工资表之星9.0 注册算法分析
日期:2005年4月19日 破解人:Baby2008
--------------------------------------------------------------------------------------------------------------
【软件名称】:工资表之星9.0
【软件大小】:8.32 MB
【下载地址】:http://www.gzb99.com
【软件简介】:
工资管理,舍我其谁?对于工资管理这样的财务软件,您需要是性能成熟可靠、功能灵活强大,工资表之星可以全面满足您的要求:1、历经4
年发展,功能已完全成熟稳定,是中小型单位工资管理的最佳工具,全国数万用户已充分证明了这一点。2、设计定位于中小单位,从诞生之日
起就不断和用户交流,征求改进意见。程序设计非常贴近用户,有不少独到之处。功能相当灵活,几乎适用于每一类型单位。3、操作简便,界
面非常友好,大量的向导使您轻松入门。除帮助文件之外,还免费提供长达上百页图文并茂的入门手册(电子版)。4、国内功能最强的工资管理
软件之一:优秀的多账套管理功能,支持月报、日报和不定期报;超强汇总功能,可以按指定条件对多个帐套的数据联合汇总;智能化灵活的
报表定制,10余种常见报表;完备的数据导入和导出接口。工资支持发送邮件及短信。5、价廉物美,免费并赠送支票打印专家注册版。6、对
用户高度负责,任何版本的用户都可免费升级到最新版本。
【保护方式】:注册码保护,试用时间限制
【破解声明】:初学Crack,只是感兴趣,失误之处敬请诸位大侠赐教!
【破解工具】:OllyDbg.V1.10 聆风听雨汉化第二版、PeID 0.93,DeDe。
【破解过程】:
Borland Delphi 6.0 - 7.0程序未加壳,OD直接载入C:\Program Files\salarystar9\salarystar.exe,插件查找“注册成功,下次启动……”
,双击来到0067E500,向上查找,在0067E3F0下断,F9运行,输入注册码:12345678901234567890,点击确定,OD中断在:
0067E3F0 >/. 55 push ebp ; <-Tregform@BitBtn1Click
0067E3F1 |. 8BEC mov ebp,esp
0067E3F3 |. 33C9 xor ecx,ecx
0067E3F5 |. 51 push ecx
0067E3F6 |. 51 push ecx
0067E3F7 |. 51 push ecx
0067E3F8 |. 51 push ecx
0067E3F9 |. 51 push ecx
0067E3FA |. 53 push ebx
0067E3FB |. 56 push esi
0067E3FC |. 8BD8 mov ebx,eax
0067E3FE |. 33C0 xor eax,eax
0067E400 |. 55 push ebp
0067E401 |. 68 4DE56700 push <salaryst.->System.@HandleFinally>
0067E406 |. 64:FF30 push dword ptr fs:[eax]
0067E409 |. 64:8920 mov dword ptr fs:[eax],esp
0067E40C |. 8D55 F4 lea edx,[local.3]
0067E40F >|. 8B83 24030000 mov eax,dword ptr ds:[ebx+324] ; *Edit1:N.A.
0067E415 >|. E8 4A65E0FF call salaryst.00484964 ; ->Controls.TControl.GetText(TControl):TCaption;
0067E41A |. 837D F4 00 cmp [local.3],0
0067E41E |. 0F84 F9000000 je salaryst.0067E51D ; 注册码不能为空
0067E424 |. 8D45 F8 lea eax,[local.2]
0067E427 |. 8B15 98CF7000 mov edx,dword ptr ds:[70CF98] ; salaryst.0070EC68
0067E42D |. 8B12 mov edx,dword ptr ds:[edx]
0067E42F >|. E8 8065D8FF call salaryst.004049B4 ; ->System.@LStrLAsg(void;void;void;void);
0067E434 |. 8D55 F0 lea edx,[local.4]
0067E437 >|. 8B83 24030000 mov eax,dword ptr ds:[ebx+324] ; *Edit1:N.A.
