【Title】: XXXX Hotel Management System (Standalone Standard Edition) 5.7.1 crack
【Author】: csshrb
【Author's e-mail】: csshrb2004@yahoo.com.cn
【Author's homepage】: www.freeoffice.com.cn
【Author's QQ】: 69780955
【Software】: XXXX Hotel Management System
【Size】: 6.21 MB archive
【Download】: search for it yourself
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Protection】: packing
【Language】: Delphi
【Tools】: OllyDbg, ASPackDie unpacker, DeDe, PEiD
【Platform】: Windows
【Software description】: Some "international" hotel management software; there seem to be quite a few versions of it.
【Author's statement】: Just out of interest, no other purpose. Corrections from the experts on anything I got wrong are welcome!
--------------------------------------------------------------------------------
【Detailed process】
1. PEiD shows the file is packed with ASPack 2.12 -> Alexey Solodovnikov, so I unpacked it directly with ASPackDie. The unpacked file runs normally. If it had not, I would have had to unpack it by hand, which I cannot do yet; that is a lesson I still have to learn!
2. Run the software and get familiar with the registration window. There is a trial limit of 50 uses; the registration form takes a user name, a 16-character registration code and an 8-character activation code.
3. In the installation directory there is a file called sn.exe; run it first. It collects hardware information, seven fields labelled A through G, including the network card ID, CPU ID and so on. The software says the encryption is based on this information. Ugh, this looks like it will not be easy to deal with!
4. Load it in DeDe and decompile: there is a registration procedure, so note its address.
5. Load it in OD and set a breakpoint at the address above. Enter the test data:
User name: yonghu
Registration code: AAAA-BBBB-CCCC-DDDD (easy to tell the segments apart while debugging, which is more convenient)
Activation code: EEEE-FFFF
0085B4A4 /. 55 push ebp breaks here; step with F8
0085B4A5 |. 8BEC mov ebp, esp
0085B4A7 |. B9 08000000 mov ecx, 8
0085B4AC |> 6A 00 /push 0
0085B4AE |. 6A 00 |push 0
0085B4B0 |. 49 |dec ecx
0085B4B1 |.^ 75 F9 \jnz short 0085B4AC
0085B4B3 |. 51 push ecx
0085B4B4 |. 53 push ebx
0085B4B5 |. 8BD8 mov ebx, eax
0085B4B7 |. 33C0 xor eax, eax
0085B4B9 |. 55 push ebp
0085B4BA |. 68 AAB68500 push 0085B6AA
0085B4BF |. 64:FF30 push dword ptr fs:[eax]
0085B4C2 |. 64:8920 mov dword ptr fs:[eax], esp
0085B4C5 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0085B4C8 |. E8 BF62E4FF call 006A178C
0085B4CD |. 8B45 F0 mov eax, dword ptr [ebp-10]
0085B4D0 |. 8D55 FC lea edx, dword ptr [ebp-4]
0085B4D3 |. E8 CCE1BAFF call 004096A4
0085B4D8 |. 837D FC 00 cmp dword ptr [ebp-4], 0
0085B4DC |. 75 0F jnz short 0085B4ED
0085B4DE |. 8D55 FC lea edx, dword ptr [ebp-4]
0085B4E1 |. A1 80858900 mov eax, dword ptr [898580]
0085B4E6 |. 8B00 mov eax, dword ptr [eax]
0085B4E8 |. E8 77ECE7FF call 006DA164
0085B4ED |> 8D55 EC lea edx, dword ptr [ebp-14]
0085B4F0 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
0085B4F6 |. E8 E9A4BFFF call 004559E4
0085B4FB |. 8B55 EC mov edx, dword ptr [ebp-14]
0085B4FE |. 8D4D F8 lea ecx, dword ptr [ebp-8]
0085B501 |. 8B45 FC mov eax, dword ptr [ebp-4]
0085B504 |. E8 4B5EE4FF call 006A1354
0085B509 |. 8D55 E8 lea edx, dword ptr [ebp-18]
0085B50C |. 8B83 1C030000 mov eax, dword ptr [ebx+31C]
0085B512 |. E8 CDA4BFFF call 004559E4
0085B517 |. FF75 E8 push dword ptr [ebp-18]
0085B51A |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0085B51D |. 8B83 24030000 mov eax, dword ptr [ebx+324] the test code AAAA appears
0085B523 |. E8 BCA4BFFF call 004559E4 these CALLs are presumably the algorithm
0085B528 |. FF75 E4 push dword ptr [ebp-1C]
0085B52B |. 8D55 E0 lea edx, dword ptr [ebp-20]
0085B52E |. 8B83 28030000 mov eax, dword ptr [ebx+328] the test code BBBB appears
0085B534 |. E8 ABA4BFFF call 004559E4
0085B539 |. FF75 E0 push dword ptr [ebp-20]
0085B53C |. 8D55 DC lea edx, dword ptr [ebp-24]
0085B53F |. 8B83 20030000 mov eax, dword ptr [ebx+320] the test code CCCC appears
0085B545 |. E8 9AA4BFFF call 004559E4
0085B54A |. FF75 DC push dword ptr [ebp-24]
0085B54D |. 8D55 D8 lea edx, dword ptr [ebp-28]
0085B550 |. 8B83 30030000 mov eax, dword ptr [ebx+330] the test code DDDD appears
0085B556 |. E8 89A4BFFF call 004559E4
0085B55B |. FF75 D8 push dword ptr [ebp-28]
0085B55E |. 8D55 D4 lea edx, dword ptr [ebp-2C] the test code EEEE appears
0085B561 |. 8B83 34030000 mov eax, dword ptr [ebx+334]
0085B567 |. E8 78A4BFFF call 004559E4
0085B56C |. FF75 D4 push dword ptr [ebp-2C]
0085B56F |. 8D45 F4 lea eax, dword ptr [ebp-C] the test code FFFF appears
0085B572 |. BA 06000000 mov edx, 6
0085B577 |. E8 2896BAFF call 00404BA4
0085B57C |. 8B45 F8 mov eax, dword ptr [ebp-8]
0085B57F |. 8B55 F4 mov edx, dword ptr [ebp-C] see what shows up here? ha
0085B582 |. E8 A196BAFF call 00404C28 compares the two codes; I did not expect the comparison to be in plaintext, ha. Note it down and enter it.
Run the program again to see what happens: registration succeeded! Simple, right?
0085B587 |. 0F85 C1000000 jnz 0085B64E
0085B58D |. 8D55 D0 lea edx, dword ptr [ebp-30]
0085B590 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
0085B596 |. E8 49A4BFFF call 004559E4
0085B59B |. 8B45 D0 mov eax, dword ptr [ebp-30]
0085B59E |. 50 push eax
0085B59F |. 8D55 C8 lea edx, dword ptr [ebp-38]
0085B5A2 |. A1 E8808900 mov eax, dword ptr [8980E8]
0085B5A7 |. 8B00 mov eax, dword ptr [eax]
0085B5A9 |. E8 16C5C1FF call 00477AC4
0085B5AE |. 8B45 C8 mov eax, dword ptr [ebp-38]
0085B5B1 |. 8D55 CC lea edx, dword ptr [ebp-34]
0085B5B4 |. E8 8FEBBAFF call 0040A148
0085B5B9 |. 8D45 CC lea eax, dword ptr [ebp-34]
0085B5BC |. BA C0B68500 mov edx, 0085B6C0 ; key.ini writes the information to the file
0085B5C1 |. E8 2695BAFF call 00404AEC
0085B5C6 |. 8B45 CC mov eax, dword ptr [ebp-34]
0085B5C9 |. B9 D0B68500 mov ecx, 0085B6D0 ; user
0085B5CE |. BA E0B68500 mov edx, 0085B6E0 ; key
0085B5D3 |. E8 2073E4FF call 006A28F8
0085B5D8 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0085B5DB |. 50 push eax
0085B5DC |. 8D55 C0 lea edx, dword ptr [ebp-40]
0085B5DF |. A1 E8808900 mov eax, dword ptr [8980E8]
0085B5E4 |. 8B00 mov eax, dword ptr [eax]
0085B5E6 |. E8 D9C4C1FF call 00477AC4
0085B5EB |. 8B45 C0 mov eax, dword ptr [ebp-40]
0085B5EE |. 8D55 C4 lea edx, dword ptr [ebp-3C]
0085B5F1 |. E8 52EBBAFF call 0040A148
0085B5F6 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
0085B5F9 |. BA C0B68500 mov edx, 0085B6C0 ; key.ini
0085B5FE |. E8 E994BAFF call 00404AEC
0085B603 |. 8B45 C4 mov eax, dword ptr [ebp-3C]
0085B606 |. B9 E0B68500 mov ecx, 0085B6E0 ; key
0085B60B |. BA E0B68500 mov edx, 0085B6E0 ; key
0085B610 |. E8 E372E4FF call 006A28F8
0085B615 |. A1 CC768900 mov eax, dword ptr [8976CC]
0085B61A |. 8B00 mov eax, dword ptr [eax]
0085B61C |. E8 C378E4FF call 006A2EE4
0085B621 |. 6A 05 push 5
0085B623 |. 8D55 BC lea edx, dword ptr [ebp-44]
0085B626 |. A1 E8808900 mov eax, dword ptr [8980E8]
0085B62B |. 8B00 mov eax, dword ptr [eax]
0085B62D |. E8 92C4C1FF call 00477AC4
0085B632 |. 8B45 BC mov eax, dword ptr [ebp-44]
0085B635 |. E8 A296BAFF call 00404CDC
0085B63A |. 50 push eax ; |CmdLine
0085B63B |. E8 C4BFBAFF call <jmp.&kernel32.WinExec> ; \WinExec
0085B640 |. A1 E8808900 mov eax, dword ptr [8980E8]
0085B645 |. 8B00 mov eax, dword ptr [eax]
0085B647 |. E8 8CBFC1FF call 004775D8
0085B64C |. EB 27 jmp short 0085B675
0085B64E |> A1 00838900 mov eax, dword ptr [898300]
0085B653 |. 8B00 mov eax, dword ptr [eax]
0085B655 |. E8 8A78E4FF call 006A2EE4
0085B65A |. FF83 3C030000 inc dword ptr [ebx+33C]
0085B660 |. 83BB 3C030000>cmp dword ptr [ebx+33C], 3
0085B667 |. 75 0C jnz short 0085B675
0085B669 |. A1 E8808900 mov eax, dword ptr [8980E8]
0085B66E |. 8B00 mov eax, dword ptr [eax]
0085B670 |. E8 63BFC1FF call 004775D8
0085B675 |> 33C0 xor eax, eax
0085B677 |. 5A pop edx
0085B678 |. 59 pop ecx
0085B679 |. 59 pop ecx
0085B67A |. 64:8910 mov dword ptr fs:[eax], edx
0085B67D |. 68 B1B68500 push 0085B6B1
0085B682 |> 8D45 BC lea eax, dword ptr [ebp-44]
0085B685 |. BA 05000000 mov edx, 5
0085B68A |. E8 B191BAFF call 00404840
0085B68F |. 8D45 D0 lea eax, dword ptr [ebp-30]
0085B692 |. BA 08000000 mov edx, 8
0085B697 |. E8 A491BAFF call 00404840
0085B69C |. 8D45 F0 lea eax, dword ptr [ebp-10]
0085B69F |. BA 04000000 mov edx, 4
0085B6A4 |. E8 9791BAFF call 00404840
0085B6A9 \. C3 retn
0085B6AA .^ E9 B58ABAFF jmp 00404164
0085B6AF .^ EB D1 jmp short 0085B682
0085B6B1 . 5B pop ebx
0085B6B2 . 8BE5 mov esp, ebp
0085B6B4 . 5D pop ebp
0085B6B5 . C3 retn
0085B6B6 00 db 00
0085B6B7 00 db 00
0085B6B8 . FFFFFFFF dd FFFFFFFF
0085B6BC . 07000000 dd 00000007
0085B6C0 . 6B 65 79 2E 6>ascii "key.ini",0
0085B6C8 . FFFFFFFF dd FFFFFFFF
0085B6CC . 04000000 dd 00000004
0085B6D0 . 75 73 65 72 0>ascii "user",0
0085B6D5 00 db 00
0085B6D6 00 db 00
0085B6D7 00 db 00
0085B6D8 . FFFFFFFF dd FFFFFFFF
0085B6DC . 03000000 dd 00000003
0085B6E0 . 6B 65 79 00 ascii "key",0
0085B6E4 /. 55 push ebp
0085B6E5 |. 8BEC mov ebp, esp
0085B6E7 |. 6A 00 push 0
0085B6E9 |. 6A 00 push 0
0085B6EB |. 6A 00 push 0
0085B6ED |. 53 push ebx
0085B6EE |. 8BD8 mov ebx, eax
0085B6F0 |. 33C0 xor eax, eax
0085B6F2 |. 55 push ebp
0085B6F3 |. 68 75B78500 push 0085B775
0085B6F8 |. 64:FF30 push dword ptr fs:[eax]
0085B6FB |. 64:8920 mov dword ptr fs:[eax], esp
0085B6FE |. 8BC3 mov eax, ebx
0085B700 |. E8 6BEBE6FF call 006CA270
0085B705 |. 6A 00 push 0
0085B707 |. 8D45 FC lea eax, dword ptr [ebp-4]
0085B70A |. 50 push eax
0085B70B |. 8D55 F4 lea edx, dword ptr [ebp-C]
0085B70E |. A1 E8808900 mov eax, dword ptr [8980E8]
0085B713 |. 8B00 mov eax, dword ptr [eax]
0085B715 |. E8 AAC3C1FF call 00477AC4
0085B71A |. 8B45 F4 mov eax, dword ptr [ebp-C]
0085B71D |. 8D55 F8 lea edx, dword ptr [ebp-8]
0085B720 |. E8 23EABAFF call 0040A148
0085B725 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0085B728 |. BA 8CB78500 mov edx, 0085B78C ; key.ini
0085B72D |. E8 BA93BAFF call 00404AEC
0085B732 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0085B735 |. B9 9CB78500 mov ecx, 0085B79C ; user
0085B73A |. BA ACB78500 mov edx, 0085B7AC ; key
0085B73F |. E8 C86FE4FF call 006A270C
0085B744 |. 8B55 FC mov edx, dword ptr [ebp-4]
0085B747 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
0085B74D |. E8 C2A2BFFF call 00455A14
0085B752 |. 33C0 xor eax, eax
0085B754 |. 8983 3C030000 mov dword ptr [ebx+33C], eax
0085B75A |. 33C0 xor eax, eax
0085B75C |. 5A pop edx
0085B75D |. 59 pop ecx
0085B75E |. 59 pop ecx
0085B75F |. 64:8910 mov dword ptr fs:[eax], edx
0085B762 |. 68 7CB78500 push 0085B77C
0085B767 |> 8D45 F4 lea eax, dword ptr [ebp-C]
0085B76A |. BA 03000000 mov edx, 3
0085B76F |. E8 CC90BAFF call 00404840
0085B774 \. C3 retn return
0085B775 .^ E9 EA89BAFF jmp 00404164
0085B77A .^ EB EB jmp short 0085B767
0085B77C . 5B pop ebx
0085B77D . 8BE5 mov esp, ebp
0085B77F . 5D pop ebp
0085B780 . C3 retn
0085B781 00 db 00
0085B782 00 db 00
0085B783 00 db 00
0085B784 . FFFFFFFF dd FFFFFFFF
0085B788 . 07000000 dd 00000007
0085B78C . 6B 65 79 2E 6>ascii "key.ini",0
0085B794 . FFFFFFFF dd FFFFFFFF
0085B798 . 04000000 dd 00000004
0085B79C . 75 73 65 72 0>ascii "user",0
0085B7A1 00 db 00
0085B7A2 00 db 00
0085B7A3 00 db 00
0085B7A4 . FFFFFFFF dd FFFFFFFF
0085B7A8 . 03000000 dd 00000003
0085B7AC . 6B 65 79 00 ascii "key",0
0085B7B0 /. 55 push ebp
0085B7B1 |. 8BEC mov ebp, esp
0085B7B3 |. 6A 00 push 0
0085B7B5 |. 53 push ebx
0085B7B6 |. 56 push esi
0085B7B7 |. 8BDA mov ebx, edx
0085B7B9 |. 8BF0 mov esi, eax
0085B7BB |. 33C0 xor eax, eax
0085B7BD |. 55 push ebp
0085B7BE |. 68 25B88500 push 0085B825
0085B7C3 |. 64:FF30 push dword ptr fs:[eax]
0085B7C6 |. 64:8920 mov dword ptr fs:[eax], esp
0085B7C9 |. 8BC3 mov eax, ebx
0085B7CB |. 8B15 BCF36B00 mov edx, dword ptr [6BF3BC] ; unpacked.006BF408
0085B7D1 |. E8 8683BAFF call 00403B5C
0085B7D6 |. 84C0 test al, al
0085B7D8 |. 74 35 je short 0085B80F
0085B7DA |. 8BC3 mov eax, ebx
0085B7DC |. 8B15 BCF36B00 mov edx, dword ptr [6BF3BC] ; unpacked.006BF408
0085B7E2 |. E8 9983BAFF call 00403B80
0085B7E7 |. 8D55 FC lea edx, dword ptr [ebp-4]
0085B7EA |. E8 F5A1BFFF call 004559E4
0085B7EF |. 8B45 FC mov eax, dword ptr [ebp-4]
0085B7F2 |. E8 ED92BAFF call 00404AE4
0085B7F7 |. 83F8 03 cmp eax, 3
0085B7FA |. 75 13 jnz short 0085B80F
0085B7FC |. 6A 00 push 0
0085B7FE |. 6A 00 push 0
0085B800 |. 6A 28 push 28
0085B802 |. 8BC6 mov eax, esi
0085B804 |. E8 1F0BC0FF call 0045C328
0085B809 |. 50 push eax ; |hWnd
0085B80A |. E8 C5C6BAFF call <jmp.&user32.PostMessageA> ; \PostMessageA
0085B80F |> 33C0 xor eax, eax
0085B811 |. 5A pop edx
0085B812 |. 59 pop ecx
0085B813 |. 59 pop ecx
0085B814 |. 64:8910 mov dword ptr fs:[eax], edx
0085B817 |. 68 2CB88500 push 0085B82C
0085B81C |> 8D45 FC lea eax, dword ptr [ebp-4]
0085B81F |. E8 F88FBAFF call 0040481C
0085B824 \. C3 retn
0085B825 .^ E9 3A89BAFF jmp 00404164
0085B82A .^ EB F0 jmp short 0085B81C
0085B82C . 5E pop esi
0085B82D . 5B pop ebx
0085B82E . 59 pop ecx
0085B82F . 5D pop ebp
0085B830 . C2 0400 retn 4
0085B833 90 nop
0085B834 . 55 push ebp
0085B835 . 8BEC mov ebp, esp
0085B837 . 33C0 xor eax, eax
0085B839 . 55 push ebp
0085B83A . 68 59B88500 push 0085B859
0085B83F . 64:FF30 push dword ptr fs:[eax]
0085B842 . 64:8920 mov dword ptr fs:[eax], esp
0085B845 . FF05 88CE8900 inc dword ptr [89CE88]
0085B84B . 33C0 xor eax, eax
0085B84D . 5A pop edx
0085B84E . 59 pop ecx
0085B84F . 59 pop ecx
0085B850 . 64:8910 mov dword ptr fs:[eax], edx
0085B853 . 68 60B88500 push 0085B860
0085B858 > C3 retn ; RET used as a jump to 0085B860
0085B859 .^ E9 0689BAFF jmp 00404164
0085B85E .^ EB F8 jmp short 0085B858
0085B860 > 5D pop ebp
0085B861 . C3 retn
0085B862 8BC0 mov eax, eax
0085B864 . 832D 88CE8900>sub dword ptr [89CE88], 1
0085B86B . C3 retn
0085B86C . B8B88500 dd unpacked.0085B8B8
0085B870 00 db 00
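The check at 0085B582 recomputes the valid code from the user name and the hardware data, then compares it with the six concatenated input segments, so the valid code is present in memory at the compare. The following is an added illustration written for this page, not the hotel software's code: the real derivation is unknown and is replaced by a placeholder HMAC, the seven hardware fields are constructed, and the second half shows the design that avoids the leak, where the client holds only a public key and verifies a signature over (user name, hardware fingerprint). Toy key sizes are used so the script runs with the standard library alone.

```python
"""Recompute-and-compare versus public-key verification of a registration
code.  Added example for this page; not the hotel software's own code."""
import hashlib
import hmac

# Constructed sample of the seven sn.exe-style hardware fields A..G.
SAMPLE_HW_FIELDS = {
    "A": "NIC-00-1A-2B-3C-4D-5E", "B": "CPUID-0F6A", "C": "DISK-WD1234",
    "D": "BIOS-07", "E": "MB-ASUS", "F": "OS-WINXP", "G": "RAM-2048",
}


def hardware_fingerprint(fields: dict) -> str:
    """Join the fields in A..G order, as a collector like sn.exe might."""
    return "|".join(fields[k] for k in sorted(fields))


# --- Pattern 1: recompute-and-compare (the pattern seen in the listing) ---
# The derivation secret must be compiled into the client, and the expected
# code is materialised in memory right before the string compare.
_EMBEDDED_SECRET = b"placeholder-secret-compiled-into-client"  # assumption


def expected_code(username: str, hw: str) -> str:
    """Placeholder derivation (HMAC); the real one is unknown.
    Returns 24 chars: 16-char registration code + 8-char activation code."""
    mac = hmac.new(_EMBEDDED_SECRET, f"{username}\0{hw}".encode(),
                   hashlib.sha256).hexdigest().upper()
    return mac[:24]


def check_recompute_and_compare(username: str, hw: str, entered: str) -> bool:
    """Leaky design: `expected` is the valid code and is visible at the compare.
    compare_digest avoids timing leaks but does nothing about that."""
    expected = expected_code(username, hw)
    return hmac.compare_digest(expected, entered)


# --- Pattern 2: client verifies a signature with a public key only ---
# Toy textbook RSA with a ~40-bit modulus keeps this standard-library only.
# It shows the architecture; a real product needs a vetted library,
# 2048-bit or larger keys and a padding scheme such as RSA-PSS.
_P, _Q = 1000003, 999983                 # both prime; toy sizes (assumption)
_N = _P * _Q                             # public modulus, shipped in the client
_E = 65537                               # public exponent, shipped in the client
_D = pow(_E, -1, (_P - 1) * (_Q - 1))    # private exponent: vendor only (Python 3.8+)


def _message_rep(username: str, hw: str) -> int:
    """Hash (user name, fingerprint) into the range 1..N-1."""
    h = hashlib.sha256(f"{username}\0{hw}".encode()).digest()
    return 1 + int.from_bytes(h, "big") % (_N - 1)


def vendor_issue_code(username: str, hw: str) -> int:
    """Runs on the vendor's machine; the only place _D exists."""
    return pow(_message_rep(username, hw), _D, _N)


def client_verify_signed_code(username: str, hw: str, code: int) -> bool:
    """Runs in the client with (_N, _E) only: the client can check a code
    but cannot produce one, so no valid code ever appears in its memory
    unless the user typed it."""
    if not 0 <= code < _N:
        return False
    return pow(code, _E, _N) == _message_rep(username, hw)


if __name__ == "__main__":
    hw = hardware_fingerprint(SAMPLE_HW_FIELDS)
    print("leaky check, wrong code :", check_recompute_and_compare("yonghu", hw, "AAAA-BBBB-CCCC-DDDDEEEE-FFFF"))
    print("leaky check, right code :", check_recompute_and_compare("yonghu", hw, expected_code("yonghu", hw)))
    code = vendor_issue_code("yonghu", hw)
    print("signed check, vendor code:", client_verify_signed_code("yonghu", hw, code))
    print("signed check, tampered  :", client_verify_signed_code("yonghu", hw, code ^ 1))
```

The signature design removes the information leak the post exploits, but not the branch: a client-side check still ends in a conditional jump like the jnz at 0085B587, so it raises the bar from reading a value off the stack to modifying the binary, which is the most any purely local check can do.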
--------------------------------------------------------------------------------
【Lessons learned】
I expected this software to be hard to crack when I saw the network card ID, CPU ID and so on, and was bracing for a tough fight; I even spent the last two days learning some assembly! Who would have thought it would be this simple. When I get the chance I will take a proper look at its algorithm. I have not used the software's actual functions, so I do not know whether this crack is incomplete or whether some functionality is still restricted; I hope an expert who reads this can offer some pointers. I was not sure whether this could go in the software debugging board, so I am posting it in the newbie board first.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
2007年03月27日 16:29:12