某试题库管理系统V3.11 单机版破解[原创]-软件逆向-看雪-安全社区|安全招聘|kanxue.com

某试题库管理系统V3.11 单机版破解[原创]

2006-5-22 14:23 13585

某试题库管理系统V3.11 单机版破解[原创]

AZMC

2006-5-22 14:23

13585

0) AZMC.13 提供
1) 无壳,Borland Delphi 编写
2) 运行主程序,点击菜单[帮助]-[注册]
3) 跟随向导输入相关信息,其中软件会自动告知你的机器码:CSH309DJCY5BVB,记录下来
4) 一路向导，来到"用户名/注册码/完成注册"输入的对话框处,使用 SPY++ 查看窗口类信息:TDlgzuce_xiaogdao,退出执行程序
5) 使用 eXescope 查看资源，寻找注册向导对话框，定位 [完成注册]按钮事件代码标志
6) 使用 Dede 反编译执行程序,定位 [完成注册]按钮代码入口:006680B8
7) 使用 OllyDebug 加载执行程序，下断 006680B8

006680B8 /.  55    push ebp                                  ;  注册按钮处理入口
006680B9 |.  8BEC mov ebp,esp
006680BB |.  B9 0500>mov ecx,5
006680C0 |>  6A 00 /push 0
006680C2 |.  6A 00 |push 0
006680C4 |.  49    |dec ecx
006680C5 |.^ 75 F9 \jnz short proSitik.006680C0
006680C7 |.  51    push ecx
006680C8 |.  53    push ebx
006680C9 |.  56    push esi
006680CA |.  57    push edi
006680CB |.  8BF8 mov edi,eax
006680CD |.  33C0 xor eax,eax
006680CF |.  55    push ebp
006680D0 |.  68 CA86>push proSitik.006686CA
006680D5 |.  64:FF30 push dword ptr fs:[eax]
006680D8 |.  64:8920 mov dword ptr fs:[eax],esp
006680DB |.  8D55 F0 lea edx,dword ptr ss:[ebp-10]
006680DE |.  8B87 74>mov eax,dword ptr ds:[edi+374]
006680E4 |.  E8 9BB0>call proSitik.00453184                   ;  * Reference to: Controls.TControl.GetText(TControl):TCaption;
006680E9 |.  8B45 F0 mov eax,dword ptr ss:[ebp-10]             ;  获取用户名
006680EC |.  8D55 F4 lea edx,dword ptr ss:[ebp-C]
006680EF |.  E8 6014>call proSitik.00409554                   ;  * Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
006680F4 |.  837D F4>cmp dword ptr ss:[ebp-C],0
006680F8 |.  75 1F jnz short proSitik.00668119
006680FA |.  6A 00 push 0
006680FC |.  B9 D886>mov ecx,proSitik.006686D8                ;  * Possible String Reference to: '提示'
00668101 |.  BA E086>mov edx,proSitik.006686E0                ;  * Possible String Reference to: '请输入用户名称!'
00668106 |.  A1 2431>mov eax,dword ptr ds:[673124]
0066810B |.  8B00 mov eax,dword ptr ds:[eax]
0066810D |.  E8 A2C1>call proSitik.004742B4                   ;  * Reference to: Forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
00668112 |.  48    dec eax
00668113 |.  0F84 6F>je proSitik.00668688
00668119 |>  8D55 EC lea edx,dword ptr ss:[ebp-14]
0066811C |.  8B87 FC>mov eax,dword ptr ds:[edi+2FC]
00668122 |.  E8 5DB0>call proSitik.00453184                   ;  * Reference to: Controls.TControl.GetText(TControl):TCaption;
00668127 |.  8B45 EC mov eax,dword ptr ss:[ebp-14]             ;  获取机器码
0066812A |.  8D55 FC lea edx,dword ptr ss:[ebp-4]
0066812D |.  E8 2214>call proSitik.00409554                   ;  * Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
00668132 |.  8D45 E8 lea eax,dword ptr ss:[ebp-18]
00668135 |.  50    push eax                                  ; /Arg1
00668136 |.  33C9 xor ecx,ecx                               ; |
00668138 |.  BA F886>mov edx,proSitik.006686F8                ; |* Reference to: SysUtils.StringReplace(AnsiString;AnsiString;AnsiString;TReplaceFlags):AnsiString;
0066813D |.  8B45 FC mov eax,dword ptr ss:[ebp-4]             ; |
00668140 |.  E8 4343>call proSitik.0044C488                   ; \proSitik.0044C488
00668145 |.  8B55 E8 mov edx,dword ptr ss:[ebp-18]             ;  机器码
00668148 |.  8D45 FC lea eax,dword ptr ss:[ebp-4]
0066814B |.  E8 88C8>call proSitik.004049D8                   ;  * Reference to: System.@LStrLAsg(void;void;void;void);
00668150 |.  8B45 FC mov eax,dword ptr ss:[ebp-4]
00668153 |.  E8 A0CA>call proSitik.00404BF8                   ;  * Reference to: System.@LStrLen(String):Integer;
00668158 |.  8BF0 mov esi,eax
0066815A |.  8D45 F8 lea eax,dword ptr ss:[ebp-8]
0066815D |.  E8 DEC7>call proSitik.00404940                   ;  * Reference to: System.@LStrClr(void;void);
00668162 |.  8BDE mov ebx,esi
00668164 |.  83FB 01 cmp ebx,1
00668167 |.  7C 1F jl short proSitik.00668188
00668169 |>  8D45 E4 /lea eax,dword ptr ss:[ebp-1C]
0066816C |.  8B55 FC |mov edx,dword ptr ss:[ebp-4]
0066816F |.  8A541A >|mov dl,byte ptr ds:[edx+ebx-1]          ;  反向从机器码取字符
00668173 |.  E8 A8C9>|call proSitik.00404B20                   ;  * Reference to: System.@LStrFromChar(String;String;Char);
00668178 |.  8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
0066817B |.  8D45 F8 |lea eax,dword ptr ss:[ebp-8]
0066817E |.  E8 7DCA>|call proSitik.00404C00                   ;  * Reference to: System.@LStrCat;
00668183 |.  4B    |dec ebx
00668184 |.  85DB |test ebx,ebx
00668186 |.^ 75 E1 \jnz short proSitik.00668169
