[Title]: Cracking a keyfile crackme
[Author]: riusksk (quange)
[Homepage]: http://riusksk.blogbus.com
[Software]: http://bbs.pediy.com/attachment.php?attachmentid=30530&d=1251718431
[Packer]: None
[Email]: riusksk@qq.com
[Time]: 2009/8/30
[Statement]: This is purely out of interest and has no other purpose. If there are mistakes, please kindly point them out!
――――――――――――――――――――――――――――――――――
[Detailed process]:
Load the program in OD, set the breakpoint bpx CreateFileA, and run; it breaks at the following address:
0040415A 6A 00 PUSH 0
0040415C 68 80000000 PUSH 80
00404161 51 PUSH ECX
00404162 6A 00 PUSH 0
00404164 52 PUSH EDX
00404165 50 PUSH EAX
00404166 8D43 48 LEA EAX, DWORD PTR DS:[EBX+48] ; "fcrackme.key"
00404169 50 PUSH EAX
0040416A E8 9DD0FFFF CALL <JMP.&KERNEL32.CreateFileA> ; breaks here
0040416F 83F8 FF CMP EAX, -1 ; jump if opening the file failed
00404172 74 29 JE SHORT crme.0040419D
00404174 8903 MOV DWORD PTR DS:[EBX], EAX ; save the file handle
00404176 5F POP EDI
00404177 5E POP ESI
00404178 5B POP EBX
00404179 C3 RETN
So first create a file named "fcrackme.key" to serve as the keyfile, then step with F8 through the RETN, and you arrive at the following code:
00426592 E8 4DC1FDFF CALL crme.004026E4
00426597 85C0 TEST EAX, EAX
00426599 0F85 66010000 JNZ crme.00426705
0042659F 8D85 A8FEFEFF LEA EAX, DWORD PTR SS:[EBP-10158]
004265A5 E8 5AD9FDFF CALL crme.00403F04
004265AA E8 F9C0FDFF CALL crme.004026A8
004265AF 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
004265B2 837D FC 00 CMP DWORD PTR SS:[EBP-4], 0 ; check whether the file content is empty; jump if it is not
004265B6 75 15 JNZ SHORT crme.004265CD
004265B8 BA 64674200 MOV EDX, crme.00426764 ; ASCII "Key file is empty!"
004265BD 8B83 B0010000 MOV EAX, DWORD PTR DS:[EBX+1B0]
004265C3 E8 CCB6FEFF CALL crme.00411C94 ; set the text shown in the window
004265C8 E9 28010000 JMP crme.004266F5
004265CD 817D FC 00000100 CMP DWORD PTR SS:[EBP-4], 10000 ; compare the length of the string in fcrackme.key against 10000
004265D4 7E 07 JLE SHORT crme.004265DD
004265D6 C745 FC 00000100 MOV DWORD PTR SS:[EBP-4], 10000 ; cap the length at 10000
004265DD 6A 00 PUSH 0
004265DF 8D95 FCFFFEFF LEA EDX, DWORD PTR SS:[EBP-10004]
004265E5 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4] ; length of the string in the keyfile
004265E8 8D85 A8FEFEFF LEA EAX, DWORD PTR SS:[EBP-10158]
004265EE E8 71D8FDFF CALL crme.00403E64
004265F3 E8 B0C0FDFF CALL crme.004026A8
004265F8 53 PUSH EBX
004265F9 57 PUSH EDI
004265FA 56 PUSH ESI
004265FB 8D75 FC LEA ESI, DWORD PTR SS:[EBP-4]
004265FE 8B0E MOV ECX, DWORD PTR DS:[ESI] ; string length
00426600 8DB5 FCFFFEFF LEA ESI, DWORD PTR SS:[EBP-10004] ; the string
00426606 8DBD FBFFFEFF LEA EDI, DWORD PTR SS:[EBP-10005]
0042660C 31C0 XOR EAX, EAX
0042660E 83CA FF OR EDX, FFFFFFFF
00426611 31DB XOR EBX, EBX
00426613 40 INC EAX
00426614 F7D2 NOT EDX
00426616 8A1C16 MOV BL, BYTE PTR DS:[ESI+EDX] ; take the keyfile characters one by one for the calculation below
00426619 84DB TEST BL, BL ; jump if it is 0; note this is the hex byte 00, which is entered with a hex editor
0042661B 74 29 JE SHORT crme.00426646
0042661D E8 16000000 CALL crme.00426638
00426622 52 PUSH EDX
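Every jump target in the listing above can be checked against the opcode bytes OD prints next to it, since JMP/Jcc/CALL store a signed displacement relative to the next instruction. The script below is an added example, not part of the original write-up; it parses the branch lines of the listing (copied here as a constructed sample) and recomputes each target from the bytes.

```python
import re

# Constructed sample: the branch lines from the listing above, in OllyDbg
# column order (address, opcode bytes, mnemonic, target). Not part of the
# original write-up.
LISTING = """\
00404172 74 29 JE SHORT crme.0040419D
00426599 0F85 66010000 JNZ crme.00426705
004265B6 75 15 JNZ SHORT crme.004265CD
004265C8 E9 28010000 JMP crme.004266F5
004265D4 7E 07 JLE SHORT crme.004265DD
0042661B 74 29 JE SHORT crme.00426646
0042661D E8 16000000 CALL crme.00426638
"""

# address, one or more opcode-byte groups, a jump/call mnemonic, optional
# SHORT, then the target that OllyDbg prints as crme.XXXXXXXX
LINE_RE = re.compile(
    r'^([0-9a-f]{8})\s+((?:[0-9a-f]{2,}\s+)+?)(?:j\w+|call)\s+(?:short\s+)?crme\.([0-9a-f]+)',
    re.IGNORECASE)

def branch_target(addr, opcode_hex):
    """Target of a relative JMP/Jcc/CALL: the address of the next instruction
    plus the signed displacement that follows the opcode (8-bit for the
    EB / 7x short forms, 32-bit little-endian for E8 / E9 and 0F 8x)."""
    b = bytes.fromhex(opcode_hex.replace(' ', ''))
    if b[0] in (0xE8, 0xE9):
        disp = int.from_bytes(b[1:5], 'little', signed=True)
    elif b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:
        disp = int.from_bytes(b[2:6], 'little', signed=True)
    elif b[0] == 0xEB or 0x70 <= b[0] <= 0x7F:
        disp = int.from_bytes(b[1:2], 'little', signed=True)
    else:
        raise ValueError(f'not a relative branch: {opcode_hex}')
    return (addr + len(b) + disp) & 0xFFFFFFFF

def check_listing(text):
    """Map each branch address to (computed target, listed target, agree?)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        computed = branch_target(addr, m.group(2))
        listed = int(m.group(3), 16)
        result[addr] = (computed, listed, computed == listed)
    return result
```

For example, `74 29` at 00404172 gives 00404174 + 29 = 0040419D, and the CALL at 0040416A with `E8 9DD0FFFF` resolves backwards (negative displacement) to the import thunk at 0040120C.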