蚊香
发表于 2008-8-6 19:32
【文章标题】: 电脑公司客户售后管理软件 2.0 算法分析
【文章作者】: 蚊香
【作者邮箱】: xpi386com@163.com
【作者主页】: http://www.xpi386.com
【下载地址】: http://www.skycn.com/soft/47219.html
【保护方式】: 机器码 + 注册码
【编写语言】: Borland Delphi
【操作平台】: D版XP-SP2
【软件介绍】: 一款专门为电脑公司售后服务部量体定做的管理软件
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
查壳,无。Borland Delphi
试用123456789注册,发现是重启验证。搜索注册表,找到如下:
[HKEY_LOCAL_MACHINE\SOFTWARE\vt\dnsh]
"Date"=hex:00,00,00,00,40,5e,e3,40
"Name"="3JX5LR9X"
"Pass"="123456789"
其中这里的"3JX5LR9X"是偶的机器码~~~~~
OD载入主程序,查找字符串“Pass”,找到两处,分别下断。F9运行0068357C .BA B03A6800 mov edx, 00683AB0;断在这里,一路F8下00683581 .8B45 F0 mov eax, dword ptr [ebp-10]00683584 .E8 8B85DCFF call0044BB1400683589 .8B55 B4 mov edx, dword ptr [ebp-4C]0068358C .A1 64287200 mov eax, dword ptr [722864]00683591 .8B00mov eax, dword ptr [eax]00683593 .05 4C070000 add eax, 74C00683598 .E8 5715D8FF call00404AF40068359D .33C0xor eax, eax0068359F .55pushebp006835A0 .68 C6356800 push006835C6006835A5 .64:FF30 pushdword ptr fs:[eax]006835A8 .64:8920 mov dword ptr fs:[eax], esp006835AB .BA C03A6800 mov edx, 00683AC0;date006835B0 .8B45 F0 mov eax, dword ptr [ebp-10]006835B3 .E8 BC86DCFF call0044BC74006835B8 .DD5D E8 fstpqword ptr [ebp-18]006835BB .9Bwait006835BC .33C0xor eax, eax006835BE .5Apop edx006835BF .59pop ecx006835C0 .59pop ecx006835C1 .64:8910 mov dword ptr fs:[eax], edx006835C4 .EB 29 jmp short 006835EF006835C6 .^ E9 250BD8FF jmp 004040F0006835CB .FF75 E4 pushdword ptr [ebp-1C]006835CE .FF75 E0 pushdword ptr [ebp-20]006835D1 .BA C03A6800 mov edx, 00683AC0;ASCII "Date"006835D6 .8B45 F0 mov eax, dword ptr [ebp-10]006835D9 .E8 8286DCFF call0044BC60006835DE .8B45 E0 mov eax, dword ptr [ebp-20]006835E1 .8945 E8 mov dword ptr [ebp-18], eax006835E4 .8B45 E4 mov eax, dword ptr [ebp-1C]006835E7 .8945 EC mov dword ptr [ebp-14], eax006835EA .E8 2D0FD8FF call0040451C006835EF >8B45 F0 mov eax, dword ptr [ebp-10]006835F2 .E8 2D7EDCFF call0044B424006835F7 .33C0xor eax, eax006835F9 .5Apop edx006835FA .59pop ecx006835FB .59pop ecx006835FC .64:8910 mov dword ptr fs:[eax], edx006835FF .68 14366800 push0068361400683604 >8B45 F0 mov eax, dword ptr [ebp-10]00683607 .E8 0406D8FF call00403C100068360C .C3retn0068360D .^ E9 920DD8FF jmp 004043A400683612 .^ EB F0 jmp short 0068360400683614 .DD45 E0 fld qword ptr [ebp-20]00683617 .DC65 E8 fsubqword ptr [ebp-18]0068361A .DD5D D8 fstpqword ptr [ebp-28]0068361D .9Bwait0068361E .D905 C83A6800 fld dword ptr [683AC8]00683624 .DC65 D8 fsubqword ptr [ebp-28]00683627 .E8 5CF8D7FF 