00668188 |>  85F6 test esi,esi
0066818A |.  0F8E DD>jle proSitik.0066856D
00668190 |.  BB 0100>mov ebx,1
00668195 |>  8B45 F8 /mov eax,dword ptr ss:[ebp-8]             ;  反转的机器码
00668198 |.  0FB6441>|movzx eax,byte ptr ds:[eax+ebx-1]       ;  获取机器码一个字母，ebx 为 Index
0066819D |.  83C0 D0 |add eax,-30                            ;  Switch (cases 30..6B)
006681A0 |.  83F8 3B |cmp eax,3B
006681A3 |.  0F87 BC>|ja proSitik.00668565
006681A9 |.  FF2485 >|jmp dword ptr ds:[eax*4+6681B0]
006681B0 |.  A082660>|dd proSitik.006682A0                   ;  Switch table used at 006681A9
006681B4 |.  B282660>|dd proSitik.006682B2
006681B8 |.  C482660>|dd proSitik.006682C4
006681BC |.  D682660>|dd proSitik.006682D6
006681C0 |.  E882660>|dd proSitik.006682E8
006681C4 |.  FA82660>|dd proSitik.006682FA
006681C8 |.  0C83660>|dd proSitik.0066830C
006681CC |.  1E83660>|dd proSitik.0066831E
006681D0 |.  3083660>|dd proSitik.00668330
006681D4 |.  4283660>|dd proSitik.00668342
006681D8 |.  6585660>|dd proSitik.00668565
006681DC |.  6585660>|dd proSitik.00668565
006681E0 |.  6585660>|dd proSitik.00668565
006681E4 |.  6585660>|dd proSitik.00668565
006681E8 |.  6585660>|dd proSitik.00668565
006681EC |.  6585660>|dd proSitik.00668565
006681F0 |.  6585660>|dd proSitik.00668565
006681F4 |.  5483660>|dd proSitik.00668354
006681F8 |.  6683660>|dd proSitik.00668366
006681FC |.  7883660>|dd proSitik.00668378
00668200 |.  8A83660>|dd proSitik.0066838A
00668204 |.  9C83660>|dd proSitik.0066839C
00668208 |.  AE83660>|dd proSitik.006683AE
0066820C |.  C083660>|dd proSitik.006683C0
00668210 |.  D283660>|dd proSitik.006683D2
00668214 |.  E483660>|dd proSitik.006683E4
00668218 |.  F683660>|dd proSitik.006683F6
0066821C |.  0884660>|dd proSitik.00668408
00668220 |.  1A84660>|dd proSitik.0066841A
00668224 |.  2C84660>|dd proSitik.0066842C
00668228 |.  3E84660>|dd proSitik.0066843E
0066822C |.  5084660>|dd proSitik.00668450
00668230 |.  6284660>|dd proSitik.00668462
00668234 |.  7484660>|dd proSitik.00668474
00668238 |.  8684660>|dd proSitik.00668486
0066823C |.  9884660>|dd proSitik.00668498
00668240 |.  AA84660>|dd proSitik.006684AA
00668244 |.  6585660>|dd proSitik.00668565
00668248 |.  6585660>|dd proSitik.00668565
0066824C |.  6585660>|dd proSitik.00668565
00668250 |.  6585660>|dd proSitik.00668565
00668254 |.  6585660>|dd proSitik.00668565
00668258 |.  6585660>|dd proSitik.00668565
0066825C |.  6585660>|dd proSitik.00668565
00668260 |.  6585660>|dd proSitik.00668565
00668264 |.  6585660>|dd proSitik.00668565
00668268 |.  6585660>|dd proSitik.00668565
0066826C |.  6585660>|dd proSitik.00668565
00668270 |.  6585660>|dd proSitik.00668565
00668274 |.  BC84660>|dd proSitik.006684BC
00668278 |.  CE84660>|dd proSitik.006684CE
0066827C |.  E084660>|dd proSitik.006684E0
00668280 |.  EF84660>|dd proSitik.006684EF
00668284 |.  FE84660>|dd proSitik.006684FE
00668288 |.  0D85660>|dd proSitik.0066850D
0066828C |.  1C85660>|dd proSitik.0066851C
00668290 |.  2B85660>|dd proSitik.0066852B
00668294 |.  3A85660>|dd proSitik.0066853A
00668298 |.  4985660>|dd proSitik.00668549
0066829C |.  5885660>|dd proSitik.00668558
006682A0 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 30 ('0') of switch 0066819D
006682A3 <>|.  E8 A0CB>|call proSitik.00404E48                   ;  Error or: System.UniqueString(String;String);overload;
006682A8 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],78
006682AD |.  E9 B302>|jmp proSitik.00668565
006682B2 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 31 ('1') of switch 0066819D
006682B5 |.  E8 8ECB>|call proSitik.00404E48                   ;  Error or: System.UniqueString(String;String);overload;
006682BA |.  C64418 >|mov byte ptr ds:[eax+ebx-1],6D
006682BF |.  E9 A102>|jmp proSitik.00668565
006682C4 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 32 ('2') of switch 0066819D
006682C7 |.  E8 7CCB>|call proSitik.00404E48
006682CC |.  C64418 >|mov byte ptr ds:[eax+ebx-1],35
006682D1 |.  E9 8F02>|jmp proSitik.00668565
006682D6 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 33 ('3') of switch 0066819D
006682D9 |.  E8 6ACB>|call proSitik.00404E48
006682DE |.  C64418 >|mov byte ptr ds:[eax+ebx-1],30
006682E3 |.  E9 7D02>|jmp proSitik.00668565
006682E8 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 34 ('4') of switch 0066819D
006682EB |.  E8 58CB>|call proSitik.00404E48
006682F0 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],52
006682F5 |.  E9 6B02>|jmp proSitik.00668565
