家电维修资料查询系统算法分析
【 作 者 】machenglin[CZG[D.4S]
【 E-mail 】[email protected]
【文章题目】家电维修资料查询系统算法分析
【软件名称】家电维修资料查询系统v3.0
【下载地址】http://www.onlinedown.net/soft/16714.htm
【加密方式】ASPack 2.1 -> Alexey Solodovnikov [Overlay]
【破解工具】OD、PEiD v0.93
【软件限制】注册码+时间限制
【破解难度】+++初级+++
【破解平台】Win/XP SP2
【软件简介】源声家电维修资料查询系统是专为家电维修人员制作,可查询实用资料有《I2C彩电总线调整》《摇控器资料》《行输出参数》《晶体管查询系统》《总线中英文查询系统》集成电路代换参数等,查询资料更加方便,是家电维修人员必需的软件。
【破解过程】
004786BD 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假注册码[ebp-4]-->eax
004786C0 50 push eax ; 假注册码位数=12=edi
004786C1 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004786C4 8BC3 mov eax,ebx
004786C6 8B08 mov ecx,dword ptr ds:[eax]
004786C8 FF91 E4000000 call dword ptr ds:[ecx+E4] ; 取出机器码=9398559311
004786CE 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 机器码[ebp-8]-->eax
004786D1 8B8B F8020000 mov ecx,dword ptr ds:[ebx+2F8] ; [ebx+2F8]=wgg12345678 移动到ecx
004786D7 5A pop edx ; 假注册码压栈--->edx
004786D8 E8 1FF7FFFF call unpacked.00477DFC ; 关键算法CALL,跟进去看看 !
004786DD 8BD8 mov ebx,eax
-----------------------------------------------------------------------------------------
关键算法CALL,004786D8 E8 1FF7FFFF call unpacked.00477DFC
00477DFC 55 push ebp ; 来到这里
00477DFD 8BEC mov ebp,esp
00477DFF 81C4 FCFEFFFF add esp,-104
00477E05 53 push ebx
00477E06 56 push esi
00477E07 57 push edi
00477E08 33DB xor ebx,ebx
00477E0A 895D FC mov dword ptr ss:[ebp-4],ebx
00477E0D 8BF9 mov edi,ecx ; wgg12345678-->edi
00477E0F 8BF2 mov esi,edx ; 假注册码--->esi
00477E11 8BD8 mov ebx,eax ; 机器码-->ebx
00477E13 33C0 xor eax,eax ; eax清零
00477E15 55 push ebp
00477E16 68 637E4700 push unpacked.00477E63
00477E1B 64:FF30 push dword ptr fs:[eax]
00477E1E 64:8920 mov dword ptr fs:[eax],esp
00477E21 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
00477E27 8BD7 mov edx,edi ; edi=wgg12345678-->edx
00477E29 8BC3 mov eax,ebx ; ebx=机器码-->eax
00477E2B E8 64FEFFFF call unpacked.00477C94 ; 算法CALL,跟进去!
