好久没有破解了,觉得难受,下了个小软破了一下.
东方法律宝典 2005 II的破解过程。
简介: 东方法眼网站制作的常用法律法规软件,收录最常用的法律法规、司法解释近300部,并包含民事证据规定及简易程序司法解释文书样式47种,
是法官、检察官、警官、法学院学生及其他公民的好助手。
下载网址:http://www.skycn.com/soft/18735.html
加了ASPack壳,用AspackDie.exe脱壳成功。
破解分析:
下断点利用了DEDE,
00478758 |. 8BD8 mov ebx,eax //在这里F2
0047875A |. 33C0 xor eax,eax
0047875C |. 55 push ebp
0047875D |. 68 F6874700 push <unpacked.->system.@HandleFinally;>
00478762 |. 64:FF30 push dword ptr fs:[eax]
00478765 |. 64:8920 mov dword ptr fs:[eax],esp
00478768 |. 8BC3 mov eax,ebx
0047876A |. 8B10 mov edx,dword ptr ds:[eax]
0047876C |. FF92 F0000000 call dword ptr ds:[edx+F0] ; 关键算法 F7
****************************************************************************************************
00478698 /. 55 push ebp
00478699 |. 8BEC mov ebp,esp
0047869B |. 6A 00 push 0
0047869D |. 6A 00 push 0
0047869F |. 53 push ebx
004786A0 |. 8BD8 mov ebx,eax
004786A2 |. 33C0 xor eax,eax
004786A4 |. 55 push ebp
004786A5 |. 68 FA864700 push unpacked.004786FA
004786AA |. 64:FF30 push dword ptr fs:[eax]
004786AD |. 64:8920 mov dword ptr fs:[eax],esp
004786B0 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004786B3 |. 8BC3 mov eax,ebx
004786B5 |. 8B08 mov ecx,dword ptr ds:[eax]
004786B7 |. FF91 E0000000 call dword ptr ds:[ecx+E0]
004786BD |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax=假码
004786C0 |. 50 push eax
004786C1 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004786C4 |. 8BC3 mov eax,ebx
004786C6 |. 8B08 mov ecx,dword ptr ds:[eax]
004786C8 |. FF91 E4000000 call dword ptr ds:[ecx+E4]
004786CE |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; EAX=机器码
004786D1 |. 8B8B F8020000 mov ecx,dword ptr ds:[ebx+2F8] ; ECX=常数dffy*dzs*v2005
004786D7 |. 5A pop edx
004786D8 |. E8 1FF7FFFF call unpacked.00477DFC ; F7
===============================================================================================================
00477C94 /$ 55 push ebp
00477C95 |. 8BEC mov ebp,esp
00477C97 |. 83C4 E0 add esp,-20
00477C9A |. 53 push ebx
00477C9B |. 56 push esi
00477C9C |. 57 push edi
00477C9D |. 33DB xor ebx,ebx
00477C9F |. 895D E0 mov dword ptr ss:[ebp-20],ebx
00477CA2 |. 895D E4 mov dword ptr ss:[ebp-1C],ebx
00477CA5 |. 895D E8 mov dword ptr ss:[ebp-18],ebx
00477CA8 |. 8BF9 mov edi,ecx
00477CAA |. 8955 F8 mov dword ptr ss:[ebp-8],edx
00477CAD |. 8945 FC mov dword ptr ss:[ebp-4],eax
00477CB0 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00477CB3 |. E8 20C3F8FF call unpacked.00403FD8
00477CB8 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; EAX=dffy*dzs*v2005
00477CBB |. E8 18C3F8FF call unpacked.00403FD8
00477CC0 |. 33C0 xor eax,eax
00477CC2 |. 55 push ebp
00477CC3 |. 68 ED7D4700 push unpacked.00477DED
00477CC8 |. 64:FF30 push dword ptr fs:[eax]
00477CCB |. 64:8920 mov dword ptr fs:[eax],esp
00477CCE |. 837D FC 00 cmp dword ptr ss:[ebp-4],0
00477CD2 |. 74 6F je short unpacked.00477D43
00477CD4 |. BB 01000000 mov ebx,1 ; EBX=1
00477CD9 |. 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477CDC |> 8B45 FC /mov eax,dword ptr ss:[ebp-4]
00477CDF |. E8 40C1F8FF |call unpacked.00403E24 ; 求机器码长度
00477CE4 |. 50 |push eax
00477CE5 |. 8BC3 |mov eax,ebx ; EAX=EBX
