【破文作者】 YuanQiao[BCG]
【文章题目】 固定资产管理系统
----------------------------------------------------------------------------------------------
【破解难度】 +++初级+++ 中级 高级 超难
【破解平台】 WinXP SP2
----------------------------------------------------------------------------------------------
【文章简介】
资产管理系统建立在信息技术基础上,以系统化的管理思想,帮助各类组织,对其整个组织范围内的各类资产,提供入库、资产查询、分布查
询、统计、领用出库、报废一系列资产全生命周期管理功能;并在资产信息集中的基础上,向资产管理人员提供强大的智能决策支持。从而为
组织内决策层、职能层、执行层等提供集决策、管理、维护手段为一体的资产管理全面解决方案。
----------------------------------------------------------------------------------------------
【破解过程】
CPU号:39056758417437
CPU编号为:BFEBFBFF转换为带符号的十进制数----------->-1075053569
CPU号与CPU编号组合为:39056758417437-1075053569
39056758417437-1075053569取前14位数则为39056758417437
3 9 0 5 6 7 5 8 4 1 7 4 3 7
33 39 30 35 36 37 35 38 34 31 37 34 33 37
1 2 3 4 5 6 7 8 9 a b c d e
(0x33 and 0xff)*0x11*0x1
(0x39 and 0xff)*0x11*0x2
(0x30 and 0xff)*0x11*0x3
(0x35 and 0xff)*0x11*0x4
(0x36 and 0xff)*0x11*0x5
(0x37 and 0xff)*0x11*0x6
(0x35 and 0xff)*0x11*0x7
(0x38 and 0xff)*0x11*0x8
(0x34 and 0xff)*0x11*0x9
(0x31 and 0xff)*0x11*0xa
(0x37 and 0xff)*0x11*0xb
(0x34 and 0xff)*0x11*0xc
(0x33 and 0xff)*0x11*0xd
(0x37 and 0xff)*0x11*0xe
\\\\\\\\\\\\\\\反编译后的PB语言程序。\\\\\\\\\\\\\\
// Position-weighted checksum over ls_kl: each character code is multiplied
// by 17 and by its 1-based position, and the products are accumulated.
// ls_kl is declared outside this fragment (presumably the function argument).
// ll_sum is never assigned before the loop, so the result relies on the
// variable's initial value.
long ll_sum
integer li_pos
for li_pos = 1 to len(ls_kl)
    // character at li_pos -> its code -> times 17 -> times the position
    ll_sum = ll_sum + (asc(mid(ls_kl, li_pos, 1)) * 17) * li_pos
next
return ll_sum
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
上面计算之后累加为:0x011A58-------->94520
(0x33 and 0xff)*0xd*0x1
(0x39 and 0xff)*0xd*0x2
(0x30 and 0xff)*0xd*0x3
(0x35 and 0xff)*0xd*0x4
(0x36 and 0xff)*0xd*0x5
(0x37 and 0xff)*0xd*0x6
(0x35 and 0xff)*0xd*0x7
(0x38 and 0xff)*0xd*0x8
(0x34 and 0xff)*0xd*0x9
(0x31 and 0xff)*0xd*0xa
(0x37 and 0xff)*0xd*0xb
(0x34 and 0xff)*0xd*0xc
(0x33 and 0xff)*0xd*0xd
(0x37 and 0xff)*0xd*0xe
\\\\\\\\\\\\\反编译后的PB语言程序。\\\\\\\\\\\\\\\\\
// Position-weighted checksum over ls_kl: each character code is multiplied
// by 13 and by its 1-based position, and the products are accumulated.
// ls_kl is declared outside this fragment (presumably the function argument).
// ll_sum is never assigned before the loop, so the result relies on the
// variable's initial value.
long ll_sum
integer li_pos
for li_pos = 1 to len(ls_kl)
    // character at li_pos -> its code -> times 13 -> times the position
    ll_sum = ll_sum + (asc(mid(ls_kl, li_pos, 1)) * 13) * li_pos
next
return ll_sum
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
上面计算之后累加为:0x017138-------->72280
94520-72280------------------->这个就是注册码。
0070A8C8 /. 55 PUSH EBP
0070A8C9 |. 8BEC MOV EBP,ESP
0070A8CB |. 6A 00 PUSH 0
0070A8CD |. 6A 00 PUSH 0
0070A8CF |. 6A 00 PUSH 0
0070A8D1 |. 53 PUSH EBX
0070A8D2 |. 8BD8 MOV EBX,EAX
0070A8D4 |. 33C0 XOR EAX,EAX
0070A8D6 |. 55 PUSH EBP
0070A8D7 |. 68 C3A97000 PUSH ASSET.0070A9C3
0070A8DC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0070A8DF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0070A8E2 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0070A8E5 |. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
0070A8EB |. E8 C852D8FF CALL ASSET.0048FBB8
0070A8F0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0070A8F3 |. E8 70E5F4FF CALL ASSET.00658E68
0070A8F8 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0070A8FB |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0070A8FE |. E8 59E6F4FF CALL ASSET.00658F5C
0070A903 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0070A906 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0070A909 |. E8 12A1CFFF CALL ASSET.00404A20 明码比较
0070A90E |. 75 46 JNZ SHORT ASSET.0070A956 关键跳(爆破口)
0070A910 |. A1 E4007200 MOV EAX,DWORD PTR DS:[7200E4]
0070A915 |. C600 01 MOV BYTE PTR DS:[EAX],1
0070A918 |. B9 D8A97000 MOV ECX,ASSET.0070A9D8
0070A91D |. BA E4A97000 MOV EDX,ASSET.0070A9E4 ; ASCII "Value"
0070A922 |. B8 F4A97000 MOV EAX,ASSET.0070A9F4 ; ASCII "IsReg"
0070A927 |. E8 60E7F4FF CALL ASSET.0065908C
0070A92C |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0070A92F |. BA E4A97000 MOV EDX,ASSET.0070A9E4 ; ASCII "Value"
0070A934 |. B8 04AA7000 MOV EAX,ASSET.0070AA04 ; ASCII "RegNum"
0070A939 |. E8 4EE7F4FF CALL ASSET.0065908C
0070A93E |. B2 01 MOV DL,1
0070A940 |. B8 14AA7000 MOV EAX,ASSET.0070AA14 ; 注册成功!欢迎您使用
0070A945 |. E8 6AA8F4FF CALL ASSET.006551B4
0070A94A |. C783 4C020000>MOV DWORD PTR DS:[EBX+24C],1
0070A954 |. EB 52 JMP SHORT ASSET.0070A9A8
0070A956 |> A1 E4007200 MOV EAX,DWORD PTR DS:[7200E4]
0070A95B |. C600 00 MOV BYTE PTR DS:[EAX],0
0070A95E |. 33C9 XOR ECX,ECX
0070A960 |. BA E4A97000 MOV EDX,ASSET.0070A9E4 ; ASCII "Value"
0070A965 |. B8 F4A97000 MOV EAX,ASSET.0070A9F4 ; ASCII "IsReg"
0070A96A |. E8 1DE7F4FF CALL ASSET.0065908C
0070A96F |. 33C9 XOR ECX,ECX
0070A971 |. BA E4A97000 MOV EDX,ASSET.0070A9E4 ; ASCII "Value"
0070A976 |. B8 04AA7000 MOV EAX,ASSET.0070AA04 ; ASCII "RegNum"
0070A97B |. E8 0CE7F4FF CALL ASSET.0065908C
0070A980 |. B2 01 MOV DL,1
0070A982 |. B8 40AA7000 MOV EAX,ASSET.0070AA40 ; 您输入的是错误的注册码,请重新输入
0070A987 |. E8 28A8F4FF CALL ASSET.006551B4
0070A98C |. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
0070A992 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0070A994 |. FF92 E0000000 CALL DWORD PTR DS:[EDX+E0]
0070A99A |. 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
0070A9A0 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0070A9A2 |. FF92 C4000000 CALL DWORD PTR DS:[EDX+C4]
0070A9A8 |> 33C0 XOR EAX,EAX
0070A9AA |. 5A POP EDX
0070A9AB |. 59 POP ECX
0070A9AC |. 59 POP ECX
0070A9AD |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0070A9B0 |. 68 CAA97000 PUSH ASSET.0070A9CA
0070A9B5 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0070A9B8 |. BA 03000000 MOV EDX,3
0070A9BD |. E8 769CCFFF CALL ASSET.00404638
0070A9C2 \. C3 RETN
下面是把CPU号与CPU编号组合之后判断位数是否大于等于14位。如果大于、等于则取前14位,小于则取19780302198302
---------------------CALL ASSET.00658E68----------------------------------------------------------------
00658E68 /$ 55 PUSH EBP
00658E69 |. 8BEC MOV EBP,ESP
00658E6B |. 83C4 E4 ADD ESP,-1C
00658E6E |. 53 PUSH EBX
00658E6F |. 56 PUSH ESI
00658E70 |. 57 PUSH EDI
00658E71 |. 33D2 XOR EDX,EDX
00658E73 |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
00658E76 |. 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
00658E79 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00658E7C |. 8BF8 MOV EDI,EAX
00658E7E |. 33C0 XOR EAX,EAX
00658E80 |. 55 PUSH EBP
00658E81 |. 68 368F6500 PUSH ASSET.00658F36
00658E86 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00658E89 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00658E8C |. 8BC7 MOV EAX,EDI
00658E8E |. E8 81B7DAFF CALL ASSET.00404614
00658E93 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00658E96 |. E8 B5FFFFFF CALL ASSET.00658E50
00658E9B |. BE 04000000 MOV ESI,4
00658EA0 |. 8D5D EC LEA EBX,DWORD PTR SS:[EBP-14]
00658EA3 |> 8D55 E8 /LEA EDX,DWORD PTR SS:[EBP-18]
00658EA6 |. 8B03 |MOV EAX,DWORD PTR DS:[EBX]
00658EA8 |. E8 A711DBFF |CALL ASSET.0040A054
00658EAD |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
00658EB0 |. 8D45 FC |LEA EAX,DWORD PTR SS:[EBP-4]
00658EB3 |. E8 24BADAFF |CALL ASSET.004048DC
00658EB8 |. 83C3 04 |ADD EBX,4
00658EBB |. 4E |DEC ESI
00658EBC |.^ 75 E5 \JNZ SHORT ASSET.00658EA3
00658EBE |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00658EC1 |. E8 0EBADAFF CALL ASSET.004048D4 ; 计算位数为25位数
00658EC6 |. 83F8 0E CMP EAX,0E ; 位数小于等于14位就转
00658EC9 |. 7E 13 JLE SHORT ASSET.00658EDE
00658ECB |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00658ECE |. 50 PUSH EAX
00658ECF |. B9 0E000000 MOV ECX,0E
00658ED4 |. 33D2 XOR EDX,EDX
00658ED6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00658ED9 |. E8 56BCDAFF CALL ASSET.00404B34 ; 取前面14位数
00658EDE |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00658EE1 |. E8 EEB9DAFF CALL ASSET.004048D4 ; 计算位数
00658EE6 |. 83F8 0E CMP EAX,0E
00658EE9 |. 7C 11 JL SHORT ASSET.00658EFC ; 位数小于14位就转
00658EEB |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00658EEE |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00658EF1 |. E8 920ADBFF CALL ASSET.00409988
00658EF6 |. 837D E4 00 CMP DWORD PTR SS:[EBP-1C],0
00658EFA |. 75 0D JNZ SHORT ASSET.00658F09
00658EFC |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00658EFF |. BA 4C8F6500 MOV EDX,ASSET.00658F4C ; ASCII "19780302198302"---》如果位数小于14位数,则取此数。
00658F04 |. E8 A3B7DAFF CALL ASSET.004046AC
00658F09 |> 8BC7 MOV EAX,EDI
00658F0B |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00658F0E |. E8 55B7DAFF CALL ASSET.00404668
00658F13 |. 33C0 XOR EAX,EAX
00658F15 |. 5A POP EDX
00658F16 |. 59 POP ECX
00658F17 |. 59 POP ECX
00658F18 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00658F1B |. 68 3D8F6500 PUSH ASSET.00658F3D
00658F20 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00658F23 |. BA 02000000 MOV EDX,2
00658F28 |. E8 0BB7DAFF CALL ASSET.00404638
00658F2D |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00658F30 |. E8 DFB6DAFF CALL ASSET.00404614
00658F35 \. C3 RETN
由上面取的14位码计算注册码:
---------------CALL ASSET.00658F5C------------------------------
00658F5C /$ 55 PUSH EBP
00658F5D |. 8BEC MOV EBP,ESP
00658F5F |. 83C4 E0 ADD ESP,-20
00658F62 |. 53 PUSH EBX
00658F63 |. 56 PUSH ESI
00658F64 |. 57 PUSH EDI
00658F65 |. 33C9 XOR ECX,ECX
00658F67 |. 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX
00658F6A |. 894D E0 MOV DWORD PTR SS:[EBP-20],ECX
00658F6D |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00658F70 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00658F73 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00658F76 |. E8 49BBDAFF CALL ASSET.00404AC4
00658F7B |. 33C0 XOR EAX,EAX
00658F7D |. 55 PUSH EBP
00658F7E |. 68 70906500 PUSH ASSET.00659070
00658F83 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00658F86 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00658F89 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
00658F90 |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00658F97 |. C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
00658F9E |. C745 F4 00000>MOV DWORD PTR SS:[EBP-C],0
00658FA5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00658FA8 |. E8 27B9DAFF CALL ASSET.004048D4
00658FAD |. 8BF0 MOV ESI,EAX
00658FAF |. 85F6 TEST ESI,ESI
00658FB1 |. 7E 66 JLE SHORT ASSET.00659019
00658FB3 |. B9 01000000 MOV ECX,1
00658FB8 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
00658FBB |. 8A5C08 FF |MOV BL,BYTE PTR DS:[EAX+ECX-1]
00658FBF |. 8BFB |MOV EDI,EBX
00658FC1 |. 81E7 FF000000 |AND EDI,0FF
00658FC7 |. 6BC7 11 |IMUL EAX,EDI,11
00658FCA |. 71 05 |JNO SHORT ASSET.00658FD1
00658FCC |. E8 8FA6DAFF |CALL ASSET.00403660
00658FD1 |> F7E9 |IMUL ECX
00658FD3 |. 71 05 |JNO SHORT ASSET.00658FDA
00658FD5 |. E8 86A6DAFF |CALL ASSET.00403660
00658FDA |> 99 |CDQ
00658FDB |. 0345 F0 |ADD EAX,DWORD PTR SS:[EBP-10]
00658FDE |. 1355 F4 |ADC EDX,DWORD PTR SS:[EBP-C]
00658FE1 |. 71 05 |JNO SHORT ASSET.00658FE8
00658FE3 |. E8 78A6DAFF |CALL ASSET.00403660
00658FE8 |> 8945 F0 |MOV DWORD PTR SS:[EBP-10],EAX
00658FEB |. 8955 F4 |MOV DWORD PTR SS:[EBP-C],EDX
00658FEE |. 6BC7 0D |IMUL EAX,EDI,0D
00658FF1 |. 71 05 |JNO SHORT ASSET.00658FF8
00658FF3 |. E8 68A6DAFF |CALL ASSET.00403660
00658FF8 |> F7E9 |IMUL ECX
00658FFA |. 71 05 |JNO SHORT ASSET.00659001
00658FFC |. E8 5FA6DAFF |CALL ASSET.00403660
00659001 |> 99 |CDQ
00659002 |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
00659005 |. 1355 EC |ADC EDX,DWORD PTR SS:[EBP-14]
00659008 |. 71 05 |JNO SHORT ASSET.0065900F
0065900A |. E8 51A6DAFF |CALL ASSET.00403660
0065900F |> 8945 E8 |MOV DWORD PTR SS:[EBP-18],EAX
00659012 |. 8955 EC |MOV DWORD PTR SS:[EBP-14],EDX
00659015 |. 41 |INC ECX
00659016 |. 4E |DEC ESI
00659017 |.^ 75 9F \JNZ SHORT ASSET.00658FB8
00659019 |> FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; /Arg2
0065901C |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Arg1
0065901F |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C] ; |
00659022 |. E8 1911DBFF CALL ASSET.0040A140 ; \ASSET.0040A140
00659027 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
0065902A |. 68 88906500 PUSH ASSET.00659088
0065902F |. FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
00659032 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
00659035 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] ; |
00659038 |. E8 0311DBFF CALL ASSET.0040A140 ; \ASSET.0040A140
0065903D |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
00659040 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00659043 |. BA 03000000 MOV EDX,3
00659048 |. E8 47B9DAFF CALL ASSET.00404994
0065904D |. 33C0 XOR EAX,EAX
0065904F |. 5A POP EDX
00659050 |. 59 POP ECX
00659051 |. 59 POP ECX
00659052 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00659055 |. 68 77906500 PUSH ASSET.00659077
0065905A |> 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0065905D |. BA 02000000 MOV EDX,2
00659062 |. E8 D1B5DAFF CALL ASSET.00404638
00659067 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0065906A |. E8 A5B5DAFF CALL ASSET.00404614
0065906F \. C3 RETN
下面是C程序算法:
=============================================
#include "Stdio.h"
#include "Conio.h"
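int main(void)
{
    /*
     * Reads one whitespace-delimited token from stdin and prints two
     * position-weighted sums of its bytes in the form "<sn1>-<sn2>".
     *
     * sn1 = sum(byte[i] * 0x11 * (i + 1)), sn2 = sum(byte[i] * 0xd * (i + 1)).
     * Both values are fixed multiples (17 and 13) of the same weighted byte
     * total, so the result is a plain function of the input string and
     * contains no secret.
     *
     * Returns 0 after printing, 1 when no token could be read.
     */
    char num[20];
    long sn1 = 0, sn2 = 0;
    long weighted;
    int i;

    /* Bound the read to the buffer: an unbounded "%s" writes past num[19]
       as soon as the input token has 20 or more characters. */
    if (scanf("%19s", num) != 1)
        return 1;

    /* Walk to the terminator directly instead of calling strlen(), which
       the file never declares (no <string.h>) and which was re-evaluated
       on every pass. */
    for (i = 0; num[i] != '\0'; i++) {
        /* & 0xff keeps the byte in 0..255 even where plain char is signed. */
        weighted = (long)(num[i] & 0xff) * (i + 1);
        sn1 += weighted * 0x11;
        sn2 += weighted * 0xd;
    }

    printf("%ld-%ld\n", sn1, sn2);
    getch();    /* keep the console window open until a key is pressed */
    return 0;
}
/* Note from the write-up: the registration data is stored in ETZC.INI. */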
----------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
文章写于2005-10-30 23:19:35