佳宜 (Jiayi) Vehicle Information Management Software v1.10 (Enterprise Edition): Algorithm Analysis
【Title】: 佳宜 (Jiayi) Vehicle Information Management Software v1.10 (Enterprise Edition) Algorithm Analysis
【Author】: wiliy
【Author e-mail】: [email protected]
【Author homepage】: ninghuan1984.blog.163.com
【Author QQ】: 253181924
【Software】: 佳宜车辆信息管理软件 v1.10 (Enterprise Edition)
【Download】: http://www.jyitsoft.com/
【Packer】: none
【Protection】: serial number
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD (OllyDbg), PEiD
【Platform】: WinXP
【Software description】: 佳宜车辆信息管理软件...
【Author's note】: Just out of interest, no other purpose. If I have made mistakes, I welcome corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】
Due to time constraints I only did a quick analysis; it is suitable for beginners, experts can skip it. Any resemblance is purely coincidental!
Run the software and enter the test code "username: wiliy, authorization number: 0123456789ABCD". After clicking Register it reports "系统注册失败,请检查注册是否有误!" (System registration failed, please check whether the registration is wrong!).
OK! Time to get to work!
PEiD check: no packer! Good, that saves some effort. Load it in OD; it stops at:
0068F96C > $55 push ebp // stops here
0068F96D .8BEC mov ebp, esp
0068F96F .83C4 F0 add esp, -10
0068F972 .53 push ebx
0068F973 .B8 ECEF6800 mov eax, 0068EFEC
0068F978 .E8 7778D7FF call 004071F4
0068F97D .8B1D 2C566900 mov ebx, dword ptr ;JyCARman.006987EC
0068F983 .A1 24556900 mov eax, dword ptr
0068F988 .8B00 mov eax, dword ptr
0068F98A .E8 4912DEFF call 00470BD8
0068F98F .33C9 xor ecx, ecx
...
After analysis with Ultra String Reference (you could also set an API breakpoint, bp MessageBoxA, but I'm lazy, so...), search for the string "系统注册失败,请检查注册是否有误!" (System registration failed, please check whether the registration is wrong!) and double-click it to arrive at:
0061151A .8B45 FC mov eax, dword ptr
0061151D .E8 8ABFE5FF call 0046D4AC
00611522 .E8 0130DFFF call 00404528
00611527 .EB 0C jmp short 00611535
00611529 >6A 03 push 3
0061152B .68 38166100 push 00611638 ;系统注册失败,请检查注册是否有误!
00611530 .E8 7B0CFEFF call <jmp.&PunUnitLib.ShowMess>
00611535 >33C0 xor eax, eax
00611537 .5A pop edx
00611538 .59 pop ecx
00611539 .59 pop ecx
...
Now scroll up in OD, come to this spot and set a breakpoint:
0061132F .8945 FC mov dword ptr , eax
00611332 .33C0 xor eax, eax
00611334 .55 push ebp // F2 to set breakpoint
00611335 .68 9A156100 push 0061159A
0061133A .64:FF30 push dword ptr fs:
0061133D .64:8920 mov dword ptr fs:, esp
00611340 .8D55 F0 lea edx, dword ptr
00611343 .8B45 FC mov eax, dword ptr
00611346 .8B80 04030000 mov eax, dword ptr
0061134C .E8 0FDEE3FF call 0044F160
00611351 .8B45 F0 mov eax, dword ptr
00611354 .8D55 F4 lea edx, dword ptr
00611357 .E8 9083DFFF call 004096EC
0061135C .837D F4 00 cmp dword ptr , 0
00611360 .75 22 jnz short 00611384
00611362 .6A 00 push 0
00611364 .68 A8156100 push 006115A8 ;请填写用户名称!
00611369 .E8 420EFEFF call <jmp.&PunUnitLib.ShowMess>
0061136E .8B45 FC mov eax, dword ptr
00611371 .8B80 04030000 mov eax, dword ptr
00611377 .8B10 mov edx, dword ptr
00611379 .FF92 C0000000 call dword ptr
...