00477E30 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-104] ; 真注册码出现[ebp-104]-->edx
00477E36 8D45 FC lea eax,dword ptr ss:[ebp-4]
00477E39 E8 8ABFF8FF call unpacked.00403DC8
00477E3E 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 在这里可以做内存注册机
00477E41 8BD6 mov edx,esi ; 假注册码位数-->edx
00477E43 E8 ECC0F8FF call unpacked.00403F34
-----------------------------------------------------------------------------------------
算法CALL,00477E2B E8 64FEFFFF call unpacked.00477C94
00477C94 55 push ebp ; 来到这里了。
00477C95 8BEC mov ebp,esp
00477C97 83C4 E0 add esp,-20
00477C9A 53 push ebx
00477C9B 56 push esi
00477C9C 57 push edi
00477C9D 33DB xor ebx,ebx
00477C9F 895D E0 mov dword ptr ss:[ebp-20],ebx
00477CA2 895D E4 mov dword ptr ss:[ebp-1C],ebx
00477CA5 895D E8 mov dword ptr ss:[ebp-18],ebx
00477CA8 8BF9 mov edi,ecx
00477CAA 8955 F8 mov dword ptr ss:[ebp-8],edx ; wgg12345678-->[ebp-8]
00477CAD 8945 FC mov dword ptr ss:[ebp-4],eax ; 机器码-->[ebp-4]
00477CB0 8B45 FC mov eax,dword ptr ss:[ebp-4] ; [ebp-4]=机器码-->eax
00477CB3 E8 20C3F8FF call unpacked.00403FD8
00477CB8 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; [ebp-8]=wgg12345678
00477CBB E8 18C3F8FF call unpacked.00403FD8
00477CC0 33C0 xor eax,eax
00477CC2 55 push ebp
00477CC3 68 ED7D4700 push unpacked.00477DED
00477CC8 64:FF30 push dword ptr fs:[eax]
00477CCB 64:8920 mov dword ptr fs:[eax],esp
00477CCE 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; [ebp-4]=机器码=0 吗?
00477CD2 74 6F je short unpacked.00477D43 ; 是就跳走!
00477CD4 BB 01000000 mov ebx,1 ; ebx置1
00477CD9 8D75 EF lea esi,dword ptr ss:[ebp-11] ; 传送[ebp-11]-->esi
00477CDC 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 机器码-->eax
00477CDF E8 40C1F8FF call unpacked.00403E24 ; 取出机器码位数
00477CE4 50 push eax ; 压栈
00477CE5 8BC3 mov eax,ebx ; ebx-->eax
00477CE7 48 dec eax ; eax位数减1
00477CE8 5A pop edx
00477CE9 8BCA mov ecx,edx ; edx-->ecx
00477CEB 99 cdq
00477CEC F7F9 idiv ecx ; 带符号数除ecx
00477CEE 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 机器码-->eax
00477CF1 8A0410 mov al,byte ptr ds:[eax+edx] ; [eax+edx]-->al
00477CF4 50 push eax
00477CF5 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 机器码-->eax
00477CF8 E8 27C1F8FF call unpacked.00403E24 ; 取出机器码位数
00477CFD 5A pop edx
00477CFE 32D0 xor dl,al ; al xor dl
00477D00 32D3 xor dl,bl ; bl xor dl
00477D02 8816 mov byte ptr ds:[esi],dl ; dl-->0012F668=5F
00477D04 43 inc ebx ; ebx加1
00477D05 46 inc esi ; esi加1
00477D06 83FB 0A cmp ebx,0A ; 比较是否ebx=0A
00477D09 ^ 75 D1 jnz short unpacked.00477CDC ; 不相等就继续循环
00477D0B 8B45 FC mov eax,dword ptr ss:[ebp-4] ; [ebp-4]=机器码-->eax
00477D0E E8 11C1F8FF call unpacked.00403E24
00477D13 8BF0 mov esi,eax
00477D15 85F6 test esi,esi
00477D17 7E 2A jle short unpacked.00477D43
00477D19 BB 01000000 mov ebx,1 ; ebx置1
00477D1E 8B45 FC mov eax,dword ptr ss:[ebp-4] ; [ebp-4]=机器码-->eax
00477D21 E8 FEC0F8FF call unpacked.00403E24
00477D26 2BC3 sub eax,ebx ; eax-ebx
00477D28 8B55 FC mov edx,dword ptr ss:[ebp-4] ; [ebp-4]=机器码-->edx
00477D2B 8A0C02 mov cl,byte ptr ds:[edx+eax] ; [edx+eax]-->cl
00477D2E 8BC3 mov eax,ebx ; ebx-->eax
00477D30 48 dec eax ; eax减1
00477D31 51 push ecx ; ecx压栈
00477D32 B9 09000000 mov ecx,9 ; ecx=9
00477D37 99 cdq
00477D38 F7F9 idiv ecx ; 带符号数除ecx
00477D3A 59 pop ecx
00477D3B 304C15 EF xor byte ptr ss:[ebp+edx-11],cl ; [ebp+edx-11] xor cl
00477D3F 43 inc ebx ; ebx加1
00477D40 4E dec esi ; esi减1
00477D41 ^ 75 DB jnz short unpacked.00477D1E ; 没有完就继续
00477D43 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; [ebp-8]=0 吗?
