飘云阁佳宜固定资产管理软件v1.31(企业版) 算法简析

hczcyy 发表于 2006-5-27 01:59:26

佳宜固定资产管理软件v1.31(企业版) 算法简析

【文章标题】: 佳宜固定资产管理软件v1.31(企业版) 算法简析
【文章作者】: hczcyy(我是一只标准的菜鸟)
【作者邮箱】: [email protected]
【作者QQ号】: 55346577
【软件名称】: 佳宜固定资产管理软件v1.31(企业版)
【软件大小】: 3118KB
【下载地址】: http://sq.newhua.com/soft/46509.htm
【加壳方式】: 无
【保护方式】: 序列号+姓名+注册码
【编写语言】: Delphi
【使用工具】:PEID OD WIN32DASM
【操作平台】: xp+sp2
【软件介绍】: 佳宜固定资产管理系统是一款优秀的固定资产管理软件
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1.运行.随便输入注册名和注册码,有出错提示.
1.用peid查壳,显示编程语言为delphi.无壳.
2.用od载入,查找字符串"系统注册失败".没有.......怎么办?只好用win32dasm载入,好,找到了,在od同处下断.
载入运行,输入用户名:hczcyy,注册码:87654321断在这里,

005E50DD 6A 03       push 3                   //出错提示,向上看
005E50DF 68 EC515E00 push JyAssetG.005E51EC
005E50E4 E8 6F0FFFFF call <jmp.&PunUnitLib.ShowMess>
005E50E9 33C0          xor eax,eax
005E50EB 5A          pop edx
005E50EC 59          pop ecx
005E50ED 59          pop ecx
005E50EE 64:8910       mov dword ptr fs:,edx
005E50F1 68 55515E00 push JyAssetG.005E5155
005E50F6 8D45 CC       lea eax,dword ptr ss:

我们来到这里:
005E4F16 6A 00       push 0
005E4F18 68 5C515E00 push JyAssetG.005E515C
005E4F1D E8 3611FFFF call <jmp.&PunUnitLib.ShowMess>
005E4F22 8B45 FC       mov eax,dword ptr ss:
005E4F25 8B80 04030000 mov eax,dword ptr ds:
005E4F2B 8B10          mov edx,dword ptr ds:
005E4F2D FF92 C0000000 call dword ptr ds:
005E4F33 E9 B1010000 jmp JyAssetG.005E50E9
005E4F38 8D55 E8       lea edx,dword ptr ss:
005E4F3B 8B45 FC       mov eax,dword ptr ss:
005E4F3E 8B80 FC020000 mov eax,dword ptr ds:
005E4F44 E8 4BA0E6FF call JyAssetG.0044EF94             //取得注册码:87654321
005E4F49 8B45 E8       mov eax,dword ptr ss:
005E4F4C 8D55 EC       lea edx,dword ptr ss:
005E4F4F E8 CC47E2FF call JyAssetG.00409720             //这个call是去假码位数
005E4F54 837D EC 00    cmp dword ptr ss:,0          //没有输入则完
005E4F58 75 22       jnz short JyAssetG.005E4F7C
005E4F5A 6A 00       push 0
005E4F5C 68 70515E00 push JyAssetG.005E5170
005E4F61 E8 F210FFFF call <jmp.&PunUnitLib.ShowMess>
005E4F66 8B45 FC       mov eax,dword ptr ss:
005E4F69 8B80 FC020000 mov eax,dword ptr ds:
005E4F6F 8B10          mov edx,dword ptr ds:
005E4F71 FF92 C0000000 call dword ptr ds:
005E4F77 E9 6D010000 jmp JyAssetG.005E50E9
005E4F7C A1 2C556200 mov eax,dword ptr ds:
005E4F81 8B00          mov eax,dword ptr ds:       //固定字符串"CM86-R1F8"
005E4F83 E8 4800E2FF call JyAssetG.00404FD0
005E4F88 50          push eax
005E4F89 8D55 E4       lea edx,dword ptr ss:
005E4F8C 8B45 FC       mov eax,dword ptr ss:
005E4F8F 8B80 F4020000 mov eax,dword ptr ds:
005E4F95 E8 FA9FE6FF call JyAssetG.0044EF94          //取机器码,我这里为:"5FBCKZR1"
005E4F9A 8B45 E4       mov eax,dword ptr ss:
005E4F9D E8 2E00E2FF call JyAssetG.00404FD0
005E4FA2 50          push eax
005E4FA3 E8 E010FFFF call <jmp.&PunUnitLib.GetRegPass> //算法call,虽然是明码比较,我们还是要找
005E4FA8 8BD0          mov edx,eax                      //算法的. :)
005E4FAA 8D45 F8       lea eax,dword ptr ss:
005E4FAD E8 5EFDE1FF call JyAssetG.00404D10
005E4FB2 8D55 DC       lea edx,dword ptr ss:
005E4FB5 8B45 FC       mov eax,dword ptr ss:
005E4FB8 8B80 FC020000 mov eax,dword ptr ds:
005E4FBE E8 D19FE6FF call JyAssetG.0044EF94
005E4FC3 8B45 DC       mov eax,dword ptr ss:
005E4FC6 8D55 E0       lea edx,dword ptr ss:
005E4FC9 E8 5247E2FF call JyAssetG.00409720
005E4FCE 8B45 E0       mov eax,dword ptr ss:       //假码入栈
005E4FD1 8B55 F8       mov edx,dword ptr ss:       //真码入栈 (嘿嘿明码比较)
005E4FD4 E8 43FFE1FF call JyAssetG.00404F1C             //关键call
005E4FD9 0F85 FE000000 jnz JyAssetG.005E50DD                //关键跳转

