network spy eval 1.6破解教程【原創】

看雪資料發表於2004-12-26

【軟體名稱】network spy eval 1.6
【下載地址】網上搜尋
【應用平臺】Win9x
【軟體大小】未知
【軟體限制】未知
【破解宣告】破解只是感興趣,無其它目的。失誤之處敬請諸位大俠賜教!
【破解工具】trw2000, peid, W32Dasm
【軟體簡介】功能很全,ping,traceroute,hostlookup,finger,listener,scanner,whois,winsock.....,總之上網必備
========================================================================================
【分析過程】
先用peid檢視一下,還好,vc++編寫的軟體,沒有加殼。

執行該程式 ,載入trw2000 ,輸入註冊姓名:subtway , 序列號:78787878 ,

CTRL+M呼入TRW2000 ,輸入bpx hmemcpy ,按F5返回程式,點選register按鈕,TRW攔截,

下pmodule命令,然後按F10一步步來到
.......

// Caller side of the registration check (a dialog handler; its prologue and the
// code after 0040520B lie outside this excerpt). Values in quotes are the ones
// observed in the author's run.
0167:004051AD 8D542448         LEA      EDX,[ESP+48]     // EDX -> serial entered by the user ("78787878")

0167:004051B1 8D442408         LEA      EAX,[ESP+08]     // EAX -> registration name entered ("subtway")

0167:004051B5 52               PUSH     EDX              // arg 2: serial

0167:004051B6 50               PUSH     EAX              // arg 1: name

0167:004051B7 E8142E0000       CALL     00407FD0           // registration check (traced below): EAX = 1 if the serial matches, else 0

0167:004051BC 83C408           ADD      ESP,BYTE +08     // cdecl: caller pops the two arguments

0167:004051BF 85C0             TEST     EAX,EAX

0167:004051C1 744A             JZ       0040520D          // check failed -> error MessageBox at 0040520D

0167:004051C3 8B3D28104100     MOV      EDI,[00411028]    // imported function via IAT slot 00411028 (name not shown in the dump)

0167:004051C9 8D4C2408         LEA      ECX,[ESP+08]      // ECX -> name

0167:004051CD 6820024300       PUSH     DWORD 00430220    // arg 4 (constant)

0167:004051D2 51               PUSH     ECX               // arg 3: name

0167:004051D3 6824344100       PUSH     DWORD 00413424    // arg 2 (constant)

0167:004051D8 6884314100       PUSH     DWORD 00413184    // arg 1 (constant)

0167:004051DD FFD7             CALL     EDI               // NOTE(review): called twice with (const, const, string, const) -- looks like the accepted name/serial are being stored; the import is not labelled, so unconfirmed

0167:004051DF 8D542448         LEA      EDX,[ESP+48]      // EDX -> serial

0167:004051E3 6820024300       PUSH     DWORD 00430220

0167:004051E8 52               PUSH     EDX               // arg 3: serial

0167:004051E9 6838344100       PUSH     DWORD 00413438    // arg 2 (a different constant than above)

0167:004051EE 6884314100       PUSH     DWORD 00413184

0167:004051F3 FFD7             CALL     EDI               // same import, second call

0167:004051F5 6A40             PUSH     BYTE +40          // uType 0x40 = MB_ICONINFORMATION

0167:004051F7 6804364100       PUSH     DWORD 00413604    // lpCaption

0167:004051FC 68C4354100       PUSH     DWORD 004135C4    // lpText

0167:00405201 56               PUSH     ESI               // hWnd

0167:00405202 FF1554114100     CALL     `USER32!MessageBoxA`     // "registered" message box (success path)

0167:00405208 6A01             PUSH     BYTE +01          // two args for a call at 00405246 (outside this excerpt)

0167:0040520A 56               PUSH     ESI

0167:0040520B EB39             JMP      SHORT 00405246

0167:0040520D 6A10             PUSH     BYTE +10          // uType 0x10 = MB_ICONHAND (error icon)

0167:0040520F 68B8354100       PUSH     DWORD 004135B8    // lpCaption

0167:00405214 6898354100       PUSH     DWORD 00413598    // lpText

0167:00405219 56               PUSH     ESI               // hWnd

0167:0040521A FF1554114100     CALL     `USER32!MessageBoxA`     // "invalid serial" message box (failure path)

0167:00405220 5F               POP      EDI               // epilogue: restore registers saved in the (unseen) prologue

0167:00405221 B801000000       MOV      EAX,01            // handler return value 1

0167:00405226 5E               POP      ESI

0167:00405227 81C480000000     ADD      ESP,80            // release the 0x80-byte local frame (name/serial buffers live here)

.....



追入call後,



// Registration check, C shape: int check(const char *name, const char *serial)
// cdecl (the caller pops 8 bytes); returns EAX = 1 when the serial equals the
// string derived from the name, 0 otherwise. Preserves ESI.
// The W32Dasm dump lost the comma between operands on several lines
// (e.g. "xor eaxeax" is xor eax,eax); the instruction bytes are authoritative.
0167:00407FD0 83EC20              SUB      ESP,BYTE +20         // 0x20-byte local buffer for the generated serial string

:00407FD3 56                      PUSH     ESI                  // save ESI (restored before each ret)

:00407FD4 8B742428                MOV      ESI,[ESP+28]         // ESI = arg 1 (name); arg 2 (serial) is at [ESP+2C]

:00407FD8 56                      PUSH     ESI

:00407FD9 FF1560104100            Call dword ptr [00411060]     // import via IAT slot 00411060; the result is used as the name length (lstrlenA by the look of it -- not labelled in the dump)

:00407FDF 83F804                  cmp eax, 00000004      // name must be at least 4 characters, since name[1..3] are read below

:00407FE2 7D07                    jge 00407FEB           // long enough -> derive the expected serial

