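【Title】: Cracking 纵横工资管理系统 2006.8.1
【Author】: KAN-LI
【Author Email】: TOM8147@HOTMAIL.COM
【Software Name】: 纵横工资管理系统 (Zongheng Payroll Management System) 2006.8.1
【Software Size】: check the file properties yourself
【Download URL】: http://www.onlinedown.net/soft/7281.htm
【Packer】: ASPack 2.12
【Language】: Borland Delphi 4.0 - 5.0
【Tools Used】: OD PEID
【Platform】: WINXP SP2
【Author's Statement】: Just out of interest, no other purpose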
--------------------------------------------------------------------------------
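【Detailed Process】
Today I downloaded this software again and analyzed it. This is the latest version. Apart from the algorithm being really long, cracking it is easy, so I am posting it for beginners (newbies like me) to learn from together.
Load it in OD, manually unpack the ASPack shell, run the program (F9), find the registration dialog and enter an arbitrary user name and registration code (12 digits)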
lgjxj
123456789012
Then break with the universal breakpoint, press ALT+F9 to return, and step with F8 many times until reaching the following
0091111B . E8 70F3FFFF CALL ZHYW_u.00910490 ; key CALL
00911120 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00911123 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
―――――――――――――――――――――――――――――――――――――――――――――――――――
Step in with F7 at 0091111B and arrive at the following
00910490 /$ 55 PUSH EBP
00910491 |. 8BEC MOV EBP,ESP
00910493 |. 83C4 E4 ADD ESP,-1C
00910496 |. 53 PUSH EBX
00910497 |. 56 PUSH ESI
00910498 |. 57 PUSH EDI
00910499 |. 33DB XOR EBX,EBX
0091049B |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0091049E |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
009104A1 |. 895D EC MOV DWORD PTR SS:[EBP-14],EBX
009104A4 |. 8BF9 MOV EDI,ECX
009104A6 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
009104A9 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; machine code
009104AC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
009104AF |. E8 3C46AFFF CALL ZHYW_u.00404AF0
009104B4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
009104B7 |. E8 3446AFFF CALL ZHYW_u.00404AF0
009104BC |. 33C0 XOR EAX,EAX
009104BE |. 55 PUSH EBP
009104BF |. 68 62059100 PUSH ZHYW_u.00910562
009104C4 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
009104C7 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
009104CA |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
009104CD |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
009104D0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
009104D3 |. E8 D4FDFFFF CALL ZHYW_u.009102AC ; key CALL, generates the registration code
009104D8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
009104DB |. E8 C041AFFF CALL ZHYW_u.004046A0
009104E0 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
009104E3 |. E8 5444AFFF CALL ZHYW_u.0040493C
009104E8 |. 8BD8 MOV EBX,EAX
009104EA |. 4B DEC EBX
009104EB |. 85DB TEST EBX,EBX
009104ED |. 7C 4E JL SHORT ZHYW_u.0091053D
009104EF |. 43 INC EBX
009104F0 |. 33F6 XOR ESI,ESI
009104F2 |> 8D45 EC /LEA EAX,DWORD PTR SS:[EBP-14] ; this loop does not compute the registration code; it is used to extract it
009104F5 |. 50 |PUSH EAX ; /Arg1
009104F6 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] ; |
009104F9 |. 0FB60430 |MOVZX EAX,BYTE PTR DS:[EAX+ESI] ; |
009104FD |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX ; |
00910500 |. C645 E8 00 |MOV BYTE PTR SS:[EBP-18],0 ; |
00910504 |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C] ; |
00910507 |. 33C9 |XOR ECX,ECX ; |
00910509 |. B8 78059100 |MOV EAX,ZHYW_u.00910578 ; |ASCII "%x"
0091050E |. E8 55E1AFFF |CALL ZHYW_u.0040E668 ; \ZHYW_u.0040E668
00910513 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
00910516 |. E8 2144AFFF |CALL ZHYW_u.0040493C
0091051B |. 48 |DEC EAX
0091051C |. 75 10 |JNZ SHORT ZHYW_u.0091052E
0091051E |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
00910521 |. 8B4D EC |MOV ECX,DWORD PTR SS:[EBP-14]
00910524 |. BA 84059100 |MOV EDX,ZHYW_u.00910584
00910529 |. E8 5A44AFFF |CALL ZHYW_u.00404988
0091052E |> 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
00910531 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
00910534 |. E8 0B44AFFF |CALL ZHYW_u.00404944
00910539 |. 46 |INC ESI
0091053A |. 4B |DEC EBX
0091053B |.^ 75 B5 \JNZ SHORT ZHYW_u.009104F2
0091053D |> 8BC7 MOV EAX,EDI
――――――――――――――――――――――――――――――――――――――――――――――――――――――――
Step in with F7 at 009104D3; after skipping a lot of code, arrive at the following
0091034A |. E8 F545AFFF |CALL ZHYW_u.00404944
0091034F |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; machine code into EAX
00910352 |. E8 E545AFFF |CALL ZHYW_u.0040493C
00910357 |. 25 07000080 |AND EAX,80000007
0091035C |. 79 05 |JNS SHORT ZHYW_u.00910363
0091035E |. 48 |DEC EAX
0091035F |. 83C8 F8 |OR EAX,FFFFFFF8
00910362 |. 40 |INC EAX
00910363 |> 85C0 |TEST EAX,EAX
00910365 |.^ 75 DB \JNZ SHORT ZHYW_u.00910342
00910367 |. 33DB XOR EBX,EBX
00910369 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0091036C |> 8B55 F8 /MOV EDX,DWORD PTR SS:[EBP-8]
0091036F |. 8A141A |MOV DL,BYTE PTR DS:[EDX+EBX]
00910372 |. 8810 |MOV BYTE PTR DS:[EAX],DL
00910374 |. 43 |INC EBX
00910375 |. 40 |INC EAX
00910376 |. 83FB 08 |CMP EBX,8
00910379 |.^ 75 F1 \JNZ SHORT ZHYW_u.0091036C
0091037B |. 6A 0F PUSH 0F ; /Arg1 = 0000000F
0091037D |. B9 685E9500 MOV ECX,ZHYW_u.00955E68 ; |
00910382 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; |
00910385 |. BA 07000000 MOV EDX,7 ; |
0091038A |. E8 EDFAFFFF CALL ZHYW_u.0090FE7C ; \ZHYW_u.0090FE7C
0091038F |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00910392 |. E8 0943AFFF CALL ZHYW_u.004046A0
00910397 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0091039A |. E8 9D45AFFF CALL ZHYW_u.0040493C
0091039F |. 85C0 TEST EAX,EAX
009103A1 |. 79 03 JNS SHORT ZHYW_u.009103A6
009103A3 |. 83C0 07 ADD EAX,7
009103A6 |> C1F8 03 SAR EAX,3
009103A9 |. 48 DEC EAX
009103AA |. 85C0 TEST EAX,EAX
009103AC |. 7C 65 JL SHORT ZHYW_u.00910413
009103AE |. 40 INC EAX
009103AF |. 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
009103B2 |. C745 D4 00000>MOV DWORD PTR SS:[EBP-2C],0
009103B9 |> 33DB /XOR EBX,EBX
009103BB |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
009103BE |> 8B55 D4 |/MOV EDX,DWORD PTR SS:[EBP-2C]
009103C1 |. C1E2 03 ||SHL EDX,3
009103C4 |. 03D3 ||ADD EDX,EBX
009103C6 |. 8B4D FC ||MOV ECX,DWORD PTR SS:[EBP-4]
009103C9 |. 8A1411 ||MOV DL,BYTE PTR DS:[ECX+EDX]
009103CC |. 8810 ||MOV BYTE PTR DS:[EAX],DL
009103CE |. 43 ||INC EBX
009103CF |. 40 ||INC EAX
009103D0 |. 83FB 08 ||CMP EBX,8
009103D3 |.^ 75 E9 |\JNZ SHORT ZHYW_u.009103BE
009103D5 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
009103D8 |. 50 |PUSH EAX ; /Arg2
009103D9 |. 6A 07 |PUSH 7 ; |Arg1 = 00000007
009103DB |. 8D55 EC |LEA EDX,DWORD PTR SS:[EBP-14] ; |
009103DE |. B9 07000000 |MOV ECX,7 ; |
009103E3 |. 33C0 |XOR EAX,EAX ; |
009103E5 |. E8 EAFCFFFF |CALL ZHYW_u.009100D4 ; \the algorithm is carried out here
――――――――――――――――――――――――――――――――――――――――――――――――――
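Step in with F7 at 009103E5 and arrive at the following. The author of this CALL really wore me out with such a long stretch of algorithm. Painful.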
009100D4 /$ 55 PUSH EBP
009100D5 |. 8BEC MOV EBP,ESP
009100D7 |. 83C4 E8 ADD ESP,-18
009100DA |. 53 PUSH EBX
009100DB |. 56 PUSH ESI
009100DC |. 57 PUSH EDI
009100DD |. 8BD9 MOV EBX,ECX
009100DF |. 85DB TEST EBX,EBX
009100E1 |. 78 0A JS SHORT ZHYW_u.009100ED
009100E3 |. C1EB 02 SHR EBX,2
009100E6 |> 8B349A /MOV ESI,DWORD PTR DS:[EDX+EBX*4] ; the algorithm starts here
009100E9 |. 4B |DEC EBX
009100EA |. 56 |PUSH ESI
009100EB |.^ 79 F9 \JNS SHORT ZHYW_u.009100E6
009100ED |> 8BD4 MOV EDX,ESP
009100EF |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
009100F2 |. 8BD8 MOV EBX,EAX
009100F4 |. C745 F8 08000>MOV DWORD PTR SS:[EBP-8],8
009100FB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
009100FE |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00910101 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
00910103 |. 8811 |MOV BYTE PTR DS:[ECX],DL
00910105 |. 41 |INC ECX
00910106 |. 40 |INC EAX
00910107 |. FF4D F8 |DEC DWORD PTR SS:[EBP-8]
0091010A |.^ 75 F5 \JNZ SHORT ZHYW_u.00910101
0091010C |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0091010F |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00910112 |. E8 81F9FFFF CALL ZHYW_u.0090FA98 ; this CALL processes the result computed above once more
00910117 |. 84DB TEST BL,BL
00910119 |. 0F85 B5000000 JNZ ZHYW_u.009101D4
0091011F |. C745 F8 10000>MOV DWORD PTR SS:[EBP-8],10
00910126 |. C745 EC 685E9>MOV DWORD PTR SS:[EBP-14],ZHYW_u.00955E6>
0091012D |> B8 04000000 /MOV EAX,4 ; second stage starts
00910132 |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
00910135 |. 8D75 F4 |LEA ESI,DWORD PTR SS:[EBP-C]
00910138 |> 8A0A |/MOV CL,BYTE PTR DS:[EDX]
0091013A |. 880E ||MOV BYTE PTR DS:[ESI],CL
0091013C |. 46 ||INC ESI
0091013D |. 42 ||INC EDX
0091013E |. 48 ||DEC EAX
0091013F |.^ 75 F7 |\JNZ SHORT ZHYW_u.00910138
00910141 |. B8 04000000 |MOV EAX,4
00910146 |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
00910149 |. 83C2 04 |ADD EDX,4
0091014C |> 8A0A |/MOV CL,BYTE PTR DS:[EDX]
0091014E |. 884A FC ||MOV BYTE PTR DS:[EDX-4],CL
00910151 |. 42 ||INC EDX
00910152 |. 48 ||DEC EAX
00910153 |.^ 75 F7 |\JNZ SHORT ZHYW_u.0091014C
00910155 |. 6A 05 |PUSH 5 ; /Arg3 = 00000005
00910157 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10] ; |
0091015A |. 50 |PUSH EAX ; |Arg2
0091015B |. 6A 03 |PUSH 3 ; |Arg1 = 00000003
0091015D |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14] ; |
00910160 |. 8BC8 |MOV ECX,EAX ; |
00910162 |. 8B45 0C |MOV EAX,DWORD PTR SS:[EBP+C] ; |
00910165 |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8] ; |
00910168 |. E8 3FFEFFFF |CALL ZHYW_u.0090FFAC ; \ZHYW_u.0090FFAC
0091016D |. B8 04000000 |MOV EAX,4
00910172 |. 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C]
00910175 |. 8D75 F0 |LEA ESI,DWORD PTR SS:[EBP-10]
00910178 |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]
0091017B |. 83C1 04 |ADD ECX,4
0091017E |> 8A1A |/MOV BL,BYTE PTR DS:[EDX]
00910180 |. 321E ||XOR BL,BYTE PTR DS:[ESI]
00910182 |. 8819 ||MOV BYTE PTR DS:[ECX],BL
00910184 |. 41 ||INC ECX
00910185 |. 46 ||INC ESI
00910186 |. 42 ||INC EDX
00910187 |. 48 ||DEC EAX
00910188 |.^ 75 F4 |\JNZ SHORT ZHYW_u.0091017E
0091018A |. 8345 EC 06 |ADD DWORD PTR SS:[EBP-14],6
0091018E |. FF4D F8 |DEC DWORD PTR SS:[EBP-8]
00910191 |.^ 75 9A \JNZ SHORT ZHYW_u.0091012D ; jump back; this loops more than ten times, isn't that a killer
00910193 |. B8 04000000 MOV EAX,4
00910198 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0091019B |. 83C2 04 ADD EDX,4
0091019E |. 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
009101A1 |> 8A1A /MOV BL,BYTE PTR DS:[EDX]
009101A3 |. 8819 |MOV BYTE PTR DS:[ECX],BL
009101A5 |. 41 |INC ECX
009101A6 |. 42 |INC EDX
009101A7 |. 48 |DEC EAX
009101A8 |.^ 75 F7 \JNZ SHORT ZHYW_u.009101A1
009101AA |. B8 04000000 MOV EAX,4
009101AF |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
009101B2 |> 8A0A /MOV CL,BYTE PTR DS:[EDX]
009101B4 |. 884A 04 |MOV BYTE PTR DS:[EDX+4],CL
009101B7 |. 42 |INC EDX
009101B8 |. 48 |DEC EAX
009101B9 |.^ 75 F7 \JNZ SHORT ZHYW_u.009101B2
009101BB |. B8 04000000 MOV EAX,4
009101C0 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
009101C3 |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
009101C6 |> 8A1A /MOV BL,BYTE PTR DS:[EDX]
009101C8 |. 8819 |MOV BYTE PTR DS:[ECX],BL
009101CA |. 41 |INC ECX
009101CB |. 42 |INC EDX
009101CC |. 48 |DEC EAX
009101CD |.^ 75 F7 \JNZ SHORT ZHYW_u.009101C6
009101CF |. E9 BB000000 JMP ZHYW_u.0091028F
009101D4 |> 80FB 01 CMP BL,1
009101D7 |. 0F85 B2000000 JNZ ZHYW_u.0091028F
009101DD |. C745 F8 F0FFF>MOV DWORD PTR SS:[EBP-8],-10
009101E4 |. BB C25E9500 MOV EBX,ZHYW_u.00955EC2
009101E9 |> B8 04000000 /MOV EAX,4
009101EE |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
009101F1 |. 8D75 F4 |LEA ESI,DWORD PTR SS:[EBP-C]
009101F4 |> 8A0A |/MOV CL,BYTE PTR DS:[EDX]
009101F6 |. 880E ||MOV BYTE PTR DS:[ESI],CL
009101F8 |. 46 ||INC ESI
009101F9 |. 42 ||INC EDX
009101FA |. 48 ||DEC EAX
009101FB |.^ 75 F7 |\JNZ SHORT ZHYW_u.009101F4
009101FD |. B8 04000000 |MOV EAX,4
00910202 |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C]
00910205 |. 83C2 04 |ADD EDX,4
00910208 |> 8A0A |/MOV CL,BYTE PTR DS:[EDX]
0091020A |. 884A FC ||MOV BYTE PTR DS:[EDX-4],CL
0091020D |. 42 ||INC EDX
0091020E |. 48 ||DEC EAX
0091020F |.^ 75 F7 |\JNZ SHORT ZHYW_u.00910208
00910211 |. 6A 05 |PUSH 5 ; /Arg3 = 00000005
00910213 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10] ; |
00910216 |. 50 |PUSH EAX ; |Arg2
00910217 |. 6A 03 |PUSH 3 ; |Arg1 = 00000003
00910219 |. 8BCB |MOV ECX,EBX ; |
0091021B |. 8B45 0C |MOV EAX,DWORD PTR SS:[EBP+C] ; |
0091021E |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8] ; |
00910221 |. E8 86FDFFFF |CALL ZHYW_u.0090FFAC ; \ZHYW_u.0090FFAC
00910226 |. B8 04000000 |MOV EAX,4
0091022B |. 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C]
0091022E |. 8D75 F0 |LEA ESI,DWORD PTR SS:[EBP-10]
00910231 |. 8B4D 0C |MOV ECX,DWORD PTR SS:[EBP+C]
00910234 |. 83C1 04 |ADD ECX,4
00910237 |. 894D E8 |MOV DWORD PTR SS:[EBP-18],ECX
0091023A |> 8A0A |/MOV CL,BYTE PTR DS:[EDX]
0091023C |. 320E ||XOR CL,BYTE PTR DS:[ESI]
0091023E |. 8B7D E8 ||MOV EDI,DWORD PTR SS:[EBP-18]
00910241 |. 880F ||MOV BYTE PTR DS:[EDI],CL
00910243 |. FF45 E8 ||INC DWORD PTR SS:[EBP-18]
00910246 |. 46 ||INC ESI
00910247 |. 42 ||INC EDX
00910248 |. 48 ||DEC EAX
00910249 |.^ 75 EF |\JNZ SHORT ZHYW_u.0091023A
0091024B |. 83EB 06 |SUB EBX,6
0091024E |. FF45 F8 |INC DWORD PTR SS:[EBP-8]
00910251 |.^ 75 96 \JNZ SHORT ZHYW_u.009101E9
00910253 |. B8 04000000 MOV EAX,4
00910258 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0091025B |. 83C2 04 ADD EDX,4
0091025E |. 8D5D F4 LEA EBX,DWORD PTR SS:[EBP-C]
00910261 |> 8A0A /MOV CL,BYTE PTR DS:[EDX]
00910263 |. 880B |MOV BYTE PTR DS:[EBX],CL
00910265 |. 43 |INC EBX
00910266 |. 42 |INC EDX
00910267 |. 48 |DEC EAX
00910268 |.^ 75 F7 \JNZ SHORT ZHYW_u.00910261
0091026A |. B8 04000000 MOV EAX,4
0091026F |. 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
00910272 |> 8A13 /MOV DL,BYTE PTR DS:[EBX]
00910274 |. 8853 04 |MOV BYTE PTR DS:[EBX+4],DL
00910277 |. 43 |INC EBX
00910278 |. 48 |DEC EAX
00910279 |.^ 75 F7 \JNZ SHORT ZHYW_u.00910272
0091027B |. B8 04000000 MOV EAX,4
00910280 |. 8D5D F4 LEA EBX,DWORD PTR SS:[EBP-C]
00910283 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00910286 |> 8A0B /MOV CL,BYTE PTR DS:[EBX]
00910288 |. 880A |MOV BYTE PTR DS:[EDX],CL
0091028A |. 42 |INC EDX
0091028B |. 43 |INC EBX
0091028C |. 48 |DEC EAX
0091028D |.^ 75 F7 \JNZ SHORT ZHYW_u.00910286
0091028F |> 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00910292 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00910295 |. E8 82F8FFFF CALL ZHYW_u.0090FB1C ; this CALL is where the final computation actually happens
0091029A |. 8B7D DC MOV EDI,DWORD PTR SS:[EBP-24]
0091029D |. 8B75 E0 MOV ESI,DWORD PTR SS:[EBP-20]
009102A0 |. 8B5D E4 MOV EBX,DWORD PTR SS:[EBP-1C]
009102A3 |. 8BE5 MOV ESP,EBP
009102A5 |. 5D POP EBP
009102A6 \. C2 0800 RETN 8
; almost everything above is computation, with so many loops; software like this, help
―――――――――――――――――――――――――――――――――――――――――――――――――――――
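Step in with F7 at 00910295; after passing through layer after layer of machinery, finally got to the right place
0090FB2D |. E8 8638AFFF CALL ZHYW_u.004033B8 ; this CALL zeroes the specified memory region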
0090FB32 |. 33D2 XOR EDX,EDX
0090FB34 |. B8 A00A9500 MOV EAX,ZHYW_u.00950AA0
0090FB39 |> 8A18 /MOV BL,BYTE PTR DS:[EAX] ; the registration code is produced by this loop
0090FB3B |. 8BCB |MOV ECX,EBX
0090FB3D |. 80E1 07 |AND CL,7
0090FB40 |. 81E1 FF000000 |AND ECX,0FF
0090FB46 |. 51 |PUSH ECX
0090FB47 |. B9 07000000 |MOV ECX,7
0090FB4C |. 5F |POP EDI
0090FB4D |. 2BCF |SUB ECX,EDI
0090FB4F |. BF 01000000 |MOV EDI,1
0090FB54 |. D3E7 |SHL EDI,CL
0090FB56 |. 33C9 |XOR ECX,ECX
0090FB58 |. 8ACB |MOV CL,BL
0090FB5A |. C1E9 03 |SHR ECX,3
0090FB5D |. 0FB60C0E |MOVZX ECX,BYTE PTR DS:[ESI+ECX]
0090FB61 |. 23F9 |AND EDI,ECX
0090FB63 |. 74 1A |JE SHORT ZHYW_u.0090FB7F
0090FB65 |. 8BCA |MOV ECX,EDX
0090FB67 |. 83E1 07 |AND ECX,7
0090FB6A |. 51 |PUSH ECX
0090FB6B |. B9 07000000 |MOV ECX,7
0090FB70 |. 5B |POP EBX
0090FB71 |. 2BCB |SUB ECX,EBX
0090FB73 |. B3 01 |MOV BL,1
0090FB75 |. D2E3 |SHL BL,CL
0090FB77 |. 8BCA |MOV ECX,EDX
0090FB79 |. C1E9 03 |SHR ECX,3
0090FB7C |. 081C0C |OR BYTE PTR SS:[ESP+ECX],BL
0090FB7F |> 42 |INC EDX
0090FB80 |. 40 |INC EAX
0090FB81 |. 83FA 40 |CMP EDX,40 ; loops 64 times in total, dizzying
0090FB84 |.^ 75 B3 \JNZ SHORT ZHYW_u.0090FB39 ; jump back
;
0090FB86 |. BA 08000000 MOV EDX,8
0090FB8B |. 8BC4 MOV EAX,ESP
0090FB8D |. 8BCE MOV ECX,ESI
0090FB8F |> 8A18 /MOV BL,BYTE PTR DS:[EAX] ; this loop copies the result into the specified memory
0090FB91 |. 8819 |MOV BYTE PTR DS:[ECX],BL
0090FB93 |. 41 |INC ECX
0090FB94 |. 40 |INC EAX
0090FB95 |. 4A |DEC EDX
0090FB96 |.^ 75 F7 \JNZ SHORT ZHYW_u.0090FB8F
--------------------------------------------------------------------------------
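【Lessons Learned】
1: The algorithm has nothing to do with the user name; it only looks at the machine code
2: First, CALL 009103E5 computes the first step and the result is saved (the computation here is long ..........)
3: Enter CALL 00910295, which takes the result above as a parameter and operates on it (loops 64 times, dizzying), producing the final registration code
4: After 2 steps of computation (tough luck), it is really too long and there was nothing I could do; crack write-ups are really hard to write these days (because I am a newbie)
In-memory keygen:
Breakpoint address: 910542
Break count: 1
First byte: E8
Instruction length: 5
Memory mode: register EDX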
--------------------------------------------------------------------------------
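【Copyright Notice】: This article was originally published on the 看雪 (Kanxue) technical forum. When reposting, please credit the author and keep the article intact. Thanks!
2006-08-18 18:44:38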