文章标题: 商品销售管理软件 V5.2.8 算法分析
破解作者: 风球[PYG]
破解日期: 2006.1.9 14:56
软件下载: http://www.skycn.com/soft/24335.html
软件大小: 3331 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 商业贸易
应用平台: Win9x/NT/2000/XP
加入时间: 2006-01-08 14:17:12
软件介绍: (略)
=================================================================
无壳 Delphi 程序，明码比较，使用的是变形 MD5。
输入试炼信息: 用户代码:3d317ef5281 //软件自动生成
软件序列号:1111-2222-3333-4444
软件注册号:123654789
OD 载入，根据错误提示很容易来到这里：
005CBC12 55 push ebp
005CBC13 68 64BE5C00 push projshop.005CBE64
005CBC18 64:FF30 push dword ptr fs:[eax]
005CBC1B 64:8920 mov dword ptr fs:[eax],esp
005CBC1E 8D45 E8 lea eax,dword ptr ss:[ebp-18]
005CBC21 50 push eax
005CBC22 B9 02000000 mov ecx,2
005CBC27 BA 19000000 mov edx,19 ; Mid(字符串,25,2)
005CBC2C 8B83 40030000 mov eax,dword ptr ds:[ebx+340] ; (ASCII "a698b8a5cdd887ae0c5e7a7f1d45c318")
005CBC32 E8 8D8CE3FF call projshop.004048C4 ; 上面这个字符怎么来的呢?一会分析
005CBC37 8D83 40030000 lea eax,dword ptr ds:[ebx+340]
005CBC3D 50 push eax
005CBC3E B9 18000000 mov ecx,18
005CBC43 BA 09000000 mov edx,9 ; Mid(字符串,9,24)
005CBC48 8B83 40030000 mov eax,dword ptr ds:[ebx+340] ; (ASCII "a698b8a5cdd887ae0c5e7a7f1d45c318")
005CBC4E E8 718CE3FF call projshop.004048C4
005CBC53 8D45 FC lea eax,dword ptr ss:[ebp-4]
005CBC56 50 push eax
005CBC57 B9 04000000 mov ecx,4
005CBC5C BA 01000000 mov edx,1 ; Mid(字符串,1,4)
005CBC61 8B83 40030000 mov eax,dword ptr ds:[ebx+340] ; (ASCII "cdd887ae0c5e7a7f1d45c318")
005CBC67 E8 588CE3FF call projshop.004048C4
005CBC6C 8D45 F8 lea eax,dword ptr ss:[ebp-8]
005CBC6F 50 push eax
005CBC70 B9 04000000 mov ecx,4
005CBC75 BA 05000000 mov edx,5 ; Mid(字符串,5,4)
005CBC7A 8B83 40030000 mov eax,dword ptr ds:[ebx+340]
005CBC80 E8 3F8CE3FF call projshop.004048C4
005CBC85 8D45 F4 lea eax,dword ptr ss:[ebp-C]
005CBC88 50 push eax
005CBC89 B9 04000000 mov ecx,4
005CBC8E BA 09000000 mov edx,9 ; Mid(字符串,9,4)
005CBC93 8B83 40030000 mov eax,dword ptr ds:[ebx+340] ; (ASCII "cdd887ae0c5e7a7f1d45c318")
005CBC99 E8 268CE3FF call projshop.004048C4
005CBC9E 8D45 F0 lea eax,dword ptr ss:[ebp-10]
005CBCA1 50 push eax
005CBCA2 B9 04000000 mov ecx,4
005CBCA7 BA 0D000000 mov edx,0D ; Mid(字符串,13,4)
005CBCAC 8B83 40030000 mov eax,dword ptr ds:[ebx+340]
005CBCB2 E8 0D8CE3FF call projshop.004048C4
005CBCB7 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
005CBCBA 50 push eax
005CBCBB B9 08000000 mov ecx,8
005CBCC0 BA 11000000 mov edx,11 ; Mid(字符串,17,8)
005CBCC5 8B83 40030000 mov eax,dword ptr ds:[ebx+340] ; (ASCII "cdd887ae0c5e7a7f1d45c318")
005CBCCB E8 F48BE3FF call projshop.004048C4
005CBCD0 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; (ASCII "1d45c318")
005CBCD3 8D45 EC lea eax,dword ptr ss:[ebp-14]
005CBCD6 8B4D E8 mov ecx,dword ptr ss:[ebp-18] ; (ASCII "1d")
005CBCD9 E8 D289E3FF call projshop.004046B0
005CBCDE 8D55 DC lea edx,dword ptr ss:[ebp-24]
005CBCE1 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
005CBCE7 E8 340AEFFF call projshop.004BC720
005CBCEC 8B45 DC mov eax,dword ptr ss:[ebp-24] ; 假软件注册号(ASCII "123654789")
005CBCEF 8D55 E0 lea edx,dword ptr ss:[ebp-20]
005CBCF2 E8 5DD3E3FF call projshop.00409054
005CBCF7 8B55 E0 mov edx,dword ptr ss:[ebp-20]