006682FA |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 35 ('5') of switch 0066819D
006682FD |.  E8 46CB>|call proSitik.00404E48
00668302 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4E
00668307 |.  E9 5902>|jmp proSitik.00668565
0066830C |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 36 ('6') of switch 0066819D
0066830F |.  E8 34CB>|call proSitik.00404E48
00668314 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],31
00668319 |.  E9 4702>|jmp proSitik.00668565
0066831E |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 37 ('7') of switch 0066819D
00668321 |.  E8 22CB>|call proSitik.00404E48
00668326 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],78
0066832B |.  E9 3502>|jmp proSitik.00668565
00668330 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 38 ('8') of switch 0066819D
00668333 |.  E8 10CB>|call proSitik.00404E48
00668338 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],30
0066833D |.  E9 2302>|jmp proSitik.00668565
00668342 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 39 ('9') of switch 0066819D
00668345 |.  E8 FECA>|call proSitik.00404E48
0066834A |.  C64418 >|mov byte ptr ds:[eax+ebx-1],31
0066834F |.  E9 1102>|jmp proSitik.00668565
00668354 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 41 ('A') of switch 0066819D
00668357 |.  E8 ECCA>|call proSitik.00404E48
0066835C |.  C64418 >|mov byte ptr ds:[eax+ebx-1],33
00668361 |.  E9 FF01>|jmp proSitik.00668565
00668366 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 42 ('B') of switch 0066819D
00668369 |.  E8 DACA>|call proSitik.00404E48
0066836E |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4B
00668373 |.  E9 ED01>|jmp proSitik.00668565
00668378 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 43 ('C') of switch 0066819D
0066837B |.  E8 C8CA>|call proSitik.00404E48
00668380 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],50
00668385 |.  E9 DB01>|jmp proSitik.00668565
0066838A |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 44 ('D') of switch 0066819D
0066838D |.  E8 B6CA>|call proSitik.00404E48
00668392 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4D
00668397 |.  E9 C901>|jmp proSitik.00668565
0066839C |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 45 ('E') of switch 0066819D
0066839F |.  E8 A4CA>|call proSitik.00404E48
006683A4 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4A
006683A9 |.  E9 B701>|jmp proSitik.00668565
006683AE |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 46 ('F') of switch 0066819D
006683B1 |.  E8 92CA>|call proSitik.00404E48
006683B6 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],59
006683BB |.  E9 A501>|jmp proSitik.00668565
006683C0 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 47 ('G') of switch 0066819D
006683C3 |.  E8 80CA>|call proSitik.00404E48
006683C8 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],32
006683CD |.  E9 9301>|jmp proSitik.00668565
006683D2 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 48 ('H') of switch 0066819D
006683D5 |.  E8 6ECA>|call proSitik.00404E48
006683DA |.  C64418 >|mov byte ptr ds:[eax+ebx-1],66
006683DF |.  E9 8101>|jmp proSitik.00668565
006683E4 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 49 ('I') of switch 0066819D
006683E7 |.  E8 5CCA>|call proSitik.00404E48
006683EC |.  C64418 >|mov byte ptr ds:[eax+ebx-1],5A
006683F1 |.  E9 6F01>|jmp proSitik.00668565
006683F6 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 4A ('J') of switch 0066819D
006683F9 |.  E8 4ACA>|call proSitik.00404E48
006683FE |.  C64418 >|mov byte ptr ds:[eax+ebx-1],2D
00668403 |.  E9 5D01>|jmp proSitik.00668565
00668408 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 4B ('K') of switch 0066819D
0066840B |.  E8 38CA>|call proSitik.00404E48
00668410 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],36
00668415 |.  E9 4B01>|jmp proSitik.00668565
0066841A |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 4C ('L') of switch 0066819D
0066841D |.  E8 26CA>|call proSitik.00404E48
00668422 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4E
00668427 |.  E9 3901>|jmp proSitik.00668565
0066842C |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 4D ('M') of switch 0066819D
0066842F |.  E8 14CA>|call proSitik.00404E48
00668434 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],41
00668439 |.  E9 2701>|jmp proSitik.00668565
0066843E |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 4E ('N') of switch 0066819D