跟入005E4FA3 这个call来到这里:

003E9037 55          push ebp
003E9038 68 F2913E00 push PunUnitL.003E91F2
003E903D 64:FF30       push dword ptr fs:
003E9040 64:8920       mov dword ptr fs:,esp
003E9043 8D45 EC       lea eax,dword ptr ss:
003E9046 E8 65B5F8FF call PunUnitL.003745B0
003E904B 8D45 F0       lea eax,dword ptr ss:
003E904E 8B55 08       mov edx,dword ptr ss:
003E9051 E8 4AB7F8FF call PunUnitL.003747A0
003E9056 8B45 F0       mov eax,dword ptr ss:
003E9059 E8 0AB8F8FF call PunUnitL.00374868
003E905E 8BF0          mov esi,eax
003E9060 85F6          test esi,esi
003E9062 7E 26       jle short PunUnitL.003E908A
003E9064 BB 01000000 mov ebx,1                               //ebx为计数器
003E9069 8D4D E8       lea ecx,dword ptr ss:             //这里分别取机器码的各位ascii码
003E906C 8B45 F0       mov eax,dword ptr ss:
003E906F 0FB64418 FF movzx eax,byte ptr ds:
003E9074 33D2          xor edx,edx
003E9076 E8 F905F9FF call PunUnitL.00379674                   //这个call是将取得的ascii码连起来
003E907B 8B55 E8       mov edx,dword ptr ss:
003E907E 8D45 FC       lea eax,dword ptr ss:             // "5FBCKZR1"取的结果为"354642434B5A5231"

