里诺人事管理系统 内存追码笔录
里诺人事管理系统 内存追码笔录 By 傲月清风 QQ 49406460。主程序 Hrm.exe，版本 2.2 单机版；PEiD 载入：无壳，编译器 Delphi 6-7。
OD载入 运行。。点注册 随便输入注册码 提示重启验证 查找注册表得到 software\zy\hrm
OD Ctrl+F2重新载入 查找Ascii字符
搜索 关键字 software\zy\hrm
超级字串参考+ , 条目 4359
地址=00675922
反汇编=MOV EDX,Hrm.00675F14
文本字串=software\zy\hrm
超级字串参考+ , 条目 4360
地址=00675972
反汇编=MOV EDX,Hrm.00675F2C
文本字串=pass
双击pass跟随
006758F7 .55 PUSH EBP ;
006758F8 .68 035A6700 PUSH Hrm.00675A03 ;
006758FD .64:FF30 PUSH DWORD PTR FS:
00675900 .64:8920 MOV DWORD PTR FS:,ESP
00675903 .B2 01 MOV DL,1 ;
00675905 .A1 84CE4400 MOV EAX,DWORD PTR DS:
0067590A .E8 9977DDFF CALL Hrm.0044D0A8
0067590F .8945 F4 MOV DWORD PTR SS:,EAX
00675912 .BA 02000080 MOV EDX,80000002
00675917 .8B45 F4 MOV EAX,DWORD PTR SS:
0067591A .E8 6578DDFF CALL Hrm.0044D184
0067591F .8D45 F0 LEA EAX,DWORD PTR SS:
00675922 .BA 145F6700 MOV EDX,Hrm.00675F14 ;software\zy\hrm
00675927 .E8 2CF2D8FF CALL Hrm.00404B58
0067592C .B1 01 MOV CL,1
0067592E .8B55 F0 MOV EDX,DWORD PTR SS:
00675931 .8B45 F4 MOV EAX,DWORD PTR SS:
00675934 .E8 8F79DDFF CALL Hrm.0044D2C8
00675939 .84C0 TEST AL,AL
0067593B .0F84 A4000000 JE Hrm.006759E5 ;这里让它直接跳走就爆破了 jmp
00675941 .E8 16FEFFFF CALL <JMP.&HDSerial.HDSerialNumRead>
00675946 .8BD0 MOV EDX,EAX
00675948 .8D45 C4 LEA EAX,DWORD PTR SS:
0067594B .E8 78F3D8FF CALL Hrm.00404CC8
00675950 .8B45 C4 MOV EAX,DWORD PTR SS:
00675953 .8D55 C8 LEA EDX,DWORD PTR SS:
00675956 .E8 A145D9FF CALL Hrm.00409EFC
0067595B .8B55 C8 MOV EDX,DWORD PTR SS:
0067595E .A1 88A96B00 MOV EAX,DWORD PTR DS:
00675963 .8B00 MOV EAX,DWORD PTR DS:
00675965 .05 98050000 ADD EAX,598
0067596A .E8 A5F1D8FF CALL Hrm.00404B14
0067596F .8D4D C0 LEA ECX,DWORD PTR SS:
00675972 .BA 2C5F6700 MOV EDX,Hrm.00675F2C ;pass
00675977 .8B45 F4 MOV EAX,DWORD PTR SS:
0067597A .E8 C57EDDFF CALL Hrm.0044D844
0067597F .8B55 C0 MOV EDX,DWORD PTR SS:
00675982 .A1 88A96B00 MOV EAX,DWORD PTR DS:
00675987 .8B00 MOV EAX,DWORD PTR DS:
00675989 .05 9C050000 ADD EAX,59C
0067598E .E8 81F1D8FF CALL Hrm.00404B14
00675993 .33C0 XOR EAX,EAX
00675995 .55 PUSH EBP
00675996 .68 BC596700 PUSH Hrm.006759BC
0067599B .64:FF30 PUSH DWORD PTR FS:
0067599E .64:8920 MOV DWORD PTR FS:,ESP
006759A1 .BA 3C5F6700 MOV EDX,Hrm.00675F3C ;date
006759A6 .8B45 F4 MOV EAX,DWORD PTR SS:
006759A9 .E8 F67FDDFF CALL Hrm.0044D9A4
006759AE .DD5D E8 FSTP QWORD PTR SS:
