小人菜鸟哦~ 软件我已经爆破了~ 为了更进一步的学习，在逆向算法上碰壁了。
希望大侠们给予指点咯~
我已经把壳脱了。运行 CPRSSH2 即可。
0054F828 /$ 55 push ebp
0054F829 |. 8BEC mov ebp, esp
0054F82B |. B9 27000000 mov ecx, 27
0054F830 |> 6A 00 /push 0
0054F832 |. 6A 00 |push 0
0054F834 |. 49 |dec ecx
0054F835 |.^ 75 F9 \jnz short 0054F830
0054F837 |. 51 push ecx
0054F838 |. 53 push ebx
0054F839 |. 56 push esi
0054F83A |. 57 push edi
0054F83B |. 8BF0 mov esi, eax
0054F83D |. 33C0 xor eax, eax
0054F83F |. 55 push ebp
0054F840 |. 68 67FA5400 push 0054FA67
0054F845 |. 64:FF30 push dword ptr fs:[eax]
0054F848 |. 64:8920 mov dword ptr fs:[eax], esp
0054F84B |. F646 20 10 test byte ptr [esi+20], 10
0054F84F |. 0F85 EC010000 jnz 0054FA41
0054F855 |. 8BC2 mov eax, edx
0054F857 |. 8846 24 mov byte ptr [esi+24], al
0054F85A |. 84C0 test al, al
0054F85C |. 0F84 DF010000 je 0054FA41 ; 爆破点
0054F862 |. 8D4D FC lea ecx, dword ptr [ebp-4]
0054F865 |. 8A56 25 mov dl, byte ptr [esi+25]
0054F868 |. 8BC6 mov eax, esi
0054F86A |. E8 19FAFFFF call 0054F288
0054F86F |. 8B55 FC mov edx, dword ptr [ebp-4]
0054F872 |. 8D46 30 lea eax, dword ptr [esi+30]
0054F875 |. E8 C248EBFF call 0040413C
0054F87A |. 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
0054F880 |. 8BC6 mov eax, esi
0054F882 |. 66:BB F0FF mov bx, 0FFF0
0054F886 |. E8 D93BEBFF call 00403464 ; 取硬盘 参数
0054F88B |. 8B95 F4FEFFFF mov edx, dword ptr [ebp-10C]
0054F891 |. 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108] ; 2628399153NTFS
0054F897 |. 8BC6 mov eax, esi
0054F899 |. 66:BB EFFF mov bx, 0FFEF
0054F89D |. E8 C23BEBFF call 00403464 ; 硬盘参数 逆序出机器号
0054F8A2 |. 8B95 F8FEFFFF mov edx, dword ptr [ebp-108] ; (ASCII "YMZG5364452818")
0054F8A8 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
0054F8AE |. B9 FF000000 mov ecx, 0FF
0054F8B3 |. E8 9C4AEBFF call 00404354
0054F8B8 |. 8D95 FCFEFFFF lea edx, dword ptr [ebp-104]
0054F8BE |. 8D86 20020000 lea eax, dword ptr [esi+220]
0054F8C4 |. B1 32 mov cl, 32
0054F8C6 |. E8 5934EBFF call 00402D24
0054F8CB |. 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
0054F8D1 |. 8B4E 2C mov ecx, dword ptr [esi+2C]
0054F8D4 |. 8B56 30 mov edx, dword ptr [esi+30]
0054F8D7 |. E8 E84AEBFF call 004043C4
0054F8DC |. 8B85 F0FEFFFF mov eax, dword ptr [ebp-110]
0054F8E2 |. E8 A9ADEBFF call 0040A690
0054F8E7 |. 84C0 test al, al
0054F8E9 |. 74 21 je short 0054F90C
0054F8EB |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
0054F8F1 |. 8B4E 2C mov ecx, dword ptr [esi+2C]
0054F8F4 |. 8B56 30 mov edx, dword ptr [esi+30]
0054F8F7 |. E8 C84AEBFF call 004043C4
0054F8FC |. 8B95 ECFEFFFF mov edx, dword ptr [ebp-114]
0054F902 |. 8D4E 40 lea ecx, dword ptr [esi+40]
0054F905 |. 8BC6 mov eax, esi
0054F907 |. E8 A0FEFFFF call 0054F7AC ; create file a
