【破文标题】[PYG]算法分析入门第八课
【破文作者】飘云[PYG]
【作者主页】https://www.chinapyg.com
【破解平台】winxp
【破解工具】PEiD0.93、w32dasm、OD二哥修改版
【作者邮箱】[email protected]
【软件名称】易用会员管理软件 1.50
【软件大小】3876KB
【原版下载】http://www.onlinedown.net/soft/26837.htm
【软件简介】易用会员管理系统是一套功能强大的会员管理软件,软件将会员消费,会员基本信息,以及各种
查询统计等紧密结合起来,操作简单方便,界面美观大方,能满足如销售,餐饮,美容,服务等行业进行会员
制管理,会员卡管理,会员积分管理,会员消费管理的需求,科学的管理方法会给您带来无限的效益,易用会
员管理软件(会员卡管理软件)是您明智的选择。
【分析过程】先用PEiD探测一下:没有加壳,Borland Delphi 6.0 - 7.0编写。
用w32dasm找到关键:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006058AC(C) ★★这里是关键跳转★★
|
:0060598D 6A40 push 00000040
* Possible StringData Ref from Code Obj ->"软件注册"
|
:0060598F 68205A6000 push 00605A20
* Possible StringData Ref from Code Obj ->"注册失败,请检查您的注册名和注册码!"
************************************************************
用 OD 载入原程序，输入以下信息:
用户名:piaoyun[PYG]
注册码:789456123
来到这里:
00605896 . 55 push ebp ; begin a Delphi try/finally frame (the enclosing function starts earlier; not shown here)
00605897 . 68 D5596000 push Member.006059D5 ; handler/finally address for this frame
0060589C . 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0] (eax is expected to be 0 here, same pattern as 00605B66 below)
0060589F . 64:8920 mov dword ptr fs:[eax],esp ; install the new frame
006058A2 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = object saved at [ebp-4]; presumably Self/the form, since call1 reads control fields off it — TODO confirm
006058A5 . E8 AE020000 call Member.00605B58 ★算法call1,跟进★ ; validator ("call1", listed below): recomputes the key from the username and compares it with the typed code
006058AA . 84C0 test al,al ; al == 0 -> typed code did not match (bl is set at 00605BAC / 00605BE6; the copy into al happens in the epilogue at 00605C1A, not shown)
006058AC . 0F84 DB000000 je Member.0060598D ; the single conditional jump that decides pass/fail; 0060598D is the "注册失败" message-box path shown in the w32dasm excerpt. NOTE(review): one client-side string compare plus this je guard the whole registration
************************************************************
以下进入算法 call1(00605B58，校验例程):
00605B58 /$ 55 push ebp ; call1: validate the typed registration code. In: eax = Self (form). Out: bl = 1 on match, 0 otherwise (returned via 00605C1A, not shown)
00605B59 |. 8BEC mov ebp,esp
00605B5B |. 33C9 xor ecx,ecx
00605B5D |. 51 push ecx ; five zeroed dwords = five string locals [ebp-4]..[ebp-14]
00605B5E |. 51 push ecx
00605B5F |. 51 push ecx
00605B60 |. 51 push ecx
00605B61 |. 51 push ecx
00605B62 |. 53 push ebx
00605B63 |. 56 push esi
00605B64 |. 8BF0 mov esi,eax ; esi = Self; the control fields +2F8 / +2FC are read off it below
00605B66 |. 33C0 xor eax,eax
00605B68 |. 55 push ebp ; try/finally frame, handler at 00605C13
00605B69 |. 68 135C6000 push Member.00605C13
00605B6E |. 64:FF30 push dword ptr fs:[eax]
00605B71 |. 64:8920 mov dword ptr fs:[eax],esp
00605B74 |. 8D55 FC lea edx,dword ptr ss:[ebp-4] ; edx = &[ebp-4], destination string
00605B77 |. 8B86 FC020000 mov eax,dword ptr ds:[esi+2FC] ; eax = control at Self+2FC (the registration-code edit box)
00605B7D |. E8 8EA5E4FF call Member.00450110 ; reads the control's text into [ebp-4] — NOT its length; 00450110 looks like a get-text routine (TControl.GetText?) — TODO confirm
00605B82 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = the code the user typed
00605B85 |. 50 push eax ; kept on the stack until the compare (popped at 00605BA4)
00605B86 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; edx = &[ebp-C], destination string