:00407FE4 33C0                    xor eaxeax             // too short: return 0 (reject)   [xor eax,eax]

:00407FE6 5E                      pop esi

:00407FE7 83C420                  add esp, 00000020

:00407FEA C3                      ret







* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00407FE2(C)

|

:00407FEB 0FBE4601                movsx eaxbyte ptr [esi+01]    // EAX = (sign-extended) name[1]   ('u' = 0x75 in the author's run)

:00407FEF 0FBE4E02                movsx ecxbyte ptr [esi+02]    // ECX = (sign-extended) name[2]   ('b' = 0x62)

:00407FF3 D1E0                    shl eax, 1        // EAX = name[1]*2   (0x75*2 = 0xEA = 234)

:00407FF5 50                      push eax          // 3rd wsprintfA value (%d): name[1]*2

:00407FF6 0FBE4603                movsx eaxbyte ptr [esi+03]    // EAX = (sign-extended) name[3]   ('t' = 0x74)

:00407FFA C1E102                  shl ecx, 02        // ECX = name[2]*4   (0x62*4 = 0x188 = 392)

:00407FFD 51                      push ecx           // 2nd wsprintfA value (%d): name[2]*4

:00407FFE B90A000000              mov ecx, 0000000A      // divisor 10

:00408003 99                      cdq                    // sign-extend EAX into EDX:EAX before the signed divide

:00408004 F7F9                    idiv ecx        // EDX = name[3] % 10   (0x74 % 10 = 6); the quotient in EAX is overwritten on the next line

:00408006 B8A0C634FA              mov eax, FA34C6A0      // constant 0xFA34C6A0

:0040800B 8BCA                    mov ecxedx        // CL = name[3] % 10 (6 here)   [mov ecx,edx]

:0040800D D3E0                    shl eaxcl        // EAX = 0xFA34C6A0 << CL, truncated to 32 bits   (0x8D31A800 = 2368841728)   [shl eax,cl]

:0040800F 8D4C240C                lea ecxdword ptr [esp+0C]    // ECX -> start of the 0x20-byte local buffer

:00408013 50                      push eax           // 1st wsprintfA value (%010u): the shifted constant



* Possible StringData Ref from Data Obj ->"%010u-%d%d"

                                  |

:00408014 68383B4100              push 00413B38      // format string

:00408019 51                      push ecx           // output buffer



* Reference To: USER32.wsprintfA, Ord:02B3h

                                  |

:0040801A FF1544114100            Call dword ptr [00411144]    // wsprintfA(buf, "%010u-%d%d", shifted, name[2]*4, name[1]*2) -> "2368841728-392234" for the author's name

:00408020 8B542440                mov edxdword ptr [esp+40]    // EDX = arg 2, the serial entered by the user

:00408024 83C414                  add esp, 00000014            // drop the 5 dwords pushed for wsprintfA (cdecl)

:00408027 8D442404                lea eaxdword ptr [esp+04]    // EAX -> generated serial string

:0040802B 52                      push edx                    // lstrcmpA arg 2: entered serial ("78787878")

:0040802C 50                      push eax                          // lstrcmpA arg 1: expected serial ("2368841728-392234")



* Reference To: KERNEL32.lstrcmpA, Ord:0329h

                                  |

:0040802D FF1544104100            Call dword ptr [00411044]           // lstrcmpA: 0 when the two strings are equal

:00408033 F7D8                    neg eax           // CF = (result != 0)

:00408035 1BC0                    sbb eaxeax        // EAX = result ? -1 : 0   [sbb eax,eax]

:00408037 5E                      pop esi

:00408038 40                      inc eax           // EAX = 1 if equal, 0 otherwise (return value)

:00408039 83C420                  add esp, 00000020

:0040803C C3                      ret

========================================================================================
【分析總結】

註冊碼只和姓名的二、三、四位有關,序號產生器如下:

//this is a keymaker program of network spy eval 1.6!
#include <iostream.h>
#include <string.h>
#include <stdlib.h>
#include <math.h>
// Entry point: prints a banner, reads a name from stdin and prints the serial
// derived from it. The formula mirrors the routine at 00407FD0 in the listing
// above and depends only on name[1], name[2] and name[3].
// Returns 0 in every path.
int main()
{  
  cout<<"the keymaker of network spy eval 1.6"<<endl;
  cout<<"========================"<<endl;
  cout<<"made by subtway+0"<<endl;
  cout<<"========================"<<endl;
  cout<<endl;
  char s1[20];                    // NOTE(review): fixed 20-byte buffer
  cout<<"please input your name:";
  cin>>s1;                        // NOTE(review): unbounded read -- a name of 20 or more characters overruns s1
  int len=strlen(s1);
if(len<4)                         // same minimum the program enforces (cmp eax,4 / jge)
{cout<<"please input again!your name must has at lease 4 chars!"<<endl;
return 0;
}
else 
{
     int m1,m2,m3,m4;
     unsigned long m5;
     m1=s1[1]*2;                  // name[1]*2   (shl eax,1 in the listing)
     m2=s1[2]*4;                  // name[2]*4   (shl ecx,2)
     m3=s1[3]/10;                 // quotient; never used (the listing discards it as well)
     m4=s1[3]%10;                 // remainder; shift count in the listing
     m5=0xfa34c6a0*pow(2,m4);     // NOTE(review): evaluated in double, then converted to unsigned long on assignment;
                                  // converting a double outside the unsigned long range is undefined behavior in C++
cout<<"your password is: "<<m5<<"-"<<m2<<m1<<endl;
system ("PAUSE");                 // Windows-only pause so the console stays open
return 0;
}  
}
========================================================================================
【版權資訊】

copyright subtway+0 all rights reserved!



                                                   2004-12-25
