【目标软件】HRMIS人力资源管理系统标准版
【破解工具】IDA、SoftICE
【破解目标】得到注册算法
【参考资料】dREAMtHEATER 《Delphi 对象模型学习笔记》http://dreamtheater.reg365.com/papers/Object.htm
这个软件采用了Delphi类虚拟方法来保护注册机制,dREAMtHEATER老大的文章对Delphi类的虚拟方法表格和动态方法表格讲的很清楚
【说明】这个是人事部的老大要试用下,却没试用版;要我帮破下,就做了它;几个月了,一直没时间整理贴上来;今天花时间搞上来,没其他不良企图,只是想与大家交流
开始~
主程序文件用的壳是ASPack 2.12 -> Alexey Solodovnikov,很好脱;找个ASPack的脱壳机脱壳,是Borland Delphi程序
用IDA反汇编,在Strings中找到'请及时注册,谢谢!'的提示串:
CODE:005C3DA0 aIVS db '请及时注册,谢谢!',0 ; DATA XREF: sub_5C3B8C+1A2o
。。。
CODE:005C3C6E 020 lea eax, [ebp+var_4]
CODE:005C3C71 020 push eax
CODE:005C3C72 024 lea edx, [ebp+var_11C]
CODE:005C3C78 024 mov eax, esi
CODE:005C3C7A 024 mov bx, -10h ; call sub_5C3638,这个地方是取得卷信息★★
CODE:005C3C7E 024 call @System@@CallDynaInst$qqrv ; System::__linkproc__ CallDynaInst(void)
CODE:005C3C83 024 mov eax, [ebp+var_11C]
CODE:005C3C89 024 push eax
CODE:005C3C8A 028 lea eax, [ebp+var_120]
CODE:005C3C90 028 lea edx, [esi+0A6h]
CODE:005C3C96 028 call unknown_libname_10 ; LStrFromPCharLen(System::AnsiString &,char *,int)
CODE:005C3C96 ; 分配并从 PChar 复制指定长度的 AnsiString
CODE:005C3C96 ; EAX :目标字符串
CODE:005C3C96 ; EDX :源字符串
CODE:005C3C96 ; ECX :要复制的长度
CODE:005C3C96 ;
CODE:005C3C9B 028 mov edx, [ebp+var_120]
CODE:005C3CA1 028 mov eax, esi
CODE:005C3CA3 028 pop ecx
CODE:005C3CA4 024 mov bx, -12h ; call sub_5C3848,这个地方就是注册算法▲▲▲
CODE:005C3CA8 024 call @System@@CallDynaInst$qqrv ; System::__linkproc__ CallDynaInst(void)
CODE:005C3CAD 024 lea eax, [ebp+var_124]
CODE:005C3CB3 024 lea edx, [esi+254h]
CODE:005C3CB9 024 call unknown_libname_10 ; LStrFromPCharLen(System::AnsiString &,char *,int)
CODE:005C3CB9 ; 分配并从 PChar 复制指定长度的 AnsiString
CODE:005C3CB9 ; EAX :目标字符串
CODE:005C3CB9 ; EDX :源字符串
CODE:005C3CB9 ; ECX :要复制的长度
CODE:005C3CB9 ;
CODE:005C3CBE 024 mov eax, [ebp+var_124]
CODE:005C3CC4 024 mov edx, [ebp+var_4]
CODE:005C3CC7 024 call @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:005C3CCC 024 jz loc_5C3D5E
CODE:005C3CD2 024 mov ebx, 1
CODE:005C3CD7
CODE:005C3CD7 loc_5C3CD7: ; CODE XREF: sub_5C3B8C+17Aj
CODE:005C3CD7 024 lea eax, [ebp+var_128]
CODE:005C3CDD 024 lea edx, [esi+254h]
CODE:005C3CE3 024 call unknown_libname_10 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3CE8 024 mov eax, [ebp+var_128] ; 用户输入的注册码
CODE:005C3CEE 024 mov edx, [ebp+var_4] ; 程序计算的注册码
CODE:005C3CF1 024 call @System@@LStrCmp$qqrv ; 注册码比较
CODE:005C3CF6 024 jz short loc_5C3D08 ; 注册成功,跳
CODE:005C3CF8 024 lea edx, [ebp+var_4]
CODE:005C3CFB 024 mov eax, esi
CODE:005C3CFD 024 call sub_5C3DE4 ; 注册对话框
CODE:005C3D02 024 inc ebx