00477CE7 |. 48 |dec eax ; EAX--
00477CE8 |. 5A |pop edx
00477CE9 |. 8BCA |mov ecx,edx ; ECX=EDX
00477CEB |. 99 |cdq
00477CEC |. F7F9 |idiv ecx ; EAX/ECX
00477CEE |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
00477CF1 |. 8A0410 |mov al,byte ptr ds:[eax+edx] ; AL=机器码[I]
00477CF4 |. 50 |push eax
00477CF5 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
00477CF8 |. E8 27C1F8FF |call unpacked.00403E24 ; 求机器码长度
00477CFD |. 5A |pop edx ; EDX=机器码[I]
00477CFE |. 32D0 |xor dl,al ; DL XOR AL
00477D00 |. 32D3 |xor dl,bl ; DL XOR BL
00477D02 |. 8816 |mov byte ptr ds:[esi],dl ; 保存 [ESI]=DL
00477D04 |. 43 |inc ebx ; EBX++
00477D05 |. 46 |inc esi ; ESI++
00477D06 |. 83FB 0A |cmp ebx,0A
00477D09 |.^ 75 D1 \jnz short unpacked.00477CDC
00477D0B |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00477D0E |. E8 11C1F8FF call unpacked.00403E24 ; 求机器码长度
00477D13 |. 8BF0 mov esi,eax
00477D15 |. 85F6 test esi,esi
00477D17 |. 7E 2A jle short unpacked.00477D43
00477D19 |. BB 01000000 mov ebx,1 ; EBX=1
00477D1E |> 8B45 FC /mov eax,dword ptr ss:[ebp-4]
00477D21 |. E8 FEC0F8FF |call unpacked.00403E24 ; 求机器码长度 =10
00477D26 |. 2BC3 |sub eax,ebx ; EAX=9
00477D28 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4] ; EDX=机器码
00477D2B |. 8A0C02 |mov cl,byte ptr ds:[edx+eax] ; CL=机器码[9-I]
00477D2E |. 8BC3 |mov eax,ebx
00477D30 |. 48 |dec eax
00477D31 |. 51 |push ecx
00477D32 |. B9 09000000 |mov ecx,9
00477D37 |. 99 |cdq
00477D38 |. F7F9 |idiv ecx
00477D3A |. 59 |pop ecx
00477D3B |. 304C15 EF |xor byte ptr ss:[ebp+edx-11],cl ; 依次 异或
00477D3F |. 43 |inc ebx
00477D40 |. 4E |dec esi
00477D41 |.^ 75 DB \jnz short unpacked.00477D1E
00477D43 |> 837D F8 00 cmp dword ptr ss:[ebp-8],0
00477D47 |. 74 39 je short unpacked.00477D82
00477D49 |. BB 01000000 mov ebx,1
00477D4E |. 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477D51 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8]
00477D54 |. E8 CBC0F8FF |call unpacked.00403E24 ; 求dffy*dzs*v2005长度
00477D59 |. 50 |push eax
00477D5A |. 8BC3 |mov eax,ebx
00477D5C |. 48 |dec eax
00477D5D |. 5A |pop edx
00477D5E |. 8BCA |mov ecx,edx
00477D60 |. 99 |cdq
00477D61 |. F7F9 |idiv ecx
00477D63 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00477D66 |. 8A0410 |mov al,byte ptr ds:[eax+edx] ; al=changshu[i]
00477D69 |. 3206 |xor al,byte ptr ds:[esi] ; al^esi[i]
00477D6B |. 50 |push eax
00477D6C |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00477D6F |. E8 B0C0F8FF |call unpacked.00403E24 ; 求dffy*dzs*v2005长度
00477D74 |. 5A |pop edx
00477D75 |. 32D0 |xor dl,al ; dl^al
00477D77 |. 32D3 |xor dl,bl ; dl^bl
00477D79 |. 8816 |mov byte ptr ds:[esi],dl
00477D7B |. 43 |inc ebx
00477D7C |. 46 |inc esi
00477D7D |. 83FB 0A |cmp ebx,0A
00477D80 |.^ 75 CF \jnz short unpacked.00477D51
00477D82 |> 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00477D85 |. E8 1ABEF8FF call unpacked.00403BA4
00477D8A |. BB 09000000 mov ebx,9 ; EBX=9
00477D8F |. 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477D92 |> 8D45 E4 /lea eax,dword ptr ss:[ebp-1C]
00477D95 |. 8A16 |mov dl,byte ptr ds:[esi] ; DL=esi[i]
00477D97 |. E8 B0BFF8FF |call unpacked.00403D4C