Ctrl+F2 to reload, F9 to run, enter the test code "username: wiliy, authorization number: 0123456789ABCD", click the Register button, and OD breaks:
00611334 .55 push ebp // breaks here
00611335 .68 9A156100 push 0061159A
0061133A .64:FF30 push dword ptr fs:
0061133D .64:8920 mov dword ptr fs:, esp
00611340 .8D55 F0 lea edx, dword ptr
00611343 .8B45 FC mov eax, dword ptr
00611346 .8B80 04030000 mov eax, dword ptr
0061134C .E8 0FDEE3FF call 0044F160 ;// get username
00611351 .8B45 F0 mov eax, dword ptr
00611354 .8D55 F4 lea edx, dword ptr
00611357 .E8 9083DFFF call 004096EC
0061135C .837D F4 00 cmp dword ptr , 0 ;// check whether username is empty
00611360 .75 22 jnz short 00611384 ;// jump if not empty
00611362 .6A 00 push 0
00611364 .68 A8156100 push 006115A8 ;请填写用户名称!
00611369 .E8 420EFEFF call <jmp.&PunUnitLib.ShowMess>
0061136E .8B45 FC mov eax, dword ptr
00611371 .8B80 04030000 mov eax, dword ptr
00611377 .8B10 mov edx, dword ptr
00611379 .FF92 C0000000 call dword ptr
0061137F .E9 B1010000 jmp 00611535
00611384 >8D55 E8 lea edx, dword ptr
00611387 .8B45 FC mov eax, dword ptr
0061138A .8B80 FC020000 mov eax, dword ptr
00611390 .E8 CBDDE3FF call 0044F160 ;// get authorization code (here it is our fake code 0123456789ABCD)
00611395 .8B45 E8 mov eax, dword ptr
00611398 .8D55 EC lea edx, dword ptr
0061139B .E8 4C83DFFF call 004096EC
006113A0 .837D EC 00 cmp dword ptr , 0 ;// check whether authorization code is empty
006113A4 .75 22 jnz short 006113C8 ;// jump if not empty
006113A6 .6A 00 push 0
006113A8 .68 BC156100 push 006115BC ;授权号不能为空,请填写授权号!
006113AD .E8 FE0DFEFF call <jmp.&PunUnitLib.ShowMess>
006113B2 .8B45 FC mov eax, dword ptr
006113B5 .8B80 FC020000 mov eax, dword ptr
006113BB .8B10 mov edx, dword ptr
006113BD .FF92 C0000000 call dword ptr
006113C3 .E9 6D010000 jmp 00611535
006113C8 >A1 98576900 mov eax, dword ptr
006113CD .8B00 mov eax, dword ptr ;fixed string "C3H5-C2L8"
006113CF .E8 683BDFFF call 00404F3C
006113D4 .50 push eax
006113D5 .8D55 E4 lea edx, dword ptr
006113D8 .8B45 FC mov eax, dword ptr
006113DB .8B80 F4020000 mov eax, dword ptr
006113E1 .E8 7ADDE3FF call 0044F160 ;// get machine code
006113E6 .8B45 E4 mov eax, dword ptr
006113E9 .E8 4E3BDFFF call 00404F3C
006113EE .50 push eax
006113EF .E8 EC0DFEFF call <jmp.&PunUnitLib.GetRegPass> ;// ★ algorithm call ★ F7 to step into
006113F4 .8BD0 mov edx, eax ;// real code (memory keygen point)
006113F6 .8D45 F8 lea eax, dword ptr
006113F9 .E8 7E38DFFF call 00404C7C
006113FE .8D55 DC lea edx, dword ptr
00611401 .8B45 FC mov eax, dword ptr
00611404 .8B80 FC020000 mov eax, dword ptr
0061140A .E8 51DDE3FF call 0044F160
0061140F .8B45 DC mov eax, dword ptr
00611412 .8D55 E0 lea edx, dword ptr
00611415 .E8 D282DFFF call 004096EC
0061141A .8B45 E0 mov eax, dword ptr
0061141D .8B55 F8 mov edx, dword ptr
00611420 .E8 633ADFFF call 00404E88 ;// compare real code with entered code