006759B1 .9B WAIT
F8继续单步往下走
00675A68 .E8 5BF5E5FF CALL Hrm.004D4FC8
00675A6D .8B10 MOV EDX,DWORD PTR DS:
00675A6F .FF52 58 CALL DWORD PTR DS:
00675A72 .8B55 FC MOV EDX,DWORD PTR SS:
00675A75 .8982 3C060000 MOV DWORD PTR DS:,EAX
00675A7B .A1 88A96B00 MOV EAX,DWORD PTR DS:
00675A80 .8B00 MOV EAX,DWORD PTR DS:
00675A82 .C680 B0050000>MOV BYTE PTR DS:,1
00675A89 .8B45 FC MOV EAX,DWORD PTR SS:
00675A8C .C680 40060000>MOV BYTE PTR DS:,1
00675A93 .8D4D BC LEA ECX,DWORD PTR SS:
00675A96 .A1 88A96B00 MOV EAX,DWORD PTR DS:
00675A9B .8B00 MOV EAX,DWORD PTR DS:
00675A9D .8B90 98050000 MOV EDX,DWORD PTR DS:
00675AA3 .A1 1CA66B00 MOV EAX,DWORD PTR DS:
00675AA8 .8B00 MOV EAX,DWORD PTR DS:
00675AAA .E8 158C0300 CALL Hrm.006AE6C4 ; // 进这个Call跟算法
00675AAF .8B55 BC MOV EDX,DWORD PTR SS: ; // 噢NO!~~注册码明文
堆栈 SS:=02A41B74, (ASCII "Hrm4-85155yr87-B4B4")
EDX=0176B95C, (ASCII "5LA3KKQX")
算法分析:
006AE6C4/$55 PUSH EBP
006AE6C5|.8BEC MOV EBP,ESP
006AE6C7|.51 PUSH ECX
006AE6C8|.B9 04000000 MOV ECX,4
006AE6CD|>6A 00 /PUSH 0
006AE6CF|.6A 00 |PUSH 0
006AE6D1|.49 |DEC ECX
006AE6D2|.^ 75 F9 \JNZ SHORT Hrm.006AE6CD
006AE6D4|.51 PUSH ECX
006AE6D5|.874D FC XCHG DWORD PTR SS:,ECX
006AE6D8|.53 PUSH EBX
006AE6D9|.56 PUSH ESI
006AE6DA|.57 PUSH EDI
006AE6DB|.8BF9 MOV EDI,ECX
006AE6DD|.8955 FC MOV DWORD PTR SS:,EDX
006AE6E0|.8B45 FC MOV EAX,DWORD PTR SS:
006AE6E3|.E8 9868D5FF CALL Hrm.00404F80
006AE6E8|.33C0 XOR EAX,EAX
006AE6EA|.55 PUSH EBP
006AE6EB|.68 85E86A00 PUSH Hrm.006AE885
006AE6F0|.64:FF30 PUSH DWORD PTR FS:
006AE6F3|.64:8920 MOV DWORD PTR FS:,ESP
006AE6F6|.8BC7 MOV EAX,EDI
006AE6F8|.E8 C363D5FF CALL Hrm.00404AC0
006AE6FD|.8B45 FC MOV EAX,DWORD PTR SS:
006AE700|.E8 8B66D5FF CALL Hrm.00404D90
006AE705|.8BF0 MOV ESI,EAX
006AE707|.85F6 TEST ESI,ESI
006AE709|.7E 26 JLE SHORT Hrm.006AE731
006AE70B|.BB 01000000 MOV EBX,1
006AE710|>8D4D EC /LEA ECX,DWORD PTR SS: //这里循环开始 将硬盘序号 逐个取Ascii码转十六进制
006AE713|.8B45 FC |MOV EAX,DWORD PTR SS:
006AE716|.0FB64418 FF |MOVZX EAX,BYTE PTR DS:
006AE71B|.33D2 |XOR EDX,EDX
006AE71D|.E8 7EC0D5FF |CALL Hrm.0040A7A0
006AE722|.8B55 EC |MOV EDX,DWORD PTR SS:
006AE725|.8D45 F8 |LEA EAX,DWORD PTR SS:
006AE728|.E8 6B66D5FF |CALL Hrm.00404D98
006AE72D|.43 |INC EBX
006AE72E|.4E |DEC ESI
006AE72F|.^ 75 DF \JNZ SHORT Hrm.006AE710 //循环
006AE731|>8B45 F8 MOV EAX,DWORD PTR SS: // 得到的结果..