0054F90C |> 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
0054F912 |. 8D96 53020000 lea edx, dword ptr [esi+253] ; D:\Windows\System32\WinSock2.cps
0054F918 |. E8 FF49EBFF call 0040431C
0054F91D |. 8B85 E8FEFFFF mov eax, dword ptr [ebp-118]
0054F923 |. 50 push eax
0054F924 |. 8D95 E0FEFFFF lea edx, dword ptr [ebp-120]
0054F92A |. 8BC6 mov eax, esi
0054F92C |. 66:BB F0FF mov bx, 0FFF0
0054F930 |. E8 2F3BEBFF call 00403464
0054F935 |. 8B95 E0FEFFFF mov edx, dword ptr [ebp-120]
0054F93B |. 8D8D E4FEFFFF lea ecx, dword ptr [ebp-11C]
0054F941 |. 8BC6 mov eax, esi
0054F943 |. 66:BB EEFF mov bx, 0FFEE
0054F947 |. E8 183BEBFF call 00403464 ; 注册码算法call
0054F94C |. 8B95 E4FEFFFF mov edx, dword ptr [ebp-11C]
0054F952 |. 58 pop eax ; 15266516060191
0054F953 |. E8 304BEBFF call 00404488
0054F958 |. 0F84 E3000000 je 0054FA41
0054F95E |. BF 01000000 mov edi, 1
0054F963 |> 8D85 DCFEFFFF /lea eax, dword ptr [ebp-124]
0054F969 |. 8D96 53020000 |lea edx, dword ptr [esi+253]
0054F96F |. E8 A849EBFF |call 0040431C
0054F974 |. 8B85 DCFEFFFF |mov eax, dword ptr [ebp-124]
0054F97A |. 50 |push eax
0054F97B |. 8D95 D4FEFFFF |lea edx, dword ptr [ebp-12C]
0054F981 |. 8BC6 |mov eax, esi
0054F983 |. 66:BB F0FF |mov bx, 0FFF0
0054F987 |. E8 D83AEBFF |call 00403464
0054F98C |. 8B95 D4FEFFFF |mov edx, dword ptr [ebp-12C]
0054F992 |. 8D8D D8FEFFFF |lea ecx, dword ptr [ebp-128]
0054F998 |. 8BC6 |mov eax, esi
0054F99A |. 66:BB EEFF |mov bx, 0FFEE
0054F99E |. E8 C13AEBFF |call 00403464
0054F9A3 |. 8B95 D8FEFFFF |mov edx, dword ptr [ebp-128]
0054F9A9 |. 58 |pop eax
0054F9AA |. E8 D94AEBFF |call 00404488
0054F9AF |. 74 0D |je short 0054F9BE
0054F9B1 |. 8BC6 |mov eax, esi
0054F9B3 |. E8 0C010000 |call 0054FAC4 ; 注册窗口
0054F9B8 |. 47 |inc edi
0054F9B9 |. 83FF 04 |cmp edi, 4
0054F9BC |.^ 75 A5 \jnz short 0054F963 ; 判断循环 滴3次
0054F9BE |> 83FF 03 cmp edi, 3
0054F9C1 |. 7C 5D jl short 0054FA20
0054F9C3 |. 8D85 D0FEFFFF lea eax, dword ptr [ebp-130]
0054F9C9 |. 8D96 53020000 lea edx, dword ptr [esi+253]
0054F9CF |. E8 4849EBFF call 0040431C
0054F9D4 |. 8B85 D0FEFFFF mov eax, dword ptr [ebp-130]
0054F9DA |. 50 push eax
0054F9DB |. 8D95 C8FEFFFF lea edx, dword ptr [ebp-138]
0054F9E1 |. 8BC6 mov eax, esi
0054F9E3 |. 66:BB F0FF mov bx, 0FFF0
0054F9E7 |. E8 783AEBFF call 00403464
0054F9EC |. 8B95 C8FEFFFF mov edx, dword ptr [ebp-138]
0054F9F2 |. 8D8D CCFEFFFF lea ecx, dword ptr [ebp-134]
0054F9F8 |. 8BC6 mov eax, esi
0054F9FA |. 66:BB EEFF mov bx, 0FFEE
0054F9FE |. E8 613AEBFF call 00403464
0054FA03 |. 8B95 CCFEFFFF mov edx, dword ptr [ebp-134]
0054FA09 |. 58 pop eax
0054FA0A |. E8 794AEBFF call 00404488
0054FA0F |. 74 0F je short 0054FA20 ; 判断 进入系统 退出系统
0054FA11 |. B8 80FA5400 mov eax, 0054FA80 ; 请及时注册,谢谢!
