破解 密码监听器 v1.4 注册码
软件名称:密码监听器 V1.4
软件简介:密码监听器用于监听基于WEB的邮箱密码、POP3收信密码、FTP登录
密码,只需在一台电脑上运行,就可以监听局域网内任意一台电脑登录的用户
名和密码,并将密码显示、保存,或发送到用户指定的邮箱。
破解工具:TRW2000 1.22汉化版、W32DASM 8.93汉化版、FI 2.5。
破解人:飞鹰[BCG]
E-mail:flithawk@263.net
网址:http://flithawk.longcity.net
破解步骤:首先,用 FI 查壳,可知该软件没有被加壳;然后用 W32DASM 反汇编
软件,查找注册码错误信息“注册失败!”,找到后,向上分析就可以知道真
注册码和注册算法。分析过程如下:
; ---------------------------------------------------------------------------
; Part 1 of the excerpt: fetch the dialog input and normalise two strings.
; W32DASM listing, 32-bit x86, Intel operand order. The excerpt begins in the
; middle of a function, so the prologue and any earlier pushes are not shown.
; ecx is loaded before every MFC42 call, i.e. it carries the object pointer.
; The two string objects live at [esp+0C] and [esp+10]; further down the
; listing the first is written under the "USERNAME" key and the second under
; "PASSWORD", so they hold the entered name and the entered code.
; NOTE(review): W32DASM shows MFC42 imports by ordinal only. The roles given
; below are inferred from the arguments and should be confirmed against the
; MFC42 export table.
; ---------------------------------------------------------------------------
; Control ID 0416h of dialog 0088h is pushed and ebp is used as the object
; pointer; presumably this reads the control's text (TODO confirm ordinal 0C19h).
* Possible Reference to Dialog: DialogID_0088, CONTROL_ID:0416, ""
|
:0040D628 6816040000 push 00000416
:0040D62D 8BCD
mov ecx, ebp
* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:0040D62F E8E8250000 Call 0040FC1C
; The same pair of calls (ordinals 188Ah, 188Bh) is applied to [esp+0C] and
; then to [esp+10]; presumably a left/right whitespace trim - confirm.
:0040D634 8D4C240C lea
ecx, dword ptr [esp+0C]
* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:0040D638 E84F220000 Call 0040F88C
:0040D63D 8D4C240C lea
ecx, dword ptr [esp+0C]
* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:0040D641 E840220000 Call 0040F886
:0040D646 8D4C2410 lea
ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:188A, Ord:188Ah
|
:0040D64A E83D220000 Call 0040F88C
:0040D64F 8D4C2410 lea
ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:188B, Ord:188Bh
|
:0040D653 E82E220000 Call 0040F886
; Only the name object at [esp+0C] gets this extra call; presumably a
; lower-casing step (ordinal 106Ah) - confirm.
:0040D658 8D4C240C lea
ecx, dword ptr [esp+0C]
* Reference To: MFC42.Ordinal:106A, Ord:106Ah
|
:0040D65C E8AF220000 Call 0040F910
; ---------------------------------------------------------------------------
; Part 2: append a fixed suffix to the name and add up its bytes.
; Register roles inside the loop:
;   edx = pointer to the name's character data
;   ecx = dword stored 8 bytes before that data, used as the loop bound
;         (presumably the string-length field - confirm)
;   eax = byte index, edi = running sum
; The author's "++" marks on the loop lines read top to bottom as
; "registration-code algorithm".
; ---------------------------------------------------------------------------
; The constant string "whm_w" is pushed and the call is made on the object
; that was at [esp+0C] before the push (it is [esp+10] after it); presumably
; an in-place append (ordinal 03ADh) - confirm.
* Possible StringData Ref from Data Obj ->"whm_w"
|
:0040D661 6814744100 push 00417414
:0040D666 8D4C2410 lea
ecx, dword ptr [esp+10]
* Reference To: MFC42.Ordinal:03AD, Ord:03ADh
|
:0040D66A E893240000 Call 0040FB02
:0040D66F 8B54240C mov
edx, dword ptr [esp+0C]
:0040D673 33FF
xor edi, edi
:0040D675 33C0
xor eax, eax
:0040D677 8B4AF8
mov ecx, dword ptr [edx-08]
:0040D67A 85C9
test ecx, ecx
; Signed test: a bound of zero or less skips the loop and leaves edi = 0.
:0040D67C 7E0B
jle 0040D689
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D687(C)
|
; movsx sign-extends each byte, so bytes of 80h and above are added as
; negative values.
:0040D67E 0FBE3410 movsx
esi, byte ptr [eax+edx] ++注
:0040D682 03FE
add edi, esi ++册
:0040D684 40
inc eax
++码
:0040D685 3BC1
cmp eax, ecx
++算
:0040D687 7CF5
jl 0040D67E
++法
; ---------------------------------------------------------------------------
; Part 3: turn the entered code into a number and compare it with the sum.
