易用进销存管理软件 2.57 破解分析
==================================================================================
破解作者:风球
破解工具:PEID,OD
软件下载:http://nj.onlinedown.net/soft/40913.htm
软件大小:4587KB
软件语言:简体中文
软件类别:国产软件/共享版/商业贸易
运行环境:Win9x/Me/NT/2000/XP
加入时间:2005-11-18 11:00:42
软件简介:易用进销存管理软件是一个集“进、销、存、财”四位一体的全功能商贸管理软件。
==================================================================================
破解过程:
PEID查壳为Borland Delphi 6.0 - 7.0
我输入用户名:feng 注册码:123456,用OD载入,通过查找字符串来分析:
006471E1 E8 A6020000 call jxc.0064748C ; 关键CALL下断 跟进分析
006471E6 84C0 test al,al
006471E8 0F84 DB000000 je jxc.006472C9 ; 关键跳,跳就OVER
006471EE 33C0 xor eax,eax
006471F0 55 push ebp
006471F1 68 AD726400 push jxc.006472AD
006471F6 64:FF30 push dword ptr fs:[eax]
006471F9 64:8920 mov dword ptr fs:[eax],esp
006471FC B2 01 mov dl,1
006471FE A1 68894400 mov eax,dword ptr ds:[448968]
00647203 E8 CC18E0FF call jxc.00448AD4
00647208 8BD8 mov ebx,eax
0064720A BA 02000080 mov edx,80000002
0064720F 8BC3 mov eax,ebx
00647211 E8 9A19E0FF call jxc.00448BB0
00647216 B1 01 mov cl,1
00647218 BA 28736400 mov edx,jxc.00647328 ; ASCII "Software\zy\JXC"
0064721D 8BC3 mov eax,ebx
0064721F E8 D01AE0FF call jxc.00448CF4
00647224 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00647227 8B45 FC mov eax,dword ptr ss:[ebp-4]
0064722A 8B80 04030000 mov eax,dword ptr ds:[eax+304]
00647230 E8 DF0EE4FF call jxc.00488114
00647235 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00647238 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0064723B E8 0428DCFF call jxc.00409A44
00647240 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00647243 BA 40736400 mov edx,jxc.00647340 ; ASCII "Name"
00647248 8BC3 mov eax,ebx
0064724A E8 411CE0FF call jxc.00448E90
0064724F 8D55 EC lea edx,dword ptr ss:[ebp-14]
00647252 8B45 FC mov eax,dword ptr ss:[ebp-4]
00647255 8B80 08030000 mov eax,dword ptr ds:[eax+308]
0064725B E8 B40EE4FF call jxc.00488114
00647260 8B45 EC mov eax,dword ptr ss:[ebp-14]
00647263 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00647266 E8 D927DCFF call jxc.00409A44
0064726B 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
0064726E BA 50736400 mov edx,jxc.00647350 ; ASCII "Pass"
00647273 8BC3 mov eax,ebx
00647275 E8 161CE0FF call jxc.00448E90
0064727A 8BC3 mov eax,ebx
0064727C E8 E3C8DBFF call jxc.00403B64
00647281 6A 40 push 40
00647283 68 58736400 push jxc.00647358
00647288 68 64736400 push jxc.00647364 ; 注册成功
0064728D 8B45 FC mov eax,dword ptr ss:[ebp-4]
00647290 E8 8778E4FF call jxc.0048EB1C
00647295 50 push eax
00647296 E8 150EDCFF call <jmp.&user32.MessageBoxA>
0064729B 8B45 FC mov eax,dword ptr ss:[ebp-4]
0064729E E8 DDEAE5FF call jxc.004A5D80
006472A3 33C0 xor eax,eax
006472A5 5A pop edx
006472A6 59 pop ecx
006472A7 59 pop ecx
006472A8 64:8910 mov dword ptr fs:[eax],edx
006472AB EB 36 jmp short jxc.006472E3
006472AD ^ E9 92CDDBFF jmp jxc.00404044
006472B2 8B45 FC mov eax,dword ptr ss:[ebp-4]
006472B5 E8 C6EAE5FF call jxc.004A5D80
006472BA 8B45 FC mov eax,dword ptr ss:[ebp-4]
006472BD E8 16010000 call jxc.006473D8
006472C2 E8 A9D1DBFF call jxc.00404470
006472C7 EB 1A jmp short jxc.006472E3
006472C9 6A 40 push 40
006472CB 68 58736400 push jxc.00647358
006472D0 68 B4736400 push jxc.006473B4 ; 注册失败