00668441 |.  E8 02CA>|call proSitik.00404E48
00668446 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],39
0066844B |.  E9 1501>|jmp proSitik.00668565
00668450 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 4F ('O') of switch 0066819D
00668453 |.  E8 F0C9>|call proSitik.00404E48
00668458 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],30
0066845D |.  E9 0301>|jmp proSitik.00668565
00668462 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 50 ('P') of switch 0066819D
00668465 |.  E8 DEC9>|call proSitik.00404E48
0066846A |.  C64418 >|mov byte ptr ds:[eax+ebx-1],31
0066846F |.  E9 F100>|jmp proSitik.00668565
00668474 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 51 ('Q') of switch 0066819D
00668477 |.  E8 CCC9>|call proSitik.00404E48
0066847C |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4F
00668481 |.  E9 DF00>|jmp proSitik.00668565
00668486 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 52 ('R') of switch 0066819D
00668489 |.  E8 BAC9>|call proSitik.00404E48
0066848E |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4B
00668493 |.  E9 CD00>|jmp proSitik.00668565
00668498 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 53 ('S') of switch 0066819D
0066849B |.  E8 A8C9>|call proSitik.00404E48
006684A0 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],50
006684A5 |.  E9 BB00>|jmp proSitik.00668565
006684AA |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 54 ('T') of switch 0066819D
006684AD |.  E8 96C9>|call proSitik.00404E48
006684B2 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4D
006684B7 |.  E9 A900>|jmp proSitik.00668565
006684BC |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 61 ('a') of switch 0066819D
006684BF |.  E8 84C9>|call proSitik.00404E48
006684C4 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4A
006684C9 |.  E9 9700>|jmp proSitik.00668565
006684CE |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 62 ('b') of switch 0066819D
006684D1 |.  E8 72C9>|call proSitik.00404E48
006684D6 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],59
006684DB |.  E9 8500>|jmp proSitik.00668565
006684E0 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 63 ('c') of switch 0066819D
006684E3 |.  E8 60C9>|call proSitik.00404E48
006684E8 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],39
006684ED |.  EB 76 |jmp short proSitik.00668565
006684EF |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 64 ('d') of switch 0066819D
006684F2 |.  E8 51C9>|call proSitik.00404E48
006684F7 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],30
006684FC |.  EB 67 |jmp short proSitik.00668565
006684FE |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 65 ('e') of switch 0066819D
00668501 |.  E8 42C9>|call proSitik.00404E48
00668506 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],31
0066850B |.  EB 58 |jmp short proSitik.00668565
0066850D |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 66 ('f') of switch 0066819D
00668510 |.  E8 33C9>|call proSitik.00404E48
00668515 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4F
0066851A |.  EB 49 |jmp short proSitik.00668565
0066851C |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 67 ('g') of switch 0066819D
0066851F |.  E8 24C9>|call proSitik.00404E48
00668524 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4B
00668529 |.  EB 3A |jmp short proSitik.00668565
0066852B |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 68 ('h') of switch 0066819D
0066852E |.  E8 15C9>|call proSitik.00404E48
00668533 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],50
00668538 |.  EB 2B |jmp short proSitik.00668565
0066853A |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 69 ('i') of switch 0066819D
0066853D |.  E8 06C9>|call proSitik.00404E48
00668542 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4D
00668547 |.  EB 1C |jmp short proSitik.00668565
00668549 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 6A ('j') of switch 0066819D
0066854C |.  E8 F7C8>|call proSitik.00404E48
00668551 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],4A
00668556 |.  EB 0D |jmp short proSitik.00668565
00668558 |>  8D45 F8 |lea eax,dword ptr ss:[ebp-8]             ;  Case 6B ('k') of switch 0066819D
0066855B |.  E8 E8C8>|call proSitik.00404E48
00668560 |.  C64418 >|mov byte ptr ds:[eax+ebx-1],59
00668565 |>  43    |inc ebx                                  ;  Default case of switch 0066819D
00668566 |.  4E    |dec esi
00668567 |.^ 0F85 28>\jnz proSitik.00668195