; On entry edi holds the byte sum from the loop above.
; The entered code is split in two: everything except the last two characters,
; and the last two characters. Each part is converted with the C runtime
; (atol / atoi) and the two results are XORed before the comparison.
; Both sides of the comparison are derived from the two dialog inputs and the
; constant suffix only; no secret key material takes part in the check.
; NOTE(review): the sub-string roles of ordinals 10B6h and 164Eh are inferred
; from their arguments (start 0 and length-2; count 2) - confirm.
; ---------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D67C(C)
|
:0040D689 8B542410 mov
edx, dword ptr [esp+10]
; ebx is saved here and restored by the pop just before the comparison.
:0040D68D 53
push ebx
:0040D68E 8D4C2414 lea
ecx, dword ptr [esp+14]
:0040D692 8B42F8
mov eax, dword ptr [edx-08]
; FFFFFFFE is -2: eax = stored length of the entered code minus two.
:0040D695 83C0FE
add eax, FFFFFFFE
:0040D698 50
push eax
:0040D699 8D442420 lea
eax, dword ptr [esp+20]
:0040D69D 6A00
push 00000000
:0040D69F 50
push eax
* Reference To: MFC42.Ordinal:10B6, Ord:10B6h
|
:0040D6A0 E8A1220000 Call 0040F946
; eax points at the returned string object; its first dword is the character
; pointer handed to atol.
:0040D6A5 8B00
mov eax, dword ptr [eax]
:0040D6A7 50
push eax
* Reference To: MSVCRT.atol, Ord:023Eh
|
:0040D6A8 FF15A4244100 Call dword ptr
[004124A4]
; atol is cdecl, so the caller removes its single argument.
:0040D6AE 83C404
add esp, 00000004
:0040D6B1 8D4C241C lea
ecx, dword ptr [esp+1C]
; esi = numeric value of the leading part.
:0040D6B5 8BF0
mov esi, eax
; Ordinal 0320h is called on each temporary after use; presumably the string
; destructor - confirm.
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040D6B7 E810210000 Call 0040F7CC
:0040D6BC 8D4C241C lea
ecx, dword ptr [esp+1C]
:0040D6C0 6A02
push 00000002
:0040D6C2 51
push ecx
:0040D6C3 8D4C241C lea
ecx, dword ptr [esp+1C]
* Reference To: MFC42.Ordinal:164E, Ord:164Eh
|
:0040D6C7 E8A6230000 Call 0040FA72
:0040D6CC 8B00
mov eax, dword ptr [eax]
:0040D6CE 50
push eax
* Reference To: MSVCRT.atoi, Ord:023Dh
|
:0040D6CF FF1578244100 Call dword ptr
[00412478]
:0040D6D5 83C404
add esp, 00000004
:0040D6D8 8D4C241C lea
ecx, dword ptr [esp+1C]
; ebx = numeric value of the last two characters.
:0040D6DC 8BD8
mov ebx, eax
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040D6DE E8E9200000 Call 0040F7CC
; esi = leading part XOR trailing part.
:0040D6E3 33F3
xor esi, ebx
:0040D6E5 5B
pop ebx
; Author's notes on the next two lines: "comparison of real and entered code"
; and "if the jump is taken, the error message is shown".
:0040D6E6 3BFE
cmp edi, esi==>真假注册比较
:0040D6E8 0F85F3000000 jne 0040D7E1==>跳转则显示出错信息
; ---------------------------------------------------------------------------
; Part 4: path taken when the comparison matched.
; What the visible calls do:
;   1. call ordinal 1ADDh on the name with "whm_w" and the string at 00417E38
;      (contents not shown); presumably this removes the suffix again - confirm
;   2. zero a 100-byte stack buffer and fill it with GetSystemDirectoryA
;   3. build a file name with the format "%s\%ld.ini" from the system
;      directory and the GetVersion() result
;   4. store the name and the entered code in that file, section "REGINFO",
;      keys "USERNAME" and "PASSWORD", via WritePrivateProfileStringA
;   5. show the success message box and call ordinal 12F5h on the dialog
; The registration record is therefore a plain-text .ini file in the system
; directory, which is the artefact to look for when checking whether a host
; holds a registered copy.
; NOTE(review): the byte writes to [esp+00000088] look like compiler-generated
; exception-handling state updates - confirm.
; ---------------------------------------------------------------------------
:0040D6EE 68387E4100 push 00417E38
* Possible StringData Ref from Data Obj ->"whm_w"
|
:0040D6F3 6814744100 push 00417414
:0040D6F8 8D4C2414 lea
ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:1ADD, Ord:1ADDh
|
:0040D6FC E8F1210000 Call 0040F8F2
; Buffer initialisation: one word copied from 0041A650, then 18h dwords and
; one more word of zeros (2 + 96 + 2 = 100 bytes = 64h). edi is reused as the
; store pointer, so the byte sum is gone from here on.
