x64dbg - Chapter 12 | Disassembly Exercise (3), Part 1
Target program
File download: reverseMe.exe
Unzip password: morosedog
Task
- Make the program pass its verification.
Analysis
- Open reverseMe.exe
- A message box appears immediately, titled Key File ReverseMe, with the text Evaluation period out of date. Purchase new license
- A detection scan shows it was written with MASM32 / TASM32 [Overlay].
Search approach
- Use the string search to find keywords.
Modification approach
- Remove the verification, or skip over it.
Actual analysis
Open reverseMe.exe. In the disassembly window, right-click and choose
Search for
-> Current module
-> String references
Address  Disassembly  String
0040106E push reverseme.402079 "Keyfile.dat"
0040107F push reverseme.402000 " Key File ReverseMe"
00401084 push reverseme.402017 "Evaluation period out of date. Purchase new license"
004010F9 push reverseme.402000 " Key File ReverseMe"
004010FE push reverseme.402086 "Keyfile is not valid. Sorry."
00401207 push reverseme.402000 " Key File ReverseMe"
0040120C push reverseme.4020DE "You really did it! Congratz !!!"
We see the keyword Evaluation period out of date. Purchase new license. Set a breakpoint on it and run the program with F9; it breaks at
00401084 | 68 17204000 | push reverseme.402017 | 402017:"Evaluation period out of date. Purchase new license"
Step over with F8 one instruction at a time. When you step over the instruction below
0040108B | E8 D7020000 | call <JMP.&MessageBoxA> |
the message box titled Key File ReverseMe with the text Evaluation period out of date. Purchase new license appears.
Looking upward, there is a conditional jump which, when taken, skips the instructions that show this message box:
0040105C | 6A 00 | push 0 |
0040105E | 68 6F214000 | push reverseme.40216F |
00401063 | 6A 03 | push 3 |
00401065 | 6A 00 | push 0 |
00401067 | 6A 03 | push 3 |
00401069 | 68 000000C0 | push C0000000 |
0040106E | 68 79204000 | push reverseme.402079 | 402079:"Keyfile.dat"
00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
00401078 | 83F8 FF | cmp eax,FFFFFFFF |
0040107B | 75 1D | jne reverseme.40109A |
Set a breakpoint at 0040107B, restart with Ctrl + F2, and run with F9; the program breaks at
0040107B | 75 1D | jne reverseme.40109A |
The jump is not taken: CreateFileA returned FFFFFFFF (INVALID_HANDLE_VALUE) because Keyfile.dat could not be opened (it does not exist next to the program), so the cmp set ZF=1. jne jumps when ZF=0, so we change ZF to 0 to force the jump.
Continue stepping over with F8. When you reach
004010B0 | 75 02 | jne reverseme.4010B4 |
004010B2 | EB 43 | jmp reverseme.4010F7 |
execution jumps to 004010F7. Keep stepping over with F8; when you step over
00401105 | E8 5D020000 | call <JMP.&MessageBoxA> |
the message box titled Key File ReverseMe with the text Keyfile is not valid. Sorry. appears.
Looking upward,
004010D8 | E9 28010000 | jmp reverseme.401205 |
is a jump that skips the instructions showing this message box. Look at the address 00401205:
00401205 | 6A 00 | push 0 |
00401207 | 68 00204000 | push reverseme.402000 | 402000:" Key File ReverseMe"
0040120C | 68 DE204000 | push reverseme.4020DE | 4020DE:"You really did it! Congratz !!!"
00401211 | 6A 00 | push 0 |
00401213 | E8 4F010000 | call <JMP.&MessageBoxA> |
00401218 | E8 9C000000 | call <JMP.&ExitProcess> |
0040121D | C3 | ret |
We have found the address of the success message box.
Now go back to
004010B2 | EB 43 | jmp reverseme.4010F7 |
and look upward to see under what condition it executes:
0040109A | 6A 00 | push 0 |
0040109C | 68 73214000 | push reverseme.402173 |
004010A1 | 6A 46 | push 46 |
004010A3 | 68 1A214000 | push reverseme.40211A |
004010A8 | 50 | push eax |
004010A9 | E8 2F020000 | call <JMP.&ReadFile> |
004010AE | 85C0 | test eax,eax |
004010B0 | 75 02 | jne reverseme.4010B4 |
004010B2 | EB 43 | jmp reverseme.4010F7 |
004010B4 | 33DB | xor ebx,ebx |
004010B6 | 33F6 | xor esi,esi |
004010B8 | 833D 73214000 10 | cmp dword ptr ds:[402173],10 |
004010BF | 7C 36 | jl reverseme.4010F7 |
004010C1 | 8A83 1A214000 | mov al,byte ptr ds:[ebx+40211A] |
004010C7 | 3C 00 | cmp al,0 |
004010C9 | 74 08 | je reverseme.4010D3 |
004010CB | 3C 47 | cmp al,47 | 47:'G'
004010CD | 75 01 | jne reverseme.4010D0 |
004010CF | 46 | inc esi |
004010D0 | 43 | inc ebx |
004010D1 | EB EE | jmp reverseme.4010C1 |
004010D3 | 83FE 08 | cmp esi,8 |
004010D6 | 7C 1F | jl reverseme.4010F7 |
004010D8 | E9 28010000 | jmp reverseme.401205 |
This whole block is the verification. Reading it top to bottom: ReadFile reads up to 46h bytes of Keyfile.dat into the buffer at 40211A and stores the number of bytes actually read at 402173. If the call fails (eax = 0) or fewer than 10h bytes were read, it jumps to the failure path at 004010F7. The loop at 004010C1 then walks the buffer byte by byte until it meets a NUL, counting in esi every byte equal to 47h ('G'). If fewer than 8 such bytes were counted it again jumps to 004010F7; otherwise it jumps to the success path at 00401205.
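To make the verification logic concrete, here is a Python model of that block. It is an added example written for this chapter, not code from the crackme or from x64dbg; everything in it is reconstructed from the instructions listed above. Two things it assumes are marked in the comments: that the buffer at 40211A is zero-filled before ReadFile runs (so a key file shorter than 46h bytes is followed by a NUL that ends the scan), and that the scan stays inside the 46h-byte buffer (the real loop has no bound and keeps walking memory until it meets a NUL). The make_keyfile helper is mine; it builds the smallest file that satisfies the check, which is the second modification approach of this chapter carried out without touching the binary.

```python
"""Model of the reverseMe.exe key-file check, reconstructed from the listing at
0040109A..004010D8.  Added illustration code for this chapter, not the crackme's code."""

READ_SIZE = 0x46   # push 46          : ReadFile asks for 0x46 bytes into 40211A
MIN_BYTES = 0x10   # cmp [402173],10  : bytes actually read must be >= 0x10
MIN_G = 8          # cmp esi,8        : at least eight 'G' bytes before the first NUL
MAGIC = 0x47       # cmp al,47        : 'G'

MSG_EXPIRED = "Evaluation period out of date. Purchase new license"
MSG_INVALID = "Keyfile is not valid. Sorry."
MSG_SUCCESS = "You really did it! Congratz !!!"


def count_g(buf: bytes) -> int:
    """The loop at 004010C1..004010D1: walk bytes until a NUL, counting 'G'."""
    g = 0                       # esi
    for b in buf:               # ebx indexes from 40211A
        if b == 0:              # cmp al,0 / je 4010D3
            break
        if b == MAGIC:          # cmp al,47 / jne 4010D0 / inc esi
            g += 1
    return g


def check_keyfile(data: bytes) -> bool:
    """True when control reaches 004010D8 (jmp 401205); False for a jump to 004010F7."""
    # Assumption: the 0x46-byte buffer at 40211A is zero-filled before ReadFile,
    # so a file shorter than 0x46 bytes is terminated by a NUL inside the buffer.
    buf = bytearray(READ_SIZE)
    chunk = data[:READ_SIZE]    # ReadFile copies at most 0x46 bytes
    buf[:len(chunk)] = chunk
    bytes_read = len(chunk)     # what ReadFile stores at 402173
    if bytes_read < MIN_BYTES:  # jl 4010F7
        return False
    # Assumption: the scan stops at the end of the buffer.  The real loop only
    # stops at a NUL byte and would continue into whatever follows 40211A.
    return count_g(bytes(buf)) >= MIN_G  # cmp esi,8 / jl 4010F7


def outcome(data) -> str:
    """Which message box the program shows.  `None` models a missing Keyfile.dat:
    CreateFileA returns INVALID_HANDLE_VALUE and the jne at 0040107B is not taken."""
    if data is None:
        return MSG_EXPIRED
    return MSG_SUCCESS if check_keyfile(data) else MSG_INVALID


def make_keyfile(g_count: int = MIN_G, length: int = MIN_BYTES) -> bytes:
    """Smallest passing key file: `g_count` 'G' bytes padded with 'x' to `length` bytes."""
    if g_count > length:
        raise ValueError("g_count must fit in length")
    return b"G" * g_count + b"x" * (length - g_count)


if __name__ == "__main__":
    # Writes Keyfile.dat into the current directory.  CreateFileA is given the
    # relative name "Keyfile.dat", so it resolves against the process's current
    # directory: start reverseMe.exe from the directory holding this file.
    key = make_keyfile()
    assert outcome(key) == MSG_SUCCESS
    with open("Keyfile.dat", "wb") as f:
        f.write(key)
    print("wrote Keyfile.dat:", key)
```

Running the script writes a 16-byte Keyfile.dat containing eight 'G' bytes; the same module also answers "which message box would this file produce" for any candidate file, which is a quicker check than stepping through the loop in the debugger each time.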
Analysis summary
- Function CreateFileA, with file name parameter Keyfile.dat:
0040106E | 68 79204000 | push reverseme.402079 | 402079:"Keyfile.dat"
00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
- 0040107B: if this jump is taken, the "Evaluation period out of date" message box is skipped.
- 004010B0: if this jump is taken, the "Keyfile is not valid" message box is skipped.
- 00401205: address of the success message box.
- 0040109A ~ 004010D8: assumed to be the verification block.
// The key is the file read and the comparison
004010A9 | E8 2F020000 | call <JMP.&ReadFile> |
004010AE | 85C0 | test eax,eax |
Modification approach
Based on the analysis summary, either:
- Change the jump that leads to the failure message so that it jumps directly to the address of the success message.
- Work out the validation logic for Keyfile.dat and supply a file that passes it.
Actual modification
The first modification approach is demonstrated here. Open reverseMe.exe and remove all breakpoints. Select
0040107B | 75 1D | jne reverseme.40109A |
press the space bar, and change the instruction to
jmp 0x00401205
Press OK. After the change it looks like this:
// Before
00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
00401078 | 83F8 FF | cmp eax,FFFFFFFF |
0040107B | 75 1D | jne reverseme.40109A |
0040107D | 6A 00 | push 0 |
0040107F | 68 00204000 | push reverseme.402000 | 402000:" Key File ReverseMe"
00401084 | 68 17204000 | push reverseme.402017 | 402017:"Evaluation period out of date. Purchase new license"
00401089 | 6A 00 | push 0 |
0040108B | E8 D7020000 | call <JMP.&MessageBoxA> |
00401090 | E8 24020000 | call <JMP.&ExitProcess> |
00401095 | E9 83010000 | jmp reverseme.40121D |
// After
00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
00401078 | 83F8 FF | cmp eax,FFFFFFFF |
0040107B | E9 85010000 | jmp reverseme.401205 |
00401080 | 0020 | add byte ptr ds:[eax],ah |
00401082 | 40 | inc eax |
00401083 | 0068 17 | add byte ptr ds:[eax+17],ch |
00401086 | 2040 00 | and byte ptr ds:[eax],al |
00401089 | 6A 00 | push 0 |
0040108B | E8 D7020000 | call <JMP.&MessageBoxA> |
00401090 | E8 24020000 | call <JMP.&ExitProcess> |
00401095 | E9 83010000 | jmp reverseme.40121D |
The 5-byte jmp (E9 plus a 32-bit displacement) overwrites the 2-byte jne, the push 0 at 0040107D and the first byte of the push at 0040107F, so the disassembler now shows junk instructions from 00401080 to 00401088. That is harmless: the jmp always leaves, so those bytes are never executed. Note also that the patch replaces the check of the CreateFileA result, so the program now reports success whether or not Keyfile.dat exists.
Press F9. The program shows a message box titled Key File ReverseMe with the text You really did it! Congratz !!!
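How the patch bytes come about, as an added Python example (not the crackme's code and not x64dbg's): a near jmp is E9 followed by a 32-bit displacement measured from the end of the 5-byte instruction, so 0x00401205 - (0x0040107B + 5) = 0x185 gives the 85 01 00 00 shown in the listing. The ORIGINAL bytes are copied from the "before" listing; the only assumption is that they are contiguous, which their addresses confirm. Writing the change to the file on disk also requires mapping the virtual address to a file offset; x64dbg's Patch file does that and it is not modelled here.

```python
"""Encode the 5-byte jmp that replaces `jne reverseme.40109A` at 0040107B and show
what becomes of the neighbouring bytes.  Added illustration code for this chapter."""
import struct

JMP_REL32 = 0xE9  # opcode of the near relative jmp


def encode_jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """jmp dst assembled at src: the displacement is relative to the next instruction."""
    disp = dst_va - (src_va + 5)
    return bytes([JMP_REL32]) + struct.pack("<i", disp)


def decode_jmp_rel32(code: bytes, va: int) -> int:
    """Inverse: the target of an E9 jmp whose first byte sits at `va`."""
    if code[0] != JMP_REL32:
        raise ValueError("not an E9 jmp")
    return va + 5 + struct.unpack("<i", code[1:5])[0]


def patch_bytes(image: bytes, base_va: int, at_va: int, patch: bytes) -> bytes:
    """Overwrite `patch` at virtual address `at_va` in a byte buffer that starts at base_va."""
    off = at_va - base_va
    if off < 0 or off + len(patch) > len(image):
        raise ValueError("patch falls outside the buffer")
    out = bytearray(image)
    out[off:off + len(patch)] = patch
    return bytes(out)


# The original bytes from 0040107B, copied from the "before" listing:
#   75 1D          jne reverseme.40109A
#   6A 00          push 0
#   68 00204000    push reverseme.402000
#   68 17204000    push reverseme.402017
#   6A 00          push 0
ORIGINAL = bytes.fromhex("751d6a00680020400068172040006a00")
BASE_VA = 0x0040107B


def apply_crack() -> bytes:
    """The edit made in x64dbg: jmp 0x00401205 written over the jne at 0040107B."""
    jmp = encode_jmp_rel32(0x0040107B, 0x00401205)
    return patch_bytes(ORIGINAL, BASE_VA, 0x0040107B, jmp)


if __name__ == "__main__":
    patched = apply_crack()
    print("jmp bytes :", patched[:5].hex(" "))   # e9 85 01 00 00
    print("after     :", patched.hex(" "))       # matches the "after" listing
    print("target    : %08X" % decode_jmp_rel32(patched, BASE_VA))
```

The leftover bytes 00 20 40 00 68 17 20 40 00 starting at 00401080 are exactly what x64dbg disassembles as the junk add/inc/and instructions; they are the tail of the two push instructions the jmp overran. The same encoder also reproduces the existing E9 28010000 at 004010D8, which confirms the displacement rule.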
Click Patches (shortcut Ctrl + P), then click Patch file and save it as Fix_reverseMe.exe.
Congratulations, the patched Fix_reverseMe.exe has been produced.
Note: the above referenced
x64dbg
x64dbg's documentation!
CSDN, billvsme's column: OllyDbg 使用笔记 (三) (OllyDbg usage notes, part 3)