003E9081 E8 EAB7F8FF call PunUnitL.00374870
003E9086 43          inc ebx
003E9087 4E          dec esi
003E9088^ 75 DF       jnz short PunUnitL.003E9069
003E908A 8B45 FC       mov eax,dword ptr ss:
003E908D E8 D6B7F8FF call PunUnitL.00374868
003E9092 8BF0          mov esi,eax
003E9094 85F6          test esi,esi
003E9096 7E 2C       jle short PunUnitL.003E90C4
003E9098 BB 01000000 mov ebx,1                      //这里又是一个循环,将取得的结果反序排列
003E909D 8B45 FC       mov eax,dword ptr ss:
003E90A0 E8 C3B7F8FF call PunUnitL.00374868
003E90A5 2BC3          sub eax,ebx
003E90A7 8B55 FC       mov edx,dword ptr ss:
003E90AA 8A1402       mov dl,byte ptr ds:
003E90AD 8D45 E4       lea eax,dword ptr ss:
003E90B0 E8 DBB6F8FF call PunUnitL.00374790
003E90B5 8B55 E4       mov edx,dword ptr ss:
003E90B8 8D45 F8       lea eax,dword ptr ss:
003E90BB E8 B0B7F8FF call PunUnitL.00374870
003E90C0 43          inc ebx
003E90C1 4E          dec esi
003E90C2^ 75 D9       jnz short PunUnitL.003E909D
003E90C4 8D45 FC       lea eax,dword ptr ss:
003E90C7 50          push eax
003E90C8 B9 04000000 mov ecx,4
003E90CD BA 01000000 mov edx,1
003E90D2 8B45 F8       mov eax,dword ptr ss://我这里结果为"1325A5B434246453"
003E90D5 E8 E6B9F8FF call PunUnitL.00374AC0
003E90DA 8D45 F8       lea eax,dword ptr ss:
003E90DD 50          push eax
003E90DE B9 04000000 mov ecx,4
003E90E3 BA 05000000 mov edx,5
003E90E8 8B45 F8       mov eax,dword ptr ss:
003E90EB E8 D0B9F8FF call PunUnitL.00374AC0
003E90F0 8B45 FC       mov eax,dword ptr ss: //取前 4位 "1325"
003E90F3 E8 70B7F8FF call PunUnitL.00374868
003E90F8 83F8 04       cmp eax,4
003E90FB 7D 2F       jge short PunUnitL.003E912C
003E90FD 8B45 FC       mov eax,dword ptr ss:
003E9100 E8 63B7F8FF call PunUnitL.00374868
003E9105 8BD8          mov ebx,eax
003E9107 83FB 03       cmp ebx,3
003E910A 7F 20       jg short PunUnitL.003E912C
003E910C 8D4D E0       lea ecx,dword ptr ss:
003E910F 8BC3          mov eax,ebx
003E9111 C1E0 02       shl eax,2
003E9114 33D2          xor edx,edx
003E9116 E8 5905F9FF call PunUnitL.00379674
003E911B 8B55 E0       mov edx,dword ptr ss:
003E911E 8D45 FC       lea eax,dword ptr ss:
003E9121 E8 4AB7F8FF call PunUnitL.00374870
003E9126 43          inc ebx
003E9127 83FB 04       cmp ebx,4
003E912A^ 75 E0       jnz short PunUnitL.003E910C
003E912C 8B45 F8       mov eax,dword ptr ss:    //再取4位"A5B4"
003E912F E8 34B7F8FF call PunUnitL.00374868
003E9134 83F8 04       cmp eax,4
003E9137 7D 2F       jge short PunUnitL.003E9168
003E9139 8B45 F8       mov eax,dword ptr ss:
003E913C E8 27B7F8FF call PunUnitL.00374868
003E9141 8BD8          mov ebx,eax
003E9143 83FB 03       cmp ebx,3
003E9146 7F 20       jg short PunUnitL.003E9168
003E9148 8D4D DC       lea ecx,dword ptr ss:
003E914B 8BC3          mov eax,ebx
003E914D C1E0 02       shl eax,2
003E9150 33D2          xor edx,edx
003E9152 E8 1D05F9FF call PunUnitL.00379674
003E9157 8B55 DC       mov edx,dword ptr ss:
003E915A 8D45 F8       lea eax,dword ptr ss:
003E915D E8 0EB7F8FF call PunUnitL.00374870
003E9162 43          inc ebx
003E9163 83FB 04       cmp ebx,4
003E9166^ 75 E0       jnz short PunUnitL.003E9148
003E9168 8D45 D8       lea eax,dword ptr ss:
003E916B 8B55 0C       mov edx,dword ptr ss:             //EDX=固定字符串"CM86-R1F8"
003E916E E8 2DB6F8FF call PunUnitL.003747A0
003E9173 8B45 D8       mov eax,dword ptr ss:             //以下是将CM86-R1F8 1325 A5B4重新排序
003E9176 8D55 F4       lea edx,dword ptr ss:
003E9179 E8 DE03F9FF call PunUnitL.0037955C
003E917E 8D45 D4       lea eax,dword ptr ss:
003E9181 50          push eax
003E9182 B9 04000000 mov ecx,4
003E9187 BA 01000000 mov edx,1
003E918C 8B45 F4       mov eax,dword ptr ss:
003E918F E8 2CB9F8FF call PunUnitL.00374AC0
003E9194 FF75 D4       push dword ptr ss:
003E9197 68 0C923E00 push PunUnitL.003E920C
003E919C FF75 FC       push dword ptr ss:
003E919F 8D45 D0       lea eax,dword ptr ss:
003E91A2 50          push eax
003E91A3 B9 05000000 mov ecx,5
003E91A8 BA 05000000 mov edx,5
003E91AD 8B45 F4       mov eax,dword ptr ss:
003E91B0 E8 0BB9F8FF call PunUnitL.00374AC0
003E91B5 FF75 D0       push dword ptr ss:
003E91B8 68 0C923E00 push PunUnitL.003E920C
003E91BD FF75 F8       push dword ptr ss:
003E91C0 8D45 EC       lea eax,dword ptr ss:
003E91C3 BA 06000000 mov edx,6
003E91C8 E8 5BB7F8FF call PunUnitL.00374928
003E91CD 8B45 EC       mov eax,dword ptr ss:    //eax="CM86-1325-R1F8-A5B4"
003E91D0 E8 8BB8F8FF call PunUnitL.00374A60
003E91D5 8BD8          mov ebx,eax
003E91D7 33C0          xor eax,eax
003E91D9 5A          pop edx
003E91DA 59          pop ecx
003E91DB 59          pop ecx
003E91DC 64:8910       mov dword ptr fs:,edx
003E91DF 68 F9913E00 push PunUnitL.003E91F9
003E91E4 8D45 D0       lea eax,dword ptr ss:
003E91E7 BA 0C000000 mov edx,0C
003E91EC E8 E3B3F8FF call PunUnitL.003745D4
003E91F1 C3          retn