006472D5 8B45 FC mov eax,dword ptr ss:[ebp-4]
006472D8 E8 3F78E4FF call jxc.0048EB1C
======================跟进 0064748C CALL 分析=======================================
0064748C 55 push ebp ; 跟进来到这里
0064748D 8BEC mov ebp,esp
0064748F B9 04000000 mov ecx,4
00647494 6A 00 push 0
00647496 6A 00 push 0
00647498 49 dec ecx
00647499 ^ 75 F9 jnz short jxc.00647494
0064749B 51 push ecx
0064749C 53 push ebx
0064749D 56 push esi
0064749E 8BF0 mov esi,eax
006474A0 33C0 xor eax,eax
006474A2 55 push ebp
006474A3 68 A1756400 push jxc.006475A1
006474A8 64:FF30 push dword ptr fs:[eax]
006474AB 64:8920 mov dword ptr fs:[eax],esp
006474AE 8D55 F8 lea edx,dword ptr ss:[ebp-8]
006474B1 8B86 08030000 mov eax,dword ptr ds:[esi+308]
006474B7 E8 580CE4FF call jxc.00488114
006474BC 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 假码
006474BF 8D55 FC lea edx,dword ptr ss:[ebp-4]
006474C2 E8 7D25DCFF call jxc.00409A44
006474C7 8B45 FC mov eax,dword ptr ss:[ebp-4]
006474CA 50 push eax
006474CB 8D55 EC lea edx,dword ptr ss:[ebp-14]
006474CE 8B86 04030000 mov eax,dword ptr ds:[esi+304]
006474D4 E8 3B0CE4FF call jxc.00488114
006474D9 8B45 EC mov eax,dword ptr ss:[ebp-14] ; 用户名
006474DC 8D55 F0 lea edx,dword ptr ss:[ebp-10]
006474DF E8 6025DCFF call jxc.00409A44
006474E4 8B55 F0 mov edx,dword ptr ss:[ebp-10]
006474E7 8D4D F4 lea ecx,dword ptr ss:[ebp-C]
006474EA 8BC6 mov eax,esi
006474EC E8 FF000000 call jxc.006475F0 ; 算法CALL 一会跟进
006474F1 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 出现 (ASCII "JXCw-76E6268d5-5666")
006474F4 58 pop eax
006474F5 E8 6AD9DBFF call jxc.00404E64 ; 比较CALL,此处可做内存注册机
006474FA 75 50 jnz short jxc.0064754C ; 关键跳,跳就OVER
========================跟进 006475F0 CALL 分析===========================================
006475F0 55 push ebp ; 跟进来到这里
006475F1 8BEC mov ebp,esp
006475F3 51 push ecx
006475F4 B9 04000000 mov ecx,4
006475F9 6A 00 push 0
006475FB 6A 00 push 0
006475FD 49 dec ecx
……省略部分代码……
0064762C E8 E7D6DBFF call jxc.00404D18
00647631 8BF0 mov esi,eax
00647633 85F6 test esi,esi
00647635 7E 26 jle short jxc.0064765D
00647637 BB 01000000 mov ebx,1
0064763C 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0064763F 8B45 FC mov eax,dword ptr ss:[ebp-4]
00647642 0FB64418 FF movzx eax,byte ptr ds:[eax+ebx-1] ; 逐位取用户名
00647647 33D2 xor edx,edx
00647649 E8 0E2BDCFF call jxc.0040A15C
0064764E 8B55 EC mov edx,dword ptr ss:[ebp-14] ; 转为16进制ASCII码
00647651 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00647654 E8 C7D6DBFF call jxc.00404D20
00647659 43 inc ebx
0064765A 4E dec esi
0064765B ^ 75 DF jnz short jxc.0064763C ; 循环
0064765D 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 转成ASCII码后连起来66656e67
00647660 E8 B3D6DBFF call jxc.00404D18
00647665 8BF0 mov esi,eax
00647667 85F6 test esi,esi
00647669 7E 2C jle short jxc.00647697
0064766B BB 01000000 mov ebx,1
00647670 8B45 F8 mov eax,dword ptr ss:[ebp-8] ;下面是倒置前面的结果
00647673 E8 A0D6DBFF call jxc.00404D18
00647678 2BC3 sub eax,ebx
0064767A 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0064767D 8A1402 mov dl,byte ptr ds:[edx+eax]
00647680 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00647683 E8 B8D5DBFF call jxc.00404C40
00647688 8B55 E8 mov edx,dword ptr ss:[ebp-18]
0064768B 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0064768E E8 8DD6DBFF call jxc.00404D20
