淺談OICQ的密碼比較 1 (12千字)
學CRACK已經一個多月了,想想當初成功破解第一個軟體時,激動的我連續兩個小時心跳加速,以後的三天晚上
沒睡好覺,多可笑啊!現在回頭再看看,可真是一段美好的回憶!
好了,不說廢話了!下面我淺談一下OICQ的密碼比較過程.
前提是你必須在這臺機子上,曾經成功登陸上伺服器.而且保留matrix.cnt檔案.
我沒技術和時間去反推出密碼.如那位CRACKER成功的話,別忘了告訴我一聲,OK?
EMAIL:CL517@YEAH.NET (可別炸我呀!!!)
希望能交個朋友.
OICQ:9062494
如有錯誤請各位指出.
* Possible StringData Ref from Data Obj ->"matrix.cnt" <===讀入這個檔案!!!
|
:0044192B 68C8125100 push 005112C8
:00441930 51
push ecx
:00441931 50
push eax
:00441932 C645FC05 mov
[ebp-04], 05
:00441936 E87FEF0500 call 004A08BA
:0044193B 8D4DB0
lea ecx, dword ptr [ebp-50]
:0044193E E892A60200 call 0046BFD5
:00441943 3BC3
cmp eax, ebx
:00441945 741F
je 00441966
:00441947 51
push ecx
:00441948 8D450C
lea eax, dword ptr [ebp+0C]
:0044194B 8BCC
mov ecx, esp
:0044194D 8965F0
mov dword ptr [ebp-10], esp
:00441950 50
push eax
:00441951 E844EA0500 call 004A039A
:00441956 8D4DB0
lea ecx, dword ptr [ebp-50]
:00441959 E87EA70200 call 0046C0DC
====>關鍵CALL
:0044195E 3BC3
cmp eax, ebx **比較(這裡只是一個標誌,看不到你輸入的PASSWORD)
:00441960 7404
je 00441966 **一跳就完(很奇怪吧!)
:00441962 8BF7
mov esi, edi
:00441964 EB02
jmp 00441968
matrix.cnt存著上次登陸成功的密碼(當然是加密後的!)
這是我的:
5F 65 00 00 89 3B C2 4A 99 D9 31 B4 29 3C 39 6E 22 BB 2B DD
\ / \
/
--- ---------------------------------------------
這個一會兒 這是上次登陸成功密碼的加密形式
會用到
追進關鍵CALL中:
:0046C0FB 50
push eax
:0046C0FC E85AA3FEFF call 0045645B
***CALL(對你輸入的密碼進行加密處理,
:0046C101 83C40C
add esp, 0000000C 然後存在7AEF20-7AEF2A中)
:0046C104 6A01
push 00000001
:0046C106 5F
pop edi
:0046C107 397E04
cmp dword ptr [esi+04], edi
:0046C10A 7618
jbe 0046C124
:0046C10C 8D45E4
lea eax, dword ptr [ebp-1C]----------- 對剛才加密過的密碼再:0046C10F 6A10
push 00000010
| 進行迴圈加密處理
:0046C111 50
push eax
| 這裡的迴圈次數,是根據
:0046C112 8D45E4
lea eax, dword ptr [ebp-1C] | matrix.cnt的內容
:0046C115 50
push eax
| 656F那就是25951次,
:0046C116 E840A3FEFF call 0045645B
***CALL | 好恐怖的數字呀!!
:0046C11B 83C40C
add esp, 0000000C
|
:0046C11E 47
inc edi
|
:0046C11F 3B7E04
cmp edi, dword ptr [esi+04] |
:0046C122 72E8
jb 0046C10C ------------------------
:0046C124 83C608
add esi, 00000008
:0046C127 6A10
push 00000010
:0046C129 8D45E4
lea eax, dword ptr [ebp-1C]
:0046C12C 56
push esi
:0046C12D 50
push eax
:0046C12E E87DB70100 call 004878B0
<==比較加密後的註冊碼
:0046C133 8BF0
mov esi, eax
:0046C135 83C40C
add esp, 0000000C
:0046C138 F7DE
neg esi
:0046C13A 1BF6
sbb esi, esi
:0046C13C 834DFCFF or
dword ptr [ebp-04], FFFFFFFF
:0046C140 8D4D08
lea ecx, dword ptr [ebp+08]
:0046C143 46
inc esi
:0046C144 E8DC440300 call 004A0625
:0046C149 8B4DF4
mov ecx, dword ptr [ebp-0C]
:0046C14C 8BC6
mov eax, esi
:0046C14E 5F
pop edi
:0046C14F 5E
pop esi
:0046C150 64890D00000000 mov dword ptr fs:[00000000],
ecx
:0046C157 C9
leave
:0046C158 C20400
ret 0004
進入關鍵CALL 0045645B
:0045645B 55
push ebp
:0045645C 8BEC
mov ebp, esp
:0045645E 83EC5C
sub esp, 0000005C
:00456461 8D45A4
lea eax, dword ptr [ebp-5C]
:00456464 50
push eax
:00456465 E847F3FFFF call 004557B1
:0045646A FF7510
push [ebp+10]
:0045646D 8D45A4
lea eax, dword ptr [ebp-5C]
:00456470 FF750C
push [ebp+0C]
:00456473 50
push eax
:00456474 E873F3FFFF call 004557EC
:00456479 8D45A4
lea eax, dword ptr [ebp-5C]