005CBCFA 8B45 EC mov eax,dword ptr ss:[ebp-14] ; 真软件注册号(ASCII "1d45c3181d")
005CBCFD E8 AE8AE3FF call projshop.004047B0 ; 比较CALL
005CBD02 0F85 15010000 jnz projshop.005CBE1D ; 不能跳
005CBD08 8D55 D8 lea edx,dword ptr ss:[ebp-28]
005CBD0B 8B83 1C030000 mov eax,dword ptr ds:[ebx+31C]
005CBD11 E8 0A0AEFFF call projshop.004BC720
005CBD16 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; (ASCII "1111")
005CBD19 8B45 FC mov eax,dword ptr ss:[ebp-4] ; (ASCII "cdd8")
005CBD1C E8 8F8AE3FF call projshop.004047B0
005CBD21 0F85 F6000000 jnz projshop.005CBE1D ; 不能跳
005CBD27 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
005CBD2A 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
005CBD30 E8 EB09EFFF call projshop.004BC720
005CBD35 8B55 D4 mov edx,dword ptr ss:[ebp-2C] ; (ASCII "2222")
005CBD38 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; (ASCII "87ae")
005CBD3B E8 708AE3FF call projshop.004047B0
005CBD40 0F85 D7000000 jnz projshop.005CBE1D ; 不能跳
005CBD46 8D55 D0 lea edx,dword ptr ss:[ebp-30]
005CBD49 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
005CBD4F E8 CC09EFFF call projshop.004BC720
005CBD54 8B55 D0 mov edx,dword ptr ss:[ebp-30] ; (ASCII "3333")
005CBD57 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; (ASCII "0c5e")
005CBD5A E8 518AE3FF call projshop.004047B0
005CBD5F 0F85 B8000000 jnz projshop.005CBE1D ; 不能跳
005CBD65 8D55 CC lea edx,dword ptr ss:[ebp-34]
005CBD68 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
005CBD6E E8 AD09EFFF call projshop.004BC720
005CBD73 8B55 CC mov edx,dword ptr ss:[ebp-34] ; (ASCII "4444")
005CBD76 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; (ASCII "7a7f")
005CBD79 E8 328AE3FF call projshop.004047B0
005CBD7E 0F85 99000000 jnz projshop.005CBE1D ; 不能跳
=================================================================
下面来分析上面那串字符是如何得来的，在这里我们也可以看到用户代码的生成过程：
005CBF5F 55 push ebp
005CBF60 68 CDC05C00 push projshop.005CC0CD
005CBF65 64:FF30 push dword ptr fs:[eax]
005CBF68 64:8920 mov dword ptr fs:[eax],esp
005CBF6B 8D85 FCFFFEFF lea eax,dword ptr ss:[ebp+FFFEFFFC]
005CBF71 83C9 FF or ecx,FFFFFFFF
005CBF74 33D2 xor edx,edx
005CBF76 E8 75F5FFFF call projshop.005CB4F0
005CBF7B 84C0 test al,al
005CBF7D 0F84 03010000 je projshop.005CC086
005CBF83 8D4D FC lea ecx,dword ptr ss:[ebp-4]
005CBF86 8D85 FCFFFEFF lea eax,dword ptr ss:[ebp+FFFEFFFC]
005CBF8C BA 71EC0F00 mov edx,0FEC71
005CBF91 E8 0AF6FFFF call projshop.005CB5A0
005CBF96 8D85 F8FFFEFF lea eax,dword ptr ss:[ebp+FFFEFFF8]
005CBF9C 50 push eax
005CBF9D 8D95 E8FFFEFF lea edx,dword ptr ss:[ebp+FFFEFFE8]
005CBFA3 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 主板BiOS序列号
005CBFA6 E8 5DECFFFF call projshop.005CAC08
005CBFAB 8D8D E8FFFEFF lea ecx,dword ptr ss:[ebp+FFFEFFE8]
005CBFB1 8B55 FC mov edx,dword ptr ss:[ebp-4] ; 主板BIOS序列号
005CBFB4 B8 E4C05C00 mov eax,projshop.005CC0E4 ; ASCII "MD5String"
005CBFB9 E8 42010000 call projshop.005CC100
005CBFBE 8B95 F8FFFEFF mov edx,dword ptr ss:[ebp+FFFEFFF8] ; 得到(ASCII "3d317ef7150f27bb830ff1d901a191fb")
005CBFC4 8D45 FC lea eax,dword ptr ss:[ebp-4]
005CBFC7 E8 7084E3FF call projshop.0040443C