00605B89 |. 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8] ; eax = control at Self+2F8 (the username edit box)
00605B8F |. E8 7CA5E4FF call Member.00450110 ; reads the username text into [ebp-C] (same routine as above)
00605B94 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; edx = username
00605B97 |. 8D4D F8 lea ecx,dword ptr ss:[ebp-8] ; ecx = &[ebp-8], where call2 writes the expected code
00605B9A |. 8BC6 mov eax,esi ; eax = Self
00605B9C |. E8 F3FAFFFF call Member.00605694 ; call2 (listed below): expected code := f(username) — pure function of the username and an embedded constant
00605BA1 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; edx = the computed (genuine) code — this is what the memory keygen dumps
00605BA4 |. 58 pop eax ; eax = the typed code
00605BA5 |. E8 6AF4DFFF call Member.00405014 ; string compare of typed vs computed (presumably a case-sensitive Delphi string compare — TODO confirm)
00605BAA |. 75 3A jnz short Member.00605BE6 ; not equal -> failure path. NOTE(review): the entire check is this one client-side equality test
00605BAC |. B3 01 mov bl,1 ; success flag
00605BAE |. 8D55 F0 lea edx,dword ptr ss:[ebp-10] ; on success: re-read username into [ebp-10]
00605BB1 |. 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
00605BB7 |. E8 54A5E4FF call Member.00450110
00605BBC |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00605BBF |. B8 149A6300 mov eax,Member.00639A14 ; global string at 00639A14 := username (00404C6C presumably string-assign — TODO confirm)
00605BC4 |. E8 A3F0DFFF call Member.00404C6C
00605BC9 |. 8D55 EC lea edx,dword ptr ss:[ebp-14] ; re-read the code into [ebp-14]
00605BCC |. 8B86 FC020000 mov eax,dword ptr ds:[esi+2FC]
00605BD2 |. E8 39A5E4FF call Member.00450110
00605BD7 |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
00605BDA |. B8 189A6300 mov eax,Member.00639A18 ; global string at 00639A18 := code
00605BDF |. E8 88F0DFFF call Member.00404C6C
00605BE4 |. EB 02 jmp short Member.00605BE8
00605BE6 |> 33DB xor ebx,ebx ; failure: bl = 0
00605BE8 |> 33C0 xor eax,eax ; unwind the try/finally frame
00605BEA |. 5A pop edx
00605BEB |. 59 pop ecx
00605BEC |. 59 pop ecx
00605BED |. 64:8910 mov dword ptr fs:[eax],edx ; restore fs:[0]
00605BF0 |. 68 1A5C6000 push Member.00605C1A ; return address for the finally block: the real epilogue at 00605C1A (not shown)
00605BF5 |> 8D45 EC lea eax,dword ptr ss:[ebp-14] ; finally: release the 3 strings [ebp-14],[ebp-10],[ebp-C] (edx = count; 00404C3C presumably clears a string array — TODO confirm)
00605BF8 |. BA 03000000 mov edx,3
00605BFD |. E8 3AF0DFFF call Member.00404C3C
00605C02 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; release the computed code
00605C05 |. E8 0EF0DFFF call Member.00404C18
00605C0A |. 8D45 FC lea eax,dword ptr ss:[ebp-4] ; release the typed code
00605C0D |. E8 06F0DFFF call Member.00404C18
00605C12 \. C3 retn ; returns to 00605C1A (pushed above), which presumably moves bl into al and restores esi/ebx — not shown
************************************************************
以下进入算法 call2(00605694，由用户名算出真码):
00605694 /$ 55 push ebp ; call2: compute the expected code from the username. In: eax = Self, edx = username, ecx = out string. Out: *ecx = expected code
00605695 |. 8BEC mov ebp,esp
00605697 |. 51 push ecx ; [ebp-4] temporarily holds the out-string pointer
00605698 |. B9 04000000 mov ecx,4
0060569D |> 6A 00 /push 0 ; 4 x 2 zero dwords: string locals [ebp-8]..[ebp-24]