call00402E880068362C .8B15 64287200 mov edx, dword ptr [722864];电脑公司.0072709800683632 .8B12mov edx, dword ptr [edx]00683634 .8982 54080000 mov dword ptr [edx+854], eax0068363A .8B45 FC mov eax, dword ptr [ebp-4]0068363D .8B90 1C030000 mov edx, dword ptr [eax+31C]00683643 .B9 D43A6800 mov ecx, 00683AD4;ASCII "select count(*) as T_Num from T_custom"00683648 .8B45 FC mov eax, dword ptr [ebp-4]0068364B .E8 00FCFFFF call00683250 ;F8直到这里竟然卡住 ?!!!!00683650 .8B45 FC mov eax, dword ptr [ebp-4] ;此行F2,重载后F9到此,继续F800683653 .8B90 40040000 mov edx, dword ptr [eax+440]00683659 .B9 043B6800 mov ecx, 00683B04;ASCII "select count(*) as T_Num1 from T_GOODS"0068365E .8B45 FC mov eax, dword ptr [ebp-4]00683661 .E8 EAFBFFFF call0068325000683666 .8B45 FC mov eax, dword ptr [ebp-4]00683669 .8B90 7C060000 mov edx, dword ptr [eax+67C]0068366F .B9 343B6800 mov ecx, 00683B34;ASCII "select count(*) as T_Num2 from T_OA"00683674 .8B45 FC mov eax, dword ptr [ebp-4]00683677 .E8 D4FBFFFF call006832500068367C .8B45 FC mov eax, dword ptr [ebp-4]0068367F .8B80 1C030000 mov eax, dword ptr [eax+31C]00683685 .BA 603B6800 mov edx, 00683B60;ASCII "T_Num"0068368A .E8 0D74ECFF call0054AA9C0068368F .8B10mov edx, dword ptr [eax]00683691 .FF52 58 calldword ptr [edx+58]00683694 .8B55 FC mov edx, dword ptr [ebp-4]00683697 .8982 C0070000 mov dword ptr [edx+7C0], eax0068369D .8B45 FC mov eax, dword ptr [ebp-4]006836A0 .8B80 40040000 mov eax, dword ptr [eax+440]006836A6 .BA 703B6800 mov edx, 00683B70;ASCII "T_Num1"006836AB .E8 EC73ECFF call0054AA9C006836B0 .8B10mov edx, dword ptr [eax]006836B2 .FF52 58 calldword ptr [edx+58]006836B5 .8B55 FC mov edx, dword ptr [ebp-4]006836B8 .8982 C8070000 mov dword ptr [edx+7C8], eax006836BE .8B45 FC mov eax, dword ptr [ebp-4]006836C1 .8B80 7C060000 mov eax, dword ptr [eax+67C]006836C7 .BA 803B6800 mov edx, 00683B80;ASCII "T_Num2"006836CC .E8 CB73ECFF call0054AA9C006836D1 .8B10mov edx, dword ptr [eax]006836D3 .FF52 58 calldword ptr [edx+58]006836D6 .8B55 FC mov edx, dword ptr 
[ebp-4]006836D9 .8982 CC070000 mov dword ptr [edx+7CC], eax006836DF .A1 64287200 mov eax, dword ptr [722864]006836E4 .8B00mov eax, dword ptr [eax]006836E6 .C680 68080000>mov byte ptr [eax+868], 1006836ED .8D4D B0 lea ecx, dword ptr [ebp-50]006836F0 .A1 64287200 mov eax, dword ptr [722864]006836F5 .8B00mov eax, dword ptr [eax]006836F7 .8B90 48070000 mov edx, dword ptr [eax+748] ;出机器码 3JX5LR9X006836FD .A1 88247200 mov eax, dword ptr [722488]00683702 .8B00mov eax, dword ptr [eax]00683704 .E8 8BDCFFFF call00681394 ;经过这里后出真码,F7进去看究竟00683709 .8B55 B0 mov edx, dword ptr [ebp-50]0068370C .A1 64287200 mov eax, dword ptr [722864]00683711 .8B00mov eax, dword ptr [eax]00683713 .8B80 4C070000 mov eax, dword ptr [eax+74C]00683719 .E8 9E17D8FF call00404EBC ;比较CALL,可做内存注册机0068371E .74 44 jeshort 00683764 ;关键跳转00683720 .8D4D AC lea ecx, dword ptr [ebp-54];以下代码省略00683723 .A1 64287200 mov eax, dword ptr [722864];.................