00611425 .0F85 FE000000 jnz 00611529 ;// key jump: if not equal, jumps to the failure path (patch point)
0061142B .33C0 xor eax, eax
0061142D .55 push ebp
0061142E .68 15156100 push 00611515
00611433 .64:FF30 push dword ptr fs:
00611436 .64:8920 mov dword ptr fs:, esp
00611439 .B2 01 mov dl, 1
0061143B .A1 84314700 mov eax, dword ptr
00611440 .E8 AB1EE6FF call 004732F0
00611445 .8BD8 mov ebx, eax
00611447 .BA 02000080 mov edx, 80000002
0061144C .8BC3 mov eax, ebx
0061144E .E8 791FE6FF call 004733CC
00611453 .B1 01 mov cl, 1
00611455 .8B15 744D6900 mov edx, dword ptr ;JyCARman.0061123C
0061145B .8BC3 mov eax, ebx
0061145D .E8 AE20E6FF call 00473510
00611462 .8D55 D8 lea edx, dword ptr
00611465 .8B45 FC mov eax, dword ptr
00611468 .8B80 04030000 mov eax, dword ptr
0061146E .E8 EDDCE3FF call 0044F160
00611473 .8B4D D8 mov ecx, dword ptr
00611476 .BA E4156100 mov edx, 006115E4 ;username
0061147B .8BC3 mov eax, ebx
0061147D .E8 2A22E6FF call 004736AC
00611482 .8D55 D0 lea edx, dword ptr
00611485 .8B45 FC mov eax, dword ptr
00611488 .8B80 F4020000 mov eax, dword ptr
0061148E .E8 CDDCE3FF call 0044F160
00611493 .8B45 D0 mov eax, dword ptr
00611496 .E8 A13ADFFF call 00404F3C
0061149B .50 push eax
0061149C .E8 370DFEFF call <jmp.&PunUnitLib.SavePass>
006114A1 .8BD0 mov edx, eax
006114A3 .8D45 D4 lea eax, dword ptr
006114A6 .E8 D137DFFF call 00404C7C
006114AB .8B4D D4 mov ecx, dword ptr
006114AE .BA F8156100 mov edx, 006115F8 ;signcode
006114B3 .8BC3 mov eax, ebx
006114B5 .E8 F221E6FF call 004736AC
006114BA .8B45 F8 mov eax, dword ptr
006114BD .E8 7A3ADFFF call 00404F3C
006114C2 .50 push eax
006114C3 .E8 100DFEFF call <jmp.&PunUnitLib.SavePass>
006114C8 .8BD0 mov edx, eax
006114CA .8D45 CC lea eax, dword ptr
006114CD .E8 AA37DFFF call 00404C7C
006114D2 .8B4D CC mov ecx, dword ptr
006114D5 .BA 0C166100 mov edx, 0061160C ;regcode
006114DA .8BC3 mov eax, ebx
006114DC .E8 CB21E6FF call 004736AC
006114E1 .8BC3 mov eax, ebx
006114E3 .E8 3427DFFF call 00403C1C
006114E8 .6A 00 push 0
006114EA .68 14166100 push 00611614 ;系统注册成功,欢迎你使用本软件!
006114EF .E8 BC0CFEFF call <jmp.&PunUnitLib.ShowMess>
006114F4 .A1 94576900 mov eax, dword ptr
006114F9 .C700 02000000 mov dword ptr , 2
006114FF .A1 24556900 mov eax, dword ptr
00611504 .8B00 mov eax, dword ptr
00611506 .E8 51F8E5FF call 00470D5C
0061150B .33C0 xor eax, eax
0061150D .5A pop edx
0061150E .59 pop ecx
0061150F .59 pop ecx
00611510 .64:8910 mov dword ptr fs:, edx
00611513 .EB 20 jmp short 00611535
00611515 .^ E9 E22BDFFF jmp 004040FC
0061151A .8B45 FC mov eax, dword ptr
0061151D .E8 8ABFE5FF call 0046D4AC
00611522 .E8 0130DFFF call 00404528
00611527 .EB 0C jmp short 00611535
00611529 >6A 03 push 3
0061152B .68 38166100 push 00611638 ;系统注册失败,请检查注册是否有误!
00611530 .E8 7B0CFEFF call <jmp.&PunUnitLib.ShowMess>
00611535 >33C0 xor eax, eax
00611537 .5A pop edx
00611538 .59 pop ecx
00611539 .59 pop ecx
0061153A .64:8910 mov dword ptr fs:, edx
...
★ Algorithm call ★ F7 to step into
...