0067E43D >|. E8 2265E0FF call salaryst.00484964 ; ->Controls.TControl.GetText(TControl):TCaption;
0067E442 |. 8B45 F0 mov eax,[local.4] ; 注册码
0067E445 |. 8D55 FC lea edx,[local.1]
0067E448 >|. E8 C7FEFFFF call salaryst.0067E314 ; ->:Tregform._PROC_0067E314()
0067E44D |. 8B45 FC mov eax,[local.1]
0067E450 >|. E8 5FFFFFFF call salaryst.0067E3B4 ; ->WebAdapt.TAdapterUpdateField.ConvertValueCount
(TAdapterUpdateField;AdaptReq.IActionFieldValue):System.Integer;
0067E455 |. 8BF0 mov esi,eax ; Eax=$A
0067E457 |. 83FE 05 cmp esi,5
0067E45A |. 0F8C BD000000 jl salaryst.0067E51D
0067E460 |. 8D45 EC lea eax,[local.5]
0067E463 |. 50 push eax
0067E464 >|. E8 7FFFFFFF call salaryst.0067E3E8 ; ->ADODB.TParameters.GetAttrCount
(TParameters):Integer;<+>
0067E469 |. 8BD0 mov edx,eax ; Eax=$4
0067E46B |. 8BCE mov ecx,esi ; Esi=$A
0067E46D |. 8B45 FC mov eax,[local.1] ; 注册码
0067E470 >|. E8 C769D8FF call salaryst.00404E3C ; ->System.@LStrCopy(注册码,4,10),记为SN[4-13];
0067E475 |. 8B45 EC mov eax,[local.5]
0067E478 |. 50 push eax
0067E479 |. A1 C0D27000 mov eax,dword ptr ds:[70D2C0]
0067E47E |. 8B00 mov eax,dword ptr ds:[eax]
0067E480 |. 8B80 DC000000 mov eax,dword ptr ds:[eax+DC]
0067E486 |. 33C9 xor ecx,ecx
0067E488 |. 8B55 F8 mov edx,[local.2]
0067E48B >|. E8 4CB0E6FF call salaryst.004E94DC ; 注册验证关键,跟进
0067E490 |. 84C0 test al,al
0067E492 |. 74 7F je short salaryst.0067E513 ; 验证爆破
0067E494 |. A1 C0D27000 mov eax,dword ptr ds:[70D2C0]
0067E499 |. 8B00 mov eax,dword ptr ds:[eax]
0067E49B |. 8B40 60 mov eax,dword ptr ds:[eax+60]
0067E49E >|. E8 2D8FE4FF call salaryst.004C73D0 ; ->DB.TDataSet.Close(TDataSet);
0067E4A3 |. A1 C0D27000 mov eax,dword ptr ds:[70D2C0]
0067E4A8 |. 8B00 mov eax,dword ptr ds:[eax]
0067E4AA |. 8B40 60 mov eax,dword ptr ds:[eax+60]
0067E4AD |. 8B80 48020000 mov eax,dword ptr ds:[eax+248]
0067E4B3 |. 8B10 mov edx,dword ptr ds:[eax]
0067E4B5 |. FF52 44 call dword ptr ds:[edx+44]
0067E4B8 |. A1 C0D27000 mov eax,dword ptr ds:[70D2C0]
0067E4BD |. 8B00 mov eax,dword ptr ds:[eax]
0067E4BF |. 8B40 60 mov eax,dword ptr ds:[eax+60]
0067E4C2 |. 8B80 48020000 mov eax,dword ptr ds:[eax+248]
0067E4C8 |. BA 64E56700 mov edx,salaryst.0067E564 ; ASCII "UPDATE USERINFO SET PROGRAMKEY=:PEKY"
0067E4CD |. 8B08 mov ecx,dword ptr ds:[eax]
0067E4CF |. FF51 38 call dword ptr ds:[ecx+38]
0067E4D2 |. A1 C0D27000 mov eax,dword ptr ds:[70D2C0]
0067E4D7 |. 8B00 mov eax,dword ptr ds:[eax]
0067E4D9 |. 8B40 60 mov eax,dword ptr ds:[eax+60]
0067E4DC |. 8B80 50020000 mov eax,dword ptr ds:[eax+250]
0067E4E2 |. 33D2 xor edx,edx
0067E4E4 >|. E8 6B68E4FF call salaryst.004C4D54 ; ->ComCtrls.TListItems.Delete(TListItems;Integer);<+>