进入 00683704
; Routine 00681394: builds the expected registration code from the machine code.
; On entry EDX is saved to [ebp-4] (input string) and the original ECX ends up in
; EDI (destination of the final string). Every input is either the machine code
; or a constant embedded in the binary; no secret value is read in this listing.
; Helper calls (00404D70, 00404D78, 00404FD0, 0040A38C, 00404E30) are not shown;
; their roles below are inferred from how they are used - confirm.
00681394 /$  55            push ebp
00681395 |.  8BEC          mov ebp, esp
00681397 |.  51            push ecx
00681398 |.  B9 04000000   mov ecx, 4
0068139D |>  6A 00         /push 0
0068139F |.  6A 00         |push 0
006813A1 |.  49            |dec ecx
006813A2 |.^ 75 F9         \jnz short 0068139D
006813A4 |.  51            push ecx
006813A5 |.  874D FC       xchg dword ptr [ebp-4], ecx
006813A8 |.  53            push ebx
006813A9 |.  56            push esi
006813AA |.  57            push edi
006813AB |.  8BF9          mov edi, ecx
006813AD |.  8955 FC       mov dword ptr [ebp-4], edx
006813B0 |.  8B45 FC       mov eax, dword ptr [ebp-4]
006813B3 |.  E8 A83BD8FF   call 00404F60
006813B8 |.  33C0          xor eax, eax
006813BA |.  55            push ebp
006813BB |.  68 55156800   push 00681555
006813C0 |.  64:FF30       push dword ptr fs:[eax]
006813C3 |.  64:8920       mov dword ptr fs:[eax], esp
006813C6 |.  8BC7          mov eax, edi
006813C8 |.  E8 D336D8FF   call 00404AA0
006813CD |.  8B45 FC       mov eax, dword ptr [ebp-4]
006813D0 |.  E8 9B39D8FF   call 00404D70                     ; result is used as the loop count (presumably string length)
006813D5 |.  8BF0          mov esi, eax
006813D7 |.  85F6          test esi, esi
006813D9 |.  7E 26         jle short 00681401
006813DB |.  BB 01000000   mov ebx, 1
006813E0 |>  8D4D EC       /lea ecx, dword ptr [ebp-14]
006813E3 |.  8B45 FC       |mov eax, dword ptr [ebp-4]
006813E6 |.  0FB64418 FF   |movzx eax, byte ptr [eax+ebx-1]  ; load each machine-code character (its ASCII value) into EAX in turn
006813EB |.  33D2          |xor edx, edx
006813ED |.  E8 9A8FD8FF   |call 0040A38C                    ; presumably converts EAX to a hex string in [ebp-14] - confirm
006813F2 |.  8B55 EC       |mov edx, dword ptr [ebp-14]
006813F5 |.  8D45 F8       |lea eax, dword ptr [ebp-8]
006813F8 |.  E8 7B39D8FF   |call 00404D78                    ; presumably appends [ebp-14] to [ebp-8]
006813FD |.  43            |inc ebx
006813FE |.  4E            |dec esi
006813FF |.^ 75 DF         \jnz short 006813E0               ; loop
00681401 |>  8B45 F8       mov eax, dword ptr [ebp-8]        ; the hex values of the machine code concatenated in order: STR1
00681404 |.  E8 6739D8FF   call 00404D70
00681409 |.  8BF0          mov esi, eax
0068140B |.  85F6          test esi, esi
0068140D |.  7E 2C         jle short 0068143B
0068140F |.  BB 01000000   mov ebx, 1
00681414 |>  8B45 F8       /mov eax, dword ptr [ebp-8]
00681417 |.  E8 5439D8FF   |call 00404D70
0068141C |.  2BC3          |sub eax, ebx
0068141E |.  8B55 F8       |mov edx, dword ptr [ebp-8]
00681421 |.  8A1402        |mov dl, byte ptr [edx+eax]       ; read STR1 one character at a time, right to left
00681424 |.  8D45 E8       |lea eax, dword ptr [ebp-18]
00681427 |.  E8 5C38D8FF   |call 00404C88