006686F4  01 00 00 00 2D 00 00 00    ...-...
006686FC  FF FF FF FF 01 00 00 00    ??...
00668704  43 00 00 00 FF FF FF FF    C...??
0066870C  01 00 00 00 67 00 00 00    ...g...
00668714  FF FF FF FF 32 00 00 00    ??2...

0066856D |>  68 0487>push proSitik.00668704
00668572 |.  FF75 F8 push dword ptr ss:[ebp-8]
00668575 |.  68 1087>push proSitik.00668710
0066857A |.  8D45 E0 lea eax,dword ptr ss:[ebp-20]
0066857D |.  BA 0300>mov edx,3
00668582 |.  E8 31C7>call proSitik.00404CB8                   ;  转换后的机器码处理: "C"+"string"+"g"
0668587 |.  8B45 E0 mov eax,dword ptr ss:[ebp-20]
0066858A |.  50    push eax
0066858B |.  8D55 DC lea edx,dword ptr ss:[ebp-24]
0066858E |.  8B87 78>mov eax,dword ptr ds:[edi+378]
00668594 |.  E8 EBAB>call proSitik.00453184                   ;  * Reference to: Controls.TControl.GetText(TControl):TCaption;
00668599 |.  8B55 DC mov edx,dword ptr ss:[ebp-24]             ;  获取注册码
0066859C |.  58    pop eax                                  ;  和转换后的机器码比较
0066859D |.  E8 9AC7>call proSitik.00404D3C                   ;  * Reference to: System.@LStrCmp;
006685A2 |.  0F85 C8>jnz proSitik.00668670;=====爆破点！
006685A8 |.  B2 01 mov dl,1
006685AA |.  A1 B0B5>mov eax,dword ptr ds:[47B5B0]
006685AF |.  E8 6831>call proSitik.0047B71C                   ;  * Reference to: Registry.TRegistry.Create(TRegistry;boolean);overload;
006685B4 |.  8BD8 mov ebx,eax
006685B6 |.  BA 0200>mov edx,80000002
006685BB |.  8BC3 mov eax,ebx
006685BD |.  E8 3632>call proSitik.0047B7F8                   ;  * Reference to: Registry.TRegistry.SetRootKey(TRegistry;HKEY);
006685C2 |.  B1 01 mov cl,1
006685C4 |.  BA 1C87>mov edx,proSitik.0066871C                ;  ASCII "Software\Microsoft\Windows\CurrentVersion\www\www3"
006685C9 |.  8BC3 mov eax,ebx
006685CB |.  E8 6C33>call proSitik.0047B93C                   ;  * Reference to: Registry.TRegistry.OpenKey(TRegistry;AnsiString;Boolean):Boolean;
006685D0 |.  84C0 test al,al
006685D2 |.  74 2B je short proSitik.006685FF
006685D4 |.  33C9 xor ecx,ecx
006685D6 |.  BA 5887>mov edx,proSitik.00668758                ;  ASCII "wwwok"
006685DB |.  8BC3 mov eax,ebx
006685DD |.  E8 7A37>call proSitik.0047BD5C                   ;  * Reference to: Registry.TRegistry.WriteInteger(TRegistry;AnsiString;Integer);
006685E2 |.  8D55 D8 lea edx,dword ptr ss:[ebp-28]
006685E5 |.  8B87 78>mov eax,dword ptr ds:[edi+378]
006685EB |.  E8 94AB>call proSitik.00453184                   ;  * Reference to: Controls.TControl.GetText(TControl):TCaption;
006685F0 |.  8B4D D8 mov ecx,dword ptr ss:[ebp-28]
006685F3 |.  BA 6887>mov edx,proSitik.00668768                ;  ASCII "wwwcode"
006685F8 |.  8BC3 mov eax,ebx
006685FA |.  E8 B936>call proSitik.0047BCB8                   ;  * Reference to: Registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString);
006685FF |>  8BC3 mov eax,ebx
00668601 |.  E8 C231>call proSitik.0047B7C8                   ;  * Reference to: Registry.TRegistry.CloseKey(TRegistry);
00668606 |.  BA 0200>mov edx,80000002
0066860B |.  8BC3 mov eax,ebx
0066860D |.  E8 E631>call proSitik.0047B7F8                   ;  * Reference to: Registry.TRegistry.SetRootKey(TRegistry;HKEY);
00668612 |.  B1 01 mov cl,1
00668614 |.  BA 7887>mov edx,proSitik.00668778                ;  ASCII "Software\stk"
00668619 |.  8BC3 mov eax,ebx
0066861B |.  E8 1C33>call proSitik.0047B93C                   ;  * Reference to: Registry.TRegistry.OpenKey(TRegistry;AnsiString;Boolean):Boolean;
00668620 |.  84C0 test al,al
