[原创]新特人力资源管理系统 2.12(网络版) 完整算法分析
2005-5-22 03:48
[原创]新特人力资源管理系统 2.12(网络版) 完整算法分析
【破文标题】:新特人力资源管理系统 2.12(网络版) 完整算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:新特人力资源管理系统 2.12
【软件大小】:2632 KB
【软件类别】:国产软件/共享版/行政管理
【整理时间】:2005-4-6
【下载地址】:http://xts.com.cn/
【软件简介】:该系统是一个协助各单位进行科学、全面高效进行人事管理的系统,它参考了哈佛人力资源管理理论,根植于国内人事管理的实际情况,实用而科学。 在内容上,包括了人事变动(新进员工登记、员工离职登记和人事变更管理)、考勤(请假、加班、出差管理等),考核与奖惩、人事档案完整资料(基本资料、人事合同、生理状况、户籍、政治情况、投保管理、担保情况等),工资管理(包括每月应发,实发,补贴,代扣以及发工资所需要各种币值的数量等)等内容。
【保护方式】:注册码+试用时间期制+部分功能限制
【编译语言】:Borland Delphi 6.0 - 7.0
【调试环境】:Win2K、PEiD、W32Dasm、Ollydbg
【破解日期】:2005-05-23
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
【破解过程】:
****** 试炼信息 ******
用户名称:KuNgBiM
产品编号:4JV2C92G
授权编号:78787878
**********************
:005A1AB0 6A00
push 00000000
:005A1AB2 6A00
push 00000000
:005A1AB4 49
dec ecx
:005A1AB5 75F9
jne 005A1AB0
:005A1AB7 51
push ecx
:005A1AB8 53
push ebx
:005A1AB9 56
push esi
:005A1ABA 57
push edi
:005A1ABB 8945FC
mov dword ptr [
ebp-04],
eax
:005A1ABE 33C0
xor eax,
eax
:005A1AC0 55
push ebp
:005A1AC1 68F41C5A00
push 005A1CF4
:005A1AC6 64FF30
push dword ptr fs:[
eax]
:005A1AC9 648920
mov dword ptr fs:[
eax],
esp
:005A1ACC 8D55F0
lea edx,
dword ptr [
ebp-10]
:005A1ACF 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1AD2 8B800C030000
mov eax,
dword ptr [
eax+0000030C]
:005A1AD8 E8ABBEEAFF
call 0044D988 //
取用户名称
:005A1ADD 8B45F0
mov eax,
dword ptr [
ebp-10] //ASCII
"KuNgBiM"
:005A1AE0 8D55F4
lea edx,
dword ptr [
ebp-0C]
:005A1AE3 E8D87CE6FF
call 004097C0 //
对用户名称做字符串处理,结果存入[ebp-0C](后文0058A242处同一函数处理固定字符串后返回的仍是字符串,应为Trim一类而非取位数)
:005A1AE8 837DF400
cmp dword ptr [
ebp-0C], 00000000 //
处理后的用户名称是否为空([ebp-0C]为0表示空串)
:005A1AEC 7522
jne 005A1B10 //
用户名称非空则跳转继续;不跳则提示“请填写用户名称!”并退出
:005A1AEE 33D2
xor edx,
edx
* Possible StringData Ref from Code Obj ->
"请填写用户名称!"
|
:005A1AF0 B80C1D5A00
mov eax, 005A1D0C
:005A1AF5 E8367DFEFF
call 00589830
:005A1AFA 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1AFD 8B800C030000
mov eax,
dword ptr [
eax+0000030C]
:005A1B03 8B10
mov edx,
dword ptr [
eax]
:005A1B05 FF92C0000000
call dword ptr [
edx+000000C0]
:005A1B0B E97F010000
jmp 005A1C8F
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:005A1AEC(C)
|
:005A1B10 8D55E8
lea edx,
dword ptr [
ebp-18]
:005A1B13 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1B16 8B80FC020000
mov eax,
dword ptr [
eax+000002FC]
:005A1B1C E867BEEAFF
call 0044D988 //
取授权编号
:005A1B21 8B45E8
mov eax,
dword ptr [
ebp-18] //ASCII
"78787878"
:005A1B24 8D55EC
lea edx,
dword ptr [
ebp-14]
:005A1B27 E8947CE6FF
call 004097C0 //
对授权编号做字符串处理,结果存入[ebp-14](与005A1AE3处同一函数004097C0,并非取位数)
:005A1B2C 837DEC00
cmp dword ptr [
ebp-14], 00000000 //
处理后的授权编号是否为空([ebp-14]为0表示空串)
:005A1B30 7522
jne 005A1B54 //
授权编号非空则跳转继续;不跳则提示“授权号不能为空,请填写授权号!”并退出
:005A1B32 33D2
xor edx,
edx
* Possible StringData Ref from Code Obj ->
"授权号不能为空,请填写授权号!"
|
:005A1B34 B8281D5A00
mov eax, 005A1D28
:005A1B39 E8F27CFEFF
call 00589830
:005A1B3E 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1B41 8B80FC020000
mov eax,
dword ptr [
eax+000002FC]
:005A1B47 8B10
mov edx,
dword ptr [
eax]
:005A1B49 FF92C0000000
call dword ptr [
edx+000000C0]
:005A1B4F E93B010000
jmp 005A1C8F
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:005A1B30(C)
|
:005A1B54 8D55E4
lea edx,
dword ptr [
ebp-1C] //EDX
指向局部变量[ebp-1C],用来接收下面取出的产品编号(并非清零)
:005A1B57 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1B5A 8B80F4020000
mov eax,
dword ptr [
eax+000002F4]
:005A1B60 E823BEEAFF
call 0044D988 //
取产品编号
:005A1B65 8B45E4
mov eax,
dword ptr [
ebp-1C] //ASCII
"4JV2C92G"
:005A1B68 8D55F8
lea edx,
dword ptr [
ebp-08]
:005A1B6B E88485FEFF
call 0058A0F4 //
算法CALL,F7跟进!★
:005A1B70 8D55DC
lea edx,
dword ptr [
ebp-24] //
向EDX赋值
:005A1B73 8B45FC
mov eax,
dword ptr [
ebp-04] //EAX
取回入口处保存在[ebp-04]中的EAX值(应为窗体对象指针,并非清零)
:005A1B76 8B80FC020000
mov eax,
dword ptr [
eax+000002FC]
:005A1B7C E807BEEAFF
call 0044D988 //
取授权编号
:005A1B81 8B45DC
mov eax,
dword ptr [
ebp-24] //
试炼码向EAX赋值
:005A1B84 8D55E0
lea edx,
dword ptr [
ebp-20]
:005A1B87 E8347CE6FF
call 004097C0 //
对试炼码做与005A1AE3处相同的字符串处理(同一函数004097C0),结果存入[ebp-20]
:005A1B8C 8B45E0
mov eax,
dword ptr [
ebp-20] //
试炼码赋值给EAX
:005A1B8F 8B55F8
mov edx,
dword ptr [
ebp-08] //
注册码赋值给EDX
:005A1B92 E81532E6FF
call 00404DAC //
关键CALL(比较CALL)
:005A1B97 0F85E3000000
jne 005A1C80 //
爆破点
:005A1B9D 33C0
xor eax,
eax
:005A1B9F 55
push ebp
:005A1BA0 686C1C5A00
push 005A1C6C
:005A1BA5 64FF30
push dword ptr fs:[
eax]
:005A1BA8 648920
mov dword ptr fs:[
eax],
esp
:005A1BAB B201
mov dl, 01
:005A1BAD A1F8634700
mov eax,
dword ptr [004763F8]
:005A1BB2 E84149EDFF
call 004764F8
:005A1BB7 8BD8
mov ebx,
eax
:005A1BB9 BA02000080
mov edx, 80000002
:005A1BBE 8BC3
mov eax,
ebx
:005A1BC0 E8D349EDFF
call 00476598
:005A1BC5 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->
"software\yiyong\rsgz" //
写入注册表的注册信息保存位置
|
:005A1BC7 BA501D5A00
mov edx, 005A1D50
:005A1BCC 8BC3
mov eax,
ebx
:005A1BCE E8294AEDFF
call 004765FC
:005A1BD3 8D55D8
lea edx,
dword ptr [
ebp-28]
:005A1BD6 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1BD9 8B800C030000
mov eax,
dword ptr [
eax+0000030C]
:005A1BDF E8A4BDEAFF
call 0044D988
:005A1BE4 8B4DD8
mov ecx,
dword ptr [
ebp-28]
* Possible StringData Ref from Code Obj ->
"UserName" //
入驻注册表内的用户名称
|
:005A1BE7 BA701D5A00
mov edx, 005A1D70
:005A1BEC 8BC3
mov eax,
ebx
:005A1BEE E8A54BEDFF
call 00476798
:005A1BF3 8D55D0
lea edx,
dword ptr [
ebp-30]
:005A1BF6 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1BF9 8B80F4020000
mov eax,
dword ptr [
eax+000002F4]
:005A1BFF E884BDEAFF
call 0044D988
:005A1C04 8B45D0
mov eax,
dword ptr [
ebp-30]
:005A1C07 8D55D4
lea edx,
dword ptr [
ebp-2C]
:005A1C0A E8117DFEFF
call 00589920
:005A1C0F 8B4DD4
mov ecx,
dword ptr [
ebp-2C]
* Possible StringData Ref from Code Obj ->
"SignCode" //
入驻注册表内的产品编号(硬盘号)
|
:005A1C12 BA841D5A00
mov edx, 005A1D84
:005A1C17 8BC3
mov eax,
ebx
:005A1C19 E87A4BEDFF
call 00476798
:005A1C1E 8D55CC
lea edx,
dword ptr [
ebp-34]
:005A1C21 8B45F8
mov eax,
dword ptr [
ebp-08]
:005A1C24 E8F77CFEFF
call 00589920
:005A1C29 8B4DCC
mov ecx,
dword ptr [
ebp-34]
* Possible StringData Ref from Code Obj ->
"RegCode" //
入驻注册表内的授权编号(注册码)
|
:005A1C2C BA981D5A00
mov edx, 005A1D98
:005A1C31 8BC3
mov eax,
ebx
:005A1C33 E8604BEDFF
call 00476798
:005A1C38 8BC3
mov eax,
ebx
:005A1C3A E8E11EE6FF
call 00403B20
:005A1C3F 33D2
xor edx,
edx
* Possible StringData Ref from Code Obj ->
"系统注册成功,欢迎你使用本软件!" //
注册成功的提示信息
|
:005A1C41 B8A81D5A00
mov eax, 005A1DA8
:005A1C46 E8E57BFEFF
call 00589830
:005A1C4B A1C8D35E00
mov eax,
dword ptr [005ED3C8]
:005A1C50 C70002000000
mov dword ptr [
eax], 00000002
:005A1C56 A16CD15E00
mov eax,
dword ptr [005ED16C]
:005A1C5B 8B00
mov eax,
dword ptr [
eax]
:005A1C5D E8FED7ECFF
call 0046F460
:005A1C62 33C0
xor eax,
eax
:005A1C64 5A
pop edx
:005A1C65 59
pop ecx
:005A1C66 59
pop ecx
:005A1C67 648910
mov dword ptr fs:[
eax],
edx
:005A1C6A EB23
jmp 005A1C8F
:005A1C6C E98F23E6FF
jmp 00404000
:005A1C71 8B45FC
mov eax,
dword ptr [
ebp-04]
:005A1C74 E8379FECFF
call 0046BBB0
:005A1C79 E8AE27E6FF
call 0040442C
:005A1C7E EB0F
jmp 005A1C8F
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:005A1B97(C)
|
:005A1C80 BA03000000
mov edx, 00000003
* Possible StringData Ref from Code Obj ->
"系统注册失败,请检查注册是否有误!" //
注册失败的提示信息
|
:005A1C85 B8D41D5A00
mov eax, 005A1DD4
:005A1C8A E8A17BFEFF
call 00589830
=============== 跟进:005A1B6B E88485FEFF call 0058A0F4 [算法CALL] ===============
0058A0F4 55
push ebp
0058A0F5 8BEC
mov ebp,
esp
0058A0F7 B9 05000000
mov ecx,5 //
循环5次,每次压入两个0,为局部变量预留并清零10个dword(并非检查注册内容)
0058A0FC 6A 00
push 0
0058A0FE 6A 00
push 0
0058A100 49
dec ecx
0058A101 ^ 75 F9
jnz short ManGl.0058A0FC
0058A103 53
push ebx
0058A104 56
push esi
0058A105 57
push edi
0058A106 8BFA
mov edi,
edx
0058A108 8945 FC
mov dword ptr ss:[
ebp-4],
eax //
取产品编号 ASCII "4JV2C92G
"
0058A10B 8B45 FC
mov eax,
dword ptr ss:[
ebp-4] //
移入EAX,准备开始计算
0058A10E E8 3DADE7FF
call ManGl.00404E50
0058A113 33C0
xor eax,
eax //
异或清零
0058A115 55
push ebp
0058A116 68 B0A25800
push ManGl.0058A2B0
0058A11B 64:FF30
push dword ptr fs:[
eax]
0058A11E 64:8920
mov dword ptr fs:[
eax],
esp
0058A121 8BC7
mov eax,
edi
0058A123 E8 88A8E7FF
call ManGl.004049B0
0058A128 8B45 FC
mov eax,
dword ptr ss:[
ebp-4] //
取产品编号 ASCII "4JV2C92G
"
0058A12B E8 38ABE7FF
call ManGl.00404C68
0058A130 8BF0
mov esi,
eax
0058A132 85F6
test esi,
esi //
esi=8
0058A134 7E 26
jle short ManGl.0058A15C
0058A136 BB 01000000
mov ebx,1 //
运算开始
0058A13B 8D4D EC
lea ecx,
dword ptr ss:[
ebp-14]
0058A13E 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0058A141 0FB64418 FF
movzx eax,
byte ptr ds:[
eax+
ebx-1] //
依次取产品编号的HEX值
0058A146 33D2
xor edx,
edx //
异或清零
0058A148 E8 9BFBE7FF
call ManGl.00409CE8
0058A14D 8B55 EC
mov edx,
dword ptr ss:[
ebp-14] //
产品编号的HEX值
//1
、EDX=34“4”
//2
、EDX=4A“J”
//3
、EDX=56“V”
//4
、EDX=32“2”
//5
、EDX=43“C”
//6
、EDX=39“9”
//7
、EDX=32“2”
//8
、EDX=47“G”
0058A150 8D45 F8
lea eax,
dword ptr ss:[
ebp-8] //
EAX指向[ebp-8],各字符的HEX值依次连接到其中,最终为344A563243393247
0058A153 E8 18ABE7FF
call ManGl.00404C70
0058A158 43
inc ebx //EBX
自加一,指向下一位
0058A159 4E
dec esi
0058A15A ^ 75 DF
jnz short ManGl.0058A13B //
向上循环运算开始
0058A15C 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
0058A15F E8 04ABE7FF
call ManGl.00404C68
0058A164 8BF0
mov esi,
eax
0058A166 85F6
test esi,
esi
0058A168 7E 2C
jle short ManGl.0058A196
0058A16A BB 01000000
mov ebx,1
0058A16F 8B45 F8
mov eax,
dword ptr ss:[
ebp-8] //
分别将HEX值取倒
0058A172 E8 F1AAE7FF
call ManGl.00404C68
0058A177 2BC3
sub eax,
ebx
0058A179 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
0058A17C 8A1402
mov dl,
byte ptr ds:[
edx+
eax]
0058A17F 8D45 E8
lea eax,
dword ptr ss:[
ebp-18]
0058A182 E8 09AAE7FF
call ManGl.00404B90
0058A187 8B55 E8
mov edx,
dword ptr ss:[
ebp-18]
0058A18A 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0058A18D E8 DEAAE7FF
call ManGl.00404C70
0058A192 43
inc ebx //EBX
自加一,指向下一位
0058A193 4E
dec esi
0058A194 ^ 75 D9
jnz short ManGl.0058A16F //
向上循环取倒运算开始
0058A196 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
0058A199 50
push eax
0058A19A B9 04000000
mov ecx,4
0058A19F BA 01000000
mov edx,1
0058A1A4 8B45 F4
mov eax,
dword ptr ss:[
ebp-C] //
取倒完毕EAX值变为"742393342365A443
"
0058A1A7 E8 14ADE7FF
call ManGl.00404EC0
0058A1AC 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0058A1AF 50
push eax
0058A1B0 B9 04000000
mov ecx,4 //
取4位数
0058A1B5 BA 05000000
mov edx,5
0058A1BA 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
0058A1BD E8 FEACE7FF
call ManGl.00404EC0
0058A1C2 8B45 F8
mov eax,
dword ptr ss:[
ebp-8] //
存入内存EAX,待取! ASCII "7423
" ★SN1
0058A1C5 E8 9EAAE7FF
call ManGl.00404C68
0058A1CA 83F8 04
cmp eax,4 //
长度是否已达4位
0058A1CD 7D 2F
jge short ManGl.0058A1FE //
已达4位则跳过下面的补位循环
0058A1CF 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
0058A1D2 E8 91AAE7FF
call ManGl.00404C68
0058A1D7 8BD8
mov ebx,
eax
0058A1D9 83FB 03
cmp ebx,3
0058A1DC 7F 20
jg short ManGl.0058A1FE
0058A1DE 8D4D E4
lea ecx,
dword ptr ss:[
ebp-1C]
0058A1E1 8BC3
mov eax,
ebx
0058A1E3 C1E0 02
shl eax,2
0058A1E6 33D2
xor edx,
edx
0058A1E8 E8 FBFAE7FF
call ManGl.00409CE8
0058A1ED 8B55 E4
mov edx,
dword ptr ss:[
ebp-1C]
0058A1F0 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
0058A1F3 E8 78AAE7FF
call ManGl.00404C70
0058A1F8 43
inc ebx
0058A1F9 83FB 04
cmp ebx,4
0058A1FC ^ 75 E0
jnz short ManGl.0058A1DE
0058A1FE 8B45 F4
mov eax,
dword ptr ss:[
ebp-C] //
存入内存EAX,待取! ASCII "9334
" ★SN2
0058A201 E8 62AAE7FF
call ManGl.00404C68
0058A206 83F8 04
cmp eax,4 //
长度是否已达4位
0058A209 7D 2F
jge short ManGl.0058A23A //
已达4位则跳过下面的补位循环
0058A20B 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
0058A20E E8 55AAE7FF
call ManGl.00404C68
0058A213 8BD8
mov ebx,
eax
0058A215 83FB 03
cmp ebx,3
0058A218 7F 20
jg short ManGl.0058A23A
0058A21A 8D4D E0
lea ecx,
dword ptr ss:[
ebp-20]
0058A21D 8BC3
mov eax,
ebx
0058A21F C1E0 02
shl eax,2
0058A222 33D2
xor edx,
edx
0058A224 E8 BFFAE7FF
call ManGl.00409CE8
0058A229 8B55 E0
mov edx,
dword ptr ss:[
ebp-20]
0058A22C 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0058A22F E8 3CAAE7FF
call ManGl.00404C70
0058A234 43
inc ebx
0058A235 83FB 04
cmp ebx,4
0058A238 ^ 75 E0
jnz short ManGl.0058A21A
0058A23A 8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
0058A23D B8 C8A25800
mov eax,ManGl.0058A2C8 //
获取固定字符串 ASCII "B6E5-7U3N
"
0058A242 E8 79F5E7FF
call ManGl.004097C0
0058A247 8D45 DC
lea eax,
dword ptr ss:[
ebp-24]
0058A24A 50
push eax
0058A24B B9 04000000
mov ecx,4 //
取4位数
0058A250 BA 01000000
mov edx,1
0058A255 8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
0058A258 E8 63ACE7FF
call ManGl.00404EC0
0058A25D FF75 DC
push dword ptr ss:[
ebp-24] //ASCII
"B6E5" ★SN3
0058A260 68 DCA25800
push ManGl.0058A2DC //
用“-”符号连接
0058A265 FF75 F8
push dword ptr ss:[
ebp-8] //
从内存中取出★SN1 ASCII "7423
"
0058A268 8D45 D8
lea eax,
dword ptr ss:[
ebp-28]
0058A26B 50
push eax
0058A26C B9 05000000
mov ecx,5
0058A271 BA 05000000
mov edx,5 //
取5位数
0058A276 8B45 F0
mov eax,
dword ptr ss:[
ebp-10] //
再次取固定字符串 ASCII "B6E5-7U3N
"
0058A279 E8 42ACE7FF
call ManGl.00404EC0
0058A27E FF75 D8
push dword ptr ss:[
ebp-28] //ASCII
"-7U3N" ★SN4
0058A281 68 DCA25800
push ManGl.0058A2DC //
用“-”符号连接
0058A286 FF75 F4
push dword ptr ss:[
ebp-C] //
从内存中取出★SN2 ASCII "9334
"
0058A289 8BC7
mov eax,
edi
0058A28B BA 06000000
mov edx,6
0058A290 E8 93AAE7FF
call ManGl.00404D28
0058A295 33C0
xor eax,
eax
0058A297 5A
pop edx
0058A298 59
pop ecx
0058A299 59
pop ecx
0058A29A 64:8910
mov dword ptr fs:[
eax],
edx
0058A29D 68 B7A25800
push ManGl.0058A2B7
0058A2A2 8D45 D8
lea eax,
dword ptr ss:[
ebp-28]
0058A2A5 BA 0A000000
mov edx,0A
0058A2AA E8 25A7E7FF
call ManGl.004049D4
0058A2AF C3
retn
0058A2B0 ^\E9 FF9FE7FF
jmp ManGl.004042B4 //
异常处理入口(即0058A116处压入的地址0058A2B0),跳往004042B4,并非继续计算
0058A2B5 ^ EB EB
jmp short ManGl.0058A2A2
0058A2B7 5F
pop edi
0058A2B8 5E
pop esi
0058A2B9 5B
pop ebx
0058A2BA 8BE5
mov esp,
ebp
0058A2BC 5D
pop ebp
0058A2BD C3
retn //
返回程序
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
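注册验证非常简单:
用户名可以任意填写,并不参与注册码计算!
1、取机器码(即产品编号)十六进制来反排序.
2、用到的常数为“B6E5-7U3N”.
3、注册码的组合方式为:
注册码=“B6E5”+“-”+取倒(HEX(机器码倒数1、2位))+“-7U3N”+“-”+取倒(HEX(机器码倒数后3、4位))
即:SN3 + “-” + SN1 + SN4 + “-” + SN2
从保护设计上看:正确的授权编号完全由产品编号和程序内的固定字符串在客户端算出,再与输入直接比较,用户名不参与,校验结果只取决于005A1B97处的一个条件跳转。改进方向是改用非对称签名校验授权编号,程序内只保留公钥,不在客户端生成正确的注册码。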
=================================
注册信息:
用户名称:KuNgBiM
产品编号:4JV2C92G
授权编号:B6E5-7423-7U3N-9334
=================================
〓本文完〓
--------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-23
3:16:18 AM