[原创]三江影像科报告系统 1.2的算法分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]三江影像科报告系统 1.2的算法分析

发表于: 2005-12-5 01:15 3893

[原创]三江影像科报告系统 1.2的算法分析

funinggaj

2005-12-5 01:15

3893

破解软件：三江影像科报告系统 1.2
破解工具：peid，od
破解作者：funinggaj
下载地址：http://www.ntsj.net/
软件介绍：
软件设计者放射科专业毕业，有着多年的放射科工作经验，现再次创业进入IT业后推出了本软件，软件包含放射科报告系统，医学CT报告系统，并且可以增加B超报告系统，1.2版功能如下：影像登记、预约管理、借片管理、影像报告、报告模板、各类报表等.
破解过程：od载人，下断点来到：

00467C93 .  55          push ebp
00467C94 .  68 0F7E4600 push 影像科管.00467E0F                   ;下断点
00467C99 .  64:FF30       push dword ptr fs:[eax]
00467C9C .  64:8920       mov dword ptr fs:[eax],esp
00467C9F .  8D55 EC       lea edx,dword ptr ss:[ebp-14]
00467CA2 .  8B83 30030000  mov eax,dword ptr ds:[ebx+330]
00467CA8 .  E8 13ADF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467CAD .  8B45 EC       mov eax,dword ptr ss:[ebp-14]
00467CB0 .  50          push eax
00467CB1 .  8D55 E8       lea edx,dword ptr ss:[ebp-18]
00467CB4 .  8B83 24030000  mov eax,dword ptr ds:[ebx+324]
00467CBA .  E8 01ADF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467CBF .  8B45 E8       mov eax,dword ptr ss:[ebp-18]             ;  假注册码
00467CC2 .  8D4D F0       lea ecx,dword ptr ss:[ebp-10]
00467CC5 .  5A          pop edx
00467CC6 .  E8 4D870000 call 影像科管.00470418                         ;  算法call
00467CCB .  8B45 F0       mov eax,dword ptr ss:[ebp-10]
00467CCE .  50          push eax
00467CCF .  8D55 E4       lea edx,dword ptr ss:[ebp-1C]
00467CD2 .  8B83 20030000  mov eax,dword ptr ds:[ebx+320]
00467CD8 .  E8 E3ACF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467CDD .  8B55 E4       mov edx,dword ptr ss:[ebp-1C]             ;  机器码
00467CE0 .  58          pop eax
00467CE1 .  E8 0295F9FF call <jmp.&rtl70.System::LStrCmp>          ;  比较call，也是爆破点
00467CE6 .  0F85 03010000  jnz 影像科管.00467DEF
00467CEC .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467CF2 .  33D2          xor edx,edx
00467CF4 .  8B08          mov ecx,dword ptr ds:[eax]
00467CF6 .  FF91 78010000  call dword ptr ds:[ecx+178]
00467CFC .  8D55 D4       lea edx,dword ptr ss:[ebp-2C]
00467CFF .  8B83 3C030000  mov eax,dword ptr ds:[ebx+33C]
00467D05 .  E8 1AA10000 call 影像科管.00471E24
00467D0A .  8D55 D4       lea edx,dword ptr ss:[ebp-2C]
00467D0D .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467D13 .  E8 88B8F9FF call <jmp.&dsnap70.Dbclient::TCustomClientD>
00467D18 .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467D1E .  B2 01       mov dl,1
00467D20 .  8B08          mov ecx,dword ptr ds:[eax]
00467D22 .  FF91 78010000  call dword ptr ds:[ecx+178]
00467D28 .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467D2E .  E8 1DB6F9FF call <jmp.&dbrtl70.Db::TDataSet::Edit>
00467D33 .  8D4D D0       lea ecx,dword ptr ss:[ebp-30]
00467D36 .  BA C07E4600 mov edx,影像科管.00467EC0                      ;  ASCII "sweetykiss"
00467D3B .  B8 D47E4600 mov eax,影像科管.00467ED4                      ;  ASCII "true"
00467D40 .  E8 77850000 call 影像科管.004702BC
00467D45 .  8B45 D0       mov eax,dword ptr ss:[ebp-30]
00467D48 .  50          push eax
00467D49 .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467D4F .  8B40 30       mov eax,dword ptr ds:[eax+30]
00467D52 .  BA 01000000 mov edx,1
00467D57 .  E8 4CB5F9FF call <jmp.&dbrtl70.Db::TFields::GetField>
00467D5C .  5A          pop edx
00467D5D .  8B08          mov ecx,dword ptr ds:[eax]
00467D5F .  FF91 B0000000  call dword ptr ds:[ecx+B0]
00467D65 .  8D55 CC       lea edx,dword ptr ss:[ebp-34]
00467D68 .  8B83 24030000  mov eax,dword ptr ds:[ebx+324]
00467D6E .  E8 4DACF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467D73 .  8B45 CC       mov eax,dword ptr ss:[ebp-34]
00467D76 .  50          push eax
00467D77 .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467D7D .  8B40 30       mov eax,dword ptr ds:[eax+30]
00467D80 .  BA 02000000 mov edx,2
00467D85 .  E8 1EB5F9FF call <jmp.&dbrtl70.Db::TFields::GetField>
00467D8A .  5A          pop edx
00467D8B .  8B08          mov ecx,dword ptr ds:[eax]
00467D8D .  FF91 B0000000  call dword ptr ds:[ecx+B0]
00467D93 .  8D55 BC       lea edx,dword ptr ss:[ebp-44]
00467D96 .  8B83 34030000  mov eax,dword ptr ds:[ebx+334]
00467D9C .  E8 07B8F9FF call <jmp.&dsnap70.Dbclient::TCustomClientD>
00467DA1 .  8D55 BC       lea edx,dword ptr ss:[ebp-44]
00467DA4 .  8D4D FC       lea ecx,dword ptr ss:[ebp-4]
00467DA7 .  8B83 3C030000  mov eax,dword ptr ds:[ebx+33C]
00467DAD .  E8 36A20000 call 影像科管.00471FE8
00467DB2 .  C783 44030000 >mov dword ptr ds:[ebx+344],2
00467DBC .  A1 207A4700 mov eax,dword ptr ds:[477A20]
00467DC1 .  8B00          mov eax,dword ptr ds:[eax]
00467DC3 .  8B80 4C030000  mov eax,dword ptr ds:[eax+34C]
00467DC9 .  33D2          xor edx,edx
00467DCB .  E8 B8B0F9FF call <jmp.&vcl70.Actnlist::TCustomAction::S>
00467DD0 .  6A 03       push 3
00467DD2 .  B9 01000000 mov ecx,1
00467DD7 .  BA 987E4600 mov edx,影像科管.00467E98
00467DDC .  B8 E47E4600 mov eax,影像科管.00467EE4