00477D47 74 39 je short unpacked.00477D82 ; 是就跳走
00477D49 BB 01000000 mov ebx,1 ; ebx置1
00477D4E 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477D51 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; [ebp-8]=wgg12345678-->eax
00477D54 E8 CBC0F8FF call unpacked.00403E24 ; 取出位数=b=11
00477D59 50 push eax ; eax压栈
00477D5A 8BC3 mov eax,ebx ; ebx-->eax
00477D5C 48 dec eax ; eax减1
00477D5D 5A pop edx
00477D5E 8BCA mov ecx,edx
00477D60 99 cdq
00477D61 F7F9 idiv ecx ; 带符号数除ecx
00477D63 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; [ebp-8]-->eax
00477D66 8A0410 mov al,byte ptr ds:[eax+edx] ; [eax+edx]-->al
00477D69 3206 xor al,byte ptr ds:[esi] ; [esi] xor al [esi] =12F667=3a
00477D6B 50 push eax ; eax压栈
00477D6C 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; [ebp-8]-->eax
00477D6F E8 B0C0F8FF call unpacked.00403E24 ; 取出位数=b=11
00477D74 5A pop edx
00477D75 32D0 xor dl,al ; al xor dl
00477D77 32D3 xor dl,bl ; bl xor dl
00477D79 8816 mov byte ptr ds:[esi],dl
00477D7B 43 inc ebx ; ebx加1
00477D7C 46 inc esi ; esi加1
00477D7D 83FB 0A cmp ebx,0A ; ebx=0A 吗?
00477D80 ^ 75 CF jnz short unpacked.00477D51 ; 不等于就继续
00477D82 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00477D85 E8 1ABEF8FF call unpacked.00403BA4
00477D8A BB 09000000 mov ebx,9 ; ebx=9
00477D8F 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477D92 8D45 E4 lea eax,dword ptr ss:[ebp-1C] ; 传送[ebp-1C]-->eax
00477D95 8A16 mov dl,byte ptr ds:[esi] ; [esi]=ds:[0012F668]
00477D97 E8 B0BFF8FF call unpacked.00403D4C ; 逐位取出中间结果
00477D9C 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; 堆栈 ss:[0012F65C] =00E439C0
;edx=00000047=G
;edx=00000064=d
;edx=00E4396C=l
;edx=00E43931=1
;edx=00E58633=3
;edx=00E58632=2
;edx=00E58634=4
;edx=00E5863E=>
;edx=00E60235=5
00477D9F 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; 传送[ebp-18]-->eax
00477DA2 E8 85C0F8FF call unpacked.00403E2C
00477DA7 46 inc esi ; esi加1
00477DA8 4B dec ebx ; ebx减1
00477DA9 ^ 75 E7 jnz short unpacked.00477D92 ; 不相等就继续
00477DAB 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00477DAE 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; Gdl1324>5-->eax
00477DB1 E8 9AFDFFFF call unpacked.00477B50 ; 注册码在这CALL产生了!跟进去!
