[PYG] Introduction to Algorithm Analysis, Lesson 8
【Title】Introduction to Algorithm Analysis, Lesson 8【Author】飘云 (Piaoyun)
【Author's homepage】https://www.chinapyg.com
【Platform】winxp
【Tools】PEiD 0.93, w32dasm, OD (二哥 modified build)
【Author's e-mail】[email protected]
【Software】易用会员管理软件 (Yiyong Member Management Software) 1.50
【Size】3876KB
【Original download】http://www.onlinedown.net/soft/26837.htm
【Description】Yiyong Member Management System is a powerful member management package that tightly integrates member purchases, basic member information and all kinds of queries and statistics. It is simple to operate, has a clean and attractive interface, and meets the needs of membership management, member card management, member points management and member purchase management in industries such as retail, catering, beauty and services. Scientific management methods bring you unlimited returns; Yiyong Member Management Software (member card management software) is your wise choice.
【Analysis】First a PEiD scan: no packer, written in Borland Delphi 6.0 - 7.0.
Use w32dasm to find the key spot:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006058AC(C) ★★ this is the key jump ★★
|
:0060598D 6A40 push 00000040
* Possible StringData Ref from Code Obj ->"软件注册"
|
:0060598F 68205A6000 push 00605A20
* Possible StringData Ref from Code Obj ->"注册失败,请检查您的注册名和注册码!"
************************************************************
Load the original program in OD and enter the following:
User name: piaoyun
Registration code: 789456123
We land here:
00605896 .55 push ebp
00605897 .68 D5596000 push Member.006059D5
0060589C .64:FF30 push dword ptr fs:[eax]
0060589F .64:8920 mov dword ptr fs:[eax],esp
006058A2 .8B45 FC mov eax,dword ptr ss:[ebp-4]
006058A5 .E8 AE020000 call Member.00605B58 ★ algorithm call1, step in ★
006058AA .84C0 test al,al ; return value 0 means game over!
006058AC .0F84 DB000000 je Member.0060598D
************************************************************
Now into algorithm call1:
00605B58 /$55 push ebp
00605B59 |.8BEC mov ebp,esp
00605B5B |.33C9 xor ecx,ecx
00605B5D |.51 push ecx
00605B5E |.51 push ecx
00605B5F |.51 push ecx
00605B60 |.51 push ecx
00605B61 |.51 push ecx
00605B62 |.53 push ebx
00605B63 |.56 push esi
00605B64 |.8BF0 mov esi,eax
00605B66 |.33C0 xor eax,eax
00605B68 |.55 push ebp
00605B69 |.68 135C6000 push Member.00605C13
00605B6E |.64:FF30 push dword ptr fs:[eax]
00605B71 |.64:8920 mov dword ptr fs:[eax],esp
00605B74 |.8D55 FC lea edx,dword ptr ss:[ebp-4]
00605B77 |.8B86 FC020000 mov eax,dword ptr ds:[esi+2FC]
00605B7D |.E8 8EA5E4FF call Member.00450110 ; registration code from the form field into [ebp-4]
00605B82 |.8B45 FC mov eax,dword ptr ss:[ebp-4] ; entered (fake) code into eax
00605B85 |.50 push eax
00605B86 |.8D55 F4 lea edx,dword ptr ss:[ebp-C]
00605B89 |.8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
00605B8F |.E8 7CA5E4FF call Member.00450110 ; user name from the form field into [ebp-C]
00605B94 |.8B55 F4 mov edx,dword ptr ss:[ebp-C] ; user name into edx
00605B97 |.8D4D F8 lea ecx,dword ptr ss:[ebp-8]
00605B9A |.8BC6 mov eax,esi
00605B9C |.E8 F3FAFFFF call Member.00605694 ; ★ algorithm call2, step in! ★
00605BA1 |.8B55 F8 mov edx,dword ptr ss:[ebp-8] ; [ebp-8] holds the code you want!
00605BA4 |.58 pop eax
00605BA5 |.E8 6AF4DFFF call Member.00405014 ; compare call
00605BAA |.75 3A jnz short Member.00605BE6 ; not equal, game over~~
00605BAC |.B3 01 mov bl,1
00605BAE |.8D55 F0 lea edx,dword ptr ss:[ebp-10]
00605BB1 |.8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
00605BB7 |.E8 54A5E4FF call Member.00450110
00605BBC |.8B55 F0 mov edx,dword ptr ss:[ebp-10]
00605BBF |.B8 149A6300 mov eax,Member.00639A14
00605BC4 |.E8 A3F0DFFF call Member.00404C6C
00605BC9 |.8D55 EC lea edx,dword ptr ss:[ebp-14]
00605BCC |.8B86 FC020000 mov eax,dword ptr ds:[esi+2FC]
00605BD2 |.E8 39A5E4FF call Member.00450110
00605BD7 |.8B55 EC mov edx,dword ptr ss:[ebp-14]
00605BDA |.B8 189A6300 mov eax,Member.00639A18
00605BDF |.E8 88F0DFFF call Member.00404C6C
00605BE4 |.EB 02 jmp short Member.00605BE8
00605BE6 |>33DB xor ebx,ebx
00605BE8 |>33C0 xor eax,eax
00605BEA |.5A pop edx
00605BEB |.59 pop ecx
00605BEC |.59 pop ecx
00605BED |.64:8910 mov dword ptr fs:[eax],edx
00605BF0 |.68 1A5C6000 push Member.00605C1A
00605BF5 |>8D45 EC lea eax,dword ptr ss:[ebp-14]
00605BF8 |.BA 03000000 mov edx,3
00605BFD |.E8 3AF0DFFF call Member.00404C3C
00605C02 |.8D45 F8 lea eax,dword ptr ss:[ebp-8]
00605C05 |.E8 0EF0DFFF call Member.00404C18
00605C0A |.8D45 FC lea eax,dword ptr ss:[ebp-4]
00605C0D |.E8 06F0DFFF call Member.00404C18
00605C12 \.C3 retn
************************************************************
Now into algorithm call2:
00605694 /$55 push ebp
00605695 |.8BEC mov ebp,esp
00605697 |.51 push ecx
00605698 |.B9 04000000 mov ecx,4
0060569D |>6A 00 /push 0
0060569F |.6A 00 |push 0
006056A1 |.49 |dec ecx
006056A2 |.^ 75 F9 \jnz short Member.0060569D
006056A4 |.51 push ecx
006056A5 |.874D FC xchg dword ptr ss:[ebp-4],ecx
006056A8 |.53 push ebx
006056A9 |.56 push esi
006056AA |.57 push edi
006056AB |.8BF9 mov edi,ecx
006056AD |.8955 FC mov dword ptr ss:[ebp-4],edx ; user name stored in [ebp-4]
006056B0 |.8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = user name
006056B3 |.E8 00FADFFF call Member.004050B8
006056B8 |.33C0 xor eax,eax ; eax = 0
006056BA |.55 push ebp
006056BB |.68 55586000 push Member.00605855
006056C0 |.64:FF30 push dword ptr fs:[eax]
006056C3 |.64:8920 mov dword ptr fs:[eax],esp
006056C6 |.8BC7 mov eax,edi
006056C8 |.E8 4BF5DFFF call Member.00404C18
006056CD |.8B45 FC mov eax,dword ptr ss:[ebp-4]
006056D0 |.E8 FBF7DFFF call Member.00404ED0 ; length of the user name
006056D5 |.8BF0 mov esi,eax ; esi = length of the user name
006056D7 |.85F6 test esi,esi
006056D9 |.7E 26 jle short Member.00605701
006056DB |.BB 01000000 mov ebx,1 ; ebx starts at 1
006056E0 |>8D4D EC /lea ecx,dword ptr ss:[ebp-14]
006056E3 |.8B45 FC |mov eax,dword ptr ss:[ebp-4]
006056E6 |.0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1] ; take the user name's ASCII codes one by one
006056EB |.33D2 |xor edx,edx ; edx = 0
006056ED |.E8 9E49E0FF |call Member.0040A090 ; convert the byte to hex
006056F2 |.8B55 EC |mov edx,dword ptr ss:[ebp-14]
006056F5 |.8D45 F8 |lea eax,dword ptr ss:[ebp-8]
006056F8 |.E8 DBF7DFFF |call Member.00404ED8 ; append to the hex string in [ebp-8]
006056FD |.43 |inc ebx
006056FE |.4E |dec esi
006056FF |.^ 75 DF \jnz short Member.006056E0
00605701 |>8B45 F8 mov eax,dword ptr ss:[ebp-8] ; hex string of the user name into eax
00605704 |.E8 C7F7DFFF call Member.00404ED0 ; its length
00605709 |.8BF0 mov esi,eax ; into esi
0060570B |.85F6 test esi,esi
0060570D |.7E 2C jle short Member.0060573B
0060570F |.BB 01000000 mov ebx,1 ; ebx starts at 1
00605714 |>8B45 F8 /mov eax,dword ptr ss:[ebp-8] ; hex string of the user name into eax
00605717 |.E8 B4F7DFFF |call Member.00404ED0 ; length of the hex string
0060571C |.2BC3 |sub eax,ebx ; eax = length - ebx
0060571E |.8B55 F8 |mov edx,dword ptr ss:[ebp-8]
00605721 |.8A1402 |mov dl,byte ptr ds:[edx+eax] ; pick the characters from the end, one at a time
00605724 |.8D45 E8 |lea eax,dword ptr ss:[ebp-18]
00605727 |.E8 CCF6DFFF |call Member.00404DF8
0060572C |.8B55 E8 |mov edx,dword ptr ss:[ebp-18]
0060572F |.8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00605732 |.E8 A1F7DFFF |call Member.00404ED8 ; append to the reversed string in [ebp-C]
00605737 |.43 |inc ebx ; ebx+1
00605738 |.4E |dec esi ; esi = esi-1 (remaining length of the hex string)
00605739 |.^ 75 D9 \jnz short Member.00605714 ; loop
★ this loop reverses the hex string of the user name ★
0060573B |>8D45 F8 lea eax,dword ptr ss:[ebp-8]
0060573E |.50 push eax
0060573F |.B9 04000000 mov ecx,4
00605744 |.BA 01000000 mov edx,1
00605749 |.8B45 F4 mov eax,dword ptr ss:[ebp-C] ; reversed string into eax
0060574C |.E8 D7F9DFFF call Member.00405128 ; first 4 characters -> [ebp-8]
00605751 |.8D45 F4 lea eax,dword ptr ss:[ebp-C]
00605754 |.50 push eax
00605755 |.B9 04000000 mov ecx,4
0060575A |.BA 05000000 mov edx,5
0060575F |.8B45 F4 mov eax,dword ptr ss:[ebp-C]
00605762 |.E8 C1F9DFFF call Member.00405128 ; characters 5-8 -> [ebp-C]
00605767 |.8B45 F8 mov eax,dword ptr ss:[ebp-8] ; first 4 characters into eax
0060576A |.E8 61F7DFFF call Member.00404ED0 ; their length
0060576F |.83F8 04 cmp eax,4 ; compare with 4
00605772 |.7D 2F jge short Member.006057A3 ; jump if 4 or more
00605774 |.8B45 F8 mov eax,dword ptr ss:[ebp-8]
00605777 |.E8 54F7DFFF call Member.00404ED0
0060577C |.8BD8 mov ebx,eax
0060577E |.83FB 03 cmp ebx,3
00605781 |.7F 20 jg short Member.006057A3
00605783 |>8D4D E4 /lea ecx,dword ptr ss:[ebp-1C] ; short name: pad [ebp-8] with hex(ebx*4) up to 4 characters
00605786 |.8BC3 |mov eax,ebx
00605788 |.C1E0 02 |shl eax,2
0060578B |.33D2 |xor edx,edx
0060578D |.E8 FE48E0FF |call Member.0040A090
00605792 |.8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
00605795 |.8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00605798 |.E8 3BF7DFFF |call Member.00404ED8
0060579D |.43 |inc ebx
0060579E |.83FB 04 |cmp ebx,4
006057A1 |.^ 75 E0 \jnz short Member.00605783
006057A3 |>8B45 F4 mov eax,dword ptr ss:[ebp-C] ; characters 5-8 into eax
006057A6 |.E8 25F7DFFF call Member.00404ED0
006057AB |.83F8 04 cmp eax,4
006057AE |.7D 2F jge short Member.006057DF
006057B0 |.8B45 F4 mov eax,dword ptr ss:[ebp-C]
006057B3 |.E8 18F7DFFF call Member.00404ED0
006057B8 |.8BD8 mov ebx,eax
006057BA |.83FB 03 cmp ebx,3
006057BD |.7F 20 jg short Member.006057DF
006057BF |>8D4D E0 /lea ecx,dword ptr ss:[ebp-20] ; same padding for [ebp-C]
006057C2 |.8BC3 |mov eax,ebx
006057C4 |.C1E0 02 |shl eax,2
006057C7 |.33D2 |xor edx,edx
006057C9 |.E8 C248E0FF |call Member.0040A090
006057CE |.8B55 E0 |mov edx,dword ptr ss:[ebp-20]
006057D1 |.8D45 F4 |lea eax,dword ptr ss:[ebp-C]
006057D4 |.E8 FFF6DFFF |call Member.00404ED8
006057D9 |.43 |inc ebx
006057DA |.83FB 04 |cmp ebx,4
006057DD |.^ 75 E0 \jnz short Member.006057BF
006057DF |>8D45 F0 lea eax,dword ptr ss:[ebp-10]
006057E2 |.BA 6C586000 mov edx,Member.0060586C ; edx="mem45erpe"
006057E7 |.E8 C4F4DFFF call Member.00404CB0
006057EC |.8D45 DC lea eax,dword ptr ss:[ebp-24]
006057EF |.50 push eax
006057F0 |.B9 04000000 mov ecx,4
006057F5 |.BA 01000000 mov edx,1
006057FA |.8B45 F0 mov eax,dword ptr ss:[ebp-10] ; eax="mem45erpe"
006057FD |.E8 26F9DFFF call Member.00405128 ; first 4 characters ("mem4")
00605802 |.FF75 DC push dword ptr ss:[ebp-24]
00605805 |.68 80586000 push Member.00605880 ; "-"
0060580A |.FF75 F8 push dword ptr ss:[ebp-8] ; first 4 characters of the reversed hex user name
0060580D |.8D45 D8 lea eax,dword ptr ss:[ebp-28]
00605810 |.50 push eax
00605811 |.B9 05000000 mov ecx,5
00605816 |.BA 05000000 mov edx,5
0060581B |.8B45 F0 mov eax,dword ptr ss:[ebp-10] ; eax="mem45erpe"
0060581E |.E8 05F9DFFF call Member.00405128 ; the remaining five characters ("5erpe")
00605823 |.FF75 D8 push dword ptr ss:[ebp-28]
00605826 |.68 80586000 push Member.00605880 ; "-"
0060582B |.FF75 F4 push dword ptr ss:[ebp-C] ; characters 5-8 of the reversed hex user name
0060582E |.8BC7 mov eax,edi
00605830 |.BA 06000000 mov edx,6
00605835 |.E8 56F7DFFF call Member.00404F90 ; concatenate the six pieces pushed above
0060583A |.33C0 xor eax,eax
0060583C |.5A pop edx
0060583D |.59 pop ecx
0060583E |.59 pop ecx
0060583F |.64:8910 mov dword ptr fs:[eax],edx
00605842 |.68 5C586000 push Member.0060585C
00605847 |>8D45 D8 lea eax,dword ptr ss:[ebp-28]
0060584A |.BA 0A000000 mov edx,0A
0060584F |.E8 E8F3DFFF call Member.00404C3C
00605854 \.C3 retn
00605855 .^ E9 3EECDFFF jmp Member.00404498
0060585A .^ EB EB jmp short Member.00605847
0060585C .5F pop edi
0060585D .5E pop esi
0060585E .5B pop ebx
0060585F .8BE5 mov esp,ebp
00605861 .5D pop ebp
00605862 .C3 retn
【Algorithm summary】
Convert the user name to the hex of its ASCII codes and reverse that string (call it x)
A constant mem45erpe is used (call it y)
The pieces are joined with "-"
Registration code = first 4 characters of y - first 4 characters of x + last five characters of y - characters 5 to 8 of x
My registration info:
piaoyun
mem4-D5745erpe-9505
Note: the registration info is saved under HKEY_LOCAL_MACHINE\SOFTWARE\zy\member; delete it and you can keep experimenting~~~
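An added Python reconstruction of the derivation summarised above (not the author's or the vendor's code), written to check the reading of the listing; it assumes 0040A090 is IntToHex with zero minimum digits, 00405128 is Copy, 00404F90 concatenates the six pushed strings and the string at 00605880 is "-", and every name it runs on is constructed. Only the last four bytes of the name reach the output, so any name ending in PYG] (for instance the constructed piaoyun[PYG]) yields the code listed above, while piaoyun on its own yields mem4-E6575erpe-97F6.

```python
# Added example, not code from the page or the vendor: reconstructs the
# derivation that call2 performs, to check the reading of the listing.
# Assumptions: 0040A090 is IntToHex(value, 0) (uppercase, no padding),
# 00405128 is Copy(), 00404F90 concatenates the six pushed strings, and
# the string at 00605880 is "-". All names below are constructed.

CONSTANT = "mem45erpe"  # literal at 0060586C ("y" in the summary)


def reversed_hex(name: bytes) -> str:
    """Loops 1 and 2 of call2: hex of every byte of the name, then the
    whole string reversed character by character ("x" in the summary)."""
    return "".join(f"{b:X}" for b in name)[::-1]


def pad_to_four(part: str) -> str:
    """Loops 3 and 4: if Copy() returned fewer than 4 characters (the name
    was shorter than 4 bytes), append IntToHex(i*4) for i = len .. 3."""
    i = len(part)
    while i < 4:
        part += f"{i * 4:X}"
        i += 1
    return part


def serial_for(name: bytes) -> str:
    """Code that call2 builds: y[1..4] + "-" + x[1..4] + y[5..9] + "-" + x[5..8].
    Only x[1..8], i.e. the last four bytes of the name, reaches the output."""
    x = reversed_hex(name)
    first = pad_to_four(x[0:4])   # Copy(x, 1, 4) -> [ebp-8]
    second = pad_to_four(x[4:8])  # Copy(x, 5, 4) -> [ebp-C]
    return CONSTANT[0:4] + "-" + first + CONSTANT[4:9] + "-" + second


def check(name: bytes, entered: str) -> bool:
    """call1: recompute the code from the name and compare it with the
    entered text (the jnz at 00605BAA)."""
    return serial_for(name) == entered


if __name__ == "__main__":
    for n in (b"piaoyun", b"piaoyun[PYG]", b"p"):
        print(n.decode(), "->", serial_for(n))
```

Because the verifier carries both the constant and the derivation, the whole check is reconstructible from the binary; a scheme whose client only verifies a signature made with a key it does not hold would not have that property.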
Memory keygen:
Break address: 00605BA5
Break count: 1
First byte: E8
Instruction length: 5
Memory mode - register - EDX
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact, thank you!
【Replies】
Brother Piaoyun, you're really fast, I can't keep up, haha~~~~~~~~~~
So fast. Support.
There are hidden checks too, haha
Support! Nice!
Nice, learning from it
Keep learning, bump.
Study hard.
A little less than half left. The network is good today, downloading more to study at home.
I'm almost embarrassed to keep replying.
I'm not spamming, I'm bookmarking. Haha