00470418 /$  55          push ebp
00470419 |.  8BEC          mov ebp,esp
0047041B |.  83C4 D0       add esp,-30
0047041E |.  53          push ebx
0047041F |.  56          push esi
00470420 |.  57          push edi
00470421 |.  33DB          xor ebx,ebx
00470423 |.  895D D0       mov dword ptr ss:[ebp-30],ebx
00470426 |.  895D D8       mov dword ptr ss:[ebp-28],ebx
00470429 |.  895D D4       mov dword ptr ss:[ebp-2C],ebx
0047042C |.  895D E0       mov dword ptr ss:[ebp-20],ebx
0047042F |.  895D DC       mov dword ptr ss:[ebp-24],ebx
00470432 |.  895D E8       mov dword ptr ss:[ebp-18],ebx
00470435 |.  894D F4       mov dword ptr ss:[ebp-C],ecx
00470438 |.  8955 F8       mov dword ptr ss:[ebp-8],edx
0047043B |.  8945 FC       mov dword ptr ss:[ebp-4],eax
0047043E |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
00470441 |.  E8 AA0DF9FF call <jmp.&rtl70.System::LStrAddRef>
00470446 |.  8B45 F8       mov eax,dword ptr ss:[ebp-8]
00470449 |.  E8 A20DF9FF call <jmp.&rtl70.System::LStrAddRef>
0047044E |.  33C0          xor eax,eax
00470450 |.  55          push ebp
00470451 |.  68 75054700 push 影像科管.00470575
00470456 |.  64:FF30       push dword ptr fs:[eax]
00470459 |.  64:8920       mov dword ptr fs:[eax],esp
0047045C |.  8B45 F8       mov eax,dword ptr ss:[ebp-8]
0047045F |.  E8 640DF9FF call <jmp.&rtl70.System::LStrLen>
00470464 |.  8945 F0       mov dword ptr ss:[ebp-10],eax
00470467 |.  837D F0 00    cmp dword ptr ss:[ebp-10],0
0047046B |.  75 0D       jnz short 影像科管.0047047A
0047046D |.  8D45 F8       lea eax,dword ptr ss:[ebp-8]
00470470 |.  BA 8C054700 mov edx,影像科管.0047058C                      ;  ASCII "sweetykiss"
00470475 |.  E8 160DF9FF call <jmp.&rtl70.System::LStrLAsg>
0047047A |>  33FF          xor edi,edi
0047047C |.  8D45 DC       lea eax,dword ptr ss:[ebp-24]
0047047F |.  50          push eax
00470480 |.  B9 02000000 mov ecx,2
00470485 |.  BA 01000000 mov edx,1
0047048A |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]             ;  假注册码
0047048D |.  E8 760DF9FF call <jmp.&rtl70.System::LStrCopy>
00470492 |.  8B4D DC       mov ecx,dword ptr ss:[ebp-24]
00470495 |.  8D45 E0       lea eax,dword ptr ss:[ebp-20]
00470498 |.  BA A0054700 mov edx,影像科管.004705A0
0047049D |.  E8 360DF9FF call <jmp.&rtl70.System::LStrCat3>
004704A2 |.  8B45 E0       mov eax,dword ptr ss:[ebp-20]
004704A5 |.  E8 5614F9FF call <jmp.&rtl70.Sysutils::StrToInt>
004704AA |.  8945 EC       mov dword ptr ss:[ebp-14],eax
004704AD |.  BE 03000000 mov esi,3
004704B2 |>  8D45 D4       /lea eax,dword ptr ss:[ebp-2C]             ;开始算法
004704B5 |.  50          |push eax
004704B6 |.  B9 02000000 |mov ecx,2
004704BB |.  8BD6          |mov edx,esi
004704BD |.  8B45 FC       |mov eax,dword ptr ss:[ebp-4]
004704C0 |.  E8 430DF9FF |call <jmp.&rtl70.System::LStrCopy>
004704C5 |.  8B4D D4       |mov ecx,dword ptr ss:[ebp-2C]
