【作者】machenglin[CZG][D.4S]
【E-mail】[email protected]
【文章题目】五星手机维修版2005版破解分析
【软件名称】五星手机维修版2005版
【下载地址】http://www.boosir.com/download/mrepair.rar
【加密方式】未加密
【破解工具】OD、PEiD
【软件限制】注册码+功能限制
【破解平台】Win9x/NT/2000/XP
【软件简介】本系统严格按照维修的业务流程设计开发,让您轻松完成维修受理、维修、领配件、检测、取机等正常维修业务流程;本系统还提供了强大的查询统计功能,可根据型号、起始日期和维修状态统计出相应维修手机的数量、送修日期、手机品名、型号、串号等信息,有故障统计、维修统计和返修统计等;并且还提供了对缺少资料手机的维修处理,给您在处理维修业务方面带来了很大的方便!提高您的工作效率。
【破解过程】
----------------------------------------------------------------------------------------------------------
; OllyDbg listing of the registration check in repair_1 (a PowerBuilder 9 application;
; PBVM90.dll is the PowerBuilder runtime). The #NNNN ordinals are unnamed exports, so
; every role attributed to them below is the original author's annotation, not something
; established from the runtime itself.
; Security note: the expected ("true") code is derived inside the client (result of the
; call at 011F9179) and then compared with the user's input by an ordinary string
; compare (011F91CD, which the trace below follows into a MSVCRT _mbsc... routine).
; Both strings therefore sit in process memory in the clear at the moment of the compare,
; which is what the memory-patch approach described later in this post relies on.
; A verify-only design (e.g. checking a signature over the hardware ID instead of
; recomputing the secret client-side) would not expose the valid code this way.
011F90A6 E8 97320300 call <jmp.&PBVM90.#2050> ; returns the user-entered ("fake") registration code (author's annotation)
011F90AB 898424 98000000 mov dword ptr ss:[esp+98],eax ; kept at [esp+98]; read back as [esp+9C] after the push at 011F91C3
011F90B2 66:8B43 04 mov ax,word ptr ds:[ebx+4] ; bit 0 of the word at [ebx+4] -> [esp+7C]
011F90B6 30E4 xor ah,ah ;   (presumably a runtime status flag for the string just fetched -- TODO confirm)
011F90B8 24 01 and al,1
011F90BA 25 FFFF0000 and eax,0FFFF
011F90BF 894424 7C mov dword ptr ss:[esp+7C],eax
011F90C3 31C0 xor eax,eax
011F90C5 66:894424 2E mov word ptr ss:[esp+2E],ax ; clear a word-sized local
011F90CA 8D4424 70 lea eax,dword ptr ss:[esp+70]
011F90CE 50 push eax
011F90CF 56 push esi
011F90D0 E8 4F320300 call <jmp.&PBVM90.#2012> ; #2012(esi, &[esp+70]); purpose not established here
011F90D5 8BAE D2000000 mov ebp,dword ptr ds:[esi+D2] ; ebp = a pointer-sized field of the esi object
011F90DB 85ED test ebp,ebp
011F90DD 75 16 jnz short repair_1.011F90F5 ; field present -> continue at 011F90F5
011F90DF 68 16500000 push 5016 ; otherwise #2183(esi, 5016): presumably an error path (5016/503F look like runtime error numbers -- TODO confirm)
011F90E4 56 push esi
011F90E5 E8 4C320300 call <jmp.&PBVM90.#2183>
011F90EA 85C0 test eax,eax
011F90EC 75 3C jnz short repair_1.011F912A
011F90EE 31FF xor edi,edi ; failure exit: edi = 0, jump to 011FA306 (not shown)
011F90F0 E9 11120000 jmp repair_1.011FA306
011F90F5 55 push ebp
011F90F6 56 push esi
011F90F7 E8 2C310300 call <jmp.&PBVM90.#2624> ; #2624(esi, ebp); result kept at [esp+9C]
011F90FC 898424 9C000000 mov dword ptr ss:[esp+9C],eax
011F9103 31D2 xor edx,edx
