最近在搞HTTP监听,顺便找了几款同类软件对比研究,找到了EffeTech HTTP Sniffer 3.2,看见要注册码,手痒于是开刀。 EffeTech HTTP Sniffer 3.2是用来监听局域网内HTTP包的,但是在我机器上似乎没什么用。一个这么简陋的软件都要注册,实在让人不爽。 用TRW2000载入,在注册框内随便填些内容,下bpx hmemcpy,断两次后弹出出错框。 经过跟踪分析得到结论:注册码长度必须是18位(即下面004109E3处与0x12的比较),从跟踪到的这段代码看与用户名无关,其中某几个位置的字符得满足一定条件(条件在下面分析)。 下面是算法分析: :004109D0 51 push ecx :004109D1 55 push ebp :004109D2 56 push esi :004109D3 57 push edi :004109D4 8BE9 mov ebp, ecx :004109D6 6A01 push 00000001 :004109D8 E868E30100 call 0042ED45 :004109DD 8BBD9C000000 mov edi, dword ptr [ebp+0000009C] // EDI是假注册码地址 :004109E3 837FF812 cmp dword ptr [edi-08], 00000012 // 长度必须是0x12 :004109E7 0F850D010000 jne 00410AFA :004109ED 8B74240C mov esi, dword ptr [esp+0C] :004109F1 8B44240C mov eax, dword ptr [esp+0C] :004109F5 53 push ebx :004109F6 8B5C2410 mov ebx, dword ptr [esp+10] :004109FA 33D2 xor edx, edx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00410A5D(C) | :004109FC 8A0C17 mov cl, byte ptr [edi+edx] :004109FF 85D2 test edx, edx :00410A01 7505 jne 00410A08 :00410A03 0FBED9 movsx ebx, cl // 第0个字符放入EBX :00410A06 EB51 jmp 00410A59 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00410A01(C) | :00410A08 83FA01 cmp edx, 00000001 :00410A0B 7507 jne 00410A14 :00410A0D 0FBEC1 movsx eax, cl :00410A10 8BF0 mov esi, eax :00410A12 EB45 jmp 00410A59 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00410A0B(C) | :00410A14 83FA03 cmp edx, 00000003 :00410A17 7431 je 00410A4A :00410A19 83FA06 cmp edx, 00000006 :00410A1C 7507 jne 00410A25 :00410A1E 0FBEC1 movsx eax, cl :00410A21 8BF0 mov esi, eax :00410A23 EB34 jmp 00410A59 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00410A1C(C) | :00410A25 83FA0A cmp edx, 0000000A :00410A28 7509 jne 00410A33 :00410A2A 0FBEC1 movsx eax, cl :00410A2D 89442410 mov dword ptr [esp+10], eax // 把第0x0A个字符放入ESP+10 :00410A31 EB26 jmp 00410A59 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00410A28(C) | :00410A33 83FA0E cmp edx, 0000000E :00410A36 
7508 jne 00410A40 :00410A38 0FBEC1 movsx eax, cl :00410A3B 83EB50 sub ebx, 00000050 // 处理到第0xE个字符时,EBX