004704C8 |.  8D45 D8       |lea eax,dword ptr ss:[ebp-28]
004704CB |.  BA A0054700 |mov edx,影像科管.004705A0
004704D0 |.  E8 030DF9FF |call <jmp.&rtl70.System::LStrCat3>
004704D5 |.  8B45 D8       |mov eax,dword ptr ss:[ebp-28]
004704D8 |.  E8 2314F9FF |call <jmp.&rtl70.Sysutils::StrToInt>
004704DD |.  8945 E4       |mov dword ptr ss:[ebp-1C],eax
004704E0 |.  3B7D F0       |cmp edi,dword ptr ss:[ebp-10]
004704E3 |.  7D 03       |jge short 影像科管.004704E8
004704E5 |.  47          |inc edi
004704E6 |.  EB 05       |jmp short 影像科管.004704ED
004704E8 |>  BF 01000000 |mov edi,1
004704ED |>  8B45 F8       |mov eax,dword ptr ss:[ebp-8]
004704F0 |.  33DB          |xor ebx,ebx
004704F2 |.  8A5C38 FF    |mov bl,byte ptr ds:[eax+edi-1]                ;将假注册码除前两位外，依次两位送入运算
004704F6 |.  335D E4       |xor ebx,dword ptr ss:[ebp-1C]                ;用户名的asc码依次送入运算
004704F9 |.  3B5D EC       |cmp ebx,dword ptr ss:[ebp-14]                ;结果和假注册码前两位比较
004704FC |.  7F 0B       |jg short 影像科管.00470509
004704FE |.  81C3 FF000000  |add ebx,0FF                                  ;小于则+FF
00470504 |.  2B5D EC       |sub ebx,dword ptr ss:[ebp-14]                ;再-前两位假注册码的asc码
00470507 |.  EB 03       |jmp short 影像科管.0047050C
00470509 |>  2B5D EC       |sub ebx,dword ptr ss:[ebp-14]                ;大于则直接-前两位假注册码的asc码
0047050C |>  8D45 D0       |lea eax,dword ptr ss:[ebp-30]
0047050F |.  8BD3          |mov edx,ebx
00470511 |.  E8 8A0CF9FF |call <jmp.&rtl70.System::LStrFromChar>
00470516 |.  8B55 D0       |mov edx,dword ptr ss:[ebp-30]
00470519 |.  8D45 E8       |lea eax,dword ptr ss:[ebp-18]
0047051C |.  E8 AF0CF9FF |call <jmp.&rtl70.System::LStrCat>
00470521 |.  8B45 E4       |mov eax,dword ptr ss:[ebp-1C]
00470524 |.  8945 EC       |mov dword ptr ss:[ebp-14],eax
00470527 |.  83C6 02       |add esi,2
0047052A |.  8B45 FC       |mov eax,dword ptr ss:[ebp-4]
0047052D |.  E8 960CF9FF |call <jmp.&rtl70.System::LStrLen>
00470532 |.  3BF0          |cmp esi,eax
00470534 |.^ 0F8C 78FFFFFF  \jl 影像科管.004704B2
0047053A |.  8B45 F4       mov eax,dword ptr ss:[ebp-C]
0047053D |.  8B55 E8       mov edx,dword ptr ss:[ebp-18]
00470540 |.  E8 430CF9FF call <jmp.&rtl70.System::LStrAsg>
00470545 |.  33C0          xor eax,eax
00470547 |.  5A          pop edx
00470548 |.  59          pop ecx
00470549 |.  59          pop ecx
0047054A |.  64:8910       mov dword ptr fs:[eax],edx
0047054D |.  68 7C054700 push 影像科管.0047057C
00470552 |>  8D45 D0       lea eax,dword ptr ss:[ebp-30]
00470555 |.  BA 05000000 mov edx,5
0047055A |.  E8 210CF9FF call <jmp.&rtl70.System::LStrArrayClr>
0047055F |.  8D45 E8       lea eax,dword ptr ss:[ebp-18]
00470562 |.  E8 110CF9FF call <jmp.&rtl70.System::LStrClr>
00470567 |.  8D45 F8       lea eax,dword ptr ss:[ebp-8]
0047056A |.  BA 02000000 mov edx,2
0047056F |.  E8 0C0CF9FF call <jmp.&rtl70.System::LStrArrayClr>
00470574 \.  C3          retn

