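Car Rental Shop Management System V1.8: Brute-Force Crack + Algorithm Analysis + Keygen
This post was last edited by HPKEr on 2011-1-29 17:51
[Title]: Car Rental Shop Management System V1.8: Brute-Force Crack + Algorithm Analysis + Keygen
[Author]: HPKEr
[Software name]: 租车行管理系统 (Car Rental Shop Management System)
[Software size]: 1.58 MB
[Download URL]: http://945520.qupan.cc/6945148.html
[Programming language]: Borland Delphi 6.0 - 7.0
[Tools used]: OD, PEID 0.95
[Author's statement]: I am just interested in this and have no other purpose. If I have made mistakes, I ask the experts to point them out!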
--------------------------------------------------------------------------------
[Detailed process]
My machine's serial number: 232397168
TestCode:123456789012
Use any convenient method to make the program break; the analysis is as follows:
004CFF0C/.55 PUSH EBP
004CFF0D|.8BEC MOV EBP,ESP
004CFF0F|.B9 04000000 MOV ECX,4
004CFF14|>6A 00 /PUSH 0
004CFF16|.6A 00 |PUSH 0
004CFF18|.49 |DEC ECX
004CFF19|.^ 75 F9 \JNZ SHORT Rent.004CFF14
004CFF1B|.51 PUSH ECX
004CFF1C|.53 PUSH EBX
004CFF1D|.8BD8 MOV EBX,EAX
004CFF1F|.33C0 XOR EAX,EAX
004CFF21|.55 PUSH EBP
004CFF22|.68 6F014D00 PUSH Rent.004D016F
004CFF27|.64:FF30 PUSH DWORD PTR FS:
004CFF2A|.64:8920 MOV DWORD PTR FS:,ESP
004CFF2D|.8D55 FC LEA EDX,DWORD PTR SS:
004CFF30|.8B83 04030000 MOV EAX,DWORD PTR DS:
004CFF36|.E8 1D62F9FF CALL Rent.00466158 ;get the test code
004CFF3B|.8B45 FC MOV EAX,DWORD PTR SS: ;test code 123456789012 into EAX
004CFF3E|.E8 1547F3FF CALL Rent.00404658 ;compute the test code length: 12 characters
004CFF43|.83F8 0C CMP EAX,0C
004CFF46|.74 3F JE SHORT Rent.004CFF87 ;not zero, so the "注册码错误!" (Registration code incorrect!) prompt follows
004CFF48|.6A 10 PUSH 10
004CFF4A|.8D55 F8 LEA EDX,DWORD PTR SS:
004CFF4D|.A1 384B5300 MOV EAX,DWORD PTR DS:
004CFF52|.8B00 MOV EAX,DWORD PTR DS:
004CFF54|.E8 A768FBFF CALL Rent.00486800
004CFF59|.8B45 F8 MOV EAX,DWORD PTR SS:
004CFF5C|.E8 F748F3FF CALL Rent.00404858
004CFF61|.50 PUSH EAX
004CFF62|.68 7C014D00 PUSH Rent.004D017C ;"注册码错误!" (Registration code incorrect!)
004CFF67|.8BC3 MOV EAX,EBX
004CFF69|.E8 EACBF9FF CALL Rent.0046CB58
004CFF6E|.50 PUSH EAX ; |hOwner
004CFF6F|.E8 4075F3FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004CFF74|.8B83 04030000 MOV EAX,DWORD PTR DS:
004CFF7A|.8B10 MOV EDX,DWORD PTR DS:
004CFF7C|.FF92 C4000000 CALL DWORD PTR DS:
004CFF82|.E9 9B010000 JMP Rent.004D0122
004CFF87|>8D55 F4 LEA EDX,DWORD PTR SS:
004CFF8A|.8B83 04030000 MOV EAX,DWORD PTR DS:
004CFF90|.E8 C361F9FF CALL Rent.00466158
004CFF95|.8B45 F4 MOV EAX,DWORD PTR SS:
004CFF98|.50 PUSH EAX
004CFF99|.8D55 F0 LEA EDX,DWORD PTR SS:
004CFF9C|.8B83 00030000 MOV EAX,DWORD PTR DS:
004CFFA2|.E8 B161F9FF CALL Rent.00466158 ;compute the serial number: 232397168
004CFFA7|.8B45 F0 MOV EAX,DWORD PTR SS: ;serial number 232397168 into EAX
004CFFAA|.5A POP EDX
004CFFAB|.E8 94F8FFFF CALL Rent.004CF844 ;calculation CALL, step into it with F7
004CFFB0|.84C0 TEST AL,AL
004CFFB2|.0F84 30010000 JE Rent.004D00E8
004CFFB8|.A1 38495300 MOV EAX,DWORD PTR DS:
004CFFBD|.8B00 MOV EAX,DWORD PTR DS:
004CFFBF|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004CFFC5|.E8 6619FDFF CALL Rent.004A1930
004CFFCA|.A1 38495300 MOV EAX,DWORD PTR DS:
004CFFCF|.8B00 MOV EAX,DWORD PTR DS:
004CFFD1|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004CFFD7|.E8 58A0FEFF CALL Rent.004BA034
004CFFDC|.8B10 MOV EDX,DWORD PTR DS:
004CFFDE|.FF52 44 CALL DWORD PTR DS:
004CFFE1|.A1 38495300 MOV EAX,DWORD PTR DS:
004CFFE6|.8B00 MOV EAX,DWORD PTR DS:
004CFFE8|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004CFFEE|.E8 41A0FEFF CALL Rent.004BA034
004CFFF3|.BA 94014D00 MOV EDX,Rent.004D0194 ;delete from config where item='regcode'
004CFFF8|.8B08 MOV ECX,DWORD PTR DS:
004CFFFA|.FF51 38 CALL DWORD PTR DS:
004CFFFD|.A1 38495300 MOV EAX,DWORD PTR DS:
004D0002|.8B00 MOV EAX,DWORD PTR DS:
004D0004|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004D000A|.E8 4D9FFEFF CALL Rent.004B9F5C
004D000F|.A1 38495300 MOV EAX,DWORD PTR DS:
004D0014|.8B00 MOV EAX,DWORD PTR DS:
004D0016|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004D001C|.E8 13A0FEFF CALL Rent.004BA034
004D0021|.8B10 MOV EDX,DWORD PTR DS:
004D0023|.FF52 44 CALL DWORD PTR DS:
004D0026|.68 C4014D00 PUSH Rent.004D01C4 ;insert into config values('regcode','
004D002B|.8D55 E8 LEA EDX,DWORD PTR SS:
004D002E|.8B83 04030000 MOV EAX,DWORD PTR DS:
004D0034|.E8 1F61F9FF CALL Rent.00466158
004D0039|.FF75 E8 PUSH DWORD PTR SS:
004D003C|.68 F4014D00 PUSH Rent.004D01F4 ;')
004D0041|.8D45 EC LEA EAX,DWORD PTR SS:
004D0044|.BA 03000000 MOV EDX,3
004D0049|.E8 CA46F3FF CALL Rent.00404718
004D004E|.8B45 EC MOV EAX,DWORD PTR SS:
004D0051|.50 PUSH EAX
004D0052|.A1 38495300 MOV EAX,DWORD PTR DS:
004D0057|.8B00 MOV EAX,DWORD PTR DS:
004D0059|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004D005F|.E8 D09FFEFF CALL Rent.004BA034
004D0064|.5A POP EDX
004D0065|.8B08 MOV ECX,DWORD PTR DS:
004D0067|.FF51 38 CALL DWORD PTR DS:
004D006A|.A1 38495300 MOV EAX,DWORD PTR DS:
004D006F|.8B00 MOV EAX,DWORD PTR DS:
004D0071|.8B80 5C030000 MOV EAX,DWORD PTR DS:
004D0077|.E8 E09EFEFF CALL Rent.004B9F5C
004D007C|.8D55 E4 LEA EDX,DWORD PTR SS:
004D007F|.8B83 04030000 MOV EAX,DWORD PTR DS:
004D0085|.E8 CE60F9FF CALL Rent.00466158
004D008A|.8B55 E4 MOV EDX,DWORD PTR SS:
004D008D|.A1 68455300 MOV EAX,DWORD PTR DS:
004D0092|.E8 5543F3FF CALL Rent.004043EC
004D0097|.6A 40 PUSH 40
004D0099|.8D55 E0 LEA EDX,DWORD PTR SS:
004D009C|.A1 384B5300 MOV EAX,DWORD PTR DS:
004D00A1|.8B00 MOV EAX,DWORD PTR DS:
004D00A3|.E8 5867FBFF CALL Rent.00486800
004D00A8|.8B45 E0 MOV EAX,DWORD PTR SS:
004D00AB|.E8 A847F3FF CALL Rent.00404858
004D00B0|.50 PUSH EAX
004D00B1|.68 F8014D00 PUSH Rent.004D01F8 ;"注册成功!" (Registration successful!)
004D00B6|.8BC3 MOV EAX,EBX
004D00B8|.E8 9BCAF9FF CALL Rent.0046CB58
004D00BD|.50 PUSH EAX ; |hOwner
004D00BE|.E8 F173F3FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004D00C3|.A1 C84C5300 MOV EAX,DWORD PTR DS:
004D00C8|.C600 01 MOV BYTE PTR DS:,1
004D00CB|.A1 38495300 MOV EAX,DWORD PTR DS:
004D00D0|.8B00 MOV EAX,DWORD PTR DS:
004D00D2|.8B80 1C030000 MOV EAX,DWORD PTR DS:
004D00D8|.33D2 XOR EDX,EDX
004D00DA|.E8 995FF9FF CALL Rent.00466078
004D00DF|.8BC3 MOV EAX,EBX
004D00E1|.E8 4E34FBFF CALL Rent.00483534
004D00E6|.EB 3A JMP SHORT Rent.004D0122
004D00E8|>6A 10 PUSH 10
004D00EA|.8D55 DC LEA EDX,DWORD PTR SS:
004D00ED|.A1 384B5300 MOV EAX,DWORD PTR DS:
004D00F2|.8B00 MOV EAX,DWORD PTR DS:
004D00F4|.E8 0767FBFF CALL Rent.00486800
004D00F9|.8B45 DC MOV EAX,DWORD PTR SS:
004D00FC|.E8 5747F3FF CALL Rent.00404858
004D0101|.50 PUSH EAX
004D0102|.68 7C014D00 PUSH Rent.004D017C ;"注册码错误!" (Registration code incorrect!)
004D0107|.8BC3 MOV EAX,EBX
004D0109|.E8 4ACAF9FF CALL Rent.0046CB58
004D010E|.50 PUSH EAX ; |hOwner
004D010F|.E8 A073F3FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004D0114|.8B83 04030000 MOV EAX,DWORD PTR DS:
004D011A|.8B10 MOV EDX,DWORD PTR DS:
004D011C|.FF92 C4000000 CALL DWORD PTR DS:
004D0122|>33C0 XOR EAX,EAX
004D0124|.5A POP EDX
004D0125|.59 POP ECX
004D0126|.59 POP ECX
004D0127|.64:8910 MOV DWORD PTR FS:,EDX
004D012A|.68 76014D00 PUSH Rent.004D0176
004D012F|>8D45 DC LEA EAX,DWORD PTR SS:
004D0132|.BA 02000000 MOV EDX,2
004D0137|.E8 8042F3FF CALL Rent.004043BC
004D013C|.8D45 E4 LEA EAX,DWORD PTR SS:
004D013F|.BA 02000000 MOV EDX,2
004D0144|.E8 7342F3FF CALL Rent.004043BC
004D0149|.8D45 EC LEA EAX,DWORD PTR SS:
004D014C|.E8 4742F3FF CALL Rent.00404398
004D0151|.8D45 F0 LEA EAX,DWORD PTR SS:
004D0154|.BA 02000000 MOV EDX,2
004D0159|.E8 5E42F3FF CALL Rent.004043BC
004D015E|.8D45 F8 LEA EAX,DWORD PTR SS:
004D0161|.E8 3242F3FF CALL Rent.00404398
004D0166|.8D45 FC LEA EAX,DWORD PTR SS:
004D0169|.E8 2A42F3FF CALL Rent.00404398
004D016E\.C3 RETN
004D016F .^ E9 483BF3FF JMP Rent.00403CBC
004D0174 .^ EB B9 JMP SHORT Rent.004D012F
004D0176 .5B POP EBX
004D0177 .8BE5 MOV ESP,EBP
004D0179 .5D POP EBP
004D017A .C3 RETN
Stepping into CALL Rent.004CF844 with F7 (the calculation CALL).
The code is as follows:
004CF844/$55 PUSH EBP
004CF845|.8BEC MOV EBP,ESP
004CF847|.83C4 F4 ADD ESP,-0C
004CF84A|.53 PUSH EBX
004CF84B|.56 PUSH ESI
004CF84C|.33C9 XOR ECX,ECX
004CF84E|.894D F4 MOV DWORD PTR SS:,ECX
004CF851|.8955 F8 MOV DWORD PTR SS:,EDX ;test code 123456789012 onto the stack at 0012F200
004CF854|.8945 FC MOV DWORD PTR SS:,EAX ;serial number 232397168 onto the stack at 0012F204
004CF857|.8B45 FC MOV EAX,DWORD PTR SS:
004CF85A|.E8 E94FF3FF CALL Rent.00404848
004CF85F|.8B45 F8 MOV EAX,DWORD PTR SS:
004CF862|.E8 E14FF3FF CALL Rent.00404848
004CF867|.33C0 XOR EAX,EAX ;clear EAX
004CF869|.55 PUSH EBP
004CF86A|.68 F7F84C00 PUSH Rent.004CF8F7
004CF86F|.64:FF30 PUSH DWORD PTR FS:
004CF872|.64:8920 MOV DWORD PTR FS:,ESP
004CF875|.33DB XOR EBX,EBX ;clear EBX
004CF877|.8B45 F8 MOV EAX,DWORD PTR SS:
004CF87A|.E8 D94DF3FF CALL Rent.00404658 ;get the test code length
004CF87F|.83F8 0C CMP EAX,0C
004CF882|.75 58 JNZ SHORT Rent.004CF8DC ;not 12 characters: clear EAX and exit.
004CF884|.8D45 F4 LEA EAX,DWORD PTR SS:
004CF887|.50 PUSH EAX
004CF888|.B9 08000000 MOV ECX,8
004CF88D|.BA 05000000 MOV EDX,5
004CF892|.8B45 F8 MOV EAX,DWORD PTR SS: ;test code 123456789012 into EAX
004CF895|.E8 1E50F3FF CALL Rent.004048B8 ;take the last eight characters of the test code, "56789012"
004CF89A|.BE 01000000 MOV ESI,1
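004CF89F|>8B45 FC /MOV EAX,DWORD PTR SS: ;serial number 232397168 into EAX
004CF8A2|.8A4430 FF |MOV AL,BYTE PTR DS: ;first character of the serial number, 32, into AL
004CF8A6|.E8 39FEFFFF |CALL Rent.004CF6E4 ;uses the value of the serial number's first digit to decide which position of the test code to take; in my case the fifth position (return value: 34)
004CF8AB|.8B55 F4 |MOV EDX,DWORD PTR SS: ;remaining test code 56789012 into EDX
004CF8AE|.3A4432 FF |CMP AL,BYTE PTR DS: ;EAX=34 compared with the first character, 35
004CF8B2|.75 28 |JNZ SHORT Rent.004CF8DC ;result not zero: clear EAX and exit.
004CF8B4|.46 |INC ESI ;increment the counter
004CF8B5|.83FE 03 |CMP ESI,3 ;keep looping while ESI is not 3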
004CF8B8|.^ 75 E5 \JNZ SHORT Rent.004CF89F
004CF8BA|.BE 03000000 MOV ESI,3
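004CF8BF|>8B45 FC /MOV EAX,DWORD PTR SS: ;serial number 232397168 into EAX
004CF8C2|.8A4430 FF |MOV AL,BYTE PTR DS: ;first character of the serial number into AL
004CF8C6|.E8 19FEFFFF |CALL Rent.004CF6E4 ;same calculation as at 004CF8A6; the returned ASCII code is 34
004CF8CB|.8B55 F4 |MOV EDX,DWORD PTR SS: ;remaining test code 56789012 into EDX
004CF8CE|.3A4432 03 |CMP AL,BYTE PTR DS: ;here the 7th character of the remaining test code 56789012 is compared with the value returned for the serial number: 4
004CF8D2|.75 08 |JNZ SHORT Rent.004CF8DC ;result not zero: clear EAX and exit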
004CF8D4|.46 |INC ESI
004CF8D5|.83FE 05 |CMP ESI,5
004CF8D8|.^ 75 E5 \JNZ SHORT Rent.004CF8BF
004CF8DA|.B3 01 MOV BL,1
004CF8DC|>33C0 XOR EAX,EAX
004CF8DE|.5A POP EDX
004CF8DF|.59 POP ECX
004CF8E0|.59 POP ECX
004CF8E1|.64:8910 MOV DWORD PTR FS:,EDX
004CF8E4|.68 FEF84C00 PUSH Rent.004CF8FE
004CF8E9|>8D45 F4 LEA EAX,DWORD PTR SS: ;remaining test code 56789012 into EAX
004CF8EC|.BA 03000000 MOV EDX,3
004CF8F1|.E8 C64AF3FF CALL Rent.004043BC
004CF8F6\.C3 RETN
004CF8F7 .^ E9 C043F3FF JMP Rent.00403CBC
004CF8FC .^ EB EB JMP SHORT Rent.004CF8E9
004CF8FE .8BC3 MOV EAX,EBX
004CF900 .5E POP ESI
004CF901 .5B POP EBX
004CF902 .8BE5 MOV ESP,EBP
004CF904 .5D POP EBP
004CF905 .C3 RETN
Stepping into CALL Rent.004CF6E4 with F7: a typical switch statement. The code is as follows:
004CF6E4/$25 FF000000 AND EAX,0FF
004CF6E9|.83C0 D0 ADD EAX,-30 ;Switch (cases 30..39)
004CF6EC|.83F8 09 CMP EAX,9
004CF6EF|.77 4D JA SHORT Rent.004CF73E
004CF6F1|.FF2485 F8F64C>JMP DWORD PTR DS:
004CF6F8|.20F74C00 DD Rent.004CF720 ;Switch table used at 004CF6F1
004CF6FC|.23F74C00 DD Rent.004CF723
004CF700|.26F74C00 DD Rent.004CF726
004CF704|.29F74C00 DD Rent.004CF729
004CF708|.2CF74C00 DD Rent.004CF72C
004CF70C|.2FF74C00 DD Rent.004CF72F
004CF710|.32F74C00 DD Rent.004CF732
004CF714|.35F74C00 DD Rent.004CF735
004CF718|.38F74C00 DD Rent.004CF738
004CF71C|.3BF74C00 DD Rent.004CF73B
004CF720|>B0 38 MOV AL,38 ;Case 30 ('0') of switch 004CF6E9
004CF722|.C3 RETN
004CF723|>B0 36 MOV AL,36 ;Case 31 ('1') of switch 004CF6E9
004CF725|.C3 RETN
004CF726|>B0 34 MOV AL,34 ;Case 32 ('2') of switch 004CF6E9
004CF728|.C3 RETN
004CF729|>B0 30 MOV AL,30 ;Case 33 ('3') of switch 004CF6E9
004CF72B|.C3 RETN
004CF72C|>B0 35 MOV AL,35 ;Case 34 ('4') of switch 004CF6E9
004CF72E|.C3 RETN
004CF72F|>B0 32 MOV AL,32 ;Case 35 ('5') of switch 004CF6E9
004CF731|.C3 RETN
004CF732|>B0 39 MOV AL,39 ;Case 36 ('6') of switch 004CF6E9
004CF734|.C3 RETN
004CF735|>B0 31 MOV AL,31 ;Case 37 ('7') of switch 004CF6E9
004CF737|.C3 RETN
004CF738|>B0 33 MOV AL,33 ;Case 38 ('8') of switch 004CF6E9
004CF73A|.C3 RETN
004CF73B|>B0 37 MOV AL,37 ;Case 39 ('9') of switch 004CF6E9
004CF73D|.C3 RETN
004CF73E|>33C0 XOR EAX,EAX ;Default case of switch 004CF6E9
004CF740\.C3 RETN
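Screenshot: software registered successfully:
Screenshot: main program window:
Screenshot: brute-force crack:
Screenshot: main program window after the brute-force crack:
Keygen source code (C source) follows: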
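#include <stdio.h>
#include <string.h>

/* The array size and the array indices were lost when the page was extracted.
   They are restored here so that the program prints the registration code
   shown after the listing; the buffer size of 32 is a choice made in editing. */
int main(int argc, char* argv[])
{
    char serial[32];
    int seriallen;
    printf("请输入序列号=");                          /* prompt: enter the serial number */
    /* fgets replaces the original gets, which cannot bound its input */
    if (fgets(serial, sizeof(serial), stdin) == NULL)
        return 0;
    serial[strcspn(serial, "\r\n")] = '\0';           /* drop the trailing newline */
    seriallen = strlen(serial);
    if (seriallen < 9 || seriallen > 9)
    {
        printf("你输入的序列号不正确,请重新输入!\n");  /* wrong serial number, enter it again */
        return 0;
    }
    printf("注册码=");                                /* label: registration code */
    for (int i = 0; i <= 1; i++)
    {
        char temp;
        temp = serial[i];
        int conter = temp - 48;
        if (conter > 9 || conter < 0)
            return 0;
        /* same digit table as the switch at 004CF6E4 */
        switch (conter)
        {
        case 0:
            serial[i + 4] = 8 + 48; break;
        case 1:
            serial[i + 4] = 6 + 48; break;
        case 2:
            /* also writes the fixed tail "040" at positions 9..11 */
            serial[i + 4] = 4 + 48; serial[9] = 48; serial[10] = 52; serial[11] = 48; break;
        case 3:
            serial[i + 4] = 0 + 48; break;
        case 4:
            serial[i + 4] = 5 + 48; break;
        case 5:
            serial[i + 4] = 2 + 48; break;
        case 6:
            serial[i + 4] = 9 + 48; break;
        case 7:
            serial[i + 4] = 1 + 48; break;
        case 8:
            serial[i + 4] = 3 + 48; break;
        case 9:
            serial[i + 4] = 7 + 48; break;
        }
    }
    /* print the 12 characters of the registration code */
    for (int j = 0; j <= 11; j++)
    {
        printf("%c", serial[j]);
    }
    printf("\n");
    return 0;
}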
Serial number: 232397168
Registration code: 232340168040
--------------------------------------------------------------------------------
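[Lessons learned]
1. The software's author made a mistake in applying the registration algorithm (some of the code is missing), so the registration code is computed in a fixed pattern.
2. The software's serial number is fixed (normally a serial number is derived from the machine's hardware, but this software has the same serial number on whatever machine it is installed on......), so the computed registration code is fixed as well.
3. Computing a registration code through the software's registration code calculation module and registering with it reports success, but after the software is restarted the registration dialog still appears.
4. The software's author is suspected of deceiving users.
5. Modifying the trial period value also achieves the crack (the archive contains the cracked file); the software's trial period is: 100 years.
6. The archive contains the keygen and instructions for using the keygen.
7. The keygen source code is also attached; it was tested successfully in the VC6.0 development environment.
8. The software uses the Rent3.mdb file to store, delete and modify vehicle management information.
9. Rent3.mdb database file: the database password is: ynduanlian. It contains the administrator username: admin; the initial login password is empty.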
--------------------------------------------------------------------------------
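[Copyright notice]: This article was originally published on the 吾爱破解 technical forum. When reposting, please credit the author and keep the article intact. Thank you!
January 29, 2011, AM 17:40:00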
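Added example (not part of the original post and not code from the software): a C model of the check routine at 004CF844 and the switch at 004CF6E4 as disassembled above, written to show how many of the 12 registration-code characters the routine actually compares against the serial number. The function names, the `bound` array and the minimum-length guard on the serial are assumptions of this sketch; the serial, TestCode and registration code are the values from the post.

```c
#include <stdio.h>
#include <string.h>

/* Table from the switch at 004CF6E4: index = input digit '0'..'9'. */
static const char DIGIT_MAP[] = "8640529137";

/* Model of the switch: non-digits hit the default case and return 0. */
static char map_digit(unsigned char c)
{
    return (c >= '0' && c <= '9') ? DIGIT_MAP[c - '0'] : 0;
}

/* Model of the check at 004CF844; returns 1 if accepted, else 0.
   bound (optional) marks each code position the routine compares.
   The serial-length guard is an assumption of this sketch. */
int check_code(const char *serial, const char *code, int bound[12])
{
    const char *tail;
    int esi, ok = 1;
    if (bound) memset(bound, 0, 12 * sizeof(int));
    if (strlen(code) != 12 || strlen(serial) < 4) return 0;
    tail = code + 4;                      /* 8 characters from position 5 */
    for (esi = 1; esi != 3; esi++) {      /* first loop: tail offset ESI-1 */
        if (bound) bound[4 + esi - 1] = 1;
        if (map_digit(serial[esi - 1]) != tail[esi - 1]) ok = 0;
    }
    for (esi = 3; esi != 5; esi++) {      /* second loop: tail offset ESI+3 */
        if (bound) bound[4 + esi + 3] = 1;
        if (map_digit(serial[esi - 1]) != tail[esi + 3]) ok = 0;
    }
    return ok;
}

/* Number of code positions that depend on the serial at all. */
int bound_positions(const char *serial, const char *code)
{
    int bound[12], i, n = 0;
    check_code(serial, code, bound);
    for (i = 0; i < 12; i++) n += bound[i];
    return n;
}

int main(void)
{
    printf("TestCode accepted: %d\n", check_code("232397168", "123456789012", NULL));
    printf("posted code accepted: %d\n", check_code("232397168", "232340168040", NULL));
    printf("positions compared: %d of 12\n", bound_positions("232397168", "232340168040"));
    return 0;
}
```

The model makes the design weakness measurable: the routine binds four characters to the serial through a fixed table that holds no secret, which is why reading the disassembly is enough to reproduce it.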
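Passing by!~ Taking a look.....
Taking a look....
One for me, first reply
I don't really understand it.
Playing with it a bit, to learn.
Impressive, giving my support
Read it. Good article.
Impressive, support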