRead = 10 (16.)
0040137C  |.  68 3E604000   push    0040603E                         ; |Buffer = keyfilem.0040603E  (name field)
00401381  |.  FF35 62604000 push    dword ptr [406062]               ; |hFile = NULL
00401387  |.  E8 86010000   call    <jmp.&kernel32.ReadFile>         ; \ReadFile
0040138C  |.  FF35 62604000 push    dword ptr [406062]               ; /hObject = NULL
00401392  |.  E8 45010000   call    <jmp.&kernel32.CloseHandle>      ; \CloseHandle
00401397  |.  33C9          xor     ecx, ecx
00401399  |.  33D2          xor     edx, edx
0040139B  |.  BA 0F000000   mov     edx, 0F                          ;  edx = 15: scan the name field from its last byte backwards
004013A0  |>  0FBE8A 3E6040>/movsx   ecx, byte ptr [edx+40603E]      ;  ecx = name[edx]
004013A7  |.  4A            |dec     edx                             ;  edx now points one byte before the one just loaded
004013A8  |.  83F9 20       |cmp     ecx, 20                         ;  is it a space (0x20)?
004013AB  |.  75 09         |jnz     short 004013B6                  ;  first non-space from the end: stop stripping
004013AD  |.  C682 3F604000>|mov     byte ptr [edx+40603F], 0        ;  name[edx+1] = 0: trailing space -> NUL terminator
004013B4  |.^ EB EA         \jmp     short 004013A0                  ;  NOTE(review): no lower bound on edx; an all-space name keeps scanning below 0040603E
004013B6  |>  E9 A1000000   jmp     0040145C                         ;  -> hash the name (code at 0040145C)
004013BB  |>  6A 00         push    0                                ; /hTemplateFile = NULL   (second pass: reopen to fetch the password half)
004013BD  |.  68 80000000   push    80                               ; |Attributes = NORMAL
004013C2  |.  6A 03         push    3                                ; |Mode = OPEN_EXISTING
004013C4  |.  6A 00         push    0                                ; |pSecurity = NULL
004013C6  |.  6A 01         push    1                                ; |ShareMode = FILE_SHARE_READ
004013C8  |.  68 00000080   push    80000000                         ; |Access = GENERIC_READ
004013CD  |.  68 32604000   push    00406032                         ; |keyfile.dat
004013D2  |.  E8 0B010000   call    <jmp.&kernel32.CreateFileA>      ; \CreateFileA
004013D7  |.  A3 62604000   mov     dword ptr [406062], eax          ;  ↓ read the second half of the file. NOTE(review): unlike the first open, eax is not checked against -1 here
004013DC  |.  68 A7624000   push    004062A7                         ; /pOverlapped = keyfilem.004062A7  (non-NULL; presumably carries the file offset 16 — confirm contents at 004062A7)
004013E1  |.  68 48634000   push    00406348                         ; |pBytesRead = keyfilem.00406348
004013E6  |.  6A 10         push    10                               ; |BytesToRead = 10 (16.)
004013E8  |.  68 4E604000   push    0040604E                         ; |Buffer = keyfilem.0040604E  (password field, directly after the name field)
004013ED  |.  FF35 62604000 push    dword ptr [406062]               ; |hFile = NULL
004013F3  |.  E8 1A010000   call    <jmp.&kernel32.ReadFile>         ; \ReadFile
004013F8  |.  FF35 62604000 push    dword ptr [406062]               ; /hObject = NULL
004013FE  |.  E8 D9000000   call    <jmp.&kernel32.CloseHandle>      ; \CloseHandle
00401403  |.  33C9          xor     ecx, ecx
00401405  |.  33D2          xor     edx, edx
00401407  |.  BA 0F000000   mov     edx, 0F                          ;  same trailing-space strip as above, on the password field
0040140C  |>  0FBE8A 4E6040>/movsx   ecx, byte ptr [edx+40604E]      ;  ecx = pass[edx]
00401413  |.  4A            |dec     edx
00401414  |.  83F9 20       |cmp     ecx, 20                         ;  space?
00401417  |.  75 09         |jnz     short 00401422                  ;  first non-space from the end: done