00889024 >55 push ebp ; // one F8 step lands here
00889025 8BEC mov ebp, esp
00889027 B9 06000000 mov ecx, 6
0088902C 6A 00 push 0
0088902E 6A 00 push 0
00889030 49 dec ecx
00889031^ 75 F9 jnz short 0088902C
00889033 53 push ebx
00889034 56 push esi
00889035 33C0 xor eax, eax
00889037 55 push ebp
00889038 68 F2918800 push 008891F2
0088903D 64:FF30 push dword ptr fs:
00889040 64:8920 mov dword ptr fs:, esp
00889043 8D45 EC lea eax, dword ptr
00889046 E8 65B5F8FF call 008145B0
0088904B 8D45 F0 lea eax, dword ptr
0088904E 8B55 08 mov edx, dword ptr ; // machine code into EDX
00889051 E8 4AB7F8FF call 008147A0
00889056 8B45 F0 mov eax, dword ptr
00889059 E8 0AB8F8FF call 00814868
0088905E 8BF0 mov esi, eax
00889060 85F6 test esi, esi
00889062 7E 26 jle short 0088908A
00889064 BB 01000000 mov ebx, 1
00889069 8D4D E8 lea ecx, dword ptr
0088906C 8B45 F0 mov eax, dword ptr
0088906F 0FB64418 FF movzx eax, byte ptr
00889074 33D2 xor edx, edx
00889076 E8 F905F9FF call 00819674
0088907B 8B55 E8 mov edx, dword ptr
0088907E 8D45 FC lea eax, dword ptr
00889081 E8 EAB7F8FF call 00814870
00889086 43 inc ebx
00889087 4E dec esi
00889088^ 75 DF jnz short 00889069 ; // the loop above converts the machine code into hexadecimal string STR1
0088908A 8B45 FC mov eax, dword ptr ; // STR1 into EAX
0088908D E8 D6B7F8FF call 00814868
00889092 8BF0 mov esi, eax
00889094 85F6 test esi, esi
00889096 7E 2C jle short 008890C4
00889098 BB 01000000 mov ebx, 1
0088909D 8B45 FC mov eax, dword ptr
008890A0 E8 C3B7F8FF call 00814868
008890A5 2BC3 sub eax, ebx
008890A7 8B55 FC mov edx, dword ptr
008890AA 8A1402 mov dl, byte ptr
008890AD 8D45 E4 lea eax, dword ptr
008890B0 E8 DBB6F8FF call 00814790
008890B5 8B55 E4 mov edx, dword ptr
008890B8 8D45 F8 lea eax, dword ptr
008890BB E8 B0B7F8FF call 00814870
008890C0 43 inc ebx
008890C1 4E dec esi
008890C2^ 75 D9 jnz short 0088909D ; // the loop above reverses STR1 into STR2
008890C4 8D45 FC lea eax, dword ptr
008890C7 50 push eax
008890C8 B9 04000000 mov ecx, 4
008890CD BA 01000000 mov edx, 1
008890D2 8B45 F8 mov eax, dword ptr ; // STR2 into EAX
008890D5 E8 E6B9F8FF call 00814AC0
008890DA 8D45 F8 lea eax, dword ptr
008890DD 50 push eax
008890DE B9 04000000 mov ecx, 4
008890E3 BA 05000000 mov edx, 5
008890E8 8B45 F8 mov eax, dword ptr
008890EB E8 D0B9F8FF call 00814AC0
008890F0 8B45 FC mov eax, dword ptr ; // take the first 4 characters of STR2 as STR3
008890F3 E8 70B7F8FF call 00814868
008890F8 83F8 04 cmp eax, 4 ; // check whether STR3 is at least 4 characters long
008890FB 7D 2F jge short 0088912C
008890FD 8B45 FC mov eax, dword ptr
00889100 E8 63B7F8FF call 00814868
00889105 8BD8 mov ebx, eax
00889107 83FB 03 cmp ebx, 3
0088910A 7F 20 jg short 0088912C
0088910C 8D4D E0 lea ecx, dword ptr
0088910F 8BC3 mov eax, ebx
00889111 C1E0 02 shl eax, 2
00889114 33D2 xor edx, edx
00889116 E8 5905F9FF call 00819674
0088911B 8B55 E0 mov edx, dword ptr
0088911E 8D45 FC lea eax, dword ptr
00889121 E8 4AB7F8FF call 00814870
00889126 43 inc ebx
00889127 83FB 04 cmp ebx, 4
0088912A^ 75 E0 jnz short 0088910C
0088912C 8B45 F8 mov eax, dword ptr ; // characters 5 through 8 of STR2 into EAX, as STR4