算法分析：注册码长度应为，机器码长度*2+2，字符范围应是0123456789abcdefABCDEF,假设注册码为a1a2a3a4a5a6a7a8a9a10a11a12a13a14a15a16a17a18,我的机器码为BFEBFBFF，其对应的asc码为：42 46 45 42 46 42 46 46我的用户名为ELSA，对应的asc码为：45 4C 53 41则：
a3a4 xor 45--->小于a1a2,a3a4 xor 45 +FF-(a1a2)
         --->大于a1a2,a3a4 xor 45-(a1a2) 所输出的值为B的asc值42 (即机器码前四位的第一位)
a5a6 xor 4C--->小于a3a4,a5a6 xor 4C +FF-(a3a4)
         --->大于a3a4,a5a6 xor 4C-(a3a4) 所输出的值为F的asc值46 (即机器码前四位的第二位)
a7a8 xor 53--->小于a5a6,a7a8 xor 53 +FF-(a5a6)
         --->大于a5a6,a7a8 xor 53-(a5a6) 所输出的值为E的asc值45(即机器码前四位的第三位)
a9a10 xor 41--->小于a7a8,a9a10 xor 41 +FF-(a7a8)
         --->大于a7a8,a9a10 xor 41-(a7a8) 所输出的值为B的asc值42 (即机器码前四位的第四位)
a11a12 xor 45--->小于a9a10,a11a12 xor 45 +FF-(a9a10)
         --->大于a9a10,a11a12 xor 45-(a9a10) 所输出的值为F的asc值46 (即机器码后四位的第一位)
a13a14 xor4C--->小于a11a12,a13a14 xor4C +FF-(a11a12)
         --->大于a11a12,a13a14 xor4C-(a11a12) 所输出的值为B的asc值42(即机器码后四位的第二位)
a15a16 xor 53--->小于a13a14,a15a16 xor 53 +FF-(a13a14)
         --->大于a13a14,a15a16 xor 53-(a13a14) 所输出的值为F的asc值46(即机器码后四位的第三位)
a17a18 xor 41--->小于a15a16,a17a18 xor 41 +FF-(a15a16)
         --->大于a15a16,a17a18 xor 41-(a15a16) 所输出的值为F的asc值46 (即机器码后四位的第四位)
我的用户名：ELSA
我的机器码：BFEBFBFF
为大家提供一组注册码：383FC95CDF63E963E8或者是383fc95cdf63e963e8

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
yunfeng 雪币： 269 活跃值： (51) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 489 粉丝 0 关注私信	yunfeng 1 2 楼支持一下． 2005-12-5 09:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

funinggaj

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
yunfeng 雪币： 269 活跃值： (51) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 489 粉丝 0 关注私信	yunfeng 1 2 楼支持一下． 2005-12-5 09:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复