00647693 43 inc ebx
00647694 4E dec esi
00647695 ^ 75 D9 jnz short jxc.00647670 ; 循环
00647697 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0064769A 50 push eax
0064769B B9 04000000 mov ecx,4
006476A0 BA 01000000 mov edx,1
006476A5 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 倒置变成76E65666
006476A8 E8 CBD8DBFF call jxc.00404F78
006476AD 8D45 F4 lea eax,dword ptr ss:[ebp-C]
006476B0 50 push eax
006476B1 B9 04000000 mov ecx,4 ; 赋值4
006476B6 BA 05000000 mov edx,5
006476BB 8B45 F4 mov eax,dword ptr ss:[ebp-C]
006476BE E8 B5D8DBFF call jxc.00404F78
006476C3 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 取四位76E6
006476C6 E8 4DD6DBFF call jxc.00404D18
006476CB 83F8 04 cmp eax,4
006476CE 7D 2F jge short jxc.006476FF
006476D0 8B45 F8 mov eax,dword ptr ss:[ebp-8]
006476D3 E8 40D6DBFF call jxc.00404D18
006476D8 8BD8 mov ebx,eax
006476DA 83FB 03 cmp ebx,3
006476DD 7F 20 jg short jxc.006476FF
006476DF 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
006476E2 8BC3 mov eax,ebx
006476E4 C1E0 02 shl eax,2
006476E7 33D2 xor edx,edx
006476E9 E8 6E2ADCFF call jxc.0040A15C
006476EE 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
006476F1 8D45 F8 lea eax,dword ptr ss:[ebp-8]
006476F4 E8 27D6DBFF call jxc.00404D20
006476F9 43 inc ebx
006476FA 83FB 04 cmp ebx,4
006476FD ^ 75 E0 jnz short jxc.006476DF
006476FF 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 再取4位5666
00647702 E8 11D6DBFF call jxc.00404D18
00647707 83F8 04 cmp eax,4
0064770A 7D 2F jge short jxc.0064773B
0064770C 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0064770F E8 04D6DBFF call jxc.00404D18
00647714 8BD8 mov ebx,eax
00647716 83FB 03 cmp ebx,3
00647719 7F 20 jg short jxc.0064773B
0064771B 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; 不够8位来这里取
0064771E 8BC3 mov eax,ebx ; EAX<-EBX
00647720 C1E0 02 shl eax,2 ; 逻辑左移2位
00647723 33D2 xor edx,edx
00647725 E8 322ADCFF call jxc.0040A15C
0064772A 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0064772D 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00647730 E8 EBD5DBFF call jxc.00404D20
00647735 43 inc ebx ; EBX加1
00647736 83FB 04 cmp ebx,4
00647739 ^ 75 E0 jnz short jxc.0064771B ; 循环
0064773B 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0064773E BA C8776400 mov edx,jxc.006477C8 ; ASCII "JXCw268d58k"固定字符
00647743 E8 A8D3DBFF call jxc.00404AF0
00647748 8D45 DC lea eax,dword ptr ss:[ebp-24]
0064774B 50 push eax
0064774C B9 04000000 mov ecx,4 ; 赋值4
00647751 BA 01000000 mov edx,1
00647756 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00647759 E8 1AD8DBFF call jxc.00404F78
0064775E FF75 DC push dword ptr ss:[ebp-24] ; 取固定字符前四位JXCw
00647761 68 DC776400 push jxc.006477DC
00647766 FF75 F8 push dword ptr ss:[ebp-8]
00647769 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0064776C 50 push eax
0064776D B9 05000000 mov ecx,5 ; 赋值5
00647772 BA 05000000 mov edx,5
00647777 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0064777A E8 F9D7DBFF call jxc.00404F78
0064777F FF75 D8 push dword ptr ss:[ebp-28] ; 取接下来的五位268d5
00647782 68 DC776400 push jxc.006477DC
00647787 FF75 F4 push dword ptr ss:[ebp-C]
0064778A 8BC7 mov eax,edi
0064778C BA 06000000 mov edx,6
00647791 E8 42D6DBFF call jxc.00404DD8