0088912F E8 34B7F8FF call 00814868
00889134 83F8 04 cmp eax, 4 ;// check whether STR4 is at least 4 characters long
00889137 7D 2F jge short 00889168
00889139 8B45 F8 mov eax, dword ptr
0088913C E8 27B7F8FF call 00814868
00889141 8BD8 mov ebx, eax
00889143 83FB 03 cmp ebx, 3
00889146 7F 20 jg short 00889168
00889148 8D4D DC lea ecx, dword ptr
0088914B 8BC3 mov eax, ebx
0088914D C1E0 02 shl eax, 2
00889150 33D2 xor edx, edx
00889152 E8 1D05F9FF call 00819674
00889157 8B55 DC mov edx, dword ptr
0088915A 8D45 F8 lea eax, dword ptr
0088915D E8 0EB7F8FF call 00814870
00889162 43 inc ebx
00889163 83FB 04 cmp ebx, 4
00889166^ 75 E0 jnz short 00889148
00889168 8D45 D8 lea eax, dword ptr
0088916B 8B55 0C mov edx, dword ptr ; // fixed string "C3H5-C2L8" into EDX
0088916E E8 2DB6F8FF call 008147A0
00889173 8B45 D8 mov eax, dword ptr
00889176 8D55 F4 lea edx, dword ptr
00889179 E8 DE03F9FF call 0081955C
0088917E 8D45 D4 lea eax, dword ptr
00889181 50 push eax
00889182 B9 04000000 mov ecx, 4
00889187 BA 01000000 mov edx, 1
0088918C 8B45 F4 mov eax, dword ptr
0088918F E8 2CB9F8FF call 00814AC0 ; // take the first 4 characters of "C3H5-C2L8", i.e. C3H5, as A1
00889194 FF75 D4 push dword ptr
00889197 68 0C928800 push 0088920C
0088919C FF75 FC push dword ptr
0088919F 8D45 D0 lea eax, dword ptr
008891A2 50 push eax
008891A3 B9 05000000 mov ecx, 5
008891A8 BA 05000000 mov edx, 5
008891AD 8B45 F4 mov eax, dword ptr
008891B0 E8 0BB9F8FF call 00814AC0 ; // take the last 5 characters of "C3H5-C2L8", i.e. -C2L8, as A2
008891B5 FF75 D0 push dword ptr
008891B8 68 0C928800 push 0088920C
008891BD FF75 F8 push dword ptr
008891C0 8D45 EC lea eax, dword ptr
008891C3 BA 06000000 mov edx, 6
008891C8 E8 5BB7F8FF call 00814928
008891CD 8B45 EC mov eax, dword ptr ; // concatenate "A1-STR3-A2-STR4" as the authorization code
008891D0 E8 8BB8F8FF call 00814A60
008891D5 8BD8 mov ebx, eax
008891D7 33C0 xor eax, eax
008891D9 5A pop edx
008891DA 59 pop ecx
008891DB 59 pop ecx
008891DC 64:8910 mov dword ptr fs:, edx
008891DF 68 F9918800 push 008891F9
008891E4 8D45 D0 lea eax, dword ptr
008891E7 BA 0C000000 mov edx, 0C
008891EC E8 E3B3F8FF call 008145D4
008891F1 C3 retn
008891F2^ E9 1DADF8FF jmp 00813F14
008891F7^ EB EB jmp short 008891E4
008891F9 8BC3 mov eax, ebx ; // authorization code into EAX
008891FB 5E pop esi ; JyCARman.00477B20
008891FC 5B pop ebx
008891FD 8BE5 mov esp, ebp
008891FF 5D pop ebp
00889200 C2 0800 retn 8
...
【Summary】
Keygen algorithm: convert the product number string to hexadecimal, reverse it, take the first four characters of the reversed string as STR3 and characters five through eight as STR4, then interleave them with the fixed string "C3H5-C2L8" to form the authorization code, i.e. C3H5-STR3-C2L8-STR4. Due to time constraints I won't write the keygen; perhaps someone can fill that in.
Memory keygen: break address 006113F4
Break count: 1
First byte: 8B
Instruction length: 2
Memory mode
Register: EAX

o(∩_∩)o... learning from the OP!!

Picking up some more experience~~~~

I feel the analysis isn't detailed enough; there are still many places not written out, hehe!!

How do you write the keygen in VB???