【文章标题】: 密码监听器v2.5算法分析
【文章作者】: frozenrain
【作者QQ号】: 403121809
【软件名称】: 密码监听器v2.5
【软件大小】: 450K
【下载地址】: 自己搜索下载
【加壳方式】: 无
【保护方式】: 无
【编写语言】: VC++
【使用工具】: PEiD0.94,OllyDbg1.1
【操作平台】: WINXP
看了老大的忠告,最近开始学习算法了。这是一个很简单的东西,像我这样的新手拿来练练还不错。
很早以前下的,现在肯定不能用了。
0040BA59 . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
0040BA5C . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040BA5F . 50 PUSH EAX
0040BA60 . 68 15040000 PUSH 415
0040BA65 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040BA69 . E8 2C200000 CALL <JMP.&MFC42.#3097> ; 取用户名长度
0040BA6E . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
0040BA71 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0040BA74 . 50 PUSH EAX
0040BA75 . 68 16040000 PUSH 416
0040BA7A . E8 1B200000 CALL <JMP.&MFC42.#3097> ; 取注册码长度
0040BA7F . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040BA82 . E8 711C0000 CALL <JMP.&MFC42.#6282>
0040BA87 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040BA8A . E8 631C0000 CALL <JMP.&MFC42.#6283>
0040BA8F . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040BA92 . E8 611C0000 CALL <JMP.&MFC42.#6282>
0040BA97 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040BA9A . E8 531C0000 CALL <JMP.&MFC42.#6283>
0040BA9F . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0040BAA2 . 3978 F8 CMP DWORD PTR DS:[EAX-8],EDI ; 用户名为空就挂
0040BAA5 . 0F84 F6020000 JE pswmonit.0040BDA1 ; 等于就挂了
0040BAAB . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0040BAAE . 3978 F8 CMP DWORD PTR DS:[EAX-8],EDI ; 注册码空就挂
0040BAB1 . 0F84 EA020000 JE pswmonit.0040BDA1
0040BAB7 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040BABA . E8 1D1D0000 CALL <JMP.&MFC42.#4202> ; 用户名若为大写字母则转化为小写,否则不变
0040BABF . A1 00704100 MOV EAX,DWORD PTR DS:[417000]
0040BAC4 . 33F6 XOR ESI,ESI
0040BAC6 . 3BC7 CMP EAX,EDI
0040BAC8 . 7E 3F JLE SHORT pswmonit.0040BB09
0040BACA > 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0040BACD . 56 PUSH ESI
0040BACE . 50 PUSH EAX
0040BACF . B9 F86F4100 MOV ECX,pswmonit.00416FF8
0040BAD4 . E8 CA9DFFFF CALL pswmonit.004058A3
0040BAD9 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040BADC . C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
0040BAE0 . E8 F71C0000 CALL <JMP.&MFC42.#4202> ; 返回固定字符串(系统注释) 。
0040BAE5 . FF75 EC PUSH DWORD PTR SS:[EBP-14]
0040BAE8 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040BAEB . E8 F61B0000 CALL <JMP.&MFC42.#2764>
0040BAF0 . 85C0 TEST EAX,EAX
0040BAF2 . 7D 6A JGE SHORT pswmonit.0040BB5E
0040BAF4 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040BAF7 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040BAFB . E8 801B0000 CALL <JMP.&MFC42.#800> ; EAX清零
0040BB00 . 46 INC ESI
0040BB01 . 3B35 00704100 CMP ESI,DWORD PTR DS:[417000]
0040BB07 ^7C C1 JL SHORT pswmonit.0040BACA
0040BB09 > 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0040BB0C . 6A 01 PUSH 1
0040BB0E . 50 PUSH EAX
0040BB0F . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040BB12 . E8 111C0000 CALL <JMP.&MFC42.#4129>
0040BB17 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040BB19 . 8B35 AC044100 MOV ESI,DWORD PTR DS:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
0040BB1F . BB 60524100 MOV EBX,pswmonit.00415260
0040BB24 . C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
0040BB28 . 53 PUSH EBX ; /s2 => "0"
0040BB29 . 50 PUSH EAX ; |s1 (若s1=0则挂了)
0040BB2A . FFD6 CALL ESI ; \_mbscmp
0040BB2C . 59 POP ECX
0040BB2D . 85C0 TEST EAX,EAX ; EAX为1
0040BB2F . 59 POP ECX
0040BB30 . 74 4E JE SHORT pswmonit.0040BB80 ; 等于就跳了
0040BB32 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0040BB35 . 6A 01 PUSH 1
0040BB37 . 50 PUSH EAX
0040BB38 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040BB3B . E8 F21D0000 CALL <JMP.&MFC42.#5710>
0040BB40 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040BB42 . 53 PUSH EBX
0040BB43 . 50 PUSH EAX
0040BB44 . FFD6 CALL ESI
0040BB46 . 8BD8 MOV EBX,EAX
0040BB48 . 59 POP ECX
0040BB49 . F7DB NEG EBX
0040BB4B . 59 POP ECX
0040BB4C . 1ADB SBB BL,BL
0040BB4E . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040BB51 . FEC3 INC BL
0040BB53 . E8 281B0000 CALL <JMP.&MFC42.#800> ; BL清0
0040BB58 . 84DB TEST BL,BL
0040BB5A . 75 24 JNZ SHORT pswmonit.0040BB80
0040BB5C EB 24 JMP SHORT pswmonit.0040BB82
0040BB5E > 51 PUSH ECX
0040BB5F . 8BCC MOV ECX,ESP
0040BB61 . 8965 E4 MOV DWORD PTR SS:[EBP-1C],ESP
0040BB64 . 68 1C5E4100 PUSH pswmonit.00415E1C
0040BB69 . E8 B41B0000 CALL <JMP.&MFC42.#537>
0040BB6E . E8 7CBCFFFF CALL pswmonit.004077EF
0040BB73 . 59 POP ECX
0040BB74 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040BB78 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040BB7B . E9 01020000 JMP pswmonit.0040BD81
0040BB80 > B3 01 MOV BL,1
0040BB82 > 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
0040BB85 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040BB89 . E8 F21A0000 CALL <JMP.&MFC42.#800>
0040BB8E . 84DB TEST BL,BL
0040BB90 74 0B JE SHORT pswmonit.0040BB9D ; 不等于就挂了
0040BB92 . 51 PUSH ECX
0040BB93 . 8BCC MOV ECX,ESP
0040BB95 . 8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
0040BB98 . E9 0A020000 JMP pswmonit.0040BDA7 ; 跳就挂
0040BB9D > BB BC554100 MOV EBX,pswmonit.004155BC ; ASCII "whm_w"
0040BBA2 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040BBA5 . 53 PUSH EBX
0040BBA6 . E8 D71B0000 CALL <JMP.&MFC42.#941> ; 将whm_w加到用户名后面 用户名长度放ECX
0040BBAB . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0040BBAE . 33C9 XOR ECX,ECX
0040BBB0 . 897D DC MOV DWORD PTR SS:[EBP-24],EDI
0040BBB3 . 8B50 F8 MOV EDX,DWORD PTR DS:[EAX-8] ; 新用户名长度放EDX
0040BBB6 . 3BD7 CMP EDX,EDI
0040BBB8 . 7E 0E JLE SHORT pswmonit.0040BBC8
0040BBBA > 0FBE3401 MOVSX ESI,BYTE PTR DS:[ECX+EAX] ; 逐个取新用户名
0040BBBE . 0175 DC ADD DWORD PTR SS:[EBP-24],ESI ; 加上自身ASCII存堆栈中
0040BBC1 . 41 INC ECX
0040BBC2 . 3BCA CMP ECX,EDX
0040BBC4 .^7C F4 JL SHORT pswmonit.0040BBBA
0040BBC6 . 33FF XOR EDI,EDI
0040BBC8 > 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0040BBCB . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040BBCE . 8B40 F8 MOV EAX,DWORD PTR DS:[EAX-8] ; 取注册码长度放EAX中
0040BBD1 . 83C0 FE ADD EAX,-2 ; 注册码长度减2
0040BBD4 . 50 PUSH EAX
0040BBD5 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0040BBD8 . 57 PUSH EDI
0040BBD9 . 50 PUSH EAX
0040BBDA . E8 511C0000 CALL <JMP.&MFC42.#4278> ; 去掉注册码后2位
0040BBDF . FF30 PUSH DWORD PTR DS:[EAX] ; /s
0040BBE1 . 8B35 C4044100 MOV ESI,DWORD PTR DS:[<&MSVCRT.atol>] ; |msvcrt.atol
0040BBE7 . FFD6 CALL ESI ; \atol
0040BBE9 . 59 POP ECX
0040BBEA . 8BF8 MOV EDI,EAX
0040BBEC . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040BBEF . E8 8C1A0000 CALL <JMP.&MFC42.#800>
0040BBF4 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0040BBF7 . 6A 02 PUSH 2
0040BBF9 . 50 PUSH EAX
0040BBFA . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040BBFD . E8 301D0000 CALL <JMP.&MFC42.#5710> ; 取注册码后2位
0040BC02 . FF30 PUSH DWORD PTR DS:[EAX] ; /s
0040BC04 . FF15 C0044100 CALL DWORD PTR DS:[<&MSVCRT.atoi>] ; \atoi
0040BC0A . 59 POP ECX
0040BC0B . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
0040BC0E . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040BC11 . E8 6A1A0000 CALL <JMP.&MFC42.#800>
0040BC16 . 337D D8 XOR EDI,DWORD PTR SS:[EBP-28] ; 注册码前n-2位与后2位异或(设注册码长度为n)
0040BC19 . 397D DC CMP DWORD PTR SS:[EBP-24],EDI ; EDI与前面逐个用户名相加的结果比较(这里可以改寄存器值)
0040BC1C 0F85 66010000 JNZ pswmonit.0040BD88 ; 关键跳转,不相等就挂 爆破点
0040BD3A . 68 30100000 PUSH 1030
0040BD3F . 68 085E4100 PUSH pswmonit.00415E08
0040BD44 . 68 F85D4100 PUSH pswmonit.00415DF8
0040BD49 . E8 9E190000 CALL <JMP.&MFC42.#4224> ; 成功!到这按F8就成功了
失败处
0040BD8B . 68 30100000 PUSH 1030
0040BD90 . 68 085E4100 PUSH pswmonit.00415E08
0040BD95 . 68 1C5E4100 PUSH pswmonit.00415E1C
0040BD9A E8 4D190000 CALL <JMP.&MFC42.#4224> ; 失败处
0040BD9F . EB 16 JMP SHORT pswmonit.0040BDB7
0040BDA1 > 51 PUSH ECX
0040BDA2 . 8BCC MOV ECX,ESP
0040BDA4 . 8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
0040BDA7 > 68 1C5E4100 PUSH pswmonit.00415E1C
0040BDAC . E8 71190000 CALL <JMP.&MFC42.#537>
0040BDB1 E8 39BAFFFF CALL pswmonit.004077EF ; 失败处
一个非常简单的注册机,一个用户名可以有好几个注册码。
下面是我写的注册机
#include <iOStream.h>
#include <string.h>
void Calc(int m);
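// Entry point of the keygen: reads a user name, normalises it the same way the
// disassembly above does (ASCII 'A'..'Z' -> 'a'..'z', then "whm_w" appended),
// sums the bytes of the result and hands that sum to Calc(). Loops forever.
// The forum rendering had eaten the "[i]" subscripts (BBCode italics), which
// left "Client>64" / "Client=Client+32" comparing and assigning the array
// itself; they are restored here.
void main()
{
	// 32 bytes must hold the name, the 5-byte "whm_w" suffix and the NUL.
	char Client[32]={0};
	cout<<"请输入用户名"<<endl;
	do{
		// width() is reset after every extraction, so set it each round:
		// at most sizeof Client - 7 characters are read, leaving room for
		// strcat() below instead of overrunning the buffer.
		cin.width(sizeof Client - 6);
		cin>>Client;
		int length=strlen(Client);
		// Only upper-case ASCII letters (65..90) are folded; every other
		// byte is passed through unchanged, as the MFC MakeLower call does.
		for(int i=0;i<length;i++)
		{
			if(Client[i]>64&&Client[i]<91)
				Client[i]=Client[i]+32;
		}
		strcat(Client,"whm_w");
		// Plain byte sum of the suffixed name; char may be signed here, which
		// matches the MOVSX (sign-extending) load used by the target.
		int asciisum=0;
		length=strlen(Client);
		for(int j=0;j<length;j++)
			asciisum+=Client[j];
		Calc(asciisum);
	}while(1);
}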
// Enumerates (s, t) pairs and prints every pair whose XOR equals m.
// s runs 0..9998 (one value per round); t is a single running counter that is
// NOT reset between rounds: each round advances it by at most 100 steps and
// stops early at the first hit. Output is t followed by s, with no padding,
// one line per hit, so a single m can produce several lines.
void Calc(int m)
{
	int t=0;
	int s=0;
	while(s<9999)
	{
		int step=0;
		while(step<100)
		{
			// First hit in this round ends the round; t keeps its value.
			if((s^t)==m)
			{
				cout<<"注册码为:"<<t<<s<<endl;
				break;
			}
			t++;
			step++;
		}
		s++;
	}
}
PS:注册码小于6不行 |