OllyDbg Usage Notes (III)
References
Book: "Encryption and Decryption"
Video: Small Turtle's decryption video series
ReverseMe.exe: http://pan.baidu.com/s/1c0fbgi8
ReverseMe.exe hack
This ReverseMe reads a key file to decide whether the program is registered.
Load it in OllyDbg and read the annotations; a few key places stand out:
0040105C  6A 00             push 0                              ; /hTemplateFile = NULL
0040105E  68 6F214000       push 0040216F                       ; |Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|40204800
00401063  6A 03             push 3                              ; |Mode = OPEN_EXISTING
00401065  6A 00             push 0                              ; |pSecurity = NULL
00401067  6A 03             push 3                              ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401069  68 000000C0       push C0000000                       ; |Access = GENERIC_READ|GENERIC_WRITE
0040106E  68 79204000       push 00402079                       ; |FileName = "Keyfile.dat"
00401073  E8 0B020000       call <jmp.&kernel32.CreateFileA>    ; \CreateFileA
00401078  83F8 FF           cmp eax, -1
0040107B  75 1D             jnz short 0040109A
0040107D  6A 00             push 0                              ; |/Style = MB_OK|MB_APPLMODAL
0040107F  68 00204000       push 00402000                       ; ||Title = "Key File ReverseMe"
00401084  68 17204000       push 00402017                       ; ||Text = "Evaluation period out of date. Purchase new License"
00401089  6A 00             push 0                              ; ||hOwner = NULL
0040108B  E8 D7020000       call <jmp.&user32.MessageBoxA>      ; |\MessageBoxA
00401090  E8 24020000       call <jmp.&kernel32.ExitProcess>    ; \ExitProcess
00401095  E9 83010000       jmp 0040121D
0040109A  6A 00             push 0                              ; /pOverlapped = NULL
0040109C  68 73214000       push 00402173                       ; |pBytesRead = reversem.00402173
004010A1  6A 46             push 46                             ; |BytesToRead = 46 (70.)
004010A3  68 1A214000       push 0040211A                       ; |Buffer = reversem.0040211A
004010A8  50                push eax                            ; |hFile
004010A9  E8 2F020000       call <jmp.&kernel32.ReadFile>       ; \ReadFile
004010AE  85C0              test eax, eax
004010B0  75 02             jnz short 004010B4
004010B2  EB 43             jmp short 004010F7
004010B4  33DB              xor ebx, ebx
004010B6  33F6              xor esi, esi
004010B8  833D 73214000 10  cmp dword ptr [402173], 10
004010BF  7C 36             jl short 004010F7
004010C1  8A83 1A214000     mov al, byte ptr [ebx+40211A]
004010C7  3C 00             cmp al, 0
004010C9  74 08             je short 004010D3
004010CB  3C 47             cmp al, 47
004010CD  75 01             jnz short 004010D0
004010CF  46                inc esi
004010D0  43                inc ebx
004010D1  ^EB EE            jmp short 004010C1
004010D3  83FE 08           cmp esi, 8
004010D6  7C 1F             jl short 004010F7
004010D8  E9 28010000       jmp 00401205
004010F5  EB 00             jmp short 004010F7
004010F7  6A 00             push 0                              ; |/Style = MB_OK|MB_APPLMODAL
004010F9  68 00204000       push 00402000                       ; ||Title = "Key File ReverseMe"
004010FE  68 86204000       push 00402086                       ; ||Text = "KeyFile is not valid. Sorry."
00401103  6A 00             push 0                              ; ||hOwner = NULL
00401105  E8 5D020000       call <jmp.&user32.MessageBoxA>      ; |\MessageBoxA
0040110A  E8 AA010000       call <jmp.&kernel32.ExitProcess>    ; \ExitProcess
0040110F  E9 09010000       jmp 0040121D
00401205  6A 00             push 0                              ; |/Style = MB_OK|MB_APPLMODAL
00401207  68 00204000       push 00402000                       ; ||Title = "Key File ReverseMe"
0040120C  68 DE204000       push 004020DE                       ; ||Text = "You really did it! Congratz!!!"
00401211  6A 00             push 0                              ; ||hOwner = NULL
00401213  E8 4F010000       call <jmp.&user32.MessageBoxA>      ; |\MessageBoxA
00401218  E8 9C000000       call <jmp.&kernel32.ExitProcess>    ; \ExitProcess
0040121D  C3                retn
From 0040106E we learn that the key file is Keyfile.dat.
If Keyfile.dat is not found, CreateFileA returns eax = -1, the jnz at 0040107B does not jump, and execution falls through into the code that follows it (the "Evaluation period out of date" message box, then ExitProcess).
If Keyfile.dat exists, it jumps to 0040109A.
0040109A~004010A9 read the file; the details do not matter here, except that a read error jumps to 004010F7.
004010B2~004010D8 check whether Keyfile.dat is correct.
The ultimate goal is clearly to make the program jump to 00401205, which means getting the jmp at 004010D8 to execute.
As an experiment, modify one of the jumps in 004010B2~004010D8 so that jmp 00401205 is reached.
Brute force hack
Based on the analysis above, we start by changing the jnz short 0040109A at 0040107B to jmp short 004010D8.
Parsing the key
Look at the code at 004010B4~004010D8.
First it checks the number of bytes read against 10 (hexadecimal, i.e. 16): if the count is less, it jumps to the failure branch at 004010F7; otherwise it continues.
004010C1~004010D1 is a loop: it compares each character of the key file with ASCII 47 (hexadecimal, the letter 'G'), counts the matches in ESI, and stops when it reads ASCII 0.
After the loop, ESI is compared with 8; if it is at least 8, execution reaches jmp 00401205.
So we create a new Keyfile.dat in Notepad containing, for example, GGGGGGGGGGGGGGGG0, and that is enough.
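To confirm this reading of the check, the following C re-implementation of 004010B4~004010D8 is added to these notes; it is not code from the ReverseMe or from the original post. The buffer size, the length threshold and the 'G' count come from the listing above; the return codes and the sample keys are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constants taken from the listing above. */
#define KEY_BUF_SIZE 0x46   /* BytesToRead pushed at 004010A1 (70 bytes) */
#define MIN_KEY_LEN  0x10   /* cmp dword ptr [402173], 10 at 004010B8 */
#define MIN_G_COUNT  8      /* cmp esi, 8 at 004010D3 */
#define MAGIC_CHAR   0x47   /* cmp al, 47 at 004010CB: the letter 'G' */

/* Return codes are this example's own; the binary only shows a message box. */
enum key_result { KEY_OK = 0, KEY_TOO_SHORT = 1, KEY_TOO_FEW_G = 2 };
/* Mirrors 004010B4~004010D8: ebx walks the buffer, esi counts bytes equal
 * to 'G', and the walk stops at the first NUL byte. The buffer models the
 * global at 0040211A: 70 bytes, zero beyond what ReadFile stored, which is
 * what ends the loop for a key shorter than the buffer. */
enum key_result check_key(const uint8_t *data, size_t bytes_read)
{
    uint8_t buf[KEY_BUF_SIZE] = {0};
    size_t esi = 0, ebx = 0;

    if (bytes_read > KEY_BUF_SIZE)      /* ReadFile was asked for at most 0x46 */
        bytes_read = KEY_BUF_SIZE;
    memcpy(buf, data, bytes_read);

    if (bytes_read < MIN_KEY_LEN)       /* jl short 004010F7 at 004010BF */
        return KEY_TOO_SHORT;

    /* The binary's loop has no length bound and relies on a NUL after the
     * data; the ebx < KEY_BUF_SIZE check only keeps this model in bounds. */
    while (ebx < KEY_BUF_SIZE && buf[ebx] != 0) {   /* je short 004010D3 */
        if (buf[ebx] == MAGIC_CHAR)     /* jnz short 004010D0 skips inc esi */
            esi++;
        ebx++;
    }
    if (esi < MIN_G_COUNT)              /* jl short 004010F7 at 004010D6 */
        return KEY_TOO_FEW_G;
    return KEY_OK;                      /* jmp 00401205: "You really did it!" */
}

int main(void)
{
    /* Constructed sample keys: the one from the post, and two that fail. */
    const char *keys[] = { "GGGGGGGGGGGGGGGG0", "GGGGGGGG", "GGGGGGGAAAAAAAAA" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s -> %d\n", keys[i], check_key((const uint8_t *)keys[i], strlen(keys[i])));
    return 0;
}
```

The second key is long enough in 'G's but shorter than 16 bytes, so it fails the length check before the loop runs; the third is long enough but holds only seven 'G's.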