===========================================
Software: PassWD2000
Latest version: 2.85
Size: 868,352 bytes
Download: http://www.passwd2000.com
Function: password manager
===========================================
Cracking tool: Soft-ICE 4.05
Cracked by: iCHBoy
Contact: ichboy@263.net
Date: 2001-10-09
Author's note: Reposting is welcome, but please keep iCHBoy credited as the original author.
===========================================
Name:iCHBoy
Serial:MY4LB8AA11
===========================================
Cracking steps:
1. Start Soft-ICE, run PassWD, and enter name: iCHBoy, serial: 1234567890 (10 characters).
2. Set the breakpoint bpx hmemcpy.
3. Press F12 a dozen or so times until you land back in the program's own code.
4. Detailed analysis of the code section:
015F:0048D917 MOV EAX,[EBP-1C]
015F:0048D91A CALL 00403E10
015F:0048D91F CMP EAX,BYTE +0A
<-- checks whether the serial is 10 characters long
015F:0048D922 JNZ NEAR 0048DE51
<-- 0048DE51 is the error (bad serial) path
015F:0048D928 LEA EDX,[EBP-1C]
<-- non-essential comments omitted below
015F:0048D92B MOV EAX,[EBX+02E0]
015F:0048D931 CALL 00443500
015F:0048D936 MOV EAX,[EBP-1C]
015F:0048D939 CALL 00403E10
015F:0048D93E DEC EAX
015F:0048D93F JL NEAR 0048DE51
015F:0048D945 LEA EDX,[EBP-1C]
015F:0048D948 MOV EAX,[EBX+02E4]
015F:0048D94E CALL 00443500
015F:0048D953 MOV EAX,[EBP-1C]
015F:0048D956 LEA EDX,[EBP-14]
015F:0048D959 CALL 00408364
015F:0048D95E LEA EDX,[EBP-1C]
015F:0048D961 MOV EAX,[EBX+02E0]
015F:0048D967 CALL 00443500
015F:0048D96C MOV EAX,[EBP-1C]
015F:0048D96F LEA EDX,[EBP-18]
015F:0048D972 CALL 00408364
015F:0048D977 MOV BYTE [EBP-05],00
015F:0048D97B MOV BYTE [EBP-06],00
015F:0048D97F MOV BYTE [EBP-07],01
015F:0048D983 MOV EAX,[EBP-18]
015F:0048D986 CALL 00403E10
015F:0048D98B MOV EDI,EAX
015F:0048D98D TEST EDI,EDI
015F:0048D98F JNG 0048D9E4
015F:0048D991 MOV ESI,01
<-- if you want to study the algorithm, look at this section carefully
015F:0048D996 MOV EAX,[EBP-18]
<-- ESI=01, [EAX]=ICHBOY (note: already converted to upper case)
015F:0048D999 MOV DL,[EAX+ESI-01]
<-- fetches each character in turn
015F:0048D99D MOV EAX,EBX
015F:0048D99F CALL 0048E158
015F:0048D9A4 ADD [EBP-05],AL
<-- [EBP-05] starts at 0; AL is added to it
015F:0048D9A7 MOV EAX,ESI
015F:0048D9A9 AND EAX,80000001
<-- current position AND 80000001,
015F:0048D9AE JNS 0048D9B5
<-- so the algorithm below splits into two branches
015F:0048D9B0 DEC EAX
015F:0048D9B1 OR EAX,BYTE -02
015F:0048D9B4 INC EAX
015F:0048D9B5 TEST EAX,EAX
<-- branch 1: EAX=0
015F:0048D9B7 JNZ 0048D9CC
015F:0048D9B9 MOV EAX,[EBP-18]
015F:0048D9BC MOV DL,[EAX+ESI-01]
015F:0048D9C0 MOV EAX,EBX
015F:0048D9C2 CALL 0048E158
015F:0048D9C7 ADD [EBP-06],AL
<-- [EBP-06] += AL
015F:0048D9CA JMP SHORT 0048D9E0
015F:0048D9CC MOV EAX,[EBP-18]
<-- branch 2: EAX!=0
015F:0048D9CF MOV DL,[EAX+ESI-01]
015F:0048D9D3 MOV EAX,EBX
015F:0048D9D5 CALL 0048E158
015F:0048D9DA IMUL BYTE [EBP-07]
<-- EAX*[EBP-07]; [EBP-07] starts at 01
015F:0048D9DD MOV [EBP-07],AL
015F:0048D9E0 INC ESI
015F:0048D9E1 DEC EDI
015F:0048D9E2 JNZ 0048D996
<-- loop until every character has been read
015F:0048D9E4 XOR EAX,EAX
015F:0048D9E6 MOV AL,[EBP-05]
<-- the final sum is loaded into AL
015F:0048D9E9 MOV ECX,23
<-- ECX=23 (hex 23 = 35, the length of the character table)
015F:0048D9EE XOR EDX,EDX
<-- EDX is cleared; after DIV it receives the remainder
015F:0048D9F0 DIV ECX
<-- EAX/ECX
015F:0048D9F2 MOV [EBP-05],DL
<-- the remainder in DL is stored at [EBP-05]
015F:0048D9F5 XOR EAX,EAX
015F:0048D9F7 MOV AL,[EBP-05]
015F:0048D9FA MOV AL,[EBX+EAX+030C]
<-- [EAX+030C] is the serial character table: [123456789ZRXYGAMEVIWCSBJHLFPKTOQUDN]
015F:0048DA01 MOV EDX,[EBP-14]
015F:0048DA04 CMP AL,[EDX]
<-- serial character 1: AL= 'M'
015F:0048DA06 JNZ NEAR 0048DE51
015F:0048DA0C XOR EAX,EAX
015F:0048DA0E MOV AL,[EBP-06]
<-- what the algorithm below is for, work out for yourself
015F:0048DA11 MOV ECX,23
015F:0048DA16 XOR EDX,EDX
015F:0048DA18 DIV ECX
015F:0048DA1A MOV [EBP-06],DL
015F:0048DA1D XOR EAX,EAX
015F:0048DA1F MOV AL,[EBP-06]
015F:0048DA22 MOV AL,[EBX+EAX+030C]
015F:0048DA29 MOV EDX,[EBP-14]
015F:0048DA2C CMP AL,[EDX+01]
<-- serial character 2: AL= 'Y'
015F:0048DA2F JNZ NEAR 0048DE51
015F:0048DA35 XOR EAX,EAX
015F:0048DA37 MOV AL,[EBP-07]
<-- algorithm
015F:0048DA3A MOV ECX,23
015F:0048DA3F XOR EDX,EDX
015F:0048DA41 DIV ECX
015F:0048DA43 MOV [EBP-07],DL
015F:0048DA46 XOR EAX,EAX
015F:0048DA48 MOV AL,[EBP-07]
015F:0048DA4B MOV AL,[EBX+EAX+030C]
015F:0048DA52 MOV EDX,[EBP-14]
015F:0048DA55 CMP AL,[EDX+02]
<-- serial character 3: AL= '4'
015F:0048DA58 JNZ NEAR 0048DE51
015F:0048DA5E MOV DL,[EBP-05]
<-- fetches the remainder from the last division
015F:0048DA61 MOV EAX,EBX
015F:0048DA63 CALL 0048E16C
015F:0048DA68 LEA EAX,[EBP-20]
015F:0048DA6B MOV EDX,[EBP-14]
015F:0048DA6E MOV DL,[EDX+03]
015F:0048DA71 CALL 00403D38
015F:0048DA76 MOV EDX,[EBP-20]
015F:0048DA79 MOV EAX,EBX
015F:0048DA7B CALL 0048E2F0
015F:0048DA80 LEA EDX,[EBP-0C]
015F:0048DA83 CALL 00408510
015F:0048DA88 LEA EAX,[EBP-20]
015F:0048DA8B MOV EDX,[EBP-14]
015F:0048DA8E MOV DL,[EDX+03]
015F:0048DA91 CALL 00403D38
015F:0048DA96 MOV EDX,[EBP-20]
015F:0048DA99 MOV EAX,EBX
015F:0048DA9B CALL 0048E2F0
015F:0048DAA0 MOV AL,[EBX+EAX*8+0330]
<-- fetches serial character 4
015F:0048DAA7 MOV EDX,[EBP-14]
<-- and the serial as entered
015F:0048DAAA CMP AL,[EDX+03]
<-- serial character 4: AL= 'L'
015F:0048DAAD JNZ NEAR 0048DE51
015F:0048DAB3 MOV DL,[EBP-06]
<-- abbreviated below
015F:0048DAB6 MOV EAX,EBX
015F:0048DAB8 CALL 0048E16C
015F:0048DABD LEA EAX,[EBP-20]
015F:0048DAC0 MOV EDX,[EBP-14]
015F:0048DAC3 MOV DL,[EDX+04]
015F:0048DAC6 CALL 00403D38
015F:0048DACB MOV EDX,[EBP-20]
015F:0048DACE MOV EAX,EBX
015F:0048DAD0 CALL 0048E2F0
015F:0048DAD5 LEA EDX,[EBP-20]
015F:0048DAD8 CALL 00408510
015F:0048DADD MOV EDX,[EBP-20]
015F:0048DAE0 LEA EAX,[EBP-0C]
015F:0048DAE3 CALL 00403E18
015F:0048DAE8 LEA EAX,[EBP-20]
015F:0048DAEB MOV EDX,[EBP-14]
015F:0048DAEE MOV DL,[EDX+04]
015F:0048DAF1 CALL 00403D38
015F:0048DAF6 MOV EDX,[EBP-20]
015F:0048DAF9 MOV EAX,EBX
015F:0048DAFB CALL 0048E2F0
015F:0048DB00 MOV AL,[EBX+EAX*8+0330]
<-- fetches the correct serial character
015F:0048DB07 MOV EDX,[EBP-14]
015F:0048DB0A CMP AL,[EDX+04]
<-- serial character 5: AL= 'B'
015F:0048DB0D JNZ NEAR 0048DE51
015F:0048DB13 MOV DL,[EBP-07]
015F:0048DB16 MOV EAX,EBX
015F:0048DB18 CALL 0048E16C
015F:0048DB1D LEA EAX,[EBP-20]
015F:0048DB20 MOV EDX,[EBP-14]
015F:0048DB23 MOV DL,[EDX+05]
015F:0048DB26 CALL 00403D38
015F:0048DB2B MOV EDX,[EBP-20]
015F:0048DB2E MOV EAX,EBX
015F:0048DB30 CALL 0048E2F0
015F:0048DB35 LEA EDX,[EBP-20]
015F:0048DB38 CALL 00408510
015F:0048DB3D MOV EDX,[EBP-20]
015F:0048DB40 LEA EAX,[EBP-0C]
015F:0048DB43 CALL 00403E18
015F:0048DB48 LEA EAX,[EBP-20]
015F:0048DB4B MOV EDX,[EBP-14]
015F:0048DB4E MOV DL,[EDX+05]
015F:0048DB51 CALL 00403D38
015F:0048DB56 MOV EDX,[EBP-20]
015F:0048DB59 MOV EAX,EBX
015F:0048DB5B CALL 0048E2F0
015F:0048DB60 MOV AL,[EBX+EAX*8+0330]
015F:0048DB67 MOV EDX,[EBP-14]
015F:0048DB6A CMP AL,[EDX+05]
<-- serial character 6: AL= '8'
015F:0048DB6D JNZ NEAR 0048DE51
015F:0048DB73 MOV EAX,[EBP-0C]
<-- don't be confused by the code below; just watch the serial check points I've annotated
015F:0048DB76 CALL 00408540
015F:0048DB7B MOV [EBP-04],EAX
015F:0048DB7E MOV BYTE [EBP-05],00
015F:0048DB82 MOV BYTE [EBP-06],00
015F:0048DB86 MOV BYTE [EBP-07],01
015F:0048DB8A LEA EAX,[EBP-10]
015F:0048DB8D MOV ECX,[EBP-0C]
015F:0048DB90 MOV EDX,[EBP-18]
015F:0048DB93 CALL 00403E5C
015F:0048DB98 MOV EAX,[EBP-10]
015F:0048DB9B CALL 00403E10
015F:0048DBA0 MOV EDI,EAX
015F:0048DBA2 TEST EDI,EDI
015F:0048DBA4 JNG 0048DBF9
015F:0048DBA6 MOV ESI,01
015F:0048DBAB MOV EAX,[EBP-10]
015F:0048DBAE MOV DL,[EAX+ESI-01]
015F:0048DBB2 MOV EAX,EBX
015F:0048DBB4 CALL 0048E158
015F:0048DBB9 ADD [EBP-05],AL
015F:0048DBBC MOV EAX,ESI
015F:0048DBBE AND EAX,80000001
015F:0048DBC3 JNS 0048DBCA
015F:0048DBC5 DEC EAX
015F:0048DBC6 OR EAX,BYTE -02
015F:0048DBC9 INC EAX
015F:0048DBCA TEST EAX,EAX
015F:0048DBCC JNZ 0048DBE1
015F:0048DBCE MOV EAX,[EBP-10]
015F:0048DBD1 MOV DL,[EAX+ESI-01]
015F:0048DBD5 MOV EAX,EBX
015F:0048DBD7 CALL 0048E158
015F:0048DBDC ADD [EBP-06],AL
015F:0048DBDF JMP SHORT 0048DBF5
015F:0048DBE1 MOV EAX,[EBP-10]
015F:0048DBE4 MOV DL,[EAX+ESI-01]
015F:0048DBE8 MOV EAX,EBX
015F:0048DBEA CALL 0048E158
015F:0048DBEF IMUL BYTE [EBP-07]
015F:0048DBF2 MOV [EBP-07],AL
015F:0048DBF5 INC ESI
015F:0048DBF6 DEC EDI
015F:0048DBF7 JNZ 0048DBAB
015F:0048DBF9 XOR EAX,EAX
015F:0048DBFB MOV AL,[EBP-05]
015F:0048DBFE MOV ECX,23
015F:0048DC03 XOR EDX,EDX
015F:0048DC05 DIV ECX
015F:0048DC07 MOV [EBP-05],DL
015F:0048DC0A XOR EAX,EAX
015F:0048DC0C MOV AL,[EBP-05]
015F:0048DC0F MOV AL,[EBX+EAX+030C]
015F:0048DC16 MOV EDX,[EBP-14]
015F:0048DC19 CMP AL,[EDX+06]
<-- serial character 7: AL= 'A'
015F:0048DC1C JNZ NEAR 0048DE51
015F:0048DC22 XOR EAX,EAX
015F:0048DC24 MOV AL,[EBP-06]
015F:0048DC27 MOV ECX,23
015F:0048DC2C XOR EDX,EDX
015F:0048DC2E DIV ECX
015F:0048DC30 MOV [EBP-06],DL
015F:0048DC33 XOR EAX,EAX
015F:0048DC35 MOV AL,[EBP-06]
015F:0048DC38 MOV AL,[EBX+EAX+030C]
015F:0048DC3F MOV EDX,[EBP-14]
015F:0048DC42 CMP AL,[EDX+07]
<-- serial character 8: AL= 'A'
015F:0048DC45 JNZ NEAR 0048DE51
015F:0048DC4B XOR EAX,EAX
015F:0048DC4D MOV AL,[EBP-07]
015F:0048DC50 MOV ECX,23
015F:0048DC55 XOR EDX,EDX
015F:0048DC57 DIV ECX
015F:0048DC59 MOV [EBP-07],DL
015F:0048DC5C XOR EAX,EAX
015F:0048DC5E MOV AL,[EBP-07]
015F:0048DC61 MOV AL,[EBX+EAX+030C]
015F:0048DC68 MOV EDX,[EBP-14]
015F:0048DC6B CMP AL,[EDX+08]
<-- serial character 9: AL= '1'
015F:0048DC6E JNZ NEAR 0048DE51
015F:0048DC74 MOV EAX,[EBP-18]
015F:0048DC77 MOV DL,[EAX]
015F:0048DC79 MOV EAX,EBX
015F:0048DC7B CALL 0048E158
015F:0048DC80 MOV [EBP-08],AL
015F:0048DC83 MOV EAX,[EBP-10]
015F:0048DC86 CALL 00403E10
015F:0048DC8B MOV EDI,EAX
015F:0048DC8D SUB EDI,BYTE +02
015F:0048DC90 JL 0048DCD5
015F:0048DC92 INC EDI
015F:0048DC93 MOV ESI,02
015F:0048DC98 MOV EAX,ESI
015F:0048DC9A AND EAX,80000001
015F:0048DC9F JNS 0048DCA6
015F:0048DCA1 DEC EAX
015F:0048DCA2 OR EAX,BYTE -02
015F:0048DCA5 INC EAX
015F:0048DCA6 TEST EAX,EAX
015F:0048DCA8 JNZ 0048DCBD
015F:0048DCAA MOV EAX,[EBP-10]
015F:0048DCAD MOV DL,[EAX+ESI-01]
015F:0048DCB1 MOV EAX,EBX
015F:0048DCB3 CALL 0048E158
015F:0048DCB8 ADD [EBP-08],AL
015F:0048DCBB JMP SHORT 0048DCD1
015F:0048DCBD MOV EAX,[EBP-10]
015F:0048DCC0 MOV DL,[EAX+ESI-01]
015F:0048DCC4 MOV EAX,EBX
015F:0048DCC6 CALL 0048E158
015F:0048DCCB IMUL BYTE [EBP-08]
015F:0048DCCE MOV [EBP-08],AL
015F:0048DCD1 INC ESI
015F:0048DCD2 DEC EDI
015F:0048DCD3 JNZ 0048DC98
015F:0048DCD5 XOR EAX,EAX
015F:0048DCD7 MOV AL,[EBP-08]
015F:0048DCDA MOV ECX,23
015F:0048DCDF XOR EDX,EDX
015F:0048DCE1 DIV ECX
015F:0048DCE3 MOV AL,[EBX+EDX+030C]
015F:0048DCEA MOV EDX,[EBP-14]
015F:0048DCED CMP AL,[EDX+09]
<-- the last character hides here: AL= '1'
015F:0048DCF0 JNZ NEAR 0048DE51
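The AND EAX,80000001 / JNS / DEC EAX / OR EAX,BYTE -02 / INC EAX sequence at 0048D9A7-0048D9B5 (repeated at 0048DBBE and 0048DC9A) is the pattern Borland compilers emit for the signed expression ESI mod 2, which is why the loop alternates between the ADD [EBP-06] branch and the IMUL [EBP-07] branch by character position. The C below is an added example, not part of the original write-up: it reproduces the idiom bit for bit, checks it against C's remainder operator, and labels each 1-based position of a 10-character serial with the branch it takes; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Reproduces the five-instruction sequence from the listing on a 32-bit value:
 *   AND EAX,80000001 ; JNS skip ; DEC EAX ; OR EAX,BYTE -02 ; INC EAX
 * The AND keeps only the sign bit and the low bit; the fix-up runs only when the
 * sign bit was set and yields -1 for odd negatives and 0 for even negatives.
 * Net effect: the signed remainder of esi divided by 2, i.e. C's esi % 2. */
int32_t mod2_idiom(int32_t esi) {
    uint32_t eax = (uint32_t)esi & 0x80000001u;   /* AND EAX,80000001 */
    if (eax & 0x80000000u) {                      /* JNS: skip when sign bit clear */
        eax -= 1u;                                /* DEC EAX */
        eax |= 0xFFFFFFFEu;                       /* OR EAX,BYTE -02 (sign-extended) */
        eax += 1u;                                /* INC EAX */
    }
    return (int32_t)eax;
}

/* Which accumulator a 1-based character position feeds in the loop at
 * 0048D996-0048D9E2: TEST EAX,EAX / JNZ sends a non-zero remainder (odd
 * position) to the IMUL [EBP-07] branch and zero (even position) to the
 * ADD [EBP-06] branch. Returns 1 for the multiply branch, 0 for the add branch. */
int position_uses_multiply_branch(int32_t pos) {
    return mod2_idiom(pos) != 0;
}

/* Checks the idiom against the C remainder operator over constructed samples that
 * cover negatives, INT32_MIN and the positions a 10-character serial uses. */
int idiom_matches_c_remainder(void) {
    int32_t samples[] = { INT32_MIN, -7, -2, -1, 0, 1, 2, 9, 10, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (mod2_idiom(samples[i]) != samples[i] % 2)
            return 0;
    return 1;
}

int main(void) {
    for (int32_t pos = 1; pos <= 10; pos++)
        printf("position %2d -> %s branch\n", pos,
               position_uses_multiply_branch(pos) ? "IMUL [EBP-07]" : "ADD [EBP-06]");
    return idiom_matches_c_remainder() ? 0 : 1;
}
```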
iCHBoy,2001,10,9
- Title: PassWD2000 cracking walkthrough ~~~repost~~~ (11k characters)
- Author: 伪装者[CCG]
- Time: 2001-10-10 6:16:03
- Link: http://bbs.pediy.com