:0040D701 668B1550A64100 mov dx, word ptr
[0041A650]
:0040D708 B918000000 mov ecx,
00000018
:0040D70D 33C0
xor eax, eax
:0040D70F 8D7C241E lea
edi, dword ptr [esp+1E]
:0040D713 668954241C mov word
ptr [esp+1C], dx
; W32DASM matches the value 64h to a dialog ID; in this code it is the buffer
; size argument pushed for GetSystemDirectoryA.
* Possible Reference to Dialog: DialogID_0064
|
:0040D718 6A64
push 00000064
:0040D71A F3
repz
:0040D71B AB
stosd
:0040D71C 66AB
stosw
:0040D71E 8D442420 lea
eax, dword ptr [esp+20]
:0040D722 50
push eax
* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h
|
:0040D723 FF1538204100 Call dword ptr
[00412038]
; The filled buffer is passed to ordinal 0219h; presumably this constructs a
; string object from it - confirm.
:0040D729 8D4C241C lea
ecx, dword ptr [esp+1C]
:0040D72D 51
push ecx
:0040D72E 8D4C241C lea
ecx, dword ptr [esp+1C]
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:0040D732 E85B210000 Call 0040F892
:0040D737 8D4C2414 lea
ecx, dword ptr [esp+14]
:0040D73B C684248800000002 mov byte ptr [esp+00000088],
02
; Ordinal 021Ch takes no stack arguments here; presumably it creates the empty
; string that receives the formatted file name - confirm.
* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0040D743 E8A2200000 Call 0040F7EA
:0040D748 C684248800000003 mov byte ptr [esp+00000088],
03
* Reference To: KERNEL32.GetVersion, Ord:0174h
|
:0040D750 FF153C204100 Call dword ptr
[0041203C]
:0040D756 8B542418 mov
edx, dword ptr [esp+18]
; Arguments for the format call, pushed right to left: GetVersion() value,
; system-directory text, format string, destination object.
:0040D75A 50
push eax
:0040D75B 52
push edx
:0040D75C 8D44241C lea
eax, dword ptr [esp+1C]
* Possible StringData Ref from Data Obj ->"%s\%ld.ini"
|
:0040D760 683C744100 push 0041743C
:0040D765 50
push eax
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:0040D766 E8F7200000 Call 0040F862
; The four format arguments are still on the stack, so these two loads use
; offsets 10h higher than usual; the add esp below removes them.
:0040D76B 8B4C2424 mov
ecx, dword ptr [esp+24]
:0040D76F 8B54241C mov
edx, dword ptr [esp+1C]
* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:02E5h
|
; The import address is kept in esi and used for both writes below.
:0040D773 8B351C204100 mov esi, dword
ptr [0041201C]
:0040D779 83C410
add esp, 00000010
; First write: file name, name text, key "USERNAME", section "REGINFO".
:0040D77C 51
push ecx
:0040D77D 52
push edx
* Possible StringData Ref from Data Obj ->"USERNAME"
|
:0040D77E 6830744100 push 00417430
* Possible StringData Ref from Data Obj ->"REGINFO"
|
:0040D783 6828744100 push 00417428
:0040D788 FFD6
call esi
; Second write: same file, entered code, key "PASSWORD", section "REGINFO".
:0040D78A 8B442414 mov
eax, dword ptr [esp+14]
:0040D78E 8B4C2410 mov
ecx, dword ptr [esp+10]
:0040D792 50
push eax
:0040D793 51
push ecx
* Possible StringData Ref from Data Obj ->"PASSWORD"
|
:0040D794 681C744100 push 0041741C
* Possible StringData Ref from Data Obj ->"REGINFO"
|
:0040D799 6828744100 push 00417428
:0040D79E FFD6
call esi
; Message box arguments: flags 1030h, caption string, message string. The
; author marks the caption ("keep analysing upwards") and the message
; ("success message").
:0040D7A0 6830100000 push 00001030
* Possible StringData Ref from Data Obj ->"注册信息"==>继续向上分析
|
:0040D7A5 68047B4100 push 00417B04
* Possible StringData Ref from Data Obj ->"您成功注册!"==>成功信息
|
:0040D7AA 68F47A4100 push 00417AF4
:0040D7AF 8BCD
mov ecx, ebp
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:0040D7B1 E812210000 Call 0040F8C8
; Called on the dialog object with no arguments; presumably closes the dialog
; (ordinal 12F5h) - confirm.