0067E4E9 |. 8B55 FC mov edx,[local.1]
0067E4EC >|. E8 EB82E4FF call salaryst.004C67DC ; ->DB.TParam.SetAsString(TParam;AnsiString);
0067E4F1 |. A1 C0D27000 mov eax,dword ptr ds:[70D2C0]
0067E4F6 |. 8B00 mov eax,dword ptr ds:[eax]
0067E4F8 |. 8B40 60 mov eax,dword ptr ds:[eax+60]
0067E4FB >|. E8 3C59E6FF call salaryst.004E3E3C ; ->DBTables.TTable.DeleteTable(TTable);<+>
0067E500 |. B8 94E56700 mov eax,salaryst.0067E594 ; 注册成功……
0067E505 >|. E8 62E5E2FF call salaryst.004ACA6C ; ->Dialogs.ShowMessage(AnsiString);
0067E50A |. 8BC3 mov eax,ebx
0067E50C >|. E8 074EE2FF call salaryst.004A3318 ; ->Forms.TCustomForm.Close(TCustomForm);
0067E511 |. EB 0A jmp short salaryst.0067E51D
0067E513 |> B8 E8E56700 mov eax,salaryst.0067E5E8 ; 注册码错误
0067E518 >|. E8 4FE5E2FF call salaryst.004ACA6C ; ->Dialogs.ShowMessage(AnsiString);
0067E51D |> 33C0 xor eax,eax
0067E51F |. 5A pop edx
0067E520 |. 59 pop ecx
0067E521 |. 59 pop ecx
0067E522 |. 64:8910 mov dword ptr fs:[eax],edx
0067E525 |. 68 54E56700 push salaryst.0067E554
0067E52A |> 8D45 EC lea eax,[local.5]
0067E52D >|. E8 EA63D8FF call salaryst.0040491C ; ->System.@LStrClr(void;void);
0067E532 |. 8D45 F0 lea eax,[local.4]
0067E535 |. BA 02000000 mov edx,2
0067E53A >|. E8 0164D8FF call salaryst.00404940 ; ->System.@LStrArrayClr(void;void;Integer);
0067E53F |. 8D45 F8 lea eax,[local.2]
0067E542 |. BA 02000000 mov edx,2
0067E547 >|. E8 F463D8FF call salaryst.00404940 ; ->System.@LStrArrayClr(void;void;Integer);
0067E54C \. C3 retn
0067E54D > .^ E9 6A5CD8FF jmp salaryst.004041BC ; ->System.@HandleFinally;
0067E552 .^ EB D6 jmp short salaryst.0067E52A
0067E554 . 5E pop esi
0067E555 . 5B pop ebx
0067E556 . 8BE5 mov esp,ebp
0067E558 . 5D pop ebp
0067E559 . C3 retn
可以看出,程序在0067E470 处先取得试炼码的4-13位,记为SN[4-13],在0067E48B处调用函数验证,根据验证结果在0067E492跳转,跟进
0067E48B >|. E8 4CB0E6FF call salaryst.004E94DC 看看究竟:
--------------------------------------------------------------------------------------------------------------
004E94DC /$ 55 push ebp
004E94DD |. 8BEC mov ebp,esp
004E94DF |. 83C4 F0 add esp,-10
004E94E2 |. 53 push ebx
004E94E3 |. 33DB xor ebx,ebx
004E94E5 |. 895D F0 mov [local.4],ebx
004E94E8 |. 895D F4 mov [local.3],ebx
004E94EB |. 894D F8 mov [local.2],ecx
004E94EE |. 8955 FC mov [local.1],edx
004E94F1 |. 8BD8 mov ebx,eax
004E94F3 |. 8B45 FC mov eax,[local.1]
004E94F6 |. E8 D1B8F1FF call salaryst.00404DCC
004E94FB |. 8B45 F8 mov eax,[local.2]
004E94FE |. E8 C9B8F1FF call salaryst.00404DCC
004E9503 |. 8B45 08 mov eax,[arg.1]
004E9506 |. E8 C1B8F1FF call salaryst.00404DCC
004E950B |. 33C0 xor eax,eax
004E950D |. 55 push ebp
004E950E |. 68 C6954E00 push salaryst.004E95C6
