• Title: EffeTech HTTP Sniffer 3.2 registration algorithm analysis (about 5,000 characters)
  • Author: Passion
  • Date: 2002-6-24 10:52:59
  • Link: http://bbs.pediy.com

I've been working on HTTP sniffing lately and wanted to find similar software to compare against and study. I came across EffeTech HTTP Sniffer 3.2, saw that it asks for a registration code, and my hands started itching, so I took a knife to it.

EffeTech HTTP Sniffer 3.2 is meant to sniff HTTP packets on a LAN, but on my machine it didn't seem to do much. That a program this crude still demands registration is really irritating.

Load it in TRW2000, type something into the registration dialog and set bpx hmemcpy; after two breaks the error box pops up.

Tracing through leads to this conclusion: the registration code must be 18 characters long and has nothing to do with the user name; a few of its characters must satisfy one condition (worked out below).

Here is the algorithm analysis:

:004109D0 51                      push ecx
:004109D1 55                      push ebp
:004109D2 56                      push esi
:004109D3 57                      push edi
:004109D4 8BE9                    mov ebp, ecx
:004109D6 6A01                    push 00000001
:004109D8 E868E30100              call 0042ED45
:004109DD 8BBD9C000000            mov edi, dword ptr [ebp+0000009C]    // EDI = pointer to the serial we typed in (an MFC CString)
:004109E3 837FF812                cmp dword ptr [edi-08], 00000012    // CString length field: must be 0x12 = 18
:004109E7 0F850D010000            jne 00410AFA
:004109ED 8B74240C                mov esi, dword ptr [esp+0C]
:004109F1 8B44240C                mov eax, dword ptr [esp+0C]
:004109F5 53                      push ebx
:004109F6 8B5C2410                mov ebx, dword ptr [esp+10]
:004109FA 33D2                    xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A5D(C)
|
:004109FC 8A0C17                  mov cl, byte ptr [edi+edx]
:004109FF 85D2                    test edx, edx
:00410A01 7505                    jne 00410A08
:00410A03 0FBED9                  movsx ebx, cl                // character 0 goes into EBX
:00410A06 EB51                    jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A01(C)
|
:00410A08 83FA01                  cmp edx, 00000001
:00410A0B 7507                    jne 00410A14
:00410A0D 0FBEC1                  movsx eax, cl                // character 1 into EAX and ESI (both overwritten later)
:00410A10 8BF0                    mov esi, eax
:00410A12 EB45                    jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A0B(C)
|
:00410A14 83FA03                  cmp edx, 00000003
:00410A17 7431                    je 00410A4A                  // character 3 takes the same path as character 8 (overwritten later)
:00410A19 83FA06                  cmp edx, 00000006
:00410A1C 7507                    jne 00410A25
:00410A1E 0FBEC1                  movsx eax, cl                // character 6 into EAX and ESI (overwritten later)
:00410A21 8BF0                    mov esi, eax
:00410A23 EB34                    jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A1C(C)
|
:00410A25 83FA0A                  cmp edx, 0000000A
:00410A28 7509                    jne 00410A33
:00410A2A 0FBEC1                  movsx eax, cl
:00410A2D 89442410                mov dword ptr [esp+10], eax    // character 0x0A goes into [ESP+10]
:00410A31 EB26                    jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A28(C)
|
:00410A33 83FA0E                  cmp edx, 0000000E
:00410A36 7508                    jne 00410A40
:00410A38 0FBEC1                  movsx eax, cl                // character 0x0E into EAX (overwritten by character 0x0F)
:00410A3B 83EB50                  sub ebx, 00000050            // when character 0x0E is reached, EBX <- EBX - 0x50
:00410A3E EB19                    jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A36(C)
|
:00410A40 83FA12                  cmp edx, 00000012
:00410A43 7411                    je 00410A56                  // never taken: EDX stays below 0x12 inside the loop
:00410A45 83FA08                  cmp edx, 00000008
:00410A48 7507                    jne 00410A51

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A17(C)
|
:00410A4A 0FBEC1                  movsx eax, cl
:00410A4D 8BF0                    mov esi, eax            // character 8 goes into ESI (this is the value ESI keeps)
:00410A4F EB08                    jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A48(C)
|
:00410A51 83FA0F                  cmp edx, 0000000F
:00410A54 7503                    jne 00410A59                 // any other index: just advance

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A43(C)
|
:00410A56 0FBEC1                  movsx eax, cl            // character 0x0F is the last value written to EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00410A06(U), :00410A12(U), :00410A23(U), :00410A31(U), :00410A3E(U)
|:00410A4F(U), :00410A54(C)
|
:00410A59 42                      inc edx
:00410A5A 83FA12                  cmp edx, 00000012
:00410A5D 7C9D                    jl 004109FC            // loop over all 18 characters of the serial
:00410A5F 2B442410                sub eax, dword ptr [esp+10]
:00410A63 2BC6                    sub eax, esi
:00410A65 03C3                    add eax, ebx
:00410A67 5B                      pop ebx                // pop does not touch the flags, so ZF still comes from the add
:00410A68 0F858C000000            jne 00410AFA            // the final verdict: this jump must not be taken

The final JNE means EAX - [ESP+10] - ESI + EBX must equal 0. Suppose the correct serial is

a: array[0..17] of Char;

Then, with decimal indices, the registers hold after the loop:

EAX := a[15];
[ESP+10] := a[10];
ESI := a[8];
EBX := a[0] - $50;

So the condition for successful registration is Length(a) = 18 and a[15] - a[10] - a[8] + (a[0] - $50) = 0, or equivalently a[0] + a[15] = a[8] + a[10] + $50. (EBX enters with a plus sign because the instruction at 00410A65 is add eax, ebx.)

Make something up: a[15] := #$56; a[10] := #$30; a[8] := #$30; a[0] := #$5A;
That is:          a[15] := 'V'; a[10] := '0'; a[8] := '0'; a[0] := 'Z';
Check: $56 - $30 - $30 + ($5A - $50) = 0.

The user name and the other positions can be anything, for example:

Passion
Z12345670901234V67
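As an added example (not code from the original post or from EffeTech), here is a Python port of the check routine above, register for register, next to the closed-form condition it reduces to and a small keygen built from that condition. The function names (check_serial, constraint_holds, make_serial) and the alphabet the keygen draws from are this example's own choices; the post's serial Z12345670901234V67 is used as the known-good input.

```python
# Added example (not code from the original post or from EffeTech): a Python
# port of the serial check at 004109D0 in EffeTech HTTP Sniffer 3.2, its
# closed-form condition, and a keygen. Function names and ALPHABET are our own.
import random
import string

SERIAL_LEN = 0x12                                 # cmp dword ptr [edi-08], 12h
ALPHABET = string.digits + string.ascii_letters   # keygen's choice of characters


def _movsx(b: int) -> int:
    """movsx reg, byte: sign-extend one byte to a 32-bit signed value."""
    return b - 0x100 if b >= 0x80 else b


def check_serial(serial: str) -> bool:
    """Register-for-register port of the loop at 004109FC..00410A68.

    Returns True exactly when the final `jne 00410AFA` would NOT be taken,
    i.e. when EAX - [ESP+10] - ESI + EBX == 0 once the loop finishes.
    """
    try:
        data = serial.encode("latin-1")           # the target is an ANSI (MFC) build
    except UnicodeEncodeError:
        return False
    if len(data) != SERIAL_LEN:                   # cmp [edi-08], 12h / jne 00410AFA
        return False

    eax = esi = ebx = slot = 0                    # `slot` stands in for [ESP+10]
    for edx in range(SERIAL_LEN):                 # xor edx,edx ... inc edx / cmp edx,12h / jl
        cl = data[edx]                            # mov cl, byte ptr [edi+edx]
        if edx == 0:
            ebx = _movsx(cl)                      # 00410A03  movsx ebx, cl
        elif edx in (1, 3, 6, 8):
            eax = _movsx(cl)                      # 00410A0D / 00410A1E / 00410A4A
            esi = eax                             # mov esi, eax (only index 8 survives)
        elif edx == 0x0A:
            eax = _movsx(cl)                      # 00410A2A
            slot = eax                            # 00410A2D  mov [esp+10], eax
        elif edx == 0x0E:
            eax = _movsx(cl)                      # 00410A38
            ebx -= 0x50                           # 00410A3B  sub ebx, 50h
        elif edx == 0x0F:
            eax = _movsx(cl)                      # 00410A56  the value EAX keeps
        # `cmp edx, 12h / je 00410A56` is dead code: edx < 12h inside the loop;
        # every other index falls straight through to 00410A59

    eax = (eax - slot - esi + ebx) & 0xFFFFFFFF   # 00410A5F..00410A65, 32-bit wrap
    return eax == 0                               # ZF set -> jne 00410AFA not taken


def constraint_holds(serial: str) -> bool:
    """The same check reduced to its closed form:
    a[15] - a[10] - a[8] + (a[0] - 0x50) == 0, i.e. a[0] + a[15] == a[8] + a[10] + 0x50,
    with every byte sign-extended exactly as the movsx instructions do it.
    """
    if len(serial) != SERIAL_LEN or any(ord(c) > 0xFF for c in serial):
        return False
    a = [_movsx(ord(c)) for c in serial]
    return a[0] + a[15] == a[8] + a[10] + 0x50


def make_serial(seed: int = 0) -> str:
    """Keygen: draw 18 random characters, then solve the constraint for a[0].

    a[0] = a[8] + a[10] + 0x50 - a[15] has to land inside ALPHABET, which is not
    true for every draw, so redraw until it does. The user name never enters
    the routine, so it is not a parameter here either.
    """
    rng = random.Random(seed)
    while True:
        chars = [rng.choice(ALPHABET) for _ in range(SERIAL_LEN)]
        a0 = ord(chars[8]) + ord(chars[10]) + 0x50 - ord(chars[15])
        if 0 <= a0 < 0x80 and chr(a0) in ALPHABET:
            chars[0] = chr(a0)
            return "".join(chars)


if __name__ == "__main__":
    print("Z12345670901234V67", check_serial("Z12345670901234V67"))   # the post's serial
    for seed in range(3):
        s = make_serial(seed)
        print(s, check_serial(s))
```

Two things worth noticing when you run it. First, the routine uses movsx, so bytes above 0x7F enter the arithmetic as negative values; constraint_holds mirrors that, which is why it agrees with the register-level port on arbitrary byte strings and not only on ASCII. Second, if you restrict yourself to upper-case letters and digits, the solution space is tiny: a[8] + a[10] + $50 is at least '0' + '0' + $50 = $B0, while a[0] + a[15] is at most 'Z' + 'Z' = $B4, which is exactly why the post's serial needs 'Z' and 'V' at the ends and '0','0' in the middle. Allowing lower-case letters (as ALPHABET does) opens it up considerably.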