【破文作者】Author: gg1211[CZG][PYG][PCG][D.4s]
【破解平台】Platform: WinXP
【作者邮箱】Author e-mail: [email protected]
【破解工具】Tools: PEiD, OD (OllyDbg)
【保护方式】Protection: username + machine code + serial number
【破解目的】Goal: learn to crack a simple algorithm
【破解声明】Statement: I'm just a newbie; I've picked up a little insight and would like to share it with everyone :)
【软件名称】Software: 佳宜采购管理软件 1.50 (Jiayi Purchasing Management Software; the main module is stockMan)
【下载地址】Download: http://www.onlinedown.net/soft/39236.htm
【软件简介】Description: this purchasing management software draws on the best of existing purchasing management products, merges their respective strengths and incorporates valuable feedback from many users; it is designed from the user's real needs.
It provides complete purchasing management functions, including purchasing management (purchase orders, goods receipt, returns, payment registration), basic information (company profile, supplier data, goods data, sales staff, other basic settings), document queries (order, receipt and payment queries) and system maintenance (access rights, data backup and restore, data compaction, data cleanup).
The system is built on a secure and stable database management system, with a friendly WYSIWYG interface, simple operation, multi-level password settings and backup, secure and reliable data, full simulated display, mature business management, and the collected management experience of many successful enterprises.
It is already widely used by large, medium and small enterprise groups, factories, import/export companies, hardware and chemical companies, department stores, shopping centres, hotels, chain stores, specialty shops and wholesalers; in the chemical, building materials, hardware and plumbing, pharmaceutical, auto parts, food, clothing, electronics, computer, book, warehousing, cosmetics and other industries...
【破解步骤】Cracking steps: check the target with PEiD first; it reports no packer.
Load it in OD.
Test username: gg1211
Test registration code: 123456789
005E00AC . 55 push ebp ; set a breakpoint here (prologue of the registration routine)
005E00AD . 68 12035E00 push 005E0312
005E00B2 . 64:FF30 push dword ptr fs:[eax]
005E00B5 . 64:8920 mov fs:[eax], esp
005E00B8 . 8D55 F0 lea edx, [ebp-10]
005E00BB . 8B45 FC mov eax, [ebp-4]
005E00BE . 8B80 04030000 mov eax, [eax+304]
005E00C4 . E8 D7EEE6FF call 0044EFA0 ; read the username field ([eax+304] is the username edit) into [ebp-10]
005E00C9 . 8B45 F0 mov eax, [ebp-10]
005E00CC . 8D55 F4 lea edx, [ebp-C]
005E00CF . E8 4C96E2FF call 00409720 ; normalize it (by all appearances Trim); result in [ebp-C]
005E00D4 . 837D F4 00 cmp dword ptr [ebp-C], 0 ; an empty Delphi string is a nil pointer: empty username, bail out
005E00D8 . 75 22 jnz short 005E00FC
005E00DA . 6A 00 push 0
005E00DC . 68 20035E00 push 005E0320 ; "Please enter the user name!"
005E00E1 . E8 7E0AFFFF call <jmp.&PunUnitLib.ShowMess>
005E00E6 . 8B45 FC mov eax, [ebp-4]
005E00E9 . 8B80 04030000 mov eax, [eax+304]
005E00EF . 8B10 mov edx, [eax]
005E00F1 . FF92 C0000000 call [edx+C0]
005E00F7 . E9 B1010000 jmp 005E02AD
005E00FC > 8D55 E8 lea edx, [ebp-18]
005E00FF . 8B45 FC mov eax, [ebp-4]
005E0102 . 8B80 FC020000 mov eax, [eax+2FC]
005E0108 . E8 93EEE6FF call 0044EFA0 ; read the registration-code field ([eax+2FC]) into [ebp-18]
005E010D . 8B45 E8 mov eax, [ebp-18]
005E0110 . 8D55 EC lea edx, [ebp-14]
005E0113 . E8 0896E2FF call 00409720 ; same normalization; result in [ebp-14]
005E0118 . 837D EC 00 cmp dword ptr [ebp-14], 0 ; empty registration code, bail out
005E011C . 75 22 jnz short 005E0140
005E011E . 6A 00 push 0
005E0120 . 68 34035E00 push 005E0334 ; "The authorization number cannot be empty, please enter the authorization number!"
005E0125 . E8 3A0AFFFF call <jmp.&PunUnitLib.ShowMess>
005E012A . 8B45 FC mov eax, [ebp-4]
005E012D . 8B80 FC020000 mov eax, [eax+2FC]
005E0133 . 8B10 mov edx, [eax]
005E0135 . FF92 C0000000 call [edx+C0]
005E013B . E9 6D010000 jmp 005E02AD
005E0140 > A1 38C56300 mov eax, [63C538] ; global string variable
005E0145 . 8B00 mov eax, [eax]
005E0147 . E8 844EE2FF call 00404FD0 ; to PChar
005E014C . 50 push eax ; pushed first, so it is the callee's second argument ([ebp+C]): the constant string used in the DLL
005E014D . 8D55 E4 lea edx, [ebp-1C]
005E0150 . 8B45 FC mov eax, [ebp-4]
005E0153 . 8B80 F4020000 mov eax, [eax+2F4]
005E0159 . E8 42EEE6FF call 0044EFA0
005E015E . 8B45 E4 mov eax, [ebp-1C] ; machine code text (from the edit at [eax+2F4])
005E0161 . E8 6A4EE2FF call 00404FD0 ; to PChar
005E0166 . 50 push eax ; pushed last, so it is the callee's first argument ([ebp+8])
005E0167 . E8 280AFFFF call <jmp.&PunUnitLib.GetRegPass> ; key call: GetRegPass(machineCode, constant) in PunUnitLib.dll, step into it
005E016C . 8BD0 mov edx, eax ; EAX is a PChar to the real code: a memory keygen could simply read it here
005E016E . 8D45 F8 lea eax, [ebp-8] ; but we study the algorithm instead
005E0171 . E8 9A4BE2FF call 00404D10 ; copy the returned PChar into the string at [ebp-8] (the real code)
005E0176 . 8D55 DC lea edx, [ebp-24]
005E0179 . 8B45 FC mov eax, [ebp-4]
005E017C . 8B80 FC020000 mov eax, [eax+2FC]
005E0182 . E8 19EEE6FF call 0044EFA0
005E0187 . 8B45 DC mov eax, [ebp-24]
005E018A . 8D55 E0 lea edx, [ebp-20]
005E018D . E8 8E95E2FF call 00409720
005E0192 . 8B45 E0 mov eax, [ebp-20] ; entered (fake) code
005E0195 . 8B55 F8 mov edx, [ebp-8] ; real code
005E0198 . E8 7F4DE2FF call 00404F1C ; string compare
005E019D . 0F85 FE000000 jnz 005E02A1 ; key jump: not equal, go to "registration failed"
005E01A3 . 33C0 xor eax, eax
005E01A5 . 55 push ebp
005E01A6 . 68 8D025E00 push 005E028D
005E01AB . 64:FF30 push dword ptr fs:[eax]
005E01AE . 64:8920 mov fs:[eax], esp
005E01B1 . B2 01 mov dl, 1
005E01B3 . A1 1C2F4700 mov eax, [472F1C] ; class reference
005E01B8 . E8 CB2EE9FF call 00473088 ; create an object; the calls that follow are those of TRegistry
005E01BD . 8BD8 mov ebx, eax
005E01BF . BA 02000080 mov edx, 80000002 ; HKEY_LOCAL_MACHINE
005E01C4 . 8BC3 mov eax, ebx
005E01C6 . E8 992FE9FF call 00473164 ; RootKey := HKEY_LOCAL_MACHINE
005E01CB . B1 01 mov cl, 1 ; CanCreate = True
005E01CD . 8B15 70B96300 mov edx, [63B970] ; stockMan.005DFFF4, the key path string
005E01D3 . 8BC3 mov eax, ebx
005E01D5 . E8 CE30E9FF call 004732A8 ; OpenKey(path, True)
005E01DA . 8D55 D8 lea edx, [ebp-28]
005E01DD . 8B45 FC mov eax, [ebp-4]
005E01E0 . 8B80 04030000 mov eax, [eax+304]
005E01E6 . E8 B5EDE6FF call 0044EFA0
005E01EB . 8B4D D8 mov ecx, [ebp-28]
005E01EE . BA 5C035E00 mov edx, 005E035C ; username
005E01F3 . 8BC3 mov eax, ebx
005E01F5 . E8 4A32E9FF call 00473444 ; WriteString('username', <username text>)
005E01FA . 8D55 D0 lea edx, [ebp-30]
005E01FD . 8B45 FC mov eax, [ebp-4]
005E0200 . 8B80 F4020000 mov eax, [eax+2F4]
005E0206 . E8 95EDE6FF call 0044EFA0
005E020B . 8B45 D0 mov eax, [ebp-30]
005E020E . E8 BD4DE2FF call 00404FD0
005E0213 . 50 push eax
005E0214 . E8 7309FFFF call <jmp.&PunUnitLib.SavePass> ; SavePass(machine code): transforms the value before it is stored (not followed here)
005E0219 . 8BD0 mov edx, eax
005E021B . 8D45 D4 lea eax, [ebp-2C]
005E021E . E8 ED4AE2FF call 00404D10
005E0223 . 8B4D D4 mov ecx, [ebp-2C]
005E0226 . BA 70035E00 mov edx, 005E0370 ; signcode
005E022B . 8BC3 mov eax, ebx
005E022D . E8 1232E9FF call 00473444 ; WriteString('signcode', SavePass(machine code))
005E0232 . 8B45 F8 mov eax, [ebp-8]
005E0235 . E8 964DE2FF call 00404FD0
005E023A . 50 push eax
005E023B . E8 4C09FFFF call <jmp.&PunUnitLib.SavePass> ; SavePass(real code)
005E0240 . 8BD0 mov edx, eax
005E0242 . 8D45 CC lea eax, [ebp-34]
005E0245 . E8 C64AE2FF call 00404D10
005E024A . 8B4D CC mov ecx, [ebp-34]
005E024D . BA 84035E00 mov edx, 005E0384 ; regcode
005E0252 . 8BC3 mov eax, ebx
005E0254 . E8 EB31E9FF call 00473444 ; WriteString('regcode', SavePass(real code))
005E0259 . 8BC3 mov eax, ebx
005E025B . E8 CC39E2FF call 00403C2C ; Free the registry object
005E0260 . 6A 00 push 0
005E0262 . 68 8C035E00 push 005E038C ; "Registration successful, welcome to this software!"
005E0267 . E8 F808FFFF call <jmp.&PunUnitLib.ShowMess>
005E026C . A1 34C56300 mov eax, [63C534]
005E0271 . C700 02000000 mov dword ptr [eax], 2
005E0277 . A1 ECC26300 mov eax, [63C2EC]
005E027C . 8B00 mov eax, [eax]
005E027E . E8 7108E9FF call 00470AF4
005E0283 . 33C0 xor eax, eax
005E0285 . 5A pop edx
005E0286 . 59 pop ecx
005E0287 . 59 pop ecx
005E0288 . 64:8910 mov fs:[eax], edx
005E028B . EB 20 jmp short 005E02AD
005E028D .^ E9 7A3EE2FF jmp 0040410C
005E0292 . 8B45 FC mov eax, [ebp-4]
005E0295 . E8 AACFE8FF call 0046D244
005E029A . E8 9942E2FF call 00404538
005E029F . EB 0C jmp short 005E02AD
005E02A1 > 6A 03 push 3
005E02A3 . 68 B0035E00 push 005E03B0 ; "Registration failed, please check whether the registration details are wrong!"
From the analysis above we have found the key call; step into it.
We land on the import thunk in the main module:
005D0B94 $- FF25 4C0B6400 jmp [<&PunUnitLib.GetRegPass>] ; PunUnitL.GetRegPass
005D0B9A 8BC0 mov eax, eax
005D0B9C $- FF25 480B6400 jmp [<&PunUnitLib.DispFormPos>] ; PunUnitL.DispFormPos
005D0BA2 8BC0 mov eax, eax
005D0BA4 FF db FF
005D0BA5 FF db FF
005D0BA6 FF db FF
F8 follows the jump into PunUnitLib.dll and we arrive at the routine itself (stdcall with two PChar arguments, see the retn 8 at the end):
003E9024 > 55 push ebp
003E9025 8BEC mov ebp, esp
003E9027 B9 06000000 mov ecx, 6
003E902C 6A 00 push 0
003E902E 6A 00 push 0
003E9030 49 dec ecx
003E9031 ^ 75 F9 jnz short 003E902C
003E9033 53 push ebx
003E9034 56 push esi
003E9035 33C0 xor eax, eax
003E9037 55 push ebp
003E9038 68 F2913E00 push 003E91F2
003E903D 64:FF30 push dword ptr fs:[eax]
003E9040 64:8920 mov fs:[eax], esp
003E9043 8D45 EC lea eax, [ebp-14]
003E9046 E8 65B5F8FF call 003745B0 ; clear the result string
003E904B 8D45 F0 lea eax, [ebp-10]
003E904E 8B55 08 mov edx, [ebp+8] ; first argument: the machine code (PChar)
003E9051 E8 4AB7F8FF call 003747A0 ; copy it into the string at [ebp-10]
003E9056 8B45 F0 mov eax, [ebp-10]
003E9059 E8 0AB8F8FF call 00374868 ; Length
003E905E 8BF0 mov esi, eax
003E9060 85F6 test esi, esi
003E9062 7E 26 jle short 003E908A ; empty machine code: skip the loop
003E9064 BB 01000000 mov ebx, 1 ; loop over the machine code, i = 1..Length; each byte is converted to its hex value and appended to a string, call it a
003E9069 8D4D E8 lea ecx, [ebp-18]
003E906C 8B45 F0 mov eax, [ebp-10]
003E906F 0FB64418 FF movzx eax, byte ptr [eax+ebx-1] ; current byte
003E9074 33D2 xor edx, edx ; Digits = 0
003E9076 E8 F905F9FF call 00379674 ; IntToHex(byte, 0) into [ebp-18] (value in EAX, digit count in EDX, result pointer in ECX)
003E907B 8B55 E8 mov edx, [ebp-18]
003E907E 8D45 FC lea eax, [ebp-4]
003E9081 E8 EAB7F8FF call 00374870 ; a := a + hex(byte)
003E9086 43 inc ebx
003E9087 4E dec esi
003E9088 ^ 75 DF jnz short 003E9069 ; end of loop: a is the hex string of the machine code
003E908A 8B45 FC mov eax, [ebp-4]
003E908D E8 D6B7F8FF call 00374868
003E9092 8BF0 mov esi, eax
003E9094 85F6 test esi, esi
003E9096 7E 2C jle short 003E90C4
003E9098 BB 01000000 mov ebx, 1
003E909D 8B45 FC mov eax, [ebp-4] ; second loop: reverse a, one character at a time; call the result b
003E90A0 E8 C3B7F8FF call 00374868 ; Length(a)
003E90A5 2BC3 sub eax, ebx ; Length(a) - i (0-based index)
003E90A7 8B55 FC mov edx, [ebp-4]
003E90AA 8A1402 mov dl, [edx+eax] ; a[Length(a) - i + 1]
003E90AD 8D45 E4 lea eax, [ebp-1C]
003E90B0 E8 DBB6F8FF call 00374790 ; make a one-character string of it
003E90B5 8B55 E4 mov edx, [ebp-1C]
003E90B8 8D45 F8 lea eax, [ebp-8]
003E90BB E8 B0B7F8FF call 00374870 ; b := b + that character
003E90C0 43 inc ebx
003E90C1 4E dec esi
003E90C2 ^ 75 D9 jnz short 003E909D ; end of loop
003E90C4 8D45 FC lea eax, [ebp-4] ; destination (reuses a's slot)
003E90C7 50 push eax
003E90C8 B9 04000000 mov ecx, 4 ; Count
003E90CD BA 01000000 mov edx, 1 ; Index
003E90D2 8B45 F8 mov eax, [ebp-8] ; Source = b
003E90D5 E8 E6B9F8FF call 00374AC0 ; c := Copy(b, 1, 4), the first four characters of b
003E90DA 8D45 F8 lea eax, [ebp-8] ; destination (reuses b's slot)
003E90DD 50 push eax
003E90DE B9 04000000 mov ecx, 4
003E90E3 BA 05000000 mov edx, 5
003E90E8 8B45 F8 mov eax, [ebp-8]
003E90EB E8 D0B9F8FF call 00374AC0 ; d := Copy(b, 5, 4), characters 5 to 8 of b
003E90F0 8B45 FC mov eax, [ebp-4]
003E90F3 E8 70B7F8FF call 00374868 ; Length(c)
003E90F8 83F8 04 cmp eax, 4
003E90FB 7D 2F jge short 003E912C ; already four characters: no padding
003E90FD 8B45 FC mov eax, [ebp-4]
003E9100 E8 63B7F8FF call 00374868
003E9105 8BD8 mov ebx, eax ; i := Length(c)
003E9107 83FB 03 cmp ebx, 3
003E910A 7F 20 jg short 003E912C
003E910C 8D4D E0 lea ecx, [ebp-20]
003E910F 8BC3 mov eax, ebx
003E9111 C1E0 02 shl eax, 2 ; i * 4
003E9114 33D2 xor edx, edx
003E9116 E8 5905F9FF call 00379674 ; IntToHex(i * 4, 0): "0", "4", "8" or "C"
003E911B 8B55 E0 mov edx, [ebp-20]
003E911E 8D45 FC lea eax, [ebp-4]
003E9121 E8 4AB7F8FF call 00374870 ; c := c + that digit
003E9126 43 inc ebx
003E9127 83FB 04 cmp ebx, 4
003E912A ^ 75 E0 jnz short 003E910C ; until i = 4, so a short c is padded to exactly four characters (a short machine code is the only way to get here)
003E912C 8B45 F8 mov eax, [ebp-8]
003E912F E8 34B7F8FF call 00374868 ; Length(d)
003E9134 83F8 04 cmp eax, 4
003E9137 7D 2F jge short 003E9168 ; the same padding, applied to d
003E9139 8B45 F8 mov eax, [ebp-8]
003E913C E8 27B7F8FF call 00374868
003E9141 8BD8 mov ebx, eax
003E9143 83FB 03 cmp ebx, 3
003E9146 7F 20 jg short 003E9168
003E9148 8D4D DC lea ecx, [ebp-24]
003E914B 8BC3 mov eax, ebx
003E914D C1E0 02 shl eax, 2
003E9150 33D2 xor edx, edx
003E9152 E8 1D05F9FF call 00379674
003E9157 8B55 DC mov edx, [ebp-24]
003E915A 8D45 F8 lea eax, [ebp-8]
003E915D E8 0EB7F8FF call 00374870
003E9162 43 inc ebx
003E9163 83FB 04 cmp ebx, 4
003E9166 ^ 75 E0 jnz short 003E9148
003E9168 8D45 D8 lea eax, [ebp-28]
003E916B 8B55 0C mov edx, [ebp+C] ; second argument: the constant string c26d-q628
003E916E E8 2DB6F8FF call 003747A0 ; copy it into a string
003E9173 8B45 D8 mov eax, [ebp-28]
003E9176 8D55 F4 lea edx, [ebp-C]
003E9179 E8 DE03F9FF call 0037955C ; UpperCase (the constant is lowercase, the final code uppercase): "C26D-Q628" in [ebp-C]
003E917E 8D45 D4 lea eax, [ebp-2C]
003E9181 50 push eax
003E9182 B9 04000000 mov ecx, 4
003E9187 BA 01000000 mov edx, 1
003E918C 8B45 F4 mov eax, [ebp-C]
003E918F E8 2CB9F8FF call 00374AC0 ; e := Copy(constant, 1, 4), the first four characters: "C26D"
003E9194 FF75 D4 push dword ptr [ebp-2C] ; piece 1: e
003E9197 68 0C923E00 push 003E920C ; piece 2: the string at 003E920C, evidently "-"
003E919C FF75 FC push dword ptr [ebp-4] ; piece 3: c
003E919F 8D45 D0 lea eax, [ebp-30]
003E91A2 50 push eax
003E91A3 B9 05000000 mov ecx, 5 ; Count = 5, not 4
003E91A8 BA 05000000 mov edx, 5 ; Index = 5
003E91AD 8B45 F4 mov eax, [ebp-C]
003E91B0 E8 0BB9F8FF call 00374AC0 ; f := Copy(constant, 5, 5): five characters from position 5, i.e. "-Q628", hyphen included
003E91B5 FF75 D0 push dword ptr [ebp-30] ; piece 4: f
003E91B8 68 0C923E00 push 003E920C ; piece 5: "-"
003E91BD FF75 F8 push dword ptr [ebp-8] ; piece 6: d
003E91C0 8D45 EC lea eax, [ebp-14] ; result string
003E91C3 BA 06000000 mov edx, 6 ; six pieces
003E91C8 E8 5BB7F8FF call 00374928 ; concatenate them in push order: e + "-" + c + f + "-" + d, which is the registration code
003E91CD 8B45 EC mov eax, [ebp-14]
003E91D0 E8 8BB8F8FF call 00374A60 ; to PChar
003E91D5 8BD8 mov ebx, eax ; return value (moved into EAX in the epilogue at 003E91F9)
003E91D7 33C0 xor eax, eax
003E91D9 5A pop edx
003E91DA 59 pop ecx
003E91DB 59 pop ecx
003E91DC 64:8910 mov fs:[eax], edx
003E91DF 68 F9913E00 push 003E91F9
003E91E4 8D45 D0 lea eax, [ebp-30]
003E91E7 BA 0C000000 mov edx, 0C
003E91EC E8 E3B3F8FF call 003745D4
003E91F1 C3 retn
003E91F2 ^ E9 1DADF8FF jmp 00373F14
003E91F7 ^ EB EB jmp short 003E91E4
003E91F9 8BC3 mov eax, ebx
003E91FB 5E pop esi
003E91FC 5B pop ebx
003E91FD 8BE5 mov esp, ebp
003E91FF 5D pop ebp
003E9200 C2 0800 retn 8
That completes the analysis.

The username plays no part in the code: it is only checked for being non-empty and then written to the registry. The registration code is derived purely from the machine code and the constant c26d-q628:
1. Convert each byte of the machine code to its hex value (IntToHex with a digit count of 0) and concatenate the results: a.
2. Reverse a: b.
3. c = the first four characters of b, d = characters 5 to 8 of b. A piece shorter than four characters is padded with hex(i*4) for i from its length up to 3 ("0", "4", "8", "C"), so both pieces are always exactly four characters.
4. e = the first four characters of the uppercased constant ("C26D"), f = five characters from position 5 ("-Q628").
5. Code = e + "-" + c + f + "-" + d.

That the conversion at 00379674 is IntToHex rather than IntToStr follows from the register usage (value in EAX, digit count 0 in EDX, result pointer in ECX) and from the letter D in the last group of the resulting code, which decimal ASCII values could never produce. For this reason the code can contain only the digits and the letters A to F in its second and fourth groups.

My registration code is C26D-1413-Q628-D473.
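The recovered algorithm as a working keygen. This is an added example, not code from the post or from the vendor. It assumes the two readings made in the analysis: that the call at 00379674 is Delphi's IntToHex(Value, 0) and that 0037955C is UpperCase. The post does not show the author's actual machine code, but because the hex string is reversed, any machine code whose last four characters are 7M1A reproduces the code C26D-1413-Q628-D473; the sample value AB7M1A used below is constructed for that check. register_ok mirrors the caller's checks at 005E00AC (both fields non-empty after trimming, then an exact string comparison).

```python
# Added example: keygen for PunUnitLib.GetRegPass as analysed above.
# Not the post's or the vendor's code.  Assumptions: 00379674 is Delphi's
# IntToHex(Value, Digits=0) and 0037955C is UpperCase.

CONSTANT = "c26d-q628"  # second argument passed to GetRegPass (from the post)


def hex_of_each_byte(machine_code: str) -> str:
    """First loop (003E9064): append IntToHex(byte, 0) for every byte.

    Digits=0 means no zero padding; printable ASCII is always >= 0x10, so
    each character contributes exactly two uppercase hex digits.
    """
    return "".join(format(b, "X") for b in machine_code.encode("latin-1"))


def pad_to_four(piece: str) -> str:
    """Padding loops at 003E90F0 and 003E912C.

    While the piece is shorter than four characters, append IntToHex(i * 4, 0)
    for i = len(piece) .. 3, i.e. "0", "4", "8", "C".  The loop runs up to
    i = 4, so the result is always exactly four characters long.
    """
    if len(piece) >= 4:
        return piece
    for i in range(len(piece), 4):
        piece += format(i * 4, "X")
    return piece


def get_reg_pass(machine_code: str, constant: str = CONSTANT) -> str:
    """Reimplementation of GetRegPass(machine_code, constant)."""
    a = hex_of_each_byte(machine_code)
    b = a[::-1]                        # second loop: reverse the hex string
    c = pad_to_four(b[0:4])            # Copy(b, 1, 4)
    d = pad_to_four(b[4:8])            # Copy(b, 5, 4)
    k = constant.upper()               # UpperCase(constant) -> "C26D-Q628"
    e = k[0:4]                         # Copy(k, 1, 4) -> "C26D"
    f = k[4:9]                         # Copy(k, 5, 5) -> "-Q628", hyphen included
    return e + "-" + c + f + "-" + d   # LStrCatN of the six pieces, in push order


def register_ok(username: str, machine_code: str, entered_code: str) -> bool:
    """The caller's logic at 005E00AC: both fields must be non-empty after
    trimming (Delphi Trim strips control characters too; whitespace is the
    common case), then the entered code must equal the generated one."""
    username = username.strip()
    entered_code = entered_code.strip()
    if not username or not entered_code:
        return False
    return entered_code == get_reg_pass(machine_code)


if __name__ == "__main__":
    # Constructed samples: any machine code ending in "7M1A" yields the post's
    # code; the short ones exercise the padding path.
    for mc in ("AB7M1A", "A", ""):
        print(f"{mc!r:10} -> {get_reg_pass(mc)}")
```

Running it prints C26D-1413-Q628-D473 for AB7M1A; the one-character and empty inputs show the padding producing 148C/048C and 048C/048C for the second and fourth groups.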