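【Article title】[PYG] Introduction to Algorithm Analysis, Lesson 11
【Article author】飘云[PYG]
【Cracking platform】WinXp
【Author email】[email protected]
【Software name】电子档案之企业人事管理系统 (Electronic Archives: Enterprise Personnel Management System) V4.3
【Software size】1436 KB
【Download URL】http://www.qusheng.com/bluefate/index.htm
【Download from this site】ftp://PYG:[email protected]/piaoyun/manager.rar
【Video tutorial】http://luowei.mireene.com/bbs/viewthread.php?tid=1767&fpage=1
【Software description】This is a highly general-purpose personnel management system for enterprises and institutions. It provides complete personnel file management, making it exceptionally quick and convenient to add, transfer and delete staff and to print personnel reports. The software also provides a variety of auxiliary tools and a system security maintenance system, and users can define the software's operators and their permissions. The bundled personnel resource library introduces you to advanced personnel management concepts, and the attractive interface lets you fully enjoy your work! The new version adds data export, data analysis and other features: data export makes it easy to export database data to Word, Excel, web pages and other formats; data analysis keeps you fully informed about the data in the database at any time, with analysis results automatically generated as web reports that can easily be published on a network. The software also provides a solution for users with database errors, so you can use it safely and with peace of mind.
【Cracking tools】PEiD 0.92 (Chinese edition), W32Dasm 10.0 (Chinese-localized edition), OD (二哥's modified build)
【Protection method】Machine code + serial number
【Cracking purpose】To learn cracking and become proficient with the various tools.
【Cracking statement】I am just a newbie who happened to pick up a little insight and would like to share it with everyone :)
【Cracking steps】First scan with PEiD 0.92, which reports UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo.
After manually unpacking and repairing the file, a rescan reports Borland Delphi 6.0 - 7.0.
Next, load the unpacked program in OD -- run -- string plugin -- and find the following key code: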
0059BA8D mov ebp,esp
0059BA8F push 0
0059BA91 push 0
0059BA93 push ebx
0059BA94 push esi
0059BA95 mov esi,edx
0059BA97 mov ebx,eax
0059BA99 xor eax,eax
0059BA9B push ebp
0059BA9C push 1_.0059BB35
0059BAA1 push dword ptr fs:[eax]
0059BAA4 mov dword ptr fs:[eax],esp
0059BAA7 lea edx,dword ptr ss:[ebp-4]
0059BAAA mov eax,dword ptr ds:[ebx+308]
0059BAB0 call 1_.0045536C
0059BAB5 mov eax,dword ptr ss:[ebp-4]
0059BAB8 call 1_.0059B264 ★This is the key call; press F8 to enter★
0059BABD test al,al
0059BABF je short 1_.0059BB03 ★If this jump is taken, registration fails!★
***************************************Entering call 59b264**************************************
0059B269 push ecx
0059B26A push ecx
0059B26B push ecx
0059B26C push ecx
0059B26D push ecx
0059B26E push ecx
0059B26F push ecx
0059B270 push ecx
0059B271 push ebx
0059B272 push esi
0059B273 push edi
0059B274 mov dword ptr ss:[ebp-4],eax
0059B277 mov eax,dword ptr ss:[ebp-4] ; fake serial (the code entered)
0059B27A call 1_.00404E50
0059B27F xor eax,eax
0059B281 push ebp
0059B282 push 1_.0059B3D8
0059B287 push dword ptr fs:[eax]
0059B28A mov dword ptr fs:[eax],esp
0059B28D call 1_.00402D1C
0059B292 xor ebx,ebx
0059B294 lea eax,dword ptr ss:[ebp-10]
0059B297 call 1_.0059B190 ;=============>>★algorithm call★
0059B29C lea eax,dword ptr ss:[ebp-10]
0059B29F mov edx,1_.0059B3F0 ; ASCII "~!@#$%^&*()_+|"
0059B2A4 call 1_.00404C70
0059B2A9 mov eax,dword ptr ss:[ebp-10] ; this yields a string concatenated with "~!@#$%^&*()_+|",
; so call 00404C70 only does concatenation, and call 0059B190 is the algorithm call
0059B2AC lea edx,dword ptr ss:[ebp-8]
0059B2AF call 1_.0059A338
0059B2B4 lea eax,dword ptr ss:[ebp-14]
0059B2B7 mov ecx,1_.0059B3F0 ; ASCII "~!@#$%^&*()_+|"
0059B2BC mov edx,dword ptr ss:[ebp-4] ; fake serial
0059B2BF call 1_.00404CB4
0059B2C4 mov eax,dword ptr ss:[ebp-14] ; fake serial concatenated with the string above
0059B2C7 lea edx,dword ptr ss:[ebp-C]
0059B2CA call 1_.0059A338
0059B2CF mov eax,dword ptr ss:[ebp-4]
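0059B2D2 call 1_.00404C68 ; length of the fake serial
0059B2D7 cmp eax,0C ; is it 12 characters?
0059B2DA je short 1_.0059B31F ; analysis shows that what follows is just a series of validation steps (can be skipped);
; the real algorithm call is the one above that produced the suspicious string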
0059B2DC push 1_.0059B408
0059B2E1 push dword ptr ss:[ebp-4]
0059B2E4 push 1_.0059B414 ; ASCII "dsfasfsadfasdfsafasfasdfasdfasd"
0059B2E9 lea eax,dword ptr ss:[ebp-18]
0059B2EC mov edx,3
0059B2F1 call 1_.00404D28
0059B2F6 mov eax,dword ptr ss:[ebp-18]
0059B2F9 lea edx,dword ptr ss:[ebp-8]
0059B2FC call 1_.0059A338
0059B301 mov eax,2710
0059B306 call 1_.00403354
0059B30B and eax,80000001
0059B310 jns short 1_.0059B317
0059B312 dec eax
0059B313 or eax,FFFFFFFE
0059B316 inc eax
0059B317 test eax,eax
0059B319 je 1_.0059B3BD
0059B31F lea eax,dword ptr ss:[ebp-1C]
0059B322 push eax
0059B323 mov ecx,3
0059B328 mov edx,1
0059B32D mov eax,dword ptr ss:[ebp-4]
0059B330 call 1_.00404EC0
0059B335 mov eax,dword ptr ss:[ebp-1C]
0059B338 mov edx,1_.0059B43C ; ASCII "MG4"
0059B33D call 1_.00404DAC ; compare whether the first 3 characters are MG4
0059B342 je short 1_.0059B383
0059B344 push 1_.0059B448
0059B349 push dword ptr ss:[ebp-4]
0059B34C push 1_.0059B454 ; ASCII "2341234123412341234123423142314123"
0059B351 lea eax,dword ptr ss:[ebp-20]
0059B354 mov edx,3
.
.
.
.
0059B3BF pop edx
0059B3C0 pop ecx
0059B3C1 pop ecx
0059B3C2 mov dword ptr fs:[eax],edx
0059B3C5 push 1_.0059B3DF
0059B3CA lea eax,dword ptr ss:[ebp-20]
0059B3CD mov edx,8
0059B3D2 call 1_.004049D4
0059B3D7 retn
*****************************************Entering call 0059B190*****************************************
0059B190 push ebp
0059B191 mov ebp,esp
0059B193 xor ecx,ecx
0059B195 push ecx
0059B196 push ecx
0059B197 push ecx
0059B198 push ecx
0059B199 push ebx
0059B19A mov ebx,eax
0059B19C xor eax,eax
0059B19E push ebp
0059B19F push 1_.0059B21C
0059B1A4 push dword ptr fs:[eax]
0059B1A7 mov dword ptr fs:[eax],esp
0059B1AA lea eax,dword ptr ss:[ebp-4]
0059B1AD push eax
0059B1AE lea eax,dword ptr ss:[ebp-10]
0059B1B1 call 1_.0059AECC
0059B1B6 push dword ptr ss:[ebp-10] ; machine code
0059B1B9 push 1_.0059B230 ; ASCII "QStudio Manager"
0059B1BE push 1_.0059B248 ; ASCII "MG4"
0059B1C3 push 1_.0059B254 ; ASCII "~!@#$%^&*()_+|"
0059B1C8 lea eax,dword ptr ss:[ebp-C]
0059B1CB mov edx,4
0059B1D0 call 1_.00404D28
0059B1D5 mov eax,dword ptr ss:[ebp-C] ; concatenation of the strings above
0059B1D8 lea edx,dword ptr ss:[ebp-8]
0059B1DB call 1_.0059A338 ; standard MD5 computation
0059B1E0 mov eax,dword ptr ss:[ebp-8] ; result returned in eax
0059B1E3 mov ecx,9
0059B1E8 mov edx,0C
0059B1ED call 1_.00404EC0 ; take 9 characters starting at position 12
0059B1F2 mov ecx,dword ptr ss:[ebp-4]
0059B1F5 mov eax,ebx
0059B1F7 mov edx,1_.0059B248 ; ASCII "MG4"
0059B1FC call 1_.00404CB4 ; concatenate with MG4 and that's it!
0059B201 xor eax,eax
0059B203 pop edx
0059B204 pop ecx
0059B205 pop ecx
0059B206 mov dword ptr fs:[eax],edx
0059B209 push 1_.0059B223
0059B20E lea eax,dword ptr ss:[ebp-10]
0059B211 mov edx,4
0059B216 call 1_.004049D4
0059B21B retn
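【Algorithm summary】
1. Machine code + QStudio Manager + MG4 + ~!@#$%^&*()_+| Note: "+" is the concatenation operator
2. Run standard MD5 over the string assembled above
3. Take 9 characters of the MD5 result starting at position 12
4. Prepend MG4 and you have the registration code
Note: the registration information is stored at HKEY_LOCAL_MACHINE\SOFTWARE\QStudio\manager; delete it and you can continue studying
【Algorithm keygen】
VB keygen source: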
Private Sub Command1_Click()
Dim a, B, C, D, code, tzm, reg As String
a = "QStudio Manager"
B = "MG4"
C = "~!@#$%^&*()_+|"
D = "MG4"
code = Text1.Text
Set c1 = New Class1 ' Call the MD5 module: first convert the string to its MD5 digest, ready for the next step
tzm = c1.Md5_String_Calc(code & a & B & C)
reg = Mid(tzm, 12, 9)
Text2 = D & reg
End Sub
***********************************************MD5 class module***************************************************
Option Explicit
' Visual Basic MD5 Implementation
' Robert Hubley and David Midkiff ([email protected])
' modify by simonyan, Support chinese
' Standard MD5 implementation optimised for the Visual Basic environment.
' Conforms to all standards and can be used in digital signature or password
' protection related schemes.
Private Const OFFSET_4 = 4294967296#
Private Const MAXINT_4 = 2147483647
Private State(4) As Long
Private ByteCounter As Long
Private ByteBuffer(63) As Byte
Private Const S11 = 7
Private Const S12 = 12
Private Const S13 = 17
Private Const S14 = 22
Private Const S21 = 5
Private Const S22 = 9
Private Const S23 = 14
Private Const S24 = 20
Private Const S31 = 4
Private Const S32 = 11
Private Const S33 = 16
Private Const S34 = 23
Private Const S41 = 6
Private Const S42 = 10
Private Const S43 = 15
Private Const S44 = 21
Property Get RegisterA() As String
RegisterA = State(1)
End Property
Property Get RegisterB() As String
RegisterB = State(2)
End Property
Property Get RegisterC() As String
RegisterC = State(3)
End Property
Property Get RegisterD() As String
RegisterD = State(4)
End Property
Public Function Md5_String_Calc(SourceString As String) As String
MD5Init
MD5Update LenB(StrConv(SourceString, vbFromUnicode)), StringToArray(SourceString)
MD5Final
Md5_String_Calc = GetValues
End Function
Public Function Md5_File_Calc(InFile As String) As String
GoSub begin
begin:
Dim FileO As Integer
FileO = FreeFile
Call FileLen(InFile)
Open InFile For Binary Access Read As #FileO
MD5Init
Do While Not EOF(FileO)
Get #FileO, , ByteBuffer
If Loc(FileO) < LOF(FileO) Then
ByteCounter = ByteCounter + 64
MD5Transform ByteBuffer
End If
Loop
ByteCounter = ByteCounter + (LOF(FileO) Mod 64)
Close #FileO
MD5Final
Md5_File_Calc = GetValues
End Function
Private Function StringToArray(InString As String) As Byte()
Dim I As Integer, bytBuffer() As Byte
ReDim bytBuffer(LenB(StrConv(InString, vbFromUnicode)))
bytBuffer = StrConv(InString, vbFromUnicode)
StringToArray = bytBuffer
End Function
Public Function GetValues() As String
GetValues = LongToString(State(1)) & LongToString(State(2)) & LongToString(State(3)) & LongToString(State(4))
End Function
Private Function LongToString(Num As Long) As String
Dim a As Byte, B As Byte, C As Byte, D As Byte
a = Num And &HFF&
If a < 16 Then LongToString = "0" & Hex(a) Else LongToString = Hex(a)
B = (Num And &HFF00&) \ 256
If B < 16 Then LongToString = LongToString & "0" & Hex(B) Else LongToString = LongToString & Hex(B)
C = (Num And &HFF0000) \ 65536
If C < 16 Then LongToString = LongToString & "0" & Hex(C) Else LongToString = LongToString & Hex(C)
If Num < 0 Then D = ((Num And &H7F000000) \ 16777216) Or &H80& Else D = (Num And &HFF000000) \ 16777216
If D < 16 Then LongToString = LongToString & "0" & Hex(D) Else LongToString = LongToString & Hex(D)
End Function
Public Sub MD5Init()
ByteCounter = 0
State(1) = UnsignedToLong(1732584193#)
State(2) = UnsignedToLong(4023233417#)
State(3) = UnsignedToLong(2562383102#)
State(4) = UnsignedToLong(271733878#)
End Sub
Public Sub MD5Final()
Dim dblBits As Double, padding(72) As Byte, lngBytesBuffered As Long
padding(0) = &H80
dblBits = ByteCounter * 8
lngBytesBuffered = ByteCounter Mod 64
If lngBytesBuffered <= 56 Then MD5Update 56 - lngBytesBuffered, padding Else MD5Update 120 - ByteCounter, padding
padding(0) = UnsignedToLong(dblBits) And &HFF&
padding(1) = UnsignedToLong(dblBits) \ 256 And &HFF&
padding(2) = UnsignedToLong(dblBits) \ 65536 And &HFF&
padding(3) = UnsignedToLong(dblBits) \ 16777216 And &HFF&
padding(4) = 0
padding(5) = 0
padding(6) = 0
padding(7) = 0
MD5Update 8, padding
End Sub
Public Sub MD5Update(InputLen As Long, InputBuffer() As Byte)
Dim II As Integer, I As Integer, J As Integer, K As Integer, lngBufferedBytes As Long, lngBufferRemaining As Long, lngRem As Long
lngBufferedBytes = ByteCounter Mod 64
lngBufferRemaining = 64 - lngBufferedBytes
ByteCounter = ByteCounter + InputLen
If InputLen >= lngBufferRemaining Then
For II = 0 To lngBufferRemaining - 1
ByteBuffer(lngBufferedBytes + II) = InputBuffer(II)
Next II
MD5Transform ByteBuffer
lngRem = (InputLen) Mod 64
For I = lngBufferRemaining To InputLen - II - lngRem Step 64
For J = 0 To 63
ByteBuffer(J) = InputBuffer(I + J)
Next J
MD5Transform ByteBuffer
Next I
lngBufferedBytes = 0
Else
I = 0
End If
For K = 0 To InputLen - I - 1
ByteBuffer(lngBufferedBytes + K) = InputBuffer(I + K)
Next K
End Sub
Private Sub MD5Transform(Buffer() As Byte)
Dim X(16) As Long, a As Long, B As Long, C As Long, D As Long
a = State(1)
B = State(2)
C = State(3)
D = State(4)
Decode 64, X, Buffer
FF a, B, C, D, X(0), S11, -680876936
FF D, a, B, C, X(1), S12, -389564586
FF C, D, a, B, X(2), S13, 606105819
FF B, C, D, a, X(3), S14, -1044525330
FF a, B, C, D, X(4), S11, -176418897
FF D, a, B, C, X(5), S12, 1200080426
FF C, D, a, B, X(6), S13, -1473231341
FF B, C, D, a, X(7), S14, -45705983
FF a, B, C, D, X(8), S11, 1770035416
FF D, a, B, C, X(9), S12, -1958414417
FF C, D, a, B, X(10), S13, -42063
FF B, C, D, a, X(11), S14, -1990404162
FF a, B, C, D, X(12), S11, 1804603682
FF D, a, B, C, X(13), S12, -40341101
FF C, D, a, B, X(14), S13, -1502002290
FF B, C, D, a, X(15), S14, 1236535329
GG a, B, C, D, X(1), S21, -165796510
GG D, a, B, C, X(6), S22, -1069501632
GG C, D, a, B, X(11), S23, 643717713
GG B, C, D, a, X(0), S24, -373897302
GG a, B, C, D, X(5), S21, -701558691
GG D, a, B, C, X(10), S22, 38016083
GG C, D, a, B, X(15), S23, -660478335
GG B, C, D, a, X(4), S24, -405537848
GG a, B, C, D, X(9), S21, 568446438
GG D, a, B, C, X(14), S22, -1019803690
GG C, D, a, B, X(3), S23, -187363961
GG B, C, D, a, X(8), S24, 1163531501
GG a, B, C, D, X(13), S21, -1444681467
GG D, a, B, C, X(2), S22, -51403784
GG C, D, a, B, X(7), S23, 1735328473
GG B, C, D, a, X(12), S24, -1926607734
HH a, B, C, D, X(5), S31, -378558
HH D, a, B, C, X(8), S32, -2022574463
HH C, D, a, B, X(11), S33, 1839030562
HH B, C, D, a, X(14), S34, -35309556
HH a, B, C, D, X(1), S31, -1530992060
HH D, a, B, C, X(4), S32, 1272893353
HH C, D, a, B, X(7), S33, -155497632
HH B, C, D, a, X(10), S34, -1094730640
HH a, B, C, D, X(13), S31, 681279174
HH D, a, B, C, X(0), S32, -358537222
HH C, D, a, B, X(3), S33, -722521979
HH B, C, D, a, X(6), S34, 76029189
HH a, B, C, D, X(9), S31, -640364487
HH D, a, B, C, X(12), S32, -421815835
HH C, D, a, B, X(15), S33, 530742520
HH B, C, D, a, X(2), S34, -995338651
II a, B, C, D, X(0), S41, -198630844
II D, a, B, C, X(7), S42, 1126891415
II C, D, a, B, X(14), S43, -1416354905
II B, C, D, a, X(5), S44, -57434055
II a, B, C, D, X(12), S41, 1700485571
II D, a, B, C, X(3), S42, -1894986606
II C, D, a, B, X(10), S43, -1051523
II B, C, D, a, X(1), S44, -2054922799
II a, B, C, D, X(8), S41, 1873313359
II D, a, B, C, X(15), S42, -30611744
II C, D, a, B, X(6), S43, -1560198380
II B, C, D, a, X(13), S44, 1309151649
II a, B, C, D, X(4), S41, -145523070
II D, a, B, C, X(11), S42, -1120210379
II C, D, a, B, X(2), S43, 718787259
II B, C, D, a, X(9), S44, -343485551
State(1) = LongOverflowAdd(State(1), a)
State(2) = LongOverflowAdd(State(2), B)
State(3) = LongOverflowAdd(State(3), C)
State(4) = LongOverflowAdd(State(4), D)
End Sub
Private Sub Decode(Length As Integer, OutputBuffer() As Long, InputBuffer() As Byte)
Dim intDblIndex As Integer, intByteIndex As Integer, dblSum As Double
For intByteIndex = 0 To Length - 1 Step 4
dblSum = InputBuffer(intByteIndex) + InputBuffer(intByteIndex + 1) * 256# + InputBuffer(intByteIndex + 2) * 65536# + InputBuffer(intByteIndex + 3) * 16777216#
OutputBuffer(intDblIndex) = UnsignedToLong(dblSum)
intDblIndex = intDblIndex + 1
Next intByteIndex
End Sub
Private Function FF(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, (B And C) Or (Not (B) And D), X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Private Function GG(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, (B And D) Or (C And Not (D)), X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Private Function HH(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, B Xor C Xor D, X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Private Function II(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
a = LongOverflowAdd4(a, C Xor (B Or Not (D)), X, ac)
a = LongLeftRotate(a, S)
a = LongOverflowAdd(a, B)
End Function
Function LongLeftRotate(value As Long, Bits As Long) As Long
Dim lngSign As Long, lngI As Long
Bits = Bits Mod 32
If Bits = 0 Then LongLeftRotate = value: Exit Function
For lngI = 1 To Bits
lngSign = value And &HC0000000
value = (value And &H3FFFFFFF) * 2
value = value Or ((lngSign < 0) And 1) Or (CBool(lngSign And &H40000000) And &H80000000)
Next
LongLeftRotate = value
End Function
Private Function LongOverflowAdd(Val1 As Long, Val2 As Long) As Long
Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long
lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&)
lngOverflow = lngLowWord \ 65536
lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
LongOverflowAdd = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
End Function
Private Function LongOverflowAdd4(Val1 As Long, Val2 As Long, val3 As Long, val4 As Long) As Long
Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long
lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) + (val3 And &HFFFF&) + (val4 And &HFFFF&)
lngOverflow = lngLowWord \ 65536
lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + ((val3 And &HFFFF0000) \ 65536) + ((val4 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF&
LongOverflowAdd4 = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&))
End Function
Private Function UnsignedToLong(value As Double) As Long
If value < 0 Or value >= OFFSET_4 Then Error 6
If value <= MAXINT_4 Then UnsignedToLong = value Else UnsignedToLong = value - OFFSET_4
End Function
Private Function LongToUnsigned(value As Long) As Double
If value < 0 Then LongToUnsigned = value + OFFSET_4 Else LongToUnsigned = value
End Function
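【Copyright notice】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thank you!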
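The scheme summarized above can be reproduced by anyone holding the binary, because the program itself contains every constant needed to compute the expected serial from the machine code. As an added example (not part of the original post and not the vendor's code), the Python sketch below shows the verify-only alternative, where the shipped program holds only a public key; the key, the `license-v1|` prefix and all function names are assumptions, and the textbook RSA over two Mersenne primes is a toy stand-in for a vetted signature library such as one providing Ed25519 or RSA-PSS.

```python
import hashlib

# Toy RSA key built from two well-known Mersenne primes so the example is
# reproducible offline. Constructed for illustration only; NOT a secure key.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                                # public modulus, shipped in the client
E = 65537                                # public exponent, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, stays on the vendor side


def _digest_int(machine_code: str) -> int:
    """Hash the machine code (with a hypothetical domain prefix) to an integer < N."""
    h = hashlib.sha256(b"license-v1|" + machine_code.encode("utf-8")).digest()
    return int.from_bytes(h, "big")


def vendor_issue(machine_code: str) -> str:
    """Vendor side: sign the machine code. Requires D, which the client never has."""
    return format(pow(_digest_int(machine_code), D, N), "x")


def client_verify(machine_code: str, license_hex: str) -> bool:
    """Client side: check a license using only the public values (N, E)."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False                     # not hex at all, e.g. an "MG4..." style string
    if not 0 < sig < N:
        return False                     # reject trivial or out-of-range values
    return pow(sig, E, N) == _digest_int(machine_code)


def tamper(license_hex: str) -> str:
    """Change the last hex digit, to show that an altered license is rejected."""
    return license_hex[:-1] + ("0" if license_hex[-1] != "0" else "1")


if __name__ == "__main__":
    code = "ABC123-CONSTRUCTED"          # constructed sample machine code
    lic = vendor_issue(code)
    print(client_verify(code, lic))              # license bound to this machine
    print(client_verify("OTHER-MACHINE", lic))   # same license on another machine
    print(client_verify(code, tamper(lic)))      # modified license
```

Reading `client_verify` out of the binary reveals only `N` and `E`, which are enough to check a license but not to issue one; a patched conditional jump is a separate problem that signatures alone do not address.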