005CBFCC 8D85 E0FFFEFF lea eax,dword ptr ss:[ebp+FFFEFFE0]
005CBFD2 50 push eax
005CBFD3 B9 07000000 mov ecx,7
005CBFD8 BA 01000000 mov edx,1
005CBFDD 8B45 FC mov eax,dword ptr ss:[ebp-4]
005CBFE0 E8 DF88E3FF call projshop.004048C4
005CBFE5 8B85 E0FFFEFF mov eax,dword ptr ss:[ebp+FFFEFFE0] ; (ASCII "3d317ef")
005CBFEB 8D95 E4FFFEFF lea edx,dword ptr ss:[ebp+FFFEFFE4]
005CBFF1 E8 5ED0E3FF call projshop.00409054
005CBFF6 8D85 E4FFFEFF lea eax,dword ptr ss:[ebp+FFFEFFE4]
005CBFFC BA F8C05C00 mov edx,projshop.005CC0F8 ; 固定字符ASCII "5281"
005CC001 E8 6686E3FF call projshop.0040466C
005CC006 8B95 E4FFFEFF mov edx,dword ptr ss:[ebp+FFFEFFE4] ; 得到用户代码(ASCII "3d317ef5281")
005CC00C 8B83 30030000 mov eax,dword ptr ds:[ebx+330]
005CC012 E8 D9B7E9FF call projshop.004677F0
005CC017 8D95 D8FFFEFF lea edx,dword ptr ss:[ebp+FFFEFFD8]
005CC01D 8B83 30030000 mov eax,dword ptr ds:[ebx+330]
005CC023 E8 98B7E9FF call projshop.004677C0
005CC028 8B85 D8FFFEFF mov eax,dword ptr ss:[ebp+FFFEFFD8]
005CC02E 8D95 DCFFFEFF lea edx,dword ptr ss:[ebp+FFFEFFDC]
005CC034 E8 1BD0E3FF call projshop.00409054
005CC039 8B95 DCFFFEFF mov edx,dword ptr ss:[ebp+FFFEFFDC]
005CC03F 8D83 40030000 lea eax,dword ptr ds:[ebx+340]
005CC045 E8 AE83E3FF call projshop.004043F8
005CC04A 8D85 D4FFFEFF lea eax,dword ptr ss:[ebp+FFFEFFD4]
005CC050 50 push eax
005CC051 8D95 E8FFFEFF lea edx,dword ptr ss:[ebp+FFFEFFE8]
005CC057 8B83 40030000 mov eax,dword ptr ds:[ebx+340]
005CC05D E8 A6EBFFFF call projshop.005CAC08
005CC062 8D8D E8FFFEFF lea ecx,dword ptr ss:[ebp+FFFEFFE8]
005CC068 8B55 FC mov edx,dword ptr ss:[ebp-4] ; (ASCII "3d317ef7150f27bb830ff1d901a191fb")
005CC06B B8 E4C05C00 mov eax,projshop.005CC0E4 ; ASCII "MD5String"
005CC070 E8 8B000000 call projshop.005CC100
005CC075 8B95 D4FFFEFF mov edx,dword ptr ss:[ebp+FFFEFFD4] ; 得到(ASCII "a698b8a5cdd887ae0c5e7a7f1d45c318")
=================================================================
上面可以很清楚地看到，运算主要是取主板 BIOS 序列号进行 MD5 变换，而此 MD5 是一个变形的 MD5。
经过分析，我们可以找到这个变形 MD5 中被修改的四个初始化常数：
005CBFA6 E8 5DECFFFF call projshop.005CAC08 //跟进
005CAC2D E8 AEFEFFFF call projshop.005CAAE0 //再跟进即可看到这四个变形常数
005CAAE0 C700 E1563462 mov dword ptr ds:[eax],623456E1
005CAAE6 C740 04 89FBFF0>mov dword ptr ds:[eax+4],0EFFFB89
005CAAED C740 08 FEDA8B0>mov dword ptr ds:[eax+8],98BDAFE
005CAAF4 C740 0C AADD030>mov dword ptr ds:[eax+C],103DDAA
-------------------------------------------------------------
标准MD5初始化的四个常数应该为
state[0] = 0x67452301;
state[1] = 0xefcdab89;
state[2] = 0x98badcfe;
state[3] = 0x10325476;
=================================================================
算法总结:
字符串A=MD5String(主板BIOS序列号)
用户代码=Mid(字符串A,1,7) & "5281"
字符串B=MD5String(用户代码)
字符串C=Mid(字符串B,9,24)
软件序列号=Mid(字符串C,1,4) - Mid(字符串C,5,4) - Mid(字符串C,9,4) - Mid(字符串C,13,4) //-为连接符
软件注册号=Mid(字符串C,17,8) & Mid(字符串B,25,2)
由于是明码比较，而这个变形 MD5 函数 MD5String 也只是改动了四个初始化常数、算法结构并未改变，所以算法注册机还是很容易实现的，算法注册机见 https://www.chinapyg.com/viewthr ... &extra=page%3D1
它的另外两个同类产品（万能商品销售管理系统 V5.2.8 和 旺铺销售理财专家 V5.2.8）的算法也是一样的，唉……
-----------------------------------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流，转载请注明作者并保持文章的完整，谢谢！