一个简单ReverseMe的分析
我的博客代码排版不行,发这里好看点,别BSOD载入00401000 > $6A 00 push 0 ; |/pModule = NULL
00401002.E8 64020000call <jmp.&KERNEL32.GetModuleHandleA> ; |\GetModuleHandleA初始化句柄00401007.A3 77214000mov dword ptr , eax ; |
0040100C.C705 97214000>mov dword ptr , 4003 ; |
00401016.C705 9B214000>mov dword ptr , 004011A6 ; |
00401020.C705 9F214000>mov dword ptr , 0 ; |
0040102A.C705 A3214000>mov dword ptr , 0 ; |
00401034.A1 77214000mov eax, dword ptr ; |
00401039.A3 A7214000mov dword ptr , eax ; |
0040103E.6A 04 push 4 ; |/RsrcName = 4.
00401040.50 push eax ; ||hInst => NULL
00401041.E8 3F030000call <jmp.&USER32.LoadIconA> ; |\LoadIconA初始化图标00401046.A3 AB214000mov dword ptr , eax ; |
0040104B.68 007F0000push 7F00 ; |/RsrcName = IDC_ARROW
00401050.6A 00 push 0 ; ||hInst = NULL
00401052.E8 C8020000call <jmp.&USER32.LoadCursorA> ; |\LoadCursorA初始化光标00401057.A3 AF214000mov dword ptr , eax ; |
0040105C.6A 00 push 0 ; |/hTemplateFile = NULL
0040105E.68 6F214000push 0040216F ; ||Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048
00401063.6A 03 push 3 ; ||Mode = OPEN_EXISTING
00401065.6A 00 push 0 ; ||pSecurity = NULL
00401067.6A 03 push 3 ; ||ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401069.68 000000C0push C0000000 ; ||Access = GENERIC_READ|GENERIC_WRITE
0040106E.68 79204000push 00402079 ; ||FileName = "Keyfile.dat"
00401073.E8 0B020000call <jmp.&KERNEL32.CreateFileA> ; |\CreateFileA打开Keyfile.dat文件,Keyfile.dat文件就是判断的关键00401078.83F8 FF cmp eax, -1 ; |
0040107B.75 1D jnz short 0040109A ; |存在文件则跳到0040109A继续判断 , 否则往下提示错误0040107D.6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
0040107F.68 00204000push 00402000 ; ||Title = " Key File ReverseMe"
00401084.68 17204000push 00402017 ; ||Text = "Evaluation period out of date. Purchase new license"
00401089.6A 00 push 0 ; ||hOwner = NULL
0040108B.E8 D7020000call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA对话框提示没文件00401090.E8 24020000call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess退出0040109A> \6A 00 push 0 ; /pOverlapped = NULL
0040109C.68 73214000push 00402173 ; |pBytesRead = ReverseM.00402173
004010A1.6A 46 push 46 ; |BytesToRead = 46 (70.)
004010A3.68 1A214000push 0040211A ; |Buffer = ReverseM.0040211A
004010A8.50 push eax ; |hFile
004010A9.E8 2F020000call <jmp.&KERNEL32.ReadFile> ; \ReadFile读入文件004010AE.85C0 test eax, eax
004010B0.75 02 jnz short 004010B4文件不为空则跳到004010B4继续判断004010B2.EB 43 jmp short 004010F7为空则跳到004010F7提示错误004010B4>33DB xor ebx, ebx
004010B6.33F6 xor esi, esiEBX,ESI清零,用于计算004010B8.833D 73214000>cmp dword ptr , 10
004010BF.7C 36 jl short 004010F7文件长度是否为十六进制10,即十进制16
不为19则跳到004010F7提示错误004010C1>8A83 1A214000 mov al, byte ptr
004010C7.3C 00 cmp al, 0
004010C9.74 08 je short 004010D3al依次存储文件内的字符ASCII值,娶到0(即取完了)则跳到004010D3判断004010CB.3C 47 cmp al, 47
004010CD.75 01 jnz short 004010D0字符ASCII不为十六进制47(即"G"),则跳到004010D0继续判断下一字符004010CF.46 inc esi是"G"则ESI加1004010D0>43 inc ebx
004010D1.^ EB EE jmp short 004010C1BBX加一,回跳到004010C1,继续取下一字符004010D3>83FE 08 cmp esi, 8
004010D6.7C 1F jl short 004010F7
004010D8.E9 28010000jmp 00401205ESI为8,即字符串中有8个"G",则跳到004010F7提示成功
否则跳到00401205提示错误004010F5. /EB 00 jmp short 004010F7
004010F7> \6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
004010F9.68 00204000push 00402000 ; ||Title = " Key File ReverseMe"
004010FE.68 86204000push 00402086 ; ||Text = "Keyfile is not valid. Sorry."
00401103.6A 00 push 0 ; ||hOwner = NULL
00401105.E8 5D020000call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
0040110A.E8 AA010000call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040110F.E9 09010000jmp 0040121D00401205> \6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
00401207.68 00204000push 00402000 ; ||Title = " Key File ReverseMe"
0040120C.68 DE204000push 004020DE ; ||Text = "You really did it! Congratz !!!"
00401211.6A 00 push 0 ; ||hOwner = NULL
00401213.E8 4F010000call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
00401218.E8 9C000000call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040121D>C3 retn总结:
在ReverseMe目录建立文件Keyfile.dat(可用记事本)
Keyfile.dat为16个字节长度
16个字符中应还有8个G 不用跟帖
只是在这放一下给我朋友看 既然是ReverseMe,我也就练习一下试试吧!
照着上面的反汇编,试着用C写了一下,呵呵:
HANDLE hMod=GetModuleHandle(NULL);
HICON hIcon=LoadIcon(hMod,IDI_XXXX);
HCURSOR hCursor=LoadCursor(hMod,IDR_XXXX);
HANDLE hFile=CreateFile("Keyfile.dat",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,OPEN_EXISTING,READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048,NULL);
if(INVALID_HANDLE_VALUE==hFile){
MessageBox(NULL,"Evaluation period out of date. Purchase new license","Key File ReverseMe",MB_OK|MB_APPLMODAL);
return 0;
}
TCHAR szBuffer; //应该是全局的变量
DWORD dwReadByte; //同上
if(ReadFile(hFile,szBuffer,70,&dwReadByte,NULL)){
if(dwReadByte>0x10){
int i=0,j=0;
for(i;;){
if(szBuffer==0)
break;
if(szBuffer==0x47)
j++;
i++;
}
if(j>=8){
MessageBox(NULL,"You really did it! Congratz !!!","Key File ReverseMe",MB_OK|MB_APPLMODAL);
return 0;
}
}
}
else{
MessageBox(NULL,"Keyfile is not valid. Sorry.","Key File ReverseMe",MB_OK|MB_APPLMODAL);
return 0;
}
这样下来,也就明白了:
1、Keyfile.dat文件的长度应该大于或者等于16字节
2、其中必须有8个或者8个以上的字母“G”,呵呵
[ 本帖最后由 chenguo 于 2009-2-3 22:51 编辑 ] 都是高手。小菜鸟悄悄路过
页:
[1]