環境：
Windows xp sp3

工具：
Ollydbg
exeinfope

0x00 查殼

無殼的程序

0x01 分析

運行后說需要keyfile，那就創建一個。
OD載入找找看需要的keyfile叫什么名字

00401000 > $ 6A 00 push 0x0 ; |/pModule = NULL 00401002 . E8 64020000 call <jmp.&KERNEL32.GetModuleHandleA> ; |\GetModuleHandleA 00401007 . A3 77214000 mov dword ptr ds:[0x402177],eax ; | 0040100C . C705 97214000>mov dword ptr ds:[0x402197],0x4003 ; | 00401016 . C705 9B214000>mov dword ptr ds:[0x40219B],DueList_.004>; | 00401020 . C705 9F214000>mov dword ptr ds:[0x40219F],0x0 ; | 0040102A . C705 A3214000>mov dword ptr ds:[0x4021A3],0x0 ; | 00401034 . A1 77214000 mov eax,dword ptr ds:[0x402177] ; | 00401039 . A3 A7214000 mov dword ptr ds:[0x4021A7],eax ; | 0040103E . 6A 04 push 0x4 ; |/RsrcName = 4. 00401040 . 50 push eax ; ||hInst => NULL 00401041 . E8 3F030000 call <jmp.&USER32.LoadIconA> ; |\LoadIconA 00401046 . A3 AB214000 mov dword ptr ds:[0x4021AB],eax ; | 0040104B . 68 007F0000 push 0x7F00 ; |/RsrcName = IDC_ARROW 00401050 . 6A 00 push 0x0 ; ||hInst = NULL 00401052 . E8 C8020000 call <jmp.&USER32.LoadCursorA> ; |\LoadCursorA 00401057 . A3 AF214000 mov dword ptr ds:[0x4021AF],eax ; | 0040105C . 6A 00 push 0x0 ; |/hTemplateFile = NULL 0040105E . 68 6F214000 push DueList_.0040216F ; ||Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048 00401063 . 6A 03 push 0x3 ; ||Mode = OPEN_EXISTING 00401065 . 6A 00 push 0x0 ; ||pSecurity = NULL 00401067 . 6A 03 push 0x3 ; ||ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE 00401069 . 68 000000C0 push 0xC0000000 ; ||Access = GENERIC_READ|GENERIC_WRITE 0040106E . 68 79204000 push DueList_.00402079 ; ||FileName = "due-cm2.dat" 00401073 . E8 0B020000 call <jmp.&KERNEL32.CreateFileA> ; |\CreateFileA