006AE734|.E8 5766D5FF CALL Hrm.00404D90
006AE739|.8BF0 MOV ESI,EAX
006AE73B|.85F6 TEST ESI,ESI
006AE73D|.7E 2C JLE SHORT Hrm.006AE76B
006AE73F|.BB 01000000 MOV EBX,1
006AE744|>8B45 F8 /MOV EAX,DWORD PTR SS://又一个循环开始 将上面得到的号码 逆向排序
006AE747|.E8 4466D5FF |CALL Hrm.00404D90
006AE74C|.2BC3 |SUB EAX,EBX
006AE74E|.8B55 F8 |MOV EDX,DWORD PTR SS:
006AE751|.8A1402 |MOV DL,BYTE PTR DS:
006AE754|.8D45 E8 |LEA EAX,DWORD PTR SS:
006AE757|.E8 4C65D5FF |CALL Hrm.00404CA8
006AE75C|.8B55 E8 |MOV EDX,DWORD PTR SS:
006AE75F|.8D45 F4 |LEA EAX,DWORD PTR SS:
006AE762|.E8 3166D5FF |CALL Hrm.00404D98
006AE767|.43 |INC EBX
006AE768|.4E |DEC ESI
006AE769|.^ 75 D9 \JNZ SHORT Hrm.006AE744 //循环
006AE76B|>8D45 F8 LEA EAX,DWORD PTR SS:
006AE76E|.50 PUSH EAX
006AE76F|.B9 04000000 MOV ECX,4
006AE774|.BA 01000000 MOV EDX,1
006AE779|.8B45 F4 MOV EAX,DWORD PTR SS:
006AE77C|.E8 6F68D5FF CALL Hrm.00404FF0
006AE781|.8D45 F4 LEA EAX,DWORD PTR SS:
006AE784|.50 PUSH EAX
006AE785|.B9 04000000 MOV ECX,4
006AE78A|.BA 05000000 MOV EDX,5
006AE78F|.8B45 F4 MOV EAX,DWORD PTR SS:
006AE792|.E8 5968D5FF CALL Hrm.00404FF0
006AE797|.8B45 F8 MOV EAX,DWORD PTR SS: // 得到前4位
006AE79A|.E8 F165D5FF CALL Hrm.00404D90
006AE79F|.83F8 04 CMP EAX,4
006AE7A2|.7D 2F JGE SHORT Hrm.006AE7D3
006AE7A4|.8B45 F8 MOV EAX,DWORD PTR SS:
006AE7A7|.E8 E465D5FF CALL Hrm.00404D90
006AE7AC|.8BD8 MOV EBX,EAX
006AE7AE|.83FB 03 CMP EBX,3
006AE7B1|.7F 20 JG SHORT Hrm.006AE7D3
006AE7B3|>8D4D E4 /LEA ECX,DWORD PTR SS:
006AE7B6|.8BC3 |MOV EAX,EBX
006AE7B8|.C1E0 02 |SHL EAX,2
006AE7BB|.33D2 |XOR EDX,EDX
006AE7BD|.E8 DEBFD5FF |CALL Hrm.0040A7A0
006AE7C2|.8B55 E4 |MOV EDX,DWORD PTR SS:
006AE7C5|.8D45 F8 |LEA EAX,DWORD PTR SS:
006AE7C8|.E8 CB65D5FF |CALL Hrm.00404D98
006AE7CD|.43 |INC EBX
006AE7CE|.83FB 04 |CMP EBX,4
006AE7D1|.^ 75 E0 \JNZ SHORT Hrm.006AE7B3
006AE7D3|>8B45 F4 MOV EAX,DWORD PTR SS: // 得到 第5位-第8位
006AE7D6|.E8 B565D5FF CALL Hrm.00404D90
006AE7DB|.83F8 04 CMP EAX,4
006AE7DE|.7D 2F JGE SHORT Hrm.006AE80F
006AE7E0|.8B45 F4 MOV EAX,DWORD PTR SS:
