【软件名称】network spy eval 1.6
【下载地址】网上搜索
【应用平台】Win9x
【软件大小】未知
【软件限制】未知
【破解声明】破解只是感兴趣,无其它目的。失误之处敬请诸位大侠赐教!
【破解工具】trw2000, peid, W32Dasm
【软件简介】功能很全,ping,traceroute,hostlookup,finger,listener,scanner,whois,winsock.....,总之上网必备
========================================================================================
【分析过程】
先用peid查看一下,还好,vc++编写的软件,没有加壳。
运行该程序 ,加载trw2000 ,输入注册姓名:subtway , 序列号:78787878 ,
CTRL+M呼入TRW2000 ,输入bpx hmemcpy ,按F5返回程序,点击register按钮,TRW拦截,
下pmodule命令,然后按F10一步步来到
.......
0167:004051AD 8D542448 LEA EDX,[ESP+48] //下dedx 显示:78787878
0167:004051B1 8D442408 LEA EAX,[ESP+08] //下deax 显示:subtway
0167:004051B5 52 PUSH EDX
0167:004051B6 50 PUSH EAX
0167:004051B7 E8142E0000 CALL 00407FD0 //关键call ,按F8进入
0167:004051BC 83C408 ADD ESP,BYTE +08
0167:004051BF 85C0 TEST EAX,EAX
0167:004051C1 744A JZ 0040520D // 注册码不对则跳,game over!
0167:004051C3 8B3D28104100 MOV EDI,[00411028]
0167:004051C9 8D4C2408 LEA ECX,[ESP+08]
0167:004051CD 6820024300 PUSH DWORD 00430220
0167:004051D2 51 PUSH ECX
0167:004051D3 6824344100 PUSH DWORD 00413424
0167:004051D8 6884314100 PUSH DWORD 00413184
0167:004051DD FFD7 CALL EDI
0167:004051DF 8D542448 LEA EDX,[ESP+48]
0167:004051E3 6820024300 PUSH DWORD 00430220
0167:004051E8 52 PUSH EDX
0167:004051E9 6838344100 PUSH DWORD 00413438
0167:004051EE 6884314100 PUSH DWORD 00413184
0167:004051F3 FFD7 CALL EDI
0167:004051F5 6A40 PUSH BYTE +40
0167:004051F7 6804364100 PUSH DWORD 00413604
0167:004051FC 68C4354100 PUSH DWORD 004135C4
0167:00405201 56 PUSH ESI
0167:00405202 FF1554114100 CALL `USER32!MessageBoxA` //注册码正确的欢迎窗口
0167:00405208 6A01 PUSH BYTE +01
0167:0040520A 56 PUSH ESI
0167:0040520B EB39 JMP SHORT 00405246
0167:0040520D 6A10 PUSH BYTE +10
0167:0040520F 68B8354100 PUSH DWORD 004135B8
0167:00405214 6898354100 PUSH DWORD 00413598
0167:00405219 56 PUSH ESI
0167:0040521A FF1554114100 CALL `USER32!MessageBoxA` // 注册码错误的提示窗口
0167:00405220 5F POP EDI
0167:00405221 B801000000 MOV EAX,01
0167:00405226 5E POP ESI
0167:00405227 81C480000000 ADD ESP,80
..... 追入call后:
0167:00407FD0 83EC20 SUB ESP,BYTE +20
:00407FD3 56 PUSH ESI
:00407FD4 8B742428 MOV ESI,[ESP+28]
:00407FD8 56 PUSH ESI
:00407FD9 FF1560104100 Call dword ptr [00411060]
:00407FDF 83F804 cmp eax, 00000004 //比较注册姓名位数,小于4则跳,game over
:00407FE2 7D07 jge 00407FEB
:00407FE4 33C0 xor eax, eax
:00407FE6 5E pop esi
:00407FE7 83C420 add esp, 00000020
:00407FEA C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407FE2(C)
|
:00407FEB 0FBE4601 movsx eax, byte ptr [esi+01] //取姓名第2位u的ASC码0x75 放入eax
:00407FEF 0FBE4E02 movsx ecx, byte ptr [esi+02] //取姓名第3位b的ASC码0x62 放入ecx
:00407FF3 D1E0 shl eax, 1 //eax=eax*2=0x75*2=0xea(十进制234)
:00407FF5 50 push eax
:00407FF6 0FBE4603 movsx eax, byte ptr [esi+03] //取姓名第4位t的ASC码0x74 放入eax
:00407FFA C1E102 shl ecx, 02 //ecx=ecx*4=0x62*4=0x188(十进制392)
:00407FFD 51 push ecx
:00407FFE B90A000000 mov ecx, 0000000A //ecx=a(十进制10)
:00408003 99 cdq
:00408004 F7F9 idiv ecx //用eax的值(0x74)和ecx的值(a)做除法运算,商为b(十进制11) ,放在eax中,余数为6(十进制6) ,放在edx
:00408006 B8A0C634FA mov eax, FA34C6A0 //eax=0xfa34c6a0(十进制4197762720)
:0040800B 8BCA mov ecx, edx //ecx=edx=6
:0040800D D3E0 shl eax, cl //eax=eax*(2^ecx)=0x8d31a800(十进制2368841728)
:0040800F 8D4C240C lea ecx, dword ptr [esp+0C]
:00408013 50 push eax
* Possible StringData Ref from Data Obj ->"%010u-%d%d"
|
:00408014 68383B4100 push 00413B38
:00408019 51 push ecx
* Reference To: USER32.wsprintfA, Ord:02B3h
|
:0040801A FF1544114100 Call dword ptr [00411144] //将上述计算的值合成最后的注册码 ->2368841728-392234
:00408020 8B542440 mov edx, dword ptr [esp+40]
:00408024 83C414 add esp, 00000014
:00408027 8D442404 lea eax, dword ptr [esp+04]
:0040802B 52 push edx //下dedx,显示:78787878 ->输入的注册码
:0040802C 50 push eax //下deax,显示:2368841728-392234 ->正确的注册码
* Reference To: KERNEL32.lstrcmpA, Ord:0329h
|
:0040802D FF1544104100 Call dword ptr [00411044] //lstrcmpA 比较 eax、edx 所指向的两个字符串,不等则game over!
:00408033 F7D8 neg eax
:00408035 1BC0 sbb eax, eax
:00408037 5E pop esi
:00408038 40 inc eax
:00408039 83C420 add esp, 00000020
:0040803C C3 ret
========================================================================================
【分析总结】
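注册码只和姓名的第二、三、四位字符有关。校验例程在本地按姓名算出完整的正确注册码,再用 lstrcmpA 与输入做明文比较,所以算法和期望值都会直接出现在调试器里;从保护设计的角度看,这类校验应改为验证签名(程序内只保存公钥)或放到服务器端,而不是在客户端生成期望值。注册机如下: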
//this is a keymaker program of network spy eval 1.6!
#include <iostream.h>
#include <string.h>
#include <stdlib.h>
#include <math.h>
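/*
 * Console entry point.
 *
 * Prints a banner, reads one whitespace-delimited name from standard input
 * and, when the name has at least four characters, prints a string built
 * from its second, third and fourth characters. Always returns 0.
 *
 * Review fixes applied here:
 *   - the name buffer is zero-initialised, so a failed read (EOF) is seen as
 *     an empty name instead of leaving strlen() to walk uninitialised stack;
 *   - the extraction is bounded to the buffer size; the original `cin>>s1`
 *     wrote past the 20-byte array for any name of 20 or more characters.
 */
int main()
{
    cout<<"the keymaker of network spy eval 1.6"<<endl;
    cout<<"========================"<<endl;
    cout<<"made by subtway+0"<<endl;
    cout<<"========================"<<endl;
    cout<<endl;

    char s1[20] = "";
    cout<<"please input your name:";
    // width() caps operator>>(char*) at sizeof s1 - 1 characters plus the
    // terminating NUL; any excess input stays unread in the stream.
    cin.width(sizeof s1);
    cin>>s1;

    int len=strlen(s1);
    if(len<4)
    {
        cout<<"please input again!your name must has at lease 4 chars!"<<endl;
        return 0;
    }

    int m1,m2,m3,m4;
    unsigned long m5;
    m1=s1[1]*2;      // second character, doubled
    m2=s1[2]*4;      // third character, times four
    m3=s1[3]/10;     // quotient of the fourth character by 10; computed but not used below
    m4=s1[3]%10;     // remainder of the fourth character by 10
    // NOTE(review): the multiplication is carried out in double. Where
    // unsigned long is 32 bits wide the product can exceed its range, and an
    // out-of-range floating-to-integer conversion is undefined behaviour.
    // Left exactly as the author wrote it.
    m5=0xfa34c6a0*pow(2,m4);
    cout<<"your password is: "<<m5<<"-"<<m2<<m1<<endl;
    system ("PAUSE");
    return 0;
}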
========================================================================================
【版权信息】
copyright subtway+0 all rights reserved! 2004-12-25