004E9513 |. 64:FF30 push dword ptr fs:[eax]
004E9516 |. 64:8920 mov dword ptr fs:[eax],esp
004E9519 |. 8B45 FC mov eax,[local.1] ; 用户名,记为Name
004E951C |. E8 BBB6F1FF call salaryst.00404BDC ; Length(Name)
004E9521 |. 3B43 4C cmp eax,dword ptr ds:[ebx+4C] ; $64
004E9524 |. 7F 19 jg short salaryst.004E953F
004E9526 |. 8B45 FC mov eax,[local.1] ; Name
004E9529 |. E8 AEB6F1FF call salaryst.00404BDC ; Length(Name)
004E952E |. 3B43 50 cmp eax,dword ptr ds:[ebx+50] ; 3
004E9531 |. 7C 0C jl short salaryst.004E953F ; 3<Length(Name)<100
004E9533 |. 8B45 08 mov eax,[arg.1] ; SN[4-13]
004E9536 |. E8 A1B6F1FF call salaryst.00404BDC ; Length(SN[4-13])
004E953B |. 85C0 test eax,eax
004E953D |. 75 04 jnz short salaryst.004E9543
004E953F |> 33DB xor ebx,ebx
004E9541 |. EB 60 jmp short salaryst.004E95A3
004E9543 |> 8D55 F4 lea edx,[local.3]
004E9546 |. 8B45 08 mov eax,[arg.1] ; SN[4-13]
004E9549 |. E8 4EFFF1FF call salaryst.0040949C
004E954E |. 8B55 F4 mov edx,[local.3]
004E9551 |. 8D45 08 lea eax,[arg.1]
004E9554 |. E8 5BB4F1FF call salaryst.004049B4
004E9559 |. 8D4D F0 lea ecx,[local.4]
004E955C |. 8B55 FC mov edx,[local.1] ; Name
004E955F |. 8BC3 mov eax,ebx
004E9561 |. E8 72FCFFFF call salaryst.004E91D8 ; 关键,跟进!
004E9566 |. 8B45 F0 mov eax,[local.4] ; 由Name计算所得Serial的前10位
004E9569 |. 8B55 08 mov edx,[arg.1] ; SN[4-13]
004E956C |. E8 A3FFF1FF call salaryst.00409514 ; Strcmp(Name计算结果,SN[4-13])
004E9571 |. 85C0 test eax,eax
004E9573 75 04 jnz short salaryst.004E9579 ; 注册验证爆破点
004E9575 |. 33DB xor ebx,ebx
004E9577 |. EB 2A jmp short salaryst.004E95A3
004E9579 |> 8D43 48 lea eax,dword ptr ds:[ebx+48]
004E957C |. 8B55 FC mov edx,[local.1] ; 用户名
004E957F |. E8 ECB3F1FF call salaryst.00404970
004E9584 |. 8D43 54 lea eax,dword ptr ds:[ebx+54]
004E9587 |. 8B55 F8 mov edx,[local.2]
004E958A |. E8 E1B3F1FF call salaryst.00404970
004E958F |. 8D43 5C lea eax,dword ptr ds:[ebx+5C]
004E9592 |. 8B55 08 mov edx,[arg.1]
004E9595 |. E8 D6B3F1FF call salaryst.00404970
004E959A |. 8BC3 mov eax,ebx
004E959C |. E8 B3010000 call salaryst.004E9754
004E95A1 |. B3 01 mov bl,1
004E95A3 |> 33C0 xor eax,eax
004E95A5 |. 5A pop edx
004E95A6 |. 59 pop ecx
004E95A7 |. 59 pop ecx
004E95A8 |. 64:8910 mov dword ptr fs:[eax],edx
004E95AB |. 68 CD954E00 push salaryst.004E95CD
004E95B0 |> 8D45 F0 lea eax,[local.4]
004E95B3 |. BA 04000000 mov edx,4
004E95B8 |. E8 83B3F1FF call salaryst.00404940
004E95BD |. 8D45 08 lea eax,[arg.1]
004E95C0 |. E8 57B3F1FF call salaryst.0040491C
004E95C5 \. C3 retn
--------------------------------------------------------------------------------------------------------------
