EffeTech HTTP Sniffer 3.2注册算法分析

时间:2005-12-20 来源: 作者: 点击:
最近在搞HTTP监听,顺便要找类似的软件对比对比研究研究,找到了EffeTech HTTP Sniffer 3.2,看见要注册码的,手痒于是开开刀。 EffeTech HTTP Sniffer 3.2是用来监听局域网内HTTP包的。但是在我机器上似乎没什么用。一个这么破的软件都要注册,实在让人不爽。 用TRW200
  最近在搞HTTP监听,顺便要找类似的软件对比对比研究研究,找到了EffeTech HTTP Sniffer 3.2,看见要注册码的,手痒于是开开刀。

EffeTech HTTP Sniffer 3.2是用来监听局域网内HTTP包的。但是在我机器上似乎没什么用。一个这么破的软件都要注册,实在让人不爽。

用TRW2000载入,在要求注册框内填点儿东西,下bpx hmemcpy,断两次后弹出出错框。

经过跟踪分析得到结论:注册码长度必须是18位,和用户名无关,其中某几个字符得符合一定条件(条件在下面分析)。

下面是算法分析:

:004109D0 51 push ecx
:004109D1 55 push ebp
:004109D2 56 push esi
:004109D3 57 push edi
:004109D4 8BE9 mov ebp, ecx
:004109D6 6A01 push 00000001
:004109D8 E868E30100 call 0042ED45
:004109DD 8BBD9C000000 mov edi, dword ptr [ebp+0000009C] // EDI是假注册码地址
:004109E3 837FF812 cmp dword ptr [edi-08], 00000012 // 长度必须是0x12
:004109E7 0F850D010000 jne 00410AFA
:004109ED 8B74240C mov esi, dword ptr [esp+0C]
:004109F1 8B44240C mov eax, dword ptr [esp+0C]
:004109F5 53 push ebx
:004109F6 8B5C2410 mov ebx, dword ptr [esp+10]
:004109FA 33D2 xor edx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A5D(C)
|
:004109FC 8A0C17 mov cl, byte ptr [edi+edx]
:004109FF 85D2 test edx, edx
:00410A01 7505 jne 00410A08
:00410A03 0FBED9 movsx ebx, cl // 第0个字符放入EBX
:00410A06 EB51 jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A01(C)
|
:00410A08 83FA01 cmp edx, 00000001
:00410A0B 7507 jne 00410A14
:00410A0D 0FBEC1 movsx eax, cl
:00410A10 8BF0 mov esi, eax
:00410A12 EB45 jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A0B(C)
|
:00410A14 83FA03 cmp edx, 00000003
:00410A17 7431 je 00410A4A
:00410A19 83FA06 cmp edx, 00000006
:00410A1C 7507 jne 00410A25
:00410A1E 0FBEC1 movsx eax, cl
:00410A21 8BF0 mov esi, eax
:00410A23 EB34 jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A1C(C)
|
:00410A25 83FA0A cmp edx, 0000000A
:00410A28 7509 jne 00410A33
:00410A2A 0FBEC1 movsx eax, cl
:00410A2D 89442410 mov dword ptr [esp+10], eax // 把第0x0A个字符放入ESP+10
:00410A31 EB26 jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A28(C)
|
:00410A33 83FA0E cmp edx, 0000000E
:00410A36 7508 jne 00410A40
:00410A38 0FBEC1 movsx eax, cl
:00410A3B 83EB50 sub ebx, 00000050

// 处理到第0xE个字符时,EBX <- EBX - Ox50

:00410A3E EB19 jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A36(C)
|
:00410A40 83FA12 cmp edx, 00000012
:00410A43 7411 je 00410A56
:00410A45 83FA08 cmp edx, 00000008
:00410A48 7507 jne 00410A51

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A17(C)
|
:00410A4A 0FBEC1 movsx eax, cl
:00410A4D 8BF0 mov esi, eax // 第8个字符放入ESI
:00410A4F EB08 jmp 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A48(C)
|
:00410A51 83FA0F cmp edx, 0000000F
:00410A54 7503 jne 00410A59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A43(C)
|
:00410A56 0FBEC1 movsx eax, cl // 第0x0F个字符最后放入EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00410A06(U), :00410A12(U), :00410A23(U), :00410A31(U), :00410A3E(U)
|:00410A4F(U), :00410A54(C)
|
:00410A59 42 inc edx
:00410A5A 83FA12 cmp edx, 00000012
:00410A5D 7C9D jl 004109FC // 这里是对假注册码的遍历循环
:00410A5F 2B442410 sub eax, dword ptr [esp+10]
:00410A63 2BC6 sub eax, esi
:00410A65 03C3 add eax, ebx
:00410A67 5B pop ebx
:00410A68 0F858C000000 jne 00410AFA // 此处是终极判断,不能跳

最后的JNE条件表示EAX - [ESP+10] - ESI + EBX必须等于0,假设正确注册码是

a: array[0..17] of Char;

EAX := a[F];
[ESP+10] := a[10];
ESI := a[8];
EBX := a[0] - $50;

所以注册成功的条件就是Length(a) = 18而且a[F] - a[10] - a[8]- (a[0] - $50) = 0

捏造一番:a[F] := #$56; a[10] := #$30; a[8] := #$30; a[0] := #$5A;
也就是: a[F] := 'V'; a[10] := '0'; a[8] := '0'; a[0] := 'Z';

用户名和别的位可以随便捏造,如:

Passion
Z12345670901234V67
------分隔线----------------------------
顶一下
(0)
0%
踩一下
(0)
0%
------分隔线----------------------------
最新评论 查看所有评论
发表评论 查看所有评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
表情:
用户名: 密码: 验证码:
推荐内容