:0045647C 50
push eax
:0045647D FF7508
push [ebp+08]
:00456480 E8BBFEFFFF call 00456340
*****這裡進行加密處理
:00456485 83C418
add esp, 00000018
:00456488 C9
leave
:00456489 C3
ret
:00456340 53
push ebx
:00456341 56
push esi
:00456342 8B742410 mov
esi, dword ptr [esp+10]
:00456346 57
push edi
* Possible StringData Ref from Data Obj ->""
|
:00456347 BAAC195100 mov edx,
005119AC
:0045634C 8B4E58
mov ecx, dword ptr [esi+58]
:0045634F 8D5E18
lea ebx, dword ptr [esi+18]
:00456352 8BC1
mov eax, ecx
:00456354 83E103
and ecx, 00000003
:00456357 C1F802
sar eax, 02
:0045635A 83E900
sub ecx, 00000000
:0045635D 8B3C83
mov edi, dword ptr [ebx+4*eax]
:00456360 740B
je 0045636D
:00456362 49
dec ecx
:00456363 7414
je 00456379
:00456365 49
dec ecx
:00456366 7418
je 00456380
:00456368 49
dec ecx
:00456369 741E
je 00456389
:0045636B EB24
jmp 00456391
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456360(C)
|
:0045636D 0FB63DAC195100 movzx edi, byte ptr
[005119AC]
* Possible StringData Ref from Data Obj ->""
|
:00456374 BAAD195100 mov edx,
005119AD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456363(C)
|
:00456379 33C9
xor ecx, ecx
:0045637B 8A2A
mov ch, byte ptr [edx]
:0045637D 0BF9
or edi, ecx
:0045637F 42
inc edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456366(C)
|
:00456380 0FB60A
movzx ecx, byte ptr [edx]
:00456383 C1E110
shl ecx, 10
:00456386 0BF9
or edi, ecx
:00456388 42
inc edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456369(C)
|
:00456389 0FB60A
movzx ecx, byte ptr [edx]
:0045638C C1E118
shl ecx, 18
:0045638F 0BF9
or edi, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045636B(U)
|
:00456391 893C83
mov dword ptr [ebx+4*eax], edi
:00456394 40
inc eax
:00456395 837E5838 cmp
dword ptr [esi+58], 00000038
:00456399 7C1E
jl 004563B9
:0045639B 6A10
push 00000010
:0045639D 59
pop ecx
:0045639E 3BC1
cmp eax, ecx
:004563A0 7D09
jge 004563AB
:004563A2 8D3C83
lea edi, dword ptr [ebx+4*eax]
:004563A5 2BC8
sub ecx, eax
:004563A7 33C0
xor eax, eax
:004563A9 F3
repz
:004563AA AB
stosd
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004563A0(C)
|
:004563AB 6A40
push 00000040
:004563AD 53
push ebx
:004563AE 56
push esi
:004563AF E8B5F6FFFF call 00455A69
:004563B4 83C40C
add esp, 0000000C
:004563B7 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456399(C)
|
:004563B9 6A0E
push 0000000E
:004563BB 59
pop ecx
:004563BC 3BC1
cmp eax, ecx
:004563BE 7D09
jge 004563C9
:004563C0 8D3C83
lea edi, dword ptr [ebx+4*eax]
:004563C3 2BC8
sub ecx, eax
:004563C5 33C0
xor eax, eax
:004563C7 F3
repz
:004563C8 AB
stosd
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004563BE(C)
|
:004563C9 8B4610
mov eax, dword ptr [esi+10]
:004563CC 6A40
push 00000040
:004563CE 894338
mov dword ptr [ebx+38], eax
:004563D1 8B4614
mov eax, dword ptr [esi+14]
:004563D4 53
push ebx
:004563D5 56
push esi
:004563D6 89433C
mov dword ptr [ebx+3C], eax
:004563D9 E88BF6FFFF call 00455A69
*******這裡
:004563DE 8B44241C mov
eax, dword ptr [esp+1C]
:004563E2 8B0E
mov ecx, dword ptr [esi]
:004563E4 83C40C
add esp, 0000000C
:004563E7 8BD1
mov edx, ecx ======>從這裡到0045645A處