0054FA16 |. E8 951DF1FF call 004617B0
0054FA1B |. E8 F044EBFF call 00403F10
0054FA20 |> 8D85 C4FEFFFF lea eax, dword ptr [ebp-13C]
0054FA26 |. 8B4E 2C mov ecx, dword ptr [esi+2C]
0054FA29 |. 8B56 30 mov edx, dword ptr [esi+30]
0054FA2C |. E8 9349EBFF call 004043C4
0054FA31 |. 8B95 C4FEFFFF mov edx, dword ptr [ebp-13C]
0054FA37 |. 8D4E 40 lea ecx, dword ptr [esi+40]
0054FA3A |. 8BC6 mov eax, esi
0054FA3C |. E8 77070000 call 005501B8
0054FA41 |> 33C0 xor eax, eax
0054FA43 |. 5A pop edx
0054FA44 |. 59 pop ecx
0054FA45 |. 59 pop ecx
0054FA46 |. 64:8910 mov dword ptr fs:[eax], edx
0054FA49 |. 68 6EFA5400 push 0054FA6E
0054FA4E |> 8D85 C4FEFFFF lea eax, dword ptr [ebp-13C]
0054FA54 |. BA 0E000000 mov edx, 0E
0054FA59 |. E8 AE46EBFF call 0040410C
0054FA5E |. 8D45 FC lea eax, dword ptr [ebp-4]
0054FA61 |. E8 8246EBFF call 004040E8
0054FA66 \. C3 retn
0054FA67 .^ E9 7C3FEBFF jmp 004039E8
0054FA6C .^ EB E0 jmp short 0054FA4E
0054FA6E . 5F pop edi
0054FA6F . 5E pop esi
0054FA70 . 5B pop ebx
0054FA71 . 8BE5 mov esp, ebp
0054FA73 . 5D pop ebp
0054FA74 . C3 retn
进入注册码 call 我追到算法处~
0054F5D6 |> /8B45 FC /mov eax, dword ptr [ebp-4]
0054F5D9 |. |8A4418 FF |mov al, byte ptr [eax+ebx-1] ; ebx 计数器
0054F5DD |. |8845 D7 |mov byte ptr [ebp-29], al ; 正取
0054F5E0 |. |8BC6 |mov eax, esi
0054F5E2 |. |2BC3 |sub eax, ebx
0054F5E4 |. |8B55 FC |mov edx, dword ptr [ebp-4]
0054F5E7 |. |8A0402 |mov al, byte ptr [edx+eax]
0054F5EA |. |8845 D6 |mov byte ptr [ebp-2A], al ; 反取
0054F5ED |. |8D55 F0 |lea edx, dword ptr [ebp-10]
0054F5F0 |. |33C0 |xor eax, eax
0054F5F2 |. |8A45 D7 |mov al, byte ptr [ebp-29]
0054F5F5 |. |E8 26AEEBFF |call 0040A420 ; ascii 3
0054F5FA |. |8D55 DC |lea edx, dword ptr [ebp-24]
0054F5FD |. |8B45 F4 |mov eax, dword ptr [ebp-C] ; DelphiAndJBuilder
0054F600 |0FB64418 FF movzx eax, byte ptr [eax+ebx-1] ; 正去
0054F605 |. |E8 16AEEBFF |call 0040A420 ; ascii 1
0054F60A |. |8D55 EC |lea edx, dword ptr [ebp-14]
0054F60D |. |33C0 |xor eax, eax
0054F60F |. |8A45 D6 |mov al, byte ptr [ebp-2A]
0054F612 |. |E8 09AEEBFF |call 0040A420
0054F617 |. |8B45 F0 |mov eax, dword ptr [ebp-10]
0054F61A |. |E8 594DEBFF |call 00404378
0054F61F |. |8B55 F0 |mov edx, dword ptr [ebp-10]
0054F622 |. |8A5402 FF |mov dl, byte ptr [edx+eax-1]
0054F626 |. |8D45 E8 |lea eax, dword ptr [ebp-18]
0054F629 |. |E8 624CEBFF |call 00404290
0054F62E |. |8B45 EC |mov eax, dword ptr [ebp-14]
0054F631 |. |E8 424DEBFF |call 00404378
0054F636 |. |8B55 EC |mov edx, dword ptr [ebp-14]