00401419  |.  C682 4F604000>|mov     byte ptr [edx+40604F], 0        ;  pass[edx+1] = 0
00401420  |.^ EB EA         \jmp     short 0040140C                  ;  NOTE(review): again no lower bound on edx
00401422  |>  68 87624000   push    00406287                         ; /String2 = ""   (hash text written by wsprintfA at 00406287)
00401427  |.  68 4E604000   push    0040604E                         ; |String1 = ""   (password field from the file)
0040142C  |.  E8 ED000000   call    <jmp.&kernel32.lstrcmpA>         ; \lstrcmpA  (case-sensitive compare)
00401431  |.  83F8 00       cmp     eax, 0                           ;  0 = strings equal
00401434  |.  74 1D         je      short 00401453                   ;  -> result 4 (registered)
00401436  |.  75 12         jnz     short 0040144A                   ;  -> result 3 (invalid keyfile)
00401438  |>  C605 2C604000>mov     byte ptr [40602C], 1             ;  result 1: file could not be opened
0040143F  |.  EB 63         jmp     short 004014A4
00401441  |>  C605 2C604000>mov     byte ptr [40602C], 2             ;  result 2: wrong size
00401448  |.  EB 5A         jmp     short 004014A4
0040144A  |>  C605 2C604000>mov     byte ptr [40602C], 3             ;  result 3: invalid keyfile
00401451  |.  EB 51         jmp     short 004014A4
00401453  |>  C605 2C604000>mov     byte ptr [40602C], 4             ;  result 4: registered
0040145A  |.  EB 48         jmp     short 004014A4
0040145C  |>  53            push    ebx                              ;  hash(name): save callee-saved ebx/edi
0040145D  |.  57            push    edi
0040145E  |.  68 3E604000   push    0040603E                         ; /String = ""   (name field; NUL-terminated only by the space strip above)
00401463  |.  E8 BC000000   call    <jmp.&kernel32.lstrlenA>         ; \lstrlenA
00401468  |.  8BD0          mov     edx, eax                         ;  edx = strlen(name)
0040146A  |.  33C9          xor     ecx, ecx                         ;  ecx = index
0040146C  |.  33DB          xor     ebx, ebx                         ;  ebx = running sum
0040146E  |>  0FB681 3E6040>/movzx   eax, byte ptr [ecx+40603E]      ;  eax = name[ecx] (zero-extended)
00401475  |.  83C0 0F       |add     eax, 0F
00401478  |.  83F0 20       |xor     eax, 20                         ;  eax = (c + 0x0F) ^ 0x20
0040147B  |.  03D8          |add     ebx, eax                        ;  sum += eax
0040147D  |.  41            |inc     ecx                             ;  next character
0040147E  |.  3BCA          |cmp     ecx, edx                        ;  all bytes processed?
00401480  |.^ 75 EC         \jnz     short 0040146E                  ;  NOTE(review): no guard for strlen == 0; with edx = 0 the loop does not exit after the first iteration
00401482  |.  33C9          xor     ecx, ecx
00401484  |.  69DB 697A0000 imul    ebx, ebx, 7A69                   ;  ebx = sum * 0x7A69
0040148A  |.  53            push    ebx                              ; /<%X>
0040148B  |.  68 84624000   push    00406284                         ; |%x   (hex text; whether digits come out upper- or lower-case matters for lstrcmpA — confirm bytes at 00406284)
00401490  |.  68 87624000   push    00406287                         ; |s = keyfilem.00406287
00401495  |.  E8 0C000000   call    <jmp.&user32.wsprintfA>          ; \wsprintfA
0040149A  |.  83C4 0C       add     esp, 0C                          ;  drop the three cdecl arguments
0040149D  |.  5F            pop     edi
0040149E  |.  5B            pop     ebx
0040149F  |.^ E9 17FFFFFF   jmp     004013BB                         ;  back to the second read / compare
004014A4  \>  C3            retn                                     ;  caller dispatches on byte [40602C]; eax carries no defined result

KeyFile 长度必须为 32 字节,前半部分写着用户名,后半部分是密码(不足的位置用空格补齐)。而 CM 的校验方式是简单的 F(用户名) = 密码。

给出可用的 KeyFile 内容:

DreamCracker    26F86D8         

运行效果:

