[Original] Algorithm analysis of 三江影像科报告系统 1.2 (Sanjiang Imaging Department Report System 1.2)

Posted: 2005-12-5 01:15

Target software: 三江影像科报告系统 1.2
Tools: PEiD, OllyDbg (OD)
Author: funinggaj
Download: http://www.ntsj.net/
Software description:
The software's designer graduated in radiology and has many years of experience working in a radiology department; after going back into business in the IT industry he released this program. It comprises a radiology report system and a medical CT report system, and an ultrasound (B-mode) report system can be added. Version 1.2 offers: image registration, appointment management, film lending management, imaging reports, report templates, and various statistical reports.
Cracking process: load the program into OD, set a breakpoint, and we arrive at:
00467C93 . 55 push ebp
00467C94 . 68 0F7E4600 push 影像科管.00467E0F ; breakpoint here
00467C99 . 64:FF30 push dword ptr fs:[eax]
00467C9C . 64:8920 mov dword ptr fs:[eax],esp
00467C9F . 8D55 EC lea edx,dword ptr ss:[ebp-14]
00467CA2 . 8B83 30030000 mov eax,dword ptr ds:[ebx+330]
00467CA8 . E8 13ADF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467CAD . 8B45 EC mov eax,dword ptr ss:[ebp-14]
00467CB0 . 50 push eax
00467CB1 . 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00467CB4 . 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
00467CBA . E8 01ADF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467CBF . 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; the serial the user typed
00467CC2 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00467CC5 . 5A pop edx
00467CC6 . E8 4D870000 call 影像科管.00470418 ; algorithm call (eax = serial, edx = user name, ecx = result)
00467CCB . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00467CCE . 50 push eax
00467CCF . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00467CD2 . 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
00467CD8 . E8 E3ACF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467CDD . 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; machine code (read from the dialog control)
00467CE0 . 58 pop eax
00467CE1 . E8 0295F9FF call <jmp.&rtl70.System::LStrCmp> ; compare call; the jnz that follows is the patch point
00467CE6 . 0F85 03010000 jnz 影像科管.00467DEF
00467CEC . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467CF2 . 33D2 xor edx,edx
00467CF4 . 8B08 mov ecx,dword ptr ds:[eax]
00467CF6 . FF91 78010000 call dword ptr ds:[ecx+178]
00467CFC . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00467CFF . 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C]
00467D05 . E8 1AA10000 call 影像科管.00471E24
00467D0A . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00467D0D . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467D13 . E8 88B8F9FF call <jmp.&dsnap70.Dbclient::TCustomClientD>
00467D18 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467D1E . B2 01 mov dl,1
00467D20 . 8B08 mov ecx,dword ptr ds:[eax]
00467D22 . FF91 78010000 call dword ptr ds:[ecx+178]
00467D28 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467D2E . E8 1DB6F9FF call <jmp.&dbrtl70.Db::TDataSet::Edit>
00467D33 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00467D36 . BA C07E4600 mov edx,影像科管.00467EC0 ; ASCII "sweetykiss"
00467D3B . B8 D47E4600 mov eax,影像科管.00467ED4 ; ASCII "true"
00467D40 . E8 77850000 call 影像科管.004702BC
00467D45 . 8B45 D0 mov eax,dword ptr ss:[ebp-30]
00467D48 . 50 push eax
00467D49 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467D4F . 8B40 30 mov eax,dword ptr ds:[eax+30]
00467D52 . BA 01000000 mov edx,1
00467D57 . E8 4CB5F9FF call <jmp.&dbrtl70.Db::TFields::GetField>
00467D5C . 5A pop edx
00467D5D . 8B08 mov ecx,dword ptr ds:[eax]
00467D5F . FF91 B0000000 call dword ptr ds:[ecx+B0]
00467D65 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
00467D68 . 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
00467D6E . E8 4DACF9FF call <jmp.&vcl70.Controls::TControl::GetTex>
00467D73 . 8B45 CC mov eax,dword ptr ss:[ebp-34]
00467D76 . 50 push eax
00467D77 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467D7D . 8B40 30 mov eax,dword ptr ds:[eax+30]
00467D80 . BA 02000000 mov edx,2
00467D85 . E8 1EB5F9FF call <jmp.&dbrtl70.Db::TFields::GetField>
00467D8A . 5A pop edx
00467D8B . 8B08 mov ecx,dword ptr ds:[eax]
00467D8D . FF91 B0000000 call dword ptr ds:[ecx+B0]
00467D93 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00467D96 . 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
00467D9C . E8 07B8F9FF call <jmp.&dsnap70.Dbclient::TCustomClientD>
00467DA1 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00467DA4 . 8D4D FC lea ecx,dword ptr ss:[ebp-4]
00467DA7 . 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C]
00467DAD . E8 36A20000 call 影像科管.00471FE8
00467DB2 . C783 44030000 >mov dword ptr ds:[ebx+344],2
00467DBC . A1 207A4700 mov eax,dword ptr ds:[477A20]
00467DC1 . 8B00 mov eax,dword ptr ds:[eax]
00467DC3 . 8B80 4C030000 mov eax,dword ptr ds:[eax+34C]
00467DC9 . 33D2 xor edx,edx
00467DCB . E8 B8B0F9FF call <jmp.&vcl70.Actnlist::TCustomAction::S>
00467DD0 . 6A 03 push 3
00467DD2 . B9 01000000 mov ecx,1
00467DD7 . BA 987E4600 mov edx,影像科管.00467E98
00467DDC . B8 E47E4600 mov eax,影像科管.00467EE4

The routine called at 00467CC6 (the algorithm; on entry eax = entered serial, edx = user name, ecx = address of the result string):
00470418 /$ 55 push ebp
00470419 |. 8BEC mov ebp,esp
0047041B |. 83C4 D0 add esp,-30
0047041E |. 53 push ebx
0047041F |. 56 push esi
00470420 |. 57 push edi
00470421 |. 33DB xor ebx,ebx
00470423 |. 895D D0 mov dword ptr ss:[ebp-30],ebx
00470426 |. 895D D8 mov dword ptr ss:[ebp-28],ebx
00470429 |. 895D D4 mov dword ptr ss:[ebp-2C],ebx
0047042C |. 895D E0 mov dword ptr ss:[ebp-20],ebx
0047042F |. 895D DC mov dword ptr ss:[ebp-24],ebx
00470432 |. 895D E8 mov dword ptr ss:[ebp-18],ebx
00470435 |. 894D F4 mov dword ptr ss:[ebp-C],ecx
00470438 |. 8955 F8 mov dword ptr ss:[ebp-8],edx
0047043B |. 8945 FC mov dword ptr ss:[ebp-4],eax
0047043E |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00470441 |. E8 AA0DF9FF call <jmp.&rtl70.System::LStrAddRef>
00470446 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00470449 |. E8 A20DF9FF call <jmp.&rtl70.System::LStrAddRef>
0047044E |. 33C0 xor eax,eax
00470450 |. 55 push ebp
00470451 |. 68 75054700 push 影像科管.00470575
00470456 |. 64:FF30 push dword ptr fs:[eax]
00470459 |. 64:8920 mov dword ptr fs:[eax],esp
0047045C |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0047045F |. E8 640DF9FF call <jmp.&rtl70.System::LStrLen>
00470464 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
00470467 |. 837D F0 00 cmp dword ptr ss:[ebp-10],0
0047046B |. 75 0D jnz short 影像科管.0047047A
0047046D |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00470470 |. BA 8C054700 mov edx,影像科管.0047058C ; ASCII "sweetykiss"
00470475 |. E8 160DF9FF call <jmp.&rtl70.System::LStrLAsg> ; empty user name -> "sweetykiss"
0047047A |> 33FF xor edi,edi
0047047C |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
0047047F |. 50 push eax
00470480 |. B9 02000000 mov ecx,2
00470485 |. BA 01000000 mov edx,1
0047048A |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; entered serial: take characters 1..2 (a1a2)
0047048D |. E8 760DF9FF call <jmp.&rtl70.System::LStrCopy>
00470492 |. 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00470495 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00470498 |. BA A0054700 mov edx,影像科管.004705A0
0047049D |. E8 360DF9FF call <jmp.&rtl70.System::LStrCat3> ; prefix with the string at 004705A0 (presumably "$", so StrToInt parses the pair as hex)
004704A2 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004704A5 |. E8 5614F9FF call <jmp.&rtl70.Sysutils::StrToInt>
004704AA |. 8945 EC mov dword ptr ss:[ebp-14],eax
004704AD |. BE 03000000 mov esi,3
004704B2 |> 8D45 D4 /lea eax,dword ptr ss:[ebp-2C] ; algorithm loop starts: next two characters of the serial
004704B5 |. 50 |push eax
004704B6 |. B9 02000000 |mov ecx,2
004704BB |. 8BD6 |mov edx,esi
004704BD |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004704C0 |. E8 430DF9FF |call <jmp.&rtl70.System::LStrCopy>
004704C5 |. 8B4D D4 |mov ecx,dword ptr ss:[ebp-2C]
004704C8 |. 8D45 D8 |lea eax,dword ptr ss:[ebp-28]
004704CB |. BA A0054700 |mov edx,影像科管.004705A0
004704D0 |. E8 030DF9FF |call <jmp.&rtl70.System::LStrCat3>
004704D5 |. 8B45 D8 |mov eax,dword ptr ss:[ebp-28]
004704D8 |. E8 2314F9FF |call <jmp.&rtl70.Sysutils::StrToInt>
004704DD |. 8945 E4 |mov dword ptr ss:[ebp-1C],eax
004704E0 |. 3B7D F0 |cmp edi,dword ptr ss:[ebp-10]
004704E3 |. 7D 03 |jge short 影像科管.004704E8
004704E5 |. 47 |inc edi
004704E6 |. EB 05 |jmp short 影像科管.004704ED
004704E8 |> BF 01000000 |mov edi,1
004704ED |> 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
004704F0 |. 33DB |xor ebx,ebx
004704F2 |. 8A5C38 FF |mov bl,byte ptr ds:[eax+edi-1] ; next byte of the user name (edi wraps back to 1, so the name is reused cyclically)
004704F6 |. 335D E4 |xor ebx,dword ptr ss:[ebp-1C] ; XOR it with the value of the current hex pair of the serial
004704F9 |. 3B5D EC |cmp ebx,dword ptr ss:[ebp-14] ; compare with the previous pair (a1a2 on the first iteration)
004704FC |. 7F 0B |jg short 影像科管.00470509
004704FE |. 81C3 FF000000 |add ebx,0FF ; if <= previous pair: add 0xFF
00470504 |. 2B5D EC |sub ebx,dword ptr ss:[ebp-14] ; then subtract the previous pair
00470507 |. EB 03 |jmp short 影像科管.0047050C
00470509 |> 2B5D EC |sub ebx,dword ptr ss:[ebp-14] ; if > previous pair: subtract it directly
0047050C |> 8D45 D0 |lea eax,dword ptr ss:[ebp-30]
0047050F |. 8BD3 |mov edx,ebx
00470511 |. E8 8A0CF9FF |call <jmp.&rtl70.System::LStrFromChar>
00470516 |. 8B55 D0 |mov edx,dword ptr ss:[ebp-30]
00470519 |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
0047051C |. E8 AF0CF9FF |call <jmp.&rtl70.System::LStrCat>
00470521 |. 8B45 E4 |mov eax,dword ptr ss:[ebp-1C] ; the current pair becomes the "previous pair"
00470524 |. 8945 EC |mov dword ptr ss:[ebp-14],eax
00470527 |. 83C6 02 |add esi,2
0047052A |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
0047052D |. E8 960CF9FF |call <jmp.&rtl70.System::LStrLen>
00470532 |. 3BF0 |cmp esi,eax ; loop while position < Length(serial)
00470534 |.^ 0F8C 78FFFFFF \jl 影像科管.004704B2
0047053A |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0047053D |. 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00470540 |. E8 430CF9FF call <jmp.&rtl70.System::LStrAsg>
00470545 |. 33C0 xor eax,eax
00470547 |. 5A pop edx
00470548 |. 59 pop ecx
00470549 |. 59 pop ecx
0047054A |. 64:8910 mov dword ptr fs:[eax],edx
0047054D |. 68 7C054700 push 影像科管.0047057C
00470552 |> 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00470555 |. BA 05000000 mov edx,5
0047055A |. E8 210CF9FF call <jmp.&rtl70.System::LStrArrayClr>
0047055F |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00470562 |. E8 110CF9FF call <jmp.&rtl70.System::LStrClr>
00470567 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0047056A |. BA 02000000 mov edx,2
0047056F |. E8 0C0CF9FF call <jmp.&rtl70.System::LStrArrayClr>
00470574 \. C3 retn
Algorithm analysis: the serial must be (length of the machine code) * 2 + 2 characters long, and may only contain the hex digits 0123456789abcdefABCDEF, since each two-character pair is prefixed and handed to StrToInt, which raises an exception on anything else. Write the serial as a1a2a3a4a5a6a7a8a9a10a11a12a13a14a15a16a17a18. My machine code is BFEBFBFF, whose ASCII bytes are 42 46 45 42 46 42 46 46; my user name is ELSA, ASCII 45 4C 53 41. The user name bytes are consumed cyclically (edi wraps back to 1 once it reaches the name length), an empty user name is replaced by "sweetykiss", and each step compares against the previous pair, not always against a1a2. The routine therefore requires:
a3a4 xor 45 ---> if <= a1a2: (a3a4 xor 45) + FF - a1a2
            ---> if > a1a2: (a3a4 xor 45) - a1a2          must equal 42, 'B' (1st character of the machine code)
a5a6 xor 4C ---> if <= a3a4: (a5a6 xor 4C) + FF - a3a4
            ---> if > a3a4: (a5a6 xor 4C) - a3a4          must equal 46, 'F' (2nd character)
a7a8 xor 53 ---> if <= a5a6: (a7a8 xor 53) + FF - a5a6
            ---> if > a5a6: (a7a8 xor 53) - a5a6          must equal 45, 'E' (3rd character)
a9a10 xor 41 ---> if <= a7a8: (a9a10 xor 41) + FF - a7a8
            ---> if > a7a8: (a9a10 xor 41) - a7a8         must equal 42, 'B' (4th character)
a11a12 xor 45 ---> if <= a9a10: (a11a12 xor 45) + FF - a9a10
            ---> if > a9a10: (a11a12 xor 45) - a9a10      must equal 46, 'F' (5th character)
a13a14 xor 4C ---> if <= a11a12: (a13a14 xor 4C) + FF - a11a12
            ---> if > a11a12: (a13a14 xor 4C) - a11a12    must equal 42, 'B' (6th character)
a15a16 xor 53 ---> if <= a13a14: (a15a16 xor 53) + FF - a13a14
            ---> if > a13a14: (a15a16 xor 53) - a13a14    must equal 46, 'F' (7th character)
a17a18 xor 41 ---> if <= a15a16: (a17a18 xor 41) + FF - a15a16
            ---> if > a15a16: (a17a18 xor 41) - a15a16    must equal 46, 'F' (8th character)
The eight output bytes are joined into a string and compared with the machine code by LStrCmp at 00467CE1. Nothing constrains a1a2, and every later pair can be solved from the previous one, so a serial can be computed for any user name and machine code.
My user name: ELSA
My machine code: BFEBFBFF
A working serial: 383FC95CDF63E963E8, or equivalently 383fc95cdf63e963e8
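The check and a keygen that inverts it, written from the disassembly above. This is an added example, not code from the post or from the vendor. Two things are assumed because the dump does not show them: that the string at 004705A0 is "$" (Delphi's hex prefix for StrToInt, consistent with the hex alphabet the post gives), and that the program sees the user name as its ANSI bytes (pass bytes for a non-ASCII name).

```python
"""Forward transform of sub_00470418, the LStrCmp check, and a keygen.

Example code reconstructed from the OllyDbg listing; the "$" prefix and the
ANSI treatment of the user name are assumptions, see the lead-in.
"""
import string
from typing import Optional, Union

DEFAULT_NAME = b"sweetykiss"   # substituted at 0047046D when the name is empty


def _ansi(name: Union[str, bytes]) -> bytes:
    """User name as the byte string the routine indexes (assumed ANSI)."""
    b = name if isinstance(name, bytes) else name.encode("latin-1")
    return b or DEFAULT_NAME


def derive(code: str, name: Union[str, bytes]) -> Optional[bytes]:
    """Mirror of sub_00470418: serial + user name -> string handed to LStrCmp.

    Returns None where StrToInt('$xx') would have raised (non-hex input).
    """
    name_b = _ansi(name)
    if len(code) < 2 or any(c not in string.hexdigits for c in code):
        return None
    prev = int(code[0:2], 16)        # a1a2 -> [ebp-14]
    out = bytearray()
    idx = 0                          # edi: 1-based cursor into the user name
    i = 2                            # esi = 3 (1-based) is offset 2
    while i < len(code) - 1:         # jl at 00470534: esi < Length(serial)
        cur = int(code[i:i + 2], 16)     # [ebp-1C]
        idx = idx + 1 if idx < len(name_b) else 1   # wrap -> name reused cyclically
        x = name_b[idx - 1] ^ cur
        if x > prev:                 # jg at 004704FC (operands are 0..255, sign irrelevant)
            x -= prev
        else:
            x = x + 0xFF - prev
        out.append(x & 0xFF)         # LStrFromChar keeps the low byte
        prev = cur                   # 00470521: current pair becomes "previous"
        i += 2
    return bytes(out)


def check(code: str, name: Union[str, bytes], machine_code: str) -> bool:
    """The LStrCmp at 00467CE1: derived string must equal the machine code."""
    return derive(code, name) == machine_code.encode("latin-1")


def keygen(name: Union[str, bytes], machine_code: str, seed: int = 0x38) -> str:
    """Invert derive(). a1a2 is unconstrained, so any seed byte works.

    For target byte t (> 0, true for ASCII) and previous pair p, the loop needs
    x = name_byte ^ cur with
        t = x - p        when x > p   ->  x = t + p        (usable when t + p <= 255)
        t = x + 255 - p  otherwise    ->  x = t + p - 255  (usable when t + p >= 255)
    and therefore cur = name_byte ^ x.
    """
    name_b = _ansi(name)
    prev = seed & 0xFF
    pairs = [f"{prev:02X}"]
    idx = 0
    for t in machine_code.encode("latin-1"):
        idx = idx + 1 if idx < len(name_b) else 1
        s = t + prev
        x = s if s <= 0xFF else s - 0xFF
        cur = name_b[idx - 1] ^ x
        pairs.append(f"{cur:02X}")
        prev = cur
    return "".join(pairs)


if __name__ == "__main__":
    serial = keygen("ELSA", "BFEBFBFF")          # reproduces the post's serial
    print(serial, check(serial, "ELSA", "BFEBFBFF"))
```

With seed 0x38 the keygen reproduces the serial given in the post exactly; any other seed gives a different but equally valid serial, which is the practical consequence of a scheme with no secret, an unconstrained first pair, and a target value (the machine code) that the dialog itself supplies.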