00647796 33C0 xor eax,eax
00647798 5A pop edx
00647799 59 pop ecx
0064779A 59 pop ecx
0064779B 64:8910 mov dword ptr fs:[eax],edx
0064779E 68 B8776400 push jxc.006477B8
006477A3 8D45 D8 lea eax,dword ptr ss:[ebp-28]
006477A6 BA 0A000000 mov edx,0A
006477AB E8 CCD2DBFF call jxc.00404A7C
006477B0 C3 retn
006477B1 ^ E9 42CBDBFF jmp jxc.004042F8
006477B6 ^ EB EB jmp short jxc.006477A3
006477B8 5F pop edi
006477B9 5E pop esi
006477BA 5B pop ebx
006477BB 8BE5 mov esp,ebp
006477BD 5D pop ebp
006477BE C3 retn ; 此处返回
==============================================================================
做内存注册机:
中断地址:6474F5
中断次数:1
第一字节:E8
指令长度:5
注册码:内存方式--寄存器--EDX
================================
VB算法注册机:
' 易用进销存 V2.57 - algorithmic serial generator (header translated from the original).
'
' Click handler: reads the user name from Text1, derives a registration code
' from it and writes the result to Text2.
'
' NOTE(review): the result depends only on the typed user name and a constant
' string that is embedded in the program, and the listing above shows the
' program comparing the entered code against a locally computed string. A
' licence check built this way holds no secret; a signature verified with a
' public key, or a server-side check, would not have this weakness.
'
' NOTE(review): a, b, c and sn1..sn4 are not declared in this Sub; presumably
' they are implicit Variants or declared elsewhere in the form - confirm.
Private Sub Command1_Click()
Dim i As Integer
' Append the hexadecimal character code of each character of the user name.
' Mid$ without a length returns the rest of the string from position i, and
' Asc uses only its first character. Hex does not zero-pad its result.
For i = 1 To Len(Text1.Text)
a = a & Hex(Asc(Mid$(Text1.Text, i)))
Next i
' Reverse the hex string character by character.
b = StrReverse(a)
' Constant string; only its first nine characters are used below.
c = "JXCw268d58k"
' sn3 = first four characters, sn4 = the five characters starting at position 5.
sn3 = Mid(c, 1, 4)
sn4 = Mid(c, 5, 5)
' sn1 and sn2 are the first and second four-character groups of b. When b is
' shorter than eight characters, the missing characters are filled from "048C".
' NOTE(review): "048C" looks like the hex digits of 0, 4, 8 and 12 (0..3
' shifted left by 2), matching the padding loops in the listing above - confirm.
' Lengths other than 0, 2, 4 and 6 (odd lengths included) fall through to
' Case Else, where Mid returns fewer characters if b is too short.
Select Case Len(b)
Case 0
sn1 = "048C"
sn2 = "048C"
Case 2
sn1 = Mid(b, 1, 2) & "8C"
sn2 = "048C"
Case 4
sn1 = Mid(b, 1, 4)
sn2 = "048C"
Case 6
sn1 = Mid(b, 1, 4)
sn2 = Mid(b, 5, 4) & "8C"
Case Else
sn1 = Mid(b, 1, 4)
sn2 = Mid(b, 5, 4)
End Select
' Assemble the three groups, separated by "-".
Text2.Text = sn3 & "-" & sn1 & sn4 & "-" & sn2
End Sub
=============================================================================
算法总结:
逐位取用户名,转换为16进制ASCII码后倒置,然后取前8位(不够8位时,再由0、1、2、3逻辑左移2位来补足),再加上固定字符,组合成注册码,形式为 JXCw-前四位268d58k-后四位。表达得不太清楚,呵呵。
如我的注册信息就是
用户名:风球
注册码:JXCw-2F7C268d5-7E7B
---------------------------------------------------------------------2005.11.19 14:13
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!