【Article title】Algorithm analysis of 易用门诊收费系统 (Easy-Use Outpatient Billing System)
【Author】ayan
【Software】易用门诊收费系统 V1.20
【Download】http://nj.onlinedown.net/soft/40486.htm
【Tools】flyOD, PEiD
【Protection】registration code
【Limitations】unknown
【Difficulty】simple
-----------------------------------------------------------------
【Software overview】《易用门诊收费系统》 is a system for managing hospital outpatient billing: issuing receipts, refunds, invoice queries, outpatient fee detail summaries, invoice printing and more. Its functions are designed to the requirements of the national 《医院信息系统基本功能规范》 (Basic Functional Specification for Hospital Information Systems), which favours standardized management. It is simple to operate, has a clean and attractive interface, is easy to query, and provides the various summary reports that practical work needs, making management easier; it is one of the most practical billing systems for small hospitals today.
The main functions of the outpatient billing system are:
Fee processing: billing and receipt issuing, refunds, invoice query, exit
Billing reports: current-shift billing report, billing work summary, outpatient department income summary, outpatient billing category summary, outpatient billing summary by physician, super query;
System maintenance: change password, department parameter management, fee parameter management, physician parameter management, data backup, data restore, database upgrade, system initialization
-----------------------------------------------------------------
【Analysis】
PEiD: Borland Delphi 6.0 - 7.0, no packer. Run it first and try registering: it prompts to restart for verification. Good, load it into OD and look at the string references; there is "已保存了注册信息!
下次启动本程序时将会对你的注册码进行验证,如注册码正确,本程序所有功能限制将被解除,您成为我们正式版本用户!" ("Registration info saved! The registration code will be verified the next time the program starts; if it is correct, all functional limits are removed and you become a user of the full version!").
Looking upward through the strings there are NAME and PASS; these must be the key names under which the registration info is stored. So search the string references for "PASS": there are two hits, set breakpoints on both,
run the program, it breaks at 00606E78, then F8 down and analyze:
00606E78 . BA 84706000 mov edx,MZSF.00607084 ; ASCII "Pass"//breaks here after the program is run
00606E7D . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00606E80 . E8 D74FE4FF call MZSF.0044BE5C
00606E85 . 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
00606E88 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00606E8B . 05 58040000 add eax,458
00606E90 . E8 ABDBDFFF call MZSF.00404A40
00606E95 . 33C0 xor eax,eax
00606E97 . 55 push ebp
00606E98 . 68 BE6E6000 push MZSF.00606EBE
00606E9D . 64:FF30 push dword ptr fs:[eax]
00606EA0 . 64:8920 mov dword ptr fs:[eax],esp
00606EA3 . BA 94706000 mov edx,MZSF.00607094 ; ASCII "Date"
00606EA8 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00606EAB . E8 C450E4FF call MZSF.0044BF74
00606EB0 . DD5D E8 fstp qword ptr ss:[ebp-18]
00606EB3 . 9B wait
00606EB4 . 33C0 xor eax,eax
00606EB6 . 5A pop edx
00606EB7 . 59 pop ecx
00606EB8 . 59 pop ecx
00606EB9 . 64:8910 mov dword ptr fs:[eax],edx
00606EBC . EB 29 jmp short MZSF.00606EE7
00606EBE .^ E9 15D1DFFF jmp MZSF.00403FD8
00606EC3 . FF75 E4 push dword ptr ss:[ebp-1C] ; /Arg2
00606EC6 . FF75 E0 push dword ptr ss:[ebp-20] ; |Arg1
00606EC9 . BA 94706000 mov edx,MZSF.00607094 ; |ASCII "Date"
00606ECE . 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
00606ED1 . E8 8A50E4FF call MZSF.0044BF60 ; \MZSF.0044BF60
00606ED6 . 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00606ED9 . 8945 E8 mov dword ptr ss:[ebp-18],eax
00606EDC . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00606EDF . 8945 EC mov dword ptr ss:[ebp-14],eax
00606EE2 . E8 1DD5DFFF call MZSF.00404404
00606EE7 > 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00606EEA . E8 314CE4FF call MZSF.0044BB20
00606EEF . 33C0 xor eax,eax
00606EF1 . 5A pop edx
00606EF2 . 59 pop ecx
00606EF3 . 59 pop ecx
00606EF4 . 64:8910 mov dword ptr fs:[eax],edx
00606EF7 . 68 0C6F6000 push MZSF.00606F0C
00606EFC > 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00606EFF . E8 F4CBDFFF call MZSF.00403AF8
00606F04 . C3 retn
00606F05 .^ E9 82D3DFFF jmp MZSF.0040428C
00606F0A .^ EB F0 jmp short MZSF.00606EFC
00606F0C . DD45 E0 fld qword ptr ss:[ebp-20]
00606F0F . DC65 E8 fsub qword ptr ss:[ebp-18]
00606F12 . DD5D D8 fstp qword ptr ss:[ebp-28]
00606F15 . 9B wait
00606F16 . D905 9C706000 fld dword ptr ds:[60709C]
00606F1C . DC65 D8 fsub qword ptr ss:[ebp-28]
00606F1F . E8 C4BEDFFF call MZSF.00402DE8
00606F24 . 8B55 FC mov edx,dword ptr ss:[ebp-4]
00606F27 . 8982 74040000 mov dword ptr ds:[edx+474],eax
00606F2D . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00606F30 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00606F33 . 8B90 54040000 mov edx,dword ptr ds:[eax+454]
00606F39 . A1 60E16000 mov eax,dword ptr ds:[60E160]
00606F3E . 8B00 mov eax,dword ptr ds:[eax]
00606F40 . E8 17A4FFFF call MZSF.0060135C //key CALL, step into it
00606F45 . 8B55 C0 mov edx,dword ptr ss:[ebp-40]
00606F48 . 8B45 FC mov eax,dword ptr ss:[ebp-4] //the real code is visible at this point
00606F4B . 8B80 58040000 mov eax,dword ptr ds:[eax+458] //fake code -> EAX
00606F51 . E8 A2DEDFFF call MZSF.00404DF8 //compare
00606F56 . 75 52 jnz short MZSF.00606FAA //key jump; if taken, OVER
00606F58 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00606F5B . C680 50040000 0>mov byte ptr ds:[eax+450],0
00606F62 . 6A FF push -1
00606F64 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00606F67 . 8B80 7C040000 mov eax,dword ptr ds:[eax+47C]
Stepping into the key CALL brings us here:
0060135C /$ 55 push ebp
0060135D |. 8BEC mov ebp,esp
0060135F |. 51 push ecx
00601360 |. B9 04000000 mov ecx,4
00601365 |> 6A 00 /push 0
00601367 |. 6A 00 |push 0
00601369 |. 49 |dec ecx
0060136A |.^ 75 F9 \jnz short MZSF.00601365
0060136C |. 51 push ecx
0060136D |. 874D FC xchg dword ptr ss:[ebp-4],ecx
00601370 |. 53 push ebx
00601371 |. 56 push esi
00601372 |. 57 push edi
00601373 |. 8BF9 mov edi,ecx
00601375 |. 8955 FC mov dword ptr ss:[ebp-4],edx
00601378 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] //user name -> EAX
0060137B |. E8 1C3BE0FF call MZSF.00404E9C //get user name length -> EDX
00601380 |. 33C0 xor eax,eax //clear EAX
00601382 |. 55 push ebp
00601383 |. 68 1D156000 push MZSF.0060151D
00601388 |. 64:FF30 push dword ptr fs:[eax]
0060138B |. 64:8920 mov dword ptr fs:[eax],esp
0060138E |. 8BC7 mov eax,edi
00601390 |. E8 5736E0FF call MZSF.004049EC
00601395 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] //user name -> EAX
00601398 |. E8 0F39E0FF call MZSF.00404CAC //get user name length -> EAX
0060139D |. 8BF0 mov esi,eax //EAX -> ESI
0060139F |. 85F6 test esi,esi //test ESI
006013A1 |. 7E 26 jle short MZSF.006013C9 //jump if <= 0, OVER
006013A3 |. BB 01000000 mov ebx,1 //1 -> EBX, used as a counter
006013A8 |> 8D4D EC /lea ecx,dword ptr ss:[ebp-14]
006013AB |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] //user name -> EAX
006013AE |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]//take character EBX of the user name -> EAX
006013B3 |. 33D2 |xor edx,edx //clear EDX
006013B5 |. E8 BE8CE0FF |call MZSF.0040A078 //that character of the user name -> [ebp-14]
006013BA |. 8B55 EC |mov edx,dword ptr ss:[ebp-14] //[ebp-14] -> EDX
006013BD |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8] //address of [ebp-8] -> EAX
006013C0 |. E8 EF38E0FF |call MZSF.00404CB4
006013C5 |. 43 |inc ebx //EBX = EBX + 1
006013C6 |. 4E |dec esi //ESI = ESI - 1
006013C7 |.^ 75 DF \jnz short MZSF.006013A8 //loop until every character is taken
006013C9 |> 8B45 F8 mov eax,dword ptr ss:[ebp-8] //when done, the result is put in EAX
The loop above produces the ASCII (hex) string of the user name
006013CC |. E8 DB38E0FF call MZSF.00404CAC //get length of the user-name ASCII string -> EAX
006013D1 |. 8BF0 mov esi,eax //EAX -> ESI
006013D3 |. 85F6 test esi,esi //test ESI
006013D5 |. 7E 2C jle short MZSF.00601403 //jump if <= 0, OVER
006013D7 |. BB 01000000 mov ebx,1 //1 -> EBX, used as a counter
006013DC |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8] //user-name ASCII -> EAX
006013DF |. E8 C838E0FF |call MZSF.00404CAC //get length of the user-name ASCII string -> EAX
006013E4 |. 2BC3 |sub eax,ebx //EAX = EAX - EBX
006013E6 |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8] //user-name ASCII -> EDX
006013E9 |. 8A1402 |mov dl,byte ptr ds:[edx+eax] //last character of the user-name ASCII -> DL
006013EC |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18] //address transfer
006013EF |. E8 E037E0FF |call MZSF.00404BD4 //
006013F4 |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18] //[ebp-18] -> EDX
006013F7 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C] //address transfer
006013FA |. E8 B538E0FF |call MZSF.00404CB4
006013FF |. 43 |inc ebx //EBX + 1
00601400 |. 4E |dec esi //ESI - 1
00601401 |.^ 75 D9 \jnz short MZSF.006013DC //loop until every character is taken
The loop above reverses the user-name ASCII string
00601403 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8] //address transfer
00601406 |. 50 push eax
00601407 |. B9 04000000 mov ecx,4 //4 -> ECX
0060140C |. BA 01000000 mov edx,1 //1 -> EDX
00601411 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] //reversed ASCII -> EAX
00601414 |. E8 F33AE0FF call MZSF.00404F0C
00601419 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C] //address transfer
0060141C |. 50 push eax //push
0060141D |. B9 04000000 mov ecx,4 //4 -> ECX
00601422 |. BA 05000000 mov edx,5 //5 -> EDX
00601427 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] //reversed ASCII -> EAX
0060142A |. E8 DD3AE0FF call MZSF.00404F0C //take the first 4 characters -> [ebp-8]
0060142F |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] //[ebp-8] -> EAX
00601432 |. E8 7538E0FF call MZSF.00404CAC //get length
00601437 |. 83F8 04 cmp eax,4 //compare with 4
0060143A |. 7D 2F jge short MZSF.0060146B //jump if >= 4
0060143C |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0060143F |. E8 6838E0FF call MZSF.00404CAC
00601444 |. 8BD8 mov ebx,eax
00601446 |. 83FB 03 cmp ebx,3
00601449 |. 7F 20 jg short MZSF.0060146B
0060144B |> 8D4D E4 /lea ecx,dword ptr ss:[ebp-1C]
0060144E |. 8BC3 |mov eax,ebx
00601450 |. C1E0 02 |shl eax,2
00601453 |. 33D2 |xor edx,edx
00601455 |. E8 1E8CE0FF |call MZSF.0040A078
0060145A |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
0060145D |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00601460 |. E8 4F38E0FF |call MZSF.00404CB4
00601465 |. 43 |inc ebx
00601466 |. 83FB 04 |cmp ebx,4
00601469 |.^ 75 E0 \jnz short MZSF.0060144B
0060146B |> 8B45 F4 mov eax,dword ptr ss:[ebp-C] //take the remaining characters
0060146E |. E8 3938E0FF call MZSF.00404CAC //get length
00601473 |. 83F8 04 cmp eax,4 //compare with 4
00601476 |. 7D 2F jge short MZSF.006014A7 //jump if >= 4
00601478 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] //remaining characters -> EAX
0060147B |. E8 2C38E0FF call MZSF.00404CAC //get length
00601480 |. 8BD8 mov ebx,eax //EAX -> EBX
00601482 |. 83FB 03 cmp ebx,3 //compare with 3
00601485 |. 7F 20 jg short MZSF.006014A7 //jump if greater
00601487 |> 8D4D E0 /lea ecx,dword ptr ss:[ebp-20] //address transfer
0060148A |. 8BC3 |mov eax,ebx //EBX -> EAX
0060148C |. C1E0 02 |shl eax,2 //EAX shifted left by 2 bits
0060148F |. 33D2 |xor edx,edx //clear EDX
00601491 |. E8 E28BE0FF |call MZSF.0040A078
00601496 |. 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
00601499 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
0060149C |. E8 1338E0FF |call MZSF.00404CB4
006014A1 |. 43 |inc ebx //EBX + 1
006014A2 |. 83FB 04 |cmp ebx,4 //compare with 4
006014A5 |.^ 75 E0 \jnz short MZSF.00601487 //loop back if not equal
The loop above takes the remaining two characters and appends 2 shl 2 = 8 and 3 shl 2 = C to them; if the user name is longer than 4 characters this loop is skipped
006014A7 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10] //if the user name is longer than 4 characters, execution jumps here
006014AA |. BA 34156000 mov edx,MZSF.00601534 ASCII "MZSF9588dj5"//string "MZSF9588dj5" -> EDX
006014AF |. E8 D035E0FF call MZSF.00404A84
006014B4 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
006014B7 |. 50 push eax
006014B8 |. B9 04000000 mov ecx,4
006014BD |. BA 01000000 mov edx,1
006014C2 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] //"MZSF9588dj5" -> EAX
006014C5 |. E8 423AE0FF call MZSF.00404F0C //take the first 4 characters of "MZSF9588dj5"
006014CA |. FF75 DC push dword ptr ss:[ebp-24]
006014CD |. 68 48156000 push MZSF.00601548
006014D2 |. FF75 F8 push dword ptr ss:[ebp-8]
006014D5 |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
006014D8 |. 50 push eax
006014D9 |. B9 05000000 mov ecx,5 //5 -> ECX
006014DE |. BA 05000000 mov edx,5 //5 -> EDX
006014E3 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] //"MZSF9588dj5" -> EAX
006014E6 |. E8 213AE0FF call MZSF.00404F0C //take 9588d out of "MZSF9588dj5"
006014EB |. FF75 D8 push dword ptr ss:[ebp-28] //push 9588d
006014EE |. 68 48156000 push MZSF.00601548
006014F3 |. FF75 F4 push dword ptr ss:[ebp-C] //push the string
006014F6 |. 8BC7 mov eax,edi //EDI -> EAX
006014F8 |. BA 06000000 mov edx,6 //6 -> EDX
006014FD |. E8 6A38E0FF call MZSF.00404D6C
00601502 |. 33C0 xor eax,eax
00601504 |. 5A pop edx
00601505 |. 59 pop ecx
00601506 |. 59 pop ecx
00601507 |. 64:8910 mov dword ptr fs:[eax],edx
0060150A |. 68 24156000 push MZSF.00601524
0060150F |> 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00601512 |. BA 0A000000 mov edx,0A
00601517 |. E8 F434E0FF call MZSF.00404A10
0060151C \. C3 retn
0060151D .^ E9 6A2DE0FF jmp MZSF.0040428C
00601522 .^ EB EB jmp short MZSF.0060150F
00601524 . 5F pop edi
00601525 . 5E pop esi
00601526 . 5B pop ebx
00601527 . 8BE5 mov esp,ebp
00601529 . 5D pop ebp
0060152A . C3 retn
-----------------------------------------------------------------
【Summary】
Registration name of 4 or more characters: only the last 4 characters are used. MZSF-(first 4 digits of the reversed ASCII of the last 4 characters)9588d-(last 4 digits of the reversed ASCII of the last 4 characters)
Registration name of 3 characters: MZSF-(first 4 digits of the reversed ASCII)9588d-(last 2 digits of the reversed ASCII)+8C
Registration name of 2 characters: MZSF-(reversed ASCII)9588d-048C
Registration name of 1 character: MZSF-(reversed ASCII)+8C9588d-048C
In the end it is still a plaintext comparison; a simple algorithm.
A usable set of registration info, a simple one:
NAME:a
pass:MZSF-168C9588d-048C (case-sensitive)
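To check the summary against the post's own sample, here is a Python reference implementation of the scheme as the analysis above describes it. This is an added example, not code from the post or from the program. The Delphi RTL routines in the listing are not named on the page, so the following are assumptions inferred from the context: the call at 0040A078 with edx=0 is taken to behave like IntToHex(value, 0), the call at 00404F0C like Copy(s, index, count), and the string pushed from 00601548 is taken to be "-" (it separates the fields in the sample key). Names are treated as ASCII because the loop works byte by byte.

```python
# Added example: reference implementation of the serial derivation recovered above.
# Not the program's own code. Assumptions (inferred, not stated on the page):
#   - call 0040A078 with edx=0 == Delphi IntToHex(value, 0): uppercase hex, no padding
#   - call 00404F0C == Delphi Copy(s, index, count): 1-based substring
#   - the string at 00601548 is "-"
#   - the name is processed byte by byte (movzx byte ptr), so ASCII names are assumed


def int_to_hex(value: int) -> str:
    """Delphi IntToHex(value, 0) as assumed above: minimal uppercase hex digits."""
    return format(value, "X")


def delphi_copy(s: str, index: int, count: int) -> str:
    """Delphi Copy(s, index, count): 1-based start, clipped at the end of s."""
    return s[index - 1:index - 1 + count]


def pad_to_four(part: str) -> str:
    """Padding loops at 0060144B and 00601487.

    With EBX = len(part), each iteration appends IntToHex(EBX shl 2, 0) and
    increments EBX until it reaches 4, so a short part gets "8C", "48C" or "048C".
    """
    padded = part
    for counter in range(len(part), 4):
        padded += int_to_hex(counter << 2)
    return padded


def derive_serial(name: str) -> str:
    """Serial the program expects for a given user name, following the summary."""
    # Loop at 006013A8: hex of every byte of the name, concatenated ("user-name ASCII").
    hex_str = "".join(int_to_hex(b) for b in name.encode("ascii"))
    # Loop at 006013DC: the hex string is reversed character by character.
    reversed_hex = hex_str[::-1]
    # 00601403..0060142A: Copy(reversed, 1, 4) and Copy(reversed, 5, 4), each padded to 4.
    part1 = pad_to_four(delphi_copy(reversed_hex, 1, 4))
    part2 = pad_to_four(delphi_copy(reversed_hex, 5, 4))
    # 006014A7..006014FD: "MZSF" and "9588d" are cut from "MZSF9588dj5" and the
    # six pieces are concatenated (assumed separator "-").
    const = "MZSF9588dj5"
    prefix = delphi_copy(const, 1, 4)   # "MZSF"
    middle = delphi_copy(const, 5, 5)   # "9588d"
    return prefix + "-" + part1 + middle + "-" + part2


def check_serial(name: str, entered: str) -> bool:
    """The plain string comparison at 00606F51/00606F56: exact, case-sensitive match."""
    return derive_serial(name) == entered


if __name__ == "__main__":
    # Constructed sample names covering each length case in the summary.
    for sample in ("a", "ab", "abc", "abcd", "zzzzab"):
        print(f"{sample!r:10} -> {derive_serial(sample)}")
```

Because the serial is a deterministic function of the name and the program compares the two strings directly, anyone who reads the routine can reproduce the check; that is what the post means by a plaintext comparison. The example also shows the consequence of the Copy(reversed, 1, 4)/Copy(reversed, 5, 4) split: for names of 4 or more characters, only the last 4 characters affect the result.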
-----------------------------------------------------------------
【Copyright】
This article is purely for technical exchange; please keep it intact when reposting, thanks!
Written on 2005-9-5
[ Last edited by ayan on 2005-9-5 at 12:30 PM ]