011F9105 895424 78 mov dword ptr ss:[esp+78],edx ; [esp+78] = 0
011F9109 31D2 xor edx,edx
011F910B 66:895424 36 mov word ptr ss:[esp+36],dx ; [esp+36] = 0
011F9110 85C0 test eax,eax
011F9112 75 16 jnz short repair_1.011F912A ; non-null result -> 011F912A
011F9114 68 3F500000 push 503F ; null result: same #2183 error pattern with 503F
011F9119 56 push esi
011F911A E8 17320300 call <jmp.&PBVM90.#2183>
011F911F 85C0 test eax,eax
011F9121 75 07 jnz short repair_1.011F912A
011F9123 31FF xor edi,edi
011F9125 E9 DC110000 jmp repair_1.011FA306
011F912A 837C24 78 00 cmp dword ptr ss:[esp+78],0 ; proceed (011F9152) only if [esp+78] == 0 and [esp+9C] != 0;
011F912F 75 0B jnz short repair_1.011F913C ; otherwise the 5016 error pattern once more
011F9131 8B9C24 9C000000 mov ebx,dword ptr ss:[esp+9C]
011F9138 85DB test ebx,ebx
011F913A 75 16 jnz short repair_1.011F9152
011F913C 68 16500000 push 5016
011F9141 56 push esi
011F9142 E8 EF310300 call <jmp.&PBVM90.#2183>
011F9147 85C0 test eax,eax
011F9149 75 60 jnz short repair_1.011F91AB
011F914B 31FF xor edi,edi
011F914D E9 B4110000 jmp repair_1.011FA306
011F9152 895C24 74 mov dword ptr ss:[esp+74],ebx
011F9156 68 E70F0000 push 0FE7 ; #2578(esi, ebx, &[esp+7C], <path>, 0FE7); the meaning of 0FE7 is not explained in the write-up
011F915B 68 C1162301 push repair_1.012316C1 ; ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cgi3nxgy.c" -- a temp-file path whose role the write-up does not explain
011F9160 8D4424 7C lea eax,dword ptr ss:[esp+7C]
011F9164 50 push eax
011F9165 53 push ebx
011F9166 56 push esi
011F9167 E8 C4310300 call <jmp.&PBVM90.#2578>
011F916C 6A 35 push 35 ; #2458(esi, ebx, 35); result becomes the object passed to #2050 below
011F916E 53 push ebx
011F916F 56 push esi
011F9170 E8 B5310300 call <jmp.&PBVM90.#2458>
011F9175 89C3 mov ebx,eax
011F9177 50 push eax
011F9178 56 push esi
011F9179 E8 C4310300 call <jmp.&PBVM90.#2050> ; returns the expected ("true") registration code (author's annotation)
011F917E 898424 80000000 mov dword ptr ss:[esp+80],eax ; eax now points at the true code, kept at [esp+80]; this is the address the 【内存注册机】 settings below refer to
011F9185 66:8B43 04 mov ax,word ptr ds:[ebx+4] ; same bit-0 status extraction as at 011F90B2, for the true code -> [esp+88]
011F9189 30E4 xor ah,ah
011F918B 24 01 and al,1
011F918D 25 FFFF0000 and eax,0FFFF
011F9192 898424 88000000 mov dword ptr ss:[esp+88],eax
011F9199 31DB xor ebx,ebx
011F919B 66:895C24 36 mov word ptr ss:[esp+36],bx
011F91A0 8D4424 74 lea eax,dword ptr ss:[esp+74]
011F91A4 50 push eax
011F91A5 56 push esi
011F91A6 E8 79310300 call <jmp.&PBVM90.#2012>
011F91AB 837C24 7C 00 cmp dword ptr ss:[esp+7C],0 ; if either status flag is set the compare is skipped (011F91E1, not shown)
011F91B0 75 2F jnz short repair_1.011F91E1
011F91B2 83BC24 88000000 00 cmp dword ptr ss:[esp+88],0
011F91BA 75 25 jnz short repair_1.011F91E1
011F91BC 8B9C24 80000000 mov ebx,dword ptr ss:[esp+80] ; ebx = true code
011F91C3 53 push ebx
011F91C4 8BAC24 9C000000 mov ebp,dword ptr ss:[esp+9C] ; ebp = entered code (was [esp+98] before the push above)
011F91CB 55 push ebp
011F91CC 56 push esi
