System: Windows XP

Program: abexcrackme3

Program download: http://pan.baidu.com/s/1mh3TiqO

Task: forge the keyfile

Tool used: IDA

A write-up for this program can also be found on the Pediy (看雪) forum: http://bbs.pediy.com/showthread.php?t=30192


Load the program in IDA, find the success string "Yep, keyfile found!" (Strings window, then follow its cross-reference), and locate the code that decides whether it is shown. The whole program is a single routine:

CODE:00401000 ; =============== S U B R O U T I N E =======================================
CODE:00401000
CODE:00401000 ; Attributes: noreturn
CODE:00401000
CODE:00401000                 public start
CODE:00401000 start           proc near
CODE:00401000                 push    0               ; uType
CODE:00401002                 push    offset Caption  ; "abex' 3rd crackme"
CODE:00401007                 push    offset Text     ; "Click OK to check for the keyfile."
CODE:0040100C                 push    0               ; hWnd
CODE:0040100E                 call    MessageBoxA
CODE:00401013                 push    0               ; hTemplateFile
CODE:00401015                 push    80h             ; dwFlagsAndAttributes
CODE:0040101A                 push    3               ; dwCreationDisposition
CODE:0040101C                 push    0               ; lpSecurityAttributes
CODE:0040101E                 push    0               ; dwShareMode
CODE:00401020                 push    80000000h       ; dwDesiredAccess
CODE:00401025                 push    offset FileName ; "abex.l2c"
CODE:0040102A                 call    CreateFileA
CODE:0040102F                 mov     ds:hFile, eax
CODE:00401034                 cmp     eax, 0FFFFFFFFh
CODE:00401037                 jz      short loc_401075
CODE:00401039                 push    0               ; lpFileSizeHigh
CODE:0040103B                 push    ds:hFile        ; hFile
CODE:00401041                 call    GetFileSize
CODE:00401046                 cmp     eax, 12h
CODE:00401049                 jnz     short loc_401060
CODE:0040104B                 push    0               ; uType
CODE:0040104D                 push    offset aWellDone ; "Well done!"
CODE:00401052                 push    offset aYepKeyfileFoun ; "Yep, keyfile found!"
CODE:00401057                 push    0               ; hWnd
CODE:00401059                 call    MessageBoxA
CODE:0040105E                 jmp     short loc_401088
CODE:00401060 ; ---------------------------------------------------------------------------
CODE:00401060
CODE:00401060 loc_401060:                             ; CODE XREF: start+49j
CODE:00401060                 push    0               ; uType
CODE:00401062                 push    offset aError   ; "Error"
CODE:00401067                 push    offset aTheFoundFileIs ; "The found file is not a valid keyfile!"
CODE:0040106C                 push    0               ; hWnd
CODE:0040106E                 call    MessageBoxA
CODE:00401073                 jmp     short loc_401088
CODE:00401075 ; ---------------------------------------------------------------------------
CODE:00401075
CODE:00401075 loc_401075:                             ; CODE XREF: start+37j
CODE:00401075                 push    0               ; uType
CODE:00401077                 push    offset aError_0 ; "Error"
CODE:0040107C                 push    offset aHmmmmmICanTFin ; "Hmmmmm, I can't find the file!"
CODE:00401081                 push    0               ; hWnd
CODE:00401083                 call    MessageBoxA
CODE:00401088
CODE:00401088 loc_401088:                             ; CODE XREF: start+5Ej
CODE:00401088                                         ; start+73j
CODE:00401088                 call    ExitProcess
CODE:00401088 start           endp ; sp-analysis failed
CODE:00401088

The logic is straightforward. The program opens a file named "abex.l2c" in the current directory with CreateFileA (dwDesiredAccess 80000000h = GENERIC_READ, dwCreationDisposition 3 = OPEN_EXISTING, dwFlagsAndAttributes 80h = FILE_ATTRIBUTE_NORMAL). If the call returns INVALID_HANDLE_VALUE (0FFFFFFFFh) it reports "Hmmmmm, I can't find the file!". Otherwise it calls GetFileSize and compares the result with 12h: anything other than exactly 18 bytes gives "The found file is not a valid keyfile!", while a size of exactly 18 bytes gives "Yep, keyfile found!". The contents of the file are never read, so the only requirement is a file named "abex.l2c" of exactly 18 bytes in the same directory as abexcrackme3. Create a new file there, name it "abex.l2c", open it in Notepad and enter "012345678901234567" (18 characters), then run abexcrackme3 and the check passes. Two things to watch when doing this by hand: do not add a trailing newline (a CRLF would make the file 20 bytes), and save as ANSI rather than Unicode, since a UTF-16 save doubles the byte count and adds a BOM.
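As an added example (not part of the original write-up), the following Python script generates a valid keyfile of exactly 18 bytes and models the crackme's three outcomes (file missing, wrong size, correct size) so the size check can be exercised without launching the binary. The file name, the 0x12 size and the three message strings come from the disassembly above; the `write_keyfile`, `check_keyfile` and `demo` functions and the scratch directory are this example's own constructions.

```python
import os
import tempfile

# Values taken from the disassembly: the file name pushed to CreateFileA and
# the constant compared against the GetFileSize result (cmp eax, 12h).
KEYFILE_NAME = "abex.l2c"
EXPECTED_SIZE = 0x12  # 18 bytes

# Messages the crackme displays, one per branch of the routine.
MSG_NOT_FOUND = "Hmmmmm, I can't find the file!"
MSG_INVALID = "The found file is not a valid keyfile!"
MSG_FOUND = "Yep, keyfile found!"


def write_keyfile(directory, size=EXPECTED_SIZE, filler=b"0123456789"):
    """Write a keyfile of exactly `size` bytes into `directory`.

    The crackme never reads the contents, only the size, so any bytes will do;
    the filler is repeated and truncated so the result is exactly `size` bytes
    (with the defaults this is b"012345678901234567", as in the write-up).
    Returns the path of the file written.
    """
    path = os.path.join(directory, KEYFILE_NAME)
    data = (filler * (size // len(filler) + 1))[:size]
    with open(path, "wb") as f:  # binary mode: no newline translation
        f.write(data)
    assert os.path.getsize(path) == size
    return path


def check_keyfile(directory):
    """Model of the crackme's decision logic (not the binary itself).

    CreateFileA(OPEN_EXISTING) failing  -> "can't find the file"
    GetFileSize(...) != 0x12             -> "not a valid keyfile"
    otherwise                            -> "keyfile found"
    """
    path = os.path.join(directory, KEYFILE_NAME)
    if not os.path.isfile(path):
        return MSG_NOT_FOUND
    if os.path.getsize(path) != EXPECTED_SIZE:
        return MSG_INVALID
    return MSG_FOUND


def demo():
    """Run the three cases in a scratch directory and return their messages.

    The second case reproduces the common hand-made mistake: typing the 18
    characters in Notepad and pressing Enter, which appends CRLF (20 bytes).
    """
    with tempfile.TemporaryDirectory() as d:
        missing = check_keyfile(d)

        with open(os.path.join(d, KEYFILE_NAME), "wb") as f:
            f.write(b"012345678901234567\r\n")  # 20 bytes: fails the check
        too_long = check_keyfile(d)

        write_keyfile(d)  # overwrite with an exact 18-byte file
        ok = check_keyfile(d)
    return missing, too_long, ok


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

Run `write_keyfile(".")` from the directory containing abexcrackme3 to produce the real keyfile; `demo()` only exercises the model in a temporary directory and cleans up after itself.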