Monday, April 19, 2010

02 Keyfiling the reverseme

Saturday, April 17, 2010

01 basic reversing


This program looks for a file named Keyfile.dat.

Using the CreateFile function the program tries to open the file. But the file doesn't exist, so CreateFile fails.

So go to the next step, CMP.
The CMP instruction subtracts its second operand from the first, throws the result away and sets the flags (Z, S, C, O) according to that result.
EAX is compared to -1.
EAX=FFFFFFFF
FFFFFFFF means -1 (this is INVALID_HANDLE_VALUE, what CreateFile returns when it fails).
The CMP result we get is 0, so the Z flag is set.

Next instruction is JNZ
JNZ == Jump if Not Zero
Since the result is 0 (Z flag set), the jump will not be taken, and execution falls through to the error message "Evaluation Period out of date".

==============================================

So we need to find a way to take that jump and get past the evaluation period message.



Double click the Z flag to change its value to 0.
Now you will see the arrow turn red, which means the jump will be taken and the error message is bypassed.

==============================================
We can set a breakpoint (=BP) by double clicking or by pressing F2.

It makes it easy later to find the places where we need to make changes.
==============================================


Press F8 (step over) to go further.


Now you will see a whole bunch of jumps and conditional jumps ahead, and then nothing...

You will also see a ReadFile.

ReadFile tries to read a certain number of bytes from our Keyfile.dat and, if successful, puts them in a buffer at a certain address.

Keyfile.dat was not found by CreateFile of course, so the info here is missing:

hFile=FFFFFFFF (the invalid handle) instead of a real handle value.

ReadFile was going to read 46h (==70 decimal) bytes,
using the value at 402173 (which would normally have been filled in by CreateFile),
and place them in a buffer at 40211A.

TEST EAX,EAX

The TEST instruction is in 99% of all cases used as TEST EAX,EAX. It performs a logical AND but does not save the result. It sets the Z flag when the result is 0 and clears it when the result is not 0 (it also sets the S flag from the result's top bit).
The O and C flags are always cleared.
TEST doesn't change the value of EAX. It's basically an AND instruction that doesn't write the result to a destination.

After this TEST EAX,EAX comes JNZ (Jump if Not Zero), so we are not going to jump,

because EAX is zero (ReadFile failed and returned 0, so the Z flag is set).

If we don't jump, it goes to the error message.
So we need to jump; to make it jump, change the value of the Z flag to 0.

The next one is an XOR instruction:
XOR EBX,EBX (this just sets EBX to zero)

Step over (F8).

When you get to JL SHORT reverseM.004010F7, you will notice it is again going to the error message "Key file not valid".

So let's search for all the text strings.

Right click the white area in the main thread window, Search for >> All referenced text strings.

Change the S flag: JL jumps when S != O, so toggling S alone flips the decision.
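To make the flag reasoning above concrete, here is a small C model of the three decisions in this reverseme: CMP EAX,-1 / JNZ after CreateFile, TEST EAX,EAX / JNZ after ReadFile, and the JL that reads S and O. This is an added example, not code from the original post or from the reverseme itself; the function names (x86_cmp, x86_test, jnz_taken, jl_taken, toggle_zf, toggle_sf) and the "good handle" value 0x50 are my own constructed placeholders. The flag semantics are the real x86 ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The subset of EFLAGS that the jumps on this page read. */
typedef struct {
    bool zf; /* zero     */
    bool sf; /* sign     */
    bool of; /* overflow */
    bool cf; /* carry    */
} Flags;

/* CMP a,b: compute a - b, set the flags from the result, discard the result. */
Flags x86_cmp(uint32_t a, uint32_t b) {
    Flags f;
    uint32_t r = a - b;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    f.cf = (a < b);                               /* unsigned borrow */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;       /* signed overflow */
    return f;
}

/* TEST a,b: compute a & b, set ZF/SF from the result, clear OF/CF, discard the result. */
Flags x86_test(uint32_t a, uint32_t b) {
    Flags f;
    uint32_t r = a & b;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    f.cf = false;
    f.of = false;
    return f;
}

/* The conditions behind the two conditional jumps used on this page. */
bool jnz_taken(Flags f) { return !f.zf; }
bool jl_taken(Flags f)  { return f.sf != f.of; }

/* What double-clicking a flag in the debugger's register pane does. */
Flags toggle_zf(Flags f) { f.zf = !f.zf; return f; }
Flags toggle_sf(Flags f) { f.sf = !f.sf; return f; }

/* Check 1: CMP EAX,-1 / JNZ after CreateFile. Returns true when execution
 * falls through to "Evaluation Period out of date". */
bool createfile_check_fails(uint32_t eax) {
    Flags f = x86_cmp(eax, 0xFFFFFFFFu);          /* -1 == INVALID_HANDLE_VALUE */
    return !jnz_taken(f);
}

/* Check 2: TEST EAX,EAX / JNZ after ReadFile. Returns true when execution
 * falls through to the error message (ReadFile returned 0). */
bool readfile_check_fails(uint32_t eax) {
    Flags f = x86_test(eax, eax);
    return !jnz_taken(f);
}

int main(void) {
    /* Constructed values: a failed CreateFile returns -1; 0x50 stands in
     * for a real handle (placeholder, not a value from the reverseme). */
    uint32_t bad_handle = 0xFFFFFFFFu, good_handle = 0x50;
    printf("CreateFile = -1   -> error path: %d\n", (int)createfile_check_fails(bad_handle));
    printf("CreateFile = 0x50 -> error path: %d\n", (int)createfile_check_fails(good_handle));

    /* Patching in the debugger: same CMP, Z flag flipped, jump now taken. */
    Flags f = x86_cmp(bad_handle, 0xFFFFFFFFu);
    printf("JNZ taken with ZF=%d: %d; after toggling ZF: %d\n",
           (int)f.zf, (int)jnz_taken(f), (int)jnz_taken(toggle_zf(f)));

    /* ReadFile returned 0 (failure): TEST EAX,EAX sets ZF, no jump. */
    printf("ReadFile = 0 -> error path: %d\n", (int)readfile_check_fails(0));

    /* JL reads SF != OF, so flipping S alone changes the decision. */
    Flags g = x86_cmp(5, 10);                     /* 5 - 10 is negative: SF=1, OF=0 */
    printf("JL taken: %d; after toggling SF: %d\n",
           (int)jl_taken(g), (int)jl_taken(toggle_sf(g)));
    return 0;
}
```

The model makes the debugger trick explicit: toggling Z in the register pane does not change EAX or the CMP, it only changes what the following JNZ sees, which is exactly why the red arrow appears. The JL case shows why the post toggles S rather than Z: JL never looks at the Z flag.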

Friday, April 16, 2010

PEiD

PEiD is a reverser's tool that detects most common packers, cryptors and compilers for PE files.