CODE:005C3D03 024 cmp ebx, 4 ; 每次运行,可输入3次
CODE:005C3D06 024 jnz short loc_5C3CD7
CODE:005C3D08
CODE:005C3D08 loc_5C3D08: ; CODE XREF: sub_5C3B8C+16Aj
CODE:005C3D08 024 cmp ebx, 3
CODE:005C3D0B 024 jl short loc_5C3D3D
CODE:005C3D0D 024 lea eax, [ebp+var_12C]
CODE:005C3D13 024 lea edx, [esi+254h]
CODE:005C3D19 024 call unknown_libname_10 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3D1E 024 mov eax, [ebp+var_12C]
CODE:005C3D24 024 mov edx, [ebp+var_4]
CODE:005C3D27 024 call @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
CODE:005C3D2C 024 jz short loc_5C3D3D
CODE:005C3D2E 024 mov eax, offset aIVS ; "请及时注册,谢谢!"
; =====================
; CallDynaInst 调用
; call sub_5C3638,这个地方是取得卷信息★★
CODE:005C3638 sub_5C3638 proc near
CODE:005C3638
CODE:005C3638 var_110 = dword ptr -110h
CODE:005C3638 var_10C = dword ptr -10Ch
CODE:005C3638 FileSystemNameBuffer= byte ptr -108h
CODE:005C3638 FileSystemFlags = dword ptr -8
CODE:005C3638 MaximumComponentLength= dword ptr -4
CODE:005C3638
CODE:005C3638 000 push ebp
CODE:005C3639 004 mov ebp, esp
CODE:005C363B 004 add esp, 0FFFFFEF0h
CODE:005C3641 114 push ebx
CODE:005C3642 118 push esi
CODE:005C3643 11C push edi
CODE:005C3644 120 xor ecx, ecx
CODE:005C3646 120 mov [ebp+var_10C], ecx
CODE:005C364C 120 mov [ebp+var_110], ecx
CODE:005C3652 120 mov edi, edx
CODE:005C3654 120 xor eax, eax
CODE:005C3656 120 push ebp
CODE:005C3657 124 push offset loc_5C3712
CODE:005C365C 128 push dword ptr fs:[eax]
CODE:005C365F 12C mov fs:[eax], esp
CODE:005C3662 12C mov eax, 4
CODE:005C3667 12C call @System@@GetMem$qqrv ; System::__linkproc__ GetMem(void)
CODE:005C366C 12C mov ebx, eax
CODE:005C366E 12C push 100h ; nFileSystemNameSize
CODE:005C3673 130 lea eax, [ebp+FileSystemNameBuffer]
CODE:005C3679 130 push eax ; lpFileSystemNameBuffer
CODE:005C367A 134 lea eax, [ebp+FileSystemFlags]
CODE:005C367D 134 push eax ; lpFileSystemFlags
CODE:005C367E 138 lea eax, [ebp+MaximumComponentLength]
CODE:005C3681 138 push eax ; lpMaximumComponentLength
CODE:005C3682 13C push ebx ; lpVolumeSerialNumber
CODE:005C3683 140 push 0 ; nVolumeNameSize
CODE:005C3685 144 push 0 ; lpVolumeNameBuffer
CODE:005C3687 148 push offset off_5C3720 ; lpRootPathName
CODE:005C368C 14C call GetVolumeInformationA
; call sub_5C3848,这个地方就是注册算法▲▲▲
CODE:005C3848 sub_5C3848 proc near
CODE:005C3848
CODE:005C3848 var_38 = dword ptr -38h
CODE:005C3848 var_34 = dword ptr -34h
CODE:005C3848 FrmVolInfoStr[j]= byte ptr -2Eh
CODE:005C3848 FrmVolInfoStr[i]= byte ptr -2Dh
