最近在搞HTTP监听,顺便要找类似的软件对比对比研究研究,找到了EffeTech HTTP Sniffer 3.2,看见要注册码的,手痒于是开开刀。
EffeTech HTTP Sniffer 3.2是用来监听局域网内HTTP包的。但是在我机器上似乎没什么用。一个这么破的软件都要注册,实在让人不爽。
用TRW2000载入,在要求注册框内填点儿东西,下bpx hmemcpy,断两次后弹出出错框。
经过跟踪分析得到结论:注册码长度必须是18位,和用户名无关,其中某几个字符得符合一定条件(条件在下面分析)。
下面是算法分析:
:004109D0 51
push ecx
:004109D1 55
push ebp
:004109D2
56
push esi
:004109D3 57
push edi
:004109D4 8BE9
mov ebp, ecx
:004109D6 6A01
push 00000001
:004109D8
E868E30100 call 0042ED45
:004109DD 8BBD9C000000 mov edi, dword
ptr [ebp+0000009C] // EDI是假注册码地址
:004109E3 837FF812
cmp dword ptr [edi-08], 00000012
// 长度必须是0x12(即18个字符),长度字段位于[edi-08]
:004109E7 0F850D010000
jne 00410AFA
:004109ED 8B74240C
mov esi, dword ptr [esp+0C]
:004109F1 8B44240C
mov eax, dword ptr [esp+0C]
:004109F5 53
push ebx
:004109F6 8B5C2410
mov ebx, dword ptr [esp+10]
:004109FA 33D2
xor edx, edx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00410A5D(C)
|
:004109FC 8A0C17
mov cl, byte ptr [edi+edx]
:004109FF 85D2
test edx, edx
:00410A01 7505
jne 00410A08
:00410A03 0FBED9
movsx ebx, cl //
第0个字符放入EBX
:00410A06 EB51
jmp 00410A59
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00410A01(C)
|
:00410A08 83FA01
cmp edx, 00000001
:00410A0B 7507
jne 00410A14
:00410A0D 0FBEC1
movsx eax, cl
:00410A10 8BF0
mov esi, eax
:00410A12 EB45
jmp 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A0B(C)
|
:00410A14 83FA03
cmp edx, 00000003
:00410A17 7431
je 00410A4A
:00410A19 83FA06
cmp edx, 00000006
:00410A1C
7507 jne
00410A25
:00410A1E 0FBEC1
movsx eax, cl
:00410A21 8BF0
mov esi, eax
:00410A23 EB34
jmp 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A1C(C)
|
:00410A25 83FA0A
cmp edx, 0000000A
:00410A28 7509
jne 00410A33
:00410A2A 0FBEC1
movsx eax, cl
:00410A2D
89442410 mov dword ptr
[esp+10], eax // 把第0x0A个字符放入ESP+10
:00410A31 EB26
jmp 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A28(C)
|
:00410A33 83FA0E
cmp edx, 0000000E
:00410A36 7508
jne 00410A40
:00410A38 0FBEC1
movsx eax, cl
:00410A3B
83EB50 sub ebx,
00000050
// 处理到第0xE个字符时,EBX <- EBX - 0x50
:00410A3E EB19
jmp 00410A59
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00410A36(C)
|
:00410A40 83FA12
cmp edx, 00000012
:00410A43 7411
je 00410A56
:00410A45 83FA08
cmp edx, 00000008
:00410A48 7507
jne 00410A51
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00410A17(C)
|
:00410A4A 0FBEC1
movsx eax, cl
:00410A4D 8BF0
mov esi, eax
// 第8个字符放入ESI(第3个字符经00410A17的je也到这里,但随后被第6、第8个字符覆盖,最终ESI为第8个字符)
:00410A4F EB08
jmp 00410A59
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00410A48(C)
|
:00410A51 83FA0F
cmp edx, 0000000F
:00410A54 7503
jne 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00410A43(C)
|
:00410A56 0FBEC1
movsx eax, cl
// 第0x0F个字符最后放入EAX(第0x10、0x11个字符不匹配任何分支,EAX保持不变;00410A40处的cmp edx,12永远不成立,因为循环条件是edx<0x12)
* Referenced by a
(U)nconditional or (C)onditional Jump at Addresses:
|:00410A06(U), :00410A12(U),
:00410A23(U), :00410A31(U), :00410A3E(U)
|:00410A4F(U), :00410A54(C)
|
:00410A59 42
inc edx
:00410A5A 83FA12
cmp edx, 00000012
:00410A5D 7C9D
jl 004109FC
// 这里是对假注册码的遍历循环
:00410A5F 2B442410
sub eax, dword ptr [esp+10]
:00410A63 2BC6
sub eax, esi
:00410A65 03C3
add eax, ebx
:00410A67 5B
pop ebx
:00410A68 0F858C000000
jne 00410AFA
// 此处是终极判断,不能跳(pop ebx不改变标志位,JNE依据的是add eax, ebx的结果)
最后的JNE条件表示EAX - [ESP+10] - ESI + EBX必须等于0,假设正确注册码是
a: array[0..17] of Char;
EAX := a[$F];
[ESP+10] := a[10];
ESI := a[8];
EBX := a[0] - $50;
所以注册成功的条件就是Length(a) = 18而且a[$F] - a[10] - a[8] + (a[0] - $50) = 0(注意最后一步是add eax, ebx,所以EBX这一项是加上去的,与上面EAX - [ESP+10] - ESI + EBX = 0一致)
捏造一番:a[$F] := #$56; a[10] := #$30; a[8] := #$30; a[0] := #$5A;
也就是: a[$F] := 'V'; a[10] := '0'; a[8] := '0'; a[0] := 'Z';
用户名和别的位可以随便捏造,如:
Passion
Z12345670901234V67
- 标 题:EffeTech HTTP Sniffer 3.2注册算法分析 (5千字)
- 作 者:Passion
- 时 间:2002-6-24 10:52:59
- 链 接:http://bbs.pediy.com