此处代码开始先对用户名Name进行简单的校验,要求: $3<length(Name)<$64,然后通过call salaryst.004E91D8产生注册码与SN[4-13]比较,
一致则注册成功! 004E9561 |. E8 72FCFFFF call salaryst.004E91D8当然是关键啦,跟进:
--------------------------------------------------------------------------------------------------------------
004E91D8 /$ 55 push ebp
004E91D9 |. 8BEC mov ebp,esp
004E91DB |. 83C4 E4 add esp,-1C
004E91DE |. 53 push ebx
004E91DF |. 56 push esi
004E91E0 |. 57 push edi
004E91E1 |. 33DB xor ebx,ebx
004E91E3 |. 895D E4 mov [local.7],ebx
004E91E6 |. 895D F4 mov [local.3],ebx
004E91E9 |. 8BF9 mov edi,ecx
004E91EB |. 8955 FC mov [local.1],edx ; Name
004E91EE |. 8BF0 mov esi,eax
004E91F0 |. 8B45 FC mov eax,[local.1]
004E91F3 |. E8 D4BBF1FF call salaryst.00404DCC
004E91F8 |. 33C0 xor eax,eax
004E91FA |. 55 push ebp
004E91FB |. 68 F1924E00 push salaryst.004E92F1
004E9200 |. 64:FF30 push dword ptr fs:[eax]
004E9203 |. 64:8920 mov dword ptr fs:[eax],esp
004E9206 |. 8B45 FC mov eax,[local.1] ; Name
004E9209 |. E8 CEB9F1FF call salaryst.00404BDC ; Length(Name)
004E920E |. 3B46 4C cmp eax,dword ptr ds:[esi+4C] ; $64
004E9211 |. 7F 0D jg short salaryst.004E9220
004E9213 |. 8B45 FC mov eax,[local.1] ; Name
004E9216 |. E8 C1B9F1FF call salaryst.00404BDC ; Length(Name)
004E921B |. 3B46 50 cmp eax,dword ptr ds:[esi+50] ; 3
004E921E |. 7D 0C jge short salaryst.004E922C
004E9220 |> 8BC7 mov eax,edi
004E9222 |. E8 F5B6F1FF call salaryst.0040491C
004E9227 |. E9 9F000000 jmp salaryst.004E92CB
004E922C |> 8B45 FC mov eax,[local.1] ; Name
004E922F |. E8 A8B9F1FF call salaryst.00404BDC ; Length(Name)
004E9234 |. 8BD8 mov ebx,eax ; EBX=Length(Name)
004E9236 |. EB 31 jmp short salaryst.004E9269
004E9238 |> 8B45 FC /mov eax,[local.1] ; Name
004E923B |. 8A4418 FF |mov al,byte ptr ds:[eax+ebx-1] ; Name[i],i=Length DownTo Length-6
004E923F |. 25 FF000000 |and eax,0FF ; Name[i] and FF
004E9244 |. 33D2 |xor edx,edx
004E9246 |. 52 |push edx
004E9247 |. 50 |push eax
004E9248 |. 8B46 68 |mov eax,dword ptr ds:[esi+68] ; 3BC068F1
004E924B |. 8B56 6C |mov edx,dword ptr ds:[esi+6C] ; 0DDE5F87
004E924E |. E8 15C8F1FF |call salaryst.00405A68 ; 0DDE5F873BC068F1 Mod Name[i]
004E9253 |. 52 |push edx ; /Arg2
004E9254 |. 50 |push eax ; |Arg1
004E9255 |. 8D45 E4 |lea eax,[local.7] ; |
004E9258 |. E8 0F0BF2FF |call salaryst.00409D6C ; \IntToStr
004E925D |. 8B55 E4 |mov edx,[local.7]
004E9260 |. 8D45 F4 |lea eax,[local.3]
004E9263 |. E8 7CB9F1FF |call salaryst.00404BE4
004E9268 |. 4B |dec ebx
004E9269 |> 8B45 FC mov eax,[local.1] ; Name
004E926C |. E8 6BB9F1FF |call salaryst.00404BDC ; Length(Name)
004E9271 |. 83E8 06 |sub eax,6 ; Length(Name)-6
004E9274 |. 3BD8 |cmp ebx,eax
004E9276 |. 7C 04 |jl short salaryst.004E927C
