【Title】: 佳宜固定资产管理软件 v1.31 (Enterprise Edition): a brief analysis of the registration algorithm
【Author】: hczcyy (a standard newbie)
【Author e-mail】: hczcyy@163.com
【Author QQ】: 55346577
【Software】: 佳宜固定资产管理软件 v1.31 (Enterprise Edition)
【Size】: 3118 KB
【Download】: http://sq.newhua.com/soft/46509.htm
【Packer】: none
【Protection】: serial number + name + registration code
【Language】: Delphi
【Tools】: PEiD, OllyDbg (OD), W32Dasm
【Platform】: Windows XP SP2
【Description】: 佳宜固定资产管理系统 is a good fixed-asset management program
【Disclaimer】: Just curiosity, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
1. Run the program and enter an arbitrary name and registration code: an error message box appears.
2. Check the file with PEiD: the language is Delphi, no packer.
3. Load it in OD and search for the string "系统注册失败" (system registration failed). Not found... now what? Load it in W32Dasm instead: there it is. Set a breakpoint at the same address in OD.
Run it, enter user name hczcyy and registration code 87654321; it breaks here:
005E50DD 6A 03 push 3 //error message box; scroll up from here
005E50DF 68 EC515E00 push JyAssetG.005E51EC
005E50E4 E8 6F0FFFFF call <jmp.&PunUnitLib.ShowMess>
005E50E9 33C0 xor eax,eax
005E50EB 5A pop edx
005E50EC 59 pop ecx
005E50ED 59 pop ecx
005E50EE 64:8910 mov dword ptr fs:[eax],edx
005E50F1 68 55515E00 push JyAssetG.005E5155
005E50F6 8D45 CC lea eax,dword ptr ss:[ebp-34]
Scrolling up, we arrive here:
005E4F16 6A 00 push 0
005E4F18 68 5C515E00 push JyAssetG.005E515C
005E4F1D E8 3611FFFF call <jmp.&PunUnitLib.ShowMess>
005E4F22 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E4F25 8B80 04030000 mov eax,dword ptr ds:[eax+304]
005E4F2B 8B10 mov edx,dword ptr ds:[eax]
005E4F2D FF92 C0000000 call dword ptr ds:[edx+C0]
005E4F33 E9 B1010000 jmp JyAssetG.005E50E9
005E4F38 8D55 E8 lea edx,dword ptr ss:[ebp-18]
005E4F3B 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E4F3E 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
005E4F44 E8 4BA0E6FF call JyAssetG.0044EF94 //read the entered registration code: 87654321
005E4F49 8B45 E8 mov eax,dword ptr ss:[ebp-18]
005E4F4C 8D55 EC lea edx,dword ptr ss:[ebp-14]
005E4F4F E8 CC47E2FF call JyAssetG.00409720 //normalises the entered code (a Trim-style call); the result is tested next
005E4F54 837D EC 00 cmp dword ptr ss:[ebp-14],0 //empty after trimming: nothing was entered, bail out
005E4F58 75 22 jnz short JyAssetG.005E4F7C
005E4F5A 6A 00 push 0
005E4F5C 68 70515E00 push JyAssetG.005E5170
005E4F61 E8 F210FFFF call <jmp.&PunUnitLib.ShowMess>
005E4F66 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E4F69 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
005E4F6F 8B10 mov edx,dword ptr ds:[eax]
005E4F71 FF92 C0000000 call dword ptr ds:[edx+C0]
005E4F77 E9 6D010000 jmp JyAssetG.005E50E9
005E4F7C A1 2C556200 mov eax,dword ptr ds:[62552C]
005E4F81 8B00 mov eax,dword ptr ds:[eax] //fixed string "CM86-R1F8"
005E4F83 E8 4800E2FF call JyAssetG.00404FD0
005E4F88 50 push eax
005E4F89 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
005E4F8C 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E4F8F 8B80 F4020000 mov eax,dword ptr ds:[eax+2F4]
005E4F95 E8 FA9FE6FF call JyAssetG.0044EF94 //read the machine code; here it is "5FBCKZR1"
005E4F9A 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
005E4F9D E8 2E00E2FF call JyAssetG.00404FD0
005E4FA2 50 push eax
005E4FA3 E8 E010FFFF call <jmp.&PunUnitLib.GetRegPass> //the algorithm call, exported from PunUnitLib; the check itself is a plaintext compare, but we still want the algorithm :)
005E4FA8 8BD0 mov edx,eax
005E4FAA 8D45 F8 lea eax,dword ptr ss:[ebp-8]
005E4FAD E8 5EFDE1FF call JyAssetG.00404D10
005E4FB2 8D55 DC lea edx,dword ptr ss:[ebp-24]
005E4FB5 8B45 FC mov eax,dword ptr ss:[ebp-4]
005E4FB8 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
005E4FBE E8 D19FE6FF call JyAssetG.0044EF94
005E4FC3 8B45 DC mov eax,dword ptr ss:[ebp-24]
005E4FC6 8D55 E0 lea edx,dword ptr ss:[ebp-20]
005E4FC9 E8 5247E2FF call JyAssetG.00409720
005E4FCE 8B45 E0 mov eax,dword ptr ss:[ebp-20] //the entered (fake) code
005E4FD1 8B55 F8 mov edx,dword ptr ss:[ebp-8] //the real code (hehe, plaintext comparison)
005E4FD4 E8 43FFE1FF call JyAssetG.00404F1C //key call: string compare
005E4FD9 0F85 FE000000 jnz JyAssetG.005E50DD //key jump: taken to the error box on mismatch
Stepping into the call at 005E4FA3 brings us here:
003E9037 55 push ebp
003E9038 68 F2913E00 push PunUnitL.003E91F2
003E903D 64:FF30 push dword ptr fs:[eax]
003E9040 64:8920 mov dword ptr fs:[eax],esp
003E9043 8D45 EC lea eax,dword ptr ss:[ebp-14]
003E9046 E8 65B5F8FF call PunUnitL.003745B0
003E904B 8D45 F0 lea eax,dword ptr ss:[ebp-10]
003E904E 8B55 08 mov edx,dword ptr ss:[ebp+8]
003E9051 E8 4AB7F8FF call PunUnitL.003747A0
003E9056 8B45 F0 mov eax,dword ptr ss:[ebp-10]
003E9059 E8 0AB8F8FF call PunUnitL.00374868
003E905E 8BF0 mov esi,eax
003E9060 85F6 test esi,esi
003E9062 7E 26 jle short PunUnitL.003E908A
003E9064 BB 01000000 mov ebx,1 //ebx is the loop counter
003E9069 8D4D E8 lea ecx,dword ptr ss:[ebp-18] //this loop takes each byte of the machine code in turn
003E906C 8B45 F0 mov eax,dword ptr ss:[ebp-10]
003E906F 0FB64418 FF movzx eax,byte ptr ds:[eax+ebx-1]
003E9074 33D2 xor edx,edx
003E9076 E8 F905F9FF call PunUnitL.00379674 //converts the byte to its hex ASCII value as a string (IntToHex-style: 0x35 -> "35")
003E907B 8B55 E8 mov edx,dword ptr ss:[ebp-18]
003E907E 8D45 FC lea eax,dword ptr ss:[ebp-4] //the next call appends it; for "5FBCKZR1" the result is "354642434B5A5231"
003E9081 E8 EAB7F8FF call PunUnitL.00374870
003E9086 43 inc ebx
003E9087 4E dec esi
003E9088 ^ 75 DF jnz short PunUnitL.003E9069
003E908A 8B45 FC mov eax,dword ptr ss:[ebp-4]
003E908D E8 D6B7F8FF call PunUnitL.00374868
003E9092 8BF0 mov esi,eax
003E9094 85F6 test esi,esi
003E9096 7E 2C jle short PunUnitL.003E90C4
003E9098 BB 01000000 mov ebx,1 //another loop: rebuilds the string in reverse order
003E909D 8B45 FC mov eax,dword ptr ss:[ebp-4]
003E90A0 E8 C3B7F8FF call PunUnitL.00374868
003E90A5 2BC3 sub eax,ebx
003E90A7 8B55 FC mov edx,dword ptr ss:[ebp-4]
003E90AA 8A1402 mov dl,byte ptr ds:[edx+eax]
003E90AD 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
003E90B0 E8 DBB6F8FF call PunUnitL.00374790
003E90B5 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
003E90B8 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003E90BB E8 B0B7F8FF call PunUnitL.00374870
003E90C0 43 inc ebx
003E90C1 4E dec esi
003E90C2 ^ 75 D9 jnz short PunUnitL.003E909D
003E90C4 8D45 FC lea eax,dword ptr ss:[ebp-4]
003E90C7 50 push eax
003E90C8 B9 04000000 mov ecx,4
003E90CD BA 01000000 mov edx,1
003E90D2 8B45 F8 mov eax,dword ptr ss:[ebp-8] //the reversed result here is "1325A5B434246453"
003E90D5 E8 E6B9F8FF call PunUnitL.00374AC0 //Copy(s, 1, 4) -> "1325", stored at [ebp-4]
003E90DA 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003E90DD 50 push eax
003E90DE B9 04000000 mov ecx,4
003E90E3 BA 05000000 mov edx,5
003E90E8 8B45 F8 mov eax,dword ptr ss:[ebp-8]
003E90EB E8 D0B9F8FF call PunUnitL.00374AC0 //Copy(s, 5, 4) -> "A5B4", stored at [ebp-8]
003E90F0 8B45 FC mov eax,dword ptr ss:[ebp-4] //first piece "1325"; the block below pads it if it is shorter than 4 characters (not hit for an 8-character machine code)
003E90F3 E8 70B7F8FF call PunUnitL.00374868
003E90F8 83F8 04 cmp eax,4
003E90FB 7D 2F jge short PunUnitL.003E912C
003E90FD 8B45 FC mov eax,dword ptr ss:[ebp-4]
003E9100 E8 63B7F8FF call PunUnitL.00374868
003E9105 8BD8 mov ebx,eax
003E9107 83FB 03 cmp ebx,3
003E910A 7F 20 jg short PunUnitL.003E912C
003E910C 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
003E910F 8BC3 mov eax,ebx
003E9111 C1E0 02 shl eax,2
003E9114 33D2 xor edx,edx
003E9116 E8 5905F9FF call PunUnitL.00379674
003E911B 8B55 E0 mov edx,dword ptr ss:[ebp-20]
003E911E 8D45 FC lea eax,dword ptr ss:[ebp-4]
003E9121 E8 4AB7F8FF call PunUnitL.00374870
003E9126 43 inc ebx
003E9127 83FB 04 cmp ebx,4
003E912A ^ 75 E0 jnz short PunUnitL.003E910C
003E912C 8B45 F8 mov eax,dword ptr ss:[ebp-8] //second piece "A5B4"; same padding check
003E912F E8 34B7F8FF call PunUnitL.00374868
003E9134 83F8 04 cmp eax,4
003E9137 7D 2F jge short PunUnitL.003E9168
003E9139 8B45 F8 mov eax,dword ptr ss:[ebp-8]
003E913C E8 27B7F8FF call PunUnitL.00374868
003E9141 8BD8 mov ebx,eax
003E9143 83FB 03 cmp ebx,3
003E9146 7F 20 jg short PunUnitL.003E9168
003E9148 8D4D DC lea ecx,dword ptr ss:[ebp-24]
003E914B 8BC3 mov eax,ebx
003E914D C1E0 02 shl eax,2
003E9150 33D2 xor edx,edx
003E9152 E8 1D05F9FF call PunUnitL.00379674
003E9157 8B55 DC mov edx,dword ptr ss:[ebp-24]
003E915A 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003E915D E8 0EB7F8FF call PunUnitL.00374870
003E9162 43 inc ebx
003E9163 83FB 04 cmp ebx,4
003E9166 ^ 75 E0 jnz short PunUnitL.003E9148
003E9168 8D45 D8 lea eax,dword ptr ss:[ebp-28]
003E916B 8B55 0C mov edx,dword ptr ss:[ebp+C] //EDX = fixed string "CM86-R1F8"
003E916E E8 2DB6F8FF call PunUnitL.003747A0
003E9173 8B45 D8 mov eax,dword ptr ss:[ebp-28] //from here on, CM86-R1F8, 1325 and A5B4 are reassembled
003E9176 8D55 F4 lea edx,dword ptr ss:[ebp-C]
003E9179 E8 DE03F9FF call PunUnitL.0037955C
003E917E 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
003E9181 50 push eax
003E9182 B9 04000000 mov ecx,4
003E9187 BA 01000000 mov edx,1
003E918C 8B45 F4 mov eax,dword ptr ss:[ebp-C]
003E918F E8 2CB9F8FF call PunUnitL.00374AC0
003E9194 FF75 D4 push dword ptr ss:[ebp-2C]
003E9197 68 0C923E00 push PunUnitL.003E920C
003E919C FF75 FC push dword ptr ss:[ebp-4]
003E919F 8D45 D0 lea eax,dword ptr ss:[ebp-30]
003E91A2 50 push eax
003E91A3 B9 05000000 mov ecx,5
003E91A8 BA 05000000 mov edx,5
003E91AD 8B45 F4 mov eax,dword ptr ss:[ebp-C]
003E91B0 E8 0BB9F8FF call PunUnitL.00374AC0
003E91B5 FF75 D0 push dword ptr ss:[ebp-30]
003E91B8 68 0C923E00 push PunUnitL.003E920C
003E91BD FF75 F8 push dword ptr ss:[ebp-8]
003E91C0 8D45 EC lea eax,dword ptr ss:[ebp-14]
003E91C3 BA 06000000 mov edx,6
003E91C8 E8 5BB7F8FF call PunUnitL.00374928
003E91CD 8B45 EC mov eax,dword ptr ss:[ebp-14] //eax = "CM86-1325-R1F8-A5B4"
003E91D0 E8 8BB8F8FF call PunUnitL.00374A60
003E91D5 8BD8 mov ebx,eax
003E91D7 33C0 xor eax,eax
003E91D9 5A pop edx
003E91DA 59 pop ecx
003E91DB 59 pop ecx
003E91DC 64:8910 mov dword ptr fs:[eax],edx
003E91DF 68 F9913E00 push PunUnitL.003E91F9
003E91E4 8D45 D0 lea eax,dword ptr ss:[ebp-30]
003E91E7 BA 0C000000 mov edx,0C
003E91EC E8 E3B3F8FF call PunUnitL.003745D4
003E91F1 C3 retn
--------------------------------------------------------------------------------
【Summary】
1. The registration name does not take part in computing the registration code.
2. The code is computed as follows: take the ASCII code (in hex) of each character of the machine code and concatenate them, reverse the result, and split the first 8 characters into two 4-character pieces (call them XXXX and YYYY).
3. Join these with the fixed strings CM86 and R1F8, in the fixed order CM86-XXXX-R1F8-YYYY. Since the expected code is built in the clear and checked with a plain string compare (005E4FD4/005E4FD9), a valid code follows directly from the machine code.
4. Could someone write a keygen for this? Much appreciated (VB or Delphi are fine; preferably not C or C++, thanks).
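A keygen implementing the three steps above, as an added example (not the author's code and not the vendor's): it re-implements PunUnitLib.GetRegPass as read from the listing, with the constant "CM86-R1F8" taken from the caller at 005E4F7C. Only the 8-character case ("5FBCKZR1" -> "CM86-1325-R1F8-A5B4") is confirmed by the author's trace; the padding for machine codes shorter than four characters follows my reading of the loops at 003E90FD and 003E9139 and is an assumption. The check function mirrors the caller's trim-then-compare at 005E4FC9/005E4FD4.

```python
"""Keygen for the registration scheme traced above.

Added example, not the author's or the vendor's code. It re-implements
PunUnitLib.GetRegPass as read from the listing; only the 8-character case
("5FBCKZR1" -> "CM86-1325-R1F8-A5B4") is confirmed by the author's trace.
"""
import sys

# Constant string read from [62552C] by the caller and passed as the 2nd argument.
FIXED = "CM86-R1F8"


def hex_of_chars(machine_code: str) -> str:
    """First loop (003E9069..003E9088): for every byte, append IntToHex(byte, 0).

    '5' (0x35) becomes "35", 'F' (0x46) becomes "46", and so on.
    """
    return "".join(f"{b:X}" for b in machine_code.encode("latin-1"))


def reverse(s: str) -> str:
    """Second loop (003E909D..003E90C2): rebuild the string back to front."""
    return s[::-1]


def pad_piece(piece: str) -> str:
    """Loops at 003E90FD / 003E9139 as I read them (assumption, not confirmed by
    the author's trace): while a piece is shorter than 4 characters, append
    IntToHex(4 * current_length, 0). Never reached for machine codes of 4+ chars.
    """
    n = len(piece)
    while n < 4:
        piece += f"{4 * n:X}"
        n += 1
    return piece


def make_reg_code(machine_code: str, fixed: str = FIXED) -> str:
    """Assemble the code as the six-part concatenation at 003E91C8 does:
    Copy(fixed,1,4) + '-' + XXXX + Copy(fixed,5,5) + '-' + YYYY.
    """
    rev = reverse(hex_of_chars(machine_code))
    xxxx = pad_piece(rev[0:4])   # Copy(rev, 1, 4)
    yyyy = pad_piece(rev[4:8])   # Copy(rev, 5, 4)
    return "".join([fixed[0:4], "-", xxxx, fixed[4:9], "-", yyyy])


def check_reg_code(entered: str, machine_code: str) -> bool:
    """The caller's check (005E4FC9 trim, 005E4FD4 string compare):
    nothing more than a plaintext equality test."""
    entered = entered.strip()
    if not entered:
        return False     # 005E4F54: empty input is rejected before the compare
    return entered == make_reg_code(machine_code)


if __name__ == "__main__":
    # Default input is the author's machine code from the trace.
    code = sys.argv[1] if len(sys.argv) > 1 else "5FBCKZR1"
    print(make_reg_code(code))
```

Run it as `python keygen.py 5FBCKZR1`; the intermediate strings match the values the author noted at 003E907E, 003E90D2 and 003E91CD.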
--------------------------------------------------------------------------------
【Copyright】: This article was originally posted on the 看雪论坛 (Pediy) forum; please credit the author and keep the article intact when reposting, thanks!
27 May 2006, 01:47:08