0068142C |.  8B55 E8       |mov edx, dword ptr [ebp-18]
0068142F |.  8D45 F4       |lea eax, dword ptr [ebp-C]
00681432 |.  E8 4139D8FF   |call 00404D78
00681437 |.  43            |inc ebx
00681438 |.  4E            |dec esi
00681439 |.^ 75 D9         \jnz short 00681414               ; this loop reverses STR1; the result in [ebp-C] is STR2
0068143B |>  8D45 F8       lea eax, dword ptr [ebp-8]
0068143E |.  50            push eax
0068143F |.  B9 04000000   mov ecx, 4
00681444 |.  BA 01000000   mov edx, 1
00681449 |.  8B45 F4       mov eax, dword ptr [ebp-C]
0068144C |.  E8 7F3BD8FF   call 00404FD0                     ; EDX=1, ECX=4: characters 1-4 of STR2, stored to [ebp-8]
00681451 |.  8D45 F4       lea eax, dword ptr [ebp-C]
00681454 |.  50            push eax
00681455 |.  B9 04000000   mov ecx, 4                        ; ECX=4
0068145A |.  BA 05000000   mov edx, 5                        ; EDX=5
0068145F |.  8B45 F4       mov eax, dword ptr [ebp-C]
00681462 |.  E8 693BD8FF   call 00404FD0                     ; EDX=5, ECX=4: characters 5-8 of STR2, stored to [ebp-C] (the author's note "first 4 characters" fits the call at 0068144C)
00681467 |.  8B45 F8       mov eax, dword ptr [ebp-8]
0068146A |.  E8 0139D8FF   call 00404D70
0068146F |.  83F8 04       cmp eax, 4
00681472 |.  7D 2F         jge short 006814A3                ; skipped when [ebp-8] already has at least 4 characters
00681474 |.  8B45 F8       mov eax, dword ptr [ebp-8]
00681477 |.  E8 F438D8FF   call 00404D70
0068147C |.  8BD8          mov ebx, eax
0068147E |.  83FB 03       cmp ebx, 3
00681481 |.  7F 20         jg short 006814A3
00681483 |>  8D4D E4       /lea ecx, dword ptr [ebp-1C]      ; short-input path: appends to [ebp-8] until EBX reaches 4 (looks like padding - confirm)
00681486 |.  8BC3          |mov eax, ebx
00681488 |.  C1E0 02       |shl eax, 2
0068148B |.  33D2          |xor edx, edx
0068148D |.  E8 FA8ED8FF   |call 0040A38C
00681492 |.  8B55 E4       |mov edx, dword ptr [ebp-1C]
00681495 |.  8D45 F8       |lea eax, dword ptr [ebp-8]
00681498 |.  E8 DB38D8FF   |call 00404D78
0068149D |.  43            |inc ebx
0068149E |.  83FB 04       |cmp ebx, 4
006814A1 |.^ 75 E0         \jnz short 00681483
006814A3 |>  8B45 F4       mov eax, dword ptr [ebp-C]        ; [ebp-C] holds characters 5-8 of STR2; same length check as above
006814A6 |.  E8 C538D8FF   call 00404D70
006814AB |.  83F8 04       cmp eax, 4
006814AE |.  7D 2F         jge short 006814DF
006814B0 |.  8B45 F4       mov eax, dword ptr [ebp-C]
006814B3 |.  E8 B838D8FF   call 00404D70
006814B8 |.  8BD8          mov ebx, eax
006814BA |.  83FB 03       cmp ebx, 3
006814BD |.  7F 20         jg short 006814DF
006814BF |>  8D4D E0       /lea ecx, dword ptr [ebp-20]
006814C2 |.  8BC3          |mov eax, ebx
006814C4 |.  C1E0 02       |shl eax, 2
006814C7 |.  33D2          |xor edx, edx
006814C9 |.  E8 BE8ED8FF   |call 0040A38C
006814CE |.  8B55 E0       |mov edx, dword ptr [ebp-20]
006814D1 |.  8D45 F4       |lea eax, dword ptr [ebp-C]
006814D4 |.  E8 9F38D8FF   |call 00404D78
006814D9 |.  43            |inc ebx
006814DA |.  83FB 04       |cmp ebx, 4
006814DD |.^ 75 E0         \jnz short 006814BF
006814DF |>  8D45 F0       lea eax, dword ptr [ebp-10]
006814E2 |.  BA 6C156800   mov edx, 0068156C                 ; fixed string "dnsh268d58k": STR3