CODE:005C3848 var_2C = dword ptr -2Ch
CODE:005C3848 var_28 = dword ptr -28h
CODE:005C3848 var_24 = dword ptr -24h
CODE:005C3848 var_20 = dword ptr -20h
CODE:005C3848 var_1C = dword ptr -1Ch
CODE:005C3848 FrmVolInfoStr[j]_tmp= dword ptr -18h
CODE:005C3848 FrmVolInfoStr[i]_Tmp= dword ptr -14h
CODE:005C3848 BuildinStr_01 = dword ptr -10h
CODE:005C3848 FrmVolInfoStr = dword ptr -0Ch
CODE:005C3848 UserOrganizationName= dword ptr -8
CODE:005C3848 var_4 = dword ptr -4
CODE:005C3848 arg_0 = dword ptr 8
CODE:005C3848
CODE:005C3848 000 push ebp
CODE:005C3849 004 mov ebp, esp
CODE:005C384B 004 push ecx
CODE:005C384C 008 mov ecx, 6
CODE:005C3851
CODE:005C3851 loc_5C3851: ; CODE XREF: sub_5C3848+Ej
CODE:005C3851 008 push 0
CODE:005C3853 00C push 0 ; i,从0到末位
CODE:005C3853 ; j,从末位到0
CODE:005C3853 ;
CODE:005C3855 010 dec ecx
CODE:005C3856 010 jnz short loc_5C3851
CODE:005C3858 010 push ecx
CODE:005C3859 014 xchg ecx, [ebp+var_4] ; 格式化卷信息串
CODE:005C385C 014 push ebx
CODE:005C385D 018 push esi
CODE:005C385E 01C push edi
CODE:005C385F 020 mov [ebp+FrmVolInfoStr], ecx
CODE:005C3862 020 mov [ebp+UserOrganizationName], edx ; 用户填入的单位名称
CODE:005C3862 ; 注意:这个名称是经过了变换的
CODE:005C3862 ; 方法是:取第一个,取最末位,取第二个,取倒数第二个,。。。
CODE:005C3865 020 mov [ebp+var_4], eax
CODE:005C3868 020 mov eax, [ebp+UserOrganizationName]
CODE:005C386B 020 call @@LStrAddRef ; __linkproc__ LStrAddRef
CODE:005C3870 020 mov eax, [ebp+FrmVolInfoStr]
CODE:005C3873 020 call @@LStrAddRef ; __linkproc__ LStrAddRef
CODE:005C3878 020 xor eax, eax
CODE:005C387A 020 push ebp
CODE:005C387B 024 push offset loc_5C3A4A
CODE:005C3880 028 push dword ptr fs:[eax]
CODE:005C3883 02C mov fs:[eax], esp
CODE:005C3886 02C lea edx, [ebp+var_34]
CODE:005C3889 02C mov eax, [ebp+var_4]
CODE:005C388C 02C mov eax, [eax+28h] ; "FD52F4F6-E33E-4866-A232-E5A1C8CE0E62_STAND_HRMIS_ShangXin_HeLuo"
CODE:005C388F 02C call @Sysutils@Trim$qqrx17System@AnsiString ; Sysutils::Trim(System::AnsiString)
CODE:005C3894 02C cmp [ebp+var_34], 0
CODE:005C3898 02C jz short loc_5C38AA ; 上面的串为空,则取下面的串
CODE:005C389A 02C lea eax, [ebp+BuildinStr_01]
CODE:005C389D 02C mov edx, [ebp+var_4]
CODE:005C38A0 02C mov edx, [edx+28h]
CODE:005C38A3 02C call @@LStrLAsg ; __linkproc__ LStrLAsg
CODE:005C38A8 02C jmp short loc_5C38B7 ; 卷信息串
CODE:005C38AA ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C38AA
CODE:005C38AA loc_5C38AA: ; CODE XREF: sub_5C3848+50j
CODE:005C38AA 02C lea eax, [ebp+BuildinStr_01]
CODE:005C38AD 02C mov edx, offset aZxasdqexcsrfcw ; "#zXaSDqExCsRFcW$VdevJMfrbgNtnhymju,kilo"...