00477D9C |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
00477D9F |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
00477DA2 |. E8 85C0F8FF |call unpacked.00403E2C
00477DA7 |. 46 |inc esi
00477DA8 |. 4B |dec ebx
00477DA9 |.^ 75 E7 \jnz short unpacked.00477D92
00477DAB |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00477DAE |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; EAX=RES[]
00477DB1 |. E8 9AFDFFFF call unpacked.00477B50 ; f7
00477DB6 |. 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; EDX=真码
=============================================================================================================
00477B50 /$ 55 push ebp
00477B51 |. 8BEC mov ebp,esp
00477B53 |. 83C4 F0 add esp,-10
00477B56 |. 53 push ebx
00477B57 |. 56 push esi
00477B58 |. 57 push edi
00477B59 |. 33C9 xor ecx,ecx
00477B5B |. 894D F0 mov dword ptr ss:[ebp-10],ecx
00477B5E |. 8BFA mov edi,edx
00477B60 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00477B63 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00477B66 |. E8 6DC4F8FF call unpacked.00403FD8
00477B6B |. 33C0 xor eax,eax
00477B6D |. 55 push ebp
00477B6E |. 68 847C4700 push unpacked.00477C84
00477B73 |. 64:FF30 push dword ptr fs:[eax]
00477B76 |. 64:8920 mov dword ptr fs:[eax],esp
00477B79 |. 8BC7 mov eax,edi
00477B7B |. E8 24C0F8FF call unpacked.00403BA4
00477B80 |. E9 D7000000 jmp unpacked.00477C5C
00477B85 |> 8B45 FC /mov eax,dword ptr ss:[ebp-4] ; EAX=RES[I]
00477B88 |. E8 97C2F8FF |call unpacked.00403E24 ; 求长度
00477B8D |. 8BC8 |mov ecx,eax
00477B8F |. 8BC1 |mov eax,ecx
00477B91 |. BB 03000000 |mov ebx,3 ; EBX=3
00477B96 |. 99 |cdq
00477B97 |. F7FB |idiv ebx
00477B99 |. 85C0 |test eax,eax
00477B9B |. 7E 07 |jle short unpacked.00477BA4
00477B9D |. BB 03000000 |mov ebx,3 ; EBX=3
00477BA2 |. EB 02 |jmp short unpacked.00477BA6
00477BA4 |> 8BD9 |mov ebx,ecx
00477BA6 |> 8D45 F9 |lea eax,dword ptr ss:[ebp-7]
00477BA9 |. 33C9 |xor ecx,ecx ; ECX=0
00477BAB |. BA 03000000 |mov edx,3 ; EDX=3
00477BB0 |. E8 B3AFF8FF |call unpacked.00402B68
00477BB5 |. 8D45 F5 |lea eax,dword ptr ss:[ebp-B]
00477BB8 |. B9 40000000 |mov ecx,40
00477BBD |. BA 04000000 |mov edx,4
00477BC2 |. E8 A1AFF8FF |call unpacked.00402B68
00477BC7 |. 8D45 FC |lea eax,dword ptr ss:[ebp-4] ; EAX=RES[I]
00477BCA |. E8 25C4F8FF |call unpacked.00403FF4
00477BCF |. 8D55 F9 |lea edx,dword ptr ss:[ebp-7]
00477BD2 |. 8BCB |mov ecx,ebx
00477BD4 |. E8 B7ACF8FF |call unpacked.00402890
00477BD9 |. 83FB 03 |cmp ebx,3
00477BDC |. 7C 08 |jl short unpacked.00477BE6
00477BDE |. 8A45 FB |mov al,byte ptr ss:[ebp-5] ; 取值
00477BE1 |. 24 3F |and al,3F ; AL & 3F
00477BE3 |. 8845 F8 |mov byte ptr ss:[ebp-8],al
00477BE6 |> 83FB 02 |cmp ebx,2
00477BE9 |. 7C 15 |jl short unpacked.00477C00
00477BEB |. 8A45 FA |mov al,byte ptr ss:[ebp-6]
00477BEE |. C1E0 02 |shl eax,2 ; AL*4
00477BF1 |. 33D2 |xor edx,edx ; EDX=0
00477BF3 |. 8A55 FB |mov dl,byte ptr ss:[ebp-5]
00477BF6 |. C1EA 06 |shr edx,6 ; EDX 右移6次
00477BF9 |. 0AC2 |or al,dl ; AL | DL
00477BFB |. 24 3F |and al,3F ; AL & 3F
00477BFD |. 8845 F7 |mov byte ptr ss:[ebp-9],al
00477C00 |> 8A45 F9 |mov al,byte ptr ss:[ebp-7]
