【Software】密码监听器 (Password Monitor) V2.5
【Download】http://www2.skycn.com/soft/6294.html
【Platform】Win9x/NT/2000/XP
【Size】222 KB
【Limitation】Feature-limited trial
【Crack by】ayan
【Statement】I cracked this purely out of interest, for no other purpose. Corrections from the masters are welcome!
【Tools】flyOD, PEiD
【Description】密码监听器 captures passwords entered on web pages, including webmail, forums and chat rooms. Running on a single machine, it captures the account names and passwords used to log in from any machine on the LAN, then displays them, saves them, or sends them to a mailbox the user specifies.
===================================================================
【Analysis】
Checked the packer: Microsoft Visual C++ 6.0. Loaded the program in OD, searched the referenced strings for '注册失败' ("registration failed"), double-clicked it and scrolled up to 0040BA97, where the breakpoint goes.
Ran it, filled in the registration dialog and clicked OK; it breaks at the breakpoint. Step down with F8 and analyze:
0040BA97 8D4D F0 lea ecx,dword ptr ss:[ebp-10] //breakpoint here
0040BA9A E8 531C0000 call <jmp.&MFC42.#6283>
0040BA9F 8B45 EC mov eax,dword ptr ss:[ebp-14]//registration name -> EAX
0040BAA2 3978 F8 cmp dword ptr ds:[eax-8],edi //was a name entered?
0040BAA5 0F84 F6020000 je pswmonit.0040BDA1 //not entered: jump, OVER
0040BAAB 8B45 F0 mov eax,dword ptr ss:[ebp-10]//registration code -> EAX
0040BAAE 3978 F8 cmp dword ptr ds:[eax-8],edi //was a code entered?
0040BAB1 0F84 EA020000 je pswmonit.0040BDA1 //not entered: jump, OVER
0040BAB7 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0040BABA E8 1D1D0000 call <jmp.&MFC42.#4202>
0040BABF A1 00704100 mov eax,dword ptr ds:[417000]//count -> EAX
0040BAC4 33F6 xor esi,esi //zero ESI, used as the loop counter
0040BAC6 3BC7 cmp eax,edi //compare EAX with EDI
0040BAC8 7E 3F jle short pswmonit.0040BB09 //jump if less than or equal
0040BACA 8D45 E0 lea eax,dword ptr ss:[ebp-20] \
0040BACD 56 push esi |
0040BACE 50 push eax |
0040BACF B9 F86F4100 mov ecx,pswmonit.00416FF8 |
0040BAD4 E8 CA9DFFFF call pswmonit.004058A3 |
0040BAD9 8D4D E0 lea ecx,dword ptr ss:[ebp-20] |
0040BADC C645 FC 02 mov byte ptr ss:[ebp-4],2 |
0040BAE0 E8 F71C0000 call <jmp.&MFC42.#4202> |
0040BAE5 FF75 EC push dword ptr ss:[ebp-14] |
0040BAE8 8D4D E0 lea ecx,dword ptr ss:[ebp-20] |loop comparing the name against a list; if it equals any entry, OVER
0040BAEB E8 F61B0000 call <jmp.&MFC42.#2764> |the commonest entry seems to be 风飘雪
0040BAF0 85C0 test eax,eax |
0040BAF2 7D 6A jge short pswmonit.0040BB5E |
0040BAF4 8D4D E0 lea ecx,dword ptr ss:[ebp-20] |
0040BAF7 C645 FC 01 mov byte ptr ss:[ebp-4],1 |
0040BAFB E8 801B0000 call <jmp.&MFC42.#800> |
0040BB00 46 inc esi |
0040BB01 3B35 00704100 cmp esi,dword ptr ds:[417000] |
0040BB07 ^ 7C C1 jl short pswmonit.0040BACA /
0040BB09 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0040BB0C 6A 01 push 1
0040BB0E 50 push eax
0040BB0F 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0040BB12 E8 111C0000 call <jmp.&MFC42.#4129>
0040BB17 8B00 mov eax,dword ptr ds:[eax]
0040BB19 8B35 AC044100 mov esi,dword ptr ds:[<&MSVCRT._mbsc>; msvcrt._mbscmp
0040BB1F BB 60524100 mov ebx,pswmonit.00415260
0040BB24 C645 FC 03 mov byte ptr ss:[ebp-4],3
0040BB28 53 push ebx
0040BB29 50 push eax
0040BB2A FFD6 call esi
0040BB2C 59 pop ecx
0040BB2D 85C0 test eax,eax
0040BB2F 59 pop ecx
0040BB30 74 4E je short pswmonit.0040BB80
0040BB32 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0040BB35 6A 01 push 1
0040BB37 50 push eax
0040BB38 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0040BB3B E8 F21D0000 call <jmp.&MFC42.#5710>
0040BB40 8B00 mov eax,dword ptr ds:[eax]
0040BB42 53 push ebx
0040BB43 50 push eax
0040BB44 FFD6 call esi
0040BB46 8BD8 mov ebx,eax
0040BB48 59 pop ecx
0040BB49 F7DB neg ebx
0040BB4B 59 pop ecx
0040BB4C 1ADB sbb bl,bl
0040BB4E 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040BB51 FEC3 inc bl
0040BB53 E8 281B0000 call <jmp.&MFC42.#800>
0040BB58 84DB test bl,bl
0040BB5A 75 24 jnz short pswmonit.0040BB80
0040BB5C EB 24 jmp short pswmonit.0040BB82
0040BB5E 51 push ecx
0040BB5F 8BCC mov ecx,esp
0040BB61 8965 E4 mov dword ptr ss:[ebp-1C],esp
0040BB64 68 1C5E4100 push pswmonit.00415E1C
0040BB69 E8 B41B0000 call <jmp.&MFC42.#537>
0040BB6E E8 7CBCFFFF call pswmonit.004077EF
0040BB73 59 pop ecx
0040BB74 C645 FC 01 mov byte ptr ss:[ebp-4],1
0040BB78 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0040BB7B E9 01020000 jmp pswmonit.0040BD81
0040BB80 B3 01 mov bl,1
0040BB82 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0040BB85 C645 FC 01 mov byte ptr ss:[ebp-4],1
0040BB89 E8 F21A0000 call <jmp.&MFC42.#800>
0040BB8E 84DB test bl,bl
0040BB90 74 0B je short pswmonit.0040BB9D
0040BB92 51 push ecx
0040BB93 8BCC mov ecx,esp
0040BB95 8965 E0 mov dword ptr ss:[ebp-20],esp
0040BB98 E9 0A020000 jmp pswmonit.0040BDA7
0040BB9D BB BC554100 mov ebx,pswmonit.004155BC ; ASCII "whm_w"//string "whm_w" -> EBX
0040BBA2 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0040BBA5 53 push ebx
0040BBA6 E8 D71B0000 call <jmp.&MFC42.#941> //append whm_w to the registration name before computing the code
0040BBAB 8B45 EC mov eax,dword ptr ss:[ebp-14] //concatenated name -> EAX
0040BBAE 33C9 xor ecx,ecx //zero ECX
0040BBB0 897D DC mov dword ptr ss:[ebp-24],edi //EDI = 0
0040BBB3 8B50 F8 mov edx,dword ptr ds:[eax-8] //length of the concatenated name -> EDX
0040BBB6 3BD7 cmp edx,edi //compare EDX with EDI
0040BBB8 7E 0E jle short pswmonit.0040BBC8 //jump if <= 0; otherwise the name is processed byte by byte below
0040BBBA 0FBE3401 movsx esi,byte ptr ds:[ecx+eax]//fetch one byte of the name
0040BBBE 0175 DC add dword ptr ss:[ebp-24],esi //accumulate the name bytes into [EBP-24]
0040BBC1 41 inc ecx //ECX + 1, counter
0040BBC2 3BCA cmp ecx,edx //compare: all bytes taken?
0040BBC4 ^ 7C F4 jl short pswmonit.0040BBBA //loop until done, then fall through
0040BBC6 33FF xor edi,edi //zero EDI
0040BBC8 8B45 F0 mov eax,dword ptr ss:[ebp-10] //registration code -> EAX
0040BBCB 8D4D F0 lea ecx,dword ptr ss:[ebp-10] //address -> ECX
0040BBCE 8B40 F8 mov eax,dword ptr ds:[eax-8] //length of the code -> EAX
0040BBD1 83C0 FE add eax,-2 //EAX = EAX - 2
0040BBD4 50 push eax //push EAX
0040BBD5 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0040BBD8 57 push edi
0040BBD9 50 push eax
0040BBDA E8 511C0000 call <jmp.&MFC42.#4278> //take the first EAX-2 characters of the code
0040BBDF FF30 push dword ptr ds:[eax] //[EAX] = the first EAX-2 characters of the trial code, pushed
0040BBE1 8B35 C4044100 mov esi,dword ptr ds:[<&MSVCRT.atol>>; msvcrt.atol
0040BBE7 FFD6 call esi //the algorithm CALL, step into it
0040BBE9 59 pop ecx //pop the argument
0040BBEA 8BF8 mov edi,eax //EAX -> EDI
0040BBEC 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040BBEF E8 8C1A0000 call <jmp.&MFC42.#800>
0040BBF4 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0040BBF7 6A 02 push 2
0040BBF9 50 push eax
0040BBFA 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0040BBFD E8 301D0000 call <jmp.&MFC42.#5710> //take the last two characters of the code
0040BC02 FF30 push dword ptr ds:[eax]
0040BC04 FF15 C0044100 call dword ptr ds:[<&MSVCRT.atoi>] ; msvcrt.atoi
0040BC0A 59 pop ecx
0040BC0B 8945 D8 mov dword ptr ss:[ebp-28],eax
0040BC0E 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040BC11 E8 6A1A0000 call <jmp.&MFC42.#800>
0040BC16 337D D8 xor edi,dword ptr ss:[ebp-28] //value from the leading digits of the code minus value from the last two digits -> EDI
0040BC19 397D DC cmp dword ptr ss:[ebp-24],edi //compare the name sum with EDI
0040BC1C 0F85 66010000 jnz pswmonit.0040BD88 //not equal: jump, OVER
0040BC22 68 E8604100 push pswmonit.004160E8
0040BC27 53 push ebx
0040BC28 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0040BC2B E8 FE1A0000 call <jmp.&MFC42.#6877>
0040BC30 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040BC33 E8 661A0000 call <jmp.&MFC42.#540>
0040BC38 6A 6A push 6A
0040BC3A 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040BC3D C645 FC 04 mov byte ptr ss:[ebp-4],4
0040BC41 E8 EE1A0000 call <jmp.&MFC42.#4160>
0040BC46 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0040BC49 50 push eax
0040BC4A E8 12CEFFFF call pswmonit.00408A61
0040BC4F 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0040BC52 C70424 E8554100 mov dword ptr ss:[esp],pswmonit.0041>
0040BC59 50 push eax
0040BC5A 8D45 CC lea eax,dword ptr ss:[ebp-34]
0040BC5D 50 push eax
0040BC5E C645 FC 05 mov byte ptr ss:[ebp-4],5
0040BC62 E8 A71C0000 call <jmp.&MFC42.#924>
0040BC67 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040BC6A C645 FC 06 mov byte ptr ss:[ebp-4],6
0040BC6E 51 push ecx
0040BC6F 50 push eax
0040BC70 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0040BC73 50 push eax
0040BC74 E8 C51C0000 call <jmp.&MFC42.#922>
0040BC79 50 push eax
0040BC7A 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040BC7D C645 FC 07 mov byte ptr ss:[ebp-4],7
0040BC81 E8 B41A0000 call <jmp.&MFC42.#858>
0040BC86 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0040BC89 C645 FC 06 mov byte ptr ss:[ebp-4],6
0040BC8D E8 EE190000 call <jmp.&MFC42.#800>
0040BC92 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040BC95 C645 FC 05 mov byte ptr ss:[ebp-4],5
0040BC99 E8 E2190000 call <jmp.&MFC42.#800>
0040BC9E 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0040BCA1 8378 F8 00 cmp dword ptr ds:[eax-8],0
0040BCA5 0F84 C3000000 je pswmonit.0040BD6E //must not jump
0040BCAB 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0040BCAE 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0040BCB1 50 push eax
0040BCB2 E8 591A0000 call <jmp.&MFC42.#535>
0040BCB7 6A 00 push 0
0040BCB9 C645 FC 08 mov byte ptr ss:[ebp-4],8
0040BCBD FF15 A8044100 call dword ptr ds:[<&MSVCRT.time>] ; msvcrt.time
0040BCC3 50 push eax
0040BCC4 FF15 D8044100 call dword ptr ds:[<&MSVCRT.srand>] ; msvcrt.srand
0040BCCA 59 pop ecx
0040BCCB 59 pop ecx
0040BCCC FF15 B0044100 call dword ptr ds:[<&MSVCRT.rand>] ; msvcrt.rand
0040BCD2 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
0040BCD5 8BD8 mov ebx,eax
0040BCD7 E8 C2190000 call <jmp.&MFC42.#540>
0040BCDC 53 push ebx
0040BCDD 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0040BCE0 68 30524100 push pswmonit.00415230 ; ASCII "%d"
0040BCE5 50 push eax
0040BCE6 C645 FC 09 mov byte ptr ss:[ebp-4],9
0040BCEA E8 271A0000 call <jmp.&MFC42.#2818>
0040BCEF FF75 DC push dword ptr ss:[ebp-24]
0040BCF2 FFD6 call esi
0040BCF4 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
0040BCF7 33C3 xor eax,ebx
0040BCF9 50 push eax
0040BCFA 53 push ebx
0040BCFB 8B49 F8 mov ecx,dword ptr ds:[ecx-8]
0040BCFE 8D45 DC lea eax,dword ptr ss:[ebp-24]
0040BD01 51 push ecx
0040BD02 68 145E4100 push pswmonit.00415E14 ; ASCII "%d%d%d"
0040BD07 50 push eax
0040BD08 E8 091A0000 call <jmp.&MFC42.#2818>
0040BD0D 83C4 24 add esp,24
0040BD10 8B35 58004100 mov esi,dword ptr ds:[<&KERNEL32.Wri>; kernel32.WritePrivateProfileStringA
0040BD16 BB E0554100 mov ebx,pswmonit.004155E0 ; ASCII "REGINFO"
0040BD1B FF75 E8 push dword ptr ss:[ebp-18]
0040BD1E FF75 EC push dword ptr ss:[ebp-14]
0040BD21 68 D4554100 push pswmonit.004155D4 ; ASCII "USERNAME"
0040BD26 53 push ebx
0040BD27 FFD6 call esi
0040BD29 FF75 E8 push dword ptr ss:[ebp-18]
0040BD2C FF75 DC push dword ptr ss:[ebp-24]
0040BD2F 68 C8554100 push pswmonit.004155C8 ; ASCII "PASSWORD"
0040BD34 53 push ebx
0040BD35 FFD6 call esi
0040BD37 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
0040BD3A 68 30100000 push 1030
0040BD3F 68 085E4100 push pswmonit.00415E08
0040BD44 68 F85D4100 push pswmonit.00415DF8 //registration has succeeded by here
Stepping into the CALL at 0040BBE7 leads here:
77BEBE7B > 8BFF mov edi,edi
77BEBE7D 55 push ebp
77BEBE7E 8BEC mov ebp,esp
77BEBE80 56 push esi
77BEBE81 8B75 08 mov esi,dword ptr ss:[ebp+8] //the registration code -> ESI
77BEBE84 85F6 test esi,esi //test it
77BEBE86 75 07 jnz short msvcrt.77BEBE8F //non-zero: jump
77BEBE88 33C0 xor eax,eax
77BEBE8A E9 81000000 jmp msvcrt.77BEBF10
77BEBE8F 57 push edi
77BEBE90 E8 90E00100 call msvcrt.77C09F25
77BEBE95 8B78 64 mov edi,dword ptr ds:[eax+64]
77BEBE98 3B3D F4F7C277 cmp edi,dword ptr ds:[77C2F7F4] ; msvcrt.77C2F7A0
77BEBE9E 74 07 je short msvcrt.77BEBEA7
77BEBEA0 E8 BD750100 call msvcrt.77C03462
77BEBEA5 8BF8 mov edi,eax
77BEBEA7 837F 28 01 cmp dword ptr ds:[edi+28],1
77BEBEAB 0FB606 movzx eax,byte ptr ds:[esi] //fetch the code one byte at a time
77BEBEAE 7E 0E jle short msvcrt.77BEBEBE
77BEBEB0 6A 08 push 8
77BEBEB2 50 push eax
77BEBEB3 57 push edi
77BEBEB4 E8 2A060000 call msvcrt.77BEC4E3
77BEBEB9 83C4 0C add esp,0C
77BEBEBC EB 0A jmp short msvcrt.77BEBEC8
77BEBEBE 8B4F 48 mov ecx,dword ptr ds:[edi+48] //[EDI+48] -> ECX
77BEBEC1 0FB60441 movzx eax,byte ptr ds:[ecx+eax*2]//EAX = byte at ECX+EAX*2
77BEBEC5 83E0 08 and eax,8 //EAX = EAX AND 8
77BEBEC8 85C0 test eax,eax //test
77BEBECA 74 03 je short msvcrt.77BEBECF //zero: jump to the other branch
77BEBECC 46 inc esi
77BEBECD ^ EB D8 jmp short msvcrt.77BEBEA7
77BEBECF 0FB60E movzx ecx,byte ptr ds:[esi] //fetch one byte of the trial code -> ECX
77BEBED2 46 inc esi //ESI = ESI + 1
77BEBED3 83F9 2D cmp ecx,2D //compare ECX with 2D
77BEBED6 8BD1 mov edx,ecx //ECX -> EDX
77BEBED8 5F pop edi
77BEBED9 74 05 je short msvcrt.77BEBEE0 //ECX = 2D: jump
77BEBEDB 83F9 2B cmp ecx,2B //compare ECX with 2B
77BEBEDE 75 04 jnz short msvcrt.77BEBEE4 //not equal: jump
77BEBEE0 0FB60E movzx ecx,byte ptr ds:[esi]
77BEBEE3 46 inc esi
77BEBEE4 33C0 xor eax,eax //zero EAX
77BEBEE6 83F9 30 cmp ecx,30 //compare the code byte with 30
77BEBEE9 7C 0A jl short msvcrt.77BEBEF5 //less: jump
77BEBEEB 83F9 39 cmp ecx,39 //compare with 39
77BEBEEE 7F 05 jg short msvcrt.77BEBEF5 //greater: jump
77BEBEF0 83E9 30 sub ecx,30 //ECX = ECX - 30
77BEBEF3 EB 03 jmp short msvcrt.77BEBEF8
77BEBEF5 83C9 FF or ecx,FFFFFFFF
77BEBEF8 83F9 FF cmp ecx,-1 //compare with -1; equal leaves the loop
77BEBEFB 74 0C je short msvcrt.77BEBF09
77BEBEFD 8D0480 lea eax,dword ptr ds:[eax+eax*4]//EAX = EAX + EAX*4
77BEBF00 8D0441 lea eax,dword ptr ds:[ecx+eax*2]//EAX = ECX + EAX*2; runs over the first EAX-2 characters of the code -> EAX
77BEBF03 0FB60E movzx ecx,byte ptr ds:[esi] //fetch the next byte of the code
77BEBF06 46 inc esi //ESI = ESI + 1
77BEBF07 ^ EB DD jmp short msvcrt.77BEBEE6 //jump back to the loop start
77BEBF09 83FA 2D cmp edx,2D //compare EDX with 2D ('-')
77BEBF0C 75 02 jnz short msvcrt.77BEBF10 //not equal: jump
77BEBF0E F7D8 neg eax //negate
77BEBF10 5E pop esi
77BEBF11 5D pop ebp
77BEBF12 C3 retn
The same CALL is also used when the last two characters of the trial code are converted.
====================================================================
【Summary】
The first N-2 digits of the registration code are fed one at a time through EAX = EAX + EAX*4, EAX = ECX + EAX*2 (EAX starts at 0, ECX = ASCII value of the digit minus 0x30). The last two digits are converted with the same formula and subtracted from that result. Registration succeeds when the result equals the sum of the ASCII values (in hex) of the registration name (lower-cased) with "whm_w" appended.
After successful registration the data is written to Option.ini in the program directory.
A working key:
Name: AYAN
Code: 96712
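The two routines the listing walks through, rebuilt as an added example (this is not code from the post or from the program): `atol_like` mirrors the msvcrt.atol loop at 77BEBECF-77BEBF10, `name_checksum` mirrors the byte sum at 0040BBB3-0040BBC4 over the lower-cased name with "whm_w" appended, and `registration_ok` mirrors the comparison at 0040BBC8-0040BC1C. The function names are mine, and the name blacklist (the loop at 0040BACA) and the first/last-character filter (strings at 00416FF8 and 00415260) are left out because the listing does not show what they compare against. One caveat a reader should check for themselves: the instruction at 0040BC16 is `xor edi,[ebp-28]`, so the example combines the two numeric parts with XOR, and the posted key verifies that way (967 ^ 12 = 971, the byte sum of "ayanwhm_w"), whereas subtraction would give 955.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of the msvcrt.atol loop shown at 77BEBEA7-77BEBF10:
 * skip leading whitespace (the 'and eax,8' ctype test is the _SPACE bit),
 * accept one optional '+' or '-', then for every ASCII digit do
 *   eax = eax + eax*4      (lea eax,[eax+eax*4])
 *   eax = ecx + eax*2      (lea eax,[ecx+eax*2], ecx = digit - 0x30)
 * stop at the first non-digit and negate if the sign byte was '-'. */
static long atol_like(const char *s)
{
    long acc = 0;
    int sign;

    while (isspace((unsigned char)*s))      /* 77BEBEA7..77BEBECD */
        s++;
    sign = (unsigned char)*s;               /* 77BEBED6: mov edx,ecx */
    if (sign == '-' || sign == '+')         /* 77BEBED3..77BEBEE3 */
        s++;
    while (*s >= '0' && *s <= '9') {        /* 77BEBEE6..77BEBF07 */
        acc = acc + acc * 4;
        acc = (*s - '0') + acc * 2;
        s++;
    }
    return sign == '-' ? -acc : acc;        /* 77BEBF09..77BEBF0E */
}

/* Checksum built at 0040BB9D-0040BBC4: the name is lower-cased (the
 * summary's "lowercase" step), "whm_w" is appended, and the bytes are
 * summed with movsx, i.e. as signed chars. */
static long name_checksum(const char *name)
{
    long sum = 0;
    const char *p;

    for (p = name; *p; p++)
        sum += (signed char)tolower((unsigned char)*p);
    for (p = "whm_w"; *p; p++)
        sum += (signed char)*p;
    return sum;
}

/* The comparison at 0040BBC8-0040BC1C: all but the last two characters
 * of the code go through atol, the last two through atoi, the two values
 * are XORed (0040BC16: xor edi,[ebp-28]) and the result must equal the
 * name checksum. The empty-field tests at 0040BAA2/0040BAAE are kept;
 * the name blacklist and the first/last-character filter are omitted
 * (assumption: their strings are not in the listing). 1 = accept. */
static int registration_ok(const char *name, const char *code)
{
    size_t len = strlen(code);
    char head[64], tail[3];

    if (*name == '\0' || *code == '\0')
        return 0;
    if (len < 2 || len - 2 >= sizeof head)  /* assumption: shapes the listing never reaches */
        return 0;
    memcpy(head, code, len - 2);
    head[len - 2] = '\0';
    memcpy(tail, code + len - 2, 2);
    tail[2] = '\0';
    return name_checksum(name) == (atol_like(head) ^ atol_like(tail));
}

int main(void)
{
    /* The key posted in the write-up. */
    printf("checksum(AYAN) = %ld\n", name_checksum("AYAN"));
    printf("967 ^ 12 = %ld, 967 - 12 = %ld\n", 967L ^ 12L, 967L - 12L);
    printf("AYAN / 96712 -> %s\n",
           registration_ok("AYAN", "96712") ? "accepted" : "rejected");
    /* atol_like agrees with the C library on ordinary input. */
    printf("atol_like(\"  -42x\") = %ld, atol = %ld\n",
           atol_like("  -42x"), atol("  -42x"));
    return 0;
}
```

Build it with any C compiler and run; the program prints the checks above. The design point worth taking from the listing is that everything the check depends on (the "whm_w" suffix, the byte sum, the split of the code into two decimal fields) sits in the binary and is plain arithmetic that can be run backwards, which is why a list of forbidden names was the only countermeasure the author found. A registration check that has to survive disassembly verifies a signature whose private key is not in the program at all.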
======================================================================
【Copyright】Purely for technical exchange; please keep the article complete when reposting. Thanks!
2005-08-28
[ Last edited by ayan on 2005-8-28 at 07:31 AM ]