00668622 |.  74 1D je short proSitik.00668641
00668624 |.  8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00668627 |.  8B87 74>mov eax,dword ptr ds:[edi+374]
0066862D |.  E8 52AB>call proSitik.00453184                   ;  * Reference to: Controls.TControl.GetText(TControl):TCaption;
00668632 |.  8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
00668635 |.  BA 9087>mov edx,proSitik.00668790                ;  * Possible String Reference to: '用户名称'
0066863A |.  8BC3 mov eax,ebx
0066863C |.  E8 7736>call proSitik.0047BCB8                   ;  * Reference to: Registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString);
00668641 |>  8BC3 mov eax,ebx
00668643 |.  E8 8031>call proSitik.0047B7C8                   ;  * Reference to: Registry.TRegistry.CloseKey(TRegistry);
00668648 |.  8BC3 mov eax,ebx
0066864A |.  E8 21B4>call proSitik.00403A70                   ;  * Reference to: System.TObject.Free(TObject);
0066864F |.  6A 00 push 0
00668651 |.  B9 D886>mov ecx,proSitik.006686D8                ;  * Possible String Reference to: '提示'
00668656 |.  BA 9C87>mov edx,proSitik.0066879C                ;  * Possible String Reference to: '注册成功,感谢您的支持'
0066865B |.  A1 2431>mov eax,dword ptr ds:[673124]
00668660 |.  8B00 mov eax,dword ptr ds:[eax]
00668662 |.  E8 4DBC>call proSitik.004742B4                   ;  * Reference to: Forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
00668667 |.  8BC7 mov eax,edi
00668669 |.  E8 3A83>call proSitik.004709A8                   ;  * Reference to: Forms.TCustomForm.Close(TCustomForm);
0066866E |.  EB 18 jmp short proSitik.00668688
00668670 |>  6A 00 push 0
00668672 |.  B9 D886>mov ecx,proSitik.006686D8                ;  * Possible String Reference to: '提示'
00668677 |.  BA B487>mov edx,proSitik.006687B4                ;  * Possible String Reference to: '注册码错误,请检查'
0066867C |.  A1 2431>mov eax,dword ptr ds:[673124]
00668681 |.  8B00 mov eax,dword ptr ds:[eax]
00668683 |.  E8 2CBC>call proSitik.004742B4                   ;  * Reference to: Forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
00668688 |>  33C0 xor eax,eax
0066868A |.  5A    pop edx
0066868B |.  59    pop ecx
0066868C |.  59    pop ecx
0066868D |.  64:8910 mov dword ptr fs:[eax],edx
00668690 |.  68 D186>push proSitik.006686D1                   ;  * Possible String Reference to: '_^[?]锰崾?
00668695 |>  8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00668698 |.  BA 0300>mov edx,3
0066869D |.  E8 C2C2>call proSitik.00404964                   ;  * Reference to: System.@LStrArrayClr(void;void;Integer);
006686A2 |.  8D45 E0 lea eax,dword ptr ss:[ebp-20]
006686A5 |.  BA 0300>mov edx,3
006686AA |.  E8 B5C2>call proSitik.00404964                   ;  * Reference to: System.@LStrArrayClr(void;void;Integer);
006686AF |.  8D45 EC lea eax,dword ptr ss:[ebp-14]
006686B2 |.  BA 0200>mov edx,2
006686B7 |.  E8 A8C2>call proSitik.00404964                   ;  * Reference to: System.@LStrArrayClr(void;void;Integer);
006686BC |.  8D45 F4 lea eax,dword ptr ss:[ebp-C]
006686BF |.  BA 0300>mov edx,3
006686C4 |.  E8 9BC2>call proSitik.00404964                   ;  * Reference to: System.@LStrArrayClr(void;void;Integer);
006686C9 \.  C3    retn
006686CA .^ E9 35BB>jmp proSitik.00404204                   ;  * Reference to: System.@HandleFinally;
006686CF .^ EB C4 jmp short proSitik.00668695
006686D1 .  5F    pop edi
006686D2 .  5E    pop esi
006686D3 .  5B    pop ebx
006686D4 .  8BE5 mov esp,ebp
006686D6 .  5D    pop ebp
006686D7 .  C3    retn