00477C03 |. 8BD0 |mov edx,eax ; EDX=EAX
00477C05 |. C1E2 04 |shl edx,4 ; EDX 左移 4次
00477C08 |. 33C9 |xor ecx,ecx ; ECX=0
00477C0A |. 8A4D FA |mov cl,byte ptr ss:[ebp-6]
00477C0D |. C1E9 04 |shr ecx,4 ; ECX 右移4次
00477C10 |. 0AD1 |or dl,cl ; DL | CL
00477C12 |. 80E2 3F |and dl,3F ; DL & 3F
00477C15 |. 8855 F6 |mov byte ptr ss:[ebp-A],dl
00477C18 |. 25 FF000000 |and eax,0FF ; EAX & FF
00477C1D |. C1E8 02 |shr eax,2 ; EAX /4
00477C20 |. 24 3F |and al,3F ; AL & 3F
00477C22 |. 8845 F5 |mov byte ptr ss:[ebp-B],al ; 注意
00477C25 |. 8D45 FC |lea eax,dword ptr ss:[ebp-4]
00477C28 |. 8BCB |mov ecx,ebx
00477C2A |. BA 01000000 |mov edx,1
00477C2F |. E8 38C4F8FF |call unpacked.0040406C
00477C34 |. BE 04000000 |mov esi,4 ; ESI=4
00477C39 |. 8D5D F5 |lea ebx,dword ptr ss:[ebp-B] ; EBX=[EBP-B]
00477C3C |> 8D45 F0 |/lea eax,dword ptr ss:[ebp-10]
00477C3F |. 33D2 ||xor edx,edx
00477C41 |. 8A13 ||mov dl,byte ptr ds:[ebx]
00477C43 |. 8A92 9DE44700 ||mov dl,byte ptr ds:[edx+47E49D] ; 注意 [47E49D]数组字典表
00477C49 |. E8 FEC0F8FF ||call unpacked.00403D4C
00477C4E |. 8B55 F0 ||mov edx,dword ptr ss:[ebp-10]
00477C51 |. 8BC7 ||mov eax,edi
00477C53 |. E8 D4C1F8FF ||call unpacked.00403E2C ; 取真码后保存
00477C58 |. 43 ||inc ebx ; EBX++
00477C59 |. 4E ||dec esi ; ESI--
00477C5A |.^ 75 E0 |\jnz short unpacked.00477C3C
00477C5C |> 837D FC 00 cmp dword ptr ss:[ebp-4],0
00477C60 |.^ 0F85 1FFFFFFF \jnz unpacked.00477B85
00477C66 |. 33C0 xor eax,eax
========================================================================================================
// Console program from the write-up: reads a machine code from stdin and prints
// a 12-character string built from it, the constant kk[] and the table tab[].
//
// Build notes: the __asm blocks are MSVC-style x86 inline assembly, and the loops
// after the first one reuse `i` without redeclaring it, which standard C++ scoping
// rejects -- presumably built with an older MSVC that kept the loop variable in
// scope; confirm before compiling elsewhere.
//
// NOTE(review): everything computed here depends only on the typed-in machine code
// and on constants embedded in this file (kk, tab, 10, 0x0E). The derivation holds
// no secret, so a check built this way can be reproduced from the client binary
// alone; a licence check that has to resist that needs a value the client never
// holds, e.g. a signature verified against a public key.
void main()
{
// jqm = machine code as typed, kk = first 10 characters of the constant the
// disassembly annotates as "dffy*dzs*v2005", tmp = working buffer.
char jqm[11]={0},kk[]= {'d','f','f','y','*','d','z','s','*','v'},tmp[11]={0};// "4671145184"
char tab[]="IYAGPXDJQWMHVCNFUZRBKESOLTtfkysbohlujwecpmiaqndxzvgr46+02573/81=";// lookup table for the output characters; indexed below with values masked to 6 bits
// zhucema = output string (12 characters + terminator), tmp1 = the four 6-bit indices of one pass.
char zhucema[13]={0},tmp1[13]={0};
unsigned int t,t1;
// NOTE(review): operator>> into a char array is unbounded here; more than 10
// input characters overruns the 11-byte jqm buffer.
cin>>jqm;
// Pass 1: tmp[i] = jqm[i] ^ 10 ^ (i+1) for the first 9 bytes.