0054F639 |. |8A5402 FF |mov dl, byte ptr [edx+eax-1]
0054F63D |. |8D45 E4 |lea eax, dword ptr [ebp-1C]
0054F640 |. |E8 4B4CEBFF |call 00404290
0054F645 |. |8B45 DC |mov eax, dword ptr [ebp-24]
0054F648 |. |E8 2B4DEBFF |call 00404378
0054F64D |. |8B55 DC |mov edx, dword ptr [ebp-24]
0054F650 |. |8A5402 FF |mov dl, byte ptr [edx+eax-1]
0054F654 |. |8D45 D8 |lea eax, dword ptr [ebp-28]
0054F657 |. |E8 344CEBFF |call 00404290
0054F65C |. |8B45 E8 |mov eax, dword ptr [ebp-18]
0054F65F |. |E8 20AEEBFF |call 0040A484
0054F664 |. |50 |push eax
0054F665 |. |8B45 E4 |mov eax, dword ptr [ebp-1C]
0054F668 |. |E8 17AEEBFF |call 0040A484
0054F66D |. |5A |pop edx
0054F66E |. |03D0 |add edx, eax
0054F670 |. |52 |push edx
0054F671 |. |8B45 D8 |mov eax, dword ptr [ebp-28]
0054F674 |. |E8 0BAEEBFF |call 0040A484
0054F679 |. |8BD0 |mov edx, eax
0054F67B |. |58 |pop eax
0054F67C |. |03C2 |add eax, edx
0054F67E |. |8D55 E0 |lea edx, dword ptr [ebp-20]
0054F681 |. |E8 9AADEBFF |call 0040A420
0054F686 |. |8B45 E0 |mov eax, dword ptr [ebp-20]
0054F689 |. |E8 EA4CEBFF |call 00404378
0054F68E |. |48 |dec eax
0054F68F |. |7E 17 |jle short 0054F6A8
0054F691 |. |8B45 E0 |mov eax, dword ptr [ebp-20]
0054F694 |. |E8 DF4CEBFF |call 00404378
0054F699 |. |8B55 E0 |mov edx, dword ptr [ebp-20]
0054F69C |. |8A5402 FF |mov dl, byte ptr [edx+eax-1]
0054F6A0 |. |8D45 E0 |lea eax, dword ptr [ebp-20]
0054F6A3 |. |E8 E84BEBFF |call 00404290
0054F6A8 |> |8B45 F8 |mov eax, dword ptr [ebp-8]
0054F6AB |. |8B55 E0 |mov edx, dword ptr [ebp-20]
0054F6AE |. |E8 CD4CEBFF |call 00404380 ; 增加1位注册码
0054F6B3 |. |8B45 F8 |mov eax, dword ptr [ebp-8] ; 导入注册码
0054F6B6 |. |43 |inc ebx
0054F6B7 |. |4F |dec edi
0054F6B8 |.^\0F85 18FFFFFF \jnz 0054F5D6
0054F6BE |> 33C0 xor eax, eax
0054F6C0 |. 5A pop edx
0054F6C1 |. 59 pop ecx
0054F6C2 |. 59 pop ecx
0054F6C3 |. 64:8910 mov dword ptr fs:[eax], edx
0054F6C6 |. 68 F0F65400 push 0054F6F0
0054F6CB |> 8D45 D0 lea eax, dword ptr [ebp-30]
0054F6CE |. E8 154AEBFF call 004040E8
0054F6D3 |. 8D45 D8 lea eax, dword ptr [ebp-28]
0054F6D6 |. BA 08000000 mov edx, 8
0054F6DB |. E8 2C4AEBFF call 0040410C
0054F6E0 |. 8D45 FC lea eax, dword ptr [ebp-4]
0054F6E3 |. E8 004AEBFF call 004040E8
0054F6E8 \. C3 retn
通过字符串“ 请及时注册,谢谢!” 找到注册位置
总结下来
1. 取硬盘参数
2. 逆序出机器号(带一定算法)
算法里面
1. 硬盘参数正取 + 反取 + 一个“DelphiAndJBuilder”正取
通过一系列的运算 出注册码。。。
然后我就卡在那一系列运算上了~ call 太多，希望大侠们指点啊~~~
这算法有点纠结。。。。
还有软件会在c盘system32下面创建个文件 记录注册号和注册码
0054F907 |. E8 A0FEFFFF call 0054F7AC ; create file a
谢谢~