0060569F |. 6A 00 |push 0
006056A1 |. 49 |dec ecx
006056A2 |.^ 75 F9 \jnz short Member.0060569D
006056A4 |. 51 push ecx ; ecx is 0 after the loop -> [ebp-28] = 0 (tenth string local)
006056A5 |. 874D FC xchg dword ptr ss:[ebp-4],ecx ; ecx = out-string pointer again, [ebp-4] = 0
006056A8 |. 53 push ebx
006056A9 |. 56 push esi
006056AA |. 57 push edi
006056AB |. 8BF9 mov edi,ecx ; edi = out string (written at 00605835)
006056AD |. 8955 FC mov dword ptr ss:[ebp-4],edx ; [ebp-4] = username
006056B0 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = username
006056B3 |. E8 00FADFFF call Member.004050B8 ; presumably takes a reference on the username string (Delphi AddRef) — TODO confirm
006056B8 |. 33C0 xor eax,eax
006056BA |. 55 push ebp ; try/finally frame, handler at 00605855
006056BB |. 68 55586000 push Member.00605855
006056C0 |. 64:FF30 push dword ptr fs:[eax]
006056C3 |. 64:8920 mov dword ptr fs:[eax],esp
006056C6 |. 8BC7 mov eax,edi ; clear the out string (00404C18 is the same routine used to release locals in call1)
006056C8 |. E8 4BF5DFFF call Member.00404C18
006056CD |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
006056D0 |. E8 FBF7DFFF call Member.00404ED0 ; eax = Length(username)
006056D5 |. 8BF0 mov esi,eax ; esi = remaining character count
006056D7 |. 85F6 test esi,esi
006056D9 |. 7E 26 jle short Member.00605701 ; empty username: skip the conversion loop
006056DB |. BB 01000000 mov ebx,1 ; ebx = 1-based character index
006056E0 |> 8D4D EC /lea ecx,dword ptr ss:[ebp-14] ; ecx = &[ebp-14], result of the conversion
006056E3 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
006056E6 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1>; eax = ord(username[ebx]) (the '>' is an OllyDbg column-truncation artifact)
006056EB |. 33D2 |xor edx,edx ; edx = 0 (second argument)
006056ED |. E8 9E49E0FF |call Member.0040A090 ; value -> text. Looks like IntToHex(value, 0): the worked example below ("piaoyun[PYG]" -> ...D574...) matches uppercase hex of the ASCII codes — TODO confirm
006056F2 |. 8B55 EC |mov edx,dword ptr ss:[ebp-14]
006056F5 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
006056F8 |. E8 DBF7DFFF |call Member.00404ED8 ; [ebp-8] := [ebp-8] + hex(ch) (00404ED8 presumably string concat — TODO confirm)
006056FD |. 43 |inc ebx
006056FE |. 4E |dec esi
006056FF |.^ 75 DF \jnz short Member.006056E0
00605701 |> 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; eax = the concatenated hex string
00605704 |. E8 C7F7DFFF call Member.00404ED0 ; eax = its length
00605709 |. 8BF0 mov esi,eax ; esi = remaining count for the reverse loop
0060570B |. 85F6 test esi,esi
0060570D |. 7E 2C jle short Member.0060573B ; empty: skip
0060570F |. BB 01000000 mov ebx,1 ; ebx = 1..len
00605714 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8] ; eax = hex string
00605717 |. E8 B4F7DFFF |call Member.00404ED0 ; eax = Length(hex)
0060571C |. 2BC3 |sub eax,ebx ; eax = len - ebx: 0-based index walking backwards from the last character
0060571E |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8] ; edx = hex string; one character per iteration (not two)
00605721 |. 8A1402 |mov dl,byte ptr ds:[edx+eax] ; dl = hex[len - ebx]
00605724 |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
00605727 |. E8 CCF6DFFF |call Member.00404DF8 ; [ebp-18] := one-character string from dl (presumably — TODO confirm)
0060572C |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