--------------------------------------------------------------------------------
【经验总结】
1.注册名不参与注册码的运算.
2.注册码运算过程如下:取机器码的ascii码连起来,然后反序,前8位分两段取(记为XXXX和YYYY).
3.再将固定字符串CM86 和R1F8与他们连起来.次序固定 :CM86-XXXX-R1F8-YYYY
4.水能帮写个注册机,不胜感激,(用vb和delphi都可以,最好不要用c或c++,谢谢)

--------------------------------------------------------------------------------
【版权声明】: 本文原创于论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                   2006年05月27日 1:47:08

飘云发表于 2006-5-27 09:17:06

GOOD JOB！！

精华之！
呵呵～～

附上VB & Delphi KeyGen源码

VB：

Private Sub Command1_Click()
Dim Code As String
Dim Temp As String
Dim Sn1, Sn2 As String
Dim HexStr As String

Const Str1 = "CM86"
Const Str2 = "R1F8"
Const Str3 = "-"

Code = Text1.Text
If Code <> "" Then

         For i = 1 To Len(Code) '将机器码逐位转换成16进制
            HexStr = HexStr & Hex(Asc(Mid(Code, i, 1)))
         Next

   Temp = StrReverse(HexStr) '倒置
   Sn1 = Mid(Temp, 1, 4)
   Sn2 = Mid(Temp, 5, 4)
   Sn = Str1 & Str3 & Sn1 & Str3 & Str2 & Str3 & Sn2
   Text2.Text = Sn '输出注册码

Else
   Text2.Text = "请先输入机器码！"
End If

End Sub

Delphi：

procedure TForm1.Button1Click(Sender: TObject);
const
str1:string = 'CM86' ;
Str2:string = 'R1F8' ;
Str3:string = '-' ;
Err:string = '请先输入机器码！';
var
Code,Temp,Sn,Sn1,Sn2,HexStr:String;
i:integer;
begin
Code:=Edit1.Text;
if Code <> '' then
begin
   for i:= 1 to length(Code) do
   begin
      HexStr:=HexStr + inttohex(ord(Code),1);
   end;
   //注意：先在 Uses 内加入 ,StrUtils
   temp:= ReverseString(HexStr);
   Sn1:= copy(Temp, 1, 4);
   Sn2:= copy(Temp, 5, 4);
   Sn:= Str1 + Str3 + Sn1 + Str3 + Str2 + Str3 + Sn2;
   edit2.Text:= Sn; //输出注册码
end
else
   edit2.Text:= err;
end;

hczcyy 发表于 2006-5-28 15:31:02

谢谢飘云兄指点.

lzq1973 发表于 2006-5-29 08:09:58

老大亲自指点

cfc1680 发表于 2012-4-1 22:56:40

菜鸟学习一下了，感谢分享交流

页: [1]

飘云阁's Archiver

佳宜固定资产管理软件v1.31(企业版) 算法简析

GOOD JOB！！