转换后的机器码处理：
===================

006686F4  01 00 00 00 2D 00 00 00    ...-...
006686FC  FF FF FF FF 01 00 00 00    ??...
00668704  43 00 00 00 FF FF FF FF    C...??
0066870C  01 00 00 00 67 00 00 00    ...g...
00668714  FF FF FF FF 32 00 00 00    ??2...

1,"C"
1,"g"
E(14),"KVKNYP-M1x0fPP"
===> 首部附加 'C',尾部附加 'g' ===>"CKVKNYP-M1x0fPPg"

00404CB8 53                   push ebx
00404CB9 56                   push esi
00404CBA 57                   push edi
00404CBB 52                   push edx
00404CBC 50                   push eax
00404CBD 89D3                mov    ebx, edx          ; ebx = edx = 3
00404CBF 31FF                xor    edi, edi
00404CC1 8B4C9414             mov    ecx, [esp+edx*4+$14] ; ecx = 668704,value = 43000000('C')
00404CC5 85C9                test ecx, ecx
00404CC7 7406                jz    00404CCF
00404CC9 3908                cmp    [eax], ecx          ; eax = 12E700,value = 00000000
00404CCB 7502                jnz    00404CCF
00404CCD 89C7                mov    edi, eax
00404CCF 31C0                xor    eax, eax          ; eax = 0
00404CD1 8B4C9414             mov    ecx, [esp+edx*4+$14] ; ecx = 668704,value = 43000000('C')
00404CD5 85C9                test ecx, ecx
00404CD7 7409                jz    00404CE2
00404CD9 0341FC                add    eax, [ecx-$04]    ; ecx-$04 = 668700,value = 01000000
00404CDC 39CF                cmp    edi, ecx          ; 字符串末尾?
00404CDE 7502                jnz    00404CE2
00404CE0 31FF                xor    edi, edi
00404CE2 4A                   dec    edx
00404CE3 75EC                jnz    00404CD1
00404CE5 85FF                test edi, edi
00404CE7 7414                jz    00404CFD
00404CE9 89C2                mov    edx, eax
00404CEB 89F8                mov    eax, edi
00404CED 8B37                mov    esi, [edi]
00404CEF 8B76FC                mov    esi, [esi-$04]

* Reference to: System.@LStrSetLength;
|
00404CF2 E885020000          call 00404F7C
00404CF7 57                   push edi
00404CF8 0337                add    esi, [edi]
00404CFA 4B                   dec    ebx
00404CFB EB08                jmp    00404D05