:0040D7B6 8BCD
mov ecx, ebp
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:0040D7B8 E80D220000 Call 0040F9CA
; The two string objects created on this path are released, then control
; joins the common exit at 0040D7F7.
:0040D7BD 8D4C2414 lea
ecx, dword ptr [esp+14]
:0040D7C1 C684248800000002 mov byte ptr [esp+00000088],
02
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040D7C9 E8FE1F0000 Call 0040F7CC
:0040D7CE 8D4C2418 lea
ecx, dword ptr [esp+18]
:0040D7D2 C684248800000001 mov byte ptr [esp+00000088],
01
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040D7DA E8ED1F0000 Call 0040F7CC
:0040D7DF EB16
jmp 0040D7F7
; ---------------------------------------------------------------------------
; Part 5: path taken when the comparison at 0040D6E6 did not match.
; Same message-box call as on the success path (flags 1030h, same caption),
; but with the failure text. Nothing is written to disk on this path.
; Author's marks: "keep analysing upwards" on the caption, "error message" on
; the text.
; ---------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6E8(C)
|
:0040D7E1 6830100000 push 00001030
* Possible StringData Ref from Data Obj ->"注册信息"==>继续向上分析
|
:0040D7E6 68047B4100 push 00417B04
* Possible StringData Ref from Data Obj ->"注册失败!"==>出错信息
|
:0040D7EB 68E87A4100 push 00417AE8
:0040D7F0 8BCD
mov ecx, ebp
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:0040D7F2 E8D1200000 Call 0040F8C8
; ---------------------------------------------------------------------------
; Part 6: common exit for both paths.
; Releases the two input string objects at [esp+10] and [esp+0C], restores the
; value saved at [esp+80] into fs:[0] (the Win32 exception-handler chain head),
; pops edi, esi and ebp, drops 80h bytes of locals and returns.
; NOTE(review): the matching pushes and the sub esp are in the prologue, which
; is outside this excerpt.
; ---------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D7DF(U)
|
:0040D7F7 8D4C2410 lea
ecx, dword ptr [esp+10]
:0040D7FB C684248800000000 mov byte ptr [esp+00000088],
00
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040D803 E8C41F0000 Call 0040F7CC
:0040D808 8D4C240C lea
ecx, dword ptr [esp+0C]
:0040D80C C7842488000000FFFFFFFF mov dword ptr [esp+00000088], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040D817 E8B01F0000 Call 0040F7CC
:0040D81C 8B8C2480000000 mov ecx, dword ptr
[esp+00000080]
:0040D823 5F
pop edi
:0040D824 5E
pop esi
:0040D825 5D
pop ebp
:0040D826 64890D00000000 mov dword ptr fs:[00000000],
ecx
:0040D82D 81C480000000 add esp, 00000080
:0040D833 C3
ret
再次运行软件,用 TRW2000 在 0040D6E6 处下断后,用 ?edi 命令就可以显
示出真的注册码。知道真注册码后再把该注册码的前后分别加上00,才能注册
成功。
例如:我的用户名是:flithawk[BCG],用 ?edi 显示出来的注册码是:1888,
则真的注册码是:00188800。
用 VB 编写注册机,源程序如下:
' Click handler for Command1.
' Reads the name from Text1 and writes a derived value to Text2:
'   - an empty name is rejected with a message box and focus returns to Text1;
'   - otherwise the fixed suffix "whm_w" is appended, the result is lower-cased,
'     and the character codes of the result are added up;
'   - the decimal total is placed in Text2 with "00" in front and behind.
' Everything used here is the typed name plus one constant taken from the
' binary, which is why a name-derived checksum gives no licensing protection.
Private Sub Command1_Click()
    Dim total As Integer, pos As Integer, keyed As String

    ' Guard clause: nothing to compute without a name.
    If Len(Text1.Text) = 0 Then
        MsgBox "用户名不能为空,请重新输入。", vbOKOnly, "错误"
        Text1.SetFocus
        Exit Sub
    End If

    keyed = LCase$(Text1.Text & "whm_w")

    ' Add up the character code of every position, first to last.
    total = 0
    pos = 1
    Do While pos <= Len(keyed)
        total = total + Asc(Mid$(keyed, pos, 1))
        pos = pos + 1
    Loop

    Text2.Text = "00" & CStr(total) & "00"
End Sub
至此,整个软件的破解完成!
我仅以此篇祝愿BCG组织能不断发展壮大!我也顺便向各位BCG的成员问好,希
望大家以后能多多保持联系!
Crack
by 飞鹰[BCG] flithawk@263.net 2001.10.25
- 标 题:破解 密码监听器 v1.4 注册码,顺便向BCG组织的各位兄弟问好! (12千字)
- 作 者:飞鹰[BCG]
- 时 间:2001-10-25 18:50:40
- 链 接:http://bbs.pediy.com