0060572F |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00605732 |. 8D45 F4 |call Member.00404ED8 ; [ebp-C] := [ebp-C] + that character -> builds the reversed string
00605737 |. 43 |inc ebx
00605738 |. 4E |dec esi ; esi = characters left
00605739 |.^ 75 D9 \jnz short Member.00605714 ; loop
★以上两个循环：先把用户名每个字符的 ASCII 码转成十六进制并顺序连接(存于 [EBP-8])，再逐字符倒序得到新串(存于 [EBP-C])★
0060573B |> 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; dest = &[ebp-8]
0060573E |. 50 push eax
0060573F |. B9 04000000 mov ecx,4 ; count = 4
00605744 |. BA 01000000 mov edx,1 ; start = 1
00605749 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; src = reversed hex string
0060574C |. E8 D7F9DFFF call Member.00405128 ; [ebp-8] := Copy(reversed, 1, 4) — piece A (00405128 looks like Delphi's Copy helper: eax=src, edx=start, ecx=count, dest pushed — TODO confirm)
00605751 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; dest = &[ebp-C] (in place)
00605754 |. 50 push eax
00605755 |. B9 04000000 mov ecx,4 ; count = 4
0060575A |. BA 05000000 mov edx,5 ; start = 5
0060575F |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00605762 |. E8 C1F9DFFF call Member.00405128 ; [ebp-C] := Copy(reversed, 5, 4) — piece B (characters 5..8, not "the first 4")
00605767 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; eax = piece A
0060576A |. E8 61F7DFFF call Member.00404ED0 ; eax = Length(A)
0060576F |. 83F8 04 cmp eax,4
00605772 |. 7D 2F jge short Member.006057A3 ; already 4 chars: no padding
00605774 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00605777 |. E8 54F7DFFF call Member.00404ED0
0060577C |. 8BD8 mov ebx,eax ; ebx = Length(A) (< 4 here)
0060577E |. 83FB 03 cmp ebx,3
00605781 |. 7F 20 jg short Member.006057A3 ; redundant re-check of the same condition
00605783 |> 8D4D E4 /lea ecx,dword ptr ss:[ebp-1C] ; pad loop: for ebx = Length(A) .. 3
00605786 |. 8BC3 |mov eax,ebx
00605788 |. C1E0 02 |shl eax,2 ; eax = ebx * 4
0060578B |. 33D2 |xor edx,edx
0060578D |. E8 FE48E0FF |call Member.0040A090 ; same value->hex routine as the per-character loop: text of (ebx*4)
00605792 |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
00605795 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00605798 |. E8 3BF7DFFF |call Member.00404ED8 ; A := A + hex(ebx*4), so short usernames still yield a 4-char piece
0060579D |. 43 |inc ebx
0060579E |. 83FB 04 |cmp ebx,4
006057A1 |.^ 75 E0 \jnz short Member.00605783
006057A3 |> 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; eax = piece B (characters 5..8)
006057A6 |. E8 25F7DFFF call Member.00404ED0 ; eax = Length(B)
006057AB |. 83F8 04 cmp eax,4
006057AE |. 7D 2F jge short Member.006057DF ; already 4 chars: no padding
006057B0 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
006057B3 |. E8 18F7DFFF call Member.00404ED0
006057B8 |. 8BD8 mov ebx,eax ; ebx = Length(B)
006057BA |. 83FB 03 cmp ebx,3
006057BD |. 7F 20 jg short Member.006057DF
006057BF |> 8D4D E0 /lea ecx,dword ptr ss:[ebp-20] ; same padding as for piece A
006057C2 |. 8BC3 |mov eax,ebx
006057C4 |. C1E0 02 |shl eax,2 ; eax = ebx * 4
006057C7 |. 33D2 |xor edx,edx
006057C9 |. E8 C248E0FF |call Member.0040A090
006057CE |. 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
006057D1 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
006057D4 |. E8 FFF6DFFF |call Member.00404ED8 ; B := B + hex(ebx*4)
006057D9 |. 43 |inc ebx
006057DA |. 83FB 04 |cmp ebx,4
006057DD |.^ 75 E0 \jnz short Member.006057BF
