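PassWD2000 cracking walkthrough (repost)
===========================================
Software name: PassWD2000
Latest version: 2.85
Size: 868,352 bytes
Download URL: http://www.passwd2000.com
Function: password management
===========================================
Tool used: Soft-ICE4.05
Cracker: iCHBoy
Contact e-mail: ichboy@263.net
Crack date: 2001,10,9
Author's statement: Reposting is welcome, but please keep iCHBoy credited as the original author.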
===========================================
Name:iCHBoy
Serial:MY4LB8AA11
===========================================
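Cracking steps:
1. Start sice, run passWD, and enter name: iCHBoy, serial: 1234567890 (10 characters)
2. Set bpx hmemcpy
3. Press F12 a dozen or so times until you arrive in the program's own code
4. Analysis of the relevant code: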
015F:0048D917 MOV EAX,[EBP-1C]
015F:0048D91A CALL 00403E10
015F:0048D91F CMP EAX,BYTE +0A  <-- check whether the serial is 10 characters long
015F:0048D922 JNZ NEAR 0048DE51  <-- 0048DE51 is the error path
015F:0048D928 LEA EDX,[EBP-1C]  <-- non-essential comments are omitted from here on
015F:0048D92B MOV EAX,[EBX+02E0]
015F:0048D931 CALL 00443500
015F:0048D936 MOV EAX,[EBP-1C]
015F:0048D939 CALL 00403E10
015F:0048D93E DEC EAX
015F:0048D93F JL NEAR 0048DE51
015F:0048D945 LEA EDX,[EBP-1C]
015F:0048D948 MOV EAX,[EBX+02E4]
015F:0048D94E CALL 00443500
015F:0048D953 MOV EAX,[EBP-1C]
015F:0048D956 LEA EDX,[EBP-14]
015F:0048D959 CALL 00408364
015F:0048D95E LEA EDX,[EBP-1C]
015F:0048D961 MOV EAX,[EBX+02E0]
015F:0048D967 CALL 00443500
015F:0048D96C MOV EAX,[EBP-1C]
015F:0048D96F LEA EDX,[EBP-18]
015F:0048D972 CALL 00408364
015F:0048D977 MOV BYTE [EBP-05],00
015F:0048D97B MOV BYTE [EBP-06],00
015F:0048D97F MOV BYTE [EBP-07],01
015F:0048D983 MOV EAX,[EBP-18]
015F:0048D986 CALL 00403E10
015F:0048D98B MOV EDI,EAX
015F:0048D98D TEST EDI,EDI
015F:0048D98F JNG 0048D9E4
015F:0048D991 MOV ESI,01  <-- if you want to study the algorithm, read this part carefully
015F:0048D996 MOV EAX,[EBP-18]  <-- ESI=01, [EAX]=ICHBOY (note: already upper-cased)
015F:0048D999 MOV DL,[EAX+ESI-01]  <-- loop, fetching each letter in turn
015F:0048D99D MOV EAX,EBX
015F:0048D99F CALL 0048E158
015F:0048D9A4 ADD [EBP-05],AL  <-- [EBP-05] starts at 0; add
015F:0048D9A7 MOV EAX,ESI
015F:0048D9A9 AND EAX,80000001  <-- current position AND 80000001,
015F:0048D9AE JNS 0048D9B5  <-- so the algorithm below splits into two branches
015F:0048D9B0 DEC EAX
015F:0048D9B1 OR EAX,BYTE -02
015F:0048D9B4 INC EAX
015F:0048D9B5 TEST EAX,EAX  <-- branch 1: EAX=0
015F:0048D9B7 JNZ 0048D9CC
015F:0048D9B9 MOV EAX,[EBP-18]
015F:0048D9BC MOV DL,[EAX+ESI-01]
015F:0048D9C0 MOV EAX,EBX
015F:0048D9C2 CALL 0048E158
015F:0048D9C7 ADD [EBP-06],AL  <-- [EBP-6]+AL
015F:0048D9CA JMP SHORT 0048D9E0
015F:0048D9CC MOV EAX,[EBP-18]  <-- branch 2: EAX!=0
015F:0048D9CF MOV DL,[EAX+ESI-01]
015F:0048D9D3 MOV EAX,EBX
015F:0048D9D5 CALL 0048E158
015F:0048D9DA IMUL BYTE [EBP-07]  <-- EAX*[EBP-07]; [EBP-07] starts at 01
015F:0048D9DD MOV [EBP-07],AL
015F:0048D9E0 INC ESI
015F:0048D9E1 DEC EDI
015F:0048D9E2 JNZ 0048D996  <-- loop until everything has been read
015F:0048D9E4 XOR EAX,EAX
015F:0048D9E6 MOV AL,[EBP-05]  <-- the final sum goes into AL
015F:0048D9E9 MOV ECX,23  <-- ECX=23;
015F:0048D9EE XOR EDX,EDX  <-- EDX holds the quotient
015F:0048D9F0 DIV ECX  <-- EAX/ECX
015F:0048D9F2 MOV [EBP-05],DL  <-- the quotient in EDX is stored to [EBP-05]
015F:0048D9F5 XOR EAX,EAX
015F:0048D9F7 MOV AL,[EBP-05]
015F:0048D9FA MOV AL,[EBX+EAX+030C]  <-- [EAX+030C] is where the serial information is stored: [123456789ZRXYGAMEVIWCSBJHLFPKTOQUDN]
015F:0048DA01 MOV EDX,[EBP-14]
015F:0048DA04 CMP AL,[EDX]  <-- first serial character: AL= 'M'
015F:0048DA06 JNZ NEAR 0048DE51
015F:0048DA0C XOR EAX,EAX
015F:0048DA0E MOV AL,[EBP-06]  <-- work out for yourself what the following algorithm does
015F:0048DA11 MOV ECX,23
015F:0048DA16 XOR EDX,EDX
015F:0048DA18 DIV ECX
015F:0048DA1A MOV [EBP-06],DL
015F:0048DA1D XOR EAX,EAX
015F:0048DA1F MOV AL,[EBP-06]
015F:0048DA22 MOV AL,[EBX+EAX+030C]
015F:0048DA29 MOV EDX,[EBP-14]
015F:0048DA2C CMP AL,[EDX+01]  <-- second serial character: AL= 'Y'
015F:0048DA2F JNZ NEAR 0048DE51
015F:0048DA35 XOR EAX,EAX
015F:0048DA37 MOV AL,[EBP-07]  <-- algorithm
015F:0048DA3A MOV ECX,23
015F:0048DA3F XOR EDX,EDX
015F:0048DA41 DIV ECX
015F:0048DA43 MOV [EBP-07],DL
015F:0048DA46 XOR EAX,EAX
015F:0048DA48 MOV AL,[EBP-07]
015F:0048DA4B MOV AL,[EBX+EAX+030C]
015F:0048DA52 MOV EDX,[EBP-14]
015F:0048DA55 CMP AL,[EDX+02]  <-- third serial character: AL= '4'
015F:0048DA58 JNZ NEAR 0048DE51
015F:0048DA5E MOV DL,[EBP-05]  <-- fetch the quotient from the last division
015F:0048DA61 MOV EAX,EBX
015F:0048DA63 CALL 0048E16C
015F:0048DA68 LEA EAX,[EBP-20]
015F:0048DA6B MOV EDX,[EBP-14]
015F:0048DA6E MOV DL,[EDX+03]
015F:0048DA71 CALL 00403D38
015F:0048DA76 MOV EDX,[EBP-20]
015F:0048DA79 MOV EAX,EBX
015F:0048DA7B CALL 0048E2F0
015F:0048DA80 LEA EDX,[EBP-0C]
015F:0048DA83 CALL 00408510
015F:0048DA88 LEA EAX,[EBP-20]
015F:0048DA8B MOV EDX,[EBP-14]
015F:0048DA8E MOV DL,[EDX+03]
015F:0048DA91 CALL 00403D38
015F:0048DA96 MOV EDX,[EBP-20]
015F:0048DA99 MOV EAX,EBX
015F:0048DA9B CALL 0048E2F0
015F:0048DAA0 MOV AL,[EBX+EAX*8+0330]  <-- get the fourth serial character
015F:0048DAA7 MOV EDX,[EBP-14]  <-- and the serial that was entered
015F:0048DAAA CMP AL,[EDX+03]  <-- fourth serial character: AL= 'L'
015F:0048DAAD JNZ NEAR 0048DE51
015F:0048DAB3 MOV DL,[EBP-06]  <-- abbreviated from here on
015F:0048DAB6 MOV EAX,EBX
015F:0048DAB8 CALL 0048E16C
015F:0048DABD LEA EAX,[EBP-20]
015F:0048DAC0 MOV EDX,[EBP-14]
015F:0048DAC3 MOV DL,[EDX+04]
015F:0048DAC6 CALL 00403D38
015F:0048DACB MOV EDX,[EBP-20]
015F:0048DACE MOV EAX,EBX
015F:0048DAD0 CALL 0048E2F0
015F:0048DAD5 LEA EDX,[EBP-20]
015F:0048DAD8 CALL 00408510
015F:0048DADD MOV EDX,[EBP-20]
015F:0048DAE0 LEA EAX,[EBP-0C]
015F:0048DAE3 CALL 00403E18
015F:0048DAE8 LEA EAX,[EBP-20]
015F:0048DAEB MOV EDX,[EBP-14]
015F:0048DAEE MOV DL,[EDX+04]
015F:0048DAF1 CALL 00403D38
015F:0048DAF6 MOV EDX,[EBP-20]
015F:0048DAF9 MOV EAX,EBX
015F:0048DAFB CALL 0048E2F0
015F:0048DB00 MOV AL,[EBX+EAX*8+0330]  <-- get the correct serial character
015F:0048DB07 MOV EDX,[EBP-14]
015F:0048DB0A CMP AL,[EDX+04]  <-- fifth serial character: AL= 'B'
015F:0048DB0D JNZ NEAR 0048DE51
015F:0048DB13 MOV DL,[EBP-07]
015F:0048DB16 MOV EAX,EBX
015F:0048DB18 CALL 0048E16C
015F:0048DB1D LEA EAX,[EBP-20]
015F:0048DB20 MOV EDX,[EBP-14]
015F:0048DB23 MOV DL,[EDX+05]
015F:0048DB26 CALL 00403D38
015F:0048DB2B MOV EDX,[EBP-20]
015F:0048DB2E MOV EAX,EBX
015F:0048DB30 CALL 0048E2F0
015F:0048DB35 LEA EDX,[EBP-20]
015F:0048DB38 CALL 00408510
015F:0048DB3D MOV EDX,[EBP-20]
015F:0048DB40 LEA EAX,[EBP-0C]
015F:0048DB43 CALL 00403E18
015F:0048DB48 LEA EAX,[EBP-20]
015F:0048DB4B MOV EDX,[EBP-14]
015F:0048DB4E MOV DL,[EDX+05]
015F:0048DB51 CALL 00403D38
015F:0048DB56 MOV EDX,[EBP-20]
015F:0048DB59 MOV EAX,EBX
015F:0048DB5B CALL 0048E2F0
015F:0048DB60 MOV AL,[EBX+EAX*8+0330]
015F:0048DB67 MOV EDX,[EBP-14]
015F:0048DB6A CMP AL,[EDX+05]  <-- sixth serial character: AL= '8'
015F:0048DB6D JNZ NEAR 0048DE51
015F:0048DB73 MOV EAX,[EBP-0C]  <-- don't let the code below confuse you; just watch the serial check points I have annotated
015F:0048DB76 CALL 00408540
015F:0048DB7B MOV [EBP-04],EAX
015F:0048DB7E MOV BYTE [EBP-05],00
015F:0048DB82 MOV BYTE [EBP-06],00
015F:0048DB86 MOV BYTE [EBP-07],01
015F:0048DB8A LEA EAX,[EBP-10]
015F:0048DB8D MOV ECX,[EBP-0C]
015F:0048DB90 MOV EDX,[EBP-18]
015F:0048DB93 CALL 00403E5C
015F:0048DB98 MOV EAX,[EBP-10]
015F:0048DB9B CALL 00403E10
015F:0048DBA0 MOV EDI,EAX
015F:0048DBA2 TEST EDI,EDI
015F:0048DBA4 JNG 0048DBF9
015F:0048DBA6 MOV ESI,01
015F:0048DBAB MOV EAX,[EBP-10]
015F:0048DBAE MOV DL,[EAX+ESI-01]
015F:0048DBB2 MOV EAX,EBX
015F:0048DBB4 CALL 0048E158
015F:0048DBB9 ADD [EBP-05],AL
015F:0048DBBC MOV EAX,ESI
015F:0048DBBE AND EAX,80000001
015F:0048DBC3 JNS 0048DBCA
015F:0048DBC5 DEC EAX
015F:0048DBC6 OR EAX,BYTE -02
015F:0048DBC9 INC EAX
015F:0048DBCA TEST EAX,EAX
015F:0048DBCC JNZ 0048DBE1
015F:0048DBCE MOV EAX,[EBP-10]
015F:0048DBD1 MOV DL,[EAX+ESI-01]
015F:0048DBD5 MOV EAX,EBX
015F:0048DBD7 CALL 0048E158
015F:0048DBDC ADD [EBP-06],AL
015F:0048DBDF JMP SHORT 0048DBF5
015F:0048DBE1 MOV EAX,[EBP-10]
015F:0048DBE4 MOV DL,[EAX+ESI-01]
015F:0048DBE8 MOV EAX,EBX
015F:0048DBEA CALL 0048E158
015F:0048DBEF IMUL BYTE [EBP-07]
015F:0048DBF2 MOV [EBP-07],AL
015F:0048DBF5 INC ESI
015F:0048DBF6 DEC EDI
015F:0048DBF7 JNZ 0048DBAB
015F:0048DBF9 XOR EAX,EAX
015F:0048DBFB MOV AL,[EBP-05]
015F:0048DBFE MOV ECX,23
015F:0048DC03 XOR EDX,EDX
015F:0048DC05 DIV ECX
015F:0048DC07 MOV [EBP-05],DL
015F:0048DC0A XOR EAX,EAX
015F:0048DC0C MOV AL,[EBP-05]
015F:0048DC0F MOV AL,[EBX+EAX+030C]
015F:0048DC16 MOV EDX,[EBP-14]
015F:0048DC19 CMP AL,[EDX+06]  <-- seventh serial character: AL= 'A'
015F:0048DC1C JNZ NEAR 0048DE51
015F:0048DC22 XOR EAX,EAX
015F:0048DC24 MOV AL,[EBP-06]
015F:0048DC27 MOV ECX,23
015F:0048DC2C XOR EDX,EDX
015F:0048DC2E DIV ECX
015F:0048DC30 MOV [EBP-06],DL
015F:0048DC33 XOR EAX,EAX
015F:0048DC35 MOV AL,[EBP-06]
015F:0048DC38 MOV AL,[EBX+EAX+030C]
015F:0048DC3F MOV EDX,[EBP-14]
015F:0048DC42 CMP AL,[EDX+07]  <-- eighth serial character: AL= 'A'
015F:0048DC45 JNZ NEAR 0048DE51
015F:0048DC4B XOR EAX,EAX
015F:0048DC4D MOV AL,[EBP-07]
015F:0048DC50 MOV ECX,23
015F:0048DC55 XOR EDX,EDX
015F:0048DC57 DIV ECX
015F:0048DC59 MOV [EBP-07],DL
015F:0048DC5C XOR EAX,EAX
015F:0048DC5E MOV AL,[EBP-07]
015F:0048DC61 MOV AL,[EBX+EAX+030C]
015F:0048DC68 MOV EDX,[EBP-14]
015F:0048DC6B CMP AL,[EDX+08]  <-- ninth serial character: AL= '1'
015F:0048DC6E JNZ NEAR 0048DE51
015F:0048DC74 MOV EAX,[EBP-18]
015F:0048DC77 MOV DL,[EAX]
015F:0048DC79 MOV EAX,EBX
015F:0048DC7B CALL 0048E158
015F:0048DC80 MOV [EBP-08],AL
015F:0048DC83 MOV EAX,[EBP-10]
015F:0048DC86 CALL 00403E10
015F:0048DC8B MOV EDI,EAX
015F:0048DC8D SUB EDI,BYTE +02
015F:0048DC90 JL 0048DCD5
015F:0048DC92 INC EDI
015F:0048DC93 MOV ESI,02
015F:0048DC98 MOV EAX,ESI
015F:0048DC9A AND EAX,80000001
015F:0048DC9F JNS 0048DCA6
015F:0048DCA1 DEC EAX
015F:0048DCA2 OR EAX,BYTE -02
015F:0048DCA5 INC EAX
015F:0048DCA6 TEST EAX,EAX
015F:0048DCA8 JNZ 0048DCBD
015F:0048DCAA MOV EAX,[EBP-10]
015F:0048DCAD MOV DL,[EAX+ESI-01]
015F:0048DCB1 MOV EAX,EBX
015F:0048DCB3 CALL 0048E158
015F:0048DCB8 ADD [EBP-08],AL
015F:0048DCBB JMP SHORT 0048DCD1
015F:0048DCBD MOV EAX,[EBP-10]
015F:0048DCC0 MOV DL,[EAX+ESI-01]
015F:0048DCC4 MOV EAX,EBX
015F:0048DCC6 CALL 0048E158
015F:0048DCCB IMUL BYTE [EBP-08]
015F:0048DCCE MOV [EBP-08],AL
015F:0048DCD1 INC ESI
015F:0048DCD2 DEC EDI
015F:0048DCD3 JNZ 0048DC98
015F:0048DCD5 XOR EAX,EAX
015F:0048DCD7 MOV AL,[EBP-08]
015F:0048DCDA MOV ECX,23
015F:0048DCDF XOR EDX,EDX
015F:0048DCE1 DIV ECX
015F:0048DCE3 MOV AL,[EBX+EDX+030C]
015F:0048DCEA MOV EDX,[EBP-14]
015F:0048DCED CMP AL,[EDX+09]  <-- the last character hides here: AL= '1'
015F:0048DCF0 JNZ NEAR 0048DE51
iCHBoy,2001,10,9
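
Added example (not part of the original walkthrough): the sequence AND EAX,80000001 / JNS / DEC EAX / OR EAX,BYTE -02 / INC EAX at 0048D9A9, repeated at 0048DBBE and 0048DC9A, is the usual compiler output for a signed remainder by 2, which is why the loop takes one branch on even positions and the other on odd ones. The C below emulates the five instructions and checks them against x % 2; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value left in EAX when TEST EAX,EAX is reached, for a given ESI. */
static int32_t parity_idiom(int32_t esi)
{
    uint32_t eax = (uint32_t)esi;        /* MOV  EAX,ESI */
    eax &= 0x80000001u;                  /* AND  EAX,80000001 */
    if (eax & 0x80000000u) {             /* JNS not taken: value was negative */
        eax -= 1u;                       /* DEC  EAX */
        eax |= 0xFFFFFFFEu;              /* OR   EAX,BYTE -02 (sign-extended) */
        eax += 1u;                       /* INC  EAX */
    }
    return eax == 0xFFFFFFFFu ? -1 : (int32_t)eax;   /* only 0, 1 or -1 occur */
}

/* Branch numbering follows the annotations: 1 when EAX=0, 2 when EAX!=0. */
static int branch_for_position(int32_t pos)
{
    return parity_idiom(pos) == 0 ? 1 : 2;
}

/* Returns 1 if the emulated sequence equals C's signed x % 2 on all samples. */
static int idiom_matches_c_remainder(void)
{
    static const int32_t edge[] = { INT32_MIN, INT32_MIN + 1, -2, -1,
                                    0, 1, 2, INT32_MAX - 1, INT32_MAX };
    for (size_t i = 0; i < sizeof edge / sizeof edge[0]; i++)
        if (parity_idiom(edge[i]) != edge[i] % 2)
            return 0;
    for (int32_t x = -1000; x <= 1000; x++)
        if (parity_idiom(x) != x % 2)
            return 0;
    return 1;
}

int main(void)
{
    const char *name = "ICHBOY";         /* the upper-cased name from the listing */
    for (int32_t pos = 1; name[pos - 1] != '\0'; pos++)
        printf("position %d ('%c'): branch %d\n",
               (int)pos, name[pos - 1], branch_for_position(pos));
    printf("matches x %% 2: %d\n", idiom_matches_c_remainder());
    return 0;
}
```

In the listing ESI only counts upward from 1 or 2, so the DEC/OR/INC fix-up for negative values is never executed there.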