CODE:005C38B2 02C call @@LStrLAsg ; __linkproc__ LStrLAsg
CODE:005C38B7
CODE:005C38B7 loc_5C38B7: ; CODE XREF: sub_5C3848+60j
CODE:005C38B7 02C mov eax, [ebp+FrmVolInfoStr] ; 卷信息串
CODE:005C38BA 02C call sub_404464
CODE:005C38BF 02C mov esi, eax ; 卷信息串长度
CODE:005C38C1 02C jmp short loc_5C38CE
CODE:005C38C3 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C38C3
CODE:005C38C3 loc_5C38C3: ; CODE XREF: sub_5C3848+90j
CODE:005C38C3 02C lea eax, [ebp+BuildinStr_01]
CODE:005C38C6 02C mov edx, [ebp+BuildinStr_01]
CODE:005C38C9 02C call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:005C38CE
CODE:005C38CE loc_5C38CE: ; CODE XREF: sub_5C3848+79j
CODE:005C38CE 02C mov eax, [ebp+BuildinStr_01]
CODE:005C38D1 02C call sub_404464
CODE:005C38D6 02C cmp esi, eax
CODE:005C38D8 02C jg short loc_5C38C3 ;
CODE:005C38D8 ;
CODE:005C38D8 ;
CODE:005C38D8 ;
CODE:005C38DA 02C lea ecx, [ebp+var_38]
CODE:005C38DD 02C mov edx, [ebp+UserOrganizationName]
CODE:005C38E0 02C mov eax, [ebp+var_4]
CODE:005C38E3 02C call sub_5C3770 ; 对单位名称进行运算,如下
CODE:005C38E3 ; 注意:UserUnitName变成了
CODE:005C38E3 ; UserUnitName_BuildinStr_01
CODE:005C38E8 02C mov edx, [ebp+var_38]
CODE:005C38EB 02C lea eax, [ebp+UserOrganizationName]
CODE:005C38EE 02C call @@LStrLAsg ; __linkproc__ LStrLAsg
CODE:005C38F3 02C lea eax, [ebp+UserOrganizationName]
CODE:005C38F6 02C mov edx, [ebp+BuildinStr_01]
CODE:005C38F9 02C call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:005C38FE 02C mov eax, [ebp+arg_0]
CODE:005C3901 02C call @@LStrClr ; __linkproc__ LStrClr
CODE:005C3906 02C mov edi, esi
CODE:005C3908 02C test edi, edi
CODE:005C390A 02C jle loc_5C3A22
CODE:005C3910 02C mov ebx, 1 ; counter
CODE:005C3915
CODE:005C3915 loc_5C3915: ; CODE XREF: sub_5C3848+1D4j
CODE:005C3915 02C mov eax, [ebp+FrmVolInfoStr]
CODE:005C3918 02C mov al, [eax+ebx-1] ; 从前往后取字符
CODE:005C391C 02C mov [ebp+FrmVolInfoStr[i]], al
CODE:005C391F 02C mov eax, esi ; length of FrmVolInfoStr
CODE:005C3921 02C sub eax, ebx
CODE:005C3923 02C mov edx, [ebp+FrmVolInfoStr]
CODE:005C3926 02C mov al, [edx+eax] ; 从后往前取字符
CODE:005C3929 02C mov [ebp+FrmVolInfoStr[j]], al
CODE:005C392C 02C lea edx, [ebp+FrmVolInfoStr[i]_Tmp] ; FrmVolInfoStr[i]
CODE:005C392F 02C xor eax, eax
CODE:005C3931 02C mov al, [ebp+FrmVolInfoStr[i]]
CODE:005C3934 02C call @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C3939 02C mov eax, [ebp+var_4]
CODE:005C393C 02C cmp byte ptr [eax+40h], 0
CODE:005C3940 02C jz short loc_5C395E