運氣很好，一進去就看到了名字。在40106E的位置：”due-cm2.dat”
那就創建一個叫這樣的文件吧。

再運行看看。。。

keyfile無效。因為里面沒有東西吧，看看需要什么。。

00401078 . 83F8 FF cmp eax,-0x1 ; | 0040107B . 75 1D jnz XDueList_.0040109A ; | 0040107D . 6A 00 push 0x0 ; |/Style = MB_OK|MB_APPLMODAL 0040107F . 68 01204000 push DueList_.00402001 ; ||Title = "Duelist's Crackme #2" 00401084 . 68 17204000 push DueList_.00402017 ; ||Text = "Your time-trial has ended... Please register and copy the keyfile sent to you to this directory!" 00401089 . 6A 00 push 0x0 ; ||hOwner = NULL 0040108B . E8 D7020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA 00401090 . E8 24020000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess 00401095 . E9 28010000 jmp DueList_.004011C2 0040109A > 6A 00 push 0x0 ; /pOverlapped = NULL 0040109C . 68 73214000 push DueList_.00402173 ; |pBytesRead = DueList_.00402173 004010A1 . 6A 46 push 0x46 ; |BytesToRead = 46 (70.) 004010A3 . 68 1A214000 push DueList_.0040211A ; |Buffer = DueList_.0040211A 004010A8 . 50 push eax ; |hFile 004010A9 . E8 2F020000 call <jmp.&KERNEL32.ReadFile> ; \ReadFile 004010AE . 85C0 test eax,eax ; 判斷文件是否為空 004010B0 . 75 02 jnz XDueList_.004010B4 004010B2 . EB 43 jmp XDueList_.004010F7 004010B4 > 33DB xor ebx,ebx 004010B6 . 33F6 xor esi,esi 004010B8 . 833D 73214000>cmp dword ptr ds:[0x402173],0x12 ; 長度至少為18 004010BF . 7C 36 jl XDueList_.004010F7 004010C1 > 8A83 1A214000 mov al,byte ptr ds:[ebx+0x40211A] 004010C7 . 3C 00 cmp al,0x0 004010C9 . 74 08 je XDueList_.004010D3 004010CB . 3C 01 cmp al,0x1 ; 要有至少兩個0x1 004010CD . 75 01 jnz XDueList_.004010D0 004010CF . 46 inc esi 004010D0 > 43 inc ebx 004010D1 .^ EB EE jmp XDueList_.004010C1 004010D3 > 83FE 02 cmp esi,0x2 004010D6 . 7C 1F jl XDueList_.004010F7 004010D8 . 33F6 xor esi,esi 004010DA . 33DB xor ebx,ebx 004010DC > 8A83 1A214000 mov al,byte ptr ds:[ebx+0x40211A] 004010E2 . 3C 00 cmp al,0x0 004010E4 . 74 09 je XDueList_.004010EF 004010E6 . 3C 01 cmp al,0x1 ; 0x1前面之和要為0x1D5 004010E8 . 74 05 je XDueList_.004010EF 004010EA . 03F0 add esi,eax 004010EC . 43 inc ebx ; 記錄第1個0x1的位置 004010ED .^ EB ED jmp XDueList_.004010DC 004010EF > 81FE D5010000 cmp esi,0x1D5 004010F5 . 74 1D je XDueList_.00401114 004010F7 > 6A 00 push 0x0 ; |/Style = MB_OK|MB_APPLMODAL 004010F9 . 68 01204000 push DueList_.00402001 ; ||Title = "Duelist's Crackme #2" 004010FE . 68 86204000 push DueList_.00402086 ; ||Text = "Your current keyfile is invalid... Please obtain a valid one from the software author!" 00401103 . 6A 00 push 0x0 ; ||hOwner = NULL 00401105 . E8 5D020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA 0040110A . E8 AA010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess 0040110F . E9 AE000000 jmp DueList_.004011C2 00401114 > 33F6 xor esi,esi 00401116 > 43 inc ebx ; 第1個0x1后第2個0x1前的內容就是名字 00401117 . 8A83 1A214000 mov al,byte ptr ds:[ebx+0x40211A] 0040111D . 3C 00 cmp al,0x0 0040111F . 74 18 je XDueList_.00401139 00401121 . 3C 01 cmp al,0x1 00401123 . 74 14 je XDueList_.00401139 00401125 . 83FE 0F cmp esi,0xF 00401128 . 73 0F jnb XDueList_.00401139 0040112A . 3286 1A214000 xor al,byte ptr ds:[esi+0x40211A] ; 這里是計算名字，這個沒什么所謂 00401130 . 8986 60214000 mov dword ptr ds:[esi+0x402160],eax 00401136 . 46 inc esi 00401137 .^ EB DD jmp XDueList_.00401116 00401139 > 43 inc ebx 0040113A . 33F6 xor esi,esi 0040113C > 8A83 1A214000 mov al,byte ptr ds:[ebx+0x40211A] 00401142 . 3C 00 cmp al,0x0 00401144 . 74 09 je XDueList_.0040114F 00401146 . 3C 01 cmp al,0x1 ; 計算第2個0x1后的值 00401148 .^ 74 F2 je XDueList_.0040113C 0040114A . 03F0 add esi,eax 0040114C . 43 inc ebx 0040114D .^ EB ED jmp XDueList_.0040113C 0040114F > 81FE B2010000 cmp esi,0x1B2 ; 這里和前面類似，也要使得值滿足一定要求 00401155 .^ 75 A0 jnz XDueList_.004010F7 ; 不滿足要求就跳到錯誤處

0x02 算法分析

算法相對簡單：
1、一開始會判斷文件里的二進制值中有幾個0x01，如果少于兩個就錯誤。
2、將第一個0x01之前的所有二進制值相加，要滿足它們的和為0x1D5
3、將第一個0x01和第二個0x01中間的值進行異或計算，得到的內容用于注冊成功后顯示。
4、將第二個0x01之后的值進行相加，要滿足它們的和為0x1B2

所以很簡單就得到這個：

31 32 33 34 35 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 13 01 56 5C 46 56 51 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 01 88 88 A2

結果為：

總結

以上是生活随笔為你收集整理的160 - 47 DueList.2的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。