006057DF |> 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; dest = &[ebp-10]
006057E2 |. BA 6C586000 mov edx,Member.0060586C ; edx = the constant "mem45erpe" embedded in the binary
006057E7 |. E8 C4F4DFFF call Member.00404CB0 ; [ebp-10] := "mem45erpe" (presumably string-assign — TODO confirm)
006057EC |. 8D45 DC lea eax,dword ptr ss:[ebp-24] ; dest = &[ebp-24]
006057EF |. 50 push eax
006057F0 |. B9 04000000 mov ecx,4 ; count = 4
006057F5 |. BA 01000000 mov edx,1 ; start = 1
006057FA |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; src = "mem45erpe"
006057FD |. E8 26F9DFFF call Member.00405128 ; [ebp-24] := Copy("mem45erpe", 1, 4) = "mem4"
00605802 |. FF75 DC push dword ptr ss:[ebp-24] ; concat operand 1: "mem4"
00605805 |. 68 80586000 push Member.00605880 ; operand 2: string at 00605880 — the "-" separator per the summary and worked example (not dumped here)
0060580A |. FF75 F8 push dword ptr ss:[ebp-8] ; operand 3: piece A (first 4 chars of the reversed hex)
0060580D |. 8D45 D8 lea eax,dword ptr ss:[ebp-28] ; dest = &[ebp-28]
00605810 |. 50 push eax
00605811 |. B9 05000000 mov ecx,5 ; count = 5
00605816 |. BA 05000000 mov edx,5 ; start = 5
0060581B |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; src = "mem45erpe" (eax, not edx)
0060581E |. E8 05F9DFFF call Member.00405128 ; [ebp-28] := Copy("mem45erpe", 5, 5) = "5erpe"
00605823 |. FF75 D8 push dword ptr ss:[ebp-28] ; operand 4: "5erpe"
00605826 |. 68 80586000 push Member.00605880 ; operand 5: "-"
0060582B |. FF75 F4 push dword ptr ss:[ebp-C] ; operand 6: piece B (chars 5..8 of the reversed hex)
0060582E |. 8BC7 mov eax,edi ; dest = out string
00605830 |. BA 06000000 mov edx,6 ; six operands on the stack
00605835 |. E8 56F7DFFF call Member.00404F90 ; out := "mem4" + "-" + A + "5erpe" + "-" + B (push order; matches the worked example "mem4-D5745erpe-9505"). NOTE(review): the key is a pure function of the public username and a constant in the binary — no secret, no signature, so a keygen is trivial
0060583A |. 33C0 xor eax,eax ; unwind the try/finally frame
0060583C |. 5A pop edx
0060583D |. 59 pop ecx
0060583E |. 59 pop ecx
0060583F |. 64:8910 mov dword ptr fs:[eax],edx ; restore fs:[0]
00605842 |. 68 5C586000 push Member.0060585C ; return address for the finally block = epilogue at 0060585C
00605847 |> 8D45 D8 lea eax,dword ptr ss:[ebp-28] ; finally: release the 10 string locals [ebp-28]..[ebp-4]
0060584A |. BA 0A000000 mov edx,0A
0060584F |. E8 E8F3DFFF call Member.00404C3C
00605854 \. C3 retn ; jumps to 0060585C
00605855 .^ E9 3EECDFFF jmp Member.00404498 ; exception handler registered above: hand off to the RTL, then
0060585A .^ EB EB jmp short Member.00605847 ; ...re-run the finally block
0060585C . 5F pop edi ; real epilogue; the result was already written through edi
0060585D . 5E pop esi
0060585E . 5B pop ebx
0060585F . 8BE5 mov esp,ebp
00605861 . 5D pop ebp
00605862 . C3 retn
【算法总结】
把用户名每个字符的 ASCII 码转成大写十六进制并顺序连接，再把整个串逐字符倒序(设为 x)；若 x 的前 4 位或第 5～8 位不足 4 位，程序会用同一个转十六进制例程把 4*i(i 从当前长度数到 3)转成文本补足(见 00605783 和 006057BF 两个补位循环)
用到一个常数 mem45erpe(设为 y)，它直接写在程序里(0060586C)
符号“-”
注册码= y的前4位-x的前4位+y的后五位-x的第5到第8位
注(安全角度)：真码完全由用户名和程序内嵌常数决定，校验只是 00605BA5 处的一次客户端字符串比较，没有签名或服务器端验证，所以不需要任何秘密就能写出注册机；这也是下面内存注册机能直接取到 EDX 的原因。
我的注册信息:
piaoyun[PYG]
mem4-D5745erpe-9505
附:注册信息保存在 HKEY_LOCAL_MACHINE\SOFTWARE\zy\member 删除后又可继续研究~~~
内存注册机:
中断地址:00605BA5(比较 call；此时 EDX 已在 00605BA1 处装入算出的真码)
中断次数:1
第一字节:E8
指令长度:5
内存方式-寄存器-EDX
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!