CODE:005C3942 02C mov eax, [ebp+BuildinStr_01]
CODE:005C3945 02C movzx eax, byte ptr [eax+ebx-1]
CODE:005C394A 02C mov edx, [ebp+UserOrganizationName]
CODE:005C394D 02C movzx edx, byte ptr [edx+ebx-1]
CODE:005C3952 02C add eax, edx ; BuildinStr_01[i]+UserUnitName[i]
CODE:005C3954 02C lea edx, [ebp+var_28]
CODE:005C3957 02C call @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C395C 02C jmp short loc_5C396E ; FrmVolInfoStr[j]
CODE:005C395E ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C395E
CODE:005C395E loc_5C395E: ; CODE XREF: sub_5C3848+F8j
CODE:005C395E 02C lea edx, [ebp+var_28]
CODE:005C3961 02C mov eax, [ebp+BuildinStr_01]
CODE:005C3964 02C movzx eax, byte ptr [eax+ebx-1]
CODE:005C3969 02C call @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C396E
CODE:005C396E loc_5C396E: ; CODE XREF: sub_5C3848+114j
CODE:005C396E 02C lea edx, [ebp+FrmVolInfoStr[j]_tmp] ; FrmVolInfoStr[j]
CODE:005C3971 02C xor eax, eax
CODE:005C3973 02C mov al, [ebp+FrmVolInfoStr[j]]
CODE:005C3976 02C call @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C397B 02C mov eax, [ebp+FrmVolInfoStr[i]_Tmp]
CODE:005C397E 02C call sub_404464
CODE:005C3983 02C mov edx, [ebp+FrmVolInfoStr[i]_Tmp]
CODE:005C3986 02C mov dl, [edx+eax-1]
CODE:005C398A 02C lea eax, [ebp+var_1C]
CODE:005C398D 02C call unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3992 02C mov eax, [ebp+FrmVolInfoStr[j]_tmp] ; 卷信息,从后往前取的字符
CODE:005C3995 02C call sub_404464
CODE:005C399A 02C mov edx, [ebp+FrmVolInfoStr[j]_tmp]
CODE:005C399D 02C mov dl, [edx+eax-1]
CODE:005C39A1 02C lea eax, [ebp+var_20] ; FrmVolInfoStr[j]_tmp,串末位
CODE:005C39A4 02C call unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C39A9 02C mov eax, [ebp+var_28] ; UserUnitName[i]+BuildinStr_01[i]
CODE:005C39AC 02C call sub_404464
CODE:005C39B1 02C mov edx, [ebp+var_28]
CODE:005C39B4 02C mov dl, [edx+eax-1]
CODE:005C39B8 02C lea eax, [ebp+var_2C] ; UserUnitName[i]+BuildinStr_01[i],串末位
CODE:005C39BB 02C call unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C39C0 02C mov eax, [ebp+var_1C] ; FrmVolInfoStr[i]_tmp,串末位
CODE:005C39C3 02C call @StrToInt
CODE:005C39C8 02C push eax
CODE:005C39C9 030 mov eax, [ebp+var_20]
CODE:005C39CC 030 call @StrToInt
CODE:005C39D1 030 pop edx
CODE:005C39D2 02C add edx, eax
CODE:005C39D4 02C push edx
CODE:005C39D5 030 mov eax, [ebp+var_2C]
CODE:005C39D8 030 call @StrToInt
CODE:005C39DD 030 mov edx, eax
CODE:005C39DF 030 pop eax