006814E7 |.  E8 4C36D8FF   call 00404B38
006814EC |.  8D45 DC       lea eax, dword ptr [ebp-24]
006814EF |.  50            push eax
006814F0 |.  B9 04000000   mov ecx, 4                        ; ECX=4
006814F5 |.  BA 01000000   mov edx, 1                        ; EDX=1
006814FA |.  8B45 F0       mov eax, dword ptr [ebp-10]
006814FD |.  E8 CE3AD8FF   call 00404FD0                     ; first 4 characters of STR3, i.e. "dnsh"
00681502 |.  FF75 DC       push dword ptr [ebp-24]
00681505 |.  68 80156800   push 00681580                     ; "-"
0068150A |.  FF75 F8       push dword ptr [ebp-8]            ; joined with "-": characters 1-4 of STR2
0068150D |.  8D45 D8       lea eax, dword ptr [ebp-28]
00681510 |.  50            push eax
00681511 |.  B9 05000000   mov ecx, 5                        ; ECX=5
00681516 |.  BA 05000000   mov edx, 5                        ; EDX=5
0068151B |.  8B45 F0       mov eax, dword ptr [ebp-10]
0068151E |.  E8 AD3AD8FF   call 00404FD0                     ; 5 characters of STR3 starting at position 5, i.e. "268d5"
00681523 |.  FF75 D8       push dword ptr [ebp-28]
00681526 |.  68 80156800   push 00681580                     ; "-"
0068152B |.  FF75 F4       push dword ptr [ebp-C]            ; joined with "-": characters 5-8 of STR2
0068152E |.  8BC7          mov eax, edi
00681530 |.  BA 06000000   mov edx, 6
00681535 |.  E8 F638D8FF   call 00404E30                     ; EDX=6 with six strings pushed: presumably concatenates them into the result at EDI
0068153A |.  33C0          xor eax, eax
0068153C |.  5A            pop edx
0068153D |.  59            pop ecx
0068153E |.  59            pop ecx
0068153F |.  64:8910       mov dword ptr fs:[eax], edx
00681542 |.  68 5C156800   push 0068155C
00681547 |>  8D45 D8       lea eax, dword ptr [ebp-28]
0068154A |.  BA 0A000000   mov edx, 0A
0068154F |.  E8 7035D8FF   call 00404AC4
00681554 \.  C3            retn
00681555  .^ E9 4A2ED8FF   jmp 004043A4
0068155A  .^ EB EB         jmp short 00681547
0068155C  .  5F            pop edi
0068155D  .  5E            pop esi
0068155E  .  5B            pop ebx
0068155F  .  8BE5          mov esp, ebp
00681561  .  5D            pop ebp
00681562  .  C3            retn
--------------------------------------------------------------------------------
【经验总结】
以偶的机器为例:
机器码 3JX5LR9X
16进制ASCII = 334A58354C523958
倒序排列 = 859325C45385A433
取1-4位 = 8593
取5-8位 = 25C4
取固定内容“dnsh” 和 “268d5”
组合以上“dnsh-8593268d5-25C4”即为注册码
KeyGen
核心源码(VB Code):
' Excerpt only: L and a are not initialised here (presumably L is the length of
' Text1.Text and a starts empty - confirm against the full project).
' Text1 supplies the machine code; Text2 receives the resulting string.
' Append the hexadecimal ASCII value of each input character to a.
For i = 1 To L
a = a & Hex(Asc(Mid(Text1.Text, i, 1)))
Next i
C = a
' Reverse the whole hex string character by character.
S = StrReverse(C)
' Join the fixed parts "dnsh-" and "268d5-" with characters 1-4 and 5-8 of the reversed string.
' NOTE(review): there is no handling here for a reversed string shorter than 8 characters.
Text2.Text = "dnsh-" & CStr(Mid(S, 1, 4)) & "268d5-" & CStr(Mid(S, 5, 4))
VB6.0精简版测试通过~~~~~~~~~
--------------------------------------------------------------------------------
【版权声明】: 本文 蚊香 原创, 转载请注明作者并保持文章的完整, 谢谢!
2008年08月06日 PM 07:27:56