011F91CD E8 50300300 call <jmp.&PBVM90.#2611> ; #2611(esi, entered, true): string compare; the trace below follows it into MSVCRT
011F91D2 85C0 test eax,eax ; eax = compare result, 0 when the strings are equal (author's trace)
011F91D4 75 07 jnz short repair_1.011F91DD ; taken on mismatch -> registration fails
011F91D6 B8 01000000 mov eax,1 ; match: eax = 1
011F91DB EB 10 jmp short repair_1.011F91ED
-----------------------------------------------------------------------------------------------------------
011F91CD E8 50300300 call <jmp.&PBVM90.#2611> ; the same compare call as above; the author steps into it (F7) from here
--------------------------------------省略部分---------------------------------------------------------
; Inside PBVM90.dll, reached through the #2611 thunk. Argument roles are the author's trace.
10CC90D0 > E8 0B02F1FF call PBVM90.IsDBCS ; double-byte code page check; the author single-steps (F8) from here
10CC90D5 85C0 test eax,eax
10CC90D7 74 16 je short PBVM90.10CC90EF ; non-DBCS path at 10CC90EF (not shown)
10CC90D9 8B4424 0C mov eax,dword ptr ss:[esp+C] ; eax = expected ("true") code
10CC90DD 8B4C24 08 mov ecx,dword ptr ss:[esp+8] ; ecx = entered ("fake") code
10CC90E1 50 push eax ; 2nd argument: expected code
10CC90E2 51 push ecx ; 1st argument: entered code (pushed last = first parameter)
10CC90E3 FF15 DCB4DC10 call dword ptr ds:[<&MSVCRT._mbsc>; MSVCRT import, name truncated in the dump (presumably _mbscmp); the author steps in with F7
-----------------------------------------------------------------------------------------------------------
; Entry of the MSVCRT compare routine (reached by F7 from 10CC90E3). After the frame is
; set up, [ebp+8] = entered code and [ebp+C] = expected code.
77C01881 > 8BFF mov edi,edi ; the usual 2-byte hot-patch placeholder at the start of Microsoft-built functions
77C01883 55 push ebp
77C01884 8BEC mov ebp,esp
77C01886 56 push esi ; esi is callee-saved; the loop below uses it as a table base
77C01887 E8 99860000 call msvcrt.77C09F25 ; helper, not shown; the author steps in (F7). Presumably it loads esi with the byte-class table used at 77C018E5 -- TODO confirm
-----------------------------------------------------------------------------------------------------------
从 77C01887 的 CALL 返回后继续 F8 单步(77C0188C 到 77C018D3 之间的指令此处略去),来到下面的比较循环。
-----------------------------------------------------------------------------------------------------------
关键比较(msvcrt 中的字符串比较循环:真码与输入码逐字符比较,全部相等返回 0,否则返回 1 或 -1)
; Core compare loop of the MSVCRT routine (its prologue is at 77C01881 above; the
; instructions between 77C0188C and 77C018D3 are omitted in this post). Both strings
; are walked one character at a time. A byte whose entry in the table at [esi+1D] has
; bit 0x04 set is treated as a lead byte and combined with the following byte into a
; 16-bit value (high byte = lead), so double-byte characters compare as one unit.
; Result: 0 when the strings are equal, 1 when the entered string is greater, -1 when
; it is smaller (unsigned, per character). The compare stops at the first difference.