00477DB6 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; 真注册码=[ebp-20]
00477DB9 8BC7 mov eax,edi
00477DBB B9 FF000000 mov ecx,0FF
00477DC0 E8 3BC0F8FF call unpacked.00403E00
----------------------------------------------------------------------------------------
注册码在这CALL产生了!来自00477DB1 E8 9AFDFFFF call unpacked.00477B50
------------------------------------省略------------------------------------------------
00477C2F E8 38C4F8FF call unpacked.0040406C
00477C34 BE 04000000 mov esi,4
00477C39 8D5D F5 lea ebx,dword ptr ss:[ebp-B]
00477C3C 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; 传送[ebp-10]-->eax
00477C3F 33D2 xor edx,edx ; edx 清零
00477C41 8A13 mov dl,byte ptr ds:[ebx] ; [0047E4D2]-->dl
00477C43 8A92 9DE44700 mov dl,byte ptr ds:[edx+47E49D] ; [edx+47E49D]-->dl
00477C49 E8 FEC0F8FF call unpacked.00403D4C ; 逐位取出真注册码
00477C4E 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; 堆栈 ss:[0012F628] =00E7202C
; edx=0000005A=Z
; edx=0000002B=+
; edx=0000005A=Z
; edx=00000071=q
; edx=00000056=V
; edx=00000042=B
; edx=00000056=V
; edx=00000067=g
; edx=00000043=C
; edx=00000047=G
; edx=00000032=2
; edx=00000036=6
00477C51 8BC7 mov eax,edi ; edi-->eax
00477C53 E8 D4C1F8FF call unpacked.00403E2C
00477C58 43 inc ebx ; ebx加1
00477C59 4E dec esi ; esi减1
00477C5A ^ 75 E0 jnz short unpacked.00477C3C ; 没有取完就继续
00477C5C 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; [ebp-4]=0 吗?
00477C60 ^ 0F85 1FFFFFFF jnz unpacked.00477B85 ; 没有取完就继续
00477C66 33C0 xor eax,eax
00477C68 5A pop edx
00477C69 59 pop ecx
00477C6A 59 pop ecx
00477C6B 64:8910 mov dword ptr fs:[eax],edx
00477C6E 68 8B7C4700 push unpacked.00477C8B
00477C73 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00477C76 E8 29BFF8FF call unpacked.00403BA4
00477C7B 8D45 FC lea eax,dword ptr ss:[ebp-4]
00477C7E E8 21BFF8FF call unpacked.00403BA4
00477C83 C3 retn
------------------------------------------------------------------------------------------
关键比较部分
00477DA2 E8 85C0F8FF call unpacked.00403E2C
00477DA7 46 inc esi
00477DA8 4B dec ebx
00477DA9 ^ 75 E7 jnz short unpacked.00477D92 ; 不相等就跳
00477DAB 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00477DAE 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; Gdl1324>5
00477DB1 E8 9AFDFFFF call unpacked.00477B50 ; 注册码在这CALL产生了!跟进去!
00477DB6 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; 真注册码=[ebp-20]
00477DB9 8BC7 mov eax,edi
00477DBB B9 FF000000 mov ecx,0FF
00477DC0 E8 3BC0F8FF call unpacked.00403E00
00477DC5 33C0 xor eax,eax
00477DC7 5A pop edx
00477DC8 59 pop ecx
00477DC9 59 pop ecx
00477DCA 64:8910 mov dword ptr fs:[eax],edx
00477DCD 68 F47D4700 push unpacked.00477DF4
00477DD2 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00477DD5 BA 03000000 mov edx,3
00477DDA E8 E9BDF8FF call unpacked.00403BC8
00477DDF 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00477DE2 BA 02000000 mov edx,2
00477DE7 E8 DCBDF8FF call unpacked.00403BC8
00477DEC C3 retn
-----------------------------------------------------------------------------------------
【注册信息】
硬件码:9398559311
注册码:Z+ZqVBVgCG26
【内存注册机】
中断地址:477E41
中断次数:1
第一字节:8B
指令长度:3
内存方式-->EBP-4
【注册信息保存位置】
[HKEY_CURRENT_USER\Software]
eBook Edit Pro\Login\494658F0\LoginPassword
-----------------------------------------------------------------------------------------
[破解声明]我是一只小菜鸟,偶得一点心得,愿与大家分享:)
[版权]本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ Last edited by machenglin on 2005-8-8 at 03:56 AM ]