004E9278 |. 85DB |test ebx,ebx
004E927A |.^ 7F BC \jg short salaryst.004E9238
004E927C |> 8D55 F8 lea edx,[local.2]
004E927F |. 8B45 F4 mov eax,[local.3] ; Name计算结果
004E9282 |. E8 79C9F1FF call salaryst.00405C00 ; ValInt64(String;Integer;Integer):Int64;
004E9287 |. 8945 E8 mov [local.6],eax ; ValInt64 低字节
004E928A |. 8955 EC mov [local.5],edx ; ValInt64 高字节
004E928D |. 8B5E 60 mov ebx,dword ptr ds:[esi+60] ; $A
004E9290 |. 85DB test ebx,ebx
004E9292 |. 7F 11 jg short salaryst.004E92A5
004E9294 |. FF75 EC push [local.5] ; /Arg2
004E9297 |. FF75 E8 push [local.6] ; |Arg1
004E929A |. 8BD7 mov edx,edi ; |
004E929C |. 33C0 xor eax,eax ; |
004E929E |. E8 190BF2FF call salaryst.00409DBC ; \salaryst.00409DBC
004E92A3 |. EB 26 jmp short salaryst.004E92CB
004E92A5 |> FF75 EC push [local.5] ; /Arg2
004E92A8 |. FF75 E8 push [local.6] ; |Arg1
004E92AB |. 8BD7 mov edx,edi ; |
004E92AD |. 8BC3 mov eax,ebx ; |
004E92AF |. E8 080BF2FF call salaryst.00409DBC ; \IntToHex
004E92B4 |. 8B07 mov eax,dword ptr ds:[edi] ; 真正的SN后面部分,记为Serial
004E92B6 |. E8 21B9F1FF call salaryst.00404BDC ; Length
004E92BB |. 8BC8 mov ecx,eax
004E92BD |. 2B4E 60 sub ecx,dword ptr ds:[esi+60] ; 10
004E92C0 |. 8B56 60 mov edx,dword ptr ds:[esi+60]
004E92C3 |. 42 inc edx ; 10+1
004E92C4 |. 8BC7 mov eax,edi
004E92C6 |. E8 B1BBF1FF call salaryst.00404E7C ; System.@LStrDelete;即取Serial前10位
004E92CB |> 33C0 xor eax,eax
004E92CD |. 5A pop edx
004E92CE |. 59 pop ecx
004E92CF |. 59 pop ecx
004E92D0 |. 64:8910 mov dword ptr fs:[eax],edx
004E92D3 |. 68 F8924E00 push salaryst.004E92F8
004E92D8 |> 8D45 E4 lea eax,[local.7]
004E92DB |. E8 3CB6F1FF call salaryst.0040491C
004E92E0 |. 8D45 F4 lea eax,[local.3]
004E92E3 |. E8 34B6F1FF call salaryst.0040491C
004E92E8 |. 8D45 FC lea eax,[local.1]
004E92EB |. E8 2CB6F1FF call salaryst.0040491C
004E92F0 \. C3 retn
--------------------------------------------------------------------------------------------------------------
老家到了,开始又是校验用户名的有效性,然后循环计算注册名,产生注册码的后面部分。 【算法总结】:
1、循环从后面开始取注册名字符Name[i],直到Length(Name)-6结束;
2、0DDE5F873BC068F1 Mod Name[i] 转换位10进制字符串;
3、连接2产生的字符串,转换16进制字符串
4、取3中16进制字符串的前10位与试炼码SN[4-13]比较,相等注册成功。
Delphi 7.0注册机源代码如下:
Procedure TForm1.btn3Click(Sender: TObject);
Var
i: Integer;
Name, Temp: String;
Begin
Name := edt1.Text;
//用户名校验
If (Length(Name) <= 3) Or (Length(Name) > 100) Then Exit;
//用户名计算
For i := Length(Name) Downto 1 Do
If i > Length(Name) - 6 Then
Temp := Temp + IntToStr($0DDE5F873BC068F1 Mod (Ord(Name[i]) And $FF));
//前面3位,14位后,可以是任意字符 ,那前3位就取PEDIY中DIY吧
edt2.Text := 'DIY' + LeftStr(IntToHex(StrToInt64(Temp), 10), 10);
End;
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!