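VE人事管理系统 (VE Personnel Management System) 1.5 decoding analysis
【Article title】VE人事管理系统 (VE Personnel Management System) 1.5 decoding analysis
【Author】lzq1973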
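【Author homepage】http://my.winzheng.com/?455397
【Tools】OD, PEiD
【Platform】WinXP
【Software name】VE人事管理系统 (VE Personnel Management System) 1.5
【Software size】1320KB
【Original download】http://www.sharebank.com.cn/soft/soft_view.php?id=21892
【Protection】SN
【Software description】A personnel management system designed for small and medium-sized enterprises, government offices and public institutions.
The software is suitable for personnel management in government offices, enterprises and public institutions. It covers every aspect of
personnel management and is a capable assistant for personnel administrators.
System features:
1. The software is stable and practical, with a fairly friendly interface and convenient operation.
2. Powerful data export:
The software can export staff lists, rosters, address books and so on to Microsoft Excel 2000/2003;
it can export personnel information forms to Microsoft Word 2000/2003.
【Statement】I am just a little newbie; this is purely for learning, and I am happy to share it with everyone!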
------------------------------------------------------------------------
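【Procedure】 Checked for a packer and found none, a pleasant surprise; ran it and tried to register, got a prompt, another pleasant surprise; loaded it in OD, searched for the string and set a breakpoint, then ran and arrived at:
00510280/.55 push ebp ;--> breaks here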
00510281|.8BEC mov ebp, esp
00510283|.B9 07000000 mov ecx, 7
00510288|>6A 00 /push 0
0051028A|.6A 00 |push 0
0051028C|.49 |dec ecx
0051028D|.^ 75 F9 \jnz short 00510288
0051028F|.53 push ebx
00510290|.8BD8 mov ebx, eax
00510292|.33C0 xor eax, eax
00510294|.55 push ebp
00510295|.68 BF045100 push 005104BF
0051029A|.64:FF30 push dword ptr fs:[eax]
0051029D|.64:8920 mov fs:[eax], esp
005102A0|.8D55 F8 lea edx, [ebp-8]
005102A3|.8B83 04030000 mov eax, [ebx+304]
005102A9|.E8 1A2CF6FF call 00472EC8
005102AE|.8B45 F8 mov eax, [ebp-8] ;(ASCII "lzq1973")
005102B1|.8D55 FC lea edx, [ebp-4]
005102B4|.E8 0B88EFFF call 00408AC4
005102B9|.837D FC 00 cmp dword ptr [ebp-4], 0
005102BD|.75 26 jnz short 005102E5
005102BF|.6A 40 push 40
005102C1|.68 CC045100 push 005104CC ;"提示" (Notice)
005102C6|.68 D4045100 push 005104D4 ;"注册单位不能为空。" (The registered organization must not be empty.)
005102CB|.8BC3 mov eax, ebx
005102CD|.E8 BE95F6FF call 00479890
005102D2|.50 push eax ; |hOwner
005102D3|.E8 7870EFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
005102D8|.33C0 xor eax, eax
005102DA|.8983 4C020000 mov [ebx+24C], eax
005102E0|.E9 62010000 jmp 00510447
005102E5|>8D55 F0 lea edx, [ebp-10]
005102E8|.8B83 0C030000 mov eax, [ebx+30C]
005102EE|.E8 D52BF6FF call 00472EC8
005102F3|.8B45 F0 mov eax, [ebp-10]
005102F6|.8D55 F4 lea edx, [ebp-C]
005102F9|.E8 C687EFFF call 00408AC4
005102FE|.837D F4 00 cmp dword ptr [ebp-C], 0
00510302|.75 26 jnz short 0051032A
00510304|.6A 40 push 40
00510306|.68 CC045100 push 005104CC ;"提示" (Notice)
0051030B|.68 E8045100 push 005104E8 ;"请输入注册码。" (Please enter the registration code.)
00510310|.8BC3 mov eax, ebx
00510312|.E8 7995F6FF call 00479890
00510317|.50 push eax ; |hOwner
00510318|.E8 3370EFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0051031D|.33C0 xor eax, eax
0051031F|.8983 4C020000 mov [ebx+24C], eax
00510325|.E9 1D010000 jmp 00510447
0051032A|>8D55 E4 lea edx, [ebp-1C]
0051032D|.8B83 04030000 mov eax, [ebx+304]
00510333|.E8 902BF6FF call 00472EC8
00510338|.8B45 E4 mov eax, [ebp-1C]
0051033B|.8D55 E8 lea edx, [ebp-18]
0051033E|.E8 8187EFFF call 00408AC4
00510343|.8B45 E8 mov eax, [ebp-18]
00510346|.8D55 EC lea edx, [ebp-14]
00510349|.E8 A239FEFF call 004F3CF0 ;key CALL
0051034E|.8B45 EC mov eax, [ebp-14] ;(ASCII "14216561")
00510351|.50 push eax
00510352|.8D55 DC lea edx, [ebp-24]
00510355|.8B83 0C030000 mov eax, [ebx+30C]
0051035B|.E8 682BF6FF call 00472EC8
00510360|.8B45 DC mov eax, [ebp-24]
00510363|.8D55 E0 lea edx, [ebp-20]
00510366|.E8 5987EFFF call 00408AC4
0051036B|.8B55 E0 mov edx, [ebp-20]
0051036E|.58 pop eax
0051036F|.E8 7C43EFFF call 004046F0 ;memory keygen point (EAX)
00510374 74 26 je short 0051039C ;patch point (after the jump is changed, the registration code is written to the registry automatically)
00510376|.6A 40 push 40
00510378|.68 CC045100 push 005104CC ;"提示" (Notice)
0051037D|.68 F8045100 push 005104F8 ;"注册码不正确,请重新输入。" (The registration code is incorrect, please re-enter it.)
00510382|.8BC3 mov eax, ebx
00510384|.E8 0795F6FF call 00479890
00510389|.50 push eax ; |hOwner
0051038A|.E8 C16FEFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0051038F|.33C0 xor eax, eax
00510391|.8983 4C020000 mov [ebx+24C], eax
00510397|.E9 AB000000 jmp 00510447
0051039C|>8D55 D0 lea edx, [ebp-30]
0051039F|.8B83 04030000 mov eax, [ebx+304]
005103A5|.E8 1E2BF6FF call 00472EC8
005103AA|.8B45 D0 mov eax, [ebp-30]
005103AD|.8D55 D4 lea edx, [ebp-2C]
005103B0|.E8 0F87EFFF call 00408AC4
005103B5|.8B45 D4 mov eax, [ebp-2C]
005103B8|.8D55 D8 lea edx, [ebp-28]
005103BB|.E8 3039FEFF call 004F3CF0
005103C0|.8B45 D8 mov eax, [ebp-28]
005103C3|.50 push eax
005103C4|.8D55 C8 lea edx, [ebp-38]
005103C7|.8B83 04030000 mov eax, [ebx+304]
005103CD|.E8 F62AF6FF call 00472EC8
005103D2|.8B45 C8 mov eax, [ebp-38]
005103D5|.8D55 CC lea edx, [ebp-34]
005103D8|.E8 E786EFFF call 00408AC4
005103DD|.8B45 CC mov eax, [ebp-34]
005103E0|.5A pop edx
005103E1|.E8 663AFEFF call 004F3E4C
005103E6|.E8 493BFEFF call 004F3F34
005103EB|.84C0 test al, al
005103ED|.74 37 je short 00510426
005103EF|.6A 40 push 40
005103F1|.68 CC045100 push 005104CC ;"提示" (Notice)
005103F6|.68 14055100 push 00510514 ;"注册成功!谢谢您的注册。" (Registration succeeded! Thank you for registering.)
005103FB|.8BC3 mov eax, ebx
005103FD|.E8 8E94F6FF call 00479890
00510402|.50 push eax ; |hOwner
00510403|.E8 486FEFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00510408|.A1 28565100 mov eax, [515628]
0051040D|.C600 01 mov byte ptr [eax], 1
00510410|.8B15 6C5A5100 mov edx, [515A6C] ;HRM.005482E4
00510416|.8B12 mov edx, [edx]
00510418|.A1 74565100 mov eax, [515674]
0051041D|.8B00 mov eax, [eax]
0051041F|.E8 D42AF6FF call 00472EF8
00510424|.EB 21 jmp short 00510447
00510426|>6A 40 push 40
00510428|.68 CC045100 push 005104CC ;"提示" (Notice)
0051042D|.68 2C055100 push 0051052C ;"注册失败,请重启再试。" (Registration failed, please restart and try again.)
00510432|.8BC3 mov eax, ebx
00510434|.E8 5794F6FF call 00479890
00510439|.50 push eax ; |hOwner
0051043A|.E8 116FEFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0051043F|.33C0 xor eax, eax
00510441|.8983 4C020000 mov [ebx+24C], eax
00510447|>33C0 xor eax, eax
00510449|.5A pop edx
0051044A|.59 pop ecx
0051044B|.59 pop ecx
0051044C|.64:8910 mov fs:[eax], edx
0051044F|.68 C6045100 push 005104C6
00510454|>8D45 C8 lea eax, [ebp-38]
00510457|.E8 883EEFFF call 004042E4
0051045C|.8D45 CC lea eax, [ebp-34]
0051045F|.E8 803EEFFF call 004042E4
00510464|.8D45 D0 lea eax, [ebp-30]
00510467|.E8 783EEFFF call 004042E4
0051046C|.8D45 D4 lea eax, [ebp-2C]
0051046F|.BA 02000000 mov edx, 2
00510474|.E8 8F3EEFFF call 00404308
00510479|.8D45 DC lea eax, [ebp-24]
0051047C|.E8 633EEFFF call 004042E4
00510481|.8D45 E0 lea eax, [ebp-20]
00510484|.E8 5B3EEFFF call 004042E4
00510489|.8D45 E4 lea eax, [ebp-1C]
0051048C|.E8 533EEFFF call 004042E4
00510491|.8D45 E8 lea eax, [ebp-18]
00510494|.BA 02000000 mov edx, 2
00510499|.E8 6A3EEFFF call 00404308
0051049E|.8D45 F0 lea eax, [ebp-10]
005104A1|.E8 3E3EEFFF call 004042E4
005104A6|.8D45 F4 lea eax, [ebp-C]
005104A9|.E8 363EEFFF call 004042E4
005104AE|.8D45 F8 lea eax, [ebp-8]
005104B1|>E8 2E3EEFFF call 004042E4
005104B6|.8D45 FC lea eax, [ebp-4]
005104B9|.E8 263EEFFF call 004042E4
005104BE\.C3 retn
005104BF >^ E9 4437EFFF jmp 00403C08
005104C4 .^ EB 8E jmp short 00510454
005104C6 >5B pop ebx
005104C7 .8BE5 mov esp, ebp
005104C9 .5D pop ebp
005104CA .C3 retn
================================================
004F3CF0/$55 push ebp ;--> algorithm part
004F3CF1|.8BEC mov ebp, esp
004F3CF3|.33C9 xor ecx, ecx
004F3CF5|.51 push ecx
004F3CF6|.51 push ecx
004F3CF7|.51 push ecx
004F3CF8|.51 push ecx
004F3CF9|.51 push ecx
004F3CFA|.51 push ecx
004F3CFB|.51 push ecx
004F3CFC|.53 push ebx
004F3CFD|.56 push esi
004F3CFE|.57 push edi
004F3CFF|.8955 F8 mov [ebp-8], edx
004F3D02|.8945 FC mov [ebp-4], eax
004F3D05|.8B45 FC mov eax, [ebp-4] ;(ASCII "lzq1973")
004F3D08|.E8 870AF1FF call 00404794
004F3D0D|.33C0 xor eax, eax
004F3D0F|.55 push ebp
004F3D10|.68 3B3E4F00 push 004F3E3B
004F3D15|.64:FF30 push dword ptr fs:[eax]
004F3D18|.64:8920 mov fs:[eax], esp
004F3D1B|.8D45 F4 lea eax, [ebp-C]
004F3D1E|.E8 C105F1FF call 004042E4
004F3D23|.8B45 FC mov eax, [ebp-4]
004F3D26|.E8 7908F1FF call 004045A4
004F3D2B|.83F8 18 cmp eax, 18 ;jump away if the length is less than 24
004F3D2E|.7E 73 jle short 004F3DA3
004F3D30|.8BF0 mov esi, eax
004F3D32|.85F6 test esi, esi
004F3D34|.7E 60 jle short 004F3D96 ;algorithm for a user name longer than 24 follows
004F3D36|.BB 01000000 mov ebx, 1
004F3D3B|>8BC3 /mov eax, ebx ;take positions that are multiples of 3 (0 excluded)
004F3D3D|.B9 03000000 |mov ecx, 3
004F3D42|.99 |cdq
004F3D43|.F7F9 |idiv ecx
004F3D45|.85D2 |test edx, edx
004F3D47|.75 49 |jnz short 004F3D92
004F3D49|.8D45 F0 |lea eax, [ebp-10]
004F3D4C|.50 |push eax
004F3D4D|.B9 01000000 |mov ecx, 1
004F3D52|.8BD3 |mov edx, ebx
004F3D54|.8B45 FC |mov eax, [ebp-4]
004F3D57|.E8 A80AF1FF |call 00404804
004F3D5C|.8B45 F0 |mov eax, [ebp-10]
004F3D5F|.E8 400AF1FF |call 004047A4
004F3D64|.8A00 |mov al, [eax]
004F3D66|.8BF8 |mov edi, eax
004F3D68|.81E7 FF000000 |and edi, 0FF
004F3D6E|.8BC7 |mov eax, edi
004F3D70|.B9 62000000 |mov ecx, 62
004F3D75|.99 |cdq
004F3D76|.F7F9 |idiv ecx
004F3D78|.8BC2 |mov eax, edx
004F3D7A|.03C3 |add eax, ebx
004F3D7C|.83C0 03 |add eax, 3
004F3D7F|.8D55 EC |lea edx, [ebp-14]
004F3D82|.E8 A550F1FF |call 00408E2C
004F3D87|.8B55 EC |mov edx, [ebp-14]
004F3D8A|.8D45 F4 |lea eax, [ebp-C]
004F3D8D|.E8 1A08F1FF |call 004045AC
004F3D92|>43 |inc ebx
004F3D93|.4E |dec esi
004F3D94|.^ 75 A5 \jnz short 004F3D3B
004F3D96|>8B45 F8 mov eax, [ebp-8]
004F3D99|.8B55 F4 mov edx, [ebp-C]
004F3D9C|.E8 9705F1FF call 00404338
004F3DA1|.EB 75 jmp short 004F3E18
004F3DA3|>8BF0 mov esi, eax
004F3DA5|.85F6 test esi, esi
004F3DA7|.7E 64 jle short 004F3E0D
004F3DA9|.BB 01000000 mov ebx, 1
004F3DAE|>8BC3 /mov eax, ebx ;/ algorithm starts ---> which position to take
004F3DB0|.25 01000080 |and eax, 80000001 ;| test odd/even
004F3DB5|.79 05 |jns short 004F3DBC ;|
004F3DB7|.48 |dec eax ;|
004F3DB8|.83C8 FE |or eax, FFFFFFFE ;|
004F3DBB|.40 |inc eax ;|
004F3DBC|>85C0 |test eax, eax ;|
004F3DBE|.74 49 |je short 004F3E09 ;| even positions jump away
004F3DC0|.8D45 E8 |lea eax, [ebp-18] ;|
004F3DC3|.50 |push eax ;|
004F3DC4|.B9 01000000 |mov ecx, 1 ;|
004F3DC9|.8BD3 |mov edx, ebx ;|
004F3DCB|.8B45 FC |mov eax, [ebp-4] ;| (ASCII "lzq1973")
004F3DCE|.E8 310AF1FF |call 00404804 ;|
004F3DD3|.8B45 E8 |mov eax, [ebp-18] ;|
004F3DD6|.E8 C909F1FF |call 004047A4 ;|
004F3DDB|.8A00 |mov al, [eax] ;|
004F3DDD|.8BF8 |mov edi, eax ;|
004F3DDF|.81E7 FF000000 |and edi, 0FF ;|
004F3DE5|.8BC7 |mov eax, edi ;|
004F3DE7|.B9 62000000 |mov ecx, 62 ;|
004F3DEC|.99 |cdq ;|
004F3DED|.F7F9 |idiv ecx ;| 62/? (hex value of the odd-position character; take the remainder, call it A)
004F3DEF|.8BC2 |mov eax, edx ;| if it is a digit, take the digit itself
004F3DF1|.03C3 |add eax, ebx ;| B=A+EBX, EBX starts at 1
004F3DF3|.83C0 03 |add eax, 3 ;| C=B+3
004F3DF6|.8D55 E4 |lea edx, [ebp-1C] ;|
004F3DF9|.E8 2E50F1FF |call 00408E2C ;|
004F3DFE|.8B55 E4 |mov edx, [ebp-1C] ;| C in decimal
004F3E01|.8D45 F4 |lea eax, [ebp-C] ;|
004F3E04|.E8 A307F1FF |call 004045AC ;|
004F3E09|>43 |inc ebx ;| EBX=EBX+1
004F3E0A|.4E |dec esi ;|
004F3E0B|.^ 75 A1 \jnz short 004F3DAE ;\ loop
004F3E0D|>8B45 F8 mov eax, [ebp-8]
004F3E10|.8B55 F4 mov edx, [ebp-C] ;(ASCII "14216561")
004F3E13|.E8 2005F1FF call 00404338
004F3E18|>33C0 xor eax, eax
004F3E1A|.5A pop edx
004F3E1B|.59 pop ecx
004F3E1C|.59 pop ecx
004F3E1D|.64:8910 mov fs:[eax], edx
004F3E20|.68 423E4F00 push 004F3E42
004F3E25|>8D45 E4 lea eax, [ebp-1C]
004F3E28|.BA 05000000 mov edx, 5
004F3E2D|.E8 D604F1FF call 00404308
004F3E32|.8D45 FC lea eax, [ebp-4]
004F3E35|.E8 AA04F1FF call 004042E4
004F3E3A\.C3 retn
004F3E3B .^ E9 C8FDF0FF jmp 00403C08
004F3E40 .^ EB E3 jmp short 004F3E25
004F3E42 .5F pop edi
004F3E43 .5E pop esi
004F3E44 .5B pop ebx
004F3E45 .8BE5 mov esp, ebp
004F3E47 .5D pop ebp
004F3E48 .C3 retn
===========================================
004F3F34/$55 push ebp ;--> registration info
004F3F35|.8BEC mov ebp, esp
004F3F37|.B9 04000000 mov ecx, 4
004F3F3C|>6A 00 /push 0
004F3F3E|.6A 00 |push 0
004F3F40|.49 |dec ecx
004F3F41|.^ 75 F9 \jnz short 004F3F3C
004F3F43|.51 push ecx
004F3F44|.33C0 xor eax, eax
004F3F46|.55 push ebp
004F3F47|.68 49404F00 push 004F4049
004F3F4C|.64:FF30 push dword ptr fs:[eax]
004F3F4F|.64:8920 mov fs:[eax], esp
004F3F52|.C645 FF 00 mov byte ptr [ebp-1], 0
004F3F56|.B2 01 mov dl, 1
004F3F58|.A1 F4194400 mov eax, [4419F4]
004F3F5D|.E8 92DBF4FF call 00441AF4
004F3F62|.8945 F8 mov [ebp-8], eax
004F3F65|.33C0 xor eax, eax
004F3F67|.55 push ebp
004F3F68|.68 27404F00 push 004F4027
004F3F6D|.64:FF30 push dword ptr fs:[eax]
004F3F70|.64:8920 mov fs:[eax], esp
004F3F73|.BA 03000080 mov edx, 80000003
004F3F78|.8B45 F8 mov eax, [ebp-8]
004F3F7B|.E8 14DCF4FF call 00441B94
004F3F80|.B1 01 mov cl, 1
004F3F82|.BA 60404F00 mov edx, 004F4060 ;ASCII "\.DEFAULT\Software\HJSoft"
004F3F87|.8B45 F8 mov eax, [ebp-8]
004F3F8A|.E8 69DCF4FF call 00441BF8
004F3F8F|.84C0 test al, al
004F3F91|.74 7E je short 004F4011
004F3F93|.8D4D EC lea ecx, [ebp-14]
004F3F96|.BA 84404F00 mov edx, 004F4084 ;ASCII "UserName"
004F3F9B|.8B45 F8 mov eax, [ebp-8]
004F3F9E|.E8 1DDEF4FF call 00441DC0
004F3FA3|.8B45 EC mov eax, [ebp-14]
004F3FA6|.8D55 F4 lea edx, [ebp-C]
004F3FA9|.E8 164BF1FF call 00408AC4
004F3FAE|.8D4D E8 lea ecx, [ebp-18]
004F3FB1|.BA 98404F00 mov edx, 004F4098 ;ASCII "RegCode"
004F3FB6|.8B45 F8 mov eax, [ebp-8]
004F3FB9|.E8 02DEF4FF call 00441DC0
004F3FBE|.8B45 E8 mov eax, [ebp-18]
004F3FC1|.8D55 F0 lea edx, [ebp-10]
004F3FC4|.E8 FB4AF1FF call 00408AC4
004F3FC9|.8B45 F8 mov eax, [ebp-8]
004F3FCC|.E8 93DBF4FF call 00441B64
004F3FD1|.837D F0 00 cmp dword ptr [ebp-10], 0
004F3FD5|.74 3A je short 004F4011
004F3FD7|.837D F4 00 cmp dword ptr [ebp-C], 0
004F3FDB|.74 34 je short 004F4011
004F3FDD|.8D55 E0 lea edx, [ebp-20]
004F3FE0|.8B45 F4 mov eax, [ebp-C]
004F3FE3|.E8 DC4AF1FF call 00408AC4
004F3FE8|.8B45 E0 mov eax, [ebp-20]
004F3FEB|.8D55 E4 lea edx, [ebp-1C]
004F3FEE|.E8 FDFCFFFF call 004F3CF0
004F3FF3|.8B45 E4 mov eax, [ebp-1C]
004F3FF6|.50 push eax
004F3FF7|.8D55 DC lea edx, [ebp-24]
004F3FFA|.8B45 F0 mov eax, [ebp-10]
004F3FFD|.E8 C24AF1FF call 00408AC4
004F4002|.8B55 DC mov edx, [ebp-24]
004F4005|.58 pop eax
004F4006|.E8 E506F1FF call 004046F0
004F400B|.75 04 jnz short 004F4011
004F400D|.C645 FF 01 mov byte ptr [ebp-1], 1
004F4011|>33C0 xor eax, eax
004F4013|.5A pop edx
004F4014|.59 pop ecx
004F4015|.59 pop ecx
004F4016|.64:8910 mov fs:[eax], edx
004F4019|.68 2E404F00 push 004F402E
004F401E|>8B45 F8 mov eax, [ebp-8]
004F4021|.E8 4EF4F0FF call 00403474
004F4026\.C3 retn
004F4027 .^ E9 DCFBF0FF jmp 00403C08
004F402C .^ EB F0 jmp short 004F401E
004F402E .33C0 xor eax, eax
004F4030 .5A pop edx
004F4031 .59 pop ecx
004F4032 .59 pop ecx
004F4033 .64:8910 mov fs:[eax], edx
004F4036 .68 50404F00 push 004F4050
004F403B >8D45 DC lea eax, [ebp-24]
004F403E .BA 07000000 mov edx, 7
004F4043 .E8 C002F1FF call 00404308
004F4048 .C3 retn
004F4049 .^ E9 BAFBF0FF jmp 00403C08
004F404E .^ EB EB jmp short 004F403B
004F4050 .8A45 FF mov al, [ebp-1]
004F4053 .8BE5 mov esp, ebp
004F4055 .5D pop ebp
004F4056 .C3 retn
------------------------------------------------------------------------
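【Summary】
Plaintext comparison. The registration code is computed in one of two ways (a user name longer than 24 uses the other algorithm); the case of fewer than 24 is used as the example here.
1. Take the characters at the odd positions of the user name (for names longer than 24, take the positions that are multiples of 3);
2. The hex value of the current character (call it A; for a digit, take the digit itself) divided by 62, remainder taken, plus EBX plus 3, gives the corresponding part of the registration code;
3. The parts joined together form the registration code.
Note: EBX=EBX+1
=========================================
Registered name: lzq1973
Registration code: 2164921081081121029510110153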
------------------------------------------------------------------------
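【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article complete. Thank you!

Thanks! Learned something, bump.
Bump!!!!!!!
Showing my support....
Here to learn; thanks to the original poster for sharing.
Learned from this, thanks for sharing.
Haha, great, I got it working too, many thanks to the OP!
Great analysis, I bow to the expert. Thanks for sharing.
Thanks for sharing, much appreciated.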