77C018D3 57 push edi
77C018D4 8B7D 0C mov edi,dword ptr ss:[ebp+C] ; edi = expected ("true") code
77C018D7 53 push ebx
77C018D8 8B45 08 mov eax,dword ptr ss:[ebp+8] ; loop top: eax = current position in the entered code
77C018DB 66:0FB600 movzx ax,byte ptr ds:[eax] ; ax = next byte of the entered code, zero-extended
77C018DF FF45 08 inc dword ptr ss:[ebp+8] ; advance the entered-code pointer
77C018E2 0FB6C8 movzx ecx,al
77C018E5 F64431 1D 04 test byte ptr ds:[ecx+esi+1D],4 ; bit 0x04 of the class-table entry for this byte (presumably the MBCS lead-byte flag -- TODO confirm)
77C018EA 74 18 je short msvcrt.77C01904 ; single-byte character: go compare
77C018EC 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
77C018EF 8A09 mov cl,byte ptr ds:[ecx] ; cl = trail byte
77C018F1 84C9 test cl,cl
77C018F3 75 04 jnz short msvcrt.77C018F9
77C018F5 33C0 xor eax,eax ; lead byte followed by NUL: treat as end of string (character = 0)
77C018F7 EB 0B jmp short msvcrt.77C01904
77C018F9 33D2 xor edx,edx
77C018FB FF45 08 inc dword ptr ss:[ebp+8] ; consume the trail byte
77C018FE 8AF0 mov dh,al ; dh = lead, dl = trail
77C01900 8AD1 mov dl,cl
77C01902 8BC2 mov eax,edx ; ax = 16-bit double-byte character from the entered code
77C01904 66:0FB60F movzx cx,byte ptr ds:[edi] ; cx = next byte of the expected code
77C01908 0FB6D1 movzx edx,cl
77C0190B 47 inc edi ; advance the expected-code pointer
77C0190C F64432 1D 04 test byte ptr ds:[edx+esi+1D],4 ; same lead-byte test for the expected code
77C01911 74 13 je short msvcrt.77C01926
77C01911 /74 13 je short msvcrt.77C01926 ; (same instruction listed twice -- a copy/paste artifact of the post, not a second instruction)
77C01913 |8A17 mov dl,byte ptr ds:[edi]
77C01915 |84D2 test dl,dl
77C01917 |75 04 jnz short msvcrt.77C0191D
77C01919 |33C9 xor ecx,ecx ; lead byte followed by NUL -> character = 0
77C0191B |EB 09 jmp short msvcrt.77C01926
77C0191D |33DB xor ebx,ebx
77C0191F |8AF9 mov bh,cl
77C01921 |47 inc edi
77C01922 |8ADA mov bl,dl
77C01924 |8BCB mov ecx,ebx ; cx = 16-bit double-byte character from the expected code
77C01926 \66:3BC8 cmp cx,ax ; one character of expected (cx) vs entered (ax), unsigned
77C01929 75 0C jnz short msvcrt.77C01937 ; differ -> nonzero result computed below
77C0192B 66:85C0 test ax,ax ; equal so far: was that the terminating NUL?
77C0192E ^\75 A8 jnz short msvcrt.77C018D8 ; not yet: next character
77C01930 33C0 xor eax,eax ; both strings ended together: return 0 (equal)
77C01932 5B pop ebx
77C01933 5F pop edi
77C01934 5E pop esi
77C01935 5D pop ebp
77C01936 C3 retn
77C01937 1BC0 sbb eax,eax ; CF from cmp cx,ax: eax = -1 if expected < entered, else 0
77C01939 83E0 02 and eax,2 ; -> 2 or 0
77C0193C 48 dec eax ; -> 1 (entered > expected) or -1 (entered < expected)
77C0193D ^\EB F3 jmp short msvcrt.77C01932 ; return through the common epilogue
!
-----------------------------------------------------------------------------------------------------------
【注册信息】
硬件码:3CK0KW13
姓 名:随便(不参与计算)
单 位:随便(不参与计算)
注册码:160-208-193-197-181
【内存注册机】
中断地址:11F917E
中断次数:1
第一字节:89
指令长度:7
内存方式-->EAX
不勾选地址指针。
------------------------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
[ Last edited by machenglin on 2005-8-9 at 05:19 PM ]