【文章标题】: XX旺铺进销存 8.0 算法分析
【文章作者】: mElOdy
【下载地址】: 自己搜索下载
【加壳方式】: N/A
【保护方式】: 启动NAG + 启动弹网站 + 序列号 + 10天试用限制
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD
【操作平台】: 盗版XPsp2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
运行程序后注册得到敏感提示“注册失败,请检查注册号码!”就从这里入手!
OD字符串搜索插件找到以下地点,并设置相应断点:
005B6740 55 push ebp ; registration entry point (reached from the failure string below); the 0x0D test at 005B6756 suggests an OnKeyPress-style handler
005B6741 8BEC mov ebp,esp
005B6743 6A 00 push 0 ; zero-initialise the single string local at [ebp-4]
005B6745 53 push ebx
005B6746 8BD8 mov ebx,eax ; ebx = Self (Delphi register convention: eax/edx/ecx)
005B6748 33C0 xor eax,eax
005B674A 55 push ebp
005B674B 68 ED675B00 push PSale.005B67ED ; try/finally frame, handler at 005B67ED
005B6750 64:FF30 push dword ptr fs:[eax]
005B6753 64:8920 mov dword ptr fs:[eax],esp
005B6756 66:8339 0D cmp word ptr ds:[ecx],0D ; [ecx] = the key parameter; only 0x0D (Enter) goes on
005B675A 75 7B jnz short PSale.005B67D7 ; any other key: leave
005B675C 8D55 FC lea edx,dword ptr ss:[ebp-4]
005B675F 8B83 24030000 mov eax,dword ptr ds:[ebx+324] ; control at Self+324, presumably the serial edit box
005B6765 E8 625FEBFF call PSale.0046C6CC ; [ebp-4] = its text (looks like a GetText helper) -- TODO confirm
005B676A 8B4D FC mov ecx,dword ptr ss:[ebp-4]
005B676D A1 8CC95B00 mov eax,dword ptr ds:[5BC98C]
005B6772 8B00 mov eax,dword ptr ds:[eax] ; global object at [5BC98C] (same one the check routine runs on)
005B6774 BA 04685B00 mov edx,PSale.005B6804 ; "pid" -- the key under which the serial is read back at 005B7FBC
005B6779 E8 52130000 call PSale.005B7AD0 ; store the entered text under "pid" (inferred from the read at 005B7FC3)
005B677E A1 8CC95B00 mov eax,dword ptr ds:[5BC98C]
005B6783 8B00 mov eax,dword ptr ds:[eax]
005B6785 E8 EE170000 call PSale.005B7F78 ; serial check (listed below); returns AL = 1 when accepted
005B678A 84C0 test al,al
005B678C 74 31 je short PSale.005B67BF ; 0 -> failure message
005B678E 6A 00 push 0
005B6790 B9 08685B00 mov ecx,PSale.005B6808 ; caption "提示" = "Notice"
005B6795 BA 10685B00 mov edx,PSale.005B6810 ; text "注册成功!" = "Registration succeeded!"
005B679A A1 3CCB5B00 mov eax,dword ptr ds:[5BCB3C]
005B679F 8B00 mov eax,dword ptr ds:[eax]
005B67A1 E8 726DEDFF call PSale.0048D518 ; message box (same routine as the failure path)
005B67A6 A1 8CC95B00 mov eax,dword ptr ds:[5BC98C]
005B67AB 8B00 mov eax,dword ptr ds:[eax]
005B67AD 8B80 34030000 mov eax,dword ptr ds:[eax+334] ; status control at +334
005B67B3 BA 24685B00 mov edx,PSale.005B6824 ; "已注册" = "Registered"
005B67B8 E8 3F5FEBFF call PSale.0046C6FC ; set that control's text (counterpart of 0046C6CC) -- TODO confirm
005B67BD EB 18 jmp short PSale.005B67D7
005B67BF 6A 00 push 0
005B67C1 B9 08685B00 mov ecx,PSale.005B6808 ; caption "提示" = "Notice"
005B67C6 BA 2C685B00 mov edx,PSale.005B682C ; "注册失败,请检查注册号码!" = "Registration failed, please check the registration number!" (the string searched for)
005B67CB A1 3CCB5B00 mov eax,dword ptr ds:[5BCB3C]
005B67D0 8B00 mov eax,dword ptr ds:[eax]
005B67D2 E8 416DEDFF call PSale.0048D518 ; message box
005B67D7 33C0 xor eax,eax ; finally: unlink the frame
005B67D9 5A pop edx
005B67DA 59 pop ecx
005B67DB 59 pop ecx
005B67DC 64:8910 mov dword ptr fs:[eax],edx
005B67DF 68 F4675B00 push PSale.005B67F4
005B67E4 8D45 FC lea eax,dword ptr ss:[ebp-4]
005B67E7 E8 68DBE4FF call PSale.00404354 ; release the string local (looks like LStrClr)
005B67EC C3 retn ; continues at 005B67F4
005B67ED ^ E9 66D4E4FF jmp PSale.00403C58 ; exception path (presumably HandleFinally)
005B67F2 ^ EB F0 jmp short PSale.005B67E4
005B67F4 5B pop ebx
005B67F5 59 pop ecx
005B67F6 5D pop ebp
005B67F7 C2 0400 retn 4
F9运行,填写注册信息:
机器码:00F27BFB
注册码:99999999999999999
跟进算法CALL:
005B7F78 55 push ebp ; serial check: eax = Self; returns AL ([ebp-1]) = 1 when the serial is accepted
005B7F79 8BEC mov ebp,esp
005B7F7B B9 08000000 mov ecx,8
005B7F80 6A 00 push 0 ; 8 x 2 pushes: zero 16 dwords of locals (string locals must start as nil)
005B7F82 6A 00 push 0
005B7F84 49 dec ecx
005B7F85 ^ 75 F9 jnz short PSale.005B7F80
005B7F87 51 push ecx
005B7F88 53 push ebx
005B7F89 56 push esi
005B7F8A 57 push edi
005B7F8B 8BF8 mov edi,eax ; edi = Self
005B7F8D 33C0 xor eax,eax
005B7F8F 55 push ebp
005B7F90 68 E9815B00 push PSale.005B81E9 ; try/finally frame, handler at 005B81E9
005B7F95 64:FF30 push dword ptr fs:[eax]
005B7F98 64:8920 mov dword ptr fs:[eax],esp
005B7F9B 8B8F 88030000 mov ecx,dword ptr ds:[edi+388] ; second piece of the lookup alphabet ("D4E5F6", judging by the assembled string at 005B800F)
005B7FA1 8B97 84030000 mov edx,dword ptr ds:[edi+384] ; ASCII "0A1B2C3" -- first piece of the lookup alphabet
005B7FA7 8D45 F0 lea eax,dword ptr ss:[ebp-10]
005B7FAA E8 C1C6E4FF call PSale.00404670 ; [ebp-10] = [edi+384] + [edi+388] (looks like a 3-operand string concat)
005B7FAF 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; [ebp-8] receives the machine code (e.g. "00F27BFB"); the earlier "D4E5F6" note here belonged to the alphabet piece above
005B7FB2 8BC7 mov eax,edi
005B7FB4 E8 E3FEFFFF call PSale.005B7E9C ; produce the machine code into [ebp-8] (not followed in this write-up)
005B7FB9 8D4D F4 lea ecx,dword ptr ss:[ebp-C]
005B7FBC BA 04825B00 mov edx,PSale.005B8204 ; "pid"
005B7FC1 8BC7 mov eax,edi
005B7FC3 E8 3CFAFFFF call PSale.005B7A04 ; [ebp-C] = value stored under "pid" at 005B6779, i.e. the entered serial
005B7FC8 837D F4 00 cmp dword ptr ss:[ebp-C],0 ; empty serial?
005B7FCC 75 09 jnz short PSale.005B7FD7
005B7FCE C645 FF 00 mov byte ptr ss:[ebp-1],0 ; result = False
005B7FD2 E9 DA010000 jmp PSale.005B81B1
005B7FD7 8D45 EC lea eax,dword ptr ss:[ebp-14]
005B7FDA E8 75C3E4FF call PSale.00404354 ; [ebp-14] = '' (accumulator for the computed serial)
005B7FDF 8D45 F0 lea eax,dword ptr ss:[ebp-10]
005B7FE2 8B97 8C030000 mov edx,dword ptr ds:[edi+38C] ; third piece of the alphabet ("789")
005B7FE8 E8 3FC6E4FF call PSale.0040462C ; [ebp-10] += [edi+38C] -> "0A1B2C3D4E5F6789" (see 005B800F); the alphabet is stored split in three
005B7FED 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005B7FF0 E8 2FC6E4FF call PSale.00404624 ; ebx = Length(machine code)
005B7FF5 8BD8 mov ebx,eax
005B7FF7 85DB test ebx,ebx
005B7FF9 7E 48 jle short PSale.005B8043 ; nothing to encode
005B7FFB BE 01000000 mov esi,1 ; esi = 1-based character index
005B8000 8D45 E8 lea eax,dword ptr ss:[ebp-18]
005B8003 8B55 F8 mov edx,dword ptr ss:[ebp-8]
005B8006 8A5432 FF mov dl,byte ptr ds:[edx+esi-1] ; dl = machinecode[esi]
005B800A E8 2DC5E4FF call PSale.0040453C ; [ebp-18] = one-character string holding dl
005B800F 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; ASCII "0A1B2C3D4E5F6789" -- the assembled alphabet
005B8012 8B45 E8 mov eax,dword ptr ss:[ebp-18]
005B8015 E8 4EC9E4FF call PSale.00404968 ; eax = 1-based position of the character in the alphabet, 0 when absent (looks like Pos())
005B801A 8945 D8 mov dword ptr ss:[ebp-28],eax
005B801D DB45 D8 fild dword ptr ss:[ebp-28] ; position as a float ...
005B8020 83C4 F4 add esp,-0C
005B8023 DB3C24 fstp tbyte ptr ss:[esp] ; ... passed as an Extended argument
005B8026 9B wait
005B8027 8D55 DC lea edx,dword ptr ss:[ebp-24]
005B802A B8 10825B00 mov eax,PSale.005B8210 ; format "00": two digits, zero-padded
005B802F E8 A82BE5FF call PSale.0040ABDC ; [ebp-24] = FormatFloat('00', position): '0'->"01", 'A'->"02", '1'->"03", ..., '9'->"16"
005B8034 8B55 DC mov edx,dword ptr ss:[ebp-24]
005B8037 8D45 EC lea eax,dword ptr ss:[ebp-14]
005B803A E8 EDC5E4FF call PSale.0040462C ; computed serial += the two digits
005B803F 46 inc esi
005B8040 4B dec ebx
005B8041 ^ 75 BD jnz short PSale.005B8000 ; next character
005B8043 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
005B8046 50 push eax ; result slot for Copy()
005B8047 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005B804A E8 D5C5E4FF call PSale.00404624
005B804F 8BC8 mov ecx,eax
005B8051 03C9 add ecx,ecx ; ecx = 2 * Length(machine code)
005B8053 BA 01000000 mov edx,1
005B8058 8B45 F4 mov eax,dword ptr ss:[ebp-C]
005B805B E8 24C8E4FF call PSale.00404884 ; [ebp-1C] = Copy(serial, 1, 2*len): only this prefix is compared here
005B8060 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; entered prefix: ASCII "9999999999999999" (17 nines typed, 16 kept)
005B8063 8B55 EC mov edx,dword ptr ss:[ebp-14] ; computed serial for machine code 00F27BFB: ASCII "0101120514041204"
005B8066 E8 05C7E4FF call PSale.00404770 ; string compare
005B806B 0F85 3C010000 jnz PSale.005B81AD ; mismatch -> result = False
005B8071 C645 FF 01 mov byte ptr ss:[ebp-1],1 ; result = True (may still be cleared at 005B81A0)
005B8075 8BCF mov ecx,edi
005B8077 B2 01 mov dl,1
005B8079 A1 60DA5000 mov eax,dword ptr ds:[50DA60]
005B807E E8 2D25F6FF call PSale.0051A5B0 ; create a query object (class at [50DA60], dl=1 -> Delphi constructor)
005B8083 8BF8 mov edi,eax ; edi = the query from here on
005B8085 A1 C0CB5B00 mov eax,dword ptr ds:[5BCBC0]
005B808A 8B00 mov eax,dword ptr ds:[eax]
005B808C 8B50 58 mov edx,dword ptr ds:[eax+58]
005B808F 8BC7 mov eax,edi
005B8091 8B08 mov ecx,dword ptr ds:[eax]
005B8093 FF91 6C020000 call dword ptr ds:[ecx+26C] ; virtual: presumably attaches the query to the global connection at [5BCBC0]+58 -- TODO confirm
005B8099 8BC7 mov eax,edi
005B809B E8 9426F6FF call PSale.0051A734 ; presumably returns the SQL strings property (the next call assigns it)
005B80A0 BA 1C825B00 mov edx,PSale.005B821C ; select rtime from b_user where userid='001'
and issys=1 ; (continued) rtime = registration date for the built-in admin user, kept in the application's own database
005B80A5 8B08 mov ecx,dword ptr ds:[eax]
005B80A7 FF51 2C call dword ptr ds:[ecx+2C] ; virtual: SQL.Text := the query above
005B80AA 8BC7 mov eax,edi
005B80AC E8 C3D9F4FF call PSale.00505A74 ; open the query
005B80B1 BA 5C825B00 mov edx,PSale.005B825C ; "rtime"
005B80B6 8BC7 mov eax,edi
005B80B8 E8 BFEAF4FF call PSale.00506B7C ; FieldByName('rtime')
005B80BD 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
005B80C0 8B08 mov ecx,dword ptr ds:[eax]
005B80C2 FF51 60 call dword ptr ds:[ecx+60] ; virtual: [ebp-2C] = field value as a string
005B80C5 837D D4 00 cmp dword ptr ss:[ebp-2C],0 ; rtime already set?
005B80C9 75 36 jnz short PSale.005B8101
005B80CB 8BC7 mov eax,edi
005B80CD E8 6A02F5FF call PSale.0050833C ; not yet: put the dataset into edit mode
005B80D2 E8 FD31E5FF call PSale.0040B2D4 ; current date/time in ST0 (presumably Date/Now)
005B80D7 83C4 F8 add esp,-8
005B80DA DD1C24 fstp qword ptr ss:[esp] ; passed as a Double
005B80DD 9B wait
005B80DE BA 5C825B00 mov edx,PSale.005B825C ; "rtime"
005B80E3 8BC7 mov eax,edi
005B80E5 E8 92EAF4FF call PSale.00506B7C ; FieldByName('rtime')
005B80EA 8B10 mov edx,dword ptr ds:[eax]
005B80EC FF92 A0000000 call dword ptr ds:[edx+A0] ; virtual: rtime := that value
005B80F2 8BC7 mov eax,edi
005B80F4 8B10 mov edx,dword ptr ds:[eax]
005B80F6 FF92 4C020000 call dword ptr ds:[edx+24C] ; virtual: post -- the first registration starts the trial clock
005B80FC E9 A3000000 jmp PSale.005B81A4 ; no further checks on first registration
005B8101 BA 5C825B00 mov edx,PSale.005B825C ; "rtime"
005B8106 8BC7 mov eax,edi
005B8108 E8 6FEAF4FF call PSale.00506B7C ; FieldByName('rtime')
005B810D 8B10 mov edx,dword ptr ds:[eax]
005B810F FF52 50 call dword ptr ds:[edx+50] ; virtual: rtime as a float (TDateTime) in ST0
005B8112 D805 64825B00 fadd dword ptr ds:[5B8264] ; + constant at 5B8264 (trial length in days; the header says 10 -- verify the value)
005B8118 DB7D C8 fstp tbyte ptr ss:[ebp-38] ; [ebp-38] = rtime + trial length
005B811B 9B wait
005B811C E8 DF31E5FF call PSale.0040B300 ; current date/time in ST0
005B8121 DB6D C8 fld tbyte ptr ss:[ebp-38]
005B8124 DED9 fcompp ; compare (rtime + trial length) against now
005B8126 DFE0 fstsw ax
005B8128 9E sahf
005B8129 73 79 jnb short PSale.005B81A4 ; still inside the trial: the prefix check alone is enough
005B812B 33C0 xor eax,eax ; trial expired: the serial must also carry a digit-sum suffix
005B812D 8945 E0 mov dword ptr ss:[ebp-20],eax ; [ebp-20] = running sum
005B8130 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005B8133 E8 ECC4E4FF call PSale.00404624
005B8138 8BD8 mov ebx,eax
005B813A 03DB add ebx,ebx ; ebx = 2 * Length(machine code) = length of the serial prefix
005B813C 85DB test ebx,ebx
005B813E 7E 23 jle short PSale.005B8163
005B8140 BE 01000000 mov esi,1
005B8145 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
005B8148 8B55 F4 mov edx,dword ptr ss:[ebp-C]
005B814B 8A5432 FF mov dl,byte ptr ds:[edx+esi-1] ; dl = serial[esi] (the entered serial, which already matched the computed one)
005B814F E8 E8C3E4FF call PSale.0040453C ; one-character string, as at 005B800A
005B8154 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
005B8157 E8 C812E5FF call PSale.00409424 ; eax = numeric value of that character (looks like StrToInt) -- TODO confirm
005B815C 0145 E0 add dword ptr ss:[ebp-20],eax ; sum += digit
005B815F 46 inc esi
005B8160 4B dec ebx
005B8161 ^ 75 E2 jnz short PSale.005B8145
005B8163 8D55 C0 lea edx,dword ptr ss:[ebp-40]
005B8166 8B45 E0 mov eax,dword ptr ss:[ebp-20]
005B8169 E8 7A11E5FF call PSale.004092E8 ; [ebp-40] = sum as a decimal string (looks like IntToStr; "26" for 0101120514041204)
005B816E 8B45 C0 mov eax,dword ptr ss:[ebp-40]
005B8171 50 push eax ; saved: the expected suffix
005B8172 8D45 BC lea eax,dword ptr ss:[ebp-44]
005B8175 50 push eax ; result slot for Copy()
005B8176 8B45 F4 mov eax,dword ptr ss:[ebp-C]
005B8179 E8 A6C4E4FF call PSale.00404624
005B817E 50 push eax ; Length(serial)
005B817F 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005B8182 E8 9DC4E4FF call PSale.00404624
005B8187 8BD0 mov edx,eax
005B8189 03D2 add edx,edx
005B818B 42 inc edx ; edx = 2*len + 1: first character after the prefix
005B818C 8B45 F4 mov eax,dword ptr ss:[ebp-C]
005B818F 59 pop ecx ; ecx = Length(serial)
005B8190 E8 EFC6E4FF call PSale.00404884 ; [ebp-44] = Copy(serial, 2*len+1, Length(serial)) -- everything after the prefix
005B8195 8B55 BC mov edx,dword ptr ss:[ebp-44]
005B8198 58 pop eax ; eax = expected suffix
005B8199 E8 D2C5E4FF call PSale.00404770 ; string compare: the remainder must equal the digit sum exactly
005B819E 74 04 je short PSale.005B81A4
005B81A0 C645 FF 00 mov byte ptr ss:[ebp-1],0 ; wrong or missing suffix -> result = False
005B81A4 8BC7 mov eax,edi
005B81A6 E8 19B3E4FF call PSale.004034C4 ; free the query (looks like TObject.Free)
005B81AB EB 04 jmp short PSale.005B81B1
005B81AD C645 FF 00 mov byte ptr ss:[ebp-1],0 ; prefix mismatch -> result = False
005B81B1 33C0 xor eax,eax ; finally: unlink the frame and release the string locals
005B81B3 5A pop edx
005B81B4 59 pop ecx
005B81B5 59 pop ecx
005B81B6 64:8910 mov dword ptr fs:[eax],edx
005B81B9 68 F0815B00 push PSale.005B81F0
005B81BE 8D45 BC lea eax,dword ptr ss:[ebp-44]
005B81C1 BA 03000000 mov edx,3
005B81C6 E8 ADC1E4FF call PSale.00404378 ; release 3 strings starting at [ebp-44]
005B81CB 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
005B81CE E8 81C1E4FF call PSale.00404354
005B81D3 8D45 DC lea eax,dword ptr ss:[ebp-24]
005B81D6 E8 79C1E4FF call PSale.00404354
005B81DB 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
005B81DE BA 06000000 mov edx,6
005B81E3 E8 90C1E4FF call PSale.00404378 ; release 6 strings starting at [ebp-1C]
005B81E8 C3 retn ; continues at 005B81F0
005B81E9 ^ E9 6ABAE4FF jmp PSale.00403C58 ; exception path
005B81EE ^ EB CE jmp short PSale.005B81BE
005B81F0 8A45 FF mov al,byte ptr ss:[ebp-1] ; return value
005B81F3 5F pop edi
005B81F4 5E pop esi
005B81F5 5B pop ebx
005B81F6 8BE5 mov esp,ebp
005B81F8 5D pop ebp
005B81F9 C3 retn
粗略比较一下就能看出,这里其实并没有异或运算,只是纯粹的查表:程序把机器码的每个字符在字符串 "0A1B2C3D4E5F6789"(由 edi+384、edi+388、edi+38C 三段拼接而成)中的位置(从 1 起,找不到为 0)用 "00" 格式化成两位数字,依次拼接后与注册码的前 2*Length(机器码) 位比较——例如 00F27BFB 对应 0101120514041204。还要注意 005B8071 之后的分支:首次注册时程序把当前日期写入自己数据库表 b_user 的 rtime 字段;此后若当前时间已超过 rtime 加上 5B8264 处的常数(应该就是 10 天试用期),程序还会把注册码前 2*Length 位的各个数字相加,并要求注册码余下的部分恰好等于这个和的十进制字符串(上例应为 26)。所以试用期过后,注册码必须写成"查表结果 + 数字和",注册机也要把这一段补上。
注册机如下:
============ 以下程序在盗版XPsp2、VC++6.0下编译测试通过 ============
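// Keygen for the serial check at 005B7F78 (see the listing above).
//
// The target turns the hex machine code into the serial one character at a
// time: the character's 1-based position in "0A1B2C3D4E5F6789" is formatted
// with "00" (two digits), so "00F27BFB" -> "0101120514041204".  The table
// below is that mapping pre-computed in "0123456789ABCDEF" order.
//
// Once the trial period recorded in b_user.rtime has passed, the target also
// checks the rest of the serial (005B812B..005B819E): it sums the decimal
// digits of the first 2*len(machine code) serial characters and requires the
// remainder of the serial to equal that sum as a decimal string ("26" for the
// example above).  While the trial is still running only the first 2*len
// characters are compared, so the suffix is harmless there and is always
// appended here.  That reading of the expired-trial branch identifies the
// Delphi RTL helpers (StrToInt/IntToStr) from their call shape only -- confirm
// against the binary.
//
// Other changes vs. the original keygen: the input is upper-cased first (a
// hand-typed "00f27bfb" no longer yields a wrong serial), and a character that
// is not a hex digit maps to "00" (Pos() returning 0 in the target) instead of
// reading the table at index -2.
void Ckeygen::OnChangeText1()
{
    // Keygen by mElOdy
    const CString alphabet = "0123456789ABCDEF";
    // Two-digit code for each alphabet position:
    // '0'->01, '1'->03, ..., '9'->16, 'A'->02, 'B'->04, ..., 'F'->12.
    const CString table = "01030507091113141516020406081012";

    CString machineCode = Text(m_Text1);
    machineCode.MakeUpper();
    // The machine code shown by the target is 8 hex characters; anything
    // beyond that would only lengthen the serial the target expects.
    if (machineCode.GetLength() > 8) {
        machineCode = machineCode.Left(8);
    }

    CString serial;
    int digitSum = 0;
    for (int i = 0; i < machineCode.GetLength(); ++i) {
        int pos = alphabet.Find(machineCode[i]);
        CString pair = (pos < 0) ? CString("00") : table.Mid(2 * pos, 2);
        serial += pair;
        // Running digit sum of the serial prefix, for the expired-trial suffix.
        digitSum += (pair[0] - '0') + (pair[1] - '0');
    }

    if (!serial.IsEmpty()) {
        CString suffix;
        suffix.Format("%d", digitSum);
        serial += suffix;
    }

    m_Text2.SetWindowText(serial);
}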