// The 10 is presumably the machine-code length the disassembly XORs in -- confirm.
for(int i=0;i<9;i++)
{
t=jqm[i]^10;
t=t^(i+1);
tmp[i]=t;
}
cout<<"您的机器码是: "<<jqm<<endl;
// Pass 2: XOR the machine code into tmp[] in reverse order (tmp[9-i] ^= jqm[i]).
// tmp[0] is saved before the loop and restored after it, and tmp[9] is cleared,
// so only tmp[1]..tmp[8] keep the result of this loop.
t=tmp[0];
for( i=9;i>=0;i--)
{
tmp[9-i]=tmp[9-i]^jqm[i];
}
tmp[0]=t;
tmp[9]=0;
// Memory dump kept from the original write-up; the page does not say what it shows.
/*
0012F980 3F ...?
0012F984 0A0A0F06 ....
0012F988 0D040909 ....
*/
// Pass 3: tmp[i] = tmp[i] ^ kk[i] ^ 0x0E ^ (i+1) for the first 9 bytes.
// 0x0E (14) is presumably the length of the constant string -- confirm.
for( i=0;i<9;i++)
{
t=tmp[i]^kk[i];
t=t^0x0E;
t=t^(i+1);
tmp[i]=t;
}
// First table pass: uses the first 3 bytes of tmp[] computed above.
// Each pass splits 3 bytes into four 6-bit indices (tmp1[0..3]).
tmp1[0]=tmp[2]&0x3f;
t=tmp[1];
__asm
{
shl t,2
}
t1=tmp[2];
__asm
{
shr t1,6
}
t=t|t1;
t=t&0x3f;
tmp1[1]=t;
t=tmp[0];
__asm
{
shl t,4
}
t1=tmp[1];
__asm
{
shr t1,4
}
t=t|t1;
t=t&0x3f;
tmp1[2]=t;
t=tmp[0];
t&=0xff;
t/=4;
t=t&0x3f;
tmp1[3]=t;
// Indices are written back in reverse (3-i), so tmp1[3] gives the first character.
for(i=0;i<4;i++)
{
zhucema[3-i]=tab[tmp1[i]];// characters 1-4 of the output
}
// Second table pass: uses the middle 3 bytes of tmp[] (tmp[3..5]).
tmp1[0]=tmp[5]&0x3f;
t=tmp[4];
__asm
{
shl t,2
}
t1=tmp[5];
__asm
{
shr t1,6
}
t=t|t1;
t=t&0x3f;
tmp1[1]=t;
t=tmp[3];
__asm
{
shl t,4
}
t1=tmp[4];
__asm
{
shr t1,4
}
t=t|t1;
t=t&0x3f;
tmp1[2]=t;
t=tmp[3];
t&=0xff;
t/=4;
t=t&0x3f;
tmp1[3]=t;
for(i=0;i<4;i++)
{
zhucema[7-i]=tab[tmp1[i]];// characters 5-8 of the output
}
// Third table pass: uses the last 3 bytes of tmp[] (tmp[6..8]).
tmp1[0]=tmp[8]&0x3f;
t=tmp[7];
__asm
{
shl t,2
}
t1=tmp[8];
__asm
{
shr t1,6
}
t=t|t1;
t=t&0x3f;
tmp1[1]=t;
t=tmp[6];
__asm
{
shl t,4
}
t1=tmp[7];
__asm
{
shr t1,4
}
t=t|t1;
t=t&0x3f;
tmp1[2]=t;
t=tmp[6];
t&=0xff;
t/=4;
t=t&0x3f;
tmp1[3]=t;
for(i=0;i<4;i++)
{
zhucema[11-i]=tab[tmp1[i]];// characters 9-12 of the output
}
cout<<"您的注册码是: "<<zhucema<<endl;
}
========================================================================================
下次再会!^_^