Like Share Discussion Bookmark Smile

J.J. Huang   2019-08-01   x64dbg   瀏覽次數:

x64dbg - 第十二章 | 反匯編練習(三) 上

目標程式

檔案下載:reverseMe.exe
解壓密碼:morosedog


任務目標

  • 讓程式使其驗證通過。

分析程式

  • 開啟reverseMe.exe
  • 直接跳出訊息視窗標題為Key File ReverseMe內容為Evaluation period out of date. Purchase new license

  • 檢驗顯示是使用MASM32 / TASM32 [Overlay]編寫。


搜尋思路

  • 使用搜尋字串找關鍵字。

修改思路

  • 移除驗證的部分或是跳過驗證

實際分析

  • 開啟reverseMe.exe

  • 於反匯編視窗點選右鍵選擇搜尋(S)->目前模組->字串引用(S)

    1
    2
    3
    4
    5
    6
    7
    8
    位址       反組譯                   字串                                                   
    0040106E push reverseme.402079 "Keyfile.dat"
    0040107F push reverseme.402000 " Key File ReverseMe"
    00401084 push reverseme.402017 "Evaluation period out of date. Purchase new license"
    004010F9 push reverseme.402000 " Key File ReverseMe"
    004010FE push reverseme.402086 "Keyfile is not valid. Sorry."
    00401207 push reverseme.402000 " Key File ReverseMe"
    0040120C push reverseme.4020DE "You really did it! Congratz !!!"
  • 看到Evaluation period out of date. Purchase new license關鍵字對其設定斷點

  • F9執行程式

  • 斷點在00401084 | 68 17204000 | push reverseme.402017 | 402017:"Evaluation period out of date. Purchase new license"

  • F8一步一步過,持續觀察

  • 步過到下方指令時

    1
    0040108B | E8 D7020000              | call <JMP.&MessageBoxA>                     |`
  • 彈出訊息視窗標題為Key File ReverseMe內容為Evaluation period out of date. Purchase new license

  • 向上觀察會跳轉實現會跳過彈出訊息視窗的指令

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    0040105C | 6A 00                    | push 0                                      |
    0040105E | 68 6F214000 | push reverseme.40216F |
    00401063 | 6A 03 | push 3 |
    00401065 | 6A 00 | push 0 |
    00401067 | 6A 03 | push 3 |
    00401069 | 68 000000C0 | push C0000000 |
    0040106E | 68 79204000 | push reverseme.402079 | 402079:"Keyfile.dat"
    00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
    00401078 | 83F8 FF | cmp eax,FFFFFFFF |
    0040107B | 75 1D | jne reverseme.40109A |
  • 0040107B設定斷點

  • Ctrl + F2重新啟動(S)

  • F9執行程式

  • 斷點在0040107B | 75 1D | jne reverseme.40109A |跳轉未實現

  • jne跳轉實現為ZF=0,我們將其修改為ZF=0

  • F8繼續步過,持續觀察

  • 步過到下方指令時

    1
    2
    004010B0 | 75 02                    | jne reverseme.4010B4                        |
    004010B2 | EB 43 | jmp reverseme.4010F7 |
  • 跳轉到004010F7

  • F8繼續步過,持續觀察

  • 步過到下方指令時

    1
    00401105 | E8 5D020000              | call <JMP.&MessageBoxA>                     |
  • 彈出訊息視窗標題為Key File ReverseMe內容為Keyfile is not valid. Sorry.

  • 向上觀察004010D8 | E9 28010000 | jmp reverseme.401205 ||會跳轉跳過彈出訊息視窗的指令

  • 觀察00401205的位址

    1
    2
    3
    4
    5
    6
    7
    00401205 | 6A 00                    | push 0                                      |
    00401207 | 68 00204000 | push reverseme.402000 | 402000:" Key File ReverseMe"
    0040120C | 68 DE204000 | push reverseme.4020DE | 4020DE:"You really did it! Congratz !!!"
    00401211 | 6A 00 | push 0 |
    00401213 | E8 4F010000 | call <JMP.&MessageBoxA> |
    00401218 | E8 9C000000 | call <JMP.&ExitProcess> |
    0040121D | C3 | ret |
  • 找到了驗證成功的訊息視窗位址

