
160 Practice CrackMes - 027

2017-11-18 22:33
1. Not packed; built with VC.

2. Search for the prompt strings to locate the key code:

00401346   .  FF75 E8       push dword ptr ss:[ebp-0x18]             ; /RootPathName
00401349   .  FF15 04204000 call dword ptr ds:[<&KERNEL32.GetDriveTy>; \GetDriveTypeA
0040134F   .  83F8 03       cmp eax,0x3                              ;  3 = fixed disk
00401352   .  74 3E         je XCosh_1.00401392
00401354   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00401357   .  68 58304000   push Cosh_1.00403058                     ;  CD_CHECK.DAT
0040135C   .  50            push eax
0040135D   .  8D45 E0       lea eax,dword ptr ss:[ebp-0x20]
00401360   .  50            push eax
00401361   .  E8 22030000   call <jmp.&MFC42.#924>
00401366   .  8B00          mov eax,dword ptr ds:[eax]
00401368   .  53            push ebx                                 ; /hTemplateFile
00401369   .  53            push ebx                                 ; |Attributes
0040136A   .  53            push ebx                                 ; |Mode
0040136B   .  53            push ebx                                 ; |pSecurity
0040136C   .  6A 01         push 0x1                                 ; |ShareMode = FILE_SHARE_READ
0040136E   .  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
00401373   .  50            push eax                                 ; |FileName
00401374   .  FF15 00204000 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileA
0040137A   .  83F8 FF       cmp eax,-0x1
0040137D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00401380   .  0F9445 F3     sete byte ptr ss:[ebp-0xD]
00401384   .  E8 11030000   call <jmp.&MFC42.#800>
00401389   .  385D F3       cmp byte ptr ss:[ebp-0xD],bl
0040138C   .  0F84 F3000000 je Cosh_1.00401485                       ;  jump to success
00401392   >  FF45 EC       inc dword ptr ss:[ebp-0x14]
00401395   .  83C7 04       add edi,0x4
00401398   .  837D EC 07    cmp dword ptr ss:[ebp-0x14],0x7
0040139C   .^ 75 9F         jnz XCosh_1.0040133D
0040139E   .  53            push ebx
0040139F   .  68 4C304000   push Cosh_1.0040304C                     ;  Try again
004013A4   .  68 40304000   push Cosh_1.00403040                     ;  You lost
004013A9   >  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]


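GetDriveTypeA() determines the drive type; when it returns 3, the CreateFile() call is skipped.

CreateFile() is used here to open the file object and return a handle through which it can be accessed.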



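These are the arguments the program passes when it calls CreateFile(). They appear to be wrong: the 5th argument, Mode, is passed as 0, but this parameter has no option with the value 0, so the call returns -1 whether or not the file exists, and GetLastError returns 87, i.e. invalid parameter.

Workaround: insert a USB drive, create a CD_CHECK.DAT file on it, set a breakpoint on the CreateFileA() call at 00401374, and modify the passed-in argument on the stack.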



OK~
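
The check loop and the CreateFileA behaviour described above, as a portable C model (an added example, not code recovered from the crackme or written by the post's author). The drive table, `model_create_file` and `cd_check` are hypothetical names with constructed data; the model reproduces only the parameter validation the post observed (Mode 0 fails with error 87) and the OPEN_EXISTING case.

```c
#include <stdio.h>

/* Values from the Win32 headers. */
#define DRIVE_FIXED             3
#define OPEN_EXISTING           3
#define ERROR_FILE_NOT_FOUND    2
#define ERROR_INVALID_PARAMETER 87
#define INVALID_HANDLE          (-1)

/* Constructed environment: seven drive roots, one removable drive (type 2)
 * that holds CD_CHECK.DAT. The real root list is not shown in the post. */
struct drive { const char *root; int type; int has_file; };
static const struct drive drives[7] = {
    {"C:\\", 3, 0}, {"D:\\", 3, 0}, {"E:\\", 2, 1}, {"F:\\", 5, 0},
    {"G:\\", 1, 0}, {"H:\\", 1, 0}, {"I:\\", 1, 0},
};
static int last_error;   /* stands in for GetLastError() */

/* Model of CreateFileA: the creation disposition (the "Mode" argument)
 * is validated before the path is looked at; valid values are 1..5. */
static int model_create_file(const struct drive *d, int disposition)
{
    if (disposition < 1 || disposition > 5) {
        last_error = ERROR_INVALID_PARAMETER;
        return INVALID_HANDLE;
    }
    if (disposition == OPEN_EXISTING && !d->has_file) {
        last_error = ERROR_FILE_NOT_FOUND;
        return INVALID_HANDLE;
    }
    last_error = 0;
    return 4;            /* any value other than -1 counts as a handle */
}

/* Loop 0040133D..0040139C: index of the drive that passes, or -1. */
int cd_check(int disposition)
{
    for (int i = 0; i < 7; i++) {                /* cmp [ebp-0x14],0x7   */
        if (drives[i].type == DRIVE_FIXED)       /* cmp eax,0x3 ; je     */
            continue;
        if (model_create_file(&drives[i], disposition) != INVALID_HANDLE)
            return i;                            /* sete ; je 00401485   */
    }
    return -1;                                   /* "You lost"           */
}

int main(void)
{
    int r = cd_check(0);                         /* what the binary passes */
    printf("Mode=0             -> %d, last error %d\n", r, last_error);
    printf("Mode=OPEN_EXISTING -> %d\n", cd_check(OPEN_EXISTING));
    return 0;
}
```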
