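A Simple Analysis of a Certain Software's Algorithm
Last edited by pendan2001 on 2016-7-26 10:48
[Article title]: 门诊电子处方软件 (Outpatient Electronic Prescription Software) V2.027 + VB algorithm analysis
[Software name]: 门诊电子处方软件 V2.027
[Download link]: Find it yourself
[Tools used]: OD, etc.
[Platform]: Win7
[Software description]: Its purpose is obvious at a glance.
[Statement]: For algorithm research only; do not use it for anything else.
I saw people on the forum discussing this software, so I am posting this analysis of an older version as a reference for those who need it. I wrote it a while ago without screenshots, sorry.
PEiD detects: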
Microsoft Visual Basic 5.0 / 6.0
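Registration information:
Machine code: 1831200
Registration code: 123456789
Clicking the Register button makes the program exit immediately, with no message shown.
00405758 .816C24 04 3B0>sub dword ptr , 3B // breaks here after entering the fake code 123456789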
00405760 .E9 0B280B00 jmp 004B7F70
00405765 .816C24 04 630>sub dword ptr , 63
0040576D .E9 7E290B00 jmp 004B80F0
00405772 .816C24 04 670>sub dword ptr , 67
0040577A .E9 812A0B00 jmp 004B8200
0040577F .816C24 04 3F0>sub dword ptr , 3F // breaks here when the Register button is clicked
00405787 .E9 842B0B00 jmp 004B8310
004B7F70 > \55 push ebp
004B7F71 .8BEC mov ebp, esp
004B7F73 .83EC 0C sub esp, 0C
004B7F76 .68 162C4000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE handler installation
004B7F7B .64:A1 0000000>mov eax, dword ptr fs:
004B7F81 .50 push eax
004B7F82 .64:8925 00000>mov dword ptr fs:, esp
004B7F89 .83EC 3C sub esp, 3C
004B7F8C .53 push ebx
004B7F8D .56 push esi
004B7F8E .57 push edi
004B7F8F .8965 F4 mov dword ptr , esp
004B7F92 .C745 F8 D8244>mov dword ptr , 004024D8
004B7F99 .8B7D 08 mov edi, dword ptr
004B7F9C .8BC7 mov eax, edi
004B7F9E .83E0 01 and eax, 1
004B7FA1 .8945 FC mov dword ptr , eax
004B7FA4 .83E7 FE and edi, FFFFFFFE
004B7FA7 .57 push edi
004B7FA8 .897D 08 mov dword ptr , edi
004B7FAB .8B0F mov ecx, dword ptr
004B7FAD .FF51 04 call dword ptr
004B7FB0 .8B17 mov edx, dword ptr
004B7FB2 .33DB xor ebx, ebx
004B7FB4 .57 push edi
004B7FB5 .895D E8 mov dword ptr , ebx
004B7FB8 .895D E4 mov dword ptr , ebx
004B7FBB .895D D4 mov dword ptr , ebx
004B7FBE .895D C4 mov dword ptr , ebx
004B7FC1 .FF92 08030000 call dword ptr
004B7FC7 .50 push eax
004B7FC8 .8D45 E4 lea eax, dword ptr
004B7FCB .50 push eax
004B7FCC .FF15 78104000 call dword ptr [<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
004B7FD2 .8BF0 mov esi, eax
004B7FD4 .8D55 E8 lea edx, dword ptr
004B7FD7 .52 push edx
004B7FD8 .56 push esi
004B7FD9 .8B0E mov ecx, dword ptr
004B7FDB .FF91 A0000000 call dword ptr
004B7FE1 .3BC3 cmp eax, ebx
004B7FE3 .DBE2 fclex
004B7FE5 .7D 12 jge short 004B7FF9
004B7FE7 .68 A0000000 push 0A0
004B7FEC .68 20974000 push 00409720
004B7FF1 .56 push esi
004B7FF2 .50 push eax
004B7FF3 .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004B7FF9 >8B45 E8 mov eax, dword ptr
004B7FFC .50 push eax ;(UNICODE "123456789")
004B7FFD .68 949B4000 push 00409B94
004B8002 .FF15 B8104000 call dword ptr [<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp
004B8046 .FF15 94104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
004B804C .8D4D C4 lea ecx, dword ptr
004B804F .8D55 E8 lea edx, dword ptr
004B8052 .51 push ecx ; /String8
004B8053 .52 push edx ; |ARG2
004B8054 .FF15 28114000 call dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
004B805A .50 push eax ; /(UNICODE "123456789")
004B805B .68 00994000 push 00409900 ; |szKey = "logmm"
004B8060 .68 EC984000 push 004098EC ; |Section = "xueves"
004B8065 .68 EC984000 push 004098EC ; |APPName = "xueves"
004B806A .FF15 08104000 call dword ptr [<&MSVBVM60.#690>] ; \rtcSaveSetting
Generating the machine code:
00405787 .E9 842B0B00 jmp 004B8310
............
004B842F > \D945 A4 fld dword ptr ;stack ss:=20490.00
004B8432 .D865 A0 fsub dword ptr ;20490-4905=15585
004B8435 .8B0F mov ecx, dword ptr
004B8437 .51 push ecx
004B8438 .833D 00E04C00>cmp dword ptr , 0
004B843F .75 08 jnz short 004B8449
004B8441 .D835 00134000 fdiv dword ptr ;15585/2=7792.5
004B8447 .EB 0B jmp short 004B8454
004B8449 >FF35 00134000 push dword ptr
004B844F .E8 D4A7F4FF call <jmp.&MSVBVM60._adj_fdiv_m32>
004B8454 >DFE0 fstsw ax
004B8456 .A8 0D test al, 0D
004B8458 .0F85 89030000 jnz 004B87E7
.............
004B8538 > \D945 A4 fld dword ptr ;stack ss:=11520.00
004B853B .D865 A0 fsub dword ptr ;11520-4050=7470
004B853E .8B0F mov ecx, dword ptr
004B8540 .51 push ecx
004B8541 .833D 00E04C00>cmp dword ptr , 0
004B8548 .75 08 jnz short 004B8552
004B854A .D835 00134000 fdiv dword ptr ;7470/2=3735
004B8550 .EB 0B jmp short 004B855D
004B8552 >FF35 00134000 push dword ptr
004B8558 .E8 CBA6F4FF call <jmp.&MSVBVM60._adj_fdiv_m32>
004B855D >DFE0 fstsw ax
004B855F .A8 0D test al, 0D
004B8561 .0F85 80020000 jnz 004B87E7
................
004B859F .FFD7 call edi ;<&MSVBVM60.__vbaObjSet>
004B85A1 .8B15 38E04C00 mov edx, dword ptr ;(UNICODE "1831200")
004B85A7 .8BF0 mov esi, eax
004B85A9 .52 push edx ;(UNICODE "1831200")
004B85AA .56 push esi//
0716CA24  E0 39 48 01 D8 D5 96 72 01 00 00 00 C8 D5 96 72
0716CA34  B8 D5 96 72 A0 D5 96 72 88 D5 96 72 78 D5 96 72
0716CA44  68 D5 96 72 06 50 83 11 D8 36 48 01 24 CB 16 07
0716CA54  C4 FE 4B 01 00 00 00 00 40 76 16 07 14 04 01 00
004B85AB .8B0E mov ecx, dword ptr
004B85AD .FF91 A4000000 call dword ptr
004B85B3 .85C0 test eax, eax
004B85B5 .DBE2 fclex
004B85B7 .7D 0E jge short 004B85C7
004B85B9 .68 A4000000 push 0A4
004B85BE .68 20974000 push 00409720
004B85C3 .56 push esi
004B85C4 .50 push eax
004B85C5 .FFD3 call ebx
004B85C7 >8D4D E8 lea ecx, dword ptr
004B85CA .FF15 C8114000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
004B85D0 .8D45 D8 lea eax, dword ptr
004B85D3 .68 38E04C00 push 004CE038
004B85D8 .50 push eax
004B85D9 .E8 324AFFFF call 004AD010 // core of the algorithm
004B85DE .83EC 10 sub esp, 10
004B85E1 .B9 0A000000 mov ecx, 0A
004B85E6 .8BD4 mov edx, esp
004B85E8 .B8 04000280 mov eax, 80020004
004B85ED .68 00994000 push 00409900 ; /szKey = "logmm"
004B85F2 .68 EC984000 push 004098EC ; |Section = "xueves"
004B85F7 .890A mov dword ptr , ecx ; |
004B85F9 .8B4D AC mov ecx, dword ptr ; |
004B85FC .68 EC984000 push 004098EC ; |AppName = "xueves"
004B8601 .894A 04 mov dword ptr , ecx ; |
004B8604 .8942 08 mov dword ptr , eax ; |
004B8607 .8B45 B4 mov eax, dword ptr ; |
004B860A .8942 0C mov dword ptr , eax ; |
004B860D .FF15 7C114000 call dword ptr [<&MSVBVM60.#689>] ; \rtcGetSetting
004B8613 .8D4D D8 lea ecx, dword ptr
004B8616 .8D55 C8 lea edx, dword ptr
004B8619 .51 push ecx ; /var18
004B861A .52 push edx ; |var28
004B861B .8945 D0 mov dword ptr , eax ; |(UNICODE "123") first 3 characters of the fake code
004B861E .C745 C8 08800>mov dword ptr , 8008 ; |
004B8625 .FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq // compares for equality
004B862B .66:8BF0 mov si, ax
004B862E .8D45 C8 lea eax, dword ptr
004B8631 .8D4D D8 lea ecx, dword ptr
004B8634 .50 push eax
004B8635 .51 push ecx
004B8636 .6A 02 push 2
004B8638 .FF15 30104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
004B863E .A1 5CE04C00 mov eax, dword ptr
004B8643 .83C4 0C add esp, 0C
004B8646 .66:85F6 test si, si
004B8649 .0F84 9D000000 je 004B86EC
004B864F .85C0 test eax, eax
004B8651 .75 15 jnz short 004B8668
004B8653 .68 5CE04C00 push 004CE05C
004B8658 .68 3C4F4000 push 00404F3C
004B865D .FF15 48114000 call dword ptr [<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
004AD010 $55 push ebp
004AD011 .8BEC mov ebp, esp
004AD013 .83EC 0C sub esp, 0C
004AD016 .68 162C4000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE handler installation
004AD01B .64:A1 0000000>mov eax, dword ptr fs:
004AD021 .50 push eax
004AD022 .64:8925 00000>mov dword ptr fs:, esp
004AD029 .83EC 74 sub esp, 74
004AD02C .53 push ebx
004AD02D .56 push esi
004AD02E .57 push edi
004AD02F .8965 F4 mov dword ptr , esp
004AD032 .C745 F8 68214>mov dword ptr , 00402168
004AD039 .8B75 0C mov esi, dword ptr
004AD03C .33C0 xor eax, eax
004AD03E .8945 DC mov dword ptr , eax
004AD041 .8945 D0 mov dword ptr , eax
004AD044 .8945 CC mov dword ptr , eax
004AD047 .8945 BC mov dword ptr , eax
004AD04A .8945 AC mov dword ptr , eax
004AD04D .8945 9C mov dword ptr , eax
004AD050 .8945 8C mov dword ptr , eax
004AD053 .8B06 mov eax, dword ptr
004AD055 .50 push eax
004AD056 .FF15 D4114000 call dword ptr [<&MSVBVM60.#581>] ;MSVBVM60.rtcR8ValFromBstr
004AD05C .DC0D 60214000 fmul qword ptr ;1831200x56=102547200
004AD062 .8D4D 9C lea ecx, dword ptr
004AD065 .6A 01 push 1
004AD067 .8D55 BC lea edx, dword ptr
004AD06A .BF 08400000 mov edi, 4008
004AD06F .DD5D D4 fstp qword ptr
004AD072 .DFE0 fstsw ax
004AD074 .A8 0D test al, 0D
004AD076 .0F85 4D010000 jnz 004AD1C9
004AD07C .51 push ecx
004AD07D .52 push edx
004AD07E .8975 A4 mov dword ptr , esi
004AD081 .897D 9C mov dword ptr , edi
004AD084 .FF15 94114000 call dword ptr [<&MSVBVM60.#617>] ;MSVBVM60.rtcLeftCharVar
004AD08A .8D45 8C lea eax, dword ptr
004AD08D .6A 01 push 1
004AD08F .8D4D AC lea ecx, dword ptr
004AD092 .50 push eax
004AD093 .51 push ecx
004AD094 .8975 94 mov dword ptr , esi
004AD097 .897D 8C mov dword ptr , edi
004AD09A .FF15 A4114000 call dword ptr [<&MSVBVM60.#619>] ;MSVBVM60.rtcRightCharVar
004AD0A0 .8B35 28114000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrVarVal
004AD0A6 .8D55 AC lea edx, dword ptr
004AD0A9 .8D45 CC lea eax, dword ptr
004AD0AC .52 push edx ; /String8
004AD0AD .50 push eax ; |ARG2
004AD0AE .FFD6 call esi ; \__vbaStrVarVal
004AD0B0 .8B3D 40104000 mov edi, dword ptr [<&MSVBVM60.#516>>;MSVBVM60.rtcAnsiValueBstr
004AD0B6 .50 push eax ; /String
004AD0B7 .FFD7 call edi ; \rtcAnsiValueBstr
004AD0B9 .8D4D BC lea ecx, dword ptr
004AD0BC .8D55 D0 lea edx, dword ptr
004AD0BF .51 push ecx ; /String8
004AD0C0 .52 push edx ; |ARG2
004AD0C1 .66:8BD8 mov bx, ax ; |
004AD0C4 .FFD6 call esi ; \__vbaStrVarVal
004AD0C6 .50 push eax ; /String
004AD0C7 .FFD7 call edi ; \rtcAnsiValueBstr
004AD0C9 .66:03D8 add bx, ax ;30+31=61
004AD0CC .8D4D CC lea ecx, dword ptr
004AD0CF .0F80 F9000000 jo 004AD1CE
004AD0D5 .0FBFC3 movsx eax, bx
004AD0D8 .8945 80 mov dword ptr , eax
004AD0DB .8D55 D0 lea edx, dword ptr
004AD0DE .DB45 80 fild dword ptr ;stack ss:=00000061 (decimal 97.)
004AD0E1 .51 push ecx
004AD0E2 .52 push edx
004AD0E3 .6A 02 push 2
004AD0E5 .DD9D 78FFFFFF fstp qword ptr
004AD0EB .DD85 78FFFFFF fld qword ptr ;stack ss:=97.00000000000000
004AD0F1 .DC45 D4 fadd qword ptr ;97+102547200=102547297
004AD0F4 .DD5D D4 fstp qword ptr
004AD0F7 .DFE0 fstsw ax
004AD0F9 .A8 0D test al, 0D
004AD0FB .0F85 C8000000 jnz 004AD1C9
004AD101 .FF15 64114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
004AD107 .8D45 AC lea eax, dword ptr
004AD10A .8D4D BC lea ecx, dword ptr
004AD10D .50 push eax
004AD10E .51 push ecx
004AD10F .6A 02 push 2
004AD111 .FF15 30104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
004AD117 .83C4 18 add esp, 18
004AD11A .8B55 D8 mov edx, dword ptr
004AD11D .8B45 D4 mov eax, dword ptr
004AD120 .52 push edx ;edx=419872FD
004AD121 .50 push eax ;eax=84000000
004AD122 .FF15 E8104000 call dword ptr [<&MSVBVM60.__vbaStrR8>;MSVBVM60.__vbaStrR8
004AD128 .8BD0 mov edx, eax ;(UNICODE "102547297")
004AD12A .8D4D D0 lea ecx, dword ptr
004AD12D .FF15 9C114000 call dword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
004AD133 .50 push eax ;(UNICODE "102547297")
004AD134 .68 9CA74000 push 0040A79C ; /string ="7"
004AD139 .FF15 4C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>; \__vbaStrCat
004AD13F .8D55 BC lea edx, dword ptr ;1025472977
004AD142 .8D4D DC lea ecx, dword ptr
004AD145 .8945 C4 mov dword ptr , eax
004AD148 .C745 BC 08000>mov dword ptr , 8
004AD14F .FF15 14104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;MSVBVM60.__vbaVarMove
004AD155 .8D4D D0 lea ecx, dword ptr
004AD158 .FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
004AD15E .9B wait
004AD15F .68 9AD14A00 push 004AD19A
004AD164 .EB 33 jmp short 004AD199
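Enter the registration code 1025472977 and click the Register button: the program exits immediately. After restarting the software, it now shows "Registered". OK, heh, that saves the 230 yuan registration fee.
Algorithm summary:
Machine code 1831200 x 56 = 102547200. Take the first and the last character, add their hexadecimal values to get 61, and convert that to decimal 97.
102547200 + 97 = 102547297. Append the fixed character 7, and the result is the registration code 1025472977.

Replies:
Great, let's study and discuss this together.
Thanks, teacher.
Thanks.
Thank you.
许鹏0101, you're welcome.
How is it calculated for machine code C3C0300063?
Thanks to the original poster, thanks for sharing!
I didn't understand it!
Learning from this.
Thank you.
Did it show up in plaintext, or did you work it out yourself?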