最近在搞HTTP監聽,順便要找類似的軟體對比對比研究研究,找到了EffeTech HTTP Sniffer 3.2,看見要註冊碼的,手癢於是開開刀。
EffeTech HTTP Sniffer 3.2是用來監聽區域網內HTTP包的。但是在我機器上似乎沒什麼用。一個這麼破的軟體都要註冊,實在讓人不爽。
用TRW2000載入,在要求註冊框內填點兒東西,下bpx hmemcpy,斷兩次後彈出出錯框。(hmemcpy 這個斷點只在 Win9x 下有效;NT 系列沒有這個 16 位 thunk,要改下 GetDlgItemTextA / GetWindowTextA 之類的 API 斷點。)
經過跟蹤分析得到結論:註冊碼長度必須是18位(0x12),和使用者名稱無關;只有第 0、8、10、15 位(十進位下標)這四個字元之間要滿足一個線性關係(條件在下面分析),其餘字元隨意。
下面是演算法分析:
:004109D0 51
push ecx
:004109D1 55
push ebp
:004109D2
56
push esi
:004109D3 57
push edi
:004109D4 8BE9
mov ebp, ecx
:004109D6 6A01
push 00000001
:004109D8
E868E30100 call 0042ED45
:004109DD 8BBD9C000000 mov edi, dword
ptr [ebp+0000009C] // EDI是假註冊碼地址
:004109E3 837FF812
cmp dword ptr [edi-08], 00000012
// 長度必須是0x12
:004109E7 0F850D010000
jne 00410AFA
:004109ED 8B74240C
mov esi, dword ptr [esp+0C]
:004109F1 8B44240C
mov eax, dword ptr [esp+0C]
:004109F5 53
push ebx
:004109F6 8B5C2410
mov ebx, dword ptr [esp+10]
:004109FA 33D2
xor edx, edx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00410A5D(C)
|
:004109FC 8A0C17
mov cl, byte ptr [edi+edx]
:004109FF 85D2
test edx, edx
:00410A01 7505
jne 00410A08
:00410A03 0FBED9
movsx ebx, cl //
第0個字元放入EBX
:00410A06 EB51
jmp 00410A59
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00410A01(C)
|
:00410A08 83FA01
cmp edx, 00000001
:00410A0B 7507
jne 00410A14
:00410A0D 0FBEC1
movsx eax, cl
:00410A10 8BF0
mov esi, eax
:00410A12 EB45
jmp 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A0B(C)
|
:00410A14 83FA03
cmp edx, 00000003
:00410A17 7431
je 00410A4A
:00410A19 83FA06
cmp edx, 00000006
:00410A1C
7507 jne
00410A25
:00410A1E 0FBEC1
movsx eax, cl
:00410A21 8BF0
mov esi, eax
:00410A23 EB34
jmp 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A1C(C)
|
:00410A25 83FA0A
cmp edx, 0000000A
:00410A28 7509
jne 00410A33
:00410A2A 0FBEC1
movsx eax, cl
:00410A2D
89442410 mov dword ptr
[esp+10], eax // 把第0x0A個字元放入ESP+10
:00410A31 EB26
jmp 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410A28(C)
|
:00410A33 83FA0E
cmp edx, 0000000E
:00410A36 7508
jne 00410A40
:00410A38 0FBEC1
movsx eax, cl
:00410A3B
83EB50 sub ebx,
00000050
// 處理到第0xE個字元時,EBX <-
EBX - Ox50
:00410A3E EB19
jmp 00410A59
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00410A36(C)
|
:00410A40 83FA12
cmp edx, 00000012
:00410A43 7411
je 00410A56
:00410A45 83FA08
cmp edx, 00000008
:00410A48 7507
jne 00410A51
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00410A17(C)
|
:00410A4A 0FBEC1
movsx eax, cl
:00410A4D 8BF0
mov esi, eax
// 第8個字元放入ESI
:00410A4F EB08
jmp 00410A59
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00410A48(C)
|
:00410A51 83FA0F
cmp edx, 0000000F
:00410A54 7503
jne 00410A59
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00410A43(C)
|
:00410A56 0FBEC1
movsx eax, cl
// 第0x0F個字元最後放入EAX
* Referenced by a
(U)nconditional or (C)onditional Jump at Addresses:
|:00410A06(U), :00410A12(U),
:00410A23(U), :00410A31(U), :00410A3E(U)
|:00410A4F(U), :00410A54(C)
|
:00410A59 42
inc edx
:00410A5A 83FA12
cmp edx, 00000012
:00410A5D 7C9D
jl 004109FC
// 這裡是對假註冊碼的遍歷迴圈
:00410A5F 2B442410
sub eax, dword ptr [esp+10]
:00410A63 2BC6
sub eax, esi
:00410A65 03C3
add eax, ebx
:00410A67 5B
pop ebx
:00410A68 0F858C000000
jne 00410AFA
// 此處是終極判斷,不能跳
最後的 JNE 用的是 add eax, ebx 留下的旗標(pop ebx 不影響旗標),條件是 EAX - [ESP+10] - ESI + EBX 必須等於 0。迴圈裡各暫存器最後一次被寫入的情況是:EAX 在第 0x0E 個字元時先被寫入,隨後在第 0x0F 個字元時被覆蓋,所以最後 EAX = a[$F];ESI 依序在第 1、3、6、8 個字元被寫入,最後留下的是第 8 個;[ESP+10] 只在第 0x0A 個字元寫入;EBX 在第 0 個字元寫入後,在第 0x0E 個字元時減去 0x50(只減一次)。假設正確註冊碼是
a: array[0..17] of Char;(下面的下標一律用十六進位)
EAX := a[$F];
[ESP+10] := a[$A];
ESI := a[$8];
EBX := a[$0] - $50;
所以註冊成功的條件就是 Length(a) = 18 而且
a[$F] - a[$A] - a[$8] + (a[$0] - $50) = 0
注意 EBX 那一項是「加」不是「減」(機器碼是 add eax, ebx)。
捏造一番:a[$F] := #$56; a[$A] := #$30; a[$8] := #$30; a[$0] := #$5A;
也就是: a[$F] := 'V'; a[$A] := '0'; a[$8] := '0'; a[$0] := 'Z';
驗算:$56 - $30 - $30 + ($5A - $50) = $56 - $60 + $A = 0,符合條件。
使用者名稱和別的位可以隨便捏造(只要總長度是 18 位),如:
Passion
Z12345670901234V67
(從 0 數起:第 0 位 'Z'、第 8 位 '0'、第 10 位 '0'、第 15 位 'V',其餘位任意。)