* Reference to: System.@NewAnsiString(Integer):Pointer;
|
00404CFD E802FDFFFF          call 00404A04
00404D02 50                   push eax
00404D03 89C6                mov    esi, eax
00404D05 8B449C18             mov    eax, [esp+ebx*4+$18]
00404D09 89F2                mov    edx, esi
00404D0B 85C0                test eax, eax
00404D0D 740A                jz    00404D19
00404D0F 8B48FC                mov    ecx, [eax-$04]
00404D12 01CE                add    esi, ecx

* Reference to: System.Move(void;void;void;void;Integer);
|
00404D14 E833DDFFFF          call 00402A4C
00404D19 4B                   dec    ebx
00404D1A 75E9                jnz    00404D05
00404D1C 5A                   pop    edx
00404D1D 58                   pop    eax
00404D1E 85FF                test edi, edi
00404D20 750C                jnz    00404D2E
00404D22 85D2                test edx, edx
00404D24 7403                jz    00404D29
00404D26 FF4AF8                dec    dword ptr [edx-$08]

* Reference to: System.@LStrAsg(void;void;void;void);
|
00404D29 E866FCFFFF          call 00404994
00404D2E 5A                   pop    edx
00404D2F 5F                   pop    edi
00404D30 5E                   pop    esi
00404D31 5B                   pop    ebx
00404D32 58                   pop    eax
00404D33 8D2494                lea    esp, [esp+edx*4]
00404D36 FFE0                jmp    eax
00404D38 C3                   ret

8) 注册码算法分析

--- 软件自动获取的机器码: CSH309DJCY5BVB
--- 反转机器码:BVB5YCJD903HSC
--- 字符替换表
原始字符: 0123456789ABCDEFGHIJKLMNOPQRSTabcdefghijk
替换字符: xm50RN1x013KPMJY2fZ-6NA901OKPMJY901OKPMJY
如果机器码中的字符不在原始字符表中，则原样复制
--- 结果:KVKNYP-M1x0fPP
--- 首尾分别加上'C'和'g'
--- 得到: CKVKNYP-M1x0fPPg,即机器码为 CSH309DJCY5BVB 的注册码！

9) 注册机代码

#include "stdafx.h"

#include <conio.h>

int _tmain(int argc, _TCHAR* argv[])
{
char strIndex[1024] = "0123456789ABCDEFGHIJKLMNOPQRSTabcdefghijk";
char strTable[1024] = "xm50RN1x013KPMJY2fZ-6NA901OKPMJY901OKPMJY";
char strMC[1024];
char strReverseMC[1024];
char strKey[1024];

char strTMP[1024];
int lenMC;
int lenIndex;
char ch,ch1;

int i,j,k;

printf("\r\nKeyGen for 某试题库管理系统[3.1单机版] - AZMC.13 - 2006.05.22\r\n\r\n");
printf("Please input your machine code:");
scanf("%32s",strMC);
lenMC=strlen(strMC);

lenIndex = strlen( strIndex );
for( i = 0; i < lenMC; i++ )
{
ch = strMC[ lenMC - i - 1 ];
strReverseMC[ i ] = ch;
}
strReverseMC[ i ] = 0;

for( i = 0; i < lenMC; i++ ) {
ch = strReverseMC[ i ];
ch1 = ch;
ch -= 0x30;
if( ch > 0x3B ) {
strKey[ i+1 ] = strReverseMC[ i ];
continue;
}
k = 0xff;
for( j = 0; j < lenIndex; j ++ ) {
if( ch1 == strIndex[ j ] ) {
k = j;
break;
}
}
if( k != 0xff ) strKey[ i+1 ] = strTable[ k ];
else strKey[ i+1 ] = strReverseMC[ i ];
}
strKey[ 0 ] = 'C';
strKey[ i+1 ] = 'g';
strKey[ i+2 ] = 0;

printf("\r\nThe key is: %s\r\n",strKey);

printf("\r\n\r\nPress any key to exit...\r\n");
getch();

return 0;
}

10) 收工

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・0

点赞・7

打赏

最新回复 (3)
误入楼台雪币： 236 活跃值： (35) 能力值： ( LV4，RANK：50 ) 在线值：发帖 24 回帖 200 粉丝 0 关注私信	误入楼台 1 2006-5-22 19:51 2 楼 0 全是代码~！！！学习了
yunfeng 雪币： 269 活跃值： (46) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 486 粉丝 0 关注私信	yunfeng 1 2006-5-23 19:24 3 楼 0 学习收藏了.万维试题库
lezhihua 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	lezhihua 2006-5-23 23:47 4 楼 0 强!实在是强!佩服楼主!!! 我已经把试用版的爆破了,功能没有限制.
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复