:004563E9 8808
mov byte ptr [eax], cl (開始向7AEF20-7AEF2A存入加密後的密碼)
:004563EB 40
inc eax
:004563EC C1EA08
shr edx, 08
:004563EF 8810
mov byte ptr [eax], dl
:004563F1 8BD1
mov edx, ecx
:004563F3 40
inc eax
:004563F4 5F
pop edi
:004563F5 C1EA10
shr edx, 10
:004563F8 8810
mov byte ptr [eax], dl
:004563FA 40
inc eax
:004563FB C1E918
shr ecx, 18
:004563FE 8808
mov byte ptr [eax], cl
:00456400 8B4E04
mov ecx, dword ptr [esi+04]
:00456403 40
inc eax
:00456404 8BD1
mov edx, ecx
:00456406 C1EA08
shr edx, 08
:00456409 8808
mov byte ptr [eax], cl
:0045640B 40
inc eax
:0045640C 8810
mov byte ptr [eax], dl
:0045640E 8BD1
mov edx, ecx
:00456410 40
inc eax
:00456411 C1EA10
shr edx, 10
:00456414 8810
mov byte ptr [eax], dl
:00456416 40
inc eax
:00456417 C1E918
shr ecx, 18
:0045641A 8808
mov byte ptr [eax], cl
:0045641C 8B4E08
mov ecx, dword ptr [esi+08]
:0045641F 40
inc eax
:00456420 8BD1
mov edx, ecx
:00456422 C1EA08
shr edx, 08
:00456425 8808
mov byte ptr [eax], cl
:00456427 40
inc eax
:00456428 8810
mov byte ptr [eax], dl
:0045642A 8BD1
mov edx, ecx
:0045642C 40
inc eax
:0045642D C1EA10
shr edx, 10
:00456430 8810
mov byte ptr [eax], dl
:00456432 40
inc eax
:00456433 C1E918
shr ecx, 18
:00456436 8808
mov byte ptr [eax], cl
:00456438 8B4E0C
mov ecx, dword ptr [esi+0C]
:0045643B 40
inc eax
:0045643C 8BD1
mov edx, ecx
:0045643E C1EA08
shr edx, 08
:00456441 8808
mov byte ptr [eax], cl
:00456443 40
inc eax
:00456444 8810
mov byte ptr [eax], dl
:00456446 8BD1
mov edx, ecx
:00456448 40
inc eax
:00456449 C1EA10
shr edx, 10
:0045644C C1E918
shr ecx, 18
:0045644F 8810
mov byte ptr [eax], dl
:00456451 884801
mov byte ptr [eax+01], cl
:00456454 83665800 and
dword ptr [esi+58], 00000000
:00456458 5E
pop esi
:00456459 5B
pop ebx
:0045645A C3
ret
相關文章
- 破解OICQ的密碼演算法 (6千字)2001-06-25密碼演算法
- 淺談前端MOCK資料工具比較2018-11-16前端Mock
- OICQ圖形留言系統(1千字)2015-11-15
- js 深比較和淺比較2020-11-26JS
- react-redux的淺比較2018-12-28ReactRedux
- APP 密碼儲存在何處比較安全2016-06-07APP密碼
- OicqSend (Oicq訊息釋出) Ver 2.01.903
破解 (1千字)2000-09-21
- Oicq 99c Build 0820版破解 (1千字)2000-10-13UI
- 淺談Hyper-v與VMware伺服器虛擬化比較2017-11-08伺服器
- redux connect的淺比較說明2018-09-28Redux
- 『凌雲郵神』 註冊碼破解 (非明碼比較的哦 ^_^) (6千字)2001-11-05
- 比較早的一個keygen練習, 參考hambo教程。 (1千字)2001-10-19
- oicq build 0425 的不完全破解 (3千字)2000-05-28UI
- 淺談國密演算法2020-04-04演算法
- 密碼學之各種加解密演算法比較2017-06-07密碼學解密演算法
- OICQ HACK 1.0 破解過程 (9千字)2001-04-23
- TIM1比較模式2024-06-28模式
- 淺析FoxMail 3.11 及其密文解碼公式 (4千字)2001-01-02AI公式
- 我的破解心得(12) (1千字)2001-03-13
- 初學者(12) (1千字)2000-06-09
- Database | 淺談Query Optimization (1)2021-04-09Database
- 淺談0/1切換2015-04-30
- 一種非明碼比較程式的註冊------NS-SHAFT註冊碼破解 (9千字)2015-11-15
- 字元編碼淺談2013-05-21字元
- 淺議密碼強度與密碼破解(2)2014-02-10密碼
- 淺談C#緩衝區溢位的祕密2010-12-28C#
- 淺談利用 TEB 實現的反跟蹤 (6千字)2003-02-09
- mysql中count(1)與count(*)比較2016-04-07MySql
- 工廠模式的問題 比較淺顯高手莫嫌2005-05-10模式
- 一個比較好的shell指令碼2010-11-25指令碼
- 淺談JavaScript的編碼規範2011-09-26JavaScript
- Python解惑:整數比較 is ==的比較2017-12-08Python
- WINZIP的密碼校對原理 (3千字)2001-08-29密碼
- 談談系統密碼儲存策略2018-09-17密碼
- 淺談用“搜尋大法”來索取記憶體註冊碼 (4千字)2001-03-23記憶體
- 程式碼規範淺談2022-04-15
- 密碼管理軟體。 (2千字)2001-03-12密碼
- 轉一篇比較簡單的installshiled的破解 (2千字)2001-05-14