006AE7E3|.E8 A865D5FF CALL Hrm.00404D90
006AE7E8|.8BD8 MOV EBX,EAX
006AE7EA|.83FB 03 CMP EBX,3
006AE7ED|.7F 20 JG SHORT Hrm.006AE80F
006AE7EF|>8D4D E0 /LEA ECX,DWORD PTR SS:
006AE7F2|.8BC3 |MOV EAX,EBX
006AE7F4|.C1E0 02 |SHL EAX,2
006AE7F7|.33D2 |XOR EDX,EDX
006AE7F9|.E8 A2BFD5FF |CALL Hrm.0040A7A0
006AE7FE|.8B55 E0 |MOV EDX,DWORD PTR SS:
006AE801|.8D45 F4 |LEA EAX,DWORD PTR SS:
006AE804|.E8 8F65D5FF |CALL Hrm.00404D98
006AE809|.43 |INC EBX
006AE80A|.83FB 04 |CMP EBX,4
006AE80D|.^ 75 E0 \JNZ SHORT Hrm.006AE7EF
006AE80F|>8D45 F0 LEA EAX,DWORD PTR SS:
006AE812|.BA 9CE86A00 MOV EDX,Hrm.006AE89C ;hrm45yr87
006AE817|.E8 3C63D5FF CALL Hrm.00404B58
006AE81C|.8D45 DC LEA EAX,DWORD PTR SS:
006AE81F|.50 PUSH EAX
006AE820|.B9 04000000 MOV ECX,4
006AE825|.BA 01000000 MOV EDX,1
006AE82A|.8B45 F0 MOV EAX,DWORD PTR SS:
006AE82D|.E8 BE67D5FF CALL Hrm.00404FF0
006AE832|.FF75 DC PUSH DWORD PTR SS: // push hrm4 压入hrm45yr87前4位
006AE835|.68 B0E86A00 PUSH Hrm.006AE8B0 ;-
006AE83A|.FF75 F8 PUSH DWORD PTR SS: // push 8515 压入s 上文中的序号前4位
006AE83D|.8D45 D8 LEA EAX,DWORD PTR SS:
006AE840|.50 PUSH EAX
006AE841|.B9 05000000 MOV ECX,5
006AE846|.BA 05000000 MOV EDX,5
006AE84B|.8B45 F0 MOV EAX,DWORD PTR SS:
006AE84E|.E8 9D67D5FF CALL Hrm.00404FF0
006AE853|.FF75 D8 PUSH DWORD PTR SS:
006AE856|.68 B0E86A00 PUSH Hrm.006AE8B0 ;-
006AE85B|.FF75 F4 PUSH DWORD PTR SS:
006AE85E|.8BC7 MOV EAX,EDI
006AE860|.BA 06000000 MOV EDX,6
006AE865|.E8 E665D5FF CALL Hrm.00404E50
006AE86A|.33C0 XOR EAX,EAX
006AE86C|.5A POP EDX
006AE86D|.59 POP ECX
006AE86E|.59 POP ECX
006AE86F|.64:8910 MOV DWORD PTR FS:,EDX
006AE872|.68 8CE86A00 PUSH Hrm.006AE88C
006AE877|>8D45 D8 LEA EAX,DWORD PTR SS:
006AE87A|.BA 0A000000 MOV EDX,0A
006AE87F|.E8 6062D5FF CALL Hrm.00404AE4
006AE884\.C3 RETN
00675AAF .8B55 BC MOV EDX,DWORD PTR SS: ;噢NO!~~注册码明文
EDX 02A41B74 ASCII "Hrm4-85155yr87-B4B4"
到这里。。写注册机不难了吧???~
这里里诺软件。
里诺软件还算可以,但是我还是觉得金维思商贸通,更好用,楼主也时间也做个笔记试,是算法分析的、 加精鼓励 希望楼主能继续分享更多的分析文章. 里诺的东西,是一个功能不错,单算法简单的东东!一系列都是如此 学习一下,感谢分享。