CODE:005C39E0 02C add eax, edx
CODE:005C39E2 02C lea edx, [ebp+var_24] ; FrmVolINfoStr[i]_tmp+FrmVolInfoStr[j]_tmp+(UserUnitName[i]+BuildinStr_01[i])
CODE:005C39E5 02C call @Sysutils@IntToStr$qqri ; Sysutils::IntToStr(int)
CODE:005C39EA 02C mov eax, [ebp+var_24]
CODE:005C39ED 02C call sub_404464
CODE:005C39F2 02C dec eax
CODE:005C39F3 02C jle short loc_5C3A0C ; 只有一位,jump;否则取末位
CODE:005C39F5 02C mov eax, [ebp+var_24]
CODE:005C39F8 02C call sub_404464
CODE:005C39FD 02C mov edx, [ebp+var_24]
CODE:005C3A00 02C mov dl, [edx+eax-1]
CODE:005C3A04 02C lea eax, [ebp+var_24]
CODE:005C3A07 02C call unknown_libname_6 ; CBuilder 4 and Delphi 4 VCL
CODE:005C3A0C
CODE:005C3A0C loc_5C3A0C: ; CODE XREF: sub_5C3848+1ABj
CODE:005C3A0C 02C mov eax, [ebp+arg_0]
CODE:005C3A0F 02C mov edx, [ebp+var_24]
CODE:005C3A12 02C call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
CODE:005C3A17 02C mov eax, [ebp+arg_0]
CODE:005C3A1A 02C inc ebx
CODE:005C3A1B 02C dec edi
CODE:005C3A1C 02C jnz loc_5C3915
CODE:005C3A22
CODE:005C3A22 loc_5C3A22: ; CODE XREF: sub_5C3848+C2j
CODE:005C3A22 02C xor eax, eax
CODE:005C3A24 02C pop edx
CODE:005C3A25 028 pop ecx
CODE:005C3A26 024 pop ecx
CODE:005C3A27 020 mov fs:[eax], edx
CODE:005C3A2A 020 push offset loc_5C3A51
CODE:005C3A2F
CODE:005C3A2F loc_5C3A2F: ; CODE XREF: sub_5C3848+207j
CODE:005C3A2F 024 lea eax, [ebp+var_38]
CODE:005C3A32 024 mov edx, 2
CODE:005C3A37
CODE:005C3A37 loc_5C3A37: ; DATA XREF: CODE:off_5E7484o
CODE:005C3A37 024 call @@LStrArrayClr ; __linkproc__ LStrArrayClr
CODE:005C3A3C 024 lea eax, [ebp+var_2C]
CODE:005C3A3F
CODE:005C3A3F loc_5C3A3F: ; DATA XREF: CODE:off_9C6C60o
CODE:005C3A3F ; CODE:off_5C3720o ...
CODE:005C3A3F 024 mov edx, 0Ah
CODE:005C3A44 024 call @@LStrArrayClr ; __linkproc__ LStrArrayClr
CODE:005C3A49 024 retn
CODE:005C3A4A ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C3A4A
CODE:005C3A4A loc_5C3A4A: ; DATA XREF: sub_5C3848+33o
CODE:005C3A4A 020 jmp @System@@HandleFinally$qqrv ; System::__linkproc__ HandleFinally(void)
CODE:005C3A4F ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C3A4F 020 jmp short loc_5C3A2F
CODE:005C3A51 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CODE:005C3A51
CODE:005C3A51 loc_5C3A51: ; DATA XREF: sub_5C3848+1E2o
CODE:005C3A51 020 pop edi
CODE:005C3A52 01C pop esi
CODE:005C3A53 018 pop ebx
CODE:005C3A54 014 mov esp, ebp
CODE:005C3A56 004 pop ebp
CODE:005C3A57 000 retn 4
CODE:005C3A57 sub_5C3848 endp
CODE:005C3A57