  • 回頭觀察004010B2 | EB 43 | jmp reverseme.4010F7 |是什麼條件執行的

  • 向上觀察

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    0040109A | 6A 00                    | push 0                                      |
    0040109C | 68 73214000 | push reverseme.402173 |
    004010A1 | 6A 46 | push 46 |
    004010A3 | 68 1A214000 | push reverseme.40211A |
    004010A8 | 50 | push eax |
    004010A9 | E8 2F020000 | call <JMP.&ReadFile> |
    004010AE | 85C0 | test eax,eax |
    004010B0 | 75 02 | jne reverseme.4010B4 |
    004010B2 | EB 43 | jmp reverseme.4010F7 |
    004010B4 | 33DB | xor ebx,ebx |
    004010B6 | 33F6 | xor esi,esi |
    004010B8 | 833D 73214000 10 | cmp dword ptr ds:[402173],10 |
    004010BF | 7C 36 | jl reverseme.4010F7 |
    004010C1 | 8A83 1A214000 | mov al,byte ptr ds:[ebx+40211A] |
    004010C7 | 3C 00 | cmp al,0 |
    004010C9 | 74 08 | je reverseme.4010D3 |
    004010CB | 3C 47 | cmp al,47 | 47:'G'
    004010CD | 75 01 | jne reverseme.4010D0 |
    004010CF | 46 | inc esi |
    004010D0 | 43 | inc ebx |
    004010D1 | EB EE | jmp reverseme.4010C1 |
    004010D3 | 83FE 08 | cmp esi,8 |
    004010D6 | 7C 1F | jl reverseme.4010F7 |
    004010D8 | E9 28010000 | jmp reverseme.401205 |
  • 可以發現這一大段在做驗證,失敗則跳轉至004010F7成功則跳轉至00401205


分析總結

  1. 函數CreateFileA檔名參數Keyfile.dat
    1
    2
    0040106E | 68 79204000              | push reverseme.402079                       | 402079:"Keyfile.dat"
    00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
  2. 0040107B,實現跳轉則跳過彈出失敗訊息。
  3. 004010B0,實現跳轉則跳過彈出失效訊息。
  4. 00401205,彈出成功訊息視窗的位址。
  5. 0040109A ~ 004010D8 假設為驗證的區塊。
    1
    2
    3
    // 關鍵在於讀取檔案和比較
    004010A9 | E8 2F020000 | call <JMP.&ReadFile> |
    004010AE | 85C0 | test eax,eax |

修改思路

根據分析總結做對應

  1. 將會跳轉到失敗訊息的部分直接修改跳轉到成功的訊息位址
  2. Keyfile.dat的驗證邏輯找出

實際修改

這邊使用修改思路的第1個方法做示範。

  • 開啟reverseMe.exe

  • 將所有中斷點移除

  • 0040107B | 75 1D | jne reverseme.40109A |按下空白鍵

  • 將指令修改為jmp 0x00401205,按下確定

  • 修改後如下

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    // 修改前
    00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
    00401078 | 83F8 FF | cmp eax,FFFFFFFF |
    0040107B | 75 1D | jne reverseme.40109A |
    0040107D | 6A 00 | push 0 |
    0040107F | 68 00204000 | push reverseme.402000 | 402000:" Key File ReverseMe"
    00401084 | 68 17204000 | push reverseme.402017 | 402017:"Evaluation period out of date. Purchase new license"
    00401089 | 6A 00 | push 0 |
    0040108B | E8 D7020000 | call <JMP.&MessageBoxA> |
    00401090 | E8 24020000 | call <JMP.&ExitProcess> |
    00401095 | E9 83010000 | jmp reverseme.40121D |
    // 修改後
    00401073 | E8 0B020000 | call <JMP.&CreateFileA> |
    00401078 | 83F8 FF | cmp eax,FFFFFFFF |
    0040107B | E9 85010000 | jmp reverseme.401205 |
    00401080 | 0020 | add byte ptr ds:[eax],ah |
    00401082 | 40 | inc eax |
    00401083 | 0068 17 | add byte ptr ds:[eax+17],ch |
    00401086 | 2040 00 | and byte ptr ds:[eax],al |
    00401089 | 6A 00 | push 0 |
    0040108B | E8 D7020000 | call <JMP.&MessageBoxA> |
    00401090 | E8 24020000 | call <JMP.&ExitProcess> |
    00401095 | E9 83010000 | jmp reverseme.40121D |
  • F9執行

  • 彈出訊息視窗標題為Key File ReverseMe內容為You really did it! Congratz !!!

  • 點擊修補程式 或是快捷鍵Ctrl + P

  • 點擊修補檔案(P)

  • 另存檔名Fix_reverseMe.exe

  • 恭喜補丁產生Fix_reverseMe.exe


註:以上參考了
x64dbg
x64dbg’s documentation!
CSDN billvsme的专栏OllyDbg 使用笔记 (三)